Hi,
This is in regard to SMTP-AUTH and an interesting bug which is creeping up somewhere.


We had a customer who recently had a username of webmaster and a password of webmaster00. With standard POP3 authentication, there was no issue with this username and password. For some reason, only when used with AUTH LOGIN, the same username and password work for webmaster. This then allowed the user to SMTP-relay.

Looking just below, the SPAMmer who made use of this used the same username and password. I then tried the base64 of their 'webmaster00' password and that [d2VibWFzdGVyMDA=] works as well. I then tried truncating their password character by character. What I found was that only when I brought the password down to 'webmast' (webmaste still worked) did it stop authenticating properly.

Is there a limitation on how many characters it uses to authenticate? Any help would be appreciated.

220 haven.epicworks.com ESMTP
< EHLO breaded
250-haven.epicworks.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
< AUTH LOGIN
334 VXNlcm5hbWU6
< d2VibWFzdGVy
334 UGFzc3dvcmQ6
< d2VibWFzdGVy
235 ok, go ahead (#2.0.0)

I'm not sure if this is in vchkpw or in the patch to qmail-smtpd, however I'm looking for anyone's experience or maybe even to identify a bug.


Thanks in advance,
-Mike
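
Added example, not part of the original post: it decodes the AUTH LOGIN exchange quoted above and repeats the character-by-character truncation test against any verifier callable. The two verifiers are constructed stand-ins; the eight-character one models a backend that compares only the first eight characters, as traditional DES-based crypt(3) does, and that this is what happens on this server is an assumption.

```python
import base64

# AUTH LOGIN part of the session quoted in the post ("<" marks client lines).
SESSION = """\
< AUTH LOGIN
334 VXNlcm5hbWU6
< d2VibWFzdGVy
334 UGFzc3dvcmQ6
< d2VibWFzdGVy
235 ok, go ahead (#2.0.0)
"""

def b64text(value):
    """Decode one base64 token from the SMTP dialogue to text."""
    return base64.b64decode(value).decode("ascii")

def decode_auth_login(session):
    """Return (server prompts, client answers, final reply code), all decoded."""
    prompts, answers, code = [], [], None
    for line in session.splitlines():
        if line.startswith("334 "):            # base64 challenge from the server
            prompts.append(b64text(line[4:]))
        elif line.startswith("< ") and not line.startswith("< AUTH"):
            answers.append(b64text(line[2:]))  # base64 response from the client
        elif line[:3].isdigit():               # any other numeric reply, e.g. 235
            code = int(line[:3])
    return prompts, answers, code

def significant_length(verify, user, password):
    """Shortest prefix length of `password` that `verify` accepts.

    Returns None if the full password is rejected. A result shorter than
    len(password) means trailing characters are ignored by the verifier.
    """
    if not verify(user, password):
        return None
    for n in range(len(password) + 1):
        if verify(user, password[:n]):
            return n

def make_verifier(user, password, limit=None):
    """Constructed stand-in for the real check; `limit` models truncation."""
    def verify(u, p):
        return u == user and p[:limit] == password[:limit]
    return verify

if __name__ == "__main__":
    print(decode_auth_login(SESSION))
    truncating = make_verifier("webmaster", "webmaster00", limit=8)
    print(significant_length(truncating, "webmaster", "webmaster00"))
```

To test a real server, pass a `verify` callable that performs the login against it; a result below the password's length confirms the truncation.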
