Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: bt628.txt

possible open relay hole in qmail-smtpd-auth patch





--Boundary-02=_61CF/fS8eBwGEmA
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

the qmail-smtpd-auth patch is a commonly used patch to qmail which allows=20
the qmail-smtpd program to support the AUTH extension, by specifying a=20
"checkpassword" program on the command line. the homepage for the patch is:

http://members.elysium.pl/brush/qmail-smtpd-auth/

the patch modifies qmail-smtpd so that it can be called with three=20
command-line parameters: the local host name (used for generating CRAM-MD5=
=20
challenges), the checkpassword program itself, and a "dummy" program which=
=20
is run by the checkpassword program after a successful authentication.

the "dummy" program is needed because checkpassword programs are designed=20
for use in a POP3 or IMAP situation, where they would validate the user's=20
credentials and then run the actual POP3 or IMAP server program.

the current version of the SMTP-AUTH patch contains a serious bug which can=
=20
accidentally allow somebody who forgets one or more of the command line=20
parameters to start running an open relay by accident. it has been reported=
=20
in several places over the last week, including this message on the qmail=20
mailing list:

http://marc.theaimsgroup.com/?l=3Dqmail&m=3D105452174430616&w=3D2

if the user forgets the hostname parameter to qmail-smtpd and uses /bin/tru=
e=20
as the dummy program (/bin/true is the suggested dummy program), they will=
=20
actually be using /bin/true as the checkpassword program, which allows ANY=
=20
combination of userid and password to use your server as a relay.

i have written a revision to the qmail-smtpd-auth patch which compensates=20
for this common error by not supporting the AUTH command unless all three=20
command line arguments are present.

the version 0.31 patch does not correctly check for this- with a missing=20
command line argument, it ends up reading memory beyond the end of argv[],=
=20
which is NOT filled with zeros- on most *nix systems it's actually the=20
beginning of the environment block.

http://www.jms1.net/qmail/ has the modified "auth.patch" file available for=
=20
download.

the changes i've made (actually CHECKING argc instead of assuming there wil=
l=20
be something there) need to be incorporated into the qmail-smtpd-auth patch=
=20
as soon as possible. the author of the patch seems to have not touched it=20
since may 2002.

=2D-=20
=2D----------------------------------------------
| John Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/        <jms1@jms1.net> |
=2D----------------------------------------------

--Boundary-02=_61CF/fS8eBwGEmA
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQA/FC16EB9RczMG/PsRAjIbAKCSlYaV0RHp5FiPR7tr8TkPdqFwjgCghI6K
toVFSvpC/vrSVDADRX58N4o=
=/6Zb
-----END PGP SIGNATURE-----

--Boundary-02=_61CF/fS8eBwGEmA--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH