Mailbox vulnerable?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Mon Jun 28 17:38:17 UTC 2004


On Mon, 28.06.2004 at 18:21, Hongwei Li wrote:

> I installed the new pine 4.60.  When I try a test account's pine, the
> warning message is gone.  Thanks!

Good.

> However, the system mail log (not message log) shows warning:
> 
> Jun 28 11:13:03 morpheus ipop3d[1183]: pop3 service init from 128.252.85.189
> Jun 28 11:13:03 morpheus ipop3d[1183]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
> 
> after each pop3 user logs in (Outlook Express, etc.), but it seems no
> warning message after squirrelmail user logs in.
> 
> Anything else is wrong? or should be changed. I have never touched the
> pop3 service, but just set iptables and open the port for it.

> Hongwei

I can confirm that warning messages from uw-imapd appear in the log.
Normally I do not offer POP3 to my users, just IMAPs, and with that I
never had any issue. Now for testing I activated POP3 locally in
addition and telnetted to it. As a result I get the message too:

==> /var/log/imaplog <==
Jun 28 19:06:12 blacky ipop3d[14128]: Trying to get mailbox lock from process 29363
Jun 28 19:06:13 blacky ipop3d[14128]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
Jun 28 19:06:13 blacky ipop3d[14128]: Login user=adalloz host=localhost.localdomain [127.0.0.1] nmsgs=207/207
Jun 28 19:06:27 blacky ipop3d[14128]: Mailbox vulnerable - directory /var/spool/mail must have 1777 protection
Jun 28 19:06:27 blacky ipop3d[14128]: Logout user=adalloz host=localhost.localdomain [127.0.0.1] nmsgs=207 ndele=0

So I suggest checking bugzilla for reports about that. If nothing is in
there you might fill in a report yourself. Though I doubt there will
ever be a fix, as uw-imapd is no longer shipped with current FC2. You may
switch over to dovecot or disable POP3 and let your users use IMAP. Or
you live with the warnings in the log. You might also try setting the
permissions "chmod 1777 /var/spool/mail" and see whether you face other
problems or errors in any logfile.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) on Athlon CPU kernel 2.6.6-1.435 
Serendipity 19:30:39 up 1 day, 21:17, load average: 0.17, 0.15, 0.11 
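
An added example, not part of the original message: a small Python check of the spool directory mode that the ipop3d warning refers to, useful before and after trying "chmod 1777 /var/spool/mail". The function name and the wording of the findings are assumptions made for this illustration; the default path is the one from the log lines above.

```python
import os
import stat
import sys

EXPECTED_MODE = 0o1777  # rwxrwxrwt, the mode named in the ipop3d warning


def audit_spool_dir(path):
    """Return (mode, findings) for a mail spool directory.

    An empty findings list means the mode is exactly 1777.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    # Permission bits including setuid, setgid and sticky.
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode != EXPECTED_MODE:
        findings.append("mode is %04o, the warning asks for %04o"
                        % (mode, EXPECTED_MODE))
    # World-writable directories need the sticky bit; without it every
    # local user may delete or rename entries that belong to someone else.
    if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        findings.append("world-writable without the sticky bit: any local "
                        "user can delete or rename files owned by others")
    return mode, findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/mail"
    mode, findings = audit_spool_dir(target)
    print("%s has mode %04o" % (target, mode))
    for finding in findings:
        print("  - " + finding)
    sys.exit(1 if findings else 0)
```

The exit status is non-zero whenever the mode differs from 1777, so the check can run from cron or a configuration-management job.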