1 - it's always the same username at the same client. I don't know why the PID changes. Is it a qpopper architecture behavior?
2 - I've checked with a sniffer and the MD5 stuff is correctly exchanged between the client and the server
Any hint?
Analysing the sniffer trace I've seen the following strange thing: there is, among the correct APOP exchange packets, a flow which uses the USER command! Because of this command, a response -ERR [AUTH] comes back! Hmmm....could it be an Eudora problem? Could it be a Windows problem? I'm sure that....
Damn! I FOUND IT!!!
The user has the 3M Post-it utility installed on his computer and this funny (and useful) piece of code has the capability to use SMTP and POP to exchange yellow notes via e-mail, but IS NOT APOP compliant!
Well! Lesson learned ;-)
Thank you Chuck and all for your help in exercising my gray matter!
BYE and MERRY XMAS!!!!
At 09.20 04/12/2002 -0800, you wrote:
Quoting Gennaro Esposito ([EMAIL PROTECTED]):
> Hi Chuck
> I'm sorry but the user IS using APOP
> here is an example (from mail server syslog)
Process 31231:
> Dec 3 14:50:43 <mailserver> qpopper[31231]: apop "<username>"
> Dec 3 14:50:43 <mailserver> qpopper[31231]: Stats: <username> 1 2034 0 0 <client-fqdn> <client ip-add>
Process 30947:
> Dec 3 14:50:52 <mailserver> qpopper[30947]: <username> at <client-fqdn> (<client ip-add>): -ERR [AUTH] You must use stronger authentication such as AUTH or APOP to connect to this server
I don't see APOP being used in the second.
It's sort of a pain that you are removing the usernames, 'cause I, at
least, can't tell if it's the same username/ip/fqdn in all these.
"I'm pushing a pedal in my car, but it won't stop."
Which pedal? Not mentioned. Try real logs if you're still stuck.
> Hmmm....I don't see the $MD5_blob_of_data you referred but maybe this is
> simply not written down in the syslog...
No, it's not. Using a sniffer (tcpdump or - better - ethereal) will
show you the actual interaction, not a log of the interaction.
> I'll sniff the LAN to see more in depth.
> Thanks for your suggestion, anyway
> bye
> At 09.47 03/12/2002 -0800, you wrote:
> >Then the user is not using APOP. Trace the connection;
> >turn up debugging, run ethereal, whatever.
> >My money is that the client is offering:
> >USER user@fqdn
> >
> >rather than "APOP user@fqdn $MD5_blob_of_data"
>
Gennaro Esposito
(System & Security Engineer)
MARS Center *****************************
Via E. Gianturco,31 * YES! I SUPPORT *
I-80146 - Napoli - ITALY * *
ph.: +39 081-6042 493 * _/_/ _ _/_/ *
fax...: +39 081-6042 100 * _/_/===x===_/_/ *
mailto:[EMAIL PROTECTED] * _/_/ _/_/ *
http://www.marscenter.it * *
ftp://ftp.marscenter.it *International Space Station*
*****************************
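
The pattern diagnosed in this thread, an APOP login and a rejected non-APOP attempt for the same user and address arriving as separate qpopper processes, can be spotted directly in syslog. The Python script below is an added example, not part of the original messages: the sample lines are constructed in the format quoted above, the names alice, bob, mail, pc1/pc2.example.org and the 192.0.2.x addresses are placeholders, and it assumes each qpopper PID corresponds to one connection.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the thread's syslog format; names and addresses are placeholders.
SAMPLE_LOG = """\
Dec  3 14:50:43 mail qpopper[31231]: apop "alice"
Dec  3 14:50:43 mail qpopper[31231]: Stats: alice 1 2034 0 0 pc1.example.org 192.0.2.10
Dec  3 14:50:52 mail qpopper[30947]: alice at pc1.example.org (192.0.2.10): -ERR [AUTH] You must use stronger authentication such as AUTH or APOP to connect to this server
Dec  3 14:55:01 mail qpopper[31302]: apop "bob"
Dec  3 14:55:01 mail qpopper[31302]: Stats: bob 0 0 0 0 pc2.example.org 192.0.2.20
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ qpopper\[(\d+)\]: (.*)$")
APOP = re.compile(r'^apop "([^"]+)"')
STATS = re.compile(r"^Stats: (\S+) .* (\S+) (\S+)$")
REJECT = re.compile(r"^(\S+) at (\S+) \(([^)]+)\): -ERR \[AUTH\]")

def sessions(log, year=2002):
    """Group log lines by PID; assumes one qpopper process per connection."""
    out = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        stamp, pid, msg = m.groups()
        s = out.setdefault(pid, {"pid": pid, "apop": False, "rejected": False})
        s["time"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if a := APOP.match(msg):
            s.update(user=a.group(1), apop=True)
        elif st := STATS.match(msg):
            s.update(user=st.group(1), ip=st.group(3))
        elif r := REJECT.match(msg):
            s.update(user=r.group(1), ip=r.group(3), rejected=True)
    return list(out.values())

def mixed_clients(log, window_s=300):
    """Find (user, ip) with an APOP login and a rejected attempt within window_s seconds."""
    groups = defaultdict(list)
    for s in sessions(log):
        if "user" in s and "ip" in s:
            groups[(s["user"], s["ip"])].append(s)
    hits = []
    for (user, ip), group in groups.items():
        ok = [s for s in group if s["apop"]]
        bad = [s for s in group if s["rejected"]]
        if any(abs((a["time"] - b["time"]).total_seconds()) <= window_s for a in ok for b in bad):
            hits.append((user, ip, [s["pid"] for s in ok], [s["pid"] for s in bad]))
    return hits
```

A hit means two different programs on the same client are polling the mailbox, one of which cannot do APOP; a packet capture of the rejected connection then shows which command it sent.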
