> It is my understanding that
> setenv CFLAGS="-DHAVE_OPEN_SMTP_RELAY"
> is not sufficient to enable the roaming user functionality in
> Instead you need to edit the file
> and remove the line:
> #undef HAVE_OPEN_SMTP_RELAY
> and then recompile courier-imap
> This roaming user functionality was hardcoded off on purpose,
> because there is a flaw in the current design. If you enable
> roaming users in courier, then any user will be able to relay
> after performing an auth attempt, regardless of whether the
> auth contained a valid username/password.
I think you have hit the problem!
Then what do I have to do?
If I remove the line #undef HAVE_OPEN_SMTP_RELAY, I have the auth bug that you
Do I have to apply your patch courier-imap-2.1.1-vchkpw-updates.diff.txt?
Probably my steps will be:
cd into courier-imap-2.1.1/authlib

    patch -u < courier-imap-2.1.1-vchkpw-updates.diff.txt
    ./configure --prefix=/usr/local/courier-imap --disable-root-check \
        --without-authpam --without-authldap --without-authpwd --without-authmysql \
        --without-authpgsql --without-authshadow --without-authuserdb \
        --without-authcustom --without-authcram --without-authdaemon \
        --with-authvchkpw --with-ssl --with-piddir=/var/run

With your patch, do I already have a security problem? Or, by removing the
open_smtp_relay() calls from the preauthvchkpw.c file to authvchkpw.c,
have you fixed that?
Thanks for everything
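
The ordering problem described in the quoted text above, as an added C model that is not part of the original message and is not courier-imap or vpopmail source. The names `relay_allow`, `login_flawed` and `login_fixed`, the account and the IP address are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a "roaming user" relay table keyed by client IP. */
#define MAX_RELAY 8
static char relay_ips[MAX_RELAY][46];
static int relay_count;

void relay_reset(void) { relay_count = 0; }

static void relay_allow(const char *ip) {
    if (relay_count >= MAX_RELAY) return;
    snprintf(relay_ips[relay_count++], sizeof relay_ips[0], "%s", ip);
}

int relay_allowed(const char *ip) {
    for (int i = 0; i < relay_count; i++)
        if (strcmp(relay_ips[i], ip) == 0) return 1;
    return 0;
}

/* Constructed single-account credential check (hypothetical values). */
static int password_ok(const char *user, const char *pass) {
    return strcmp(user, "alice@example.test") == 0 &&
           strcmp(pass, "correct-horse") == 0;
}

/* Flawed ordering: the relay entry is written before the password check. */
int login_flawed(const char *user, const char *pass, const char *ip) {
    relay_allow(ip);
    return password_ok(user, pass);
}

/* Corrected ordering: the relay entry is written only after a successful check. */
int login_fixed(const char *user, const char *pass, const char *ip) {
    if (!password_ok(user, pass)) return 0;
    relay_allow(ip);
    return 1;
}

int main(void) {
    relay_reset();
    login_flawed("nobody@example.test", "wrong", "192.0.2.10");
    printf("flawed, failed login, relay allowed: %d\n", relay_allowed("192.0.2.10"));
    relay_reset();
    login_fixed("nobody@example.test", "wrong", "192.0.2.10");
    printf("fixed, failed login, relay allowed: %d\n", relay_allowed("192.0.2.10"));
    return 0;
}
```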