[vchkpw] security issue

2010-12-22 Thread ckubu
Hi,

Mailsetup: qmail + vpopmail 5.5.27 + dovecot

Over the years, we didn't store cleartext versions of passwords. Some time ago, 
we wanted to change that setup and since that time, we used vpopmail compiled 
without option --disable-clear-passwd, but now with 
option --enable-learn-passwords. Step by step, we wanted to get users' 
passwords (we discussed that issue here on the list about 2 years ago). The 
reason was, we wanted to change our mailsetup (postfix+dovecot). But that did 
not work, meaning the cleartext version of the password wasn't stored.

Everything else was working fine and so I didn't change anything. This was a big 
mistake, because since that time, all vpopmail mailboxes could be accessed 
with an empty password string, at least if the clients were using cram or 
digest authentication.

I know about the misconfigured vpopmail, but I think this behavior isn't as 
expected. In the documentation of the option --disable-clear-passwd it is 
explained that this option causes vpopmail to store cleartext versions of 
passwords in _addition_ to their encrypted versions, and so I think the 
described behavior is at least a security leak.

regards
Christoph
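
Added illustration, not part of the original post and not vpopmail's or dovecot's code: a CRAM-MD5 check (RFC 2195) that recomputes the HMAC from whatever cleartext field is stored accepts an empty password when that field is empty, while a check that refuses accounts without a stored secret does not. That the empty cleartext field is what the verifier keyed on is an assumption; the store layout, function names, addresses and challenge are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample store: user -> cleartext secret. "bob" has an empty
# field, i.e. only the crypted password was ever stored for him.
STORE = {"alice@example.org": "correct horse", "bob@example.org": ""}
CHALLENGE = b"<1896.697170952@mail.example.org>"  # constructed server nonce


def cram_md5_response(user, password, challenge):
    """What a client sends: base64(user SP hex(HMAC-MD5(password, challenge)))."""
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode())


def _split(response):
    user, _, mac = base64.b64decode(response).decode().rpartition(" ")
    return user, mac


def verify_naive(response, challenge, store=STORE):
    """Recomputes the HMAC from whatever is stored, even an empty string."""
    user, mac = _split(response)
    secret = store.get(user) or ""
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def verify_hardened(response, challenge, store=STORE):
    """Same check, but an account without a stored secret can never pass."""
    user, mac = _split(response)
    secret = store.get(user)
    if not secret:  # missing user or empty cleartext field
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def accounts_without_secret(store=STORE):
    """Audit helper: mailboxes that must not be offered CRAM/DIGEST auth."""
    return sorted(user for user, secret in store.items() if not secret)


if __name__ == "__main__":
    empty = cram_md5_response("bob@example.org", "", CHALLENGE)
    print("naive accepts empty password:", verify_naive(empty, CHALLENGE))
    print("hardened accepts empty password:", verify_hardened(empty, CHALLENGE))
    print("accounts to fix:", accounts_without_secret())
```

The server needs the cleartext secret to recompute the HMAC at all, which is why challenge-response mechanisms cannot work from the crypted password alone.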




Re: [vchkpw] non plaintext authentication methods

2009-05-10 Thread ckubu
hi,

>> [..] I'm not able to bring non-plaintext 
>> authentication methods working on qmails pop3 service (APOP), and on
>> dovecots imap service (CRAM-MD5).
>
> The only reason I can think of that CRAM-MD5 doesn't work with pop or
> imap is that clear text passwords are disabled.
>
> To use CRAM-MD5, you need a clear text password stored locally.
>
> Did you perhaps compile vpopmail with the --disable-clear-passwd flag ?

Yes, I did. I tried it without this flag and it was easy to see that you 
are right. Thank you. 

So I think there is no possibility to get non-plaintext authentication 
methods working afterwards, I mean for existing mailboxes, is there?

regards christoph





[vchkpw] non plaintext authentication methods

2009-05-10 Thread ckubu
hi,

I'm running qmail+vpopmail+dovecot on a FreeBSD stable system and all worked 
fine, almost all. I'm not able to get non-plaintext authentication methods 
working on qmail's pop3 service (APOP), and on dovecot's imap service 
(CRAM-MD5).

Maybe this is an OS issue and this question isn't in the right place here, in 
this case sorry about that.

my versions:
(net)qmail with tls-smtp-auth patch
vpopmail 5.4.27
dovecot 1.1.14

I have tried older versions of vpopmail and dovecot, but with the same result: 
non-plaintext authentication methods don't work.

What did I do wrong? Can anybody help me?

regards christoph







Re: [vchkpw] how can I see all error messages about pop3 service ?

2009-02-06 Thread ckubu
hallo

> [..] We have Dovecot running under daemontools.

Some time ago, I tried to run dovecot under daemontools, but I failed (most 
likely because of my poor knowledge). Can you give me your run script or 
tell me if there is something special to take into account?

sorry for my bad english
- christoph






Re: [vchkpw] Re: Double bounce message

2008-01-25 Thread ckubu
hi,

> > Can any body tell how to configure to delete the double bounce
> > messages in qmail. Thanks.

create a file named "/control/doublebounceto" with content:
   dev-null

then create a file named "/.qmail-dev-null" with content:
   | cat > /dev/null

ready

best wishes
christoph






Re: [vchkpw] smtp after pop

2007-11-11 Thread ckubu
Hi

> > I have vpopmail running with smtp-after-pop functionality
> > (--enable-roaming-users). the pop-daemon is from qmail. this works fine
> > for normal (unsecure) connection via port 110. but this doesn't work if
> > connecting via stunnel on port 995. I know, that's correct, because
> > stunnel is connecting to qmail's pop3 daemon from ip 127.0.0.1.
> >
> > Is there any setup known, that results in writing the user's IP address to
> > open-smtp file so that smtp-after-pop works even if connected via
> > stunnel ?
>
> As STunnel proxies the connection, it probably looks like a connection
> on 127.0.0.1 to the SMTP server.
>
> You might want to look at using ucspi-ssl
> (http://www.superscript.com/ucspi-ssl/intro.html) which is an
> SSL-enabled version of tcpserver.

Thanks for that tip. It works fine.

For your interest: compiling ucspi-ssl with default conf-* files, my run 
script (on an openbsd 4.1 system) looks as follows

#!/bin/sh
CAFILE="/var/qmail/control/pop3d.pem"
CERTFILE="/var/qmail/control/pop3d.pem"
KEYFILE="/var/qmail/control/pop3d.pem"
DHFILE="/var/qmail/control/dh1024.pem"
export CAFILE CERTFILE KEYFILE DHFILE

MAX_CON=60
VPOPMAILUID=`id -u vpopmail`
VPOPMAILGID=`id -g vpopmail`
LOCAL=`head -1 /var/qmail/control/me`
LISTEN_IP=123.123.123.123

exec  /usr/local/bin/softlimit -m 500 \
  sslserver -e -v -HR -l "$LOCAL" \
  -c $MAX_CON \
  -u"$VPOPMAILUID" -g"$VPOPMAILGID" "$LISTEN_IP" 995 \
  /var/qmail/bin/qmail-popup `hostname` \
  /home/vpopmail/bin/vchkpw \
  /var/qmail/bin/qmail-pop3d  Maildir 2>&1

cu Christoph




[vchkpw] smtp after pop

2007-11-09 Thread ckubu
Hi,

I have vpopmail running with smtp-after-pop functionality 
(--enable-roaming-users). The pop-daemon is from qmail. This works fine for 
normal (unsecure) connections via port 110. But this doesn't work if 
connecting via stunnel on port 995. I know, that's correct, because stunnel 
is connecting to qmail's pop3 daemon from ip 127.0.0.1. 

Is there any setup known that results in writing the user's IP address to 
the open-smtp file so that smtp-after-pop works even if connected via stunnel?

best wishes
christoph




Re: [vchkpw] relay server

2007-11-09 Thread ckubu
hi,

> Hi I wanted to setup a scanning relay server.. I explain I'm using
> vpopmail 5.4.13 and qmail-1.03 with john simpson 7 combined patch I add
> the domains with ./vadddomain domain.com and later add an smtproutes line
> (in this control file) as domain.com:mail.domain.com but the mail always
> is treated as local...
>
>
> should the /var/qmail/users/assign file be changed for this purpose? for
> having users locally for smtp auth purposes but and users to use this
> machine as relay but the mail incoming for this domains to be delivered as
> smtproutes line says?

Your domain is assigned as local, because you added it with ./vadddomain 
domain.com. Run ./vdeldomain domain.com.

Take care that there is no entry in /control/virtualdomains and also 
none in /control/users/cdb, which is the database file for the 
assign file.

For your domain, say domain.com, only entries in 
/control/rcpthosts like
   domain.com
and in file /control/smtproutes, like
   domain.com:mail.domain.com
are needed

cu
christoph





Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi,

> >- courier-imap (4.1.2) with authentication via courier-authdaemon
> > (0.59.1) against vpopmail's vchkpw
>
> Sam has released courier-authlib-0.60.1. You may want to try that.

I tried this, but with exactly the same results. no module for authentication 
against vpopmail's vchkpw was built.


Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi len

> > [..]
> >
> > *** Warning: linker path does not have real file for library -lvpopmail.
> > *** I have the capability to make that library automatically link in when
> > *** you link to this library.  But I can only do this if you have a
> > *** shared version of the library, which you do not appear to have
> > *** because I did check the linker path looking for a file starting
> > *** with libvpopmail and none of the candidates passed a file format test
> > *** using a regex pattern. Last file checked:
> > /home/vpopmail/lib/libvpopmail.a
> >
> > *** Warning: libtool could not satisfy all declared inter-library
> > *** dependencies of module libauthvchkpw.  Therefore, libtool will create
> > *** a static module, that should work as long as the dlopening
> > *** application is linked with the -dlopen flag.
> > ..
> > --- snip ---
>
> I ran into a problem very similar to this building authdaemon against
> vpopmail-5.20 under NetBSD-3.1-i386.  After a lot of twists and turns
> I modified the vpopmail source to build libvpopmail as a shared lib as
> well as static.  I am not especially tallented with automake, autoconf
> and libtool, in fact I had never modified a build to create shared
> libs.  I found an excellent resource on how to do this at:
>
> http://sourceware.org/autobook/autobook/autobook_toc.html
>
> I successfully built libvpopmail.so, and placed it in a location where my
> build of courier-authdaemon would link against it.  The build was
> successful, and authdaemon is working flawlessly using the authvchkpw
> module.  It was a good learning experience; glad I know how to do this
> if I find myself in this situation again.  HTH

OK, it's not doable - for me - in a short time. I read this howto for the last few 
hours and really: I learned. But - until now - I was not able to build 
libvpopmail.so. So I will try it later when I have more time. Thank you.

- Christoph


Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi,

> > [..]
> >
> > until now, qmail in conjunction with vpopmail works fine. the problem
> > appears when building the courier-authdaemon. the module for
> > authentication against vchkpw is not built. I am missing a file like
> > libauthvchkpw.so
> > the gmake output looks like:
>
> Perhaps consider Dovecot in place of courier, current courier authlib
> needs patching for some OS's,  Sam has known about this since May, but
> has not done a thing about it, we got sick of it breaking and use
> Dovecot which works beautifully with Vpopmail
> You could even use Dovecot to handle your POP3 if you wanted to.

Thanks for that tip. I installed dovecot and it seems to work (I tried it 
with one imap and imap-ssl connection). It's not my first solution, but good 
to know that I can fall back on it in this server environment.


[vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-11 Thread ckubu
hi,

If this isn't the right place for questions or help with such a problem, please 
ignore and sorry. And also sorry for my bad English.

I would like to run a mailserver on my openbsd 4.1 system. The services should be:
   - qmail (netqmail 1.0.5)
   - vpopmail (5.4.18)
   - courier-imap (4.1.2) with authentication via courier-authdaemon (0.59.1)
     against vpopmail's vchkpw
   - webmailer

system stuff:
   os.: i386 openbsd 4.1
   cpu: amd 64 (pc-style)

Until now, qmail in conjunction with vpopmail works fine. The problem appears 
when building the courier-authdaemon. The module for authentication against 
vchkpw is not built. I am missing a file like libauthvchkpw.so.
The gmake output looks like:

--- snip ---
...
Compiling authvchkpw.c
authvchkpw.c: In function `auth_vchkpw_changepass':
authvchkpw.c:186: warning: passing arg 1 of `parse_email' discards qualifiers 
from pointer target type
Compiling authvchkpwlib.c
Compiling preauthvchkpw.c
preauthvchkpw.c: In function `auth_vchkpw_pre':
preauthvchkpw.c:67: warning: passing arg 1 of `parse_email' discards 
qualifiers from pointer target type
preauthvchkpw.c:141: warning: passing arg 3 of `vset_lastauth' discards 
qualifiers from pointer target type
Linking libauthvchkpw.la

*** Warning: linker path does not have real file for library -lvpopmail.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have
*** because I did check the linker path looking for a file starting
*** with libvpopmail and none of the candidates passed a file format test
*** using a regex pattern. Last file checked: /home/vpopmail/lib/libvpopmail.a

*** Warning: libtool could not satisfy all declared inter-library
*** dependencies of module libauthvchkpw.  Therefore, libtool will create
*** a static module, that should work as long as the dlopening
*** application is linked with the -dlopen flag.
..
--- snip ---

After finishing the authdaemon installation and starting it, the log file looks like

--- snip ---
...
Oct 11 19:33:03 luna authdaemond: Installing libauthcustom
Oct 11 19:33:03 luna authdaemond: Installation complete: authcustom
Oct 11 19:33:03 luna authdaemond: Installing libauthvchkpw
Oct 11 19:33:03 luna authdaemond: File not found
...
--- snip ---

authdaemon was configured with:
   ./configure \
  --prefix=/usr/local/courier-authlib-0.59.1 \
  --with-authvchkpw \
  --with-mailuser=vpopmail \
  --with-mailgroup=vchkpw
vpopmail configure was:
   ./configure \
  --enable-roaming-users \
  --enable-tcpserver-file=/home/vpopmail/etc/tcp.smtp \
  --enable-tcprules-prog=/usr/local/bin/tcprules \
  --enable-relay-clear-minutes=60 \
  --enable-learn-passwords \
  --enable-qmail-ext \
  --enable-logging=v \
  --enable-log-name=vpopmail

I'm not very firm with compiler/linker stuff, so I need help. Can and would 
anyone here on this list help me? It would be very great.

Until now, i tried different versions of vpopmail and courier's authdaemon and 
combinations of them. i also installed the mailserver services on an x86_64 
openbsd 4.1 with exactly the same results.

I also tried to configure vpopmail with the --enable-shared option - knowing that 
this flag isn't listed by configure --help -, in order to get a shared 
version of libvpopmail, but this doesn't work. I thought this could also 
solve my problem.

best wishes
christoph