Hi all,
It was brought to my attention that dbmail currently authenticates any
user with any password if the client issues a CRAM-MD5 authentication
exchange, while the user - which does need to exist - has its password
stored in an encrypted format.
This affects all versions supporting cram-md5, so 3.0.0 and later.
Installations using authldap are *not* affected.
You should disable CRAM-MD5 in dbmail.conf if you store passwords encrypted.
A patch was already pushed to git both on dbmail.eu and github.
I'll release a patched version asap.
--
________________________________________________________________
Paul J Stevens pjstevns @ gmail, twitter, skype, linkedin
www.nfg.nl/info@nfg.nl/+31.85.877.99.97
_______________________________________________
DBmail mailing list
DBmail@dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail
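
A server-side CRAM-MD5 check that fails closed for accounts whose password is stored hashed, given as an added example that is not dbmail's code or its patch. The `USERS` store, its `scheme` labels and the sample challenge are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed account store; field names and scheme labels are assumptions
# made for this example, not dbmail's schema.
USERS = {
    "alice": {"scheme": "plaintext", "secret": "correct horse"},
    "bob": {"scheme": "sha256", "secret": hashlib.sha256(b"hunter2").hexdigest()},
}

# Constructed sample challenge; a real server generates a fresh one per login.
CHALLENGE = b"<1234.5678@mail.example.org>"


def client_response(user, password, challenge):
    """What a CRAM-MD5 client sends (RFC 2195): base64("user hexdigest")."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_cram_md5(response_b64, challenge):
    """Return the authenticated username, or None. Every error path rejects."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, _, client_digest = decoded.rpartition(" ")
    account = USERS.get(user)
    if account is None:
        return None
    # CRAM-MD5 uses the shared secret itself as the HMAC key. A one-way hash
    # of the password cannot reproduce the client's digest, so the exchange
    # must be refused for such accounts rather than allowed to fall through.
    if account["scheme"] != "plaintext":
        return None
    expected = hmac.new(account["secret"].encode(), challenge, hashlib.md5).hexdigest()
    if not hmac.compare_digest(expected.encode(), client_digest.encode()):
        return None
    return user


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", "x"), ("bob", "hunter2")]:
        print(user, pw, "->", verify_cram_md5(client_response(user, pw, CHALLENGE), CHALLENGE))
```

The account with a hashed password is rejected even when the client knows the right password, which is why CRAM-MD5 has to be disabled for installations that store passwords encrypted.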