[vchkpw] Re: Qmail-pop3d (with or without ssl) and open-smtp

2004-01-17 Thread Peter Palmreuther
Hello Andrea,

On Friday, January 16, 2004 at 11:30:31 PM you wrote (at least in
part):

> Why qmail-pop3d via ssl don't open the relay?

Reading your dumps and having a look in vpopmail sources I get the
impression when you're in SSL mode the environment variable
TCPREMOTEIP seems not to be set. I don't know which vpopmail version
you're actually using, so I don't know if there are other versions
when vpopmail does neither read nor write open-smtp, but this could be
/one/ reason.

Please execute this on a command line:

,- [  ]
| #!/bin/sh
| CAFILE=/usr/local/ssl/certs/pop3s.cert
| CERTFILE=/usr/local/ssl/certs/pop3s.cert
| KEYFILE=/usr/local/ssl/certs/pop3s.key
| DHFILE=/usr/local/ssl/certs/dh1024.pem
| export CAFILE CERTFILE KEYFILE DHFILE
| exec /usr/local/bin/softlimit -m 380 \
| /usr/local/bin/sslserver -v -R -H -l 0 0 996 \
| echo IP:  $TCPREMOTEIP 2>&1
`-

And on a different terminal use 'openssl s_client ...' to connect to
port 996. I'd expect the output 'IP: ' and nothing else ...
-- 
Best regards
Peter Palmreuther

Other than that, Mrs. Lincoln, how was the play?



RE: [vchkpw] Re: Qmail-pop3d (with or without ssl) and open-smtp

2004-01-17 Thread Andrea Riela
Peter Palmreuther wrote:
> Hello Andrea,
> Reading your dumps and having a look in vpopmail sources I get
> the impression when you're in SSL mode the environment
> variable TCPREMOTEIP seems not to be set. I don't know which
> vpopmail version you're actually using, so I don't know if
> there are other versions when vpopmail does neither read nor
> write open-smtp, but this could be /one/ reason.

Well, my version is 5.4.0-rc1.
Now my runscript is:

#!/bin/sh
CAFILE=/usr/local/ssl/certs/pop3s.cert
CERTFILE=/usr/local/ssl/certs/pop3s.cert
KEYFILE=/usr/local/ssl/certs/pop3s.key
DHFILE=/usr/local/ssl/certs/dh1024.pem
export CAFILE CERTFILE KEYFILE DHFILE
exec /usr/local/bin/softlimit -m 380 \
/usr/local/bin/sslserver -v -R -H -l 0 0 996 \
echo IP:  $TCPREMOTEIP 2>&1

I've tried on the same terminal, with 'openssl s_client -connect
127.0.0.1:996', and with 'openssl s_client -connect 'server's_public_IP:996'
from a remote terminal, this is my output:

observe# openssl s_client -connect 127.0.0.1:996
CONNECTED(0004)
cut
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID:
564576620745756255D48121BE33D73A63D01F365BC3610D3ECF008EE129C3E3
Session-ID-ctx: 
Master-Key:
ACA2871B120D636E91035E8C61CBEF378BFB241D454CFAD088B2DB5217A81E2747D881946AB1
06CBB564E3F3590FEDF4
Key-Arg   : None
Start Time: 1074331971
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=0
observe#

TiG4:~ andrea$ openssl s_client -connect server's_public_ip:996
CONNECTED(0003)
cut
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol  : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID:
EAB08452498F726CC32FE84EEE09E8F2DA2273D42ED6D70382B7D31A980CECEE
Session-ID-ctx: 
Master-Key:
F044319BCC17B487ED2E457F7305F0F1FD6267AC7385A02DFAFDC522B67CDDC2760BD9F7C5E1
2931106380FD54054F30
Key-Arg   : None
Start Time: 1074335061
Timeout   : 300 (sec)
Verify return code: 18 (self signed certificate)
---
read:errno=0
TiG4:~ andrea$ 

Well, I think you've hit the problem.
But what I've to do to resolve it?

Thanks for all
Regards
Andrea



RE: [vchkpw] Re: Qmail-pop3d (with or without ssl) and open-smtp

2004-01-17 Thread Andrea Riela
Andrea Riela wrote:
> Well, I think you've hit the problem.
> But what I've to do to resolve it?

exec /usr/local/bin/softlimit -m 380 \
ktrace -f /tmp/ktrace.ip /usr/local/bin/sslserver -v -R -H -l 0 0 996 \
echo IP:  $TCPREMOTEIP 2>&1

The kdump says:

cut
 13884 sslserver GIO   fd 2 wrote 56 bytes   
   sslserver: cafile 13884 /usr/local/ssl/certs/pop3s.cert
   
 13884 sslserver RET   write 56/0x38
 13884 sslserver CALL  write(0x2,0xf558,0x1a)
 13884 sslserver GIO   fd 2 wrote 26 bytes   
   sslserver: ccafile 13884 
   
 13884 sslserver RET   write 26/0x1a
 13884 sslserver CALL  write(0x2,0xf558,0x2c)
 13884 sslserver GIO   fd 2 wrote 44 bytes   
   sslserver: cadir 13884 /usr/local/ssl/certs
   
 13884 sslserver RET   write 44/0x2c
 13884 sslserver CALL  write(0x2,0xf558,0x36)
 13884 sslserver GIO   fd 2 wrote 54 bytes   
   sslserver: cert 13884 /usr/local/ssl/certs/pop3s.cert
   
 13884 sslserver RET   write 54/0x36
 13884 sslserver CALL  write(0x2,0xf558,0x34)
 13884 sslserver GIO   fd 2 wrote 52 bytes   
   sslserver: key 13884 /usr/local/ssl/certs/pop3s.key
   
 13884 sslserver RET   write 52/0x34
 13884 sslserver CALL  write(0x2,0xf558,0x3b)
 13884 sslserver GIO   fd 2 wrote 59 bytes   
   sslserver: param 13884 /usr/local/ssl/certs/dh1024.pem 512
   
 13884 sslserver RET   write 59/0x3b
 13884 sslserver CALL  close(0)
 13884 sslserver RET   close 0 
 13884 sslserver CALL  close(0x1)
 13884 sslserver RET   close 0   
 13884 sslserver CALL  write(0x2,0xf558,0x18)
 13884 sslserver GIO   fd 2 wrote 24 bytes   
   sslserver: status: 0/40
   
 13884 sslserver RET   write 24/0x18
 13884 sslserver CALL  sigprocmask(0x2,0x8)
 13884 sslserver RET   sigprocmask 524288/0x8
 13884 sslserver CALL  accept(0x3,0xcfbfd810,0xcfbfd80c)
 13884 sslserver RET   accept 0
 13884 sslserver CALL  sigprocmask(0x1,0x8)
 13884 sslserver RET   sigprocmask 0
 13884 sslserver CALL  write(0x2,0xf558,0x18)
 13884 sslserver GIO   fd 2 wrote 24 bytes   
   sslserver: status: 1/40
   
 13884 sslserver RET   write 24/0x18
 13884 sslserver CALL  fork
 13884 sslserver RET   fork 32655/0x7f8f
 13884 sslserver CALL  close(0)
 13884 sslserver RET   close 0 
 13884 sslserver CALL  sigprocmask(0x2,0x8)
 13884 sslserver RET   sigprocmask 524288/0x8
 13884 sslserver CALL  accept(0x3,0xcfbfd810,0xcfbfd80c)
 13884 sslserver PSIG  SIGCHLD caught handler=0x26b0 mask=0x0
 13884 sslserver RET   accept -1 errno 4 Interrupted system call
 13884 sslserver CALL  wait4(0x,0xcfbfd6ec,0x1,0)
 13884 sslserver RET   wait4 32655/0x7f8f
 13884 sslserver CALL  write(0x2,0xf558,0x22)
 13884 sslserver GIO   fd 2 wrote 34 bytes   
   sslserver: end 32655 status 28416
   
 13884 sslserver RET   write 34/0x22
 13884 sslserver CALL  write(0x2,0xf558,0x18)
 13884 sslserver GIO   fd 2 wrote 24 bytes   
   sslserver: status: 0/40
   
 13884 sslserver RET   write 24/0x18
 13884 sslserver CALL  wait4(0x,0xcfbfd6ec,0x1,0)
 13884 sslserver RET   wait4 -1 errno 10 No child processes
 13884 sslserver CALL  sigreturn(0xcfbfd708)
 13884 sslserver RET   sigreturn JUSTRETURN 
 13884 sslserver CALL  sigprocmask(0x1,0x8)
 13884 sslserver RET   sigprocmask 0
 13884 sslserver CALL  sigprocmask(0x2,0x8)
 13884 sslserver RET   sigprocmask 524288/0x8
 13884 sslserver CALL  accept(0x3,0xcfbfd810,0xcfbfd80c)

I hope that could help you to define the problem
Thanks
Andrea



RE: [vchkpw] Re: Qmail-pop3d (with or without ssl) and open-smtp [SOLVED]

2004-01-17 Thread Andrea Riela
Thanks Peter, thanks ml,

Now I've solved my problem.

I need this patch: http://jonaspasche.de/ucspi-ssl/sslserver-compat.patch
Because with ssl connection I haven't the $TCPREMOTEIP, as Peter said.

Thank you very much
Regards
Andrea



[vchkpw] Question about roaming

2004-01-17 Thread Andrea Riela
Hi folks,

Could you send me your advice about the most secure configuration of
vpopmail's roaming option?
--enable-relay-clear-minutes=# how many minutes?
clearopensmtp: in crontab, but when? Every hour?

Thanks for all
Regards
Andrea



RE: [vchkpw] Question about roaming

2004-01-17 Thread Andrea Riela
Shane Chrisp wrote:
> I run 15 minutes for open relay and clearopensmtp every minute from
> crontab.

I'm sorry, Shane, but I'm very tired and I don't understand.
--enable-relay-clear-minutes=15
*/1 *   *   *   *   /home/vpopmail/bin/clearopensmtp 2>&1 > /dev/null

?
Thanks
Andrea



RE: [vchkpw] Question about roaming

2004-01-17 Thread Shane Chrisp
Andrea,

Yes that is what I meant. Sorry, I'm also very tired myself and though I knew
what I meant I probably typed it in shorthand :)

I should also add that I'm running a MySQL backend in my setup and that 1 minute
for clearopensmtp is probably overkill, but it doesn't really add any load to
the system, so I don't see the harm. I would rather have the relay cleared from
the table sooner than later.

Shane






[vchkpw] Vpopmail MySQL Table Layouts

2004-01-17 Thread Jeff Koch
Are the MySQL table layouts documented anywhere? I went all through the
docs and source but maybe someone could give me a pointer please. Thanks

Best Regards,

Jeff Koch 




RE: [vchkpw] Question about roaming

2004-01-17 Thread Brad Davis
Andrea,

Running every minute or clearing the rules every 15 is probably a little
paranoid. You might want to look into SMTP AUTH so that you don't have to
worry about opening a relay. I set my open relay to 1 day due to people not
checking their email often enough to keep the relay open when they are
sending. If you're going to keep the same setup you only need to run
clearopensmtp every 15 minutes or so. I don't think you will see any problem
running it every 15 minutes.




Regards,
Brad Davis
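
The interaction between the expiry window and the cron interval discussed in this thread, as an added example that is not from any poster or from vpopmail itself. The entry layout, the sample addresses and timestamps, and the function names relay_entries and worst_case_minutes are assumptions made for illustration; it also assumes an entry keeps permitting relay until the clearing job removes it.

```sh
#!/bin/sh
# Added example, not vpopmail code. Assumed entry layout (constructed here):
#   <ip>:allow,RELAYCLIENT=""<TAB><epoch of last POP login>

# relay_entries NOW CLEAR_MINUTES
# Reads entries on stdin and prints "<ip> open" when the last login is within
# CLEAR_MINUTES of NOW, or "<ip> stale" when it is older. A stale entry still
# permits relaying until the next clearing run removes it.
relay_entries() {
    awk -F '\t' -v now="$1" -v mins="$2" '
        NF >= 2 && $2 ~ /^[0-9]+$/ {
            ip = $1
            sub(/:allow.*$/, "", ip)      # keep only the address part
            state = (now - $2 <= mins * 60) ? "open" : "stale"
            print ip, state
        }'
}

# worst_case_minutes CLEAR_MINUTES CRON_INTERVAL_MINUTES
# Longest time an address can keep relaying after its last POP login:
# the expiry window plus the wait for the next clearing run.
worst_case_minutes() {
    echo $(( $1 + $2 ))
}

# Constructed sample entries (documentation-range addresses).
SAMPLE=$(printf '%s\t%s\n' \
    '192.0.2.10:allow,RELAYCLIENT=""'   1074331800 \
    '192.0.2.20:allow,RELAYCLIENT=""'   1074335100 \
    '198.51.100.7:allow,RELAYCLIENT=""' 1074330000)

NOW=1074335400   # constructed "current time"

echo "15-minute window at $NOW:"
printf '%s\n' "$SAMPLE" | relay_entries "$NOW" 15

echo "worst case, 15 min window, cron every 1 min:  $(worst_case_minutes 15 1) min"
echo "worst case, 15 min window, cron every 15 min: $(worst_case_minutes 15 15) min"
echo "worst case, 1 day window, cron every 15 min:  $(worst_case_minutes 1440 15) min"
```

Lines reported as stale are the ones a less frequent clearing job leaves usable for relaying past the configured window.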





RE: [vchkpw] qmail-smtpd-chkusr patch not applying

2004-01-17 Thread tonix (Antonio Nati)
At 16/01/2004 16/01/2004 -0800, Russell Mann wrote:

> Thanks Rick... I'm sure that's where I'm hanging up, but there are no good
> instructions on how to do this, just This is what you should do.

You should understand the reason. As you, with vpopmail, could use MySQL,
ldap, Postgres, etc., I cannot point all possible problems coming from
those products. I may just give you the direction, you have to do the rest.

> So, I've tried several things in the Makefile, to no avail.
> ..
> [snip]
> ..
> -lcrypt /home/vpopmail/lib/libvpopmail.a \
> -L/usr/lib/mysql -lmysqlclient
> /usr/lib/mysql/libmysqlclient.a(my_compress.o): In function `my_uncompress':
> my_compress.o(.text+0x9a): undefined reference to `uncompress'
> /usr/lib/mysql/libmysqlclient.a(my_compress.o): In function `my_compress_alloc':
> my_compress.o(.text+0x12a): undefined reference to `compress'
> collect2: ld returned 1 exit status
> make: *** [qmail-smtpd] Error 1

You should check if mysql client libraries have dependencies, and need
other external libraries.

Probably you need to add -lz in the Makefile (after -lcrypt), as you could
miss those libraries.

Ciao,

Tonino

[EMAIL PROTECTED]Interazioni di Antonio Nati
   http://www.interazioni.it  [EMAIL PROTECTED]



[vchkpw] Sorry....

2004-01-17 Thread Alex Borges
I guess you get this question every day and twice on Sundays, although
not on this list since I've checked the archives.


Now, the thing is, I cannot get courier-imap to compile (0.42.2, source
package as distributed in Debian sarge. Courier latest stable vanilla
also fails the exact same way) with vpopmail (latest stable vanilla) in
Debian due to two things:

1.- Configure fails due to a missing /home/vpopmail/etc/lib_deps which
is just not there. I 'touch' it and configure continues

2.- After doing that, it fails when linking the vchkpwd auth stuff. This
happens even if I copy /home/vpopmail/lib/libvpopmail.a to /usr/lib.

I'm compiling all this from the /usr/local/src directory with all the
flags in the Debian package, let me show you:

COMMON_CONFOPTS=--prefix=/usr --mandir=\$${prefix}/share/man \
--with-piddir=/var/run/courier \
--sysconfdir=/etc/courier \
--libexecdir=\$${prefix}/lib/courier \
--datadir=\$${prefix}/lib/courier \
--localstatedir=/var/lib/courier \
--sbindir=\$${prefix}/sbin \
--with-mailuser=daemon \
--with-mailgroup=daemon \
--without-socks \
--enable-workarounds-for-imap-client-bugs \
--with-authpam \
--without-authpwd \
--with-authmysql \
--with-mysql-includes=/usr/include/mysql \
--with-mysql-libs=/usr/lib \
--with-authpgsql \
--with-pgsql-includes=/usr/include/postgresql \
--with-pgsql-libs=/usr/lib \
--without-authshadow \
--with-authdaemonvar=/var/run/courier/authdaemon \
--with-authcram \
--with-db=gdbm \
--without-fcgi \
--with-htmllibdir=/usr/share/sqwebmail \
--with-ispell=/usr/bin/ispell \
--enable-imageurl=/sqwebmail \
--with-mailer=/usr/sbin/sendmail \
--enable-sendmail=/usr/sbin/sendmail \
--with-cachedir=/var/cache/sqwebmail \
--with-calendardir=/var/run/courier/calendar \
--with-webadmindir=/usr/share/courier/webadmin \
--enable-userdb \
--enable-syslog=1 \
--enable-unicode \
--disable-root-check

As you can see, I took away the without-vchkpw directive so that it
correctly attempts to configure for vpopmail.

The courier people (from their ml archives) claim it's all the vpopmail
people's fault, I think they can be pretty snotty but hey, it's their imap
server

So, any help would be greatly appreciated




Re: [vchkpw] Sorry....

2004-01-17 Thread Alex Borges
No better teacher than oneself... sorry for the happy trigger, I
should've researched a bit more... here is the solution with the latest
vanilla courier imap:


1.- Don't know why /home/vpopmail/etc/lib_deps and inc_deps is not
created by vpopmail install... BUT, you need to put in there the
includes and libs that courier will need to link into vpopmail.
Here is mine:

[EMAIL PROTECTED]:~/courier-imap-2.2.1$ cat /home/vpopmail/etc/lib_deps
-L/home/vpopmail/lib -lvpopmail -L/usr/lib/ -lmysqlclient -lz
[EMAIL PROTECTED]:~/courier-imap-2.2.1$ cat /home/vpopmail/etc/inc_deps
-I/home/vpopmail/include

2.- Even then, as vpopmail sets the permissions on the ~/lib directory
to +x to root and to vpopmail.a +r only to root, you'll need to either
change (temporarily) the permissions so that the compiling user can read
and change into the directory. To be on the safe side, you can put in
/etc/ld.so.conf the /home/vpopmail/lib directory. That's what I did, it
worked.

Now, I'll keep you posted on DOES IT RUN?

3.- Too much to keep track of with my previous configure options...
so, I changed to what the inter7 vpopmail faq recommends




Re: [vchkpw] Sorry....

2004-01-17 Thread Michael Bowe
What version of vpopmail are you using?

I think you will find that the bugs you mention below are fixed in the
recent vpopmail development versions

Michael.

- Original Message - 
From: Alex Borges [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, January 18, 2004 7:59 AM
Subject: Re: [vchkpw] Sorry


> No better teacher than oneself... sorry for the happy trigger, I
> should've researched a bit more... here is the solution with the latest
> vanilla courier imap:
>
>
> 1.- Don't know why /home/vpopmail/etc/lib_deps and inc_deps is not
> created by vpopmail install... BUT, you need to put in there the
> includes and libs that courier will need to link into vpopmail.
> Here is mine:
>
> [EMAIL PROTECTED]:~/courier-imap-2.2.1$ cat /home/vpopmail/etc/lib_deps
> -L/home/vpopmail/lib -lvpopmail -L/usr/lib/ -lmysqlclient -lz
> [EMAIL PROTECTED]:~/courier-imap-2.2.1$ cat /home/vpopmail/etc/inc_deps
> -I/home/vpopmail/include
>
> 2.- Even then, as vpopmail sets the permissions on the ~/lib directory
> to +x to root and to vpopmail.a +r only to root, you'll need to either
> change (temporarily) the permissions so that the compiling user can read
> and change into the directory. To be on the safe side, you can put in
> /etc/ld.so.conf the /home/vpopmail/lib directory. That's what I did, it
> worked.
>
> Now, I'll keep you posted on DOES IT RUN?
>
> 3.- Too much to keep track of with my previous configure options...
> so, I changed to what the inter7 vpopmail faq recommends






Re: [vchkpw] spamassassin patch ready ahead of schedule

2004-01-17 Thread Raboo Treed
Is this a feature that will be added to vpopmail permanently??

If not now it should be in contrib on the stable I think