Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
Nope.  Not using MD5 passwords.  5.3.20 at present.
-M

From: Tom Collins [EMAIL PROTECTED]
To: vpopmail list [EMAIL PROTECTED]
Subject: Re: [vchkpw] SMTP-Auth bug in passwords?
Date: Tue, 9 Sep 2003 21:24:31 -0700
On Tuesday, September 9, 2003, at 08:40  PM, Mike Miller wrote:
Looking just below, the SPAMmer who made use of this, used the same 
username and password.  I then tried the base64 password for their 
'webmaster00' password and that [d2VibWFzdGVyMDA=] works as well.  I then 
tried truncating their password character by character.  What I found was 
that only when I brought the password to 'webmast' (webmaste still 
worked), did it stop authenticating properly.
What version of vpopmail?

Are you using MD5 passwords (go to your vpopmail source directory and `grep 
MD5 config.h`)?  If not, I think crypt() only uses the first 8 characters 
of the password.  I'm not sure what the limit is if you're using MD5.

--
Tom Collins
[EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/





Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
It is my understanding that this is not using CRAM-MD5 but PLAIN login, so 
those methods aren't affected.  I used the 
http://members.elysium.pl/brush/qmail-smtpd-auth/ patch and haven't had 
difficulty using it from within netscape or other clients.  I will be 
investigating further.
 As far as I can tell, it's only on the AUTH LOGIN which I'm having this 
issue (although more testing is needed).  It just doesn't seem to keep 
enough significant characters to return true.  And in theory, the patch 
should just pass its information off to vpopmail.
 I'll do some more investigating later today and see what I can come up 
with.  AUTH LOGIN sends the base64 
(http://makcoder.sourceforge.net/demo/base64.php) encoded username and 
password [which is two-way, so really not as secure, but it's better than 
nothing], one per line.

-M

From: Jeremy Kitchen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [vchkpw] SMTP-Auth bug in passwords?
Date: Wed, 10 Sep 2003 00:10:30 -0500
I apologize for sending a copy directly to you Anthony, reply button in
evolution is a little crazy sometimes :)
On Wed, 2003-09-10 at 00:06, Anthony Baratta wrote:
 Tom...

 Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If 
he
 put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.

 So this appears to be a problem with LOGIN, either in the patch or with
 vPopmail.

 Do I have my logic wrong??

the smtp-auth patch you are probably using wrongly advertises that it
can handle CRAM-MD5.  Simply edit qmail-smtpd.c, search for the
CRAM-MD5, remove it, rebuild qmail-smtpd, and you're set.  I just did
this today, and it worked fine.
--
Jeremy Kitchen
Systems Administrator
.
Inter7 Internet Technologies, Inc.
www.inter7.com
866.528.3530 toll free
847.492.0470 int'l
847.492.0632 fax
GNUPG key ID: 93BDD6CE





Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
It's JUST login/plain and not CRAM-MD5.  As proof, I used a test client 
script:
# Simple SMTP client with STARTTLS and AUTH support.
# Michal Ludvig [EMAIL PROTECTED], 2003
# See http://www.logix.cz/~mic/devel/smtp for details.

# ./smtp-client.pl --host=IP --hello-host=breaded --disable-starttls 
--auth-plain --user=webmaster --pass=webmaster --from=[EMAIL PROTECTED] 
--to=[EMAIL PROTECTED] --data=txt

-- works with password of 'webmaster' when the password in vpopmail is 
either webmaste, webmaster.  As soon as I change it to webmast, it stops 
working.  CRAM-MD5 will only work if the password is 100% accurate.

So --auth-cram-md5 won't work unless the password is right.  --auth-login 
and --auth-plain will work if the password is webmaste, webmaster, 
webmaster0, webmaster00.

Very strange.  Anything I can do to help?
-M


From: Tom Collins [EMAIL PROTECTED]
To: vpopmail list [EMAIL PROTECTED]
Subject: Re: [vchkpw] SMTP-Auth bug in passwords?
Date: Tue, 9 Sep 2003 22:23:27 -0700
On Tuesday, September 9, 2003, at 10:06  PM, Anthony Baratta wrote:
Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If 
he put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.

So this appears to be a problem with LOGIN, either in the patch or with 
vPopmail.
When vpopmail stores passwords (at least in cdb), it either uses crypt() 
with a two-character salt and DES encoding (where only the first 8 
characters of the password matter), or it uses an 8-character salt and MD5 
encoding.

It would be interesting to see whether the problem exists when using 
CRAM-MD5 as well.  It could also be isolated by trying to authenticate with 
qmailadmin or courier-imap and using just the first 8 characters of the 
password.

--
Tom Collins
[EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/





Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Tom Collins
On Tuesday, September 9, 2003, at 08:40  PM, Mike Miller wrote:
Looking just below, the SPAMmer who made use of this, used the same 
username and password.  I then tried the base64 password for their 
'webmaster00' password and that [d2VibWFzdGVyMDA=] works as well.  I 
then tried truncating their password character by character.  What I 
found was that only when I brought the password to 'webmast' (webmaste 
still worked), did it stop authenticating properly.
What version of vpopmail?

Are you using MD5 passwords (go to your vpopmail source directory and 
`grep MD5 config.h`)?  If not, I think crypt() only uses the first 8 
characters of the password.  I'm not sure what the limit is if you're 
using MD5.

--
Tom Collins
[EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/



Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Anthony Baratta
At 09:24 PM 9/9/2003, Tom Collins wrote:

Are you using MD5 passwords (go to your vpopmail source directory and 
`grep MD5 config.h`)?  If not, I think crypt() only uses the first 8 
characters of the password.  I'm not sure what the limit is if you're 
using MD5.
Tom...

Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he 
put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.

So this appears to be a problem with LOGIN, either in the patch or with 
vPopmail.

Do I have my logic wrong??

---
Anthony Baratta
President
Keyboard Jockeys
Conformity is the refuge of the unimaginative.




Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Jeremy Kitchen
I apologize for sending a copy directly to you Anthony, reply button in
evolution is a little crazy sometimes :)

On Wed, 2003-09-10 at 00:06, Anthony Baratta wrote:
 Tom...
 
 Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he 
 put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.
 
 So this appears to be a problem with LOGIN, either in the patch or with 
 vPopmail.
 
 Do I have my logic wrong??

the smtp-auth patch you are probably using wrongly advertises that it
can handle CRAM-MD5.  Simply edit qmail-smtpd.c, search for the
CRAM-MD5, remove it, rebuild qmail-smtpd, and you're set.  I just did
this today, and it worked fine.

-- 
Jeremy Kitchen
Systems Administrator
.
Inter7 Internet Technologies, Inc.
www.inter7.com
866.528.3530 toll free
847.492.0470 int'l
847.492.0632 fax
GNUPG key ID: 93BDD6CE




Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Tom Collins
On Tuesday, September 9, 2003, at 10:06  PM, Anthony Baratta wrote:
Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? 
If he put in AUTH CRAM-MD5 then it would be expecting MD5 encoding.

So this appears to be a problem with LOGIN, either in the patch or 
with vPopmail.
When vpopmail stores passwords (at least in cdb), it either uses 
crypt() with a two-character salt and DES encoding (where only the 
first 8 characters of the password matter), or it uses an 8-character 
salt and MD5 encoding.

It would be interesting to see whether the problem exists when using 
CRAM-MD5 as well.  It could also be isolated by trying to authenticate 
with qmailadmin or courier-imap and using just the first 8 characters 
of the password.

--
Tom Collins
[EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
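A way to check which storage scheme Tom describes is in use, and to see what an AUTH LOGIN/PLAIN verifier backed by DES crypt() actually compares (Mike's 'webmaste' == 'webmaster00' observation). This is an added example, not vpopmail or qmail-smtpd code; it assumes vpasswd lines are colon-separated with the user in field 0 and the hash in field 1, and every hash below is a constructed sample.

```python
"""Audit vpopmail-style password hashes and decode SMTP AUTH credentials.
Added example for this thread, not vpopmail/qmail-smtpd code.  Assumed:
vpasswd lines are colon-separated, user in field 0, crypt() hash in
field 1.  All hash values below are constructed, not real accounts."""
import base64
import re

# Traditional DES crypt(): 2-character salt + 11 characters, no '$' prefix.
# Only the first 8 characters of the password feed the DES key.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# MD5 crypt(): "$1$" + salt (8 chars in vpopmail) + "$" + 22-char digest.
MD5_CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")


def classify_hash(stored):
    """Return (scheme, significant_chars); None means the whole password counts."""
    if MD5_CRYPT_RE.match(stored):
        return "md5-crypt", None
    if DES_CRYPT_RE.match(stored):
        return "des-crypt", 8
    return "unknown", None


def compared_password(candidate, limit):
    """The part of a candidate password a verifier with this limit really sees."""
    return candidate if limit is None else candidate[:limit]


def decode_auth_login_token(token):
    """Decode one base64 line of an AUTH LOGIN exchange (username or password)."""
    return base64.b64decode(token).decode("utf-8")


def decode_auth_plain(token):
    """AUTH PLAIN sends base64(authzid NUL authcid NUL password); return (authcid, password)."""
    _authz, authc, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authc, password


def audit_vpasswd(lines):
    """Return (user, scheme, significant_chars) per line, skipping blanks/comments."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        scheme, limit = classify_hash(fields[1])
        report.append((fields[0], scheme, limit))
    return report


# Constructed sample vpasswd lines: one DES-crypt account, one MD5-crypt account.
SAMPLE_VPASSWD = [
    "webmaster:abJnggxhB/yWI:1:0:webmaster:/var/vpopmail/domains/example.com/webmaster:NOQUOTA",
    "alice:$1$12345678$aB3dE5fG7hI9jK1lM3nO5p:1:0:alice:/var/vpopmail/domains/example.com/alice:NOQUOTA",
]
```

Run `audit_vpasswd(SAMPLE_VPASSWD)` to list accounts still on des-crypt (8 significant characters); `decode_auth_login_token("d2VibWFzdGVyMDA=")` yields the plaintext the server compares.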