dovecot_login accepts blank password for exim smtp auth

Jeff Rogers dvrsn at diphi.com
Fri Feb 17 21:16:22 UTC 2023


Hi all,

I recently discovered a configuration issue on my system where a system 
user account had a blank rather than invalid or disabled password in the 
passwd/shadow database.   The user could not be logged into through 
login/telnet/ssh because it was marked as a system account (uid < 100).  
Dovecot also would not authenticate the user for the same reason.  
However, I'm using exim using dovecot_login for authentication, and that 
would authenticate the user with a blank and allow me to be used as an 
open relay.

This is clearly a config issue on my part (since fixed), but should 
dovecot_login guard against blank passwords or system users just as a 
normal login does?

I'm running dovecot 2.2.36 (1f10bfa63)
Exim version 4.96

I don't know which software supplies the dovecot_login connenector.

The SMTP session would include

AUTH LOGIN
334 VXNlcm5hbWU6
cG9zdGZpeA==
334 UGFzc3dvcmQ6
              <--  nothing, just a return here
235 Authentication succeeded
DONE





More information about the dovecot mailing list