Rajesh, Tonino:

Without even modifying qmail, wouldn't chkuser be disabled completely with the RELAYCLIENT setting:

RELAYCLIENT=""

Eric


On 9/19/2017 3:57 AM, Tonix - Antonio Nati wrote:
Rajesh,

I don't know which version of chkuser is included in qmailtoaster.
Behaviour has changed sometimes. I always tried to keep configurations stable, but sometimes evolutions lead to a change.
So, which is the version in qmailtoaster?

About forcing to authenticate, you need the *CHKUSER_EXTRA_MUSTAUTH_VARIABLE* feature, but it exists from 2.0.9.

Check documentation in http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html.

Regards,

Tonino

On 19/09/2017 11:39, Rajesh M wrote:
Tonino,

thanks for the detailed information

just wanted a final clarification

i require chkuser for smtp authentication purpose only on port 587 for my 
customers who need unrestricted email sending with authentication.

I have compiled a separate cdb file called tcp.smtp.587.cdb exclusively for 
port 587.

in my chkuser_settings.h i have uncommented and recompiled qmailtoaster

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

so in my tcp.smtp, if i set

CHKUSER_START="NONE"

it should allow my customers to authenticate and send out emails without any 
chkuser checks other than smtp authentication, right ?

thanks,
rajesh



will that disable all other aspects for


----- Original Message -----
From: Tonix - Antonio Nati [mailto:to...@interazioni.it]
To:qmailtoaster-list@qmailtoaster.com
Sent: Tue, 19 Sep 2017 09:23:01 +0200
Subject:

Eric,

it looks like I told and wrote wrong instructions (and I remembered
wrong sequences in last reply).

Let's say there is a potential bug in the application, which I'm seeing
only now, after years. It is not really a code bug. It is that I wrote
something in the code and something different in documentation.

Logic (in version 2.0.9 of chkuser code) says:

  1. if CHKUSER_ALWAYS_ON is declared, chkuser is always ON:
     starting_value = 1 (this option is not compatible in compilation
     with CHKUSER_STARTING_VARIABLE; only one of them may be defined).
  2. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
     declared chkuser works on domain base (starting_value = 0)
  3. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is declared
     and NOT assigned, chkuser is disabled (starting_value = -1)
  4. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
     ALWAYS, chkuser is always ON (starting_value = 1)
  5. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
     DOMAIN, chkuser works on domains base (starting_value = 0)
  6. if CHKUSER_STARTING_VARIABLE is declared and assigned with values
     different from ALWAYS and DOMAIN, chkuser works on domains bases
     (starting_value = 0)
  7. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
     declared chkuser works on domains base (starting_value = 0)

So, the real default is chkuser working on domains base. Other options
lead to different behaviours. If you want to disable it, you must
declare a variable and not assign it (not assigning it is different from
assigning "" or an empty value).

For a better code and a better usage, it should be (in red the code I
added):

     <code>

     +#if defined CHKUSER_STARTING_VARIABLE
     +        starting_string = env_get (CHKUSER_STARTING_VARIABLE);
     +        if (starting_string) {
     +                if (strcasecmp(starting_string, "ALWAYS") == 0) {
     +                        starting_value = 1;
     +                } else if (strcasecmp(starting_string, "DOMAIN") ==
     0) {
     +                        starting_value = 0;
     +                } else if (strcasecmp(starting_string, "NONE") == 0) {
     +                        starting_value = -1;
     +                }
     +        } else {
     +                starting_string = "";
     +                starting_value = -1;
     +        }
     +#endif

     </code>
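
Review bot: in the `if (starting_string)` branch, a value that matches none of ALWAYS, DOMAIN or NONE (an empty string included) leaves starting_value untouched, so the result depends on an initialisation that is not in these lines, while the surrounding text says any other value should enable chkuser on domain base. Suggest a final `else { starting_value = 0; }` so the fallback is explicit. The block also has no `#else`, so it is worth documenting what starting_value is when CHKUSER_STARTING_VARIABLE is not defined at compile time.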

In such a case value "NONE" and absence of variable assign would disable
chkuser. ALWAYS would enable it forever, any other value would enable it
on domain base.

Sorry, and thanks for forcing me to read again the code.

Tonino
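
An added example, not part of the original thread or of chkuser's own source: the two variants of the start-up logic quoted in this thread, wrapped in hypothetical functions and run over constructed values (NULL models a variable absent from the environment). The initial starting_value of 0 is an assumption taken from item 6 of the list above.

```c
#include <stdio.h>
#include <stddef.h>
#include <strings.h>   /* strcasecmp */

/* Logic as posted from chkuser 2.0.9. The initial value 0 is an assumption
   taken from item 6 of the list above (other values -> domain base). */
static int starting_value_209(const char *s)
{
    int v = 0;
    if (s) {
        if (strcasecmp(s, "ALWAYS") == 0) v = 1;
        else if (strcasecmp(s, "DOMAIN") == 0) v = 0;
    } else {
        v = -1;
    }
    return v;
}

/* Logic of the proposed change, with the same assumed initial value. */
static int starting_value_proposed(const char *s)
{
    int v = 0;
    if (s) {
        if (strcasecmp(s, "ALWAYS") == 0) v = 1;
        else if (strcasecmp(s, "DOMAIN") == 0) v = 0;
        else if (strcasecmp(s, "NONE") == 0) v = -1;
    } else {
        v = -1;
    }
    return v;
}

/* Constructed inputs: NULL models a variable that is not set at all. */
static const char *const samples[] = { NULL, "", "NONE", "none", "ALWAYS", "DOMAIN", "OFF" };
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Count the inputs on which the two versions disagree. */
static int count_differences(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        if (starting_value_209(samples[i]) != starting_value_proposed(samples[i])) n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-8s 2.0.9=%2d proposed=%2d\n",
               samples[i] ? (samples[i][0] ? samples[i] : "\"\"") : "(unset)",
               starting_value_209(samples[i]), starting_value_proposed(samples[i]));
    return count_differences() == 2 ? 0 : 1;
}
```

Under these assumptions only "NONE" (in any letter case) changes outcome between the two variants; an empty string still selects per-domain checking in both.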


Hi Tonino,

When CHKUSER_START is set, or not set, the ensuing logic of chkuser
keys on the value of 'starting_value', correct?

1) CHKUSER_START="NONE" (starting_value=1)
2) CHKUSER_START="ANYTHING ELSE" (starting_value=1)
3) CHKUSER_START="" (starting_value=0)
4) unset -v CHKUSER_START (starting_value=-1) *A situation where CHKUSER_START 
is not even specified in either the smtpd run file or tcp.smtp.

In the code the logic falls out in a different manner for -1, 0, or 1.

So wouldn't CHKUSER_START="NONE" (starting_value=1) fall out differently than 
CHKUSER_START="" (starting_value=0) or CHKUSER_START not specified (starting_value=-1)?

Eric



On 9/18/2017 1:58 PM, Tonix - Antonio Nati wrote:
Eric,

you are right. I wrote "NONE" instead of "everything different from
ALWAYS or DOMAIN" in order to simplify things, but the concept is
clear: every value different from DOMAIN or ALWAYS will disable chkuser.

Note: everything is disabled except the
*CHKUSER_EXTRA_MUSTAUTH_VARIABLE* functionality.

Regards,

Tonino

On 18/09/2017 21:51, Eric Broch wrote:
Rajesh,

I apologize for the responses that have not been helpful. After
looking at the settings (below) from here
<http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html> and going through the code, I'm convinced that the "NONE" option
will not be helpful or do what you expect or what the documentation
even states (Tonix, please review):

<settings>

CHKUSER_STARTING_VARIABLE 2.0.5 commented "CHKUSER_START"
Sets the variable that must be read, at qmail-smtpd start, in order
to understand how to use chkuser for any domain. The variable must
be filled with the following values:

     NONE = chkuser will not work
     ALWAYS = chkuser will work always
     DOMAIN = chkuser will work depending on single domain settings

Any other value, or a missing value, will disable chkuser.
Incompatible with CHKUSER_ALWAYS_ON since 2.0.9

</settings>

Since you've already defined 'CHKUSER_STARTING_VARIABLE' at compile
time in chkuser_settings.h, I think simply leaving the variable
CHKUSER_START (null) out of both the run file and the tcp.smtp file
you will get what you've been expecting (stop and start qmail of
course). The settings section indicates this as well:
"Any other value, or a missing value, will disable chkuser."
In fact, in my study of the code, I don't think the NONE option does
anything. If Tonix is looking at this thread maybe he could help
*fingers crossed*.

Please let me know how it goes.

Eric

On 9/18/2017 12:33 PM, Eric Broch wrote:
Rajesh,

Can you set this in /var/qmail/supervise/smtp/run

CHKUSER_START="NONE"
export CHKUSER_START

exec
/usr/bin/softlimit....................................................................................



On 9/18/2017 12:10 PM, Eric Broch wrote:
Sorry, my mistake, Rajesh,

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

sets CHKUSER_STARTING_VARIABLE to CHKUSER_START


On 9/18/2017 11:53 AM, Eric Broch wrote:
Rajesh,

In the code there is no check for 'CHKUSER_START' but there is
for 'CHKUSER_STARTING_VARIABLE'. So, in tcp.smtp use
'CHKUSER_STARTING_VARIABLE' like so:

CHKUSER_STARTING_VARIABLE="NONE"

then stop and start qmail.

Here's the code and the environment variable chkuser checks:

<code>

starting_string = env_get (CHKUSER_STARTING_VARIABLE);
if (starting_string) {
        if (strcasecmp(starting_string, "ALWAYS") == 0) {
                starting_value = 1;
        } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
                starting_value = 0;
        }
} else {
        starting_string = "";
        starting_value = -1;
}

</code>

Eric

On 9/18/2017 11:38 AM, Eric Broch wrote:
Sorry to ask this, but did you restart qmail after the change?

On 9/18/2017 8:52 AM, Rajesh M wrote:
hi eric

i wished to disable chkuser mx check, format check etc .. and turn off chkuser using 
CHKUSER_START="NONE"

the default installation of qmail always keeps chkuser on with no control
so i rebuild chkuser from source

CHANGES FOR CHK USER
EXTRA SOURCE FROM RPM
rpm -Uvh qmail-1.03-1.qt.src.rpm
nano /root/rpmbuild/SPECS/qmail.spec
put a sleep in this for 120 seconds

open 2nd window of ssh
service qmail stop

in first window run
rpmbuild -bb --define "dist .qt.el6" qmail.spec
the process will now halt for 180 seconds which gives us time to modify 
chkuser_settings.h settings

in second window go to
cd /root/rpmbuild/BUILD/qmail-1.03
nano chkuser_settings.h

UNCOMMENT THIS
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

comment out the following
/* #define CHKUSER_RCPT_MX */
/* #define CHKUSER_ENABLE_USERS_EXTENSIONS */
/* #define CHKUSER_USERS_DASH '-' */


now the problem is that even if I set CHKUSER_START="NONE" i get errors

here is my tcp.smtp file for submission port (i use separate tcp.smtp files for 
25 and 587)

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_START="NONE"

i still get errors as such

2017-09-18 11:48:08.810159500 CHKUSER rejected rcpt: from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>   remote <FTLPCS27:unknown:182.73.35.162> rcpt<slncubm...@domain1.com>   : max number of recipients
2017-09-18 11:48:09.894092500 CHKUSER rejected intrusion: from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>   remote <FTLPCS27:unknown:182.73.35.162> rcpt <sreecharanbank@domain2> : rcpt ignored, session over intrusion threshold
2017-09-18 11:48:11.226284500 CHKUSER rejected intrusion: from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>   remote <FTLPCS27:unknown:182.73.35.162> rcpt<sreekumarga...@gmail.com>   : rcpt ignored, session over intrusion threshold

help required please

rajesh





---------------------------------------------------------------------
To unsubscribe,e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands,e-mail:qmailtoaster-list-h...@qmailtoaster.com
--
Eric Broch
White Horse Technical Consulting (WHTC)
--
------------------------------------------------------------
          Inter@zioni            Interazioni di Antonio Nati
http://www.interazioni.it to...@interazioni.it
------------------------------------------------------------