On 2007-09-17, at 1751, Jeremy Kister wrote:
On 9/17/2007 5:28 PM, John Simpson wrote:

which reminds me... how about a patch to change the maximum password length to a more realistic limit? i've been doing this for several years, after applying patches but before running "./ configure"...

Also, since only the first eight characters of a password matter on Solaris < 10 (or any DES vs MD5), perhaps there should be a maximum limit of 8 when using --disable-md5-passwords. This way, users who think [EMAIL PROTECTED]:: is a secure password are enlightened.

good idea. i just wrote a patch to do both items.

sourceforge has it as #1797464, or you can also download it from my web site.


my one concern is this- i would rather see the decision of "128 or 8" happen within vpopmail.h. my first thought was to just add an #ifdef around the "#define MAX_PW_CLEAR_PASSWD" line in vpopmail.h, but the MD5_PASSWORDS flag that i would use as a test, is defined within "config.h", and i don't know if it would break anything to include "config.h" within vpopmail.h. i doubt it would affect anything within vpopmail, but how many other packages out there (qmailadmin, courier- authlib, etc.) use vpopmail.h as part of their compile process, and also have a "config.h" file in their source code?

so what i did is added the "#ifdef" block at the top of vpopmail.c, after both vpopmail.h and config.h have been included. this works, and for now it's safe because vpopmail.c is the only file which actually uses MAX_PW_CLEAR_PASSWD. however, if some future version of vpopmail uses this value in a different source file, that source file would need the same "#ifdef" block at the top. finding a way to safely add that "#ifdef" to vpopmail.h itself would solve this potential problem.

| John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
| http://www.jms1.net/                         <[EMAIL PROTECTED]> |
| http://video.google.com/videoplay?docid=-1656880303867390173 |

Attachment: PGP.sig
Description: This is a digitally signed message part

Reply via email to