Re: [vchkpw] chkuser patch causes problems with qmails sendmail binary
What you see is chkuser logging, that is handled correctly if you send using smtp port.

So, you can either disable chkuser logging or send using smtp local port.

Ciao,

Tonino

At 20.17 04/06/2005, you wrote:
> Ever since I installed chkuser (which has been great, might I add), pine has had issues using the sendmail binary replacement qmail provides. After some stracing I've determined this is because after sending:
>
> RCPT TO:[EMAIL PROTECTED]
>
> It is getting a response of
>
> CHKUSER accepted rcpt: from mik...
>
> instead of a 220 ok.
>
> Sendmail is called from pine by default (on debian, at least) with these flags: -bs -odb -oem
>
> So I tested it out myself:
>
> $ /usr/sbin/sendmail -bs -odb -oem
> 220 webserv2.divide0.net ESMTP
> ehlo localhost
> 250-webserv2.divide0.net
> 250-STARTTLS
> 250-PIPELINING
> 250-8BITMIME
> 250 AUTH LOGIN PLAIN CRAM-MD5
> RSET
> 250 flushed
> MAIL FROM:[EMAIL PROTECTED]
> 250 ok
> RCPT TO:[EMAIL PROTECTED]
> CHKUSER accepted rcpt: from [EMAIL PROTECTED]:sendmail-bs: remote :localhost:127.0.0.1 rcpt [EMAIL PROTECTED] : found existing recipient
> 250 ok
>
> This is the same sequence of commands pine writes, and as you see, the CHKUSER response is given after the RCPT TO causing pine to hang. That response shouldn't be in there.
>
> Any suggestions/hints as to how to stop this?
>
> Thanks,
> Mike Garrison
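A check for the symptom reported above, as an added example (not code from qmail, chkuser or pine): it scans the server side of the quoted `sendmail -bs` session and reports the first line that is not shaped like an SMTP reply. The function names are hypothetical; the sample lines are copied from the session in the message.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Server-side lines of the quoted session, in the order they were printed. */
const char *const SESSION_OUTPUT[] = {
    "220 webserv2.divide0.net ESMTP",
    "250-webserv2.divide0.net",
    "250-STARTTLS",
    "250-PIPELINING",
    "250-8BITMIME",
    "250 AUTH LOGIN PLAIN CRAM-MD5",
    "250 flushed",
    "250 ok",
    "CHKUSER accepted rcpt: from [EMAIL PROTECTED]:sendmail-bs: remote "
    ":localhost:127.0.0.1 rcpt [EMAIL PROTECTED] : found existing recipient",
    "250 ok",
};
#define SESSION_LINES (sizeof SESSION_OUTPUT / sizeof SESSION_OUTPUT[0])

/* Reply code (200-599) if `line` looks like "250 ok", "250-PIPELINING" or a
 * bare "250"; -1 for anything else, such as a log line. */
int smtp_reply_code(const char *line) {
    if (line[0] < '2' || line[0] > '5') return -1;
    if (!isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return -1;
    if (line[3] != ' ' && line[3] != '-' && line[3] != '\0') return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

/* Index of the first line that is not a reply line, or that changes code in
 * the middle of a multi-line ("250-") reply; -1 if every line is valid. */
int first_stray_line(const char *const lines[], size_t n) {
    int open_code = -1;                 /* code of an unfinished multi-line reply */
    for (size_t i = 0; i < n; i++) {
        int code = smtp_reply_code(lines[i]);
        if (code < 0 || (open_code >= 0 && code != open_code)) return (int)i;
        open_code = (lines[i][3] == '-') ? code : -1;
    }
    return -1;
}

int main(void) {
    int idx = first_stray_line(SESSION_OUTPUT, SESSION_LINES);
    if (idx >= 0)
        printf("line %d is not an SMTP reply: %.40s...\n", idx, SESSION_OUTPUT[idx]);
    else
        printf("all lines are SMTP replies\n");
    return 0;
}
```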
Re: [vchkpw] chkuser patch
On Wednesday, July 07, 2004 5:32 AM, tonix (Antonio Nati) wrote:
> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.

Hi, Antonio

Could you make chkusr work with djb's serialmail (http://cr.yp.to/serialmail.html)?

Instead of just having a .qmail-1:2:3:4-default, bounce-no-mailbox could be in the default, and have the rest of the .qmail-1:2:3:4-usernames, like normal..

Jeremy Kister
http://jeremy.kister.net/
Re: [vchkpw] chkuser patch
Jeremy,

pls switch to private, as I need more info on serial mail.

Tonino

At 11/07/2004 11/07/2004 -0400, you wrote:
> On Wednesday, July 07, 2004 5:32 AM, tonix (Antonio Nati) wrote:
>> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.
>
> Hi, Antonio
>
> Could you make chkusr work with djb's serialmail (http://cr.yp.to/serialmail.html)?
>
> Instead of just having a .qmail-1:2:3:4-default, bounce-no-mailbox could be in the default, and have the rest of the .qmail-1:2:3:4-usernames, like normal..
>
> Jeremy Kister
> http://jeremy.kister.net/

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] chkuser patch
At 07/07/2004 07/07/2004 -0400, you wrote:
> There's some larger issue here that involves a moderately loaded machine running both mysql and qmail (and incidentally, vpopmail) having trouble getting some sql queries out in time. The mysql people (mostly Zawodny) don't think it's a bug/problem with mysql but that qmail can easily swamp a system to the point that mysql bogs down, even with all the tables cached in memory.
>
> For most vpopmail operations, it's not a big deal; an occasional login failure or mail being deferred. But on the chkusr side, a mysql burp leads to rejected mail.

Personally, I feel MySQL unsafe for such operations, and I'll switch to OpenLDAP before or later.

I'm really worried about MySQL reliability. When I used cdb I did not have a problem for years. Now the message MySQL server is gone terrifies me.

>> This is a known problem, that will be resolved as vpopmail will integrate such checks (I've been told these checks on DB connects are going to be put inside vpopmail CVS).
>
> I hope that gets backported to 5.4.x, sounds like a good fix.
>
>> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.
>
> Excellent. I also have a coworker looking at the patch to see if he can build a workaround. I'm also considering just changing the patch to return a temporary failure. Considering most of what chkusr blocks is spam, why not let it queue on the remote end? Nasty, but oddly appropriate.

Charles,

if you are willing to test, I'll send you a pre-release of chkuser 2.0, so your coworker may test new vpopmail vauth_open routines and new chkuser functionalities.

Just I need one week to release a fully working and tested pre-release.

Tonino

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] chkuser patch
On Thu, 8 Jul 2004, tonix (Antonio Nati) wrote:
>> For most vpopmail operations, it's not a big deal; an occasional login failure or mail being deferred. But on the chkusr side, a mysql burp leads to rejected mail.
>
> Personally, I feel MySQL unsafe for such operations, and I'll switch to OpenLDAP before or later.

Yeah, I'd been away from mysql for quite some time, and I'd assumed the reliability issues had been taken care of. I'm going to have to take a stab at PostgreSQL. It's not as whiz-bang fast, but it's rock solid. I think replication is a reality there now as well.

> I'm really worried about MySQL reliability. When I used cdb I did not have a problem for years. Now the message MySQL server is gone terrifies me.

Heh. Mine isn't gone, but it does seem to take a nap a few times a day.

> if you are willing to test, I'll send you a pre-release of chkuser 2.0, so your coworker may test new vpopmail vauth_open routines and new chkuser functionalities.

Sure. I have to fast-track my upgrade from 5.3.30 to 5.4.whatever. I was hoping to have some more prep time. Hopefully I can find some tips on what's changed in the archives.

Thanks,

Charles

> Just I need one week to release a fully working and tested pre-release.
>
> Tonino
>
> [EMAIL PROTECTED]
> Interazioni di Antonio Nati
> http://www.interazioni.it
> [EMAIL PROTECTED]
Re: [vchkpw] chkuser patch
On Wed, 7 Jul 2004, Tom Collins wrote:
> On Jul 7, 2004, at 7:22 PM, Rick Widmer wrote:
>> Should I make a patch with just this feature against 5.4.5? Will someone merge it - or can I?
>
> If you can isolate that change, I'll make sure it gets into the 5.4 series.

Yeah!

> We can make it available for testing first, and then roll it into a release.

I'm going to try and get off of 5.3.30 shortly, so I'd be more than happy to do some testing.

Thanks,

Charles

> --
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
> Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] chkuser patch
At 06/07/2004 06/07/2004 -0400, you wrote:
> Hi,
>
> I believe there was some discussion about this some time ago, but recent events have made me think of this again...
>
> The standard chkuser patch that vpopmail uses (see Bill Shupp's update to the original: http://www.shupp.org/patches/chkuser-0.6.mysql.patch) has some rather nasty behaviours.

Probably you have not read carefully previous posts on this topic.

The standard chkusr patch uses standard vpopmail calls, that do NOT handle return status from DB operations (Bill's version just includes some Makefile changes, in order to simplify compilation, code is untouched), and this happens for every DB.

So the problem is not inside chkusr, but inside the vpopmail library.

This is a known problem, that will be resolved as vpopmail will integrate such checks (I've been told these checks on DB connects are going to be put inside vpopmail CVS).

I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.

Cheers,

Tonino

> Thanks,
>
> Charles

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [vchkpw] chkuser patch
tonix (Antonio Nati) wrote:
> So the problem is not inside chkusr, but inside the vpopmail library.

Simply put, the vpopmail library does not distinguish between 'no such user' and 'can't open database'.

> This is a known problem, that will be resolved as vpopmail will integrate such checks (I've been told these checks on DB connects are going to be put inside vpopmail CVS).

It definitely is in HEAD of the SourceForge CVS. It is well tested with CDB, and lightly tested with MySQL. There are functions that at least vpopmaild requires that are not included in any other authentication module.

> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.

I don't have a lot of time right now, but I promise if you find any bugs in HEAD with one of the tested authentication modules I'll get them fixed quickly. There may be one other person testing. If things seem to work maybe we can get the code released sooner.

Rick
RE: [vchkpw] chkuser patch
> The standard chkuser patch that vpopmail uses (see Bill Shupp's update to the original: http://www.shupp.org/patches/chkuser-0.6.mysql.patch) has some rather nasty behaviours.
>
> If for some reason your mysql server is unavailable (load has shot so high that mysql can't return a prompt reply, you're upgrading mysql, taking db down for maintenance, etc.) the chkusr patch will start telling remote smtp clients that the user doesn't exist. This is not good; you never want to send a 550 on a user that really does exist; people get upset when things bounce, and mailing lists start looking at auto-removal.

That explains a lot. I thought the chkuser patch was awesome until I started seeing 550's bouncing to customers for email addresses that aren't actually 550. I'll be happy when the new patch comes about that fixes this issue.

-Russell
Re: [vchkpw] chkuser patch
On Wed, 7 Jul 2004, tonix (Antonio Nati) wrote:
> At 06/07/2004 06/07/2004 -0400, you wrote:
>> Hi,
>>
>> I believe there was some discussion about this some time ago, but recent events have made me think of this again...
>>
>> The standard chkuser patch that vpopmail uses (see Bill Shupp's update to the original: http://www.shupp.org/patches/chkuser-0.6.mysql.patch) has some rather nasty behaviours.
>
> Probably you have not read carefully previous posts on this topic.

Yeah, I should have read the patch before posting. :) Sorry Antonio.

> The standard chkusr patch uses standard vpopmail calls, that do NOT handle return status from DB operations (Bill's version just includes some Makefile changes, in order to simplify compilation, code is untouched), and this happens for every DB.
>
> So the problem is not inside chkusr, but inside the vpopmail library.

Yeah, and it's pretty nasty... In digging around on various mailing lists I'm finding more and more people that either have a problem with 550's or just discovered after reading my posts that they did.

There's some larger issue here that involves a moderately loaded machine running both mysql and qmail (and incidentally, vpopmail) having trouble getting some sql queries out in time. The mysql people (mostly Zawodny) don't think it's a bug/problem with mysql but that qmail can easily swamp a system to the point that mysql bogs down, even with all the tables cached in memory.

For most vpopmail operations, it's not a big deal; an occasional login failure or mail being deferred. But on the chkusr side, a mysql burp leads to rejected mail.

> This is a known problem, that will be resolved as vpopmail will integrate such checks (I've been told these checks on DB connects are going to be put inside vpopmail CVS).

I hope that gets backported to 5.4.x, sounds like a good fix.

> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.

Excellent.

I also have a coworker looking at the patch to see if he can build a workaround. I'm also considering just changing the patch to return a temporary failure. Considering most of what chkusr blocks is spam, why not let it queue on the remote end? Nasty, but oddly appropriate.

Thanks,

Charles

> Cheers,
>
> Tonino
>
>> Thanks,
>>
>> Charles
>
> [EMAIL PROTECTED]
> Interazioni di Antonio Nati
> http://www.interazioni.it
> [EMAIL PROTECTED]
Re: [vchkpw] chkuser patch
Charles Sprickman wrote:
>> I'm preparing chkuser 2.0, that will integrate all these changes, and will improve a lot of other things.
>
> Excellent. I also have a coworker looking at the patch to see if he can build a workaround. I'm also considering just changing the patch to return a temporary failure. Considering most of what chkusr blocks is spam, why not let it queue on the remote end? Nasty, but oddly appropriate.

Take a look at vpopmail CVS HEAD. What I did was add a vauth_open() function in vmysql.c, and every other authentication back end that did not already have one. It returns 0 if the database opens properly or some negative number if there was an error.

I really think the right thing to do is make that change to vpopmail, then in the chkuser patch return a temporary failure if the database does not open properly.

Should I make a patch with just this feature against 5.4.5? Will someone merge it - or can I?

Rick
Re: [vchkpw] chkuser patch
On Jul 7, 2004, at 7:22 PM, Rick Widmer wrote:
> Should I make a patch with just this feature against 5.4.5? Will someone merge it - or can I?

If you can isolate that change, I'll make sure it gets into the 5.4 series.

We can make it available for testing first, and then roll it into a release.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] chkuser patch
Charles Sprickman wrote:
> I'm also wondering if there are any plans for the vpopmail stuff to support talking to multiple databases; ie: if no answer or timeout on one, hit a slave that's replicating off the master.

I don't see anything happening with multiple databases beyond specifying a read database and an update database, but I have made some changes in vpopmail that will allow the patch to tell the difference between 'Unable to open database' and 'user does not exist'. Once that code gets released the patch author can return a temporary failure on 'can't open', and correctly report 'user does not exist' when appropriate.

I am just starting a new job, so my open source efforts are a bit behind...

Rick
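The failure mode discussed in this thread, and the fix Rick Widmer describes in the two messages above (an open call that returns 0 or a negative number, with a temporary failure when the database cannot be opened), as an added example that is not code from vpopmail or the chkuser patch. The function names, the sample mailboxes and the choice of 451 as the temporary reply code are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample mailboxes; stands in for the vpopmail user database. */
static const char *const SAMPLE_USERS[] = {"alice@example.com", "bob@example.com"};
#define N_USERS (sizeof SAMPLE_USERS / sizeof SAMPLE_USERS[0])

enum lookup { LOOKUP_FOUND, LOOKUP_NO_USER, LOOKUP_DB_DOWN };

/* Hypothetical stand-in following the contract described on the list for
 * vauth_open(): 0 if the database opens, a negative number on error. */
static int demo_auth_open(int db_up) { return db_up ? 0 : -1; }

/* Legacy-style lookup: a single found/not-found answer, so a database
 * outage is indistinguishable from a missing mailbox. */
static int legacy_user_exists(int db_up, const char *rcpt) {
    if (!db_up) return 0;                 /* error collapsed into "not found" */
    for (size_t i = 0; i < N_USERS; i++)
        if (strcmp(SAMPLE_USERS[i], rcpt) == 0) return 1;
    return 0;
}

/* Checked lookup: open first, and report the outage as its own state. */
static enum lookup checked_lookup(int db_up, const char *rcpt) {
    if (demo_auth_open(db_up) < 0) return LOOKUP_DB_DOWN;
    return legacy_user_exists(db_up, rcpt) ? LOOKUP_FOUND : LOOKUP_NO_USER;
}

/* RCPT TO reply code with the old behaviour. */
int rcpt_code_legacy(int db_up, const char *rcpt) {
    return legacy_user_exists(db_up, rcpt) ? 250 : 550;
}

/* RCPT TO reply code once the outage is visible; 451 is this example's
 * choice of temporary-failure code. */
int rcpt_code_checked(int db_up, const char *rcpt) {
    switch (checked_lookup(db_up, rcpt)) {
    case LOOKUP_FOUND:   return 250;
    case LOOKUP_NO_USER: return 550;   /* permanent: mailbox really absent */
    default:             return 451;   /* temporary: remote MTA keeps it queued */
    }
}

int main(void) {
    const char *rcpts[] = {"alice@example.com", "nobody@example.com"};
    for (int up = 1; up >= 0; up--)
        for (size_t i = 0; i < 2; i++)
            printf("db_up=%d %-20s legacy=%d checked=%d\n", up, rcpts[i],
                   rcpt_code_legacy(up, rcpts[i]), rcpt_code_checked(up, rcpts[i]));
    return 0;
}
```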
RE: [vchkpw] Chkuser patch and bouncer messages?
You can either setup the chkusr patch or you can set doublebounces to go to the bit bucket by adding a file

echo doublebounce > /var/qmail/control/doublebounceto
echo "#" > /var/qmail/alias/.qmail-doublebounce

Shane

-----Original Message-----
From: Thomas Lojmann Jorgensen [mailto:[EMAIL PROTECTED]
Sent: Friday, 19 September 2003 4:48 PM
To: [EMAIL PROTECTED]
Subject: [vchkpw] Chkuser patch and bouncer messages?

Hello vchkpw,

When someone sends a mail to xxx and this user doesn't exist on my domain, then my server sends a report back to the sender. When the sender's address doesn't exist, my postmaster account receives a bounce message that tells me that the bounce bounced...

I'm tired of getting these messages, can I change the return-path in bounce messages sent from my server?

--
Best regards,
Thomas mailto:[EMAIL PROTECTED]
Re: [vchkpw] chkuser patch and mysql on different machine
Hi,

Dave Richardson - Lists wrote:
> I want to build a mail gateway to deny incoming SMTP for unknown virtual domain users by building it with the chkuser patch (correct patch name?). I use MySQL for my user database on the mail server. Can I hook the gateway (via VPN) to the user database on the mail server for the auth checks?? I haven't worked with the chkuser patch so this is very new ground for me.
>
> No, I'd rather not start replicating MySQL databases if I can help it. I want the gateway to save resources for scanning virii and stopping this Sobig crap.

The short answer is no. The chkuser patch does check local settings and read local files such as .qmail-default to check on the bounce-no-mailbox settings. It also won't check for domains not listed in virtualdomains.

I suppose it could be hacked to operate correctly but a quick glance at the patch tells me I'd have to read through the vpopmail source to see how it handles aliases etc and if it reads them from a local disk store as well.

What you COULD do, is mount the vpopmail home dir over NFS and maybe the qmail/control and qmail/users and run it as a second delivery mail server. That would work and remove the problem with my above statements.

Regards,

Rick
http://www.limelyte.net
Mail and Web server servicing and hosting.
Re: [vchkpw] chkuser patch
Hi Rick,

read carefully the running instructions on my page at www.interazioni.it/qmail.

You must not use SUID and GUID bits on qmail-smtpd with the Easy-version, but must run it directly as vpopmail root from tcpserver (or root if you have different users for different domains), and all will work nicely.

(This specific problem is due to the access() routine, that does not care of SUID and GUID bits. In the next release I'll make a step back and will change the access() routine back to the open() I used in the first version.)

Ciao,

Tonino

At 04/07/03 04/07/03 -0400, Rick Macdougall wrote:
> Hi,
>
> I think I just possibly found a bug in the chkuser patch.
>
> If you have a .qmail alias with a . in the name, it gives a 553 user unknown. Yes, the alias is correctly defined with : replacing the .
>
> I've tested this with Bill Shupp's modified patch and the easy-way patch.
>
> Running an strace on the qmail-smtpd-chkuser program locally works fine
>
> open(/home/vpopmail/domains/0/rkg-inc.com/.qmail-jerry.rosenblatt, O_RDONLY) = -1 ENOENT (No such file or directory)
> access(/home/vpopmail/domains/0/rkg-inc.com/.qmail-jerry:rosenblatt, F_OK) = 0
> alarm(1200) = 0
> write(1, 250 ok\r\n, 8250 ok
> ) = 8
>
> Doing it remotely gives
>
> mail from:[EMAIL PROTECTED]
> 250 ok
> rcpt to:[EMAIL PROTECTED]
> 550 sorry, no mailbox here by that name (#5.1.1 - chkusr)
>
> qmail-smtpd-chkuser is suid root (multiple domains in separate home directories)
>
> -r-sr-sr-x1 root nofiles 80572 Jul 3 10:52 qmail-smtpd-chkuser
>
> Any ideas?
>
> vpopmail 5.3.20
> qmail 1.03
>
> Oh, and using rcpt to:jerry:[EMAIL PROTECTED] does work, so it's not a permissions problem I don't think.
>
> Regards,
>
> Rick

[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]