#544018 ssmtp.conf ignores the AuthPass parameter if the password contains a '#' character.

Package:
ssmtp
Source:
ssmtp
Description:
extremely simple MTA to get mail off the system to a mail hub
Submitter:
Simon Valiquette
Date:
2026-03-05 17:41:07 UTC
Severity:
normal
Tags:
#544018#5
Date:
2009-08-28 07:58:44 UTC
From:
To:
If the '#' character appears anywhere in your password, and you
put it in the /etc/ssmtp/ssmtp.conf file using the AuthPass option,
an empty password will be sent instead and the authentication will
fail with a message such as:

535 5.7.0 Error: authentication failed: authentication failure
sendmail: Authorization failed (535 5.7.0 Error: authentication failed: authentication failure)


But if you pass the exact same password directly using
"sendmail -v -ap my#password", then it will work as expected.

At first, I thought that maybe I had to escape it like this: \#,
but after some more investigations I realized that whenever a password
contains a '#', only 2 bytes are returned to the mailhub.

Those 2 bytes are likely a carriage return, but I was too lazy to check.


My guess is that if a '#' character appears anywhere on a line, then the
full line is considered as a comment. To test this idea, I used a username
such as AuthUser=some#User and as expected, the username is never sent to
the mailhub.


This affects both Lenny and Etch, and the latest version in Squeeze (2.63-1)
is probably affected as well.


Here is basically the config file I used:


# /etc/ssmtp/ssmtp.conf
root=postmaster

mailhub=your.smtp.server.tld

hostname=whatever.tld
UseTLS=YES
UseSTARTTLS=YES

FromLineOverride=YES

AuthUser=someUser
AuthPass=my#password


Thank you,

Simon Valiquette

#544018#10
Date:
2010-12-04 12:16:45 UTC
From:
To:
This bug was also reported via the bug tracking system of Gentoo Linux
by David Shen. In doing so, he also contributed a patch which has not
yet been reviewed. Perhaps Anibal would be so kind as to review it?

http://bugs.gentoo.org/show_bug.cgi?id=258018
http://bugs.gentoo.org/attachment.cgi?id=242899

#544018#15
Date:
2010-12-04 12:37:03 UTC
From:
To:
I should also add that another bug was filed downstream, reporting a
segfault in the event that the password contains a '#' character.
Curiously, it doesn't seem to happen to everyone; for instance, David
Shen did not allude to a segfault (merely an authentication failure).
Here's a backtrace, courtesy of Joel Koglin:

gdb backtrace:

Thread 1 (Thread 0xb73758f0 (LWP 14276)):
#0  0x0804bd62 in ssmtp (argv=0x804f1e0) at ssmtp.c:1536
        buf = '\000' <repeats 2048 times>
        p = <value optimized out>
        q = <value optimized out>
        pw = 0xb7729c20
        sock = 5
        uid = 0
        minus_v_save = <value optimized out>
        timeout = <value optimized out>
#1  0x0804c4ff in main (argc=2, argv=0xbfd5d924) at ssmtp.c:2070
        new_argv = 0x0

Original report here: http://bugs.gentoo.org/show_bug.cgi?id=313017

#544018#20
Date:
2012-07-22 18:02:28 UTC
From:
To:
Hello,

This problem still exists in version 2.64 of ssmtp. I hit this problem on my Gentoo box this week.
I also created a patch for this problem. I will attach it (probably later on in this reportbug program :) )

#544018#25
Date:
2012-07-22 18:19:09 UTC
From:
To:
Hello,

Well, the reportbug program didn't ask for any file that I wanted to send, so
I'm sending an e-mail directly with my e-mail program. The promised patch is
attached.

Regards,
Cybertinus

#544018#30
Date:
2012-07-22 19:09:34 UTC
From:
To:
Hello,

I've updated my Debian install to Wheezy, just to be sure that the problem still
exists everywhere. And it still did. Then I downloaded the source code of the
version that is in Wheezy (2.64-7) and applied my patch to it. And then the
problem was gone :).

Is it still possible to have this fixed for the Wheezy release? Or does the
freeze prevent that? Or is the freeze just in place to fix bugs like this?

Well, I'll just see if this is fixed in Wheezy and if it flows down to other
distros like Gentoo :).

Best regards,
Cybertinus

#544018#50
Date:
2019-01-09 08:00:08 UTC
From:
To:
Same problem here.
Is it possible to have this fixed?

#544018#55
Date:
2022-02-25 00:26:44 UTC
From:
To:
The manpage states "Lines starting with ‘#’ and empty lines are interpreted as comments."
So comments should not start in the middle of a word / line.

Attached is a minimal patch.

(the FreeBSD patch also works and cleans a lot, but IMHO the (char)NULL should be patched separately and their pointer arithmetic is weird and unneeded)
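
Added example (not part of the bug thread and not ssmtp's source code): a small C sketch contrasting the two comment rules discussed in this report, "a '#' anywhere starts a comment" versus the manpage's "lines starting with '#'", plus an audit helper that flags option lines whose value contains a '#'. The names `parse_option` and `value_at_risk` are hypothetical, and the sample lines are constructed from the config shown in the original report.

```c
#include <stdio.h>
#include <string.h>

/* Two comment rules for "Key=Value" config lines (illustrative, not ssmtp source). */
enum comment_rule {
    HASH_ANYWHERE,      /* a '#' anywhere on the line starts a comment */
    HASH_AT_LINE_START  /* manpage wording: only lines starting with '#' */
};

/* Copy the key and value of one line into key/val (n bytes each).
 * Returns 1 for an option, 0 for a comment, blank or malformed line. */
int parse_option(const char *line, enum comment_rule rule,
                 char *key, char *val, size_t n)
{
    char buf[256];
    char *eq;

    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';           /* drop the line ending */

    if (rule == HASH_ANYWHERE)
        buf[strcspn(buf, "#")] = '\0';          /* cut at the first '#' */
    else if (buf[0] == '#')
        return 0;                               /* whole-line comment */

    eq = strchr(buf, '=');
    if (eq == NULL) return 0;
    *eq = '\0';
    if (strlen(buf) >= n || strlen(eq + 1) >= n) return 0;
    strcpy(key, buf);
    strcpy(val, eq + 1);
    return 1;
}

/* Audit helper: 1 if the line is an option whose value contains '#',
 * i.e. a value that the HASH_ANYWHERE rule would silently shorten. */
int value_at_risk(const char *line)
{
    char key[128], val[128];
    return parse_option(line, HASH_AT_LINE_START, key, val, sizeof key)
           && strchr(val, '#') != NULL;
}

int main(void)
{
    /* Constructed sample lines, modelled on the config in the report. */
    const char *cfg[] = { "# /etc/ssmtp/ssmtp.conf\n",
                          "AuthUser=someUser\n", "AuthPass=my#password\n" };
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        if (value_at_risk(cfg[i]))              /* report the line, never the secret */
            printf("line %zu: value contains '#'\n", i + 1);
    return 0;
}
```

Under the first rule the value parsed from `AuthPass=my#password` is `my`, so the configured secret never reaches the server intact; under the manpage rule it is preserved.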