> It is my understanding that
>    setenv CFLAGS="-DHAVE_OPEN_SMTP_RELAY"
> is not sufficient to enable the roaming user functionality in
> courier-imap. 
> 
> Instead you need to edit the file
>   authlib/preauthvchkpw.c
> and remove the line:
>   #undef HAVE_OPEN_SMTP_RELAY
> and then recompile courier-imap
> 
> This roaming user functionality was hardcoded off on purpose,
> because there is a flaw in the current design. If you enable
> roaming users in courier, then any user will be able to relay
> after performing an auth attempt, regardless of whether the
> auth contained a valid username/password.

Thanks Michael,

I think you have hit the problem!
Then what do I have to do?
If I remove the line #undef HAVE_OPEN_SMTP_RELAY, I have the auth bug that you
describe.
Do I have to apply your patch courier-imap-2[1].1.1-vchkpw-updates.diff.txt?

Probably my steps will be:

cd into courier-imap-2.1.1/authlib
patch -u < courier-imap-2[1].1.1-vchkpw-updates.diff.txt
./configure --prefix=/usr/local/courier-imap --disable-root-check \
  --without-authpam --without-authldap --without-authpwd --without-authmysql \
  --without-authpgsql --without-authshadow --without-authuserdb \
  --without-authcustom --without-authcram --without-authdaemon \
  --with-authvchkpw --with-ssl --with-piddir=/var/run
setenv CFLAGS="-DHAVE_OPEN_SMTP_RELAY"
gmake
gmake install
gmake install-configure

With your patch, do I already have a security problem? Or, by removing the
open_smtp_relay() calls from the preauthvchkpw.c file to authvchkpw.c,
have you fixed that?

Thanks for all
Regards
Andrea
