Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: bt628.txt

possible open relay hole in qmail-smtpd-auth patch

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

the qmail-smtpd-auth patch is a commonly used patch to qmail which allows=20
the qmail-smtpd program to support the AUTH extension, by specifying a=20
"checkpassword" program on the command line. the homepage for the patch is:

the patch modifies qmail-smtpd so that it can be called with three=20
command-line parameters: the local host name (used for generating CRAM-MD5=
challenges), the checkpassword program itself, and a "dummy" program which=
is run by the checkpassword program after a successful authentication.

the "dummy" program is needed because checkpassword programs are designed=20
for use in a POP3 or IMAP situation, where they would validate the user's=20
credentials and then run the actual POP3 or IMAP server program.

the current version of the SMTP-AUTH patch contains a serious bug which can=
accidentally allow somebody who forgets one or more of the command line=20
parameters to start running an open relay by accident. it has been reported=
in several places over the last week, including this message on the qmail=20
mailing list:

if the user forgets the hostname parameter to qmail-smtpd and uses /bin/tru=
as the dummy program (/bin/true is the suggested dummy program), they will=
actually be using /bin/true as the checkpassword program, which allows ANY=
combination of userid and password to use your server as a relay.

i have written a revision to the qmail-smtpd-auth patch which compensates=20
for this common error by not supporting the AUTH command unless all three=20
command line arguments are present.

the version 0.31 patch does not correctly check for this- with a missing=20
command line argument, it ends up reading memory beyond the end of argv[],=
which is NOT filled with zeros- on most *nix systems it's actually the=20
beginning of the environment block. has the modified "auth.patch" file available for=

the changes i've made (actually CHECKING argc instead of assuming there wil=
be something there) need to be incorporated into the qmail-smtpd-auth patch=
as soon as possible. the author of the patch seems to have not touched it=20
since may 2002.

| John Simpson - KG4ZOW - Programmer At Large |
|        <> |

Content-Type: application/pgp-signature
Content-Description: signature

Version: GnuPG v1.2.1 (GNU/Linux)



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH