Hello Jean, On Monday, May 24, 2004 at 4:12:15 PM you wrote (at least in part):
> My boss recently noticed something I didnt: vpopmail (noticed on > qmailadmin and squirrelmail using courier-imap) accepts passwords > with garbage at the end. > Lets say, my password is "secret". > If I type "secretJSDSDALSDKJFLASF", qmailadmin will accept it as > a valid password. It doesnt accept with garbage "inside" the > password, or before. Please create a test account with password 'password', test this account and if it is authenticated with "garbage at the end" please post the encrypted password from 'vpasswd' of this account. I assume your installation does not use MD5 routines in 'crypt()' function, and therefore your passwords are limited to a maximum of 8 characters. All passwords with exactly 8 characters (so NOT 'secret' as this are only 6) than will be accepted if the first 8 characters of input match. This is due to the fact 'crypt()', using only DES, only takes the first 8 characters. A MD5-enabled 'crypt()' will not suffer this limitations > How can I correct that? vpopmail should, when available, use automatically MD5-password. To be sure recompile vpopmail (don't forget a 'make clean' before) with all your configure options PLUS '--enable-md5-passwords'. If you have any '--disable-md5-passwords' option set, remove it. I don't know a save way to figure if your libcrypt.so supports MD5-passwords, but I've found that 'strings /lib/libcrypt.so.1 |grep -i md5' returned 'md5-crypt.c' and '__md5_crypt_r', which I'd take as a hint my libcrypt is MD5-enabled and the encrypted passwords in my vpasswd confirm this assumption. > Is this a known issue? Not I'm aware of. > I've tested with vpopmail 5.4.3 + qmailadmin 1.2.0 AND also with > vpopmail 4.9.10 + qmailadmin 0.45 (our "museum" servers), both have > the save problem. Maybe the 'museum' might be the problem: if their libcrypt is too old it might be it's not yet aware of MD5, who knows. -- Best regards Peter Palmreuther Use it up ... Wear it out. Make it do ... Or do without.