Package: exim4
Version: 4.54-1
Severity: normal

When using plain_courier_authdaemon or login_courier_authdaemon authentication, wrong passwords are accepted (but only correct usernames).
According to [1], this is Debian-specific.

[1]: http://www.devco.net/archives/2004/06/10/smtp_auth_with_exim_and_courier_authdaemon.php

[2] gives another server_condition which is claimed to not raise this problem, but I cannot verify that because I just don't understand it.

[2]: http://www.exim.org/eximwiki/FAQ/Policy_controls/Q0730

Since this allows unauthorized people to authenticate with Exim, this is a security hole (critical).

-- System Information:
Debian Release: testing/unstable
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)