Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
Nope. Not using MD5 passwords. 5.3.20 at present. -M From: Tom Collins [EMAIL PROTECTED] To: vpopmail list [EMAIL PROTECTED] Subject: Re: [vchkpw] SMTP-Auth bug in passwords? Date: Tue, 9 Sep 2003 21:24:31 -0700 On Tuesday, September 9, 2003, at 08:40 PM, Mike Miller wrote: Looking just below

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
PROTECTED] Subject: Re: [vchkpw] SMTP-Auth bug in passwords? Date: Wed, 10 Sep 2003 00:10:30 -0500 I apologize for sending a copy directly to you Anthony, reply button in evolution is a little crazy sometimes :) On Wed, 2003-09-10 at 00:06, Anthony Baratta wrote: Tom... Doesn't the AUTH LOGIN state

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
PROTECTED] Subject: Re: [vchkpw] SMTP-Auth bug in passwords? Date: Tue, 9 Sep 2003 22:23:27 -0700 On Tuesday, September 9, 2003, at 10:06 PM, Anthony Baratta wrote: Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he put in AUTH CRAM-MD5 then it would be expecting MD5

[vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Mike Miller
Hi, This is in regards to SMTP-AUTH and an interesting bug which is creeping up somewhere. We had a customer who recently had a username of webmaster and a password of webmaster00. From the standard pop3 authentication, there was no issue with this username and password. For some reason,

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Tom Collins
On Tuesday, September 9, 2003, at 08:40 PM, Mike Miller wrote: Looking just below, the SPAMmer who made use of this, used the same username and password. I then tried the base64 password for their 'webmaster00' password and that [d2VibWFzdGVyMDA=] works as well. I then tried truncating their

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Anthony Baratta
At 09:24 PM 9/9/2003, Tom Collins wrote: Are you using MD5 passwords (go to your vpopmail source directory and `grep MD5 config.h`)? If not, I think crypt() only uses the first 8 characters of the password. I'm not sure what the limit is if you're using MD5. Tom... Doesn't the AUTH LOGIN

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Jeremy Kitchen
I apologize for sending a copy directly to you Anthony, reply button in evolution is a little crazy sometimes :) On Wed, 2003-09-10 at 00:06, Anthony Baratta wrote: Tom... Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he put in AUTH CRAM-MD5 then it would be

Re: [vchkpw] SMTP-Auth bug in passwords?

2003-09-09 Thread Tom Collins
On Tuesday, September 9, 2003, at 10:06 PM, Anthony Baratta wrote: Doesn't the AUTH LOGIN state that he's going to use Base64 encoding?? If he put in AUTH CRAM-MD5 then it would be expecting MD5 encoding. So this appears to be a problem with LOGIN, either in the patch or with vPopmail. When