Hi Gordon, Hi List,

No problem. Glad I could help and you were able to reproduce it. I guess it happens if you install apache2 and php5 with the default meta packages or something like that.

My biggest issue with vexim/exim4u is the clear text password. It's 2015 now and cleartext passwords are an evil thing to have in ANY database. I haven't had time to look deeply into the code and produce a patch to remove it yet. Every modern mail client should be able to handle STARTTLS and SSL tunnels, so plain, crypt and other legacy authentications can be called obsolete and should be removed sooner rather than later, IMHO.

Maybe someone could spend a few hours to completely remove it? It would be a huge security improvement.

Kind regards 

Michael Seidel 
Sysadmin
http://www.fai.ag

Send via Mobile Phone
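A worked example of what the login path looks like once cleartext storage is gone, added here as an editor's illustration; it is not code from exim4u, vexim or any poster in this thread. It verifies a portal login against the crypt-style hashes discussed here (MD5 "$1$" and SHA-512 "$6$"), compares in constant time, and re-hashes any legacy row (cleartext or MD5) to SHA-512 crypt on the next successful login. It assumes PHP 7.0 or later; the `$save` callback and the sample rows are constructed for the example and do not reflect the real exim4u table layout.

```php
<?php
// Added example, not exim4u/vexim code. Assumes PHP >= 7.0
// (password_verify, hash_equals, random_bytes).

// Build a fresh SHA-512 crypt hash with a random 16-character salt.
// crypt(3) salts use the alphabet [./0-9A-Za-z]; 12 random bytes base64
// encode to exactly 16 characters, and '+' is mapped to '.' to fit.
function make_sha512_crypt(string $password): string
{
    $salt = substr(strtr(base64_encode(random_bytes(12)), '+', '.'), 0, 16);
    $hash = crypt($password, '$6$rounds=100000$' . $salt . '$');
    // crypt() returns a short string such as "*0" when the algorithm is
    // unavailable; never store that as a password hash.
    if (strlen($hash) < 13) {
        throw new RuntimeException('SHA-512 crypt is not available on this system');
    }
    return $hash;
}

// True if the candidate matches the stored credential.
function password_matches(string $candidate, string $stored): bool
{
    if ($stored === '' || $stored[0] !== '$') {
        // Legacy cleartext row. Compare in constant time during the
        // transition; the caller re-hashes it right after a successful login.
        return hash_equals($stored, $candidate);
    }
    // password_verify() accepts any crypt(3) output ($1$, $5$, $6$, $2y$)
    // and compares in constant time, so MD5 and SHA-512 rows both work here.
    return password_verify($candidate, $stored);
}

// Anything that is not SHA-512 crypt (cleartext, MD5 "$1$") gets upgraded.
function needs_rehash(string $stored): bool
{
    return strncmp($stored, '$6$', 3) !== 0;
}

// Login check that opportunistically migrates weak rows. $save is a
// hypothetical callback that writes the new hash back to the account row.
function login_and_upgrade(string $candidate, string $stored, callable $save): bool
{
    if (!password_matches($candidate, $stored)) {
        return false;
    }
    if (needs_rehash($stored)) {
        $save(make_sha512_crypt($candidate));
    }
    return true;
}

// Constructed sample rows (not real accounts): one cleartext, one MD5 crypt,
// one already on SHA-512 crypt.
$rows = [
    'alice' => 'hunter2',
    'bob'   => crypt('correct horse', '$1$abcdefgh$'),
    'carol' => make_sha512_crypt('battery staple'),
];
$attempts = ['alice' => 'hunter2', 'bob' => 'correct horse', 'carol' => 'wrong'];

foreach ($attempts as $user => $pw) {
    $ok = login_and_upgrade($pw, $rows[$user], function (string $newHash) use (&$rows, $user) {
        $rows[$user] = $newHash; // in a real install: UPDATE the account row
    });
    printf("%-6s login %s, stored row now starts with %s\n",
        $user, $ok ? 'ok    ' : 'FAILED', substr($rows[$user], 0, 3));
}
```

After this runs, alice and bob are both stored as "$6$..." rows and carol's row is untouched because her login failed; the cleartext branch exists only so existing users can be migrated on first login and can be deleted once no cleartext rows remain.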


-------- Original Message --------
From: Gordon Dickens <gecko@exim4u.org>
Date: 09.03.2015 14:52 (GMT+01:00)
To: Exim4U General Discussion <users@exim4u.org>
Subject: Re: [Exim4U] Web Portal Login w/ MD5

On 03/07/2015 02:46 PM, Torry Crass wrote:
THE PROBLEM
However, I've come up with a problem. Any time an account is created with the MD5 hash, e-mail and logging into e-mail directly works fine, but logging into the exim4u web portal does not so people are not able to manage their accounts via the web interface. It simply returns a login failed message.

Hi Torry,

Sorry about your problem and that I have not replied sooner, however, I've been away with limited access to my email since last Wednesday.  Also, a big thanks to Rimas Kudelis and Michael Seidel for their posts.


Then, on 03/08/2015 04:59 AM, Seidel, Michael wrote:
Hi Torry, please have a look at my old post on this list from August 2014:

http://exim4u.org/pipermail/users/2014-August/000226.html

Hi Michael,

Looks like you may have identified the problem and a potential solution.  I should have been more proactive back in August, when you first posted your problem/solution, however, I had not yet seen the issue myself in my installations which include two Debian Wheezy installs.  Nevertheless, I am now able to reproduce the problem on my Wheezy installs. On the other hand, the problem does not appear in my Debian Squeeze, CentOS and FreeBSD installs.  As an aside, this suhosin patch issue was not introduced into Wheezy until sometime in mid 2014 since I know for certain that everything worked fine until then on Wheezy.


Then, on 03/08/2015 02:15 PM, Torry Crass wrote:
Michael, your post is spot on regarding the problem I'm running into. Even in the newer source off of GitHub that I was looking at it isn't resolved (and several other things are currently broken in that version, like no submit button on editing an existing account) -- though the old one does use MD5 passwords successfully.

I've modified the function as you suggested but login is still not functioning properly, tossing a login failure to any SHA512 accounts.

I'm still working on it but thought I would send a message thanking you for that guidance.

Torry, please let us know your findings.  I will spend some time on this myself, however, it will probably be later in the week.

Also, I am curious about what wasn't working in the GitHub version. I've got a FreeBSD installation running the current GitHub version and I am not seeing the missing submit button that you reported, and I am unaware of any other current issues. However, I am in the middle of porting a lot of the recent Vexim mods and, while I have done some situational testing, I have not yet thoroughly tested all of the recent mods. So, please report any bugs that you find and I will work to address them.

Thanks,

Gordon