Re: [vchkpw] vpopmail misusing qmail's control files (Was: can't relay any more)

2005-04-19 Thread Rick van Vliet
Kyle Wheeler wrote:
> On Tuesday, April 19 at 04:34 PM, quoth Jeremy Kitchen:
> > I do know, however, that if you remove a domain from virtualdomains, 
> > vchkpw will still function without problem.  IMHO, this is wrong 
> > behavior.  What happens if you take a domain and move it into the 
> > locals file, and use vchkpw configured with --enable-passwd for 
> > authenticating local users?  Where will vpopmail start when looking 
> > where to authenticate?  It SHOULD look in locals/virtualdomains first.
> 
> Well, there's something to be said for rejecting domains that aren't in 
> virtualdomains, I agree.
> 
> ~Kyle

Well, I'm glad I asked /that/ question :)
rick


Re: [vchkpw] vpopmail misusing qmail's control files (Was: can't relay any more)

2005-04-19 Thread Kyle Wheeler
On Tuesday, April 19 at 04:34 PM, quoth Jeremy Kitchen:
> I do know, however, that if you remove a domain from virtualdomains, 
> vchkpw will still function without problem.  IMHO, this is wrong 
> behavior.  What happens if you take a domain and move it into the 
> locals file, and use vchkpw configured with --enable-passwd for 
> authenticating local users?  Where will vpopmail start when looking 
> where to authenticate?  It SHOULD look in locals/virtualdomains first.

Well, there's something to be said for rejecting domains that aren't in 
virtualdomains, I agree.

> vpopmail has to determine where to look for the password database to 
> authenticate against, as well as telling qmail how to deliver the 
> messages to vpopmail.  It's only logical that it would follow the same 
> lookup mechanisms qmail does in order to find where a domain's home 
> directory is.

Fair enough. Cut-and-paste from qmail's source, I imagine, right?

> > Imagine this: you used to have lists.domain.com as a vpopmail 
> > domain, just to logically separate out your mailing lists (like 
> > list.cr.yp.to). Then you decide that you want to migrate that domain 
> > from ezmlm to GNU Mailman... but it's still on the same machine, so 
> > it still has an entry in virtualdomains. Should vpopmail be able to 
> > detect that the virtualdomains redirection of mail no longer sends 
> > mail to vpopmail but to a mailman frontend script?
> 
> sure, but why does it need to?  It would look up the domain in 
> virtualdomains, find out what user the domain belongs to.. find out 
> where the domain is located (either because of a listing in 
> users/assign or an /etc/passwd entry, etc) go to that directory, and 
> look for a vpasswd.cdb file.  If it finds one, it tries to 
> authenticate the user using it.. if it does not find one, it assumes 
> the domain is not vpopmail and rejects the authentication.

It can't rely on the presence of a vpasswd.cdb file - it might be that 
all the user records were stored in ldap or mysql.

... and if I do that, then migrate a domain as I describe, then I, the 
administrator, need to change the ldap/mysql database - which is akin to 
fully deleting the domain rather than just twiddling my virtualdomains 
config file and assuming it'll Just Work (tm).

> vdelivermail doesn't care about domains.. it simply cares about environment 
> variables passed to it via qmail-local.

I know.

> > What if, instead, I wanted to merely move 
> > where lists.domain.com gets delivered and stored (not that I can come up
> with a good reason for wanting to do so, but it's certainly within my
> > rights as an admin)... should vpopmail follow the virtualdomain entries
> > out to the eventual delivery to make sure that they're getting delivered
> > to a vdelivermail script?
> 
> find out where the domain's directory should be and look for a vpasswd.cdb 
> file.. I don't see the complication.

They don't have to be there, obviously.

> > Upon reflection, I think there's probably too much flexibility in the
> > virtualdomains setup for vpopmail to parse and attempt to interpret the
> > qmail virtualdomains file fully. It could take a simplistic approach,
> > but that simplistic approach would limit the configurable power of
> > qmail. If you start throwing qmail-users into the mix, it becomes
> > astonishingly complex for vpopmail to decide whether or not a given
> > address is going to be delivered to a vpopmail domain.
> 
> not overly, unless you're using address-based virtualdomains entries, which 
> are extremely rare, and not relevant to the architecture of vpopmail.

If I use virtualdomains to change the extension delimiter (to, say, an 
underscore rather than a hyphen), it's still valid to send it to a 
vpopmail domain, but would confuse the heck out of a chkuser patch 
unless it fully supported all the permutations of configuration that I 
can swizzle into my virtualdomains file. Then let's say I have another 
virtual domain that I want set to deliver to a virtual user, configured 
like so:

domain1.com:domain1.com
domain2.com:domain1.com_joe

Will I confuse vchkpw? How much of this should it actually be 
responsible for? 

Now let's say I have a different server for people in my company to use 
for sending (and authenticating) than I do for storing my domain's 
email. This machine may have an empty rcpthosts and virtualdomains file, 
because it's not supposed to receive un-authenticated mail. Why should 
it be required to deliver un-authenticated mail just to make vchkpw 
work? Why does it need access to my mailstore backend?

I'm not saying it couldn't be done, I'm just saying it's more 
complicated and more restrictive than you seem to imply and don't think 
such "features" are a requirement for a decent virtual domain package.

~Kyle
-- 
The liberty of a democracy is not safe if the people tolerate the growth 
of a private power to a point where it becomes stronger than the 
democratic state itself.
-- Franklin 
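
The lookup Jeremy proposes in the text quoted above (virtualdomains, then users/assign, then a vpasswd.cdb in the domain's directory), as an added Python example that is not part of the thread and is not vpopmail's or qmail's code. The domains, paths, uid/gid values and function names are constructed for illustration, and the final vpasswd.cdb test assumes the cdb backend: as Kyle points out, it says nothing when accounts live in LDAP or MySQL.

```python
import os
import tempfile


def parse_virtualdomains(text):
    """control/virtualdomains: 'key:prepend' lines; key is domain, .domain,
    user@domain, or empty (catch-all)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, prepend = line.partition(":")
            table[key.lower()] = prepend
    return table


def parse_assign(text):
    """users/assign: '=local:user:uid:gid:home:dash:ext:' is an exact entry,
    '+prefix:...' a wildcard; a line holding a single '.' ends the file.
    Returns two dicts mapping local part (or prefix) to home directory."""
    exact, wild = {}, {}
    for line in text.splitlines():
        if line == ".":
            break
        fields = line[1:].split(":")
        if line[:1] in ("=", "+") and len(fields) >= 5:
            (exact if line[0] == "=" else wild)[fields[0].lower()] = fields[4]
    return exact, wild


def virtual_prepend(vdoms, local, domain):
    """Try keys in qmail-send's order: user@domain, domain, each .suffix,
    then the catch-all. An empty prepend is an exception: not virtual."""
    labels = domain.split(".")
    keys = [f"{local}@{domain}", domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append("")
    for key in keys:
        if key in vdoms:
            return vdoms[key] or None
    return None


def assign_home(exact, wild, local):
    """Exact entry first, then the longest matching wildcard prefix."""
    if local in exact:
        return exact[local]
    for i in range(len(local), -1, -1):
        if local[:i] in wild:
            return wild[local[:i]]
    return None


def classify(address, locals_, vdoms, exact, wild):
    """Decide where an address is handled, following the control files."""
    local, _, domain = address.lower().rpartition("@")
    if domain in locals_:
        return "local"                  # control/locals wins over virtualdomains
    prepend = virtual_prepend(vdoms, local, domain)
    if prepend is None:
        return "not-handled-here"       # neither local nor virtual on this host
    home = assign_home(exact, wild, f"{prepend}-{local}")
    if home is None:
        return "virtual-system-user"    # qmail would fall back to system users
    if os.path.isfile(os.path.join(home, "vpasswd.cdb")):
        return "vpopmail"
    return "virtual-not-vpopmail"       # e.g. a Mailman front end


def demo():
    """Constructed layout: one vpopmail domain, one Mailman domain, and one
    domain removed from virtualdomains whose vpopmail directory is still on disk."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("domains/example.com", "domains/moved.example.net", "mailman"):
            os.makedirs(os.path.join(root, d))
        for d in ("example.com", "moved.example.net"):
            open(os.path.join(root, "domains", d, "vpasswd.cdb"), "wb").close()
        locals_ = {"mail.example.org"}
        vdoms = parse_virtualdomains(
            "example.com:example.com\n"
            "lists.example.com:mailman\n")
        exact, wild = parse_assign(
            f"+example.com-:example.com:89:89:{root}/domains/example.com:-::\n"
            f"+moved.example.net-:moved.example.net:89:89:"
            f"{root}/domains/moved.example.net:-::\n"
            f"+mailman-:mailman:1001:1001:{root}/mailman:-::\n"
            ".\n")
        addresses = ["joe@example.com", "ann@lists.example.com",
                     "bob@moved.example.net", "root@mail.example.org"]
        return {a: classify(a, locals_, vdoms, exact, wild) for a in addresses}


if __name__ == "__main__":
    for address, verdict in demo().items():
        print(f"{address:26} {verdict}")
```

The moved.example.net case is the one Jeremy complains about: the password database is still on disk, but a lookup that starts from virtualdomains no longer reaches it.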

Re: [vchkpw] can't get vpopmail to rebuild tcp.smtp.cdb

2005-04-19 Thread Matt MacDougall
I think I may have misled you folks by mentioning how I've fixed this issue in 
the past.  I haven't been able to solve it this time no matter what I've been 
trying.  Anyone have a clue as to why even though permissions are set 
correctly, vpopmail still won't rebuild my tcp.smtp file?

Thanks everyone,

-Matt



On Monday 18 April 2005 08:14 pm, Matt MacDougall wrote:
> Thanks Rick.  I'm not seeing any open.smtp files in the dir:
>
> Here's the permissions:
>
> drwxr-xr-x  2 vpopmail  vchkpw  512 Apr 18 15:24 etc
>
> and the contents:
>
> -rw-r--r--  1 root      vchkpw    29 Apr 18 15:22 inc_deps
> -rw-r--r--  1 root      vchkpw    91 Apr 18 15:22 lib_deps
> -rw-r--r--  1 vpopmail  vchkpw   131 Apr 18 13:22 tcp.smtp
> -rw-r--r--  1 vpopmail  vchkpw  2243 Apr 18 15:24 tcp.smtp.cdb
> -rw-r--r--  1 vpopmail  vchkpw  1107 Apr 18 15:22 vlimits.default
> -rw-r-  1 vpopmail  vchkpw    39 Apr 18 15:23 vpopmail.mysql
>
> I've setup a couple qmail boxes myself, ran into this issue and just fixed
> it by changing the owner of tcp.smtp.cdb from root to vpopmail ... so I'm
> pretty stumped at this point.
>
> I'd hate to go with smtp auth at this point cause that would mean schooling
> hundreds of clients on how to change their mail settings ... barf.
>
> See anything else sticking out here?
>
> -Matt
>



Re: [vchkpw] vpopmail misusing qmail's control files (Was: can't relay any more)

2005-04-19 Thread Jeremy Kitchen
On Tuesday 19 April 2005 03:45 pm, Kyle Wheeler wrote:
> > > > > But if we can stretch this topic - why doesn't vpopmail 'pay
> > > > > attention to locals or virtualdomains'? Is it just late and I'm
> > > > > space-y?
> > > >
> > > > It doesn't do it for any real reason, it just does it because it was
> > > > poorly designed, and nobody has changed it.
> > >
> > > What do you expect it to do?
> >
> > I expect it to look at the virtualdomains file to determine what user the
> > domain should be handled by (or that it's even there!) and then look up
> > the user using standard qmail lookup procedures (check qmail-users first,
> > then system users)
> >
> > I recently had a problem with a customer who was moving one of his
> > domains to an exchange server but leaving the qmail server in place for
> > filtering.  I took the domain out of virtualdomains and sent qmail-send a
> > HUP signal, however, the chkuser patch was still looking for 'valid'
> > users inside the vpopmail databases.  This is wrong behavior on
> > vpopmail's part.
>
> Wouldn't that instead be wrong behavior on the chkuser patch's part?

probably not, but I haven't looked into the code enough to determine that in 
that particular situation.

I do know, however, that if you remove a domain from virtualdomains, vchkpw 
will still function without problem.  IMHO, this is wrong behavior.  What 
happens if you take a domain and move it into the locals file, and use vchkpw 
configured with --enable-passwd for authenticating local users?  Where will 
vpopmail start when looking where to authenticate?  It SHOULD look in 
locals/virtualdomains first.

> I imagine vchkpw would need to be altered to do the same to prevent
> people from authenticating to the wrong server.
>
> On the other hand, how many software products do you use that parse the
> config files of other systems? Do many sendmail milters parse the
> /etc/sendmail.cf? Should php parse apache's config files?

milter != virtualdomains package
milters have a standard interface for interacting with sendmail, and generally 
have their own configuration files.  If for some reason the milter were to 
have to know some sort of configuration option from sendmail, it might have 
to parse the config file (unless it can query sendmail for it.. I don't know, 
I don't use sendmail)

php != virtualdomains package
apache provides everything php needs when it executes the script.

vpopmail has to determine where to look for the password database to 
authenticate against, as well as telling qmail how to deliver the messages to 
vpopmail.  It's only logical that it would follow the same lookup mechanisms 
qmail does in order to find where a domain's home directory is.

> I'm not saying it wouldn't be useful if vpopmail did go through qmail's
> config files, especially since they're so semantically simple; I think
> it would be a good idea! But does that necessarily make ignoring the
> config files of a separate piece of software WRONG? I don't think so.

well, /var/qmail/users/assign IS a qmail control file, and has NOTHING to do 
with domains.  I could understand if vpopmail had its own list of 
domain->homedir assignments and such elsewhere, but since it's using qmail's 
control files, it may as well use them properly.

> Imagine this: you used to have lists.domain.com as a vpopmail domain,
> just to logically separate out your mailing lists (like list.cr.yp.to).
> Then you decide that you want to migrate that domain from ezmlm to GNU
> Mailman... but it's still on the same machine, so it still has an entry
> in virtualdomains. Should vpopmail be able to detect that the
> virtualdomains redirection of mail no longer sends mail to vpopmail but
> to a mailman frontend script?

sure, but why does it need to?  It would look up the domain in virtualdomains, 
find out what user the domain belongs to.. find out where the domain is 
located (either because of a listing in users/assign or an /etc/passwd entry, 
etc) go to that directory, and look for a vpasswd.cdb file.  If it finds one, 
it tries to authenticate the user using it.. if it does not find one, it 
assumes the domain is not vpopmail and rejects the authentication.

vdelivermail doesn't care about domains.. it simply cares about environment 
variables passed to it via qmail-local.

> What if, instead, I wanted to merely move 
> where lists.domain.com gets delivered and stored (not that I can come up
> with a good reason for wanting to do so, but it's certainly within my
> rights as an admin)... should vpopmail follow the virtualdomain entries
> out to the eventual delivery to make sure that they're getting delivered
> to a vdelivermail script?

find out where the domain's directory should be and look for a vpasswd.cdb 
file.. I don't see the complication.

> Upon reflection, I think there's probably too much flexibility in the
> virtualdomains setup for vpopmail to parse and attempt to interpret the
> qmail virtualdomains file fully. It could take a si

Re: [vchkpw] can't relay any more

2005-04-19 Thread Kyle Wheeler
On Tuesday, April 19 at 03:24 PM, quoth Jeremy Kitchen:
> On Tuesday 19 April 2005 03:04 pm, Kyle Wheeler wrote:
> > On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
> > > On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
> > > > You're right  -- Thought I had that one. :\
> > > > But if we can stretch this topic - why doesn't vpopmail 'pay attention
> > > > to locals or virtualdomains'? Is it just late and I'm space-y?
> > >
> > > It doesn't do it for any real reason, it just does it because it was
> > > poorly designed, and nobody has changed it.
> >
> > What do you expect it to do?
> 
> I expect it to look at the virtualdomains file to determine what user the 
> domain should be handled by (or that it's even there!) and then look up the 
> user using standard qmail lookup procedures (check qmail-users first, then 
> system users)
> 
> I recently had a problem with a customer who was moving one of his domains to 
> an exchange server but leaving the qmail server in place for filtering.  I 
> took the domain out of virtualdomains and sent qmail-send a HUP signal, 
> however, the chkuser patch was still looking for 'valid' users inside the 
> vpopmail databases.  This is wrong behavior on vpopmail's part.

Wouldn't that instead be wrong behavior on the chkuser patch's part?

I imagine vchkpw would need to be altered to do the same to prevent 
people from authenticating to the wrong server.

On the other hand, how many software products do you use that parse the 
config files of other systems? Do many sendmail milters parse the 
/etc/sendmail.cf? Should php parse apache's config files?

I'm not saying it wouldn't be useful if vpopmail did go through qmail's 
config files, especially since they're so semantically simple; I think 
it would be a good idea! But does that necessarily make ignoring the 
config files of a separate piece of software WRONG? I don't think so.

Imagine this: you used to have lists.domain.com as a vpopmail domain, 
just to logically separate out your mailing lists (like list.cr.yp.to). 
Then you decide that you want to migrate that domain from ezmlm to GNU 
Mailman... but it's still on the same machine, so it still has an entry 
in virtualdomains. Should vpopmail be able to detect that the 
virtualdomains redirection of mail no longer sends mail to vpopmail but 
to a mailman frontend script? What if, instead, I wanted to merely move 
where lists.domain.com gets delivered and stored (not that I can come up 
with a good reason for wanting to do so, but it's certainly within my 
rights as an admin)... should vpopmail follow the virtualdomain entries 
out to the eventual delivery to make sure that they're getting delivered 
to a vdelivermail script?

Upon reflection, I think there's probably too much flexibility in the 
virtualdomains setup for vpopmail to parse and attempt to interpret the 
qmail virtualdomains file fully. It could take a simplistic approach, 
but that simplistic approach would limit the configurable power of 
qmail. If you start throwing qmail-users into the mix, it becomes 
astonishingly complex for vpopmail to decide whether or not a given 
address is going to be delivered to a vpopmail domain.

~Kyle
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of 
zeal, well-meaning but without understanding.
-- Brandeis




Re: [vchkpw] can't relay any more

2005-04-19 Thread Jeremy Kitchen
On Tuesday 19 April 2005 03:04 pm, Kyle Wheeler wrote:
> On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
> > On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
> > > You're right  -- Thought I had that one. :\
> > > But if we can stretch this topic - why doesn't vpopmail 'pay attention
> > > to locals or virtualdomains'? Is it just late and I'm space-y?
> >
> > It doesn't do it for any real reason, it just does it because it was
> > poorly designed, and nobody has changed it.
>
> What do you expect it to do?

I expect it to look at the virtualdomains file to determine what user the 
domain should be handled by (or that it's even there!) and then look up the 
user using standard qmail lookup procedures (check qmail-users first, then 
system users)

I recently had a problem with a customer who was moving one of his domains to 
an exchange server but leaving the qmail server in place for filtering.  I 
took the domain out of virtualdomains and sent qmail-send a HUP signal, 
however, the chkuser patch was still looking for 'valid' users inside the 
vpopmail databases.  This is wrong behavior on vpopmail's part.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] can't relay any more

2005-04-19 Thread Kyle Wheeler
On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
> On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
> > You're right  -- Thought I had that one. :\
> > But if we can stretch this topic - why doesn't vpopmail 'pay attention
> > to locals or virtualdomains'? Is it just late and I'm space-y?
> 
> It doesn't do it for any real reason, it just does it because it was poorly 
> designed, and nobody has changed it.

What do you expect it to do?

I expect to be able to use my virtualdomains file for more than JUST 
vpopmail domains (for example, I have several lists.* domains that are 
handled exclusively by GNU Mailman).

~Kyle
-- 
Power always thinks it has a great soul and vast views beyond the 
comprehension of the weak; and that it is doing God's service when it is 
violating all his laws.
-- John Adams




[vchkpw] RE: [qmailadmin] qmailadmin 1.2.3 cannot read vpopmail.mysql

2005-04-19 Thread Ricardo Moreno
I have the same problem.. but not with qmailadmin

I have the problem logging in with pop3

Sometimes it happens, sometimes it does not..

first time error loading shared libraries
second time everything went fine
third time couldn't read vpopmail.mysql

I think it is a problem related to Fedora Core 3,

Are people with this problem running Fedora Core 3?

look

[EMAIL PROTECTED] vpopmail-5.4.6]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK <[EMAIL PROTECTED]>
user rmoreno
+OK
pass cojelon
/home/vpopmail/bin/vchkpw: error while loading shared libraries:
libnsl.so.1: failed to map segment from shared object: Cannot allocate
memory
-ERR unable to write pipe
Connection closed by foreign host.
[EMAIL PROTECTED] vpopmail-5.4.6]#
[EMAIL PROTECTED] vpopmail-5.4.6]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK <[EMAIL PROTECTED]>
user rmoreno
+OK
pass cojelon
+OK
list
+OK
1 290
2 350
.
q
quit
Connection closed by foreign host.
[EMAIL PROTECTED] vpopmail-5.4.6]# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK <[EMAIL PROTECTED]>
user rmoreno
+OK
pass cojelon
vmysql: can't read settings from /home/vpopmail/etc/vpopmail.mysql
-ERR authorization failed
Connection closed by foreign host.


Re: [vchkpw] can't relay any more

2005-04-19 Thread Jeremy Kitchen
On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
> You're right  -- Thought I had that one. :\
> But if we can stretch this topic - why doesn't vpopmail 'pay attention
> to locals or virtualdomains'? Is it just late and I'm space-y?

It doesn't do it for any real reason, it just does it because it was poorly 
designed, and nobody has changed it.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




RE: [vchkpw] Re: (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Samir Noshy
> -Original Message-
> From: Peter Palmreuther [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 5:49 PM
> To: Samir Noshy in vpop
> Subject: [vchkpw] Re: (Urgent) qmail-smtpd Bug !
> 
> Hello Samir,
> 
> On Tuesday, April 19, 2005 at 5:35:43 PM Samir wrote:
> 
> [SMTP-AUTH not preventing "forged" From-header]
> >> Dude this is normal behavior.
> 
> > No I don't think so, It is a big security issue.
> 
> You name it "big security issue", that doesn't necessarily 
> make it one. It *IS* normal behavior for a (patched) 
> qmail-installation.
> 
> If you don't like the way SMTP-AUTH is integrated within 
> qmail: use a different MTA that fits your needs or rewrite 
> the SMTP-AUTH patch to make qmail act the way you like it. 
> If you are unable to handle the C-code of qmail and the 
> SMTP-AUTH-patch: pay someone to make the necessary changes 
> who can handle C.
> 
> But:
> 
> 1) Stop crying. The way you find it is the way it *works*
> 2) Stop bothering this list. This mailing list is about *vpopmail*,
>    you have a problem with qmail-smtpd. qmail has its own mailing
>    list.
> --



Thanks a lot and Best Regards.
 
Samir Noshy
 




RE: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread tonix (Antonio Nati)


At 16.42 19/04/2005, you wrote:
> -Original Message-
> From: tonix (Antonio Nati) [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 19, 2005 5:24 PM
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !
> 
> 
> You may disable acceptance of message from not authenticated 
> users only if you make one of these changes:
> 
> - delete any entry from rcpthosts
If I did so, no one can send emails to my local domains.

So now you may understand why this is neither a bug nor a security hole.
It's a standard feature, and cannot be another way.
> or
> - modify auth patch so that only auth relaying is allowed.
>
I think that is a good solution , but how I can modify it ??

You must setup a dedicated qmail-smtpd server for these domains, and
change code: within smtp_rcpt, before chkuser (if you use it), or after
these lines (I use Shupp's patch)


  if (flagbarfbmt) {
    strerr_warn4("qmail-smtpd: badmailto: ",addr.s," at ",remoteip,0);
    err_bmt();
    return;
  }

add code like this:

  if (!relayclient) {
    strerr_warn4("qmail-smtpd: not auth sender: ",addr.s," at ",remoteip,0);
    err_notauth();
    return;
  }

where err_notauth() can be:

  void err_notauth() { out("553 sorry, you must authenticate before using this server (#5.7.1)\r\n"); }

It would be much better if this would be a configurable option of auth
patch, that would force authentication in the first smtp steps, and not
within rcpt dialog (but this is better than nothing).
Tonino

> Tonino

 
Thanks and Best Regards.
 
Samir Noshy

At 16.24 19/04/2005, you wrote:
>Hi Everybody,
>
>I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
>courier-imap-4.0.2 and SM and QS.
>
>I think that there is a bug in the qmail-smtpd.
>
>the bug that I can send mail as/from a local account to any other local
>account Although I use SMTP auth provided by :
>http://www.fehcom.de/qmail/smtpauth.html.
>
>smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail
>from an Local Account other than his Local Account to any other Local
>account.
>
>Imagine that I host the two domains: companyXX.com and companyYY.com
>for example.
>
>So , an any person who did not belong to companyXX.com can Impersonate
>as [EMAIL PROTECTED] and send a formal email - w/o authenticating of
>course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]
>
>I want to do that to prevent any other third party - or even any local
>account users- to Impersonate and send mail from an other Local Account
>to any other Local account.
>
>By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :
>
>#!/bin/sh
>
># when QMAILQUEUE is set, all mail will be sent to the nominated script
>QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
>export QMAILQUEUE
>
>QMAILDUID=`id -u vpopmail`
>QMAILDGID=`id -g vchkpw`
>
>exec /usr/local/bin/softlimit -m 1500 \
>/usr/local/bin/tcpserver \
>-v -x /etc/tcp.smtp.cdb \
>-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \
>/usr/local/bin/rblsmtpd -b -C \
>-r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?host=%IP% <http://www.ordb.org/lookup/?host=%IP%>  - Please forward this error through to your email server support staff for easy resolution.' \
>-r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% <http://dsbl.org/listing?%IP%>  - Please forward this error to your email server support staff for resolution.' \
>-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problems is available at http://www.spamhaus.org/query/bl?ip=%IP% <http://www.spamhaus.org/query/bl?ip=%IP%>  - Please forward this error to your email server support staff for resolution.' \
>/var/qmail/bin/qmail-smtpd \
>/home/vpopmail/bin/vchkpw /bin/true 2>&1
>
>Can anyone help me to work around this problem 
>
>Best Regards.
>
>Samir Noshy




Re: [vchkpw] Re: (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Davide Giunchi
Alle 17:49, martedì 19 aprile 2005, Peter Palmreuther ha scritto:
> 1) Stop crying. The way you find it is the way it *works*
> 2) Stop bothering this list. This mailing list is about *vpopmail*,
>    you have a problem with qmail-smtpd. qmail has its own mailing
>    list.

Absolutely!
I'd like to add:
3) Learn to quote correctly

Regards.


Re: [vchkpw] Re: (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Remo Mattei
Peter well answered. I tried to tell him that it's a normal behavior but he 
is not listening..

Oh well  he can use postfix or sendmail.
Ciao,
Remo
- Original Message - 
From: "Peter Palmreuther" <[EMAIL PROTECTED]>
To: "Samir Noshy in vpop" 
Sent: Tuesday, April 19, 2005 9:49 AM
Subject: [vchkpw] Re: (Urgent) qmail-smtpd Bug !


Hello Samir,
On Tuesday, April 19, 2005 at 5:35:43 PM Samir wrote:
[SMTP-AUTH not preventing "forged" From-header]
Dude this is normal behavior.

No I don't think so, It is a big security issue.
You name it "big security issue", that doesn't necessarily make it
one. It *IS* normal behavior for a (patched) qmail-installation.
If you don't like the way SMTP-AUTH is integrated within qmail: use a
different MTA that fits your needs or rewrite the SMTP-AUTH patch to
make qmail act the way you like it. If you are unable to handle the
C-code of qmail and the SMTP-AUTH-patch: pay someone to make the
necessary changes who can handle C.
But:
1) Stop crying. The way you find it is the way it *works*
2) Stop bothering this list. This mailing list is about *vpopmail*,
   you have a problem with qmail-smtpd. qmail has its own mailing
   list.
--
Best regards
Peter Palmreuther
Ever notice how a cat's tail looks like a fuse?



[vchkpw] Re: (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Peter Palmreuther
Hello Samir,

On Tuesday, April 19, 2005 at 5:35:43 PM Samir wrote:

[SMTP-AUTH not preventing "forged" From-header]
>> Dude this is normal behavior.

> No I don't think so, It is a big security issue.

You name it "big security issue", that doesn't necessarily make it
one. It *IS* normal behavior for a (patched) qmail-installation.

If you don't like the way SMTP-AUTH is integrated within qmail: use a
different MTA that fits your needs or rewrite the SMTP-AUTH patch to
make qmail act the way you like it. If you are unable to handle the
C-code of qmail and the SMTP-AUTH-patch: pay someone to make the
necessary changes who can handle C.

But:

1) Stop crying. The way you find it is the way it *works*
2) Stop bothering this list. This mailing list is about *vpopmail*,
   you have a problem with qmail-smtpd. qmail has its own mailing
   list.
-- 
Best regards
Peter Palmreuther

Ever notice how a cat's tail looks like a fuse?



RE: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Samir Noshy
> -Original Message-
> From: Boris Pavlov [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 5:45 PM
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !
> 
> samir,
> 
> you mean, you want to reject mail where from: and to: are from (the
> same?) local domains, and the sender is not in permitted to relay?

NO Of course.

> wwell edi
> 
> Samir Noshy wrote:
> 
> >>-Original Message-
> >>From: Remo Mattei [mailto:[EMAIL PROTECTED]
> >>Sent: Tuesday, April 19, 2005 5:21 PM
> >>To: vchkpw@inter7.com
> >>Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !
> >>
> >>Dude this is normal behavior.
> >>
> >>
> >
> >
> >No I don't think so, It is a big security issue.
> >
> >
> >
> >  
> >
> >>- Original Message -
> >>From: "Samir Noshy" <[EMAIL PROTECTED]>
> >>To: "Qmail List" ; "[EMAIL PROTECTED] Com" 
> >>
> >>Sent: Tuesday, April 19, 2005 9:24 AM
> >>Subject: [vchkpw] (Urgent) qmail-smtpd Bug !
> >>
> >>
> >>
> >>
> >>>Hi Everybody,
> >>>
> >>>I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
> >>>courier-imap-4.0.2 and SM and QS.
> >>>
> >>>I think that there is a bug in the qmail-smtpd.
> >>>
> >>>the bug that I can send mail as/from a local account to any other local
> >>>account Although I use SMTP auth provided by :
> >>>http://www.fehcom.de/qmail/smtpauth.html.
> >>>
> >>>smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail
> >>>from an Local Account other than his Local Account to any other Local
> >>>account.
> >>>
> >>>Imagine that I host the two domains: companyXX.com and companyYY.com
> >>>for example.
> >>>
> >>>So , an any person who did not belong to companyXX.com can Impersonate
> >>>as [EMAIL PROTECTED] and send a formal email - w/o authenticating of
> >>>course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]
> >>>
> >>>I want to do that to prevent any other third party - or even any local
> >>>account users- to Impersonate and send mail from an other Local Account
> >>>to any other Local account.
> >>>
> >>>By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :
> >>>
> >>>#!/bin/sh
> >>>
> >>># when QMAILQUEUE is set, all mail will be sent to the nominated script
> >>>QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
> >>>export QMAILQUEUE
> >>>
> >>>QMAILDUID=`id -u vpopmail`
> >>>QMAILDGID=`id -g vchkpw`
> >>>
> >>>exec /usr/local/bin/softlimit -m 1500 \
> >>>/usr/local/bin/tcpserver \
> >>>-v -x /etc/tcp.smtp.cdb \
> >>>-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \
> >>>/usr/local/bin/rblsmtpd -b -C \
> >>>-r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?host=%IP% <http://www.ordb.org/lookup/?host=%IP%>  - Please forward this error through to your email server support staff for easy resolution.' \
> >>>-r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% <http://dsbl.org/listing?%IP%>  - Please forward this error to your email server support staff for resolution.' \
> >>>-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problems is available at http://www.spamhaus.org/query/bl?ip=%IP% <http://www.spamhaus.org/query/bl?ip=%IP%>  - Please forward this error to your email server support staff for resolution.' \
> >>>/var/qmail/bin/qmail-smtpd \
> >>>/home/vpopmail/bin/vchkpw /bin/true 2>&1
> >>>
> >>>Can anyone help me to work around this problem 
> >>>
> >>>Best Regards.
> >>>
> >>>Samir Noshy
> >>>
> >
> >
> >  
> >
> 
> 




Re: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Boris Pavlov
samir,
you mean, you want to reject mail where from: and to: are from (the 
same?) local domains, and the sender is not permitted to relay?

wwell edi
Samir Noshy wrote:
-Original Message-
From: Remo Mattei [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 19, 2005 5:21 PM
To: vchkpw@inter7.com
Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !

Dude this is normal behavior.
   


No, I don't think so. It is a big security issue.

 

- Original Message -
From: "Samir Noshy" <[EMAIL PROTECTED]>
To: "Qmail List" ; "[EMAIL PROTECTED] Com" 

Sent: Tuesday, April 19, 2005 9:24 AM
Subject: [vchkpw] (Urgent) qmail-smtpd Bug !

   

Hi Everybody,

I have a system consisting of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.

I think that there is a bug in qmail-smtpd.

The bug is that I can send mail as/from a local account to any other
local account, although I use SMTP auth provided by:
http://www.fehcom.de/qmail/smtpauth.html.

smtpd and SMTP Auth must prevent anyone from impersonating and sending
mail from a local account other than his local account to any other
local account.

Imagine that I host the two domains companyXX.com and companyYY.com,
for example.

So any person who does not belong to companyXX.com can impersonate
[EMAIL PROTECTED] and send a formal email - w/o authenticating, of
course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]

I want to prevent any other third party - or even any local account
user - from impersonating and sending mail from another local account
to any other local account.

By the way, my /var/qmail/supervise/qmail-smtpd/run is as follows:

#!/bin/sh

# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE

QMAILDUID=`id -u vpopmail`
QMAILDGID=`id -g vchkpw`

exec /usr/local/bin/softlimit -m 1500 \
/usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r 'relays.ordb.org:Your message was rejected because the mail server you
use is configured to allow OPEN RELAY - More detailed information regarding
this problem is available from http://www.ordb.org/lookup/?host=%IP%
  - Please forward this error through
to your email server support staff for easy resolution.' \
-r 'list.dsbl.org:Your message was rejected because the message was sent
from a server listed in DSBL - More information regarding this problem is
available at http://dsbl.org/listing?%IP%   -
Please forward this error to your email server support staff for
resolution.' \
-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was
sent from a server listed in the Spamhaus RBL - More information regarding
this problems is available at http://www.spamhaus.org/query/bl?ip=%IP%
  - Please forward this error to
your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Can anyone help me to work around this problem?

Best Regards.

Samir Noshy

 


 




RE: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Samir Noshy

> -Original Message-
> From: tonix (Antonio Nati) [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 5:24 PM
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !
> 
> 
> You may disable acceptance of message from not authenticated 
> users only if you make one of these changes:
> 
> - delete any entry from rcpthosts
If I did so, no one can send emails to my local domains.

> or
> - modify auth patch so that only auth relaying is allowed.
>

I think that is a good solution, but how can I modify it??

> Tonino


 
Thanks and Best Regards.
 
Samir Noshy


At 16.24 19/04/2005, you wrote:
>Hi Everybody,
>
>I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
>courier-imap-4.0.2 and SM and QS.
>
>I think that there is a bug in the qmail-smtpd.
>
>the bug that I can send mail as/from a local account to any other local 
>account Although I use SMTP auth provided by :
>http://www.fehcom.de/qmail/smtpauth.html.
>
>smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail 
>from an Local Account other than his Local Account to any other Local
account.
>
>Imagine that I host the two domains: companyXX.com and companyYY.com 
>for example.
>
>So , an any person who did not belong to companyXX.com can Impersonate 
>as [EMAIL PROTECTED] and send a formal email - w/o authenticating of 
>course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]
>
>I want to do that to prevent any other third party - or even any local 
>account users- to Impersonate and send mail from an other Local Account 
>to any other Local account.
>
>By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :
>
>
>
>#!/bin/sh
>
># when QMAILQUEUE is set, all mail will be sent to the nominated script 
>QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
>
>QMAILDUID=`id -u vpopmail`
>
>QMAILDGID=`id -g vchkpw`
>
>exec /usr/local/bin/softlimit -m 1500 \ /usr/local/bin/tcpserver \
>
>-v -x /etc/tcp.smtp.cdb \
>
>-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \ 
>/usr/local/bin/rblsmtpd -b -C \
>
>-r 'relays.ordb.org:Your message was rejected because the mail server 
>you use is configured to allow OPEN RELAY - More detailed information 
>regarding this problem is available from 
>http://www.ordb.org/lookup/?host=%IP%
>  - Please forward this error 
>through to your email server support staff for easy resolution.' \
>
>-r 'list.dsbl.org:Your message was rejected because the message was 
>sent from a server listed in DSBL - More information regarding this 
>problem is available at http://dsbl.org/listing?%IP% 
>  - Please forward this error to your 
>email server support staff for resolution.' \
>
>-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message 
>was sent from a server listed in the Spamhaus RBL - More information 
>regarding this problems is available at 
>http://www.spamhaus.org/query/bl?ip=%IP%
>  - Please forward this error 
>to your email server support staff for resolution.' \
>
>/var/qmail/bin/qmail-smtpd \
>
>/home/vpopmail/bin/vchkpw /bin/true 2>&1
>
>
>
>Can anyone help me to work around this problem 
>
>
>Best Regards.
>
>Samir Noshy





RE: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Samir Noshy

> -Original Message-
> From: Remo Mattei [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 19, 2005 5:21 PM
> To: vchkpw@inter7.com
> Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !
> 
> Dude this is normal behavior.


No, I don't think so. It is a big security issue.



> - Original Message -
> From: "Samir Noshy" <[EMAIL PROTECTED]>
> To: "Qmail List" ; "[EMAIL PROTECTED] Com" 
> 
> Sent: Tuesday, April 19, 2005 9:24 AM
> Subject: [vchkpw] (Urgent) qmail-smtpd Bug !
> 
> 
> > Hi Everybody,
> >
> > I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
> > courier-imap-4.0.2 and SM and QS.
> >
> > I think that there is a bug in the qmail-smtpd.
> >
> > the bug that I can send mail as/from a local account to any 
> other local
> > account Although I use SMTP auth provided by :
> > http://www.fehcom.de/qmail/smtpauth.html.
> >
> > smtpd and SMTP Auth.  must prevent anyone to Impersonate 
> and send mail 
> > from
> > an Local Account other than his Local Account to any other 
> Local account.
> >
> > Imagine that I host the two domains: companyXX.com and 
> companyYY.com for
> > example.
> >
> > So , an any person who did not belong to companyXX.com can 
> Impersonate as
> > [EMAIL PROTECTED] and send a formal email - w/o authenticating of 
> > course -
> > to [EMAIL PROTECTED] or [EMAIL PROTECTED]
> >
> > I want to do that to prevent any other third party - or 
> even any local
> > account users- to Impersonate and send mail from an other 
> Local Account to
> > any other Local account.
> >
> > By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :
> >
> >
> >
> > #!/bin/sh
> >
> > # when QMAILQUEUE is set, all mail will be sent to the 
> nominated script
> > QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
> >
> > QMAILDUID=`id -u vpopmail`
> >
> > QMAILDGID=`id -g vchkpw`
> >
> > exec /usr/local/bin/softlimit -m 1500 \ 
> /usr/local/bin/tcpserver \
> >
> > -v -x /etc/tcp.smtp.cdb \
> >
> > -c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \ 
> > /usr/local/bin/rblsmtpd -b
> > -C \
> >
> > -r 'relays.ordb.org:Your message was rejected because the 
> mail server you
> > use is configured to allow OPEN RELAY - More detailed information 
> > regarding
> > this problem is available from http://www.ordb.org/lookup/?host=%IP%
> >   - Please forward 
> this error 
> > through
> > to your email server support staff for easy resolution.' \
> >
> > -r 'list.dsbl.org:Your message was rejected because the 
> message was sent
> > from a server listed in DSBL - More information regarding 
> this problem is
> > available at http://dsbl.org/listing?%IP% 
> > http://dsbl.org/listing?%IP%>  -
> > Please forward this error to your email server support staff for
> > resolution.' \
> >
> > -r 'sbl-xbl.spamhaus.org:Your message was rejected because 
> the message was
> > sent from a server listed in the Spamhaus RBL - More 
> information regarding
> > this problems is available at 
> http://www.spamhaus.org/query/bl?ip=%IP%
> >   - Please 
> forward this error to
> > your email server support staff for resolution.' \
> >
> > /var/qmail/bin/qmail-smtpd \
> >
> > /home/vpopmail/bin/vchkpw /bin/true 2>&1
> >
> >
> >
> > Can anyone help me to work around this problem 
> >
> >
> > Best Regards.
> >
> > Samir Noshy
> >
> >
> > 
> 




Re: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread tonix (Antonio Nati)
You may disable acceptance of messages from unauthenticated users only if 
you make one of these changes:

- delete any entry from rcpthosts
or
- modify auth patch so that only auth relaying is allowed.
Tonino
At 16.24 19/04/2005, you wrote:
Hi Everybody,
I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.
I think that there is a bug in the qmail-smtpd.
the bug that I can send mail as/from a local account to any other local
account Although I use SMTP auth provided by :
http://www.fehcom.de/qmail/smtpauth.html.
smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail from
an Local Account other than his Local Account to any other Local account.
Imagine that I host the two domains: companyXX.com and companyYY.com for
example.
So , an any person who did not belong to companyXX.com can Impersonate as
[EMAIL PROTECTED] and send a formal email - w/o authenticating of course -
to [EMAIL PROTECTED] or [EMAIL PROTECTED]
I want to do that to prevent any other third party - or even any local
account users- to Impersonate and send mail from an other Local Account to
any other Local account.
By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :

#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
QMAILDGID=`id -g vchkpw`
exec /usr/local/bin/softlimit -m 1500 \ /usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \ /usr/local/bin/rblsmtpd -b
-C \
-r 'relays.ordb.org:Your message was rejected because the mail server you
use is configured to allow OPEN RELAY - More detailed information regarding
this problem is available from http://www.ordb.org/lookup/?host=%IP%
  - Please forward this error through
to your email server support staff for easy resolution.' \
-r 'list.dsbl.org:Your message was rejected because the message was sent
from a server listed in DSBL - More information regarding this problem is
available at http://dsbl.org/listing?%IP%   -
Please forward this error to your email server support staff for
resolution.' \
-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was
sent from a server listed in the Spamhaus RBL - More information regarding
this problems is available at http://www.spamhaus.org/query/bl?ip=%IP%
  - Please forward this error to
your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Can anyone help me to work around this problem 
Best Regards.
Samir Noshy
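
The check this thread is asking for (refuse an unauthenticated session whose envelope sender claims a hosted domain, and hold authenticated users to their own address), as an added example that is not part of the thread and not code from qmail or the SMTP AUTH patch. `sender_policy`, its `AUTH_USER` and `RELAY_OK` inputs and the sample rcpthosts file are assumptions made for the illustration; the verdict covers only the sender check, not the relay decision.

```shell
#!/bin/sh
# Added example, not from the thread: verdict on the envelope sender of one
# SMTP session, given what is known about the client.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Succeed if DOMAIN is listed in a control/rcpthosts-style file: an exact
# entry, or a ".suffix" entry that covers every subdomain of that suffix.
is_hosted_domain() {  # is_hosted_domain DOMAIN RCPTHOSTS_FILE
    d=$(lower "$1")
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=$(lower "$entry")
        case $entry in
            '' | '#'*) ;;                                   # blank or # line
            .*) case $d in *"$entry") return 0 ;; esac ;;   # wildcard suffix
            *)  if [ "$d" = "$entry" ]; then return 0; fi ;;
        esac
    done < "$2"
    return 1
}

# Verdict for MAIL FROM:<SENDER>. AUTH_USER is the SMTP AUTH login ("" when
# the session did not authenticate); RELAY_OK is "yes" when the client IP may
# relay. Both are hypothetical inputs; wiring them to an smtpd is not shown.
sender_policy() {  # sender_policy SENDER AUTH_USER RELAY_OK RCPTHOSTS_FILE
    case $1 in
        *@*) domain=${1##*@} ;;
        *)   echo accept; return ;;      # null sender (bounces) or no domain
    esac
    if ! is_hosted_domain "$domain" "$4"; then
        echo accept; return              # ordinary inbound mail from outside
    fi
    if [ -n "$2" ]; then                 # authenticated: must send as oneself
        if [ "$(lower "$1")" = "$(lower "$2")" ]; then echo accept
        else echo reject-sender-mismatch; fi
        return
    fi
    if [ "$3" = yes ]; then echo accept; return; fi   # trusted relay client
    echo reject-unauthenticated
}

# Constructed rcpthosts using the two domains from the example in the thread.
rcpthosts=$(mktemp)
trap 'rm -f "$rcpthosts"' EXIT
printf '%s\n' companyXX.com companyYY.com .lists.example.org > "$rcpthosts"

sender_policy 'boss@companyXX.com' '' no "$rcpthosts"     # local sender, no AUTH
sender_policy 'boss@companyXX.com' 'clerk@companyyy.com' no "$rcpthosts"
sender_policy 'someone@example.net' '' no "$rcpthosts"    # ordinary inbound
```
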



Re: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Remo Mattei
Dude this is normal behavior.
Remo
- Original Message - 
From: "Samir Noshy" <[EMAIL PROTECTED]>
To: "Qmail List" ; "[EMAIL PROTECTED] Com" 

Sent: Tuesday, April 19, 2005 9:24 AM
Subject: [vchkpw] (Urgent) qmail-smtpd Bug !


Hi Everybody,
I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.
I think that there is a bug in the qmail-smtpd.
the bug that I can send mail as/from a local account to any other local
account Although I use SMTP auth provided by :
http://www.fehcom.de/qmail/smtpauth.html.
smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail 
from
an Local Account other than his Local Account to any other Local account.

Imagine that I host the two domains: companyXX.com and companyYY.com for
example.
So , an any person who did not belong to companyXX.com can Impersonate as
[EMAIL PROTECTED] and send a formal email - w/o authenticating of 
course -
to [EMAIL PROTECTED] or [EMAIL PROTECTED]

I want to do that to prevent any other third party - or even any local
account users- to Impersonate and send mail from an other Local Account to
any other Local account.
By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :

#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl" export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
QMAILDGID=`id -g vchkpw`
exec /usr/local/bin/softlimit -m 1500 \ /usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \ 
/usr/local/bin/rblsmtpd -b
-C \

-r 'relays.ordb.org:Your message was rejected because the mail server you
use is configured to allow OPEN RELAY - More detailed information 
regarding
this problem is available from http://www.ordb.org/lookup/?host=%IP%
  - Please forward this error 
through
to your email server support staff for easy resolution.' \

-r 'list.dsbl.org:Your message was rejected because the message was sent
from a server listed in DSBL - More information regarding this problem is
available at http://dsbl.org/listing?%IP% 
http://dsbl.org/listing?%IP%>  -
Please forward this error to your email server support staff for
resolution.' \

-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was
sent from a server listed in the Spamhaus RBL - More information regarding
this problems is available at http://www.spamhaus.org/query/bl?ip=%IP%
  - Please forward this error to
your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Can anyone help me to work around this problem 
Best Regards.
Samir Noshy



[vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread Samir Noshy
Hi Everybody,

I have a system consisting of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.

I think that there is a bug in qmail-smtpd.

The bug is that I can send mail as/from a local account to any other
local account, although I use SMTP auth provided by:
http://www.fehcom.de/qmail/smtpauth.html.

smtpd and SMTP Auth must prevent anyone from impersonating and sending
mail from a local account other than his local account to any other
local account.

Imagine that I host the two domains companyXX.com and companyYY.com,
for example.

So any person who does not belong to companyXX.com can impersonate
[EMAIL PROTECTED] and send a formal email - w/o authenticating, of
course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]

I want to prevent any other third party - or even any local account
user - from impersonating and sending mail from another local account
to any other local account.

By the way, my /var/qmail/supervise/qmail-smtpd/run is as follows:

#!/bin/sh

# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
export QMAILQUEUE

QMAILDUID=`id -u vpopmail`
QMAILDGID=`id -g vchkpw`

exec /usr/local/bin/softlimit -m 1500 \
/usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u "$QMAILDUID" -g "$QMAILDGID" 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r 'relays.ordb.org:Your message was rejected because the mail server you
use is configured to allow OPEN RELAY - More detailed information regarding
this problem is available from http://www.ordb.org/lookup/?host=%IP%
  - Please forward this error through
to your email server support staff for easy resolution.' \
-r 'list.dsbl.org:Your message was rejected because the message was sent
from a server listed in DSBL - More information regarding this problem is
available at http://dsbl.org/listing?%IP%   -
Please forward this error to your email server support staff for
resolution.' \
-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was
sent from a server listed in the Spamhaus RBL - More information regarding
this problems is available at http://www.spamhaus.org/query/bl?ip=%IP%
  - Please forward this error to
your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Can anyone help me to work around this problem?

Best Regards.

Samir Noshy




Re: [vchkpw] how to deny smtp request from an IP

2005-04-19 Thread Rainer Duffner
Cristi Tauber wrote:
 It has to work ... still ... you have iptables/ipf ;)
  Cristi
 


Maybe try ~vpopmail/etc/tcp.smtp  ???

Rainer


RE: [vchkpw] how to deny smtp request from an IP

2005-04-19 Thread Cristi Tauber
  It has to work ... still ... you have iptables/ipf ;)

   Cristi

-Original Message-
From: Manish Jain [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 19, 2005 2:58 PM
To: vchkpw@inter7.com
Subject: Re: [vchkpw] how to deny smtp request from an IP

I have done the same but it didn't work.

Manish Jain
(Network Administrator)
C-DAC "Anusandhan Bhawan"
C-56/1, Sector-62, Noida- 210307
Ph: 91 120 2402551-60 (Extn.- 718)
  91 120 2402563 (Direct)

- Original Message - 
From: "Adam Ossenford" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, April 19, 2005 4:54 PM
Subject: Re: [vchkpw] how to deny smtp request from an IP


> echo "x.x.x.x:deny" >> /etc/tcp.smtp && qmailctl cdb && qmailctl reload
> where x.x.x.x is the ip of the affected machine
> > I am using qmail+vpopmail.
> > In my LAN some machines are affected with some virus which is generating
> > SPAM.
> > I got the IPs of those machines from /var/log/qmail/smtp/current
> > How can I deny smtp requests from those IPs.
> >
> > thanx in advance,
> >
> > Manish Jain
> > (Network Administrator)
> > C-DAC "Anusandhan Bhawan"
> > C-56/1, Sector-62, Noida- 210307
> > Ph: 91 120 2402551-60 (Extn.- 718)
> >   91 120 2402563 (Direct)
> >
> >
> >
>
>
> -- 
> Sincerely,
>
> Adam Ossenford
> Linux Administrator
> ShoMeCom Wireless Solutions
>
>
>
>



---
This message and its contents have been scanned and certified for
transmission as being free from malicious code by <>. This
message may contain confidential, privileged or other legally protected
information. It is intended for the addressee(s) only. If you are not the
addressee, or someone the addressee authorized to receive this message, you
are prohibited from copying, distributing or otherwise using it. Please
notify the sender and return it.Thank you.
  
 






Re: [vchkpw] how to deny smtp request from an IP

2005-04-19 Thread Manish Jain
I have done the same but it didn't work.

Manish Jain
(Network Administrator)
C-DAC "Anusandhan Bhawan"
C-56/1, Sector-62, Noida- 210307
Ph: 91 120 2402551-60 (Extn.- 718)
  91 120 2402563 (Direct)

- Original Message - 
From: "Adam Ossenford" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, April 19, 2005 4:54 PM
Subject: Re: [vchkpw] how to deny smtp request from an IP


> echo "x.x.x.x:deny" >> /etc/tcp.smtp && qmailctl cdb && qmailctl reload
> where x.x.x.x is the ip of the affected machine
> > I am using qmail+vpopmail.
> > In my LAN some machines are affected with some virus which is generating
> > SPAM.
> > I got the IPs of those machines from /var/log/qmail/smtp/current
> > How can I deny smtp requests from those IPs.
> >
> > thanx in advance,
> >
> > Manish Jain
> > (Network Administrator)
> > C-DAC "Anusandhan Bhawan"
> > C-56/1, Sector-62, Noida- 210307
> > Ph: 91 120 2402551-60 (Extn.- 718)
> >   91 120 2402563 (Direct)
> >
> >
> >
>
>
> -- 
> Sincerely,
>
> Adam Ossenford
> Linux Administrator
> ShoMeCom Wireless Solutions
>
>
>
>




Re: [vchkpw] how to deny smtp request from an IP

2005-04-19 Thread Adam Ossenford
echo "x.x.x.x:deny" >> /etc/tcp.smtp && qmailctl cdb && qmailctl reload
where x.x.x.x is the ip of the affected machine
> I am using qmail+vpopmail.
> In my LAN some machines are affected with some virus which is generating
> SPAM.
> I got the IPs of those machines from /var/log/qmail/smtp/current
> How can I deny smtp requests from those IPs.
>
> thanx in advance,
>
> Manish Jain
> (Network Administrator)
> C-DAC "Anusandhan Bhawan"
> C-56/1, Sector-62, Noida- 210307
> Ph: 91 120 2402551-60 (Extn.- 718)
>   91 120 2402563 (Direct)
>
>
>


-- 
Sincerely,

Adam Ossenford
Linux Administrator
ShoMeCom Wireless Solutions
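
A diagnostic for the "it didn't work" case in this thread, as an added example that is not part of any post: tcpserver only consults the compiled cdb named by its `-x` option, so a deny line appended to a different rules file, or to the right file without a rebuild, changes nothing. The helper names and every path (all under a temporary directory) are constructed, and the script assumes the cdb is compiled from the file of the same name without `.cdb`.

```shell
#!/bin/sh
# Added example, not from the thread: find out why an appended "IP:deny"
# rule has no effect. All files live in a temporary directory.

# Print the argument of tcpserver's -x option in a run script; comment lines
# are dropped and backslash-newline continuations are flattened first.
cdb_from_run() {
    grep -v '^[[:space:]]*#' "$1" | tr '\\\n' '  ' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "-x") { print $(i + 1); exit } }'
}

# Classify the state of a deny rule for IP that was appended to EDITED.
# Assumption: the cdb is compiled from the same path without ".cdb".
check_deny() {  # check_deny RUN_SCRIPT EDITED_RULES_FILE IP
    cdb=$(cdb_from_run "$1")
    if [ -z "$cdb" ]; then echo no-rules-option; return; fi
    src=${cdb%.cdb}
    if [ "$src" != "$2" ]; then echo wrong-file; return; fi
    pattern="^$(printf '%s' "$3" | sed 's/\./\\./g'):deny"
    if ! grep -q "$pattern" "$src"; then echo rule-missing; return; fi
    # A source newer than its cdb means the rules were never recompiled.
    if [ ! -e "$cdb" ] || [ "$src" -nt "$cdb" ]; then echo cdb-stale; return; fi
    echo ok
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/etc" "$demo/home/vpopmail/etc"

# Constructed run script in the shape of the one quoted in this archive,
# here reading the rules kept under the vpopmail home directory.
cat > "$demo/run" <<EOF
#!/bin/sh
exec /usr/local/bin/softlimit -m 1500 \\
/usr/local/bin/tcpserver \\
-v -x $demo/home/vpopmail/etc/tcp.smtp.cdb \\
-c 20 -R 0 smtp /var/qmail/bin/qmail-smtpd 2>&1
EOF

printf '127.:allow,RELAYCLIENT=""\n' > "$demo/etc/tcp.smtp"
printf '127.:allow,RELAYCLIENT=""\n' > "$demo/home/vpopmail/etc/tcp.smtp"
: > "$demo/home/vpopmail/etc/tcp.smtp.cdb"      # stand-in for a compiled cdb
touch -t 200504190000 "$demo/home/vpopmail/etc/tcp.smtp.cdb"
bad_ip=192.0.2.15                               # constructed address

# Rule appended to a file tcpserver never reads.
echo "$bad_ip:deny" >> "$demo/etc/tcp.smtp"
check_deny "$demo/run" "$demo/etc/tcp.smtp" "$bad_ip"

# Rule appended to the right file, but the cdb was not rebuilt.
echo "$bad_ip:deny" >> "$demo/home/vpopmail/etc/tcp.smtp"
check_deny "$demo/run" "$demo/home/vpopmail/etc/tcp.smtp" "$bad_ip"
```
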




[vchkpw] how to deny smtp request from an IP

2005-04-19 Thread Manish Jain
I am using qmail+vpopmail.
In my LAN some machines are affected with some virus which is generating
SPAM.
I got the IPs of those machines from /var/log/qmail/smtp/current
How can I deny smtp requests from those IPs.

thanx in advance,

Manish Jain
(Network Administrator)
C-DAC "Anusandhan Bhawan"
C-56/1, Sector-62, Noida- 210307
Ph: 91 120 2402551-60 (Extn.- 718)
  91 120 2402563 (Direct)




[vchkpw] vpopmail and drbd

2005-04-19 Thread Alessio Cecchi
Hello
I'm testing a configuration of qmail+vpopmail+drbd+heartbeat on two 
servers, master and slave. My intention is to share with drbd the home 
of vpopmail, /var/qmail/users and /var/qmail/control, to set up the 
slave server in case the primary server goes down.

Does anybody have experience of this type, or suggestions?
Thanks
--
Alessio Cecchi ++ www.skye.it