Re: [vchkpw] [SPAM] Password strength bug
On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:
> On 15/09/2015 15:03, Drew Wells wrote:
>> On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
>>> On 15/09/2015 11:03, Drew Wells wrote:
>>>> In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.
>>> I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.
>>> Regards, Tonino
>> The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.
> I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser for avoiding password check (it may be a further parameter having default = "check"). It would make developers more protected against unwanted security bugs.
> Regards, Tonino

I agree that it would be better to explicitly indicate to vadduser() that no password is wanted. I even looked quickly at setting the password to NULL to indicate no password, but both this and an explicit parameter would need changes to all the backends, so have left it as is for now.
Re: [vchkpw] [SPAM] valias remove alias
On 09/15/2015 02:26 PM, Alessio Cecchi wrote:
> On 15/09/2015 15:10, Drew Wells wrote:
>> On 09/15/2015 11:06 AM, Alessio Cecchi wrote:
>>> On 15/09/2015 11:22, Drew Wells wrote:
>>>> In vpopmail-5.5.0 (and I think all 5.4.x)
>>> Hi Drew, I suggest installing (and debugging) vpopmail-5.4.33, which is more stable, reliable (and recent) than 5.5.0. When I tried to use 5.5.0 I found more bugs and problems than new features. Why do you need vpopmail-5.5.0?
>> I have been using vpopmail-5.4.x (currently vpopmail-5.4.33) for years and have always added this patch, so in an attempt to get 5.5.0 towards stable I thought I'd send this patch. This patch is also applicable to the 5.4.x branch. The reason I want to use 5.5.0 is the shared library support, which means I don't need to recompile netqmail and dovecot (and others) each time I make changes to vpopmail. I've not found that many bugs with vpopmail-5.5.0 to be honest.
> I remember some problems with vpopmaild (that I'm using for password change via webmail), with large quota size, and a missing flag in MySQL limits for disable_maildrop. Vpopmail-5.5.0 was started from 5.4.28 so changes from 5.4.29 to 5.4.33 are missing (please correct me if I'm wrong). If you have other useful patches for vpopmail-5.4 you are welcome :-) Thanks

I have created a patch for vpopmail-5.5.0 which incorporates all the changes from 5.4.29 to 5.4.33. Does anyone want this patch, or has work on vpopmail-5.5.0 stalled?
Re: [vchkpw] [SPAM] Password strength bug
On 17/09/2015 13:18, Drew Wells wrote:
> On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:
>> On 15/09/2015 15:03, Drew Wells wrote:
>>> On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:
>>>> On 15/09/2015 11:03, Drew Wells wrote:
>>>>> In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the password strength is checked even if a password isn't used (such as when -e is used to add the encrypted password). Patch attached.
>>>> I do not understand the problem. Of course password strength is checked every time, and if it finds a null/empty password it gives an error back if the password must have a minimum length. Your patch instead permits a null password even if the strength policy would not allow it.
>>>> Regards, Tonino
>>> The problem is that vadduser.c can call vadduser() (in vpopmail.c) without a password. It does this in the situation where vadduser.c has had the options "-e" or "-n" passed to it, so if this is the case the password can't be checked against the password strength rules. The underlying function vadduser() needs to be able to add a user with no password.
>> I realize additional controls are done before calling vadduser(); but I personally would prefer an explicit parameter added to vadduser for avoiding password check (it may be a further parameter having default = "check"). It would make developers more protected against unwanted security bugs.
>> Regards, Tonino
> I agree that it would be better to explicitly indicate to vadduser() that no password is wanted. I even looked quickly at setting the password to NULL to indicate no password, but both this and an explicit parameter would need changes to all the backends, so have left it as is for now.

It could be done in two ways:
* considering most C compilers are C++ compilers, and that means we can add an implicit parameter (, nocheck_pwd = 0)
* duplicate the function for this usage, and call the duplicated function from vadduser when needed.

Regards, Tonino
--
Inter@zioni   Interazioni di Antonio Nati
http://www.interazioni.it   to...@interazioni.it
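The explicit-parameter design discussed in this thread, as an added example that is not part of any message and is not vpopmail code. The names `add_user`, `add_user_nopass`, `pw_mode` and the strength rule are hypothetical; the point shown is that the skip mode accepts only an empty password, so it cannot be used to bypass the policy for a weak one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not vpopmail's vadduser(). */
enum pw_mode { PW_CHECK = 0, PW_NONE = 1 };  /* zero value = enforce policy */
#define MIN_PW_LEN 8                          /* assumed policy setting */

/* Constructed strength rule: minimum length and at least one digit. */
static int pw_is_strong(const char *pw)
{
    size_t n = strlen(pw);
    int has_digit = 0;
    for (size_t i = 0; i < n; i++)
        if (isdigit((unsigned char)pw[i]))
            has_digit = 1;
    return n >= MIN_PW_LEN && has_digit;
}

/* Returns 0 if the account would be created, -1 if the request is refused. */
int add_user(const char *user, const char *password, enum pw_mode mode)
{
    if (user == NULL || *user == '\0' || password == NULL)
        return -1;
    switch (mode) {
    case PW_CHECK:   /* clear-text password supplied: the rules always apply */
        return pw_is_strong(password) ? 0 : -1;
    case PW_NONE:    /* -e / -n style call: only an empty password is accepted,
                        so the flag cannot be used to slip a weak one through */
        return *password == '\0' ? 0 : -1;
    default:         /* unknown mode fails closed */
        return -1;
    }
}

/* Second option from the thread: a separate entry point for the no-password case. */
int add_user_nopass(const char *user)
{
    return add_user(user, "", PW_NONE);
}

int main(void)
{
    printf("empty, PW_CHECK: %d\n", add_user("bob", "", PW_CHECK));   /* -1 */
    printf("weak,  PW_NONE:  %d\n", add_user("bob", "abc", PW_NONE)); /* -1 */
    printf("no password:     %d\n", add_user_nopass("bob"));          /*  0 */
    return 0;
}
```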
Re: [vchkpw] [SPAM] valias remove alias
On 09/17/2015 04:55 PM, Matt Brookings wrote:
> On 09/17/2015 10:52 AM, Drew Wells wrote:
>> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered around the snprintf tidy-ups and the string_list implementation. The attached patch does not include any of the changes I recently sent to the mailing list, just the changes from 5.4.[29->33].
>> This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN trunk and from what I could see, it was 5.4.34.
> The trunk on Sourceforge is the current 5.5.0. The 5.4 series only appears in the tags and branches area now. I'll look over this patch and get it applied. Thanks for putting it together!

Not a problem at all. As you probably saw there are a few patches I sent to the list that cover a couple of other issues with the 5.5.0.tar.bz2.
Re: [vchkpw] [SPAM] valias remove alias
On 09/17/2015 04:04 PM, Matt Brookings wrote:
> Was this patch generated with the SVN trunk (5.5.0)?
> On 09/17/2015 09:57 AM, Drew Wells wrote:
>> On 09/17/2015 03:37 PM, Matt Brookings wrote:
>>> On 09/17/2015 06:23 AM, Drew Wells wrote:
>>>> I have created a patch for vpopmail-5.5.0 which incorporates all the changes from 5.4.29 to 5.4.33. Does anyone want this patch, or has work on vpopmail-5.5.0 stalled?
>>> Drew, I'd be happy to take a look at this. What changes did you add?
>> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered around the snprintf tidy-ups and the string_list implementation. The attached patch does not include any of the changes I recently sent to the mailing list, just the changes from 5.4.[29->33].

This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN trunk and from what I could see, it was 5.4.34.
Re: [vchkpw] [SPAM] valias remove alias
On 09/17/2015 10:52 AM, Drew Wells wrote:
>>> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered around the snprintf tidy-ups and the string_list implementation. The attached patch does not include any of the changes I recently sent to the mailing list, just the changes from 5.4.[29->33].
> This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN trunk and from what I could see, it was 5.4.34.

The trunk on Sourceforge is the current 5.5.0. The 5.4 series only appears in the tags and branches area now. I'll look over this patch and get it applied. Thanks for putting it together!

--
/*
    Matt Brookings       GnuPG Key 62817373
    Software developer   Systems technician
    Inter7 Internet Technologies, Inc.   (815)776-9465
*/
Re: [vchkpw] [SPAM] valias remove alias
On 09/17/2015 03:37 PM, Matt Brookings wrote:
> On 09/17/2015 06:23 AM, Drew Wells wrote:
>> I have created a patch for vpopmail-5.5.0 which incorporates all the changes from 5.4.29 to 5.4.33. Does anyone want this patch, or has work on vpopmail-5.5.0 stalled?
> Drew, I'd be happy to take a look at this. What changes did you add?

I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered around the snprintf tidy-ups and the string_list implementation. The attached patch does not include any of the changes I recently sent to the mailing list, just the changes from 5.4.[29->33].

diff -uPr vpopmail-5.5.0.orig/backends/mysql/vmysql.c vpopmail-5.5.0/backends/mysql/vmysql.c --- vpopmail-5.5.0.orig/backends/mysql/vmysql.c 2010-11-05 18:37:23.0 + +++ vpopmail-5.5.0/backends/mysql/vmysql.c 2015-09-17 11:41:02.724095923 +0100 @@ -1785,10 +1785,10 @@ limits->maxforwards = atoi(row[2]); limits->maxautoresponders = atoi(row[3]); limits->maxmailinglists = atoi(row[4]); -limits->diskquota = atoi(row[5]); -limits->maxmsgcount = atoi(row[6]); -limits->defaultquota = atoi(row[7]); -limits->defaultmaxmsgcount = atoi(row[8]); +limits->diskquota = strtoll(row[5], NULL, 10); +limits->maxmsgcount = strtoll(row[6], NULL, 10); +limits->defaultquota = strtoll(row[7], NULL, 10); +limits->defaultmaxmsgcount = strtoll(row[8], NULL, 10); limits->disable_pop = atoi(row[9]); limits->disable_imap = atoi(row[10]); limits->disable_dialup = atoi(row[11]); @@ -1808,8 +1808,8 @@ limits->perm_maillist_users = perm & VLIMIT_DISABLE_ALL; perm >>= VLIMIT_DISABLE_BITS; limits->perm_maillist_moderators = perm & VLIMIT_DISABLE_ALL; -limits->perm_quota = atoi(row[23]); -limits->perm_defaultquota = atoi(row[24]); +limits->perm_quota = strtoll(row[23], NULL, 10); +limits->perm_defaultquota = strtoll(row[24], NULL, 10); } mysql_free_result(res_read); 
@@ -1830,7 +1830,7 @@ "diskquota = %d, maxmsgcount = %d, defaultquota = %d, defaultmaxmsgcount = %d, " "disable_pop = %d, disable_imap = %d, disable_dialup = %d, " "disable_passwordchanging = %d, disable_webmail = %d, disable_relay = %d, " -"disable_smtp = %d, disable_spamassassin = %d, delete_spam = %d, perm_account = %d, " +"disable_smtp = %d, disable_spamassassin = %d, delete_spam = %d, disable_maildrop = %d, perm_account = %d, " "perm_alias = %d, perm_forward = %d, perm_autoresponder = %d, perm_maillist = %d, " "perm_quota = %d, perm_defaultquota = %d " "ON DUPLICATE KEY UPDATE " @@ -1847,7 +1847,7 @@ limits->diskquota, limits->maxmsgcount, limits->defaultquota, limits->defaultmaxmsgcount, limits->disable_pop, limits->disable_imap, limits->disable_dialup, limits->disable_passwordchanging, limits->disable_webmail, limits->disable_relay, -limits->disable_smtp, limits->disable_spamassassin, limits->delete_spam, limits->perm_account, +limits->disable_smtp, limits->disable_spamassassin, limits->delete_spam, limits->disable_maildrop, limits->perm_account, limits->perm_alias, limits->perm_forward, limits->perm_autoresponder, (limits->perm_maillist | (limits->perm_maillist_users << VLIMIT_DISABLE_BITS) | diff -uPr vpopmail-5.5.0.orig/backends/mysql/vmysql.h.in vpopmail-5.5.0/backends/mysql/vmysql.h.in --- vpopmail-5.5.0.orig/backends/mysql/vmysql.h.in 2010-11-05 18:37:23.0 + +++ vpopmail-5.5.0/backends/mysql/vmysql.h.in 2015-09-17 11:41:02.725095861 +0100 
@@ -268,10 +268,10 @@ maxforwards INT(10) NOT NULL DEFAULT -1, \ maxautorespondersINT(10) NOT NULL DEFAULT -1, \ maxmailinglists INT(10) NOT NULL DEFAULT -1, \ - diskquotaINT(12) NOT NULL DEFAULT 0, \ - maxmsgcount INT(12) NOT NULL DEFAULT 0, \ - defaultquota INT(12) NOT NULL DEFAULT 0, \ - defaultmaxmsgcount INT(12) NOT NULL DEFAULT 0, \ + diskquotaBIGINT UNSIGNED NOT NULL DEFAULT 0, \ + maxmsgcount BIGINT UNSIGNED NOT NULL DEFAULT 0, \ + defaultquota BIGINT UNSIGNED NOT NULL DEFAULT 0, \ + defaultmaxmsgcount BIGINT UNSIGNED NOT NULL DEFAULT 0, \ disable_pop TINYINT(1) NOT NULL DEFAULT 0, \ disable_imap TINYINT(1) NOT NULL DEFAULT 0, \ disable_dialup TINYINT(1) NOT NULL DEFAULT 0, \ diff -uPr vpopmail-5.5.0.orig/backfill.c vpopmail-5.5.0/backfill.c --- vpopmail-5.5.0.orig/backfill.c 2010-11-05 18:37:22.0 + +++ vpopmail-5.5.0/backfill.c 2015-09-17
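Review bot: in the @@ -1785 hunk of vmysql.c the four new strtoll(row[n], NULL, 10) calls parse as signed and discard both the end pointer and errno, while the vmysql.h.in hunk in the same patch declares these columns BIGINT UNSIGNED. A stored value above LLONG_MAX would come back clamped and a non-numeric field would come back as 0, and the caller cannot tell either case from a real value. Suggest strtoull with an end-pointer check and an errno == ERANGE check, wrapped in one small helper so all four fields are handled the same way. The declarations of limits->diskquota and the other three fields are not in the visible lines; please confirm they are 64-bit, because if they are still int the assignment truncates and the change has no effect.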
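Review bot: limits->perm_quota and limits->perm_defaultquota in the @@ -1808 hunk sit directly after perm_maillist_users and perm_maillist_moderators, which are masked with VLIMIT_DISABLE_ALL, so they look like permission flags rather than byte counts, and the format string in the @@ -1830 hunk still writes them with %d. Switching these two lines from atoi to strtoll reads like the quota search-and-replace reaching two lines too far. If they are small flag values, keep an int-sized parse with a range check; if they are meant to be 64-bit, say so in the patch description and change the matching format specifiers.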
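Review bot: the context lines of the @@ -1830 hunk still format diskquota, maxmsgcount, defaultquota and defaultmaxmsgcount with %d, although the @@ -1785 hunk now reads those fields with strtoll. If the fields are 64-bit, passing them to %d is a format/argument mismatch and large quotas are written back wrong; the specifiers need to become %lld or %llu with a matching cast. Separately, only the column list before "ON DUPLICATE KEY UPDATE " gains disable_maildrop in the lines shown here and in the @@ -1847 argument list; the update half is outside both hunks and needs the same column and argument, otherwise the specifier count and the argument count diverge.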
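Review bot: the @@ -268 hunk of vmysql.h.in changes only the column definitions in the header (INT(12) to BIGINT UNSIGNED for diskquota, maxmsgcount, defaultquota and defaultmaxmsgcount), and nothing in the visible patch alters a table that already exists, so upgraded installations would keep the INT columns and still cap large quotas. The patch should come with an upgrade note giving the ALTER TABLE statements for the four columns. The columns are now unsigned while the C side parses them with the signed strtoll; pick one signedness and use it on both sides.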
Re: [vchkpw] [SPAM] valias remove alias
On 09/17/2015 06:23 AM, Drew Wells wrote:
> I have created a patch for vpopmail-5.5.0 which incorporates all the changes from 5.4.29 to 5.4.33. Does anyone want this patch, or has work on vpopmail-5.5.0 stalled?

Drew, I'd be happy to take a look at this. What changes did you add?

--
/*
    Matt Brookings       GnuPG Key 62817373
    Software developer   Systems technician
    Inter7 Internet Technologies, Inc.   (815)776-9465
*/
Re: [vchkpw] [SPAM] valias remove alias
Was this patch generated with the SVN trunk (5.5.0)?

On 09/17/2015 09:57 AM, Drew Wells wrote:
> On 09/17/2015 03:37 PM, Matt Brookings wrote:
>> On 09/17/2015 06:23 AM, Drew Wells wrote:
>>> I have created a patch for vpopmail-5.5.0 which incorporates all the changes from 5.4.29 to 5.4.33. Does anyone want this patch, or has work on vpopmail-5.5.0 stalled?
>> Drew, I'd be happy to take a look at this. What changes did you add?
> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered around the snprintf tidy-ups and the string_list implementation. The attached patch does not include any of the changes I recently sent to the mailing list, just the changes from 5.4.[29->33].

--
/*
    Matt Brookings       GnuPG Key 62817373
    Software developer   Systems technician
    Inter7 Internet Technologies, Inc.   (815)776-9465
*/
Re: [vchkpw] vdelivermail writes the wrong ,S= value when spamassassin is enabled
> When spamassassin is enabled but maildrop is not I see failed assertions in dovecot's POP server[2], which are caused by vdelivermail using a wrong filename. The filename, more exactly the S= value, is calculated _before_ the mail is piped into spamassassin, which adds two more header lines with its scan results, so the actual size afterwards is bigger than what is recorded. The attached patch #5 fixes this for me, with some cleanups in #1-#4 I did on the way to find the culprit.

Ping?
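A check for the mismatch described in this message, as an added example that is not from the thread and is not vdelivermail or dovecot code. The function names, the sample message, the two prepended headers and the file name are constructed; the check compares the S= value in a Maildir file name with the number of bytes actually stored.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Read the S=<bytes> field of a Maildir file name; 0 on success, -1 if absent or malformed. */
int maildir_recorded_size(const char *name, unsigned long long *out)
{
    const char *flags = strchr(name, ':');   /* ":2,..." flag section, if any */
    const char *p = strstr(name, ",S=");
    char *end;

    if (p == NULL || (flags != NULL && p > flags)) return -1;
    p += 3;
    if (*p < '0' || *p > '9') return -1;     /* no sign, space or empty value */
    errno = 0;
    *out = strtoull(p, &end, 10);
    if (errno == ERANGE || (*end != '\0' && *end != ',' && *end != ':'))
        return -1;
    return 0;
}

/* 1 if the name records exactly stored_bytes, 0 on mismatch, -1 if no usable S=. */
int maildir_size_ok(const char *name, unsigned long long stored_bytes)
{
    unsigned long long recorded;
    if (maildir_recorded_size(name, &recorded) != 0) return -1;
    return recorded == stored_bytes;
}

/* Constructed sample data: a message and two header lines a filter prepends. */
static const char MSG[] = "From: a@example.org\r\nSubject: hi\r\n\r\nbody\r\n";
static const char ADDED[] = "X-Spam-Status: No\r\nX-Spam-Level: \r\n";

/* Name the message with the size taken before (0) or after (1) the filter ran,
 * then check that name against what ends up stored. */
int demo(int size_after_filter)
{
    char name[64];
    unsigned long long stored = strlen(ADDED) + strlen(MSG);
    unsigned long long named = size_after_filter ? stored : strlen(MSG);

    snprintf(name, sizeof name, "1442500000.12345.host,S=%llu", named);
    return maildir_size_ok(name, stored);
}

int main(void)
{
    printf("size before filter: %d, after filter: %d\n", demo(0), demo(1));
    return 0;
}
```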