Re: Re[4]: [vchkpw] SMTP Auth HOWTO?

2004-05-22 Thread Erwin Hoffmann
Hi troll,

At 21:39 21.05.04 +0200, you wrote:
>Hello Erwin,
>
>Friday, May 21, 2004, 7:37:15 PM, you wrote:


>EH> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
>EH> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
>
>To be rude and without respect, this was the speciality of Your
>ancestors when they pretended to be the most bright race on Earth.
>For Your records annoo 1914-18, 1940-1945.  Clearly, some can't deny
>their roots.

Though I live in Germany, I'm not German.

It would be better, to go back to some useful discussion.

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24


Re[4]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Nick,

Friday, May 21, 2004, 10:13:29 PM, you wrote:

NH> On Fri, 2004-05-21 at 14:36, [EMAIL PROTECTED] wrote:
>> Hello Nick,
>> 
>> Friday, May 21, 2004, 8:02:19 PM, you wrote:
>> 
>> 
NH> 
>> NH> 
>> 
>> Privacy issues are hot topic, You known.  If You known, some
>> 'sensitive' data is often maintained with a single mailbox.  I give
>> You some samples.  A domainname You own, which can be stolen by
>> impersonating You, by a hacked mailbox.  Or someone, who use Your
>> mailbox to contact your customers (if You have a company).  Ok, with
>> all worms out, it's common mailboxes are often spoofed, but it's
>> realy embarrassing if the mail comes from Your servers !  When Your
>> mailserver is server hops away from You,  You consider encrypting the
>> route to it.  I wouldn't care someone snifs my browsing attitudes, but
>> I wan't to keep my mails to my customers, my mails to maintain cvs or
>> domainnaims protected, so it all starts with a secure mailserver.
>> 
NH> Encrypting traffic between your mail client and your mail server has
NH> very little to do with what you're talking about. Keeping email secure
NH> is completely different from encrypting the stream of conversation
NH> between you and your smtp server.

Yes, I understand what You mean.  But I am talking about the security
issue, not to neglect the security issues when You connect from 'Your home',
very often in a C-range/mask 255.255.255.0 with others, You pass
a gateway, several routers to reach Your mailserver and You log in, in
an unsecured way.  With SMTP-auth, You send in plain or cram Your
mail address and password, which is the same as Your POP(S) account.
Every hop can trace Your mail address and password.  Using smtps, You
don't have this problem.

Encrypting the stream.  If You have many customers on the same
mailserver, You prefer to encrypt it, because the mail goes encrypted
from You to them, and vice versa.  There are no other servers
involved.

I agree on the matter, when You leave Your mailserver to others. In
this case, You are correct.


NH> Even protecting privacy doesn't really
NH> enter into encrypting this stream.
NH> Real security comes from applications of cryptography to provide
NH> identity and content verification, not just content obfuscation. PGP/GPG
NH> signing each email to validate content and identity of origin is a big
NH> start. PGP encrypting the contents of sensitive messages directed to
NH> specific recipients is an even bigger next step. However the email
NH> infrastructure, and its often undirected recipients, makes this a
NH> difficult proposition.

Right now we have on the server level: virus detection and spam
detection.  Server-side signed mails shouldn't be such a problem when using
the dot qma

Re: Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Nick Harring





On Fri, 2004-05-21 at 14:36, [EMAIL PROTECTED] wrote:
> Hello Nick,
> 
> Friday, May 21, 2004, 8:02:19 PM, you wrote:
> 
> 

> NH> 
> 
> Privacy issues are hot topic, You known.  If You known, some
> 'sensitive' data is often maintained with a single mailbox.  I give
> You some samples.  A domainname You own, which can be stolen by
> impersonating You, by a hacked mailbox.  Or someone, who use Your
> mailbox to contact your customers (if You have a company).  Ok, with
> all worms out, it's common mailboxes are often spoofed, but it's
> realy embarrassing if the mail comes from Your servers !  When Your
> mailserver is server hops away from You,  You consider encrypting the
> route to it.  I wouldn't care someone snifs my browsing attitudes, but
> I wan't to keep my mails to my customers, my mails to maintain cvs or
> domainnaims protected, so it all starts with a secure mailserver.
> 
Encrypting traffic between your mail client and your mail server has
very little to do with what you're talking about. Keeping email secure
is completely different from encrypting the stream of conversation
between you and your smtp server. Even protecting privacy doesn't really
enter into encrypting this stream.
Real security comes from applications of cryptography to provide
identity and content verification, not just content obfuscation. PGP/GPG
signing each email to validate content and identity of origin is a big
start. PGP encrypting the contents of sensitive messages directed to
specific recipients is an even bigger next step. However the email
infrastructure, and its often undirected recipients, makes this a
difficult proposition.
> >>I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
> >>to secure the stream up to Your mailserver (one step), but in this
> >>step, You 'can' have many hops between You and Your workstation, so
> >>this stream is the first to protect anyway.  I agree on the fact there
> >>aren't many TLS servers, but if everyone do his own part to install
> >>the TLS option, we have in a little decade a much nicer place to have
> >>secure mail transport.  If people stich with smtp-auth, we never get
> >>there.
> >>  
> >>
> NH> Some of us don't actually have the luxury of smtp-tls because we have
> NH> one physical mail server, or cluster thereof, serving multiple domains.
> 
> One physical server can hold many virtual servers in a Unix jail
> environment.
Sure, however this is significantly more work to configure and maintain.
In a large environment this begins to negate the benefits of "virtual"
hosting domains.
> 
> NH> These domains are all "hidden" from each other, so unless we start
> NH> running separate smtpd instances, with their own configs, separate IPs
> NH> we cannot present a certificate to each client that'd match what their
> NH> mail client expects.
> 
> Well, we do it that way.  By the Jails and IP aliases.
Thats great for you, however with a dozen domains on a 6 server cluster,
I really prefer not to think about trying to maintain that. Bringing a
single server down for maintenance would be a nightmare all by itself.
> 
> >>(note: even Your soft, courier-imap seems to have an option for
> >>spamass, would be nice to see Dspam(.org) instead)
> >>  
> >>
> NH> I think this'd be a "show us the code" request. There are quite a few
> NH> ways to use spamassassin where its not a ridiculous memory hog 
> NH> (spamc/spamd for one).
> 
> I prefer C code, don't You ? Take a look to dspam.  Afterwards, You
> may have another point of view.  With spam-ass You don't have
> problems, if You have a small user base.  When You have a lot of users
> on Your mailserver, it brings any server to it knees, regardless of
> any setup.  It's the overhead of perl.
Actually I abhor C code. Its hard to read and even harder to write
properly. Whats worse is that the more of one you do the more you tend
to screw the other. Really well written (i.e. secure and fast) code
tends to be unreadable. Really readable code tends to be slow and/or
insecure. 
Perl has overhead, however its not this monstrous thing as people try to
claim sometimes. 
> 
> I prefer to gain the speed for other services, instead of loosing it to
> issues as spam.
If you have resource issues then I can see this argument, however for
those of us with the luxury of providing the resources a large scale
email deployment requires will go with ease of administration and
maintenance when choosing an application to fill a need rather than
"raw" performance.
> 

Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread X-Istence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Brooks Roy wrote:
> I do not have an open relay.  I am trying to setup SMTP Auth.  It is not
> working.. When users try to auth, it just keeps asking for username
> password over and over.  Never sends.

How are they authenticating? With [EMAIL PROTECTED] or just username?

>
> X-Istence wrote:
>
> Brooks Roy wrote:
>
>
 I have put in the patch as described in the contrib README and changed
 it to be /bin/checkpassword instead of vchkpw and I still have the
 same scenario.

>
>
> What does your data.cdb or smtp.cdb look like that gets created from a
> file?
>
> Also, it should still be to vchkpw if you want to use vpopmail.
>
>
> This is what your run file should look like:
>
> exec /usr/local/bin/softlimit -m 1000 \
> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
> /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
> "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
> /usr/local/bin/fixcrio \
> /usr/local/bin/rblsmtpd -r relays.ordb.org \
> /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true &
>
>
> Also make sure $QMAILDUID $MAXSMTPD and $LOCAL are set properly.
>
>
> I see that you have your /usr/local/vpopmail/etc/tcp.smtp.cdb, are you
> sure that is not causing the open relay? Try pointing it to one that only
> has:
>
> :allow
>
> in it, and see if you are still an open relay then.
>
> X-Istence


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArmIMJukONu5DUaQRAmnpAKCCfD0TAifKW9/j9tV5u9PZRo8c4wCgk/B1
UPQrlLc6uG27pYQXT5Sh1kY=
=ry3M
-END PGP SIGNATURE-
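
The check suggested above (swap in a rules file containing only `:allow`) can also be done by reading the tcprules source directly. The following is an added example, not code from the thread: it flags which rules grant relaying by setting RELAYCLIENT, which qmail-smtpd treats as permission to relay. Both rule files are constructed samples; the poster's actual tcp.smtp is not shown on the page.

```python
import re

# Constructed tcprules(1) source files for illustration; not taken from the thread.
OPEN_RULES = """\
# loopback and LAN may relay
127.:allow,RELAYCLIENT=""
192.168.5.:allow,RELAYCLIENT=""
# catch-all that also sets RELAYCLIENT: every client may relay
:allow,RELAYCLIENT=""
"""
SAFE_RULES = """\
127.:allow,RELAYCLIENT=""
:allow
"""

RULE_RE = re.compile(r"^(?P<addr>[^:]*):(?P<action>allow|deny)(?P<env>(,.*)?)$")
VAR_RE = re.compile(r",([A-Za-z_][A-Za-z0-9_]*)=")


def parse_rules(text):
    """Return one dict per rule line: line number, address, action, env names."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a tcprules rule: {raw!r}")
        rules.append({
            "line": lineno,
            "addr": m.group("addr"),
            "action": m.group("action"),
            "env": VAR_RE.findall(m.group("env")),
        })
    return rules


def scope(addr):
    """Classify how many clients an address pattern covers."""
    host = addr.rpartition("@")[2]          # drop an optional user@ part
    if host == "":
        return "any client"                 # empty address is the default rule
    if host.startswith("127."):
        return "loopback"
    if host.startswith("="):
        return "hostname pattern"
    octets = [o for o in host.split(".") if o]
    if len(octets) == 4 and "-" not in host:
        return "single host"
    return "address range"


def relay_findings(text):
    """List (line, addr, verdict) for every allow rule that sets RELAYCLIENT."""
    findings = []
    for rule in parse_rules(text):
        if rule["action"] != "allow" or "RELAYCLIENT" not in rule["env"]:
            continue
        covered = scope(rule["addr"])
        if covered == "any client":
            verdict = "OPEN RELAY"
        elif covered == "loopback":
            verdict = "ok"
        else:
            verdict = "review: relays for " + covered
        findings.append((rule["line"], rule["addr"], verdict))
    return findings


def is_open_relay(text):
    """True when the default rule itself hands out RELAYCLIENT."""
    return any(verdict == "OPEN RELAY" for _, _, verdict in relay_findings(text))


if __name__ == "__main__":
    for name, text in (("OPEN_RULES", OPEN_RULES), ("SAFE_RULES", SAFE_RULES)):
        print(name, "open relay:", is_open_relay(text))
        for line, addr, verdict in relay_findings(text):
            print(f"  line {line}: {addr or '(default)'} -> {verdict}")
```

tcprules picks the most specific matching address rather than the first line, so a narrow rule does not cancel a catch-all that sets RELAYCLIENT.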


Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Patrick Donker

PD> Ahhh...yes! A flame war...always nice :)
I quote from the one who has bringing 'the gas': EH> You are joking, troll
Well, I didn't start.  This list is to help people.  It's not about to be picky
or to be arrogant, if someone share another view, he has the right to put his vision
forward and to defend his case.  You can discuss topics without
insulting people and without words like 'troll', maintained in the
directory of Dr. Erwin Hoffmann.  Maybe I write terrible English, but
I am on the internet for a few decades, and some use our programs
quite a lot in their BSD stuff.  I don't need insults of someone, who
thinks to have the right to insult people, because he has a PhD.
 

Well, you dont hear me complain!


Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Patrick,

Friday, May 21, 2004, 9:34:30 PM, you wrote:

PD> [EMAIL PROTECTED] wrote:

PD> Hello Erwin,

PD> Friday, May 21, 2004, 7:37:15 PM, you wrote:

EH>> Hi,

EH>> At 17:21 21.05.04 +0200, you wrote:

PD> Hello Erwin,

PD> Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH>> Hi,

EH>> At 11:41 21.05.04 +0200, you wrote:

PD> Hello blist,

PD> In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
PD> security as SMTP after POP, because with SMTP-Auth, You sent Your
PD> e-mailadress and Your password of Your mailbox over the internet.
PD> When a man-in-the-middle catch this e-mail (or worse Your PW), he can
PD> use it for spam, or access Your mailbox.

EH>> This is only true for SMTP Authentication of type "plain" and "login".

EH>> With CRAM-MD5 its quite save.

EH>> Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

PD> Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
PD> If there are many hops between Your workstation and the smtpserver,
PD> You can get some spam in return.

PD> More, Your mail is sent in plaintext.  I prefer encrypted streams,
PD> so SUPP's patch which encrypts the stream with SSL, and authenticate
PD> afterwards (in plaintext) is still the best way to go, it's not a big
PD> effort to realize.

EH>> Pls. tell us how you intend to communicate to the rest of the world by
EH>> means of email with encrypted addresses.

EH>> You are joking, troll.

EH>> regards.
EH>> --eh.

EH>> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH>> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

PD> To be rude and without respect, this was the speciality of Your
PD> ancestors when they pretended to be the most bright race on Earth.
PD> For Your records annoo 1914-18, 1940-1945.  Clearly, some can't deny
PD> their roots. 



PD> Ahhh...yes! A flame war...always nice :)

I quote from the one who has bringing 'the gas': EH> You are joking, troll

Well, I didn't start.  This list is to help people.  It's not about to be picky
or to be arrogant, if someone share another view, he has the right to put his vision
forward and to defend his case.  You can discuss topics without
insulting people and without words like 'troll', maintained in the
directory of Dr. Erwin Hoffmann.  Maybe I write terrible English, but
I am on the internet for a few decades, and some use our programs
quite a lot in their BSD stuff.  I don't need insults of someone, who
thinks to have the right to insult people, because he has a PhD.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]


 www.guide.be * www.gids.be * www.guide.fr * www.shop.fr

 / \ sarl GUIDE (sdet)
 --- the GUIDE, de GIDS, TELESHOP, SHOP
 __   |   __ 128, rue du faubourg de Douai  
|  /  |  \  |FR-59000 Lille, La France
 / \  |  / \ Tél/Fax +32 59 26.91.51 Mobile +32 479 212.841
 /|__\|/__|\ Sitehttp://sarl.guide.fr
 \|  /|\  |/ N° TVA  FR-55.440.243.988
|\ /  |  \ /|RC Lille 74075/2001B01478
|__\  |  /__|Siret 440 243 988 00027
  |  Compte BE: KREDBEBB (BIC) BE56.466-5571951-88 (IBAN)  
 
 --- Compte FR: CMCIFR2A (BIC) FR76.1562-9027-0200-0455-1870-127 (IBAN)
 \ / Conditions (terms): http://sarl.guide.fr/conditions.php  

www.teleshop.fr * www.teleshop.be * www.teleshop.biz * www.teleshop.info * 
www.teleshop.name




Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Patrick Donker




[EMAIL PROTECTED] wrote:

Hello Erwin,

Friday, May 21, 2004, 7:37:15 PM, you wrote:

EH> Hi,

EH> At 17:21 21.05.04 +0200, you wrote:

Hello Erwin,

Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH> Hi,

EH> At 11:41 21.05.04 +0200, you wrote:

Hello blist,

In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mailadress and Your password of Your mailbox over the internet.
When a man-in-the-middle catch this e-mail (or worse Your PW), he can
use it for spam, or access Your mailbox.

EH> This is only true for SMTP Authentication of type "plain" and "login".

EH> With CRAM-MD5 its quite save.

EH> Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.

More, Your mail is sent in plaintext.  I prefer encrypted streams,
so SUPP's patch which encrypts the stream with SSL, and authenticate
afterwards (in plaintext) is still the best way to go, it's not a big
effort to realize.

EH> Pls. tell us how you intend to communicate to the rest of the world by
EH> means of email with encrypted addresses.

EH> You are joking, troll.

EH> regards.
EH> --eh.

EH> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

To be rude and without respect, this was the speciality of Your
ancestors when they pretended to be the most bright race on Earth.
For Your records annoo 1914-18, 1940-1945.  Clearly, some can't deny
their roots.

Ahhh...yes! A flame war...always nice :)




Re[4]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Erwin,

Friday, May 21, 2004, 7:37:15 PM, you wrote:

EH> Hi,

EH> At 17:21 21.05.04 +0200, you wrote:
>>Hello Erwin,
>>
>>Friday, May 21, 2004, 5:14:30 PM, you wrote:
>>
>>EH> Hi,
>>
>>EH> At 11:41 21.05.04 +0200, you wrote:
Hello blist,

>>
In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mailadress and Your password of Your mailbox over the internet.
When a man-in-the-middle catch this e-mail (or worse Your PW), he can
use it for spam, or access Your mailbox.
>>
>>EH> This is only true for SMTP Authentication of type "plain" and "login".
>>
>>EH> With CRAM-MD5 its quite save.
>>
>>EH> Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK
>>

>>Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
>>If there are many hops between Your workstation and the smtpserver,
>>You can get some spam in return.

>>More, Your mail is sent in plaintext.  I prefer encrypted streams,
>>so SUPP's patch which encrypts the stream with SSL, and authenticate
>>afterwards (in plaintext) is still the best way to go, it's not a big
>>effort to realize.

EH> Pls. tell us how you intend to communicate to the rest of the world by
EH> means of email with encrypted addresses.

EH> You are joking, troll.

EH> regards.
EH> --eh.



EH> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

To be rude and without respect, this was the speciality of Your
ancestors when they pretended to be the most bright race on Earth.
For Your records annoo 1914-18, 1940-1945.  Clearly, some can't deny
their roots.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Nick,

Friday, May 21, 2004, 8:02:19 PM, you wrote:


NH> [EMAIL PROTECTED] wrote:

>>Hello Jeremy,
>>
>>Friday, May 21, 2004, 5:20:40 PM, you wrote:
>>
>>JK> On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
>>  
>>
EH> This is only true for SMTP Authentication of type "plain" and "login".
EH> With CRAM-MD5 its quite save.
  

NH> CRAM-MD5 makes it safer, not "quite safe".

Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.
  

>>
>>JK> I am truly amazed at that statement.
>>  
>>
NH> This sounds pretty ridiculous to me also. People who spend inordinate
NH> amounts of time actually worrying about having their traffic sniffed,
NH> probably shouldn't be using anything remotely resembling common internet
NH> protocols.

NH> 

Privacy issues are hot topic, You know.  If You know, some
'sensitive' data is often maintained with a single mailbox.  I give
You some samples.  A domain name You own, which can be stolen by
impersonating You, by a hacked mailbox.  Or someone, who use Your
mailbox to contact your customers (if You have a company).  Ok, with
all worms out, it's common mailboxes are often spoofed, but it's
really embarrassing if the mail comes from Your servers !  When Your
mailserver is server hops away from You,  You consider encrypting the
route to it.  I wouldn't care someone sniffs my browsing attitudes, but
I want to keep my mails to my customers, my mails to maintain cvs or
domain names protected, so it all starts with a secure mailserver.

>>I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
>>to secure the stream up to Your mailserver (one step), but in this
>>step, You 'can' have many hops between You and Your workstation, so
>>this stream is the first to protect anyway.  I agree on the fact there
>>aren't many TLS servers, but if everyone do his own part to install
>>the TLS option, we have in a little decade a much nicer place to have
>>secure mail transport.  If people stich with smtp-auth, we never get
>>there.
>>  
>>
NH> Some of us don't actually have the luxury of smtp-tls because we have
NH> one physical mail server, or cluster thereof, serving multiple domains.

One physical server can hold many virtual servers in a Unix jail
environment.

NH> These domains are all "hidden" from each other, so unless we start
NH> running separate smtpd instances, with their own configs, separate IPs
NH> we cannot present a certificate to each client that'd match what their
NH> mail client expects.

Well, we do it that way.  By the Jails and IP aliases.

>>(note: even Your soft, courier-imap seems to have an option for
>>spamass, would be nice to see Dspam(.org) instead)
>>  
>>
NH> I think this'd be a "show us the code" request. There are quite a few
NH> ways to use spamassassin where its not a ridiculous memory hog 
NH> (spamc/spamd for one).

I prefer C code, don't You ? Take a look to dspam.  Afterwards, You
may have another point of view.  With spam-ass You don't have
problems, if You have a small user base.  When You have a lot of users
on Your mailserver, it brings any server to its knees, regardless of
any setup.  It's the overhead of perl.

I prefer to gain the speed for other services, instead of losing it to
issues as spam.

Qmail is a great server, but if You use perl scripts 'to manipulate'
the mailqueue, You have something to worry about.  Each e-mail
triggers the scripts, first qmail-scanner, secondly spamm-ass.

NH> Cheers,
NH> Nick Harring
NH> Webley Systems






-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Nick Harring







[EMAIL PROTECTED] wrote:


>Hello Jeremy,
>
>Friday, May 21, 2004, 5:20:40 PM, you wrote:
>
>JK> On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
>  
>
>>>EH> This is only true for SMTP Authentication of type "plain" and "login".
>>>EH> With CRAM-MD5 its quite save.
>>>  
>>>
CRAM-MD5 makes it safer, not "quite safe".


>>>Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
>>>If there are many hops between Your workstation and the smtpserver,
>>>You can get some spam in return.
>>>  
>>>
>
>JK> I am truly amazed at that statement.
>  
>
This sounds pretty ridiculous to me also. People who spend inordinate 
amounts of time actually worrying about having their traffic sniffed, 
probably shouldn't be using anything remotely resembling common internet 
protocols.





>I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
>to secure the stream up to Your mailserver (one step), but in this
>step, You 'can' have many hops between You and Your workstation, so
>this stream is the first to protect anyway.  I agree on the fact there
>aren't many TLS servers, but if everyone do his own part to install
>the TLS option, we have in a little decade a much nicer place to have
>secure mail transport.  If people stich with smtp-auth, we never get
>there.
>  
>
Some of us don't actually have the luxury of smtp-tls because we have 
one physical mail server, or cluster thereof, serving multiple domains. 
These domains are all "hidden" from each other, so unless we start 
running separate smtpd instances, with their own configs, separate IPs 
we cannot present a certificate to each client that'd match what their 
mail client expects.


>(note: even Your soft, courier-imap seems to have an option for
>spamass, would be nice to see Dspam(.org) instead)
>  
>
I think this'd be a "show us the code" request. There are quite a few 
ways to use spamassassin where its not a ridiculous memory hog 
(spamc/spamd for one).


Cheers,
Nick Harring
Webley Systems
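
What each SMTP AUTH mechanism argued over in this thread puts on an unencrypted connection, as an added example that is not part of any poster's message. The CRAM-MD5 challenge and secret are the worked example values published in RFC 2195; the PLAIN/LOGIN account is a constructed sample.

```python
import base64
import hashlib
import hmac

# Worked example values published in RFC 2195 (user "tim").
RFC2195_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
RFC2195_SECRET = "tanstaaftanstaaf"


def b64(data):
    return base64.b64encode(data).decode("ascii")


def client_plain(user, password):
    """AUTH PLAIN response: base64 of NUL user NUL password."""
    return [b64(b"\0" + user.encode() + b"\0" + password.encode())]


def client_login(user, password):
    """AUTH LOGIN responses: base64 user, then base64 password."""
    return [b64(user.encode()), b64(password.encode())]


def client_cram_md5(user, password, challenge_b64):
    """AUTH CRAM-MD5 response: base64 of 'user hex(HMAC-MD5(password, challenge))'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return [b64(f"{user} {digest}".encode())]


def server_verify_cram_md5(response_b64, challenge_b64, lookup_password):
    """Server side: recompute the digest from the stored secret and compare."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = lookup_password(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def exposed_on_wire(mechanism, client_lines):
    """What anyone reading the cleartext session can decode from the client's lines."""
    decoded = [base64.b64decode(line) for line in client_lines]
    if mechanism == "PLAIN":
        _authzid, user, password = decoded[0].split(b"\0")
        return {"user": user.decode(), "password": password.decode()}
    if mechanism == "LOGIN":
        return {"user": decoded[0].decode(), "password": decoded[1].decode()}
    if mechanism == "CRAM-MD5":
        # The user name is readable; the password is not sent, only a digest
        # that is bound to this one challenge.
        user, _, digest = decoded[0].decode().rpartition(" ")
        return {"user": user, "password": None, "digest": digest}
    raise ValueError(f"unknown mechanism {mechanism!r}")


if __name__ == "__main__":
    # Constructed sample account for the PLAIN and LOGIN cases.
    user, password = "alice@example.test", "sample-secret"
    print("PLAIN   ", exposed_on_wire("PLAIN", client_plain(user, password)))
    print("LOGIN   ", exposed_on_wire("LOGIN", client_login(user, password)))

    challenge = b64(RFC2195_CHALLENGE)
    response = client_cram_md5("tim", RFC2195_SECRET, challenge)
    print("CRAM-MD5", exposed_on_wire("CRAM-MD5", response))
    accounts = {"tim": RFC2195_SECRET}
    print("server accepts:", server_verify_cram_md5(response[0], challenge, accounts.get))
```

Inside a TLS session (smtps or STARTTLS) none of these lines are readable by intermediate hops, whichever mechanism is used.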





Re: Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Erwin Hoffmann
Hi,

At 17:21 21.05.04 +0200, you wrote:
>Hello Erwin,
>
>Friday, May 21, 2004, 5:14:30 PM, you wrote:
>
>EH> Hi,
>
>EH> At 11:41 21.05.04 +0200, you wrote:
>>>Hello blist,
>>>
>
>>>In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
>>>security as SMTP after POP, because with SMTP-Auth, You sent Your
>>>e-mailadress and Your password of Your mailbox over the internet.
>>>When a man-in-the-middle catch this e-mail (or worse Your PW), he can
>>>use it for spam, or access Your mailbox.
>
>EH> This is only true for SMTP Authentication of type "plain" and "login".
>
>EH> With CRAM-MD5 its quite save.
>
>EH> Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK
>

>Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
>If there are many hops between Your workstation and the smtpserver,
>You can get some spam in return.

>More, Your mail is sent in plaintext.  I prefer encrypted streams,
>so SUPP's patch which encrypts the stream with SSL, and authenticate
>afterwards (in plaintext) is still the best way to go, it's not a big
>effort to realize.

Pls. tell us how you intend to communicate to the rest of the world by
means of email with encrypted addresses.

You are joking, troll.

regards.
--eh.



Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24


Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Jeremy,

Friday, May 21, 2004, 5:20:40 PM, you wrote:

JK> On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
>> EH> This is only true for SMTP Authentication of type "plain" and "login".
>> EH> With CRAM-MD5 its quite save.

>> Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
>> If there are many hops between Your workstation and the smtpserver,
>> You can get some spam in return.

JK> I am truly amazed at that statement.

>> More, Your mail is sent in plaintext.  I prefer encrypted streams,
>> so SUPP's patch which encrypts the stream with SSL, and authenticate
>> afterwards (in plaintext) is still the best way to go, it's not a big
>> effort to realize.

JK> but most servers out there don't have TLS support so your email still goes
JK> across unencrypted.

JK> for instance, I use smtps to talk to my mail server, purely because I have it
JK> available (I'm not using smtp auth or anything) but I realize that when it
JK> leaves my server it's not encrypted.

JK> If you want end to end encryption of emails, most MUAs support pgp/gpg/s-mime
JK> encryption formats.

JK> -Jeremy

I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
to secure the stream up to Your mailserver (one step), but in this
step, You 'can' have many hops between You and Your workstation, so
this stream is the first to protect anyway.  I agree on the fact there
aren't many TLS servers, but if everyone do his own part to install
the TLS option, we have in a little decade a much nicer place to have
secure mail transport.  If people stick with smtp-auth, we never get
there.

A little bit out of topic, but same can be told about qmail-scanner
and Spamm-ass.  Two memory hogs due to perl.  There are alternatives
like qscan and dspam, but to find info to install it, a mess.  So a
lot use the easy road and stick with those perlscripts and downgrade
their qmailserver.

(note: even Your soft, courier-imap seems to have an option for
spamass, would be nice to see Dspam(.org) instead)

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Jeremy Kitchen
On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
> EH> This is only true for SMTP Authentication of type "plain" and "login".
> EH> With CRAM-MD5 its quite save.

> Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
> If there are many hops between Your workstation and the smtpserver,
> You can get some spam in return.

I am truly amazed at that statement.

> More, Your mail is sent in plaintext.  I prefer encrypted streams,
> so SUPP's patch which encrypts the stream with SSL, and authenticate
> afterwards (in plaintext) is still the best way to go, it's not a big
> effort to realize.

but most servers out there don't have TLS support so your email still goes 
across unencrypted.

for instance, I use smtps to talk to my mail server, purely because I have it 
available (I'm not using smtp auth or anything) but I realize that when it 
leaves my server it's not encrypted.

If you want end to end encryption of emails, most MUAs support pgp/gpg/s-mime 
encryption formats.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail



Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Erwin,

Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH> Hi,

EH> At 11:41 21.05.04 +0200, you wrote:
>>Hello blist,
>>

>>In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
>>secure than SMTP after POP, because with SMTP-Auth, You send Your
>>e-mail address and Your password of Your mailbox over the internet.
>>When a man-in-the-middle catches this e-mail (or worse Your PW), he can
>>use it for spam, or access Your mailbox.

EH> This is only true for SMTP Authentication of type "plain" and "login".

EH> With CRAM-MD5 it's quite safe.

EH> Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

EH> regards.
EH> --eh.

EH> Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH> Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

Yes, it's 'quite' safe, but You still reveal Your e-mail address.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.

More, Your mail is sent in plaintext.  I prefer encrypted streams,
so Shupp's patch which encrypts the stream with SSL, and authenticates
afterwards (in plaintext) is still the best way to go, it's not a big
effort to realize.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Jeremy Kitchen
On Friday 21 May 2004 09:11 am, [EMAIL PROTECTED] wrote:
> >> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
> >> secure than SMTP after POP, because with SMTP-Auth, You send Your
> >> e-mail address and Your password of Your mailbox over the internet.

> JKister> Are you insinuating that this is not so with POP3 (or "SMTP after POP")

> No not at all, where do You get this ?

you said it yourself.

> Maybe You read it Your way. 

no, he read it as you wrote it.

> You can authenticate with POP3-SSL, and have a SMTP after POP, so where
> is Your point, in this case ?

you can also smtp auth over ssl

> What I was insinuating was to use TLS for SMTP, and not SMTP Auth.

you said that later, but that wasn't your original statement.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail



Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Jeremy Kitchen
On Thursday 20 May 2004 09:24 pm, Brooks Roy wrote:
> I have put in the patch as described in the contrib README and changed
> it to be /bin/checkpassword instead of vchkpw and I still have the same
> scenario.

/bin/checkpassword generally needs to be run as root to authenticate users.  
More than likely you are not doing this.  Why did you change from vchkpw 
to /bin/checkpassword ?

post your run script so we can try to attempt to help you.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail



Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Erwin Hoffmann
Hi,

At 11:41 21.05.04 +0200, you wrote:
>Hello blist,
>

>In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
>secure than SMTP after POP, because with SMTP-Auth, You send Your
>e-mail address and Your password of Your mailbox over the internet.
>When a man-in-the-middle catches this e-mail (or worse Your PW), he can
>use it for spam, or access Your mailbox.

This is only true for SMTP Authentication of type "plain" and "login".

With CRAM-MD5 it's quite safe.

Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
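
Added example (not part of any post in this thread): a Python sketch of what the client sends for AUTH PLAIN, AUTH LOGIN and CRAM-MD5, and what a reader of the unencrypted session can decode from it. It covers both the statement above about "plain" and "login" and the reply that the address is still revealed. The account, password and challenge are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import hmac


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def client_plain(user, password):
    """AUTH PLAIN: one line, base64 of authzid NUL user NUL password."""
    return [b64(b"\0" + user.encode() + b"\0" + password.encode())]


def client_login(user, password):
    """AUTH LOGIN: user and password sent as two separate base64 lines."""
    return [b64(user.encode()), b64(password.encode())]


def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the password over the server's one-time challenge."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_cram_md5(user, password, challenge):
    """CRAM-MD5: base64 of 'user digest'; the password itself is never sent."""
    return [b64(f"{user} {cram_md5_digest(password, challenge)}".encode())]


def server_verify_cram_md5(stored_password, challenge, client_line):
    """Server side: recompute the digest, which needs the cleartext password."""
    user, digest = base64.b64decode(client_line).decode().rsplit(" ", 1)
    expected = cram_md5_digest(stored_password, challenge)
    return user, hmac.compare_digest(digest, expected)


def observer_view(mechanism, client_lines):
    """What a reader of the unencrypted session decodes from the client lines."""
    decoded = [base64.b64decode(line) for line in client_lines]
    if mechanism == "PLAIN":
        _authzid, user, password = decoded[0].split(b"\0", 2)
        return {"user": user.decode(), "password": password.decode()}
    if mechanism == "LOGIN":
        return {"user": decoded[0].decode(), "password": decoded[1].decode()}
    if mechanism == "CRAM-MD5":
        user, _digest = decoded[0].decode().rsplit(" ", 1)
        return {"user": user, "password": None}
    raise ValueError(f"unknown mechanism: {mechanism}")


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    user, password = "alice@example.org", "constructed-secret"
    challenge = "<12345.1085140800@mail.example.org>"
    sessions = {
        "PLAIN": client_plain(user, password),
        "LOGIN": client_login(user, password),
        "CRAM-MD5": client_cram_md5(user, password, challenge),
    }
    for mech, lines in sessions.items():
        print(mech, lines, "->", observer_view(mech, lines))
    print(server_verify_cram_md5(password, challenge, sessions["CRAM-MD5"][0]))
```

None of the three mechanisms encrypts the message that follows the AUTH exchange; only TLS on the connection does that.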


Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Jeremy,

Friday, May 21, 2004, 3:47:18 PM, you wrote:

JK> On Friday, May 21, 2004 5:41 AM, DEBO Jurgen E. G. wrote:
>> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
>> secure than SMTP after POP, because with SMTP-Auth, You send Your
>> e-mail address and Your password of Your mailbox over the internet.

JK> Are you insinuating that this is not so with POP3 (or "SMTP after POP") ?

JK> LOL


JK> Jeremy Kister
JK> http://jeremy.kister.com/


No not at all, where do You get this ?  Maybe You read it Your way.
You can authenticate with POP3-SSL, and have a SMTP after POP, so where
is Your point, in this case ?

What I was insinuating was to use TLS for SMTP, and not SMTP Auth.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread Jeremy Kister
On Friday, May 21, 2004 5:41 AM, DEBO Jurgen E. G. wrote:
> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
> secure than SMTP after POP, because with SMTP-Auth, You send Your
> e-mail address and Your password of Your mailbox over the internet.

Are you insinuating that this is not so with POP3 (or "SMTP after POP") ?

LOL


Jeremy Kister
http://jeremy.kister.com/



Re: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread DEBO Jurgen E. G.
Hello blist,

Friday, May 21, 2004, 2:00:08 AM, you wrote:

b> I am installing vchkpw + SMTP AUTH + qmail.  I have installed qmail with
b> this patch:
b>qmail-smtpd-auth-0.31 from 
b> http://members.elysium.pl/brush/qmail-smtpd-auth/

b> Here is my run tcpserver script for qmail-smtpd:

b> exec /usr/local/bin/softlimit -m 1000 \
b> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
b> /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
b> "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
b> /usr/local/bin/fixcrio \
b> /usr/local/bin/rblsmtpd -r relays.ordb.org \
b> /var/qmail/bin/qmail-smtpd ps1.prostream.net \
b> /usr/local/vpopmail/bin/vchkpw /bin/true &

b> I cannot get any users to authenticate when sending email.  I then tried
b> taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it
b> lets all users authenticate.  I am running SUSE 9.0 x86-64 with vpopmail
b> 5.4.0

b> Any ideas why it's not working?

b> Thanks,
b> Brooks Roy

Roy,

In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
secure than SMTP after POP, because with SMTP-Auth, You send Your
e-mail address and Your password of Your mailbox over the internet.
When a man-in-the-middle catches this e-mail (or worse Your PW), he can
use it for spam, or access Your mailbox.

I suggest You use Shupp's version with netqmail, like:

fetch http://www.qmail.org/netqmail-1.05.tar.gz
tar xzvf netqmail-1.05.tar.gz
cd netqmail-1.05
./collate.sh

# patch with Shupp's TLS and SMTP-Auth
fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
patch < ./netqmail-1.05-tls-smtpauth-20040207.patch

certificate:

You can copy those (extension .pem) from:
freeBSD, vpopmail stuff
cd /var/qmail/control
cp /usr/local/cert/ipop3d.pem servercert.pem
ln -s servercert.pem ./clientcert.pem

Activate TLS by creating a certificate, and You will be much better off
to create an encrypted connection to Your SMTP server by the SMTP Enc
smtps   465/tcp    #smtp protocol over TLS/SSL (was ssmtp)
smtps   465/udp    #smtp protocol over TLS/SSL (was ssmtp)

-- 
Best regards,
 DEBO Jurgen
 Belgian Chocolates
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Brooks Roy
I do not have an open relay.  I am trying to setup SMTP Auth.  It is not 
working.. When users try to auth, it just keeps asking for username 
password over and over.  Never sends.

X-Istence wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Brooks Roy wrote:
> > I have put in the patch as described in the contrib README and changed
> > it to be /bin/checkpassword instead of vchkpw and I still have the
> > same scenario.
>
> What does your data.cdb or smtp.cdb look like that gets created from a file?
>
> Also, it should still be to vchkpw if you want to use vpopmail.
>
> This is what your run file should look like:
>
> exec /usr/local/bin/softlimit -m 1000 \
> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
> /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
> "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
> /usr/local/bin/fixcrio \
> /usr/local/bin/rblsmtpd -r relays.ordb.org \
> /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true &
>
> Also make sure $QMAILDUID $MAXSMTPD and $LOCAL are set properly.
>
> I see that you have your /usr/local/vpopmail/etc/tcp.smtp.cdb, are you
> sure that is not causing the open relay? Try pointing it to one that only
> has:
>
> :allow
>
> in it, and see if you are still an open relay then.
>
> X-Istence
 




Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread X-Istence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Brooks Roy wrote:
> I have put in the patch as described in the contrib README and changed
> it to be /bin/checkpassword instead of vchkpw and I still have the
> same scenario.

What does your data.cdb or smtp.cdb look like that gets created from a file?

Also, it should still be to vchkpw if you want to use vpopmail.


This is what your run file should look like:

exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
/usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
"$QMAILDUID" -g vchkpw 192.168.5.50 25 \
/usr/local/bin/fixcrio \
/usr/local/bin/rblsmtpd -r relays.ordb.org \
/var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true &


Also make sure $QMAILDUID $MAXSMTPD and $LOCAL are set properly.


I see that you have your /usr/local/vpopmail/etc/tcp.smtp.cdb, are you
sure that is not causing the open relay? Try pointing it to one that only
has:

:allow

in it, and see if you are still an open relay then.

X-Istence
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArWnTJukONu5DUaQRAvIEAJ4kNtYLR/Kq37/KHIhQT+bowaa2AwCfcfmw
T/UiN67ZKxN5Xl8bfb7td2A=
=ioO9
-END PGP SIGNATURE-


Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Brooks Roy
I have put in the patch as described in the contrib README and changed 
it to be /bin/checkpassword instead of vchkpw and I still have the same 
scenario.

X-Istence wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Brooks Roy wrote:
> > So use the patch from the vpopmail contrib directory WITHOUT the
> > hostname in the run script for tcpserver?
> >
> > Won't this make the server an open relay?
>
> No, cause that patch doesn't require a hostname on purpose, as too many
> people were unsure if it was needed or not. It is not needed, thus it
> was removed. So no, you will not make yourself an open relay.
>
> > X-Istence wrote:
> > My apologies, the solution i provided *WILL* not work. Considering the
> > code still contains the hostname stuff.
> >
> > What i suggest is you grab the patch from the vpopmail contrib
> > directory, it contains a copy that *will* work.
> >
> > X-Istence
 




Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread X-Istence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Brooks Roy wrote:
> So use the patch from the vpopmail contrib directory WITHOUT the
> hostname in the run script for tcpserver?
>
> Won't this make the server an open relay?

No, cause that patch doesn't require a hostname on purpose, as too many
people were unsure if it was needed or not. It is not needed, thus it
was removed. So no, you will not make yourself an open relay.

>
> X-Istence wrote:
>
>
> My apologies, the solution i provided *WILL* not work. Considering the
> code still contains the hostname stuff.
>
> What i suggest is you grab the patch from the vpopmail contrib
> directory, it contains a copy that *will* work.
>
> X-Istence
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArWgSJukONu5DUaQRApA6AKCM+q+2R0ErkBTWX1AK+swrOrruLgCfbBZs
x1XaueBT++M1ovsaIvevqpw=
=Ubls
-END PGP SIGNATURE-


Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Brooks Roy
So use the patch from the vpopmail contrib directory WITHOUT the 
hostname in the run script for tcpserver?

Won't this make the server an open relay?

X-Istence wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> My apologies, the solution i provided *WILL* not work. Considering the
> code still contains the hostname stuff.
>
> What i suggest is you grab the patch from the vpopmail contrib
> directory, it contains a copy that *will* work.
>
> X-Istence
 




Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread X-Istence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


My apologies, the solution i provided *WILL* not work. Considering the
code still contains the hostname stuff.

What i suggest is you grab the patch from the vpopmail contrib
directory, it contains a copy that *will* work.

X-Istence
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArV6EJukONu5DUaQRAuMQAJ4oPWzzYWeeAKRlYOop6DWxovBy/wCghqre
PvraZ1VWDiBT4Yx++8H0Xho=
=pS6m
-END PGP SIGNATURE-


Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread X-Istence
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jeremy Kitchen wrote:
> On Thursday 20 May 2004 07:00 pm, blist wrote:
>>Here is my run tcpserver script for qmail-smtpd:
>>
>>exec /usr/local/bin/softlimit -m 1000 \
>>/usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
>>/usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
>>"$QMAILDUID" -g vchkpw 192.168.5.50 25 \
>>/usr/local/bin/fixcrio \
>>/usr/local/bin/rblsmtpd -r relays.ordb.org \
>>/var/qmail/bin/qmail-smtpd ps1.prostream.net \
>>/usr/local/vpopmail/bin/vchkpw /bin/true &

Simple, remove the hostname, and all should be well.

>
>
> what's the value of $QMAILDUID in that script?
>
> also, if you take out the hostname you're an open relay, because you're
> authenticating with /bin/true

Wrong, vchkpw needs another program to change the directory for, check
the way qmail-pop3d works.

pop3-popup checkpasswrd realpop3 (Which is now in the users directory)

If vchkpw is not given another argument to execute after it auth's the
user, qmail-smtpd has no way to check if it was successful.

>
> -Jeremy
>
>

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFArV1GJukONu5DUaQRAt/SAJ9Ubh1+KnXuKN9p+AGtnz3OvPEi4wCgmS2k
lqa015oQi4ITRgNw0nECxRI=
=LOQ4
-END PGP SIGNATURE-


Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Greg Kopp
The patch you are using is incredibly old.
You should consider auth-jms1.4a.patch from 
http://www.jms1.net/qmail/auth-jms1.4a.patch

If that link is broken, google on "auth-jms1.4a.patch" and look at the 
cached version.

You might also consider the qmail-requireauth.patch that allows you to 
set an environment variable to selectively require authentication. I had 
to manually apply the patch as some of the line numbers didn't jive. 
I've pasted it below.

Greg
*** qmail-smtpd-orig.c  Tue May 15 13:21:04 2001
--- qmail-smtpd.c   Tue May 15 13:26:04 2001
***
*** 72,77 
--- 72,79 
 int err_authabrt() { out("501 auth exchange cancelled (#5.0.0)\r\n"); 
return -1; }
 int err_input() { out("501 malformed auth input (#5.5.4)\r\n"); return 
-1; }

+ void err_authrequired() { out("503 you must authenticate first 
(#5.5.1)\r\n"); }
+
 stralloc greeting = {0};

 void smtp_greet(code) char *code;
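Review bot: err_authrequired() in the first added line replies with 503, the SMTP code for a bad sequence of commands, while RFC 2554 defines 530 for a command refused because authentication is required. A client or log filter that keys on the numeric code cannot tell this refusal from an ordinary ordering error; suggest `out("530 authentication required (#5.7.0)\r\n")`. The added out(...) line and both err_* context lines are also wrapped across two lines as pasted here, so this hunk will not apply until they are rejoined.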
***
*** 93,98 
--- 95,102 
 char *remoteinfo;
 char *local;
 char *relayclient;
+ char *requireauth;
+ int authd = 0;
 stralloc helohost = {0};
 char *fakehelo; /* pointer into helohost, or 0 */
***
*** 143,148 
--- 147,153 
   if (!remotehost) remotehost = "unknown";
   remoteinfo = env_get("TCPREMOTEINFO");
   relayclient = env_get("RELAYCLIENT");
+   requireauth = env_get("REQUIREAUTH");
   dohelo(remotehost);
 }
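Review bot: requireauth is set from env_get("REQUIREAUTH") with no look at its value, and the later test in smtp_mail() is only `requireauth && !authd`, so REQUIREAUTH="0" or any other value turns enforcement on. Either compare the value explicitly or document, next to this line and in the qmail-smtpd documentation, that presence alone enables the requirement; the patch as posted changes only qmail-smtpd.c and describes the variable nowhere.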
***
*** 259,264 
--- 264,270 
 }
 void smtp_mail(arg) char *arg;
 {
+   if (requireauth && !authd) { err_authrequired(); return; }
   if (!addrparse(arg)) { err_syntax(); return; }
   flagbarf = bmfcheck();
   seenmail = 1;
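Review bot: the `requireauth && !authd` test at the top of smtp_mail() is the only enforcement point the patch adds, so it is complete only if RCPT and DATA already refuse to run before a successful MAIL, which the hunks shown here do not establish. Add a comment stating that dependency, and note that with REQUIREAUTH set for a connection every MAIL is refused until AUTH succeeds, including ordinary inbound deliveries from other mail servers, so the variable belongs only on rules or listeners meant for submitting users.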
***
*** 425,431 
 char **childargs;
 substdio ssup;
 char upbuf[128];
- int authd = 0;
 int authgetl(void) {
   int i;
--- 431,436 

blist wrote:
> I am installing vchkpw + SMTP AUTH + qmail.  I have installed qmail 
> with this patch:
>   qmail-smtpd-auth-0.31 from 
> http://members.elysium.pl/brush/qmail-smtpd-auth/
>
> Here is my run tcpserver script for qmail-smtpd:
>
> exec /usr/local/bin/softlimit -m 1000 \
> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
> /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
> "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
> /usr/local/bin/fixcrio \
> /usr/local/bin/rblsmtpd -r relays.ordb.org \
> /var/qmail/bin/qmail-smtpd ps1.prostream.net \
> /usr/local/vpopmail/bin/vchkpw /bin/true &
>
> I cannot get any users to authenticate when sending email.  I then 
> tried taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd 
> and it lets all users authenticate.  I am running SUSE 9.0 x86-64 with 
> vpopmail 5.4.0
>
> Any ideas why it's not working?
>
> Thanks,
> Brooks Roy



Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Brooks Roy
Jeremy,
QMAILDUID = vpopmail
I know if i take out the domain its open :(..  That is the only thing so 
far that works..  I am at loss what I did wrong.  Been googling all night :)

Jeremy Kitchen wrote:
> On Thursday 20 May 2004 07:00 pm, blist wrote:
> > I am installing vchkpw + SMTP AUTH + qmail.  I have installed qmail with
> > this patch:
> >   qmail-smtpd-auth-0.31 from
> > http://members.elysium.pl/brush/qmail-smtpd-auth/
> >
> > Here is my run tcpserver script for qmail-smtpd:
> >
> > exec /usr/local/bin/softlimit -m 1000 \
> > /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
> > /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
> > "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
> > /usr/local/bin/fixcrio \
> > /usr/local/bin/rblsmtpd -r relays.ordb.org \
> > /var/qmail/bin/qmail-smtpd ps1.prostream.net \
> > /usr/local/vpopmail/bin/vchkpw /bin/true &
>
> ok
>
> > I cannot get any users to authenticate when sending email.  I then tried
> > taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it
> > lets all users authenticate.  I am running SUSE 9.0 x86-64 with vpopmail
> > 5.4.0
>
> what's the value of $QMAILDUID in that script?
>
> also, if you take out the hostname you're an open relay, because you're 
> authenticating with /bin/true
>
> -Jeremy
>
> > Any ideas why it's not working?
> >
> > Thanks,
> > Brooks Roy




Re: [vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread Jeremy Kitchen
On Thursday 20 May 2004 07:00 pm, blist wrote:
> I am installing vchkpw + SMTP AUTH + qmail.  I have installed qmail with
> this patch:
>qmail-smtpd-auth-0.31 from
> http://members.elysium.pl/brush/qmail-smtpd-auth/
>
> Here is my run tcpserver script for qmail-smtpd:
>
> exec /usr/local/bin/softlimit -m 1000 \
> /usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
> /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
> "$QMAILDUID" -g vchkpw 192.168.5.50 25 \
> /usr/local/bin/fixcrio \
> /usr/local/bin/rblsmtpd -r relays.ordb.org \
> /var/qmail/bin/qmail-smtpd ps1.prostream.net \
> /usr/local/vpopmail/bin/vchkpw /bin/true &

ok

> I cannot get any users to authenticate when sending email.  I then tried
> taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it
> lets all users authenticate.  I am running SUSE 9.0 x86-64 with vpopmail
> 5.4.0

what's the value of $QMAILDUID in that script?

also, if you take out the hostname you're an open relay, because you're 
authenticating with /bin/true

-Jeremy

> Any ideas why it's not working?
>
> Thanks,
> Brooks Roy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
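
Added example, not from any poster or from the patches themselves: a small Python check that maps the arguments after qmail-smtpd onto the two layouts mentioned in this thread and flags a checkpassword slot that always succeeds or is not a program path. The layouts (hostname first for qmail-smtpd-auth-0.31, no hostname for the vpopmail contrib patch) are taken from the posters' statements and are assumptions; the script text is the one posted in the thread, and the finding names are illustrative.

```python
import shlex

# Argument layouts as stated by posters in this thread (assumptions, not read
# from the patch sources): number of arguments before the checkpassword program.
LAYOUTS = {
    "hostname": 1,      # qmail-smtpd <hostname> <checkpassword> <subprogram>
    "no-hostname": 0,   # qmail-smtpd <checkpassword> <subprogram>
}

# Run script as posted in the thread.
POSTED = r'''exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
/usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
"$QMAILDUID" -g vchkpw 192.168.5.50 25 \
/usr/local/bin/fixcrio \
/usr/local/bin/rblsmtpd -r relays.ordb.org \
/var/qmail/bin/qmail-smtpd ps1.prostream.net \
/usr/local/vpopmail/bin/vchkpw /bin/true &
'''
# The variant the poster tried next: same script with the hostname taken out.
WITHOUT_HOSTNAME = POSTED.replace(" ps1.prostream.net", "")


def smtpd_args(run_script):
    """Return the arguments that follow qmail-smtpd in a tcpserver run script."""
    lines = [ln for ln in run_script.splitlines()
             if not ln.lstrip().startswith("#")]
    tokens = shlex.split("\n".join(lines).replace("\\\n", " "))
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] == "qmail-smtpd":
            return [a for a in tokens[i + 1:] if a != "&"]
    raise ValueError("no qmail-smtpd invocation found")


def audit(run_script, layout):
    """Map the arguments onto the layout and flag risky or broken slots."""
    args = smtpd_args(run_script)
    skip = LAYOUTS[layout]
    hostname = args[0] if skip and args else None
    checker = args[skip] if len(args) > skip else None
    subprogram = args[skip + 1:]
    findings = []
    if hostname is not None and "/" in hostname:
        findings.append("HOSTNAME_IS_PATH")       # arguments shifted by one
    if checker is None:
        findings.append("NO_CHECKPASSWORD")
    elif not checker.startswith("/"):
        findings.append("CHECKER_NOT_ABSOLUTE")   # not a path to a program
    elif checker.rsplit("/", 1)[-1] == "true":
        findings.append("CHECKER_ALWAYS_TRUE")    # every AUTH attempt succeeds
    if checker is not None and not subprogram:
        findings.append("NO_SUBPROGRAM")
    return {"hostname": hostname, "checkpassword": checker,
            "subprogram": subprogram, "findings": findings}


if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("hostname removed", WITHOUT_HOSTNAME)):
        for layout in LAYOUTS:
            print(name, "/", layout, "->", audit(script, layout))
```

Run it with the layout that matches the patch actually compiled into qmail-smtpd; the same script is clean under one layout and flagged under the other.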



[vchkpw] SMTP Auth HOWTO?

2004-05-20 Thread blist
I am installing vchkpw + SMTP AUTH + qmail.  I have installed qmail with 
this patch:
  qmail-smtpd-auth-0.31 from 
http://members.elysium.pl/brush/qmail-smtpd-auth/

Here is my run tcpserver script for qmail-smtpd:
exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver -v -H -R -l "$LOCAL" -x \
/usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" -u \
"$QMAILDUID" -g vchkpw 192.168.5.50 25 \
/usr/local/bin/fixcrio \
/usr/local/bin/rblsmtpd -r relays.ordb.org \
/var/qmail/bin/qmail-smtpd ps1.prostream.net \
/usr/local/vpopmail/bin/vchkpw /bin/true &
I cannot get any users to authenticate when sending email.  I then tried 
taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it 
lets all users authenticate.  I am running SUSE 9.0 x86-64 with vpopmail 
5.4.0

Any ideas why it's not working?
Thanks,
Brooks Roy