From a5d827d596efcd35c9a545512ce22fb4031a5b3a Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Sat, 25 May 2019 08:32:58 +0000
Subject: [PATCH] inbound_auth_cb(): report a "Password mismatch" error (over
 BinkP) if one of the configured linked-nodes matching the remote address(es)
 is set for CRAM-MD5 passwords only and a plain-text password was provided by
 the remote. Previously, the function would log a warning: "CRAM-MD5 required
 (and not provided) by <addr>" but succeed (the actual password value was not
 checked) and it would flag the session as "non-secure" (sending M_OK
 non-secure), looking like this on the remote side:   Authentication
 successful: non-secure and any received files would go into the configured
 non-secure inbound. This may explain why some sysops sometimes get
 unexplained files in their non-secure inbound (looking for "non-secure" in
 the logs should confirm). Now, you should still see (on the answering side)
 the log message: "CRAM-MD5 required (and not provided) ...", but it'll also
 send an M_ERR Password mismatch error to the remote, thus ending the session.

---
 exec/binkit.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/exec/binkit.js b/exec/binkit.js
index 0922e794dc..90211ff986 100644
--- a/exec/binkit.js
+++ b/exec/binkit.js
@@ -1014,8 +1014,10 @@ function inbound_auth_cb(pwd, bp)
 			}
 			else {
 				// TODO: Deal with arrays of passwords?
-				if (!bp.cb_data.binkitcfg.node[addr].nomd5)	// BinkpAllowPlainAuth=false
+				if (!bp.cb_data.binkitcfg.node[addr].nomd5) {	// BinkpAllowPlainAuth=false
 					log(LOG_WARNING, "CRAM-MD5 required (and not provided) by " + addr);
+					invalid = true;
+				}
 				else if (bp.cb_data.binkitcfg.node[addr].pass === pwd[0]) {
 					log(LOG_INFO, "Plain-text password match for " + addr);
 					addrs.push(addr);
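Review bot: The plain-text branch right after the new block compares the configured secret with `bp.cb_data.binkitcfg.node[addr].pass === pwd[0]`, a short-circuiting string compare, so a remote that can present an address mapped to a plain-text node gets a (small) timing oracle on the password; a length-independent compare that folds over every byte of the longer string would remove that. The new `invalid = true` is set while the loop keeps iterating over the remaining addresses, and whether a later plain-text match on a different address overrides the rejection depends on how `invalid` is consumed after the loop, which lies outside this hunk; a comment at the assignment such as `// sticky: any MD5-only node seen with a plain-text password fails the whole session` would pin the intended precedence. Per the TODO above the check, an array-valued `pass` currently never matches and falls through silently, which is worth a log line of its own rather than a generic mismatch. inbound_auth_cb begins before this hunk.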
-- 
GitLab