> > Is Eudora 4.3 different from 4.3.1, and if so, is there somewhere where
it
> > can be downloaded? Does anyone know how this can be reproduced without
> > Eudora (what commands to send)? This is starting to sound like an urban
> > legend, but if there truly is a vulnerability, I'd like to know about
it.
>
> When I upped from 4.2.2 to 4.3, I couldn't send mail anymore.
> In the Eud mail personality box, I had to uncheck the
> "authentification allowed" box. So something most definitely
> happened in the Eud 4.3 in the smtp auth area.
This is SMTP AUTH problem #1 (Eudora can't authenticate). It occurs because
of the IMail and Eudora bugs (Eudora using CRAM-MD5 even though IMail says
it won't accept it, and IMail not sending a CRLF after the authentication
string), that causes the client to hang. This bug can be verified pretty
easily (sending EHLO followed by AUTH CRAM-MD5, you'll see the missing CRLF,
which the RFC says should be there).
SMTP AUTH problem #2 is that people using Netscape (and possibly other mail
clients) occasionally can't authenticate. In some reports, the server needs
rebooting. In other reports, the people can authenticate a minute or two
later.
SMTP AUTH problem #3 (which I haven't confirmed) suggests that anyone using
Eudora 4.3 (but probably not 4.3.1) will cause the IMail server (SMTPD
only?) to hang, until Eudora times out. Nobody can do anything more than
say that Eudora 4.3 will cause this; Eudora 4.3 is no longer available for
download. My testing can't reproduce this problem. I'm starting to doubt
that the problem truly exists. If I can get my hands on a copy of Eudora
4.3, or someone can show how it can be reproduced without Eudora 4.3, I'll
believe it.
The neat thing is that SMTP AUTH problem #3, if it does exist, could easily
explain SMTP AUTH problem #2 (which would really only be a symptom of #3,
rather than its own problem).
-SCott
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
