Dave Richardson - Lists wrote:
There's something about logging into virtual accounts with the order and number of parameters in your smtp run file with the new(er) versions of vpopmail. The parameter count changed and many online examples have /bin/true one position too early. This has the effect of allowing all passwords to be authenticated, irrespective of their lookup result.
LIST: Can we call this problem something specific: "The /bin/true bogus auth issue" and make a link to reference/fix it?
I think this is your issue Jeff.
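An added example, not from the thread or the vpopmail project: a small audit of a daemontools run script for the condition described above, where /bin/true lands in the argument position the SMTP daemon treats as its password checker. The run script is constructed, and `checker_slot` (which position the checker occupies) is an assumption you set for your installed build.

```python
import re
import shlex

# Programs that exit 0 whatever they are given. A checkpassword-style
# checker signals "password OK" with exit status 0, so one of these in
# the checker position accepts every password.
ALWAYS_SUCCEED = {"/bin/true", "/usr/bin/true", "true"}

# Constructed sample run script (paths are illustrative, not from a real host).
SAMPLE_RUN = r"""#!/bin/sh
exec /usr/local/bin/tcpserver -v -R -x /usr/home/vpopmail/etc/tcp.smtp \
  -u 82 -g 81 0 smtp \
  /var/qmail/bin/qmail-smtpd /usr/home/vpopmail/bin/vchkpw /bin/true 2>&1
"""

def smtpd_args(run_text):
    """Return the arguments that follow qmail-smtpd, or None if it is not run."""
    folded = run_text.replace("\\\n", " ")  # join shell line continuations
    for line in folded.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line, comments=True)
        for i, tok in enumerate(tokens):
            if tok.rsplit("/", 1)[-1] == "qmail-smtpd":
                # Drop shell redirections such as 2>&1; they are not arguments.
                return [t for t in tokens[i + 1:] if not re.match(r"\d*[<>]", t)]
    return None

def check_run_file(run_text, checker_slot):
    """Classify the run script.

    checker_slot is the 0-based position of the password checker among
    qmail-smtpd's arguments. It is an assumption that depends on the
    parameter count your installed build expects.
    """
    args = smtpd_args(run_text)
    if args is None:
        return "no-smtpd"
    if len(args) <= checker_slot:
        return "no-auth"
    if args[checker_slot] in ALWAYS_SUCCEED:
        return "accepts-any-password"
    return "ok"

if __name__ == "__main__":
    for slot in (0, 1):
        print("checker expected in slot", slot, "->", check_run_file(SAMPLE_RUN, slot))
```

The same run script is reported as fine when the build expects the checker first and as accepting any password when the build expects one more parameter ahead of it.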
jeff thomas wrote:
Ok...
What the hell ... I just compiled 5.3.24 WITHOUT learn-passwords. Installed it. Restarted all mail services. I can STILL log into any account with any password.
Someone here must be able to shed some light on this for me?? Please?
--- jeff thomas <[EMAIL PROTECTED]> wrote:
Ok...
So, I just compiled 5.3.24 and installed it. I used the following configure line:
./configure --enable-qmaildir=/var/qmail \
  --enable-tcprules-prog=/usr/local/bin/tcprules \
  --enable-learn-passwords=y \
  --enable-tcpserver-file=/usr/home/vpopmail/etc/tcp.smtp \
  --enable-defaultquota=10000000 --enable-logging=e --enable-valias=y \
  --enable-roaming-users=y --enable-relay-clear-minutes=30 \
  --enable-mysql=y --enable-sqlincdir=/usr/local/include/mysql \
  --enable-sqllibdir=/usr/local/lib/mysql \
  --enable-default-domain=domain.com --enable-qmail-ext=y \
  --prefix=/usr/home
http://sourceforge.net/tracker/index.php?func=detail&aid=783824&group_id=85937&atid=577798
Same freaking problem. I can log into all of the accounts with any password. Thoughts?
--- jeff thomas <[EMAIL PROTECTED]> wrote:
Ok... I tried this fix. I edited vchkpw.c and removed the FOOB and ENDIF. Recompiled. No luck. Same thing. Any password I put in still works.
Thoughts?
--- Michael Bowe <[EMAIL PROTECTED]> wrote:
I just remembered that learn-passwords was broken in 5.3.20, and then eventually fixed in 5.3.24
Maybe this has something to do with your problem?
Michael.
----- Original Message -----
From: "jeff thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 6:47 PM
Subject: Re: [vchkpw] Urgent - vchkpw/vpopmail authenticate even with wrong pw?
Learn passwords was enabled. However, it should learn only the FIRST password entered for each account.... not multiple passwords for each account. Right?
It would seem logical that with learn-passwords, the first time I put in the password for [EMAIL PROTECTED], it "learns" that password. If I try to log into [EMAIL PROTECTED] with a different password, I should be rejected, as it "learned" the first password.
--- Michael Bowe <[EMAIL PROTECTED]> wrote:
I could be barking up the wrong tree here but...
Perhaps did you configure vpopmail to "learn passwords"?
It rings a bell for me that if you upgrade from a v4.x vpopmail, and you enable clear passwords in your v5.2 vpopmail, you lose all your existing passwords and the general way to recover from this is to enable vpopmail's "learn passwords" functionality.
This could explain why "any password works".
But then again, once the password has been learned, you shouldn't be able to go back and use some other password and still get access.
Michael.
----- Original Message -----
From: "jeff thomas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 13, 2003 10:15 AM
Subject: [vchkpw] Urgent - vchkpw/vpopmail authenticate even with wrong pw?
Hello -
I recently installed vpopmail 5.3.20 from freebsd ports. I used Matt Simerson's FreeBSD Qmail Toaster scripts to install it (it uses ports). That installed without problem. I installed courier-imap and squirrelmail as well as sqwebmail. I noticed today that I can log into any of the accounts via sqwebmail with any password. I can literally put in "xxx" for the password on my e-mail account and it will let me in. I tried it on squirrelmail with the same problem. So, then I tried simply logging into the POP3 account with "xyz" as the password. It, too, let me in with full access.
This is bad - obviously. Anyone care to shed some light on what I need to do to get this fixed ASAP.
I upgraded from 4.9.x and use mysql4 for authentication.
Any and all help is appreciated.
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web
design software
http://sitebuilder.yahoo.com