Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Peter Peltonen
Hi,

On Fri, Feb 17, 2012 at 2:14 AM, Eric Shubert e...@shubes.net wrote:
> Have you restarted apache since changing the SM config file?

I had not but tried it now. I also read from SM docs:


Digest-MD5 authentication needs PHP XML extension.
If you have the mhash extension to PHP, it will automatically be used,
which may help performance on heavily loaded servers.
IMAP server support for these methods.


I did not have php-xml nor php-mhash installed, so I installed them
with yum and restarted Apache.

[root@ol ~]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

[root@ol ~]# grep md5 /etc/squirrelmail/config.php
$imap_auth_mech = 'digest-md5';

But still cram-md5 is used as login fails and in the dovecot log I see:

Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use
unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
lip=127.0.0.1, secured

I would be interested in hearing about other people's configs /
software versions, if they are using successfully digest-md5 with
SquirrelMail?

Best,
Peter

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Bharath Chari

On Friday 17 February 2012 01:33 PM, Peter Peltonen wrote:

> Hi,
>
> On Fri, Feb 17, 2012 at 2:14 AM, Eric Shubert e...@shubes.net wrote:
>> Have you restarted apache since changing the SM config file?
>
> I had not but tried it now. I also read from SM docs:
>
> Digest-MD5 authentication needs PHP XML extension.
> If you have the mhash extension to PHP, it will automatically be used,
> which may help performance on heavily loaded servers.
> IMAP server support for these methods.
>
> I did not have php-xml nor php-mhash installed, so I installed them
> with yum and restarted Apache.
>
> [root@ol ~]# service httpd restart
> Stopping httpd: [  OK  ]
> Starting httpd: [  OK  ]
>
> [root@ol ~]# grep md5 /etc/squirrelmail/config.php
> $imap_auth_mech = 'digest-md5';
>
> But still cram-md5 is used as login fails and in the dovecot log I see:
>
> Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use
> unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1,
> lip=127.0.0.1, secured
>
> I would be interested in hearing about other people's configs /
> software versions, if they are using successfully digest-md5 with
> SquirrelMail?

I don't use Squirrelmail a lot, but just tested it out with 
$imap_auth_mech = 'digest-md5';
It authenticates just fine. Are you sure config_local.php is not 
overriding it in any way? Can you share both files with us please?


Feb 17 15:51:58 imap-login: Info: Login: user=x...@example.com, 
method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, mpid=14232, secured
Feb 17 15:51:58 imap(x...@example.com): Info: Disconnected: Logged out 
bytes=311/3852


Bharath
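
The Dovecot log lines quoted in this exchange show what the webmail client actually sent, whatever config.php says. As an added example (not code from the thread or from QMT), this Python parser tallies the `method=` field of imap-login lines by outcome; the sample lines, users and addresses are constructed, and reading a line without `TLS` or `secured` as an unprotected connection is an assumption.

```python
import re

# Constructed sample lines in the imap-login format quoted in this thread.
SAMPLE_LOG = """\
Feb 17 09:56:04 imap-login: Info: Disconnected (tried to use unsupported auth mechanism): method=CRAM-MD5, rip=127.0.0.1, lip=127.0.0.1, secured
Feb 17 15:51:58 imap-login: Info: Login: user=<alice@example.com>, method=DIGEST-MD5, rip=127.0.0.1, lip=127.0.0.1, mpid=14232, secured
Feb 17 15:51:58 imap(alice@example.com): Info: Disconnected: Logged out bytes=311/3852
Feb 17 16:02:10 imap-login: Info: Login: user=<bob@example.com>, method=PLAIN, rip=192.0.2.7, lip=192.0.2.1, mpid=14301, TLS
Feb 17 16:05:41 imap-login: Info: Login: user=<carol@example.com>, method=CRAM-MD5, rip=192.0.2.9, lip=192.0.2.1, mpid=14350
"""

LINE_RE = re.compile(r"imap-login: Info: (?P<event>.+?): (?P<fields>.*)$")


def parse_login_line(line):
    """Return event, key=value fields and bare flags of one imap-login line."""
    match = LINE_RE.search(line.strip())
    if match is None:
        return None  # not an imap-login line (e.g. a post-login imap(...) line)
    record = {"event": match.group("event"), "flags": set()}
    for item in match.group("fields").split(", "):
        key, sep, value = item.partition("=")
        if sep:
            record[key] = value.strip("<>")
        else:
            record["flags"].add(item.strip())
    return record


def summarize(lines):
    """Count mechanisms per outcome and list CRAM-MD5 users on unprotected links."""
    accepted, rejected, cram_no_tls = {}, {}, set()
    for line in lines:
        record = parse_login_line(line)
        if record is None or "method" not in record:
            continue
        mech = record["method"].upper()
        if record["event"] == "Login":
            accepted[mech] = accepted.get(mech, 0) + 1
            # Assumption: a line carrying neither "TLS" nor "secured" was a
            # plain connection from a non-local address.
            if mech == "CRAM-MD5" and not record["flags"] & {"TLS", "secured"}:
                cram_no_tls.add(record.get("user", "?"))
        elif "unsupported auth mechanism" in record["event"]:
            rejected[mech] = rejected.get(mech, 0) + 1
    return {"accepted": accepted, "rejected": rejected,
            "cram_md5_without_tls": sorted(cram_no_tls)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for name, value in report.items():
        print(f"{name}: {value}")
```

A non-empty `rejected` count for a mechanism the webmail config does not name is the same symptom seen above: another file or client setting is choosing the mechanism.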






Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Peter Peltonen
Hi!

On Fri, Feb 17, 2012 at 12:28 PM, Bharath Chari
qmailtoas...@arachnis.com wrote:
> I don't use Squirrelmail a lot, but just tested it out with $imap_auth_mech
> = 'digest-md5';
> It authenticates just fine. Are you sure config_local.php is not overriding
> it in any way? Can you share both files with us please?

Stupid me!

It's been such a long time since I've touched SquirrelMail
configuration that I wasn't even aware that there was a
/etc/squirrelmail/config_local.php file

And yes, that was overriding the config.php

Setting digest-md5 as auth method there works just fine.

Good, now I feel confident enough to update my prod server.

Thanks,
Peter





Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Bharath Chari

On Friday 17 February 2012 04:50 PM, Peter Peltonen wrote:

> Hi!
>
> On Fri, Feb 17, 2012 at 12:28 PM, Bharath Chari
> qmailtoas...@arachnis.com wrote:
>> I don't use Squirrelmail a lot, but just tested it out with $imap_auth_mech
>> = 'digest-md5';
>> It authenticates just fine. Are you sure config_local.php is not overriding
>> it in any way? Can you share both files with us please?
>
> Stupid me!
>
> It's been such a long time since I've touched SquirrelMail
> configuration that I wasn't even aware that there was a
> /etc/squirrelmail/config_local.php file
>
> And yes, that was overriding the config.php
>
> Setting digest-md5 as auth method there works just fine.
>
> Good, now I feel confident enough to update my prod server.

Good for you. I personally use roundcube for webmail. One of these days, 
I'll try to find the strength of character to roll out an RPM for QMT. 
Don't hold me to that though :)


Bharath





[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/17/2012 04:37 AM, Bharath Chari wrote:

> Good for you. I personally use roundcube for webmail. One of these days,
> I'll try to find the strength of character to roll out an RPM for QMT.
> Don't hold me to that though :)


I've been wanting for some time now to get a team of people together to 
address webmail for QMT. The horde toaster project stalled because of me 
(sorry for that). I'd like to get the infrastructure transition closer 
to completion before doing much with this, but perhaps it's not too soon 
to discuss some ideas. Let's take this up on the devel list. I'll try to 
get a thread started today.


--
-Eric 'shubes'






[qmailtoaster] qmailtoaster migration

2012-02-17 Thread Jon Ernster
I need to move vps' - one hosts a qmailtoaster instance and I'd like to migrate 
all my existing data and spamassassin spam database over to the new server.

Can anyone tell me what exactly needs to be moved to accomplish this and point 
out anything that I might be missing?

Seems to me, to move my virtual domains/users/email I need to copy over what 
resides within /home/vpopmail.

If it matters here's the versions I'm running for some of the stuff:

[user@vps ~]$ rpm -qa | grep qmail*
qmail-pop3d-toaster-1.03-1.3.15
qmailadmin-toaster-1.2.11-1.3.4
qmail-toaster-1.03-1.3.15
[user@vps ~]$ rpm -qa | grep spam* 
spamassassin-toaster-3.1.8-1.3.8
[user@vps ~]$ rpm -qa | grep vpop*
vpopmail-toaster-5.4.17-1.3.4

Thanks.




Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Angus McIntyre
Eric Shubert wrote:
> I've been wanting for some time now to get a team of people together to
> address webmail for QMT. The horde toaster project stalled because of me
> (sorry for that).

My recollection of horde is that it's a horror to install and administer,
but I may be behind the times.

Atmail and Roundcube are pretty, but last time I looked at them (which
admittedly was a while ago) they both had some odd glitches. Maybe I
should take another look.

Squirrelmail has at least the virtue of simplicity.

Just my 2c.

Angus






[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/17/2012 10:01 AM, Angus McIntyre wrote:

> Eric Shubert wrote:
>> I've been wanting for some time now to get a team of people together to
>> address webmail for QMT. The horde toaster project stalled because of me
>> (sorry for that).
>
> My recollection of horde is that it's a horror to install and administer,
> but I may be behind the times.
>
> Atmail and Roundcube are pretty, but last time I looked at them (which
> admittedly was a while ago) they both had some odd glitches. Maybe I
> should take another look.
>
> Squirrelmail has at least the virtue of simplicity.
>
> Just my 2c.
>
> Angus



Angus,

If you're not already on the devel list, please join us there. We'd love 
to have your participation with future developments.


--
-Eric 'shubes'






Re: [qmailtoaster] Re: Authentication methods

2012-02-17 Thread Cecil Yother, Jr.



On 02/17/2012 08:46 AM, Eric Shubert wrote:

> On 02/17/2012 04:37 AM, Bharath Chari wrote:
>> Good for you. I personally use roundcube for webmail. One of these days,
>> I'll try to find the strength of character to roll out an RPM for QMT.
>> Don't hold me to that though :)
>
> I've been wanting for some time now to get a team of people together
> to address webmail for QMT. The horde toaster project stalled because
> of me (sorry for that). I'd like to get the infrastructure transition
> closer to completion before doing much with this, but perhaps it's not
> too soon to discuss some ideas. Let's take this up on the devel list.
> I'll try to get a thread started today.


I'll second the difficulty level with Horde.  While feature rich, it's a
PITA to set up and keep working.  I currently use RoundCube.  It's
pretty simple and straightforward to set up and install.  Has some
limitations, but nothing too serious.  While SM works well, its
interface is outdated, although Nutsmail is an option.


--
Cecil Yother, Jr. cj
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com






Re: [qmailtoaster] Re: Future Distros - RHEL/CentOS ONLY

2012-02-17 Thread Cecil Yother, Jr.



On 02/15/2012 08:15 AM, Eric Shubert wrote:

> On 02/15/2012 08:33 AM, Dan McAllister wrote:
>> I know I'm almost always the odd man out on issues like this one - the
>> squeaky wheel, so to speak - but I too would like to see us additionally
>> support Debian (or Ubuntu), as they are gaining in popularity... and I
>> like the idea of being a supporter/developer on a mail system that is
>> gaining in popularity (as QMT is).
>
> I agree.
>
>> That being said, I see no reason to try to support it with a binary
>> build, as I fully support the idea of moving towards a _*QMT as an
>> appliance*_ approach (which is to say as a virtual machine that has
>> multiple storage options -- on the VM, on the host system, or even on a
>> NAS.) As an appliance, we could run QMT on Fedora Core 1, if we so
>> chose... (not that we would, but as an appliance, the choice of
>> maintained OS becomes far less important!)
>
> I agree with this as well. While this seems to contradict the previous
> paragraph in some senses, I think we can provide QMT in a variety of
> distribution formats (first), and a variety of platform/distros
> (secondarily, later on).
>
> FWIW, I'm thinking of making QMT not a single appliance necessarily,
> but a set of appliances, each with a specific role which operates in
> harmony with the others (MTA, MSA, MUA, ...). For a single
> mega-appliance (which is what QMT is presently), all of the individual
> appliances could be combined into one. Or you could combine whichever
> ones you'd like, as you see fit. This sort of flexibility will allow
> QMT to scale much more easily, among other benefits. Stay tuned on the
> developers list for more about this.


ClearOS is what I view as the ideal toaster.  It does exactly what you're
describing.  While it's called a gateway, it can be easily used as a web
or e-mail server with a very nice interface.  I personally prefer CLI,
but for the masses the simplicity of the GUI is a consideration.


CentOS is stable in every sense.  I use SuSe on my desktop and have for
server use and it's been very good too.  I think it's the #1 Distro for
enterprise IIRC.  I think both are good choices for QMT.

>> Personally, this is the way I'm moving (virtualization) -- not only for
>> my QMT, but also for my apache (HTTP) and DNS/DHCP/Auth systems...
>
> I believe that most people are with you there.
> I'm leaning toward nginx instead of apache these days though. ;)
>
>> Just my 2-cents worth...
>
> Closer to $2. ;)
>
>> PS: I use Ubuntu 10.4 LTS as a desktop on old laptops -- other than HD
>> media (where they just don't have enough horsepower) and some Windoze
>> Media (where there just aren't codecs that I can find), these little
>> laptops do everything a kid normally wants to do on a computer -- and on
>> hardware that costs less than $200! (I have tried CentOS on these same
>> laptops and have far more issues with media than with Ubuntu -- haven't
>> had time to figure out why, I'm just satisfied that there IS such a
>> thing!)
>
> I use Ubuntu LTS 10.4 on my desk/laptop (workstation). I'll have some
> big decisions to make come this summer. I didn't actually install 10.4
> until about the time that 10.10 came out though, so I won't be in a
> hurry to get to 12.4. I *do* like stable things. :)
>
>> BTW: I use CentOS 5 on most of my older servers (having migrated to
>> CentOS from Fedora 8 some years ago), and CentOS 6 on my newer ones...
>> as I have pointed out on several occasions here, I have had NO PROBLEMS
>> building QMT on CentOS 6, and don't personally care about the lack of
>> the toaster-admin web-GUI... in fact, several people have pointed out
>> that a change to the php.ini file could fix those problems, but I
>> haven't tested it out because I simply don't use the GUI interface to
>> begin with, and I just haven't gotten around to it!
>
> While I don't discourage anyone from being on the bleeding edge if
> that's their preference, I don't want to be in any hurry getting to
> COS6. There's no urgency (5 is supported 'til 2017), and there are
> some new system features (systemd and rsyslog to be specific) that I'd
> like to consider using if possible. Migrating to these common system
> services will make inclusion of other distros a bit easier as well.
>
>> As you can see, I don't drink anyone's Kool-Aid... the RIGHT tool in the
>> RIGHT place, regardless of who it's from or what update mechanism is
>> used! :-)
>
> Right. Which is why I'm giving OBS serious consideration. ;)
>
> Thanks Dan.



--
Cecil Yother, Jr. cj
cj's
2318 Clement Ave
Alameda, CA  94501

tel 510.865.2787 | http://yother.com
Check out the new Volvo classified resource http://www.volvoclassified.com



[qmailtoaster] Re: Authentication methods

2012-02-17 Thread Eric Shubert

On 02/16/2012 09:48 PM, Pak Ogah wrote:

> On 02/16/12 0:26, Eric Shubert wrote:
>> As part of the upgrade to vpopmail, we're considering removing clear
>> text passwords from the database. This will improve security, but at
>> the same time remove some (somewhat insecure) capability.
>>
>> The biggest impact I think this will have is that admins will no
>> longer be able to look up someone's password. In the event that a user
>> loses their password, the administrator would reset the password to
>> something temporary, and the user would subsequently change it to
>> whatever they like. This is the practice followed in many (if not
>> most) other environments.
>
> I use clear text password for:
> - if my manager asked by his superior/co-manager to peek his
> sub-ordinate email-account


This can be done more securely by using taps 
(http://wiki.qmailtoaster.com/index.php/Taps).


If taps has not been activated yet, the system admin could grep through 
a user's email. That would be up to the system admin's discretion.


Companies should have a policy regarding email that does not include the 
compromising of passwords.



> - jabberd authentication by creating a view on vpopmail's table



Which jabberd implementation/version are you using?
If you use ejabberd, you might try this:
http://www.ejabberd.im/check_vpopmail
Or, this appears to use hashed passwords:
http://www.ejabberd.im/check_mysql_python
Or, you might have ejabberd validate via dovecot:
http://www.ejabberd.im/files/contributions/check_dovecot.pl.txt

I think that there is most likely a way to use vpopmail's database for
your jabberd authentication without needing clear text passwords. We may
be of more help if/when you tell us your specific jabberd setup.


--
-Eric 'shubes'






Re: [qmailtoaster] Authentication methods

2012-02-17 Thread David Milholen

+1 Rock it man..

On 2/15/2012 11:26 AM, Eric Shubert wrote:
> As part of the upgrade to vpopmail, we're considering removing clear
> text passwords from the database. This will improve security, but at
> the same time remove some (somewhat insecure) capability.
>
> The biggest impact I think this will have is that admins will no
> longer be able to look up someone's password. In the event that a user
> loses their password, the administrator would reset the password to
> something temporary, and the user would subsequently change it to
> whatever they like. This is the practice followed in many (if not
> most) other environments.
>
> The other impact will be the elimination of cram-md5 as an
> authentication option. While this doesn't really make QMT any less
> secure, it might mean that some clients that were formerly configured
> to use cram-md5 would fail to work until their configuration options
> were changed.
>
> I honestly do not have a good feel for which or how many devices may
> be using cram-md5. There's also a chance that there exists some older
> devices (old Nokia phones perhaps?) that use cram-md5 and are unable
> to use TLS/SSL. I do doubt that such devices exist, but there's always
> that possibility.
>
> In any case, I think it would be prudent for QMT to provide SMTPS
> (port 465) before or at the same time that cram-md5 support is
> removed. This is something we've talked about already, so assume that
> there will be SMTPS capability should cram-md5 (and clear text
> passwords) be removed.
>
> That's all I have on this at the moment. Any thoughts?
> shubes ducks




--

David Milholen
Project Engineer
P:501-318-1300
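
Why dropping clear text passwords also removes cram-md5, as an added example (not code from vpopmail or QMT): the server has to recompute the client's HMAC-MD5 over its own challenge, so it needs the same secret the client holds, while a password sent inside TLS can be checked against a one-way hash. The challenge, user and secret are the RFC 2195 example values; the PBKDF2 hash and salt are stand-ins chosen here for whatever one-way scheme the password database uses.

```python
import hashlib
import hmac

# RFC 2195 example values.
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USERNAME = "tim"
PASSWORD = b"tanstaaftanstaaf"
SALT = b"constructed-salt"  # constructed value for this example


def cram_md5_response(username, secret, challenge):
    """Client side: user name plus hex HMAC-MD5 of the challenge keyed by the secret."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(stored_secret, challenge, response):
    """Server side: recompute the HMAC, which needs the same key the client used."""
    _, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def one_way_hash(password, salt):
    """Stand-in for the hashed column that remains once clear text is dropped."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_plain(stored_hash, salt, presented_password):
    """PLAIN/LOGIN inside TLS: the client sends the password, the server hashes it."""
    return hmac.compare_digest(stored_hash, one_way_hash(presented_password, salt))


def demo():
    """Run the same credentials against a clear text store and a hash-only store."""
    response = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)
    hashed = one_way_hash(PASSWORD, SALT)
    return {
        "response": response,
        "cram_with_clear_text": verify_cram_md5(PASSWORD, CHALLENGE, response),
        "cram_with_hash_only": verify_cram_md5(hashed, CHALLENGE, response),
        "plain_with_hash_only": verify_plain(hashed, SALT, PASSWORD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A server can keep a precomputed HMAC-MD5 key state instead of the literal password, but that value is enough to authenticate on its own, so it has to be protected like the password itself.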