Re: Problems with FTGate

[glynn () SENSEI CO UK (Glynn Clements)]

Jeremy C. Reed wrote:

> > FTGate's POP3 server responds to invalid USER requests with a -ERR code
> > and doesn't disconnect you. This means that it is possible to bruteforce
> > usernames and passwords with ease.
>
> What does "invalid USER requests" mean? It is normal for (at least RFC
> 1939-based) POP3 servers to output an "-ERR" message and to then allow the
> user to attempt another USER/PASS attempt.
>
> From RFC 1939:
>
>              To authenticate using the USER and PASS command
>              combination, the client must first issue the USER
>              command.  If the POP3 server responds with a positive
>              status indicator ("+OK"), then the client may issue
>              either the PASS command to complete the authentication,
>              or the QUIT command to terminate the POP3 session.  If
>              the POP3 server responds with a negative status indicator
>              ("-ERR") to the USER command, then the client may either
>              issue a new authentication command or may issue the QUIT
>              command.

RFC 1939 goes on to say:

             The server may return a positive response even though no
             such mailbox exists.  The server may return a negative
             response if mailbox exists, but does not permit plaintext
             password authentication.

AFAIK, it is considered good practice not to make any distinction
between a bad username and a good username with a bad password when
performing username/password authentication.

The UCD-derived pop3d works this way:

        +OK cerise POP3 Server (Version 1.005l) ready at <Thu Jun 29 07:45:26 2000>
        USER foo
        +OK please send PASS command
        PASS xyz
        -ERR invalid usercode or password, please try again

[NB: user "foo" does not exist.]

--
Glynn Clements <glynn () sensei co uk>