On 2007-09-17, at 1751, Jeremy Kister wrote:
> On 9/17/2007 5:28 PM, John Simpson wrote:
>> which reminds me... how about a patch to change the maximum password length to a more realistic limit? i've been doing this for several years, after applying patches but before running "./configure"...
>
> Also, since only the first eight characters of a password matter on Solaris < 10 (or any DES vs MD5), perhaps there should be a maximum limit of 8 when using --disable-md5-passwords. This way, users who think [EMAIL PROTECTED]:: is a secure password are enlightened.

good idea. i just wrote a patch to do both items.

sourceforge has it as #1797464, or you can also download it from my web site.

http://qmail.jms1.net/vpopmail/#passlen

my one concern is this- i would rather see the decision of "128 or 8" happen within vpopmail.h. my first thought was to just add an #ifdef around the "#define MAX_PW_CLEAR_PASSWD" line in vpopmail.h, but the MD5_PASSWORDS flag that i would use as a test, is defined within "config.h", and i don't know if it would break anything to include "config.h" within vpopmail.h. i doubt it would affect anything within vpopmail, but how many other packages out there (qmailadmin, courier-authlib, etc.) use vpopmail.h as part of their compile process, and also have a "config.h" file in their source code?

so what i did is added the "#ifdef" block at the top of vpopmail.c, after both vpopmail.h and config.h have been included. this works, and for now it's safe because vpopmail.c is the only file which actually uses MAX_PW_CLEAR_PASSWD. however, if some future version of vpopmail uses this value in a different source file, that source file would need the same "#ifdef" block at the top. finding a way to safely add that "#ifdef" to vpopmail.h itself would solve this potential problem.

----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
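
The compile-time limit and the eight-character DES behaviour discussed in this message, as an added example that is not code from the patch or from vpopmail. MAX_PW_CLEAR_PASSWD, MD5_PASSWORDS and the values 128 and 8 come from the message; the helper functions and sample passwords are hypothetical, and MD5_PASSWORDS is left undefined here to stand in for a --disable-md5-passwords build.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: config.h would define MD5_PASSWORDS unless the build used
 * --disable-md5-passwords. It is left undefined so the DES branch is taken. */
/* #define MD5_PASSWORDS 1 */

/* Guard of the kind described above, evaluated after the headers are in. */
#ifdef MD5_PASSWORDS
#define MAX_PW_CLEAR_PASSWD 128
#else
#define MAX_PW_CLEAR_PASSWD 8
#endif

#define DES_KEY_CHARS 8 /* traditional DES crypt() reads only 8 characters */

/* Hypothetical helper: 0 if the password fits the limit, -1 if empty or too long. */
int check_clear_passwd_len(const char *pw, size_t limit)
{
    size_t n = strlen(pw);
    return (n >= 1 && n <= limit) ? 0 : -1;
}

/* Hypothetical helper: the key material traditional DES crypt() uses, i.e.
 * the low 7 bits of each of the first 8 characters, zero padded. */
void des_key_material(const char *pw, unsigned char out[DES_KEY_CHARS])
{
    size_t i;
    memset(out, 0, DES_KEY_CHARS);
    for (i = 0; i < DES_KEY_CHARS && pw[i] != '\0'; i++)
        out[i] = (unsigned char)pw[i] & 0x7f;
}

/* 1 if traditional DES crypt() cannot tell the two passwords apart. */
int des_equivalent(const char *a, const char *b)
{
    unsigned char ka[DES_KEY_CHARS], kb[DES_KEY_CHARS];
    des_key_material(a, ka);
    des_key_material(b, kb);
    return memcmp(ka, kb, DES_KEY_CHARS) == 0;
}

int main(void)
{
    const char *long_pw = "correcthorse-2007"; /* constructed sample */
    const char *other = "correcthXXXXXXXXX";   /* same first 8 characters */
    printf("limit=%d\n", MAX_PW_CLEAR_PASSWD);
    printf("equivalent under DES: %d\n", des_equivalent(long_pw, other));
    printf("length check: %d\n", check_clear_passwd_len(long_pw, MAX_PW_CLEAR_PASSWD));
    return 0;
}
```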