Bug#336979: exim4: Using courier_authdaemon authentication accepts
wrong passwords
Peter Thomassen
info at peter-thomassen.de
Wed Nov 2 00:37:35 UTC 2005
Package: exim4
Version: 4.54-1
Severity: normal
When using plain_courier_authdaemon or login_courier_authdaemon
authentication, wrong passwords are accepted (but only correct
usernames).
According to [1], this is Debian-specific.
[1]: http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php
[2] gives another server_condition which is claimed to not raise this
problem, but I cannot verify that because I just don't understand it.
[2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730
Since this allows unauthorized people to authenticate with Exim, this is
a security hole (critical).
-- System Information:
Debian Release: testing/unstable
APT prefers testing-proposed-updates
APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
More information about the Pkg-exim4-maintainers
mailing list