qmail Digest 3 Jul 2000 10:00:00 -0000 Issue 1051

Topics (messages 44038 through 44088):

I crashed a qmail server
        44038 by: george
        44040 by: Uwe Ohse
        44081 by: george

Re: The most secure POP server
        44039 by: schinder.leprss.gsfc.nasa.gov
        44041 by: Peter van Dijk
        44046 by: Gabriel Ambuehl
        44047 by: Johan Almqvist
        44051 by: clemensF
        44052 by: clemensF

conditional forward jump in .qmail
        44042 by: Paul Jarc

Error message
        44043 by: Roberto Samarone Araújo (RSA)
        44044 by: Steffan Hoeke
        44045 by: Roberto Samarone Araújo (RSA)

Error message - Again
        44048 by: Roberto Samarone Araújo (RSA)
        44049 by: Steffan Hoeke
        44050 by: Roberto Samarone Araújo (RSA)
        44053 by: Roberto Samarone Araújo (RSA)

What is APOP?
        44054 by: Joseph R. Junkin
        44056 by: Peter van Dijk
        44058 by: Adam McKenna
        44062 by: Brian D. Winters
        44063 by: Tom Fishwick
        44069 by: Brian D. Winters
        44071 by: Adam McKenna
        44075 by: Troy Frericks
        44077 by: Adam McKenna
        44078 by: Tom Fishwick
        44079 by: Tom Fishwick
        44080 by: Adam McKenna

Re: Qmail performance question...
        44055 by: Eric Cox
        44057 by: Peter van Dijk

SSL POP Authentication ? ? ?
        44059 by: System Administrator

rblsmtpd error
        44060 by: Todd A. Jacobs

rblsmtp compilation error
        44061 by: Todd A. Jacobs
        44065 by: Ben Beuchler
        44067 by: Ben Beuchler
        44072 by: Todd A. Jacobs
        44073 by: Ronny Haryanto
        44076 by: Todd A. Jacobs

Problem resolved
        44064 by: Todd A. Jacobs

relaying based on SSL certificate
        44066 by: Adam Mackler

does qmail+ezmlm divid subscribers in "chunks" by domain?
        44068 by: ???
        44070 by: Paul Jarc

Qmail server
        44074 by: Roberto Samarone Araújo (RSA)

Problems with qmail-pop3
        44082 by: Roberto Samarone Araújo (RSA)

Where is sqwebmail in courier-imap?
        44083 by: Kristina
        44084 by: Colin Humphreys

Can send, but not retrieve mail
        44085 by: Lou Hevly

qmail install/svscan question
        44086 by: newsman

already delivered error
        44087 by: Kimberly Vher

Problems using svscan on Digital UNIX 4.0D
        44088 by: Bjørn Nordbø

Administrivia:

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To bug my human owner, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------



About four months ago, I posed a problem to yahoo and hotmail about
a DOS attack against a mail server.  It involved looping mail messages
between mail servers until the target was overwhelmed.  They assured
me this was not possible - it had been thought of years ago and was
not possible.

Here I am, in charge of 46 servers, each running qmail.  All of them have
root's mail forwarded to one server, where I POP in and get my mail.
As fate would have it, a couple servers were being brute-forced, and
they generated a bunch of mail.  After a few hours, I reached my quota,
so qmail started bouncing the mail back to the originator.  When the
originator received the mail, it forwarded it back to the one account,
which bounced it back to the originator, which forwarded it to the one
account, which bounced it . . . 

After a few hours, the "target" slowed to a crawl.  It had 61 MB of mail
in an account that was capped at 10 MB.  Oops.

I bring this up for one BIG reason: I read one of qmail's features was
built-in looping control.  Apparently, I am doing something wrong with
my QMAIL configuration.  Or else it does allow looping, which can be
really bad . . .

Does anyone know how I can keep this loop from happening again?

If this problem (and its solution) has already been posted, I apologize,
but I thought it was important enough to be posted immediately.

Thank you in advance.

George Toft
WorldMarket Services, Inc
www.world-market.com




On Sun, Jul 02, 2000 at 12:17:14PM +0000, george wrote:

> I bring this up for one BIG reason: I read one of qmail's features was
> built-in looping control.  Apparently, I am doing something wrong with
> my QMAIL configuration.  

Yup: You are forwarding postmaster mail. This is a guarantee for trouble
with any mail server. 


> Or else it does allow looping, which can be really bad . . .

The messages do not loop. Each bounce generates a new message.

 
> Does anyone know how I can keep this loop from happening again?

Do not forward postmaster mail, or if you do then make sure that
the forwarding works.

Having said that: I prefer the second way, for ease of use.

Set $DATABYTES to somewhat change the behaviour: qmail-smtpd will
not accept the message, the sending server will generate a double-bounce
and then discard that ...

Regards, Uwe





On Sun, Jul 02, 2000 at 12:17:14PM +0000, Uwe wrote:

> > I bring this up for one BIG reason: I read one of qmail's features was
> > built-in looping control.  Apparently, I am doing something wrong with
> > my QMAIL configuration.  
>
> Yup: You are forwarding postmaster mail. This is a guarantee for trouble
> with any mail server. 
>
>
> > Or else it does allow looping, which can be really bad . . .
>
> The messages do not loop. Each bounce generates a new message.
>
>
> > Does anyone know how I can keep this loop from happening again?
>
> Do not forward postmaster mail, or if you do then make sure that
> the forwarding works.
>
> Having said that: I prefer the second way, for ease of use.
>
> Set $DATABYTES to somewhat change the behaviour: qmail-smtpd will
> not accept the message, the sending server will generate a double-bounce
> and then discard that ...
>
> Regards, Uwe



Thank you for your response.  I'll be looking into it.




On Sun, Jul 02, 2000 at 01:23:20PM +1000, Brett Randall wrote:
} Ok, here's the deal:
} 
} qmail-pop3d is NOT secure, nor are most other standard POP3 daemons. POP
} passwords are sent in cleartext and are not encrypted.

Yes, but if you use APOP, the password goes out in the clear but is
useless afterwards.  Any client I can think of, including Eudora on my
Newton (which can't use SSL), supports APOP, and so does qmail-pop3d
with the appropriate checkpassword replacement.

} They can be viewed by
} people snooping a connection (although this is not as easy as it sounds). A
} way of fixing this insecurity is to use SSL, an option many POP3 clients
} (including most Microsoft ones, and Netscape, AFAIK) offer (in Advanced
} options usually). They perform the POP3 operations over the Secure Socket
} Layer (that is SSL), however this requires quite some config which I
} personally have never done before, but I have heard of people doing it.

It's simple using something like stunnel.

} 
} Look into it
} 
} Brett
} 
} Manager
} InterPlanetary Solutions
} http://ipsware.com/
} 
} 

-- 
--------
Paul J. Schinder
NASA Goddard Space Flight Center
[EMAIL PROTECTED]




On Sun, Jul 02, 2000 at 08:37:03AM -0400, [EMAIL PROTECTED] wrote:
> On Sun, Jul 02, 2000 at 01:23:20PM +1000, Brett Randall wrote:
> } Ok, here's the deal:
> } 
> } qmail-pop3d is NOT secure, nor are most other standard POP3 daemons. POP
> } passwords are sent in cleartext and are not encrypted.
> 
> Yes, but if you use APOP, the password goes out in the clear but is
> useless afterwards.  Any client I can think of, including Eudora on my
> Newton (which can't use SSL), supports APOP, and so does qmail-pop3d
> with the appropriate checkpassword replacement.

The password does not go out in the clear at all. Your statement is based
on a misconception. APOP authentication is secure from sniffers, they won't
be able to learn anything from your APOP command, except by bruteforcing.
Bruteforcing sniffed non-cleartext data applies to any authentication
technique except one-time-pads. 

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:ircoper]




> It works exactly the same as SSL and IMAP.  You can encapsulate any
> TCP connection in an SSL tunnel.  This includes IMAP, POP3, telnet, or
> even ssh or another SSL session, although the last two are pretty
> pointless.

Can anyone explain to me what sense an SSL tunnel for POP3 makes (I've
been wondering about that for a long time...)? I mean, as long as SMTP
isn't encrypted, the message already WAS unencrypted on the net, so
why should I encrypt anything besides the password of the user, which
can be done using APOP. As already said, if anyone wants to
secure the content of his mails, he will have to use PGP!

Best regards,
 Gabriel






On Sun, Jul 02, 2000 at 07:38:30PM +0200, Gabriel Ambuehl wrote:
> Can anyone explain to me what sense an SSL tunnel for POP3 makes (I've
> been wondering about that for a long time...)? I mean, as long as SMTP
> isn't encrypted, the message already WAS unencrypted on the net, so
> why should I encrypt anything besides the password of the user, which
> can be done using APOP. As already said, if anyone wants to
> secure the content of his mails, he will have to use PGP!

As long as all users on a mail server are either behind the same firewall
as the server or connecting with TLS (both SMTP and POP/IMAP), then local
mail on that server can be regarded as secure. I.e., for extranet purposes,
there is a point.

-Johan
-- 
Johan Almqvist




> amir:

> How do you plan on using SSL with POP? I know that SSL and IMAP work
> nicely together, but SSL and POP, never heard about that... maybe some
> SSL proxying techniques???

APOP is the variant with challenging secrets.

clemens




> [EMAIL PROTECTED]:

> Yes, but if you use APOP, the password goes out in the clear but is
> useless afterwards.  Any client I can think of, including Eudora on my

No, APOP challenges the client, which has to respond with an encrypted version
of the password, thus verifiable at the server.  You can reuse that password
as often as you like, but the challenge string and the answer will change
each time.

clemens
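
Added example, not code from anyone in this thread: the APOP exchange of RFC 1939 written out for both sides, with a constructed secret store and constructed pid/timestamp values, to show why a sniffed APOP line cannot be replayed against a fresh challenge and why the server still needs the shared secret itself rather than a hash of it.

```python
import hashlib
import hmac
import os
import time

# Constructed secret store. APOP needs the shared secret itself, not a hash
# of it, because the server must recompute MD5(challenge + secret).
APOP_SECRETS = {"alice": "correct horse battery staple"}


def make_challenge(host="pop.example.com", pid=None, ts=None):
    """Server side: the timestamp banner that RFC 1939 puts in the greeting."""
    pid = os.getpid() if pid is None else pid
    ts = int(time.time()) if ts is None else ts
    return f"<{pid}.{ts}@{host}>"


def apop_digest(challenge, secret):
    """Client side: MD5 over the challenge followed by the secret, lowercase hex."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def client_apop_command(user, secret, greeting):
    """Client side: pull the challenge out of the +OK greeting and build the
    'APOP name digest' line that actually crosses the wire."""
    start = greeting.find("<")
    end = greeting.find(">", start)
    challenge = greeting[start:end + 1]
    return f"APOP {user} {apop_digest(challenge, secret)}"


def server_check(challenge, line, secrets=APOP_SECRETS):
    """Server side: verify an 'APOP name digest' line against the challenge
    this session issued. Unknown users and malformed lines fail closed."""
    parts = line.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(challenge, secret)
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


def session(user, secret, pid, ts):
    """One complete exchange: greeting, APOP line, and the server's verdict."""
    challenge = make_challenge(pid=pid, ts=ts)
    greeting = f"+OK POP3 server ready {challenge}"
    line = client_apop_command(user, secret, greeting)
    return challenge, line, server_check(challenge, line)


def replay_demo():
    """A sniffer captures session 1's APOP line and resends it in session 2.
    The challenge differs, so the replayed digest no longer verifies."""
    _, line1, ok1 = session("alice", APOP_SECRETS["alice"], 4242, 962558237)
    challenge2 = make_challenge(pid=4243, ts=962558238)
    return ok1, server_check(challenge2, line1)


if __name__ == "__main__":
    print(replay_demo())  # (True, False)
```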




Closing the gap slightly between qmail-local and procmail... I've
implemented a flow control feature in qmail-local for .qmail files.
If you have a sequence of lines like:
    ?label command arg ...
    ...
    :label
it'll deliver the message to the command, and if the command exits
with status 99, qmail-local will skip down to the `:label' line -
delivery instructions in the intervening lines are ignored.  `:' lines
are otherwise treated as comments.  A label is a (possibly empty)
sequence of non-space, non-tab, nonzero bytes.  Text following a label
on a `:' line is ignored.  If there is no command, it's an
unconditional jump.  If a command exits 99 and the corresponding label
is not found, all following delivery instructions are skipped (as with
`|command').  There are no backward jumps.  This makes the .qmail
language a little more useful, IMO, but not enough to cause
trouble. :)  (You get if-then-else, but not while.)  The syntax is a
little ugly, but it gets the job done.

The same functionality is already available with `|' command lines,
but then you need multiple .qmail files, which exposes extra addresses
to outside senders, so it gets a little more complicated.

Does anyone know:
- whether this has already been done?
- whether this is already in the works for qmail proper?
- whether this would be likely to be accepted into qmail proper?
  (Does DJB read this list?)

If you use it, let me know if it breaks, so I can fix it, or if it
works, so I'll have a feeling of accomplishment.  (It's passed my
tests.)

Also, while writing this I noticed what appears to be a bug:
qmail-local trims trailing whitespace from a delivery instruction
before processing it.  This breaks instructions like `|command foo\ '.
The fix, I guess, would be to do the trimming only for lines beginning
with other than `|' (and `?', and, as long as we're special-casing,
`#', to save a few cycles).  mbox files could have names ending in
spaces, too, but if whitespace were left at the end of `.' and `/'
lines, then `./foo/ ' would be reinterpreted as an mbox instead of a
maildir, as it is now, so that might not be a good idea.
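
Added example, not Paul's code: a Python model of the ?label/:label semantics described above and of the trailing-whitespace trimming behaviour noted just before, so the rules can be traced on a constructed .qmail file. Program deliveries are simulated through a table of exit statuses rather than executed; the maildir names and the bin/isjunk and bin/deliver commands are made up for the example.

```python
import re

SKIP_STATUS = 99  # a program exiting 99 makes qmail-local stop delivering


def parse_instruction(line, trim_fix=True):
    """Drop the newline. qmail-local trims trailing blanks from every line;
    the message proposes leaving them alone on '|', '?' and '#' lines."""
    line = line.rstrip("\n")
    if trim_fix and line[:1] in ("|", "?", "#"):
        return line
    return line.rstrip(" \t")


def label_of(colon_line):
    """Label of a ':label ...' line: the bytes up to the first space or tab."""
    return re.split(r"[ \t]", colon_line[1:], maxsplit=1)[0]


def find_label(lines, start, label):
    """Forward jumps only: index of the first ':label' line after `start`
    whose label matches exactly (a prefix match is not a match), else None."""
    for idx in range(start + 1, len(lines)):
        if lines[idx].startswith(":") and label_of(lines[idx]) == label:
            return idx
    return None


def run_dotqmail(text, commands, trim_fix=True):
    """Interpret a .qmail file. `commands` maps a command string to the exit
    status it would return; programs are simulated, never executed. Returns
    the deliveries that would happen, in order."""
    lines = [parse_instruction(l, trim_fix) for l in text.splitlines(True)]
    deliveries = []

    def run_program(cmd):
        status = commands.get(cmd, 0)
        deliveries.append(("program", cmd, status))
        return status

    idx = 0
    while idx < len(lines):
        ins = lines[idx]
        head = ins[:1]
        if ins == "":
            if idx == 0:
                raise ValueError("first line of .qmail file is blank (#4.2.1)")
        elif head in ("#", ":"):
            pass  # comment, or a label that only serves as a jump target
        elif head == "|":
            if run_program(ins[1:]) == SKIP_STATUS:
                break  # classic qmail: skip every following instruction
        elif head == "?":
            parts = re.split(r"[ \t]+", ins[1:], maxsplit=1)
            label = parts[0]
            cmd = parts[1] if len(parts) > 1 else ""
            # no command after the label means an unconditional jump
            if cmd == "" or run_program(cmd) == SKIP_STATUS:
                target = find_label(lines, idx, label)
                if target is None:
                    break  # label missing: same as exit 99 on a '|' line
                idx = target  # the loop step below resumes after ':label'
        elif head in (".", "/"):
            kind = "maildir" if ins.endswith("/") else "mbox"
            deliveries.append((kind, ins))
        else:
            deliveries.append(("forward", ins.lstrip("&")))
        idx += 1
    return deliveries


# Constructed sample .qmail: a filter program's exit status picks the maildir.
SAMPLE = (
    "# constructed: route by the exit status of a filter program\n"
    "?junk bin/isjunk\n"
    "./Maildir/\n"
    "?done\n"
    ":junk\n"
    "./Maildir/.Junk/\n"
    ":done\n"
)

def route(is_junk):
    """Run SAMPLE with bin/isjunk exiting 99 (junk) or 0 (not junk)."""
    return run_dotqmail(SAMPLE, {"bin/isjunk": SKIP_STATUS if is_junk else 0})

def missing_label():
    """'?foobar' must not jump to ':foo'; with no exact label the remaining
    instructions are skipped."""
    text = "?foobar bin/isjunk\n./Maildir/\n:foo\n./Maildir/.Other/\n"
    return run_dotqmail(text, {"bin/isjunk": SKIP_STATUS})

def trailing_blank(trim_fix):
    """The trimming bug from the message: '|command foo\\ ' loses its escaped
    trailing space unless '|' lines are exempt from trimming."""
    return run_dotqmail("|bin/deliver foo\\ \n", {}, trim_fix)[0][1]
```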

Here's the diff -u:
--------8<--------
--- qmail-local.c       Sat Jun 17 05:02:16 2000
+++ qmail-local.c~      Mon Jun 15 05:53:16 1998
@@ -653,7 +653,6 @@
         if (i) break;
          strerr_die1x(111,"Uh-oh: first line of .qmail file is blank. (#4.2.1)");
        case '#':
-       case ':':
          break;
        case '.':
        case '/':
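Review bot: the file headers show this diff was generated in reverse: `--- qmail-local.c` carries the June 2000 timestamp of the modified file and `+++ qmail-local.c~` the 1998 backup, so the `-` lines here and in the next hunk are really the additions. Regenerate with `diff -u qmail-local.c~ qmail-local.c` so that `case ':':` reads as an addition; placing it beside `case '#':` so it falls through to `break` matches the stated rule that `:` lines are otherwise treated as comments.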
@@ -671,46 +670,6 @@
         if (flagforwardonly) strerr_die1x(111,"Uh-oh: .qmail has prog delivery but 
has x bit set. (#4.7.0)");
          if (flagdoit) mailprogram(cmds.s + i + 1);
          else sayit("program ",cmds.s + i + 1,k - i - 1);
-         break;
-       case '?':
-         ++i;
-         {
-           int l;
-           for (l = i;l < k;++l)
-             if (cmds.s[l] == ' ' || cmds.s[l] == '\t') {
-               cmds.s[l] = 0;
-               for (++l;l < k;++l)
-                 if (cmds.s[l] != ' ' && cmds.s[l] != '\t') {
-                   ++count_program;
-                   if (flagforwardonly) strerr_die1x(111,"Uh-oh: .qmail has prog 
delivery but has x bit set. (#4.7.0)");
-                   if (flagdoit) mailprogram(cmds.s + l);
-                   else sayit("program ",cmds.s + l,k - l);
-                   break;
-                 }
-               break;
-             }
-           if (l == k || flag99) {
-             flag99 = 0;
-             cmds.s[j] = '\n';
-             for (;j + 1 < cmds.len;++j)
-               if (cmds.s[j] == '\n' && cmds.s[j + 1] == ':') {
-                 j += 2;
-                 l = j;
-                 for (; j < cmds.len;++j) {
-                   if (cmds.s[j] == 0) break;
-                   if (cmds.s[j] == '\t') break;
-                   if (cmds.s[j] == '\n') break;
-                   if (cmds.s[j] == ' ') break;
-                 }
-                 if (!str_diffn(cmds.s + i,cmds.s + l,j - l)) {
-                   for (; j < cmds.len;++j)
-                     if (cmds.s[j] == '\n') break;
-                   break;
-                 }
-                 --j;
-               }
-           }
-         }
          break;
        case '+':
         if (str_equal(cmds.s + i + 1,"list"))
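Review bot: the label comparison `if (!str_diffn(cmds.s + i,cmds.s + l,j - l))` compares only as many bytes as the `:label` found has, so a longer `?` label whose prefix matches (`?foobar` against `:foo`) is accepted as a match. Record the length of the `?` label before `cmds.s[j] = '\n';` overwrites the line terminator (at that point it ends at the 0 written by `cmds.s[l] = 0;` or at the end of the line) and require that length to equal `j - l` as well. A short comment above the `for (;j + 1 < cmds.len;++j)` scan saying that the newline at `cmds.s[j]` is restored so the search can start at the current line's end would also help readers of this hunk.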
--------8<--------


paul




I would like to know what I need to do to solve this error message:

qmail: 962558237.142034 delivery 162: deferral:
Unable_to_chdir_to_maildir._(#4.2.1)/

               Roberto Samarone  Araujo





On Mon, Jan 01, 1996 at 06:12:42AM -0200, Roberto Samarone Araújo (RSA) wrote:
> I would like to know what I need to do to solve this error message:
> 
> qmail: 962558237.142034 delivery 162: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/

What's the command line for qmail-start ?
How did you create the Maildir ?
What are the permissions on $HOME/Maildir (and sub-tree) ?
 
>                Roberto Samarone  Araujo
Greetz,
  Steffan 

-- 
http://therookie.dyndns.org





> > qmail: 962558237.142034 delivery 162: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
>
> What's the command line for qmail-start ?
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start ./Maildir/ splogger qmail&
> How did you create the Maildir ?
maildirmake
> What are the permissions on $HOME/Maildir (and sub-tree) ?
The same as the user's

                    Roberto Samarone Araujo







>qmail: 962558237.142034 delivery 162: deferral:
> Unable_to_chdir_to_maildir._(#4.2.1)/

I was trying to solve this problem when I discovered that when I send an
internal email, it arrives in Maildir, but if I send an email from another
place, qmail logs this message. Could you please help me??

             Roberto Samarone Araujo





On Sun, Jul 02, 2000 at 03:19:23PM -0300, Roberto Samarone Araújo (RSA) wrote:
> >qmail: 962558237.142034 delivery 162: deferral:
> > Unable_to_chdir_to_maildir._(#4.2.1)/
> 
> I was trying to solve this problem when I discovered that when I send an
> internal email, it arrives in Maildir, but if I send an email from another
> place, qmail logs this message. Could you please help me??
Have you got any virtual domains ?
 
>              Roberto Samarone Araujo
Steffan

PS: I see you fixed the system date/time ;-)

-- 
http://therookie.dyndns.org





> On Sun, Jul 02, 2000 at 03:19:23PM -0300, Roberto Samarone Araújo (RSA) wrote:
> > >qmail: 962558237.142034 delivery 162: deferral:
> > > Unable_to_chdir_to_maildir._(#4.2.1)/
> >
> > I was trying to solve this problem when I discovered that when I send an
> > internal email, it arrives in Maildir, but if I send an email from another
> > place, qmail logs this message. Could you please help me??
> Have you got any virtual domains ?

    No, what I saw is that I need to send an email to @server.domain. It
doesn't accept @domain ://

               Roberto Samarone Araujo






I don't have any alias ... If a remote host sends me an email, qmail
doesn't put it in Maildir ... it logs the error message:

         delivery 38: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/

                            Roberto Samarone Araujo





What exactly is APOP?
Is it supported by outlook and Netscape (ie typical clients)?

At qmail.org, I found:
http://www.geocities.co.jp/SiliconValley/4777/qmail/checkpw/index.html
This program seems to put the qmail password into the user's directory
for both POP and APOP.
Is the idea to allow Qmail to authenticate using a 'dummy' password,
only good for checkpwd/checkapoppwd?
This appears to be a nice solution, because then the actual password of
the user would never be transmitted.

So,
How secure is this, have others been using it?

Please forgive my ignorance, I don't spend much time with qmail admin
because it works so well I don't have to. Yet I have always been
bothered by sending users passwords over the net, even though those
users are not allowed a shell i.e. /bin/false.

Thanks,
Joe Junkin
[EMAIL PROTECTED]
http://www.datacrawler.com




On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> What exactly is APOP?

APOP is an authentication mechanism for POP, in which passwords are not
transmitted cleartext but *do* need to be in a cleartext-list on the
server.

> Is it supported by outlook and Netscape (ie typical clients)?

As far as I know, yes.

[snip]
> So,
> How secure is this, have others been using it?

I have not tried it, but it should be quite secure. I do intend to support
it in the virtualdomain checkpassword replacement I am building (and will
opensource, but don't ask, it will take its time :)

> Please forgive my ignorance, I don't spend much time with qmail admin
> because it works so well I don't have to. Yet I have always been
> bothered by sending users passwords over the net, even though those
> users are not allowed a shell i.e. /bin/false.

That is a very good thing to be concerned about indeed :)

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:ircoper]




On Sun, Jul 02, 2000 at 11:47:20PM +0200, Peter van Dijk wrote:
> On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> > What exactly is APOP?
> 
> APOP is an authentication mechanism for POP, in which passwords are not
> transmitted cleartext but *do* need to be in a cleartext-list on the
> server.

Which is the reason I'll never use it.

> > Is it supported by outlook and Netscape (ie typical clients)?
> 
> As far as I know, yes.

Nope.  The only client (afaik) that supports APOP is Eudora.  I know for sure
that Outlook and Outlook Express do not, and I'm pretty sure that Netscape
doesn't either.

The most supported way of doing (more) secure email is to run it over SSL.

--Adam




Initially I thought I saw your point, but I was wrong.  You don't seem
to be making any sense.

On Sun, Jul 02, 2000 at 10:17:23PM -0400, Adam McKenna wrote:
[this sentence originally came after the next quoted block]
> If he can find a security hole that allows him to read files
> that don't belong to him, he now has the entire list of passwords.

Make the list readable only by root.  Now a local user effectively
needs root access to read the APOP secrets.  Once that local user has
rooted the box, I don't see why it matters that the secrets were
cleartext.

> That was entirely my point.  IMO the "security cost" of saving cleartext
> passwords on the server is not worth the "security gain" of having POP3
> passwords encrypted when the user checks his mail.  If someone is sniffing
> pop3 passwords then he has the ability to (most likely) only obtain a small
> number of passwords that way, as opposed to the attacker who has an account
> on the server.

So you don't care if anyone with network access has "a small number of
passwords"?  Why is one user password better than another?  If there
are local root vulnerabilities present on the system, any single user
account should be good enough to exploit them.  Allowing someone to
sniff any number of passwords sounds like a Bad Thing(tm).

I have yet to work in an environment where it is harder to run a
packet sniffer than it is to find a local root vulnerability.

> If you're concerned about email security, APOP is not worth it.  Go with SSL 
> or another security model (like having virtual POP3 accounts that aren't UNIX
> users).

I think the point you are missing is that APOP effectively creates
virtual POP3 accounts with the same usernames as existing users.  APOP
secrets are good for one thing and one thing only: accessing the POP
server.  Once your local user has rooted the box to obtain all of the
APOP secrets, are you really concerned that they might subsequently
use those secrets to access user e-mail through the POP server?

APOP has the significant advantage that the string which goes over the
wire cannot be replayed in the future, while virtual POP3 accounts
have static passwords.  APOP is not vulnerable to sniffing (*), but
POP3+virtual accounts is.

(*) This is wrt granting unauthorized access to the system.  SMTP
isn't encrypted, so being able to sniff the contents of the e-mail as
it comes from the POP3 server isn't very exciting.

Yes, SSL covers all of these bases and then some, but the existence of
SSL doesn't mean that APOP is useless.  Since there is no real
encryption involved (just one hash on each side), APOP will use far
fewer system resources.  Combine that with the fact that SMTP is also
unencrypted, and a strong case can be made that POP3+SSL is major
overkill in a lot of situations.

Brian

PS Somewhere else in this thread someone mentioned that the only APOP
client they were aware of is Eudora.  FWIW, fetchmail also supports
APOP.




Adam McKenna wrote:
> 
> On Sun, Jul 02, 2000 at 04:52:25PM -0700, Tom Fishwick wrote:
> > Adam McKenna wrote:
> > >
> > > On Sun, Jul 02, 2000 at 11:47:20PM +0200, Peter van Dijk wrote:
> > > > On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> > > > > What exactly is APOP?
> > > >
> > > > APOP is an authentication mechanism for POP, in which passwords are not
> > > > transmitted cleartext but *do* need to be in a cleartext-list on the
> > > > server.
> > >
> > > Which is the reason I'll never use it.
> >
> > The way I understand it is that apop uses more of a secret and not a password.  I just finished
> > putting in apop support for a pop server I wrote for a webmail system.  Users don't use their normal
> > password, but instead have the server generate a random secret that is about 50 characters long,
> > then they cut/paste that secret into their MUA.  Also, according to rfc1939  a pop3 account
> > shouldn't allow both user/pass and apop for a given user.
> 
> First of all, I really didn't need 4 copies of that e-mail.

sorry bout that

> 
> What I said was that I'll never use APOP because it requires the passwords to
> be stored in cleartext on the server.  Which part of that are you disagreeing
> with?

I'm not disagreeing with anything.  Just wanted to point out that the password that's being stored
on the server for apop is not (well, shouldn't be) the same password you would use for user/pass
auth.  Sure it's not totally secure, but I think it protects well enough against the average user
that checks for new mail every 5 min.

> 
> --Adam




On Mon, Jul 03, 2000 at 12:17:05AM -0400, Adam McKenna wrote:
> On Sun, Jul 02, 2000 at 08:44:23PM -0700, Brian D. Winters wrote:
> > Make the list readable only by root.  Now a local user effectively
> > needs root access to read the APOP secrets.  Once that local user has
> > rooted the box, I don't see why it matters that the secrets were
> > cleartext.
> 
> There have been several exploits in the past that allowed a local user to
> read files on the system without obtaining root.  Granted, if someone found
> a vulnerability like this he could read the shadow file, but at least the
> passwords in the shadow file are encrypted (as opposed to the passwords in
> the apop.secrets file).

Right, but that class of exploits doesn't change anything in this
discussion.  (I almost mentioned this case in my last message, but I
was curious how thoroughly you had thought this through.  Apparently
the answer is "not as thoroughly as you think.")  The same exploit
which reads the secrets file could also be used to read the user's
mail file(s).  Since APOP secrets are only useful for reading mail,
nothing has been gained by reading the APOP secrets file by this
means.

> As you've pointed out, an attacker with sniffing ability can already read the 
> e-mail, which is the only thing that the password protects.  If a sniffer can
> read the e-mail, then who cares if he has the password?

In the absence of APOP, my POP3 password protects a lot more than just
my e-mail.  My understanding from what you've said so far is that this
is why you like dummy accounts.  For my situation dummy accounts are a
headache.  I also like the one-time nature of a sniffed APOP token,
but if you can sniff then you can probably also hijack....  Anyway, I
agree to disagree with you here.  Each situation is different.  We've
both made our cases.  This horse looks dead.

> I'd rather make sure
> that if he DOES get the password, it will be useless except for reading the
> e-mail.

So you are advocating APOP then? ;)  (Sorry.  I should know better,
but I couldn't resist one more swipe at the corpse on my way out.)

Brian




On Sun, Jul 02, 2000 at 08:44:23PM -0700, Brian D. Winters wrote:
> Initially I thought I saw your point, but I was wrong.  You don't seem
> to be making any sense.
> 
> On Sun, Jul 02, 2000 at 10:17:23PM -0400, Adam McKenna wrote:
> [this sentence originally came after the next quoted block]
> > If he can find a security hole that allows him to read files
> > that don't belong to him, he now has the entire list of passwords.
> 
> Make the list readable only by root.  Now a local user effectively
> needs root access to read the APOP secrets.  Once that local user has
> rooted the box, I don't see why it matters that the secrets were
> cleartext.

There have been several exploits in the past that allowed a local user to
read files on the system without obtaining root.  Granted, if someone found
a vulnerability like this he could read the shadow file, but at least the
passwords in the shadow file are encrypted (as opposed to the passwords in
the apop.secrets file).

> > That was entirely my point.  IMO the "security cost" of saving cleartext
> > passwords on the server is not worth the "security gain" of having POP3
> > passwords encrypted when the user checks his mail.  If someone is sniffing
> > pop3 passwords then he has the ability to (most likely) only obtain a small
> > number of passwords that way, as opposed to the attacker who has an account
> > on the server.
> 
> So you don't care if anyone with network access has "a small number of
> passwords"?  Why is one user password better than another?  If there
> are local root vulnerabilities present on the system, any single user
> account should be good enough to exploit them.  Allowing someone to
> sniff any number of passwords sounds like a Bad Thing(tm).
> 
> I have yet to work in an environment where it is harder to run a
> packet sniffer than it is to find a local root vulnerability.

As you've pointed out, an attacker with sniffing ability can already read the 
e-mail, which is the only thing that the password protects.  If a sniffer can
read the e-mail, then who cares if he has the password?  I'd rather make sure
that if he DOES get the password, it will be useless except for reading the
e-mail.

I guess the point I'm trying to make is that APOP is akin to putting all of
your eggs in one basket.  I believe in the security practice that passwords
should _never_ be stored in cleartext, and I really don't see a reason to
go against that practice, especially when there are other, better methods of
securing e-mail.

Also, in the day of $150 500-MHz CPUs, I'm not really convinced by the
system resources argument.

> > If you're concerned about email security, APOP is not worth it.  Go with SSL 
> > or another security model (like having virtual POP3 accounts that aren't UNIX
> > users).
> 
> I think the point you are missing is that APOP effectively creates
[...]
> overkill in a lot of situations.

You are entitled to your opinion, and I certainly won't stop you from using
APOP on any of your servers.  I am merely stating that I'll never use it on
any of mine.

> Brian
> 
> PS Somewhere else in this thread someone mentioned that the only APOP
> client they were aware of is Eudora.  FWIW, fetchmail also supports
> APOP.

Heh.  I'll leave my opinion of fetchmail out of this.

--Adam




At 07:11 PM 7/2/2000 , Tom Fishwick wrote:
>Adam McKenna wrote:
>> 
[snip]
>auth.  Sure it's not totally secure, but I think it protects well enough 
>against the average user
>that checks for new mail every 5 min.

Especially (as was pointed out earlier) since the item the password is
protecting was sent over the internet in clear text.  That's why most
people are only slightly concerned about POP, not overly concerned.
#

>
>> 
>> --Adam





On Sun, Jul 02, 2000 at 08:43:56PM -0500, Troy Frericks wrote:
> At 07:11 PM 7/2/2000 , Tom Fishwick wrote:
> >Adam McKenna wrote:
> >> 
> [snip]
> >auth.  Sure it's not totally secure, but I think it protects well enough 
> >against the average user
> >that checks for new mail every 5 min.
> 
> Especially (as was pointed out earlier) since the item the password is
> protecting was sent over the internet in clear text.  That's why most
> people are only slightly concerned about POP, not overly concerned.
> #

That was entirely my point.  IMO the "security cost" of saving cleartext
passwords on the server is not worth the "security gain" of having POP3
passwords encrypted when the user checks his mail.  If someone is sniffing
pop3 passwords then he has the ability to (most likely) only obtain a small
number of passwords that way, as opposed to the attacker who has an account
on the server.  If he can find a security hole that allows him to read files
that don't belong to him, he now has the entire list of passwords.

If you're concerned about email security, APOP is not worth it.  Go with SSL,
or another security model (like having virtual POP3 accounts that aren't UNIX 
users).

--Adam




Adam McKenna wrote:
> 
> On Sun, Jul 02, 2000 at 11:47:20PM +0200, Peter van Dijk wrote:
> > On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> > > What exactly is APOP?
> >
> > APOP is an authentication mechanism for POP, in which passwords are not
> > transmitted cleartext but *do* need to be in a cleartext-list on the
> > server.
> 
> Which is the reason I'll never use it.

The way I understand it is that apop uses more of a secret and not a password.  I just finished
putting in apop support for a pop server I wrote for a webmail system.  Users don't use their normal
password, but instead have the server generate a random secret that is about 50 characters long,
then they cut/paste that secret into their MUA.  Also, according to rfc1939  a pop3 account
shouldn't allow both user/pass and apop for a given user.

> 
> > > Is it supported by outlook and Netscape (ie typical clients)?
> >
> > As far as I know, yes.
> 
> Nope.  The only client (afaik) that supports APOP is Eudora.  I know for sure
> that Outlook and Outlook Express do not, and I'm pretty sure that Netscape
> doesn't either.
> 
> The most supported way of doing (more) secure email is to run it over SSL.
> 
> --Adam







On Sun, Jul 02, 2000 at 04:52:25PM -0700, Tom Fishwick wrote:
> Adam McKenna wrote:
> > 
> > On Sun, Jul 02, 2000 at 11:47:20PM +0200, Peter van Dijk wrote:
> > > On Sun, Jul 02, 2000 at 12:53:04PM -0700, Joseph R. Junkin wrote:
> > > > What exactly is APOP?
> > >
> > > APOP is an authentication mechanism for POP, in which passwords are not
> > > transmitted cleartext but *do* need to be in a cleartext-list on the
> > > server.
> > 
> > Which is the reason I'll never use it.
> 
> The way I understand it is that apop uses more of a secret and not a password.  I 
> just finished
> putting in apop support for a pop server I wrote for a webmail system.  Users don't 
> use their normal
> password, but instead have the server generate a random secret that is about 50 
> characters long,
> then they cut/paste that secret into their MUA.  Also, according to rfc1939  a pop3 
> account
> shouldn't allow both user/pass and apop for a given user.

First of all, I really didn't need 4 copies of that e-mail.

What I said was that I'll never use APOP because it requires the passwords to
be stored in cleartext on the server.  Which part of that are you disagreeing
with?

--Adam
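As an added worked example (not code from this thread, from qmail, or from any POP server mentioned in it), the following Python walks through the APOP exchange of RFC 1939 section 7 that Peter and Adam are discussing in the two replies above: the server greets with a timestamp, the client answers with MD5(timestamp + secret), and the server must recompute that digest from the secret in the clear, which is why the server side needs a cleartext list. It also shows what a passive sniffer who captured one banner and one APOP line can do offline, since the digest is unkeyed MD5 over a public timestamp. The hostname, account and secret are made up.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed server-side secret table. APOP (RFC 1939, section 7) has both
# sides compute MD5(timestamp || shared secret), so the server must be able
# to reproduce the secret itself; a one-way hash of it would not do.
# The account and secret below are made up for this example.
APOP_SECRETS = {
    "joe": "correct horse battery staple",
}


def apop_banner(hostname: str, pid: int, now: int) -> str:
    """Server greeting; the <...> token is the per-connection timestamp."""
    return f"+OK POP3 server ready <{pid}.{now}@{hostname}>"


def extract_timestamp(banner: str) -> str:
    """Pull the '<pid.now@host>' token, angle brackets included, out of the greeting."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(timestamp: str, secret: str) -> str:
    """The APOP digest: hex MD5 of the timestamp followed by the secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def client_apop_command(banner: str, user: str, secret: str) -> str:
    """What the MUA sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(banner), secret)}"


def server_verify_apop(timestamp: str, command: str, secrets: dict) -> bool:
    """Server side: recompute the digest from the stored cleartext secret.

    Note that this is only possible because `secrets` holds the secret
    itself; a salted hash of the secret could not be used here."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    secret = secrets.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp, secret), digest)


def offline_guess(timestamp: str, digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a sniffer can do with one captured banner + APOP line: try
    candidate secrets offline until one reproduces the digest. A long random
    secret (as Tom describes) defeats this; a human-chosen password may not.
    Returns the recovered secret or None."""
    for guess in wordlist:
        if apop_digest(timestamp, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    banner = apop_banner("pop.example.net", 1896, 962618400)
    cmd = client_apop_command(banner, "joe", APOP_SECRETS["joe"])
    print(banner)
    print(cmd)
    print("server accepts:", server_verify_apop(extract_timestamp(banner), cmd, APOP_SECRETS))
```

The verification step is the whole argument in one place: `server_verify_apop` cannot work without `APOP_SECRETS` holding the secret verbatim, so an attacker who can read that file on the server gets every account, whereas a sniffer gets only the sessions they see, and from those only secrets weak enough for `offline_guess`.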






[EMAIL PROTECTED] wrote:
> 
> On Thu, Jun 29, 2000 at 11:54:55AM -0500, Ian Layton wrote:
> > Hello.
> >
> Your solution is to put your queue on a disk subsystem that can sync
> at the rate you want to submit (and deliver). Some do this with a faster
> disk, some do this with a partition that is spread across multiple
> spindles. How you do this depends on your OS type and what sort
> of hardware you are willing to throw at it.

Just out of curiosity, has anyone tried loading up a machine with 
gobs of RAM and then placing the queue on a ramdisk?   I know this 
would be dangerous for a production machine though, and I don't even 
know if the whole concept of inodes is the same on a ramdisk...

Eric




On Sun, Jul 02, 2000 at 01:58:40PM -0700, Eric Cox wrote:
[snip]
> 
> Just out of curiosity, has anyone tried loading up a machine with 
> gobs of RAM and then placing the queue on a ramdisk?   I know this 
> would be dangerous for a production machine though, and I don't even 
> know if the whole concept of inodes is the same on a ramdisk...

I have not tried, but the inodes cannot be a problem. The ramdisk behaves
just like any other device, what the filesystem does on top of that is
completely irrelevant. UNIX is quite modular at times ;P

Greetz, Peter.
-- 
[EMAIL PROTECTED] - Peter van Dijk [student:developer:ircoper]




Hi all

Can anyone tell me how I implement POP authentication over SSL? I'm
currently using qmail-pop3d with checkpasswd.

regards,

Parag Mehta                        <[EMAIL PROTECTED]>
System Administrator.
Puretech Internet Pvt. Ltd.        http://puretech.co.in/ 
77 Atlanta. Nariman Point.
Mumbai - 400021. India.            Tel: +91-22-2833158          
============================================================
Support is now available thru our Web Based Support System.
http://support.puretech.co.in
============================================================







A previously-compiled version is on my system. Qmail with rblsmtpd is the
only thing running from inetd, and I'm getting the following errors (a lot
of them):

        Jul  2 20:21:31 cyrix inetd[810]: pid 27892: exit status 1

That seems to point to rblsmtpd. When I tried to recompile, thinking
perhaps something in RHL had changed, it refused to compile.

So, aside from the compiling issue, does this error means something was
found in the RBL, or does it mean that the rblsmtpd program is failing?

-- 
Todd A. Jacobs
Senior Network Consultant






I get the following errors when attempting to compile rblsmtpd-0.70 on Red
Hat 6.2 running kernel 2.2.16-3. Any ideas about how I can get this to
compile?

In file included from /usr/include/bits/posix1_lim.h:126,
                 from /usr/include/limits.h:30,
                 from 
/usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/limits.h:117,
                 from 
/usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/syslimits.h:7,
                 from 
/usr/lib/gcc-lib/i386-redhat-linux/egcs-2.91.66/include/limits.h:11,
                 from /usr/include/bits/socket.h:31,
                 from /usr/include/sys/socket.h:34,
                 from /usr/include/netdb.h:31,
                 from txt.c:2:
/usr/include/bits/local_lim.h:27: linux/limits.h: No such file or directory
In file included from /usr/include/sys/socket.h:34,
                 from /usr/include/netdb.h:31,
                 from txt.c:2:
/usr/include/bits/socket.h:295: asm/socket.h: No such file or directory
In file included from /usr/include/arpa/nameser.h:87,
                 from txt.c:5:
/usr/include/sys/param.h:24: linux/limits.h: No such file or directory
/usr/include/sys/param.h:25: linux/param.h: No such file or directory
In file included from /usr/include/errno.h:36,
                 from txt.c:7:
/usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
make: *** [txt.o] Error 1

-- 
Todd A. Jacobs
Senior Network Consultant






On Sun, Jul 02, 2000 at 08:37:24PM -0700, Todd A. Jacobs wrote:

> /usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
> make: *** [txt.o] Error 1

Do you have the linux source tree installed on your box?  I'm guessing
not.

Ben

-- 
The spectre of a polity controlled by the fads and whims of voters who
actually believe that there are significant differences between Bud Lite
and Miller Lite, and who think that professional wrestling is for real, is
naturally alarming to people who don't.
                -- Neal Stephenson




On Sun, Jul 02, 2000 at 09:30:41PM -0700, Todd A. Jacobs wrote:

> On Sun, 2 Jul 2000, Ronny Haryanto wrote:
> 
> > Installing the package kernel-headers will suffice. It's not necessary
> > to install the whole kernel source tree just to compile.
> 
> I have those, too: kernel-headers-2.2.16-3

Where are they located?  If they are in /usr/src/linux, are the perms
correct?  The quickest way to check, assuming the RPM was created
correctly, would be to run 'rpm -V kernel-source' and 'rpm -V
kernel-headers'.

Ben

-- 
The spectre of a polity controlled by the fads and whims of voters who
actually believe that there are significant differences between Bud Lite
and Miller Lite, and who think that professional wrestling is for real, is
naturally alarming to people who don't.
                -- Neal Stephenson




On Sun, 2 Jul 2000, Ronny Haryanto wrote:

> Installing the package kernel-headers will suffice. It's not necessary
> to install the whole kernel source tree just to compile.

I have those, too: kernel-headers-2.2.16-3

-- 
Todd A. Jacobs
Senior Network Consultant






On 02-Jul-2000, Ben Beuchler wrote:
> On Sun, Jul 02, 2000 at 08:37:24PM -0700, Todd A. Jacobs wrote:
> > /usr/include/bits/errno.h:25: linux/errno.h: No such file or directory
> > make: *** [txt.o] Error 1
> 
> Do you have the linux source tree installed on your box?  I'm guessing
> not.

Installing the package kernel-headers will suffice. It's not necessary
to install the whole kernel source tree just to compile.

Ronny




On Sun, 2 Jul 2000, Ben Beuchler wrote:

> Do you have the linux source tree installed on your box?  I'm guessing
> not.

Yes, I do: kernel-source-2.2.16-3.

-- 
Todd A. Jacobs
Senior Network Consultant






The compile problem has been resolved. Even though rpm confirmed that all
the files were there and working, things were still broken until I
forced an upgrade of the identical packages. *shrug* Who knows why? The
point is it works now.

I'm still curious to know what those exit 1 and exit 111 messages are,
though.

-- 
Todd A. Jacobs
Senior Network Consultant







Hi:

How can I get qmail to allow SMTP relaying based on my client SSL
certificate?  When travelling my IP number changes, and I want to use
my secure SMTP server to send my mail.

TIA,
Adam Mackler




For example:
If I use ezmlm to build a mailing list
which has 26 subscribers: [EMAIL PROTECTED] -- [EMAIL PROTECTED],
all on the same host "remote.host",

then when I send a message to the mailing list, does qmail+ezmlm
1. send ONE message to "remote.host" and let the MTA of "remote.host"
   deliver the message to these 26 accounts?
        or
2. send 26 messages to "remote.host"?


thanks





??? writes:
> Then when I send a message to the mailing list, does qmail+ezmlm
> 1. send ONE message to "remote.host" and let the MTA of "remote.host"
>    deliver the message to these 26 accounts?
>         or
> 2. send 26 messages to "remote.host"?

2.  Sending separate messages means bounces are handled much more
easily, among other things.


paul
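As an added example (not ezmlm's or qmail's own code, and not from this thread), the Python below shows why Paul's answer makes bounce handling easy: if every subscriber gets their own envelope, the return path can encode the subscriber and the message number, so a bounce that comes back identifies exactly who failed without parsing the bounce body. The return-path layout `<list>-return-<msgnum>-<user>=<domain>@<listhost>` is modelled on ezmlm's convention but is an assumption here, as are the list name, host and subscriber addresses.

```python
import re
from typing import List, Optional, Tuple

# Assumed VERP-style layout for the envelope sender, modelled on ezmlm:
#   <list>-return-<msgnum>-<user>=<domain>@<listhost>
# The exact ezmlm format is not taken from the thread; the '@' of the
# subscriber address is folded into '=' so it survives as one local part.
_RETURN_RE = re.compile(r"^(?P<list>.+?)-return-(?P<num>\d+)-(?P<addr>.+)$")


def verp_return_path(list_local: str, list_domain: str, msgnum: int, recipient: str) -> str:
    """Envelope sender (MAIL FROM) to use when sending msgnum to one subscriber."""
    user, _, domain = recipient.rpartition("@")
    return f"{list_local}-return-{msgnum}-{user}={domain}@{list_domain}"


def expand_envelopes(list_local: str, list_domain: str, msgnum: int,
                     subscribers: List[str]) -> List[Tuple[str, str]]:
    """One (MAIL FROM, RCPT TO) pair per subscriber: 26 subscribers on the
    same host means 26 separate envelopes, never one envelope with 26 RCPT TOs,
    because each envelope needs its own per-subscriber return path."""
    return [(verp_return_path(list_local, list_domain, msgnum, s), s) for s in subscribers]


def parse_bounce(envelope_rcpt: str, list_local: str, list_domain: str) -> Optional[Tuple[int, str]]:
    """Given the address a bounce was delivered to, recover (msgnum, subscriber).

    Returns None for anything that is not one of our return paths, so the
    list software never acts on mail that merely looks like a bounce."""
    local, _, domain = envelope_rcpt.rpartition("@")
    if domain != list_domain:
        return None
    m = _RETURN_RE.match(local)
    if not m or m.group("list") != list_local:
        return None
    # Domains cannot contain '=', so the last '=' is the folded '@'.
    user, sep, host = m.group("addr").rpartition("=")
    if not sep or not user or not host:
        return None
    return int(m.group("num")), f"{user}@{host}"


if __name__ == "__main__":
    subs = [f"user{i}@remote.host" for i in range(1, 27)]   # constructed list
    for mail_from, rcpt_to in expand_envelopes("mylist", "lists.example", 42, subs)[:3]:
        print(f"MAIL FROM:<{mail_from}>  RCPT TO:<{rcpt_to}>")
    print(parse_bounce("mylist-return-42-user7=remote.host@lists.example", "mylist", "lists.example"))
```

With a single envelope carrying 26 recipients, remote.host would accept or reject the message as a whole at SMTP time, or send one bounce later that names the failed recipients only in free-form text; with one envelope per recipient, the bounce's own envelope recipient is the identifier.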




I'd like to know which IMAP server you suggest using.

                        Roberto Samarone Araujo





I've read the qmail FAQ, where I discovered how to set up qmail-pop3d. After
starting it from the prompt:
      tcpserver 0 110 /var/qmail/bin/qmail-popup myhost \
     /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir &

   I could receive the emails, but after forgetting to enter the password, I saw
that it worked without a password...
    I tried to put    pwd    after checkpassword but, after that, it
didn't understand the password and asked me for it again.
    How can I solve this??

                Roberto Samarone Araujo
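The thread does not say which program is sitting at /bin/checkpassword on that box, but the symptom (a login with no password succeeding) is what an authenticator that never rejects an empty password produces. As an added example, not the checkpassword program from djb or any of the ones mentioned on this page, the Python below implements the checkpassword interface that qmail-popup speaks: it reads `username\0password\0timestamp\0` from file descriptor 3, verifies the password against a salted hash, and either execs the rest of its arguments (qmail-pop3d) or exits 1 (bad credentials), 2 (malformed input) or 111 (temporary failure). The account, password, salt and the 100 000-iteration PBKDF2 choice are assumptions for the example, and the privilege drop a production checkpassword performs is noted but not implemented.

```python
import hashlib
import hmac
import os
import sys
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000   # assumed; tune to the box


def _entry(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed credential table: user -> (salt, PBKDF2-SHA256 digest). A real
# deployment would read this from a file that only this program can open, so
# that a hole in the POP daemon does not expose it. The account is made up.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "roberto": _entry("s3cret-pop-pw", b"\x00\x01fixed-salt-for-example"),
}

# checkpassword exit codes: 0 = accepted (exec argv[1:]), 1 = wrong
# user/password, 2 = misuse (malformed input), 111 = temporary failure.


def parse_checkpassword_input(raw: bytes) -> Optional[Tuple[str, str, str]]:
    """fd 3 carries 'username\\0password\\0timestamp\\0'. The timestamp is the
    APOP banner; for USER/PASS logins it is present but unused."""
    fields = raw.split(b"\0")
    if len(fields) < 4:          # three NUL terminators -> at least four pieces
        return None
    try:
        return fields[0].decode(), fields[1].decode(), fields[2].decode()
    except UnicodeDecodeError:
        return None


def verify(user: str, password: str, table: Dict[str, Tuple[bytes, bytes]] = CREDENTIALS) -> int:
    """Return the checkpassword exit code for this user/password pair."""
    # Reject an empty user or password outright: an authenticator that lets
    # "" through is exactly how a mailbox opens without a password.
    if not user or not password:
        return 1
    entry = table.get(user)
    if entry is None:
        # Burn a hash anyway so unknown and known users take the same time.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ROUNDS)
        return 1
    salt, stored = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return 0 if hmac.compare_digest(candidate, stored) else 1


def main() -> int:
    if len(sys.argv) < 2:        # nothing to exec on success
        return 2
    try:
        chunks = []
        while True:
            chunk = os.read(3, 512)
            if not chunk:
                break
            chunks.append(chunk)
        os.close(3)
    except OSError:
        return 2
    parsed = parse_checkpassword_input(b"".join(chunks))
    if parsed is None:
        return 2
    user, password, _timestamp = parsed
    rc = verify(user, password)
    if rc != 0:
        return rc
    # Assumed simplification: a production checkpassword also setgid/setuids
    # to the mailbox owner and chdirs to its home directory before exec'ing,
    # so that qmail-pop3d never runs with this program's privileges.
    os.environ["USER"] = user
    os.execvp(sys.argv[1], sys.argv[1:])
    return 111                   # only reached if exec itself failed


if __name__ == "__main__":
    sys.exit(main())
```

The two checks worth keeping even if everything else is swapped for a real implementation are the explicit rejection of an empty password in `verify` and the exit code 2 on malformed fd 3 input; a checkpassword that falls through to exit 0 on either of those is a mailbox open to anyone who can type the username.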








The sqwebmail page says that courier-imap includes
sqwebmail so there is no need to download sqwebmail
if you have courier-imap.

I cannot seem to find sqwebmail in my courier-imap-0.31
installation!

Anyone know where it could be?

I have done a find / -name sqwebmail -print.


Thanks,
Kristina






I think the courier mail server has it, not courier-imap (which is a
component of courier....

just use the www.inter7.com site...

-Colin

Kristina writes:

> 
> The sqwebmail page says that courier-imap includes
> sqwebmail so there is no need to download sqwebmail
> if you have courier-imap.
> 
> I cannot seem to find sqwebmail in my courier-imap-0.31
> installation!
> 
> Anyone know where it could be?
> 
> I have done a find / -name sqwebmail -print.
> 
> 
> Thanks,
> Kristina
> 


<- This is a Sig ->




Greetings:

I have installed qmail and vpopmail on a dedicated server. The hostname is 
inloc.inloc.com and there are 5 IP's on this machine. I've registered a domain name 
(ducaniveaux.com) to one of them, using a host-provided program called 'spectro', and 
I want to do virtual subhosting under it.

I receive mail as expected in the Maildir, 
/home/vpopmail/domains/ducaniveaux.com/postmaster/Maildir/new, but I can't retrieve 
it; I get a:
Connection reset by remote side (10054) message.

Is it perhaps because I don't have the DNS MX records set up correctly? There is no 
'named.hosts' file on my machine. Because this is a dedicated server, perhaps they are 
handling this elsewhere.
 
Moreover, when I installed qmail, I got the following message:
---
Checking local IP addresses:
127.0.0.1: Adding localhost to control/locals...
216.71.84.136: Adding inloc.inloc.com to control/locals...
64.33.89.34: PTR lookup failed. I assume this address has no DNS name.
64.33.89.35: PTR lookup failed. I assume this address has no DNS name.
64.33.89.36: PTR lookup failed. I assume this address has no DNS name.
64.33.89.71: PTR lookup failed. I assume this address has no DNS name.
64.33.89.72: PTR lookup failed. I assume this address has no DNS name.
---

64.33.89.36 is the IP assigned to ducaniveaux.com. I used vadddomain and vadduser to 
add the ducaniveaux.com domain and [EMAIL PROTECTED] user. vpopmail added 
'ducaniveaux.com:ducaniveaux.com' to /var/qmail/control/virtualdomains (it is not in 
/locals).

My control/defaultdelivery is set to ./Maildir/

Here's the relevant part of my qmail startup script:
#!/bin/sh

PATH=/var/qmail/bin:/usr/local/bin:/usr/bin:/bin
export PATH

case "$1" in
  start)
    echo -n "Starting qmail: svscan"
    tcpserver -H -R 0 pop-3 \
    /var/qmail/bin/qmail-popup inloc.inloc.com \
    /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir &
    cd /var/qmail/supervise
    env - PATH="$PATH" svscan &
    echo $! > /var/run/svscan.pid
    echo "."
    ;;
  stop)

I believe 'pop-3' is right; here's what's in services:
pop-3           110/tcp                         # PostOffice V.3
pop             110/tcp                         # PostOffice V.3

I haven't edited /etc/inetd.conf.

Anything else? :-)

Thanks for your help.

-- 
Lou Hevly
[EMAIL PROTECTED]





Hi all,

Just installed qmail on my first Linux server (easily converted from 
NT when I had a new project that called for a *stable* web/mail 
server :-).

I've read the install docs, and am following Dave Sill's LWQ install 
directions. When it comes time to start qmail, I get this error loop:

starting qmail:svscan
supervise: fatal: unable to acquire log/supervise/lock: temporary 
failure
supervise: fatal: unable to acquire qmail-send/supervise/lock: 
temporary failure
supervise: fatal: unable to acquire log/supervise/lock: temporary 
failure
supervise: fatal: unable to acuire qmail-smtpd/supervise/lock: 
temporary failure

What needs to be changed where to make qmail/svscan happy? 
My directories and permissions are set as described in LWQ:
http://web.infoave.net/~dsill/lwq.html#start-qmail

Thanks,
J!M
jim (at) symbolicsite.com 






Hi, I set up a virtual domain. I have a virtual user nery (to be forwarded to
kitty) and got this error; please help me out.

<[EMAIL PROTECTED]>: 
This message is looping: it already has my Delivered-To line. (#5.4.6)

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 921 invoked by uid 509); 3 Jul 2000 09:10:01 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 918 invoked by uid 509); 3 Jul 2000 09:10:01 -0000
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 915 invoked from network); 3 Jul 2000 09:09:59 -0000






I administer a legacy server running the above-mentioned operating
system, and decided to try out qmail on it to get some hands-on
experience. I followed the HOWTO (v2) closely, and everything seemed
fine until I tried to start the svscan init script. Then I get the
following error:

.
.
20362:/sbin/loader: Fatal Error: cannot malloc
24040:/sbin/loader: Fatal Error: cannot malloc
18016:/sbin/loader: Fatal Error: cannot malloc
20391:/sbin/loader: Fatal Error: cannot malloc
22058:/sbin/loader: Fatal Error: cannot malloc
.
.

And I have a really hard time killing it off. :)

I have spent half the weekend looking for a solution, but to no
avail. I have tried out several versions of daemontools (0.60,
0.61 and 0.70), with both the native and gcc compilers. I also don't think
there is a memory problem, as the compile goes fine and the system
should have plenty of memory.

If anyone has any idea about what causes this problem, I would
really appreciate it!

-- 
Bjørn Nordbø

