Bug#336979: exim4: Using courier_authdaemon authentication accepts wrong passwords

Peter Thomassen info at peter-thomassen.de
Wed Nov 2 00:37:35 UTC 2005


Package: exim4
Version: 4.54-1
Severity: normal

When using plain_courier_authdaemon or login_courier_authdaemon
authentication, wrong passwords are accepted (but only correct
usernames).

According to [1], this is Debian-specific.
  [1]: http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php

[2] gives another server_condition which is claimed to not raise this
problem, but I cannot verify that because I just don't understand it.
  [2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730

Since this allows unauthorized people to authenticate with Exim, this is
a security hole (critical).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)



