Re: [vchkpw] [SPAM] Password strength bug
On 21/09/2015 14:59, Drew Wells wrote:
On 09/17/2015 12:28 PM, Tonix - Antonio Nati wrote:
On 17/09/2015 13:18, Drew Wells wrote:
On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:
On 15/09/2015 15:03, Drew Wells wrote:
On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
On 15/09/2015 11:03, Drew Wells wrote:

In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.

I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.

Regards, Tonino

The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.

I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser for avoiding password check (it may be a further parameter having default = "check"). It would make developers more protected against unwanted security bugs.

Regards, Tonino

I agree that it would be better to explicitly indicate to vadduser() that no password is wanted. I even looked quickly at setting the password to NULL to indicate no password, but both this and an explicit parameter would need changes to all the backends, so have left it as is for now.

It could be done in two ways:
* considering most of c compilers are c++ compilers, and that means we can add an implicit parameter (, nocheck_pwd = 0)
* duplicate the function for this usage, and call the duplicated function from vadduser when needed.

Regards, Tonino

I have looked at the backends and it turns out that some of the backends can handle a NULL gecos, so expanding on this I have changed all the backends to be able to handle a NULL gecos (in which case they now all use the user as a gecos) and also handle a NULL password. So vadduser.c can pass a NULL password to vadduser(), vadduser() can then check the password_strength() when the password is not NULL.

I think that permitting a null password, if policy does not admit it, is a security hole. Prefer you add another explicit call to be called for no password checking (at all).

Regards, Tonino

This is going to be the patch I use here, does anyone want this patch ?

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] [SPAM] Password strength bug
On 17/09/2015 13:18, Drew Wells wrote:
On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:
On 15/09/2015 15:03, Drew Wells wrote:
On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
On 15/09/2015 11:03, Drew Wells wrote:

In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.

I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.

Regards, Tonino

The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.

I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser for avoiding password check (it may be a further parameter having default = "check"). It would make developers more protected against unwanted security bugs.

Regards, Tonino

I agree that it would be better to explicitly indicate to vadduser() that no password is wanted. I even looked quickly at setting the password to NULL to indicate no password, but both this and an explicit parameter would need changes to all the backends, so have left it as is for now.

It could be done in two ways:
* considering most of c compilers are c++ compilers, and that means we can add an implicit parameter (, nocheck_pwd = 0)
* duplicate the function for this usage, and call the duplicated function from vadduser when needed.

Regards, Tonino

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] [SPAM] Password strength bug
On 15/09/2015 11:03, Drew Wells wrote:

In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.

I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.

Regards, Tonino

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] [SPAM] Password strength bug
On 15/09/2015 15:03, Drew Wells wrote:
On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
On 15/09/2015 11:03, Drew Wells wrote:

In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.

I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.

Regards, Tonino

The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.

I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser for avoiding password check (it may be a further parameter having default = "check"). It would make developers more protected against unwanted security bugs.

Regards, Tonino

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
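The design question in the "Password strength bug" thread above (a NULL password that silently skips the policy check versus an explicit no-check entry point), as an added example that is not vpopmail code and not part of any message. Every name here (add_user_null_skips, add_user, add_user_nocheck, strength_ok, MIN_PW_LEN, struct account) is hypothetical, and the length-only policy is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

#define MIN_PW_LEN 8   /* constructed policy value, not a vpopmail setting */

enum add_result { ADD_OK = 0, ADD_WEAK_PASSWORD = -1, ADD_BAD_ARGS = -2 };

struct account {       /* stand-in for a backend record */
    char user[32];
    int  has_password;    /* 1 if a clear-text password was supplied */
    int  policy_checked;  /* 1 if the strength policy was applied */
};

/* Hypothetical policy check: a missing password never passes. */
static int strength_ok(const char *pw)
{
    return pw != NULL && strlen(pw) >= MIN_PW_LEN;
}

static enum add_result store(struct account *a, const char *user,
                             int has_pw, int checked)
{
    if (a == NULL || user == NULL || strlen(user) >= sizeof a->user)
        return ADD_BAD_ARGS;
    strcpy(a->user, user);
    a->has_password = has_pw;
    a->policy_checked = checked;
    return ADD_OK;
}

/* Variant A: NULL is a sentinel meaning "no password, skip the check".
 * A caller that loses its password pointer by mistake gets ADD_OK. */
enum add_result add_user_null_skips(struct account *out, const char *user,
                                    const char *pw)
{
    if (pw != NULL && !strength_ok(pw))
        return ADD_WEAK_PASSWORD;
    return store(out, user, pw != NULL, pw != NULL);
}

/* Variant B, checked entry point: the policy always runs, NULL is refused. */
enum add_result add_user(struct account *out, const char *user, const char *pw)
{
    if (!strength_ok(pw))
        return ADD_WEAK_PASSWORD;
    return store(out, user, 1, 1);
}

/* Variant B, explicit entry point for callers that hold no clear-text
 * password (the "-e" and "-n" cases): the bypass is visible at the call site. */
enum add_result add_user_nocheck(struct account *out, const char *user)
{
    return store(out, user, 0, 0);
}

int main(void)
{
    struct account a;
    const char *lost = NULL;  /* constructed caller bug: password pointer lost */

    printf("sentinel API, lost password: %d\n",
           add_user_null_skips(&a, "bob", lost));
    printf("checked API,  lost password: %d\n", add_user(&a, "bob", lost));
    printf("explicit no-check call:      %d\n", add_user_nocheck(&a, "bob"));
    return 0;
}
```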
Re: [vchkpw] Re: !!! CHECK SENDER !!![vchkpw] [SPAM] Re: [SPAM] Rrdirection problem
Stéphane, try in this way:
* delete the forward ss...@piemont.fr
* create one normal account ss...@piemont.fr
* insert within this account a forward to spa...@piemont.fr

In this way it should work.

Tonino

On 24/04/2014 19:45, Eric Shubert wrote:

That could very well be, Tom.

Stéphane, I believe the odd behavior is due to qmail's 'extension' feature, which comes into play with accounts that contain a '-', and the portion before the dash matches another account or forward. You could avoid this 'collision' (or 'conflict' or 'commonality') by choosing different address names, such as 'ssiad_secretariat@' or 'ssiad.secretariat@' or 'secretariat-ssiad@' (providing there is no account or forward called 'secretariat@' in this last case).

Email extensions are a handy feature for some users, but admins need to be careful when using a '-' in account names.

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] Re: [SPAM] Qmail TAP not working
On 01/03/2012 17:32, Eric Shubert wrote:

I don't know for sure, but I can hazard a guess. You see, tap works on both sender and recipient addresses. More like sender *or* recipient addresses. Since the email is sent from pqr, that tap is matched and no others are tried (apparently). Someone would need to have a look at the code, but I suspect that's what's happening. Perhaps the process should continue to tap recipient addresses after matching a sending address. Or maybe the tap process should tap all matching configuration lines. I don't know if it's supposed to do that already or not, and I've no idea if this is an easy patch or not.

As far as I know, tap stops after the first match is found.

Regards, Tonino

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] SMTP authentication not work
You should find in maillog the reason of failure.

Regards, Tonino

On 05/05/2011 10:05, OVH wrote:

Hi,

Since few days I try smtp-auth and chkuser on qmail 1.03. I managed to apply the patch manually, when tested sending smtp-auth it never authenticate using vpopmail.

In my config I have:

env - PATH=/var/qmail/bin:/usr/local/bin CHKUSER_START=DOMAIN \
tcpserver -v -H -R -x /etc/tcp.smtp.cdb -c100 -u508 -g503 0 smtp \
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw true 2>&1 \
| /usr/local/bin/tai64n \
| /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog s50 n60 /var/log/qmailsmtp/

and gives me the test with telnet:

220 x.net ESMTP
ehlo x.net
250- x.net
250-PIPELINING
250-STARTTLS
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
auth login
334 VXNlcm5hbWU6
UUU
334 UGFzc3dvcmQ6
PPP
535 authentication failed (#5.7.1)

You know why it does not work?

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] qmail aliases fail; chkuser 2.0.9 + vpopmail 5.4.25
aliases are .qmail-aliasname files. matt-foo is not an alias. It is an extension of name matt.

For enabling extensions you must enable (uncomment) CHKUSER_ENABLE_USERS_EXTENSIONS

For enabling ezmlm lists, you must enable (uncomment) CHKUSER_ENABLE_EZMLM_LISTS.

See http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html for more info.

Regards, Tonino

I have several domains hosted via vpopmail, and I use chkuser 2.0.9 to block dictionary-attack spam. chkuser appears to have broken my ability to use qmail's dash aliases for vpopmail domains. For example, if I had a vpopmail account called m...@example.com, prior to chkuser I was able to send mail to matt-...@example.com and it would be delivered to the m...@example.com Maildir. After installing chkuser 2.0.9, this feature stopped working.

chkuser 2.0.9 appears to support dash aliases by default. This is the relevant line from chkuser_settings.h:

#define CHKUSER_ENABLE_ALIAS

But this doesn't seem to work for vpopmail-hosted domains -- only for the domain that is hosted natively within qmail (listed in /var/qmail/control/locals).

The specific problem this causes me now is that ezmlm-idx mailing lists cannot be used for vpopmail domains, because ezmlm relies on dash aliases. For example, a moderation reply address looks like: listname-accept-h...@example.com whereas the delivery address is actually: listname-acc...@example.com Subscription confirmation requests are similarly broken.

Is chkuser known to support qmail aliases within vpopmail? Related to the above, is chkuser 2.0.9 known to be compatible with ezmlm-idx 7.1.1?

Thank you.

-- matt.

--
Inter@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
[vchkpw] Error in punycode (xn-- domains) handling by chkuser
Actually chkuser handles xn-- domains, but in the wrong way (it does not consider more levels of xn-- names, like xn-subdomain.xn--domain.com).

To eliminate any problem, with current version, installations should be modified in this way:

Either disable/comment in chkuser_settings.h

    #define CHKUSER_RCPT_FORMAT
    #define CHKUSER_SENDER_FORMAT

or delete/comment within chkuser.c two separate occurrences of

    if (strncmp (domain->s, "xn--", 4) == 0) {
        if (strstr (&domain->s[4], "--") != NULL)
            return 0;
    } else {
        if (strstr (domain->s, "--") != NULL)
            return 0;
    }

Recompile after change.

Regards, Tonino

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
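The gap described in the message above, as an added example that is not chkuser code and not part of the post: the quoted check only recognises "xn--" at the start of the whole domain, so an "xn--" label at any deeper level trips the "--" rule. The per-label function below applies the same "--" rule to each label separately; its names, the extra label-length and leading/trailing hyphen checks, and the sample domains are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The check quoted in the post, reduced to a plain C string. */
static int whole_domain_check(const char *domain)
{
    if (strncmp(domain, "xn--", 4) == 0) {
        if (strstr(domain + 4, "--") != NULL) return 0;
    } else {
        if (strstr(domain, "--") != NULL) return 0;
    }
    return 1;
}

/* True when the label carries the "xn--" prefix (case-insensitive). */
static int has_ace_prefix(const char *label, size_t len)
{
    return len >= 4 &&
           tolower((unsigned char)label[0]) == 'x' &&
           tolower((unsigned char)label[1]) == 'n' &&
           label[2] == '-' && label[3] == '-';
}

/* One label: "--" is tolerated only as part of a leading "xn--". */
static int label_ok(const char *label, size_t len)
{
    size_t i, start = 0;

    if (len == 0 || len > 63) return 0;               /* DNS label length */
    if (label[0] == '-' || label[len - 1] == '-') return 0;
    if (has_ace_prefix(label, len)) start = 4;        /* skip the prefix */
    for (i = start; i + 1 < len; i++)
        if (label[i] == '-' && label[i + 1] == '-') return 0;
    return 1;
}

/* Hypothetical per-label replacement: split on '.' and test each label. */
int per_label_check(const char *domain)
{
    const char *p = domain;

    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);

        if (!label_ok(p, len)) return 0;
        if (dot == NULL) return 1;
        p = dot + 1;
    }
}

int main(void)
{
    /* Constructed sample domains. */
    const char *samples[] = {
        "xn--bcher-kva.example",
        "mail.xn--bcher-kva.example",
        "xn--bcher-kva.xn--bcher-kva.example",
        "foo--bar.example",
        "xn--a--b.example",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s whole=%d per-label=%d\n", samples[i],
               whole_domain_check(samples[i]), per_label_check(samples[i]));
    return 0;
}
```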
Re: [vchkpw] submission port 587
On 12/09/2010 01:39, jeffk...@intersessions.com wrote:

This may be the wrong forum for this but I can't seem to find any info. Does anyone have information on how to setup a second SMTP process within qmail that listens on port 587 and accepts ONLY authenticated smtp connections? In this scenario port 25 would accept normal smtp (non-relay) and smtp-auth traffic but now could also be filtered to block dynamic IP ranges.

Thanks, Jeff Koch

If you use chkuser, look here: http://www.interazioni.it/opensource/chkuser/documentation/faq/general.html#D4

Regards, Tonino

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] no mailbox here by that name (chkuser) ?
On 09/09/2010 11:50, Julien Escario wrote:

Hello, I'm managing an email server that recently started to refuse inbound mail to a few domains. I checked almost everything and the declaration seems to be exactly the same for others domains.

For example : postmas...@restaurantlatuilerie.fr: 195.200.217.34 does not like recipient. Remote host said: 550 5.1.1 sorry, no mailbox here by that name (chkuser) Giving up on 195.200.217.34.

Every address for this domain is refused (even aliases).

# vadduser -v
version: 5.4.17

vpopmail + mysql. No mysql connection error. Declaration in /var/qmail/control/(rcpthosts|virtualdomains|users/assign) is the same as other domains that works. User is declared in the vpopmail mysql database. I destroyed the domain and recreate it on the shell and in qmailadmin without success. User can authenticate in the webmail (squirrelmail, IMAP, dovecot).

I googled a few hours on this subject without finding a clue. What else may I check ?

Thanks for your help, Julien Escario

Did you make ANY change in software recently? What does your virtualdomains say? Are there other domains working?

Tonino

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] no mailbox here by that name (chkuser) ?
On 09/09/2010 15:26, Julien Escario wrote:
On 09/09/2010 13:45, Tonix (Antonio Nati) wrote:
On 09/09/2010 11:50, Julien Escario wrote:

Did you make ANY change in software recently?

No. The server only rebooted but some times ago ...

What does your virtualdomains say?

restaurantlatuilerie.fr:restaurantlatuilerie.fr

Same for all domains. I just tried to pass over vpopmail with a .qmail-contact file : it works.

Are there other domains working?

Yeah several of them. Created with the same method. Does someone know exactly what are the tests made by chkuser which can answer with this error ? (perhaps some file's owner check ...)

Thanks, Julien Escario

You could setup a version of qmail-smtpd with chkuser debug on, and run it on a different port, then see detailed log. You can add custom logging instructions if needed. Check http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#Debugging for compilation instructions.

But, before that, if you add a brand new domain, and simulate a delivery, do you have the same problem?

Tonino

Then

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] no mailbox here by that name (chkuser) ?
On 09/09/2010 16:16, Julien Escario wrote:
On 09/09/2010 15:46, Tonix (Antonio Nati) wrote:
On 09/09/2010 15:26, Julien Escario wrote:
On 09/09/2010 13:45, Tonix (Antonio Nati) wrote:
On 09/09/2010 11:50, Julien Escario wrote:

You could setup a version of qmail-smtpd with chkuser debug on, and run it on a different port, then see detailed log. You can add custom logging instructions if needed. Check http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#Debugging for compilation instructions.

But, before that, if you add a brand new domain, and simulate a delivery, do you have the same problem?

Yeah ! I think we made it ;-) Actually, creating another new domain reproduces the same problem. And I finally found what is different from the other domains : the content of .qmail-default.

I changed from :

| /var/lib/vpopmail/bin/vdelivermail '' bounce-no-mailbox

To :

| /var/lib/vpopmail/bin/vdelivermail '' delete

And it works ! Yeah, I checked the message is in the maildir. I'll now have to check why bounce-no-mailbox is giving a chkuser error.

Many thanks for your help, Julien Escario

You have a problem with chkuser setup... Could be it is linked to an old vpopmail library, before important changes... or something else like that (like not opening vpopmail.mysql). With that change (delete instead of bounce), you are excluding chkuser except chkuser logging. Double check your configuration, because bounce is better than delete.

Regards, Tonino

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] chkuser to exit immediately
Hi Nick,

actually, chkuser can do just that, for a well thought (I hope) reason: when an intruder tries your addresses, it is important to deny information to him; if we drop connection, he will restart and next two attempts (thinking to your limit=2) will have a true answer... In this way, at the price of some resource wasting, until he tries we refuse to give him a valid information.

Hope this clarifies.

Tonino

Nick wrote:

Hi

i successfully applied chkuser to current vpopmail qmail, i put the 'maxwrongrcpt' limit to just 2 attempts. i noticed in the logs sometimes spamserver stubbornly keep trying to send, and chkuser keep denying it.

CHKUSER rejected intrusion: from closeness...@legendpartys.com:: remote OGFZIZVEA:unknown:58.145.28.218 rcpt dody.setya...@ : rcpt ignored, session over intrusion threshold

what i wanna know is, when this happen.. is it possible to just interrupt the smtp session, drop it and make qmail forget about it ? e.g just exit the whole session ? so it won't even bother to send bounce to the sender ?

Thanks.

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] vmysql: sql error[3]: MySQL server has gone away
Joe Littleton wrote:

I have searched for two days trying to figure out why I keep getting this error. I am using vpopmail 5.4.30 and mysql 5.0.77-4 on CentOS 5.4

I can reproduce the error by restarting the mysql server. The only way to make it work after restarting mysql is to also restart authdaemond.

I did find some info on the mailing list that says:

To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see MySQL server has gone away errors in the maillog.

The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorant bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away.

And a patch is offered but the version of vpop that I am running already has that patch installed. Anyone else have any ideas?

Disclaimer For Citizens National Bank
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this message in error, please contact the sender and delete the material from all computers.
This original email was sent to the internet for delivery at 13 May 2010 10:37:55 -0400

Usually people patch and recompile vpopmail, then forget to recompile authdaemond, which continues to use old libraries. Hope it is your problem :-) .

Tonino

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] Re: disable-many-domains - enable-many-domains
Eric Shubert wrote:
Thibault Richard wrote:

Hello, I'm using vpopmail since a few years with the compilation option --disable-many-domains (for historical reason because I followed Qmailrocks guide for my first installation). If I've understood well, one of the differences between those compilation options is the MySQL table structure (if the option --enable-auth-module=mysql is used). Could someone confirm that ? If I'm wrong, could someone tell me what are the option to use one table per domain or one table for every domain

I'm pretty sure this is correct.
--disable-many-domains = one table for each domain
--enable-many-domains = one table for all domains

One table for all domains seems to be a better database design. OTOH, can someone explain the reasons why one table for each domain (--disable-many-domains) might be a better choice?

If you have one or a few huge domains with hundreds of thousands of accounts (or you are gmail/hotmail/yahoo), you save space, as you don't have the domain field repeated for each record. If you have a normal installation, it has no sense.

Ciao, Tonino

Is there a MySQL script to convert the table structure between the two options ?

Not that I'm aware of, but I expect it would be fairly simple. I know of someone else who might be interested in this as well.

Thank you
Thibault

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] Re: chkuser parameters via tcp.smtp environment variables
Eric Shubert wrote:
Tonix (Antonio Nati) wrote:
Eric Shubert wrote:

Tonino, I've wondered for a while about this but haven't had a chance to test it, so I'm going to ask the expert. ;)

If /* #define CHKUSER_ALLOW_SENDER_CHAR_3 '' */ is commented out of the build, can it be added as an environment variable such as CHKUSER_ALLOW_SENDER_CHAR_3='/' (from the tcp.smtp file)?

If #define CHKUSER_ALLOW_SENDER_CHAR_3 '?' is defined in the build, can its value be changed by an environment variable such as CHKUSER_ALLOW_SENDER_CHAR_3='/' (from the tcp.smtp file)?

If CHKUSER_SENDER_FORMAT is left commented (the default) in the build, can it be activated by setting the environment variable CHKUSER_SENDER_FORMAT=1?

Thanks for your great work on chkuser, and your superb support.

Hello Eric, actually they cannot be defined as environment variable, but must be set in compiled executable. I'm wondering if these controls are still actual, as usage of email has extended a lot, and it is more easy to find strange addresses. I'm also starting to think to further chkuser improvements... but my biggest thought is towards qmail improvements... Anything to suggest?

Tonino

Hey Tonino, Thanks for your prompt reply, and your interest in improvements. As you probably know, I'm pretty active with the qmail-toaster community, and we've been using chkuser since before I came aboard in '06. We certainly appreciate your work with chkuser. Jake's the project owner presently and he's calling the shots regarding configuration, so I've cc'd him on this discussion.

The 'stock' (std) QMT configuration includes a patch file for chkuser that includes the following non-default values in chkuser_settings.h:

#define CHKUSER_ALLOW_SENDER_SRS
#define CHKUSER_ALLOW_RCPT_SRS
#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK
#define CHKUSER_ALLOW_SENDER_CHAR_1 '$'
#define CHKUSER_ALLOW_SENDER_CHAR_2 '%'
#define CHKUSER_ALLOW_SENDER_CHAR_4 '?'
#define CHKUSER_ALLOW_SENDER_CHAR_5 '*'
#define CHKUSER_ALLOW_RCPT_CHAR_1 '$'
#define CHKUSER_ALLOW_RCPT_CHAR_2 '%'
#define CHKUSER_ALLOW_RCPT_CHAR_4 '?'
#define CHKUSER_ALLOW_RCPT_CHAR_5 '*'

In addition, it appears that Jake has made the following changes manually (since v2.0.8):

#define CHKUSER_RCPT_FORMAT
#define CHKUSER_RCPT_MX
#define CHKUSER_SENDER_FORMAT
#define CHKUSER_SENDER_MX

There is primarily one situation that comes to mind where users have been required to customize the stock chkuser settings. This is due to users with blackberry devices, which has recently become more frequent. The sender address with blackberrys sometimes contains the '/' character, so to circumvent the problem, we have added the following customization:

#define CHKUSER_ALLOW_SENDER_CHAR_3 '/'
#define CHKUSER_ALLOW_RCPT_CHAR_3 '/'

This works well, with no ill effects noticed to date.

This brings into question the purpose of these checks in chkuser. My understanding is that these special characters used to be thought of as a security risk, but I believe that rationale has become outdated. IMO, the best practice for chkuser would be to allow whatever digits are defined in the standard for email. See http://en.wikipedia.org/wiki/E-mail_address#RFC_specification for details. If there needs to be any customization of the allowed characters, it would be best to have CHKUSER_DISALLOW_RCPT_CHAR_1...n values that DISallow certain digits. I can't think of a good reason for these though, especially since the recipient address is verified with vpopmail. I can see no purpose at all in restricting sender address digits beyond what's allowed in the spec. Bottom line is that I would simply like chkuser to check for the digits as specified in the RFC, and leave it at that.

I'm wondering, what is the reasoning behind changing the default to turn off the _FORMAT and _MX settings in v2.0.8? I'm thinking that this was a good choice, and that perhaps the stock QMT should follow suit making it the default. Doing so would eliminate this blackberry problem entirely (and permanently), as well as solving another less common problem regarding the SENDER_MX not found error.

If Jake concurs, then the only settings different between the stock QMT and the default chkuser would be:

#define CHKUSER_ALLOW_SENDER_SRS
#define CHKUSER_ALLOW_RCPT_SRS
#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK

Would it cause a problem to make these the default settings in chkuser? If not, could you make these the defaults in the next chkuser release? That would simplify things for Jake, as we would use the default chkuser settings across the board in the stock QMT.

Bottom line to me is that I'd like to see the stock QMT include the default chkuser configuration. I think that would be a good thing for everyone involved, as there would be no 'exceptions' to document or worry about, no patch file, etc.

Thanks for your time, effort, and attention to this. It's really a pretty
Re: [vchkpw] Re: chkuser parameters via tcp.smtp environment variables
Eric Shubert wrote:

I agree with this as well, for the most part. This is why I think that the option(s) would be better suited as CHKUSER_DISALLOW. IOW, start with things wide open, and let admins specify which characters they choose not to allow.

I did not consider it this way. It is reasonable.

The problem I see with the present implementation is that there is nothing (optional or otherwise) which checks for RFC compliance. There does need to be some sort of sanity check. In situations where the system is configured with a catchall account, there would be no other mechanism for ensuring that the recipient address contained only RFC-compliant characters. There should also be a check on the sender address, as it's easily modified by end users. I would like to see chkuser check for RFC compliance of both sender and recipient addresses. I can see no reason why anyone would not want this feature enabled. If it is optional, I think the default should be enabled, as it's consistent with RFC rules.

Is there a list of defined RFC permitted chars? In the past I looked for simple RFC rules to check, but probably I did not check very deeply. I remember all characters were permitted.

So to sum this up, I'd like to see chkuser enforce RFC rules by default. Optional parameters would be to loosen things with CHKUSER_ALLOW characters, and to tighten things up with CHKUSER_DISALLOW characters. The default behavior would be strict RFC compliance (the starting point). I believe this would give the best flexibility, along with configuration simplicity.

But, as said before, it is not easy to choose the right settings, so I'm open to discuss.

I hear you on that. It takes discussion to arrive at the best solution. While one size won't fit all, I think we can come up a reasonable default which allows for easy tailoring for the exceptions.

OK. Let me think on all again. What you say is a good starting point.

Anyway, speaking in a wider way, I'm going to plan new changes on chkuser, but I'm having the impression qmail limits now are limiting me more than chkuser limits, so I'm thinking if it would be the case to start a wider project, integrating and extending qmail. I've registered openqmail.org, and thinking to what can be done in order to extend qmail in a simpler way. I've done small changes to qmail, besides chkuser, and I'm willing to make more changes, and I feel what I need (I'm an ISP) probably is what others need, and vice versa. What do you think?

I'm happy to hear this. Rather than starting something on your own though, I'd really like to see you join with us on the qmail-toaster project. I believe that QMT has a promising future for qmail. There is a large (estimated 12k+ hosts) user base, many of which are ISPs. We have lists for users and development, both of which are fairly active and responsive. We can certainly use your expertise and abilities, and I'm sure your participation will be well received. See http://wiki.qmailtoaster.com/index.php/Main_Page for info about QMT.

This is a good point for starting another thread... I like the idea, but I'd love to stop with patching. Now qmail is in public domain, so I don't see reasons why we should not have a decent Makefile, a complete source distribution, decent common libraries, mysql integration, and a rewrite/improvement of some (a lot) parts of code. A lot could be improved, but the horrible DJB coding makes it hard.

Just for example: actually, you don't have a way to associate together all logs for a single message. So, I've changed a lot of coding for adding message and delivery numbers to logs, but internal qmail behaviour make it impossible to have it working as it should. Numbers associated to emails and deliveries are the i-node numbers of messages, so when you use again a file i-node just released, you use the same message and delivery numbers of previous messages! I'm going to improve and change internal logic for message and delivery numbers, but no more patches! :-)

Ciao! Tonino

P.S. I have a dream

./configure --enable-vpopmail --enable-chkuser --enable-mysql --enable-auth ...
make
make install

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] chkuser parameters via tcp.smtp environment variables
Eric Shubert wrote:
> Tonino,
>
> I've wondered for a while about this but haven't had a chance to test it, so I'm going to ask the expert. ;)
>
> If /* #define CHKUSER_ALLOW_SENDER_CHAR_3 '' */ is commented out of the build, can it be added as an environment variable such as CHKUSER_ALLOW_SENDER_CHAR_3='/' (from the tcp.smtp file)?
>
> If #define CHKUSER_ALLOW_SENDER_CHAR_3 '?' is defined in the build, can its value be changed by an environment variable such as CHKUSER_ALLOW_SENDER_CHAR_3='/' (from the tcp.smtp file)?
>
> If CHKUSER_SENDER_FORMAT is left commented (the default) in the build, can it be activated by setting the environment variable CHKUSER_SENDER_FORMAT=1?
>
> Thanks for your great work on chkuser, and your superb support.

Hello Eric,

actually they cannot be defined as environment variable, but must be set in compiled executable.

I'm wondering if these controls are still actual, as usage of email has extended a lot, and it is more easy to find strange addresses.

I'm also starting to think to further chkuser improvements... but my biggest thought is towards qmail improvements...

Anything to suggest?

Tonino

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] chkuser log mesage, remote helo:remotehostname:remotehostip
Eric Shubert wrote:
> I use qmail-toaster, and recently changed from using -H with tcpserver to using -h, which looks up the rDNS name and puts it in the TCPREMOTEHOST variable.
>
> With the former setup (-H), the remote portion of the CHKUSER log message contained the helo value, unknown for the remotehostname, and the remotehostip value.
>
> With the current setup (-h, or blank), the message now contains the rDNS name in place of unknown, as expected. The helo portion though, is now blank/null (missing).
>
> Is there some reason why the helo value isn't shown when there's a remotehostname value present? Looks like a bug to me.
>
> Many thanks, Tonix!

Hi Eric,

it is not chkuser, it's a qmail behaviour. If the helo is not different from (remote) hostname, qmail-smtpd sets it to NULL.

    void dohelo(arg) char *arg; {
      if (!stralloc_copys(&helohost,arg)) die_nomem();
      if (!stralloc_0(&helohost)) die_nomem();
      /* fakehelo stays 0 when HELO equals the remote host name (case-insensitive) */
      fakehelo = case_diffs(remotehost,helohost.s) ? helohost.s : 0;
    }

Regards,

Tonino

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
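What the reply above means for anyone reading these logs, as an added example that is not part of the thread or of chkuser: a parser for the CHKUSER line that classifies the HELO field against the rDNS field instead of treating an empty HELO as missing data. It assumes each group is wrapped in angle brackets in the real log (the archive strips them); the sample lines are constructed.

```python
import re
from typing import NamedTuple, Optional

# Constructed lines in the layout of the CHKUSER entries quoted in this thread.
SAMPLE = [
    # tcpserver -H: no rDNS lookup, remote host is logged as "unknown"
    "2009-07-24 12:28:19.035629500 CHKUSER rejected relaying: "
    "from <alice@example.org::> remote <mx1.example.org:unknown:192.0.2.10> "
    "rcpt <bob@mail.example.com> : client not allowed to relay",
    # tcpserver -h, HELO equal to the rDNS name: HELO field is empty
    "2009-07-24 18:09:48.389030500 CHKUSER accepted rcpt: "
    "from <alice@example.org::> remote <:mx1.example.org:192.0.2.10> "
    "rcpt <bob@example.com> : found existing recipient",
    # tcpserver -h, HELO different from the rDNS name: both are logged
    "2009-07-24 18:10:02.100000500 CHKUSER accepted rcpt: "
    "from <mallory@example.net::> remote <localhost:mx1.example.org:192.0.2.10> "
    "rcpt <bob@example.com> : found existing recipient",
    # IPv6 peer: the address itself contains colons
    "2009-07-24 18:11:30.200000500 CHKUSER accepted rcpt: "
    "from <alice@example.org::> remote <:mx2.example.org:2001:db8::25> "
    "rcpt <bob@example.com> : found existing recipient",
]

LINE = re.compile(
    r"CHKUSER (?P<action>[^:]+): "
    r"from <(?P<sender>[^>]*)> "
    r"remote <(?P<remote>[^>]*)> "
    r"rcpt <(?P<rcpt>[^>]*)> : (?P<reason>.*)$"
)

class ChkuserEvent(NamedTuple):
    action: str
    sender: str
    helo_logged: str               # exactly what the log shows, may be ""
    remote_host: str               # TCPREMOTEHOST, or "unknown"
    remote_ip: str
    rcpt: str
    reason: str
    helo_vs_rdns: str              # "no-rdns", "same-as-rdns" or "differs"
    effective_helo: Optional[str]  # best reconstruction of the HELO argument

def parse_chkuser(line: str) -> Optional[ChkuserEvent]:
    m = LINE.search(line)
    if m is None:
        return None
    # helo:remotehost:ip, split on the first two colons only so an IPv6
    # address survives. A HELO argument that itself contains ':' (an IPv6
    # address literal) cannot be separated reliably and is not handled here.
    remote = m.group("remote").split(":", 2)
    if len(remote) != 3:
        return None
    helo, host, ip = remote
    sender = m.group("sender").split(":", 1)[0]

    if host in ("", "unknown"):
        # No reverse name to compare with: whatever HELO was sent is logged.
        relation, effective = "no-rdns", (helo or None)
    elif helo == "":
        # qmail-smtpd left fakehelo at 0: nothing different from the rDNS
        # name was recorded. The log alone cannot tell this apart from a
        # session in which fakehelo was never set at all.
        relation, effective = "same-as-rdns", host
    else:
        relation, effective = "differs", helo
    return ChkuserEvent(m.group("action"), sender, helo, host, ip,
                        m.group("rcpt"), m.group("reason"), relation, effective)

if __name__ == "__main__":
    for entry in SAMPLE:
        ev = parse_chkuser(entry)
        print(ev.remote_ip, ev.helo_vs_rdns, ev.effective_helo)
```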
Re: [vchkpw] chkuser and mailbox quotas
DAve wrote:
> Good morning,
>
> We have, for a long time now, successfully used MailScanner on our gateway servers and then routing clean mail to our pop toasters. The pop toasters are running netqmail, vpopmail 5-4-17, and chkuser 2.0.8. I am having an issue where users are going overquota and not doing anything about it until mail begins to bounce.
>
> What limits cause chkuser to switch from "rcpt mailbox is overquota" to "not existing recipient"? I am unable to find the answer, though it might be staring me in the face.

chkuser will never switch from overquota to no such user.

What can happen is limit set in chkuser settings is not reached (for whatever reason), then the e-mail go to the next stage of delivery, but delivery aborts because quota limit is reached for the recipients.

But you never have no such user.

Cheers,

Tonino

> Right now if a users don't fix their quota issue in time I have to manually restart milter-ahead on my MailScanner servers to clear the cache of non-existent users. Trying to understand the problem before I decide what to do about it.
>
> Thanks,
>
> DAve

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] Patch to disable vusaged
Simone Lazzaris ha scritto: In data giovedì 03 settembre 2009 hai scritto: Simone Lazzaris wrote: Our setup is spreaded on many servers (think 20), with the mail stored on an NFS share (NetApp). The vusage daemon is written with this in mind, though it's more efficient to have it run on the device providing storage so that it isn't doing disk polling over a network connection. Ok, I can undestand that. The vusage daemon accepts connections from an allowed list of IPs for usage queries so that it can be used in a cluster efficiently. Right now the various tool all use the maildirsize file (Maildir++ I think it's called) to track the usage, updating this as they put/fetch the email. Correct. vusaged supports Maildir++, and at this time, ignores maildirsize because it's redundant, and inefficient means of calculating storage. Later, vusaged will be updated to re-write maildirsize. It's currently set to be in addition to existing quota monitoring systems, with a greater efficiency, as to deprecate other quota configuration systems, but it should not interfere or cause number variances. Is vusaged supposed to work in a similar setup ? I'd have to integrate it with maildrop, dovecot and a couple of perl scripts. That depends upon a great many things, such as, what is checking quotas, and when. In general, if the daemon is running, and it does not have to be, both Maildir++ quotas, and vpopmail's vusage style of quota checking should work fine at the same time. If vusaged is not running, Maildir++ quotas should continue to work. Ok, but how can be syncronized the two vision of the quota, if only vpopmail uses vusaged ? I think that there can be only two cases 1) all tools use vusaged or 2) all tools use traditional Maildir++ quota. In any other combination, the two vision of the real maildir quota will go quickly out of sync. 
Besides vpopmail, there are a lot of other important tools (like dovecot for example) which as far as I know are not using vpopmail, and rely on Maildirs. When the old domain quota code was going to be released, I told (against the mainstream) the code was bad for this reason, not being compatible with the rest of the world. Code was cut after some years of demostrated incompatibility. I hope the same error is not replicated again. I've looked the code and found that there were no option to disable the usage. Turn off their quota and the vusage daemon shouldn't be looked at. If that isn't what's happening, then that is the bug. No, I want to use the quota, but with the old method, looking at the maildirsize file. That's missing (if I've understood the code). In 5.4.28, if the vusage daemon is not running, traditional Maildir++ quota checking is done. Yes, and this works, but it generate an error message each time the daemon is searched for. For a normal deliver, that means at least 3 error messages on the log file. And 3 attempts to open the socket. I think it's more efficent, and cleaner, to check if one wants to disable the daemon, adding a line in the config file. My patch just do that. I did not imagine vusaged was so intrusive! Is should be completely disabled if not needed. Tonino -- in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it !DSPAM:4a9fe72932711236566907!
Re: [vchkpw] Re: chkuser random rejects
mail.domain.tld an alias of domain.tld Now authentication only works from time to time. The bounce says: u...@domain.tld mailto:u...@domain.tld: Sorry, no mailbox here by that name. (#5.1.1) Of course, that account exists. Where are domain aliases stored? Can I manually delete a domain alias? I'm using vpopmail 5.4.17 with users stored in a cdb file. Bogdan Tonix (Antonio Nati) wrote: Bogdan Motoc - CRC ha scritto: Tonix (Antonio Nati) wrote: Bogdan Motoc - CRC ha scritto: This most probably is not a vpopmail problem, but a chkuser one. The support page of chkuser (http://www.interazioni.it/opensource/chkuser/support/mailing_lists.html) points to this mailing list, so that's why I'm posting this here. chkuser is simply using basic qmail checks, giving a better log. It is giving back what qmail would give back. Check carefully qmail configuration and files availability. nothing changed between the two events (rejecting a legitimate message and allowing a similar one) all files are world-readable, except the .lock files The mail server in question runs: netqmail 1.05 vpopmail 5.4.17 chkuser 2.0.8b simscan 1.1 install chkuser 2.09, has more checks, new features and solves minor bugs (not related to your question). hard to do on a production server. I've set this one up more than two years ago, and I remember there was a rigid order in which patches were supposed to be applied to qmail, and some of them had to be manually added (thinking of simscan, smtp-auth, chkuser) It should be easy. Copy new chkuser files over old files, check chkuser_settings.h (some have changed) and recompile. In the meantime, I've googled a bit and found an alternative. I'll post a what's your experience with ... ? message later about it. 
Messages sent to existing and not overquota users on this server randomly (as far as I can tell) are rejected with this message: Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser) I've checked and double checked that the user exists and there was no typo when entering the destination email address. Sending again after a while to the same user ends up with the message into his mailbox without any issues. The server's /var/log/qmail/smtpd/current log file shows this about the rejected message: 2009-07-24 12:28:19.035629500 CHKUSER rejected relaying: from sender's_email_address:: remote remote_mail_server:unknown:remote_ip rcpt valid_u...@mail.domain.tld mailto:valid_u...@mail.domain.tld : client not allowed to relay The mailboxes on this machine are all respecting this pattern: u...@domain.tld mailto:u...@domain.tld You say general pattern is u...@domain.tld mailto:u...@domain.tld, while log says u...@mail.domain.tld mailto:u...@mail.domain.tld. Are you sure 100% domain names do not include blank, DEL, strange not visible chars? It could happen when spaces or strange invisible characters are inside mail addresses. Yes, the recipient mail address I've typed correctly (I double-checked it, having faced stupid users before who think that spaces in email adresses can't hurt that much, can they?) Basically, i replied to a user on that server and got the bounce back imidiately. Cursed at the binary gods for allowing functions to return different results when fed the same input, had to leave the office, and when i got back replied again to the same message, checked and it arrived in the users's mailbox. The log shows this: 2009-07-24 18:09:48.389030500 CHKUSER accepted rcpt: from my_email_address:: remote my_email_server:unknown:my_ip rcpt u...@domain.tld mailto:u...@domain.tld : found existing recipient Check if any limit is reached. Like max open files or max MySQL connections. 
It could happen in a peaik moment you reach some limits. chkuser version you have does not handle mysql refused connections, while 2.0.9 does. What i don't understand is why vpopmail is sometimes being asked to authenticate /u...@domain.tld/ and sometimes /u...@mail.domain.tld/ ? probably some users put the wrong username in Outlook... missing the domain part, so automatically you have the me file added to address... or? Ciao, Tonino Of course, possible solutions to my problem are: 1. getting rid of mail. part completely 2. making mail.domain.tld an alias of domain.tld, so both would work Thanks a lot for any ideeas you might have. Regards, Tonino The /var/qmail/control/me file lists this: mail.domain.tld, which is also the MX for domain.tld /var/qmail/control/rcpthosts lists both domain.tld and mail.domain.tld /var/qmail/control/virtualdomains shows domain.tld /var/qmail/control/locals shows only mail.domain.tld /var/qmail/control/defaultdomain only shows domain.tld What could be wrong, but most of all, why is the error occurring only rarely (but often enough to be annoying)? Thanks in advance for any answers you might be able to provide
Re: [vchkpw] Re: chkuser random rejects
Considering the situation, can you delete these domains and add them again using vpopmail commands? After these operation, do problems remain? Tonino Bogdan Motoc - CRC ha scritto: r...@machine:/home# cd /home r...@machine:/home# ls -l total 8 drwx--x--x 2 myuser users 4096 2008-01-24 18:52 myuser drwxr-xr-x 9 vpopmail vchkpw 4096 2007-02-13 15:40 vpopmail r...@machine:/home# cd vpopmail r...@machine:/home/vpopmail# ls -l total 24 drwxr-xr-x 2 vpopmail vchkpw 4096 2007-02-12 17:00 bin drwxr-xr-x 4 vpopmail vchkpw 4096 2007-02-12 17:00 doc drwx-- 3 vpopmail vchkpw 4096 2007-02-13 17:23 domains drwxr-xr-x 2 vpopmail vchkpw 4096 2009-09-02 18:40 etc drwxr-xr-x 2 vpopmail vchkpw 4096 2007-02-12 17:00 include drwxr-xr-x 2 vpopmail vchkpw 4096 2007-02-12 17:00 lib r...@machine:/home/vpopmail# cd domains r...@machine:/home/vpopmail/domains# ls -l total 4 drwx-- 11 vpopmail vchkpw 4096 2009-06-25 18:17 domain.com r...@machine:/home/vpopmail/domains# cd domain.com r...@machine:/home/vpopmail/domains/domain.com# ls -l total 44 drwx-- 3 vpopmail vchkpw 4096 2007-07-20 15:07 user1 drwx-- 3 vpopmail vchkpw 4096 2007-12-07 00:14 user2 drwx-- 3 vpopmail vchkpw 4096 2008-05-16 17:25 user3 drwx-- 3 vpopmail vchkpw 4096 2007-02-13 17:24 user4 drwx-- 3 vpopmail vchkpw 4096 2007-05-07 16:49 user5 drwx-- 3 vpopmail vchkpw 4096 2007-02-13 17:23 postmaster drwx-- 3 vpopmail vchkpw 4096 2007-02-13 17:24 user6 drwx-- 3 vpopmail vchkpw 4096 2007-09-26 15:28 test drwx-- 3 vpopmail vchkpw 4096 2007-10-21 11:45 user7 -rw-r--r-- 1 vpopmail vchkpw 1156 2009-03-11 13:45 vpasswd -rw--- 1 vpopmail vchkpw 3402 2009-03-11 13:45 vpasswd.cdb r...@machine:/home/vpopmail/domains/domain.com# cd user1 r...@machine:/home/vpopmail/domains/domain.com/user1# ls -l total 8 drwx-- 11 vpopmail vchkpw 4096 2008-11-01 09:17 Maildir -rw--- 1 vpopmail vchkpw4 2008-11-01 09:17 lastauth r...@machine:/home/vpopmail/domains/domain.com/user1# cd Maildir r...@machine:/home/vpopmail/domains/domain.com/user1/Maildir# ls -l 
total 52 drwx-- 2 vpopmail vchkpw 4096 2007-07-20 15:09 courierimaphieracl drwx-- 2 vpopmail vchkpw 4096 2008-11-01 09:14 courierimapkeywords -rw-r--r-- 1 vpopmail vchkpw 17 2008-11-01 09:17 courierimapsubscribed -rw-r--r-- 1 vpopmail vchkpw 120 2008-11-01 09:14 courierimapuiddb drwx-- 2 vpopmail vchkpw 4096 2008-10-02 08:08 cur -rw-r--r-- 1 vpopmail vchkpw 46 2008-11-01 09:17 maildirsize drwx-- 2 vpopmail vchkpw 4096 2008-07-18 10:44 new -rw--- 1 vpopmail vchkpw 72 2007-07-20 15:10 sqwebmail-config drwx-- 2 vpopmail vchkpw 4096 2007-07-20 15:16 sqwebmail-curcache -rw--- 1 vpopmail vchkpw1 2007-07-20 15:16 sqwebmail-curcache.nfshack -rw--- 1 vpopmail vchkpw0 2007-07-20 15:10 sqwebmail-mailinglists -rw--- 1 vpopmail vchkpw7 2007-07-20 15:09 sqwebmail-sentstamp -rw--- 1 vpopmail vchkpw0 2007-07-20 15:10 sqwebmail-sig -rw--- 1 vpopmail vchkpw1 2007-07-20 15:16 sqwebmail-timestamp drwx-- 2 vpopmail vchkpw 4096 2008-11-01 09:17 tmp Tonix (Antonio Nati) wrote: Which are ownership and privileges of domain directories and mailboxes? chkuser simply checks mysql or cdb, while qmail in delivery checks also for directories. Tonino Tren Blackburn ha scritto: Can you paste the output of the command: /var/qmail/bin/qmail-showctl Thanks :) *From:* Bogdan Motoc - CRC [mailto:bogdan.mo...@crcnet.ro] *Sent:* September-02-09 8:26 AM *To:* vchkpw@inter7.com *Subject:* Re: [vchkpw] Re: chkuser random rejects No. Users on the internal network are able to relay their messages because tcp.smtp has this line: local_subnet:allow,RELAYCLIENT= Just tested right now, even roaming users are able to relay messages via smtp-auth. (haven't tested if the pop-before-smtp function of vpopmail works, as i just configured an imap account in my mail client. 
if you think it's relevant to know, i'll do it) Funny thing is, when sending to the postmaster account on that server from my client configured to authenticate via smtp-auth via a valid user and pass from that server, the message doesn't arrive anywhere. Here's the log: @40004a9e8c3518c0efdc info msg 30983061: bytes 837 from t...@domain.com mailto:t...@domain.com qp 3674 uid 89 @40004a9e8c351937391c starting delivery 12: msg 30983061 to local postmas...@domain.com mailto:postmas...@domain.com @40004a9e8c35193744d4 status: local 1/10 remote 0/20 @40004a9e8c351959d864 delivery 12: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/ @40004a9e8c351959e41c status: local 0/10 remote 0/20 @40004a9e8c3519b47b84 bounce msg 30983061 qp 3677 @40004a9e8c3519b4873c end msg 30983061 @40004a9e8c3519b71394 new msg 30983148 @40004a9e8c3519b7177c info msg 30983148: bytes 1355 from qp 3677 uid 1007 @40004a9e8c351a367cc4 starting delivery 13: msg 30983148 to local t...@domain.com mailto:t...@domain.com
Re: [vchkpw] chkuser random rejects
Bogdan Motoc - CRC ha scritto: Tonix (Antonio Nati) wrote: Bogdan Motoc - CRC ha scritto: This most probably is not a vpopmail problem, but a chkuser one. The support page of chkuser (http://www.interazioni.it/opensource/chkuser/support/mailing_lists.html) points to this mailing list, so that's why I'm posting this here. chkuser is simply using basic qmail checks, giving a better log. It is giving back what qmail would give back. Check carefully qmail configuration and files availability. nothing changed between the two events (rejecting a legitimate message and allowing a similar one) all files are world-readable, except the .lock files The mail server in question runs: netqmail 1.05 vpopmail 5.4.17 chkuser 2.0.8b simscan 1.1 install chkuser 2.09, has more checks, new features and solves minor bugs (not related to your question). hard to do on a production server. I've set this one up more than two years ago, and I remember there was a rigid order in which patches were supposed to be applied to qmail, and some of them had to be manually added (thinking of simscan, smtp-auth, chkuser) It should be easy. Copy new chkuser files over old files, check chkuser_settings.h (some have changed) and recompile. In the meantime, I've googled a bit and found an alternative. I'll post a what's your experience with ... ? message later about it. Messages sent to existing and not overquota users on this server randomly (as far as I can tell) are rejected with this message: Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser) I've checked and double checked that the user exists and there was no typo when entering the destination email address. Sending again after a while to the same user ends up with the message into his mailbox without any issues. 
The server's /var/log/qmail/smtpd/current log file shows this about the rejected message: 2009-07-24 12:28:19.035629500 CHKUSER rejected relaying: from sender's_email_address:: remote remote_mail_server:unknown:remote_ip rcpt valid_u...@mail.domain.tld : client not allowed to relay The mailboxes on this machine are all respecting this pattern: u...@domain.tld You say general pattern is u...@domain.tld, while log says u...@mail.domain.tld. Are you sure 100% domain names do not include blank, DEL, strange not visible chars? It could happen when spaces or strange invisible characters are inside mail addresses. Yes, the recipient mail address I've typed correctly (I double-checked it, having faced stupid users before who think that spaces in email adresses can't hurt that much, can they?) Basically, i replied to a user on that server and got the bounce back imidiately. Cursed at the binary gods for allowing functions to return different results when fed the same input, had to leave the office, and when i got back replied again to the same message, checked and it arrived in the users's mailbox. The log shows this: 2009-07-24 18:09:48.389030500 CHKUSER accepted rcpt: from my_email_address:: remote my_email_server:unknown:my_ip rcpt u...@domain.tld : found existing recipient Check if any limit is reached. Like max open files or max MySQL connections. It could happen in a peaik moment you reach some limits. chkuser version you have does not handle mysql refused connections, while 2.0.9 does. What i don't understand is why vpopmail is sometimes being asked to authenticate /u...@domain.tld/ and sometimes /u...@mail.domain.tld/ ? probably some users put the wrong username in Outlook... missing the domain part, so automatically you have the me file added to address... or? Ciao, Tonino Of course, possible solutions to my problem are: 1. getting rid of mail. part completely 2. 
making mail.domain.tld an alias of domain.tld, so both would work Thanks a lot for any ideeas you might have. Regards, Tonino The /var/qmail/control/me file lists this: mail.domain.tld, which is also the MX for domain.tld /var/qmail/control/rcpthosts lists both domain.tld and mail.domain.tld /var/qmail/control/virtualdomains shows domain.tld /var/qmail/control/locals shows only mail.domain.tld /var/qmail/control/defaultdomain only shows domain.tld What could be wrong, but most of all, why is the error occurring only rarely (but often enough to be annoying)? Thanks in advance for any answers you might be able to provide. Bogdan Motoc -- in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it -- in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it !DSPAM:4a6d5a6e32718427955950!
Re: [vchkpw] chkuser random rejects
Bogdan Motoc - CRC ha scritto: This most probably is not a vpopmail problem, but a chkuser one. The support page of chkuser (http://www.interazioni.it/opensource/chkuser/support/mailing_lists.html) points to this mailing list, so that's why I'm posting this here. chkuser is simply using basic qmail checks, giving a better log. It is giving back what qmail would give back. Check carefully qmail configuration and files availability. The mail server in question runs: netqmail 1.05 vpopmail 5.4.17 chkuser 2.0.8b simscan 1.1 install chkuser 2.09, has more checks, new features and solves minor bugs (not related to your question). Messages sent to existing and not overquota users on this server randomly (as far as I can tell) are rejected with this message: Remote host said: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser) I've checked and double checked that the user exists and there was no typo when entering the destination email address. Sending again after a while to the same user ends up with the message into his mailbox without any issues. The server's /var/log/qmail/smtpd/current log file shows this about the rejected message: 2009-07-24 12:28:19.035629500 CHKUSER rejected relaying: from sender's_email_address:: remote remote_mail_server:unknown:remote_ip rcpt valid_u...@mail.domain.tld : client not allowed to relay The mailboxes on this machine are all respecting this pattern: u...@domain.tld You say general pattern is u...@domain.tld, while log says u...@mail.domain.tld. Are you sure 100% domain names do not include blank, DEL, strange not visible chars? It could happen when spaces or strange invisible characters are inside mail addresses. 
Regards, Tonino The /var/qmail/control/me file lists this: mail.domain.tld, which is also the MX for domain.tld /var/qmail/control/rcpthosts lists both domain.tld and mail.domain.tld /var/qmail/control/virtualdomains shows domain.tld /var/qmail/control/locals shows only mail.domain.tld /var/qmail/control/defaultdomain only shows domain.tld What could be wrong, but most of all, why is the error occurring only rarely (but often enough to be annoying)? Thanks in advance for any answers you might be able to provide. Bogdan Motoc -- in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it !DSPAM:4a69e26832719595926624!
Re: [vchkpw] smtp auth with chkuser problems
Brian Lanier wrote:
> ----- Original Message -----
> From: James Cox ja...@imaj.es
> To: vchkpw@inter7.com
> Sent: Thursday, June 11, 2009 7:44 AM
> Subject: Re: [vchkpw] smtp auth with chkuser problems
>
>> I just did a fresh install of toaster. i'm still getting these frustrating smtp auth problems - it's conflating the first portion of domain, so if for example i have the user f...@example.com, it tries to auth foo.com@:myip
>>
>> huh??
>>
>> -james
>
> This may be so obvious that I shouldn't mention it, but did you change your run script to reflect the new smtp_auth patch? If I remember correctly, the older version wanted things in a different order. I just don't remember if that applies to this particular problem as it's been a while and I don't have access to my vpopmail setup right now...
>
> Brian

Something like

    /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1

Tonino

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] smtp auth with chkuser problems
Roberto wrote:
> Hi James,
> what version of netqmail are you using? does anybody know if chkuser is compatible with 1.06?
>
> Roberto
>
> James Cox wrote:
>> I've had it running for a few hours, and have this:
>>
>>       1 CHKUSER rejected relaying
>>       5 CHKUSER accepted any rcpt
>>      28 CHKUSER relaying rcpt
>>     362 CHKUSER accepted rcpt
>>    1719 CHKUSER rejected rcpt
>>    1758 CHKUSER accepted sender
>>
>> and... in my defines... neither of those two are enabled. version 2.0.9 for me.
>>
>> -james

Problem should be the auth patch which breaks the output.

In the past other people with other auth patches complained. They passed to the one contained in Shupp's Toaster (the unique one I've checked) and all problems went away.

As alternative, should try to disable logs.

Ciao!

Tonino

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] smtp auth with chkuser problems
James Cox wrote:
> On 10 Jun 2009, at 18:02, Tonix (Antonio Nati) wrote:
>> Roberto wrote:
>>> Hi James,
>>> what version of netqmail are you using? does anybody knows if chkuser is compatible with 1.06?
>>
>> Problem should be the auth patch which breaks the output.
>>
>> In the past other people with other auth patches complained. They passed to the one contained in Shupp's Toaster (the unique one I've checked) and all problems went away.
>>
>> As alternative, should try to disable logs.
>
> So, versions- I've got
>
> - netqmail 1.06
> - smtp auth 1.03 from http://members.elysium.pl/brush/qmail-smtpd-auth/
> - chkuser 2.0.9
>
> i tried looking at the toaster, but it is patched against a different netqmail - 1.05? wasn't sure if i should look to back out that patch and rebuild qmail..
>
> --james

Patch in Shupp toaster is taken from Erwin Hoffmann's SMTP-AUTH (http://www.fehcom.de/qmail/smtpauth.html).

qmail 1.0.5 and 1.0.6 should be extremely similar and I wonder if it is worth using 1.0.6.

Trust and use Shupp's toaster!

Ciao,

Tonino

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] vpopmail now has vusage daemon support
Matt,

now that qmail is in public domain, I feel it would have more sense to widen these projects and write some new qmail options, which can be used by upper layers like vpopmail (and dovecot, and so on).

Quota code would be great, but I feel it would be better to move index of messages and quota on mysql (or other db) instead of continuing with old methods. A new library could be used for all layers (qmail, vpopmail, dovecot, etc.).

Such vusage daemon would be very good for chkuser also, and also for other qmail added features (like auth and so on). But library should be universal, and daemon should be high performance daemon (like courier auth daemon).

What do you think about?

Tonino

Matt Brookings wrote:
> I've added to the trunk revision, modifications in maildirquota.c which will attempt to talk with the vpopmail usage daemon. If it's running, and responsive, it will use vusaged for all its usage information, rather than the disk. If not, it will fall back on the current quota checking code.
>
> Please! If you have systems you can test this on, please do and let me know of any problems you come across.
>
> Thanks!
> -- 
> /* Matt Brookings m...@inter7.com GnuPG Key D9414F70
>    Software developer Systems technician
>    Inter7 Internet Technologies, Inc. (815)776-9465 */

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] vpopmail now has vusage daemon support
Matt Brookings wrote:
> Tonix (Antonio Nati) wrote:
>> Quota code would be great, but I feel it would be better to move index of messages and quota on mysql (or other db) instead of continuing with old methods. A new library could be used for all layers (qmail, vpopmail, dovecot, etc.).
>
> I can't imagine that indexing of every user's messages inside a networked database could be very efficient. Also, moving quota information to a database would also be quite inefficient.

Actually IMAP or POP daemons which extract from, subject, date and size must open every message to get those informations.

Also, an update of a db record could be faster than opening, reading and rewriting a maildirsize file (and this cannot be done by two sessions simultaneously).

A centralized daemon working on quota updates also could give an enormous advantage, keeping in cache most used domains and users and updating 'custom' mysql records (where domain quota could be used).

Tonino

> The daemon's only purpose at this time is to keep disk usage information up to date so that other processes do not need to worry about updating it, or hitting a database for every small query that might even be unrelated to delivery, an expensive operation itself.
>
> It solves several problems at once.
>
> 1) Provides fast, and accurate disk usage
> 2) Removes hundreds of lines of broken code from vpopmail involved in keeping disk usage estimates current
>
> It also adds direction to the quota support development which was sorely needed.
>
>> Such vusage daemon would be very good for chkuser also, and also for other qmail added features (like auth and so on). But library should be universal, and daemon should be high performaces daemon (like courier auth daemon).
>>
>> What do you think about?
>
> The daemon could easily be reworked to cache authentication information, but currently, that is not the purpose of the daemon. Right now, having working quota enforcement is a critical need.
>
> At this time, what I'd most like to see, is support in chkuser for the quota daemon. You already include quota enforcement. If you look at the trunk revision of vpopmail, in maildirquota.c, you will see how easy it is to add support for the usage daemon.
> -- 
> /* Matt Brookings m...@inter7.com GnuPG Key D9414F70
>    Software developer Systems technician
>    Inter7 Internet Technologies, Inc. (815)776-9465 */

-- 
in...@zioniInterazioni di Antonio Nati http://www.interazioni.it to...@interazioni.it
Re: [vchkpw] Can I ask about chkuser 2.0 patch here?
B. Cook wrote:

> I am trying to build a new qmail server to replace our older one here..
>
> We have the chkuser 2.0 (either 2.0.6 or 2.0.5) patch installed on our current qmail working fine.
>
> The .qmail-defaults are not being recognized the correct way. It never sees that all mail should be accepted, and instead returns the standard no mailbox here by that name (chkuser)
>
> We have one or two domains that we use for internal things which is setup to accept all email sent to it.
>
> This is the chkuser_settings.h without the STRING values..
>
>     grep ^#define work/qmail-1.03/chkuser_settings.h | egrep -v STRING
>     #define CHKUSER_ALWAYS_ON

#define CHKUSER_ALWAYS_ON disables .qmail-default checking.

See http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#Enabling_chkuser

Ciao,
Tonino

>     #define CHKUSER_VPOPMAIL
>     #define CHKUSER_ENABLE_UIDGID
>     #define CHKUSER_DOMAIN_WANTED
>     #define CHKUSER_ENABLE_USERS
>     #define CHKUSER_ENABLE_ALIAS
>     #define CHKUSER_EZMLM_DASH '-'
>     #define CHKUSER_ENABLE_LOGGING
>     #define CHKUSER_LOG_VALID_RCPT
>     #define CHKUSER_MIN_DOMAIN_LEN 4
>     #define CHKUSER_LOG_VALID_SENDER
>     #define CHKUSER_RCPT_LIMIT_VARIABLE CHKUSER_RCPTLIMIT
>     #define CHKUSER_WRONGRCPT_LIMIT_VARIABLE CHKUSER_WRONGRCPTLIMIT
>     #define CHKUSER_MBXQUOTA_VARIABLE CHKUSER_MBXQUOTA
>     #define CHKUSER_ERROR_DELAY 1
>     #define CHKUSER_RCPT_DELAY_ANYERROR
>     #define CHKUSER_SENDER_DELAY_ANYERROR
>     #define CHKUSER_ENABLE_ALIAS_DEFAULT
>     #define CHKUSER_ENABLE_USERS_EXTENSIONS
>     #define CHKUSER_ENABLE_EZMLM_LISTS
>     #define CHKUSER_USERS_DASH '-'
>     #define CHKUSER_DB_CLEANUP
>     #define CHKUSER_ERROR_DELAY_INCREASE 1
>     #define CHKUSER_ENABLE_DOUBLEBOUNCE_VARIABLE CHKUSER_DOUBLEBOUNCE
>
> and this is how I am starting qmail-smtpd..
>
>     case ${qmail_smtp_enable} in
>     [Yy][Ee][Ss])
>         # Start the qmail smtp daemon
>         env - PATH=/var/qmail/bin:/usr/local/bin \
>         /usr/local/bin/tcpserver -H -R -c255 -x /usr/local/vpopmail/etc/tcp.smtp.cdb \
>         -u89 -g89 0 8125 /var/qmail/bin/qmail-smtpd \
>         2>&1 | splogger qsmtpd
>         echo -n qmail-smtp
>         ;;
>     esac
>
> This is the example domain that I am working with..
>
>     name: postmaster
>     passwd: $1$mTA57gKn$6DB52U9PX/ksXYWGT3PkE/
>     clear passwd: UFG7XSYp
>     comment/gecos: Postmaster
>     uid:0
>     gid:0
>     flags: 0
>     gecos: Postmaster
>     limits: No user limits set.
>     dir: /usr/local/vpopmail/domains/test.domain/postmaster
>     quota: 104857600S
>     usage: 0%
>     last auth: Tue Nov 25 17:41:48 2008
>     last auth ip: imap
>
> and here is an example session:
>
>     r...@chlorine [/usr/local/vpopmail/domains/test.domain]# 121 ls -al
>     total 14
>     drwx------    4 vpopmail vchkpw  512 Jan  5 15:07 .
>     drwx------  133 vpopmail vchkpw 3584 Dec  1 13:15 ..
>     -rw-------    1 vpopmail vchkpw   60 Jan  5 15:07 .qmail-default
>     -rw-------    1 vpopmail vchkpw  283 Nov 27 23:40 .qmailadmin-limits
>     drwx------    3 vpopmail vchkpw  512 Nov 25 15:58 bcook
>     drwx------    3 vpopmail vchkpw  512 Nov  9 18:59 postmaster
>     r...@chlorine [/usr/local/vpopmail/domains/test.domain]# 122 telnet localhost 8125
>     Trying 127.0.0.1...
>     Connected to localhost.
>     Escape character is '^]'.
>     220 mail.test.domain ESMTP
>     helo blah
>     250 mail.test.domain
>     mail from:n...@aol.com
>     250 ok
>     rcpt to:n...@test.domain
>     550 5.1.1 sorry, no mailbox here by that name (chkuser)
>     quit
>     221 mail.test.domain
>     Connection closed by foreign host.
>     r...@chlorine [/usr/local/vpopmail/domains/test.domain]# 123 cat .qmail-default
>     | /usr/local/vpopmail/bin/vdelivermail '' bc...@test.domain
>
> Everything else is working just fine..
>
> Clues or suggestions would be greatly appreciated..
>
> For what it is worth.. This is a FreeBSD 7.0-p7 amd64 (no zfs) the only patch this has in it is the LOCALTIME_PATCH; I have tried it without the localtime patch and it does not make a difference.

--
in...@zioni
Interazioni di Antonio Nati
http://www.interazioni.it
to...@interazioni.it
Re: [vchkpw] CHKUSER_ERROR_DELAY
Kis Peter wrote:

> Hi!
>
> I noticed that chkuser_settings.h contains a setting called wait for each not existing recipient.
>
> CHKUSER_ERROR_DELAY (Delay, expressed in milliseconds, to wait for each not existing recipient) default value = 1000
>
> Why is it needed?

Together with other limits (above all *CHKUSER_WRONGRCPT_LIMIT_VARIABLE*), it can help avoid mass testing on recipients. Without delay, thousands of checks may be done easily. With this delay on wrong checks, mass testings are slower and not convenient.

> Why it has to sleep a vpopmail connection for 1000 ms? Can it be zero instead of 1000 ms?

Yes, it can be zero or undefined. But I suggest to use *CHKUSER_ERROR_DELAY_INCREASE*, which keeps growing as more and more not existing recipients are checked.

Ciao,
Tonino

> Thanks!

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
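The effect of the settings discussed in this message, as an added example (not chkuser source code): it compares a fixed delay per nonexistent recipient with a delay that grows on every miss, and shows what a wrong-recipient limit adds on top. The growth rule (base plus one increase per earlier miss), the cap, the behaviour once the limit is reached and all names are assumptions made for illustration.

```c
#include <stdio.h>

/* Illustrative model only: field names and the growth rule are assumptions,
 * not taken from chkuser.c. */
struct rcpt_session {
    unsigned wrong_rcpts;   /* nonexistent recipients seen so far in this session */
    unsigned base_ms;       /* role of CHKUSER_ERROR_DELAY */
    unsigned increase_ms;   /* role of CHKUSER_ERROR_DELAY_INCREASE; 0 = fixed delay */
    unsigned wrong_limit;   /* role of the wrong-recipient limit; 0 = no limit */
    unsigned max_ms;        /* cap, so one client cannot pin a server process */
};

enum rcpt_verdict { RCPT_ACCEPT, RCPT_UNKNOWN_USER, RCPT_LIMIT_REACHED };

/* Decide one RCPT TO and report how long to wait before answering. */
enum rcpt_verdict check_rcpt(struct rcpt_session *s, int exists, unsigned *delay_ms)
{
    unsigned long long d;

    *delay_ms = 0;
    if (s->wrong_limit != 0 && s->wrong_rcpts >= s->wrong_limit)
        return RCPT_LIMIT_REACHED;   /* further answers reveal nothing */
    if (exists)
        return RCPT_ACCEPT;

    d = (unsigned long long)s->base_ms
      + (unsigned long long)s->increase_ms * s->wrong_rcpts;
    if (d > s->max_ms)
        d = s->max_ms;
    s->wrong_rcpts++;
    *delay_ms = (unsigned)d;
    return RCPT_UNKNOWN_USER;
}

/* Time spent by a client testing n nonexistent addresses in one session.
 * *answered receives how many tests got a real "no such user" answer. */
unsigned long long probe_cost_ms(struct rcpt_session s, unsigned n, unsigned *answered)
{
    unsigned long long total = 0;
    unsigned i, delay;

    *answered = 0;
    for (i = 0; i < n; i++) {
        if (check_rcpt(&s, 0, &delay) == RCPT_LIMIT_REACHED)
            break;
        total += delay;
        (*answered)++;
    }
    return total;
}

int main(void)
{
    struct rcpt_session fixed   = { 0, 1000, 0,    0, 30000 };
    struct rcpt_session growing = { 0, 1000, 1000, 0, 30000 };
    struct rcpt_session limited = { 0, 1000, 1000, 3, 30000 };
    unsigned answered;
    unsigned long long cost;

    cost = probe_cost_ms(fixed, 100, &answered);
    printf("fixed delay:   %llu ms, %u answers\n", cost, answered);
    cost = probe_cost_ms(growing, 100, &answered);
    printf("growing delay: %llu ms, %u answers\n", cost, answered);
    cost = probe_cost_ms(limited, 100, &answered);
    printf("with limit 3:  %llu ms, %u answers\n", cost, answered);
    return 0;
}
```
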
Re: [vchkpw] Chkuser 2.0.9 installation fails after qmail-smtpd-auth patch
Kis Peter wrote:

> Thanks. I tried this way. First I applied qmail-smtpd-auth-059 patch, then I applied chkuser-2.0.9 manually, as seen at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
>
> See result below.
>
>     ./compile chkuser.c
>     ./load qmail-smtpd chkuser.o dns.o rcpthosts.o commands.o timeoutread.o \
>     timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o \
>     received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
>     datetime.a getln.a open.a sig.a case.a env.a stralloc.a \
>     alloc.a substdio.a error.a str.a fs.a auto_qmail.o \
>     `head -1 /home/vpopmail/etc/lib_deps` `cat dns.lib` \
>     `cat socket.lib`
>     qmail-smtpd.o: In function `auth_cram':
>     qmail-smtpd.c:(.text+0x101a): undefined reference to `b64encode'
>     qmail-smtpd.c:(.text+0x108e): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_plain':
>     qmail-smtpd.c:(.text+0x11f6): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1311): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_login':
>     qmail-smtpd.c:(.text+0x135d): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1396): undefined reference to `b64decode'
>     qmail-smtpd.o:qmail-smtpd.c:(.text+0x13f8): more undefined references to `b64decode' follow
>     collect2: ld returned 1 exit status
>     make: *** [qmail-smtpd] Error 1
>
> Kis Peter e-mail: [EMAIL PROTECTED]

Probably you deleted some lines, in Makefile, which are important for other patches. You have only to add what chkuser asks for, keeping what previous patches inserted.

In this case, you deleted the lines which contain b64decode routine.

Ciao,
Tonino

> Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
>
> First apply other patches, then apply chkuser manually. See http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html for more info.
>
> Ciao, Tonino
>
> Kis Peter wrote:
>
> Hello! I would like to ask for some help! I have successfully installed chkuser 2.0.9 on a clean Netqmail-1.05 without any problem. After make and setup, it works fine! But if I first install qmail-smtpd-auth-0.59 patch on a clean Netqmail-1.05, then I try to install Chkuser 2.0.9, I got a lot of error messages. Chkuser 2.0 patch installation fails. See output below.
>
>     # patch < ./chkuser-2.0.9-release.patch
>     patching file CHKUSER.automatic_patching
>     patching file CHKUSER.changelog
>     patching file CHKUSER.copyright
>     patching file CHKUSER.log_format
>     patching file CHKUSER.manual_patching
>     patching file CHKUSER.readme
>     patching file CHKUSER.running
>     patching file Makefile
>     Hunk #2 succeeded at 308 (offset 4 lines).
>     Hunk #3 FAILED at 1548.
>     1 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
>     patching file TARGETS
>     Hunk #1 succeeded at 386 (offset 1 line).
>     patching file chkuser.c
>     patching file chkuser.h
>     patching file chkuser_settings.h
>     patching file conf-cc
>     patching file qmail-smtpd.c
>     Hunk #2 succeeded at 39 with fuzz 2 (offset 5 lines).
>     Hunk #3 FAILED at 259.
>     Hunk #4 succeeded at 366 (offset 98 lines).
>     Hunk #5 succeeded at 377 (offset 98 lines).
>     1 out of 5 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
>
> I think that both of these two patches try to patch the qmail-smtpd.c file, and they confuse each other. What can be the solution for this problem?
>
> Kis Peter e-mail: [EMAIL PROTECTED]

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] Chkuser 2.0.9 installation fails after qmail-smtpd-auth patch
Make it all again WITHOUT chkuser, and check in Makefile where the b64encode routine is compiled (probably b64encode is included in other modules).

Take care to maintain this routine (or the including module) in the Makefile with chkuser.

Tonino

Kis Peter wrote:

> I double-checked again everything. I did the steps again as written in the Chkuser 2.0 manual editing page. (Anyway, there is no need to delete or modify any lines which contain b64decode routine.) Doing make, I got the same error. ( undefined reference to `b64encode') Strange!!!
>
> Then I modified the Makefile, the TARGETS file, the conf-cc file, but left the original qmail-smtpd.c intact. Doing make, I got the same error :( See below. At least I could find out that the error couldn't come from qmail-smtpd.c, because this file was left intact.
>
>     ./compile chkuser.c
>     ./load qmail-smtpd chkuser.o dns.o rcpthosts.o commands.o timeoutread.o \
>     timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o \
>     received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
>     datetime.a getln.a open.a sig.a case.a env.a stralloc.a \
>     alloc.a substdio.a error.a str.a fs.a auto_qmail.o \
>     `head -1 /home/vpopmail/etc/lib_deps` `cat dns.lib` \
>     `cat socket.lib`
>     qmail-smtpd.o: In function `auth_cram':
>     qmail-smtpd.c:(.text+0x101a): undefined reference to `b64encode'
>     qmail-smtpd.c:(.text+0x108e): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_plain':
>     qmail-smtpd.c:(.text+0x11f6): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1311): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_login':
>     qmail-smtpd.c:(.text+0x135d): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1396): undefined reference to `b64decode'
>     qmail-smtpd.o:qmail-smtpd.c:(.text+0x13f8): more undefined references to `b64decode' follow
>     collect2: ld returned 1 exit status
>     make: *** [qmail-smtpd] Error 1
>
> Kis Peter e-mail: [EMAIL PROTECTED]
>
> Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
>
> Kis Peter wrote:
>
> Thanks. I tried this way. First I applied qmail-smtpd-auth-059 patch, then I applied chkuser-2.0.9 manually, as seen at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
>
> See result below.
>
>     ./compile chkuser.c
>     ./load qmail-smtpd chkuser.o dns.o rcpthosts.o commands.o timeoutread.o \
>     timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o \
>     received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
>     datetime.a getln.a open.a sig.a case.a env.a stralloc.a \
>     alloc.a substdio.a error.a str.a fs.a auto_qmail.o \
>     `head -1 /home/vpopmail/etc/lib_deps` `cat dns.lib` \
>     `cat socket.lib`
>     qmail-smtpd.o: In function `auth_cram':
>     qmail-smtpd.c:(.text+0x101a): undefined reference to `b64encode'
>     qmail-smtpd.c:(.text+0x108e): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_plain':
>     qmail-smtpd.c:(.text+0x11f6): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1311): undefined reference to `b64decode'
>     qmail-smtpd.o: In function `auth_login':
>     qmail-smtpd.c:(.text+0x135d): undefined reference to `b64decode'
>     qmail-smtpd.c:(.text+0x1396): undefined reference to `b64decode'
>     qmail-smtpd.o:qmail-smtpd.c:(.text+0x13f8): more undefined references to `b64decode' follow
>     collect2: ld returned 1 exit status
>     make: *** [qmail-smtpd] Error 1
>
> Kis Peter e-mail: [EMAIL PROTECTED]
>
> Probably you deleted some lines, in Makefile, which are important for other patches. You have only to add what chkuser asks for, keeping what previous patches inserted.
>
> In this case, you deleted the lines which contain b64decode routine.
>
> Ciao, Tonino
>
> Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
>
> First apply other patches, then apply chkuser manually. See http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html for more info.
>
> Ciao, Tonino
>
> Kis Peter wrote:
>
> Hello! I would like to ask for some help! I have successfully installed chkuser 2.0.9 on a clean Netqmail-1.05 without any problem. After make and setup, it works fine! But if I first install qmail-smtpd-auth-0.59 patch on a clean Netqmail-1.05, then I try to install Chkuser 2.0.9, I got a lot of error messages. Chkuser 2.0 patch installation fails. See output below.
>
>     # patch < ./chkuser-2.0.9-release.patch
>     patching file CHKUSER.automatic_patching
>     patching file CHKUSER.changelog
>     patching file CHKUSER.copyright
>     patching file CHKUSER.log_format
>     patching file CHKUSER.manual_patching
>     patching file CHKUSER.readme
>     patching file CHKUSER.running
Re: [vchkpw] Chkuser 2.0.9 installation fails after qmail-smtpd-auth patch
First apply other patches, then apply chkuser manually.

See http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html for more info.

Ciao,
Tonino

Kis Peter wrote:

> Hello! I would like to ask for some help! I have successfully installed chkuser 2.0.9 on a clean Netqmail-1.05 without any problem. After make and setup, it works fine! But if I first install qmail-smtpd-auth-0.59 patch on a clean Netqmail-1.05, then I try to install Chkuser 2.0.9, I got a lot of error messages. Chkuser 2.0 patch installation fails. See output below.
>
>     # patch < ./chkuser-2.0.9-release.patch
>     patching file CHKUSER.automatic_patching
>     patching file CHKUSER.changelog
>     patching file CHKUSER.copyright
>     patching file CHKUSER.log_format
>     patching file CHKUSER.manual_patching
>     patching file CHKUSER.readme
>     patching file CHKUSER.running
>     patching file Makefile
>     Hunk #2 succeeded at 308 (offset 4 lines).
>     Hunk #3 FAILED at 1548.
>     1 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
>     patching file TARGETS
>     Hunk #1 succeeded at 386 (offset 1 line).
>     patching file chkuser.c
>     patching file chkuser.h
>     patching file chkuser_settings.h
>     patching file conf-cc
>     patching file qmail-smtpd.c
>     Hunk #2 succeeded at 39 with fuzz 2 (offset 5 lines).
>     Hunk #3 FAILED at 259.
>     Hunk #4 succeeded at 366 (offset 98 lines).
>     Hunk #5 succeeded at 377 (offset 98 lines).
>     1 out of 5 hunks FAILED -- saving rejects to file qmail-smtpd.c.rej
>
> I think that both of these two patches try to patch the qmail-smtpd.c file, and they confuse each other. What can be the solution for this problem?
>
> Kis Peter e-mail: [EMAIL PROTECTED]

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] Set external and internal users
You must be sure your smtp server does not allow internals to relay. Probably you must disable default allowed relay for internals and set up auth smtp.

Regards,
Tonino

Kenny Lee wrote:

> Hi
>
> after i set vmoduser -r [EMAIL PROTECTED] ... i tried to use that email address to send out the mail to external like yahoo.com ... and i able to receive the mail from [EMAIL PROTECTED] ...
>
> below is the user info ...
>
>     name: user
>     passwd: $1$UgK2UGPp$QVYOCBRM5zrY4iHRHI/ZD0
>     clear passwd:
>     comment/gecos: user
>     uid: 1
>     gid: 32
>     flags: 32
>     gecos: user
>     limits: user not allowed to relay mail
>     dir: /home/vpopmail/domains/example.com/user
>     quota: NOQUOTA
>     usage: NOQUOTA
>     last auth: Fri Aug 29 09:03:46 2008
>     last auth ip: imap
>
> ----- Original Message -----
> From: Manvendra Bhangui [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, August 28, 2008 6:55 PM
> Subject: Re: [vchkpw] Set external and internal users
>
> On Thu, 2008-08-28 at 14:31 +0800, Kenny Lee wrote:
>
> Internal group: which mean that those user set in this group can send mail to example.com's users only.
>
> vmoduser -r [EMAIL PROTECTED] sets no external relay flag - which means the user should not be able to send mails to external domains. However this needs to be done for each user. I am not sure if there is a concept of groups in vpopmail.

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] Set external and internal users
Check if you are using any distribution which includes auth code (like Shupp's toaster).

If you have this code working, you must:

* enable the auth flag in each Firefox/Outlook smtp configuration for users enabled to relay.
* Set vmoduser -r for each user enabled to relay.
* Check your tcp.smtp file and delete any line like

      192.168.x.x:allow,RELAYCLIENT=,

  This line permits users from 192.168.x.x to relay to anyone in the world.
* do not touch

      :allow

In this way, users allowed to relay are authenticated and authorized to relay. Users without authentication and/or without relay permission can only send to local domains.

Tonino

Kenny Lee wrote:

> Hi Tonino,
>
> not really understand ... please you tell me where to set the auth smtp or disable the default allowed relay ?
>
> thank you
>
> regards, Kenny
>
> ----- Original Message -----
> From: Tonix (Antonio Nati) [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Friday, August 29, 2008 5:05 PM
> Subject: Re: [vchkpw] Set external and internal users
>
> You must be sure your smtp server does not allow internals to relay. Probably you must disable default allowed relay for internals and set up auth smtp.
>
> Regards, Tonino
>
> Kenny Lee wrote:
>
> Hi
>
> after i set vmoduser -r [EMAIL PROTECTED] ... i tried to use that email address to send out the mail to external like yahoo.com ... and i able to receive the mail from [EMAIL PROTECTED] ...
>
> below is the user info ...
>
>     name: user
>     passwd: $1$UgK2UGPp$QVYOCBRM5zrY4iHRHI/ZD0
>     clear passwd:
>     comment/gecos: user
>     uid: 1
>     gid: 32
>     flags: 32
>     gecos: user
>     limits: user not allowed to relay mail
>     dir: /home/vpopmail/domains/example.com/user
>     quota: NOQUOTA
>     usage: NOQUOTA
>     last auth: Fri Aug 29 09:03:46 2008
>     last auth ip: imap
>
> ----- Original Message -----
> From: Manvendra Bhangui [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, August 28, 2008 6:55 PM
> Subject: Re: [vchkpw] Set external and internal users
>
> On Thu, 2008-08-28 at 14:31 +0800, Kenny Lee wrote:
>
> Internal group: which mean that those user set in this group can send mail to example.com's users only.
>
> vmoduser -r [EMAIL PROTECTED] sets no external relay flag - which means the user should not be able to send mails to external domains. However this needs to be done for each user. I am not sure if there is a concept of groups in vpopmail.

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
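A check for the tcp.smtp review described in this message, as an added example (not part of the original post and not code from vpopmail or chkuser): it reads rules in the address:allow,VAR="value" form and reports every line that hands out RELAYCLIENT to anything other than loopback, separating a scoped grant from an open relay on the default rule. The sample rules are constructed, and the function names and the choice to leave 127. rules unreported are assumptions.

```c
#include <stdio.h>
#include <string.h>

enum relay_scope { RELAY_NONE, RELAY_LOOPBACK, RELAY_SCOPED, RELAY_EVERYONE };

/* Classify one rule line of the form  address:allow,VAR="value",...  */
enum relay_scope classify_rule(const char *line)
{
    const char *colon;

    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '#' || *line == '\0')
        return RELAY_NONE;                  /* comment or blank line */
    colon = strchr(line, ':');
    if (colon == NULL || strncmp(colon + 1, "allow", 5) != 0)
        return RELAY_NONE;                  /* malformed line or a deny rule */
    if (strstr(colon + 6, ",RELAYCLIENT=") == NULL)
        return RELAY_NONE;                  /* plain allow: no relay granted */
    if (colon == line)
        return RELAY_EVERYONE;              /* empty address = default rule */
    if (strncmp(line, "127.", 4) == 0)
        return RELAY_LOOPBACK;
    return RELAY_SCOPED;
}

/* Scan a whole rules file held in memory. Stores the 1-based numbers of lines
 * that grant relay beyond loopback and returns how many were stored. */
int audit_tcp_smtp(const char *text, int *flagged, int max_flagged)
{
    char buf[512];
    int lineno = 0, n = 0;

    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        /* a line too long to parse is reported for manual review, not skipped */
        enum relay_scope scope = RELAY_SCOPED;

        lineno++;
        if (len < sizeof buf) {
            memcpy(buf, text, len);
            buf[len] = '\0';
            scope = classify_rule(buf);
        }
        if (scope >= RELAY_SCOPED && n < max_flagged)
            flagged[n++] = lineno;
        text += len;
        if (*text == '\n')
            text++;
    }
    return n;
}

/* Constructed sample rules, not taken from a real server. */
static const char SAMPLE_RULES[] =
    "# sample tcp.smtp\n"
    "127.:allow,RELAYCLIENT=\"\"\n"
    "192.168.:allow,RELAYCLIENT=\"\"\n"
    "10.1.2.3:allow,CHKUSER_MBXQUOTA=\"90\"\n"
    ":allow\n";

int main(void)
{
    int flagged[16];
    int i, n = audit_tcp_smtp(SAMPLE_RULES, flagged, 16);

    for (i = 0; i < n; i++)
        printf("line %d grants relay without authentication\n", flagged[i]);
    return n == 0 ? 0 : 1;
}
```
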
Re: [vchkpw] vmysql: can't read settings from
Is the command executed inside Apache? So the user executing the command is the apache user, and not vpopmail.

Ciao,
Tonino

Mitja Pirih wrote:

> Hi,
>
> Yes, the file exists. The permissions are also OK.
>
>     # ls -l /home/vpopmail/etc/vpopmail.mysql
>     -rw-r----- 1 vpopmail vchkpw 45 Aug 7 14:01 /home/vpopmail/etc/vpopmail.mysql
>     # cat /home/vpopmail/etc/vpopmail.mysql
>     localhost|0|vpopmailuser|vpoppasswd|vpopmail
>     # mysql -h localhost -u vpopmailuser -pvpoppasswd vpopmail
>     Welcome to the MySQL monitor. Commands end with ; or \g.
>     Your MySQL connection id is 7
>     Server version: 5.0.51a-log OpenBSD port: mysql-server-5.0.51a
>     Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
>     mysql> quit
>     Bye
>
> Other ideas?
>
> Thank you, Mitja
>
> Wouter van der Schagt wrote:
>
> Hi,
>
> Does the file exist ? it should have permissions 640 and owned by vpopmail:vchkpw in a standard installation. The file itself contains mysql login settings like (example contents below).
>
>     # MYSQL CONNECTION SETTINGS FOR VPOPMAIL
>     #
>     # Line 1 defines the connection to use for database reads,
>     # Line 2 defines the connection to use for database updates/writes.
>     #
>     # If you omit line 2, then the same settings will be
>     # used for both read and write.
>     #
>     # settings for each line:
>     # host|port|user|password|database
>     #
>     #localhost|0|root|secret|vpopmail
>     localhost|0|databaseusername|databasepassword|database
>     #
>     # Note:
>     # The value of host may be either a hostname or an IP address.
>     # If host is 'localhost', then sockets (Unix) or named pipes (Windows)
>     # will be used instead of TCP/IP to connect to the server.
>
> I hope this can help, it works for me, im not getting any error messages.
>
> - Wouter
>
> ----- Original Message -----
> From: Mitja Pirih [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, August 07, 2008 9:01 PM
> Subject: [vchkpw] vmysql: can't read settings from
>
> Hello,
>
> I searched through the mailing lists and did not find a solution to my problem. I am getting in apache log:
>
>     vmysql: can't read settings from /home/vpopmail/etc/vpopmail.mysql
>
> Vpopmail looks fully operational in cmd and it can connect to mysql, so should not be related to permissions.
>
>     # /home/vpopmail/bin/vuserinfo [EMAIL PROTECTED]
>     name: postmaster
>     passwd: $1$X
>     clear passwd: hello
>     comment/gecos: Postmaster
>     uid:0
>     gid:0
>     flags: 0
>     gecos: Postmaster
>     limits: No user limits set.
>     dir: /home/vpopmail/domains/.yy/postmaster
>     quota: NOQUOTA
>     usage: NOQUOTA
>     account created: Thu Aug 7 14:24:36 2008
>     last auth: Never logged in
>
> mount:
>
>     /dev/raid0a on / type ffs (local)
>     /dev/raid0f on /tmp type ffs (local, nodev, nosuid, softdep)
>     /dev/raid0g on /usr type ffs (local, nodev, softdep)
>     /dev/raid0d on /var type ffs (local, nodev, nosuid, softdep)
>     /dev/raid0e on /var/log type ffs (local, nodev, nosuid, softdep)
>     /dev/raid1a on /var/mysql type ffs (local, nodev, nosuid, softdep)
>     /dev/raid1d on /var/www/webpages type ffs (local, nodev, nosuid, softdep)
>     /dev/raid1e on /var/qmail type ffs (local, nodev, softdep)
>
> vpopmail home dir is in /var/qmail/vpopmail and symlinked to /home/vpopmail.
>
>     # userinfo vpopmail
>     login vpopmail
>     passwd *
>     uid 98
>     groups vchkpw
>     change NEVER
>     class
>     gecos
>     dir /home/vpopmail
>     shell /bin/ksh
>     expire NEVER
>
> Any ideas what to check?
>
> Other details:
> -OS OpenBSD 4.3-stable
> -mysql 5.0.51a
> -php5-core-5.2.5p2
> -vpopmail-5.4.18
> -netqmail-1.05
>
> -- Mitja

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] migrating to new server
Lampa wrote:

> Hello,
>
> i need move from old server to new one. Problem is while DNS are replicated i need disable whole access to domain (delivering - smtp, pop3, imap). I know that via vpopmail is possible disable access to imap/pop3. but is possible to disable smtp. In best case i need that smtp returns some error and message will be delivered later (to new mail server)

Why don't you simply turn off services you don't need? If you turn off SMTP, senders will retry later (according to their policies).

Tonino

> Thank you for help and advices.

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] vpopmail:vchkpw
[EMAIL PROTECTED] wrote:

> Hello
>
> I wanted to ask about creation of vpopmail:vchkpw user:group for vpopmail installation. Does every installation of vpopmail requires creation of this user:group pair. What if i want to use root:root for it?
>
> Regards, Hina Hayat.

vpopmail must be able to read it, so if you make it root:root you must set it readable by world.

Instead, if you set it with owner vpopmail:vchkpw (no read/write for world), only vpopmail can read it.

Make it just readable for vpopmail, so you are sure only vpopmail can read it and only root can modify it.

Tonino

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] CHKUSER Bug (present in 2.0.9)
Joshua Megerman wrote:

> I just found a chkuser bug, which I will try to fix if the author doesn't beat me to it :) Bounce messages (i.e., from <>) are accepted for non-existent remote recipients.
>
> In our case, we have a rogue client who we used to perform secondary MX services for and stopped because 99% of the mail was spam that they were rejecting and leaving us to bounce. Unfortunately, no matter how many times we try, they refuse to remove the secondary MX record that lists us, so we get lots of messages sent to us that we reject because the domain is not in any of our control files.
>
> However, I noticed a couple of bounce messages for them in our queue today, and upon further investigation found that CHKUSER had allowed the null sender to relay despite the user being non-existent on the system. Even more interestingly, it seems to be a random occasional thing - I see other bounces (including one to the same user) getting rejected. The only difference I see is that they are coming from different hosts out of google, but that's all I can say. Here's the CHKUSER log messages for one accept and one reject for the same user:
>
>     @4000480f8d7f04132104 15437 CHKUSER relaying rcpt: from :: remote :fg-out-1718.google.com:72.14.220.157 rcpt [EMAIL PROTECTED] : client allowed to relay
>     @4000480f94c100eddc94 18912 CHKUSER rejected relaying: from :: remote :nf-out-0910.google.com:64.233.182.189 rcpt [EMAIL PROTECTED] : client not allowed to relay
>
> Any ideas?

Do not confuse relaying and CHKUSER.

Relaying is allowed only if sending user is authenticated or you have set RELAYCLIENT for the sending IP or for the process.

CHKUSER simply shows you what is happening on your system. In this case:

* recipients are not local (so chkuser cannot check for their existence).
* IP 72.14.220.157 is probably authorized to relay (you have RELAYCLIENT set, that means you can have pop before smtp, or whatever other reason), while 64.233.182.189 is not authorized to relay (RELAYCLIENT not set).

Check your system and what is happening before/around your SMTP process.

Tonino

> Josh

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] SMTP Authenticaton
Tonix (Antonio Nati) wrote:

> I guess you use vpopmail.

Sorry for the stupid deduction, I confused this mailing list with the general qmail mailing list :-).

Tonino

> If you use chkuser patch (on for qmail/vpopmail), or Shupp's toaster which includes chkuser, you can force a server to accept only authenticated sessions.
>
> So, you can set up a dedicated port (like the submission port) or a dedicated IP only for this purpose.
>
> See http://www.interazioni.it/opensource/chkuser/ for more details.
>
> Tonino
>
> Wouter van der Schagt wrote:
>
> My apologies, you already mentioned it.. by firewall restriction. Another question.. spammers could still connect if they knew they were supposed to connect to port 587 am i correct? Or did you find a way around this as well?
>
> Thanks - Wouter
>
> ----- Original Message -----
> From: Alastair Battrick [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, April 10, 2008 4:39 PM
> Subject: Re: [vchkpw] SMTP Authenticaton
>
> Wouter van der Schagt wrote:
>
> An option for us to setup a different server that only handles smtp functionality for our client, however the problem then is that a domain needs to exist on two servers. one for the popbox and one for smtp authentication to work. Or is it possible for the vpopmail to connect to the database on the other mailserver for authentication or would that be too slow? Does anybody have any other suggestions perhaps?
>
> Hi Wouter
>
> I ran into this same problem. I got around it by creating a SMTP submission port that accepts SMTP Auth emails into the server on port 587. Port 25 only accepts messages from our spam appliance by firewall restriction. Each mail client has to be set to use port 587 and SMTP Auth of course.
>
> -- Alastair Battrick

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] SMTP Authenticaton
I guess you use vpopmail.

If you use chkuser patch (on for qmail/vpopmail), or Shupp's toaster which includes chkuser, you can force a server to accept only authenticated sessions.

So, you can set up a dedicated port (like the submission port) or a dedicated IP only for this purpose.

See http://www.interazioni.it/opensource/chkuser/ for more details.

Tonino

Wouter van der Schagt wrote:

> My apologies, you already mentioned it.. by firewall restriction. Another question.. spammers could still connect if they knew they were supposed to connect to port 587 am i correct? Or did you find a way around this as well?
>
> Thanks - Wouter
>
> ----- Original Message -----
> From: Alastair Battrick [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, April 10, 2008 4:39 PM
> Subject: Re: [vchkpw] SMTP Authenticaton
>
> Wouter van der Schagt wrote:
>
> An option for us to setup a different server that only handles smtp functionality for our client, however the problem then is that a domain needs to exist on two servers. one for the popbox and one for smtp authentication to work. Or is it possible for the vpopmail to connect to the database on the other mailserver for authentication or would that be too slow? Does anybody have any other suggestions perhaps?
>
> Hi Wouter
>
> I ran into this same problem. I got around it by creating a SMTP submission port that accepts SMTP Auth emails into the server on port 587. Port 25 only accepts messages from our spam appliance by firewall restriction. Each mail client has to be set to use port 587 and SMTP Auth of course.
>
> -- Alastair Battrick

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] checkuser + user's quota
Did you enable checking of quota in chkuser_settings.h, and recompile?

Tonino

Pierre GEOFFROY wrote:

> Thank you for your reply. Yes, vpopmail shows the correct size and quota: eg: usage: 97% and while testing I receive MAILER-DAEMON stating the user is over quota.
>
> PG
>
> ----- Original Message -----
> From: Shane Chrisp [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 7 February 2008 00:42
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] checkuser + user's quota
>
> What does vpopmail say about the mailbox? Is it showing the correct size and quota for the mailbox?
>
> On Thu, 2008-02-07 at 00:20 +0100, Pierre GEOFFROY wrote:
>
> Hello
>
> We are using checkuser 2.08 and it works fine, rejecting email for non-valid recipients. We are encountering problem trying to have checkuser reject emails based on user's quota. We set CHKUSER_MBXQUOTA=90 in /etc/tcp.smtp but despite the quota being reached emails are accepted by checkuser and then subsequently rejected by qmail.
>
> Any advice appreciated. Many thanks
>
> PG

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] Qmail rejection of overquota messages instead of bouncing
[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>
> Quey wrote:
>
> Rick Romero wrote:
>
> I went looking into this thinking chkuser would be a perfect place for the basic quota check. Of course that would be sort of vpopmail specific, but lo and behold, it's already in there.
>
> 'chkuser.c' v.2.0.8
>
>     if (vmaildir_readquota(tmp_path.s,format_maildirquota \
>         (user_passwd->pw_shell)) \
>         >= maxmbxquota_limit) {
>         retstat = CHKUSER_ERR_MBXFULL;
>     }
>
> It's not as encompassing as Tom was envisioning, but it does do what the parent is looking for..
>
> Rick
>
> I thought this used to work back in the days when we used CDB, but does it still work today (using SQL at least?) on my production it still generates a new bounce, as it does on my test server...
>
>     Connected to fox.
>     Escape character is '^]'.
>     220 fox ESMTP
>     mail from: [EMAIL PROTECTED]
>     250 ok
>     rcpt to: [EMAIL PROTECTED]
>     250 ok
>     data
>     354 go ahead
>     blah ..
>     250 ok 1197328261 qp 12808
>
> and yes david is well over quota :)
>
>     Dec 11 09:11:06 fox qmail-send: delivery 65: failure: user_is_over_quota//
>     Dec 11 09:11:06 fox qmail-send: status: local 0/200 remote 0/200
>     Dec 11 09:11:06 fox qmail-send: bounce msg 131246 qp 12818
>
> Chkusr accepts it like any other user found message... Antonio perhaps I missed a config option to force this? (or has it been so long since i needed to install it, it never actually did it and I'm remembering wrong?
>
> no matter, I found what I did wrong, I omitted the variable in tcp.smtp file :) it now works as stated. But I agree it would be nice to do by default without adding into that file if it is defined.
>
> Hi! well my current solution is to check all mailboxes with a perl script and add those email addresses to be removed from validrcptto.txt file... then rebuild validrcptto.cdb... and mail won't be accepted for them... but this is a permanent failure error.. should be better to be specified a 450 at smtp time for example as error code... have a nice day!
>
> Antonio's Chkusr works perfect maybe you could look at implementing it :) will save a lot of hassle
>
> yes but it breaks auth... or unless some month ago

It works with auth... it depends which version of auth you are using. Check Shupp's toaster version, it is ok.

Tonino

--
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] Qmail rejection of overquota messages instead of bouncing
Rick Romero wrote:

Actually, as I was falling asleep last night (isn't that always the case), I wondered why chkuser.c sets maxmbxquota_limit = 0 and not 100 by default. It would seem to me if you're enabling the define, you would already expect that function to just work, not go to another place and enable something else. Having the environment variable is great, then if you want to alter the default, you can set it there... Just my .02. Rick

Rick I believe that Tonino has set this for the tcp.smtp otherwise you need to recompile qmail every time you need to change the setting for the quota. Just my 2 cents. Remo

Right - that makes sense, but as it is now when it's enabled, it's not REALLY enabled until the environment is set. The environment is required, it's not an option. This is because in the chkuser.c the limit is set to 0, which disables the check. If, by default, the limit was set to 100, then it would be enabled by the define AND you can change the limit in environment or disable it by setting the environment to 0. To me the environment variables should override the 'standard' - and if you've enabled 'smtp bouncing', you shouldn't have to add the environment as well (imho, enabling it twice).

Rick, the standard I'm following in chkuser, whenever possible, is the following: each time a variable is needed/used, it must be defined, otherwise the feature is disabled. You see this for each variable you can use: enabling variable, bad rcpt limit variable, quota variable, etc. This is a double security against unwanted features, very useful for new features within new releases.

Tonino

Rick

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] authdaemond Memory Leak?
There was a memory problem in an old version of vpopmail library. It was related to usage of vlimits in MySQL. Check within mailing list for such information. You have to upgrade/fix, then recompile vpopmail and courier-authdaemon.

Ciao, Tonino

Matthew Goodman wrote:

Hello, I've noticed that courier-authlib slowly uses up memory over time on my Gentoo linux server. Using 2.6.21-gentoo-r4 kernel, compiler GCC 4.1.2, glibc 2.5-r4. Using the authvchkpw library, authdaemond usage looks like this after about a week:

top - 00:42:49 up 22 days, 20:31, 2 users, load average: 2.08, 2.52, 2.54
Tasks: 271 total, 2 running, 269 sleeping, 0 stopped, 0 zombie
Mem: 2074712k total, 1966420k used, 108292k free, 134520k buffers
Swap: 1951800k total, 1113692k used, 838108k free, 547588k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7885 root 15 0 217m 68m 932 S 0 3.4 0:40.84 /usr/lib/courier/courier-authlib/authdaemond
7884 root 15 0 216m 66m 928 S 0 3.3 0:39.71 /usr/lib/courier/courier-authlib/authdaemond
7883 root 15 0 208m 66m 928 S 0 3.3 0:38.41 /usr/lib/courier/courier-authlib/authdaemond
7886 root 15 0 217m 65m 928 S 0 3.2 0:40.57 /usr/lib/courier/courier-authlib/authdaemond
7882 root 15 0 212m 65m 932 S 0 3.2 0:38.97 /usr/lib/courier/courier-authlib/authdaemond

Once I restart the service, usage looks much better:

root 14565 0.0 0.0 4644 1132 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14569 0.0 0.0 4688 1340 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14570 0.0 0.0 4644 424 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14571 0.0 0.0 4688 1340 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14572 0.0 0.0 4812 1436 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14573 0.0 0.0 4812 1476 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond

From /etc/courier/authlib/authdaemonrc:
---
authmodulelist=authvchkpw
daemons=5
DEFAULTOPTIONS=
LOGGEROPTS=

There is another post on the courier-users mailing list about this, user is also using a Gentoo environment and he was told to post on the vchkpw mailing list. Link included for reference: http://readlist.com/lists/lists.sourceforge.net/courier-users/0/3901.html

Any input would be greatly appreciated.

Matt

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] authdaemond Memory Leak?
5.4.18 should be fine. Did you rebuild courier-authdaemon after installing 5.4.18? See more on http://www.mail-archive.com/vchkpw@inter7.com/msg24203.html

Ciao, Tonino

Matthew Goodman wrote:

Thanks, I am using Vpopmail 5.4.18. Was the fix after that release?

Matt

*From:* tonix (Antonio Nati) [mailto:[EMAIL PROTECTED]
*Sent:* Friday, November 30, 2007 1:03 AM
*To:* vchkpw@inter7.com
*Subject:* Re: [vchkpw] authdaemond Memory Leak?

There was a memory problem in an old version of vpopmail library. It was related to usage of vlimits in MySQL. Check within mailing list for such information. You have to upgrade/fix, then recompile vpopmail and courier-authdaemon.

Ciao, Tonino

Matthew Goodman wrote:

Hello, I've noticed that courier-authlib slowly uses up memory over time on my Gentoo linux server. Using 2.6.21-gentoo-r4 kernel, compiler GCC 4.1.2, glibc 2.5-r4. Using the authvchkpw library, authdaemond usage looks like this after about a week:

top - 00:42:49 up 22 days, 20:31, 2 users, load average: 2.08, 2.52, 2.54
Tasks: 271 total, 2 running, 269 sleeping, 0 stopped, 0 zombie
Mem: 2074712k total, 1966420k used, 108292k free, 134520k buffers
Swap: 1951800k total, 1113692k used, 838108k free, 547588k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
7885 root 15 0 217m 68m 932 S 0 3.4 0:40.84 /usr/lib/courier/courier-authlib/authdaemond
7884 root 15 0 216m 66m 928 S 0 3.3 0:39.71 /usr/lib/courier/courier-authlib/authdaemond
7883 root 15 0 208m 66m 928 S 0 3.3 0:38.41 /usr/lib/courier/courier-authlib/authdaemond
7886 root 15 0 217m 65m 928 S 0 3.2 0:40.57 /usr/lib/courier/courier-authlib/authdaemond
7882 root 15 0 212m 65m 932 S 0 3.2 0:38.97 /usr/lib/courier/courier-authlib/authdaemond

Once I restart the service, usage looks much better:

root 14565 0.0 0.0 4644 1132 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14569 0.0 0.0 4688 1340 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14570 0.0 0.0 4644 424 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14571 0.0 0.0 4688 1340 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14572 0.0 0.0 4812 1436 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond
root 14573 0.0 0.0 4812 1476 ? S 00:43 0:00 /usr/lib/courier/courier-authlib/authdaemond

From /etc/courier/authlib/authdaemonrc:
---
authmodulelist=authvchkpw
daemons=5
DEFAULTOPTIONS=
LOGGEROPTS=

There is another post on the courier-users mailing list about this, user is also using a Gentoo environment and he was told to post on the vchkpw mailing list. Link included for reference: http://readlist.com/lists/lists.sourceforge.net/courier-users/0/3901.html

Any input would be greatly appreciated.

Matt

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] can't make chkuser 2.09 work
What does chkuser log say about passing messages?

Tonino

[EMAIL PROTECTED] wrote:

I patched a fresh netqmail distribution with chkuser 2.09. My chkuser_settings.h file can be seen here: http://sitefoundry.com/misc/chkuser_settings.h

I had previously installed vpopmail 5.4.15, and it has been working fine. Building and installing netqmail with the chkuser patch was successful. When I run /var/qmail/bin/qmail-smtpd as root, I get expected results, e.g.: '250 ok' for valid addresses, and '550 5.1.1 sorry, no mailbox here by that name (chkuser)' for bad ones.

However, via SMTP, chkuser seems to not run at all. I see no chkuser messages in any logfiles. Mail sent from gmail to bad addresses on my server is accepted, then later bounced back.

I use the LWQ setup for qmail, which means my /var/qmail/supervise/qmail-smtpd/run script looked like:

#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
...
exec /usr/local/bin/softlimit -m 25165824 \
  /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
  -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

I have since gathered that qmail-smtpd needs to run as vpopmail for chkuser rather than qmail-smtpd to run properly, so I tried this line instead of the former one:

exec /usr/local/bin/softlimit -m 25165824 \
  /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
  -u $VPOPMAILUID -g $VPOPMAILGID 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

This does indeed spawn qmail-smtpd as UID vpopmail, but it doesn't fix the problem that chkuser doesn't seem to work for inbound mail.

Here is `ps` output, in case it is useful:

SHELL# ps auxw | grep qmail-smtp
root 22851 0.0 0.0 141284 ? S 2006 0:58 supervise qmail-smtpd
vpopmail 8176 0.0 0.0 1608 496 ? S 18:06 0:00 /usr/local/bin/tcpserver -v -R -l MY.HOSTNAME.HERE -x /etc/tcp.smtp.cdb -c 30 -u 89 -g 89 0 smtp /var/qmail/bin/qmail-smtpd
vpopmail 8465 0.0 0.0 1892 560 ? S 18:06 0:00 /var/qmail/bin/qmail-smtpd
root 10049 0.0 0.3 6736 3144 pts/4 S+ 18:15 0:00 vi /var/qmail/supervise/qmail-smtpd/run
vpopmail 11614 0.0 0.0 1760 364 ? S 18:29 0:00 /var/qmail/bin/qmail-smtpd
root 11619 0.0 0.0 2036 660 pts/2 R+ 18:29 0:00 grep qmail-smtp

Fortunately, mail delivery to vpopmail mailboxes still works, so my server is not broken at the moment. But I'd sure like to get chkuser working.

Note: chkuser still works fine when I run qmail-smtpd locally as root, from the command line.

-- matt.

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] can't make chkuser 2.09 work
[EMAIL PROTECTED] wrote:
Christopher Chan wrote:

what user privileges are you running qmail-smtpd with? Maybe it cannot read vpopmail owned files? Did you do your testing as root and not under the same user id set in the run file for qmail-smtpd?

I think this is the right line of inquiry, but I don't know why what I've already tried hasn't worked. Part of the problem is that chkuser is not writing log files, so diagnosis is hindered.

Are you seeing any log by smtpd? If yes, you should see also chkuser logs. If no, you have problem elsewhere with logs.

Summary:

- When I test qmail-smtpd manually (from the command line) as root, chkuser rejects bad addresses.

- When I run qmail-smtpd via tcpserver as UID qmaild, chkuser doesn't reject bad addresses -- regardless of the setting for CHKUSER_ENABLE_UIDGID

You must run it as vpopmail, and be aware all your .qmail-default are readable by vpopmail.

- When I run qmail-smtpd via tcpserver as UID vpopmail, chkuser doesn't reject bad addresses

Check if .qmail files are readable by vpopmail.

Initially, my /var/qmail/supervise/qmail-smtpd/run script executed qmail-smtpd as UID qmaild, because that is what the LWQ docs recommend -- see section 2.8.2.2, the supervise scripts, here: http://lifewithqmail.org/lwq.html#start-qmail

First I tried recompiling qmail+chkuser with the CHKUSER_ENABLE_UIDGID switch enabled. qmail-smtpd ran fine but chkuser would not reject bad addresses.

You may use this, but must know carefully what you are doing, because executing script is more complex, and you must do additional actions on the executable; this option is not compatible with TLS

Tonino

Then I commented out CHKUSER_ENABLE_UIDGID, recompiled qmail again, and changed the qmail-smtpd/run script to run qmail-smtpd as UID vpopmail. chkuser still does not reject bad addresses.

Here is the qmail-smtpd invocation from qmail-smtpd/run:

exec /usr/local/bin/softlimit -m 25165824 \
  /usr/local/bin/tcpserver -v -R -l $LOCAL \
  -x /etc/tcp.smtp.cdb \
  -c $MAXSMTPD \
  -u $VPOPMAILUID -g $VPOPMAILGID 0 smtp \
  /var/qmail/bin/qmail-smtpd 2>&1

The two problems currently are:

1- chkuser does not reject any mail received by qmail
2- chkuser does not write to the mail log

It is as if chkuser is not compiled in at all -- but it is, as a command-line test reveals.

-- matt.

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] Two qmails in same machine
Rick Romero wrote:

On Thu, 2007-11-08 at 17:20 +0100, [EMAIL PROTECTED] wrote:

On Thu, 08 Nov 2007 08:52:57 -0600 Rick Romero [EMAIL PROTECTED] wrote:

Not entirely, If the main issue is timeouts during SMTP, he can move his scanning to '127.0.0.1', and remove it from his external IP. That will ensure he can receive an email from the outside in its entirety. He can throttle connections to 127.0.0.1 to prevent overload, and he won't bounce mail due to SMTP timeouts. You don't want to lose a/v scanning on your external IP, so another qmail install, with spam-only qmail-scanner, would be the cheapest solution.

Why not? Moving it to a pool of AV scanning boxes would be a good idea. I'm not suggesting that the caller be moved, but the work is moved. So the MX gets the mail, but uses the clam client to talk to a clam server that's in a pool... somewhere. That would seem to be a good use of resources to me. The resource pool could be a loadbalancer for example, if one works with an office LAN that would be a good use of boxes that are doing nothing more than running a xscreensaver.

-- The SCSI Controller to Toshi Station is sending 11 because of the newbie thinking 'halt' means 'exit'. Valve Software is RNA. :: http://www.s5h.net/ :: http://www.s5h.net/gpg

Hi! Perhaps I should have said that this server will be housed and that I can't set more than one server because of the cost... so I needed to do something as this... but don't know if it would work or could have problems... I assume not.. because is the same way than setting a ssl smtp on port 465.. it shares everything with qmails 25 port server... but I needed to know if any of you have tested if this works...

Yes, basically:

Do an alternate qmail install (qmail2)
Install your qmail-scanner on qmail2 with only antivirus scanning.
Assuming you're running supervised:
create a /service/smtp2/run that only binds to your external IP (correct the paths)
create a /service/send2/ like /service/send, but with correct paths
change/add /var/qmail2/control/smtproutes to contain only: :127.0.0.1
modify your /service/smtp/run so it only binds to 127.0.0.1

What you did was install a blank qmail (make sure the basics are there so you don't have an open relay, etc) into qmail2. All it does is bind to your external IP, receive email, a/v scan it, and forward it to 127.0.0.1. Since 127.0.0.1 is your original qmail install, it will handle everything as it did before. It can get confusing - so make sure you backup everything before you accidentally edit/delete something in /var/qmail instead of /var/qmail2 :)

What about qmail users? Usually qmail cd according to user's home directory.

Tonino

Rick

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] chkuser and qmail ext
Tom Collins wrote:

What am I doing wrong with my chkuser setup? I want to have an alias of .qmail-fred, yet allow email to be accepted for .qmail-fred-something. I'm using chkuser 2.0.8. Do I need to create .qmail-fred-default and define CHKUSER_ENABLE_ALIAS_DEFAULT? I have CHKUSER_ENABLE_USERS_EXTENSIONS defined, but it only seems to apply for users and not aliases. If I have a .qmail-fred-default, will email for fred come in, or will it only work for fred-something?

The second. You should create both .qmail-fred and .qmail-fred-default for having accepted both fred and fred-something. Which is the qmail behaviour without chkuser in such a case? I can change chkuser behaviour if it is in contrast with qmail's one.

Tonino

--
Tom Collins - [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/

--
[EMAIL PROTECTED] Interazioni di Antonio Nati http://www.interazioni.it [EMAIL PROTECTED]
Re: [vchkpw] Vpopmail mysql and aborted clients
If your courier still works without you need to restart it, it means you already have vpopmail in the right configuration, and you are only facing a log warning (which reason is now known).

Ciao, Tonino

At 11.00 06/10/2007, you wrote:

So then no matter for worrying about this? This can't break the database or... don't know cause any type of problem... or should I do any conf in authdaemon for this to be avoided? or is this normal and nothing happens with it? Thanks a lot!!!

As told in other messages, the way of playing is different. Each vpopmail/qmail program usually executes briefly and opens and closes MySQL, so there are no abnormal exits. When courier plays (both imap and pop), it asks auth data to courier's auth daemon. When this daemon is started, it opens MySQL and never closes it, as it supposes to reuse continuously the same opened connection. But if none is going to use the connection for eight hours, MySQL itself closes the connection. This will be opened again automatically by vpopmail library in courier's daemon, but you see an error in MySQL stats. Hope I've been clear.

Tonino

At 12.54 05/10/2007, [EMAIL PROTECTED] wrote:

sorry for insisting but this happens when courier enters, it's the same for pop, or imap or... in the moment courier enters in the play for imap only imagine because you use qmail-pop there in the way I told yesterday... after some time of inactivity happens this... sorry for insisting

At 04.55 05/10/2007, you wrote:

tonix (Antonio Nati) wrote:

MySQL has now an hardcoded timeout of eight hours. Courier uses its authentication daemon with persistent attach to vpopmail/MySQL, it could be that during the night there are no requests, so MySQL connections are dropped (by MySQL).

I thought this was addressed in a recent version of vpopmail?

Yes, but you see in the logs that some connections have been dropped.

Tonino

Yep but wait a minute! if you have a machine in which you only run qmail for mail scanning or smtp relay, or even with qmail-pop3d you don't get those aborted clients... but if you run there pop and imap with courier, so the problem occurs when you use courier... if you don't use it... you don't see any error... and both use vpopmail equally aren't they (courier and qmail) ? if you have for example qmail-smtpd with smtp auth only and of course vpopmail you will never have that errors... and you go to ask to courier and they say is a vpopmail question... but vpopmail works fine with qmail-smtpd!!! this was an important detail I forgot to tell yesterday... could this give you any more clue???
Re: [vchkpw] Vpopmail mysql and aborted clients
At 04.55 05/10/2007, you wrote:

tonix (Antonio Nati) wrote:

MySQL has now an hardcoded timeout of eight hours. Courier uses its authentication daemon with persistent attach to vpopmail/MySQL, it could be that during the night there are no requests, so MySQL connections are dropped (by MySQL).

I thought this was addressed in a recent version of vpopmail?

Yes, but you see in the logs that some connections have been dropped.

Tonino
Re: [vchkpw] Vpopmail mysql and aborted clients
As told in other messages, the way of playing is different. Each vpopmail/qmail program usually executes briefly and opens and closes MySQL, so there are no abnormal exits. When courier plays (both imap and pop), it asks auth data to courier's auth daemon. When this daemon is started, it opens MySQL and never closes it, as it supposes to reuse continuously the same opened connection. But if none is going to use the connection for eight hours, MySQL itself closes the connection. This will be opened again automatically by vpopmail library in courier's daemon, but you see an error in MySQL stats. Hope I've been clear.

Tonino

At 12.54 05/10/2007, [EMAIL PROTECTED] wrote:

sorry for insisting but this happens when courier enters, it's the same for pop, or imap or... in the moment courier enters in the play for imap only imagine because you use qmail-pop there in the way I told yesterday... after some time of inactivity happens this... sorry for insisting

At 04.55 05/10/2007, you wrote:

tonix (Antonio Nati) wrote:

MySQL has now an hardcoded timeout of eight hours. Courier uses its authentication daemon with persistent attach to vpopmail/MySQL, it could be that during the night there are no requests, so MySQL connections are dropped (by MySQL).

I thought this was addressed in a recent version of vpopmail?

Yes, but you see in the logs that some connections have been dropped.

Tonino

Yep but wait a minute! if you have a machine in which you only run qmail for mail scanning or smtp relay, or even with qmail-pop3d you don't get those aborted clients... but if you run there pop and imap with courier, so the problem occurs when you use courier... if you don't use it... you don't see any error... and both use vpopmail equally aren't they (courier and qmail) ? if you have for example qmail-smtpd with smtp auth only and of course vpopmail you will never have that errors... and you go to ask to courier and they say is a vpopmail question... but vpopmail works fine with qmail-smtpd!!! this was an important detail I forgot to tell yesterday... could this give you any more clue???
Re: [vchkpw] Vpopmail mysql and aborted clients
MySQL has now an hardcoded timeout of eight hours. Courier uses its authentication daemon with persistent attach to vpopmail/MySQL, it could be that during the night there are no requests, so MySQL connections are dropped (by MySQL).

Ciao, Tonino

At 09.36 04/10/2007, you wrote:

Hi, I'm running vpopmail-5.4.13 with courier-imap-4.0.2 and courier-authlib-0.55... have noticed that each morning for example after all the night without poping or imaping... the next time someone pop or imap in the morning I get no errors on mail client and everything works fine... but have noticed that 10 aborted clients appear... in show status in mysql... it is as this near 1 year now (since I set up that server) and everything works fine and there's any error and everything fine... but only those aborted clients each morning... why is this happening? I have asked sometime in courier mailing lists but they say me to ask at vpopmail mailing lists... and I know qmail and vpopmail both don't cause this aborteds because I have another machine in the same way configured (of course as the machine in which this is seeing) but without courier because it's only for mail scanning and have any aborted client... each machine has its own mysql server... and I'm totally sure this aborted happen when courier talks to vpopmail the first time after a inactivity period... is this normal¿? why happens this??

Have a nice day!

P.D. John (John Simpson) perhaps this could be a challenge for you :)
Re: [vchkpw] Chkuser (2.0.9): accepted any recipient for this domain why ?
Hi Michel, you have to check if bouncing is enabled for each domain (DOMAIN setting in CHKUSER_START variable). Check in each domain's .qmail-default or use qmailadmin and set bouncing on for the domain. See http://www.interazioni.it/opensource/chkuser/documentation/faq/enabling.html#D1 for more information.

Ciao, Tonino

At 11.15 02/10/2007, you wrote:

Hi all, this is my first message so any RTFM is welcome. I have installed netqmail 1.0.5 and chkuser 2.0.9 with

#define CHKUSER_STARTING_VARIABLE CHKUSER_START

but not with

#define CHKUSER_ALWAYS_ON

This is my /etc/tcp.smtp

127.:allow,RELAYCLIENT=,SIMSCAN_DEBUG=3,QMAILQUEUE=/var/qmail/bin/simscan,CHKUSER_START=DOMAIN
:allow,QMAILQUEUE=/var/qmail/bin/simscan,NOP0FCHECK='1',SIMSCAN_DEBUG='3',CHKUSER_START=DOMAIN

My problem is that chkuser does not check if the rcpt to is an existent user:

mail from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok

This is in the log:

@400047021726037c0954 CHKUSER accepted any rcpt: from [EMAIL PROTECTED]:: remote :x.x.x.x:y.y.y.y rcpt [EMAIL PROTECTED] : accepted any recipient for this domain

Why accept any rcpt ? this is my qmail-default of test.com domain:

| /opt/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Ah, this works:

# cd /root/netqmail-1.05/netqmail-1.05
# export CHKUSER_START=DOMAIN
# ./qmail-smtpd
220 mailmw.merlinwizard.com ESMTP
mail from: [EMAIL PROTECTED]
CHKUSER accepted sender: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt : sender accepted
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER rejected rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : not existing recipient
550 5.1.1 sorry, no mailbox here by that name (chkuser)

Any help is welcome.

M.

--
Michel 'ZioBudda' Morelli [EMAIL PROTECTED]
OpenSource systems consulting. Dynamic web application development (LAMP+Ajax)
Phone: +39-3939890025 -- Fax: +39-0291390660
http://www.ziobudda.net ICQ: 58351764
http://www.ziobuddalabs.it Skype: zio_budda
http://www.ajaxblog.it MSN: [EMAIL PROTECTED]
Re: [vchkpw] Chkuser (2.0.9): accepted any recipient for this domain why ?
Sorry, I did not read carefully your message. It looks like qmail-smtpd is not able to read .qmail-default (in fact when you run it directly, probably as root, it works fine). How do you run qmail-smtpd? Are you using the vpopmail user?

Tonino

At 11.35 02/10/2007, tonix (Antonio Nati) wrote:

Hi Michel, you have to check if bouncing is enabled for each domain (DOMAIN setting in CHKUSER_START variable). Check in each domain's .qmail-default or use qmailadmin and set bouncing on for the domain. See http://www.interazioni.it/opensource/chkuser/documentation/faq/enabling.html#D1 for more information.

Ciao, Tonino

At 11.15 02/10/2007, you wrote:

Hi all, this is my first message so any RTFM is welcome. I have installed netqmail 1.0.5 and chkuser 2.0.9 with

#define CHKUSER_STARTING_VARIABLE CHKUSER_START

but not with

#define CHKUSER_ALWAYS_ON

This is my /etc/tcp.smtp

127.:allow,RELAYCLIENT=,SIMSCAN_DEBUG=3,QMAILQUEUE=/var/qmail/bin/simscan,CHKUSER_START=DOMAIN
:allow,QMAILQUEUE=/var/qmail/bin/simscan,NOP0FCHECK='1',SIMSCAN_DEBUG='3',CHKUSER_START=DOMAIN

My problem is that chkuser does not check if the rcpt to is an existent user:

mail from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
250 ok

This is in the log:

@400047021726037c0954 CHKUSER accepted any rcpt: from [EMAIL PROTECTED]:: remote :x.x.x.x:y.y.y.y rcpt [EMAIL PROTECTED] : accepted any recipient for this domain

Why accept any rcpt ? this is my qmail-default of test.com domain:

| /opt/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Ah, this works:

# cd /root/netqmail-1.05/netqmail-1.05
# export CHKUSER_START=DOMAIN
# ./qmail-smtpd
220 mailmw.merlinwizard.com ESMTP
mail from: [EMAIL PROTECTED]
CHKUSER accepted sender: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt : sender accepted
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER rejected rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : not existing recipient
550 5.1.1 sorry, no mailbox here by that name (chkuser)

Any help is welcome.

M.

--
Michel 'ZioBudda' Morelli [EMAIL PROTECTED]
OpenSource systems consulting. Dynamic web application development (LAMP+Ajax)
Phone: +39-3939890025 -- Fax: +39-0291390660
http://www.ziobudda.net ICQ: 58351764
http://www.ziobuddalabs.it Skype: zio_budda
http://www.ajaxblog.it MSN: [EMAIL PROTECTED]
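The two checks Tonino suggests in this thread and in the "can't make chkuser 2.09 work" thread (does the domain's .qmail-default enable bouncing, and can the account qmail-smtpd runs as read it), as an added example that is not part of the original posts or of chkuser. The function names and the sample tree are hypothetical; only plain mode bits are evaluated, so ACLs are ignored.

```python
import os
import stat
import tempfile

BOUNCE_STRING = "bounce-no-mailbox"  # string seen in the .qmail-default quoted in the thread


def mode_allows(st, uid, gids, read=False, search=False):
    """Evaluate plain Unix mode bits for uid/gids (ACLs and capabilities ignored)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        r_bit, x_bit = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r_bit, x_bit = stat.S_IRGRP, stat.S_IXGRP
    else:
        r_bit, x_bit = stat.S_IROTH, stat.S_IXOTH
    if read and not st.st_mode & r_bit:
        return False
    if search and not st.st_mode & x_bit:
        return False
    return True


def readable_by(path, root, uid, gids):
    """True if uid can search every directory from root down to path and read path."""
    current = root
    dirs = [root]
    for part in os.path.relpath(os.path.dirname(path), root).split(os.sep):
        if part != os.curdir:
            current = os.path.join(current, part)
            dirs.append(current)
    if not all(mode_allows(os.stat(d), uid, gids, search=True) for d in dirs):
        return False
    return mode_allows(os.stat(path), uid, gids, read=True)


def audit_domains(domains_dir, uid, gids):
    """Map each directory holding a .qmail-default to 'bounce', 'no-bounce' or 'unreadable'.

    Run it as root or as the file owner so the walk itself can see every directory.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(domains_dir):
        if ".qmail-default" not in filenames:
            continue
        dotqmail = os.path.join(dirpath, ".qmail-default")
        key = os.path.relpath(dirpath, domains_dir)
        if not readable_by(dotqmail, domains_dir, uid, gids):
            report[key] = "unreadable"  # the smtpd account cannot see the bounce setting
            continue
        with open(dotqmail, "r", errors="replace") as handle:
            text = handle.read()
        report[key] = "bounce" if BOUNCE_STRING in text else "no-bounce"
    return report


def build_sample_tree(root):
    """Constructed sample data: three domains, one inside a '0' subdirectory."""
    bounce = "| /opt/vpopmail/bin/vdelivermail '' bounce-no-mailbox\n"
    catchall = "| /opt/vpopmail/bin/vdelivermail '' postmaster@catchall.example\n"
    samples = [
        ("ok.example", 0o755, 0o644, bounce),
        ("locked.example", 0o700, 0o600, bounce),
        (os.path.join("0", "catchall.example"), 0o755, 0o644, catchall),
    ]
    os.chmod(root, 0o755)
    for rel, dir_mode, file_mode, content in samples:
        domain_dir = os.path.join(root, rel)
        os.makedirs(domain_dir)
        dotqmail = os.path.join(domain_dir, ".qmail-default")
        with open(dotqmail, "w") as handle:
            handle.write(content)
        os.chmod(dotqmail, file_mode)
        os.chmod(domain_dir, dir_mode)
    os.chmod(os.path.join(root, "0"), 0o755)  # do not depend on the caller's umask


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # uid + 1 with no groups stands in for an smtpd account unrelated to the owner
        for label, uid, gids in (("owner", os.geteuid(), {os.getegid()}),
                                 ("unrelated uid", os.geteuid() + 1, set())):
            print(label, audit_domains(tmp, uid, gids))
```

On a real host, pass the numeric uid and group ids given to tcpserver with -u and -g and the vpopmail domains directory.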
Re: [vchkpw] Shared libvpopmail thoughts
At 19.48 25/09/2007, you wrote:

On Sep 25, 2007, at 10:06 AM, John Simpson wrote:

the idea of splitting the domains and mailboxes into different directories has been around forever, there's no excuse for somebody to not have made the adjustment by now.

I'm all for keeping it, but someone should fix it. On my server, with a cdb backend, I have the following structure:

main directory: 65 domains
0: 25 domains
1: 2 domains
2: 2 domains
3: 0 domains
4: 3 domains
5: 44 domains

Just for reference, here's the .dir-control file for that server:

116 0 3 0 0 0 61 61 61 0 2 2 5 0 0 5

I'd love to see vadddomain do a better job of back-filling domains. Maybe vadddomain and vdeldomain could work together to keep directories at a balanced level. Keep track of the next directory to fill in a file (which needs to be protected by a file lock). The .dir-control file is supposed to work that way. On vdeldomain, if the domain came out of a directory less than the next_directory, update next_directory. On vadddomain, if next_directory has 100 domains after the addition, scan forward until you find a directory with 100 domains and update next_directory. It should be possible to make the code generalized enough to work for the domains directory and the individual domain directories (for managing users via vuseradd and vuserdel).

Would it not be easier to add a hash logic and create paths following that hash logic?

Example: domain interazioni.it.

md5('interazioni.it') = 931d4b6acf6f23d224b7f57c76334286
Path --> /home/vpopmail/domains/in/te/93/1d/interazioni.it

Hash could be more or less long depending on site configuration. For sure this hashed path is a lot more balanced than actual.

Tonino

--
Tom Collins - [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
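The hashed layout proposed in this message, as an added sketch that is not vpopmail code. The function names, the choice to skip dots and hyphens when taking the name-derived levels, and the input validation are assumptions; the sample domains are constructed.

```python
import hashlib
import re
from collections import Counter

# Lower-case host name labels only: no '/', no empty label, so no '..' component.
_DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

# Constructed sample: 2000 domains that all share the same first two letters.
SAMPLE_DOMAINS = ["mail%d.example" % i for i in range(2000)]


def hashed_domain_path(domain, base="/home/vpopmail/domains",
                       name_levels=2, hash_levels=2):
    """Build base/<name chunks>/<md5 chunks>/<domain>, two characters per level."""
    name = domain.strip().lower()
    if len(name) > 253 or not _DOMAIN_RE.fullmatch(name):
        # The domain becomes a path component, so anything unexpected is refused.
        raise ValueError("refusing to build a path from %r" % domain)
    # MD5 only spreads directories here; it is not protecting anything.
    digest = hashlib.md5(name.encode("ascii")).hexdigest()
    flat = name.replace(".", "").replace("-", "")  # assumption: punctuation skipped
    name_parts = [flat[2 * i:2 * i + 2] for i in range(name_levels)]
    hash_parts = [digest[2 * i:2 * i + 2] for i in range(hash_levels)]
    parts = [p for p in name_parts if p] + hash_parts + [name]
    return base.rstrip("/") + "/" + "/".join(parts)


def compare_layouts(domains):
    """Return (directories used, size of the fullest one) for one level of each kind."""
    by_name = Counter(hashed_domain_path(d, "", 1, 0).split("/")[1] for d in domains)
    by_hash = Counter(hashed_domain_path(d, "", 0, 1).split("/")[1] for d in domains)
    return {
        "name": (len(by_name), max(by_name.values())),
        "hash": (len(by_hash), max(by_hash.values())),
    }


if __name__ == "__main__":
    print(hashed_domain_path("interazioni.it"))
    # Name-derived levels follow the naming habits of the customers,
    # hash-derived levels spread the same domains over up to 256 directories.
    print(compare_layouts(SAMPLE_DOMAINS))
```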
Re: [vchkpw] [chkuser] - CHKUSER_SENDER_MX
At 13.14 24/04/2007, Otto Rodusek (AP-SGP) wrote:

Hi, I hope I have the correct mail list. I have CHKUSER_SENDER_MX enabled (uncommented) in my chkuser_settings.h. I would like to know if its possible to set this option on/off in the qmail-smtpd run script. For example is it possible to set different values (ie on/off or 0/1) for this variable - (see my example below)?? Or would I have to comment it out and re-make qmail?? Thanks for any help / advice in this area. Rgds. Otto

Once you compile, option is always the same. You cannot change it at run time. But you can use another define (CHKUSER_SENDER_NOCHECK_VARIABLE ) to set a variable which can disable sender checking for whatever you need. So you should uncomment both CHKUSER_SENDER_MX and CHKUSER_SENDER_NOCHECK_VARIABLE, then define the variable ENDER_NOCHECK when you need to exclude sender checking.

Tonino

Rodusek.

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
CHKUSER_SENDER_MX=on
exec /usr/local/bin/softlimit -m 999 \
  /usr/local/bin/tcpserver -v -H -R -l 0 \
  -x /home/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD \
  -u $QMAILDUID -g $NOFILESGID 0 smtp \
  /var/qmail/bin/qmail-smtpd \
  /home/vpopmail/bin/vchkpw /bin/true 2>&1
Re: [vchkpw] [chkuser] - CHKUSER_SENDER_MX
At 13.48 24/04/2007, you wrote:

At 13.14 24/04/2007, Otto Rodusek (AP-SGP) wrote:

Hi, I hope I have the correct mail list. I have CHKUSER_SENDER_MX enabled (uncommented) in my chkuser_settings.h. I would like to know if its possible to set this option on/off in the qmail-smtpd run script. For example is it possible to set different values (ie on/off or 0/1) for this variable - (see my example below)?? Or would I have to comment it out and re-make qmail?? Thanks for any help / advice in this area. Rgds. Otto

Once you compile, option is always the same. You cannot change it at run time. But you can use another define (CHKUSER_SENDER_NOCHECK_VARIABLE ) to set a variable which can disable sender checking for whatever you need. So you should uncomment both CHKUSER_SENDER_MX and CHKUSER_SENDER_NOCHECK_VARIABLE, then define the variable ENDER_NOCHECK when you need to exclude sender checking.

Sorry: So you should uncomment both CHKUSER_SENDER_MX and CHKUSER_SENDER_NOCHECK_VARIABLE, recompile and reinstall qmail, then define the variable SENDER_NOCHECK when you need to exclude sender checking.

Tonino

Tonino

Rodusek.

#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
CHKUSER_SENDER_MX=on
exec /usr/local/bin/softlimit -m 999 \
  /usr/local/bin/tcpserver -v -H -R -l 0 \
  -x /home/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD \
  -u $QMAILDUID -g $NOFILESGID 0 smtp \
  /var/qmail/bin/qmail-smtpd \
  /home/vpopmail/bin/vchkpw /bin/true 2>&1
Re: [vchkpw] chkuser wrongly accept emails for default@
This is not a chkuser problem, as chkuser simply uses qmail philosophy, checking for aliases in the qmail way. Anyway, I'm planning to add an option excluding any acceptance for default user (I'm thinking this since two years, but I've forgot to do until now) . This has nothing to do with the bounce string. I don't see any reason to check for the content of alias, looking for a bouncing string. Apart .qmail-default, I don't see a reason why a .qmail-ALIAS should contain a bouncing string. Instead, we should find a standard notation to identify a custom reject string for a single user. Something that can be put inside .qmail-ALIAS or inside user's .qmail-default. If such a notation is identified, rcpt is rejected with this message. Ciao, Tonino At 20.43 17/04/2007, Stephane Bouvard (ML) wrote: Hi, With chkuser 2.0.8 (not yet updated to 2.0.9, sorry :)), someone reported me that chkuser wrongly accept emails adressed to [EMAIL PROTECTED] , as there is a .qmail-default alias file, even if this file specify bounce-no-mailbox... The same problem occur for any alias defined (why ?) with bounce-no-mailbox... Here's a little fix to verify if the alias is not bounce-no-mailbox... --- chkuser.c Tue Apr 17 20:11:24 2007 +++ chkuser.c Tue Apr 17 20:31:24 2007 
@@ -756,12 +756,20 @@ static int realrcpt (stralloc *sender, s if (!stralloc_cats (alias_path, tmp_path.s)) DIE_NOMEM(); if (!stralloc_0 (alias_path)) DIE_NOMEM(); - fd_file = open_read (alias_path.s); - if (fd_file != -1) { - close (fd_file); - retstat = CHKUSER_OK; - break; - } +fd_file = open_read (alias_path.s); +read_char = 0; +if (fd_file != -1) { +read_char = read (fd_file, read_buf, sizeof(read_buf) - 1); +close (fd_file); +if (read_char 0) read_char = 0; +} +read_buf[read_char] = 0; + +if ( strstr(read_buf, CHKUSER_BOUNCE_STRING) == NULL ) { +retstat = CHKUSER_OK; +break; +} + #endif case 9: -- Bien à toi... _ (_' L'informatique est ma passion, vous la simplifier, mon métier ! ,_)téphane Bouvard [antarex AT freenet DOT be] http://www.antarex.be
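Review bot: In the added block, acceptance no longer depends on the alias file existing. When open_read() returns -1 the buffer is left as an empty string, strstr(read_buf, CHKUSER_BOUNCE_STRING) returns NULL, and retstat = CHKUSER_OK is set, whereas the removed code set CHKUSER_OK only inside "if (fd_file != -1)". The strstr test and the assignment should move inside the fd_file != -1 branch so a missing alias file is still not accepted. The single read() of at most sizeof(read_buf) - 1 bytes also sees only the start of the file, so a bounce line beyond that point is missed; either loop to end of file or state the limit in a comment. read_buf and read_char are used here but their declarations are not part of this hunk, and the line "if (read_char 0) read_char = 0;" has lost its comparison operator in this copy, so it should be checked against the original attachment before applying.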
Re: [vchkpw] Re: chkuser wrongly accept emails for default@
At 10.26 18/04/2007, Stephane Bouvard (ML) wrote:

> Hi,
>
> On Wednesday 18 April 2007 at about 9:33, tonix (Antonio Nati) wrote:
>
>> I don't see any reason to check for the content of alias, looking for a bouncing string. Apart .qmail-default, I don't see a reason why a .qmail-ALIAS should contain a bouncing string.
>
> There is for me a reason: when using a catch-all if you want to disable some specific address... I know that actually if the .qmail-default specifies a catch-all, chkuser does not look further and accepts the mail, but it should be easy in that case to still verify if the specific user is not configured to bounce...

Internal logic should be changed. I have to change/extend it for other reasons, I will look for this also in case.

> Anyway, for me, if a .qmail-xyz specifies bounce-no-mailbox for any reason, I do not see why chkuser should accept the mail and let qmail bounce it as it's easy to avoid... it's an open gate for spammers.

Let's try to distinguish problems.

.qmail-default has an architectural reason to exist, as qmail architecture delivers to .qmail-default all emails for not existing users. Inside .qmail-default there is the logic for rejecting/deleting/storing all those messages.

We simply know default is a fake alias, that must exist but has nothing to do with whatever other alias you may create.

It would be good if chkuser added an option to reject default rcpt, as it is a fake rcpt. This will close a qmail hole.

Different matter is to handle in a more extended way users/aliases, despite of bounce/delete/catchall. Additional checking could be done (I'm thinking about quota checking) even if catchall/delete is specified.

I suggest also to introduce a new notation for rejecting users/aliases with a custom message (i.e.: reject user has changed address. Write to [EMAIL PROTECTED]). This would be a lot more useful than barely put a generic bounce string.

This additional checking should be done on aliases AND on .qmail-default inside each user's directory.

Not to mention some parts should be rewritten in local delivery, as it does not use SMTP.

Ciao, Tonino

> --
> Kind regards...
> Computing is my passion; simplifying it for you is my job!
> Stéphane Bouvard [antarex AT freenet DOT be] http://www.antarex.be
Re: [vchkpw] Re: chkuser wrongly accept emails for default@
At 17.34 18/04/2007, you wrote:

> On Apr 18, 2007, at 2:31 AM, tonix (Antonio Nati) wrote:
>
>> I suggest also to introduce a new notation for rejecting users/aliases with a custom message (i.e.: reject user has changed address. Write to [EMAIL PROTECTED]). This would be a lot more useful than barely put a generic bounce string.
>
> Until that's a part of chkuser, Stephane (and others) can use qmail's bouncesaying program in their .qmail-alias files.
>
> # cat .qmail-someaddress
> |/var/qmail/bin/bouncesaying 'user has changed address. Write to [EMAIL PROTECTED]'

So I should add in chkuser a check about a program called bouncesaying, both as alias .qmail-ALIAS or qmail-default within user's directory, just to complete this check?

Which characters are used to contain the string: ' or " or any character?

Tonino
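The quoting question in the message above comes down to shell syntax, because qmail-local hands a .qmail program line to sh, so the message may be single-quoted, double-quoted or a bare word. The following C code is an added example, not chkuser code and not from any poster in this thread: it scans the text of a .qmail file for a program line that runs bouncesaying and extracts the message argument. The function names, the return codes and the sample file contents (including the example.org address) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Copy one shell word from [*pp, end) into out. Handles '...' and "..."
 * quoting plus backslash escapes (any character outside quotes; only
 * " \ $ ` inside double quotes). Returns 0 on success, -1 on an empty
 * word, an unterminated quote or a too-small buffer. Advances *pp.
 */
static int shell_word(const char **pp, const char *end, char *out, size_t outlen)
{
    const char *p = *pp;
    size_t n = 0;
    char quote = 0;                       /* 0, '\'' or '"' */

    while (p < end && (*p == ' ' || *p == '\t')) p++;
    if (p == end || outlen == 0) return -1;
    while (p < end) {
        char c = *p;
        if (quote == 0 && (c == ' ' || c == '\t')) break;
        if (quote == 0 && (c == '\'' || c == '"')) { quote = c; p++; continue; }
        if (quote != 0 && c == quote) { quote = 0; p++; continue; }
        if (c == '\\' && quote != '\'' && p + 1 < end) {
            char next = p[1];
            if (quote == 0 || (next != '\0' && strchr("\"\\$`", next))) {
                p++;
                c = next;
            }
        }
        if (n + 1 >= outlen) return -1;   /* keep room for the terminator */
        out[n++] = c;
        p++;
    }
    if (quote != 0) return -1;            /* unterminated quote */
    out[n] = '\0';
    *pp = p;
    return 0;
}

/*
 * Look for the first program line ("|command ...") whose command is
 * bouncesaying. Only the simple-command form is recognised; lines that
 * use shell operators (;, &&, pipes) are not interpreted.
 * Returns:
 *   1  unconditional bounce, msg holds the error text
 *   2  bouncesaying is followed by a program, so the bounce is
 *      conditional on that program's exit code; msg holds the text
 *   0  no bouncesaying line found
 *  -1  a bouncesaying line exists but its message cannot be parsed
 */
int dotqmail_bouncesaying(const char *text, char *msg, size_t msglen)
{
    const char *line = text;

    while (*line) {
        const char *end = strchr(line, '\n');
        if (!end) end = line + strlen(line);
        if (*line == '|') {
            const char *p = line + 1;
            char cmd[256];
            if (shell_word(&p, end, cmd, sizeof cmd) == 0) {
                const char *base = strrchr(cmd, '/');
                base = base ? base + 1 : cmd;
                if (strcmp(base, "bouncesaying") == 0) {
                    if (shell_word(&p, end, msg, msglen) != 0) return -1;
                    while (p < end && (*p == ' ' || *p == '\t')) p++;
                    return p < end ? 2 : 1;
                }
            }
        }
        line = (*end == '\n') ? end + 1 : end;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample .qmail contents; the address is a placeholder. */
    const char *sample =
        "# constructed sample\n"
        "|/var/qmail/bin/bouncesaying 'user has changed address. Write to new@example.org'\n";
    char msg[256];
    int rc = dotqmail_bouncesaying(sample, msg, sizeof msg);

    printf("rc=%d msg=%s\n", rc, rc > 0 ? msg : "(none)");
    return 0;
}
```

A caller doing the check at SMTP time would treat only return code 1 as a definite rejection, since the conditional form (code 2) depends on running the named program against the message.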
[vchkpw] chkuser version 2.0.9 released
Version 2.0.9 of chkuser has been released (see http://www.interazioni.it/opensource/chkuser/download/).

Short table of changes (more detailed changes in http://www.interazioni.it/opensource/chkuser/download/changelog.html):

* corrected some bugs on MySQL checking (problem was only with some particular configurations)
* improved logging: now more situations are logged
* improved SMTP response code: this should allow Outlook/Eudora to understand codes for rejected recipients.
* added a must auth feature: can be used for submission port (see RFC 2476)
* changed ezmlm detection: should work with latest ezmlm
* added other define/variables.

This version has been working on my systems for eight/nine months, but I never had time to update the documentation until this week.

Please check carefully because some defines have changed since 2.0.8; I have tested as much as I can, but not everything for sure!

Tonino
Re: [vchkpw] chkuser version 2.0.9 released
Remo,

you are right, but it is not there because it is not needed. You only have to copy the new files over the old ones (after backing them up) and recheck the settings in chkuser_settings.h.

Anyway, I am updating the documentation now.

Bye (and thanks),

Tonino

At 17.58 21/03/2007, you wrote:

> Tonino, in the upgrade version I do not see the .patch file...
>
> Let me know, since the documentation says to use patch ../patch-net/*.patch
>
> Bye
>
> tonix (Antonio Nati) wrote:
>
>> Version 2.0.9 of chkuser has been released (see http://www.interazioni.it/opensource/chkuser/download/).
>>
>> Short table of changes (more detailed changes in http://www.interazioni.it/opensource/chkuser/download/changelog.html):
>>
>> * corrected some bugs on MySQL checking (problem was only with some particular configurations)
>> * improved logging: now more situations are logged
>> * improved SMTP response code: this should allow Outlook/Eudora to understand codes for rejected recipients.
>> * added a must auth feature: can be used for submission port (see RFC 2476)
>> * changed ezmlm detection: should work with latest ezmlm
>> * added other define/variables.
>>
>> This version has been working on my systems for eight/nine months, but I never had time to update the documentation until this week.
>>
>> Please check carefully because some defines have changed since 2.0.8; I have tested as much as I can, but not everything for sure!
>>
>> Tonino
Re: [vchkpw] chkuser on relay server , part II
At 15.52 15/01/2007, you wrote: Hello All especially tonix ;) , well, I see discussion running here ;) but I want move little forward. just my2 cent: qmail is good example of proof of concept which make its own way. Bad luck is that DJB is not working on it, so this nifty features will be slowly lost as more and more patches will come, which is main point of all complaints. Its is nice that we have all the patches, but most of them are incompatible or hard to implement into others so until someone really Im mean really need them (so spending days on them), it will switch to something else, which is not good as qmail, but these days is almost everything good as qmail. If there is no progress,blind by own feeling how it is perfect , no matter that it is best of the best it will become soon or later overcome by others. Remember OS/2 or BeOS ? ;) As qmail server is used as front-relay , there is problem with chkuser to check real rcpt. from discussion I see few aproaches how it can be done: - copy/mount vpopmail (not all files, just needed) to relay server and delete from virtualdomains - well, kinda ugly but working ;) problem is that If I have some offices behind firewall and even on exchange, I cant go this way - using of validrcptto patch - nice, but problem implement into rest of patches (bill shupp/big ISP...), when I use it, im loosing chkuser features ;) and others - so after spending weekend over google ;) I want kindly ask TONIX if he is willing to add smal feature into chkuser 2.0.8, I have idea something like CHECK_EXTERNAL_FILE = 0/1 EXTERNAL_FILE = /bla/bla/list.txt (or even cdb) Let me publish 2.0.9, then I will make you a surprise with 2.0.10! 
;) Ciao, Tonino in this case is much easier make list of mailboxes , for example script from David Duserre from fehcom.de can make list of all even aliases and ezmlm lists it will be really helpfull to have something like this, and as I saw code for validrcptto it should be not so much coding ;) thank you very much even if you will not do it ;) Miki (Peter Mikeska)
Re: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on dmz
At 14.14 15/01/2007, you wrote: People has not the courage to say that Bernstein design and coding is horrible. ??? QMAIL was a secure product and a good academic programming model, ten years ago. Now, a modern MTA facing millions of emails has completely different problems from the ones Bernstein faced. But he made a closed architecture, not a modular one, adding a no-sense license. Hmm...qmail is STILL a secure and a good programming model. I don't see how it has become unsecure. I said it was because at that time it was the unique one to be so safe. Now that other products give good security, the lack of features outperforms the need of security. Anyway, programming model is horrible, despite of other considerations. Perhaps you can enlighten us on that. As for programming model, I don't see a problem. The only problem I see is the lack of certain capabilities and qmail's current architecture. Actually, not a problem with the design of the architecture but the state of it. postfix uses the same architecture with certain improvements like persistent daemons in the manner of httpd and a more advanced queue manager. If postfix had dot-qmail support, it would become rather complete. You call that same architecture? QMAIL has a lot of problems; the mail world has changed but QMAIL is designed to be impossible to change because of the presunction of Bernstein of being a perfect designer. qmail does not have a lot of problems. Quite bug free and secure :D. DJB is a perfect designer. The fact that Wietse uses the same basic design speaks for itself. We are only complaining that he has stopped and not continued. If the architecture cannot grow, designer wasn't that good. QMAIL is no more mantained because Bernstein is prisoner of his wrong architecture. He cannot improve it, because he should change all the architecture, and none would follow him today on the same licensing scheme. I am sorry but I really doubt you can do any better. 
Do you plan to show us by writing your own MTA? I've not fear of that. I'll have spare time (I have to work, I'm not that rich) I will do. ROTFL. When you manage a software project that has as clean a record as qmail with respects to bugs, come back and let us know. Are you speaking of Open Source or professional projects? I can tell you about projects I worked on: transactional systems, telex switching systems, and so on. Millions/hundreds thousand lines of code, zero final bug (and very few during development) because of a very good design of systems. Bug free does not mean anything, when software is hard to change and makes easy to add new errors. And difficult code does not mean good code, as in this case. Not even postfix can claim anything near qmail's record. Postfix takes the risk to grow, while qmail is perfect (according to you) and dead. Regards, Tonino Just my 1 eurocent. Soon I will have my 1 plastic HK Dollar.
Re: [vchkpw] chkuser on relay server , part II
Miki, At 15.52 15/01/2007, you wrote: Hello All especially tonix ;) , well, I see discussion running here ;) but I want move little forward. just my2 cent: qmail is good example of proof of concept which make its own way. Bad luck is that DJB is not working on it, so this nifty features will be slowly lost as more and more patches will come, which is main point of all complaints. Its is nice that we have all the patches, but most of them are incompatible or hard to implement into others so until someone really Im mean really need them (so spending days on them), it will switch to something else, which is not good as qmail, but these days is almost everything good as qmail. If there is no progress,blind by own feeling how it is perfect , no matter that it is best of the best it will become soon or later overcome by others. Remember OS/2 or BeOS ? ;) As qmail server is used as front-relay , there is problem with chkuser to check real rcpt. from discussion I see few aproaches how it can be done: - copy/mount vpopmail (not all files, just needed) to relay server and delete from virtualdomains - well, kinda ugly but working ;) problem is that If I have some offices behind firewall and even on exchange, I cant go this way - using of validrcptto patch - nice, but problem implement into rest of patches (bill shupp/big ISP...), when I use it, im loosing chkuser features ;) and others - so after spending weekend over google ;) I want kindly ask TONIX if he is willing to add smal feature into chkuser 2.0.8, I have idea something like CHECK_EXTERNAL_FILE = 0/1 EXTERNAL_FILE = /bla/bla/list.txt (or even cdb) in this case is much easier make list of mailboxes , for example script from David Duserre from fehcom.de can make list of all even aliases and ezmlm lists it will be really helpfull to have something like this, and as I saw code for validrcptto it should be not so much coding ;) thank you very much even if you will not do it ;) I'm thinking a lot how solve this problem 
(one year ago I was near to start with a client/server chkuser, but I was not totally convincted). I now approaching to a solution that could be more easy than expected (and you suggestion could be another good one to add). But together with this feature I have a lot of other features to add, and I feel a lot within qmail must be rewritten in order to have those features working. I will evaluate a way to move to a really free Open Source qmail clone, more easy to update and be added of new features. If I will not see a feasible way, I'll continue with standard patching. Ciao, Tonino Miki (Peter Mikeska)
[vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on dmz
I'm thinking to extend chkuser, and add an smtp fake delivery for checking recipients' existence on end systems (i.e. when domains are external and use me as proxy SMTP).

But I'm really tired to fight with qmail. Bernstein programming is academic and heavy to use, license is criminal. Programming with patches over patches is painful. There is no fun to put new features on this old and overestimated product. You have to run several chained programs just to make an SMTP acceptance...

I feel it is time to migrate to another product, or is there anyone available to start a new project, that should rewrite qmail little by little, and free all of us from this criminal license?

Project should start with a programmed way to add new features and patches, then making a decent configure, then starting to write new libraries and then substituting the old code, until we have a free mail system. Of course vpopmail would be a library integrated in this new product.

I have thrown the first stone.

Tonino

At 00.25 11/01/2007, you wrote:

> Hello all,
>
> I have this setup: mail coming to relay server located in DMZ, and this server is relaying x domains to internal LAN mail server. I'm receiving a lot of unwanted mails for nonexistent addresses. How can I handle it? Chkuser is working fine when the domains are on the server, but how can I check user existence on a remote server?
>
> FYI: rsync of passwd.cdb is ok, but how to check against aliases?
>
> Please, I need some pointing where to look at, if it is possible to do it with chkuser or another way (qmail-ldap).
>
> Thank you
> Peter M.
Re: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on dmz
At 18.16 11/01/2007, you wrote:

> Look at QMAIL-SPP ( http://qmail-spp.sourceforge.net/ ). It provides a plugin for vpopmail and gets away from this patching situation. The idea is great, the implementation is good. A mix of this and the existing patches you may have is probably the best way to go.

QMAIL-SPP is an old style answer to an old style problem.

People do not have the courage to say that Bernstein design and coding is horrible.

QMAIL was a secure product and a good academic programming model, ten years ago. Now, a modern MTA facing millions of emails has completely different problems from the ones Bernstein faced. But he made a closed architecture, not a modular one, adding a no-sense license.

QMAIL-SPP has the same problems of qmail, and from my point of view it uses a terrible approach speaking about performances and impossible sophistication of wanted features.

> In the end, you make a perl script or something on the RCPT command that:
>
> a. matches a line with the domain of the RCPT command in the smtproutes file (making sure it has access to read it)
> b. if it exists, then opens a socket connection and begins connecting
> c. returns an accept, reject, or defer based on the output of the program- also possibly adds headers accordingly.
>
> The plugin infrastructure is really key. It's not as fast due to performance hits of launching these plugins, but it still makes it faster than many applications.

Plugin is slow, and does not let do anything important, just side checks. The core is untouched, and here the problem is the core.

> It makes adding plugins as easy as adding a line to the text file. Think about even just a sleep() command in a shell file could be easily implemented.
>
> qmail has been around for a long time and hence has series of feature additions upon feature additions. But remember, these patches aren't fixing problems with qmail. There are very few actual PROBLEMS with qmail, and they're relatively minor and things that softlimit and equivalent fix.

QMAIL has a lot of problems; the mail world has changed but QMAIL is designed to be impossible to change because of the presumption of Bernstein of being a perfect designer.

> People add patches because they want features. Because there is no active development by the creator these have to be added themselves.

QMAIL is no longer maintained because Bernstein is prisoner of his wrong architecture. He cannot improve it, because he should change all the architecture, and none would follow him today on the same licensing scheme.

> You add the features you want in your qmail installation. Others have differing opinions as to what should be added. If you want to manipulate simple perl/shell/C scripts to SMTP conversations, install qmail-spp.
>
> Qmail doesn't have a need to change. It's still doing the task it was intended to very well. If another product suits your needs better, by all means go to it, but that doesn't mean qmail is bad. Also, patches allow you to add those features that others have wanted. In the old days, you had to program them yourself :)

Qmail is only an academic example of programming, that in real life should never be used by expert programmers.

Just my 1 eurocent.

Tonino

> -M
>
> - Original Message
> From: tonix (Antonio Nati) [EMAIL PROTECTED]
> To: vchkpw@inter7.com
> Sent: Thursday, January 11, 2007 6:31:40 AM
> Subject: [vchkpw] Rethinking qmail : was Re: [vchkpw] how use chkuser on dmz
>
> I'm thinking to extend chkuser, and add an smtp fake delivery for checking recipients' existence on end systems (i.e. when domains are external and use me as proxy SMTP).
>
> But I'm really tired to fight with qmail. Bernstein programming is academic and heavy to use, license is criminal. Programming with patches over patches is painful. There is no fun to put new features on this old and overestimated product. You have to run several chained programs just to make an SMTP acceptance...
>
> I feel it is time to migrate to another product, or is there anyone available to start a new project, that should rewrite qmail little by little, and free all of us from this criminal license?
>
> Project should start with a programmed way to add new features and patches, then making a decent configure, then starting to write new libraries and then substituting the old code, until we have a free mail system. Of course vpopmail would be a library integrated in this new product.
>
> I have thrown the first stone.
>
> Tonino
>
> At 00.25 11/01/2007, you wrote:
>
>> Hello all,
>>
>> I have this setup: mail coming to relay server located in DMZ, and this server is relaying x domains to internal LAN mail server. I'm receiving a lot of unwanted mails for nonexistent addresses. How can I handle it? Chkuser is working fine when the domains are on the server, but how can I check user existence on a remote server?
>>
>> FYI: rsync of passwd.cdb is ok, but how to check against aliases?
>>
>> Please, I need some pointing where
Re: [vchkpw] ezmlm and chkuser - vpopmail 5.4.10
chkuser 2.0.9 will solve this problem, as the last version of ezmlm no longer has a file chkuser used for checking the list existence.

Enabling alias is another way to solve this problem.

Tonino

At 19.50 19/12/2006, you wrote:

> SOLVED:
>
> Per this thread (google cache): http://72.14.203.104/search?q=cache:MR4qfHVugXIJ:www.tnpi.biz/support/forums/index.php%3Ft%3Dmsg%26th%3D516%26start%3D0%26rid%3D0+chkuser+ezmlmhl=engl=usct=clnkcd=20
>
> in chkuser_settings.h
>
> /* #define CHKUSER_ENABLE_ALIAS_DEFAULT */
>
> to
>
> #define CHKUSER_ENABLE_ALIAS_DEFAULT
>
> and then re-run make setup check
>
> Sorry to bother the list.
>
> Dave Richardson wrote:
>
>> Having trouble getting my first ezmlm list to run on a newly built server with vpopmail 5.4.10 and CHKUSER 2.0.8b.
>>
>> CHKUSER was built using chkuser_settings.h with:
>> --
>> /*
>>  * The following #define set the character used for lists extensions
>>  * be careful: this is a single char '-' definition, not a string
>>  */
>> #define CHKUSER_EZMLM_DASH '-'
>>
>> /*
>>  * Enables checking for EZMLM lists
>>  * this define substitutes #define CHKUSER_ENABLE_LISTS
>>  *
>>  */
>> #define CHKUSER_ENABLE_EZMLM_LISTS
>> --
>>
>> vpopmail was built with:
>> --
>> ./configure \
>>     --enable-roaming-users \
>>     --enable-logging=p \
>>     --disable-passwd \
>>     --enable-clear-passwd \
>>     --disable-domain-quotas \
>>     --enable-auth-module=mysql \
>>     --enable-auth-logging \
>>     --enable-sql-logging \
>>     --enable-valias \
>>     --disable-users-big-dir \
>>     --disable-mysql-limits \
>>     --enable-tcprules-prog=/usr/local/bin/tcprules \
>>     --enable-tcpserver-file=/home/vpopmail/etc/tcp.smtp \
>>     --enable-relay-clear-minutes=180
>> --
>>
>> A message to the list directly with subject subscribe by an unsubscribed user receives a notice:
>>
>> ezmlm-reject: fatal: Sorry, I don't accept commands in the subject line. Please send a message to the -help address shown in the the ``Mailing-List:'' header for command info (#5.7.0)
>> --
>>
>> A message to the list-subscribe address (i.e. [EMAIL PROTECTED]) with subject subscribe returns
>>
>> [server] does not like recipient. Remote host said: 511 sorry, no mailbox here by that name (#5.1.1 - chkuser)
>> --
>>
>> So, I conclude that CHKUSER is rejecting an unknown user called list-subscribe even though I think I have correctly enabled ezmlm extension checking for CHKUSER.
>>
>> Advice would be most appreciated!
>>
>> Thanks, Dave.
Re: [vchkpw] [chkuser] Enable '' char in CHKUSER_ALLOW_RCPT_CHAR_
This is a known error. Because of a cut'n'paste error the check_rcpt_address_format() routine uses wrong constants.

Inside check_rcpt_address_format() change all CHKUSER_ALLOW_SENDER_CHAR_x to CHKUSER_ALLOW_RCPT_CHAR_x

Ciao, Tonino

At 12.43 05/12/2006, you wrote:

> Hello everybody,
>
> as in subject I would enable the '' in CHKUSER_ALLOW_RCPT_CHAR_ , I know it is possible because I'd read this http://wiki.qmailtoaster.com/index.php/QTP_Wish_List#chkuser_settings.h_changes
>
> I use the VM found at http://devel.qmailtoaster.com/info/QmailToaster.zip.html . To change the chkuser_settings.h I use the tip found at http://wiki.qmailtoaster.com/index.php/Chkuser , but when I change this
>
> --snip--
> #define CHKUSER_ALLOW_RCPT_CHAR_1 '$'
> /* #define CHKUSER_ALLOW_RCPT_CHAR_2 '%' */
> /* #define CHKUSER_ALLOW_RCPT_CHAR_3 '' */
> /* #define CHKUSER_ALLOW_RCPT_CHAR_4 '?' */
> #define CHKUSER_ALLOW_RCPT_CHAR_5 '*'
> --snip--
>
> with this
>
> --snip--
> #define CHKUSER_ALLOW_RCPT_CHAR_1 '$'
> #define CHKUSER_ALLOW_RCPT_CHAR_2 ''
> /* #define CHKUSER_ALLOW_RCPT_CHAR_3 '' */
> /* #define CHKUSER_ALLOW_RCPT_CHAR_4 '?' */
> #define CHKUSER_ALLOW_RCPT_CHAR_5 '*'
> --snip--
>
> or simply (only for test) with this:
>
> --snip--
> #define CHKUSER_ALLOW_RCPT_CHAR_1 '$'
> #define CHKUSER_ALLOW_RCPT_CHAR_2 '%'
> /* #define CHKUSER_ALLOW_RCPT_CHAR_3 '' */
> /* #define CHKUSER_ALLOW_RCPT_CHAR_4 '?' */
> #define CHKUSER_ALLOW_RCPT_CHAR_5 '*'
> --snip--
>
> the process fails with this error (full transcript in footer):
>
> --cut--
> ./compile qmail-smtpd.c
> In file included from qmail-smtpd.c:65:
> tls.h:11:1: warning: _exit redefined
> In file included from qmail-smtpd.c:42:
> chkuser.h:50:1: warning: this is the location of the previous definition
> qmail-smtpd.c: In function `main':
> qmail-smtpd.c:1343: warning: return type of 'main' is not `int'
> ./compile spf.c
> ./compile chkuser.c
> chkuser.c: In function `check_rcpt_address_format':
> chkuser.c:321: error: `CHKUSER_ALLOW_SENDER_CHAR_2' undeclared (first use in this function)
> chkuser.c:321: error: (Each undeclared identifier is reported only once
> chkuser.c:321: error: for each function it appears in.)
> make: *** [chkuser.o] Error 1
> --cut--
>
> Any idea?
>
> Thanks
> Davide
>
> full transcript of: 'rpmbuild -bb --with cnt40 qmail-toaster.spec '
Re: [vchkpw] domain quotas
At 03.15 29/10/2006, you wrote: On Oct 28, 2006, at 11:37 AM, Jeff Koch wrote: I remember reading on the list some time ago that domain quotas didn't work. Has this been fixed? If so, are there any doc's on how this works? Specifically when the domain quotas is reached who is notified? I don't think domain quotas worked in any 5.4.x release, and they still don't work. When (and if) they did work, they could put a heavy load on the server if it had lots of mailboxes with lots of emails. Besides heavy load, it was not compatible with other software using the same mailboxes. Tonino -- Tom Collins - [EMAIL PROTECTED] Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/ QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/
[vchkpw] OT: tcpserver and rblsmtpd clones
Sorry for the off topic. Does anyone know about good clones/substitutes of tcpserver and rblsmtpd? I'ld like they to have a more open licensing, so developing and deployment of new integrated features could be more easy. Thanks, Tonino
Re: [vchkpw] CHKUSER and smtpd-auth 0.57
At 22.54 03/10/2006, you wrote: Hi, I have installed Netqmail-1.05 / Vpopmail 5.4.17 and qmail-smtpd-auth-0.57(www.fehcom.de) Is it possible to install chkuser 2.0 with this configuration? Do I need to make some changes? Use Shupp's Toaster (www.shupp.org). It includes auth, tls, chkuser and much more. Tonino Thanks in advance, Andrés
Re: [vchkpw] Chkuser settings prevent delivery of mail to second domain within same LAN
At 17.09 21/09/2006, you wrote: Hi, I'm using qmailtoaster.com as both a mail server and a spam-filtering forwarder for two separate organizations. Mail comes in to the outside interface of the firewall and is port-forwarded to the qmail toaster (192.168.1.3). All traffic for domain1.com and it is hosted by the qmailtoaster. All traffic for domain2.com is passed directly to the SBS 2003 Exchange server sitting next to it (192.168.1.5). On the qmailtoaster, Domain2.com is only listed in rcpthosts and smtproutes I can send mail from Domain1.com to Domain2.com with no difficulty. However, When I try to send mail from Domain2.com to Domain1.com it will not go through (Exchange tries to send once every 24 hours for three days, after which it gives up and displays the error code below). One of the more knowledgeable guys on the qmailtoaster list suggested that it was probably a chkuser problem and to ask over here. Has anyone seen this before? Any suggestions? What you show us is too few. You should check in Exchange the reason why messages have been refused. It looks more a problem of DNS/navigation from Exchange server to qmailtoaster server, but I cannot say without knowing more. Ciao, Tonino Thanks, Ron Your message did not reach some or all of the intended recipients. Subject: test from phoenix administrator Sent: 9/18/2006 9:56 PM The following recipient(s) could not be reached: [EMAIL PROTECTED] on 9/20/2006 9:59 PM Could not deliver the message in the time limit specified. Please retry or contact your administrator. phoenixatl.com #4.4.7
RE: [vchkpw] Chkuser settings prevent delivery of mail to second domain within same LAN
At 18.06 21/09/2006, you wrote:
What you show us is too few. You should check in Exchange the reason why messages have been refused. It looks more a problem of DNS/navigation from Exchange server to qmailtoaster server, but I cannot say without knowing more.
Ciao, Tonino

Hi Tonino, I've got Exchange set to give me a higher level of logging for SMTP, but so far there is no mention. I'll check the DNS records for consistency. What information would be helpful?

First of all, do you see in qmailtoaster server logs (/var/log/maillog is the usual place) any attempt of delivery from Exchange server?

Tonino

Thanks
Ron
Re: [vchkpw] chkuser 2.0 problem
Please don't consider previous answer, I made a salad of variables mixed in a wrong way.

To disable sender checking for selected addresses:

#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK

:allow,QMAILQUEUE=/var/qmail/bin/simscan
63.245.25.60:allow,SENDER_NOCHECK=,QMAILQUEUE=/var/qmail/bin/simscan

In order to enable CHKUSER always for all domains, compile with

#define CHKUSER_ALWAYS_ON

Ciao, Tonino

At 16.04 05/09/2006, you wrote:
?, how do like this? Excuse me please, with old version of chkuser i never make enabling bouncing and chkuser work properly, it's my first installation with version 2 of chkuser, and have this problems. When enable bouncing?

tonix (Antonio Nati) wrote:
Did you enable bouncing for each domain?
Tonino

At 15.31 05/09/2006, you wrote:
Make all the changes, but qmail accept email for users that not exist yet, and my queue is full. Example with info of my logs file. I send a email to [EMAIL PROTECTED] but this address not exist, but my mail server accept the email chkuser say that rcpt [EMAIL PROTECTED] : found existing recipient and this is incorrect.

@400044fd7a27211765bc CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote bay0-omc1-s14.bay0.hotmail.com:unknown:65.54.246.86 rcpt [EMAIL PROTECTED] : found existing recipient
@400044fd7a282b337c84 simscan:[3085]:CLEAN (1.20/3.00):1.0218s:dfsafadsf:65.54.246.86:[EMAIL PROTECTED]:[EMAIL PROTECTED]

tonix (Antonio Nati) wrote:
At 22.13 04/09/2006, you wrote:
make this changes on my server uncomment this lines

#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK
#define CHKUSER_STARTING_VARIABLE CHKUSER_START

it's my tcp.smtp

:allow,QMAILQUEUE=/var/qmail/bin/simscan
63.245.25.60:allow,CHKUSER_SENDER_NOCHECK_VARIABLE=NONE,QMAILQUEUE=/var/qmail/bin/simscan

:allow,QMAILQUEUE=/var/qmail/bin/simscan,SENDER_NOCHECK=DOMAIN
63.245.25.60:allow,SENDER_NOCHECK=NONE,QMAILQUEUE=/var/qmail/bin/simscan

This is the correct definition, based on your example.
Tonino

Now, the chkuser not work properly, if send a mail to my server with a false email address in the log see the following

@400044fc880312a9c36c CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote bay0-omc3-s14.bay0.hotmail.com:unknown:65.54.246.214 rcpt [EMAIL PROTECTED] : found existing recipient

but the [EMAIL PROTECTED] email address not exist, why now checkuser not work?

tonix (Antonio Nati) wrote:
At 20.47 01/09/2006, you wrote:
Today setup a new mail server. I have 1 mail server with 2 domain, 1 domain to internet access and 1 domain only local user. the server is on my dmz the problem is when the sender is from internal domain the chkuser say the following

CHKUSER rejected sender: from [EMAIL PROTECTED]:[EMAIL PROTECTED]: remote ElisaLugo:unknown:publicipaddress rcpt : invalid sender MX domain

this user not send email to other domain, only can send mail to my external and internal domain. can disable this option for my internal domain? the option is CHKUSER_SENDERMX_STRING

Specifically about sender checking, may use *CHKUSER_SENDER_NOCHECK_VARIABLE* in http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html

You may set it to RELAYCLIENT, and it should automatically be excluded for clients coming from IP authorized to relay.

A general advice is to disable CHKUSER when connection comes from your LAN. Uncomment CHKUSER_STARTING_VARIABLE in chkuser_settings.h, and set the relative environment variable to NONE for connection from internal LAN, to DOMAIN for all others.

Tonino

How make disable this? Help please. Thank
Re: [vchkpw] chkuser 2.0 problem
At 16.51 05/09/2006, you wrote:
tonix the following information is for my tcp.smtp file?

#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK
:allow,QMAILQUEUE=/var/qmail/bin/simscan
63.245.25.60:allow,SENDER_NOCHECK=,QMAILQUEUE=/var/qmail/bin/simscan

and uncomment #define CHKUSER_ALWAYS_ON on chkuser_setting.h is this correct?

#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK

is within chkuser_settings.h. You must recompile.

:allow,QMAILQUEUE=/var/qmail/bin/simscan
63.245.25.60:allow,SENDER_NOCHECK=,QMAILQUEUE=/var/qmail/bin/simscan

is within your tcp.smtp.

About uncommenting #define CHKUSER_ALWAYS_ON in chkuser_setting.h, you must have clear (in old installation) if you have chkuser enabled for all or not.

Ciao, Tonino

tonix (Antonio Nati) wrote:
Please don't consider previous answer, I made a salad of variables mixed in a wrong way.

To disable sender checking for selected addresses:

#define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK

:allow,QMAILQUEUE=/var/qmail/bin/simscan
63.245.25.60:allow,SENDER_NOCHECK=,QMAILQUEUE=/var/qmail/bin/simscan

In order to enable CHKUSER always for all domains, compile with

#define CHKUSER_ALWAYS_ON

Ciao, Tonino

At 16.04 05/09/2006, you wrote:
?, how do like this? Excuse me please, with old version of chkuser i never make enabling bouncing and chkuser work properly, it's my first installation with version 2 of chkuser, and have this problems. When enable bouncing?

tonix (Antonio Nati) wrote:
Did you enable bouncing for each domain?
Tonino

At 15.31 05/09/2006, you wrote:
Make all the changes, but qmail accept email for users that not exist yet, and my queue is full. Example with info of my logs file. I send a email to [EMAIL PROTECTED] but this address not exist, but my mail server accept the email chkuser say that rcpt [EMAIL PROTECTED] : found existing recipient and this is incorrect.
@400044fd7a27211765bc CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote bay0-omc1-s14.bay0.hotmail.com:unknown:65.54.246.86 rcpt [EMAIL PROTECTED] : found existing recipient @400044fd7a282b337c84 simscan:[3085]:CLEAN (1.20/3.00):1.0218s:dfsafadsf:65.54.246.86:[EMAIL PROTECTED]:[EMAIL PROTECTED] tonix (Antonio Nati) wrote: At 22.13 04/09/2006, you wrote: make this changes on my server uncoment this lines #define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK #define CHKUSER_STARTING_VARIABLE CHKUSER_START it's my tcp.smtp :allow,QMAILQUEUE=/var/qmail/bin/simscan 63.245.25.60:allow,CHKUSER_SENDER_NOCHECK_VARIABLE=NONE,QMAILQUEUE=/var/qmail/bin/simscan :allow,QMAILQUEUE=/var/qmail/bin/simscan,SENDER_NOCHECK=DOMAIN 63.245.25.60:allow,SENDER_NOCHECK=NONE,QMAILQUEUE=/var/qmail/bin/simscan This is the correct definition, based on your example. Tonino Now, the chkuser not work property, if send a mail to my server with a false email address in the log see the following @400044fc880312a9c36c CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote bay0-omc3-s14.bay0.hotmail.com:unknown:65.54.246.214 rcpt [EMAIL PROTECTED] : found existing recipient but the [EMAIL PROTECTED] email addrees not exist, why now checkuser not work? tonix (Antonio Nati) wrote: At 20.47 01/09/2006, you wrote: Today setup a new mail server. I have 1 mail server with 2 domain, 1 domain to internet access and 1 domain only local user. the server is on my dmz the problem is when the sender is from internal domain the chkuser say the following CHKUSER rejected sender: from [EMAIL PROTECTED]:[EMAIL PROTECTED]: remote ElisaLugo:unknown:publicipaddress rcpt : invalid sender MX domain this user not send email to other domain, only can send mail to my external and internal domain. can disable this option for my internal domain? 
the option is CHKUSER_SENDERMX_STRING Specifically about sender checking, may use *CHKUSER_SENDER_NOCHECK_VARIABLE* in http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html You may set it to RELAYCLIENT, and it should automatically be excluded for clients coming from IP authorized to relay. A general advice is to disable CHKUSER when connection comes from your LAN. Uncomment CHKUSER_STARTING_VARIABLE in chkuser_settings.h, and set the relative environment variable to NONE for connection from internal LAN, to DOMAIN for all others. Tonino How make disable this? Help please. Thank
Re: [vchkpw] chkuser 2.0 problem
At 22.13 04/09/2006, you wrote: make this changes on my server uncoment this lines #define CHKUSER_SENDER_NOCHECK_VARIABLE SENDER_NOCHECK #define CHKUSER_STARTING_VARIABLE CHKUSER_START it's my tcp.smtp :allow,QMAILQUEUE=/var/qmail/bin/simscan 63.245.25.60:allow,CHKUSER_SENDER_NOCHECK_VARIABLE=NONE,QMAILQUEUE=/var/qmail/bin/simscan :allow,QMAILQUEUE=/var/qmail/bin/simscan,SENDER_NOCHECK=DOMAIN 63.245.25.60:allow,SENDER_NOCHECK=NONE,QMAILQUEUE=/var/qmail/bin/simscan This is the correct definition, based on your example. Tonino Now, the chkuser not work property, if send a mail to my server with a false email address in the log see the following @400044fc880312a9c36c CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote bay0-omc3-s14.bay0.hotmail.com:unknown:65.54.246.214 rcpt [EMAIL PROTECTED] : found existing recipient but the [EMAIL PROTECTED] email addrees not exist, why now checkuser not work? tonix (Antonio Nati) wrote: At 20.47 01/09/2006, you wrote: Today setup a new mail server. I have 1 mail server with 2 domain, 1 domain to internet access and 1 domain only local user. the server is on my dmz the problem is when the sender is from internal domain the chkuser say the following CHKUSER rejected sender: from [EMAIL PROTECTED]:[EMAIL PROTECTED]: remote ElisaLugo:unknown:publicipaddress rcpt : invalid sender MX domain this user not send email to other domain, only can send mail to my external and internal domain. can disable this option for my internal domain? the option is CHKUSER_SENDERMX_STRING Specifically about sender checking, may use *CHKUSER_SENDER_NOCHECK_VARIABLE* in http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html You may set it to RELAYCLIENT, and it should automatically be excluded for clients coming from IP authorized to relay. A general advice is to disable CHKUSER when connection comes from your LAN. 
Uncomment CHKUSER_STARTING_VARIABLE in chkuser_settings.h, and set the relative environment variable to NONE for connection from internal LAN, to DOMAIN for all others. Tonino How make disable this? Help please. Thank
Re: [vchkpw] vpopmail problem
At 10.56 03/09/2006, you wrote:
Hi all
Some help please
We are running a mail server at one of our clients and have picked up the following error when using squirrel mail.

Sep 3 10:44:41 mail imapd: LOGIN FAILED, [EMAIL PROTECTED], ip=[127.0.0.1]
Sep 3 10:44:41 mail authdaemond: vmysql: sql error[3]: MySQL server has gone away
Sep 3 10:44:46 mail imapd: LOGOUT, ip=[127.0.0.1], rcvd=52, sent=332

we are running the following
apache+mod_ssl-1.3.34+2.8.25_3
courier-authlib-base-0.58_2
courier-authlib-vchkpw-0.58_2
courier-imap-4.1.0,1 IMAP
qmail
freebsd 6.1

Last versions of MySQL now have a general timeout on the connection. You should patch vpopmail with the following patch, and recompile all (vpopmail, courier-authlib) in order to solve the problem. This patch should be also in latest vpopmail release (if I remember fine).

See following message and attached patch:

Date: Mon, 29 May 2006 10:05:09 -0400
From: Ron Gage [EMAIL PROTECTED]
To: vchkpw@inter7.com
User-Agent: Internet Messaging Program (IMP) H3 (4.0.3)
Subject: [vchkpw] [bug][patch] - vchkpw/vmysql and Mysql 5

Greetings:

I don't know if anyone in here is encountering this problem (yet), but it has been affecting me for the past few weeks - ever since I upgraded my MySQL server to 5.0.19. It took quite a bit of digging, but I believe I have found the problem.

To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see MySQL server has gone away errors in the maillog.

The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorant bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away.

The fix is to simply destroy the internal flags and file handles related to that socket, rebuild a new one, and try again. The included patch (inline and attached) implements this fix.

Please note that there doesn't appear to be any way at this time to disable the timeout feature in MySQL.

Please feel free to comment, tear apart, beat up, or otherwise rip to shreds my fix!

--
Ron Gage (LPIC1 MCP A+ Net+)
Westland, Michigan

--- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c2006-05-29 10:17:20.0 -0400 
@@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); -return(NULL); +/* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing +as a connection timeout regardless of activity. By default under MySQL 5, this +timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the +first 8 hours, then stops authenticating, this timeout is your problem (especially +under authdaemond). + +What this code does is when an error is encountered, it first tries to drop and +rebuild a connection to the SQL server and tries again. If this second attempt +fails, then something other than the connection timeout is the problem. This fix +need to be implemented in other places but in my setup (Slackware 10.2, netqmail, +vpopmail, courier-authdaemond, courier-imapd and a few others), this is always where +the auth attempt died with a SQL server has gone away error. +*/ + +fprintf(stderr, Attempting to rebuild connection to SQL server\n); +vclose(); +verrori = 0; +if ( (err=vauth_open_read()) != 0 ) { + verrori = err; + return(NULL); +} +if (mysql_query(mysql_read, SqlBufRead)) { + fprintf (stderr, vmysql: connection rebuild failed: %s\n, mysql_error(mysql_read)); + return(NULL); +} } if (!(res_read = mysql_store_result(mysql_read))) { --- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c2006-05-29 10:17:20.0 -0400 @@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); -return(NULL); +/* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing +as a connection timeout regardless of activity. By default under MySQL 5, this +timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the +first 8 hours, then stops authenticating, this timeout is your problem (especially +under authdaemond). +
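Review bot: In the branch taken when mysql_query(mysql_read,SqlBufRead) fails, the drop-and-rebuild runs for every kind of query failure, not only for a lost connection, so a malformed query or any other server-side error also goes through vclose() and vauth_open_read() and ends up logged as "connection rebuild failed". Test mysql_errno(mysql_read) for CR_SERVER_GONE_ERROR or CR_SERVER_LOST before rebuilding, and return NULL immediately for anything else. The added comment itself says the fix is needed in other places, so the retry belongs in one helper shared by every mysql_query() call site rather than inline here. The first failure is also still printed as "sql error[3]" before the retry, so a timeout that is recovered successfully will keep appearing in the maillog as an error; log it only if the second attempt fails, or mark it as a reconnect.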
Re: [vchkpw] chkuser 2.0 problem
At 20.47 01/09/2006, you wrote: Today setup a new mail server. I have 1 mail server with 2 domain, 1 domain to internet access and 1 domain only local user. the server is on my dmz the problem is when the sender is from internal domain the chkuser say the following CHKUSER rejected sender: from [EMAIL PROTECTED]:[EMAIL PROTECTED]: remote ElisaLugo:unknown:publicipaddress rcpt : invalid sender MX domain this user not send email to other domain, only can send mail to my external and internal domain. can disable this option for my internal domain? the option is CHKUSER_SENDERMX_STRING Specifically about sender checking, may use CHKUSER_SENDER_NOCHECK_VARIABLE in http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html You may set it to RELAYCLIENT, and it should automatically be excluded for clients coming from IP authorized to relay. A general advice is to disable CHKUSER when connection comes from your LAN. Uncomment CHKUSER_STARTING_VARIABLE in chkuser_settings.h, and set the relative environment variable to NONE for connection from internal LAN, to DOMAIN for all others. Tonino How make disable this? Help please. Thank
Re: [vchkpw] chkuser + localhost as sender MX
At 19.09 16/08/2006, you wrote:
On Wed, 16 Aug 2006 09:07:28 -0700 Tom Collins [EMAIL PROTECTED] wrote:

I've noticed some spam sending hosts, which use e.g. localhost/ 127.0.0.1 as their sender MX. When my mailserver tries to verify the sending account via bounce check (connecting to 127.0.0.1), the rcpt to: check is ok, because chkuser accepts unknown rcpt to's from localhost. Is there a setting to get rid of that?

Better would be a patch to qmail-smtpd that only accepted localhost and 127.0.0.1 as the HELO name on connections from 127.0.0.1. I don't know enough about chkuser to answer your original question.

This would be one possibility but in this case the mail is already in the local queue - what we try to prevent. I think an extended chkuser patch is the better way. While chkuser already checks for an existing MX-record it could easily test the received A-Record against 127.0.0.0/8, RFC1918 or in case of a fqdn is it resolvable at all.

If you send me more details on how check should be done, I could try to put it in 2.0.10 version of chkuser.

Ciao, Tonino

regards, Lars Uhlmann
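The A-record test proposed in the message above (127.0.0.0/8, RFC 1918, or not resolvable at all), written out as an added example; it is not chkuser code and not part of the thread. The function names, the verdict values and the reject-if-any-address-is-non-routable policy are assumptions, and the sample address lists are constructed.

```c
/* Added example, not chkuser code: decide whether the A records obtained for
 * a sender's MX host point somewhere a bounce check may safely connect to. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum addr_class { ADDR_PUBLIC, ADDR_LOOPBACK, ADDR_RFC1918, ADDR_INVALID };
enum mx_verdict { MX_ACCEPT, MX_REJECT_UNRESOLVABLE, MX_REJECT_NONROUTABLE };

struct net_block { uint32_t net, mask; enum addr_class cls; };

/* Networks named in the thread, in host byte order. */
static const struct net_block blocks[] = {
    { 0x7F000000u, 0xFF000000u, ADDR_LOOPBACK }, /* 127.0.0.0/8    */
    { 0x0A000000u, 0xFF000000u, ADDR_RFC1918  }, /* 10.0.0.0/8     */
    { 0xAC100000u, 0xFFF00000u, ADDR_RFC1918  }, /* 172.16.0.0/12  */
    { 0xC0A80000u, 0xFFFF0000u, ADDR_RFC1918  }, /* 192.168.0.0/16 */
};

/* Classify one dotted-quad string; anything inet_pton() refuses
 * (a host name, a short form such as "127.1") is ADDR_INVALID. */
enum addr_class classify_addr(const char *dotted)
{
    struct in_addr a;
    uint32_t ip;
    size_t i;

    if (dotted == NULL || inet_pton(AF_INET, dotted, &a) != 1)
        return ADDR_INVALID;
    ip = ntohl(a.s_addr);
    for (i = 0; i < sizeof blocks / sizeof blocks[0]; i++)
        if ((ip & blocks[i].mask) == blocks[i].net)
            return blocks[i].cls;
    return ADDR_PUBLIC;
}

/* Assumed policy: no A record at all means "not resolvable"; a single
 * loopback, private or malformed record is enough to refuse the sender,
 * because the verifier could be steered to that address. */
enum mx_verdict check_sender_mx(const char *const *a_records, size_t count)
{
    size_t i;

    if (a_records == NULL || count == 0)
        return MX_REJECT_UNRESOLVABLE;
    for (i = 0; i < count; i++)
        if (classify_addr(a_records[i]) != ADDR_PUBLIC)
            return MX_REJECT_NONROUTABLE;
    return MX_ACCEPT;
}

/* Constructed sample resolver results (addresses reused from the page). */
static const char *const mx_localhost[] = { "127.0.0.1" };
static const char *const mx_mixed[]     = { "65.54.246.86", "192.168.1.5" };
static const char *const mx_public[]    = { "65.54.246.86" };

static const char *verdict_name(enum mx_verdict v)
{
    switch (v) {
    case MX_ACCEPT:              return "accept";
    case MX_REJECT_UNRESOLVABLE: return "reject: sender MX not resolvable";
    default:                     return "reject: sender MX not routable";
    }
}

int main(void)
{
    printf("localhost MX : %s\n", verdict_name(check_sender_mx(mx_localhost, 1)));
    printf("mixed MX     : %s\n", verdict_name(check_sender_mx(mx_mixed, 2)));
    printf("public MX    : %s\n", verdict_name(check_sender_mx(mx_public, 1)));
    printf("no A records : %s\n", verdict_name(check_sender_mx(NULL, 0)));
    return 0;
}
```

The resolver lookup itself is left out so the block runs offline; in a real SMTP daemon the address list would come from the A lookup on the MX target.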
Re: [vchkpw] vchkpw/vmysql and Mysql 5 with courier -authlib
At 23.15 12/07/2006, you wrote:
tonix (Antonio Nati) wrote:
At 18.24 12/07/2006, you wrote:
The vpopmail module to authdaemon might be missing the vpopmail vclose() function.

At a first look, you are right. Following is the code related to closing connection.

static void authvchkpwclose() { }

It lacks any code relative to vpopmail vclose. But in my logs I don't have any reconnect trace, so I suppose authdaemon is always using the same connection (and I see it is growing anyway). The memory abuse must be elsewhere.

Is anyone using authdaemon mysql authentication and having the same problems?

Hi, I'm using authdaemon mysql but I'm not seeing that problem.

Are you using mysql module instead of authvchkpw? Is the configuration easy as it looks or did you make anything special/tricky on it?

Ciao, Tonino

Regards, Rick
[vchkpw] vchkpw/vmysql and Mysql 5 with courier -authlib
I don't know if this is a limit of this useful patch (I don't think so), or more likely of the vpopmail library (I feel could be), or yet of courier authdaemon, but after more than ten days of successful running, I've got this error:

Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes)
Jul 11 16:24:33 myserver authdaemond: vmysql: sql error[3]:
Jul 11 16:24:33 myserver authdaemond: Attempting to rebuild connection to SQL server
Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes)
Jul 11 16:24:33 myserver authdaemond: vmysql: connection rebuild failed:

So, I'm adding an authdaemon restart each morning (early) to solve the problem.

Note: after stopping and restarting courier authdaemon, 1200 MB of system memory have been released (here I have 4GB of system memory).

I feel like vpopmail calls just alloc() memory and never release it, as they have been probably designed for one shot program. When they are used within a permanent service, calling them dozen thousands times, they waste memory and cause problems.

Anyone else is watching his courier authdaemon growing?

Tonino

At 21.20 29/06/2006, you wrote:
This patch is in the upcoming 5.4.17 release.
-Tom

On May 29, 2006, at 7:05 AM, Ron Gage wrote:
Greetings:

I don't know if anyone in here is encountering this problem (yet), but it has been affecting me for the past few weeks - ever since I upgraded my MySQL server to 5.0.19. It took quite a bit of digging, but I believe I have found the problem.

To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see MySQL server has gone away errors in the maillog.
The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorate bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away. The fix is to simply destroy the internal flags and file handles related to that socket, rebuild a new one, and try again. The included patch (inline and attached) implements this fix. Please note that there doesn't appear to be any way at this time to disable the timeout feature in MySQL. Please feel free to comment, tear apart, beat up, or otherwise rip to shreads my fix! -- Ron Gage (LPIC1 MCP A+ Net+) Westland, Michigan --- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c2006-05-29 10:17:20.0 -0400 
@@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); -return(NULL); +/* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing +as a connection timeout regardless of activity. By default under MySQL 5, this +timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the +first 8 hours, then stops authenticating, this timeout is your problem (especially +under authdaemond). + +What this code does is when an error is encountered, it first tries to drop and +rebuild a connection to the SQL server and tries again. If this second attempt +fails, then something other than the connection timeout is the problem. This fix +need to be implemented in other places but in my setup (Slackware 10.2, netqmail, +vpopmail, courier-authdaemond, courier-imapd and a few others), this is always where +the auth attempt died with a SQL server has gone away error. +*/ + +fprintf(stderr, Attempting to rebuild connection to SQL server\n); +vclose(); +verrori = 0; +if ( (err=vauth_open_read()) != 0 ) { + verrori = err; + return(NULL); +} +if (mysql_query(mysql_read, SqlBufRead)) { + fprintf (stderr, vmysql: connection rebuild failed: %s\n, mysql_error(mysql_read)); + return(NULL); +} } if (!(res_read = mysql_store_result(mysql_read))) { This message was sent using IMP, the Internet Messaging Program. vmysql.diff
Re: [vchkpw] vchkpw/vmysql and Mysql 5 with courier -authlib
At 18.24 12/07/2006, you wrote:
The vpopmail module to authdaemon might be missing the vpopmail vclose() function.

I'm giving a fast look, but I don't see either close and open :-( .

If so, then every connection to the authdaemon would open a new mysql connection, which allocates memory. Then without the vclose the memory never gets released and eventually runs out of memory.

This is what authdaemon should not do. It open a first time for each child and then use the same connection always (apart from the eight hours problem). So it must be something after the connect phase, something called thousands times.

I'm trying to check, but I'll do better next week.

Thanks, Tonino

Ken Jones

tonix (Antonio Nati) wrote:
I don't know if this is a limit of this useful patch (I don't think so), or more likely of the vpopmail library (I feel could be), or yet of courier authdaemon, but after more than ten days of successful running, I've got this error:

Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes)
Jul 11 16:24:33 myserver authdaemond: vmysql: sql error[3]:
Jul 11 16:24:33 myserver authdaemond: Attempting to rebuild connection to SQL server
Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes)
Jul 11 16:24:33 myserver authdaemond: vmysql: connection rebuild failed:

So, I'm adding an authdaemon restart each morning (early) to solve the problem.

Note: after stopping and restarting courier authdaemon, 1200 MB of system memory have been released (here I have 4GB of system memory).

I feel like vpopmail calls just alloc() memory and never release it, as they have been probably designed for one shot program. When they are used within a permanent service, calling them dozen thousands times, they waste memory and cause problems.

Anyone else is watching his courier authdaemon growing?

Tonino

At 21.20 29/06/2006, you wrote:
This patch is in the upcoming 5.4.17 release.
-Tom On May 29, 2006, at 7:05 AM, Ron Gage wrote: Greetings: I don't know if anyone in here is encountering this problem (yet), but it has been affecting me for the past few weeks - ever since I upgraded my MySQL server to 5.0.19. It took quite a bit of digging, but I believe I have found the problem. To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see MySQL server has gone away errors in the maillog. The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorate bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away. The fix is to simply destroy the internal flags and file handles related to that socket, rebuild a new one, and try again. The included patch (inline and attached) implements this fix. Please note that there doesn't appear to be any way at this time to disable the timeout feature in MySQL. Please feel free to comment, tear apart, beat up, or otherwise rip to shreads my fix! -- Ron Gage (LPIC1 MCP A+ Net+) Westland, Michigan --- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c2006-05-29 10:17:20.0 -0400 
@@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); -return(NULL); +/* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing +as a connection timeout regardless of activity. By default under MySQL 5, this +timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the +first 8 hours, then stops authenticating, this timeout is your problem (especially +under authdaemond). + +What this code does is when an error is encountered, it first tries to drop and +rebuild a connection to the SQL server and tries again. If this second attempt +fails, then something other than the connection timeout is the problem. This fix +need to be implemented in other places but in my setup (Slackware 10.2, netqmail, +vpopmail, courier-authdaemond, courier-imapd and a few others), this is always where +the auth attempt died with a SQL server has gone away error. +*/ + +fprintf(stderr, Attempting to rebuild connection to SQL server\n); +vclose(); +verrori = 0; +if ( (err=vauth_open_read()) != 0 ) { + verrori = err; + return
Re: [vchkpw] vchkpw/vmysql and Mysql 5 with courier -authlib
At 18.24 12/07/2006, you wrote: The vpopmail module to authdaemon is might be missing the vpopmail vclose() function. At a first look, you are right. Following is the code related to closing connection. static void authvchkpwclose() { } It lacks any code relative to vpopmail vclose. But in my logs I don't have any reconnect trace, so I suppose authdaemon is always using the same connection (and I see it is growing anyway). The memory abuse must be elsewhere. Is anyone using authdaemon mysql authentication and having the same problems? Tonino If so, then every connection to the authdaemon would open a new mysql connection, which allocates memory. Then without the vclose the memory never gets released and eventually runs out of memory. Ken Jones tonix (Antonio Nati) wrote: I don't know if this is a limit of this useful patch (I don't think so), or more likely of the vpopmail library (I feel could be), or yet of courier authdaemon, but after more than ten days of successfull running, I've got this error: Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes) Jul 11 16:24:33 myserver authdaemond: vmysql: sql error[3]: Jul 11 16:24:33 myserver authdaemond: Attempting to rebuild connection to SQL server Jul 11 16:24:33 myserver authdaemond: ^GOut of memory (Needed 8164 bytes) Jul 11 16:24:33 myserver authdaemond: vmysql: connection rebuild failed: So, I'm adding an authdaemon restart each morning (early) to solve the problem. Note: after stopping and restarting courier authdaemon, 1200 MB of system memory have been released (here I have 4GB of system memory). I feel like vpopmail calls just alloc() memory and never release it, as they have been probably designed for one shot program. When they are used within a permanent service, calling them dozen thousands times, they waste memory and cause problems. Any one else if watching his courier authdaemon growing? Tonino At 21.20 29/06/2006, you wrote: This patch is in the upcoming 5.4.17 release. 
-Tom On May 29, 2006, at 7:05 AM, Ron Gage wrote: Greetings: I don't know if anyone in here is encountering this problem (yet), but it has been affecting me for the past few weeks - ever since I upgraded my MySQL server to 5.0.19. It took quite a bit of digging, but I believe I have found the problem. To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see MySQL server has gone away errors in the maillog. The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorate bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away. The fix is to simply destroy the internal flags and file handles related to that socket, rebuild a new one, and try again. The included patch (inline and attached) implements this fix. Please note that there doesn't appear to be any way at this time to disable the timeout feature in MySQL. Please feel free to comment, tear apart, beat up, or otherwise rip to shreads my fix! -- Ron Gage (LPIC1 MCP A+ Net+) Westland, Michigan --- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c 2006-05-29 10:17:20.0 -0400 
@@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); - return(NULL); + /* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing + as a connection timeout regardless of activity. By default under MySQL 5, this + timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the + first 8 hours, then stops authenticating, this timeout is your problem (especially + under authdaemond). + + What this code does is when an error is encountered, it first tries to drop and + rebuild a connection to the SQL server and tries again. If this second attempt + fails, then something other than the connection timeout is the problem. This fix + need to be implemented in other places but in my setup (Slackware 10.2, netqmail, + vpopmail, courier-authdaemond, courier-imapd and a few others), this is always where + the auth attempt died with a SQL server has gone away error. + */ + + fprintf(stderr, Attempting to rebuild connection to SQL server\n); + vclose(); + verrori = 0; + if ( (err=vauth_open_read()) != 0 ) { + verrori = err; + return(NULL); + } + if (mysql_query(mysql_read, SqlBufRead)) { + fprintf (stderr, vmysql: connection rebuild failed: %s\n, mysql_error(mysql_read)); + return(NULL); + } } if (!(res_read
Re: [vchkpw] vchkpw/vmysql and Mysql 5 with courier -authlib
At 23.02 12/07/2006, you wrote: On Wednesday 12 July 2006 13:48, tonix (Antonio Nati) wrote: At 18.24 12/07/2006, you wrote: The vpopmail module to authdaemon might be missing the vpopmail vclose() function. At a first look, you are right. Following is the code related to closing connection. static void authvchkpwclose() { } It lacks any code relative to vpopmail vclose. But in my logs I don't have any reconnect trace, so I suppose authdaemon is always using the same connection (and I see it is growing anyway). The memory abuse must be elsewhere. how about running authdaemon under valgrind, then performing a couple thousand auth attempts against it? I never used it. I'll give it a try (hope next week). Thanks, Tonino -Jeremy -- Jeremy Kitchen ++ [EMAIL PROTECTED] http://www.pirate-party.us/ -- defend your rights
Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
At 23.09 15/06/2006, you wrote: tonix (Antonio Nati) wrote: At 16.15 15/06/2006, you wrote: Thanks, Tonino. But isn't that snippet needed for the TLS-support? If you are using specific certificates on client side you probably need it, otherwise it is completely unuseful. Ah, yes. So the TLS-patch would support authentication by client-certificates? I suppose. There is no other logical meaning to the code being in that routine. Ciao, Tonino Cool ;-) Anyway, I will try this ASAP. Thanks a lot, again. cheers, Rainer
Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
Cut away all these lines:

  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
    if (!addrallowed()) { err_nogateway(); return; }
#else
    if (!addrallowed()) {
      if (ssl) {
        STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;

        SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
          { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);
        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
          { err_nogateway(); return; }

        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {
          out("553 no valid cert for gatewaying: ");
          out(X509_verify_cert_error_string(r));
          out(" (#5.7.1)\r\n");
          return;
        }

        if (peercert = SSL_get_peer_certificate(ssl)) {
          char emailAddress[256];

          X509_NAME_get_text_by_NID(X509_get_subject_name(
                                     SSL_get_peer_certificate(ssl)),
                                     NID_pkcs9_emailAddress, emailAddress, 256);
          if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
          if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
            { err_nogwcert(); return; }
          relayclient = "";
        }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif

and put the following code:

/* start chkuser code */
  switch (chkuser_realrcpt (&mailfrom, &addr)) {
    case CHKUSER_KO:
      return;
      break;
    case CHKUSER_RELAYING:
      --addr.len;
      if (!stralloc_cats(&addr,relayclient)) die_nomem();
      if (!stralloc_0(&addr)) die_nomem();
      break;
  }
/* end chkuser code */

Ciao, Tonino

At 12.53 15/06/2006, you wrote:

Hi, it seems I need to outfit a custom-patched version of qmail with CHKUSER.

In qmail-smtpd.c it has the following code:

void smtp_rcpt(arg) char *arg; {
  if (!seenmail) { err_wantmail(); return; }
  if (!addrparse(arg)) { err_syntax(); return; }
  if (flagbarfspf) { err_spf(); return; }
  switch (flagbarf) {
    case 1: logit("badmailfrom: "); err_bmf(); return;
    case 2: /* should not occur, fallthrough to 3 -- logit("domainrbl: "); err_drbl(); return; */
    case 3: logit("mfcheck-address unknown: "); err_mfcheck(); return;
    case 4: logit("mfcheck-domain does not resolve: "); err_smf(); return;
    case 5: logit("mfcheck-socket failure: "); err_smf(); return;
    case 6: logit("mfcheck-no mx or unreachable: "); err_smf(); return;
    case 7: logit("mfcheck-permanent dns failure: "); err_hmf(); return;
    case 8: logit("mfcheck-temporary dns failure: "); err_smf(); return;
  }
  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
    if (!addrallowed()) { err_nogateway(); return; }
#else
    if (!addrallowed()) {
      if (ssl) {
        STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;

        SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
          { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);
        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
          { err_nogateway(); return; }

        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK) {
          out("553 no valid cert for gatewaying: ");
          out(X509_verify_cert_error_string(r));
          out(" (#5.7.1)\r\n");
          return;
        }

        if (peercert = SSL_get_peer_certificate(ssl)) {
          char emailAddress[256];

          X509_NAME_get_text_by_NID(X509_get_subject_name(
                                     SSL_get_peer_certificate(ssl)),
                                     NID_pkcs9_emailAddress, emailAddress, 256);
          if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
          if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
            { err_nogwcert(); return; }
          relayclient = "";
        }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif
  if (!stralloc_cats(&rcptto,"T")) die_nomem();
  if (!stralloc_cats(&rcptto,addr.s)) die_nomem();
  if (!stralloc_0(&rcptto)) die_nomem();
  ++rcptcount;
  out("250 ok\r\n");
}

How should I deal with that?

Thanks in advance, Rainer
Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
At 16.15 15/06/2006, you wrote:

tonix (Antonio Nati) wrote:

Cut away all these lines: and put the following code:

/* start chkuser code */
  switch (chkuser_realrcpt (&mailfrom, &addr)) {
    case CHKUSER_KO:
      return;
      break;
    case CHKUSER_RELAYING:
      --addr.len;
      if (!stralloc_cats(&addr,relayclient)) die_nomem();
      if (!stralloc_0(&addr)) die_nomem();
      break;
  }
/* end chkuser code */

Ciao, Tonino

Thanks, Tonino. But isn't that snippet needed for the TLS-support?

If you are using specific certificates on client side you probably need it, otherwise it is completely unuseful.

I must admit that I'm not familiar with the code here - according to a .spec-file, this is a qmail that is patched with:

errno.h fix
qmail-0.0.0.0 patch
qmail local patch
qmail-smtpd-auth-close3 patch
big concurrency patch
qregex patch
qmail-queue patch
mfcheck patch
tarpit patch
oversize dns patch
maildir quota patch
smtp-auth patch
tls patch
qmail smtpd viruscan patch

Probably you can save a lot of work if you use Shupp's toaster, that includes most of those patches (more chkuser), and after you can add what you lack.

Also, the current qmail-smtpd seems to be linked to libssl, too. (And the spec-file also says: %define ccflags %{optflags} -DTLS -I/usr/kerberos/include) Do you think there is a problem?

No problem.

Ciao, Tonino

Best Regards, Rainer
Re: [vchkpw] [bug][patch] - vchkpw/vmysql and Mysql 5
Please DON'T underestimate this patch, and put it in vpopmail soon. When you stop MySQL, all services working with vpopmail library and using permanent connections to MySQL (like courier-authdaemon) will stop working. You must restart them after any mysql failure. With this patch, no need to restart any service of this kind. Services will reopen MySQL connections automatically! Tonino At 16.05 29/05/2006, you wrote: Greetings: I don't know if anyone in here is encountering this problem (yet), but it has been affecting me for the past few weeks - ever since I upgraded my MySQL server to 5.0.19. It took quite a bit of digging, but I believe I have found the problem. To describe the problem: when you run vpopmail in MySQL mode, with courier-authdaemond and MySQL v5.0 or later, you will find that for the first 8 hours, everything works just fine, but after 8 hours, nobody will be able to authenticate to the email server and you will see "MySQL server has gone away" errors in the maillog. The cause of the problem is that in MySQL 5.0 (and probably some 4.1 releases), MySQL implements a new timeout definition for connections, a timeout that ignores traffic. This timeout will shut down the socket thread from the MySQL side. The problem is that the client (vchkpw and friends) do not know/understand about this timeout and socket termination so they continue on in ignorant bliss until they try to send to the socket and find that it's no longer valid - literally the server has gone away. The fix is to simply destroy the internal flags and file handles related to that socket, rebuild a new one, and try again. The included patch (inline and attached) implements this fix. Please note that there doesn't appear to be any way at this time to disable the timeout feature in MySQL. Please feel free to comment, tear apart, beat up, or otherwise rip to shreds my fix! 
-- Ron Gage (LPIC1 MCP A+ Net+) Westland, Michigan --- vmysql.c~ 2006-05-29 10:17:20.0 -0400 +++ vmysql.c2006-05-29 10:17:20.0 -0400 @@ -465,7 +465,31 @@ ); if (mysql_query(mysql_read,SqlBufRead)) { fprintf(stderr, vmysql: sql error[3]: %s\n, mysql_error(mysql_read)); -return(NULL); +/* Ron Gage - May 29, 2006 - With newer versions of MySQL, there is such a thing +as a connection timeout regardless of activity. By default under MySQL 5, this +timeout is 28800 seconds (8 hours). If your vpopmail system runs fine for the +first 8 hours, then stops authenticating, this timeout is your problem (especially +under authdaemond). + +What this code does is when an error is encountered, it first tries to drop and +rebuild a connection to the SQL server and tries again. If this second attempt +fails, then something other than the connection timeout is the problem. This fix +need to be implemented in other places but in my setup (Slackware 10.2, netqmail, +vpopmail, courier-authdaemond, courier-imapd and a few others), this is always where +the auth attempt died with a SQL server has gone away error. +*/ + +fprintf(stderr, Attempting to rebuild connection to SQL server\n); +vclose(); +verrori = 0; +if ( (err=vauth_open_read()) != 0 ) { + verrori = err; + return(NULL); +} +if (mysql_query(mysql_read, SqlBufRead)) { + fprintf (stderr, vmysql: connection rebuild failed: %s\n, mysql_error(mysql_read)); + return(NULL); +} } if (!(res_read = mysql_store_result(mysql_read))) { This message was sent using IMP, the Internet Messaging Program.
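Review bot: the existing fprintf of "vmysql: sql error[3]" still fires before the retry, so an idle-timeout reconnect that succeeds is logged as an SQL error and cannot be told apart from a real failure until the later lines; log the first error only when the rebuild also fails, or word the "Attempting to rebuild connection" line so that a recovered timeout is recognisable. The comment in the hunk also says the fix is needed in other places, so the vclose() / vauth_open_read() / second mysql_query sequence would be better placed in one helper that each query site can call, rather than copied into this branch alone.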
Re: [vchkpw] rcpt check user problems with sender - resolution
At 00.07 01/06/2006, you wrote: tonix (Antonio Nati) wrote: At 23.25 31/05/2006, you wrote: tonix (Antonio Nati) wrote: At 21.44 31/05/2006, you wrote: Rick Macdougall wrote: Ken Jones wrote: Hi, Tonino was able to do a fast analysis of the problem. Server: Qmail with Tonino's check user patch. Problem: When an email sender identifying itself as SMTPSVC(6.0.3790.1830) sends an email to multiple rcpt's, where some of the rcpt are valid and some are invalid, not all the emails to valid rcpts are delivered and the sender reports an incorrect list of valid/invalid rcpts. Resolution: Problem due to Outlook not fully supporting SMTP protocol. So there was no real resolution ? Did you have them stop using the ISA firewall ? Regards, Rick I disabled check user for their static IP. Are they using your server as a relay, or are they just sending to everyone from Outlook? I feel chkuser should be disabled when used as relay from Outlook or Eudora. They are just sending using Outlook. Not as a relay. They are an external company sending to local users. We do not have any reported problems from any relay users. I have reported complaints from customers which use Outlook; when they send to multiple recipients (and one is wrong) cannot understand which is the error. So I have a dedicated qmail-smtpd for relaying users where I accept all messages without chkuser. It looks like firefox does not like the error message too. To be more exact, this is not a problem of chkuser, but of every smtp server rejecting not existing rcpt (including qmail + chkuser). I sent a test mail to a valid and an invalid account on our mail server and firefox pops up a message: An error occurred while sending mail. The mail server responded: sorry, no mailbox here by that name (#5.1.1 - chkusr). Please verify that your email address is correct in your Mail preferences and try again. Probably in a future version I'll give the option to have an extended error, specifying which rcpt has not been found. 
Something like sorry, [EMAIL PROTECTED] is not known/recognized on this server (#chkuser). Looks like I need to disable chkuser when RELAYCLIENT is set. Is there an easy way, with the current version, to disable chk user when the RELAYCLIENT is set? Version 2.0.9 will have such feature. Probably I'll publish a 2.0.9-beta that could help to solve these problems (actual code is stable, but I have to add other features, or more likely I'll freeze 2.0.9 and work on 2.0.10). Tonino Ken
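The two behaviours discussed in this message (skip the recipient check when RELAYCLIENT is set, otherwise name the rejected recipient in the reply), written in C as an added example; it is not chkuser's code and not part of the original thread. The function names, the constructed mailbox list and the exact reply wording are assumptions, and the address is sanitised before it is echoed because it comes from the client.

```c
#include <stdio.h>
#include <string.h>

/* Constructed mailbox list standing in for the real vpopmail lookup. */
static const char *known_rcpts[] = { "alice@example.com", "bob@example.com" };

static int rcpt_exists(const char *rcpt) {
    for (size_t i = 0; i < sizeof known_rcpts / sizeof known_rcpts[0]; i++)
        if (strcmp(rcpt, known_rcpts[i]) == 0) return 1;
    return 0;
}

/* Copy rcpt for use inside a reply line. Only printable, non-space ASCII is
   kept, so CR, LF or control bytes sent by the client cannot break the
   single-line reply; the copy is also capped at dstlen - 1 bytes. */
static void sanitize_rcpt(char *dst, size_t dstlen, const char *rcpt) {
    size_t n = 0;
    for (; *rcpt && n + 1 < dstlen; rcpt++) {
        unsigned char c = (unsigned char)*rcpt;
        dst[n++] = (c > 0x20 && c < 0x7f) ? (char)c : '?';
    }
    dst[n] = '\0';
}

/* Handle one RCPT TO and write the reply line into reply (hypothetical helper).
   relayclient != NULL models RELAYCLIENT being set: the check is skipped.
   Returns 1 if the recipient is accepted, 0 if it is rejected. */
int rcpt_reply(const char *rcpt, const char *relayclient,
               char *reply, size_t replylen) {
    char shown[65];
    if (relayclient != NULL || rcpt_exists(rcpt)) {
        snprintf(reply, replylen, "250 ok\r\n");
        return 1;
    }
    sanitize_rcpt(shown, sizeof shown, rcpt);
    snprintf(reply, replylen,
             "550 sorry, <%s> is not known on this server (#5.1.1 - chkuser)\r\n",
             shown);
    return 0;
}

int main(void) {
    /* Constructed session: one valid, one unknown, one with embedded CRLF. */
    const char *rcpts[] = { "alice@example.com", "nobody@example.com",
                            "x@example.com\r\n250 ok" };
    char reply[160];
    for (size_t i = 0; i < sizeof rcpts / sizeof rcpts[0]; i++) {
        rcpt_reply(rcpts[i], NULL, reply, sizeof reply);
        fputs(reply, stdout);
    }
    return 0;
}
```

Each RCPT TO gets its own reply line, so a client that handles per-recipient rejections correctly can tell which address failed while the valid ones are still accepted.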
Re: [vchkpw] rcpt check user problems with sender - resolution
At 21.44 31/05/2006, you wrote: Rick Macdougall wrote: Ken Jones wrote: Hi, Tonino was able to do a fast analysis of the problem. Server: Qmail with Tonino's check user patch. Problem: When an email sender identifying itself as SMTPSVC(6.0.3790.1830) sends an email to multiple rcpt's, where some of the rcpt are valid and some are invalid, not all the emails to valid rcpts are delivered and the sender reports an incorrect list of valid/invalid rcpts. Resolution: Problem due to Outlook not fully supporting SMTP protocol. So there was no real resolution ? Did you have them stop using the ISA firewall ? Regards, Rick I disabled check user for their static IP. Are they using your server as a relay, or are they just sending to everyone from Outlook? I feel chkuser should be disabled when used as relay from Outlook or Eudora. Regards, Tonino Ken
Re: [vchkpw] rcpt check user problems with sender - resolution
At 23.25 31/05/2006, you wrote: tonix (Antonio Nati) wrote: At 21.44 31/05/2006, you wrote: Rick Macdougall wrote: Ken Jones wrote: Hi, Tonino was able to do a fast analysis of the problem. Server: Qmail with Tonino's check user patch. Problem: When an email sender identifying itself as SMTPSVC(6.0.3790.1830) sends an email to multiple rcpt's, where some of the rcpt are valid and some are invalid, not all the emails to valid rcpts are delivered and the sender reports an incorrect list of valid/invalid rcpts. Resolution: Problem due to Outlook not fully supporting SMTP protocol. So there was no real resolution ? Did you have them stop using the ISA firewall ? Regards, Rick I disabled check user for their static IP. Are they using your server as a relay, or are they just sending to everyone from Outlook? I feel chkuser should be disabled when used as relay from Outlook or Eudora. They are just sending using Outlook. Not as a relay. They are an external company sending to local users. We do not have any reported problems from any relay users. I have reported complaints from customers which use Outlook; when they send to multiple recipients (and one is wrong) cannot understand which is the error. So I have a dedicated qmail-smtpd for relaying users where I accept all messages without chkuser. Tonino Ken
Re: [vchkpw] Off topic info rblsmtpd
I feel you have to sacrifice an IP address and add a dedicated tcpserver + qmail-smtpd for that domain (setting MX to that IP). Ciao, Tonino At 08.24 27/05/2006, you wrote: Hello everyone. I know this is off topic but maybe someone has already faced this issue. If I have rblsmtpd running on the server but a client does not want to use this service (multi domain server) is there a way to just have mail bypass that specific domain without the usage of the rblsmtpd? Thanks, Remo
Re: [vchkpw] Off topic info rblsmtpd
Hi Remo! What do you mean, the domain already has its own IP? Does it have an MX that points to an IP just for it? And in that case, which tcpserver handles this MX? Ciao, Tonino At 12.54 27/05/2006, you wrote: tonix (Antonio Nati) wrote: I feel you have to sacrifice an IP address and add a dedicated tcpserver + qmail-smtpd for that domain (setting MX to that IP). Ciao, Tonino At 08.24 27/05/2006, you wrote: Tonino, do you know how it can be done? I have never done it with a dedicated IP. The domain already has its own IP
Re: [vchkpw] Off topic info rblsmtpd
Sorry for writing to the list a private answer! Tonino At 14.34 27/05/2006, you wrote: Hi Remo! What do you mean, the domain already has its own IP? Does it have an MX that points to an IP just for it? And in that case, which tcpserver handles this MX? Ciao, Tonino At 12.54 27/05/2006, you wrote: tonix (Antonio Nati) wrote: I feel you have to sacrifice an IP address and add a dedicated tcpserver + qmail-smtpd for that domain (setting MX to that IP). Ciao, Tonino At 08.24 27/05/2006, you wrote: Tonino, do you know how it can be done? I have never done it with a dedicated IP. The domain already has its own IP