dovecot_login accepts blank password for exim smtp auth
Jeff Rogers
dvrsn at diphi.com
Fri Feb 17 21:16:22 UTC 2023
Hi all,
I recently discovered a configuration issue on my system where a system
user account had a blank rather than invalid or disabled password in the
passwd/shadow database. The user could not be logged into through
login/telnet/ssh because it was marked as a system account (uid < 100).
Dovecot also would not authenticate the user for the same reason.
However, I'm using exim using dovecot_login for authentication, and that
would authenticate the user with a blank and allow me to be used as an
open relay.
This is clearly a config issue on my part (since fixed), but should
dovecot_login guard against blank passwords or system users just as a
normal login does?
I'm running dovecot 2.2.36 (1f10bfa63)
Exim version 4.96
I don't know which software supplies the dovecot_login connenector.
The SMTP session would include
AUTH LOGIN
334 VXNlcm5hbWU6
cG9zdGZpeA==
334 UGFzc3dvcmQ6
<-- nothing, just a return here
235 Authentication succeeded
DONE
More information about the dovecot
mailing list