Hello,

It seems that auth-ldap allows you to log in using no password. This is
somewhat of a problem. I am using the latest patch
qmail-ldap-1.03-20010301, with courier-imap-1.3.7. I have gotten the same
results on Linux (redhat-6.2 and 7.0) and FreeBSD-4.2. A sample of a few
sessions:

[andreas@corundum andreas]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc. See
COPYING for distribution information.
a001 login andreas goodpass
a001 OK LOGIN Ok.

So, it gets me in using the correct password, excellent.

[andreas@corundum andreas]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc. See
COPYING for distribution information.
a001 login andreas badpass
Connection closed by foreign host.

Ok, rejects me using a bad password, also excellent, but.....

[andreas@corundum andreas]$ telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2001 Double Precision, Inc. See
COPYING for distribution information.
a001 login andreas ""
a001 OK LOGIN Ok.

Hmm, seems like a problem. Turns out, a blank password in Netscape
will do the same thing, leaving all accounts wide open to anyone.

So for the time being, we are using the ldap authorization module that
comes with courier-imap, but this one has the problem that it lets you
log in even if the ldap account is set to "nopop". So we're a bit stuck: run
a totally insecure mail server, or not be able to expire users who cancel
or don't pay. If more info is needed, tell me what to provide, I've got
logs galore.

Thanks for any help provided.

Andreas