In my opinion, symptom number 2 is a direct cause of problem 3.
I'll dig out my copy of Eudora 4.3. I'm not sure if it is 4.3.? I'll have
to look.
A small consolation is that there is light at the end of the tunnel. I
hear from the grapevine that a version may be released for beta 1 (alpha)
testing from Ipswitch.
Unfortunately there is no KB entry yet which acknowledges the problem.
(That's probably more strategy related)
Anthony
----- Original Message -----
From: "R. Scott Perry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 12, 2000 3:45 PM
Subject: RE: [IMail Forum] DoS vulnerability on Imail 5.x/6.x???
> > > Is Eudora 4.3 different from 4.3.1, and if so, is there somewhere where it
> > > can be downloaded? Does anyone know how this can be reproduced without
> > > Eudora (what commands to send)? This is starting to sound like an urban
> > > legend, but if there truly is a vulnerability, I'd like to know about it.
> >
> > When I upped from 4.2.2 to 4.3, I couldn't send mail anymore.
> > In the Eud mail personality box, I had to uncheck the
> > "authentification allowed" box. So something most definitely
> > happened in the Eud 4.3 in the smtp auth area.
>
> This is SMTP AUTH problem #1 (Eudora can't authenticate). It occurs because
> of the IMail and Eudora bugs (Eudora using CRAM-MD5 even though IMail says
> it won't accept it, and IMail not sending a CRLF after the authentication
> string), that causes the client to hang. This bug can be verified pretty
> easily (sending EHLO followed by AUTH CRAM-MD5, you'll see the missing CRLF,
> which the RFC says should be there).
>
> SMTP AUTH problem #2 is that people using Netscape (and possibly other mail
> clients) occasionally can't authenticate. In some reports, the server needs
> rebooting. In other reports, the people can authenticate a minute or two
> later.
>
> SMTP AUTH problem #3 (which I haven't confirmed) suggests that anyone using
> Eudora 4.3 (but probably not 4.3.1) will cause the IMail server (SMTPD
> only?) to hang, until Eudora times out. Nobody can do anything more than
> say that Eudora 4.3 will cause this; Eudora 4.3 is no longer available for
> download. My testing can't reproduce this problem. I'm starting to doubt
> that the problem truly exists. If I can get my hands on a copy of Eudora
> 4.3, or someone can show how it can be reproduced without Eudora 4.3, I'll
> believe it.
>
> The neat thing is that SMTP AUTH problem #3, if it does exist, could easily
> explain SMTP AUTH problem #2 (which would really only be a symptom of #3,
> rather than its own problem).
> -Scott
>
> Please visit http://www.ipswitch.com/support/mailing-lists.html
> to be removed from this list.
>
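The check described in the quoted message for SMTP AUTH problem #1 (send EHLO, then AUTH CRAM-MD5, and see whether the reply ends in CRLF), written out as an added example that is not part of the original thread. The stub server, its host names and the challenge string are constructed stand-ins, not IMail output; point `check_cram_md5` at a connected socket to a server you administer to run the same check for real.

```python
import socket
import threading

def read_reply(sock, timeout=1.0):
    """Read one SMTP reply; return (raw bytes, True if its final line ended in CRLF)."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        if buf.endswith(b"\r\n"):
            last = buf[:-2].split(b"\r\n")[-1]
            # The final line of a reply is "NNN text"; "NNN-text" means more lines follow.
            if last[:3].isdigit() and last[3:4] != b"-":
                return buf, True
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            return buf, False  # server went quiet mid-line: a waiting client hangs here
        if not chunk:
            return buf, False
        buf += chunk

def check_cram_md5(sock, helo_name="client.example"):
    """Send EHLO then AUTH CRAM-MD5; report whether the reply is CRLF-terminated."""
    read_reply(sock)  # greeting banner
    sock.sendall(b"EHLO " + helo_name.encode() + b"\r\n")
    ehlo, _ = read_reply(sock)
    auth_lines = [l for l in ehlo.upper().split(b"\r\n") if l[4:].startswith(b"AUTH")]
    sock.sendall(b"AUTH CRAM-MD5\r\n")
    reply, terminated = read_reply(sock)
    return {"advertised": any(b"CRAM-MD5" in l for l in auth_lines),
            "reply": reply, "crlf_terminated": terminated}

def run_against_stub(auth_reply):
    """Constructed stand-in server (not IMail) that answers AUTH with `auth_reply`."""
    client, server = socket.socketpair()
    def serve():
        server.sendall(b"220 stub.example ESMTP\r\n")
        server.recv(1024)  # EHLO
        server.sendall(b"250-stub.example\r\n250 AUTH LOGIN\r\n")
        server.recv(1024)  # AUTH CRAM-MD5
        server.sendall(auth_reply)
    threading.Thread(target=serve, daemon=True).start()
    try:
        return check_cram_md5(client)
    finally:
        client.close()
        server.close()
```

A result with `advertised` false and `crlf_terminated` false corresponds to the combination described for problem #1: the mechanism is not offered in the EHLO reply, and the reply to it is left unterminated, so a client waiting for the end of the line stalls until its own timeout.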