Darkedge
02-04-2002, 04:17 PM
I am trying to use qmail with smtpd-auth 3.0 and I am having considerable trouble.
Could someone perhaps lay it out for me? I am running on a FreeBSD 4.2 machine. I am using smtpd-auth 3.0; installing this and the cmd password is no problem. What gets confusing is what user should own the cmd file and the etc/poppaswd file, and also what permissions it needs. I am at a loss. Can someone who has this working please post here or contact me? I have been reading forums for like three days and they all seem to lean towards Linux, and I have tried everything.
MotleyFool
02-05-2002, 01:54 AM
Darkedge,
Are you using it with vpopmail? Can you give some info on what kinds of problems you are having?
Can your checkpassword utility read the shadow file? I have read that this is the most common problem. "Either make it suid root or find another (safer) way to make it read that file."
Are you trying to enable CRAM-MD5?
These kinda problems have nothing to do with the OS is what the fool thinks. If you have chosen FreeBSD you have chosen wisely.
Cheers
Balaji
MotleyFool
02-05-2002, 02:55 AM
I also found this on the web; you may want to have a look at it.
----
cmd5checkpw Qmail Remote Password Retrieval Vulnerability
BugTraq ID: 1809
Remote: Yes
Date Published: 2000-10-16
Relevant URL:
http://www.securityfocus.com/bid/1809
Summary:
The authentication program cmd5checkpw can function as a plugin to
qmail-smtpd-auth, a patch for qmail which supports the SMTP AUTH protocol.
Due to improper input validation and error trapping, supplying
cmd5checkpw with a non-existent username will cause it to segfault. In
turn, the qmail-smtpd-auth Qmail patch incorrectly interprets this failure
as a successful authentication. As a result, an attacker providing
invalid input to cmd5checkpw can create a falsely-authenticated session,
leaving the victim host open to receiving and forwarding mail from
unauthenticated systems.
----
http://www.security.unicamp.br/docs/informativos/2000/10/b13.txt
I think either QPopper or vpopmail are the most secure pop3 options for qmail
Cheers
Balaji
priyadi
02-05-2002, 04:58 AM
The latest version of qmail-smtpd-auth doesn't have this security problem.
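The failure mode in the advisory quoted above (a crashed checker read as a successful login), as an added example that is not part of the original thread and is not code from qmail-smtpd-auth or cmd5checkpw. The function names are hypothetical, the child process is a constructed stand-in for the password checker, and the "naive" check is an assumed illustration of how a signal death can look like exit code 0, shown beside a fail-closed check:

```c
/* Added example: fail-closed handling of a checkpassword-style child. */
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum child_mode { CHILD_OK, CHILD_BAD_PASSWORD, CHILD_CRASH };

/* Fork a stand-in for the password checker and return its raw wait status
 * through *wstat. Returns 0 on success, -1 if fork/waitpid failed. */
int run_checker(enum child_mode mode, int *wstat)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        struct rlimit no_core = {0, 0};
        setrlimit(RLIMIT_CORE, &no_core);  /* keep the demo from dumping core */
        if (mode == CHILD_CRASH) {
            signal(SIGSEGV, SIG_DFL);
            raise(SIGSEGV);                /* constructed crash, as in a segfault */
        }
        _exit(mode == CHILD_OK ? 0 : 1);
    }
    return waitpid(pid, wstat, 0) == pid ? 0 : -1;
}

/* Weak: looks only at the exit-code byte, which is 0 after a signal death. */
int naive_accepts(int wstat) { return WEXITSTATUS(wstat) == 0; }

/* Hardened: success requires a normal exit AND exit code 0. */
int strict_accepts(int wstat) { return WIFEXITED(wstat) && WEXITSTATUS(wstat) == 0; }

/* Run one scenario; any fork/wait error is treated as authentication failure. */
int authenticated(enum child_mode mode, int strict)
{
    int wstat;
    if (run_checker(mode, &wstat) == -1) return 0;
    return strict ? strict_accepts(wstat) : naive_accepts(wstat);
}

int main(void)
{
    printf("crash, naive : %d\n", authenticated(CHILD_CRASH, 0));
    printf("crash, strict: %d\n", authenticated(CHILD_CRASH, 1));
    printf("ok, strict   : %d\n", authenticated(CHILD_OK, 1));
    printf("bad, strict  : %d\n", authenticated(CHILD_BAD_PASSWORD, 1));
    return 0;
}
```

When reviewing any SMTP AUTH setup that shells out to a checker, the thing to confirm is that a child killed by a signal, or a failed fork or wait, ends in rejection rather than acceptance.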