the qmail-smtpd-auth patch is a commonly used patch to qmail which allows the qmail-smtpd program to support the AUTH extension, by specifying a "checkpassword" program on the command line. the homepage for the patch is:

http://members.elysium.pl/brush/qmail-smtpd-auth/

the patch modifies qmail-smtpd so that it can be called with three command-line parameters: the local host name (used for generating CRAM-MD5 challenges), the checkpassword program itself, and a "dummy" program which is run by the checkpassword program after a successful authentication.

the "dummy" program is needed because checkpassword programs are designed for use in a POP3 or IMAP situation, where they would validate the user's credentials and then run the actual POP3 or IMAP server program.

the current version of the SMTP-AUTH patch contains a serious bug which can accidentally allow somebody who forgets one or more of the command line parameters to start running an open relay by accident. it has been reported in several places over the last week, including this message on the qmail mailing list:

http://marc.theaimsgroup.com/?l=qmail&m=105452174430616&w=2

if the user forgets the hostname parameter to qmail-smtpd and uses /bin/true as the dummy program (/bin/true is the suggested dummy program), they will actually be using /bin/true as the checkpassword program, which allows ANY combination of userid and password to use your server as a relay.

i have written a revision to the qmail-smtpd-auth patch which compensates for this common error by not supporting the AUTH command unless all three command line arguments are present. the version 0.31 patch does not correctly check for this- with a missing command line argument, it ends up reading memory beyond the end of argv[], which is NOT filled with zeros- on most *nix systems it's actually the beginning of the environment block.

http://www.jms1.net/qmail/ has the modified "auth.patch" file available for download.

the changes i've made (actually CHECKING argc instead of assuming there will be something there) need to be incorporated into the qmail-smtpd-auth patch as soon as possible. the author of the patch seems to have not touched it since may 2002.

-- 
-----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/        <jms1@jms1.net> |
-----------------------------------------------
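The argument-count check described in the message, as an added example that is not code from the qmail-smtpd-auth patch or from the revised auth.patch. The struct, the function names and the sample vectors (including the host name mail.example.com) are hypothetical; the entries placed after the NULL terminator are constructed to stand in for the environment block.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the three parameters the message describes. */
struct auth_cfg {
    const char *hostname;   /* local host name, for CRAM-MD5 challenges */
    const char *checkpw;    /* checkpassword program */
    const char *dummy;      /* program run after a successful login */
};

/* Simplified model of the flawed assumption: slots are filled purely by
 * position and argc is never consulted. Returns 1 if AUTH is offered. */
static int parse_unchecked(int argc, char **argv, struct auth_cfg *c)
{
    (void)argc;
    c->hostname = argv[1];
    c->checkpw  = argv[2];
    c->dummy    = argv[3];  /* may lie at or past the end of argv[] */
    return c->checkpw != NULL;
}

/* Checked variant: AUTH is offered only when all three arguments exist. */
static int parse_checked(int argc, char **argv, struct auth_cfg *c)
{
    memset(c, 0, sizeof *c);
    if (argc < 4)
        return 0;           /* AUTH stays disabled */
    c->hostname = argv[1];
    c->checkpw  = argv[2];
    c->dummy    = argv[3];
    return 1;
}

/* Constructed vectors. Entries after the first NULL stand in for the
 * environment block that follows argv[] on most *nix systems. */
static char *complete[] = { "qmail-smtpd", "mail.example.com",
                            "/bin/checkpassword", "/bin/true", NULL };
static char *no_host[]  = { "qmail-smtpd", "/bin/checkpassword",
                            "/bin/true", NULL, "PATH=/bin", NULL };
static char *one_arg[]  = { "qmail-smtpd", "/bin/true", NULL,
                            "PATH=/bin", NULL };

int main(void)
{
    struct auth_cfg c;
    printf("no_host unchecked: auth=%d\n", parse_unchecked(3, no_host, &c));
    printf("  checkpassword slot holds %s\n", c.checkpw);
    parse_unchecked(2, one_arg, &c);
    printf("one_arg unchecked: dummy slot holds %s\n", c.dummy);
    printf("no_host checked:   auth=%d\n", parse_checked(3, no_host, &c));
    printf("complete checked:  auth=%d\n", parse_checked(4, complete, &c));
    return 0;
}
```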