&%authresults%& expansion item.
.new
-.cindex authentication "failure event"
+.cindex authentication "failure event, server"
If an authenticator is run and does not succeed,
an event (see &<<CHAPevents>>&) of type "auth:fail" is raised.
While the event is being processed the variables
&$sender_host_authenticated$& (with the authenticator name)
-and &$authenticated_fail_id$& (as set by the suthenticator &%server_set_id%& option)
+and &$authenticated_fail_id$& (as set by the authenticator &%server_set_id%& option)
will be valid.
+If the event is serviced and a string is returned then the string will be logged
+instead of the default log line.
See <<CHAPevents>> for details on events.
.wen
Exim abandons trying to send the message to the host for the moment. It will
try again later. If there are any backup hosts available, they are tried in the
usual way.
+
+.new
+.next
+.cindex authentication "failure event, client"
+If the response to authentication is a permanent error (5&'xx'& code),
+an event (see &<<CHAPevents>>&) of type "auth:fail" is raised.
+While the event is being processed the variable
+&$sender_host_authenticated$& (with the authenticator name)
+will be valid.
+If the event is serviced and a string is returned then the string will be logged.
+See <<CHAPevents>> for details on events.
+.wen
+
.next
If the response to authentication is a permanent error (5&'xx'& code), Exim
carries on searching the list of authenticators and tries another one if
The current list of events is:
.itable all 0 0 4 25* left 10* center 15* center 50* left
-.row auth:fail after main "per driver per authentication attempt"
+.row auth:fail after both "per driver per authentication attempt"
.row dane:fail after transport "per connection"
.row msg:complete after main "per message"
.row msg:defer after transport "per message per delivery try"
return an empty string. Should it return anything else the
following will be forced:
.itable all 0 0 2 20* left 80* left
+.row auth:fail "log information to write"
.row tcp:connect "do not connect"
.row tls:cert "refuse verification"
.row smtp:connect "close connection"
1. The expansion-test faciility (exim -be) can set variables.
- 2. An event on a failing SMTP AUTH, server side.
+ 2. An event on a failing SMTP AUTH, for both client and server operations.
Version 4.96
------------
{ DEBUG(D_auth) debug_printf("tls auth succeeded\n"); }
else
{
- uschar * save_name = sender_host_authenticated;
DEBUG(D_auth) debug_printf("tls auth not succeeded\n");
- sender_host_authenticated = au->name;
- (void) event_raise(event_action, US"auth:fail", s, NULL);
- sender_host_authenticated = save_name;
+#ifndef DISABLE_EVENT
+ {
+ uschar * save_name = sender_host_authenticated, * logmsg;
+ sender_host_authenticated = au->name;
+ if ((logmsg = event_raise(event_action, US"auth:fail", s, NULL)))
+ log_write(0, LOG_MAIN, "%s", logmsg);
+ sender_host_authenticated = save_name;
+ }
+#endif
}
}
break;
smtp_printf("%s\r\n", FALSE, smtp_resp);
if (rc != OK)
{
- uschar * save_name = sender_host_authenticated;
-
- log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
- au->name, host_and_ident(FALSE), errmsg);
- sender_host_authenticated = au->name;
- (void) event_raise(event_action, US"auth:fail", smtp_resp, NULL);
- sender_host_authenticated = save_name;
+ uschar * logmsg = NULL;
+#ifndef DISABLE_EVENT
+ {uschar * save_name = sender_host_authenticated;
+ sender_host_authenticated = au->name;
+ logmsg = event_raise(event_action, US"auth:fail", smtp_resp, NULL);
+ sender_host_authenticated = save_name;
+ }
+#endif
+ if (logmsg)
+ log_write(0, LOG_MAIN|LOG_REJECT, "%s", logmsg);
+ else
+ log_write(0, LOG_MAIN|LOG_REJECT, "%s authenticator failed for %s: %s",
+ au->name, host_and_ident(FALSE), errmsg);
}
}
else
sx->buffer, sizeof(sx->buffer));
sx->outblock.authenticating = FALSE;
driver_srcfile = authenticator_name = NULL; driver_srcline = 0;
-DEBUG(D_transport) debug_printf("%s authenticator yielded %d\n", au->name, rc);
+DEBUG(D_transport) debug_printf("%s authenticator yielded %s\n", au->name, rc_names[rc]);
/* A temporary authentication failure must hold up delivery to
this host. After a permanent authentication failure, we carry on
/* Failure after reading a response */
case FAIL:
+ {
+ uschar * logmsg = NULL;
+
if (errno != 0 || sx->buffer[0] != '5') return FAIL;
- log_write(0, LOG_MAIN, "%s authenticator failed H=%s [%s] %s",
- au->name, host->name, host->address, sx->buffer);
+#ifndef DISABLE_EVENT
+ {
+ uschar * save_name = sender_host_authenticated;
+ sender_host_authenticated = au->name;
+ if ((logmsg = event_raise(sx->conn_args.tblock->event_action, US"auth:fail",
+ sx->buffer, NULL)))
+ log_write(0, LOG_MAIN, "%s", logmsg);
+ sender_host_authenticated = save_name;
+ }
+#endif
+ if (!logmsg)
+ log_write(0, LOG_MAIN, "%s authenticator failed H=%s [%s] %s",
+ au->name, host->name, host->address, sx->buffer);
break;
+ }
/* Failure by some other means. In effect, the authenticator
decided it wasn't prepared to handle this case. Typically this
logger:
warn logwrite = event $event_name
set acl_m1 = ${listextract{1}{$event_name}}
- accept condition = ${if !inlist{$acl_m1}{tcp:smtp:msg:auth}}
- logwrite = UNEXPECTED $event_name
- accept acl = ev_$acl_m1
+ accept condition = ${if inlist{$acl_m1}{tcp:smtp:msg:auth}}
+ acl = ev_$acl_m1
+ accept logwrite = UNEXPECTED $event_name
auth_advertise_hosts = 10.0.0.5
trusted_users = CALLER
-event_action = ${acl {logger}}
+event_action = ${acl {auth_event}}
# ----- ACL -----
.include DIR/aux-fixed/event-logger-acl
+auth_event:
+ warn acl = logger
+ accept condition = ${if eq {$event_name}{auth:fail}}
+ message = custom-message: $sender_host_authenticated authenticator failed \
+ H=$sender_fullhost [$sender_host_address] $event_data $authenticated_fail_id
+
# ----- Authentication -----
--- /dev/null
+# Exim test configuration 3419
+
+.include DIR/aux-var/std_conf_prefix
+
+log_selector = +smtp_mailauth
+primary_hostname = myhost.test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = accept
+
+
+# ----- ACL -----
+
+begin acl
+
+.include DIR/aux-fixed/event-logger-acl
+
+auth_event:
+ warn acl = logger
+ accept condition = ${if eq {$event_name}{auth:fail}}
+ message = custom-message: $sender_host_authenticated authenticator failed H=$host [$host_address] $event_data
+
+# ----- Authentication -----
+
+begin authenticators
+
+login:
+ driver = plaintext
+ public_name = LOGIN
+ client_send = : userx : secret
+ client_set_id = userx
+
+# ----- Routers -----
+
+begin routers
+
+force:
+ driver = manualroute
+ route_list = domain.com 127.0.0.1 byname
+ self = send
+ transport = smtp_force
+ errors_to = ""
+
+# ----- Transports -----
+
+begin transports
+
+smtp_force:
+ driver = smtp
+ port = PORT_S
+ hosts_try_fastopen = :
+ hosts_require_auth = *
+ event_action = ${acl {auth_event}}
+
+
+# ----- Retry -----
+
+
+begin retry
+
+* auth_failed
+* * F,1h,10m
+
+# End
-1999-03-02 09:44:33 testname authenticator failed for (testing.testing) [10.0.0.5] U=CALLER: 535 Incorrect authentication data (set_id=rx secret)
1999-03-02 09:44:33 event auth:fail
1999-03-02 09:44:33 . "auth fail" event_data <535 Incorrect authentication data> sender_host_authenticated <testname> authenticated_fail_id < (set_id=rx secret)>
-1999-03-02 09:44:33 testname authenticator failed for (testing.testing) [10.0.0.5] U=CALLER: 501 Invalid base64 data
+1999-03-02 09:44:33 custom-message: testname authenticator failed H=(testing.testing) [10.0.0.5] [10.0.0.5] 535 Incorrect authentication data (set_id=rx secret)
1999-03-02 09:44:33 event auth:fail
1999-03-02 09:44:33 . "auth fail" event_data <501 Invalid base64 data> sender_host_authenticated <testname> authenticated_fail_id <>
+1999-03-02 09:44:33 custom-message: testname authenticator failed H=(testing.testing) [10.0.0.5] [10.0.0.5] 501 Invalid base64 data
--- /dev/null
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 event tcp:connect
+1999-03-02 09:44:33 10HmaX-0005vi-00 . [127.0.0.1]:1111
+1999-03-02 09:44:33 10HmaX-0005vi-00 event smtp:connect
+1999-03-02 09:44:33 10HmaX-0005vi-00 . [127.0.0.1] -> [127.0.0.1]:PORT_S
+1999-03-02 09:44:33 10HmaX-0005vi-00 . banner <220 ESMTP>
+1999-03-02 09:44:33 10HmaX-0005vi-00 event smtp:ehlo
+1999-03-02 09:44:33 10HmaX-0005vi-00 . [127.0.0.1] -> [127.0.0.1]:PORT_S
+1999-03-02 09:44:33 10HmaX-0005vi-00 . ehlo-resp <250-OK\n250-HELP\n250 AUTH LOGIN>
+1999-03-02 09:44:33 10HmaX-0005vi-00 event auth:fail
+1999-03-02 09:44:33 10HmaX-0005vi-00 . "auth fail" event_data <599 no way, man> sender_host_authenticated <login> authenticated_fail_id <>
+1999-03-02 09:44:33 10HmaX-0005vi-00 custom-message: login authenticator failed H=127.0.0.1 [127.0.0.1] 599 no way, man
+1999-03-02 09:44:33 10HmaX-0005vi-00 event tcp:close
+1999-03-02 09:44:33 10HmaX-0005vi-00 . [127.0.0.1] -> [127.0.0.1]:PORT_S
+1999-03-02 09:44:33 10HmaX-0005vi-00 event msg:host:defer
+1999-03-02 09:44:33 10HmaX-0005vi-00 . host deferral ip <127.0.0.1> port <1224> fqdn <127.0.0.1> local_part <userx> domain <domain.com> errno <-42> errstr <authentication required but authentication attempt(s) failed> router <force> transport <smtp_force>
+1999-03-02 09:44:33 10HmaX-0005vi-00 event msg:defer
+1999-03-02 09:44:33 10HmaX-0005vi-00 . message deferral ip <127.0.0.1> port <1224> fqdn <127.0.0.1> local_part <userx> domain <domain.com> errno <-42> errstr <authentication required but authentication attempt(s) failed> router <force> transport <smtp_force>
+1999-03-02 09:44:33 10HmaX-0005vi-00 == userx@domain.com R=force T=smtp_force defer (-42): authentication required but authentication attempt(s) failed
+1999-03-02 09:44:33 10HmaX-0005vi-00 ** userx@domain.com: retry timeout exceeded
+1999-03-02 09:44:33 10HmaX-0005vi-00 event msg:fail:delivery
+1999-03-02 09:44:33 10HmaX-0005vi-00 . refused by fdqn <> local_part <userx> domain <domain.com> errstr <authentication required but authentication attempt(s) failed: retry timeout exceeded>
+1999-03-02 09:44:33 10HmaX-0005vi-00 userx@domain.com: error ignored
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 testname authenticator failed for (testing.testing) [10.0.0.5] U=CALLER: 535 Incorrect authentication data (set_id=rx secret)
-1999-03-02 09:44:33 testname authenticator failed for (testing.testing) [10.0.0.5] U=CALLER: 501 Invalid base64 data
+1999-03-02 09:44:33 custom-message: testname authenticator failed H=(testing.testing) [10.0.0.5] [10.0.0.5] 535 Incorrect authentication data (set_id=rx secret)
+1999-03-02 09:44:33 custom-message: testname authenticator failed H=(testing.testing) [10.0.0.5] [10.0.0.5] 501 Invalid base64 data
--- /dev/null
+# plaintext client fail event
+need_ipv4
+#
+server PORT_S
+220 ESMTP
+EHLO
+250-OK
+250-HELP
+250 AUTH LOGIN
+AUTH LOGIN
+334 VXNlciBOYW1l
+dXNlcng
+334 UGFzc3dvcmQ=
+c2VjcmV0
+599 no way, man
+QUIT
+250 OK
+****
+exim -odi userx@domain.com
+.
+no_msglog_check
--- /dev/null
+
+******** SERVER ********
+Listening on port 1224 ...
+Connection request from [127.0.0.1]
+220 ESMTP
+EHLO myhost.test.ex
+250-OK
+250-HELP
+250 AUTH LOGIN
+AUTH LOGIN
+334 VXNlciBOYW1l
+dXNlcng=
+334 UGFzc3dvcmQ=
+c2VjcmV0
+599 no way, man
+QUIT
+250 OK
+End of script
git://git.exim.org / exim.git / commitdiff