<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
</div>
<blockquote type="cite">
<div>
On 17/02/2023 23:16 EET Jeff Rogers &lt;<a href="mailto:dvrsn@diphi.com">dvrsn@diphi.com</a>&gt; wrote:
</div>
<div>
</div>
<div>
</div>
<div>
Hi all,
</div>
<div>
</div>
<div>
I recently discovered a configuration issue on my system where a system
</div>
<div>
user account had a blank rather than invalid or disabled password in the
</div>
<div>
passwd/shadow database. The user could not be logged into through
</div>
<div>
login/telnet/ssh because it was marked as a system account (uid &lt; 100).
</div>
<div>
Dovecot also would not authenticate the user for the same reason.
</div>
<div>
However, I'm using exim using dovecot_login for authentication, and that
</div>
<div>
would authenticate the user with a blank and allow me to be used as an
</div>
<div>
open relay.
</div>
<div>
</div>
<div>
This is clearly a config issue on my part (since fixed), but should
</div>
<div>
dovecot_login guard against blank passwords or system users just as a
</div>
<div>
normal login does?
</div>
<div>
</div>
<div>
I'm running dovecot 2.2.36 (1f10bfa63)
</div>
<div>
Exim version 4.96
</div>
<div>
</div>
<div>
I don't know which software supplies the dovecot_login connector.
</div>
<div>
</div>
<div>
The SMTP session would include
</div>
<div>
</div>
<div>
AUTH LOGIN
</div>
<div>
334 VXNlcm5hbWU6
</div>
<div>
cG9zdGZpeA==
</div>
<div>
334 UGFzc3dvcmQ6
</div>
<div>
&lt;-- nothing, just a return here
</div>
<div>
235 Authentication succeeded
</div>
<div>
DONE
</div>
</blockquote>
<div class="default-style">
</div>
<div class="default-style">
Hi!
</div>
<div class="default-style">
</div>
<div class="default-style">
Can you provide logs about this with auth_debug=yes and doveconf -n output?
</div>
<div class="io-ox-signature">
<pre>---
Aki</pre>
</div>
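<div class="default-style">
The condition described in the quoted report (an account whose passwd/shadow password field is blank rather than invalid or disabled) can be audited offline. The following is an added example, not part of the original thread and not Dovecot or Exim code; the function names, the sample entries and the use of 100 as the system-uid threshold (taken from the report) are assumptions for illustration.
</div>
<pre>
```python
# Added example: audit passwd/shadow-format text for accounts whose password
# field is empty (blank password) rather than locked ("!" or "*").

SYSTEM_UID_LIMIT = 100  # assumption: threshold from the report (uid below 100)

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postfix:x:89:89:Postfix:/var/spool/postfix:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
postfix::19000:0:99999:7:::
mail:*:19000:0:99999:7:::
alice:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
"""

def parse_colon_db(text, min_fields):
    """Map account name to its colon-separated fields, skipping junk lines."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            rows[fields[0]] = fields
    return rows

def classify(pw_field):
    """'blank' = empty field, 'locked' = starts with ! or *, else 'set'."""
    if pw_field == "":
        return "blank"
    return "locked" if pw_field[0] in "!*" else "set"

def audit(passwd_text, shadow_text, uid_limit=SYSTEM_UID_LIMIT):
    """Return (name, uid, is_system) for every account with a blank password."""
    passwd = parse_colon_db(passwd_text, 7)
    findings = []
    for name, fields in sorted(parse_colon_db(shadow_text, 2).items()):
        if classify(fields[1]) != "blank":
            continue
        uid = int(passwd[name][2]) if name in passwd else None
        findings.append((name, uid, uid is not None and uid_limit > uid))
    return findings

if __name__ == "__main__":
    for name, uid, is_system in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"blank password: {name} uid={uid} system={is_system}")
```
</pre>
<div class="default-style">
On a live host the same functions can be fed the contents of /etc/passwd and /etc/shadow (the latter requires root to read).
</div>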
</body>
</html>