Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
tonix (Antonio Nati) wrote:
> At 16.15 15/06/2006, you wrote:
> > Thanks, Tonino. But isn't that snippet needed for the TLS-support?
>
> If you are using specific certificates on client side you probably
> need it, otherwise it is completely unuseful.

Ah, yes. So the TLS-patch would support authentication by client-certificates? Cool ;-)

Anyway, I will try this ASAP. Thanks a lot, again.

cheers,
Rainer

[vchkpw] Re: Segfaulting in vadddomain
Manuzhai wrote:
> What trips up vpopmail: the localhost line. I'm not sure whether this
> *should* be valid or not, but the extract_domain() function in
> vpopmail.c sure doesn't like it.

I hit this problem too:
http://sourceforge.net/mailarchive/forum.php?thread_id=9950580&forum_id=34827

R.

Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
At 16.15 15/06/2006, you wrote:
> tonix (Antonio Nati) wrote:
> > Cut away all these lines:
> >
> > and put the following code:
> >
> >   /* start chkuser code */
> >   switch (chkuser_realrcpt (&mailfrom, &addr)) {
> >     case CHKUSER_KO:
> >       return;
> >       break;
> >     case CHKUSER_RELAYING:
> >       --addr.len;
> >       if (!stralloc_cats(&addr,relayclient)) die_nomem();
> >       if (!stralloc_0(&addr)) die_nomem();
> >       break;
> >   }
> >   /* end chkuser code */
> >
> > Ciao,
> > Tonino
>
> Thanks, Tonino. But isn't that snippet needed for the TLS-support?

If you are using specific certificates on client side you probably need it, otherwise it is completely unuseful.

> I must admit that I'm not familiar with the code here - according to a
> .spec-file, this is a qmail that is patched with:
>
> errno.h fix
> qmail-0.0.0.0 patch
> qmail local patch
> qmail-smtpd-auth-close3 patch
> big concurrency patch
> qregex patch
> qmail-queue patch
> mfcheck patch
> tarpit patch
> oversize dns patch
> maildir quota patch
> smtp-auth patch
> tls patch
> qmail smtpd viruscan patch

Probably you can save a lot of work if you use Shupp's toaster, that includes the most of those patch (more chkuser), and after you can add what you lack.

> Also, the current qmail-smtpd seems to be linked to libssl, too.
> (And the spec-file also says:
> %define ccflags %{optflags} -DTLS -I/usr/kerberos/include)
>
> Do you think there is a problem?

No problem.

Ciao,
Tonino

> Best Regards,
> Rainer

Re: [vchkpw] Re: Segfaulting in vadddomain
Manuzhai wrote:
> Manuzhai wrote:
> > Any ideas on what I can do to fix this?
>
> (Always nice, a little self-quoting...)
>
> Okay, so I figured out what the problem is, I think. Lots of nice
> little fprintf(stderr, "...")'s later, I've come to the conclusion that
> Matt Brookings was right on the money stating that "your assign file
> has some sort of syntax error in it". Indeed it does. I posted my
> assign file in a later message:
>
> enrai users # cat assign
> +localhost-:localhost:89:89:/var/vpopmail/domains/localhost:-::
> +arlman.com-:arlman.com:89:89:/var/vpopmail/domains/arlman.com:-::
> +leden.hebe.nl-:leden.hebe.nl:89:89:/var/vpopmail/domains/leden.hebe.nl:-::
> +manuzhai.nl-:manuzhai.nl:89:89:/var/vpopmail/domains/manuzhai.nl:-::
> +xavamedia.nl-:xavamedia.nl:89:89:/var/vpopmail/domains/xavamedia.nl:-::
> .
>
> What trips up vpopmail: the localhost line. I'm not sure whether this
> *should* be valid or not, but the extract_domain() function in
> vpopmail.c sure doesn't like it. Here's what it looks like with the
> fprintf statements that are already in the code doing their work:
>
> enrai vpopmail-5.4.16 # vadddomain ochtman.nl test
> extract_domain - line: +ochtman.nl-:ochtman.nl:89:89:/var/vpopmail/domains/ochtman.nl:-::
> extract_domain - result: ochtman.nl
> extract_domain - i: 0 part: ochtman
> extract_domain - i: 1 part: nl
> extract_domain - modified i: 0 part: ochtman
> extract_domain - modified i: 1 part: nl
> extract_domain - final result: ochtman.nl
> BEFORE READING
> AFTER TRIMMING
> BEFORE EXTRACTION
> extract_domain - line: +localhost-:localhost:89:89:/var/vpopmail/domains/localhost:-::
> extract_domain - result: localhost
> extract_domain - i: 0 part: localhost
> Segmentation fault
> enrai vpopmail-5.4.16 #
>
> (The three uppercase ones are from me.)
>
> So. I'm not sure how I got it in there; vdeldomain seems to think
> localhost is an invalid domain, so I'm guessing vadddomain would do so
> too. I may have used one of the qmail tools to add it.
>
> Now, would it be safe for me to just remove the offending line from the
> assign file, or is there some other, better way to get it out?
>
> And, if anyone would be so kind as to offer me some advice on this
> somewhat off-topic question, that would be appreciated: how *do* I make
> sure any email to [EMAIL PROTECTED] (especially for [EMAIL PROTECTED])
> gets forwarded to some other (remote) email address?
>
> In any case, thanks for any help, and for the (otherwise ;) great
> software.

It might be the sorting code is looking for domains with dots in them and the single hostname with no dot confuses the sort.

Ken Jones

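The dotless localhost entry discussed in this thread, as an added example that is not part of any post and is not vpopmail's code: a bounds-checked check of one assign line that splits the domain into labels and reports a single-label name instead of assuming a second part exists. The field layout is assumed from the lines quoted above; check_assign_line, split_labels, all_digits and the size limits are hypothetical names and values.

```c
/* Added example, not vpopmail source. Field layout follows the assign
 * lines quoted in this thread: +domain-:domain:uid:gid:dir:-:: */
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8   /* assumption: illustrative limit */
#define LABEL_MAX  63  /* DNS label length limit */
enum { ASSIGN_OK = 0, ASSIGN_DOTLESS = 1, ASSIGN_MALFORMED = -1 };

struct assign_entry {
    char domain[256];
    int  nlabels;
    char labels[MAX_LABELS][LABEL_MAX + 1];
};

/* Split a domain into labels; returns the count (1 for "localhost")
 * or -1 on an empty or oversized label, or on too many labels. */
static int split_labels(const char *s, char out[][LABEL_MAX + 1])
{
    int n = 0;
    for (;;) {
        size_t len = strcspn(s, ".");
        if (len == 0 || len > LABEL_MAX || n == MAX_LABELS) return -1;
        memcpy(out[n], s, len);
        out[n++][len] = '\0';
        if (s[len] == '\0') return n;
        s += len + 1;
    }
}

static int all_digits(const char *s) { return *s && s[strspn(s, "0123456789")] == '\0'; }

/* Validate one line; never touches a field or label that was not found. */
int check_assign_line(const char *line, struct assign_entry *e)
{
    char buf[512], *f[5], *p;
    size_t n = strlen(line);
    int i;
    if (n < 2 || n >= sizeof buf || line[0] != '+') return ASSIGN_MALFORMED;
    memcpy(buf, line + 1, n);            /* n bytes: includes the NUL */
    for (p = buf, i = 0; i < 5; i++) {   /* five ':'-terminated fields */
        f[i] = p;
        if ((p = strchr(p, ':')) == NULL) return ASSIGN_MALFORMED;
        *p++ = '\0';
    }
    n = strlen(f[0]);                    /* address prefix "domain-" */
    if (n < 2 || n > sizeof e->domain || f[0][n - 1] != '-')
        return ASSIGN_MALFORMED;
    memcpy(e->domain, f[0], n - 1);
    e->domain[n - 1] = '\0';
    if (!all_digits(f[2]) || !all_digits(f[3]) || f[4][0] != '/')
        return ASSIGN_MALFORMED;
    if ((e->nlabels = split_labels(e->domain, e->labels)) < 0)
        return ASSIGN_MALFORMED;
    return e->nlabels == 1 ? ASSIGN_DOTLESS : ASSIGN_OK;
}

int main(void)
{
    struct assign_entry e;   /* the line below is the one from the thread */
    const char *l = "+localhost-:localhost:89:89:/var/vpopmail/domains/localhost:-::";
    printf("status %d\n", check_assign_line(l, &e));
    return 0;
}
```

A caller that wants the second label has to test nlabels first; for the localhost line the function returns ASSIGN_DOTLESS with nlabels set to 1.
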
[vchkpw] Re: Segfaulting in vadddomain
Manuzhai wrote:
> Any ideas on what I can do to fix this?

(Always nice, a little self-quoting...)

Okay, so I figured out what the problem is, I think. Lots of nice little fprintf(stderr, "...")'s later, I've come to the conclusion that Matt Brookings was right on the money stating that "your assign file has some sort of syntax error in it". Indeed it does. I posted my assign file in a later message:

enrai users # cat assign
+localhost-:localhost:89:89:/var/vpopmail/domains/localhost:-::
+arlman.com-:arlman.com:89:89:/var/vpopmail/domains/arlman.com:-::
+leden.hebe.nl-:leden.hebe.nl:89:89:/var/vpopmail/domains/leden.hebe.nl:-::
+manuzhai.nl-:manuzhai.nl:89:89:/var/vpopmail/domains/manuzhai.nl:-::
+xavamedia.nl-:xavamedia.nl:89:89:/var/vpopmail/domains/xavamedia.nl:-::
.

What trips up vpopmail: the localhost line. I'm not sure whether this *should* be valid or not, but the extract_domain() function in vpopmail.c sure doesn't like it. Here's what it looks like with the fprintf statements that are already in the code doing their work:

enrai vpopmail-5.4.16 # vadddomain ochtman.nl test
extract_domain - line: +ochtman.nl-:ochtman.nl:89:89:/var/vpopmail/domains/ochtman.nl:-::
extract_domain - result: ochtman.nl
extract_domain - i: 0 part: ochtman
extract_domain - i: 1 part: nl
extract_domain - modified i: 0 part: ochtman
extract_domain - modified i: 1 part: nl
extract_domain - final result: ochtman.nl
BEFORE READING
AFTER TRIMMING
BEFORE EXTRACTION
extract_domain - line: +localhost-:localhost:89:89:/var/vpopmail/domains/localhost:-::
extract_domain - result: localhost
extract_domain - i: 0 part: localhost
Segmentation fault
enrai vpopmail-5.4.16 #

(The three uppercase ones are from me.)

So. I'm not sure how I got it in there; vdeldomain seems to think localhost is an invalid domain, so I'm guessing vadddomain would do so too. I may have used one of the qmail tools to add it.

Now, would it be safe for me to just remove the offending line from the assign file, or is there some other, better way to get it out?

And, if anyone would be so kind as to offer me some advice on this somewhat off-topic question, that would be appreciated: how *do* I make sure any email to [EMAIL PROTECTED] (especially for [EMAIL PROTECTED]) gets forwarded to some other (remote) email address?

In any case, thanks for any help, and for the (otherwise ;) great software.

Regards,
Manuzhai

Re: [vchkpw] Re: Segfaulting in vadddomain
On Thu, 2006-06-15 at 17:24 +0200, Manuzhai wrote:
> Well, it wasn't the kernel, and it also wasn't glibc. I upgraded to a
> newer /bin/login, could that have anything to do with it?

It was something on your box, and you'll have to figure out what it was that changed. You can follow the bugzilla report I submitted for clues as to what to look for.

All I know is that I YUM updated my FC4 system and the problem went away. I didn't care to look to see what component was actually at fault. I don't really care. For me it must have been a kernel or related package because when I downgraded to an older kernel, the problem also went away. It was only with the most recent kernel at the time and possibly whatever it drags in that the problem manifested itself. After another kernel upgrade, the problem disappeared.

> Regardless, it seems like no user-facing tools should ever segfault.

Agreed. But by the same logic, NOTHING should ever fail. If by user facing tools, you mean a vpopmail component, you must remember that vpopmail like most applications uses libraries of object modules for a good portion of its functionality. Those libraries sometimes evolve to contain a bug of some sort, and then vpopmail inherits the problem.

--
Bill Gradwohl

[vchkpw] Re: Segfaulting in vadddomain
Bill Gradwohl wrote:
> It may not have been the kernel directly, but clib or one of the other
> O/S components. Think about it, Something changed on your box and
> you're segfaulting. That's exactly what happened to me and it was O/S
> related. Had nothing to do with vpopmail.

Well, it wasn't the kernel, and it also wasn't glibc. I upgraded to a newer /bin/login, could that have anything to do with it?

Regardless, it seems like no user-facing tools should ever segfault.

Regards,
Manuzhai

Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
tonix (Antonio Nati) wrote:
> Cut away all these lines:
>
> and put the following code:
>
>   /* start chkuser code */
>   switch (chkuser_realrcpt (&mailfrom, &addr)) {
>     case CHKUSER_KO:
>       return;
>       break;
>     case CHKUSER_RELAYING:
>       --addr.len;
>       if (!stralloc_cats(&addr,relayclient)) die_nomem();
>       if (!stralloc_0(&addr)) die_nomem();
>       break;
>   }
>   /* end chkuser code */
>
> Ciao,
> Tonino

Thanks, Tonino. But isn't that snippet needed for the TLS-support?

I must admit that I'm not familiar with the code here - according to a .spec-file, this is a qmail that is patched with:

errno.h fix
qmail-0.0.0.0 patch
qmail local patch
qmail-smtpd-auth-close3 patch
big concurrency patch
qregex patch
qmail-queue patch
mfcheck patch
tarpit patch
oversize dns patch
maildir quota patch
smtp-auth patch
tls patch
qmail smtpd viruscan patch

Also, the current qmail-smtpd seems to be linked to libssl, too.
(And the spec-file also says:
%define ccflags %{optflags} -DTLS -I/usr/kerberos/include)

Do you think there is a problem?

Best Regards,
Rainer

Re: [vchkpw] Re: Segfaulting in vadddomain
On Thu, 2006-06-15 at 15:41 +0200, Manuzhai wrote:
> Bill Gradwohl wrote:
> > I had this problem a few weeks ago on a Fedora Core 4 system, and it
> > turned out to be a problem somewhere in the kernel or support libraries.
> > I reported it and it was resolved when a new kernel build came out.
>
> It's not a kernel problem for me; it worked fine a few days/weeks ago,
> using exactly the same kernel.

It may not have been the kernel directly, but clib or one of the other O/S components. Think about it, Something changed on your box and you're segfaulting. That's exactly what happened to me and it was O/S related. Had nothing to do with vpopmail.

--
Bill Gradwohl

[vchkpw] Re: Segfaulting in vadddomain
Rainer Duffner wrote:
> I've got everything owned by vpopmail:vchkpw.
> Maybe that is the problem.

Both

enrai bin # chown root:root vchkpw

and

enrai bin # chown vpopmail:vpopmail *

don't work; it still segfaults.

Rainer Duffner wrote:
> Also, the output of id vpopmail is of interest.
> (To see if it matches the uid/gid in the assign-file)

[EMAIL PROTECTED] ~ $ id vpopmail
uid=89(vpopmail) gid=89(vpopmail) groups=89(vpopmail)

Regards,
Manuzhai

[vchkpw] Re: Segfaulting in vadddomain
Bill Gradwohl wrote:
> I had this problem a few weeks ago on a Fedora Core 4 system, and it
> turned out to be a problem somewhere in the kernel or support
> libraries. I reported it and it was resolved when a new kernel build
> came out.

It's not a kernel problem for me; it worked fine a few days/weeks ago, using exactly the same kernel.

Regards,
Manuzhai

Re: [vchkpw] CHKUSER for non-netqmail, non-stock-qmail
Cut away all these lines:

  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
    if (!addrallowed()) { err_nogateway(); return; }
#else
    if (!addrallowed()) {
      if (ssl) {
        STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;
        SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
          { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);
        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
          { err_nogateway(); return; }
        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK)
          {out("553 no valid cert for gatewaying: ");
           out(X509_verify_cert_error_string(r));
           out(" (#5.7.1)\r\n");
           return;
          }
        if (peercert = SSL_get_peer_certificate(ssl))
          {char emailAddress[256];
           X509_NAME_get_text_by_NID(X509_get_subject_name(
                                      SSL_get_peer_certificate(ssl)),
                                      NID_pkcs9_emailAddress, emailAddress, 256);
           if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
           if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
             { err_nogwcert(); return; }
           relayclient = "";
          }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif

and put the following code:

  /* start chkuser code */
  switch (chkuser_realrcpt (&mailfrom, &addr)) {
    case CHKUSER_KO:
      return;
      break;
    case CHKUSER_RELAYING:
      --addr.len;
      if (!stralloc_cats(&addr,relayclient)) die_nomem();
      if (!stralloc_0(&addr)) die_nomem();
      break;
  }
  /* end chkuser code */

Ciao,
Tonino

At 12.53 15/06/2006, you wrote:
> Hi,
>
> it seems I need to outfit a custom-patched version of qmail with CHKUSER.
>
> In qmail-smtpd.c it has the following code:
>
> void smtp_rcpt(arg) char *arg; {
>   if (!seenmail) { err_wantmail(); return; }
>   if (!addrparse(arg)) { err_syntax(); return; }
>   if (flagbarfspf) { err_spf(); return; }
>   switch (flagbarf) {
>     case 1: logit("badmailfrom: "); err_bmf(); return;
>     case 2: /* should not occur, falltrough to 3 -- logit("domainrbl: "); err_drbl(); return; */
>     case 3: logit("mfcheck-address unknown: "); err_mfcheck(); return;
>     case 4: logit("mfcheck-domain does not resolve: "); err_smf(); return;
>     case 5: logit("mfcheck-socket failure: "); err_smf(); return;
>     case 6: logit("mfcheck-no mx or unreachable: "); err_smf(); return;
>     case 7: logit("mfcheck-permanent dns failure: "); err_hmf(); return;
>     case 8: logit("mfcheck-temporary dns failure: "); err_smf(); return;
>   }
>   if (relayclient) {
>     --addr.len;
>     if (!stralloc_cats(&addr,relayclient)) die_nomem();
>     if (!stralloc_0(&addr)) die_nomem();
>   }
>   else
> #ifndef TLS
>     if (!addrallowed()) { err_nogateway(); return; }
> #else
>     if (!addrallowed()) {
>       if (ssl) {
>         STACK_OF(X509_NAME) *sk;
>         X509 *peercert;
>         stralloc tlsclients = {0};
>         struct constmap maptlsclients;
>         int r;
>         SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);
>         if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
>           { err_nogateway(); return; }
>         SSL_set_client_CA_list(ssl, sk);
>         if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
>            !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
>           { err_nogateway(); return; }
>         SSL_renegotiate(ssl);
>         SSL_do_handshake(ssl);
>         ssl->state = SSL_ST_ACCEPT;
>         SSL_do_handshake(ssl);
>         if ((r = SSL_get_verify_result(ssl)) != X509_V_OK)
>           {out("553 no valid cert for gatewaying: ");
>            out(X509_verify_cert_error_string(r));
>            out(" (#5.7.1)\r\n");
>            return;
>           }
>         if (peercert = SSL_get_peer_certificate(ssl))
>           {char emailAddress[256];
>            X509_NAME_get_text_by_NID(X509_get_subject_name(
>                                       SSL_get_peer_certificate(ssl)),
>                                       NID_pkcs9_emailAddress, emailAddress, 256);
>            if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
>            if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
>              { err_nogwcert(); return; }
>            relayclient = "";
>           }
>         else { err_nogwcert(); return; }
>       }
>       else { err_nogateway(); return; }
>     }
> #endif
>   if (!stralloc_cats(&rcptto,"T")) die_nomem();
>   if (!stralloc_cats(&rcptto,addr.s)) die_nomem();
>   if (!st

[vchkpw] CHKUSER for non-netqmail, non-stock-qmail
Hi,

it seems I need to outfit a custom-patched version of qmail with CHKUSER.

In qmail-smtpd.c it has the following code:

void smtp_rcpt(arg) char *arg; {
  if (!seenmail) { err_wantmail(); return; }
  if (!addrparse(arg)) { err_syntax(); return; }
  if (flagbarfspf) { err_spf(); return; }
  switch (flagbarf) {
    case 1: logit("badmailfrom: "); err_bmf(); return;
    case 2: /* should not occur, falltrough to 3 -- logit("domainrbl: "); err_drbl(); return; */
    case 3: logit("mfcheck-address unknown: "); err_mfcheck(); return;
    case 4: logit("mfcheck-domain does not resolve: "); err_smf(); return;
    case 5: logit("mfcheck-socket failure: "); err_smf(); return;
    case 6: logit("mfcheck-no mx or unreachable: "); err_smf(); return;
    case 7: logit("mfcheck-permanent dns failure: "); err_hmf(); return;
    case 8: logit("mfcheck-temporary dns failure: "); err_smf(); return;
  }
  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
    if (!addrallowed()) { err_nogateway(); return; }
#else
    if (!addrallowed()) {
      if (ssl) {
        STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;
        SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
          { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);
        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
          { err_nogateway(); return; }
        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK)
          {out("553 no valid cert for gatewaying: ");
           out(X509_verify_cert_error_string(r));
           out(" (#5.7.1)\r\n");
           return;
          }
        if (peercert = SSL_get_peer_certificate(ssl))
          {char emailAddress[256];
           X509_NAME_get_text_by_NID(X509_get_subject_name(
                                      SSL_get_peer_certificate(ssl)),
                                      NID_pkcs9_emailAddress, emailAddress, 256);
           if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
           if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
             { err_nogwcert(); return; }
           relayclient = "";
          }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif
  if (!stralloc_cats(&rcptto,"T")) die_nomem();
  if (!stralloc_cats(&rcptto,addr.s)) die_nomem();
  if (!stralloc_0(&rcptto)) die_nomem();
  ++rcptcount;
  out("250 ok\r\n");
}

How should I deal with that?

Thanks in advance,
Rainer

Re: [vchkpw] Re: Segfaulting in vadddomain
On Thu, 2006-06-15 at 12:54 +0300, Boris Pavlov wrote:
> can you post here some more info - it will not be fedora, but if this is
> a kernel problem it can catch all of the distros.

My report : https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=191543 got rolled up into another existing error and a new kernel corrected the problem. However, as you can see, some folks don't think it's really "Fixed".

--
Bill Gradwohl

Re: [vchkpw] Re: Segfaulting in vadddomain
Bill Gradwohl wrote:
> I had this problem a few weeks ago on a Fedora Core 4 system, and it
> turned out to be a problem somewhere in the kernel or support
> libraries. I reported it and it was resolved when a new kernel build
> came out.

can you post here some more info - it will not be fedora, but if this is a kernel problem it can catch all of the distros.

edi

PS debian with stock kernel

Re: [vchkpw] Re: Segfaulting in vadddomain
I had this problem a few weeks ago on a Fedora Core 4 system, and it turned out to be a problem somewhere in the kernel or support libraries. I reported it and it was resolved when a new kernel build came out.

--
Bill Gradwohl

Re: [vchkpw] Re: Segfaulting in vadddomain
Manuzhai wrote:
> Paul Oehler wrote:
> > I believe I've seen this happen when the vpopmail/vchkpw user/group
> > ids are incorrect - that is, they don't match the value specified in
> > the assign file.
>
> Well, this looks maybe kind of off:
>
> enrai users # cd /var/vpopmail/bin/
> enrai bin # ls -l
> total 1504
> -rwx--x--x 1 root root 60696 Jun 14 12:17 clearopensmtp
> -rwx--x--x 1 root root 60952 Jun 14 12:17 dotqmail2valias
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vaddaliasdomain
> -rwx--x--x 1 root root 61720 Jun 14 12:17 vadddomain
> -rwx--x--x 1 root root 60888 Jun 14 12:17 vadduser
> -rwx--x--x 1 root root 60824 Jun 14 12:17 valias
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vchangepw
> -rws--x--x 1 root vpopmail 67124 Jun 14 12:17 vchkpw
> -rwx--x--x 1 root root 62424 Jun 14 12:17 vconvert
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vdeldomain
> -rwx--x--x 1 root root 69016 Jun 14 12:17 vdelivermail
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vdeloldusers
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vdeluser
> -rwx--x--x 1 root root 60792 Jun 14 12:17 vdominfo
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vipmap
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vkill
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vmkpasswd
> -rwx--x--x 1 root root 6 Jun 14 12:17 vmoddomlimits
> -rwx--x--x 1 root root 62584 Jun 14 12:17 vmoduser
> -rwx--x--x 1 root root 59768 Jun 14 12:17 vpasswd
> -rwx--x--x 1 root root 62552 Jun 14 12:17 vpopbull
> -rwx--x--x 1 root root 77592 Jun 14 12:17 vpopmaild
> -rwx--x--x 1 root root 60696 Jun 14 12:17 vsetuserquota
> -rwx--x--x 1 root root 64792 Jun 14 12:17 vuserinfo
>
> Is vchkpw supposed to have the different bits?
>
> Regards,
> Manuzhai

I've got everything owned by vpopmail:vchkpw.
Maybe that is the problem.

Also, the output of
id vpopmail
is of interest.
(To see if it matches the uid/gid in the assign-file)

cheers,
Rainer