[vchkpw] security issue

2010-12-22 Thread ckubu
Hi,

Mailsetup: qmail + vpopmail 5.5.27 + dovecot

Over the years, we didn't store cleartext versions of passwords. Some time ago, 
we wanted to change that setup and since that time, we used vpopmail compiled 
without option --disable-clear-passwd, but now with 
option --enable-learn-passwords. Step by step, we wanted to get user's 
passwords (we discussed that issue here on the list about 2 years ago). The 
reason was, we wanted to change our mailsetup (postfix+dovecot). But that did 
not work, that means the cleartext version of the password wasn't stored.

Everything else was working fine and so I didn't change anything. This was a big 
mistake, because since that time, all vpopmail mailboxes could be accessed 
with an empty password string, at least if the clients were using cram or 
digest authentication.

I know about the misconfigured vpopmail, but I think this behavior isn't as 
expected. In the documentation of the option --disable-clear-passwd it is 
explained that this option causes vpopmail to store cleartext versions of 
passwords in _addition_ to their encrypted versions, and so I think the 
described behavior is at least a security leak.

regards
Christoph




[vchkpw] non plaintext authentication methods

2009-05-10 Thread ckubu
hi,

I'm running qmail+vpopmail+dovecot on a FreeBSD stable system and all worked 
fine, almost all. I'm not able to get non-plaintext authentication methods 
working on qmail's pop3 service (APOP), and on dovecot's imap service 
(CRAM-MD5).

Maybe this is an OS issue and this question isn't in the right place here, in 
this case sorry about that.

my versions:
(net)qmail with tls-smtp-auth patch
vpopmail 5.4.27
dovecot 1.1.14

i have tried older versions of vpopmail and dovecot, but with the same result: 
non-plaintext authentication methods don't work.

what did i do wrong? can anybody help me?

regards christoph







Re: [vchkpw] non plaintext authentication methods

2009-05-10 Thread ckubu
hi,

 [..] I'm not able to bring non-plaintext 
 authentication methods working on qmails pop3 service (APOP), and on
 dovecots imap service (CRAM-MD5).

 The only reason I can think of that CRAM-MD5 doesn't work with pop or
 imap is that clear text passwords are disabled.

 To use CRAM-MD5, you need a clear text password stored locally.

 Did you perhaps compile vpopmail with the --disable-clear-passwd flag ?

yes, i did. i tried it without this flag and it was easy to point out that you 
are right. thank you. 

so i think there is no possibility to get non-plaintext authentication 
methods working afterwards, i mean for existing mailboxes, is there?

regards christoph
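
The reply quoted above says CRAM-MD5 needs a locally stored cleartext password, and the 2010 post at the top of this page reports empty-password logins when that cleartext was never stored. The sketch below is an added example, not code from vpopmail, dovecot or any post here; it shows why an unchecked empty cleartext field produces that result and a fail-closed check beside it. The eight-field vpasswd layout, the sample records and the challenge string are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample records. Assumed layout of a vpopmail vpasswd line:
# name:hash:uid:gid:gecos:dir:quota:clear_passwd
SAMPLE_VPASSWD = """\
alice:$1$abcdefgh$0123456789abcdefghijkl:1:0:Alice:/home/vpopmail/domains/example.org/alice:NOQUOTA:s3cret
bob:$1$ijklmnop$mnopqrstuvwxyz0123456.:1:0:Bob:/home/vpopmail/domains/example.org/bob:NOQUOTA:
"""

def cram_md5_digest(secret: str, challenge: bytes) -> str:
    """Digest a CRAM-MD5 client sends: hex(HMAC-MD5(key=password, msg=challenge))."""
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()

def verify_naive(stored_clear: str, challenge: bytes, digest: str) -> bool:
    # Keys the HMAC with whatever the cleartext field holds, even "".
    expected = cram_md5_digest(stored_clear, challenge)
    return hmac.compare_digest(expected, digest)

def verify_hardened(stored_clear: str, challenge: bytes, digest: str) -> bool:
    # Without a stored cleartext the response cannot be checked: fail closed.
    if not stored_clear:
        return False
    return verify_naive(stored_clear, challenge, digest)

def accounts_without_cleartext(vpasswd_text: str) -> list:
    """Audit helper: account names whose cleartext field is missing or empty."""
    flagged = []
    for line in vpasswd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 8 or fields[7] == "":
            flagged.append(fields[0])
    return flagged

if __name__ == "__main__":
    challenge = b"<1896.697170952@mail.example.org>"  # constructed challenge
    digest = cram_md5_digest("", challenge)  # response built from an empty password
    print("naive accepts empty password:", verify_naive("", challenge, digest))
    print("hardened accepts empty password:", verify_hardened("", challenge, digest))
    print("accounts to fix:", accounts_without_cleartext(SAMPLE_VPASSWD))
```
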





Re: [vchkpw] how can I see all error messages about pop3 service ?

2009-02-06 Thread ckubu
hallo

 [..] We have Dovecot running under daemontools.

some time ago, i tried to run dovecot under daemontools, but i failed ( most 
likely because of my poor knowledge ). can you give me your run script or 
tell me if there is something special to take into account ?

sorry for my bad english
- christoph






Re: [vchkpw] Re: Double bounce message

2008-01-25 Thread ckubu
hi,

  Can any body tell how to configure to delete the double bounce
  messages in qmail. Thanks.

create a file named qmail-home/control/doublebounceto with content:
   dev-null

then create a file named alias-home/.qmail-dev-null with content:
   | cat > /dev/null

ready

best wishes
christoph






Re: [vchkpw] smtp after pop

2007-11-11 Thread ckubu
Hi

  I have vpopmail running with smtp-after-pop functionality
  (--enable-roaming-users). the pop-daemon is from qmail. this works fine
  for normal (unsecure) connection via port 110. but this doesn't work if
  connecting via stunnel on port 995. I know, that's correct, because
  stunnel is connecting to qmail's pop3 daemon from ip 127.0.0.1.
 
  Is there any setup known, that results in writing users ip-address to
  open-smtp file so that smtp-after-pop works even if connected via
  stunnel ?

 As STunnel proxies the connection, it probably looks like a connection
 on 127.0.0.1 to the SMTP server.

 You might want to look at using ucspi-ssl
 (http://www.superscript.com/ucspi-ssl/intro.html) which is an
 SSL-enabled version of tcpserver.

Thanks for that tip. It works fine.

for your interest. compiling ucspi-ssl with default conf-* files, my run 
script (on openbsd4.1 system) looks as follows

#!/bin/sh
# TLS material, read by sslserver from the environment
CAFILE=/var/qmail/control/pop3d.pem
CERTFILE=/var/qmail/control/pop3d.pem
KEYFILE=/var/qmail/control/pop3d.pem
DHFILE=/var/qmail/control/dh1024.pem
export CAFILE CERTFILE KEYFILE DHFILE

MAX_CON=60
VPOPMAILUID=`id -u vpopmail`
VPOPMAILGID=`id -g vpopmail`
LOCAL=`head -1 /var/qmail/control/me`
LISTEN_IP=123.123.123.123

# sslserver terminates TLS itself, so TCPREMOTEIP is the real client address
# (not 127.0.0.1 as with stunnel) when vchkpw updates the open-smtp file
exec  /usr/local/bin/softlimit -m 500 \
  sslserver -e -v -HR -l $LOCAL \
  -c $MAX_CON \
  -u$VPOPMAILUID -g$VPOPMAILGID $LISTEN_IP 995 \
  /var/qmail/bin/qmail-popup `hostname` \
  /home/vpopmail/bin/vchkpw \
  /var/qmail/bin/qmail-pop3d Maildir 2>&1

cu Christoph




Re: [vchkpw] relay server

2007-11-09 Thread ckubu
hi,

 Hi I wanted to setup a scanning relay server.. I explain I'm using
 vpopmail 5.4.13 and qmail-1.03 with john simpson 7 combined patch I add
 the domains with ./vadddomain domain.com and later add an smtproutes line
 (in this control file) as domain.com:mail.domain.com but the mail always
 is treated as local...


 should the /var/qmail/users/assign file be changed for this purpose? for
 having users locally for smtp auth purposes and users to use this
 machine as relay, but the mail incoming for these domains to be delivered as
 the smtproutes line says?

your domain is assigned as local, because you added it with ./vadddomain 
domain.com. make a ./vdeldomain domain.com.

take care, there is no entry in qmail-dir/control/virtualdomains and also 
none in qmail-dir/control/users/cdb which is the database-file for 
assign-file

for your domain, saying domain.com, only entries in 
qmail-dir/control/rcpthosts like
   domain.com
and in file qmail-dir/control/smtproutes, like
   domain.com:mail.domain.com
are needed

cu
christoph





[vchkpw] smtp after pop

2007-11-09 Thread ckubu
Hi,

I have vpopmail running with smtp-after-pop functionality 
(--enable-roaming-users). the pop-daemon is from qmail. this works fine for 
normal (unsecure) connection via port 110. but this doesn't work if 
connecting via stunnel on port 995. I know, that's correct, because stunnel 
is connecting to qmail's pop3 daemon from ip 127.0.0.1. 

Is there any setup known, that results in writing users ip-address to 
open-smtp file so that smtp-after-pop works even if connected via stunnel ?

best wishes
christoph




Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi,

 - courier-imap (4.1.2) with authentication via courier-authdaemon
  (0.59.1) against vpopmail's vchkpw

 Sam has released courier-authlib-0.60.1. You may want to try that.

I tried this, but with exactly the same results. no module for authentication 
against vpopmail's vchkpw was built.


Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi len

  [..]
 
  *** Warning: linker path does not have real file for library -lvpopmail.
  *** I have the capability to make that library automatically link in when
  *** you link to this library.  But I can only do this if you have a
  *** shared version of the library, which you do not appear to have
  *** because I did check the linker path looking for a file starting
  *** with libvpopmail and none of the candidates passed a file format test
  *** using a regex pattern. Last file checked:
  /home/vpopmail/lib/libvpopmail.a
 
  *** Warning: libtool could not satisfy all declared inter-library
  *** dependencies of module libauthvchkpw.  Therefore, libtool will create
  *** a static module, that should work as long as the dlopening
  *** application is linked with the -dlopen flag.
  ..
  --- snip ---

 I ran into a problem very similar to this building authdaemon against
 vpopmail-5.20 under NetBSD-3.1-i386.  After a lot of twists and turns
 I modified the vpopmail source to build libvpopmail as a shared lib as
 well as static.  I am not especially talented with automake, autoconf
 and libtool, in fact I had never modified a build to create shared
 libs.  I found an excellent resource on how to do this at:

 http://sourceware.org/autobook/autobook/autobook_toc.html

 I successfully built libvpopmail.so, and placed it in a location where my
 build of courier-authdaemon would link against it.  The build was
 successful, and authdaemon is working flawlessly using the authvchkpw
 module.  It was a good learning experience; glad I know how to do this
 if I find myself in this situation again.  HTH

ok, it's not doing - for me - in a short time. i read this howto the last few 
hours and really: i learned. but - until now - i was not able to build 
libvpopmail.so . so i will try it later when i have more time. thank you

- Christoph


Re: [vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-12 Thread ckubu
hi,

  [..]
 
  until now, qmail in conjunction with vpopmail works fine. the problem
  appears when building the courier-authdaemon. the module for
  authentication against vchkpw is not built. i miss some file like
  libauthvchkpw.so
  the gmake output looks like:

 Perhaps consider Dovecot in place of courier, current courier authlib
 needs patching for some OS's,  Sam has known about this since May, but
 has not done a thing about it, we got sick of it breaking and use
 Dovecot which works beautifully with Vpopmail
 You could even use Dovecot to handle your POP3 if you wanted to.

thanks for that tip. i installed dovecot and it seems to work ( i tried it 
with one imap and imap-ssl connection). it's not my first solution, but good 
to know, that i can fall back in this server environment.


[vchkpw] vpopmail+courier-authdaemon problem on openbsd4.1

2007-10-11 Thread ckubu
hi,

if this isn't the right place for questions or help with such a problem, please 
ignore and sorry. and also sorry for my bad english.

I would like to run a mailserver on my openbsd 4.1 system. the services should be:
   - qmail (netqmail 1.0.5)
   - vpopmail (5.4.18)
   - courier-imap (4.1.2) with authentication via courier-authdaemon (0.59.1)
 against vpopmail's vchkpw
   - webmailer

system stuff:
   os.: i386 openbsd 4.1
   cpu: amd 64 (pc-style)

until now, qmail in conjunction with vpopmail works fine. the problem appears 
when building the courier-authdaemon. the module for authentication against 
vchkpw is not built. i miss some file like libauthvchkpw.so
the gmake output looks like:

--- snip ---
...
Compiling authvchkpw.c
authvchkpw.c: In function `auth_vchkpw_changepass':
authvchkpw.c:186: warning: passing arg 1 of `parse_email' discards qualifiers 
from pointer target type
Compiling authvchkpwlib.c
Compiling preauthvchkpw.c
preauthvchkpw.c: In function `auth_vchkpw_pre':
preauthvchkpw.c:67: warning: passing arg 1 of `parse_email' discards 
qualifiers from pointer target type
preauthvchkpw.c:141: warning: passing arg 3 of `vset_lastauth' discards 
qualifiers from pointer target type
Linking libauthvchkpw.la

*** Warning: linker path does not have real file for library -lvpopmail.
*** I have the capability to make that library automatically link in when
*** you link to this library.  But I can only do this if you have a
*** shared version of the library, which you do not appear to have
*** because I did check the linker path looking for a file starting
*** with libvpopmail and none of the candidates passed a file format test
*** using a regex pattern. Last file checked: /home/vpopmail/lib/libvpopmail.a

*** Warning: libtool could not satisfy all declared inter-library
*** dependencies of module libauthvchkpw.  Therefore, libtool will create
*** a static module, that should work as long as the dlopening
*** application is linked with the -dlopen flag.
..
--- snip ---

after finish the authdaemon installation and start it, the log file looks like

--- snip ---
...
Oct 11 19:33:03 luna authdaemond: Installing libauthcustom
Oct 11 19:33:03 luna authdaemond: Installation complete: authcustom
Oct 11 19:33:03 luna authdaemond: Installing libauthvchkpw
Oct 11 19:33:03 luna authdaemond: File not found
...
--- snip ---

authdaemon was configured with:
   ./configure \
  --prefix=/usr/local/courier-authlib-0.59.1 \
  --with-authvchkpw \
  --with-mailuser=vpopmail \
  --with-mailgroup=vchkpw
vpopmail configure was:
   ./configure \
  --enable-roaming-users \
  --enable-tcpserver-file=/home/vpopmail/etc/tcp.smtp \
  --enable-tcprules-prog=/usr/local/bin/tcprules \
  --enable-relay-clear-minutes=60 \
  --enable-learn-passwords \
  --enable-qmail-ext \
  --enable-logging=v \
  --enable-log-name=vpopmail

I'm not very firm with compiler/linker stuff, so i need help. can and would 
anyone here on this list help me ? it would be very great.

Until now, i tried different versions of vpopmail and courier's authdaemon and 
combinations of them. i also installed the mailserver services on an x86_64 
openbsd 4.1 with exactly the same results.

I also tried to configure vpopmail with --enable-shared option - knowing that 
this flag isn't listed by configure --help -, in order to get a shared 
version of libvpopmail, but this doesn't work. I thought, this could also 
solve my problem.

best wishes
christoph