Hello everybody, I've made some modifications to qmailadmin in order to be able to disable the use of catch-all accounts (which are a bane in our setup, as they get abused by spammers) and to refuse passwords that are too easily guessed (some of our customers use the login name as their password). I've also updated the configure.in script so that the features can be enabled or disabled. I'm attaching the patch; I hope it will be useful to someone else, and maybe find its way into the next releases.
-- Simone Lazzaris INTERACTIVE NETWORK SRL Via Roggia Vignola 9, 24047 Treviglio (BG) tel : +39 0363.302820 fax : +39 0363.304352 web : http://www.interactive.eu email : [email protected]
--- qmailadmin-1.2.12/configure.in 2007-11-14 05:28:51.000000000 +0100
+++ qmailadmin-1.2.12-nostro/configure.in 2009-02-26 10:46:58.000000000 +0100
@@ -350,6 +350,40 @@
;;
esac
+
+CATCHALL_ENABLED=yes
+AC_ARG_ENABLE(catchall, [ --disable-catchall Disable the use of catchall accounts.],
+ CATCHALL_ENABLED="$enableval",)
+
+case $CATCHALL_ENABLED in
+1*|y*|Y*)
+ CATCHALL_ENABLED=yes
+ AC_DEFINE_UNQUOTED(CATCHALL_ENABLED,1,"")
+ echo "checking whether to enable catchall accounts... yes"
+ ;;
+*)
+ CATCHALL_ENABLED=no
+ echo "checking whether to enable catchall accounts... no"
+ ;;
+esac
+
+
+TRIVIAL_PASSWORD_ENABLED=yes
+AC_ARG_ENABLE(trivial-password, [ --disable-trivial-password Disable the use of trivial password.],
+ TRIVIAL_PASSWORD_ENABLED="$enableval",)
+
+case $TRIVIAL_PASSWORD_ENABLED in
+1*|y*|Y*)
+ TRIVIAL_PASSWORD_ENABLED=yes
+ AC_DEFINE_UNQUOTED(TRIVIAL_PASSWORD_ENABLED,1,"")
+ echo "checking whether to enable trivial password... yes"
+ ;;
+*)
+ TRIVIAL_PASSWORD_ENABLED=no
+ echo "checking whether to enable trivial password... no"
+ ;;
+esac
+
AC_ARG_ENABLE(spamcmd-needs-email, [ --enable-spamcmd-needs-email Append the user's email to the end of the spam command.],
SPAM_NEED_EMAIL="$enableval",)
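Review bot: The new guessable-password rejection is off by default, because `TRIVIAL_PASSWORD_ENABLED=yes` is the initial value and the C code compiles the check in only under `#ifndef TRIVIAL_PASSWORD_ENABLED`, so an operator who does not pass `--disable-trivial-password` gets no protection; a security check is better opt-out, and either way the help string should state the default, e.g. `AC_ARG_ENABLE(trivial-password, [ --disable-trivial-password Reject passwords that can be guessed from the login name (default: accept them).],`. Keeping `CATCHALL_ENABLED=yes` as the default does preserve existing behaviour, which is the right call for that option. As a point of style, the bare `echo "checking whether to ..."` lines and `AC_DEFINE_UNQUOTED(...,1,"")` with an empty description would conventionally be `AC_MSG_CHECKING`/`AC_MSG_RESULT` and `AC_DEFINE` with a real description, matching what the rest of configure.in appears to do with `$enableval`. The enclosing `case` at the top of the hunk begins outside it.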
@@ -444,6 +478,8 @@
echo " help = "$enable_help""
echo " modify quota = "$MODIFY_QUOTA""
echo " domain autofill = "$DOMAIN_AUTOFILL""
+echo " catchall accounts = "$CATCHALL_ENABLED""
+echo " trivial passwords = "$TRIVIAL_PASSWORD_ENABLED""
echo " modify spam check = "$MODIFY_SPAM""
if test "$MODIFY_SPAM" = "yes"
then
--- qmailadmin-1.2.12/config.h.in 2007-11-14 05:28:51.000000000 +0100
+++ qmailadmin-1.2.12-nostro/config.h.in 2009-02-26 10:50:19.000000000 +0100
@@ -13,6 +13,12 @@
#undef DOMAIN_AUTOFILL
/* "" */
+#undef CATCHALL_ENABLED
+
+/* "" */
+#undef TRIVIAL_PASSWORD_ENABLED
+
+/* "" */
#undef ENABLE_MYSQL
/* "" */
--- qmailadmin-1.2.12/user.c 2007-11-03 18:44:12.000000000 +0100
+++ qmailadmin-1.2.12-nostro/user.c 2009-02-26 10:47:03.000000000 +0100
@@ -223,17 +223,18 @@
if (bounced==0 && strncmp(pw->pw_name,TmpBuf3,sizeof(TmpBuf3)) == 0) {
printf ("<img src=\"%s/radio-on.png\" border=\"0\"></a>",
IMAGEURL);
+#ifdef CATCHALL_ENABLED
} else if (AdminType==DOMAIN_ADMIN) {
printh ("<a href=\"%s&deluser=%C&page=%s\">",
cgiurl("setdefault"), pw->pw_name, Pagenumber);
printf ("<img src=\"%s/radio-off.png\" border=\"0\"></a>",
IMAGEURL);
+#endif
} else {
printf ("<img src=\"%s/disabled.png\" border=\"0\">",
IMAGEURL);
}
printf ("</td>");
-
printf ("</tr>\n");
}
pw = vauth_getall(dom,0,0);
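Review bot: Wrapping the `else if (AdminType==DOMAIN_ADMIN)` branch in `#ifdef CATCHALL_ENABLED` only removes the `setdefault` link from the user list; unless the `setdefault` action handler (and the `deleteall`/`bounceall`/`setremotecatchall` handlers whose links the next hunk hides) is also compiled out elsewhere in this patch — not visible here — a directly submitted request still reaches it, and the feature is disabled in appearance only. The guard belongs in the handler as well, e.g. an `#ifndef CATCHALL_ENABLED` block that sets `StatusMessage` and returns before any catch-all change is made. With the macro undefined, domain admins now fall through to the `disabled.png` image with no explanation, so a short `title` attribute or text entry saying catch-all is disabled would help. The enclosing function starts and ends outside the hunk.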
@@ -254,21 +255,27 @@
printh ("<a href=\"%s&page=%d\">%s</a>", cgiurl ("showusers"),
atoi(Pagenumber)-1 ? atoi(Pagenumber)-1 : atoi(Pagenumber),
html_text[135]);
- printf (" | ");
+ // printf (" | ");
}
if (moreusers && atoi(Pagenumber) < totalpages) {
+ if (atoi(Pagenumber)>1)
+ printf (" | ");
printh ("<a href=\"%s&page=%d\">%s</a>",
cgiurl("showusers"), atoi(Pagenumber)+1, html_text[137]);
+#ifdef CATCHALL_ENABLED
printf (" | ");
+#endif
}
/* printf (" | ");*/
#endif
+#ifdef CATCHALL_ENABLED
printh ("<a href=\"%s\">%s</a>", cgiurl ("deleteall"), html_text[235]);
printf (" | ");
printh ("<a href=\"%s\">%s</a>", cgiurl ("bounceall"), html_text[134]);
printf (" | ");
printh ("<a href=\"%s\">%s</a>", cgiurl("setremotecatchall"), html_text[206]);
+#endif
printf (" ]");
printf ("</b></font>");
printf ("</td></tr>\n");
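Review bot: The separator before the catch-all links is lost on the last page: the ` | ` after the previous-page link is commented out at the top of the hunk and its replacement is printed only inside the next-page branch, so when a previous page exists but no next page (with CATCHALL_ENABLED defined) the previous-page link and the `deleteall` link run together. Print it once at the start of the `#ifdef CATCHALL_ENABLED` block before `deleteall`, conditioned on a paging link having been printed — assuming, as the added `if (atoi(Pagenumber)>1)` does, that the previous-page link is shown exactly when the page number exceeds 1 — e.g. `if (atoi(Pagenumber) > 1 || (moreusers && atoi(Pagenumber) < totalpages)) { printf (" | "); }`, and drop the ` | ` now inside the next-page branch. The `// printf (" | ");` line should be deleted rather than left commented out, and the new single-statement `if` should be braced. The previous-page `if` and the `#ifdef` closed by the `#endif` above the catch-all block both begin outside the hunk.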
@@ -380,6 +387,15 @@
exit(0);
}
+#ifndef TRIVIAL_PASSWORD_ENABLED
+ if ( strstr(Newu,Password1)!=NULL) {
+ snprintf (StatusMessage, sizeof(StatusMessage), "%s\n", html_text[318]);
+ adduser();
+ vclose();
+ exit(0);
+ }
+#endif
+
#ifndef ENABLE_LEARN_PASSWORDS
if ( strlen(Password1) <= 0 ) {
snprintf (StatusMessage, sizeof(StatusMessage), "%s\n", html_text[234]);
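Review bot: `strstr(Newu,Password1)` rejects only a password that is a substring of the login name, so a password such as the login name with a digit appended — the case the cover note describes — is accepted, while an empty `Password1` always matches (strstr with an empty needle returns the haystack) and is reported as guessable before it can reach the empty-password check under `#ifndef ENABLE_LEARN_PASSWORDS` just below. Check both directions and only for a non-empty password, `if ( Password1[0] != '\0' && (strstr(Newu,Password1)!=NULL || strstr(Password1,Newu)!=NULL)) {`; note the comparison stays case-sensitive, so a capitalised login name is still accepted as a password. The same test is repeated in the moduser hunk below and in the qmailadmin.c hunk; a single `static` helper shared by the three call sites would keep the policy in one place. The English text for 318 added in lang/en misspells "easily". The function containing this code starts and ends outside the hunk.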
@@ -773,6 +789,14 @@
vclose();
exit(0);
}
+#ifndef TRIVIAL_PASSWORD_ENABLED
+ if ( strstr(ActionUser,Password1)!=NULL) {
+ snprintf (StatusMessage, sizeof(StatusMessage), "%s\n", html_text[318]);
+ moduser();
+ vclose();
+ exit(0);
+ }
+#endif
ret_code = vpasswd( ActionUser, Domain, Password1, USE_POP);
if ( ret_code != VA_SUCCESS ) {
snprintf (StatusMessage, sizeof(StatusMessage), "%s (%s)", html_text[140],
--- qmailadmin-1.2.12/qmailadmin.c 2007-09-22 01:27:39.000000000 +0200
+++ qmailadmin-1.2.12-nostro/qmailadmin.c 2009-02-26 10:47:06.000000000 +0100
@@ -211,8 +211,13 @@
snprintf (StatusMessage, sizeof(StatusMessage), "%s", html_text[234]);
} else if (vpasswd (User, Domain, Password1, USE_POP) != VA_SUCCESS) {
snprintf (StatusMessage, sizeof(StatusMessage), "%s", html_text[140]);
+#ifndef TRIVIAL_PASSWORD_ENABLED
+ } else if ( strstr(User,Password1)!=NULL) {
+ snprintf (StatusMessage, sizeof(StatusMessage), "%s\n", html_text[318]);
+#endif
} else {
/* success */
+// snprintf (StatusMessage, sizeof(StatusMessage), "%s: %s %s", html_text[139],Password1,User);
snprintf (StatusMessage, sizeof(StatusMessage), "%s", html_text[139]);
*Password = '\0';
send_template ("change_password_success.html");
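Review bot: The guessability check runs too late: it is an `else if` placed after `vpasswd (User, Domain, Password1, USE_POP) != VA_SUCCESS`, so the branch is reached only once vpasswd has already succeeded, and the password is changed even though the user is told it was rejected. Move it ahead of the vpasswd branch, i.e. `} else if ( strstr(User,Password1)!=NULL) {` with its `snprintf` of `html_text[318]`, followed by the existing `} else if (vpasswd (User, Domain, Password1, USE_POP) != VA_SUCCESS) {`. The commented-out `snprintf` that formats `Password1` into `StatusMessage` should be deleted rather than left in the source, since re-enabling it would echo the new password back into the page. The `if`/`else if` chain begins outside the hunk.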
--- qmailadmin-1.2.12/lang/it 2003-12-23 04:35:11.000000000 +0100
+++ qmailadmin-1.2.12-nostro/lang/it 2009-02-25 11:36:09.000000000 +0100
@@ -281,3 +281,4 @@
313 l'indirizzo
314 Quota non valida
315 Utente cancellato. Impossibile impostare forward a '%s'.
+318 Password non accettata. Può essere facilmente indovinata sapendo il nome utente
--- qmailadmin-1.2.12/lang/en 2005-08-10 19:42:49.000000000 +0200
+++ qmailadmin-1.2.12-nostro/lang/en 2009-02-25 11:35:38.000000000 +0100
@@ -283,3 +283,4 @@
315 User deleted. Unable to set forward to '%s'.
316 Change Password
317 You cannot delete the postmaster account.
+318 Invalid password: it can be easly guessed from the username
