Re: [vchkpw] SMTP_VRFY supported?
Quoting Joshua Megerman [EMAIL PROTECTED]:

> I don't have it enabled, and I have no problems running qmail-smtpd as vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw). Which TLS patch set are you using?

I am using the Gentoo ebuild and I have read all the negative information regarding the state of the ebuild, but as I am new to Gentoo and qmail I thought it would be a good route for me. As such, I'm not too sure how to answer the TLS patch question.

I do believe I've run my issue down to a permissions problem. When I run qmail-smtpd as the vpopmail user group chkuser works but TLS does not. The opposite happens when it is run as the qmail user. I have edited /etc/group and added qmaild to the vpopmail group and vpopmail to the qmaild group (qmail-smtpd was set to run as ${QMAILDUID} by default) but that did not fix the problem.

The issue I'm experiencing is compounded by the fact that I'm running qmail-smtpd with chkuser on port 2525 so as not to affect users on the standard port. I have been thus far unable to make logging of the second service work, so I can't tell what file(s) are being permission restricted.

If anyone has any suggestions as to what file permissions I could check out, I'm all ears.

Thanks again for all your help Josh.

Matt
Re: [vchkpw] SMTP_VRFY supported?
Matt Kane wrote:

> Quoting Joshua Megerman [EMAIL PROTECTED]:
>
> > I don't have it enabled, and I have no problems running qmail-smtpd as vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw). Which TLS patch set are you using?
>
> I am using the Gentoo ebuild and I have read all the negative information regarding the state of the ebuild, but as I am new to Gentoo and qmail I thought it would be a good route for me. As such, I'm not too sure how to answer the TLS patch question.
>
> I do believe I've run my issue down to a permissions problem. When I run qmail-smtpd as the vpopmail user group chkuser works but TLS does not. The opposite happens when it is run as the qmail user. I have edited /etc/group and added qmaild to the vpopmail group and vpopmail to the qmaild group (qmail-smtpd was set to run as ${QMAILDUID} by default) but that did not fix the problem.
>
> The issue I'm experiencing is compounded by the fact that I'm running qmail-smtpd with chkuser on port 2525 so as not to affect users on the standard port. I have been thus far unable to make logging of the second service work, so I can't tell what file(s) are being permission restricted.

If you're running default-setup in Gentoo: mkdir /service/$YOURSERVICENAME/log and create a file /service/$YOURSERVICENAME/log/run with the following contents:

--- SNIP ---
#!/bin/sh
# Gentoo Startup script for qmail's SMTP daemon (logging)
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/run-qmailsmtpdlog,v 1.1 2003/11/30 11:32:06 robbat2 Exp $

SERVICE=smtp
# Start multilog as user qmaill only if the config was sourced successfully
source /var/qmail/bin/qmail-config-system && \
exec /usr/bin/setuidgid qmaill /usr/bin/multilog \
    ${LOG_OPTS} ${LOG_DEST}2
--- SNAP ---

Make it executable (chmod +x) and you'll have your log in /var/log/qmail/qmail-smtpd2/current

> If anyone has any suggestions as to what file permissions I could check out, I'm all ears. Thanks again for all your help Josh.

Maybe try chmod g+s /var/vpopmail/bin/vchkpw

> Matt

--
Jens Ott
Head of Operations
intergenia Webhosting AG
http://www.intergenia.de
Re: [vchkpw] SMTP_VRFY supported?
Jens, Josh,

Thanks a ton for all your help. I pieced together everything and was able to make tls chkuser happy by doing the following:

- running qmail-smtp as the vpopmail user
- changing ownership of /var/qmail/control/servercert.pem to qmaild.vpopmail (440)
- compiled chkuser2 patch without the uid/gid switching

My logging issues were due to not having generated the cdb files in /etc/tcprules.d (tcp.qmail-smtp.cdb); once I created these files the logging started working right away. Looks like everything else was simply a permissions problem.

This was a lot harder to figure out without logging. Once I got logging working correctly the problem made itself obvious.

Thanks again for all your help.

Matt
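The fix reported above came down to which uid and gid can read servercert.pem. As an added example (not code from the thread), this Python check applies the owner/group/other rule along a path and returns the first component that blocks a non-root process; the numeric ids, the sample tree and the "before" mode are constructed, and ACLs are ignored.

```python
import os
from types import SimpleNamespace

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """rwx bits (0-7) that apply to a non-root process: the first matching
    class wins (owner, then group, then other)."""
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_denied(path, uid, gids, stat_fn=os.stat):
    """Return the first path component that blocks reading `path`, or None.
    Directories on the way need x (search); the last component needs r."""
    parts = [p for p in os.path.abspath(path).split("/") if p]
    chain = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    for i, p in enumerate(chain):
        st = stat_fn(p)
        need = 4 if i == len(chain) - 1 else 1
        if not class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids) & need:
            return p
    return None

# Constructed sample data: the numeric ids are made up for the demonstration.
QMAILD, VPOPMAIL = 201, 89        # uids
G_QMAIL, G_VPOPMAIL = 201, 89     # gids
CERT = "/var/qmail/control/servercert.pem"

def fake_stat(cert_mode, cert_gid):
    """Stand-in for os.stat over a small constructed tree."""
    tree = {p: (0o755, 0, 0)
            for p in ("/", "/var", "/var/qmail", "/var/qmail/control")}
    tree[CERT] = (cert_mode, QMAILD, cert_gid)
    def stat_fn(p):
        mode, uid, gid = tree[p]
        return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)
    return stat_fn

def demo():
    before = fake_stat(0o400, G_QMAIL)     # assumed starting state, not from the thread
    after = fake_stat(0o440, G_VPOPMAIL)   # qmaild.vpopmail (440), as reported
    return {
        "vpopmail_before": first_denied(CERT, VPOPMAIL, {G_VPOPMAIL}, before),
        "vpopmail_after": first_denied(CERT, VPOPMAIL, {G_VPOPMAIL}, after),
        "qmaild_after": first_denied(CERT, QMAILD, {G_QMAIL}, after),
    }

if __name__ == "__main__":
    print(demo())
```

On a live host, call `first_denied(path, uid, gids)` with the default `os.stat`, passing the uid and the set of gids the daemon actually runs with (for tcpserver, the ones given with -u and -g).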
[vchkpw] SMTP_VRFY supported?
Hello,

I'm trying to use a mail filter appliance with a qmail/vpopmail (gentoo) install and am running into an issue with the filter generating excessive email accounts due to the way qmail handles invalid email addresses. I'm familiar with the chkuser 2 patch and have tried it with little success. I am using TLS on my system and the chkuser patch works exactly one time then begins rejecting even valid addresses.

The vendor that makes the filter suggested using SMTP_VRFY but I'm unable to find a way to implement this in qmail/vpopmail. Can anyone here point me in the right direction?

Thanks,
Matt Kane
[EMAIL PROTECTED]
Re: [vchkpw] SMTP_VRFY supported?
> Hello, I'm trying to use a mail filter appliance with a qmail/vpopmail (gentoo) install and am running into an issue with the filter generating excessive email accounts due to the way qmail handles invalid email addresses. I'm familiar with the chkuser 2 patch and have tried it with little success. I am using TLS on my system and the chkuser patch works exactly one time then begins rejecting even valid addresses. The vendor that makes the filter suggested using SMTP_VRFY but I'm unable to find a way to implement this in qmail/vpopmail. Can anyone here point me in the right direction?

Sounds like there's something funky going on with the chkuser patch for you - do you have the same problem when not using TLS? I'm not a chkuser expert, but have you double-checked your chkuser settings?

Qmail implements SMTP_VRFY, but it doesn't actually do anything. DJB (rightly, IMHO) decided that it didn't make sense to let people constantly hammer your system with VRFY commands to determine who was or wasn't a valid user, and so (per the RFC) qmail's VRFY implementation responds with a message that indicates a non-answer (252 send some mail, i'll try my best) and doesn't actually indicate whether the address is valid or not. Chkuser can result in giving the same information, as it will reject non-valid users, but this at least forces spammers to try to send mail, and get rejections (and possibly dropped altogether) rather than just scanning a qmail SMTP server...

Josh

--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
- Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
Re: [vchkpw] SMTP_VRFY supported?
> Quoting Joshua Megerman [EMAIL PROTECTED]:
>
> > Sounds like there's something funky going on with the chkuser patch for you - do you have the same problem when not using TLS? I'm not a chkuser expert, but have you double-checked your chkuser settings?
>
> The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID. From what I've read on the Interazioni site this option will cause issues with TLS. I enabled this because qmail-smtpd was unable to run vchkpw without it enabled. I assume this is because of users/group permission but even with the qmail vpopmail user in the same group vchkpw didn't run.

I don't have it enabled, and I have no problems running qmail-smtpd as vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw). Which TLS patch set are you using?

> > Qmail implements SMTP_VRFY, but it doesn't actually do anything. DJB (rightly, IMHO) decided that it didn't make sense to let people constantly hammer your system with VRFY commands to determine who was or wasn't a valid user, and so (per the RFC) qmail's VRFY implementation responds with a message that indicates a non-answer (252 send some mail, i'll try my best) and doesn't actually indicate whether the address is valid or not. Chkuser can result in giving the same information, as it will reject non-valid users, but this at least forces spammers to try to send mail, and get rejections (and possibly dropped altogether) rather than just scanning a qmail SMTP server...
>
> This makes sense but doesn't chkuser essentially do the same thing SMTP_VRFY would do?

Yes and no. The VRFY command is outside of sending mail - a rogue client could connect to the SMTP server, and after issuing a HELO/EHLO greeting, just run repeated VRFY commands to see if a user is valid or not. Chkuser operates in the RCPT phase of the conversation, so a client has to start with a MAIL FROM command, which can be checked, and then each RCPT command can either be accepted or rejected - and chkuser can also be configured to reject ALL users after a certain number of invalid ones, preventing spam to real users if fake ones are also sent. It's a fine line, but it can make a difference.

Josh
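The difference between a VRFY non-answer and RCPT-phase checking with an invalid-recipient limit, as an added example that is not part of the thread and not qmail or chkuser code: a toy receiver in Python replayed over a constructed session. Only the 252 text comes from the thread; the other reply strings, the addresses and the `wrong_rcpt_limit` name are assumptions.

```python
import re

VRFY_REPLY = "252 send some mail, i'll try my best"  # reply text quoted in the thread

def addr(arg):
    """Pull the address out of 'TO:<user@host>' or a bare VRFY argument."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg).strip().lower()

class Receiver:
    """Toy SMTP receiver modelling only the two behaviours discussed above."""

    def __init__(self, valid_rcpts, wrong_rcpt_limit=2):
        self.valid = {a.lower() for a in valid_rcpts}
        self.limit = wrong_rcpt_limit   # hypothetical knob, not a chkuser setting name
        self.sender = None              # set once MAIL FROM has been seen
        self.wrong = 0                  # invalid recipients so far in this session

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 ok"
        if verb == "VRFY":
            return VRFY_REPLY           # identical for valid and invalid addresses
        if verb == "MAIL":
            self.sender = addr(arg)
            return "250 ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 MAIL first"
            if self.wrong >= self.limit:
                return "550 too many invalid recipients"   # rejects valid ones too
            if addr(arg) not in self.valid:
                self.wrong += 1
                return "550 no mailbox here by that name"
            return "250 ok"
        return "502 unimplemented"

# Constructed session: addresses and host names are sample values.
SESSION = ["EHLO client.example", "VRFY matt@example.com", "VRFY nobody@example.com",
           "MAIL FROM:<sender@example.net>", "RCPT TO:<matt@example.com>",
           "RCPT TO:<aaa@example.com>", "RCPT TO:<bbb@example.com>",
           "RCPT TO:<matt@example.com>"]

def replay(lines, valid=("matt@example.com",)):
    rx = Receiver(valid)
    return [(line, rx.handle(line)) for line in lines]

if __name__ == "__main__":
    for sent, reply in replay(SESSION):
        print(f"C: {sent}\nS: {reply}")
```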