On Tuesday 25 January 2005 09:51 am, Ted Zlatanov wrote:
> On 24 Jan 2005, [EMAIL PROTECTED] wrote:
>
> > Anyway... Both qmail-send and qmail-verify recognize that more than one
> > result for a mail address lookup is an error and they will not deliver to
> > either recipient. I added duplicate [EMAIL PROTECTED] mailalternate
> > addresses and here is what I got.
>
> Great. Should your patch also guard against this possibility, though?
> That was my original concern. Someone malicious could set their
> mailAlternateAddress and break someone else's login in your system.

That protection is already there. Well, anyway, it protects against stealing mail. If you give away access to mailalternateaddress, a user can still break other mailboxes at will. Of course, nobody will be able to send to the broken mail address anyway, so a broken auth_pop response seems appropriate. At least it will make your phone ring so you can fix it.

A test with my custom auth mod ([EMAIL PROTECTED] has two matching mailalternate addresses):

sh# LOGLEVEL=255 /var/qmail/bin/qmail-popup asdf /var/qmail/bin/auth_pop env
+OK <[EMAIL PROTECTED]>
user [EMAIL PROTECTED]
+OK
pass XXXXXXX
init_ldap: control/ldaplogin:
init_ldap: control/ldappassword:
init_ldap: control/ldapserver: localhost
init_ldap: control/ldapbasedn: o=My Org, c=US
init_ldap: control/ldapobjectclass:
init_ldap: control/ldaptimeout: 40
init_ldap: control/ldaprebind: 1
init_ldap: control/ldapdefaultdotmode: both
init_ldap: control/defaultquotasize: 50000000
init_ldap: control/defaultquotacount: 0
init: control/ldaplocaldelivery: 0
init: control/ldapcluster: 0
init: control/dirmaker: /var/qmail/bin/soho-dirmaker
qldap_open: init successful
qldap_set_option: set referrals successful
qldap_bind: successful
qldap_lookup: search for (|([EMAIL PROTECTED])([EMAIL PROTECTED])) succeeded
qldap_lookup: Too many entries found (2)
warning: auth_error: authorization failed (too many objects)
-ERR temporary error

Note: "-ERR temporary error" is what gets passed back up to qmail-popup. The rest is debug output.

-ray.
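
An added example, not part of the original message or of qmail-ldap: one way to catch the condition behind "Too many entries found" before a user's login or delivery breaks is to scan an LDIF export of the directory for addresses claimed by more than one entry. It assumes the lookup matches on the mail and mailAlternateAddress attributes and compares addresses case-insensitively; the function names and sample entries are constructed for this example.

```python
import base64
from collections import defaultdict

# Attributes the address lookup is assumed to match on (lowercased schema names).
ADDRESS_ATTRS = {"mail", "mailalternateaddress"}

# Constructed sample export; DNs and addresses are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,o=My Org,c=US
mail: alice@example.org
mailAlternateAddress: sales@example.org
mailAlternateAddress: alice@example.org

dn: uid=bob,o=My Org,c=US
mail: bob@example.org
mailAlternateAddress: Alice@Example.org
mailAlternateAddress:: c2FsZXNAZXhhbXBsZS5vcmc=
"""


def parse_ldif(text):
    """Yield (dn, [(attr, value), ...]) per entry, unfolding continuation lines."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        pairs = []
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            pairs.append((name.lower(), value.strip()))
        dn = next((v for n, v in pairs if n == "dn"), None)
        if dn:
            yield dn, pairs


def find_conflicts(ldif_text):
    """Map each address claimed by more than one entry to the sorted DNs claiming it."""
    owners = defaultdict(set)
    for dn, pairs in parse_ldif(ldif_text):
        for name, value in pairs:
            if name in ADDRESS_ATTRS:
                owners[value.lower()].add(dn)  # a set: one entry repeating its own address is fine
    return {addr: sorted(dns) for addr, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for addr, dns in sorted(find_conflicts(SAMPLE_LDIF).items()):
        print(f"{addr}: matched by {len(dns)} entries -> {'; '.join(dns)}")
```

Each address it reports is one for which a lookup would return more than one entry, so both the legitimate owner and the entry that added the duplicate are listed for review.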
