On 2007-08-21, at 0433, Metin KAYA wrote:
> I am aware of your "onchange" script, but our topic is security. I think that we cannot give remote client IP as parameter in your onchange script. We took note of our customers' complaints. They claim that somebody always logging in system via qmailadmin. Then he/she alters the users' properties (such as passwords, quotas), adds new users to system and also removes some users from system. In this position, we want to know who (which IP?) did these things.
check your apache logs and see who's accessing the URL of your qmailadmin page.
i would also suggest that you tell these "users" (who i'm assuming are in control of one or more full domains, rather than individual mailboxes, and therefore know what qmailadmin is) to change the password on their "postmaster" account.
and before you do this: if your qmailadmin interface is available on a non-SSL web site, that needs to be changed. otherwise, anybody with a packet sniffer in the right place will be able to literally WATCH your users log into their domains, and read their passwords right off the wire.
this is dangerous, not only because it lets them go back in and change mailboxes around, but because if you allow people to relay using the AUTH command, this gives the attacker an email/password combination which can be used to relay spam through your server.
> Moreover, qmailadmin-logger.patch is C code, and does not have performance problems. However, onchange is a basic script.
you obviously don't understand how the "onchange" mechanism works... here's the short version:
at certain points within the code of the vpopmail library functions (i.e. after a mailbox is added, after a password is changed, just before a mailbox is deleted, etc.) the code within the vpopmail library runs a shell script called "~vpopmail/etc/onchange".
because qmailadmin uses the vpopmail library to carry out these functions (i.e. adding mailboxes, changing passwords, etc.) it already triggers this "onchange" script to be called whenever one of these actions occurs. the same is true of "vpopmaild"- because it uses the library, it also triggers the script to be called when needed.
you are correct, the "onchange" script is just a normal shell script (which is what i'm assuming you mean by "basic script", even though it's not written in basic.) this is what makes it so powerful- by customizing this script, you can make it do ANYTHING YOU WANT- which includes running "/usr/bin/logger" to send messages into the syslog mechanism.
in fact, the sample "onchange" script on my web site does just that- whatever data it receives from its command line (i.e. from the vpopmail library) is sent to the syslog, so there's a record of what actions were taken when. if you want these logs to be kept separate, you could add a "-p" option to your "logger" command line (i.e. "-p local4.info") and configure syslogd to send messages of that type to a specific file.
this means that if you want qmailadmin to start logging things like this... first make sure you're using a version of vpopmail which has the "onchange" code enabled (i.e. use a recent version, and make sure to use "--enable-onchange-script=yes" in your "./configure" command line) and then make sure your "onchange" script includes a suitable "logger" command. the sample script on my web site does.
http://qmail.jms1.net/vpopmail/onchange
the nice part about this is that if you set up the logging within the "onchange" script, the same logging will be done no matter WHAT program (qmailadmin, vpopmaild, command-line commands, etc.) actually does them.
the "onchange patch for qmailadmin" adds in a few explicit calls to run this script, in cases where qmailadmin does something which doesn't involve the vpopmail library, such as creating a mailing list. this is because, if you're using the "validrcptto.cdb" functionality, adding a mailing list creates another valid email address within your domain- and therefore the validrcptto.cdb file needs to be rebuilt, otherwise qmail-smtpd would refuse to accept incoming mail for the new list.
as for logging the web client's IP address... i know that apache passes an entire collection of environment variables to qmailadmin when it runs it. i don't think qmailadmin or the vpopmail library has any code which explicitly drops environment variables, so i'm pretty sure those same variables would be available while the "onchange" script is running.
you may want to try something like this in your "onchange" script. it will log an IP address if it can find one- the TCPREMOTEIP variable is set by tcpserver, which is how most people run "vpopmaild", and the REMOTE_ADDR variable is set by apache, so whichever one it finds, it will log, along with whatever messages came from the vpopmail library.
# log the client address if one is known, followed by whatever the vpopmail library passed on the command line
if [ -n "$TCPREMOTEIP" ]
then
    # set by tcpserver (the usual way to run vpopmaild)
    logger -t onchange "[$TCPREMOTEIP]" "$*"
elif [ -n "$REMOTE_ADDR" ]
then
    # set by apache when qmailadmin runs as a CGI
    logger -t onchange "[$REMOTE_ADDR]" "$*"
else
    logger -t onchange "$*"
fi
if you want to see a list of all of the environment variables that apache makes available to CGI scripts on your server, install this as "env.cgi" on your system and then access http://whatever/env.cgi ...
#!/usr/bin/perl
print "Content-type: text/plain\n\n" ;
map { printf "%30s = %s\n" , $_ , $ENV{$_} } sort keys %ENV ;
exit 0 ;
===
also, when replying to a message on a mailing list, make sure your reply goes to the list. there is no need to reply directly to me, either "instead of" or "in addition to", replying to the list. i suggest when you get a few minutes, you read this web page:
http://www.catb.org/~esr/faqs/smart-questions.html
----------------------------------------------------------------
| John M. Simpson --- KG4ZOW --- Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
----------------------------------------------------------------
| http://video.google.com/videoplay?docid=-1656880303867390173 |
----------------------------------------------------------------
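The apache-log check suggested at the top of this reply, written out as an added example (it is not part of the original message and not a script from jms1.net): tally which client addresses requested the qmailadmin CGI, and separately which ones submitted POST requests, since a login or a change made through the qmailadmin forms arrives as a POST. The log lines and the /cgi-bin/qmailadmin path are constructed for illustration; point the functions at your own access log and the URL your qmailadmin actually lives under.

```shell
#!/bin/sh
# Added example: who is hitting the qmailadmin CGI according to an Apache
# combined-format access log. Both functions read the log on stdin so they
# work equally with cat, zcat on rotated logs, or tail -f.

# Print "count ip" for every client that requested the given URL path,
# most active client first.
qmailadmin_hits() {
    grep -F -- "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Same tally restricted to POST requests (form submissions: logins, password
# and quota changes, adding/removing mailboxes).
qmailadmin_posts() {
    grep -F -- "$1" | grep -F '"POST ' | awk '{ print $1 }' | sort | uniq -c \
        | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log (addresses are from the RFC 5737 documentation
# ranges, not real clients).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [21/Aug/2007:04:10:01 +0300] "GET /cgi-bin/qmailadmin HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Aug/2007:04:10:09 +0300] "POST /cgi-bin/qmailadmin HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Aug/2007:04:12:44 +0300] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Aug/2007:04:31:17 +0300] "POST /cgi-bin/qmailadmin HTTP/1.1" 200 4198 "-" "curl/7.16"
203.0.113.5 - - [21/Aug/2007:04:31:20 +0300] "POST /cgi-bin/qmailadmin HTTP/1.1" 200 4198 "-" "curl/7.16"
203.0.113.5 - - [21/Aug/2007:04:31:25 +0300] "POST /cgi-bin/qmailadmin HTTP/1.1" 200 4198 "-" "curl/7.16"
EOF
}

# On a real server:
#   qmailadmin_posts /cgi-bin/qmailadmin < /var/log/apache2/access.log
echo "all requests:"
sample_log | qmailadmin_hits /cgi-bin/qmailadmin
echo "POST requests:"
sample_log | qmailadmin_posts /cgi-bin/qmailadmin
```

The tally only tells you which addresses touched the page; pairing the timestamps with the syslog lines the onchange script produces is what ties a given change to a given client.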

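A complete ~vpopmail/etc/onchange that combines the IP-detection fragment above with the "-p local4.info" suggestion, as an added example: this is not the sample script from jms1.net and not vpopmail's own code. It assumes, as the reply does, that TCPREMOTEIP is set by tcpserver and REMOTE_ADDR by apache; the "none" marker for an unknown client and the argument strings used in the test are my own choices, since the exact strings vpopmail passes are not shown on this page.

```shell
#!/bin/sh
# Added example of a ~vpopmail/etc/onchange script (not the jms1.net sample).
# Every vpopmail change is logged to syslog facility local4, prefixed with the
# client address when one is known. vpopmail (and qmailadmin through it) runs
# this script with its own arguments; the strings in the comments below are
# constructed for illustration.

# Pick the client address from whichever variable is set. TCPREMOTEIP comes
# from tcpserver (vpopmaild), REMOTE_ADDR from apache (qmailadmin). "none" is
# an assumed marker so log lines keep a fixed shape.
client_ip() {
    if [ -n "$TCPREMOTEIP" ]; then
        echo "$TCPREMOTEIP"
    elif [ -n "$REMOTE_ADDR" ]; then
        echo "$REMOTE_ADDR"
    else
        echo "none"
    fi
}

# Build the exact line handed to logger, e.g. "[192.0.2.10] add_user x@y",
# so it can be checked without a running syslogd.
onchange_log_line() {
    printf '[%s] %s\n' "$(client_ip)" "$*"
}

# Send the line to syslog under its own facility so syslogd can route it to a
# dedicated file, for example with this /etc/syslog.conf line:
#   local4.*    /var/log/onchange.log
onchange_main() {
    msg=$(onchange_log_line "$@")
    if command -v logger >/dev/null 2>&1; then
        logger -t onchange -p local4.info "$msg"
    else
        # no logger binary (e.g. a minimal container): fall back to stderr
        echo "onchange: $msg" >&2
    fi
}

# vpopmail always invokes the script with arguments; with none (for example
# when this file is sourced to test the functions) nothing is logged.
if [ $# -gt 0 ]; then
    onchange_main "$@"
fi
```

Because apache and tcpserver both pass their environment straight through to the library and on to this script, the same file gives you the client address whether the change came through qmailadmin, vpopmaild or a command-line tool (the last will simply log "none").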