As near as I can tell from the courier auth*vchkpw.c code, it only
triggers either the vset_lastauth or the open_smtp_relay() routines
BEFORE authentication. 

What good is that?

Two problems -
        1. The way it calls vset_lastauth in the pre* code means that you can
have a denial of service race since it explicity sets the remote_ip
field to "imap". If it already had a useful value in it, it's lost. As
above - this is done before checking the password, so any putz that
tries to fake a login can dork the contents of the table.

Plus - it never updates the lastauth with a real ip, so that table is
essentially useless when used with courier. 

        2. The open_smtp_relay() call is also done prior to login, so it's not
actually protecting anything.

Seems like the current code implements "Last time someone TRIED to log
in from this IP", as opposed to "last successful auth from this ip". 

Anyone have a patch to courier to fix this completely useless/broken

-- Nathan

Nathan Neulinger                       EMail:  [EMAIL PROTECTED]
University of Missouri - Rolla         Phone: (573) 341-4841
Computing Services                       Fax: (573) 341-4216

Reply via email to