COMMAND

    WinRoute Pro

SYSTEMS AFFECTED

    WinRoute Pro v4.1 all current builds

PROBLEM

    Peter Miller found following.   Affected are all people using  the
    WinRoute Pro  v4.1 mail  server in  a Windows  NT or  Windows 2000
    environment.

    When using  the User  Accounts option  in WrAdmin  you can  import
    users from an NT domain. You can also add users manually.  In both
    cases the "Use Windows NT logon authentication" option is  enabled
    by default.  This  means that by default  users need to use  their
    Windows logon credentials  to access their  POP3 mailboxes on  the
    WinRoute mail server.

    The  problem  is  that  the  current  version of the WinRoute mail
    server does not support  any form of secure  logon authentication.
    This means that  user's Windows logon  credentials are being  sent
    to the mail server in plain text.  Anyone placing a packet sniffer
    on the  network could  totally compromise  domain and/or  firewall
    security  by  capturing  traffic  destined  to the mail server and
    extracting user logon  names and passwords.   The problem is  even
    worse if  the company  is allowing  roaming users  to access their
    POP3 mailboxes from the Internet.

SOLUTION

    Tiny Software  has reported  that WinRoute  Pro v5.0  will support
    secure password authentication using APOP and NTLM.  Unfortunately
    they do not intend including SSL support.  Expected release is  in
    June 2001.

    Work arounds:
    1. Disable the  "Use Windows NT  logon authentication" option  for
       all  users  and  enforce  the  use  of  different passwords for
       mailboxes and domain authentication.   Make sure that  WinRoute
       administrators do  not use  mailboxes with  the same  user name
       and password as the account they use for administering WinRoute
       or your firewall administration could be compromised.
    2. Use an SSH tunnel to encrypt all traffic between users and  the
       mail server.  Set up  firewall rules to prevent direct  traffic
       to port  110 on  the mail  server.   It should  be possible  to
       implement this solution using free software but setup time  and
       maintenance will  be high  for anything  but a  small group  of
       people.
    3. Replace the  WinRoute mail server  with a mail  server that has
       security features.