Hi,

I have some security questions.  I installed qmail toaster and I noticed the 
/var/qmail/control/sql file is set world readable by default.  Since the 
vpopmail password is stored in that file cleartext, it seems a fairly 
egregious security hole.  As a precaution I changed the file to be not world 
readable (but still readable by members of group qmail).

However, when running qmailadmin, I came across the dreaded "invalid login" 
bug.  Searching the mailing list archives I determined that this bug is 
typically due to a permissions problem.  Most of the problems were because 
nosuid was set in /etc/fstab, but not in my case.  In my case 
after a lot of fiddling about I realized the problems were because I had 
changed the sql file to be not world-readable --- as a result qmailadmin was 
unable to access the file.  I fixed the problem by making the sql file owned 
by vpopmail, as a temporary measure.

It seems to me that:

1) the /var/qmail/control/sql file should not be world readable OR the 
password should not be stored in clear text.

2) qmailadmin should give more informative error messages (like "cannot 
setuid" or "cannot read /var/qmail/control/sql file".)

Mitsu
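As an added example (not from the original post, and not code from the qmail toaster or vpopmail projects), the following POSIX shell script does the check the post describes by hand: it flags world-readable files in a control directory and strips the "others" read bit, leaving owner and group permissions as they are. It runs against a constructed throwaway directory rather than a real /var/qmail/control; the file name "sql", the credential line written into it, and the directory layout are stand-ins, and the ownership step assumes, as the post does, that qmailadmin runs setuid as vpopmail.

```shell
#!/bin/sh
# Added example: audit a qmail-style control directory for world-readable
# files and tighten them. Everything below runs against a temporary directory
# built by make_demo_dir; paths and file contents are constructed for the demo.

# Return 0 when "others" have read permission on FILE.
# POSIX find accepts a symbolic mode with -perm, so this works with both
# GNU and BSD userland without depending on stat(1) option differences.
is_world_readable() {
    [ -n "$(find "$1" -perm -o=r 2>/dev/null)" ]
}

# Print every regular file under DIR that is world-readable, one per line.
# Prints nothing when the directory is clean.
audit_control_dir() {
    find "$1" -type f -perm -o=r
}

# Remove the "others" read bit from FILE, leaving owner and group bits alone.
# Returns 0 only if the file is no longer world-readable afterwards.
restrict_file() {
    chmod o-r "$1" && ! is_world_readable "$1"
}

# Hand FILE to the user a setuid reader runs as (vpopmail in the post) and
# leave it readable by owner and group only. Needs root for chown; the demo
# and test do not call it because the sandbox has neither root nor that user.
hand_to_setuid_user() {
    # $1 = file, $2 = user the setuid program runs as (assumed: vpopmail)
    chown "$2" "$1" && chmod 640 "$1"
}

# Build a throwaway directory standing in for /var/qmail/control: a "sql"
# file holding a constructed credential line (not a real password or the
# real file format) and a harmless "me" file, both world-readable as in
# the default the post describes.
make_demo_dir() {
    demo_dir=$(mktemp -d)
    printf 'constructed-db-credentials: user=vpopmail pass=NOT-A-REAL-PASSWORD\n' \
        > "$demo_dir/sql"
    printf 'mail.example.org\n' > "$demo_dir/me"
    chmod 644 "$demo_dir/sql" "$demo_dir/me"
    echo "$demo_dir"
}

# Stand-alone run: `sh audit.sh demo` shows the directory before and after.
demo() {
    dir=$(make_demo_dir)
    echo "world-readable before:"
    audit_control_dir "$dir"
    restrict_file "$dir/sql"
    echo "world-readable after:"
    audit_control_dir "$dir"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

The audit reports "me" as well as "sql"; that is expected, since most control files are meant to be readable and only the one holding credentials needs restricting. Removing the others-read bit alone reproduces the symptom the post hit: a setuid helper whose effective user is neither the owner nor in the group can no longer open the file, so the chmod has to be paired with ownership by (or group membership of) the user the helper actually runs as, which is what hand_to_setuid_user does.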