There's something about logging into virtual accounts with the order and number of parameters in your smtp run file with the new(er) versions of vpopmail. The parameter count changed and many online examples have /bin/true one position too early. This has the effect of allowing all passwords to be authenticated, irrespective of their lookup result.

LIST: Can we call this problem something specific: "The /bin/true bogus auth issue" and make a link to reference/fix it?

I think this is your issue Jeff.

jeff thomas wrote:

Ok...

What the hell ... I just compiled 5.3.24 WITHOUT
learn-passwords. Installed it. Restarted all mail
services. I can STILL log into any account with any
password.

Someone here must be able to shed some light on this
for me?? Please?


--- jeff thomas <[EMAIL PROTECTED]> wrote:


Ok...

So, I just compiled 5.3.24 and installed it. I used
the following configure line:

./configure --enable-qmaildir=/var/qmail \
  --enable-tcprules-prog=/usr/local/bin/tcprules \
  --enable-learn-passwords=y \
  --enable-tcpserver-file=/usr/home/vpopmail/etc/tcp.smtp \
  --enable-defaultquota=10000000 --enable-logging=e \
  --enable-valias=y --enable-roaming-users=y \
  --enable-relay-clear-minutes=30 --enable-mysql=y \
  --enable-sqlincdir=/usr/local/include/mysql \
  --enable-sqllibdir=/usr/local/lib/mysql \
  --enable-default-domain=domain.com \
  --enable-qmail-ext=y --prefix=/usr/home


Same freaking problem. I can log into all of the accounts with any password. Thoughts?



--- jeff thomas <[EMAIL PROTECTED]> wrote:


Ok... I tried this fix.

I edited vchkpw.c and removed the FOOB and ENDIF.
recompiled.


No luck. Same thing. Any password I put in still
works.

Thoughts?

--- Michael Bowe <[EMAIL PROTECTED]> wrote:


I just remembered that learn-passwords was broken in 5.3.20, and then
eventually fixed in 5.3.24

http://sourceforge.net/tracker/index.php?func=detail&aid=783824&group_id=85937&atid=577798

Maybe this has something to do with your problem?

Michael.

----- Original Message -----
From: "jeff thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 6:47 PM
Subject: Re: [vchkpw] Urgent - vchkpw/vpopmail authenticate even with wrong pw?





Learn passwords was enabled. However, it should learn only the FIRST
password entered for each account.... not multiple passwords for each
account.

Right?

It would seem logical that with learn-passwords, the first time I put in
the password for [EMAIL PROTECTED], it "learns" that password. If I try to
log into [EMAIL PROTECTED] with a different password, I should be rejected,
as it "learned" the first password.




--- Michael Bowe <[EMAIL PROTECTED]> wrote:

I could be barking up the wrong tree here but...

Perhaps did you configure vpopmail to "learn passwords"?

It rings a bell for me that if you upgrade from a v4.x vpopmail, and you
enable clear passwords in your v5.2 vpopmail, you lose all your existing
passwords and the general way to recover from this is to enable vpopmail's
"learn passwords" functionality.

This could explain why "any password works". But then again, once the
password has been learned, you shouldn't be able to go back and use some
other password and still get access.

Michael.


----- Original Message -----
From: "jeff thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 10:15 AM
Subject: [vchkpw] Urgent - vchkpw/vpopmail authenticate even with wrong pw?





Hello -

I recently installed vpopmail 5.3.20 from freebsd ports. I used Matt
Simerson's FreeBSD Qmail Toaster scripts to install it (it uses ports).

That installed without problem. I installed courier-imap and squirrelmail
as well as sqwebmail. I noticed today that I can log into any of the
accounts via sqwebmail with any password. I can literally put in "xxx" for
the password on my e-mail account and it will let me in. I tried it on
squirrelmail with the same problem. So, then I tried simply logging into
the POP3 account with "xyz" as the password. It, too, let me in with full
access.

This is bad - obviously. Anyone care to shed some light on what I need to
do to get this fixed ASAP. I upgraded from 4.9.x and use mysql4 for
authentication.

Any and all help is appreciated.
