Re: [vchkpw] Authentication failure [RESOLVED]

2004-11-25 Thread Casey Allen Shobe
On Thu, November 25, 2004 1:08 pm, Casey Allen Shobe said:
> I'll keep digging...

Aha, seems that once vchkpw was SUID root, and qmail-smtpd was restarted,
everything worked grand.

The core of my problem here was that I did not realize chown would remove
SUID/SGID bits, and learned the really hard way.  Well, all's well that
ends well, and I'll not soon forget this lesson.  On the bright side,
every sort of problem like this becomes a wonderful opportunity to learn
much more about the product you're using :-).

Thanks for the assistance and advice, especially Tom whose advice proved
invaluable!

--
Casey Allen Shobe, the Ready-For-Sleep-Now Postmaster
[EMAIL PROTECTED]
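
The behaviour described in the message above (chown, and likewise chgrp, clearing SUID/SGID bits) is easy to miss during a bulk ownership change such as the `find / -group 1004 ... | xargs` run quoted later in this thread. The following is an added example, not part of the original thread or of vpopmail: it snapshots special mode bits before such a change and restores them afterwards. The function names are hypothetical, and it assumes GNU find and stat on Linux.

```shell
#!/bin/sh
# Added example (hypothetical function names). Assumes GNU find/stat on
# Linux; paths containing tabs or newlines are not handled.

# List every regular file under $1 carrying SUID (4000) or SGID (2000) as
# "mode<TAB>uid:gid<TAB>path". Run this BEFORE a bulk chown/chgrp.
snapshot_special_bits() {
    find "$1" -xdev -type f -perm /6000 -printf '%m\t%U:%G\t%p\n'
}

# Compare the snapshot in $1 with the current state. Every file whose mode
# changed is reported with old and new ownership, then chmod'ed back.
restore_special_bits() {
    tab=$(printf '\t')
    while IFS="$tab" read -r mode owner path; do
        [ -f "$path" ] || { echo "missing: $path" >&2; continue; }
        now=$(stat -c '%a' "$path")
        [ "$now" = "$mode" ] && continue
        echo "$path: mode $now -> $mode (owner was $owner, is $(stat -c '%u:%g' "$path"))"
        chmod "$mode" "$path"
    done < "$1"
}

# Round trip on a scratch file (constructed sample, no root required).
# Prints the mode after chgrp and after restore, one per line.
demo_roundtrip() {
    dir=$(mktemp -d) && snap=$(mktemp) || return 1
    : > "$dir/helper" && chmod 4755 "$dir/helper"
    snapshot_special_bits "$dir" > "$snap"
    chgrp "$(id -g)" "$dir/helper"      # Linux normally drops SUID here
    stat -c '%a' "$dir/helper"
    restore_special_bits "$snap" > /dev/null
    stat -c '%a' "$dir/helper"
    rm -rf "$dir" "$snap"
}

demo_roundtrip
```

Check the reported ownership before relying on the restored bit: in this thread vchkpw only worked when it was SUID and owned by root, so the same mode on a file with a different owner is not equivalent.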


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Casey Allen Shobe
On Thu, November 25, 2004 1:33 pm, Erwin Hoffmann said:
> with the standard SMTP-Auth patch (I don't know which is included in your
> Gentoo patch) you don't need the hostname in the call of the PAM.
>
> Check "man qmail-smtpd" and read my
>
> http://www.fehcom.de/qmail/smtpauth.html

Heavy reading..poked around a bit more, but...

* The run file has not changed since it was working.
* The run file works if I replace vchkpw with checkpassword.

So...I'm going to assume, rather than spending too much time looking at
all the patches Gentoo applies, that the run file is acceptable.  It's not
the same as the standard one I applied to my own build before, as it only
works after STARTTLS and some other things...  Especially with the
indication that it's a permissions problem (as it was in the case of
qmailadmin).

I found that when I execute the following as the qmaild user:
printf "[EMAIL PROTECTED]" | /var/vpopmail/bin/vchkpw
/bin/id 3<&0

With the binary owned by root and not SUID, I get no response.
With the binary owned by vpopmail and SUID, I get no response.
With the binary owned by root and SUID, I get:
uid=89(vpopmail) gid=89(vpopmail) groups=200(nofiles)

I still haven't got smtp auth working with vchkpw yet, though...

-- 
Casey Allen Shobe
[EMAIL PROTECTED]


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Erwin Hoffmann
Hi,

At 11:02 25.11.04 -0800, Casey Allen Shobe wrote:
>On Thu, November 25, 2004 9:50 am, Tom Collins said:
>> What are the permissions on qmailadmin?
>> -rwsr-sr-x1 vpopmail vchkpw 438385 Aug 26 09:53 qmailadmin
>
>Mine was not ug+s, but that would not have changed.  I went ahead and
>chmoded it so that it looked identical to yours, however logins still
>failed.
>
>> And what does your qmail-smtpd run file look like?
>
>It's the stock run file that comes with Gentoo's build of QMail, with a
>change out of /bin/checkpassword for /var/vpopmail/bin/vchkpw.  After
>variable substitution, it boils down to this:
>exec /usr/bin/softlimit -m 800 /usr/bin/tcpserver -p -v -R -x
>/etc/tcprules.d/tcp.qmail-smtpd -c 40 -u `id -u qmaild` -g `id -g qmaild`
>0.0.0.0 smtp rblsmtpd -r relays.ordb.org -r bl.spamcop.net -r
>dnsbl.sorbs.net -r sbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd
>midgard.osss.net /var/vpopmail/bin/vchkpw /bin/true 2>&1

with the standard SMTP-Auth patch (I don't know which is included in your
Gentoo patch) you don't need the hostname in the call of the PAM.

Check "man qmail-smtpd" and read my 

http://www.fehcom.de/qmail/smtpauth.html

regards.
--eh.



Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Casey Allen Shobe
On Thu, November 25, 2004 11:02 am, Casey Allen Shobe said:
> On Thu, November 25, 2004 9:50 am, Tom Collins said:
>> What are the permissions on qmailadmin?
>> -rwsr-sr-x1 vpopmail vchkpw 438385 Aug 26 09:53 qmailadmin
>
> Mine was not ug+s, but that would not have changed.  I went ahead and
> chmoded it so that it looked identical to yours, however logins still
> failed.

WHOOPS, turns out I was completely wrong here.  I tried chmod ug+s on the
main copy of qmailadmin, but as it happened, I'd copied that file into my
web root, rather than symlinked.  So I tried ug+s on the correct copy, and
it works.  I then tried a manual chown 1004:1004 on the file, and saw that
the +s attributes were removed (not what I would have thought)!  So, long
story short, qmailadmin is now working again, it's just smtp auth that's
not working now.

I'll keep digging...thanks for all your advice so far,

--
Casey Allen Shobe
[EMAIL PROTECTED]


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Casey Allen Shobe
On Thu, November 25, 2004 11:38 am, Tom Collins said:
> On Nov 24, 2004, at 9:32 PM, Casey Allen Shobe wrote:
>> find / -group 1004 -print0 | xargs -0 chown 89
>
> I assume you meant chgrp 89.

You are correct, I typoed when typing the email, not the actual command.
To verify, I have ensured that there is nothing owned by UID 1004 or GID
1004 on the entire system.

> If qmail-smtpd can't run vchkpw, it can't authenticate.  I'd look into
> why that might be the case.

I temporarily changed qmaild's shell to /bin/bash, su - qmaild'd, and
successfully executed vchkpw:

$ vchkpw
vchkpw-pop3: vchkpw is only for talking with qmail-popup and qmail-pop3d.
It is not for runnning on the command line.

> What is the ownership of the files/directories in /home/vpopmail?

# ls -l /var/vpopmail/ (~vpopmail == /var/vpopmail on gentoo)
drwxr-xr-x 2 root root 784 Nov 25 07:18 bin/
lrwxrwxrwx 1 root root 33 Nov 25 07:18 doc ->
/usr/share/doc/vpopmail-5.4.6-r1/
drwxr-xr-x 5 vpopmail vpopmail 352 Nov 25 14:44 domains/
drwxr-xr-x 3 root root 184 Nov 23 07:34 etc/
drwxr-xr-x 2 root root 200 Nov 25 07:18 include/
drwxr-xr-x 2 vpopmail vpopmail 80 Nov 25 07:18 lib/

And before you ask, vpopmail is the normal name for the group on the
gentoo install, as opposed to the more traditional vchkpw.  I'm 90% sure
that permissions and ownerships aren't the problem here, because all I did
was a specific chown which I reversed exactly.  I have a feeling that
there's a UID tucked away in a file someplace.  How can we enable debug
logging for vchkpw or something to give an insight?

Cheers,

-- 
Casey Allen Shobe
[EMAIL PROTECTED]


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Tom Collins
On Nov 24, 2004, at 9:32 PM, Casey Allen Shobe wrote:
> find / -group 1004 -print0 | xargs -0 chown 89

I assume you meant chgrp 89.

I don't know how a typical Gentoo install handles ownership.  On my
install, qmail-smtpd runs as the vpopmail user.

If qmail-smtpd can't run vchkpw, it can't authenticate.  I'd look into
why that might be the case.

What is the ownership of the files/directories in /home/vpopmail?
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Casey Allen Shobe
On Thu, November 25, 2004 9:50 am, Tom Collins said:
> What are the permissions on qmailadmin?
> -rwsr-sr-x1 vpopmail vchkpw 438385 Aug 26 09:53 qmailadmin

Mine was not ug+s, but that would not have changed.  I went ahead and
chmoded it so that it looked identical to yours, however logins still
failed.

> And what does your qmail-smtpd run file look like?

It's the stock run file that comes with Gentoo's build of QMail, with a
change out of /bin/checkpassword for /var/vpopmail/bin/vchkpw.  After
variable substitution, it boils down to this:
exec /usr/bin/softlimit -m 800 /usr/bin/tcpserver -p -v -R -x
/etc/tcprules.d/tcp.qmail-smtpd -c 40 -u `id -u qmaild` -g `id -g qmaild`
0.0.0.0 smtp rblsmtpd -r relays.ordb.org -r bl.spamcop.net -r
dnsbl.sorbs.net -r sbl-xbl.spamhaus.org /var/qmail/bin/qmail-smtpd
midgard.osss.net /var/vpopmail/bin/vchkpw /bin/true 2>&1

I don't believe there is anything wrong with that file because it worked
fine before with vchkpw, and works fine now with checkpassword, just not
vchkpw.

> Did you fix the UID/GID in the /etc/passwd file?

Of course.  Like I said, qmail-send is currently delivering mail fine, and
I can access the mail fine via bincimap...the former depends on vpopmail
working, and the latter uses vchkpw...

I've also found I can run vchangepw and change a password fine, but I
still cannot log in to smtp or qmailadmin as that user.

> Are you sure your qmail-smtpd is running as user vpopmail (with the
> correct uid/gid)?

Why would it?  From the above run file, it appears to run as qmaild:qmaild
(201:200) - this has never changed, it was the same when it was working
fine yesterday.  It is delivering mail to vpopmail users sent in via
regular SMTP perfectly...it's just started rejecting SMTP AUTH connections
which users of my system use via TLS to relay.

Cheers,

-- 
Casey Allen Shobe
[EMAIL PROTECTED]


Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Tom Collins
On Nov 25, 2004, at 5:06 AM, Casey Allen Shobe wrote:
> On Wed, November 24, 2004 9:32 pm, Casey Allen Shobe said:
>> Upon restarting services, I've found that bincimap authenticates okay, and
>> qmail-send delivers mail...  However qmail-smtpd cannot authenticate
>
> And neither qmailadmin.  So imap and mail delivery work, but qmailadmin
> and smtp auth don't.  What gives?

What are the permissions on qmailadmin?
-rwsr-sr-x1 vpopmail vchkpw 438385 Aug 26 09:53 qmailadmin

And what does your qmail-smtpd run file look like?  Did you fix the
UID/GID in the /etc/passwd file?  Are you sure your qmail-smtpd is
running as user vpopmail (with the correct uid/gid)?

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


[vchkpw] Convert from cdb to ldap

2004-11-25 Thread macdutra
Hi,

How do I migrate my vpopmail base from cdb to ldap?
The vconvert tool doesn't do it; why doesn't this tool do it?
I use vpopmail version 5.4.8.

Thanks

Marcos



Re: [vchkpw] just noticed something with chkuser ....

2004-11-25 Thread tonix (Antonio Nati)
At 18.34 24/11/2004, you wrote:
> On Wednesday 24 November 2004 04:17 am, tonix (Antonio Nati) wrote:
>> CORRECTION TO THE PREVIOUS MESSAGE.
>>
>>
>> CHKUSER_ENABLE_NULL_SENDER is in 2.0.7.
>>
>> This version may be considered stable, despite of its "devel" attribute.
>
> I tried to use it.. looks like I need to patch with 2.0.6 and then patch the
> 2.0.7 patch against it?

No, if you have 2.0.5 means you're not using Toaster (version 2.0.6
contains only the Toaster patch).

You have to copy newer chkuser.c, chkuser.h, chkuser_settings.h and patch
your Makefile using Makefile.patch.

>> On next days I'll publish a 2.0.8 "release", and update online
>> documentation. 2.0.8 that will probably be the definitive stable chkuser,
>> with the most of RFC compliance.
>>
>> One general question, before I publish 2.0.8:
>>
>> Does it make sense to have format checking enabled as default?
>
> I think it's beyond the scope of the functionality of the chkuser patch, to be
> honest.
>
> Perhaps the code could be split up into chkuser, which does its purpose in
> validating local recipients, and another patch that attempts to perform some
> checks on the envelope sender.

I'll follow this suggestion: keeping all non RFC options commented (exclude
format control, exclude MX control, accept NULL sender, etc.), and
improving documentation.

Thanks,
Tonino

> -Jeremy
> --
> Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
>   [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
>   kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
>  GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]



Re: [vchkpw] Authentication failure with qmail-smtpd +auth and vchkpw

2004-11-25 Thread Casey Allen Shobe
On Wed, November 24, 2004 9:32 pm, Casey Allen Shobe said:
> Upon restarting services, I've found that bincimap authenticates okay, and
> qmail-send delivers mail...  However qmail-smtpd cannot authenticate

And neither qmailadmin.  So imap and mail delivery work, but qmailadmin
and smtp auth don't.  What gives?

-- 
Casey Allen Shobe
[EMAIL PROTECTED]