One of our users graciously gave her Messagestore account password to a
spammer who spent the weekend using our system via Squirrelmail to send
out a few hundred thousand spams.
I found this out yesterday as I was leaving for an appointment and disusered
the guilty account, which appears to have had no effect at all since the
logs show that the spammer continued to log in unimpeded all night.
We authenticate to Messagestore with LDAP. Does the disuser flag have no
effect if authentication is done with LDAP????
I'm getting tired of Squirrelmail...
--
Richard Loken VE6BSV, Unix System Administrator : "Anybody can be a father
Athabasca University                            : but you have to earn
Athabasca, Alberta Canada                       : the title of 'daddy'"
** rich...@admin.athabascau.ca **               : - Lynn Johnston
(I assume you mean you've configured security.cnf to authenticate usernames
and passwords using the LDAP authentication source.)
Yes, that is correct. Security.cnf does not know that the username and
password that it is authenticating refers to a msgstore account or some
other kind of account. All it knows is it has a username string and a
password string and a list of authentication sources to use to check them.
Valerie Miller
Process Software
> Yes, that is correct. Security.cnf does not know that the username and
> password that it is authenticating refers to a msgstore account or some
> other kind of account. All it knows is it has a username string and a
> password string and a list of authentication sources to use to check them.
Alas, more is the pity. Anyway, I have gone to the gods of authentication
and received permission and access to change the password for recalcitrant
users so I can better attack these problems in the future.