Re: [vchkpw] chkuser 2.0.8b
Aleks, these are some flags I'm using (I have SMTP auth ON for all users, so the disabling flag is OFF):

    #disable_smtp
    #disable_pop
    #disable_imap

In this case, SMTP auth would be ON if the line is commented (as in the previous lines), OFF if the line is active. Check both your default switches in /home/vpopmail/etc/vlimits.default and in your domain .qmailadmin-limits (or in your MySQL limits).

Tonino

At 23.05 21/09/2005, you wrote:

> I'm not really sure what flags you are aiming for tonix. But I guess they could be enabled/disabled?
>
> Aleks
>
> On 9/21/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
>
> > Sorry for the dumb question. Are your users/domains smtp flags not disabled?
> >
> > Tonino
> >
> > At 14.38 21/09/2005, you wrote:
> >
> > > Thanks Bruno, but I'm not that keen on the TLS support anymore. Perhaps I'll toast next time :)
> > > For now I'm going to figure out why I can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .
> > >
> > >     4549 220 mx.domain.com ESMTP
> > >     4549 EHLO [192.168.0.100]
> > >     4549 250-mx.domain.com
> > >     4549 250-PIPELINING
> > >     4549 250-8BITMIME
> > >     4549 250-SIZE 0
> > >     4549 250 AUTH LOGIN PLAIN CRAM-MD5
> > >     4549 AUTH CRAM-MD5
> > >     4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
> > >     4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
> > >     4549 535 authentication failed (#5.7.1)
> > >     4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
> > >     4549 535 authentication failed (#5.7.1)
> > >     4549 AUTH LOGIN
> > >     4549 334 VXNlcmbWU6
> > >     4549 YWxla3NhlckBvbHNlbi5jbg==
> > >     4549 334 UGFzc3dvcmQ6
> > >     4549 eWY4NpdG8=
> > >     4549 535 authentication failed (#5.7.1)
> > >
> > > Thanks!
> > >
> > > On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:
> > >
> > > > Aleks, I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail.
> > > >
> > > > It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try a qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).
> > > >
> > > > Regards,
> > > > bnegrao
> > > >
> > > > - Original Message -
> > > > From: Aleks Olsen
> > > > To: vchkpw@inter7.com
> > > > Sent: Wednesday, September 21, 2005 7:14 AM
> > > > Subject: Re: [vchkpw] chkuser 2.0.8b
> > > >
> > > > > Hi
> > > > >
> > > > > I didn't. I missed the trailing */ on that line it seems. Thanks!
> > > > >
> > > > > - Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in need of that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is that smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).
> > > > >
> > > > >     220 mx.domain.com ESMTP
> > > > >     ehlo
> > > > >     250-mx.domain.com
> > > > >     250-PIPELINING
> > > > >     250-8BITMIME
> > > > >     250-SIZE 0
> > > > >     250 AUTH LOGIN PLAIN
> > > > >
> > > > > chkuser.c:
> > > > >
> > > > >     #include "/home/vpopmail/include/vpopmail.h"
> > > > >     #include "/home/vpopmail/include/vauth.h"
> > > > >     #include "/home/vpopmail/include/vpopmail_config.h"
> > > > >     /* #define CHKUSER_ENABLE_VAUTH_OPEN */
> > > > >
> > > > > tcpserver run line:
> > > > >
> > > > >     /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
> > > > >         -u $QMAILDUID -g $NOFILESGID 0 smtp \
> > > > >         /var/qmail/bin/qmail-smtpd mx.domain.com \
> > > > >         /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
> > > > >
> > > > > I undefined and defined /* #define CRAM_MD5 */ in qmail-smtpd.c, compiled fine - but no-go. Won't auth. Anyone notice anything I might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right?
> > > > >
> > > > > Thanks!
> > > > > /Aleksander
> > > > >
> > > > > On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
> > > > >
> > > > > > At 11.51 20/09/2005, you wrote:
> > > > > >
> > > > > > > Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.
> > > > > >
> > > > > > Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?
> > > > > >
> > > > > > Tonino
> > > > > >
> > > > > > > Thanks,
> > > > > > > /Aleksander
> > > > > > >
> > > > > > > -
> > > > > > >
> > > > > > >     static void first_time_init (void) {
> > > > > > >         char * temp_string;
> > > > > > >     #if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
> > > > > > >         starting_string = env_get (CHKUSER_STARTING_VARIABLE);
> > > > > > >         if (starting_string) {
> > > > > > >             if (strcasecmp(starting_string, "ALWAYS") == 0) {
> > > > > > >                 starting_value = 1;
> > > > > > >             } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
> > > > > > >                 starting_value = 0;
> > > > > > >             }
> > > > > > >         } else {
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-21, at 0614, Aleks Olsen wrote:

> - Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch).

both of which are ANCIENT. my combined patch is up to version 6b now. and it doesn't use chkuser... i doctored up a different way to handle the same problem, using a validrcptto.cdb file containing every valid email address on the system. whenever you add or remove a user, you rebuild the cdb file.

http://qmail.jms1.net/patches/ has information on both patches.

> I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in need of that tls anyways for smtp transactions.

if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:

> Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uid switching (if you enabled uid switching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.

qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.

the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] chkuser 2.0.8b
Just for the fun of it: if I was to (in this lifetime) get tls/auth to work with chkuser, what/whose tls and auth code should I use? Since jms obviously doesn't need to make his patches compatible, since he's got the needed stuff for himself in validrcptto, I was hoping someone knew what works or not.

I stand corrected about the whole auth and no tls security breach jms pointed out. If you want auth you should use tls I guess.

Thanks,
/Aleks

On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:

> On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
>
> > Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uid switching (if you enabled uid switching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.
>
> qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.
>
> the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.
>
> -- 
> | John M. Simpson - KG4ZOW - Programmer At Large |
> | http://www.jms1.net/ [EMAIL PROTECTED] |
> | Mac OS X proves that it's easier to make UNIX |
> | pretty than it is to make Windows secure. |
[vchkpw] a problem during ldapadd
Hello,

I installed openldap 2.3 on qmail. Also I use vpopmail. When I run the command "ldapadd -f vpopmail.ldif -x -wpassword -D'cn=vpopmail,o=vpopmail'" I get an error as below:

    adding new entry "dc=example,dc=com "
    ldapadd: update failed: dc=example,dc=com
    ldap_add: Server is unwilling to perform (53)
            additional info: referral missing

The file vpopmail.ldif contains:

    dn: dc=example,dc=com
    objectclass: dcObject
    objectclass: organization
    o: Example Company
    dc: example

    dn: cn=vpopmail,dc=example,dc=com
    objectclass: organizationalRole
    cn: Manager

slapd is running. slapd.conf contains:

    # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include /usr/local/etc/openldap/schema/core.schema
    include /usr/local/etc/openldap/schema/qmailUser.schema

    # we need to turn schema checking off as a workaround to a problem
    # with the qmailUser schema. The issue is that qmailUser objectclass
    # is defined as top $ person $ organizationalPerson, but according
    # to core.schema, a person MUST have a cn and sn. But these fields
    # dont exist in the vpopmail implementation. We can either modify
    # core.schema to make cn and sn MAY rather than MUST, or we can
    # disable schemacheck
    schemacheck off

    pidfile /var/run/slapd.pid
    argsfile /var/run/slapd.args

    database bdb
    suffix "o=vpopmail"
    rootdn "cn=vpopmail, o=vpopmail"
    rootpw SeptemberUNX
    directory /usr/local/var/openldap-data
    index objectClass pres,eq
    index cn,sn,uid eq
    index qmailUID,qmailGID eq
    access to * by self write by dn="cn=vpopmail,o=vpopmail" write by * write
    ### finish

What shall I do?
Re: [vchkpw] chkuser 2.0.8b
Aleks, sorry to repeat what has already been said, but to make it short: use Shupp's Toaster. There, chkuser + TLS + auth have worked fine together for years. You'll build it in minutes, and will never regret making this step.

Ciao,

Tonino

At 13.18 22/09/2005, you wrote:

> Just for the fun of it: if I was to (in this lifetime) get tls/auth to work with chkuser, what/whose tls and auth code should I use? Since jms obviously doesn't need to make his patches compatible, since he's got the needed stuff for himself in validrcptto, I was hoping someone knew what works or not.
>
> I stand corrected about the whole auth and no tls security breach jms pointed out. If you want auth you should use tls I guess.
>
> Thanks,
> /Aleks
>
> On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:
>
> > On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
> >
> > > Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uid switching (if you enabled uid switching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.
> >
> > qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.
> >
> > the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.
> >
> > -- 
> > | John M. Simpson - KG4ZOW - Programmer At Large |
> > | http://www.jms1.net/ [EMAIL PROTECTED] |
> > | Mac OS X proves that it's easier to make UNIX |
> > | pretty than it is to make Windows secure. |
Re: [vchkpw] chkuser 2.0.8b
I have just rebuilt it last week and it works fine.

Remo

- Original Message -
From: tonix (Antonio Nati) [EMAIL PROTECTED]
To: vchkpw@inter7.com
Sent: Thursday, September 22, 2005 08:07
Subject: Re: [vchkpw] chkuser 2.0.8b

> Aleks, sorry to repeat what has already been said, but to make it short: use Shupp's Toaster. There, chkuser + TLS + auth have worked fine together for years. You'll build it in minutes, and will never regret making this step.
>
> Ciao,
>
> Tonino
>
> At 13.18 22/09/2005, you wrote:
>
> > Just for the fun of it: if I was to (in this lifetime) get tls/auth to work with chkuser, what/whose tls and auth code should I use? Since jms obviously doesn't need to make his patches compatible, since he's got the needed stuff for himself in validrcptto, I was hoping someone knew what works or not.
> >
> > I stand corrected about the whole auth and no tls security breach jms pointed out. If you want auth you should use tls I guess.
> >
> > Thanks,
> > /Aleks
> >
> > On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:
> >
> > > On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
> > >
> > > > Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uid switching (if you enabled uid switching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.
> > >
> > > qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.
> > >
> > > the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.
> > >
> > > -- 
> > > | John M. Simpson - KG4ZOW - Programmer At Large |
> > > | http://www.jms1.net/ [EMAIL PROTECTED] |
> > > | Mac OS X proves that it's easier to make UNIX |
> > > | pretty than it is to make Windows secure. |
[vchkpw] intermittent smtp auth errors
I've got an odd error that is coming up and I can't quite put my finger on it. I have 3 mail servers running qmail/vpopmail (5.4.10) and MySQL 3.23.58. I also have mysql replication running and vpopmail is configured in accordance with that (reads on localhost, writes on the db server).

We've been receiving complaints from customers about intermittent smtp errors and when I tail the maillog I'm seeing errors like this:

    Sep 22 08:58:37 qmail1 vpopmail[64930]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4
    Sep 22 08:58:39 qmail1 vpopmail[64995]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4
    Sep 22 08:58:40 qmail1 vpopmail[65022]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4

In the interest of our users' privacy I have replaced the various email and ip addresses with [EMAIL PROTECTED] and 1.2.3.4.

What's strange is that it's not happening with any other authentication method (pop3, imap, etc), only smtp. It fails out saying user not found and yet a 'vuserinfo' on that user reveals they actually do exist. I have qmail patched with the smtp auth patch from: http://members.elysium.pl/brush/qmail-smtpd-auth/

I'm happy to provide any other information that might be helpful in figuring this out. Any suggestions are, of course, welcomed.

Thanks,
Clayton
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 1:42 AM, John Simpson wrote:

> if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.

If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!

Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.

A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.

-- 
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
sounds good to me!

Remo

- Original Message -
From: Tom Collins [EMAIL PROTECTED]
To: vchkpw@inter7.com
Sent: Thursday, September 22, 2005 10:34
Subject: Re: [vchkpw] chkuser 2.0.8b

> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>
> > if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>
> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
>
> Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.
>
> A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.
>
> -- 
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/
> Vpopmail: http://vpopmail.sf.net/
> You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
Tom Collins wrote:

> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>
> > if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>
> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
>
> Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.
>
> A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.

If screen shots were provided, any of the PDF generators for PHP could provide a custom PDF file with ISP branding for downloading on demand. Interesting idea.. We are in the middle of moving our entire operation, NOC and office. But afterwards maybe, would anyone be interested in this if I did it?

DAve

> -- 
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/
> Vpopmail: http://vpopmail.sf.net/
> You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
I would Dave..

Remo

- Original Message -
From: DAve [EMAIL PROTECTED]
To: vchkpw@inter7.com
Sent: Thursday, September 22, 2005 10:50
Subject: Re: [vchkpw] chkuser 2.0.8b

> Tom Collins wrote:
>
> > On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
> >
> > > if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.
> >
> > If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
> >
> > TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
> >
> > Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.
> >
> > A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.
>
> If screen shots were provided, any of the PDF generators for PHP could provide a custom PDF file with ISP branding for downloading on demand. Interesting idea.. We are in the middle of moving our entire operation, NOC and office. But afterwards maybe, would anyone be interested in this if I did it?
>
> DAve
>
> > -- 
> > Tom Collins - [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/
> > Vpopmail: http://vpopmail.sf.net/
> > You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] intermittent smtp auth errors
Clayton Weise wrote:

> I've got an odd error that is coming up and I can't quite put my finger on it. I have 3 mail servers running qmail/vpopmail (5.4.10) and MySQL 3.23.58. I also have mysql replication running and vpopmail is configured in accordance with that (reads on localhost, writes on the db server).
>
> We've been receiving complaints from customers about intermittent smtp errors and when I tail the maillog I'm seeing errors like this:
>
>     Sep 22 08:58:37 qmail1 vpopmail[64930]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4
>     Sep 22 08:58:39 qmail1 vpopmail[64995]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4
>     Sep 22 08:58:40 qmail1 vpopmail[65022]: vchkpw-smtp: vpopmail user not found [EMAIL PROTECTED]:1.2.3.4
>
> In the interest of our users' privacy I have replaced the various email and ip addresses with [EMAIL PROTECTED] and 1.2.3.4.
>
> What's strange is that it's not happening with any other authentication method (pop3, imap, etc), only smtp. It fails out saying user not found and yet a 'vuserinfo' on that user reveals they actually do exist. I have qmail patched with the smtp auth patch from: http://members.elysium.pl/brush/qmail-smtpd-auth/
>
> I'm happy to provide any other information that might be helpful in figuring this out. Any suggestions are, of course, welcomed.

You might be running out of mysql connections. Check your my.cnf file for the max_connections variable. The default value is 100 connections. You'll need max_connections to cover your max smtp, imap, pop3 local concurrency and any other services that connect to the mysql database.

Hope that helps,
Ken Jones
Re: [vchkpw] chkuser 2.0.8b
At 17.34 22/09/2005, you wrote:

> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>
> > if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>
> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
>
> Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.
>
> A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.

A better idea...

Most of us probably use qmail because there is vpopmail. What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail?

First step would be to maintain the same schema and code of qmail, rewriting all the code step by step, module after module. So, free from the Bernstein license, we could finally update and upgrade the MTA in a serious way.

Tonino

> -- 
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/
> Vpopmail: http://vpopmail.sf.net/
> You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
RE: [vchkpw] intermittent smtp auth errors
I knew I forgot to mention something. I've got max connections set to 500 and if I log into mysql and run a 'SHOW PROCESSLIST' I get anywhere from 40-60 records returned back. Is there another good way to measure the number of connections coming into mysql?

-Original Message-
From: Ken Jones [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 22, 2005 10:09 AM
To: vchkpw@inter7.com
Subject: Re: [vchkpw] intermittent smtp auth errors

--- TRUNCATED ---

> You might be running out of mysql connections. Check your my.cnf file for the max_connections variable. The default value is 100 connections. You'll need max_connections to cover your max smtp, imap, pop3 local concurrency and any other services that connect to the mysql database.
>
> Hope that helps,
> Ken Jones
Re: [vchkpw] chkuser 2.0.8b
Hi,

At 18:12 22.09.2005 +0100, tonix (Antonio Nati) wrote:

> At 17.34 22/09/2005, you wrote:
>
> > On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
> >
> > > if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text - and all it takes is one spammer with a packet sniffer to use your machine as a relay.
> >
> > If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

> > TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
> >
> > Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.

You should start teaching yourself. http://www.fehcom.de/qmail/smtpauth.html is your friend.

> > A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how-to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'use port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.
>
> A better idea...
>
> Most of us probably use qmail because there is vpopmail. What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail?

Have you considered how many changes vpopmail has undergone in the last years? Did you ever do a code digest? Do you have the slightest idea how vchkpw works?

> First step would be to maintain the same schema and code of qmail, rewriting all the code step by step, module after module. So, free from the Bernstein license, we could finally update and upgrade the MTA in a serious way.

If anything needs a rewrite, it's vpopmail - qmail is perfect in the way it is defined. Of course, since 1998 the requirements have changed. In particular, most of the SMTP add-ons (as defined in the latest RFCs) are (according to my personal opinion) - useless.

We do have AC in our cars, DVD + surround sound, airbags, automatic adjusting seats - but we still use four wheels and a benzine motor, driving on badly-paved roads. Qmail is a good car, but the road gets increasingly worse - adding DVD players to your car doesn't really help.

Greets from hurricane-free Germany.

--eh.

> Tonino
>
> > -- 
> > Tom Collins - [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/
> > Vpopmail: http://vpopmail.sf.net/
> > You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:

> > If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them.

CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.

-- 
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
RE: [vchkpw] chkuser 2.0.8b
> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>
> > > If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
> >
> > I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.
>
> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them.
>
> CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.

I'm with Tom on this one, the CRAM-MD5 algorithm makes snooping to get the password unpossible excepting brute force. The only real problem it has is that MD5 collisions are increasingly easy to generate (down from 2^63 to the range of 2^48), however they're still far from a practical means of faking authentication.
RE: [vchkpw] chkuser 2.0.8b
> > A better idea...
> >
> > Most of us probably use qmail because there is vpopmail. What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail?
>
> Have you considered how many changes vpopmail has undergone in the last years?

And what exactly does this have to do with the subject being discussed? Since vpopmail changes so much qmail is the only mta to use? Hell, if the vpopmail folks would get their butts into the 21st century and use shared libraries all of the hell of upgrading vpopmail from one version to the next would also disappear. And I can get on my high horse about this since I submitted patches to facilitate this ages ago. They worked, weren't too ugly, and I offered to make any cleanups people wanted to see.

I disagree with the concept of writing a new MTA (we've got several really good ones out there already), but I agree with the end result of vpopmail being more usable by more people.

> Did you ever do a code digest?

Again, wtf is the relevance?

> Do you have the slightest idea how vchkpw works?

Since I do have a pretty solid understanding, I'm quite confident in saying that I think vpopmail really ought to be ported to work with postfix or exim in a much cleaner fashion. While I admire qmail a lot, especially when considering its late 90s tech, I definitely am cognizant of its shortcomings. The lack of a license, and the resultant patch nightmare it creates, is probably the single largest liability of qmail.
RE: [vchkpw] chkuser 2.0.8b
Hi,

At 15:41 22.09.2005 -0500, you wrote:
>> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>>>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>>> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.
>> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them. CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.
> I'm with Tom on this one, the CRAM-MD5 algorithm makes snooping to get the password unpossible excepting brute force. The only real problem it has is that MD5 collisions are increasingly easy to generate (down from 2^63 to the range of 2^48), however they're still far from a practical means of faking authentication.

C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

regards.
--eh.
RE: [vchkpw] chkuser 2.0.8b
> C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

I'm obviously missing something here, though I did reread the site for the umpteenth time in the last few years. Yes, using the pid and timestamp as part of the challenge is weak. Yes, the implementation ought to be fixed. No, it doesn't compromise security, because the challenge isn't the important part. You claimed that recording the SMTP conversation, or at least the portion relating to the AUTH process, was enough to encrypt the password. I'm assuming you meant decrypt (which would be the wrong word here, since you don't decrypt a hash; it isn't encryption in the normal sense but is much more accurately described as obfuscation). So we're at the original situation as stated by Tom Collins and myself, namely that you can't go from an MD5 hash of the password and challenge to the password itself. It's not done anywhere in the code, because it's mathematically not doable. That's the whole point of one-way hashing, as I'm sure you're aware. Can you please provide a description of exactly how you would take such a network dump and return the password? I'd even be willing to provide such a dump and publicly declare you right if you sent me the correct password, and only the correct password, in one try. If you're unable to do the above, I'd really appreciate it if you'd stop spreading FUD and acknowledge that while CRAM-MD5 has its weak points, vulnerability to network snooping is not one of them at this point in time.

Cheers,
Nick
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 2:10 PM, Erwin Hoffmann wrote:
> C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

And the code to generate the response is freely available in an RFC. I know -- I implemented SMTP AUTH client code to work with PLAIN, LOGIN and CRAM-MD5. Even so, it's a one-way function. Given the challenge and the response, you cannot derive the cleartext password. This is the reason vpopmail requires cleartext passwords if you want to use CRAM-MD5. There's no way for it to derive the cleartext password from CRAM-MD5 in order to run it through crypt() with the proper salt and compare it to the stored, encrypted version.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com