[vchkpw] resetting dir-control
Hi

I use vpopmail 5.2.1, with activated directory hashing. Now after several vadddomain's and vdeldomain's I ended up adding new domains to the domains/X/ directory. I would like to start it over again (i.e., add the new domains to domains/A/ again). Is there a way to do this? Any pointers appreciated.

Thank you

greetz
Flavio
--
http://no-way.org/~fcu/
Re: [vchkpw] How to package up a new release?
I like the way the FreeBSD guys handle this:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cvs-tags.html

They have a current branch which is the latest code; release tags give you the exact release when they released a new version. Thus you can choose to upgrade your operating system via binaries they provide from their ftp site or with the sources, to a release. Of course releases sometimes have bugs, so they have a stable branch.

I believe it would be confusing to have a vpopmail-5-3-28-release tag which has different sources than the 5.3.28 release on the web site. So you should have a vpopmail-5-3-28-release tag and perhaps a vpopmail-5-3 tag for updates over vpopmail-5-3-28-release, and the default tag is the current (development) code. (It is represented with a dot "." in FreeBSD cvs.) Then you can do a vpopmail-5-4 tag for the extensive changes and new features added over vpopmail-5-3. So you would automatically have a stable version and a development version in a few months. The vpopmail-5-3 would become stable when the bugfixes from users are done, and new features go into vpopmail-5-4, so it will be the development branch.

What the FreeBSD guys do is that they stop adding new features in current after a while. They only do bug fixes, let's say for 3 months. Then when they think the source is stable enough, they declare the new version as stable.

I omitted the last number in tags, and maybe you should drop the minor number, because people really don't like to update every week for newer versions with little changes :) It just causes more trouble for many people who think the biggest number is the best. Then they get cold from vpopmail :)

Evren

On Wed, 10 Sep 2003, Tom Collins wrote:

> On Wednesday, September 10, 2003, at 04:45 PM, Ken Jones wrote:
> > Until CVS is up and running, how would I go about packaging up a new release?
>
> CVS is up now. Please start with that code, as it includes a few changes to the current tarball.
I forgot to mention the following in my previous email:

- If you'd like to keep up with changes committed to CVS, you can subscribe to vpopmail-cvs: http://lists.sourceforge.net/mailman/listinfo/vpopmail-cvs

> Would it be as simple as:
> 1) get the current tarball
> 2) apply changes to my local copy
> 3) test test test
> 4) tar up the package with a new version number
> 5) upload to source forge?

With CVS (actual cvs commands in quotes), you should "checkout" the vpopmail module from the vpopmail CVS repository, make your changes to your checked out version, and "commit" those changes (with a note explaining what they're for). Whenever you start working on the source, be sure to "update" your copy from the repository. You can "diff" your copy with the current repository copy to see where changes are. Or get the "status" on a file (or all files).

I look to others with more experience than I for how to build releases. My understanding is that when we have a stable version of vpopmail in CVS, we'll tag it with a name like vpopmail-5-3-28-release (periods aren't allowed in tags). Then, go to another directory and do a cvs export to get the files as of that release tag, and tgz *that* up for distribution.

Ken, please go into the Admin section of the vpopmail project and take a look at the File Releases section. Maybe once we're ready for a release, we can get on the phone and I'll talk you through the process.

--
Tom Collins [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] OT: vpopmail spamd user prefs
On Thursday 11 September 2003 02.23, Bill Shupp wrote:

[...]

> I'm using this in the context of WebUserPrefs, a PHP config tool for SpamAssassin, plus a new panel that allows for optional deletion of spam. Once I get all this working smoothly, I'll post some docs on how it's working for me. Looks pretty cool, tho.

Cool, you might want to check out the hacks I did for webuserprefs and included in the Mandrake package I maintain; a demo is here: http://www.deserve-it.com/Cooker/webuserprefs/ (my hacks are meant for the global spamassassin prefs...)

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [vchkpw] Setting Qmailqueue value for virtual domains
Paul Theodoropoulos wrote:

> you could get away with two stages - run a spam filtering smtpd on an alternate port on your vpopmail server - i use port 26 - then you can use smtproutes on the primary/secondary MX to feed to the different ports, eg:
>
>     iwantspam.com:myvpopmailserver.com:25
>     idontwantspam.com:myvpopmailserver.com:26

Thanks Paul, this does seem to be the most likely way. Could you give me some pointers on how I would go about getting another version of qmail-smtpd to listen on a different port? I use supervise scripts to launch qmail. Do I need to add an additional supervise script and add the listening port in some manner? Or, do I need to recompile qmail?

Many thanks

Martin.
[vchkpw] vpopmail 5.3.23
Have been playing with the above release for a while, with a few domains under test, 8 to be precise. Having just tried to add another one I get the following result:

    ./vadddomain justadomain.com
    Please enter password for postmaster:
    enter password again:
    Segmentation fault

(you're going to say try the next bug fixed release aren't you? ;-) )

Chris.
Re: [vchkpw] vpopmail 5.3.23
> Have been playing with the above release for a while, with a few domains under test, 8 to be precise. Having just tried to add another one I get the following result:
>
>     ./vadddomain justadomain.com
>     Please enter password for postmaster:
>     enter password again:
>     Segmentation fault
>
> (you're going to say try the next bug fixed release aren't you? ;-) )

Yep, that bug was fixed in 5.3.24. I would recommend you upgrade to 5.3.27.

Michael.
Re: [vchkpw] resetting dir-control
On Thursday 11 September 2003 1:05 am, Flavio Curti wrote:

> Hi I use vpopmail 5.2.1, with activated directory hashing. Now after several vadddomain's and vdeldomain's I ended up adding new domains to the domains/X/ directory. I would like to start it over again (i.e., add the new domains to domains/A/ again). Is there a way to do this? Any pointers appreciated.

Just delete the .dir-control file (or the dir_control table in mysql). Then it will start adding the domains to /domains/ again.

Ken Jones
Re: [vchkpw] resetting dir-control
Hi

On Thu, Sep 11, 2003 at 07:56:55AM -0500, Ken Jones wrote:

> On Thursday 11 September 2003 1:05 am, Flavio Curti wrote:
> > domains/X/ directory. I would like to start it over again (i.e., add the new domains to domains/A/ again). Is there a way to do this? Any
>
> Just delete the .dir-control file (or the dir_control table in mysql). Then it will start adding the domains to /domains/ again.

Is it necessary to delete the whole table? It seems to hold information about the domains as well. I modified the dom_600 entry to say 0 users and 'a' is the next letter. Was this safe to do?

Thank you

Greetz
Flavio Curti
--
http://no-way.org/~fcu/
Re: [vchkpw] OT: sourceforge management
Hi,

On Wed, 2003-09-10 at 21:09, Ken Jones wrote:

> Does anyone know how to delete a project at sourceforge.

http://sourceforge.net/docman/display_doc.php?docid=14041&group_id=1#projectremoval

/Anders
Re: [vchkpw] Setting Qmailqueue value for virtual domains
At 03:38 AM 9/11/2003, Martin Horsley wrote:

> Paul Theodoropoulos wrote:
> > you could get away with two stages - run a spam filtering smtpd on an alternate port on your vpopmail server - i use port 26 - then you can use smtproutes on the primary/secondary MX to feed to the different ports, eg:
> >
> >     iwantspam.com:myvpopmailserver.com:25
> >     idontwantspam.com:myvpopmailserver.com:26
>
> Thanks Paul, this does seem to be the most likely way. Could you give me some pointers on how I would go about getting another version of qmail-smtpd to listen on a different port? I use supervise scripts to launch qmail. Do I need to add an additional supervise script and add the listening port in some manner? Or, do I need to recompile qmail?

easiest method by far is to use Tetsu Ushijima's qmail-conf package - http://www.din.or.jp/~ushijima/qmail-conf.html

then the invocation i used was:

    qmail-smtpd-conf qmaild qmaill /var/qmail/service/smtpd-sa

to indicate 'smtpd SpamAssassin', but you can call it whatever you want. since i also run a *third* smtpd for customers who are on networks that block outbound port 25, i also run one called smtpd-2525, which is the alternate port i offer those customers to use to bypass the blocking.

after qmail-conf has built the structure, go into /var/qmail/service/smtpd-sa/env, then

    echo 26 > PORT

or again, whatever port you choose to use. then complete the rest of the steps for setting up the service, and you're in business.

Paul Theodoropoulos
http://www.anastrophe.com
Re: [vchkpw] Setting Qmailqueue value for virtual domains
On Thursday, September 11, 2003, at 08:59 AM, Paul Theodoropoulos wrote:

> i also run a *third* smtpd for customers who are on networks that block outbound port 25, i also run one called smtpd-2525, which is the alternate port i offer those customers to use to bypass the blocking.

There's actually a port reserved for that (called message submission) -- port 587. Many of my customers have been using it (including myself for when I travel and use various dialups or other unfamiliar networks).

--
Tom Collins [EMAIL PROTECTED]
Re: [vchkpw] Setting Qmailqueue value for virtual domains
At 09:54 AM 9/11/2003, Tom Collins wrote:

> On Thursday, September 11, 2003, at 08:59 AM, Paul Theodoropoulos wrote:
> > i also run a *third* smtpd for customers who are on networks that block outbound port 25, i also run one called smtpd-2525, which is the alternate port i offer those customers to use to bypass the blocking.
>
> There's actually a port reserved for that (called message submission) -- port 587. Many of my customers have been using it (including myself for when I travel and use various dialups or other unfamiliar networks).

yeah, i don't doubt it. however, the concept of ports is difficult enough to understand for most average end-users. by using 2525, it makes it easier mnemonically for them to switch between the well-known port and the alternative. I suppose someday someone may experience a conflict if they try running MS V-Worlds which is the name for 2525, but so far, no problems. ;^)

Paul Theodoropoulos
http://www.anastrophe.com
Re: [vchkpw] Setting Qmailqueue value for virtual domains
Paul Theodoropoulos wrote:

> At 09:54 AM 9/11/2003, Tom Collins wrote:
> > On Thursday, September 11, 2003, at 08:59 AM, Paul Theodoropoulos wrote:
> > > i also run a *third* smtpd for customers who are on networks that block outbound port 25, i also run one called smtpd-2525, which is the alternate port i offer those customers to use to bypass the blocking.
> >
> > There's actually a port reserved for that (called message submission) -- port 587. Many of my customers have been using it (including myself for when I travel and use various dialups or other unfamiliar networks).
>
> yeah, i don't doubt it. however, the concept of ports is difficult enough to understand for most average end-users. by using 2525, it makes it easier mnemonically for them to switch between the well-known port and the alternative. I suppose someday someone may experience a conflict if they try running MS V-Worlds which is the name for 2525, but so far, no problems. ;^)
>
> Paul Theodoropoulos
> http://www.anastrophe.com

We run the same thing on port 24, which according to my /etc/services is for private mail systems, which I guess a hosted email system being accessed from third party ISPs would qualify as. 2525 is a good idea though, since the mnemonic is pretty strong.

Cheers,
Nick
[vchkpw] imap before smtp
I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).

I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).

Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.

thanks for any hints.

-ted
Re: [vchkpw] imap before smtp
On Thursday, September 11, 2003, at 10:53 AM, ted wrote:

> I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).
>
> I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).
>
> Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.

Probably the same old problem of courier not detecting roaming users.. Try this:

    cd (path to courier)
    (cd authlib ; make clean)
    export CFLAGS=-DHAVE_OPEN_SMTP_RELAY
    make
    make install

Regards,

Bill
Re: [vchkpw] imap before smtp
This is a good FAQ item, for when we have a FAQ.

Mr. Sam has disabled the imap-before-smtp function in the authvchkpw code. I've looked at the courier archives, and there's no explanation from him as to what the problem is... Just lots of questions. :)

Bill's suggestion might not work, as he #undefs the value. In your courier source dir, go into the authlib dir and open preauthvchkpw.c for editing. Look for a line like this:

    #undef HAVE_OPEN_SMTP_RELAY

Go ahead and change that #undef to #define and it will work properly.

I can't comment on what the security concerns are, because I don't know what they are. It does work however.

Charles

On Thu, 11 Sep 2003, ted wrote:

> I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).
>
> I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).
>
> Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.
>
> thanks for any hints.
>
> -ted
Re: [vchkpw] imap before smtp
The preauthvchkpw.c module needs to be modified. The problem is, when a user attempts to authenticate, if their user name exists on the system then it will open up relay. However, at that point in the code the user has not been authenticated.

I attempted to fix this before but became confused on which function is called from what file. It's a bit obtuse for me. A quick hack could be to verify the password at that point, then open up relay on a valid password. The real fix would be to trace the functions and open up relay after password verification. Perhaps someone could figure it out.

Ken Jones

On Thursday 11 September 2003 2:35 pm, Charles Sprickman wrote:

> This is a good FAQ item, for when we have a FAQ.
>
> Mr. Sam has disabled the imap-before-smtp function in the authvchkpw code. I've looked at the courier archives, and there's no explanation from him as to what the problem is... Just lots of questions. :)
>
> Bill's suggestion might not work, as he #undefs the value. In your courier source dir, go into the authlib dir and open preauthvchkpw.c for editing. Look for a line like this:
>
>     #undef HAVE_OPEN_SMTP_RELAY
>
> Go ahead and change that #undef to #define and it will work properly.
>
> I can't comment on what the security concerns are, because I don't know what they are. It does work however.
>
> Charles
>
> On Thu, 11 Sep 2003, ted wrote:
>
> > I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).
> >
> > I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).
> >
> > Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.
> >
> > thanks for any hints.
> >
> > -ted
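Ken's ordering point as an added C illustration, not courier's preauthvchkpw.c or any vpopmail code: the relay entry written as soon as the user name is found, beside the version that writes it only after the password check. The user table, the open-smtp style relay list and the addresses are constructed for the example.

```c
/* Added example, not courier or vpopmail code: the relay-opening order Ken
 * describes beside the corrected order. The user table and the open-smtp
 * style relay list are constructed stand-ins. */
#include <stdio.h>
#include <string.h>

#define MAX_RELAY 16
#define IP_LEN 16

struct user_entry {
    const char *name;
    const char *password;
};

/* Constructed user store (plaintext only to keep the example short). */
static const struct user_entry users[] = {
    { "ted@example.com",   "correct horse" },
    { "alice@example.com", "battery staple" },
};

/* Constructed stand-in for the open-smtp list of client IPs allowed to relay. */
struct relay_table {
    char ip[MAX_RELAY][IP_LEN];
    int count;
};

int relay_allowed(const struct relay_table *t, const char *ip)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->ip[i], ip) == 0)
            return 1;
    return 0;
}

static void relay_open(struct relay_table *t, const char *ip)
{
    if (relay_allowed(t, ip) || t->count >= MAX_RELAY)
        return;
    snprintf(t->ip[t->count++], IP_LEN, "%s", ip);
}

static const struct user_entry *lookup_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Compare without early exit so the result does not leak through timing. */
static int password_matches(const char *expected, const char *given)
{
    size_t le = strlen(expected), lg = strlen(given);
    unsigned char diff = (unsigned char)(le != lg);

    for (size_t i = 0; i < le; i++)
        diff |= (unsigned char)expected[i] ^ (unsigned char)given[i < lg ? i : 0];
    return diff == 0;
}

/* Order Ken describes: the relay entry is written as soon as the user name
 * exists, so a wrong password still leaves relay open for that IP. */
int preauth_open_relay_vuln(struct relay_table *t, const char *name,
                            const char *pw, const char *ip)
{
    const struct user_entry *u = lookup_user(name);

    if (!u)
        return 0;
    relay_open(t, ip);                   /* too early: not yet authenticated */
    return password_matches(u->password, pw);
}

/* Corrected order: nothing is written until the password has been verified. */
int auth_then_open_relay(struct relay_table *t, const char *name,
                         const char *pw, const char *ip)
{
    const struct user_entry *u = lookup_user(name);

    if (!u || !password_matches(u->password, pw))
        return 0;
    relay_open(t, ip);
    return 1;
}
```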
Re: [vchkpw] imap before smtp
mr. varshavchik addressed this on the sqwebmail mailing list:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg06068.html

it's a lovely little rant.

At 12:35 PM 9/11/2003, Charles Sprickman wrote:

> This is a good FAQ item, for when we have a FAQ.
>
> Mr. Sam has disabled the imap-before-smtp function in the authvchkpw code. I've looked at the courier archives, and there's no explanation from him as to what the problem is... Just lots of questions. :)
>
> Bill's suggestion might not work, as he #undefs the value. In your courier source dir, go into the authlib dir and open preauthvchkpw.c for editing. Look for a line like this:
>
>     #undef HAVE_OPEN_SMTP_RELAY
>
> Go ahead and change that #undef to #define and it will work properly.
>
> I can't comment on what the security concerns are, because I don't know what they are. It does work however.
>
> Charles
>
> On Thu, 11 Sep 2003, ted wrote:
>
> > I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).
> >
> > I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).
> >
> > Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.
> >
> > thanks for any hints.
> >
> > -ted

Paul Theodoropoulos
http://www.anastrophe.com
Re: [vchkpw] imap before smtp
Charles, Bill, Ken, thanks for the quick responses. Indeed Bill's suggestion doesn't do the trick for my configuration. Charles, I'd make your suggested change, but am concerned about Ken's further input on the topic. I don't suppose an older version of Courier-IMAP is the answer?

-ted

Ken Jones wrote:

> The preauthvchkpw.c module needs to be modified. The problem is, when a user attempts to authenticate, if their user name exists on the system then it will open up relay. However, at that point in the code the user has not been authenticated.
>
> I attempted to fix this before but became confused on which function is called from what file. It's a bit obtuse for me. A quick hack could be to verify the password at that point, then open up relay on a valid password. The real fix would be to trace the functions and open up relay after password verification. Perhaps someone could figure it out.
>
> Ken Jones
>
> On Thursday 11 September 2003 2:35 pm, Charles Sprickman wrote:
>
> > This is a good FAQ item, for when we have a FAQ.
> >
> > Mr. Sam has disabled the imap-before-smtp function in the authvchkpw code. I've looked at the courier archives, and there's no explanation from him as to what the problem is... Just lots of questions. :)
> >
> > Bill's suggestion might not work, as he #undefs the value. In your courier source dir, go into the authlib dir and open preauthvchkpw.c for editing. Look for a line like this:
> >
> >     #undef HAVE_OPEN_SMTP_RELAY
> >
> > Go ahead and change that #undef to #define and it will work properly.
> >
> > I can't comment on what the security concerns are, because I don't know what they are. It does work however.
> >
> > Charles
> >
> > On Thu, 11 Sep 2003, ted wrote:
> >
> > > I've got a LWQ-style qmail configuration, plus vpopmail 5.3.27 and courier-imap-2.1.1.20030902. I have roaming users enabled (as well as qmail-ext), and POP3 before SMTP works perfectly (using qmail-pop3d). IMAP also seems to work just fine, but it does not update open-smtp. My workaround of creating a separate POP account to POP in without retrieving msgs allows me to send via IMAP, but is obviously not an ideal solution. (I'm using Thunderbird .2).
> > >
> > > I've installed courier-imap numerous times (with different releases up to 20030902), both with authdaemon enabled as well as disabled. In both cases, the results are the same (meaning that I can read mail but not relay).
> > >
> > > Perhaps my understanding is wrong, but I was under the impression that since these are virtual domains I'm having trouble with (all my domains are virtual), the fact that I am able to read mail at all under IMAP would indicate that vchkpw is being called from courier-imap. Since qmail-pop3d invokes vchkpw and works, I'm puzzled. I'm afraid I don't know where to look log-wise.
> > >
> > > thanks for any hints.
> > >
> > > -ted
[vchkpw] courier-imap / sql files
Mr Sam's post brings up some interesting topics. The first, about a buffer that needs to be cleared, has already been dealt with.

The issue about sql login being compiled in also brings up another issue.. By putting the sql information into a ~vpopmail/etc file it solves the issue as long as all email domains are owned by vpopmail. If any domains are under a non-vpopmail user, then the sql information file needs to be readable by all. In that case I would recommend not allowing shell access, and chrooting ftp access to a user's home directory.

What remains is the ip is opened for relay before the password is authenticated.

Ken
Re: [vchkpw] imap before smtp
On Thursday, September 11, 2003, at 01:06 PM, Paul Theodoropoulos wrote:

> mr. varshavchik addressed this on the sqwebmail mailing list:
> http://www.mail-archive.com/[EMAIL PROTECTED]/msg06068.html
>
> it's a lovely little rant.

Does someone have an email address for him? I'm trying [EMAIL PROTECTED], hopefully it will get to him. It would be nice to let him know that the current dev version of vpopmail addresses both of his concerns.

As of vpopmail 5.3.8, the buffers are cleared properly and the authdaemon has worked just fine. A beta 5.2.2 release is on SourceForge with the same fix in place.

As of vpopmail 5.3.27, mysql login information is stored in an external file and libvpopmail has 644 permissions, making it possible to link it into courier-imap without having to run as root.

If there are any further problems that prevent courier-imap from working with vpopmail, we'd love to hear about them (either here or via bug reports to the SourceForge project).

--
Tom Collins [EMAIL PROTECTED]
Re: [vchkpw] courier-imap / sql files
On Thursday, September 11, 2003, at 01:22 PM, Ken Jones wrote:

> The issue about sql login being compiled in also brings up another issue.. By putting the sql information into a ~vpopmail/etc file it solves the issue as long as all email domains are owned by vpopmail. If any domains are under a non-vpopmail user, then the sql information file needs to be readable by all. In that case I would recommend not allowing shell access, and chrooting ftp access to a user's home directory.

This is an interesting point and I'd love to find a clean solution to this issue.

Are you saying that it's possible to run some of the vpopmail utilities as a user other than root or vpopmail? I figured that for the add/del/mod domain commands, you'd have to be root since they modify qmail control files. When running vchkpw on a system that uses cdb, it needs read access to the vpasswd file in the domain directory.

Can anyone think of other apps that have to deal with the issue of storing MySQL login information securely?

--
Tom Collins [EMAIL PROTECTED]
Re: [vchkpw] courier-imap / sql files
Hi,

On Thu, 2003-09-11 at 22:47, Tom Collins wrote:

> On Thursday, September 11, 2003, at 01:22 PM, Ken Jones wrote:
> > The issue about sql login being compiled in also brings up another issue.. By putting the sql information into a ~vpopmail/etc file it solves the issue as long as all email domains are owned by vpopmail. If any domains are under a non-vpopmail user, then the sql information file needs to be readable by all. In that case I would recommend not allowing shell access, and chrooting ftp access to a user's home directory.
>
> This is an interesting point and I'd love to find a clean solution to this issue.

Me too, have been thinking about it for a long time now (not getting much closer to a solution)

> Are you saying that it's possible to run some of the vpopmail utilities as a user other than root or vpopmail? I figured that for the add/del/mod domain commands, you'd have to be root since they modify qmail control files. When running vchkpw on a system that uses cdb, it needs read access to the vpasswd file in the domain directory.

qmail setuids/setgids to the user/group in /var/qmail/users/assign.

I see three solutions... Possibly many more :)

1) More fine-grained mysql permissions. vdelivermail can only read what it's supposed to know. Should not be able to write to anything but log, from which it can't read (like the syslog model: everybody can write logs, root can read)

2) Make vdelivermail setuid (vpopmail), and do setuid to the real virtualuser uid after all db stuff. This would be clean, effective and dangerous.

3) Make a mysql user for each system user using vpopmail, nightmare - but maybe the cleanest way to do it. The mysql information could be stored in the domain (system-user) home directory, almost as mysql does it by default.

Say something!

> Can anyone think of other apps that have to deal with the issue of storing MySQL login information securely?

Sorry no.

/Anders
Re: [vchkpw] imap before smtp
On Thursday, September 11, 2003, at 01:14 PM, ted wrote:

> Charles, Bill, Ken, thanks for the quick responses. Indeed Bill's suggestion doesn't do the trick for my configuration. Charles, I'd make your suggested change, but am concerned about Ken's further input on the topic. I don't suppose an older version of Courier-IMAP is the answer?

I'm curious.. if you have clients capable of IMAP, are they not capable of SMTP-AUTH? IMO, this is a better solution than roaming users.

Regards,

Bill
[vchkpw] Setting up vpopmail with qmail and courier-IMAP
I'm sorry if this has been posted before but I couldn't find anything:

I have previously installed qmail, squirrelmail and courier-imap.. Now when I try to install vpopmail it works incorrectly. I imagine I should have installed courier-imap then vpopmail. Is there a way round the problem?
[vchkpw] Re: courier-imap / sql files
Tom Collins writes:

> This is an interesting point and I'd love to find a clean solution to this issue.

I don't think you'll find a clean solution which doesn't involve set-id. All the others are messy to administer, like a MySQL username per system user or adding a special group to every user (do all *nixes handle that well these days?)

How about this:

1) An additional user and group, vpsql, used for absolutely no other purpose (except perhaps as owner of vpopmail database).

2) MySQL username and password in a file readable only by vpsql user and group, and writeable only by vpsql user (if that - most people will probably edit it as root).

3) A very small utility that is setgid vpsql. It does the following when passed a username and password to verify.

   a) Reads the information in the password file.
   b) Drops setgid so it can do nothing further with the password file.
   c) Connects to MySQL.
   e) Verifies mail username and password against database.
   f) Returns go or no-go.

I expect at least one person will poke holes in that somewhere, but I think the general principle is correct. Assuming you can drop setgid reliably (and not have it resurrected by an exploit later) then it ought to be safe. It would need a very close code audit but there's not going to be much code there to audit.

The overhead of an extra process invocation per authentication is undesirable but, I think, unavoidable. You could just build it all into vchkpw but then a code audit would be a lot harder. Admittedly, if you read the password file as the very first thing you do and drop setgid as the very second thing you do then the rest ought not to matter, but with a separate vpsql user/group/program there is far less code containing possible exploits if somebody does know a way of regaining setgid after dropping it.

Extending the idea to allow qmailadmin and the like to modify user details is a SMOP. My preference would be for several utilities each restricted to one task like authentication, get user info, write user info rather than one big one that takes switches telling it what to do.

--
Paul Allen
Softflare Support
Re: [vchkpw] Setting up vpopmail with qmail and courier-IMAP
You don't say what the problem actually is Tom .. 'works incorrectly' doesn't tell us anything.

qmail and vpopmail, and courier IMAP / squirrelmail

However, once qmail is in and the daemons are running, a deinstall/make distclean, or otherwise of vpopmail seems to not cause any trouble.

Chris.

--- Tom Spencer [EMAIL PROTECTED] wrote:

> I'm sorry if this has been posted before but I couldn't find anything:
>
> I have previously installed qmail, squirrelmail and courier-imap.. Now when I try to install vpopmail it works incorrectly. I imagine I should have installed courier-imap then vpopmail. Is there a way round the problem?
Re: [vchkpw] Re: courier-imap / sql files
Hi, On Fri, 2003-09-12 at 01:17, Paul L. Allen wrote: This is an interesting point and I'd love to find a clean solution to this issue. I don't think you'll find a clean solution which doesn't involve set-id. All the others are messy to administer, like a MySQL username per system user or adding a special group to every user (do all *nixes handle that well these days?) If you add a special group to every user you are back where you started. I can't see what's wrong with a mysql user per system user. That would be really clean and effective. If the administrative tools are integrated into vpopmail, I fail to see any trouble ahead (user/admin-wise). It would completely remove any use for any setuid/setgid-hacks. It will also remove the possibility of users injecting sql into any data not belonging to them. One problem would be the table-layout, the vpopmail-table would be useless for example. How about this: 1) An additional user and group, vpsql, used for absolutely no other purpose (except perhaps as owner of vpopmail database). 2) MySQL username and password in a file readable only by vpsql user and group, and writeable only by vpsql user (if that - most people will probably edit it as root). 3) A very small utility that is setgid vpsql. It does the following when passed a username and password to verify. You will also need small tools to do all other sorts of operations, quota, valias and so on. a) Reads the information in the password file. b) Drops setgid so it can do nothing further with the password file. c) Connects to MySQL. - and forgets username and password. e) Verifies mail username and password against database. f) Returns go or no-go. It's not as simple as that, think about APOP authentication... [snip]
Re: [vchkpw] Setting up vpopmail with qmail and courier-IMAP
I'm sorry if this has been posted before but I couldn't find anything: I have previously installed qmail, squirrelmail and courier-imap.. Now when I try to install vpopmail it works incorrectly. I imagine I should have installed courier-imap then vpopmail. Is there a way round the problem? I would just recompile courier-imap to use vchkpw and ensure that qmail uses whatever/directory/vpopmail/bin/vchkpw instead of /checkpassword. But Its better if you just re-install everything and make a clean start. MC --
[vchkpw] Re: courier-imap / sql files
Anders Brander writes: If you add a special group to every user you are back where you started. I didn't say it was a good solution. I said it was a solution. Compared to that, a lot of the alternatives look good. I can't see what's wrong with a mysql user per system user. That would be really clean and effective. It could get rather unwieldy if you use MySQL for other things. If the administrative tools are integrated into vpopmail, I fail to see any trouble ahead (user/admin-wise). I can see one. I set up a system user. Who wants e-mail. So then I have to use another tool to add that user to vpopmail. It would completely remove any use for any setuid/setgid-hacks. That is the one advantage I see to it. Whether or not one views that advantage as compelling is another matter. 3) A very small utility that is setgid vpsql. It does the following when passed a username and password to verify. You will also need small tools to do all other sorts of operations, quota, valias and so on. I did mention those at the end. And even said that I preferred several small tools to one large one that use switches to decide what it did because that would mean more code and a harder time auditing it. c) Connects to MySQL. - and forgets username and password. OK, I take your point. It no longer needs them at that juncture and it's barely possible there's something exploitable later. It's not as simple as that, think about APOP authentication... I don't have need of APOP so I didn't think about it. I was trying to establish the general principle for doing it setgid with minimal risks. I think something (well, several somethings) along those lines would be feasible without opening up vulnerabilities. None of us like set-id and try to avoid it, but there are times when it is better than the alternatives (if sufficient care is taken). Compared to the major hunk of setuid code that is sendmail and which a lot of systems run, this ought to be far less likely to be exploited. 
It's not the only solution and it may turn out not to be the best solution, but at least it's there for consideration (and possible improvement). -- Paul Allen Softflare Support
Re: [vchkpw] Re: courier-imap / sql files
Hi, On Fri, 2003-09-12 at 03:16, Paul L. Allen wrote: If you add a special group to every user you are back where you started. I didn't say it was a good solution. I said it was a solution. Compared to that, a lot of the alternatives look good. Agree, alternatives are better. I can't see what's wrong with a mysql user per system user. That would be really clean and effective. It could get rather unwieldy if you use MySQL for other things. Why? If the administrative tools are integrated into vpopmail, I fail to see any trouble ahead (user/admin-wise). I can see one. I set up a system user. Who wants e-mail. So then I have to use another tool to add that user to vpopmail. It could easily be done with vadddomain, the user must pre-exist as it is now, vpopmail just has to create the .mysqlpass-file or whatever it is called. Or am I missing something here? Another possibility it will open, is the users who administer their mail with shell-access (mailinglists, other things) could have access to their vpopmail-databases and do with them as they like. They could make their own internal php-tools for example, their own weird scripting. I think maybe this could be a big selling point. It would completely remove any use for any setuid/setgid-hacks. That is the one advantage I see to it. Whether or not one views that advantage as compelling is another matter. setuid programs can be a very nice solution to many problems, but I think that we should consider the possibility of just using standard file-level security. That's something that has been audited and proven for years. 3) A very small utility that is setgid vpsql. It does the following when passed a username and password to verify. You will also need small tools to do all other sorts of operations, quota, valias and so on. I did mention those at the end. And even said that I preferred several small tools to one large one that use switches to decide what it did because that would mean more code and a harder time auditing it. 
It's a great idea to have several small tools to do tasks, my point was just that it's not enough to return 0 or 1 (or 57). It's not as simple as that, think about APOP authentication... I don't have need of APOP so I didn't think about it. I was trying to establish the general principle for doing it setgid with minimal risks. I think something (well, several somethings) along those lines would be feasible without opening up vulnerabilities. None of us like set-id and try to avoid it, but there are times when it is better than the alternatives (if sufficient care is taken). Compared to the major hunk of setuid code that is sendmail and which a lot of systems run, this ought to be far less likely to be exploited. It's not the only solution and it may turn out not to be the best solution, but at least it's there for consideration (and possible improvement). It may turn out to be the best solution - but i see lots of problems with this solution. Mainly the passing of arguments to/from these tools. If it were just TRUE/FALSE-returns i would be all for it - well, almost ;-). /Anders
[vchkpw] Re: courier-imap / sql files
Anders Brander writes: It could get rather unwieldy if you use MySQL for other things. Why? Just a gut feeling that if you have many MySQL users for one purpose and many more MySQL users who are there purely as a fiddle to allow vpopmail to work then it could make life difficult to distinguish the two. But I am easily confused. :) It could easily be done with vadddomain, the user must pre-exist as it is now, vopmail just have to create the .mysqlpass-file or whatever it is called. Or am i missing something here? Yes, you're missing me having to do two things instead of one. There are ways of setting up vpopmail so that if I add a system user then they automatically get mail. Yes, those solutions are non-standard hacks using custom scripts but they exist. My work is finished after I do useradd. Every time I have to do two things to add a user it not only increases my workload it increases the chance that I do one but not the other. As I think I may have said, I am easily confused. :) Another possibility it will open, is the users who administer their mail with shell-access (mailinglists, other things) could have access to their vpopmail-databases and do with them as they like. You may have users like that. We have one user like that (me) and one user who thinks he is like that (my boss, who gets more pointy-haired with each passing day). This is one of the reasons vpopmail goes in so many different directions - it has to attempt to cover so many different usage patterns. For instance, the quota stuff is essential for a company wanting to offer a hotmail/yahoo/whatever service. For us it gets in the way of us billing people extra for going over their allotted usage. They could make ther own internal php-tools for example, You let your users play with PHP? I hope you have something that emulates suexec so you have some rudimentary protection against them using it to explore the filesystem. Then again, in your environment it may not matter. 
In ours PHP without an suexec equivalent would be a disaster. PHP, without modifications, is a security nightmare for any user who wishes to have a web interface create or modify files. When you have to make directories world-writeable or writeable by the UID of the HTTP server then you have a security nightmare. setuid programs can be a very nice solution to many problems, but i think that we should consider the possibility of just using standard filelevel security. That's something that has been audited and proven for years. Ummm, I don't trust ANYTHING. I remember when the third edition of the Camel book came out reading of many attacks that had not been mentioned in the 2nd edition because they had not been known then but had always been present. How about the race hazard when executing shell or perl scripts (these days largely eliminated)? How about the many race hazards suexec is vulnerable to (I know of no exploits and the checks it does are better than no checks at all)? As we both know, the only way to secure your computer is to ensure it has no connections to the outside world and you are the only one who has physical access - as soon as you relax those constraints you are taking risks. The question is: is this particular solution playing Russian Roulette with 5 out of the 6 chambers loaded or only 1 of the 6 chambers loaded... It's a great idea to have several small tools to do tasks, my point was just that it's not enough to return 0 or 1 (or 57). Again, I was illustrating how the simple case of password authentication (without APOP) would go. The idea was to establish the general model for doing this sort of thing with setgid cleanly. It may turn out to be the best solution - but i see lots of problems with this solution. Mainly the passing of arguments to/from these tools. If it were just TRUE/FALSE-returns i would be all for it - well, almost ;-). 
I always envisaged that these tools would be passed arguments - you can't do authentication without a username and password. :) And that they would return at least one value. Obviously, any tool which reads userinfo has to return several values. But although it is possible to program such things insecurely and vulnerable to buffer overflow exploits, it is also possible to program them securely (unless Ken Thompson has hacked your C compiler, in which case you're screwed whatever you do). Provided these tools are kept SMALL then a code audit will catch any currently-known vulnerabilities like people allocating a fixed amount of static memory to hold a string which the user determines. And provided they're small, the chance that the C compiler introduces an as-yet unknown vulnerability is also small. Set-id code is not without known hazards and there may be unknown hazards. I was addressing the question of whether there was any way of doing things relatively securely with set-id code. I don't think the risks are significantly higher than with qmail
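The setgid helper sketched in this thread (Paul's steps a-f, plus Anders' "and forgets username and password") hinges on two things the posts only assert: that the group privilege is dropped in a way an attacker cannot undo, and that the secret does not outlive its use. The following is an added example by the editor, in C, not code from vpopmail or from any poster. It assumes a credential file at /etc/vpsql.passwd owned root:vpsql with mode 0440 (the path and mode are assumptions; the group name vpsql is the thread's). One refinement over the posted order: the file is opened while the effective gid is still vpsql, the privilege is dropped, and only then is the file read, so no privileged code path ever touches the secret.

```c
/* Added example, not vpopmail code: privilege-drop sequence for the proposed
 * setgid-vpsql helper. Assumed credential file: /etc/vpsql.passwd (root:vpsql, 0440). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Step 1: open the credential file while egid is still vpsql. Only the
 * descriptor is kept; nothing is read yet. O_NOFOLLOW refuses a symlink
 * planted at the path. Returns the fd or -1. */
int open_credentials(const char *path)
{
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Step 2: drop vpsql permanently. setresgid() sets real, effective AND saved
 * gid. A plain setgid() from an unprivileged process changes only the
 * effective gid and leaves the saved gid at vpsql, so a later setegid(vpsql)
 * would succeed; that is the "resurrected by an exploit" case. Returns 0 on success. */
int drop_setgid(gid_t *saved)
{
    gid_t rgid = getgid();
    *saved = getegid();
    if (setresgid(rgid, rgid, rgid) != 0)
        return -1;
    /* Never trust the call alone: verify the identity actually changed. */
    if (getgid() != rgid || getegid() != rgid)
        return -1;
    return 0;
}

/* Step 2b: prove the drop cannot be undone. Returns 1 if regaining the old
 * gid fails with EPERM (or there was nothing to regain), 0 if it succeeded. */
int drop_is_permanent(gid_t old_egid)
{
    if (old_egid == getgid())
        return 1;                     /* not running setgid: nothing to regain */
    if (setegid(old_egid) == 0) {     /* must be impossible after setresgid() */
        setresgid(getgid(), getgid(), getgid());
        return 0;
    }
    return errno == EPERM;
}

/* Combined self-check used by main(): 1 only if the drop worked and is irreversible. */
int privilege_drop_ok(void)
{
    gid_t old;
    return drop_setgid(&old) == 0 && drop_is_permanent(old);
}

/* Step 3: read the secret through the already-open descriptor; no group
 * privilege is needed any more. Returns bytes read or -1. */
ssize_t read_credentials(int fd, char *buf, size_t cap)
{
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Step 4: once the MySQL connection is up, forget the secret. The volatile
 * writes stop the compiler from eliding the wipe (explicit_bzero() where
 * available does the same). Returns bytes still non-zero; must be 0. */
size_t scrub(char *buf, size_t len)
{
    volatile char *p = (volatile char *)buf;
    size_t i, left = 0;
    for (i = 0; i < len; i++) p[i] = 0;
    for (i = 0; i < len; i++) if (p[i]) left++;
    return left;
}

int main(void)
{
    char secret[256];
    int fd = open_credentials("/etc/vpsql.passwd");   /* -1 when run outside the real setup */
    if (!privilege_drop_ok()) {
        fprintf(stderr, "refusing to continue: could not drop vpsql gid\n");
        return 111;
    }
    if (fd >= 0 && read_credentials(fd, secret, sizeof secret) >= 0) {
        /* connect to MySQL with the parsed user/password here, then: */
        scrub(secret, sizeof secret);
    }
    if (fd >= 0) close(fd);
    return 0;
}
```

Exit code 111 on a failed drop follows the qmail convention for a temporary failure, so a broken helper fails closed rather than authenticating with privilege still held. What remains after this skeleton is the database lookup itself, and, as Anders notes, APOP changes the shape of that lookup: the helper would need the cleartext password back from the database rather than a go/no-go answer, so the "returns only true/false" simplification does not hold there.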
[vchkpw] IMAP and Pop3
For some reason my pop3d has stopped working. It's still running but fails to deliver my mail :(. IMAP gets the messages fine but pop3 refuses to send them. Any ideas or guesses as to why this is would be very helpful, thanks :D Geoff
[vchkpw] RE: I must have missed your answers, vpopmail .quotawarn.msg
Anyone, anything? Shai. Hi all, I'm afraid I was told that some people replied to my msg.. but I MUST have missed it somehow and so I'm making this email again, in HOPE that I'll get help in this issue and not miss it this time around. I made /home/vpopmail/domains/.quotawarn.msg I placed this inside: From: Mail Delivery System [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Valued Customer:; Subject: Mail quota warning Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Your mailbox on the server is now more than 90% full. So that you can continue to receive mail you need to remove some messages from your mailbox. ~~~ I can't seem to understand why this message isn't arriving into the mailbox I made for testing that is now over 90% and standing on 93%. Can anyone give me a hand in figuring this out? Thanks in advance for ANY help on this issue. Cheers, Shai
Re: [vchkpw] RE: I must have missed your answers, vpopmail .quotawarn.msg
question - is the .quotawarn.msg ownership/group set correctly? At 09:55 PM 9/11/2003, Shai Ben-Naphtali wrote: Anyone, anything? Shai. Hi all, I'm afraid I was told that some people replied to my msg.. but I MUST have missed it somehow and so I'm making this email again, in HOPE that I'll get help in this issue and not miss it this time around. I made /home/vpopmail/domains/.quotawarn.msg I placed this inside: From: Mail Delivery System [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Valued Customer:; Subject: Mail quota warning Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Your mailbox on the server is now more than 90% full. So that you can continue to receive mail you need to remove some messages from your mailbox. ~~~ I can't seem to understand why this message isn't arriving into the mailbox I made for testing that is now over 90% and standing on 93%. Can anyone give me a hand in figuring this out? Thanks in advance for ANY help on this issue. Cheers, Shai Paul Theodoropoulos http://www.anastrophe.com
Re: [vchkpw] IMAP and Pop3
On Thu, 2003-09-11 at 22:53, Geoff Byers wrote: For some reason my pop3d has stopped working. It's still running but fails to deliver my mail :(. IMAP gets the messages fine but pop3 refuses to send them. Any ideas or guesses as to why this is would be very helpful, thanks :D 'refuses to send them' not very helpful. you get an error message? also, make sure that the messages you are trying to retrieve are in your inbox, because pop3 doesn't have the capability to look at anything else. -Jeremy -- Jeremy Kitchen Systems Administrator . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
RE: [vchkpw] RE: I must have missed your answers, vpopmail .quotawarn.msg
Thanks for the response! # pwd /home/vpopmail/domains # ls -al .quotawarn.msg -rw-------  1 vpopmail vchkpw  371 Sep  9 09:17 .quotawarn.msg Ok? Shai. -Original Message- From: Paul Theodoropoulos [mailto:[EMAIL PROTECTED] Sent: Friday, September 12, 2003 6:03 AM To: [EMAIL PROTECTED] Subject: Re: [vchkpw] RE: I must have missed your answers, vpopmail .quotawarn.msg question - is the .quotawarn.msg ownership/group set correctly? At 09:55 PM 9/11/2003, Shai Ben-Naphtali wrote: Anyone, anything? Shai. Hi all, I'm afraid I was told that some people replied to my msg.. but I MUST have missed it somehow and so I'm making this email again, in HOPE that I'll get help in this issue and not miss it this time around. I made /home/vpopmail/domains/.quotawarn.msg I placed this inside: From: Mail Delivery System [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Valued Customer:; Subject: Mail quota warning Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Your mailbox on the server is now more than 90% full. So that you can continue to receive mail you need to remove some messages from your mailbox. ~~~ I can't seem to understand why this message isn't arriving into the mailbox I made for testing that is now over 90% and standing on 93%. Can anyone give me a hand in figuring this out? Thanks in advance for ANY help on this issue. Cheers, Shai Paul Theodoropoulos http://www.anastrophe.com
[vchkpw] How to completely remove a database
I am trying to wipe out everything and start from scratch. I tried using drop database vpopmail; and creating it again using the instructions to install vpopmail, but I'm unable to add the same domains back again. It keeps saying the domain already exists. If I try to use the command vdeldomain to remove it, it says the domain doesn't exist! The reason I didn't use vdeldomain in the first place is because I had to reload everything all over again and I was installing over the top of a previous installation. I think all I need to do is wipe the slate and start adding my domains back into a clean database. How can I be assured that I'm wiping out everything and starting fresh? Thanks in advance.
Re: [vchkpw] How to completely remove a database
On Thursday, September 11, 2003, at 10:21 PM, Don Walters wrote: I am trying to wipe out everything and start from scratch. I tried using drop database vpopmail; and creating it again using the instructions to install vpopmail, but I'm unable to add the same domains back again. It keeps saying the domain already exists. If I try to use the command vdeldomain to remove it, it says the domain doesn't exist! The reason I didn't use vdeldomain in the first place is because I had to reload everything all over again and I was installing over the top of a previous installation. I think all I need to do is wipe the slate and start adding my domains back into a clean database. How can I be assured that I'm wiping out everything and starting fresh? In addition to removing the database/recreating it, remove the domain directory, and the entry from /var/qmail/users/assign and run /var/qmail/bin/qmail-newu to update the assign cdb file. Regards, Bill Shupp
Re: [vchkpw] How to completely remove a database
On Fri, 2003-09-12 at 00:21, Don Walters wrote: I am trying to wipe out everything and start from scratch. I tried using drop database vpopmail; and creating it again using the instructions to install vpopmail, but I'm unable to add the same domains back again. It keeps saying the domain already exists. If I try to use the command vdeldomain to remove it, it says the domain doesn't exist! The reason I didn't use vdeldomain in the first place is because I had to reload everything all over again and I was installing over the top of a previous installation. I think all I need to do is wipe the slate and start adding my domains back into a clean database. How can I be assured that I'm wiping out everything and starting fresh? Thanks in advance. try removing it from virtualdomains, rcpthosts, and users/assign too. if that doesn't work you'll likely have to recreate the /home/vpopmail/domains/domain.com directory. hope this helps :) -Jeremy -- Jeremy Kitchen Systems Administrator . Inter7 Internet Technologies, Inc. www.inter7.com 866.528.3530 toll free 847.492.0470 int'l 847.492.0632 fax GNUPG key ID: 93BDD6CE
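Both answers above come down to the same list: besides dropping the database, the domain has to disappear from /var/qmail/users/assign, control/virtualdomains and control/rcpthosts (then run qmail-newu), and its directory under /home/vpopmail/domains has to go. The part that bites in practice is the matching: a `grep -v example.com` over those files also removes sub.example.com and myexample.com. The program below is an added example by the editor, not vpopmail's own tooling, and it removes only lines whose entry is exactly the named domain in each of the three file formats. The paths under /var/qmail are the stock ones; the /tmp file used by the self-demonstration is constructed here and is not a real control file.

```c
/* Added example, not vpopmail's own code: strip exactly one virtual domain's
 * entries from qmail's users/assign, control/virtualdomains and
 * control/rcpthosts so vadddomain can recreate it. "example.com" must not
 * also remove sub.example.com or myexample.com. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if LINE (newline already stripped) is DOMAIN's entry in any of the three files:
 *   rcpthosts:      example.com
 *   virtualdomains: example.com:example.com
 *   users/assign:   +example.com-:example.com:89:89:/home/vpopmail/domains/example.com:-::  */
int line_is_domain_entry(const char *line, const char *domain)
{
    size_t n = strlen(domain);
    if (n == 0) return 0;
    if (strcmp(line, domain) == 0) return 1;                          /* rcpthosts   */
    if (strncmp(line, domain, n) == 0 && line[n] == ':') return 1;    /* virtualdoms */
    if (line[0] == '+' && strncmp(line + 1, domain, n) == 0
        && line[n + 1] == '-' && line[n + 2] == ':') return 1;        /* assign      */
    return 0;
}

/* Rewrite PATH without DOMAIN's lines. Writes PATH.tmp then rename()s, so a
 * crash never leaves qmail with a truncated control file. Lines are assumed
 * shorter than 4096 bytes (true for these files). Returns lines removed, -1 on error. */
int strip_domain_lines(const char *path, const char *domain)
{
    char tmp[4096], line[4096];
    int removed = 0;
    FILE *in, *out;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    if ((in = fopen(path, "r")) == NULL) return -1;
    if ((out = fopen(tmp, "w")) == NULL) { fclose(in); return -1; }
    while (fgets(line, sizeof line, in)) {
        size_t len = strlen(line);
        int nl = len > 0 && line[len - 1] == '\n';
        if (nl) line[--len] = '\0';
        if (line_is_domain_entry(line, domain)) { removed++; continue; }
        if (fputs(line, out) == EOF || (nl && fputc('\n', out) == EOF)) {
            fclose(in); fclose(out); remove(tmp); return -1;
        }
    }
    fclose(in);
    if (fclose(out) != 0 || rename(tmp, path) != 0) { remove(tmp); return -1; }
    return removed;
}

/* Self-contained demonstration on a constructed copy of users/assign in /tmp
 * (not the live file). Only the example.com line is removed, so it returns 1. */
int demo_strip_assign(void)
{
    const char *path = "/tmp/vpopmail-assign-demo";
    FILE *f = fopen(path, "w");
    int removed;
    if (!f) return -1;
    fputs("+example.com-:example.com:89:89:/home/vpopmail/domains/example.com:-::\n"
          "+sub.example.com-:sub.example.com:89:89:/home/vpopmail/domains/sub.example.com:-::\n"
          ".\n", f);
    fclose(f);
    removed = strip_domain_lines(path, "example.com");
    remove(path);
    return removed;
}

int main(int argc, char **argv)
{
    const char *files[] = { "/var/qmail/users/assign",
                            "/var/qmail/control/virtualdomains",
                            "/var/qmail/control/rcpthosts" };
    size_t i;
    if (argc != 2) { fprintf(stderr, "usage: %s domain\n", argv[0]); return 2; }
    for (i = 0; i < 3; i++)
        printf("%s: %d line(s) removed\n", files[i], strip_domain_lines(files[i], argv[1]));
    /* Then run /var/qmail/bin/qmail-newu to rebuild users/cdb, and remove the
     * domain directory. */
    return 0;
}
```

Before the `rm -rf`, take the directory from the fifth field of the domain's assign line rather than assuming /home/vpopmail/domains/DOMAIN: with vpopmail's directory hashing turned on (see the first post on this page) the real path has an extra level such as domains/A/DOMAIN, and the assign entry is the record of where it actually went.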