>> during development of a pop3 tool I found an issue that makes it possible
>> for any user to check the validity of a user on a target system. If a user
>> is valid and an invalid password has been supplied, then the system waits
>> ~10 seconds until it sends a disconnect message and disconnects. If the
>> username was not correct, then it disconnects immediately after the wrong
>> password.
Is this really true? If so, I think it may be system dependent.
On our mailserver running qpopper 4.04 on RH Linux 7.1 with PAM authentication, I don't see the claimed behavior. The username/password pair is submitted to PAM and if it fails there is the 10 second delay even if the username was invalid.
hmmm...
our system (4.0.5 on linux) there is a 10 sec. delay before qpopper
tells "-ERR [AUTH] Pass...."
but then there is a second delay (approx. 10 sec.) if the username exists, before
qpopper quits the connection.
if the user does not exist, qpopper quits immediately after "-ERR [AUTH] Pass...."
M. Kellermann [EMAIL PROTECTED]
sk datentechnik GmbH
Stalleickenweg 5
44867 Bochum
Tel 02327-9501-0
Fax 02327-9501-25
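
The following is an added example, not part of the thread and not qpopper source code. It is a toy model of the failure path reported above for 4.0.5 (a second delay only when the account exists) beside a uniform version, with a check that compares the two timing traces. All function names, the event labels and the tolerance value are assumptions made for illustration.

```python
# Toy model of the authentication-failure timing described in the thread.
# Not qpopper code: handler names, event labels and tolerance are assumptions.
FAIL_DELAY = 10.0  # seconds, the approximate delay reported in the thread


def leaky_failure(user_exists, sleep, emit):
    """Reported behaviour: the second delay happens only for existing users."""
    sleep(FAIL_DELAY)
    emit("auth_error")
    if user_exists:          # this branch is what reveals account validity
        sleep(FAIL_DELAY)
    emit("disconnect")


def uniform_failure(user_exists, sleep, emit):
    """Hardened form: the same delays whether or not the account exists."""
    sleep(FAIL_DELAY)
    emit("auth_error")
    sleep(FAIL_DELAY)        # unconditional, so timing carries no information
    emit("disconnect")


def trace(handler, user_exists):
    """Run a handler against a fake clock; return [(elapsed_seconds, event)]."""
    clock = [0.0]
    events = []

    def sleep(seconds):
        clock[0] += seconds

    def emit(event):
        events.append((clock[0], event))

    handler(user_exists, sleep, emit)
    return events


def leaks_validity(handler, tolerance=0.5):
    """True if any event's timing differs between a valid and an invalid user."""
    valid = trace(handler, True)
    invalid = trace(handler, False)
    return any(abs(tv - ti) > tolerance
               for (tv, _), (ti, _) in zip(valid, invalid))


if __name__ == "__main__":
    for handler in (leaky_failure, uniform_failure):
        print(handler.__name__, "leaks:", leaks_validity(handler))
```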