Re: [vchkpw] SMTP-AUTH problem with vchkpw
Hi,

On 27.07.2011 at 00:56 a...@ltmd.org wrote:

> Just want to add that I tested right now and found that the same fresh program configurations and settings on the clean 32-bit system are working pretty well. Should I try once again to use the recordio program on a 64-bit system?

'recordio' only tells what's happening on the outside, which, as you already know, is a rejection. I'd use

  strace -fF -s 4096 -o /tmp/auth.err -p TCPSERVER-PID

to monitor what's behind the curtain. Execute this command immediately before you start your next test and stop it immediately after you failed, because it'll gather data from all connections and therefore collect a lot. Within the output (/tmp/auth.err) you might need to sort out information from test-unrelated processes. But you should also see who's gonna be called for actually doing the authentication and why it returns non-success.

--
Regards,
Peter
Re: [vchkpw] vpopmail clear password
On 20.02.10 05:19, april majd wrote:

> I actually wanted to migrate from a qmail/vpopmail setup to a postfix/dovecot which uses a mysql table. I tried copying the encrypted password from vpasswd to the mysql table, but it is not authenticating, so I assumed the encryption method is different in the two cases. Is there any way to migrate the passwords?

That depends on how your postfix/dovecot installation is set up. If they're using plain old POP3 authentication and are capable of using MD5 hashed passwords there shouldn't be a problem in re-using them. OTOH you could leave your clear text enabled recompiled vpopmail running and it should learn the clear text passwords as the users log in next time to get their mail.

--
HTH
Peter
[vchkpw] Re: Newbie - vpopmail: ERR authorization failed
Hello Jeremy,

PMFJI ...

On Wednesday, February 8, 2006 at 2:00:54 AM Jeremy wrote:

> On Tuesday 07 February 2006 09:39, Tom Collins wrote:
>> On Feb 7, 2006, at 12:25 AM, ??? wrote:
>>> exec /usr/local/bin/softlimit -m 200 \
>>>   /usr/local/bin/tcpserver -v -R -H -l 0 0 110 \
>> For starters, try a higher softlimit (like 1000). You should also include the user and group to run as (add -u89 -g89 to your tcpserver parameters)
> even for pop3? doesn't vchkpw setuid() to the vpopmail user after authenticating?

Sure. But the earlier root privileges are dropped, the more secure it is. Every process running as UID 0 is a potential security problem; every process that is not run as root gives an attacker a little more distance to the root shell he aims for. And if you *know* your POP3 daemon will always setuid() to user 'vpopmail' *and* if you know pop3d doesn't need anything more than vpopmail's permissions to authenticate all incoming requests: why risk the (admitted: very low) possibility of somebody becoming root through pop3d?

--
Best regards
Peter Palmreuther
Never try to outstubborn a cat... The cat will win!

P.S.: I don't intend to say pop3d is insecure or has potential to become remotely hacked. But you never know the future, and if you get used to running as few processes with UID 0 as possible, chances rise that you don't forget about this *when* it is necessary ;-)
[vchkpw] Re: Password format?
Hello David,

On Thursday, August 18, 2005 at 11:34:16 PM David wrote:

> So since it uses crypt, which isn't md5, there is no way for me to convert it to an md5.

It uses crypt() with MD5, if available. But that's not the same as only MD5 hashing the password, correct. And no, you can't convert the passwords, as the crypted password is not suitable to figure out the plain text password, needed for creating a plain MD5 hash.

> I guess the best thing to do then is just to store the pw's as plain text, then convert them to whatever I need to, to operate with my other systems?

Yes, you'd have to store the plain text password (which vpopmail already does, if './configure'-ed properly) and operate with it, if your other program(s) can't handle standard crypt()-ed passwords.

> Or is there a patch to have vpopmail store them as md5's?

Not that I'm aware of. But honestly: why would you want to give up a good portion of security by reverting from crypt()-MD5 to pure MD5? crypt(), using MD5, creates much more secure encrypted passwords, because of the changing SALT, while plain MD5 hashing will create the same hash over and over again, if several people use the same password. This is the reason for SALT-ing in crypt(); different encryption runs on the same password will result in a different encrypted password string as a different SALT is used every time. So an attacker can *not* guess if two passwords are the same by having a look only at the crypt()-ed version!

Tell your vpopmail to store the plain text version of passwords in addition to the crypt()-ed version and make your other program(s) work on that version. If you need an MD5-hashed version it should be rather easy to patch vpopmail to store this additional value in the database whenever it changes the password; it's just one additional column to store and vpopmail does not even have to MD5 the string itself, it just has to insert a value 'MD5(passwd)' in the SQL [INSERT|UPDATE] for MySQL, storing the MD5 hash of the password.

I'll take a look at the source later today or tomorrow, but it shouldn't be much work (except for me, I have to compile and set up a MySQL-driven vpopmail *doh*; so if anyone with vpopmail already fed by MySQL could take a look ...?).

--
Best regards
Peter Palmreuther
In space, lemmings need only open their helmets.
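To see the difference described in the post above between crypt()'s salted MD5 (the '$1$salt$hash' strings vpasswd holds) and a plain MD5(passwd) column, here is an added example; it is not code from the post or from vpopmail. md5crypt() follows the original MD5-crypt scheme of FreeBSD/glibc crypt(3), verify() does what vchkpw does with the stored field, and plain_md5() is what the proposed extra column would contain. The user names and the shared password are constructed sample data.

```python
"""crypt()-MD5 ('$1$salt$hash', as in vpasswd) versus a plain MD5(passwd) column.

Added example, not code from the post or from vpopmail.  md5crypt() follows
the original MD5-crypt scheme (FreeBSD/glibc crypt(3) with a '$1$' salt);
the user names and password are constructed sample data.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s own base-64 variant: low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return what crypt(password, '$1$' + salt) returns."""
    pw = password.encode()
    salt = salt[:8].encode()                 # crypt() uses at most 8 salt characters
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for left in range(len(pw), 0, -16):      # mix in alt, one byte per password byte
        ctx.update(alt[:min(16, left)])
    bits = len(pw)                           # NUL for each 1 bit, pw[0] for each 0 bit
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                    # the deliberate slowdown
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64(final[a] << 16 | final[b] << 8 | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt.decode(), encoded)


def new_salt(length=8):
    """Fresh random salt from crypt's alphabet; a new one for every password change."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def verify(password, stored):
    """What vchkpw does with the pw field of vpasswd: re-crypt with the stored salt."""
    if not stored.startswith("$1$"):
        raise ValueError("not an MD5-crypt string")
    salt = stored[3:].split("$", 1)[0]
    return secrets.compare_digest(md5crypt(password, salt), stored)


def plain_md5(password):
    """What a MySQL MD5(passwd) column holds: unsalted, same password -> same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def same_password_two_users(password):
    """Two users with one password: crypt() fields differ, plain MD5 fields do not."""
    return {
        "crypt": (md5crypt(password, new_salt()), md5crypt(password, new_salt())),
        "md5": (plain_md5(password), plain_md5(password)),
    }


if __name__ == "__main__":
    for kind, (alice, bob) in same_password_two_users("correct horse").items():
        print("%-5s alice=%s\n      bob  =%s  equal=%s" % (kind, alice, bob, alice == bob))
```

The point of the post falls out of the last function: two vpasswd entries never reveal that alice and bob share a password, the two MD5() column values do, and any rainbow table for unsalted MD5 covers both at once.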
[vchkpw] Re:
Hello,

On Friday, August 19, 2005 at 10:34:23 AM Peter (I) wrote:

> If you need an MD5-hashed version it should be rather easy to patch vpopmail to store this additional value in the database whenever it changes the password; it's just one additional column to store and vpopmail does not even have to MD5 the string itself, it just has to insert a value 'MD5(passwd)' in the SQL [INSERT|UPDATE] for MySQL, storing the MD5 hash of the password. I'll take a look at the source later today or tomorrow [...]

And I did take a look. The patch is rather simple; I just sent it to David. As I don't expect much interest in MD5-hashed[1] passwords stored in the database I didn't send it here. If somebody is interested please drop me a note.

[1] not to be mixed up with crypt() using MD5 to hash the password

--
Best regards
Peter Palmreuther
Economics is extremely useful as a form of employment for economists.
[vchkpw] Re: POP not working.. am at a loss
Hello Wouter,

Remove the 'recordio' calls, they won't tell you anything you wouldn't see in 'telnet' also. Open a telnet to port 110, use 'ps' to figure out the PID of the 'qmail-popup' you're connected to and execute

  strace -fFtTo /tmp/qmail-popup.log -s 128 -p $PID

Then try to log in.

The log you provided does not contain enough information and seems to be a trace of the wrong process for figuring out the reason of your problem (you seem to have traced the telnet, not the qmail-popup process). Please send the *complete*, unaltered trace output; every cutting, editing or information hiding might lead to wrong results. I'd therefore assume you use a test account you are about to delete after your problem is solved, for not accidentally revealing a real e-mail address or password.

--
Best regards
Peter Palmreuther
...My coat contained a furnace where there used to be a guy.
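Both strace posts above (this one and the 2011 one about SMTP-AUTH) leave the reader with a large trace file to sort through. As an added example that is not code from the posts or from vpopmail/qmail, the script below pulls the two lines that answer the question out of 'strace -f' output: the execve() of the checkpassword program and the '+++ exited with N +++' line of that PID, interpreted with the exit codes the checkpassword interface defines. It also flags the qmail-popup argument-order mistake (a path where the host name belongs). The trace embedded in it is constructed to look like 'strace -f -o' output; the paths, PIDs and account are assumptions.

```python
"""Find the checkpassword call and its exit status in an 'strace -f' log.

Added example, not code from the posts, vpopmail or qmail.  SAMPLE_TRACE is
constructed to look like 'strace -f -o FILE' output (PID, then the syscall);
a real trace is much longer and mixes several connections.
"""
import os
import re
from collections import defaultdict

# Exit codes defined by the checkpassword interface (cr.yp.to/checkpwd/interface.html).
CHECKPASSWORD_EXIT = {
    0: "accepted",
    1: "unacceptable: wrong user or password",
    2: "misused: protocol error, e.g. nothing to read on fd 3",
    111: "temporary failure, e.g. the user database is not reachable",
}

PID_RE = re.compile(r"^(?:\[pid\s+)?(\d+)\]?\s+(.*)$")
EXECVE_RE = re.compile(r'^execve\("([^"]+)",\s*\[(.*?)\],\s*[^)]*\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
EXIT_RE = re.compile(r"^\+\+\+ (?:exited with (\d+)|killed by (\w+)(?: \(core dumped\))?) \+\+\+")

SAMPLE_TRACE = r"""2001  execve("/var/qmail/bin/qmail-popup", ["/var/qmail/bin/qmail-popup", "mail.example.net", "/home/vpopmail/bin/vchkpw", "/var/qmail/bin/qmail-pop3d", "Maildir"], [/* 11 vars */]) = 0
2001  read(0, "user alice@example.net\r\n", 1024) = 24
2001  pipe([3, 4])                      = 0
2001  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD) = 2002
2002  execve("/home/vpopmail/bin/vchkpw", ["/home/vpopmail/bin/vchkpw", "/var/qmail/bin/qmail-pop3d", "Maildir"], [/* 12 vars */]) = 0
2002  read(3, "alice@example.net\0wrong-pass\0\0", 512) = 30
2002  exit_group(1)                     = ?
2002  +++ exited with 1 +++
2001  write(1, "-ERR authorization failed\r\n", 27) = 27
"""


def parse_trace(text):
    """pid -> [(path, argv, return value, errno name)] and pid -> exit status."""
    execs, exits = defaultdict(list), {}
    for line in text.splitlines():
        m = PID_RE.match(line)
        pid, rest = (int(m.group(1)), m.group(2)) if m else (0, line)
        e = EXECVE_RE.match(rest)
        if e:
            execs[pid].append((e.group(1), ARG_RE.findall(e.group(2)), int(e.group(3)), e.group(4)))
            continue
        x = EXIT_RE.match(rest)
        if x:
            exits[pid] = int(x.group(1)) if x.group(1) is not None else "killed by " + x.group(2)
    return execs, exits


def checkpassword_results(text, checker="vchkpw"):
    """One record per attempt to run the checker: how it was called and how it ended."""
    execs, exits = parse_trace(text)
    results = []
    for pid, calls in sorted(execs.items()):
        for path, argv, ret, err in calls:
            if os.path.basename(path) != checker:
                continue
            if ret != 0:    # never ran: wrong path in the run script or no execute permission
                results.append({"pid": pid, "argv": argv, "exit": None,
                                "meaning": "execve failed with %s" % err})
                continue
            code = exits.get(pid)
            meaning = CHECKPASSWORD_EXIT.get(code, "unknown status %r (still running when the trace ended?)" % (code,))
            results.append({"pid": pid, "argv": argv, "exit": code, "meaning": meaning})
    return results


def popup_arg_problems(text):
    """qmail-popup's first argument is the host name; a path there means the
    checkpassword program is used as the host name and the real checker never runs."""
    execs, _ = parse_trace(text)
    problems = []
    for pid, calls in sorted(execs.items()):
        for path, argv, ret, _err in calls:
            if ret == 0 and os.path.basename(path) == "qmail-popup":
                if len(argv) < 3 or argv[1].startswith("/"):
                    problems.append("pid %d: no host name argument: %s" % (pid, " ".join(argv)))
    return problems


if __name__ == "__main__":
    for r in checkpassword_results(SAMPLE_TRACE):
        print("pid %d: %s -> exit %r: %s" % (r["pid"], " ".join(r["argv"]), r["exit"], r["meaning"]))
    for p in popup_arg_problems(SAMPLE_TRACE):
        print(p)
```

Run it against a real file with `checkpassword_results(open("/tmp/qmail-popup.log").read())`; the exit line belongs to the child PID, not to the PID strace was attached to, which is why `-f` is needed in the first place.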
[vchkpw] Re: a vpopbull question
Hello List,

On Monday, August 8, 2005 at 11:34:54 PM mbeltran wrote:

> Somebody knows how can I post an email in html format to several virtualdomains in my system box with vpopbull?

Yes. Create the mail using your favorite MUA, save the mail source to your server into a text file. Use 'vpopbull -f' plus '-h', '-s' or '-c' to put the mail into the mailboxes.

What's the problem? What did you already try to do? Where did you fail?

--
Best regards
Peter Palmreuther
Keyboard: Device used to enter errors into the computer.
[vchkpw] Re: Apache and qmail (with vpopmail) account in the same directory
Hello Adi,

On Wednesday, July 27, 2005 at 4:44:11 PM Adi wrote:

>>> Everything is possible, but I think you'd better switch Apache's DocumentRoot to (let's say) /home/vpopmail/domains/blabla/htdocs/ than to modify vpopmail's default locations.
>> Why?
> Well, assuming he has an already established, up and running setup, I think it's easier to move existing www directories than to move the existing virtual mail domains. For example, on a running system it's quite handy (IMO) to restart Apache with a modified configuration for virtual hosts and test the changes, instead of playing with the email system.

Confirmed, this is most probably right, but shouldn't the decision be not what's easier to change now but rather what's the necessity behind this change? What if I've already set up, in addition to Apache and vpopmail, a ProFTPD which authenticates virtual users against a database and uses their home directory somewhere within these several htdocs? And/or if there are already scripts that assume file locations in one/some of the htdocs dirs? Or a lot of other possibilities that show a dependency on old htdocs directories? Or if 'htdocs' are located on a partition with far more disk space available (because domains might host a *very* lot of / very big files) and vpopmail is on a smaller one, that might not be big enough for vpopmail *and* htdocs (while the other one is). That would *maybe* make it easier to migrate vpopmail domains to the new location, wouldn't it?

Don't get me wrong, I don't intend to say this is the case anytime, anywhere. I just think it is *not* _better_ to switch Apache's DocumentRoot, but it is just *one* possible way that *might* end up in less work to do. *MIGHT*, if circumstances are good. So we should be careful with advice on what's better or worse, unless we know all the facts. I think we should concentrate on advice on *what's possible* and let the originator decide what's better (or ask again about that ;-) ).

As always: no offense intended ;-)

--
Best regards
Peter Palmreuther
The Delta-United Ring Formation Theory states that the rings of Saturn are composed entirely of lost airline luggage.
[vchkpw] Re: Apache and qmail (with vpopmail) account in the same directory
Hello Listas,

On Tuesday, July 26, 2005 at 5:18:52 PM Listas wrote:

> So far everything works just fine but it would be great if the email accounts and web hosting space could be set up in the same directory. Instead of web sites in /home/virtuals/DOMAIN/www/htdocs and vpopmail domain in /home/vpopmail/DOMAIN/blablabla I want to set up vpopmail so that everything is located in /home/virtual/DOMAIN/blablabla
> Is this possible?

Yes. Use the '-d' switch for 'vadddomain':

  mkdir /home/virtual/DOMAIN/mail
  vadddomain -d /home/virtual/DOMAIN/mail DOMAIN

and vpopmail will put all DOMAIN related files to '/home/virtual/DOMAIN/mail' and set up '/var/qmail/users/assign' accordingly. Beware: vpopmail will create a directory named 'domains' in './mail/', so the final structure will be:

  /home/virtual/DOMAIN/mail/domains/DOMAIN

but that shouldn't really matter as long as the goal is to get all files of a DOMAIN into one directory and its children.

--
Best regards
Peter Palmreuther
Matrimony isn't a word, it's a sentence.
[vchkpw] Re: Apache and qmail (with vpopmail) account in the same directory
Hello Adi,

On Tuesday, July 26, 2005 at 5:41:24 PM Adi wrote:

> Everything is possible, but I think you'd better switch Apache's DocumentRoot to (let's say) /home/vpopmail/domains/blabla/htdocs/ than to modify vpopmail's default locations.

Why?

--
Best regards
Peter Palmreuther
Unleaded Sunshine: Where the sun shines darkness...
[vchkpw] Re: Apache and qmail (with vpopmail) account in the same directory
Hello Listas,

On Tuesday, July 26, 2005 at 6:59:19 PM Listas wrote:

>>> So far everything works just fine but it would be great if the email accounts and web hosting space could be set up in the same directory. Instead of web sites in /home/virtuals/DOMAIN/www/htdocs and vpopmail domain in /home/vpopmail/DOMAIN/blablabla I want to set up vpopmail so that everything is located in /home/virtual/DOMAIN/blablabla
>>> Is this possible?
>> Yes. Use the '-d' switch for 'vadddomain':
>>   mkdir /home/virtual/DOMAIN/mail
>>   vadddomain -d /home/virtual/DOMAIN/mail DOMAIN
>> and vpopmail will put all DOMAIN related files to '/home/virtual/DOMAIN/mail' and set up '/var/qmail/users/assign' accordingly. Beware: vpopmail will create a directory named 'domains' in './mail/', so the final structure will be:
>>   /home/virtual/DOMAIN/mail/domains/DOMAIN
>> but that shouldn't really matter as long as the goal is to get all files of a DOMAIN into one directory and its children.
> What if instead of /home/virtual/DOMAIN for each web site domain I use /home/virtual/domains/DOMAIN/...? That way I can set up the email accounts with the following:
>   vadddomain -d /home/ test1.com.ar
>   vadddomain -d /home/ test2.com.ar
>   vadddomain -d /home/ test3.com.ar

1) vadddomain -d /home/virtual ...

2) Maybe it's easier to
  * usermod -d /home/virtual vpopmail
  * recompile vpopmail
  * modify paths in /var/qmail/assign
  * modify paths in /home/vpopmail/domains/*/.qmail-*
  [ * modify paths in /home/vpopmail/domains/*/*/.qmail ]
This way you don't have to pass the '-d' parameter on every vadddomain call, but still have the domains' mail and can have their HTDOCS in /home/virtual.

> The only problem would be the permissions. How would that be?

Apache can be run as user vpopmail, if it only serves domains from your vpopmail name space. Two Apaches with x (x >= 2) IP addresses solve the problem of domains not handled by vpopmail being served. First one running as vpopmail, second (third, whatever) one running as the usual web user.

What's your concrete problem/desire/imagination/wish?

--
Best regards
Peter Palmreuther
A man's got to know his limitations. (Clint Eastwood)
[vchkpw] Re: Qmail mail in queue and not being delivered
Hello Taki,

On Monday, July 25, 2005 at 9:33:24 PM Taki wrote:

> I am running FreeBSD 4.11 with Qmail. When I start the qmail process I see the emails coming in to the Mail Queue but they are not being delivered locally.

What do the logs say? Why do you think the mail sticks in the queue?

> The mail is not going to the /var/mail/username.

Why do you expect the mail to end up in /var/mail/username? If you use vpopmail, which I assume, as you write to its list which handles *vpopmail* issues, not qmail issues in general, I'd expect the mail to go to '~vpopmail/domains/$DOMAIN/$USER/Maildir/'.

> Any ideas why this isn't working?

Yes.
- Either you set up something wrong
- Or it is working, you just don't see it.

--
Best regards
Peter Palmreuther
Choosy perverts choose .GIF!
[vchkpw] Re: QMail will not deliver email
Hello List,

On Sunday, July 17, 2005 at 7:06:05 AM BSUMRALLL wrote:

> /usr/bin/qmailctl cdb
> Which told me
>   /usr/bin/qmailctl: line 102: /etc/tcp.smtp: No such file or directory
>   chmod: cannot access `/etc/tcp.smtp.cdb': No such file or directory
>   Reloaded /etc/tcp.smtp.
> This is not supposed to be looking for it there, is it?

It is. qmailctl expects the file at this location. vpopmail can be compiled to use *this* file too (if not configured it does not guess where the file is, but simply assumes you configure the rest to use *its* file). Replace '/etc/tcp.smtp' and '/etc/tcp.smtp.cdb' with symlinks to the files in '/home/vpopmail/etc' and you're done.

> Mail is being accepted by QMail in the logs error free, but not being delivered.

This has nothing to do with 'tcp.smtp.cdb'.

> Suggestions?

Yes: what (exactly) do the logs say? What does 'qmail-showctl' say?

--
Best regards
Peter Palmreuther
US out of North America, NOW!! - Richard O'Rourke
[vchkpw] Re: vpasswd
Hello Mike,

On Saturday, July 16, 2005 at 1:37:28 AM Mike wrote:

> Vpopmail admin here...no genius though. Am running vpopmail w/o clear text passwords - started with older version - Wondering if there is any way to export domain users to TSV file, or CSV file - hopefully with passwords. Any funky utilities out there?

Perl, awk. If you really need the plain text passwords, compile a current vpopmail version enabling the 'learn-password' feature, let it run a few days/weeks until all users have logged in successfully via POP3 (and w/o you using a current Courier daemon method, as this does not lead to passwords being remembered in vpasswd). Then run Perl/awk to export 'vpasswd' to whatever format you need; it really is only splitting the records up on ':', each line a user.

--
Best regards
Peter Palmreuther
Push any key. Then push the any other key.
[vchkpw] Re: smtp-auth problem
Hello Jeremy,

On Friday, July 8, 2005 at 2:33:44 AM Jeremy wrote:

> On Thursday 07 July 2005 02:31 am, Peter Palmreuther wrote:
>> On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:
>>>> Please post the output of /var/qmail/bin/qmail-showctl
>>> rcpthosts: (Default.) SMTP clients may send messages to any recipient.
>> *THIS* is your problem: you don't have any domain in 'rcpthosts' and therefore your qmail-smtpd feels responsible for *all* domains = your installation is an open relay.
> while this certainly is the problem, it's not as you describe. if rcpthosts exists, but is empty, clients must have RELAYCLIENT to send messages.

My fault. I should have written "as you don't have the file rcpthosts" instead of "don't have any domain in". But the point was qmail-showctl saying "clients may send messages to any recipient" and to make something to change this ;-)

--
Best regards
Peter Palmreuther
Ansi-Artists do it creatively...
[vchkpw] Re: smtp-auth problem
Hello List,

On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:

>> Please post the output of /var/qmail/bin/qmail-showctl
> rcpthosts: (Default.) SMTP clients may send messages to any recipient.

*THIS* is your problem: you don't have any domain in 'rcpthosts' and therefore your qmail-smtpd feels responsible for *all* domains = your installation is an open relay. Put

  linux.koneg.de
  koneg.de
  gs-altneudorf.de

into 'rcpthosts'; this will make your installation accept only mail to one of these domains, unless RELAYCLIENT is set (which is done if you SMTP-AUTH). Additionally follow Jeremy's advice to delete these domains from 'locals' and insert them, formatted correctly, into 'virtualdomains' to make vpopmail handle them again.

--
Best regards
Peter Palmreuther
Your true value depends entirely on what you are compared with.
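The rcpthosts rule this post and the July 8 correction above turn on (a missing file accepts every recipient; an existing but empty file accepts none unless RELAYCLIENT is set) as a small model, an added example that is not code from the posts or from qmail. It follows qmail-control(5): an entry matches the recipient's domain exactly, an entry starting with '.' matches any subdomain below it, and RELAYCLIENT (set by the SMTP-AUTH patch after a successful AUTH, or by a tcp.smtp.cdb rule) bypasses the check. morercpthosts is left out and recipients without a domain part are simply rejected. The domain names are the ones quoted in the thread; the probe addresses are constructed.

```python
"""Model of qmail-smtpd's RCPT TO check against control/rcpthosts.

Added example, not code from the posts or from qmail.  Covers the three
cases discussed in the thread: no rcpthosts file (everything accepted, i.e.
an open relay), an rcpthosts file with domains, and RELAYCLIENT being set.
"""


def _domain(recipient):
    """Lower-cased domain part of an envelope recipient, '' if there is none."""
    if "@" not in recipient:
        return ""
    return recipient.rsplit("@", 1)[1].strip("<>").lower()


def rcpt_allowed(recipient, rcpthosts, relayclient=None):
    """Decide a RCPT TO.

    rcpthosts:   None if control/rcpthosts does not exist, otherwise its lines.
    relayclient: value of $RELAYCLIENT (any string, even ''), None if unset.
    """
    if relayclient is not None:
        return True                     # authenticated / listed in tcp.smtp.cdb
    if rcpthosts is None:
        return True                     # the "(Default.)" case: open relay
    domain = _domain(recipient)
    if not domain:
        return False                    # no domain part: rejected here (simplification)
    for raw in rcpthosts:
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith("."):
            if domain.endswith(entry):
                return True             # '.koneg.de' covers mail.koneg.de, not koneg.de
        elif domain == entry:
            return True
    return False


def audit(rcpthosts, probes):
    """Return the probe recipients an unauthenticated client could relay to."""
    return [r for r in probes if rcpt_allowed(r, rcpthosts)]


# The domains from the thread and constructed probe addresses.
THREAD_DOMAINS = ["linux.koneg.de", "koneg.de", "gs-altneudorf.de"]
PROBES = ["user@koneg.de", "someone@victim.example", "x@mail.gs-altneudorf.de"]

if __name__ == "__main__":
    print("no rcpthosts file:", audit(None, PROBES))             # everything relays
    print("empty rcpthosts:  ", audit([], PROBES))               # nothing relays
    print("populated:        ", audit(THREAD_DOMAINS, PROBES))   # only own domains
```

The first two lines of output are the whole point of the correction: an empty file is the safe default, a missing file is the open relay that filled patrick's queue.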
[vchkpw] Re: smtp-auth problem
Hello List,

On Monday, July 4, 2005 at 11:47:36 PM patrick wrote:

> I'm using qmail and vpopmail and just patched up with smtp-auth,

Which SMTP-AUTH patch?

> I'm using /home/vpopmail/bin/vchkpw in my ~/qmail-smtpd/run-script...

Please post the complete run script, because parameter order matters.

> While using Outlook Express to send emails over my server everything works like it should work when I select "Server uses authentication" (server refuses to send mail with wrong password), but if I DON'T select "Server uses auth.." my server just sends everything via smtp...

Might you have still compiled roaming users relay control into your vpopmail? Might your Outlook Express have POP3-authenticated while you were testing SMTP-AUTH and your IP therefore still be allowed to relay?

> How comes checkpassword in that?

What?

> I haven't installed this cmd5check...something-tool... Do I need to?

What 'cmd5check...something-tool'? I can't remember any 'cmd5check...something-tool' regarding vpopmail.

--
Best regards
Peter Palmreuther
I belong to no organized party - I am a democrat.
[vchkpw] Re: smtp-auth problem
Hello List,

On Tuesday, July 5, 2005 at 8:50:01 AM patrick wrote:

>>> I'm using qmail and vpopmail and just patched up with smtp-auth,
>> Which SMTP-AUTH patch?
> I'm using Version 0.31

From which source exactly? What's the complete download URL you used to get this patch?

> exec /usr/local/bin/softlimit -m 400 \
>   /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
>   -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd \
>   koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1

Looks fine.

>> Might you have still compiled roaming users relay control into your vpopmail?
> How can I check that?

You should know which parameters you used to compile vpopmail. You should have seen a summary of the used parameters when you './configure'-ed vpopmail.

>> Might your Outlook Express have POP3-authenticated while you were testing SMTP-AUTH and your IP therefore still be allowed to relay?
> I don't think so... I restarted Outlook Express with wrong password settings for POP3, and tried to send mail without getting the pop-box before... it still works without auth.

What's the output of

  strings /etc/tcp.smtp.cdb

??? Is your client's IP enumerated there?

> I read in several manuals that they use cmd5checkpw or the checkpassword-tool with smtp-auth. But as far as I understood vchkpw should do the job...

Correct. *You* use 'vchkpw' as password checking tool, because you want to check against the vpopmail handled user pool. Forget about the other tools, unless you want to authenticate against a different database than vpopmail's.

--
Best regards
Peter Palmreuther
Blessed are they that run around in circles, for they shall be known as wheels.
[vchkpw] Re: smtp-auth problem
On Tuesday, July 5, 2005 at 10:35:30 AM patrick wrote:

>> From which source exactly? What's the complete download URL you used to get this patch?
> http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.31.tar.gz

OK, then the parameters should be OK.

> Well, I did not compile vpopmail by myself. It was pre-installed on my root-server (Suse Linux 9.2). Any way to find out and maybe change now?

Change? No. Not without recompiling. But as you said your client's IP ain't listed it can't be the reason for you being allowed to relay without authenticating.

> Besides that I know that other hosts can send over my server 'cause I can see spam mails in my queue from time to time, last week I had about 33000 of them in my queue... That was exactly the point of time when I started to check that smtp-authentication...

Well, that looks in fact like an open relay. Please post the output of

  /var/qmail/bin/qmail-showctl

--
Best regards
Peter Palmreuther
A boy gets to be a man when a man is needed.
[vchkpw] Re: smtp after pop
Hello List,

On Tuesday, July 5, 2005 at 7:24:19 PM patrick wrote:

> by the way: does anyone know a good howto to use smtp after pop with vpopmail? regards

That's exactly the 'roaming users' feature of vpopmail. Ask your provider if the pre-installed vpopmail was compiled enabling this feature; if not: rebuild vpopmail (recompile, maybe repack for not disturbing the package management). Read the vpopmail documentation about 'roaming users', 'clearopensmtp' and daemontools' documentation about the meaning of the '-x' parameter for 'tcpserver'. Seems most of the stuff is already set up, as I've seen in your 'run' script ('-x' is present and just needs to point to the correct file, which can be achieved with the help of a symlink).

--
Best regards
Peter Palmreuther
Blessed are the censors, for they shall inhibit the earth.
[vchkpw] Re: block non-relay from remote to local?
Hello Billy,

On Saturday, July 2, 2005 at 6:32:47 PM Billy wrote:

>> N.B.: Number of authentications should not play a role in accessing your cdb file; if you've configured vpopmail to only use MySQL the cdb will be as static as your kernel: unless *you* change it, it won't change.
> (I'm going by memory, so this is a paraphrase.) If you aren't familiar with the Matt Simerson mysql patch, it was born because there can be major lookup problems with the cdb file, especially using POP before SMTP.

Have tested it a long time ago and know why it was developed, albeit I don't actively use it.

> Mysql has no problem with the above scenario, as it is designed for heavy accesses and changes to its tables.

Absolutely right. But: what's the matter with 'POP-before-SMTP done through MySQL' and additionally using a .cdb file for static entries? Does the patch nevertheless do a MySQL lookup, even if something is found in the .cdb file? In this case a .cdb file in fact wouldn't make much sense, except for the fact that the answer from MySQL could be kept short (no result) and some parsing time could be spared.

--
Best regards
Peter Palmreuther
An authority: someone who knows lots of things you could care less about.
[vchkpw] Re: block non-relay from remote to local?
Hello Paul,

On Friday, July 1, 2005 at 1:05:50 AM Paul wrote:

>>> okay, i presume then that there's a way to add permanent relay entries into the mysql database.
>> no need for this, just edit your tcp.smtp file and add a static entry.
> i wish - except for this config option when i built vpopmail:
>   --disable-rebuild-tcpserver-file \
> neither my /service/smtpd/tcp.cdb nor /u1/etc/tcp.smtp.cdb are being accessed.

vpopmail does not need to access these files. tcpserver needs to. Just add some static entries and tell tcpserver to use 'tcp.smtp.cdb' (whichever of the two you prefer) and let tcpserver *additionally* use the MySQL database to look for dynamic relay allowances.

--
Best regards
Peter Palmreuther
Wonder what my life would be without me.
[vchkpw] Re: block non-relay from remote to local?
Hello Paul,

On Friday, July 1, 2005 at 9:09:22 AM Paul wrote:

>>> i wish - except for this config option when i built vpopmail:
>>>   --disable-rebuild-tcpserver-file \
>>> neither my /service/smtpd/tcp.cdb nor /u1/etc/tcp.smtp.cdb are being accessed.
>> vpopmail does not need to access these files. tcpserver needs to. Just add some static entries and tell tcpserver to use 'tcp.smtp.cdb' (whichever of the two you prefer) and let tcpserver *additionally* use the MySQL database to look for dynamic relay allowances.
> sure - i know i can do that. but with the rate of connections and authentications that take place on my systems, i don't want to go back to the overhead of having that file touched multiple times per second.

YMMV, but 'fopen()', a fast, hash-driven seek (the way 'cdb' works) and a quick 'read' of a few bytes should be less overhead than a complete SQL query, including parsing the result. Even if your MySQL runs locally and is accessed through a UNIX socket I'd expect it to be not only more overhead, but also to take more time than this quick, local, read-only, precise access in a small file. But it's your system; whatever makes you happy and serves your needs can be your solution.

N.B.: Number of authentications should not play a role in accessing your cdb file; if you've configured vpopmail to only use MySQL the cdb will be as static as your kernel: unless *you* change it, it won't change.

--
Best regards
Peter Palmreuther
Are you still here? The message is over. Go away!
[vchkpw] Re: smtp auth - md5 learn pass
Hello Casey,

On Sunday, June 19, 2005 at 12:22:05 AM Casey wrote:

> On Saturday 18 June 2005 10:13, Peter Palmreuther wrote:
>> How did you log in? SMTP-AUTH using CRAM-MD5?
> PLAIN with IMAP (dovecot).

And dovecot is configured to explicitly use 'vchkpw', and 'vchkpw' is for sure the version from the 'compile with --enable-clear-password' build? I'm asking because I used the 'silent convert' myself already several times and 'fetched' plain text passwords this way to be inserted into 'vpasswd'. Though I haven't used it recently with a current version (latest I tested with is 5.4.5), I can't imagine why it should be broken, as I don't see any indication somebody changed something in this functionality.

You might try this:

- Edit 'vpasswd' to remove the clear password
- run 'vmkpasswd $DOMAIN'
- run
    printf [EMAIL PROTECTED] | vchkpw /usr/bin/env 3<&0
- check if the environment was printed (should be, with the correct password presented)
- check 'vpasswd' and 'vpasswd.cdb'.

If the clear text password is present in both now for the modified account, dovecot uses something different than the 'vchkpw' you just used. If not: double and triple check if 'vchkpw' is the same as in the build directory; if so: compile without any '-O' and with the '-g2' option and debug vchkpw e.g. using gdb.

--
Best regards
Peter Palmreuther
Dew knot trussed yore spell checquer two fined awl mistakes.
[vchkpw] Re: smtp auth - md5 learn pass
Hello Casey,

On Sunday, June 19, 2005 at 9:52:55 PM Casey wrote:

>> - run
>>     printf [EMAIL PROTECTED] | vchkpw /usr/bin/env 3<&0
>> - check if the environment was printed (should be, with the correct password presented)
>> - check 'vpasswd' and 'vpasswd.cdb'.
> That works [...]

If *THAT* works your dovecot must use something else but this 'vchkpw' you used, or use non-plain authentication (I don't know dovecot, so I don't know about its capabilities), because otherwise it does nothing different than printing the username-password string to file descriptor 3 of vchkpw, and vchkpw then updates vpasswd.

--
Best regards
Peter Palmreuther
A woman is like a dresser ... some man always goin' through her drawers.
[vchkpw] Re: smtp auth - md5 learn pass
Hello Casey,

On Saturday, June 18, 2005 at 10:35:58 AM Casey wrote:

>> AFAIR it does exactly what you said.
> Nope, doesn't seem to. I rebuilt vpopmail with it enabled, edited out the cleartext portions of a vpasswd file, and logged in a bunch of times as that user. No updates to vpasswd. :(

How did you log in? SMTP-AUTH using CRAM-MD5? If so the clear text password can't be added to vpasswd, because the clear text password didn't make it to the server. You'll need to authenticate using a plain text method, like LOGIN or PLAIN or POP3 login (not using APOP). Additionally you should make sure you rebuilt vpasswd.cdb after you edited vpasswd, because otherwise vchkpw will still see the clear text password in vpasswd.cdb and therefore see no reason to update anything. vchkpw does *not* look into vpasswd if everything is OK; it just updates the clear text password in there if it fails to find one in the .cdb file.

--
Best regards
Peter Palmreuther
We care a lot about the Garbage Pail Kids, they never lie...
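What actually travels on file descriptor 3 in the 'printf ... | vchkpw /usr/bin/env 3<&0' test from the first of these three posts, and why a CRAM-MD5 login can never feed the learn-password feature (the server only ever sees a digest, so there is no clear text to write to vpasswd): an added example that is not code from the posts, vpopmail or qmail. frame() builds the bytes a caller writes, parse() is the checker's view of them, and run_checker() runs a real checkpassword program exactly as the one-liner does; the checker path, login and password are assumptions.

```python
"""The checkpassword conversation vchkpw takes part in.

Added example, not code from the posts, vpopmail or qmail.  The caller
(qmail-popup, qmail-smtpd with the AUTH patch, or the shell one-liner from
the post) writes  login NUL password NUL timestamp NUL  -- at most 512 bytes
-- to the checker's file descriptor 3 (cr.yp.to/checkpwd/interface.html);
the checker exits 0 (ok), 1 (bad), 2 (misused) or 111 (temporary).
Paths and the sample login are assumptions.
"""
import subprocess

MAX_LEN = 512
EXIT_MEANING = {0: "accepted", 1: "unacceptable", 2: "misused", 111: "temporary failure"}


def frame(login, password, timestamp=""):
    """Bytes for fd 3: each field NUL-terminated; the timestamp may be empty."""
    fields = (login, password, str(timestamp))
    if any("\0" in f for f in fields):
        raise ValueError("fields must not contain NUL")
    data = "".join(f + "\0" for f in fields).encode()
    if len(data) > MAX_LEN:
        raise ValueError("checkpassword input is limited to %d bytes" % MAX_LEN)
    return data


def parse(data):
    """The checker's side: split fd-3 input.  A malformed buffer is what exit 2 is for."""
    if len(data) > MAX_LEN:
        raise ValueError("more than %d bytes on fd 3" % MAX_LEN)
    parts = data.split(b"\0")
    if len(parts) < 4:      # login, password, timestamp, and the tail after the last NUL
        raise ValueError("login, password or timestamp not NUL-terminated")
    return tuple(p.decode() for p in parts[:3])


def is_wellformed(data):
    """True if parse() accepts the buffer."""
    try:
        parse(data)
        return True
    except ValueError:
        return False


def run_checker(checker, login, password, subprogram=("/usr/bin/env",)):
    """Run a checkpassword program the way the post does by hand,
         printf 'login\\0password\\0\\0' | checker /usr/bin/env 3<&0
    and return its exit code.  With /usr/bin/env as subprogram, exit 0 means the
    password was accepted and env printed the environment vchkpw set up."""
    cmd = ["/bin/sh", "-c", 'exec "$0" "$@" 3<&0', checker, *subprogram]
    return subprocess.run(cmd, input=frame(login, password)).returncode


if __name__ == "__main__":
    code = run_checker("/home/vpopmail/bin/vchkpw", "alice@example.net", "s3cret")
    print("vchkpw exited %d: %s" % (code, EXIT_MEANING.get(code, "unknown")))
```

Because the shell dups stdin onto fd 3, stdin and fd 3 are the same pipe; vchkpw only reads fd 3, so that does no harm, but a checker that also reads stdin would see the password twice. For an interactive test, `/usr/bin/env` as subprogram is the right choice: it prints the environment only when the checker accepted the password and executed it.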
[vchkpw] Re: no $HOME/Maildir
Hello Ruslan,

On Friday, June 17, 2005 at 3:02:52 PM Ruslan wrote:

> +OK 2948.1119011293@/home/vpopmail/bin/vchkpw

Check your POP3 daemon startup script. Seems you're starting

  ... qmail-popup vchkpw ...

instead of

  ... qmail-popup HOSTNAME vchkpw ...

--
Best regards
Peter Palmreuther
It seems like the less a statesman amounts to, the more he loves the
[vchkpw] Re: Request for new feature: Internal-only accounts
Hello Casey,

On Wednesday, June 15, 2005 at 9:08:38 AM Casey wrote:

> On Tuesday 14 June 2005 20:44, Peter Palmreuther wrote:
>> Maybe because of easier mail user management and the lack of necessity to create a system user ID for every mail recipient?!
> Well, I suppose it's a matter of opinion, but I find it easier to manage system users (who need not be able to log in) on a dedicated mail server than to deal with the complexities of vpopmail. A single interface to manage either style could be made easily enough.

Guess I made myself not clear. 'mail user management' was meant for 'e-mail only users' only! Even with only one e-mail domain I find it easier to maintain these users e.g. using 'qmailadmin' than to maintain '/etc/passwd' entries.

> I'm not quite sure why you add the '?!' on there, because an entry in /etc/passwd is less complex than an entry in /var/vpopmail/domain/whatever/vpasswd, certainly not more so!

I added '?!' because you wondered about why somebody would want to use vpopmail for only a single domain and I can not answer this question for everybody else. So '?' meant to say: "Maybe somebody has different reasons for doing this?" and '!' was intended to express: "This is the reason why I do install vpopmail even on single-domain servers!" :-)

--
Best regards
Peter Palmreuther
The only difference between a rut and a grave is their dimensions.
[vchkpw] Re: REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Hello Bruno,

On Tuesday, June 14, 2005 at 2:29:58 PM Bruno wrote:

> Let me see if I understood your plan. You say that, in order to disable the RELAYCLIENT for just some accounts, and this way, setting them as partially** internal-only, I should:
> 1 - Disable the pop-before-smtp scheme by recompiling vpopmail. (OR disable it just for a specific domain by running vmoduser -r domainname.), AND
> Remove the RELAYCLIENT variable for the whole network, AND
> Enable the SMTP-AUTH scheme on the qmail server, AND configure full accounts (not internal-only) to authenticate via SMTP-AUTH.

Correct.

> Is this what you planned?

Yes. As it was rather late yesterday when I wrote my mail I wasn't 100% concentrated. Sorry.

'vmoduser -r' will disable the 'open_relay()' call when these users authenticate via POP3 or IMAP. This way they won't end up in 'tcp.smtp.cdb' and RELAYCLIENT will not be set next time they SMTP-connect.

'vmoduser -rs' will disable relay *AND* disable SMTP-AUTH ability for the given e-mail address, so even if they set up their MUA to do SMTP-AUTH they'll not be allowed and therefore not gain RELAYCLIENT privileges.

Only problem left: external *incoming* mail ... as far as I can see there's no ready-to-use solution built into vpopmail; you'd have to create '.qmail-*' files for every 'no external mail allowed' account that call a script which checks if the mail is sent from external. This can for sure be made dynamic and used by creating a template .qmail and (sym)linking the other .qmail files against it, so a change affects all at the same time. The script checking for external incoming can e.g. inspect $ENV{SENDER} for an internal domain and if not, 'exit(100)' to bounce the message. If the mail is internal simply 'exit(0)' and have

  |vdelivermail '' bounce-no-mailbox

in the .qmail file.

--
Best regards
Peter Palmreuther
The end move in politics is always to pick up a gun. - Buckminster Fuller
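The '.qmail' program sketched in the last paragraph above, as an added example that is not code from the post or from vpopmail: it reads $SENDER the way qmail-local provides it, exits 0 so the next line of the .qmail file (the vdelivermail line) runs, or 100 so qmail bounces. The domain list and paths are assumptions. One caveat a practitioner would add: the envelope sender is supplied by the remote SMTP client and can be forged, so this enforces a policy against casual outside mail rather than authenticating the sender.

```python
#!/usr/bin/env python3
"""'.qmail' program for an internal-only mailbox: pass internal mail on to the
next line of the .qmail file, bounce everything else.

Added example, not code from the post or from vpopmail.  Meant to be used as
    |/usr/local/bin/internal-only
    |/home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
(paths assumed).  Exit codes per dot-qmail(5): 0 = continue with the next
line, 100 = permanent failure (bounce), 111 = temporary failure (retry).
INTERNAL_DOMAINS is a constructed list; $SENDER is the envelope sender as
qmail-local passes it in, which the remote side chose and may have forged.
"""
import os
import sys

INTERNAL_DOMAINS = {"example.net", "corp.example.net"}      # assumption

EXIT_CONTINUE, EXIT_BOUNCE, EXIT_DEFER = 0, 100, 111


def decide(sender, internal_domains=INTERNAL_DOMAINS, accept_bounces=True):
    """Map an envelope sender to the exit code qmail-local should see."""
    if sender == "":            # empty SENDER: a bounce / MAILER-DAEMON message
        return EXIT_CONTINUE if accept_bounces else EXIT_BOUNCE
    if "@" not in sender:
        return EXIT_BOUNCE      # no domain part: not one of ours
    domain = sender.rsplit("@", 1)[1].lower()
    if domain in internal_domains:
        return EXIT_CONTINUE
    return EXIT_BOUNCE


def main():
    sender = os.environ.get("SENDER")
    if sender is None:          # not started by qmail-local; don't guess, retry later
        return EXIT_DEFER
    return decide(sender)


if __name__ == "__main__":
    sys.exit(main())
```

Whether empty-sender bounces should be let through is a policy decision; the default here lets them in so that an internal user's own failed mail still produces a notification.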
[vchkpw] Re: Request for new feature: Internal-only accounts
Hello Casey,

On Tuesday, June 14, 2005 at 8:48:26 PM Casey wrote:

>> 'vmoduser -rs' will disable relay *AND* disable SMTP-AUTH ability for
>> given e-mail-address, so even if they set up their MUA to do SMTP-AUTH
>> they'll not be allowed and therefore not gain RELAYCLIENT-privileges.
> Keep in mind though, that this is not really a valid solution unless you
> host only one domain on the mail server, in which case I have to wonder
> why you run vpopmail at all.

Maybe because of easier mail user management and the lack of necessity to create a system user ID for every mail recipient?!

> If joe.com and bob.com are hosted on the same server, they'll be able to
> send each other mail even with the above measures.

Sure. I interpreted 'external' as 'not my server', not 'outside this particular domain' ... a limitation I included silently and one should in fact be aware of.

--
Best regards
Peter Palmreuther

A woman is only a woman, but a good cigar is a smoke.
[vchkpw] Re: REQUEST FOR NEW FEATURE: INTERNAL-ONLY ACCOUNTS
Hello Bruno,

On Monday, June 13, 2005 at 9:22:50 PM Bruno wrote:

> Now, the director of one of the companies I give support asked me to set
> a bunch of e-mail accounts as internal-only, i.e., they can send e-mail
> internally but cannot send or receive external e-mails.

vmoduser -r $ADDRESS

At least 5.4.5 has this possibility. If you further enforce SMTP-AUTH for all SMTP connections that need to relay (i.e.: don't set RELAYCLIENT for anything other than 127.0.0.1) and disable roaming users you should have gained what you're looking for.

--
Best regards
Peter Palmreuther

hselF ruoY eM roF...luoS ruoY doG roF
[vchkpw] Re: many roaming users
Hello Jeremy,

On Tuesday, May 24, 2005 at 10:11:21 PM Jeremy wrote:

> vpopmail's roaming-users support is poorly designed, slow, and prone to
> failure.

I'd like to see some evidence to back up this assertion.

> the fact that it's based around one file (actually, 3) that can
> theoretically be attempted to be updated many times simultaneously
> (requiring locking, etc) the open-smtp file has to be locked, old entries
> purged, then the cdb file has to be locked, and rebuilt.

'open-smtp' has to be locked, yes. But the cdb file hasn't. It's rebuilt in a temporary file and if built successfully the old one is removed and the new one renamed. In fact vpopmail makes use of 'tcprules' to create the cdb file.

> with relay-ctrl, it simply creates a file in a directory for each IP
> allowed, and checks for old ones that should be removed. This is NFS safe,
> requires no locking (who cares if two processes try to create the same
> empty file at the same time), and is a lot more fault-tolerant.

And with 10k users adds a lot of things to do to find the correct file to the file system, especially if this special directory is located on an ext2 or ext3 partition, which as we all know, does not scale very well if there are a lot of directory entries.

> Plus, since the relay-ctrl software is independent of any other qmail
> process, no other qmail process needs to know the location of the
> relay-ctrl directory, whereas vpopmail's roaming users either requires you
> to change where your cdb file is, or tell it specifically where your cdb
> file is.

** Deleting whatever the '-x' of existing tcpserver processes points to and replacing it with a symlink really is hard to do ... If one does not want to adjust the startup script and edit the '-x' parameter directly.

> Also.. some people use scripts to generate their tcp.smtp.cdb file, since
> tcprules simply generates a cdb file based on stdin. vpopmail's roaming
> users breaks this.

Where?

As far as I've understood vpopmail source it simply opens a 'tcprules' process, passes 'open-smtp' and 'tcp.smtp' contents to STDIN of this process, and that's it. Nothing that looks to me like 'breaking generating a cdb file based on stdin', especially nothing I'd call prone to fail. Sure, for some 10k users cdb might become slow, when it comes to many necessary cdb file recreations (i.e. many altering IP addresses). But that does not necessarily mean it's slow, poorly designed or prone to fail for anybody else with much fewer users. It's a good, known to work reliably, solution that perfectly integrates into existing tcpserver usage ...

--
Best regards
Peter Palmreuther

Rap is to music what Etch-A-Sketch is to art.
[vchkpw] Re: Getting segmentation fault with chkusr patch for qmail-smtpd
Hello Glenn,

On Sunday, May 1, 2005 at 5:28:34 PM Glenn wrote:

>> You should at least examine smtp_rcpt and post it.
> Attached are the smtp_mail and smtp_rcpt from my qmailrocks source. My
> smtp_rcpt seems to be patched with some TLS code. I really don't need that
> since no clients use it. So if that's in the way it can be removed.

The posted 'smtp_mail()' excerpt from 'qmail-smtpd.c' ain't patched with the 'chkuser' patch at all ... So the chkuser patch can't be the culprit, if this is the source you actually compiled.

--
Best regards
Peter Palmreuther

It is morally wrong to allow suckers to keep their money.
[vchkpw] Re: Getting segmentation fault with chkusr patch for qmail-smtpd
Hello Glenn,

On Thursday, April 28, 2005 at 11:44:06 PM Glenn wrote:

>> *exactly*? Compile qmail without any '-O' and with '-g2' and run
>> qmail-smtpd in 'dbg' (or similar). Use 'strace' or 'truss' (with follow
>> fork option)
> I'm obviously a bit over my head here on the Linux platform. :-) I don't
> have truss or dbg on my machine. I have strace however but I didn't get
> any smarter. Removed -O2 from conf-cc, touched *.c and ran make but strace
> didn't display anything more.

'truss' is (can be) present on Unix while Linux has 'strace'. As I didn't know which system you're on I gave you both commands.

Please execute 'strace' as follows:

strace -fF -o /tmp/qmail-smtpd.log -s 4096 ./qmail-smtpd

and post the (complete) file /tmp/qmail-smtpd.log (as text attachment).

--
Best regards
Peter Palmreuther

Never put off till tomorrow what you can ignore entirely.
[vchkpw] Re: Getting segmentation fault with chkusr patch for qmail-smtpd
Hello Glenn,

On Thursday, April 28, 2005 at 9:55:57 PM Glenn wrote:

> [chkusr patch applied to qmailrocks setup qmail]
> But when I test it afterwards I get a segmentation fault whenever I type
> mail on a line.
> [...]
> Is there any way I can figure out exactly where in chkusr it fails?

*exactly*? Compile qmail without any '-O' and with '-g2' and run qmail-smtpd in 'dbg' (or similar).

Rough first guess? Use 'strace' or 'truss' (with follow fork option) to get an estimated idea about when it segfaults.

--
Best regards
Peter Palmreuther

Petrified Spare Ribs: Jurassic Pork
[vchkpw] Re: (Urgent) qmail-smtpd Bug !!!!!!!!!
Hello Samir,

On Tuesday, April 19, 2005 at 5:35:43 PM Samir wrote:

> [SMTP-AUTH not preventing forged From-header]
>> Dude this is normal behavior.
> No I don't think so, It is a big security issue.

You name it big security issue, that doesn't necessarily make it one. It *IS* normal behavior for a (patched) qmail installation.

If you don't like the way SMTP-AUTH is integrated within qmail: use a different MTA that fits your needs or rewrite the SMTP-AUTH patch to make qmail act the way you like it. If you are unable to handle the C code of qmail and the SMTP-AUTH patch: pay someone who can handle C to make the necessary changes.

But:

1) Stop crying. The way you find it is the way it *works*
2) Stop bothering this list. This mailing list is about *vpopmail*, you have a problem with qmail-smtpd. qmail has its own mailing list.

--
Best regards
Peter Palmreuther

Ever notice how a cat's tail looks like a fuse?
[vchkpw] Re: compile vpopmail with -fPIC on x86_64
Hello Marco,

On Tuesday, April 5, 2005 at 5:17:53 AM Marco wrote:

> I did compile vpopmail the way you suggested ... and now i'm getting
> another error - different but same nature.

Have you done a 'make distclean' in the vpopmail source tree before you ran the new configure?

--
Best regards
Peter Palmreuther

If God is Love, and Love is Blind, is Ray Charles God?
[vchkpw] Re: SMTP Auth delay...can it be sped up ????
Hello Allie,

On Monday, January 10, 2005 at 5:43:11 AM Allie wrote:

> I'm running vpopmail-5.4.9, netqmail-1.05, and Bill Shupp's TLS +
> SMTP-AUTH patch. It runs great...but the delay is bordering on grueling.
> No matter what the client is it takes a good 10-20 seconds to send mail.
> The server is 2G P4..so it's not the server. Is it the patch...or
> something else ??? Thanks in advance ;)

http://www.lifewithqmail.org/lwq.html#smtp-slow

--
Best regards
Peter Palmreuther

Do not follow in the footsteps of men of old; seek what they sought.
[vchkpw] Re: Rebuilding vpasswd.cdb
Hello Andryan,

On Saturday, November 27, 2004 at 1:55:18 PM Andryan wrote:

> I have been searching Google today for solutions on rebuilding
> vpasswd.cdb without using any vpopmail stuff (vmoduser and vpasswd). Is
> there an easy way?

No. If you don't want to use 'vmkpasswd' you'd have to rely on 'cdbmake' from cdb-tools [1] which is for sure a fine program, but the raw format it needs is anything but easy (to build manually).

[1] http://cr.yp.to/cdb.html

--
Best regards
Peter Palmreuther

I'm too sexy for this origin
[vchkpw] Re: sending/receiving messages to/from Selective Domains
Hello Edilmar,

On Friday, July 23, 2004 at 4:24:09 AM you wrote (at least in part):

> I said about /etc/tcp.smtp and control/rcpthosts because when I had to
> use a non smtp-auth schema, I saved into control/rcpthosts the domains
> able to communicate with internal users. Now, with smtp-auth, the users
> can send/receive to/from anyone.
>> Why not turn off SMTP AUTH?
> Because I have users that connect from other internet providers in many
> cities, and I don't want to allow open relay or maintain the
> /etc/tcp.smtp. Sometimes, there are users using dial-up connections, and
> to maintain /etc/tcp.smtp is hard.
>> I guess I don't understand your original email. It sounded like you were
>> saying: I only want to accept mail for domains in rcpthosts.
> Yes, I want to save into rcpthosts database, all domains that I need to
> communicate. I have my users using the mail system from any place in the
> Internet, so from any dynamic IPs. Then, I need smtp-auth to increase
> security for these external accesses to my mail server.

No, you don't.

SMTP-AUTH is used to set RELAYCLIENT, which is required for being allowed to RELAY. If you don't want anybody to relay you don't need to set RELAYCLIENT at any time. W/o this set qmail will never relay. Therefore if somebody with a dynamic IP connects to your server he/she is allowed to send mails to domains in 'rcpthosts' only, unless something sets RELAYCLIENT. If you now disable SMTP-AUTH nobody will be able to send mails to anything except domains in 'rcpthosts'.

Having RELAYCLIENT *never* set, not even through SMTP-AUTH, is the *most secure* setup you can have.

>> If that's the case, turn off relaying entirely. You would only have to
>> worry about external users sending email to other external users (@x.com
>> sends to @y.com).
> I deleted RELAYCLIENT= from /etc/tcp.smtp but the users with smtp-auth
> may send/receive emails to/from any other domains, not only domains
> listed into rcpthosts database.

Because the SMTP-AUTH code sets the RELAYCLIENT environment variable after successful authentication.

>> I can't think of an easy way to tell qmail: 1) Accept mail for local
>> users [but only from a limited list of external domains?].
> Yes... and accept mail from external users in external limited list
> domains.

You'll have to write a script/program that is called via QMAILQUEUE and checks the envelope sender and rejects the message if this from does not match an allowed domain/sender.

A different possible solution /could/ be to use 'mailfront' [1] with its mailrules as SMTP frontend. I haven't tested it, but maybe it's possible to define a rule:

:sender k[[@/var/qmail/control/rcpthosts]]:[[@/var/qmail/control/rcpthosts]]

As I said: this is untested, but maybe the mailfront mailing list can provide more information about whether this kind of setup is possible with mailfront rules.

> I need SMTP AUTH to increase security for these users. I don't want
> something like an external hacker using my SMTP server to send SPAM for
> my users and using an email like [EMAIL PROTECTED]

You can't prevent somebody sending mail to '[EMAIL PROTECTED]' if 'mydomain.com' is in your 'rcpthosts'. No matter if you enable SMTP-AUTH or not.

[1]: http://untroubled.org/mailfront/

--
Best regards
Peter Palmreuther

In case of fire, yell FIRE!
[vchkpw] Re: error on pop3
Hello Remo,

On Sunday, June 13, 2004 at 12:40:28 AM you wrote (at least in part):

> Hello guys any suggestions on this error?
>
> [EMAIL PROTECTED] qmail-smtpd]# telnet localhost 110
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> +OK [EMAIL PROTECTED]/home/vpopmail/bin/vchkpw
> user [EMAIL PROTECTED]
> +OK
> pass me
> -ERR this user has no $HOME/Maildir
> Connection closed by foreign host.

Check your POP3 startup command. It's (roughly):

tcpserver TCPSERVER_OPTIONS qmail-popup HOSTNAME vchkpw qmail-pop3d Maildir/

Seems your command line misses the HOSTNAME part.

P.S.: Please try to configure your MUA to send plain text only, these pseudo attachments LookOut sends are only annoying, but in no way useful on a mailing list like this. About 2/3 of your message's size was occupied by this superfluous 'winmail.dat' attachment.

--
Best regards
Peter Palmreuther

Weekend, where are you?
[vchkpw] Re: passwords
Hello Jean,

On Tuesday, May 25, 2004 at 2:31:26 PM you wrote (at least in part):

>>> Is it possible to convert all old passwords from the old format
>>> (MD5-disabled crypt()) to the new format?
>> If you have plain passwords enabled: yes. (..)
> Unfortunately this isn't my case. :( I guess it's not possible then,
> right?

Right. The passwords are non-recoverable and therefore you can't convert them into a state that enables you to re-encrypt using MD5.

Send an e-mail to all affected accounts and ask them to change the password for their own safety using qmailadmin (or whatever front end you have set up).

--
Best regards
Peter Palmreuther

There are never enough hours in a day, but always too many days before Saturday.
[vchkpw] Re: How could I set multilog to be more verbose
Hello Andrew,

On Tuesday, May 25, 2004 at 11:17:34 AM you wrote (at least in part):

> How could I set multilog to be more verbose??

1.) Wrong list. multilog is not part of vpopmail.

2.) You can't. Multilog only logs what it gets from STDIN. Multilog itself does not create log output, except in case of an error, in which case you'd see it via 'ps' and a 'grep' for 'readproctitle'.

--
Best regards
Peter Palmreuther

Life sucks. Then you die
[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64
Hello Blist,

On Monday, May 24, 2004 at 11:16:58 PM you wrote (at least in part):

> 10092 write(4, [EMAIL PROTECTED], 27) = 27

However you Base64-encoded your login data, something went wrong. There's a '\n' that shouldn't be there. The correct B64 data would be:

Username: YnJvb2tzQGJyb29rc3JveS5jb20=
Password: amo=

Please try again with these data and report in.

--
Best regards
Peter Palmreuther

I have been guilty of kicking myself in the teeth...
[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64
Hello Blist,

On Tuesday, May 25, 2004 at 6:22:11 PM you wrote (at least in part):

> After trying with these values I get:
> 24597 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

That's not necessarily easy to debug. First try this:

$printf [EMAIL PROTECTED] /tmp/auth.data
$setuidgid /usr/local/vpopmail/bin/vchkpw \
  /bin/sh -c 'echo Yes' /tmp/auth.data 30

And if this does not output 'Yes' please 'strace' it without the '-e' option. If this segfaults too, one /might/ be able to guess why from the strace and the last action done. If this is not possible you'd have to 'dbg' vchkpw, to figure out what's wrong.

Nevertheless 'til now your original problem was not reproduced. So it seems something is really going wrong in your installation.

--
Best regards
Peter Palmreuther

Clap on! clap clap Clap off! clap clap ~2v2h~#bu4bNO CARRIER
[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64
Hello Blist,

On Sunday, May 23, 2004 at 9:28:35 PM you wrote (at least in part):

> == /var/log/mail ==
> May 23 15:10:53 ps1 vpopmail[14133]: vchkpw-smtp: invalid user/domain characters [EMAIL PROTECTED] :192.168.5.50

Where does the space character after '.com' come from? Seems there's something wrong with Base64 decoding / handing decoded values over to vchkpw. I might be wrong, but all logs similar to this found in my system logs have 'username:IP' instead of 'username :IP'.

I'd say this is a case for strace/truss, to see if qmail already writes the blank into fd #3 or if vchkpw inserts it, and in the former case it's a file for 'dbg' or similar (and a '-g2' compiled qmail), to figure out who inserts it. In the latter case one has to 'dbg' vchkpw to see when this blank appears first.

--
Best regards
Peter Palmreuther

I am not part of the problem. I am a Republican. -- Dan Quayle trivia --
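What qmail-smtpd hands to vchkpw on fd #3 in the two replies above, made visible with a small stand-in for the checkpassword program. This is an added example, not vpopmail code and not part of the thread; the credentials and the timestamp are constructed, and the stand-in only compares against values you give it rather than looking anything up.

```shell
#!/bin/sh
# Added example: a stand-in for a checkpassword program such as vchkpw, to see
# exactly what arrives on file descriptor 3. Not vpopmail code.
#
# The checkpassword interface: the caller writes "user\0password\0timestamp\0"
# to fd 3 and the checker execs the rest of its command line on success
# (exit 0) or exits non-zero on failure. A username that carries a stray
# "\n" or " " (the cases discussed above) is visible here, before any
# password comparison happens.

# Build the fd-3 payload for the given user, password and timestamp.
checkpassword_payload() {
  printf '%s\000%s\000%s\000' "$1" "$2" "$3"
}

# fake_checkpassword EXPECTED_USER EXPECTED_PASS, with the payload on fd 3.
# Exit 0 on a match, 1 on a mismatch, 2 when the username contains whitespace.
fake_checkpassword() {
  expected_user=$1
  expected_pass=$2
  sep=$(printf '\001')
  payload=$(tr '\000' "$sep" <&3)   # NUL bytes cannot live in a shell variable
  old_ifs=$IFS
  IFS=$sep
  set -f                             # no globbing while splitting the fields
  set -- $payload
  set +f
  IFS=$old_ifs
  user=$1
  pass=$2
  stamp=$3
  # Show what the checker saw; the password itself is not echoed.
  echo "user=[$user] password=<${#pass} bytes> timestamp=[$stamp]" >&2
  case $user in
    *[[:space:]]*)
      echo "invalid characters in username (stray whitespace)" >&2
      return 2 ;;
  esac
  [ "$user" = "$expected_user" ] && [ "$pass" = "$expected_pass" ] && return 0
  return 1
}
```

Run it the way the reply above runs vchkpw, with the data file on fd 3: `fake_checkpassword alice@example.com secret 3< /tmp/auth.data`, or pipe `checkpassword_payload` into it with `3<&0`. A username that was Base64-encoded with its line break shows up as `user=[alice@example.com` followed by a newline and `]`, which is the situation the log line above describes.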
[vchkpw] Re: passwords
Hello Jean,

On Monday, May 24, 2004 at 4:12:15 PM you wrote (at least in part):

> My boss recently noticed something I didn't: vpopmail (noticed on
> qmailadmin and squirrelmail using courier-imap) accepts passwords with
> garbage at the end. Let's say, my password is secret. If I type
> secretJSDSDALSDKJFLASF, qmailadmin will accept it as a valid password.
> It doesn't accept with garbage inside the password, or before.

Please create a test account with password 'password', test this account and if it is authenticated with garbage at the end please post the encrypted password from 'vpasswd' of this account.

I assume your installation does not use MD5 routines in the 'crypt()' function, and therefore your passwords are limited to a maximum of 8 characters. All passwords with exactly 8 characters (so NOT 'secret' as these are only 6) then will be accepted if the first 8 characters of input match. This is due to the fact 'crypt()', using only DES, only takes the first 8 characters. An MD5-enabled 'crypt()' will not suffer these limitations.

> How can I correct that?

vpopmail should, when available, use MD5 passwords automatically. To be sure recompile vpopmail (don't forget a 'make clean' before) with all your configure options PLUS '--enable-md5-passwords'. If you have any '--disable-md5-passwords' option set, remove it.

I don't know a safe way to figure out if your libcrypt.so supports MD5 passwords, but I've found that 'strings /lib/libcrypt.so.1 |grep -i md5' returned 'md5-crypt.c' and '__md5_crypt_r', which I'd take as a hint my libcrypt is MD5-enabled, and the encrypted passwords in my vpasswd confirm this assumption.

> Is this a known issue?

Not that I'm aware of.

> I've tested with vpopmail 5.4.3 + qmailadmin 1.2.0 AND also with vpopmail
> 4.9.10 + qmailadmin 0.45 (our museum servers), both have the same problem.

Maybe the 'museum' might be the problem: if their libcrypt is too old it might be it's not yet aware of MD5, who knows.

--
Best regards
Peter Palmreuther

Use it up ... Wear it out.
Make it do ... Or do without.
[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64
Hello Blist,

On Monday, May 24, 2004 at 4:47:43 PM you wrote (at least in part):

>> I'd say this is a case for strace [...]
> Here is a copy of the strace log:

Please replace your strace call by

strace -fF -s 4096 -o /tmp/qmail.log -e write ...

(replace '...' with 'softlimit -m ...' and so on), else we'll not see what qmail hands over to vchkpw.

--
Best regards
Peter Palmreuther

SLIDING DOWN THE RAZOR BLADES OF LIFE
[vchkpw] Re: passwords
Hello Jean,

On Monday, May 24, 2004 at 8:25:42 PM you wrote (at least in part):

>> I assume your installation does not use MD5 routines in 'crypt()'
>> function, [...]
> Very interesting. It seems that the problem occurred only with the
> migrated domains from other servers (the museum ones). Accounts created
> in the new server, or accounts which had their password changed in the
> new server do not have this problem.

Would make sense.

> Thanks a lot, Peter!

You're welcome.

> Is it possible to convert all old passwords from the old format
> (MD5-disabled crypt()) to the new format?

If you have plain passwords enabled: yes. Should be sufficient to delete the encrypted passwords from vpasswd (empty the second field, e.g. with 'awk') and let the users log in again. Authentication will/should succeed, because the clear password is still there, and the encrypted password will be set, as vchkpw recognizes it is empty.

This is from the top of my head, I haven't tested recently or with one of the latest releases, so you're advised to test yourself with a non-important account before applying the change globally.

Don't forget to run 'vmkpasswd $DOMAIN' after you modified the 'vpasswd' file(s) and before you try to log in (e.g. via POP3).

--
Best regards
Peter Palmreuther

If the probability of success is not almost one, then it is damn near zero.
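The awk step this reply describes, together with a check for the DES-style entries that the earlier reply in this thread traces the 8-character limit to, as an added example that is neither vpopmail code nor from the post. The vpasswd field layout it relies on (field 2 = crypt() hash, field 8 = clear-text password when that option is compiled in) and the sample entries are assumptions made for the example:

```shell
#!/bin/sh
# Added example, not vpopmail code. Assumed vpasswd layout, one entry per
# line, colon separated:
#   user:encrypted:uid:gid:gecos:dir:quota[:cleartext]
# Field 2 is the crypt() output; field 8 holds the clear-text password on
# installations built with clear passwords enabled.

# vpasswd_audit: read vpasswd entries on stdin, print "user scheme" per entry.
# A 13-character hash without '$' is traditional DES crypt(), where only the
# first 8 characters of the password are significant; '$1$' marks MD5 crypt().
vpasswd_audit() {
  awk -F: '{
    pw = $2; scheme = "unknown"
    if (pw == "")               scheme = "empty"
    else if (pw ~ /^\$1\$/)     scheme = "md5"     # no 8-character limit
    else if (pw ~ /^\$/)        scheme = "other"   # $5$, $6$, $2y$ ...
    else if (length(pw) == 13)  scheme = "des"     # 8-character truncation applies
    print $1, scheme
  }'
}

# vpasswd_reset_hashed: empty field 2 for entries that are not MD5 yet AND
# still carry a clear-text password, so the next successful login re-hashes
# it. Entries without a clear-text copy are left untouched: a DES hash cannot
# be converted. Writes the new file to stdout; inspect it, replace vpasswd,
# then run 'vmkpasswd DOMAIN' to rebuild vpasswd.cdb.
vpasswd_reset_hashed() {
  awk -F: 'BEGIN { OFS = ":" }
    $8 != "" && $2 !~ /^\$1\$/ { $2 = "" }
    { print }'
}
```

Typical use is `vpasswd_audit < /home/vpopmail/domains/example.com/vpasswd` to see how many accounts are affected before touching anything, and `vpasswd_reset_hashed < vpasswd > vpasswd.new` followed by a diff of the two files; the accounts the audit reports as "des" with no clear-text copy are the ones that need a user-initiated password change.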
[vchkpw] Re: SMTP Auth HOWTO?
Hello List,

On Friday, May 21, 2004 at 5:21:36 PM [EMAIL PROTECTED] wrote (at least in part):

>>> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
>>> security as SMTP after POP, because with SMTP-Auth, You sent Your
>>> e-mail address and Your password of Your mailbox over the internet.
>>> [...]
>> This is only true for SMTP Authentication of type plain and login. With
>> CRAM-MD5 its quite safe.
>> [...]
> Yes, it's 'quite' safe, but You still reveal Your e-mail address. If
> there are many hops between Your workstation and the smtpserver, You can
> get some spam in return.

Well, as you are this enlightened you'll for sure be able to tell me the difference to POP authentication then, aren't you? I don't talk about the different protocol; but in my limited (inherited from my ancestors, which, as you stated, /pretended/ to be the most bright) mind and with a lot of ignorance I thought POP3 sends my username and pass as well. Using vpopmail for a POP3 server the username will most of the time be my e-mail address; exactly the same you say it's insecure to send. But I'm pretty sure you'll be able to tell me where my mistake is located, because POP-b4-SMTP is, as you claimed yourself (see above), MUCH MORE secure than SMTP-AUTH.

> More, Your mail is sent in plaintext.

Why do you mix authentication method and connection security? It's two VERY different layers in the communication model. The one is layer 3/4, the other is layer 7 in the OSI model. There is NOTHING you can mix about them, there is NOTHING you can compare them on. It's like comparing apples and plants. The plant MIGHT be an apple tree, but you simply can't tell.

So please stop whining, write a SMTP-over-SSL-HOWTO and be happy.

> I prefer encrypted streams, You're free to do.

But what's the relation to a SMTP-AUTH problem?

--
Best regards
Peter Palmreuther

I am evil, I make the devil sign.
[vchkpw] Re: SMTP Auth HOWTO?
Hello List,

On Saturday, May 22, 2004 at 8:06:41 PM [EMAIL PROTECTED] wrote (at least in part):

> [full quote snipped]
> Before You make comments, first read the previous post.

Well, ok. *erm* I just recognize: already done.

> I am talking about TLS, smtps

You are. In fact you are. But maybe I just have to repeat my question, maybe you did not recognize it, because there was too much confusing text around it: Why do you mix authentication method and connection security?

> and You are talking about pop3, complete out of the road.

No. Now I'm pretty sure the whole mass of text confused you. I told you, SMTP-AUTH sends the e-mail address and password as well as POP3-AUTH does. This was related to your comment (I'm allowed to quote your comment in mid:[EMAIL PROTECTED]):

,-
| In the OLD days, people were happy with SMTP-Auth. I consider it LESS
| security as SMTP after POP,
`-

You, YOU started comparing SMTP-AUTH to other, POP3-invocating, authentication / relay-allowing methods. So IF POP3 is out of the road, it is only YOU who brought it into this thread.

> When I see word like 'enligtment' and I some sarcasm, seems You are
> German either,

You're so ... so ... amusing. You need the word enlightment (which I did not even write; I wrote you're enlightened) and some sarcasm for recognizing a fact, which can easily be obtained from the sender's address? You ARE funny.

> see my previous comment.

The one in mid:[EMAIL PROTECTED]? I saw. And I had to laugh out loudly about such a simple minded attitude.

> Stop Your sarcasm,

Why? Who are you to tell me to stop sarcasm? What makes you better than anybody else? What makes you assume my ancestors gave me that beautiful gift of sarcasm? What makes you sure you can even think about any comparison between times of WWI and WWII and my behavior just right now? What makes your French existence better than mine?

> and rebuild first Your country

I won't. There're some million people in this country, I don't see a single reason why I should rebuild it.

- First: I don't see a necessity to /rebuild/ it. Some (partly major) changes might be suitable, but a complete rebuild is far too much.
- Second: I personally am much too little of a being for having the ability to rebuild the whole country.
- Third: even if I would start, there are so many (mostly politicians, nevertheless enough commercial leaders) people guiding this country into its current misery. My work would not stop this.

There are some other reasons, but this would become too much OT. But I'm quite sure you know what you're talking about. At least it's just the reality that's far behind your statements.

> and mentality.

??? Yours is better? Your

Q: I don't get SMTP-AUTH to work. Please help
A: Use SSL!

way of participating and helping others, your

You're sarcastic, you're a f*g German! You're behaving like your ancestors 1900-1945!

[which implies I'm either a Caesar's fellow or a national socialist; and you don't even know me enough for being at least 1% sure about these facts] is a better mentality?

C'mon, guy. You don't want to tell me you're the better human being? You don't really want to do EXACTLY what you blame me to do: [pretend] to be the most bright race??? You don't really want to tell me (us) we Germans are (still? again?) the bad, ugly, fascistic people and it's the French that'll help the world out of the misery, because of their perfect mind set, given by place of birth and life??? If you really do, you're much poorer than I thought and you don't even deserve being read on this list.

P.S.: If you feel the need to reply: please try trimming your quotes to the relevant parts. It is not necessary to full quote and increase list traffic above the unavoidable level. I don't even ask for slightly reducing your signature; 18 lines is quite a lot.

--
Best regards
Peter Palmreuther

Eggheads unite! You have nothing to lose but your yolks. - Adlai Stevenson
[vchkpw] Re: SMTP Auth HOWTO?
Hello List,

On Saturday, May 22, 2004 at 11:24:43 PM [EMAIL PROTECTED] wrote (at least in part):

> The flamewar did NOT start with my message.

PLOconnection interrupt *beep*

--
Best regards
Peter Palmreuther

Bumper sticker: All the parts falling off this car are of the very finest British manufacture
[vchkpw] Re: SMTP Auth HOWTO?
Hello List,

On Saturday, May 22, 2004 at 11:24:43 PM [EMAIL PROTECTED] wrote (at least in part):

> I clearly stated to do POP3-SSL, to have afterwards a 'SMTP after POP'
> functionality.

Sure. I may quote your first reply:

,- [ mid:[EMAIL PROTECTED] ]
| Activate TLS by create a certificate, and You will be much better off
| to create an encrypted connecton to Your SMTP server by the SMTP Enc
| smtps 465/tcp#smtp protocol over TLS/SSL (was ssmtp)
| smtps 465/udp#smtp protocol over TLS/SSL (was ssmtp)
`-

--
Best regards
Peter Palmreuther

Computer Science is merely the post-Turing decline in formal systems theory.
[vchkpw] Re: vdelivermail bounce-no-mailbox. Can I drop?
Hello List,

On Monday, May 10, 2004 at 3:02:09 PM [EMAIL PROTECTED] wrote (at least in part):

>>> does vdelivermail mail have a drop-no-mailbox option?
>> || /home/vpopmail/bin/vdelivermail '' delete
>> [...]
> stupid me, here I was reading the manual for the thing and never got that
> answer. http://www.inter7.com/vpopmail/doc/vdelivermail.html
> Thanks Pit!

Thanks for your reply that shows the incompleteness in the docs. I've created and sent a patch to the CVS version. Maybe it's incorporated and the Inter7 website updated accordingly.

--
Best regards
Peter Palmreuther

How can I believe that everything in this world is going to be fine?
[vchkpw] Re: vdelivermail bounce-no-mailbox. Can I drop?
Hello List,

On Monday, May 10, 2004 at 2:20:31 PM [EMAIL PROTECTED] wrote (at least in part):

> I don't care about handling bounces for typo'd addresses and I want to
> /dev/null them. does vdelivermail mail have a drop-no-mailbox option?

Yes:

,- [ vpopmail FAQ ]
| 32. I don't want to bounce emails for non existent users. Instead I want
|     to delete them, how?
|
|     The last parameter in the .qmail-default file tells vdelivermail
|     what to do with non-matching emails. The default is to bounce
|     the email back to the sender. But you can also delete it instead.
|
|     update your .qmail-default file from something like this:
|
|     | /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
|
|     to something like this:
|
|     | /home/vpopmail/bin/vdelivermail '' delete
`-

Reading s***s, I know.

--
Best regards
Peter Palmreuther

If at first you don't succeed, skydiving is not for you.
[vchkpw] Re: Vchkpw@inter7.com - Paypal account limited.
Hello Jeremy,

On Sunday, May 9, 2004 at 5:53:14 PM you wrote (at least in part):

> this is one of those times I wish ezmlm{,-idx} put the original envelope
> sender in the headers of the email somewhere. So anywho, I looked in the
> archive/ directory for this message, found it, and it appears
> [EMAIL PROTECTED] somehow got added to the list.

Might be, but who sent this particular message?

The %XX-encoded URL is in plain text form: https://211.28.155.210/.verification/hide/index2.htm

This isn't PayPal, this is somebody else who tries to fake users. When this URL is opened a popup opens and a faked PayPal login form appears. Additionally this page then presents something that looks like an address bar item, that displays a paypal.com address, so IE users might think they're in the correct location. Non-IE users are nearly immediately redirected to the real PayPal site, I guess whoever intends to get user logins this way does rely on some glitches of IE that make it hard to recognize one is on the wrong page and he/she does not want somebody else being able to figure easily this mail was a big fake.

For all interested: the popup opened by the above mentioned URL is this page: https://211.28.155.210/.verification/hide/sysdll.php

Open with deactivated JavaScript to fully enjoy it without being sent somewhere else :-)

--
Best regards
Peter Palmreuther

Nothing is impossible for anyone impervious to reason.
[vchkpw] Re: Vchkpw@inter7.com - Paypal account limited.
Hello Jeremy,

On Sunday, May 9, 2004 at 7:35:45 PM you wrote (at least in part):

>> https://url.removed
>> Open with deactivated JavaScript to fully enjoy it without being sent
>> somewhere else :-)
> or wget and vim ;)

Which is one kind of deactivated JavaScript, if I'm right :-) The FireFox w/ deactivated JS way has the advantage of some more visual effects like "Wow, this looks incredibly similar to a real PayPal login form" :-)

--
Best regards
Peter Palmreuther

An android would never rip your head off! --Kryten.
[vchkpw] Re: strange behavior in from header.
Hello Sebastien,

On Saturday, May 1, 2004 at 8:25:34 PM you wrote (at least in part):

> I tried without the SMTP AUTH Patch so I recompiled the netqmail-1.05,
> remove the vchkpw part from the qmail-smtpd/run file,

Compile with the SMTP AUTH patch and nevertheless keep the vchkpw part
removed. Test (with and without SMTP; to a domain that is in
'rcpthosts'). Insert vchkpw again. Test again, but don't authenticate,
just send a mail to a domain that is in 'rcpthosts'. You'll see the
messages pass through. Then test again with authentication. You'll see
the '@IP' part again in the Received headers, that's because the
SMTP-AUTH patch sets TCPREMOTEINFO.

But all this is not responsible for a line like this:

  From: tino <[EMAIL PROTECTED]>

or this:

  To: [EMAIL PROTECTED]

as you presented them in your mail mid:[EMAIL PROTECTED]

THIS is set by the MUA, the same applies to:

  Return-Path: [EMAIL PROTECTED]

Your MUA sent:

  MAIL FROM:<[EMAIL PROTECTED]>

Even if we'd assume netqmail+SMTP_AUTH+vpopmail would modify
Return-Path (envelope from) it'd NEVER EVER modify 'From:' or 'To:'
header lines.

So please test a fully patched, fully configured (incl. vchkpw)
installation using the command line and telnet:

  $ perl -MMIME::Base64 -e 'print encode_base64("username");'
  dXNlcm5hbWU=
  $ perl -MMIME::Base64 -e 'print encode_base64("password");'
  cGFzc3dvcmQ=
  $ telnet HOST 25
  C: EHLO _
  S: 250 ...
  C: AUTH LOGIN
  S: 334 VXNlcm5hbWU6
  C: dXNlcm5hbWU=
  S: 334 UGFzc3dvcmQ6
  C: cGFzc3dvcmQ=
  S: 235 ok, go ahead (#2.0.0)
  C: MAIL FROM:<[EMAIL PROTECTED]>
  S: 250 ok
  C: RCPT TO:<[EMAIL PROTECTED]>
  S: 250 ok
  C: DATA
  S: 354 go ahead
  C: From: tino <[EMAIL PROTECTED]>
     To: [EMAIL PROTECTED]
     Subject: test

     foobar
     .
  S: 2xx ...
  C: QUIT

Replace 'username' and 'password' in the Perl script lines with working
values, remember to masquerade '@' in any of these strings with '\'
(i.e. a username of '[EMAIL PROTECTED]' will be '[EMAIL PROTECTED]').

'S:' indicates lines the server sends, 'C:' indicates lines you should
type / copy & paste or enter any other way for them to be sent to the
server.

I'm quite sure this test will succeed and then you know it's the MUA
that sends these cryptic envelope from, From: and To: strings. The
'@IP' in 'Received:' lines is not part of your problem, as it is never
used for any delivery action, neither forward nor for the bounce.

-- 
Best regards
Peter Palmreuther

What do you mean, QWK? It took me over an hour to read!
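The AUTH LOGIN dialogue from the telnet test above, as an added example that is not part of the original mail: a client-side routine run against a scripted stand-in for qmail-smtpd (the scripted server, its account table and the 535 reply text are assumptions made for this demo). Decoding the transcript afterwards shows why this exchange belongs inside an SSL/TLS session: base64 hides nothing.

```python
import base64

# Added example (not from the original mail): the AUTH LOGIN exchange shown
# above, driven from the client side against a scripted server.  Challenge
# strings and reply codes follow the mail; the account table is constructed.


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def unb64(text: str) -> str:
    return base64.b64decode(text).decode()


class ScriptedSmtpd:
    """Server side of AUTH LOGIN only: two 334 challenges, then 235 or 535."""

    def __init__(self, accounts: dict):
        self.accounts = accounts          # constructed username -> password table
        self.state = "idle"
        self.user = None

    def reply(self, line: str) -> str:
        if self.state == "idle" and line == "AUTH LOGIN":
            self.state = "user"
            return "334 " + b64("Username:")   # the VXNlcm5hbWU6 line from the mail
        if self.state == "user":
            self.user = unb64(line)
            self.state = "pass"
            return "334 " + b64("Password:")   # the UGFzc3dvcmQ6 line from the mail
        if self.state == "pass":
            ok = self.accounts.get(self.user) == unb64(line)
            self.state = "idle"
            # 535 text is an assumption for the demo, 235 text is from the mail
            return "235 ok, go ahead (#2.0.0)" if ok else "535 authorization failed (#5.7.0)"
        return "503 bad sequence of commands"


def auth_login(username: str, password: str, server: ScriptedSmtpd):
    """Run the client half of AUTH LOGIN; return (success, transcript)."""
    transcript = []

    def send(line: str) -> str:
        reply = server.reply(line)
        transcript.append(("C", line))
        transcript.append(("S", reply))
        return reply

    reply = send("AUTH LOGIN")
    if not (reply.startswith("334 ") and unb64(reply[4:]) == "Username:"):
        return False, transcript
    # No shell in the way here, so an '@' in the username needs no masquerading.
    reply = send(b64(username))
    if not (reply.startswith("334 ") and unb64(reply[4:]) == "Password:"):
        return False, transcript
    reply = send(b64(password))
    return reply.startswith("235"), transcript


def credentials_visible(transcript) -> tuple:
    """Recover username and password from the transcript: base64 is encoding,
    not encryption, which is why AUTH LOGIN needs a TLS-protected session."""
    client_lines = [line for who, line in transcript if who == "C"]
    # client lines are: AUTH LOGIN, base64(user), base64(pass)
    return unb64(client_lines[1]), unb64(client_lines[2])


if __name__ == "__main__":
    ok, transcript = auth_login("username", "password",
                                ScriptedSmtpd({"username": "password"}))
    for who, line in transcript:
        print(f"{who}: {line}")
    print("authenticated:", ok, "visible on the wire:", credentials_visible(transcript))
```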
[vchkpw] Re: strange behavior in from header.
Hello Sebastien,

On Saturday, May 1, 2004 at 6:02:00 PM you wrote (at least in part):

> > > I tried many configurations and it appears that it's the vchkpw
> > > that adds my email address to my IP when I send a mail.
> >
> > I wouldn't know why and how vchkpw would or could do this.
>
> First of all I tried with or without vpopmail and without vpopmail I
> did not get that strange line.

How exactly did you try without vpopmail? What changes have been done,
what exactly was different from the trial with vpopmail?

> Obelix:/var/qmail# cat /var/qmail/supervise/qmail-smtpd/run
> #!/bin/sh
> exec /usr/local/bin/tcpserver -H -p -R -x /home/vpopmail/etc/tcp.smtp.cdb \
>   -u98 -g98 -v -c100 0 smtp \
>   rblsmtpd -r relays.ordb.org \
>   /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

As I expected I don't see anything that would make qmail-smtpd append
'@IP-Address' just because 'vchkpw' is present. 'vchkpw' can't modify
anything within qmail-smtpd's memory area and qmail-smtpd does not
fetch anything 'vchkpw' could 'pass back'. It only has an eye open on
whether vchkpw exits '0' or not.

So I'm still convinced it is not vpopmail that is the culprit, of
course unless you've done heavy modifications on vpopmail or qmail or
have another setup not shown yet.

-- 
Best regards
Peter Palmreuther

If you're happy and you know it clunk your chains.
[vchkpw] Re: strange behavior in from header.
Hello Sebastien,

On Friday, April 30, 2004 at 11:43:40 PM you wrote (at least in part):

> I tried many configurations and it appears that it's the vchkpw that
> adds my email address to my IP when I send a mail.

I wouldn't know why and how vchkpw would or could do this.

1. What's your qmail-smtpd invocation line?
2. Are you sure this ain't a qmail problem and should be discussed on
   the qmail list?

-- 
Best regards
Peter Palmreuther

Canadian DOS: Yer sure, eh? [y/n]
[vchkpw] Re: SMTP Slowness
Hello Chris,

On Monday, April 26, 2004 at 3:42:40 PM you wrote (at least in part):

> Now I've got another problem with SMTP. When I try to connect, it
> takes FOREVER to send the welcome message. Go ahead and telnet into
> rhost1.zfx.com on port 25 and issue a HELO, and you'll see what I
> mean.

Both connecting and issuing an EHLO (or HELO) is just a matter of
seconds from here.

> I thought that it could be something with DNS, but everything seems
> fine with DNS. The hostname and reverse DNS entries for the box are
> in there, and the DNS servers on the server are set correctly so it
> should be able to resolve itself pretty quickly (the DNS server it
> uses is on the local box, as is the zone for the domain).

Well, it nevertheless could be a DNS related problem. The self
referring reverse entries are not that much of a matter. What takes
time most times this behavior is seen is the reverse resolving of the
connecting client.

So what's your 'tcpserver ... qmail-smtpd' invocation line[1]?

[1]: ps auxwww | grep '[t]cpserver .*qmail-smtpd'

-- 
Best regards
Peter Palmreuther

Progress is made on alternate Fridays.
[vchkpw] Re: Domain with home!= ~vpopmail/domains
Hello jasmine,

Friday, April 16, 2004, 3:05:20 AM, you wrote:

> > > I got strange problem. I don't know when (what version) but
> > > suddenly a domain that have different that ~vpopmail/domains
> > > home stopped authorizing using vchkpw.
> > > [...]
> > > Is this a bug in vchkpw?
> >
> > Probably not. What user is qmail-popup run as? Probably not a user
> > (UID) that is allowed to chdir() to 'klub.olga.pl' domain directory
> > or read vchkpw.cdb in there?
>
> What user should qmail-popup run as? mine runs as root.

From PoV authentication this should be OK.

> And my problem is that my vuser isn't being authenticated at all!

What do the logs say? [tm]

P.S.: Please respond to the list, I've set 'Reply-To' and
'Mail-FollowUp-To' accordingly.

-- 
Best regards,
Peter
[vchkpw] Re: read receipt things...
Hello Tom,

On Wednesday, April 14, 2004 at 4:02:56 PM you wrote (at least in part):

> > I'm not sure what these 'read receipt' emails are with the
> > winmail.dat files attached, I will, for now, assume they are some
> > new form of virus, as they have come in via many different
> > addresses.
>
> Actually, it's Peter Palmreuther's fault, he included a return
> receipt request in the following email (Disposition-Notification-To).

This is actually true and I'm deeply sorry. I still don't know what set
this flag over here, for sure it wasn't set intentionally. Must have
been set by accident and I wasn't able to find other recent mails of
mine that have it set. So it's not (as I first assumed) a
misconfiguration over here and it should NOT continue to appear in
mails from me. I don't usually make any use of this option, so it must
have been activated accidentally, maybe my cat walked the keyboard and
I did not recognize the reading confirmation was turned on.

> A good solution would be to add that header to the headerremove file
> for this list.

100% ACK. Not only for preventing me stupid (my cat) doing this
accidentally again, but also for all those male-configured Outlook and
Outlook Express installations out there. Getting your mail I
immediately searched if I sent other mails with read confirmation set
as well and it turned out this was (luckily) my only one, but within
the last year there were 58 mails from different people having this
flag set.

I can only repeat I'm really sorry for this inconvenience :-(

-- 
Best regards
Peter Palmreuther

Pros are those who do their jobs well even when they don't feel like it.
[vchkpw] Re: How to avoid rblsmtpd for smtp authenticated users
Hello Devendra,

On Monday, April 12, 2004 at 12:42:53 PM you wrote (at least in part):

> Is it possible to not to do rblsmtpd look-up for smtp-authenticated
> users?

No, because rblsmtpd looks up the IP before SMTP-AUTH is (or can be)
done.

-- 
Best regards
Peter Palmreuther

Since we're all here, we must not be all there. -- Bob Mountain Beck
[vchkpw] Re: pros and cons of smtp auth and pop before smtp
Hello Jeff,

On Monday, April 12, 2004 at 4:48:28 PM you wrote (at least in part):

> 2. pop before smtp?
> - creates problems with qmail-scanner. Servers authorized to relay
>   skip qmail-scanner virus checks.

*err* _Clients_ authorized to relay skip qmail-scanner _SpamAssassin_
checks. But there is nothing that prevents you from editing the
qmail-scanner source code (pure Perl) and changing the line that checks
for $RELAYCLIENT and skips the SA-tests. Make the 'if' statement always
return false (e.g. by prepending '0 && ' in front of
'defined($ENV{'RELAYCLIENT'})') and you're done. Or alter the vpopmail
sources to set QS_SPAMASSASSIN additionally to RELAYCLIENT for POP3
authenticated users.

-- 
Best regards
Peter Palmreuther

Man steps in with a terminal grin... blue skies turn to grey...
[vchkpw] Re: a lost passwords files
Hello David,

On Monday, April 12, 2004 at 11:22:47 PM you wrote (at least in part):

> it's very important for me to keep the original passwords for each
> user...How can import the passwords files

Put the encrypted password from the sqwebmail password files in the
vpopmail password field. If you enable --learn-password for your new
vpopmail it should fill the clear password fields automatically after
successful authentication done by the user.

-- 
Best regards
Peter Palmreuther

What do you call a sorority girl with a runny nose? Full.
[vchkpw] Re: Domain with home!= ~vpopmail/domains
Hello Marcin,

On Wednesday, April 7, 2004 at 11:44:05 PM you wrote (at least in part):

> > > I got strange problem. I don't know when (what version) but
> > > suddenly a domain that have different that ~vpopmail/domains
> > > home stopped authorizing using vchkpw.
> > > [...]
> > > Is this a bug in vchkpw?
> >
> > Probably not. What user is qmail-popup run as? Probably not a user
> > (UID) that is allowed to chdir() to 'klub.olga.pl' domain directory
> > or read vchkpw.cdb in there?
>
> I use mysql backend. qmail-popup runs as vpopmail and klub.olga.pl is
> 770 for apache.vchkpw what is corresponding to /var/qmail/users/assign.

So go on and debug manually where it fails:

  su -c 'printf [EMAIL PROTECTED] | \
    strace -fF -o /tmp/x -s 4096 \
    ~vpopmail/bin/vchkpw printenv 3<&0 || echo Failed: $?' - vpopmail

Inspect /tmp/x where vchkpw failed. This assumes you're:

- running Bash
- using Linux

If you're not using Linux but a *BSD replace 'strace' with an
appropriate call to 'truss'.

> Why does Hawaii have interstate highways? And why..?

Don't know. It's a tagline from a 2k+ lines file, randomly chosen (not
even by myself, but by my MUA).

-- 
Best regards
Peter Palmreuther

Mankind has been on a bad trip for a long time now.
[vchkpw] Re: Domain with home!= ~vpopmail/domains
Hello Marcin,

On Wednesday, April 7, 2004 at 10:53:32 AM you wrote (at least in part):

> I got strange problem. I don't know when (what version) but suddenly
> a domain that have different that ~vpopmail/domains home stopped
> authorizing using vchkpw.
> [...]
> Is this a bug in vchkpw?

Probably not. What user is qmail-popup run as? Probably not a user
(UID) that is allowed to chdir() to 'klub.olga.pl' domain directory or
read vchkpw.cdb in there?

-- 
Best regards
Peter Palmreuther

Why does Hawaii have interstate highways?
[vchkpw] Re: Making vpopmail recognize # as @
Hello Eduardo,

On Tuesday, April 6, 2004 at 8:31:17 PM you wrote (at least in part):

> I need to make vpopmail recognize user#domain.com as the same way it
> recognizes [EMAIL PROTECTED]. Is there a way to do it changing
> configuration files or I'll have to edit the source code/include
> files and recompile?

You have to recompile. Edit 'vpopmail.h', the line that says:

  #define ATCHARS "@%/"

-- 
Best regards
Peter Palmreuther

Government is a burden on the people.
[vchkpw] Re: Making vpopmail recognize # as @
Hello Eduardo,

On Tuesday, April 6, 2004 at 8:58:28 PM you wrote (at least in part):

> > I need to make vpopmail recognize user#domain.com as the same way
> > it recognizes [EMAIL PROTECTED].
>
> It's needed only when RECEIVING messages via SMTP.

Then forget about my previous answer and forget about a solution.
You'd have to hack qmail for it to recognize the '#' first before you
could enter editing vpopmail sources. qmail will, without
modifications, not be able to find the domain part of a mail addressed
to 'user#domain.com', it'll append '/var/qmail/control/defaulthost'
and handle the mail according to how this 'defaulthost' is set up.
You'll have to make qmail check for '#' first and translate it into
'@'.

Might be better to enforce that incoming mail is addressed correctly
and according to a few RFCs with '@' as domain delimiter, instead of
'#'.

-- 
Best regards
Peter Palmreuther

C'mon everybody, here we gooo! Off to Neverland! - Peter Pan
[vchkpw] Re: Blackholing a sender
Hello Devendra,

On Friday, April 2, 2004 at 7:26:47 AM you wrote (at least in part):

> This gives me a clue that perhaps we should be able to do it using
> qmail-scanner-queue.pl code. Let me try it out. If anyone else too
> can give some pointer on this angle do let us know.

qmail_requeue() seems to be the function that passes the mail to
qmail-queue after qmail-scanner has processed it. So before the AV- and
spam-check simply check for $sender (or $env_returnpath, or whatever
the variable is named at the location you introduce the check) and
instead of init_scanners call the requeue with a different recipient
($env_recips or the like). The new recipient should be a
local/virtualdomain recipient address that has a blackholed delivery:
a dot-qmail file containing only one line:

,- [ .qmail-blackhole ]
| #
`-

HTH

-- 
Best regards
Peter Palmreuther

All Tagelines are currently busy. Please try again later.
[vchkpw] Re: pw_gid flags was: OT: Radius server
Hello Charles,

On Friday, April 2, 2004 at 6:21:55 AM you wrote (at least in part):

> I hope this isn't some kind of bitmasking thing, because that just
> makes my head spin.

That is exactly what it is...

> So how does one deal with that?

Carefully.

> How does this work?

Good. :-)

OK, an example:

PW_GID is set to 44 (0x2C), that's 0x04 + 0x08 + 0x20, means
NO_WEBMAIL, NO_IMAP & NO_RELAY. To figure if the user is set to
NO_DIALUP check:

  PW_GID & 64 (0x40 for NO_DIALUP):
  44 & 64 = 0
  0x2C & 0x40 = 0

Or in binary notation:

  00101100 & 01000000 == 00000000 = 0x00 == 0 decimal.

So this user has not NO_DIALUP set.

Now imagine a user set to NO_DIALUP, NO_WEBMAIL and NO_RELAY:

  0x04 + 0x20 + 0x40 = 0x64
  4 + 32 + 64 = 100 (decimal)

  PW_GID & 64 (0x40 for NO_DIALUP):
  100 & 64 = 64 (decimal)
  0x64 & 0x40 = 0x40
  01100100 & 01000000 == 01000000 = 0x40 == 64 decimal.

So to see if a flag is set, AND operate on PW_GID and FLAG and see if
the result is different from zero. As every flag gets a different bit
assigned, this bit, and only this bit, will be set when you AND operate
and this bit was set in PW_GID's value.

In C it is really quite easy to handle and most programming languages
should be able to bit-operate with integer values too. So you wouldn't
even have to convert PW_GID into a real bitmask, in fact the integer
already is one: just use an arbitrary calculator to translate an
arbitrary decimal value into binary representation. Now translate all
the hex values for different flags into binary and you'll see: they
all have /exactly/ one bit set to 1. Not more, not less.

And this is all about how it works :-)

HTH

-- 
Best regards
Peter Palmreuther

Once a job is fouled up, anything done to improve it only makes it worse.
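The AND test above worked through in code, as an added example that is not part of the original mail: the flag values are the four the mail names (vpopmail defines further pw_gid bits, which are left out here), and explain() prints the mail's decimal, hex and binary notations side by side.

```python
# Added example, not code from the mail: vpopmail's pw_gid is a plain integer
# whose bits are flags.  The values below are the four named in the mail;
# vpopmail defines more bits, which are deliberately left out here.
FLAGS = {
    "NO_WEBMAIL": 0x04,
    "NO_IMAP": 0x08,
    "NO_RELAY": 0x20,
    "NO_DIALUP": 0x40,
}


def has_flag(pw_gid: int, flag: int) -> bool:
    """A flag is set exactly when AND-ing it with pw_gid leaves something non-zero."""
    return (pw_gid & flag) != 0


def decode_flags(pw_gid: int) -> list:
    """Names of every known flag set in pw_gid, lowest bit first."""
    return [name for name, bit in sorted(FLAGS.items(), key=lambda kv: kv[1])
            if has_flag(pw_gid, bit)]


def gid_from_names(names) -> int:
    """Build a pw_gid value by OR-ing the named flags together."""
    value = 0
    for name in names:
        value |= FLAGS[name]
    return value


def set_flag(pw_gid: int, flag: int) -> int:
    return pw_gid | flag


def clear_flag(pw_gid: int, flag: int) -> int:
    return pw_gid & ~flag


def is_single_bit(value: int) -> bool:
    """True when exactly one bit is set.  Every flag constant must pass this,
    otherwise two flags would overlap and the AND test could not tell them apart."""
    return value > 0 and (value & (value - 1)) == 0


def explain(pw_gid: int, flag: int) -> str:
    """The mail's three notations side by side: decimal, hex and binary."""
    result = pw_gid & flag
    return (f"{pw_gid} & {flag} = {result}; "
            f"0x{pw_gid:02X} & 0x{flag:02X} = 0x{result:02X}; "
            f"{pw_gid:08b} & {flag:08b} = {result:08b}")


if __name__ == "__main__":
    # the two users from the mail: pw_gid 44 and pw_gid 100
    for gid in (44, 100):
        print(gid, decode_flags(gid), "|", explain(gid, FLAGS["NO_DIALUP"]))
```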
[vchkpw] Re: SMTP-Auth question
Hello Erwin,

On Thursday, April 1, 2004 at 3:23:49 PM you wrote (at least in part):

> [RELAYCLIENT set to something different than ""]
> 2. Relayclients identified by POP-b4-SMTP carrying RELAYCLIENT=P4S
>    (sample). Ok. qmail-smtpd will append this string to the Recipient
>    address ([EMAIL PROTECTED] = [EMAIL PROTECTED]). However, using
>    ie. ksh capabilities you can do ${RECIPIENT%P4S} thus retaining
>    the old RECIPIENT variable.

Why would you want to fork more processes and waste more resources
than necessary when a SMTP-connection is about to be accepted?

> Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask
> for Authentication.

No. It'll /OFFER/ SMTP-AUTH, for those that want to set up their mail
client to always use SMTP-AUTH instead of relying on a formerly done
POP3. You absolutely don't have to make ANY use of this offer. If your
IP is set to RELAYCLIENT="" by a former POP3 (or whatever) connection,
or even is set statically to be allowed to relay, the MUA can simply
go on in the SMTP dialog:

  EHLO _
  MAIL FROM:<>
  RCPT TO:<[EMAIL PROTECTED]>
  DATA
  qwertzuiop
  .
  QUIT

The MUA can and should ignore the initial (after EHLO) greeting
telling about smtpd's capabilities, if not explicitly set to do
SMTP-auth.

> If I understood correctly, that's *EXACTLY* what should be avoided.

I read this:

,- [ mid:[EMAIL PROTECTED] ]
| Is there any way to set up SMTP-Auth, while still allowing pop-b4-smtp?
| So far when I've rebuilt the system with SMTP-Auth patching, it will
| ONLY accept SMTP-Auth to allow relaying... :(
`-

as follows:

- I want both methods, SMTP-Auth and POP3-b4-SMTP, for allowing a
  client to relay.
- I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
  already set RELAYCLIENT=""

But maybe I got it wrong ... Joel?

-- 
Best regards
Peter Palmreuther

Can you imagine a world without men?? No crime and lots of happy, fat women.
[vchkpw] Re: Blackholing a sender
Hello Devendra,

On Thursday, April 1, 2004 at 8:29:02 AM you wrote (at least in part):

> [blackholing a sender]
> I wished not to give the sender any clue as why his mail is
> disappearing -- blackholed.

Write your own qmail-queue replacement that filters for sender and
drops mails from the notorious. All other mail is then passed to
qmail-queue as usual. This way you don't have to fiddle with qmail
sources, you only have to have a QMAILQUEUE-patched qmail. If this
sender is worth the work ... additionally others might benefit from
your work, maybe there are other people that like to really blackhole
some senders instead of simply rejecting their messages.

-- 
Best regards
Peter Palmreuther

In the middle of a fight, a hockey game broke out.
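A qmail-queue replacement of the kind described above, as an added example that is neither Peter's code nor part of vpopmail or qmail: it reads the qmail-queue interface (message on fd 0, envelope on fd 1), drops mail whose envelope sender is on a list, and hands everything else to the real qmail-queue. The path of the real qmail-queue, the sender list and the log line are assumptions of this demo; it is installed by pointing QMAILQUEUE at the script, and the 91 exit code is qmail-queue's documented code for a malformed envelope.

```python
import os
import subprocess
import sys

# Added example, not code from the mail.  Paths and the sender list below are
# constructed for the demo.
REAL_QMAIL_QUEUE = "/var/qmail/bin/qmail-queue"          # assumed install path
# exact addresses, or "@domain" to drop a whole sender domain (constructed)
BLACKHOLE = {"spammer@example.org", "@junk.example"}


def parse_envelope(env: bytes) -> tuple:
    """Decode qmail-queue's envelope: 'F' sender NUL, then 'T' recipient NUL
    for each recipient, then a final NUL.  Returns (sender, [recipients])."""
    if not env.startswith(b"F"):
        raise ValueError("envelope must start with F")
    parts = env[1:].split(b"\0")
    # a well-formed envelope ends with NUL NUL, which split() turns into two
    # trailing empty strings
    if len(parts) < 2 or parts[-1] != b"" or parts[-2] != b"":
        raise ValueError("envelope not terminated by double NUL")
    sender = parts[0].decode("utf-8", "surrogateescape")
    recipients = []
    for item in parts[1:-2]:
        if not item.startswith(b"T"):
            raise ValueError("recipient entry must start with T")
        recipients.append(item[1:].decode("utf-8", "surrogateescape"))
    return sender, recipients


def should_drop(sender: str, blackhole=BLACKHOLE) -> bool:
    """Match the envelope sender (case-insensitively) against the list.
    An empty sender is a bounce and is never dropped."""
    addr = sender.lower()
    if not addr:
        return False
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return addr in blackhole or bool(domain and "@" + domain in blackhole)


def read_fd(fd: int) -> bytes:
    chunks = []
    while True:
        chunk = os.read(fd, 65536)
        if not chunk:
            return b"".join(chunks)
        chunks.append(chunk)


def run_real_queue(message: bytes, envelope: bytes) -> int:
    """Re-feed message (fd 0) and envelope (fd 1) to the real qmail-queue."""
    msg_r, msg_w = os.pipe()
    env_r, env_w = os.pipe()
    child = subprocess.Popen([REAL_QMAIL_QUEUE], stdin=msg_r, stdout=env_r)
    os.close(msg_r)
    os.close(env_r)
    # qmail-queue reads fd 0 to EOF before it looks at fd 1, so write in that
    # order; closing the message pipe first avoids a deadlock on big messages
    with os.fdopen(msg_w, "wb") as f:
        f.write(message)
    with os.fdopen(env_w, "wb") as f:
        f.write(envelope)
    return child.wait()


def main() -> int:
    message = read_fd(0)
    envelope = read_fd(1)
    try:
        sender, recipients = parse_envelope(envelope)
    except ValueError as err:
        sys.stderr.write(f"blackhole-queue: {err}\n")
        return 91                      # qmail-queue: envelope format error
    if should_drop(sender):
        # log the drop locally so it stays auditable, then report success to
        # qmail-smtpd: the sender only ever sees "250 ok"
        sys.stderr.write(f"blackhole-queue: dropped <{sender}> -> {recipients}\n")
        return 0
    return run_real_queue(message, envelope)


if __name__ == "__main__":
    sys.exit(main())
```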
[vchkpw] Re: Blackholing a sender
Hello Devendra,

On Wednesday, March 31, 2004 at 6:52:31 AM you wrote (at least in part):

> > > I have a peculiar requirement of just trashing a particular Mail
> > > From: to any of the virtual domains hosted on a Server.
> >
> > echo SENDERADDRESS >> /var/qmail/control/badmailfrom
>
> Thanks for your solution. But, the badmailfrom would give a bounce
> from qmail-smtpd (MTA).

No, it'd give a 5xx code from your qmail-smtpd and the bounce is
created by somebody else. Your system does /NOT/ bounce the message,
it just rejects it. Whether the other side bounces is not within your
responsibility.

> I just wanted to blackhole it, without sending any intimation even if
> it violates any RFC.

Then you have two options:

1) hacking qmail source to read a dev-null list and deliver all mails
   with sender address on this list to /dev/null (i.e. to drop the
   message)
2) manipulate all dot-qmail files that could be involved in a delivery
   and check if the message came from $BAD_SENDER. If so exit(99) from
   this check and no further delivery instructions in this dot-qmail
   file will be processed.

Quite a lot of work to do, and you'd have to take care of all newly
created dot-qmail files in your setup.

-- 
Best regards
Peter Palmreuther

COBOL: Crappy Obsolete Butthead Oriented Language.
[vchkpw] Re: SMTP-Auth question
Hello Erwin,

On Wednesday, March 31, 2004 at 10:09:29 AM you wrote (at least in part):

> In case a client is accepted via pop-4-smtpd, the $RELAYCLIENT
> environment variable is set. It might be useful to define this
> variable explicitely, ie. RELAYCLIENT=PB4S.

No. It will, for sure, not be useful.

,- [ man qmail-smtpd ]
| [...]
| Exception: If the environment variable RELAYCLIENT is
| set, qmail-smtpd will ignore rcpthosts, and will
| append the value of RELAYCLIENT to each incoming
| recipient address.
| [...]
`-

Setting RELAYCLIENT to something different than an empty string is
only useful when one KNOWS what he/she does. The overwhelming majority
only wants RELAYCLIENT to unlock relay restrictions and therefore has
to set it empty.

> Check it and call qmail-smtpd without any arguments. In case the
> variable is not set or empty, call qmail-smtpd with the proper SMTP
> Auth args.

This whole wrapper-stuff should not be necessary. If tcpserver sets
RELAYCLIENT due to .cdb or SQL-lookup it'll be passed to qmail-smtpd.
qmail-smtpd then will allow relaying even w/o SMTP-Auth. I'm running a
SMTP which offers SMTP-Auth and POP3-b4-SMTP and it works w/o any
wrappers at all. The SMTP-Auth patch simply sets RELAYCLIENT for
qmail-smtpd /WHEN/ someone authenticated successfully; if not, the
formerly set RELAYCLIENT (passed as ENV-var from tcpserver, when set)
is not reset when authentication fails.

@Joel: How about this:

Copy your current qmail-smtpd invocation, remove all the 'qmail-smtpd
foo bar bla' stuff and replace it with a simple '/usr/bin/env'. Make
the tcpserver listen on port 26. Prepend an environment clearing 'env'
call. Start the stuff on the command line. It can be something similar
to this:

  env -i PATH=/var/qmail/bin:/usr/local/bin tcpserver -vRX \
    0 26 /usr/bin/env

(plus adding the stuff necessary for tcpserver reading the database
for potentially set environment vars like RELAYCLIENT)

Then connect to this server from a client-IP that should be set to
relaying allowed (e.g. by formerly executed POP3 authentication):

  telnet $SERVER 26

You should see a line with PATH=... and some TCPREMOTExxx and
TCPLOCALxxx lines. Additionally you should see a line 'RELAYCLIENT='.
If this is there and your qmail-smtpd invocation looks up the same
database for possible RELAYCLIENT settings try this:

  telnet $SERVER 35
  EHLO _
  MAIL FROM:<>
  RCPT TO:<[EMAIL PROTECTED]>
  QUIT

If this fails: please post the error you get, your qmail-smtpd startup
script and the result of the above 'env'-test.

-- 
Best regards
Peter Palmreuther

Boob's Law: You always find something in the last place you look.
[vchkpw] Re: Blackholing a sender
Hello Devendra,

On Tuesday, March 30, 2004 at 4:07:31 PM you wrote (at least in part):

> > > I have a peculiar requirement of just trashing a particular Mail
> > > From: to any of the virtual domains hosted on a Server.
> >
> > echo SENDERADDRESS >> /var/qmail/control/badmailfrom
>
> In that case even I do not want to bounce the mail just trash
> (/dev/null) it.

Using badmailfrom is like /dev/null'ing for you. You'll neither see
the bounce nor does your qmail have to handle it (even if it can't be
delivered). That's the absolutely easiest and cleanest solution for
that problem.

-- 
Best regards
Peter Palmreuther

He who laughs last uses OS/2.
[vchkpw] Re: qscanq + qmail-spamc
Hello Jeremy, On Thursday, March 25, 2004 at 6:18:33 PM you wrote (at least in part): Your question is not related to vpopmail, it should probably be on the qmail mailing list. That being said: ACK. And to make a long story short my diff follows as hint how your suggested patch can look like ... I have just setup qscanq to drop the load on the mail server a bit and I have also compiled the qmail-spamc wrapper from spamassassin, but im now stuck as to how to call them both with the qmailqueue patch. Has someone done this that can give me a hint as to how your calling them one after the other? both of them call qmail-queue to deliver the email. You can easily edit the simple c code of either wrapper to call a different program. I would suggest calling qscanq first, then qmail-spamc, as there's no sense in checking a message for spam if it's a virus. Over here I've changed it like this: ,- [ ] | --- qscanq-0.38.orig/src/conf-qmailqTue Mar 9 12:59:15 2004 | +++ qscanq-0.38/src/conf-qmailq Wed Mar 10 22:15:00 2004 | @@ -1,3 +1,4 @@ | +/usr/local/sbin/qmail-spamc | /var/qmail/bin/qscanq | | The first line of this file gives the full path to the folder to which | [EMAIL PROTECTED]:/package/mail# diff -u qscanq-0.38.orig/src/Makefile qscanq-0.38/src/Makefile | --- qscanq-0.38.orig/src/Makefile Tue Mar 9 12:59:15 2004 | +++ qscanq-0.38/src/MakefileWed Mar 10 22:24:34 2004 | @@ -111,9 +111,9 @@ | ./compile auto_qmailbin.c | | auto_qmailq.c: auto-strarr conf-qmailq | - ./auto-strarr auto_qmailq `head -1 conf-qmailq`/qmail-queue \ | + ./auto-strarr auto_qmailq `head -1 conf-qmailq` \ | auto_qmailq.c.tmp mv auto_qmailq.c.tmp auto_qmailq.c | - | +#/qmail-queue | auto_qmailq_destdir.c: auto-str conf-qmailq | ./auto-str auto_qmailq_destdir `head -1 conf-qmailq` \ | auto_qmailq_destdir.c.tmp mv auto_qmailq_destdir.c.tmp \ `- -- Best regards Peter Palmreuther Paint a number on her head and Sinead's a billiard ball.
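Review bot: the context line kept in conf-qmailq still documents the first line as "the full path to the folder", while the new first line /usr/local/sbin/qmail-spamc is a program and the old folder line /var/qmail/bin/qscanq is pushed down to line 2, which none of the visible Makefile rules read (both use `head -1 conf-qmailq`); update that comment to say what the first line now means, and state in the mail that qmail-spamc itself has to be set up to call the real qmail-queue, otherwise the chain ends at qmail-spamc.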
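Review bot: the auto_qmailq rule drops the /qmail-queue suffix, but the auto_qmailq_destdir rule two lines below still runs `./auto-str auto_qmailq_destdir \`head -1 conf-qmailq\`` and now receives the program path /usr/local/sbin/qmail-spamc where it used to get a directory; either point that rule at the second line of conf-qmailq or check every use of auto_qmailq_destdir before applying this. The added `+#/qmail-queue` line is a stray comment sitting between two rules that explains nothing; drop it or turn it into a note on why the suffix went away.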
[vchkpw] Re: Move to new server
Hello Kit,

On Monday, March 15, 2004 at 2:45:37 AM you wrote (at least in part):

> Here is what I plan on doing:
> vadddomain each domain on the new server
> Stop qmail-smtpd on the old server
> Stop POP on the old server
> rsync domain directories from old-new
> Change DNS so new server responds on old servers name

What about

- vadddomain
- change DNS for A records pointing to new IP
- 1 * * * * /usr/local/sbin/sync_the_two

,- [ /usr/local/sbin/sync_the_two ]
| #!/bin/sh
| PATH=/var/qmail/bin:/usr/bin
| # strip everything but the digits of the queue counters
| nmails=`qmail-qstat | tr -d '[a-zA-Z0: \n]'`
| # only sync while the queue is empty
| if [ -z "$nmails" ]; then
|   exec rsync $PARAM
| fi
`-

This way you'll not have any downtime of your services, have no problem
with the existing queue and have all mails on the new server. The worst
that can happen is somebody getting a/some mail/s twice when

- you rsync
- they first POP3 using the old IP (their DNS might not have reflected
  the changes at this point)
- they POP3 again but this time use the new IP (their upstream DNS
  updated its cache, e.g. because expire was reached).

This risk can be minimized by using the '--delete' parameter for rsync,
as this should delete files not existing at $old, as long as the rsync
call is between the two POP3 sessions. If you care too much about twice
fetched messages stop SMTP and POP3 /after/ you changed DNS and before
you rsync the first time, this'll keep the outage at a minimum.
Nevertheless rsync regularly, moving the queue over can be a PITA as
qmail is quite picky about the queue structure. A minimum of difference
between the two systems and the queue might be corrupted.

-- 
Best regards
Peter Palmreuther

To a dog his owner is Napoleon; hence their popularity.
[vchkpw] Re: Howto block querys from user?
Hello List,

On Sunday, March 14, 2004 at 3:45:52 PM [EMAIL PROTECTED] wrote (at least in part):

> Mar 14 15:29:26 icebear vpopmail[3787]: vchkpw-pop3: vpopmail user not found web150p1@:217.233.6.196
> [...]
> Have someone of you an idea how I can block these user or how I can
> add this IP temp. into iptables?

  $ echo '217.233.6.196:deny' >> ~vpopmail/etc/tcp.smtp
  $ clearopensmtp

Assuming your tcp.smtp file is located in ~vpopmail/etc. You'll not
need to make an effort and configure IPTABLES, tcpserver is able to
reject the connection by itself (when told in the .cdb file).

-- 
Best regards
Peter Palmreuther

The Greatest of Faults Is To Be Conscious of None
[vchkpw] Re: Howto block querys from user?
Hello Jeremy,

On Sunday, March 14, 2004 at 4:51:45 PM you wrote (at least in part):

> > > Mar 14 15:29:26 icebear vpopmail[3787]: vchkpw-pop3: vpopmail user not found web150p1@:217.233.6.196
> > > [...]
> > > Have someone of you an idea how I can block these user or how I
> > > can add this IP temp. into iptables?
> >
> >   $ echo '217.233.6.196:deny' >> ~vpopmail/etc/tcp.smtp
> >   $ clearopensmtp
> >
> > Assuming your tcp.smtp file is located in ~vpopmail/etc. You'll
> > not need to make an effort and configure IPTABLES, tcpserver is
> > able to reject the connection by itself (when told in the .cdb
> > file).
>
> but what you missed is that this is a pop3 connection.

Actually it's not that hard to figure:

- this .cdb file is used by tcpserver
- the tcpserver of the POP3 process can use one too
- one can enter the same line into a different text file and make an
  appropriate .cdb file from it, or tell the POP3 server to use the
  same .cdb file as the SMTP server; qmail-popup and qmail-pop3d will
  not be disturbed by set RELAYCLIENT or even QMAILQUEUE variables.

Somebody who deals with his own mail server I simply expect to be able
to read documentation to make it as secure as possible. When this
person got a hint I expect it to be able to carry over this knowledge
to other problems as well. That's the responsibility someone has when
he/she wants to have his/her own server. Sorry for that opinion.

-- 
Best regards
Peter Palmreuther

Death is God's way of telling you not to be such a wise guy.
[vchkpw] Re: Howto block querys from user?
Hello List,

On Sunday, March 14, 2004 at 4:57:06 PM [EMAIL PROTECTED] wrote (at least in part):

> > > Mar 14 15:29:26 icebear vpopmail[3787]: vchkpw-pop3: vpopmail user not found web150p1@:217.233.6.196
> > > [...]
> > > Have someone of you an idea how I can block these user or how I
> > > can add this IP temp. into iptables?
> >
> >   $ echo '217.233.6.196:deny' >> ~vpopmail/etc/tcp.smtp
> >   $ clearopensmtp
> >
> > Assuming your tcp.smtp file is located in ~vpopmail/etc. You'll
> > not need to make an effort and configure IPTABLES, tcpserver is
> > able to reject the connection by itself (when told in the .cdb
> > file).
>
> Will I have a chance to fight against BruteForce-Attacks?

No. Not this way. You'll need a patch discussed not long ago which logs
the login attempts and reacts according to this data. Have a look at
the archive for further information. The subject of the corresponding
thread was

  Heureka! Finished POP3-Frequency-Patch (against bruteforcing)

initiated by knom knom19 at gmx.net

-- 
Best regards
Peter Palmreuther

Wealthy people are no happier than those of modest means.
[vchkpw] Re: Aliases and forwards
Hello,

On Sun, Feb 29, 2004 at 11:25:05PM +0100, Mathias Haas wrote:

> Maybe the first questions should be: Where can I find some good info
> on the 'vaddaliasdomain'- command in vpopmail?

UTSL[0]

> The little documentation I've found is sparse. I assume I haven't
> searched in the right places. =)

Maybe you should simply read the qmail documentation, understand it,
use 'vaddaliasdomain', see which files it affects[1] and get the idea
how simply this program works.

> Do you need an existing account to add an alias or foward from in
> Qmail,

No. Bouncing mails because of "No Mailbox here by that name" can be
generated even with 500 forwarding instructions, each pointing to the
next.

> It's possible to do this in qmailadmin without errors, so that is
> why I'm asking.

Forwards: yes. Aliases: No. Nevertheless aliases to non existing
mailboxes could be created manually using dot-qmail files (and
qmailadmin does nothing else than manipulating dot-qmail files and if
necessary vpasswd{,.cdb}).

> If you use the 'vaddaliasdomain' command, can you erase all accounts
> in the forwarded domain?

An 'aliased' domain is not the same as a 'forwarded' one. So the
answer is: No. A domain alias ends in all aliased domains using the
same data. So if you delete or add or change anything in one of them
you alter it for all of them. Aliasing a domain only creates a
different name this domain can be dealt with.

> How can you tell if you have used the 'vaddaliasdomain' with
> vpopmail?

By examining files of [1].

> (Is it /var/qmail/users/assign ?) How do I interprete this file if
> that's the one?

man qmail-users

[0] http://www.acronymfinder.com/af-query.asp?Acronym=UTSL
[1] /var/qmail/users/{assign,cdb}

-- 
Best regards
Peter
[vchkpw] Re: Problems with SMTP Relay
Hello,

On Fri, Feb 27, 2004 at 10:57:37AM -0300, Juliano Primavesi - CyberWeb Networks wrote:

> > Your other option is to run the mysql patch for tcpserver. This
> > lets tcpserver lookup the relay table instead of using the cdb. Far
> > more efficient in my finding so far.
>
> Where can I find this patch?

In the Internet. From the "Feeling lucky" result[1] of a very popular
search engine[0] it's only one click[2]. It really ain't that hard to
/use/ the Internet and its abilities.

[0] Guess what, yes I'm talking about Google.
[1] http://www.tnpi.biz/internet/mail/qmail/qmail.toaster1.5.shtml
[2] tcpserver Mysql patch:
    http://www.tnpi.biz/internet/mail/toaster/patches/tcpserver-mysql.shtml

-- 
Best regards
Peter
[vchkpw] Re: vpopmail - stunnel
On Wed, Feb 25, 2004 at 01:45:53PM -0500, Jeff Koch wrote:

> > > I have started seeing stunnel processes owned by vpopmail in the
> > > process log. Can anyone explain what that's about? or should I
> > > be concerned?
> > >
> > > vpopmail 6977 0.0 0.0 3272 848 ? S Feb19 0:00 /usr/sbin/stunnel -f -p /var/qmail/control/servercert.pem -l /var/qma
> >
> > Probably POP, IMAP or SMTP over SSL. If you get a longer listing
> > (ps auxw) you'd probably see that it's qmail-popup or qmail-smtpd
> > running.
>
> Thanks. That's interesting. So we can do encrypted smtp and pop or
> imap sessions without bothering with PGP?

PGP does not encrypt a 'SMTP|POP3|IMAP4' /session/, but the /message
content/. SSL in fact does only encrypt the 'session', i.e. the
transfer from 'client A to server B'. PGP (& Co.) protects your mail
from being read by /anybody/ without the proper key, SSL protects your
mail from being intercepted and read in transport over the SSL
encrypted path. This means: if you SSL connect to your primary SMTP
server your message is 'safe'. If this very server sends the mail out
using a not SSL protected connection anybody else can again read it,
if he somehow manages to fetch the packets.

> Any idea which email clients support that?

There're some: Lookout Quickly can do, IIRC, so can 'The Bat!',
'Pocomail', 'Becky' and Eudora (to name the Windows fraction). Some of
them even can 'STARTTLS'. For *nix there are also a few: I know at
least about 'mutt' and 'Sylpheed', but I'm quite sure 'Evolution' has
SSL support as well, if not it's on the straight way to having it.

SSL for mail issues at the client side is not that uncommon anymore,
albeit its use is rather limited. It can be of use if you send/receive
your mail using an external SMTP/POP3/IMAP server and do not want your
ISP to be able to read it.

For any unknown term or program: use Google to locate it or its
meaning, I'm too lazy to provide all applicable URLs. :-)

-- 
Best regards
Peter
[vchkpw] Re: Re: vpopmail - stunnel
On Wed, Feb 25, 2004 at 04:30:56PM -0500, X-Istence wrote:
>>> Any idea which email clients support that? [SSL]
>>
>> There're some: Lookout Quickly can do, IIRC, so can 'The Bat!', 'Pocomai', 'Becky' and Eudora (to name the Windows fraction). Some of them even can 'STARTTLS'. For *nix there are also a few: I know at least about 'mutt' and 'Sylpheed', but I'm quite sure 'Evolution' has SSL support as well, if not it's on the straight way to having it.
>
> Forgot to mention the lovely ThunderBird, which runs on both windows and Linux, BSD, Solaris, and many more. It's nice and fast, and easy to use.

Sure. It simply didn't come to my mind but is, of course, not the least in this list :-)

-- 
Best regards
Peter
[vchkpw] Re: Processing of .qmail files of users that have DOT (.) in username
Hello Aleksandar,

On Sunday, February 15, 2004 at 4:03:30 PM you wrote (at least in part):

> I have a problem in that vpopmail-5.4.0 doesn't process .qmail files of users that have a dot in the name, like [EMAIL PROTECTED]

What are the names of these dot-qmail files and where are they located?

-- 
Best regards
Peter Palmreuther

You don't sew with a fork, so I see no reason to eat with knitting needles.
[vchkpw] Re: a copy for all mails/all users to an adrress
Hello PIETRARU,

On Friday, February 13, 2004 at 12:58:00 PM you wrote (at least in part):

>> If you avoid usage of /ANY/ .qmail files in ~vpopmail/domains/domain/ you can misuse .qmail-default there.
>
> How do I do that? How do I use the .qmail file or how do I misuse the .qmail-default? I tried to modify .qmail-default but vdelivermail cannot permit moving the mails somewhere else.

man dot-qmail

-- 
Best regards
Peter Palmreuther

Politicians should read science fiction, not westerns and detective stories.
[vchkpw] Re: a copy for all mails/all users to an adrress
Hello PIETRARU,

On Thursday, February 12, 2004 at 12:06:24 PM you wrote (at least in part):

> Is it possible under vpopmail to make an alias to receive a copy of all the mails of all the users at a specific address?

Yes/No.

If you avoid usage of /ANY/ .qmail files in ~vpopmail/domains/domain/ you can misuse .qmail-default there. Else you'd have to follow:

,- [ http://cr.yp.to/qmail/faq/admin.html#copies ]
| How do I keep a copy of all incoming and outgoing mail messages?
|
| Answer: Set QUEUE_EXTRA to Tlog\0 and QUEUE_EXTRALEN to 5 in
| extra.h. Recompile qmail. Put ./msg-log into ~alias/.qmail-log.
|
| You can also use QUEUE_EXTRA to, e.g., record the Message-ID of
| every message: run
|
| | awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]-/ { print }'
|
| from ~alias/.qmail-log.
`-

And filter yourself.

-- 
Best regards
Peter Palmreuther

You don't have to be crazy, but it sure helps
[vchkpw] Re: multimaildir in .qmail
Hello Tom,

On Thursday, February 12, 2004 at 6:51:49 PM you wrote (at least in part):

> Here's my version of the patch, currently in CVS. The only thing I'm considering changing is the vexit(111) to return(0) to have it skip the mbox delivery instead of deferring the message.

Please, don't do this. This would potentially break the reliability factor. If a mail is silently dropped and a 'delivery successful' is returned I'd be not amused (to be polite) in case I search for the error. A 'temporary error while delivery' would give a more concrete hint and the message(s) wouldn't be lost. So the admin can correct the problem and there's nothing lost but a little time.

-- 
Best regards
Peter Palmreuther

Veni, Vedi, Visa. - I came, I saw, I did a little shopping.
[vchkpw] Re: Problem with qmail-scanner
Hello Devendra,

On Friday, February 6, 2004 at 11:34:34 AM you wrote (at least in part):

[QMAILQUEUE & RELAYCLIENT]

> In my Case I am using smtp-auth patch from http://www.fehcom.de/qmail/smtpauth.html

Don't know which version you're using, as I don't know when this site first listed 0.4.2. If you're using 0.31 it does not set RELAYCLIENT for authenticated users, 0.4.2 should set it.

> and it is calling spamassassin for the authenticated users sending out mails.

Perhaps the RELAYCLIENT is not set for authenticated users. Quite easy to check: 'strings /var/qmail/bin/qmail-smtpd | less' and search for 'RELAYCLIENT='.

-- 
Best regards
Peter Palmreuther

How do you tell when you run out of invisible ink?
[vchkpw] Re: qmail-scanner replacement
Hello Eduardo,

On Wednesday, February 4, 2004 at 5:08:21 PM you wrote (at least in part):

> I would like to know if there's some program to replace qmail-scanner (I don't even need the anti-spam feature, I wanna just scan my messages with ClamAV).

Yes. http://freshmeat.net/projects/qscanq/ - http://budney.homeunix.net:8080/users/budney/software/qscanq/

> I have lots of mail servers and some of them are too large to run things written in perl. I'm looking for something made with real programming language, like C or C++.

qscanq meets your requirements.

-- 
Best regards
Peter Palmreuther

Rave on darlin', rave on, I'll buy you clothes of rayon...
[vchkpw] Re: qmail-scanner replacement
Hello Tom,

On Wednesday, February 4, 2004 at 6:29:58 PM you wrote (at least in part):

> I am curious about qmail-qfilter though...

It's only a wrapper for you being able to use an arbitrary filter program. You'd have to write one that extracts the mail first and passes its parts to the AV-scanner nevertheless when using qmail-qfilter. All instructions in qmail-qfilter I've found point at least to shell scripts as interim, surely a plus over loading the Perl engine all the time, but not the goal IMHO.

qmail-qscan execs 'ripmime' (a C written program as well) to extract messages and then invokes the (for performance: hopefully C written) AV-scanner. It finally passes the message (when the AV test returned negative) to qmail-queue (unless one modified the config, as I did ;-) ). IMHO this is (from PoV performance) not comparable with qmail-qfilter or qmail-scanner. But if one does not need the full power of qmail-scanner a good choice as it seems.

-- 
Best regards
Peter Palmreuther

There is no 'I' in 'team', yet there is an MVP.
[vchkpw] Re: multimaildir in .qmail
Hello Tom,

On Tuesday, February 3, 2004 at 3:48:24 PM you wrote (at least in part):

>> I have two servers running vpopmail (5.3.27 on the first and 5.3.30 on the second), some users have a particular .qmail file (with some command executed with | command) and all work fine. The problem (on both versions) comes when I try to put a multiple maildir delivery command in the .qmail file, like this:
>>
>> ./Maildir/
>> ./Maildir2/
>
> I'm pretty sure that vdelivermail is assuming the second line is an address and not a Maildir since it doesn't contain the string /Maildir/. I'll look into updating vpopmail to do Maildir delivery if the line starts with . or /.

If you adjust the code, please adjust it in a way 'man dot-qmail' describes the syntax:

,- [ from 'man dot-qmail' ]
| (4) An mbox line begins with a slash or dot, and does not end with a slash:
|
|   /home/djb/Mailbox.sos
| ...
| (5) A maildir line begins with a slash or dot, and ends with a slash:
|
|   /home/djb/Maildir/
`-

If vdelivermail is (currently) unable to deliver to mailboxes, make it exit 111 when it hits a mailbox delivery instruction.

-- 
Best regards
Peter Palmreuther

Alimony: the screwing you get for the screwing you got.
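The classification rules Peter quotes from 'man dot-qmail', written out as a small classifier. This is an added illustration for the thread, not vdelivermail's code: `classify` follows the dot-qmail rules (comment, program, forward, mbox, maildir), `legacy_vdelivermail_kind` models the "/Maildir/"-substring heuristic Tom describes, and `plan_delivery` shows the deferral Peter asks for (exit 111 on an mbox line) instead of a silently skipped delivery. Blank lines are treated as comments here, which is a simplification.

```python
"""Classifier for dot-qmail lines following the rules quoted from
'man dot-qmail'. Added illustration for this thread, not vdelivermail's code.
It shows why './Maildir2/' is a maildir line and how deferring on an mbox line
(exit 111) would look. Blank lines are treated as comments (simplification)."""

EXIT_DEFER = 111    # qmail convention: temporary failure, delivery is retried


def classify(line):
    """Return (kind, value) for one dot-qmail line."""
    line = line.rstrip()
    if not line or line.startswith("#"):
        return ("comment", None)
    if line.startswith("|"):
        return ("program", line[1:].lstrip())
    if line.startswith("&"):
        return ("forward", line[1:])
    if line[0].isalnum():               # dot-qmail: treated as if '&' were prepended
        return ("forward", line)
    if line[0] in "/.":
        # rule (4)/(5): slash or dot start; trailing slash decides maildir vs mbox
        return ("maildir", line) if line.endswith("/") else ("mbox", line)
    return ("unknown", line)


def legacy_vdelivermail_kind(line):
    """Heuristic the thread attributes to vdelivermail at the time: a line is a
    maildir only if it contains '/Maildir/', anything else is an address."""
    return "maildir" if "/Maildir/" in line else "address"


def plan_delivery(lines):
    """Delivery plan for a .qmail file: maildir lines are delivered, forwards
    and programs recorded, and an mbox line (not supported by the delivery
    agent modelled here) defers the whole delivery with exit 111 instead of
    being silently skipped, so the message is retried and never lost."""
    plan = []
    for line in lines:
        kind, value = classify(line)
        if kind == "comment":
            continue
        if kind == "maildir":
            plan.append(("deliver", value))
        elif kind == "forward":
            plan.append(("forward", value))
        elif kind == "program":
            plan.append(("run", value))
        else:                            # mbox or unknown: stop and defer
            plan.append(("defer", EXIT_DEFER))
            break
    return plan


if __name__ == "__main__":
    for l in ("./Maildir/", "./Maildir2/", "/home/djb/Mailbox.sos", "| command"):
        print(l, "->", classify(l), "(legacy:", legacy_vdelivermail_kind(l) + ")")
    print(plan_delivery(["./Maildir/", "./Maildir2/"]))
```

Running it shows `./Maildir2/` classified as a maildir by the dot-qmail rules but as an address by the substring heuristic, which is exactly the behaviour Tom suspects.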
[vchkpw] Re: Problem with qmail-scanner
Hello Andrea,

On Tuesday, February 3, 2004 at 4:06:55 PM you wrote (at least in part):

>> An easier solution should be to add the following to your qmail-smtpd/run file:
>>
>> export QMAIL_QUEUE=/var/qmail/bin/qmail-scanner-queue
>>
>> And then restart qmail-smtpd.

First: Make the above 'QMAILQUEUE=...', without the underscore.

> In this case, I apply the qmail-scanner-queue for the emails from LAN or loopback (127.).

I wouldn't, better I could not would that. Insert

127.:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/qmail-queue
129.168.1.:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/qmail-queue

to your 'tcp.smtp' file that is merged with 'open-smtp' (the 127. should already be there, so simply modify it). Ain't that hard, isn't it?

> Mine patch works only with open-smtp connections, not at all.

What are most of your connections? foreigners from out there and open-smtp users? And don't you want exactly their mails to be run through qmail-scanner? So create a few rules for the exceptions (connections from 127. and LAN) and hit the rest by an 'export QMAILQUEUE' DEFAULT.

> Why is better the qmail-smtpd/run change?

Then I patch vpopmail as little as necessary to achieve something I can do without patching. Simply because it is easily preserved across vpopmail updates, while the other one requires repatching every time a new vpopmail is released (and requires the original author to adjust the patch maybe every time a new version is released).

-- 
Best regards
Peter Palmreuther

This message is already too long - no tagline pleasack!
[vchkpw] Re: About open-smtp, tcp.smtp and qmail-scanner
Hello Andrea,

On Monday, February 2, 2004 at 9:37:53 PM you wrote (at least in part):

> Now my tcp.smtp:
>
> # No Qmail-Scanner at all for mail from 127.0.0.1
> 127.0.0.1:allow,RELAYCLIENT=,RBLSMTPD=,QMAILQUEUE=/var/qmail/bin/qmail-queue

Correct.

> # Use Qmail-Scanner without SpamAssassin on any mail from the LAN
> 192.168.:allow,RELAYCLIENT=,RBLSMTPD=,TCPREMOTEIP=Protected, \
>   QMAILQUEUE=/var/qmail/bin/qmail-queue

No. This line sends mail coming in over a connection from 192.168.X directly to qmail-queue, without invoking qmail-scanner.

> # Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
> :allow,QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl
>
> Well, how could I use qmail-scanner-queue with emails from pop-before-smtp users?

As mentioned in mid:[EMAIL PROTECTED] and mid:[EMAIL PROTECTED]: make QMAILQUEUE=/path/to/qmail-scanner-queue.pl an exported variable from the smtpd run script (and spare the ':allow,QMAILQUEUE=...' line, it's superfluous, at least the QMAILQUEUE=... part).

-- 
Best regards
Peter Palmreuther

The end move in politics is always to pick up a gun. - Buckminster Fuller
[vchkpw] Re: Problem with qmail-scanner
Hello Trey,

On Tuesday, February 3, 2004 at 7:06:33 PM you wrote (at least in part):

>> An easier solution should be to add the following to your qmail-smtpd/run file:
>>
>> export QMAIL_QUEUE=/var/qmail/bin/qmail-scanner-queue
>>
>> And then restart qmail-smtpd.
>
> While this is easier, it doesn't allow you to realize the full functionality of qmail-scanner.

Why not? A 'QMAILQUEUE' set to 'qmail-scanner' will invoke it. Regardless if it was set by the surrounding environment or tcpserver.

> By passing the variables with tcpserver, you can configure qmail-scanner not to check any messages that come from localhost, for instance.

This can be done by a '127.:allow,QMAILQUEUE=.../qmail-queue,...' rule in the .cdb file. That way all messages from localhost are not inspected by qmail-scanner. But what's your problem with this? We also don't check anything coming from our local LAN for spam (only for viruses) and check everything else for both. So the mentioned solution would be the "as little to configure as possible" one. Set 'qmail-scanner' for all connections and define exceptions (localhost, LAN) separately. What's your problem with this?

> You can't do that with the method above.

You can. And before you try to argue qmail-scanner will not scan for anything when only RELAYCLIENT is set by a .cdb file rule: it WILL parse the message through the virus scanner! Setting 'RELAYCLIENT' only prevents qmail-scanner from passing the message through spamassassin! Please inspect the qmail-scanner sources if you don't trust me.

-- 
Best regards
Peter Palmreuther

File not found, I'll load something *I* think is interesting.
[vchkpw] Re: About open-smtp, tcp.smtp and qmail-scanner
Hello Andrea,

On Monday, February 2, 2004 at 10:34:16 AM you wrote (at least in part):

> The email above is a worm. That is, my qmail-scanner in tcp.smtp hasn't checked the email, probably because there's nothing that says the tcp.smtp rules have precedence instead of open-smtp.

Because this kind of rule CANNOT exist. 'tcp.smtp' and 'open-smtp' are merged into /ONE/ file. 'tcpserver' chooses /the most appropriate/ entry when it looks up this .cdb file. So your 'rest of the world' rule will never apply to anybody who got added with a concrete IP by POP3-b4-SMTP.

> # Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
> :allow,DENYMAIL=DNSCHECK,QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl

Spare these two lines in tcp.smtp. Export 'DENYMAIL' and 'QMAILQUEUE' with the above mentioned values in your smtpd startup script. They'll then be applied to all connections automatically and only not take effect if overwritten by a rule in the .cdb file.

A problem could be your 'DENYMAIL' rule. I don't know what it is good for, but as vpopmail-roaming does not insert an empty 'DENYMAIL' all connections will feel its consequences. Exception: you modify vpopmail to insert a 'DENYMAIL=' additionally to the already inserted 'RELAYCLIENT='.

P.S.: Before anybody cries qmail-scanner will not check on RELAYCLIENT enabled connections then: IT WILL!. It only returns immediately from 'sub spamassassin' if RELAYCLIENT is set, it does NOT refrain from running AV-tests. Please have a look at the sources yourself before next time repeating such a wrong statement THAT often. Thank you.

-- 
Best regards
Peter Palmreuther

Monday is an awful way to spend one-seventh of your life.
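The point Peter makes across the qmail-scanner posts above (the tcp.smtp rule for LAN, the ':allow,QMAILQUEUE=...' default, the POP-before-SMTP entries and the underscore typo) comes down to how tcpserver selects one cdb entry and how that entry is layered over the run script's environment. The following is an added illustration for this thread, not code from ucspi-tcp, vpopmail or qmail-scanner: it models tcpserver's documented IP matching order (exact address, then shorter prefixes ending in a dot, then the empty default rule), merges the chosen entry over the exported environment, and reports what qmail-scanner would do, following the thread's statement that the scanner always runs the virus check and skips spamassassin only when RELAYCLIENT is present. The rule texts, the roaming address 10.20.30.40 and the MISSPELLINGS table are constructed for the example; hostname rules, quoting corner cases and backslash continuation lines are not modelled.

```python
"""Simplified model of how tcpserver picks one rule from the merged
tcp.smtp/open-smtp cdb and what environment qmail-smtpd, and therefore
qmail-scanner, ends up with. Added illustration for this thread; it is not
code from ucspi-tcp, vpopmail or qmail-scanner. Address matching follows
tcpserver's documented order (exact IP, then shorter prefixes ending in a
dot, then the empty default rule); hostname rules, quoting corner cases and
backslash continuation lines are left out."""

SCANNER = "/var/qmail/bin/qmail-scanner-queue.pl"
PLAIN_QUEUE = "/var/qmail/bin/qmail-queue"

# Layout discussed in the thread (reconstructed): the scanner is selected by
# the default rule inside tcp.smtp and the run script exports nothing.
TCP_SMTP_DEFAULT_IN_CDB = """
127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
"""

# Recommended layout: tcp.smtp only lists the exceptions; the scanner is the
# default because the qmail-smtpd run script exports QMAILQUEUE.
TCP_SMTP_EXCEPTIONS_ONLY = """
127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
192.168.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow
"""
RUN_SCRIPT_ENV = {"QMAILQUEUE": SCANNER}

# Entry that POP-before-SMTP adds to the merged cdb for a roaming user
# (constructed address).
OPEN_SMTP = '10.20.30.40:allow,RELAYCLIENT=""\n'

# Variable names the thread saw misspelled; qmail-smtpd ignores unknown names.
MISSPELLINGS = {"QMAIL_QUEUE": "QMAILQUEUE"}


def parse_rules(text):
    """Parse 'address:decision,VAR=value,...' lines into
    {address: (decision, {VAR: value})}. Comments and blank lines are skipped."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, instruction = line.partition(":")
        parts = instruction.split(",")
        env = {}
        for assignment in parts[1:]:
            var, _, value = assignment.partition("=")
            env[var] = value.strip('"')      # VAR="" and VAR= both mean "set, but empty"
        rules[addr] = (parts[0], env)
    return rules


def lookup(rules, ip):
    """Return (matched_address, (decision, env)) the way tcpserver selects it:
    the most specific matching entry wins, so an exact IP written by
    open-smtp beats every prefix rule and the default rule."""
    octets = ip.split(".")
    prefixes = [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)]
    for key in [ip] + prefixes + [""]:
        if key in rules:
            return key, rules[key]
    return None, ("deny", {})


def connection_outcome(rules_text, run_env, ip):
    """Environment qmail-smtpd sees for one connection and what qmail-scanner
    does with it: the scanner always runs the virus check and skips
    spamassassin only when RELAYCLIENT is present (with any value)."""
    key, (decision, rule_env) = lookup(parse_rules(rules_text), ip)
    if decision != "allow":
        return {"rule": key, "decision": decision}
    env = dict(run_env)        # exported by the run script ...
    env.update(rule_env)       # ... overridden by the matching cdb entry
    queue = env.get("QMAILQUEUE", PLAIN_QUEUE)
    return {
        "rule": key,
        "decision": decision,
        "queue": queue,
        "antivirus": queue == SCANNER,
        "spamassassin": queue == SCANNER and "RELAYCLIENT" not in env,
    }


def check_names(env):
    """Flag misspelled variable names in a run-script or cdb environment."""
    return [(name, MISSPELLINGS[name]) for name in env if name in MISSPELLINGS]


if __name__ == "__main__":
    roaming = "10.20.30.40"
    print("default in cdb:", connection_outcome(TCP_SMTP_DEFAULT_IN_CDB + OPEN_SMTP, {}, roaming))
    print("default in run:", connection_outcome(TCP_SMTP_EXCEPTIONS_ONLY + OPEN_SMTP, RUN_SCRIPT_ENV, roaming))
    print("typo check    :", check_names({"QMAIL_QUEUE": SCANNER}))
```

With the scanner named only in the cdb default rule, the roaming user's exact-IP entry wins the lookup and carries no QMAILQUEUE, so the message goes straight to qmail-queue unscanned. With QMAILQUEUE exported from the run script, that same connection is scanned for viruses, spamassassin is skipped because RELAYCLIENT is set, and the 127. and 192.168. entries still override the default.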
[vchkpw] Re: Qmail-pop3d (with or without ssl) and open-smtp
Hello Andrea,

On Friday, January 16, 2004 at 11:30:31 PM you wrote (at least in part):

> Why doesn't qmail-pop3d via ssl open the relay?

Reading your dumps and having a look in the vpopmail sources I get the impression when you're in SSL mode the environment variable TCPREMOTEIP seems not to be set. I don't know which vpopmail version you're actually using, so I don't know if there are other versions when vpopmail does neither read nor write open-smtp, but this could be /one/ reason.

Please execute this on a command line:

,- [ ]
| #!/bin/sh
| CAFILE=/usr/local/ssl/certs/pop3s.cert
| CERTFILE=/usr/local/ssl/certs/pop3s.cert
| KEYFILE=/usr/local/ssl/certs/pop3s.key
| DHFILE=/usr/local/ssl/certs/dh1024.pem
| export CAFILE CERTFILE KEYFILE DHFILE
| exec /usr/local/bin/softlimit -m 380 \
|   /usr/local/bin/sslserver -v -R -H -l 0 0 996 \
|   echo IP: $TCPREMOTEIP 2>&1
`-

And on a different terminal use 'openssl s_client ...' to connect to port 996. I'd expect the output 'IP: ' and nothing else ...

-- 
Best regards
Peter Palmreuther

Other than that, Mrs. Lincoln, how was the play?