Hi list.
Regarding Nessus reporting XMail having security holes (http://home.domaindlx.com/xmail/topic.asp?TOPIC_ID=227), I recall this issue has been up for discussion before. Davide then stated this wasn't true at all. This was merely a flawed presumption on Nessus' buggy behalf, based on the fact that XMail, contrary to most other SMTP servers, drops the Nessus test connections, assuming the connected client isn't there for a good purpose, rather than continuing the session. By this Nessus takes for granted the remote peer has gone DOS and happily reports this as a successful buffer overflow.

This recent discussion looks seemingly like the thread from way back then. In that case, again: XMail 1.9+ has NO known security issues, the Nessus alert is BS.

Quoting Davide's post "About XMail security.." dated back Tue, 02 Oct 2001.
http://www.mail-archive.com/[email protected]/msg00153.html

"I received emails from a bunch of XMail users saying that tools like nessus report XMail buffer overflows and security holes. It's definitely not true and it's these tools that are bugged. They try to send very loooong command lines with a length that exceeds the rfc constraint and, when XMail sees such behaviour, it does not even try to be pretty with these clients and it drops the connection. These tools then think that the server died but it has not.

XMail has another protection that checks the command line string for the correct encoding ( us ascii ) and, if it detects binary chars, it drops the connection. In this way, if buffer overflows will ever exist, the hacker will never be able to execute its code due to the lack of available chars.

Another XMail unique protection against buffer overflows is the random stack pointer shifting at thread startup. When every XMail thread starts, the stack pointer is randomly "moved", making the SP guessing for hackers almost impossible. The hacker will be forced, probabilistically, to try a huge number of times and the user will perceive this like server crashes."
/Thomas.
________________________________S_a_l_t_s_t_o_r_m____
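The two input checks described in the quoted post (drop the connection when a command line exceeds the RFC length limit, drop it when the line contains non-US-ASCII bytes), written out as an added example that is not XMail's code and not part of the original message. The 512-octet limit is the SMTP command-line maximum from RFC 5321; the function, enum and macro names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 512 octets including CRLF, the SMTP command-line
   maximum given in RFC 5321 section 4.5.3.1.4. */
#define SMTP_MAX_CMD_LINE 512

enum line_verdict {
    LINE_OK,              /* complete, in-limit, 7-bit clean line */
    LINE_INCOMPLETE,      /* no LF yet and still under the limit  */
    LINE_DROP_TOO_LONG,   /* limit reached without a terminator   */
    LINE_DROP_BINARY      /* NUL, control or 8-bit byte seen      */
};

/* Inspect the bytes received so far for one command line. Only reads
   buf[0..len); on LINE_OK stores the line length (with CRLF) in *line_len. */
enum line_verdict check_command_line(const unsigned char *buf, size_t len,
                                     size_t *line_len)
{
    size_t scan = len < SMTP_MAX_CMD_LINE ? len : SMTP_MAX_CMD_LINE;
    size_t i;

    for (i = 0; i < scan; i++) {
        unsigned char c = buf[i];
        if (c == '\n') {
            *line_len = i + 1;
            return LINE_OK;
        }
        if (c >= 0x80 || (c < 0x20 && c != '\r' && c != '\t'))
            return LINE_DROP_BINARY;
    }
    return len >= SMTP_MAX_CMD_LINE ? LINE_DROP_TOO_LONG : LINE_INCOMPLETE;
}

int main(void)
{
    /* Constructed inputs: a normal command and an oversized one. */
    unsigned char probe[2000];
    size_t n = 0;

    memset(probe, 'A', sizeof probe);
    printf("normal: %d\n", check_command_line(
        (const unsigned char *)"EHLO example.test\r\n", 19, &n));
    printf("oversized: %d\n", check_command_line(probe, sizeof probe, &n));
    return 0;
}
```

A server using a check like this closes the socket on either DROP verdict and keeps running, so a scanner that equates a closed connection with a crashed service will report a false positive unless it reconnects to confirm.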
