Sounds like you are saying that authentication is not working at all.

What are the contents of your server.tab, smtprelay.tab and
smtpauth.tab?

Bill

>----------
>From:  Vëérêsh Khånörkãr [SMTP:[EMAIL PROTECTED]]
>Sent:  Thursday, May 02, 2002 1:40 AM
>To:    [EMAIL PROTECTED]
>Subject:       [xmail] Re: Might be A Bug [Part II]
>
>
>I had made EHLO mandatory in the XMail server by
>commenting the code which acknowledges the "HELO"
>command, hence the only command that is accepted by
>the email server is "EHLO". And later when the server
>was built I tested it again, and found that if the
>authentication has failed, the server will still allow
>the mail delivery. In my case the email server has no
>chance of accepting mail from another email server and
>hence there is no need for allowing the "HELO" command;
>users can of course use "EHLO". However, while testing
>the security, I found this security hole. I did change
>the code a bit by rejecting the session as soon as the
>authentication fails. However, I thought I should
>inform Davide about it. It could be a potential
>loophole. Try it out yourself,
>
>*) EHLO somedomain
>*) MAIL FROM: <[EMAIL PROTECTED]>
>*) RCPT To: <[EMAIL PROTECTED]>
>
>Now the mail server should object at the second
>command itself, however that doesn't happen either.
>And the message gets delivered; it's the same as mail
>delivery without authentication with EHLO.
>
>
>Veeresh
>--- Bill Healy <[EMAIL PROTECTED]> wrote:
>>
>> Try your test again without even trying to authenticate. Your system
>> might not require authentication to send e-mail because either your IP
>> is in smtprelay, you have SMTP after POP enabled or you have left your
>> system open some other way. When you have your system configured so that
>> it won't take your test message without authentication then try your
>> test again with authentication and post the results.
>>
>> Bill
>>
>> >----------
>> >From:       Vëérêsh Khånörkãr [SMTP:[EMAIL PROTECTED]]
>> >Sent:       Wednesday, May 01, 2002 1:17 AM
>> >To:         [EMAIL PROTECTED]
>> >Subject:    [xmail] Re: Might be A Bug [Part II]
>> >
>> >
>> >Agreed if the session is in non-authenticated state
>> >then the user should not be allowed to send mail and
>> >that's what is exactly happening. In such case any user
>> >who knows this failure in authentication but still
>> >mail delivery can give rise to spam, don't you think so?
>> >
>> >I mean if the authentication has not succeeded then
>> >mail delivery should be denied. But that's not occurring
>> >here. Anyone who knows this point can exploit it for
>> >spamming.
>> >
>> >-Veeresh
>> >
>> >--- Davide Libenzi <[EMAIL PROTECTED]> wrote:
>> >>
>> >> On Tue, 30 Apr 2002, Vëérêsh Khånörkãr wrote:
>> >>
>> >> >
>> >> > Another dump check it out:
>> >> >
>> >> > The underlined command shouldn't be allowed IMHO. Check
>> >> > it out:
>> >> > After the user has given EHLO, the user is supposed to
>> >> > give AUTH, but in the below case if the user gives
>> >> > _MAIL FROM_ it's still accepted. Isn't it a security
>> >> > lapse?
>> >> >
>> >> > Please do reply back.
>> >>
>> >> no, if the auth fails the server state remains in
>> >> non-authenticated. that's it.
>> >>
>> >> - Davide
-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
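
The relay decision discussed in this thread, as an added example (a simplified model, not XMail's code and not part of the original messages): a failed AUTH only leaves the session unauthenticated, so whether RCPT is accepted depends on the recipient and on other relay permissions. The class names, reply codes and sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Session:
    client_ip: str
    authenticated: bool = False    # True only after a successful AUTH
    pop_before_smtp: bool = False  # client IP recently passed a POP3 login

@dataclass
class RelayPolicy:
    local_domains: frozenset  # domains this server is the final destination for
    relay_networks: tuple     # CIDR blocks allowed to relay without AUTH

    def ip_trusted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.relay_networks)

    def check_rcpt(self, session, rcpt):
        """Return (SMTP code, reason) for one RCPT TO in this model."""
        domain = rcpt.strip("<>").rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            # Inbound mail for our own users: other servers never AUTH.
            return 250, "local recipient"
        if session.authenticated:
            return 250, "relay: authenticated"
        if self.ip_trusted(session.client_ip):
            return 250, "relay: client IP in relay list"
        if session.pop_before_smtp:
            return 250, "relay: SMTP after POP"
        return 550, "relay denied"

# Constructed sample configuration and sessions (documentation address ranges).
POLICY = RelayPolicy(frozenset({"example.org"}), ("192.0.2.0/24",))

def audit():
    cases = [
        ("failed AUTH, local rcpt", Session("198.51.100.7"), "<bob@example.org>"),
        ("failed AUTH, remote rcpt", Session("198.51.100.7"), "<eve@example.net>"),
        ("no AUTH, trusted IP", Session("192.0.2.10"), "<eve@example.net>"),
        ("AUTH ok, remote rcpt", Session("198.51.100.7", True), "<eve@example.net>"),
    ]
    return {name: POLICY.check_rcpt(s, rcpt) for name, s, rcpt in cases}

if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:26} -> {result}")
```

If a test from an untrusted address to a non-local recipient is still accepted without AUTH, the relay list and SMTP-after-POP settings are the first places to look.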
