RE: [vchkpw] Setting up vpopmail with qmail and courier-IMAP

2003-09-12 Thread Tom Spencer
The problem I had was that even though a username and password was set
for a user the username and pass wouldn't work, then when I tried out of
interest with my pass for shell access both imap and pop3 boxes were
emptied into outlook.

When I try to recompile IMAP-courier I get an error about gdbm or gbdm,
unfortunately I don't have access to the exact error from here.

I think I may have to reinstall everything, does any1 have any advice on
saving settings / emails?  If I use the same maildir format then it
shouldn't affect already delivered emails should it?

Many thanks
Tom

PS. Sorry for noobness, I have not installed vpopmail before.


-Original Message-
From: Chris Pugh [mailto:[EMAIL PROTECTED] 
Sent: 12 September 2003 00:26
To: [EMAIL PROTECTED]
Subject: Re: [vchkpw] Setting up vpopmail with qmail and courier-IMAP

You don't say what the problem actually is Tom ..
'works incorrectly' doesn't tell us anything.

qmail and vpopmail,  and  courier IMAP / squirrelmail

However, once qmail is in and the daemons are running,
a deinstall/make distclean, or otherwise of vpopmail
seems to not cause any trouble. 

Chris.

--- Tom Spencer [EMAIL PROTECTED] wrote:
> I'm sorry if this has been posted before but I
> couldn't find anything:
>
> I have previously installed qmail, squirrelmail and
> courier-imap..
>
> Now when I try to install vpopmail it works
> incorrectly.
>
> I imagine I should have installed courier-imap then
> vpopmail.
>
> Is there a way round the problem?









[vchkpw] CVS sources and all

2003-09-12 Thread Boris Manojlovic




Hi to all

Glad to see fights are over :)

Few things to mention

  please indent ALL c source files :)
  think about dividing roles for auth modules


to explain first
when I started (long time ago) playing with vldap.c|h I had big
problems reading it because all of us have different ways of writing
things
but when you indent(1) it, it will look the same on everyone's monitor ;)
(almost)

and the reason for the second is faster work on vpopmail :) because every
developer will know what his part of the job is


Mojih 2 dinara (My 2 cents) :)

Boris Manojlovic




Re: [vchkpw] Re: courier-imap / sql files

2003-09-12 Thread Anders Brander
Hi,

Phew, this mail is getting longer and longer...

On Fri, 2003-09-12 at 04:23, Paul L. Allen wrote:
> > > It could get rather unwieldy if you use MySQL for other things.
> > Why?
> Just a gut feeling that if you have many MySQL users for one purpose
> and many more MySQL users who are there purely as a fiddle to allow
> vpopmail to work then it could make life difficult to distinguish the
> two.  But I am easily confused. :)

IMHO it's the correct (tm) way to do things. It's not just a fiddle,
it's the best solution. I would say that the setuid-thing is a fiddle.

> > It could easily be done with vadddomain, the user must pre-exist as it
> > is now, vpopmail just has to create the .mysqlpass-file or whatever it
> > is called. Or am i missing something here?
> Yes, you're missing me having to do two things instead of one.  There
> are ways of setting up vpopmail so that if I add a system user then they
> automatically get mail.  Yes, those solutions are non-standard hacks
> using custom scripts but they exist.  My work is finished after I do
> useradd.  Every time I have to do two things to add a user it not only
> increases my workload it increases the chance that I do one but not the
> other.  As I think I may have said, I am easily confused. :)

I think we confused each other, we were talking about two different
cases.
I: When domain.tld is given a systemuser for their mail.
You: When systemusers needed personal mail.
- and now i can see the trouble ahead, but not that much trouble.

[snip, user types]
> different usage patterns.  For instance, the quota stuff is essential
> for a company wanting to offer a hotmail/yahoo/whatever service.  For
> us it gets in the way of us billing people extra for going over their
> allotted usage.

OT: We use the billing-model too :) But we also have skilled users, the
kind that just sends you the conf-file, the kind that writes their own
zone data. The kind that never calls, and when they do - you KNOW that
they have a very good reason to do so.

> > They could make their own internal php-tools for example,
> You let your users play with PHP?  I hope you have something that
> emulates suexec so you have some rudimentary protection against them
> using it to explore the filesystem.  Then again, in your environment
> it may not matter.  In ours PHP without an suexec equivalent would
> be a disaster.  PHP, without modifications, is a security nightmare for
> any user who wishes to have a web interface create or modify files.
> When you have to make directories world-writeable or writeable by
> the UID of the HTTP server then you have a security nightmare.

Let's leave PHP-(in)security out of this.

> > setuid programs can be a very nice solution to many problems, but i
> > think that we should consider the possibility of just using standard
> > filelevel security. That's something that has been audited and proven
> > for years.
> Ummm, I don't trust ANYTHING.  I remember when the third edition of the
> Camel book came out reading of many attacks that had not been mentioned
> in the 2nd edition because they had not been known then but had always
> been present.  How about the race hazard when executing shell
> or perl scripts (these days largely eliminated)?  How about the many
> race hazards suexec is vulnerable to (I know of no exploits and the
> checks it does are better than no checks at all)?  As we both know, the
> only way to secure your computer is to ensure it has no connections to
> the outside world and you are the only one who has physical access - as
> soon as you relax those constraints you are taking risks.  The question
> is: is this particular solution playing Russian Roulette with 5 out of the
> 6 chambers loaded or only 1 of the 6 chambers loaded...

Very well said about the roulette thing.

> > It's a great idea to have several small tools to do tasks, my point was
> > just that it's not enough to return 0 or 1 (or 57).
> Again, I was illustrating how the simple case of password authentication
> (without APOP) would go.  The idea was to establish the general model
> for doing this sort of thing with setgid cleanly.

I was illustrating that it could quickly get hairy, when arguments have
to be passed to/from these tools.

> > Mainly the passing of arguments to/from these tools. If it were just
> > TRUE/FALSE-returns i would be all for it - well, almost ;-).
> I always envisaged that these tools would be passed arguments - you
[snip]

I think we already addressed this - and agreed...

> Set-id code is not without known hazards and there may be unknown
> hazards.  I was addressing the question of whether there was any
> way of doing things relatively securely with set-id code.  I don't
> think the risks are significantly higher than with qmail set-id code
> and I think they are vastly lower than with sendmail's monolithic,
> gigantic block of set-id code which has been exploited many times.

Ohh boy i'm glad we are on a qmail-oriented list, elsewise we would have
the great sendmail-flamefest now :)

 I really don't know 

[vchkpw] Re: courier-imap / sql files

2003-09-12 Thread Paul L. Allen

Hi Anders

Anders Brander writes:

> IMHO it's the correct (tm) way to do things. It's not just a fiddle,
> it's the best solution. I would say that the setuid-thing is a fiddle.

I think which way you regard as a fiddle depends very much upon what you
do on your system.
 
> I think we confused each other, we were talking about two different
> cases.
> I: When domain.tld is given a systemuser for their mail.

Ah, we don't do that.  We probably could, since we have to give them
a system user to FTP their web site, but why bother when vpopmail lets
you get away with a single user?  Oh, unless you're using a PHP webmail
interface, in which case you'd be forced into giving each domain a
separate system user to prevent people reading mail for other domains.
Hmmm, but unless you have an equivalent of suexec for PHP then you'd
have to leave directories writeable by the httpd user so that people
can delete mail, which means that a malicious user could delete mail
for other domains (the malicious user would have to guess at filenames
and it would take many guesses to stand a chance of hitting one, but
it's your CPU cycles he's burning not his).  I know you asked me to leave 
PHP insecurity out of this, but I'm guessing that the reason you have a 
system user for each domain is a fiddle to work around PHP insecurity in
the first place.

> You: When systemusers needed personal mail.
> - and now i can see the trouble ahead, but not that much trouble.

The trouble is that vpopmail can be used in so many different ways.

> OT: We use the billing-model too :) But we also have skilled users, the
> kind that just sends you the conf-file, the kind that writes their own
> zone data. The kind that never calls, and when they do - you KNOW that
> they have a very good reason to do so.

Our users are almost all technically incompetent.  We expect them to
call and blame us for what turns out to be their own problem.  We charge
them for that.

> I was illustrating that it could quickly get hairy, when arguments have
> to be passed to/from these tools.

I think argument and value passing is reasonably well understood,
relatively easy to code and the methods of avoiding buffer overflows
known if not always widely applied.  Provided the utilities are
restricted to reading and writing the database it should be easy to
ensure there are no known exploitable holes.

> Ohh boy i'm glad we are on a qmail-oriented list, elsewise we would have
> the great sendmail-flamefest now :)

Indeed.  But it's a valid point.  Given the number of systems running
sendmail which has had many exploits, a few very small pieces of
well-audited setgid code pose far less of a risk.  Particularly when
sendmail is setuid root and the code I'm proposing would be setgid to
a group used for no other purpose.  Sendmail has bullets in 5 of
the chambers and people play Russian Roulette with it all the time yet
surprisingly few are killed.

-- 
Paul Allen
Softflare Support



Re: [vchkpw] Re: courier-imap / sql files

2003-09-12 Thread Anders Brander
Hi Paul and others,

On Fri, 2003-09-12 at 14:32, Paul L. Allen wrote:
> > IMHO it's the correct (tm) way to do things. It's not just a fiddle,
> > it's the best solution. I would say that the setuid-thing is a fiddle.
> I think which way you regard as a fiddle depends very much upon what you
> do on your system.

Yep indeed :)

> > I think we confused each other, we were talking about two different
> > cases.
> > I: When domain.tld is given a systemuser for their mail.
> Ah, we don't do that.  We probably could, since we have to give them
> a system user to FTP their web site, but why bother when vpopmail lets
> you get away with a single user?

Extra security? I've always hated the vpopmail model, all users are one
user

> Oh, unless you're using a PHP webmail
[snip]

There could be many other reasons to give domainmail-admins
system-users. Admin'ing mailinglists for one.

> > You: When systemusers needed personal mail.
> > - and now i can see the trouble ahead, but not that much trouble.
> The trouble is that vpopmail can be used in so many different ways.

Yep, or maybe the biggest feature. But hey, qmail is delivering to
systemusers isn't it? vdeliver doesn't even get run?

> > I was illustrating that it could quickly get hairy, when arguments have
> > to be passed to/from these tools.
> I think argument and value passing is reasonably well understood,
> relatively easy to code and the methods of avoiding buffer overflows
> known if not always widely applied.  Provided the utilities are
> restricted to reading and writing the database it should be easy to
> ensure there are no known exploitable holes.

But there's much more to it than buffer overflows. How do we trust the
calling program, for one thing?

> > Ohh boy i'm glad we are on a qmail-oriented list, elsewise we would have
> > the great sendmail-flamefest now :)
> Indeed.  But it's a valid point.  Given the number of systems running
[snip]

I didn't say that it wasn't a valid point!

/Anders





[vchkpw] Re: courier-imap / sql files

2003-09-12 Thread Paul L. Allen

Hi Anders

Anders Brander writes:

> Extra security? I've always hated the vpopmail model, all users are one
> user

It has advantages and disadvantages.  It means that vpopmail runs under
a dedicated user and group without (at the moment) any need for set-id.
IMAP and POP servers do need setuid root if they are to work for system 
users and so I'd be more worried about them being compromised for root
privilege than them being compromised so that somebody could turn
himself into the vpopmail user and read other people's mail.  I would
go so far as to say that on a system where all users have vpopmail-owned
mail and if the IMAP and POP3 servers were setuid vpopmail then you would
have more security not less because only the mail system is exposed if
somebody finds a hole (I'm not saying that somebody trashing mail is
desirable but it's better than them trashing the whole system including
mail)..

> > Oh, unless you're using a PHP webmail
> [snip]
>
> There could be many other reasons to give domainmail-admins
> system-users. Admin'ing mailinglists for one.

I've never played with it, but qmailadmin appears to support ezmlm
mailing lists without needing system users.

> Yep, or maybe the biggest feature. But hey, qmail is delivering to
> systemusers isn't it? vdeliver doesn't even get run?

As I understand things.  But I have never looked too deeply into that.
We don't have system users in the traditional sense.  Clients have
user accounts for FTP to their web sites but do not have shell access.
Although we have a few admins as system users that's only so they can
su root when necessary, their mail is handled through a virtual domain
just like our customers.  We don't have people who log into our servers
to read mail in between playing nethack or whatever.

> But there's much more to it than buffer overflows. How do we trust the
> calling program, for one thing?

You don't trust the calling program.  You ensure that the directory
these utilities are in is rx only to vpopmail:vchkpw.  If somebody
can su to those or insert a malicious program into ~vpopmail/bin and
get it executed then you have more problems than a calling problem
passing something weird.  Those risks are present in the current model
anyway, so adding these utilities does not make matters worse.

If somebody can make a calling program maliciously call the database
modify utility to wipe out arbitrary users they can do so under the
current model too.  The only thing these utilities would be doing
in addition to what is currently done is providing a way of hiding
the MySQL password.  Essentially you would be extracting a few functions
from libvpopmail, putting them into separate programs and adding
the get MySQL password stuff to those additional programs.  I don't
see that this imposes an additional risk provided those additional
programs are kept small and written well.  Compared to having the
password wired into libvpopmail.a, it is a significant improvement...

I suppose we could always look how Courier does it to see if there's a
better way, but that's cheating.

-- 
Paul Allen
Softflare Support




Re: [vchkpw] IMAP and Pop3

2003-09-12 Thread Jeremy Kitchen
Please keep your replies on the list so others can share their
knowledge, and so everything stays nice and archived, thanks! :)

On Fri, 2003-09-12 at 06:51, Geoff Byers wrote:
> The messages are in my folder in the qmail home dir, for my account and
> virtual domain, but it won't send them when my client goes to check for
> new mail. It doesn't understand they are new i guess. I can download
> them from the server with IMAP but not pop3. Any ideas?

so is it in your local home directory or in your vpopmail-run domain? 
Also, you still haven't said if it gives you any errors, which is
important to know.

-- 
Jeremy Kitchen
Systems Administrator
.
Inter7 Internet Technologies, Inc.
www.inter7.com
866.528.3530 toll free
847.492.0470 int'l
847.492.0632 fax
GNUPG key ID: 93BDD6CE




RE: [vchkpw] How to package up a new release?

2003-09-12 Thread dalmata
Thank you Tom and Ken for solving your differences maturely and politely.
We all appreciate your work.

Kind regards.

-Original Message-
From: Tom Collins [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 11 September 2003 7:34
To: vpopmail list
Subject: Re: [vchkpw] How to package up a new release?

On Wednesday, September 10, 2003, at 04:45  PM, Ken Jones wrote:
> Until CVS is up and running, how would I go about
> packaging up a new release?

CVS is up now.  Please start with that code, as it includes a few 
changes to the current tarball.

I forgot to mention the following in my previous email:

-
If you'd like to keep up with changes committed to CVS, you can 
subscribe to vpopmail-cvs 
http://lists.sourceforge.net/mailman/listinfo/vpopmail-cvs.
-

> Would it be as simple as:
> 1) get the current tarball
> 2) apply changes to my local copy
> 3) test test test
> 4) tar up the package with a new version number
> 5) upload to source forge?

With CVS (actual cvs commands in quotes), you should checkout the 
vpopmail module from the vpopmail CVS repository, make your changes to 
your checked out version, and commit those changes (with a note 
explaining what they're for).  Whenever you start working on the 
source, be sure to update your copy from the repository.  You can 
diff your copy with the current repository copy to see where changes 
are. Or get the status on a file (or all files).

I look to others with more experience than I for how to build releases. 
  My understanding is that when we have a stable version of vpopmail in 
CVS, we'll tag it with a name like vpopmail-5-3-28-release (periods 
aren't allowed in tags).  Then, go to another directory and do a cvs 
export to get the files as of that release tag, and tgz *that* up for 
distribution.

Ken, please go into the Admin section of the vpopmail project and take 
a look at the File Releases section.  Maybe once we're ready for a 
release, we can get on the phone and I'll talk you through the process.

--
Tom Collins
[EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/







Re: [vchkpw] How to completely remove a database

2003-09-12 Thread Don Walters
Ok, that worked great.  I was able to kill the database and all of those 
entries from the various files and I was able to recreate the database and 
add my domains back.

Only one problem remains:  I'm unable to pop into the account and get my 
mail.  There are no errors that I can see happening in any of the log files, 
but I am popping like crazy and no mail is coming.  I can see that the 
messages were delivered to the right mailbox because I went to the 
~vpopmail/domains folder and I could see the messages were stored in the 
appropriate mailbox.

Here's an excerpt from my log file located at /var/log/qmail/pop3d/current

@40003f61fe982c0320c4 tcpserver: status: 1/40
@40003f61fe982c033c1c tcpserver: pid 22184 from 24.116.177.127
@40003f61fe982c0343ec tcpserver: ok 22184 0:192.168.0.50:110 
:24.116.177.127::41746
@40003f61fe9835c5210c tcpserver: end 22184 status 256
@40003f61fe9835c53c64 tcpserver: status: 0/40

So there were no errors that I can see, and when I keep hitting the 
Send/Receive button of my mail client (outlook) it adds another entry 
similar to this in the log.

I don't know if this is related, but when I do...

ps -efl | grep "service errors" | grep -v grep

as suggested in Life With Qmail, I get...

0 S root 19866 19857  0  84   0-   336 pipe_w Sep11 ?
00:00:00 readproctitle service
errors: 




Should I be worried about this?  I get no other messages from running this 
command.  Maybe it's OK as is.



From: Bill Shupp [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [vchkpw] How to completely remove a database
Date: Thu, 11 Sep 2003 22:24:58 -0700
On Thursday, September 11, 2003, at 10:21  PM, Don Walters wrote:

I am trying to wipe out everything and start from scratch.  I tried using 
drop database vpopmail; and creating it again using the instructions to 
install vpopmail, but I'm unable to add the same domains back again.  It 
keeps saying the domain already exists.  If I try to use the command 
vdeldomain to remove it, it says the domain doesn't exist!

The reason I didn't use vdeldomain in the first place is because I had to 
reload everything all over again and I was installing over the top of a 
previous installation.  I think all I need to do is wipe the slate and 
start adding my domains back into a clean database.

How can I be assured that I'm wiping out everything and starting fresh?

In addition to removing the database/recreating it, remove the domain 
directory, and the entry from /var/qmail/users/assign and run 
/var/qmail/bin/qmail-newu to update the assign cdb file.

Regards,

Bill Shupp






Re: [vchkpw] Unable to access mail using POP and domain issues with vpopmail

2003-09-12 Thread Balaji NJL
i want to check my mail using Outlook express. i am
unable to do so. i am getting the following error.

There was a problem logging onto your mail server.
Your Password was rejected. Account: '192.168.0.3',
Server: '192.168.0.3', Protocol: POP3, Server
Response: '-ERR this user has no $HOME/Maildir', Port:
110, Secure(SSL): No, Server Error: 0x800CCC90, Error
Number: 0x800CCC92

that's why i tried to telnet locally and trying to find
out what's the issue.

-B

--- VeNoMouS [EMAIL PROTECTED] wrote:
> then why are you trying to login as a virtual user
> - Original Message -
> From: Balaji NJL [EMAIL PROTECTED]
> To: VeNoMouS [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, September 11, 2003 4:35 PM
> Subject: Re: [vchkpw] Unable to access mail using POP and domain issues with
> vpopmail
>
> > i am able to check the mails
> > using sqwebmail. but i am still unable to check it via
> > outlook express by POP. this is the error i am getting
> >
> > There was a problem logging onto your mail server.
> > Your Password was rejected. Account: '192.168.0.3',
> > Server: '192.168.0.3', Protocol: POP3, Server
> > Response: '-ERR this user has no $HOME/Maildir', Port:
> > 110, Secure(SSL): No, Server Error: 0x800CCC90, Error
> > Number: 0x800CCC92
> >
> > i also tried this on my mailserver directly
> >
> > telnet localhost 110
> > user [EMAIL PROTECTED]
> > pass x
> > -ERR this user has no $HOME/Maildir
> >
> > this is true because this is a virtual user and this
> > user doesn't hv Maildir.
> >
> > thanks
> > --- VeNoMouS [EMAIL PROTECTED] wrote:
> > > what is the actual problem again, as we fixed so many
> > > for you.
  






Re: [vchkpw] Unable to access mail using POP and domain issues with vpopmail

2003-09-12 Thread Balaji NJL
pardon my ignorance. how to find it out.

my qmail-pop3d run states

exec /usr/local/bin/softlimit -m 200
/usr/local/bin/tcpserver -v -R -H -l 0 (zero) -u
$VPOPMAILUID -g $VPOPMAILGID 0 110
/var/qmail/bin/qmail-popup mail.ojoobala.com
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d
Maildir 2>&1

-B
--- Tom Collins [EMAIL PROTECTED] wrote:
> On Wednesday, September 10, 2003, at 09:35  PM, Balaji NJL wrote:
> > i also tried this on my mailserver directly
> >
> > telnet localhost 110
> > user [EMAIL PROTECTED]
> > pass x
> > -ERR this user has no $HOME/Maildir
> >
> > this is true because this is a virtual user and this
> > user doesn't hv Maildir.
>
> What POP server are you using, and does it know
> about vpopmail?
>
> --
> Tom Collins
> [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
> Info on the Sniffter hand-held Network Tester: http://sniffter.com/
 
 





Re: [vchkpw] Unable to access mail using POP and domain issues with vpopmail

2003-09-12 Thread Balaji NJL
figured it out. there was a carriage return between
qmail-pop3d and Maildir in my run file. i fixed it now
its working fine.

thanks a ton. 

-B
--- Balaji NJL [EMAIL PROTECTED] wrote:
> pardon my ignorance. how to find it out.
>
> my qmail-pop3d run states
>
> exec /usr/local/bin/softlimit -m 200
> /usr/local/bin/tcpserver -v -R -H -l 0 (zero) -u
> $VPOPMAILUID -g $VPOPMAILGID 0 110
> /var/qmail/bin/qmail-popup mail.ojoobala.com
> /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d
> Maildir 2>&1
>
> -B
> --- Tom Collins [EMAIL PROTECTED] wrote:
> > On Wednesday, September 10, 2003, at 09:35  PM, Balaji NJL wrote:
> > > i also tried this on my mailserver directly
> > >
> > > telnet localhost 110
> > > user [EMAIL PROTECTED]
> > > pass x
> > > -ERR this user has no $HOME/Maildir
> > >
> > > this is true because this is a virtual user and this
> > > user doesn't hv Maildir.
> >
> > What POP server are you using, and does it know
> > about vpopmail?
> >
> > --
> > Tom Collins
> > [EMAIL PROTECTED]
> > QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
> > Info on the Sniffter hand-held Network Tester: http://sniffter.com/