Gorobets Igor | 2 Mar 08:12 2012

auths/dovecot.c , server_socket IP listen


Hello
The other day I needed to create SMTP authentication via Dovecot.
Since version 2.0, Dovecot can listen on a TCP/IP socket in addition to creating a UNIX socket.
I made changes to the file auths/dovecot.c.
Now, in the Exim config, server_socket can be set as follows:
server_socket = 127.0.0.1:9999
The file with the changes is attached.
Thank you.
Attachment (dovecot.c): text/x-csrc, 13 KiB

Phil Pennock | 2 Mar 11:00 2012

dbmjz lookup type - testing needed

So, it's all very well adding gsasl support but if real world admins
can't use it to migrate from Cyrus SASL, then it's not providing a
viable alternative.  I have nothing in particular against Cyrus, I just
want to make sure that we offer real options, with real competition.

sasldb2 stores passwords under a key composed of:
  $usercode \x00 $realm \x00 "userPassword"

I've added a new lookup type "dbmjz" to exim, on the "dbmjz" branch.  It
interprets the key as an Exim list and joins the list items together
with ASCII NUL characters to form the lookup key.  This key, with
embedded NULs, is then safely passed to the DBM routines and the result
retrieved.  Embedded NULs in the result will still cause problems
elsewhere, as may leading and trailing whitespace.

So I've tested this with both of:

auth_cram:
  driver        = gsasl
  public_name   = CRAM-MD5
  server_realm  = imap.spodhuis.org
  server_password = ${lookup{$auth1:$auth3:userPassword}dbmjz{/usr/local/etc/sasldb2}{$value}fail}
  server_set_id = ${quote:$auth1}
  server_condition = yes

auth_cram_own:
  driver     = cram_md5
  public_name   = CRAM-MD5
  server_secret = ${lookup{$auth1:imap.spodhuis.org:userPassword}dbmjz{/usr/local/etc/sasldb2}{$value}fail}
  server_set_id = $auth1

Phil Pennock | 2 Mar 11:25 2012

Re: GNU SASL gsasl integration into Exim

On 2012-02-13 at 21:52 -0500, Phil Pennock wrote:
>  (5) Exim currently can not use a string with embedded NULs, supplied in
>      configuration, for DB lookups, so you can *not* just use the gsasl
>      driver to talk directly to sasldb2 and cut over.  It would be
>      informative to see expressions of serious interest by users who
>      want this, so that we can judge the importance of this work.

There is now a "dbmjz" branch in Exim's git repository which adds the
"dbmjz" lookup type.  This new type is very similar to dbmnz, except
that the key is interpreted as an Exim list, the items of which are
joined together with ASCII NUL characters.

I can successfully authenticate to Exim using:

auth_cram_own:
  driver        = cram_md5
  public_name   = CRAM-MD5
  server_secret = ${lookup{$auth1:imap.spodhuis.org:userPassword}\
                    dbmjz{/usr/local/etc/sasldb2}{$value}fail}
  server_set_id = $auth1

Note here that "imap.spodhuis.org" is the server realm as used by my
Cyrus install, whereas "userPassword" is a literal string.

You need to make sure that the Exim run-time user has read access to the
sasldb2 file.

This also works with the new gsasl authenticator, so that with gsasl and
dbmjz you should be able to migrate from Cyrus SASL to GNU SASL while
using the same password stores.
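Added example, not part of the original messages and not Exim's code: a C sketch of the key construction both dbmjz messages above describe, joining list items with NUL bytes, and of why the result has to be handled as a length-counted buffer. The list splitting is a simplified assumption (single ':' separates items, "::" is a literal colon), and the user and realm are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

unsigned char demo_key[128];  /* shared buffer for the demo below */

/* Join the items of a colon-separated list with NUL bytes, following the
 * dbmjz description in the messages above. Simplified model (assumption):
 * a single ':' separates items and "::" stands for a literal colon; no
 * other Exim list syntax is handled. Returns the key length in bytes,
 * or -1 if the key does not fit in out. */
int join_nul(const char *list, unsigned char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return -1;
    for (const char *p = list; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == ':') {
            if (p[1] == ':') p++;    /* doubled colon: keep one ':' */
            else c = 0;              /* item boundary becomes NUL */
        }
        if (n + 1 >= cap) return -1; /* keep room for the terminator */
        out[n++] = c;
    }
    out[n] = '\0';  /* only for the strlen() contrast; not part of the key */
    return (int)n;
}

/* Length that a NUL-terminated-string API would see for the same buffer. */
int c_string_len(const unsigned char *key)
{
    return (int)strlen((const char *)key);
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    int len = join_nul("alice:example.org:userPassword", demo_key, sizeof demo_key);

    printf("key bytes: %d, strlen sees: %d\nkey: ", len, c_string_len(demo_key));
    for (int i = 0; i < len; i++) {
        if (demo_key[i] == 0) fputs("\\x00", stdout);
        else putchar(demo_key[i]);
    }
    putchar('\n');
    return 0;
}
```

Any code path that measures this key with strlen() stops at the first NUL and looks up only the user part, which is why the key must travel with its explicit length.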

Phil Pennock | 2 Mar 16:13 2012

Re: DKIM problems

On 2012-02-20 at 12:14 +0100, Marcin Mirosław wrote:
> On 19.01.2012 22:34, Marcin Mirosław wrote:
> > On 2012-01-19 21:49, Phil Pennock wrote:
> >> If you have a copy of such an email which you're willing to share, then
> >> could you please forward it, WITH ALL HEADERS INTACT, to me and I'll
> >> try to find time to take a look.
> > 
> > I sent such mail to you offlist.
> > Thank you.
> > 
> 
> Hello!
> Did you have some time to look into the problematic email?

Is it possible that the mail was received using \r line termination,
instead of \r\n ?

I think that we have a bug in that case: after the \r, we call
receive_getc() and if the resulting character is *not* \n, then we put
it back with receive_ungetc().

Meanwhile, each call to receive_getc() updates DKIM state, so if
receive_ungetc() is ever called, that character will update DKIM state
twice.

If you can confirm this, eg with tcpdump, then we may have found the
cause.

CC'ing Tom, for confirmation of analysis (I need sleep and may have
missed something).
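Added example, not part of the original message and not Exim source: a toy C reader that models the hypothesis above, where every get passes the byte to a verifier hook and a pushed-back byte is passed again when it is re-read. All names (struct reader, rd_get, bytes_fed) and the inputs are constructed for illustration.

```c
#include <stdio.h>

/* Toy reader modelling the hypothesis in the message above (assumption,
 * not Exim source): each get passes the byte to a verifier hook, and a
 * pushed-back byte is returned again by the next get. */
struct reader {
    const char *in;
    size_t pos, len;
    int pushed;          /* pushed-back byte, or -1 */
    int feed_on_reread;  /* 1: hook runs again for a pushed-back byte */
    size_t fed;          /* number of bytes the hook has received */
};

static int rd_get(struct reader *r)
{
    int c;
    if (r->pushed >= 0) {
        c = r->pushed;
        r->pushed = -1;
        if (r->feed_on_reread) r->fed++;  /* same byte counted twice */
        return c;
    }
    if (r->pos >= r->len) return -1;
    c = (unsigned char)r->in[r->pos++];
    r->fed++;                             /* hook sees each new byte once */
    return c;
}

/* Read msg the way the message describes: after '\r', fetch the next byte
 * and put it back unless it is '\n'. Returns how many bytes the hook saw. */
size_t bytes_fed(const char *msg, size_t len, int feed_on_reread)
{
    struct reader r = { msg, 0, len, -1, feed_on_reread, 0 };
    int c;
    while ((c = rd_get(&r)) >= 0) {
        if (c != '\r') continue;
        int next = rd_get(&r);
        if (next >= 0 && next != '\n') r.pushed = next;  /* unget */
    }
    return r.fed;
}

int main(void)
{
    /* Constructed inputs, 6 bytes each. */
    const char bare_cr[] = "a\rb\r\nc", crlf[] = "a\r\nb\r\n";
    printf("bare CR:   hook saw %zu bytes (re-fed) vs %zu (fed once)\n",
           bytes_fed(bare_cr, 6, 1), bytes_fed(bare_cr, 6, 0));
    printf("CRLF only: hook saw %zu bytes vs %zu\n",
           bytes_fed(crlf, 6, 1), bytes_fed(crlf, 6, 0));
    return 0;
}
```

In this model only input containing a bare \r reaches the push-back path; a stream that uses \r\n throughout feeds the hook the same bytes either way, so a capture showing the actual line endings is what separates the two cases.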

Marcin Mirosław | 2 Mar 17:46 2012

Re: DKIM problems

On 02.03.2012 16:13, Phil Pennock wrote:
> Is it possible that the mail was received using \r line termination,
> instead of \r\n ?
> 
> I think that we have a bug in that case: after the \r, we call
> receive_getc() and if the resulting character is *not* \n, then we put
> it back with receive_ungetc().
> 
> Meanwhile, each call to receive_getc() updates DKIM state, so if
> receive_ungetc() is ever called, that character will update DKIM state
> twice.
> 
> If you can confirm this, eg with tcpdump, then we may have found the
> cause.
> 
> CC'ing Tom, for confirmation of analysis (I need sleep and may have
> missed something).

Hello,
I can see the 0d0a sequence in the stream at the end of the line.
Phil, thanks for looking into the problem, sleep well
(I created a test email account so I'm attaching the whole tcpdump flow).
Regards,
Marcin
Attachment (dkim-exim.tcp): application/octet-stream, 4165 bytes
--

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/

Tom Kistner | 2 Mar 16:37 2012

Re: [exim] DKIM problems

Thanks for checking. I'm traveling and will take a look at this next week.

-----Original Message-----
From: Phil Pennock [mailto:pdp <at> exim.org] 
Sent: Friday, 2 March 2012 16:13
To: Marcin Mirosław
Cc: exim-users <at> exim.org; exim-dev <at> exim.org; Tom Kistner
Subject: Re: [exim] DKIM problems

On 2012-02-20 at 12:14 +0100, Marcin Mirosław wrote:
> On 19.01.2012 22:34, Marcin Mirosław wrote:
> > On 2012-01-19 21:49, Phil Pennock wrote:
> >> If you have a copy of such an email which you're willing to share, 
> >> then could you please forward it, WITH ALL HEADERS INTACT, to me 
> >> and I'll try to find time to take a look.
> > 
> > I sent such mail to you offlist.
> > Thank you.
> > 
> 
> Hello!
> Did you have some time to look into the problematic email?

Is it possible that the mail was received using \r line termination, instead of \r\n ?

I think that we have a bug in that case: after the \r, we call
receive_getc() and if the resulting character is *not* \n, then we put it back with receive_ungetc().

Meanwhile, each call to receive_getc() updates DKIM state, so if
receive_ungetc() is ever called, that character will update DKIM state twice.

Drav Sloan | 3 Mar 14:50 2012

Re: GNU SASL gsasl integration into Exim

Phil Pennock wrote:
> I can successfully authenticate to Exim using:
> 
> auth_cram_own:
>   driver        = cram_md5
>   public_name   = CRAM-MD5
>   server_secret = ${lookup{$auth1:imap.spodhuis.org:userPassword}\
>                     dbmjz{/usr/local/etc/sasldb2}{$value}fail}
>   server_set_id = $auth1

I have been successful in compiling and using this on my company's Exim
server. A handful of weekend users (including myself) have all successfully
authenticated. Monday morning will provide some better "stress testing"
but it works perfectly so far!

Regards

D.

> -- 
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/


Phil Pennock | 4 Mar 09:28 2012

Re: GNU SASL gsasl integration into Exim

On 2012-03-03 at 13:50 +0000, Drav Sloan wrote:
> Phil Pennock wrote:
> > I can successfully authenticate to Exim using:
> > 
> > auth_cram_own:
> >   driver        = cram_md5
> >   public_name   = CRAM-MD5
> >   server_secret = ${lookup{$auth1:imap.spodhuis.org:userPassword}\
> >                     dbmjz{/usr/local/etc/sasldb2}{$value}fail}
> >   server_set_id = $auth1
> 
> I have been successful in compiling and using this on my company's Exim
> server. A handful of weekend users (including myself) have all successfully
> authenticated. Monday morning will provide some better "stress testing"
> but it works perfectly so far!

Good to know, thanks.  :)

I'd be interested to know your views on the utility of this, versus just
proving that it can be done and having an alternative/competitor.

"One less moving part"?  Problems with saslauthd?  Or "doesn't really
matter to us"?

Ta muchly,
-Phil


Drav Sloan | 5 Mar 14:36 2012

Re: GNU SASL gsasl integration into Exim

Phil Pennock wrote:
> > I have been successful in compiling and using this on my company's Exim
> > server. A handful of weekend users (including myself) have all successfully
> > authenticated. Monday morning will provide some better "stress testing"
> > but it works perfectly so far!
> 
> Good to know, thanks.  :)

And FYI, today has seen no issues.

> I'd be interested to know your views on the utility of this, versus just
> proving that it can be done and having an alternative/competitor.
> 
> "One less moving part"?  Problems with saslauthd?  Or "doesn't really
> matter to us"?

I remember having issues, some time ago, when setting up our Exim mail
server to play with sasl - it took a certain amount of faff to get it
to work. This looks like a clearer and more straightforward way to do
similar authentication (it just worked when I put your example in place
with the appropriate tweaks for my server).

D.


Arkadiusz Miskiewicz | 8 Mar 11:25 2012

[Bug 1216] New: exigrep doesn't find all entries relevant to the message

------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1216
           Summary: exigrep doesn't find all entries relevant to the message
           Product: Exim
           Version: 4.76
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Exigrep
        AssignedTo: nigel <at> exim.org
        ReportedBy: arekm <at> maven.pl
                CC: exim-dev <at> exim.org

# exigrep -l some <at> email.pl logfile

finds:

2012-03-08 11:18:10 1S5aQE-0002B2-FJ <= root <at> test.pl U=root P=local S=466
2012-03-08 11:19:09 1S5aQE-0002B2-FJ => user1 <some <at> email.pl>
R=sql_uservacation T=uservacation_transport QT=59s
2012-03-08 11:19:09 1S5aQE-0002B2-FJ => some <at> other.email.pl <some <at> email.pl>
R=send_to_mailmxout_gateway T=remote_smtp H=mailmxout.pl [1.1.1.1] C="250 OK
id=1S5aRB-0002Es-Ss" QT=59s
2012-03-08 11:19:09 1S5aQE-0002B2-FJ Completed

while 