
[Full-disclosure] debian postfix saslauthd pam sasl2-bin

Subject: [Full-disclosure] debian postfix saslauthd pam sasl2-bin
Date: Sun, 26 Aug 2007 14:14:54 +0200
Couldn't it be that there is a huge security hole for SASL authentication
(Postfix) in Debian? The default for sasl2-bin (cyrus-sasl2) in /etc/default/saslauthd is
MECHANISMS="pam" without a proper pam.d file:

        #
        # /etc/pam.d/other - specify the PAM fallback behaviour
        #
        # Note that this file is used for any unspecified service; for example
        #if /etc/pam.d/cron  specifies no session modules but cron calls
        #pam_open_session, the session module out of /etc/pam.d/other is
        #used.  If you really want nothing to happen then use pam_permit.so or
        #pam_deny.so as appropriate.

        # We fall back to the system default in /etc/pam.d/common-*
        #

        @include common-auth
        @include common-account
        @include common-password
        @include common-session

The fallback behaviour for PAM ends up accepting any valid username
without password verification.

Massively used by this host for sending hundreds of thousands of spam mails
in one day:

        61.142.81.37
        211.141.77.186
        194.143.132.115
        210.123.124.168
        221.130.55.20
        202.143.186.250
        211.138.9.114
        202.96.189.45
        200.78.117.240
        221.2.96.198
        200.78.117.241
        66.167.100.59
        61.128.110.110
        61.130.20.50
        84.247.29.103
        202.153.248.34
        201.222.9.54
        202.103.242.100
        201.15.145.2
        58.21.128.78
        200.78.117.236
        61.50.157.3
        200.230.120.4
        193.41.235.105
        202.109.121.51
        190.67.12.246
        202.152.32.59
        219.248.126.108
        89.28.3.157
        85.85.75.18
        208.5.148.67
        84.109.8.253
        211.103.156.233
        206.18.219.23
        200.164.73.254

sample mail.info log entries:
sasl_method=LOGIN, sasl_username=admin
sasl_method=LOGIN, sasl_username=root
sasl_method=LOGIN, sasl_username=webmaster

Please correct me if I'm wrong.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current Thread: [Full-disclosure] debian postfix saslauthd pam sasl2-bin, Karsten Gessner
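The three mail.info entries quoted in the post are the only evidence it shows. As an added example, not part of the original message, the following Python script reads Postfix mail.info lines of that form and flags clients that have authenticated as several distinct accounts or as accounts that should never relay mail, which is what a system-wide PAM fallback produces: every account in /etc/passwd becomes a usable SASL login, so the tell is one client cycling through account names rather than a burst of failures. The sample log lines and the list of accounts are constructed for this example (the client addresses reuse a few from the list above); both are assumptions to adapt to your own host.

```python
"""Triage Postfix SASL logins for the 'any valid username, no password'
failure mode: one remote client authenticating as several accounts, or as
accounts that should never authenticate to SMTP at all."""

import re
from collections import defaultdict

# Constructed sample of Postfix mail.info lines for this example (not taken
# from the post; only the client addresses reuse addresses listed there).
SAMPLE_LOG = """\
Aug 26 03:12:01 mx postfix/smtpd[2381]: 7F1A2C0B1: client=unknown[61.142.81.37], sasl_method=LOGIN, sasl_username=admin
Aug 26 03:12:04 mx postfix/smtpd[2381]: 7F1A2C0B2: client=unknown[61.142.81.37], sasl_method=LOGIN, sasl_username=root
Aug 26 03:12:09 mx postfix/smtpd[2384]: 7F1A2C0B3: client=unknown[61.142.81.37], sasl_method=LOGIN, sasl_username=webmaster
Aug 26 03:13:15 mx postfix/smtpd[2390]: 7F1A2C0B4: client=unknown[211.141.77.186], sasl_method=PLAIN, sasl_username=root
Aug 26 03:13:20 mx postfix/smtpd[2390]: 7F1A2C0B5: client=unknown[211.141.77.186], sasl_method=PLAIN, sasl_username=admin
Aug 26 03:14:02 mx postfix/smtpd[2391]: 7F1A2C0B6: client=unknown[211.141.77.186], sasl_method=PLAIN, sasl_username=postmaster
Aug 26 08:30:11 mx postfix/smtpd[2402]: 7F1A2C0B7: client=laptop.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Aug 26 08:31:45 mx postfix/smtpd[2402]: 7F1A2C0B8: client=laptop.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Aug 26 09:02:13 mx postfix/smtpd[2410]: 7F1A2C0B9: client=unknown[194.143.132.115], sasl_method=LOGIN, sasl_username=www-data
"""

# Accounts that exist on the box but should never authenticate to SMTP.
# This list is an assumption for the example; build it from your own
# /etc/passwd (system accounts, role aliases) on a real host.
NEVER_SMTP_ACCOUNTS = frozenset({
    "root", "admin", "webmaster", "postmaster", "www-data",
    "daemon", "bin", "sys", "nobody",
})

# Matches the "client=host[ip], sasl_method=X, sasl_username=Y" fragment
# that smtpd logs when a SASL login succeeded.
SASL_RE = re.compile(
    r"client=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\],\s*"
    r"sasl_method=(?P<method>\w+),\s*sasl_username=(?P<user>[^\s,]+)"
)


def parse_sasl_logins(log_text):
    """Return one (client_ip, sasl_method, sasl_username) tuple per line
    that records a successful SASL authentication."""
    logins = []
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            logins.append((m.group("ip"), m.group("method"), m.group("user")))
    return logins


def usernames_by_client(logins):
    """Map each client IP to the set of usernames it authenticated as."""
    users = defaultdict(set)
    for ip, _method, user in logins:
        users[ip].add(user)
    return dict(users)


def flag_clients(logins, min_distinct=2, never_smtp=NEVER_SMTP_ACCOUNTS):
    """Return {client_ip: [reasons]} for clients worth investigating:
    too many distinct accounts from one address, or a login as an account
    that has no business sending mail."""
    flagged = {}
    for ip, users in usernames_by_client(logins).items():
        reasons = []
        if len(users) >= min_distinct:
            reasons.append(
                f"authenticated as {len(users)} distinct accounts: "
                + ", ".join(sorted(users))
            )
        hits = sorted(users & never_smtp)
        if hits:
            reasons.append("authenticated as system/role account(s): " + ", ".join(hits))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in sorted(flag_clients(parse_sasl_logins(SAMPLE_LOG)).items()):
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run it against `grep sasl_username /var/log/mail.info` on the affected host instead of the constructed sample; the regular client (192.0.2.10 above, always the same account) is not flagged, while the three others are. A direct check of the daemon itself, assuming sasl2-bin's testsaslauthd is installed and saslauthd is running, is `testsaslauthd -u <existing account> -p wrongpassword -s smtp`: a correctly configured saslauthd answers NO, and an OK for a wrong password confirms the fallback described in the post.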