Re: [vchkpw] [SPAM] Password strength bug

2015-09-17 Thread Drew Wells

On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:

On 15/09/2015 15:03, Drew Wells wrote:

On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:

On 15/09/2015 11:03, Drew Wells wrote:
In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the 
password strength is checked even if a password isn't used (such as 
when -e is used to add the encrypted password).  Patch attached.

I do not understand the problem.

Of course password strength is checked every time, and if it finds
a null/empty password it gives an error back if the password must have a
minimum length.

Your patch instead permits a null password even if the strength
policy would not allow it.

Regards,

Tonino

The problem is that vadduser.c can call vadduser() (in vpopmail.c)
without a password.  It does this in the situation where vadduser.c
has had the options "-e" or "-n" passed to it, so if this is the case
the password can't be checked against the password strength rules.
The underlying function vadduser() needs to be able to add a user
with no password.

I realize additional controls are done before calling vadduser(); but 
I personally would prefer an explicit parameter added to vadduser for 
avoiding password check (it may be a further parameter having default 
= "check").

It would make developers more protected against unwanted security bugs.

Regards,

Tonino

I agree that it would be better to explicitly indicate to vadduser() 
that no password is wanted.  I even looked quickly at setting the 
password to NULL to indicate no password, but both this and an explicit 
parameter would need changes to all the backends, so have left it as is 
for now.





Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Drew Wells

On 09/15/2015 02:26 PM, Alessio Cecchi wrote:

On 15/09/2015 15:10, Drew Wells wrote:

On 09/15/2015 11:06 AM, Alessio Cecchi wrote:


On 15/09/2015 11:22, Drew Wells wrote:

In vpopmail-5.5.0 (and I think all 5.4.x)


Hi Drew,

I suggest installing (and debugging) vpopmail-5.4.33, which is more stable,
reliable (and recent) than 5.5.0. When I tried to use 5.5.0 I found more
bugs and problems than new features.

Why do you need vpopmail-5.5.0?

I have been using vpopmail-5.4.x (currently vpopmail-5.4.33) for years
and have always added this patch, so in an attempt to get 5.5.0 towards
stable I thought I'd send this patch.  This patch is also applicable to
the 5.4.x branch.
The reason I want to use 5.5.0 is the shared library support which means
I don't need to recompile netqmail and dovecot (and others) each time I
make changes to vpopmail.
I've not found that many bugs with vpopmail-5.5.0 to be honest.


I remember some problems with vpopmaild (that I'm using for password 
change via webmail), with large quota size, and a missing flag in 
MySQL limits for disable_maildrop.


Vpopmail-5.5.0 was started from 5.4.28, so the changes from 5.4.29 to 5.4.33
are missing (please correct me if I'm wrong).


If you have other useful patches for vpopmail-5.4 you are welcome :-)

Thanks

I have created a patch for vpopmail-5.5.0 which incorporates all the 
changes from 5.4.29 to 5.4.33, does anyone want this patch or has work 
in vpopmail-5.5.0 stalled ?





Re: [vchkpw] [SPAM] Password strength bug

2015-09-17 Thread Tonix - Antonio Nati

On 17/09/2015 13:18, Drew Wells wrote:

On 09/15/2015 03:27 PM, Tonix - Antonio Nati wrote:

On 15/09/2015 15:03, Drew Wells wrote:

On 09/15/2015 11:00 AM, Tonix - Antonio Nati wrote:

On 15/09/2015 11:03, Drew Wells wrote:
In vpopmail-5.5.0 there seems to be a bug in vpopmail.c where the 
password strength is checked even if a password isn't used (such 
as when -e is used to add the encrypted password).  Patch attached.

I do not understand the problem.

Of course password strength is checked every time, and if it finds
a null/empty password it gives an error back if the password must have a
minimum length.

Your patch instead permits a null password even if the strength
policy would not allow it.

Regards,

Tonino

The problem is that vadduser.c can call vadduser() (in
vpopmail.c) without a password.  It does this in the situation where
vadduser.c has had the options "-e" or "-n" passed to it, so if this
is the case the password can't be checked against the password
strength rules.  The underlying function vadduser() needs to be able
to add a user with no password.

I realize additional controls are done before calling vadduser(); but 
I personally would prefer an explicit parameter added to vadduser for 
avoiding password check (it may be a further parameter having default 
= "check").

It would make developers more protected against unwanted security bugs.

Regards,

Tonino

I agree that it would be better to explicitly indicate to vadduser() 
that no password is wanted.  I even looked quickly at setting the 
password to NULL to indicate no password, but both this and an 
explicit parameter would need changes to all the backends, so have 
left it as is for now.


It could be done in two ways:

 * considering most C compilers are C++ compilers, and that means we
   can add an implicit parameter (, nocheck_pwd = 0)
 * duplicate the function for this usage, and call the duplicated
   function from vadduser when needed.

Regards,

Tonino


 



--

Inter@zioniInterazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it
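
An added example, not code from the thread or from vpopmail: one way to make skipping the strength check an explicit caller decision in plain C, which has no default arguments, by combining an explicit mode argument with a wrapper that keeps "check" as the default. All names (`add_user_ex`, `pw_mode`, `MIN_PW_LEN`) are hypothetical, the strength rule is a stand-in minimum-length test, and reading "-n" as "no password" is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not vpopmail's vadduser() signature. */
enum pw_mode { PW_CHECK = 0, PW_PRE_ENCRYPTED, PW_NONE };
enum add_result { ADD_OK = 0, ADD_WEAK_PASSWORD = -1, ADD_BAD_ARGS = -2 };

#define MIN_PW_LEN 8   /* assumed policy: minimum length only */

/* Stand-in strength rule: non-NULL and at least MIN_PW_LEN characters. */
static int pw_is_strong(const char *pw) {
    return pw != NULL && strlen(pw) >= MIN_PW_LEN;
}

/* The caller has to state why no clear-text password is being checked.
   ADD_OK marks the point where a real implementation would call the backend. */
int add_user_ex(const char *user, const char *secret, enum pw_mode mode) {
    if (user == NULL || *user == '\0') return ADD_BAD_ARGS;
    switch (mode) {
    case PW_CHECK:          /* default path: the policy always applies */
        return pw_is_strong(secret) ? ADD_OK : ADD_WEAK_PASSWORD;
    case PW_PRE_ENCRYPTED:  /* the "-e" case: a hash must actually be supplied */
        return (secret != NULL && *secret != '\0') ? ADD_OK : ADD_BAD_ARGS;
    case PW_NONE:           /* assumed "-n" case: a stray secret is a caller bug */
        return (secret == NULL || *secret == '\0') ? ADD_OK : ADD_BAD_ARGS;
    }
    return ADD_BAD_ARGS;
}

/* Existing callers keep the two-argument form and cannot skip the check. */
int add_user(const char *user, const char *password) {
    return add_user_ex(user, password, PW_CHECK);
}

int main(void) {
    /* Constructed sample calls. */
    printf("empty password, default path: %d\n", add_user("alice@example.test", ""));
    printf("no password, explicit PW_NONE: %d\n",
           add_user_ex("alice@example.test", NULL, PW_NONE));
    return 0;
}
```

With this shape an empty password can only be stored by a call site that names `PW_NONE`, so a forgotten argument fails closed instead of bypassing the policy.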






Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Drew Wells

On 09/17/2015 04:55 PM, Matt Brookings wrote:

On 09/17/2015 10:52 AM, Drew Wells wrote:

I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to
5.5.0, some of it had already been done to 5.5.0 and a lot of it centered
around the snprintf tidy-ups and the string_list implementation. The attached
patch does not include any of the changes I recently sent to the mailing
list, just the changes from 5.4.[29->33].

This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN trunk and
from what I could see, it was 5.4.34.

The trunk on Sourceforge is the current 5.5.0.  The 5.4 series only appears in
the tags and branches area now.  I'll look over this patch and get it applied.
Thanks for putting it together!

Not a problem at all.  As you probably saw there are a few patches I 
sent to the list that cover a couple of other issues with the 5.5.0.tar.bz2.





Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Drew Wells

On 09/17/2015 04:04 PM, Matt Brookings wrote:

Was this patch generated with the SVN trunk (5.5.0)?

On 09/17/2015 09:57 AM, Drew Wells wrote:

On 09/17/2015 03:37 PM, Matt Brookings wrote:

On 09/17/2015 06:23 AM, Drew Wells wrote:

I have created a patch for vpopmail-5.5.0 which incorporates all the changes
from 5.4.29 to 5.4.33, does anyone want this patch or has work in
vpopmail-5.5.0 stalled ?

Drew, I'd be happy to take a look at this.  What changes did you add?


I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to
5.5.0, some of it had already been done to 5.5.0 and a lot of it centered
around the snprintf tidy-ups and the string_list implementation. The attached
patch does not include any of the changes I recently sent to the mailing
list, just the changes from 5.4.[29->33].


This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN 
trunk and from what I could see, it was 5.4.34.





Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Matt Brookings

On 09/17/2015 10:52 AM, Drew Wells wrote:
>>> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to
>>> 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered
>>> around the snprintf tidy-ups and the string_list implementation. The
>>> attached patch does not include any of the changes I recently sent to the
>>> mailing list, just the changes from 5.4.[29->33].
>>
> This patch was generated from the 5.5.0 .tar.bz2, I had a look at SVN trunk
> and from what I could see, it was 5.4.34.

The trunk on Sourceforge is the current 5.5.0.  The 5.4 series only appears in
the tags and branches area now.  I'll look over this patch and get it applied.
Thanks for putting it together!
-- 
/*
Matt Brookings    GnuPG Key 62817373
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/


Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Drew Wells

On 09/17/2015 03:37 PM, Matt Brookings wrote:

On 09/17/2015 06:23 AM, Drew Wells wrote:

I have created a patch for vpopmail-5.5.0 which incorporates all the changes
from 5.4.29 to 5.4.33, does anyone want this patch or has work in
vpopmail-5.5.0 stalled ?

Drew, I'd be happy to take a look at this.  What changes did you add?

I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff
to 5.5.0, some of it had already been done to 5.5.0 and a lot of it
centered around the snprintf tidy-ups and the string_list implementation.
The attached patch does not include any of the changes I recently sent
to the mailing list, just the changes from 5.4.[29->33].



diff -uPr vpopmail-5.5.0.orig/backends/mysql/vmysql.c 
vpopmail-5.5.0/backends/mysql/vmysql.c
--- vpopmail-5.5.0.orig/backends/mysql/vmysql.c 2010-11-05 18:37:23.0 
+
+++ vpopmail-5.5.0/backends/mysql/vmysql.c  2015-09-17 11:41:02.724095923 
+0100
@@ -1785,10 +1785,10 @@
 limits->maxforwards = atoi(row[2]);
 limits->maxautoresponders = atoi(row[3]);
 limits->maxmailinglists = atoi(row[4]);
-limits->diskquota = atoi(row[5]);
-limits->maxmsgcount = atoi(row[6]);
-limits->defaultquota = atoi(row[7]);
-limits->defaultmaxmsgcount = atoi(row[8]);
+limits->diskquota = strtoll(row[5], NULL, 10);
+limits->maxmsgcount = strtoll(row[6], NULL, 10);
+limits->defaultquota = strtoll(row[7], NULL, 10);
+limits->defaultmaxmsgcount = strtoll(row[8], NULL, 10);
 limits->disable_pop = atoi(row[9]);
 limits->disable_imap = atoi(row[10]);
 limits->disable_dialup = atoi(row[11]);
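Review bot: the four strtoll(row[N], NULL, 10) calls pass NULL as the end pointer and never look at errno, so a non-numeric or out-of-range column value is accepted as silently as it was with atoi. Since the purpose here is to carry quota values that do not fit in an int, check errno for ERANGE and that the end pointer advanced, and confirm that diskquota, maxmsgcount, defaultquota and defaultmaxmsgcount are declared with a 64-bit type; their declarations are not part of this hunk, and with an int field the assignment truncates again.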
@@ -1808,8 +1808,8 @@
 limits->perm_maillist_users = perm & VLIMIT_DISABLE_ALL;
 perm >>= VLIMIT_DISABLE_BITS;
 limits->perm_maillist_moderators = perm & VLIMIT_DISABLE_ALL;
-limits->perm_quota = atoi(row[23]);
-limits->perm_defaultquota = atoi(row[24]);
+limits->perm_quota = strtoll(row[23], NULL, 10);
+limits->perm_defaultquota = strtoll(row[24], NULL, 10);
 }
 mysql_free_result(res_read);
 
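Review bot: perm_quota and perm_defaultquota sit next to the perm & VLIMIT_DISABLE_ALL permission fields and are written back with "perm_quota = %d, perm_defaultquota = %d" in the INSERT further down, so parsing them with strtoll is inconsistent with the rest of the patch. If they are permission flags, keep atoi here or range-check the result; if they really hold 64-bit values, the %d conversions in the write path have to change with them.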
@@ -1830,7 +1830,7 @@
 "diskquota = %d, maxmsgcount = %d, defaultquota = %d, 
defaultmaxmsgcount = %d, "
 "disable_pop = %d, disable_imap = %d, disable_dialup = %d, "
 "disable_passwordchanging = %d, disable_webmail = %d, disable_relay = 
%d, "
-"disable_smtp = %d, disable_spamassassin = %d, delete_spam = %d, 
perm_account = %d, "
+"disable_smtp = %d, disable_spamassassin = %d, delete_spam = %d, 
disable_maildrop = %d, perm_account = %d, "
 "perm_alias = %d, perm_forward = %d, perm_autoresponder = %d, 
perm_maillist = %d, "
 "perm_quota = %d, perm_defaultquota = %d "
 "ON DUPLICATE KEY UPDATE "
@@ -1847,7 +1847,7 @@
 limits->diskquota, limits->maxmsgcount, limits->defaultquota, 
limits->defaultmaxmsgcount,
 limits->disable_pop, limits->disable_imap, limits->disable_dialup,
 limits->disable_passwordchanging, limits->disable_webmail, 
limits->disable_relay,
-limits->disable_smtp, limits->disable_spamassassin, 
limits->delete_spam, limits->perm_account,
+limits->disable_smtp, limits->disable_spamassassin, 
limits->delete_spam, limits->disable_maildrop, limits->perm_account,
 limits->perm_alias, limits->perm_forward, limits->perm_autoresponder,
 (limits->perm_maillist |
 (limits->perm_maillist_users << VLIMIT_DISABLE_BITS) |
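Review bot: limits->diskquota, limits->maxmsgcount, limits->defaultquota and limits->defaultmaxmsgcount at the top of this argument list are still consumed by %d conversions ("diskquota = %d, maxmsgcount = %d, ..." in the format string above), while the read path now uses strtoll and the columns become BIGINT. If those fields are wider than int, passing them for %d is undefined behaviour and large quotas will not round-trip; use a 64-bit conversion with a matching cast. The new limits->disable_maildrop argument is only shown for the INSERT column list, so also check that the ON DUPLICATE KEY UPDATE half of the statement gets the same column and argument.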
diff -uPr vpopmail-5.5.0.orig/backends/mysql/vmysql.h.in 
vpopmail-5.5.0/backends/mysql/vmysql.h.in
--- vpopmail-5.5.0.orig/backends/mysql/vmysql.h.in  2010-11-05 
18:37:23.0 +
+++ vpopmail-5.5.0/backends/mysql/vmysql.h.in   2015-09-17 11:41:02.725095861 
+0100
@@ -268,10 +268,10 @@
   maxforwards  INT(10) NOT NULL DEFAULT -1, \
   maxautorespondersINT(10) NOT NULL DEFAULT -1, \
   maxmailinglists  INT(10) NOT NULL DEFAULT -1, \
-  diskquotaINT(12) NOT NULL DEFAULT 0, \
-  maxmsgcount  INT(12) NOT NULL DEFAULT 0, \
-  defaultquota INT(12) NOT NULL DEFAULT 0, \
-  defaultmaxmsgcount   INT(12) NOT NULL DEFAULT 0, \
+  diskquotaBIGINT UNSIGNED NOT NULL DEFAULT 0, \
+  maxmsgcount  BIGINT UNSIGNED NOT NULL DEFAULT 0, \
+  defaultquota BIGINT UNSIGNED NOT NULL DEFAULT 0, \
+  defaultmaxmsgcount   BIGINT UNSIGNED NOT NULL DEFAULT 0, \
   disable_pop  TINYINT(1) NOT NULL DEFAULT 0, \
   disable_imap TINYINT(1) NOT NULL DEFAULT 0, \
   disable_dialup   TINYINT(1) NOT NULL DEFAULT 0, \
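Review bot: the four columns become BIGINT UNSIGNED here, but vmysql.c reads them with the signed strtoll, so a stored value above LLONG_MAX saturates on read; either read with strtoull into an unsigned field or declare the columns as signed BIGINT. This also appears to be the layout used when the table is created, so existing installations would keep their INT(12) columns unless an ALTER TABLE step is documented alongside the patch.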
diff -uPr vpopmail-5.5.0.orig/backfill.c vpopmail-5.5.0/backfill.c
--- vpopmail-5.5.0.orig/backfill.c  2010-11-05 18:37:22.0 +
+++ vpopmail-5.5.0/backfill.c   2015-09-17 

Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Matt Brookings

On 09/17/2015 06:23 AM, Drew Wells wrote:
> I have created a patch for vpopmail-5.5.0 which incorporates all the changes
> from 5.4.29 to 5.4.33, does anyone want this patch or has work in
> vpopmail-5.5.0 stalled ?

Drew, I'd be happy to take a look at this.  What changes did you add?
-- 
/*
Matt Brookings    GnuPG Key 62817373
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/


Re: [vchkpw] [SPAM] valias remove alias

2015-09-17 Thread Matt Brookings

Was this patch generated with the SVN trunk (5.5.0)?

On 09/17/2015 09:57 AM, Drew Wells wrote:
> On 09/17/2015 03:37 PM, Matt Brookings wrote:
>> On 09/17/2015 06:23 AM, Drew Wells wrote:
>>> I have created a patch for vpopmail-5.5.0 which incorporates all the
>>> changes from 5.4.29 to 5.4.33, does anyone want this patch or has work in
>>> vpopmail-5.5.0 stalled ?
>> Drew, I'd be happy to take a look at this.  What changes did you add?
>>
> I basically did a diff from 5.4.29 to 5.4.33 and implemented that diff to
> 5.5.0, some of it had already been done to 5.5.0 and a lot of it centered
> around the snprintf tidy-ups and the string_list implementation. The
> attached patch does not include any of the changes I recently sent to the
> mailing list, just the changes from 5.4.[29->33].

-- 
/*
Matt Brookings    GnuPG Key 62817373
Software developer Systems technician
Inter7 Internet Technologies, Inc. (815)776-9465
*/


Re: [vchkpw] vdelivermail writes the wrong ,S= value when spamassassin is enabled

2015-09-17 Thread Rolf Eike Beer
> When spamassassin is enabled but maildrop is not I see failed assertions in
> Dovecot's POP server[2], which are caused by vdelivermail using a wrong
> filename. The filename, more exactly the S= value is calculated
> _before_ the mail is piped into spamassassin, which adds two more header
> lines with its scan results, so the actual size afterwards is bigger than
> what is recorded. The attached patch #5 fixes this for me, with some
> cleanups in #1-#4 I did on the way to find the culprit.

Ping?

signature.asc
Description: This is a digitally signed message part.
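
An added example, not part of the original message or of the patches it mentions: a small C checker that compares the `,S=<bytes>` field in a Maildir file name with the file's real size, which is the mismatch described above. The function names and the sample file names in the test are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Size recorded in a Maildir file name as ",S=<bytes>"; -1 if absent or malformed. */
long long maildir_declared_size(const char *path) {
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *p = strstr(base, ",S=");
    if (p == NULL) return -1;
    p += 3;
    if (*p < '0' || *p > '9') return -1;       /* reject sign, space, empty value */
    char *end;
    errno = 0;
    long long n = strtoll(p, &end, 10);
    if (errno != 0) return -1;                  /* out of range */
    /* the number must end at the next field, the flags separator, or the end */
    if (*end != '\0' && *end != ',' && *end != ':') return -1;
    return n;
}

/* 1 = name and file agree, 0 = mismatch, -1 = no usable S= field or stat() failed. */
int maildir_size_ok(const char *path) {
    struct stat st;
    long long declared = maildir_declared_size(path);
    if (declared < 0 || stat(path, &st) != 0) return -1;
    return (long long)st.st_size == declared ? 1 : 0;
}

/* Usage: ./check Maildir/new/* Maildir/cur/*   (exit status 1 if any mismatch) */
int main(int argc, char **argv) {
    int bad = 0;
    for (int i = 1; i < argc; i++) {
        if (maildir_size_ok(argv[i]) == 0) {
            printf("size mismatch: %s\n", argv[i]);
            bad = 1;
        }
    }
    return bad;
}
```

Files reported here are the ones a server that trusts the S= value will stumble over, so the output doubles as a list of messages to rename after the delivery path is fixed.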