[vchkpw] Re: smtp-auth problem

2005-07-08 Thread Peter Palmreuther
Hello Jeremy,

On Friday, July 8, 2005 at 2:33:44 AM Jeremy wrote:
 On Thursday 07 July 2005 02:31 am, Peter Palmreuther wrote:
 On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:
 Please post the output of
 
 /var/qmail/bin/qmail-showctl
 
  rcpthosts: (Default.) SMTP clients may send messages to any recipient.

 *THIS* is your problem: you don't have any domain in 'rcpthosts' and
 therefore your qmail-smtpd feels responsible for *all* domains = your
 installation is an open relay.

 while this certainly is the problem, it's not as you describe.

 if rcpthosts exists, but is empty, clients must have RELAYCLIENT to send
 messages.

My fault. I should have written as "you don't have the file rcpthosts"
instead of "don't have any domain in". But the point was qmail-showctl
saying "clients may send messages to any recipient" and to make
something to change this ;-)
-- 
Best regards
Peter Palmreuther

Ansi-Artists do it creatively...



[vchkpw] Re: smtp-auth problem

2005-07-07 Thread Peter Palmreuther
Hello List,

On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:

Please post the output of

/var/qmail/bin/qmail-showctl

 rcpthosts: (Default.) SMTP clients may send messages to any recipient.

*THIS* is your problem: you don't have any domain in 'rcpthosts' and
therefore your qmail-smtpd feels responsible for *all* domains = your
installation is an open relay.

Put

,-
| linux.koneg.de
| koneg.de
| gs-altneudorf.de
`-

into 'rcpthosts', this will make your installation accept only mail to
one of these domains, unless RELAYCLIENT is set (which is done if you
SMTP-AUTH). Additionally follow Jeremy's advice to delete these domains
from 'locals' and insert them formatted correctly into
'virtualdomains' to make vpopmail handle them again.
-- 
Best regards
Peter Palmreuther

Your true value depends entirely on what you are compared with.



AW: [vchkpw] Re: smtp-auth problem

2005-07-07 Thread patrick_gehm

Hello List,

On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:

Please post the output of

/var/qmail/bin/qmail-showctl

 rcpthosts: (Default.) SMTP clients may send messages to any recipient.

*THIS* is your problem: you don't have any domain in 'rcpthosts' and
therefore your qmail-smtpd feels responsible for *all* domains = your
installation is an open relay.


Yepp...! That's what I figured out yesterday night... All the time I thought, 
for any reason, that smtp-auth controls every incoming mail and blocks every 
mail without a vpopmail account, while rcpthosts must be open... but it 
actually lets vpopmail-users send mail to remote clients, while the sending 
possibility is actually blocked by the rcpthosts-file... I feel quite ashamed 
for having the solution so obviously in front of me without seeing it... But 
thanx to all of you... Now everything works fine! (Receiving email didn't work 
because I had the domains in my locals-file)
Regards
Patrick Gehm





Put

,-
| linux.koneg.de
| koneg.de
| gs-altneudorf.de
`-

into 'rcpthosts', this will make your installation accept only mail to
one of these domains, unless RELAYCLIENT is set (which is done if you
SMTP-AUTH). Additionally follow Jeremy's advice to delete these domains
from 'locals' and insert them formatted correctly into
'virtualdomains' to make vpopmail handle them again.
-- 
Best regards
Peter Palmreuther

Your true value depends entirely on what you are compared with.



Re: [vchkpw] Re: smtp-auth problem

2005-07-07 Thread Jeremy Kitchen
On Thursday 07 July 2005 02:31 am, Peter Palmreuther wrote:
 Hello List,

 On Wednesday, July 6, 2005 at 3:36:39 PM patrick wrote:
 Please post the output of
 
 /var/qmail/bin/qmail-showctl
 
  rcpthosts: (Default.) SMTP clients may send messages to any recipient.

 *THIS* is your problem: you don't have any domain in 'rcpthosts' and
 therefore your qmail-smtpd feels responsible for *all* domains = your
 installation is an open relay.

while this certainly is the problem, it's not as you describe.

if rcpthosts exists, but is empty, clients must have RELAYCLIENT to send 
messages.

If rcpthosts doesn't exist, then you are an open relay.

-Jeremy

-- 
Jeremy Kitchen + kitchen @ #qmail #gentoo on EFnet IRC
kitchen at scriptkitchen dot com
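
An added example, not part of the original thread or of qmail itself: two shell functions that model the rcpthosts/RELAYCLIENT decision described in this message. It goes beyond the message by covering qmail's leading-dot wildcard entries and case-insensitive matching; it ignores morercpthosts.cdb, uses a constructed scratch directory in place of /var/qmail/control, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: models how qmail-smtpd treats RCPT TO depending on rcpthosts.
# Assumptions: morercpthosts.cdb is not consulted; function names are made up.

# relay_state CONTROL_DIR
# Prints: open-relay | relayclient-only | restricted
relay_state() {
    f="$1/rcpthosts"
    if [ ! -e "$f" ]; then
        echo open-relay          # no file at all: every recipient domain is accepted
    elif ! grep -v '^#' "$f" | grep -q '[^[:space:]]'; then
        echo relayclient-only    # file exists but lists no domain
    else
        echo restricted          # only listed domains, unless RELAYCLIENT is set
    fi
}

# rcpt_allowed CONTROL_DIR RCPT_ADDRESS [yes|no]
# Third argument says whether RELAYCLIENT is set for this connection.
# Prints: accept | reject
rcpt_allowed() {
    dir=$1 addr=$2 relayclient=${3:-no}
    [ "$relayclient" = yes ] && { echo accept; return; }
    [ -e "$dir/rcpthosts" ] || { echo accept; return; }
    case $addr in
        *@*) domain=${addr##*@} ;;
        *)   echo accept; return ;;   # addresses without @ are always let through
    esac
    domain=$(printf '%s' "$domain" | tr 'A-Z' 'a-z')
    # Try the full domain first, then each ".suffix" wildcard form:
    # a.b.c -> .b.c -> .c
    candidate=$domain
    while :; do
        if grep -v '^#' "$dir/rcpthosts" | sed 's/[[:space:]]*$//' \
             | tr 'A-Z' 'a-z' | grep -Fqx -- "$candidate"; then
            echo accept; return
        fi
        case $candidate in
            .*) rest=${candidate#.} ;;
            *)  rest=$candidate ;;
        esac
        case $rest in
            *.*) candidate=.${rest#*.} ;;
            *)   break ;;
        esac
    done
    echo reject
}

# Constructed sample: the three domains from this thread in a scratch directory.
demo_dir=$(mktemp -d)
echo "no rcpthosts file:     $(relay_state "$demo_dir")"
: > "$demo_dir/rcpthosts"
echo "empty rcpthosts file:  $(relay_state "$demo_dir")"
printf '%s\n' linux.koneg.de koneg.de gs-altneudorf.de > "$demo_dir/rcpthosts"
echo "populated rcpthosts:   $(relay_state "$demo_dir")"
echo "user@koneg.de, no auth:        $(rcpt_allowed "$demo_dir" user@koneg.de no)"
echo "user@example.net, no auth:     $(rcpt_allowed "$demo_dir" user@example.net no)"
echo "user@example.net, RELAYCLIENT: $(rcpt_allowed "$demo_dir" user@example.net yes)"
rm -rf "$demo_dir"
```
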




AW: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread patrick_gehm
Please post the output of

/var/qmail/bin/qmail-showctl

Still haven't found a solution...
Here's the output of /var/qmail/bin/qmail-showctl:


qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 120.
subdirectory split: 23.
user ids: 60003, 60004, 60005, 0, 60006, 60007, 60008, 60009.
group ids: 60003, 60004.

badmailfrom: (Default.) Any MAIL FROM is allowed.

bouncefrom: (Default.) Bounce user name is MAILER-DAEMON.

bouncehost: (Default.) Bounce host name is linux.koneg.de.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: (Default.) SMTP DATA limit is 0 bytes.

defaultdomain: Default domain name is koneg.de.

defaulthost: (Default.) Default host name is linux.koneg.de.

doublebouncehost: (Default.) 2B recipient host: linux.koneg.de.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is linux.koneg.de.

helohost: (Default.) SMTP client HELO host name is linux.koneg.de.

idhost: (Default.) Message-ID host name is linux.koneg.de.

localiphost: (Default.) Local IP address becomes linux.koneg.de.

locals:
Messages for linux.koneg.de are delivered locally.
Messages for koneg.de are delivered locally.
Messages for gs-altneudorf.de are delivered locally.

me: My name is linux.koneg.de.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is koneg.de.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

rcpthosts: (Default.) SMTP clients may send messages to any recipient.

morercpthosts: (Default.) No rcpthosts; morercpthosts is irrelevant.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 linux.koneg.de.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: (Default.) No virtual domains.

concurrencyincoming: I have no idea what this file does.

defaultdelivery: I have no idea what this file does.






-- 
Best regards
Peter Palmreuther

A boy gets to be a man when a man is needed.



AW: Re: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread patrick_gehm
Hi List,
Fixed the problem with smtp-auth... 
Really a big Thanx to everyone trying to help. 
Right now after several reinstallations another problem came up...
I can't send emails to my server pop-accounts... Of course I copied the 
/var/qmail/users folder to my current running qmail-version, but when sending 
mails to an address I get this error message back:


Hi. This is the qmail-send program at 213.239.219.168.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)

--- Below this line is a copy of the message.

Return-Path:
Received: (qmail 4278 invoked by uid 6); 6 Jul 2005 17:02:40 -
Received: from moutng.kundenserver.de (212.227.126.173)
by 213.239.219.168 with SMTP; 6 Jul 2005 17:02:40 -
Received: from [212.227.126.200] (helo=mrvnet.kundenserver.de)
by moutng.kundenserver.de with esmtp (Exim 3.35 #1)
id 1DqDLC-0006tm-00
for [EMAIL PROTECTED]; Wed, 06 Jul 2005 19:05:42 +0200
Received: from [172.23.4.158] (helo=pustefix158.kundenserver.de)
by mrvnet.kundenserver.de with esmtp (Exim 3.35 #1)
id 1DqDLC-00055V-00
for [EMAIL PROTECTED]; Wed, 06 Jul 2005 19:05:42 +0200
Message-Id:
From: [EMAIL PROTECTED]
To:
Subject: testmail extern
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Binford: 6100 (more power)
X-Mailer: Webmail
X-Originating-From: 6506715
X-Routing: DE
X-Message-Id:
X-Received: from pustefix158.kundenserver.de by 84.172.62.224 with HTTP id 
6506715 for [EMAIL PROTECTED]; Wed, 6 Jul 2005 19:05:42 CEST
Date: Wed, 06 Jul 2005 19:05:42 +0200
X-Provags-ID: kundenserver.de [EMAIL PROTECTED] ident:@172.23.4.158


Hm... seems to be pretty strange because I had everything running before... 
also after I reinstalled qmail once. qmailctl stat shows no problems... no 
supervise errors... Anyone know a solution for that?
Regards
Patrick


RE: Re: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Nick Harring
 Hi List,
 Fixed the problem with smtp-auth...
 Really a big Thanx to everyone trying to help.
 Right now after several reinstallations another problem came up...
 I can't send emails to my server pop-accounts... Of course I copied
the
 /var/qmail/users folder to my current running qmail-version, but when
 sending mails to an address I get this error message back:
 
 
 Hi. This is the qmail-send program at 213.239.219.168.
 I'm afraid I wasn't able to deliver your message to the following
 addresses.
 This is a permanent error; I've given up. Sorry it didn't work out.
 
 :
 Sorry. Although I'm listed as a best-preference MX or A for that host,
 it isn't in my control/locals file, so I don't treat it as local.
(#5.4.6)
Have you verified the content of /var/qmail/control/locals? This message
is pretty clear about that being the cause. 
 Hm... seems to be pretty strange because I had everything running
 before... also after I reinstalled qmail once. qmailctl stat shows no
 problems... no supervise errors... Anyone know a solution for that?
 Regards
 Patrick
Reinstalling qmail and moving stuff around like you did may have caused
locals to not contain what you think it contains.

Hope that helps,
Nick Harring
System Administrator
Parus Interactive


AW: RE: Re: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread patrick_gehm
Reinstalling qmail and moving stuff around like you did may have caused
locals to not contain what you think it contains.

Hope that helps,

hm... no... one more hint please?
I already did this, I guess... and it worked. I also installed a new user over 
Visas... can't send mails to that either...


Nick Harring
System Administrator
Parus Interactive


Re: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Tom Collins

On Jul 6, 2005, at 10:37 AM, Nick Harring wrote:

Hi. This is the qmail-send program at 213.239.219.168.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
Sorry. Although I'm listed as a best-preference MX or A for that host,
it isn't in my control/locals file, so I don't treat it as local.



If it's a local domain (users in /etc/passwd), it should appear in 
/var/qmail/control/locals.


If it's a vpopmail domain, it should appear in 
/var/qmail/control/virtualdomains.


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com




RE: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Nick Harring
 On Jul 6, 2005, at 10:37 AM, Nick Harring wrote:
  Hi. This is the qmail-send program at 213.239.219.168.
  I'm afraid I wasn't able to deliver your message to the following
  addresses.
  This is a permanent error; I've given up. Sorry it didn't work out.
 
  :
  Sorry. Although I'm listed as a best-preference MX or A for that
host,
  it isn't in my control/locals file, so I don't treat it as local.
 
 
 If it's a local domain (users in /etc/passwd), it should appear in
 /var/qmail/control/locals.
 
 If it's a vpopmail domain, it should appear in
 /var/qmail/control/virtualdomains.
 
 --
 Tom Collins  -  [EMAIL PROTECTED]
 QmailAdmin: http://qmailadmin.sf.net/  Vpopmail:
http://vpopmail.sf.net/
 You don't need a laptop to troubleshoot high-speed Internet:
 sniffter.com
For whatever reason vadddomain puts it in locals, rcpthosts and
virtualdomains. 

Nick


AW: RE: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread patrick_gehm
I rechecked virtualdomains, locals and rcpthosts... every domain is there... 
but still the same error message...
any settings in vpopmail I need to take care of? Any settings in /etc/passwd 
that could be wrong? Defaultdelivery should be ./Maildir/ right? Anything in 
the run script for qmail-send maybe?
This is becoming more and more an eternal battle between me and qmail...
Thanx for your help so far!
Regards
Patrick





 On Jul 6, 2005, at 10:37 AM, Nick Harring wrote:
  Hi. This is the qmail-send program at 213.239.219.168.
  I'm afraid I wasn't able to deliver your message to the following
  addresses.
  This is a permanent error; I've given up. Sorry it didn't work out.
 
  :
  Sorry. Although I'm listed as a best-preference MX or A for that
host,
  it isn't in my control/locals file, so I don't treat it as local.
 
 
 If it's a local domain (users in /etc/passwd), it should appear in
 /var/qmail/control/locals.
 
 If it's a vpopmail domain, it should appear in
 /var/qmail/control/virtualdomains.
 
 --
 Tom Collins  -  [EMAIL PROTECTED]
 QmailAdmin: http://qmailadmin.sf.net/  Vpopmail:
http://vpopmail.sf.net/
 You don't need a laptop to troubleshoot high-speed Internet:
 sniffter.com
For whatever reason vadddomain puts it in locals, rcpthosts and
virtualdomains. 

Nick


Re: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Jeremy Kitchen
On Wednesday 06 July 2005 03:22 pm, Nick Harring wrote:
  If it's a local domain (users in /etc/passwd), it should appear in
  /var/qmail/control/locals.
 
  If it's a vpopmail domain, it should appear in
  /var/qmail/control/virtualdomains.

 For whatever reason vadddomain puts it in locals, rcpthosts and
 virtualdomains.

negative.

vadddomain puts the domain in rcpthosts, virtualdomains, and sets up a 
pseudo-user in users/assign.

-Jeremy

-- 
Jeremy Kitchen + kitchen @ #qmail #gentoo on EFnet IRC
kitchen at scriptkitchen dot com




Re: AW: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Jeremy Kitchen
On Wednesday 06 July 2005 08:36 am, [EMAIL PROTECTED] wrote:
 Please post the output of
 
 /var/qmail/bin/qmail-showctl

 Still haven't found a solution...
 Here's the output of /var/qmail/bin/qmail-showctl:


 locals:
 Messages for linux.koneg.de are delivered locally.
 Messages for koneg.de are delivered locally.
 Messages for gs-altneudorf.de are delivered locally.

 virtualdomains: (Default.) No virtual domains.

there are no virtualdomains, therefore, none of these domains are being 
handled by vpopmail.

if they are supposed to be handled by vpopmail, then remove the domains from 
the locals file, put them in the virtualdomains file like so:
example.com:example.com
example.org:example.org
example.net:example.net

and send qmail-send a HUP signal.

If they are not to be handled by vpopmail, please re-post your question, along 
with qmail-showctl output, to the qmail mailing list.

-Jeremy

-- 
Jeremy Kitchen + kitchen @ #qmail #gentoo on EFnet IRC
kitchen at scriptkitchen dot com
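
An added example, not part of the original thread or of qmail/vpopmail: a shell check that applies the advice in this message to a control directory, reporting each domain meant for vpopmail that is still in locals, has no virtualdomains entry, or is missing from an existing rcpthosts. The function names are hypothetical, the domain list is supplied by the operator, rcpthosts wildcard entries are not evaluated, and the sample directory is constructed.

```sh
#!/bin/sh
# Added example: consistency check for domains that vpopmail should handle.
# Assumption: CONTROL_DIR has the layout of /var/qmail/control.

# entries FILE: non-comment, non-blank lines, lower-cased; nothing if FILE is absent
entries() {
    [ -f "$1" ] || return 0
    grep -v '^#' "$1" | sed 's/[[:space:]]*$//' | grep . | tr 'A-Z' 'a-z'
}

# audit_vpopmail_domains CONTROL_DIR DOMAIN...
# Prints one "domain: finding" line per problem, nothing when all is consistent.
audit_vpopmail_domains() {
    dir=$1; shift
    for d in "$@"; do
        d=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        if entries "$dir/locals" | grep -Fqx -- "$d"; then
            echo "$d: listed in locals (delivered to system users, not vpopmail)"
        fi
        # virtualdomains lines have the form domain:prepend
        if ! entries "$dir/virtualdomains" | cut -d: -f1 | grep -Fqx -- "$d"; then
            echo "$d: no entry in virtualdomains"
        fi
        if [ -e "$dir/rcpthosts" ] \
           && ! entries "$dir/rcpthosts" | grep -Fqx -- "$d"; then
            echo "$d: missing from rcpthosts (SMTP rejects it unless RELAYCLIENT is set)"
        fi
    done
}

# Constructed sample reproducing the qmail-showctl output quoted in this thread:
# all three domains in locals, no virtualdomains file.
demo=$(mktemp -d)
doms="linux.koneg.de koneg.de gs-altneudorf.de"
printf '%s\n' $doms > "$demo/locals"
echo "before:"
audit_vpopmail_domains "$demo" $doms

# Layout after the changes suggested in the thread.
: > "$demo/locals"
printf '%s\n' $doms > "$demo/rcpthosts"
for x in $doms; do echo "$x:$x"; done > "$demo/virtualdomains"
echo "after (no findings expected):"
audit_vpopmail_domains "$demo" $doms
rm -rf "$demo"
```
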




RE: [vchkpw] Re: smtp-auth problem

2005-07-06 Thread Nick Harring
 On Wednesday 06 July 2005 03:22 pm, Nick Harring wrote:
   If it's a local domain (users in /etc/passwd), it should appear in
   /var/qmail/control/locals.
  
   If it's a vpopmail domain, it should appear in
   /var/qmail/control/virtualdomains.
 
  For whatever reason vadddomain puts it in locals, rcpthosts and
  virtualdomains.
 
 negative.
 
 vadddomain puts the domain in rcpthosts, virtualdomains, and sets up a
 pseudo-user in users/assign.
 
 -Jeremy
 
Oops, I misread the strace output. When I went back to the source it in
fact removes the domain from locals if it exists.
My bad!

Nick


[vchkpw] Re: smtp-auth problem

2005-07-05 Thread Peter Palmreuther
Hello List,

On Monday, July 4, 2005 at 11:47:36 PM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,

Which SMTP-AUTH-patch?

 I'm using /home/vpopmail/bin/vchkpw in my ~/qmail-smtpd/run-script...

Please post complete run script because parameter order matters.

 While using Outlook Express to send emails over my server
 everything works like it should work when I select Server uses
 authentification (server denies to send mail with wrong password),
 but if I DON'T select Server uses auth.. my server just sends
 everything via smtp...

Might you have still compiled roaming users relay control into your
vpopmail? Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

 How comes checkpassword in that?

What?

 I haven't installed this cmd5check...something-tool... Do I need to?

What 'cmd5check...something-tool'?
I can't remember any 'cmd5check...something-tool' regarding to
vpopmail.
-- 
Best regards
Peter Palmreuther

I belong to no organized party - I am a democrat.



AW: [vchkpw] Re: smtp-auth problem

2005-07-05 Thread patrick_gehm

Hello List,

On Monday, July 4, 2005 at 11:47:36 PM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,

Which SMTP-AUTH-patch?

I'm using Version 0.31


 I'm using /home/vpopmail/bin/vchkpw in my ~/qmail-smtpd/run-script...

Please post complete run script because parameter order matters.

My script:
#!/bin/sh

# uid/gid for qmail-smtpd, connection limit and local host name
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -n 1 /var/qmail/control/me`

# refuse to start if any of the values could not be determined
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ];
then
echo QMAILDUID, NOFILESGID, MAXSMTPD oder LOCAL ist nicht gesetzt in
echo /var/qmail/supervise/qmail-smtpd/run
exit 1
fi

# qmail-smtpd arguments: host name, password checker, subprogram
exec /usr/local/bin/softlimit -m 400 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd \
koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1


 While using Outlook Express to send emails over my server
 everything works like it should work when I select Server uses
 authentification (server denies to send mail with wrong password),
 but if I DON'T select Server uses auth.. my server just sends
 everything via smtp...

Might you have still compiled roaming users relay control into your
vpopmail? 

How can I check that?

Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

I don't think so... I restarted Outlook Express with wrong Password-Settings 
for POP3, and tried to send mail without getting the pop-box before... it still 
works without auth.


 How comes checkpassword in that?

What?

 I haven't installed this cmd5check...something-tool... Do I need to?

What 'cmd5check...something-tool'?
I can't remember any 'cmd5check...something-tool' regarding to
vpopmail.

I read in several manuals that they use cmd5checkpw or the checkpassword-tool 
with smtp-auth. But as far as I understood vchkpw should do the job... but 
maybe not? Is there anyway to solve this problem in vpopmail? 

With hopefull regards
Patrick Gehm


-- 
Best regards
Peter Palmreuther

I belong to no organized party - I am a democrat.



[vchkpw] Re: smtp-auth problem

2005-07-05 Thread Peter Palmreuther
Hello List,

On Tuesday, July 5, 2005 at 8:50:01 AM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,
Which SMTP-AUTH-patch?
 I'm using Version 0.31

From which source exactly? What's the complete download URL you used
to get this patch?

 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c 
 $MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd \
 koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1

Looks fine.

Might you have still compiled roaming users relay control into your
vpopmail? 

 How can I check that?

You should know which parameters you used to compile vpopmail. You
should have seen a summary of used parameters when you
'./configure'-ed vpopmail.

 Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

 I don't think so... I restarted Outlook Express with wrong
 Password-Settings for POP3, and tried to send mail without getting
 the pop-box before... it still works without auth.

What's the output of

strings /etc/tcp.smtp.cdb

??? Is your clients IP enumerated there?

 I read in several manuals that they use cmd5checkpw or the
 checkpassword-tool with smtp-auth. But as far as I understood vchkpw
 should do the job...

Correct. *You* use 'vchkpw' as password checking tool, because you
want to check against vpopmail handled user pool. Forget about the
other tools, unless you want to authenticate against a different data
base than vpopmail's.
-- 
Best regards
Peter Palmreuther

Blessed are they that run around in circles,  for they shall be known
as wheels.



AW: [vchkpw] Re: smtp-auth problem

2005-07-05 Thread patrick_gehm

Hello List,

On Tuesday, July 5, 2005 at 8:50:01 AM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,
Which SMTP-AUTH-patch?
 I'm using Version 0.31

From which source exactly? What's the complete download URL you used
to get this patch?

http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.31.tar.gz

 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c 
$MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd \
 koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1

Looks fine.

Might you have still compiled roaming users relay control into your
vpopmail? 

 How can I check that?

You should know which parameters you used to compile vpopmail. You
should have seen a summary of used parameters when you
'./configure'-ed vpopmail.


Well, I did not compile vpopmail by myself. It was pre-installed on my 
root-server (Suse Linux 9.2). Any way to find out and maybe change now?

 Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

 I don't think so... I restarted Outlook Express with wrong
 Password-Settings for POP3, and tried to send mail without getting
 the pop-box before... it still works without auth.

What's the output of

strings /etc/tcp.smtp.cdb

nothing

??? Is your clients IP enumerated there?


no.. and I don't know why it should be... My client doesn't have a fixed 
external IP either. Besides that I know that other hosts can send over my 
server 'cause I can see spammails in my queue from time to time, last week I 
had about 33000 of them in my queue... That was exactly the point of time when 
I started to check that smtp-authentification...

 I read in several manuals that they use cmd5checkpw or the
 checkpassword-tool with smtp-auth. But as far as I understood vchkpw
 should do the job...

Correct. *You* use 'vchkpw' as password checking tool, because you
want to check against vpopmail handled user pool. Forget about the
other tools, unless you want to authenticate against a different data
base than vpopmail's.
Right, but isn't there also a way to use one of these tools, because I also got 
a vpopmail-user in my System? But actually I would be more happy to use just 
vchkpw...

Regards
Patrick Gehm

-- 
Best regards
Peter Palmreuther

Blessed are they that run around in circles,  for they shall be known
as wheels.



[vchkpw] Re: smtp-auth problem

2005-07-05 Thread patrick_gehm
Hello List again,
How do I need to chmod /home/vpopmail/bin/vchkpw to use it the right way with 
qmail smtp-auth-patched? Any other vpopmail-things I need to take care of in 
this case? Is there a way to tell smtp to control every incoming mail with the 
vchkpw? How does tcp.smtp.cdb need to look like and how do I do it?
I'm getting more and more desperate on this thing...
Hoping for help
nice regards
Patrick Gehm






Hello List,

On Tuesday, July 5, 2005 at 8:50:01 AM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,
Which SMTP-AUTH-patch?
 I'm using Version 0.31

From which source exactly? What's the complete download URL you used
to get this patch?

http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.31.tar.gz

 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c 
$MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd \
 koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1

Looks fine.

Might you have still compiled roaming users relay control into your
vpopmail? 

 How can I check that?

You should know which parameters you used to compile vpopmail. You
should have seen a summary of used parameters when you
'./configure'-ed vpopmail.


Well, I did not compile vpopmail by myself. It was pre-installed on my 
root-server (Suse Linux 9.2). Any way to find out and maybe change now?

 Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

 I don't think so... I restarted Outlook Express with wrong
 Password-Settings for POP3, and tried to send mail without getting
 the pop-box before... it still works without auth.

What's the output of

strings /etc/tcp.smtp.cdb

nothing

??? Is your clients IP enumerated there?


no.. and I don't know why it should be... My client doesn't have a fixed 
external IP either. Besides that I know that other hosts can send over my 
server 'cause I can see spammails in my queue from time to time, last week I 
had about 33000 of them in my queue... That was exactly the point of time when 
I started to check that smtp-authentification...

 I read in several manuals that they use cmd5checkpw or the
 checkpassword-tool with smtp-auth. But as far as I understood vchkpw
 should do the job...

Correct. *You* use 'vchkpw' as password checking tool, because you
want to check against vpopmail handled user pool. Forget about the
other tools, unless you want to authenticate against a different data
base than vpopmail's.
Right, but isn't there also a way to use one of these tools, because I also 
got a vpopmail-user in my System? But actually I would be more happy to use 
just vchkpw...

Regards
Patrick Gehm

-- 
Best regards
Peter Palmreuther

Blessed are they that run around in circles,  for they shall be known
as wheels.



Re: [vchkpw] Re: smtp-auth problem

2005-07-05 Thread Erwin Hoffmann
Hi Patrick, 

pls. read:

http://www.fehcom.de/qmail/smtpauth.html

regards.
--eh.

At 19:18 05.07.2005 +0200, you wrote:
Hello List again,
How do I need to chmod /home/vpopmail/bin/vchkpw to use it the right way
with qmail smtp-auth-patched? Any other vpopmail-things I need to take care
of in this case? Is there a way to tell smtp to control every incoming mail
with the vchkpw? How does tcp.smtp.cdb need to look like and how do I do it?
I'm getting more and more desperate on this thing...
Hoping for help
nice regards
Patrick Gehm






Hello List,

On Tuesday, July 5, 2005 at 8:50:01 AM patrick wrote:

 I'm using qmail and vpopmail and just patched up with smtp-auth,
Which SMTP-AUTH-patch?
 I'm using Version 0.31

From which source exactly? What's the complete download URL you used
to get this patch?

http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.31.tar.gz

 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c 
$MAXSMTPD \
 -u $QMAILDUID -g $NOFILESGID 0 smtp /var/qmail/bin/qmail-smtpd \
 koneg.de /home/vpopmail/bin/vchkpw /bin/true 2>&1

Looks fine.

Might you have still compiled roaming users relay control into your
vpopmail? 

 How can I check that?

You should know which parameters you used to compile vpopmail. You
should have seen a summary of used parameters when you
'./configure'-ed vpopmail.


Well, I did not compile vpopmail by myself. It was pre-installed on my 
root-server (Suse Linux 9.2). Any way to find out and maybe change now?

 Might your Outlook Express have POP3-authenticated while you
were testing SMTP-AUTH and your IP therefore still be allowed to
relay?

 I don't think so... I restarted Outlook Express with wrong
 Password-Settings for POP3, and tried to send mail without getting
 the pop-box before... it still works without auth.

What's the output of

strings /etc/tcp.smtp.cdb

nothing

??? Is your clients IP enumerated there?


no.. and I don't know why it should be... My client doesn't have a fixed 
external IP either. Besides that I know that other hosts can send over my 
server 'cause I can see spammails in my queue from time to time, last
week I 
had about 33000 of them in my queue... That was exactly the point of time
when 
I started to check that smtp-authentification...

 I read in several manuals that they use cmd5checkpw or the
 checkpassword-tool with smtp-auth. But as far as I understood vchkpw
 should do the job...

Correct. *You* use 'vchkpw' as password checking tool, because you
want to check against vpopmail handled user pool. Forget about the
other tools, unless you want to authenticate against a different data
base than vpopmail's.
Right, but isn't there also a way to use one of these tools, because I also 
got a vpopmail-user in my System? But actually I would be more happy to use 
just vchkpw...

Regards
Patrick Gehm

-- 
Best regards
Peter Palmreuther

Blessed are they that run around in circles,  for they shall be known
as wheels.





Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24


[vchkpw] Re: smtp-auth problem

2005-07-05 Thread Peter Palmreuther
On Tuesday, July 5, 2005 at 10:35:30 AM patrick wrote:

From which source exactly? What's the complete download URL you used
to get this patch?

 http://members.elysium.pl/brush/qmail-smtpd-auth/dist/qmail-smtpd-auth-0.31.tar.gz

OK, then parameters should be OK.

 Well, I did not compile vpopmail by myself. It was pre-installed
 on my root-server (Suse Linux 9.2). Any way to find out and maybe
 change now?

Change? No. Not without recompiling.
But as you said your clients IP ain't listed it can't be the reason
for you being allowed to relay without authenticating.

 Besides that I know that other hosts can send over my server 'cause
 I can see spammails in my queue from time to time, last week I had
 about 33000 of them in my queue... That was exactly the point of
 time when I started to check that smtp-authentification...

Well, that looks in fact like an open relay.

Please post the output of

/var/qmail/bin/qmail-showctl
-- 
Best regards
Peter Palmreuther

A boy gets to be a man when a man is needed.



[vchkpw] Re: smtp auth - md5 learn pass

2005-06-19 Thread Peter Palmreuther
Hello Casey,

On Sunday, June 19, 2005 at 12:22:05 AM Casey wrote:

 On Saturday 18 June 2005 10:13, Peter Palmreuther wrote:
 How did you log in? SMTP-AUTH using CRAM-MD5?

 PLAIN with IMAP (dovecot).

And dovecot is configured to explicitly use 'vchkpw' and 'vchkpw' is
for sure the version from 'compile with --enable-clear-password'
build?

I'm asking because I used the 'silent convert' myself already several
times and 'fetched' plain text passwords this way to be inserted into
'vpasswd'. Though I haven't used it recently with a current version
(latest I tested with is 5.4.5), but I can't imagine why it should be
broken, as I don't see any index somebody changed something in this
functionality.

You might try this:

- Edit 'vpasswd' to remove clear password
- run 'vmkpasswd $DOMAIN'
- run
 printf [EMAIL PROTECTED] |vchkpw /usr/bin/env 3<&0
- check if environment was printed (should be with correct password
  presented)
- check 'vpasswd' and 'vpasswd.cdb'. If clear text password is present
  in both now for modified account, dovecot uses something different
  than 'vchkpw' you just used. If not: double and triple check if
  'vchkpw' is the same as in build directory; if so: compile without
  any '-O' and with '-g2' option and debug vchkpw e.g. using gdb.
-- 
Best regards
Peter Palmreuther

Dew knot trussed yore spell checquer two fined awl mistakes.



Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-19 Thread Casey Allen Shobe
On Sunday 19 June 2005 13:53, Peter Palmreuther wrote:
 And dovecot is configured to explicitly use 'vchkpw' and 'vchkpw'
 is for sure the version from 'compile with
 --enable-clear-password' build?

Yes, there is only one vchkpw on the system.  If it's not using the 
correct vchkpw then it's reading the vpasswd files directly.

  printf [EMAIL PROTECTED] |vchkpw /usr/bin/env
 3<&0 - check if environment was printed (should be with correct
 password presented)
 - check 'vpasswd' and 'vpasswd.cdb'.

That works, but that's not useful since none of the client logins 
(pop3 or imap) update the password file.  SMTP logins *do*, but 
they are considerably more rare...

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM  Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com


Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-19 Thread Casey Allen Shobe
On Sunday 19 June 2005 19:52, Casey Allen Shobe wrote:
 That works, but that's not useful since none of the client logins
 (pop3 or imap) update the password file.  SMTP logins *do*, but
 they are considerably more rare...

And many accounts exist for POP3 polling only, and the end user only 
uses one account to SMTP auth with for any address he sends from.

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM  Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com


[vchkpw] Re: smtp auth - md5 learn pass

2005-06-19 Thread Peter Palmreuther
Hello Casey,

On Sunday, June 19, 2005 at 9:52:55 PM Casey wrote:

  printf [EMAIL PROTECTED] |vchkpw /usr/bin/env
 3<&0 - check if environment was printed (should be with correct
 password presented)
 - check 'vpasswd' and 'vpasswd.cdb'.

 That works [...]

If *THAT* works your dovecot must use something else but this 'vchkpw'
you used, or use non-plain authentication (I don't know dovecot, so I
don't know about its capabilities), because else it does nothing
different than printing username-password string to file descriptor 3
of vchkpw and vchkpw then updates vpasswd.
-- 
Best regards
Peter Palmreuther

A woman is like a dresser ... some man always goin' through her
drawers.
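
The test discussed in these messages, handing the login data to a checkpassword-compatible program on file descriptor 3, can be scripted as below. This is an added example, not part of the original posts and not vpopmail's code: the stub checker, the account and the password are constructed stand-ins, and the NUL-separated layout and exit codes follow the checkpassword interface.

```python
import subprocess
import sys
import time

# Constructed stand-in for a checkpassword-compatible program (assumption: this
# is NOT vchkpw). It reads at most 512 bytes from fd 3, checks one hard-coded
# account, and on success runs the subprogram named in its arguments.
STUB_SOURCE = r'''
import os, sys
data = b""
while len(data) < 512:
    chunk = os.read(3, 512 - len(data))
    if not chunk:
        break
    data += chunk
fields = data.split(b"\0")
if len(fields) < 3 or len(sys.argv) < 2:
    sys.exit(2)                      # misuse: malformed input or no subprogram
if (fields[0], fields[1]) != (b"user@example.test", b"s3cret"):
    sys.exit(1)                      # password unacceptable
os.execvp(sys.argv[1], sys.argv[1:]) # accepted: become the subprogram
'''
STUB_CHECKER = [sys.executable, "-c", STUB_SOURCE]
# Plays the role of "/bin/sh -c 'echo Yes'" or /usr/bin/env in the thread.
SUBPROGRAM = [sys.executable, "-c", "print('Yes')"]


def build_payload(user, password, timestamp=None):
    """Return login NUL password NUL timestamp NUL, as read from fd 3."""
    if timestamp is None:
        timestamp = str(int(time.time()))
    parts = [user, password, timestamp]
    if any("\0" in p for p in parts):
        raise ValueError("fields must not contain NUL")
    payload = b"".join(p.encode("utf-8") + b"\0" for p in parts)
    if len(payload) > 512:
        raise ValueError("checkpassword input is limited to 512 bytes")
    return payload


def run_checkpassword(checker, subprogram, user, password):
    """Run `checker subprogram...` with the payload on fd 3.

    The payload is written to the child's stdin and /bin/sh duplicates stdin
    onto fd 3 ("3<&0"), the same redirection used on the command line in the
    thread. The password never appears in argv, so it is not visible in ps.
    Returns (exit_code, stdout_text).
    """
    proc = subprocess.run(
        ["/bin/sh", "-c", 'exec "$@" 3<&0', "sh"] + list(checker) + list(subprogram),
        input=build_payload(user, password),
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        timeout=10,
    )
    return proc.returncode, proc.stdout.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for pw in ("s3cret", "wrong"):
        code, out = run_checkpassword(STUB_CHECKER, SUBPROGRAM, "user@example.test", pw)
        print("password=%r exit=%d output=%r" % (pw, code, out.strip()))
```

Replacing STUB_CHECKER with the path of the installed vchkpw and SUBPROGRAM with ["/usr/bin/env"] gives the same test against the real binary; compare 'vpasswd' before and after the run.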



Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-19 Thread Tom Collins

On Jun 19, 2005, at 12:55 PM, Casey Allen Shobe wrote:

On Sunday 19 June 2005 19:52, Casey Allen Shobe wrote:

That works, but that's not useful since none of the client logins
(pop3 or imap) update the password file.  SMTP logins *do*, but
they are considerably more rare...


And many accounts exist for POP3 polling only, and the end user only
uses one account to SMTP auth with for any address he sends from.


Does dovecot link directly to libvpopmail?  If so, did you recompile 
dovecot after enabling learn passwords and cleartext passwords in 
vpopmail?  If not, it's still linked to the old vpopmail code.


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com




[vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Peter Palmreuther
Hello Casey,

On Saturday, June 18, 2005 at 10:35:58 AM Casey wrote:

 AFAIR it does exactly what you said.

 Nope, doesn't seem to.  I rebuilt vpopmail with it enabled, edited 
 out the cleartext portions of a vpasswd file, and logged in a bunch 
 of times as that user.  No updates to vpasswd. :(

How did you log in? SMTP-AUTH using CRAM-MD5? If so the clear text
password can't be added to vpasswd, because the clear text password
didn't make it to the server. You'll need to authenticate using a
plain text method, like LOGIN or PLAIN or POP3 login (not using APOP).

Additionally you should make sure you rebuilt vpasswd.cdb after you
edited vpasswd, because else vchkpw will still see the clear text
password in vpasswd.cdb and therefore see no reason to update
anything. vchkpw does *not* look into vpasswd if everything is OK, it
just updates clear text password in there if it fails to find one in
.cdb file.
-- 
Best regards
Peter Palmreuther

We care a lot about the Garbage Pail Kids, they never lie...



Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Sylwester S. Biernacki

On Saturday, June 18, 2005, 12:13:54 PM, Peter wrote:

 AFAIR it does exactly what you said.

 Nope, doesn't seem to.  I rebuilt vpopmail with it enabled, edited 
 out the cleartext portions of a vpasswd file, and logged in a bunch
 of times as that user.  No updates to vpasswd. :(

 How did you log in? SMTP-AUTH using CRAM-MD5? If so the clear text
 password can't be added to vpasswd, because the clear text password
 didn't make it to the server. You'll need to authenticate using a
 plain text method, like LOGIN or PLAIN or POP3 login (not using APOP).
I've checked in mysql log what happens if I auth via POP3 - vpopmail
makes select from vpopmail where pw_name='x' and pw_domain='x.com'
and the connection is being closed. As far as I understand well I
should get an update to vpopmail pw_clear_passwd field, right ?

 Additionally you should make sure you rebuilt vpasswd.cdb after you
 edited vpasswd, because else vchkpw will still see the clear text
 password in vpasswd.cdb and therefore see no reason to update
 anything. vchkpw does *not* look into vpasswd if everything is OK, it
 just updates clear text password in there if it fails to find one in
 .cdb file.
Casey was talking about mysql not .cdb for user databases.


-- 
regards,
Sylwester Biernacki [EMAIL PROTECTED]




Re[2]: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Sylwester S. Biernacki
On Saturday, June 18, 2005, 4:32:17 PM, Sylwester wrote:

 Casey was talking about mysql not .cdb for user databases.
blah... I've read bad lines:
 Nope, doesn't seem to.  I rebuilt vpopmail with it enabled, edited
 out the cleartext portions of a vpasswd file
sorry for misunderstanding.

-- 
regs,
Sylwester Biernacki [EMAIL PROTECTED]




Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Tom Collins

On Jun 18, 2005, at 7:32 AM, Sylwester S. Biernacki wrote:

I've checked in mysql log what happens if I auth via POP3 - vpopmail
makes select from vpopmail where pw_name='x' and pw_domain='x.com'
and the connection is being closed. As far as I understand well I
should get an update to vpopmail pw_clear_passwd field, right ?


I'm not sure why this isn't happening -- here's the relevant code in 
vchkpw:


#ifdef ENABLE_LEARN_PASSWORDS
#ifdef CLEAR_PASS
  /* User with pw_clear_passwd unset but pw_passwd set
   * should have the pw_clear_passwd field filled in
   */
  if ( vpw->pw_clear_passwd==NULL||vpw->pw_clear_passwd[0]==0) {
    vpw->pw_clear_passwd = ThePass;
    vauth_setpw(vpw, TheDomain);
  }
#endif
#endif

It gets to this code after confirming that the user has a valid 
password.  If you're using Courier for POP logins, then it doesn't call 
vchkpw, and that's why learn passwords isn't working.


If you're using qmail's pop3 server, you could add some debugging to 
vchkpw.c (and recompile and reinstall it) to do some printfs around 
that code to see why it isn't running.


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com




Re[2]: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Sylwester S. Biernacki

On Saturday, June 18, 2005, 7:06:49 PM, Tom wrote:

 If you're using qmail's pop3 server, you could add some debugging to
 vchkpw.c (and recompile and reinstall it) to do some printfs around 
 that code to see why it isn't running.

I love open free software ;P
It's called tchechien debug ;-)

I will check and write everything here tomorrow ;-)

-- 
regards,
Sylwester Biernacki [EMAIL PROTECTED]




Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Casey Allen Shobe
On Saturday 18 June 2005 10:13, Peter Palmreuther wrote:
 How did you log in? SMTP-AUTH using CRAM-MD5?

PLAIN with IMAP (dovecot).

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM  Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com


Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Casey Allen Shobe
On Saturday 18 June 2005 14:32, Sylwester S. Biernacki wrote:
 Casey was talking about mysql not .cdb for user databases.

I certainly was not!  I do not wish to use mysql, though I do want 
to start using postgresql soon.

I will try rm'ing the cdb.

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM  Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com


Re: [vchkpw] Re: smtp auth - md5 learn pass

2005-06-18 Thread Casey Allen Shobe
On Saturday 18 June 2005 10:13, Peter Palmreuther wrote:
 Additionally you should make sure you rebuilt vpasswd.cdb after
 you edited vpasswd, because else vchkpw will still see the clear
 text password in vpasswd.cdb and therefore see no reason to
 update anything. vchkpw does *not* look into vpasswd if
 everything is OK, it just updates clear text password in there if
 it fails to find one in .cdb file.

I rm'd the cdb so that it was rebuilt:  this did not help.

Cheers,
-- 
Casey Allen Shobe | http://casey.shobe.info
[EMAIL PROTECTED] | cell 425-443-4653
AIM  Yahoo:  SomeLinuxGuy | ICQ:  1494523
SeattleServer.com, Inc. | http://www.seattleserver.com


Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-14 Thread Rizwan Iqbal Malik
i've followed the qmailrocks installation method. But i've a problem i
need to port the old mails to this new mail server. the problem is the
old mail server is using mbox format and the newer one is using Maildir.
is there a way to convert these mbox messages to Maildir mails.






On Wed, 2005-01-12 at 07:03, Allie D wrote:
 Actually I did...but then I found the problem. It was the user and group
 of the .pem files. It looks as though when my cron job ran
 update_tmprsadh, the script changes the user and group. That broke it, I
 updated the script to make the user vpopmail.vchkpw and it's all good. I
 tested it from about 5 different clients across 3 OS's and now it takes
 about 5 seconds. MUCH BETTER...thanks for sending me down the right
 path...
 
 Adi Pircalabu said:
  On Mon, 10 Jan 2005 22:52:54 -0800
  Allie D [EMAIL PROTECTED] wrote:
 
  Ok fine...I did exactly as it states and it didn't make a difference.
  It takes from 20 to 40 seconds to send an email...that's horrible. If
  I disable TLS it's immediate. I can see qmail-smtpd just sitting
  there while it's authenticating..the entire time. Should I use
  http://inoa.net/qmail-tls/ instead of Bill Shupp's patch 
 
  Hi, I think your problem is not related to vpopmail. I think you missed
  few steps from Bill Shupp's setup. You should run make tmprsadh from
  qmail source directory and setup a cronjob that updates three files:
  /var/qmail/control/rsa512.pem
  /var/qmail/control/dh512.pem
  /var/qmail/control/dh1024.pem
  If you followed Bill Shupp's tutorial you could insert a cronjob like
  this:
  01 01 * * * /var/qmail/bin/update_tmprsadh
 
  Best regards
 
  --
  Adrian Pircalabu
 
  Public KeyID = 0xF902393A
 
 
  --
  This message was scanned for spam and viruses by BitDefender.
  For more information please visit http://www.bitdefender.com/
 
 
 
 
 



Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-14 Thread Jeremy Kitchen
this question has nothing to do with the message you replied to.  When posting 
to the list to ask a new question you should start a new thread by using your 
MTA's 'new' function.

On Friday 14 January 2005 02:32 am, Rizwan Iqbal Malik wrote:
 i've followed the qmailrocks installation method. But i've a problem i
 need to port the old mails to this new mail server. the problem is the
 old mail server is using mbox format and the newer one is using Maildir.
 is there a way to convert these mbox messages to Maildir mails.

yes, and google will help you find it.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-14 Thread Tom Collins
On Jan 14, 2005, at 12:32 AM, Rizwan Iqbal Malik wrote:
i've followed the qmailrocks installation method. But i've a problem i
need to port the old mails to this new mail server. the problem is the
old mail server is using mbox format and the newer one is using 
Maildir.
is there a way to convert these mbox messages to Maildir mails.
There's a website called Google at google.com.  You can search the 
entire Internet with it.  I just tried it with the phrase 'convert mbox 
to Maildir' and this was the first result:

http://batleth.sapienti-sat.org/projects/mb2md/
It looks like it will do what you want.
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/


Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-11 Thread Adi Pircalabu
On Mon, 10 Jan 2005 22:52:54 -0800
Allie D [EMAIL PROTECTED] wrote:

 Ok fine...I did exactly as it states and it didn't make a difference.
 It takes from 20 to 40 seconds to send an email...that's horrible. If
 I disable TLS it's immediate. I can see qmail-smtpd just sitting
 there while it's authenticating..the entire time. Should I use
 http://inoa.net/qmail-tls/ instead of Bill Shupp's patch 

Hi, I think your problem is not related to vpopmail. I think you missed
few steps from Bill Shupp's setup. You should run make tmprsadh from
qmail source directory and setup a cronjob that updates three files:
/var/qmail/control/rsa512.pem
/var/qmail/control/dh512.pem
/var/qmail/control/dh1024.pem
If you followed Bill Shupp's tutorial you could insert a cronjob like
this:
01 01 * * * /var/qmail/bin/update_tmprsadh

Best regards

-- 
Adrian Pircalabu

Public KeyID = 0xF902393A


-- 
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://www.bitdefender.com/



Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-11 Thread Allie D
Actually I did...but then I found the problem. It was the user and group
of the .pem files. It looks as though when my cron job ran
update_tmprsadh, the script changes the user and group. That broke it, I
updated the script to make the user vpopmail.vchkpw and it's all good. I
tested it from about 5 different clients across 3 OS's and now it takes
about 5 seconds. MUCH BETTER...thanks for sending me down the right
path...

Adi Pircalabu said:
 On Mon, 10 Jan 2005 22:52:54 -0800
 Allie D [EMAIL PROTECTED] wrote:

 Ok fine...I did exactly as it states and it didn't make a difference.
 It takes from 20 to 40 seconds to send an email...that's horrible. If
 I disable TLS it's immediate. I can see qmail-smtpd just sitting
 there while it's authenticating..the entire time. Should I use
 http://inoa.net/qmail-tls/ instead of Bill Shupp's patch 

 Hi, I think your problem is not related to vpopmail. I think you missed
 few steps from Bill Shupp's setup. You should run make tmprsadh from
 qmail source directory and setup a cronjob that updates three files:
 /var/qmail/control/rsa512.pem
 /var/qmail/control/dh512.pem
 /var/qmail/control/dh1024.pem
 If you followed Bill Shupp's tutorial you could insert a cronjob like
 this:
 01 01 * * * /var/qmail/bin/update_tmprsadh

 Best regards

 --
 Adrian Pircalabu

 Public KeyID = 0xF902393A


 --
 This message was scanned for spam and viruses by BitDefender.
 For more information please visit http://www.bitdefender.com/






Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-10 Thread Allie D
Thanks for the direction...but I appear to be following it as is. Stuff of
interest follows from my run file:

exec /usr/local/bin/softlimit -m 400 \
/usr/local/bin/tcpserver -vR -l $LOCAL -c $MAXSMTPD \
-u $VPOPMAILUID -g $VPOPMAILGID 0 smtp \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Any other options ???

Peter Palmreuther said:
 Hello Allie,

 On Monday, January 10, 2005 at 5:43:11 AM Allie wrote:

 I'm running vpopmail-5.4.9, netqmail-1.05, and Bill Shupp's TLS +
 SMTP-AUTH patch. It runs great...but the delay is bordering on
 grueling. No matter what the client is it takes a good 10-20
 seconds to send mail. The server is 2G P4..so it's not the server.
 Is it the patch...or something else ??? Thanks in advance ;)

 http://www.lifewithqmail.org/lwq.html#smtp-slow
 --
 Best regards
 Peter Palmreuther

 Do not follow in the footsteps of men of old; seek what they sought.






Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-10 Thread Rick Widmer

Allie D wrote:
Thanks for the direction...but I appear to be following it as is. Stuff of
interest follows from my run file:
exec /usr/local/bin/softlimit -m 400 \
/usr/local/bin/tcpserver -vR -l $LOCAL -c $MAXSMTPD \
-u $VPOPMAILUID -g $VPOPMAILGID 0 smtp \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
Any other options ???
Did you read the link?  It clearly says to add certain options to 
tcpserver!  Here it is again:

http://www.lifewithqmail.org/lwq.html#smtp-slow
Peter Palmreuther said:
Hello Allie,
On Monday, January 10, 2005 at 5:43:11 AM Allie wrote:

I'm running vpopmail-5.4.9, netqmail-1.05, and Bill Shupp's TLS +
SMTP-AUTH patch. It runs great...but the delay is bordering on
grueling. No matter what the client is it takes a good 10-20
seconds to send mail. The server is 2G P4..so it's not the server.
Is it the patch...or something else ??? Thanks in advance ;)
http://www.lifewithqmail.org/lwq.html#smtp-slow
--
Best regards
Peter Palmreuther
Do not follow in the footsteps of men of old; seek what they sought.






Re: [vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-10 Thread Allie D
Ok fine...I did exactly as it states and it didn't make a difference. It takes 
from 20 to 40 seconds to send an email...that's horrible. If I disable TLS it's 
immediate. I can see qmail-smtpd just sitting there while it's 
authenticating..the entire time. Should I use http://inoa.net/qmail-tls/ 
instead of Bill Shupp's patch 

vpopmail 15967  0.0  0.180   760 ??  I 10:35PM0:00.00 
/var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /usr/bin/tru

How many seconds does it take to send an email for others using this patch ?

Rick Widmer([EMAIL PROTECTED])@Mon, Jan 10, 2005 at 06:45:20PM -0700:
 
 
 Allie D wrote:
 
 Thanks for the direction...but I appear to be following it as is. Stuff of
 interest follows from my run file:
 
 exec /usr/local/bin/softlimit -m 400 \
 /usr/local/bin/tcpserver -vR -l $LOCAL -c $MAXSMTPD \
 -u $VPOPMAILUID -g $VPOPMAILGID 0 smtp \
 /var/qmail/bin/qmail-smtpd \
 /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1
 
 Any other options ???
 
 Did you read the link?  It clearly says to add certain options to 
 tcpserver!  Here it is again:
 
 http://www.lifewithqmail.org/lwq.html#smtp-slow
 
 Peter Palmreuther said:
 
 Hello Allie,
 
 On Monday, January 10, 2005 at 5:43:11 AM Allie wrote:
 
 
 I'm running vpopmail-5.4.9, netqmail-1.05, and Bill Shupp's TLS +
 SMTP-AUTH patch. It runs great...but the delay is bordering on
 grueling. No matter what the client is it takes a good 10-20
 seconds to send mail. The server is 2G P4..so it's not the server.
 Is it the patch...or something else ??? Thanks in advance ;)
 
 http://www.lifewithqmail.org/lwq.html#smtp-slow
 --
 Best regards
 Peter Palmreuther
 
 Do not follow in the footsteps of men of old; seek what they sought.
 
 
 
 
 
 
 

-- 
Drain Fade (A Daneman) '98 ZX9R
http://drainfade.com


[vchkpw] Re: SMTP Auth delay...can it be sped up ????

2005-01-09 Thread Peter Palmreuther
Hello Allie,

On Monday, January 10, 2005 at 5:43:11 AM Allie wrote:

 I'm running vpopmail-5.4.9, netqmail-1.05, and Bill Shupp's TLS +
 SMTP-AUTH patch. It runs great...but the delay is bordering on
 grueling. No matter what the client is it takes a good 10-20
 seconds to send mail. The server is 2G P4..so it's not the server.
 Is it the patch...or something else ??? Thanks in advance ;)

http://www.lifewithqmail.org/lwq.html#smtp-slow
-- 
Best regards
Peter Palmreuther

Do not follow in the footsteps of men of old; seek what they sought.



[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-25 Thread Peter Palmreuther
Hello Blist,

On Monday, May 24, 2004 at 11:16:58 PM you wrote (at least in part):

 10092 write(4, [EMAIL PROTECTED], 27) = 27

However you Base64-encoded your login data, something went wrong.
There's a '\n' that shouldn't be there.

The correct B64-data would be:

Username: YnJvb2tzQGJyb29rc3JveS5jb20=
Password: amo=

Please try again with these data and report in.
-- 
Best regards
Peter Palmreuther

I have been guilty of kicking myself in the teeth...
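
The stray '\n' described above can be checked for mechanically before the values ever reach vchkpw. This is an added example, not part of the original post: the Base64 strings are the ones quoted in this thread, and the function names are hypothetical.

```python
import base64
import binascii

# Copied from the thread: the two values posted as correct, and the two "334"
# challenges that appear in the strace log of the SMTP session.
PAGE_USER_B64 = "YnJvb2tzQGJyb29rc3JveS5jb20="
PAGE_PASS_B64 = "amo="
PAGE_CHALLENGES = ("VXNlcm5hbWU6", "UGFzc3dvcmQ6")


def encode_field(value):
    """Base64-encode one AUTH LOGIN response exactly as given (nothing appended)."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_challenges():
    """Decode the server's 334 prompts to show what each response answers."""
    return [base64.b64decode(c).decode("ascii") for c in PAGE_CHALLENGES]


def audit_field(name, b64_value):
    """Decode one AUTH LOGIN response and list bytes that do not belong in it."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return ["%s: not valid base64 (%s)" % (name, exc)]
    problems = []
    body = raw.rstrip(b"\r\n")
    if body != raw:
        problems.append("%s: trailing line terminator %r" % (name, raw[len(body):]))
    if any(b < 0x20 or b == 0x7F for b in body):
        problems.append("%s: control character inside value" % name)
    if body != body.strip(b" \t"):
        problems.append("%s: leading or trailing whitespace" % name)
    return problems


def simulate_newline_bug(b64_value):
    """Re-encode a value as if a newline-terminated line had been encoded."""
    raw = base64.b64decode(b64_value, validate=True)
    return base64.b64encode(raw + b"\n").decode("ascii")


if __name__ == "__main__":
    print("challenges:", decode_challenges())
    for name, good in (("username", PAGE_USER_B64), ("password", PAGE_PASS_B64)):
        bad = simulate_newline_bug(good)
        print(name, good, "->", audit_field(name, good) or "clean")
        print(name, bad, "->", audit_field(name, bad))
```

A single appended newline changes the encoded text itself (the password becomes "amoK" instead of "amo="), so comparing the encoded strings is enough to spot it.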



Re: [vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-25 Thread blist
Peter Palmreuther wrote:
However you Base64-encoded your login data, something went wrong.
There's a '\n' that shouldn't be there.
The correct B64-data would be:
Username: YnJvb2tzQGJyb29rc3JveS5jb20=
Password: amo=
Please try again with these data and report in.
 

Peter,
After trying with these values I get:
ps1:/tmp # tail -f qmail.log
24162 write(2, tcpserver: status: 0/20\n, 24) = 24
24162 write(2, tcpserver: status: 1/20\n, 24) = 24
24403 write(2, tcpserver: pid 24403 from 192.168.5.50\n, 39) = 39
24403 write(2, tcpserver: ok 24403 0:192.168.5.50:25 
:192.168.5.50::32838\n, 59) = 59
24403 write(1, 220 box.prostream.net ESMTP\r\n, 29) = 29
24403 write(1, 
250-box.prostream.net\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 AUTH 
LOGIN PLAIN CRAM-MD5\r\n, 84) = 84
24403 write(1, 334 VXNlcm5hbWU6\r\n, 18) = 18
24403 write(1, 334 UGFzc3dvcmQ6\r\n, 18) = 18
24403 write(4, [EMAIL PROTECTED], 25) = 25
24597 write(4, \33\0\0\1\215 \0\0\0root\0[_O\\SRHM\0vpopmail, 31) = 31
24597 write(4, \240\0\0\0\3select pw_name, pw_passwd, pw_uid, pw_gid, 
pw_gecos, pw_dir, pw_shell , pw_clear_passwd from vpopmail where pw_name 
= \brooks\ and pw_domain = \brooksroy.com\ , 164) = 164
24597 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
24403 --- SIGCHLD (Child exited) @ 0 (0) ---
24403 write(1, 454 oops, problem with child and I can\'t auth 
(#4.3.0)\r\n, 56) = 56

Also in my /var/log/messages I am seeing:
vchkpw[24597]: segfault at  rip  rsp 
007fb450 error 14

Thanks!


[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-25 Thread Peter Palmreuther
Hello Blist,

On Tuesday, May 25, 2004 at 6:22:11 PM you wrote (at least in part):

 After trying with these values I get:

 24597 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

That's not necessarily easy to debug.

First try this:

 $printf [EMAIL PROTECTED] > /tmp/auth.data
 $setuidgid /usr/local/vpopmail/bin/vchkpw \
   /bin/sh -c 'echo Yes' < /tmp/auth.data 3<&0

And if this does not output 'Yes' please 'strace' it without '-e'
option.

If this segfaults too, one /might/ be able to guess why from the
strace and the last action done. If this is not possible you'd have to
'dbg' vchkpw, to figure what's wrong. Nevertheless 'til now your
original problem was not reproduced. So it seems something is really
going wrong in your installation.
-- 
Best regards
Peter Palmreuther

Clap on!  clap clap Clap off!  clap clap ~2v2h~#bu4bNO CARRIER



Re: [vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-25 Thread Linux-Guru
On Tuesday, 25 May 2004 19:18, Peter Palmreuther wrote:
 Hello Blist,

 On Tuesday, May 25, 2004 at 6:22:11 PM you wrote (at least in part):
  After trying with these values I get:
 
[...]
 If this segfaults too, one /might/ be able to guess why from the
 strace and the last action done. If this is not possible you'd have to
 'dbg' vchkpw, to figure what's wrong. Nevertheless 'til now your
 original problem was not reproduced. So it seems something is really
 going wrong in your installation.
Hi Peter, hi blist, hi all others.

Peter, you are wrong! Same behaviour here. The only difference is, that I use 
Gentoo and not SuSE.
What Erwin and I found out today, is, that we get the same error when using 
checkpassword.
So Jeremy was partly right on IRC when he said it's not vpopmail. If it is 
qmail, which he thought it wouldn't be, too, can't be said right now.
Of course, it is not stock qmail, but IMHO it _could_ be the smtp-auth-patch.

Peter, I'll contact you in reply to your mail which you wrote me off-list.

Greetings

Tobias


[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-24 Thread Peter Palmreuther
Hello Blist,

On Sunday, May 23, 2004 at 9:28:35 PM you wrote (at least in part):

 == /var/log/mail ==
 May 23 15:10:53 ps1 vpopmail[14133]: vchkpw-smtp: invalid user/domain
 characters [EMAIL PROTECTED] :192.168.5.50

Where does the space character after '.com' come from? Seems there's
something wrong with Base64-decoding / handing decoded values over to
vchkpw. I might be wrong, but all logs similar to this found in my
system logs have 'username:IP' instead of 'username :IP'.

I'd say this is a case for strace/truss, to see if qmail already writes
the blank into fd #3 or if vchkpw inserts it, and in the former case
it's a file for 'dbg' or similar (and a '-g2' compiled qmail), to
figure who inserts it. In the latter case one has to 'dbg' vchkpw to
see when this blank appears first.
-- 
Best regards
Peter Palmreuther

I am not part of the problem. I am a Republican. -- Dan Quayle
trivia --



Re: [vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-24 Thread blist




Peter Palmreuther wrote:
Where does the space character after '.com' come from? Seems there's
something wrong with Base64-decoding / handing decoded values over to
vchkpw. I might be wrong, but all logs similar to this found in my
system logs have 'username:IP' instead of 'username :IP'.

I'd say this is a case for strace/truss, to see if qmail already writes
the blank into fd #3 or if vchkpw inserts it, and in the former case
it's a file for 'dbg' or similar (and a '-g2' compiled qmail), to
figure who inserts it. In the latter case one has to 'dbg' vchkpw to
see when this blank appears first.
  

Peter,

Here is a copy of the strace log:

ps1:/service/qmail-smtpd # strace /usr/local/bin/softlimit -m 2000
/usr/local/bin/tcpserver -v -H -R -l 0 -x
/usr/local/vpopmail/etc/tcp.smtp.cdb -c 20 -u 616 -g 616 0 25
/var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /bin/true
2>&1
execve("/usr/local/bin/softlimit", ["/usr/local/bin/softlimit", "-m",
"2000", "/usr/local/bin/tcpserver", "-v", "-H", "-R", "-l", "0",
"-x", "/usr/local/vpopmail/etc/tcp.smtp.cdb", "-c", "20", "-u", "616",
"-g", "616", "0", "25", "/var/qmail/bin/qmail-smtpd",
"/usr/local/vpopmail/bin/vchkpw", "/bin/true"], [/* 44 vars */]) = 0
uname({sys="Linux", node="ps1", ...}) = 0
brk(0) = 0x504000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2a9556b000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=43645, ...}) = 0
mmap(NULL, 43645, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a9556c000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\20\335\1"..., 640) =
640
fstat(3, {st_mode=S_IFREG|0755, st_size=1534814, ...}) = 0
mmap(NULL, 2365888, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x2a9566d000
mprotect(0x2a95791000, 1169856, PROT_NONE) = 0
mmap(0x2a9586d000, 253952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x10) = 0x2a9586d000
mmap(0x2a958ab000, 14784, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a958ab000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2a958af000
munmap(0x2a9556c000, 43645) = 0
getrlimit(0x2, 0x7fb410) = 0
setrlimit(RLIMIT_DATA, {rlim_cur=2000, rlim_max=RLIM_INFINITY}) = 0
getrlimit(0x3, 0x7fb410) = 0
setrlimit(RLIMIT_STACK, {rlim_cur=2000, rlim_max=RLIM_INFINITY}) = 0
getrlimit(0x8, 0x7fb410) = 0
setrlimit(RLIMIT_MEMLOCK, {rlim_cur=2000, rlim_max=RLIM_INFINITY})
= 0
getrlimit(0x9, 0x7fb410) = 0
setrlimit(RLIMIT_AS, {rlim_cur=2000, rlim_max=RLIM_INFINITY}) = 0
execve("/usr/local/bin/tcpserver", ["/usr/local/bin/tcpserver", "-v",
"-H", "-R", "-l", "0", "-x", "/usr/local/vpopmail/etc/tcp.smtp"...,
"-c", "20", "-u", "616", "-g", "616", "0", "25", ...], [/* 44 vars */])
= 0
uname({sys="Linux", node="ps1", ...}) = 0
brk(0) = 0x50d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2a9556b000
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=43645, ...}) = 0
mmap(NULL, 43645, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a9556c000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\20\335\1"..., 640) =
640
fstat(3, {st_mode=S_IFREG|0755, st_size=1534814, ...}) = 0
mmap(NULL, 2365888, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
0x2a9566d000
mprotect(0x2a95791000, 1169856, PROT_NONE) = 0
mmap(0x2a9586d000, 253952, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED,
3, 0x10) = 0x2a9586d000
mmap(0x2a958ab000, 14784, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2a958ab000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x2a958af000
munmap(0x2a9556c000, 43645) = 0
rt_sigprocmask(SIG_BLOCK, [CHLD], NULL, 8) = 0
rt_sigaction(SIGCHLD, {0x401ac0, [], 0x400}, NULL, 8) = 0
rt_sigaction(SIGTERM, {0x401ab0, [], 0x400}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0
open("/etc/dnsrewrite", O_RDONLY|O_NONBLOCK) = -1 ENOENT (No such file
or directory)
open("/etc/resolv.conf", O_RDONLY|O_NONBLOCK) = 3
read(3, "nameserver 127.0.0.1\nnameserver "..., 64) = 64
read(3, "t\n", 64) = 2
read(3, "", 64) = 0
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
fcntl(3, F_GETFL) = 0x2 (flags O_RDWR|O_LARGEFILE)
fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [-4611694294829367295], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(25),
sin_addr=inet_addr("0.0.0.0")}, 16) = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(25),
sin_addr=inet_addr("0.0.0.0")}, [1801439859538133008]) = 0
listen(3, 20) = 0
fcntl(3, F_GETFL) = 0x802 (flags
O_RDWR|O_NONBLOCK|O_LARGEFILE)
fcntl(3, F_SETFL, O_RDWR) = 0
setgroups(1, [616]) = 0
setgid(616) = 0
setuid(616) = 0
close(0) = 0

[vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-24 Thread Peter Palmreuther
Hello Blist,

On Monday, May 24, 2004 at 4:47:43 PM you wrote (at least in part):

I'd say this is a case for strace [...]
 Here is a copy of the strace log:

Please replace your strace call by

strace -fF -s 4096 -o /tmp/qmail.log -e write ...

(replace '...' with 'softlimit -m ...' and so on).

else we'll not see what qmail hands over to vchkpw.
-- 
Best regards
Peter Palmreuther

SLIDING DOWN THE RAZOR BLADES OF LIFE



Re: [vchkpw] Re: SMTP Auth HOW? *UPDATE* AMD64

2004-05-24 Thread blist




Peter Palmreuther wrote:

  
Please replace your strace call by

strace -fF -s 4096 -o /tmp/qmail.log -e write ...

(replace '...' with 'softlimit -m ...' and so on).

else we'll not see what qmail hands over to vchkpw.
  


3906 write(2, "tcpserver: status: 0/20\n", 24) = 24
3906 write(2, "tcpserver: status: 1/20\n", 24) = 24
10092 write(2, "tcpserver: pid 10092 from 192.168.5.50\n", 39) = 39
10092 write(2, "tcpserver: ok 10092 0:192.168.5.50:25
:192.168.5.50::32817\n", 59) = 59
10092 write(1, "220 box.prostream.net ESMTP\r\n", 29) = 29
10092 write(1, "504 auth type unimplemented (#5.5.1)\r\n", 38) = 38
10092 write(1,
"250-box.prostream.net\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 AUTH
LOGIN PLAIN CRAM-MD5\r\n", 84) = 84
10092 write(1, "334 VXNlcm5hbWU6\r\n", 18) = 18
10092 write(1, "334 UGFzc3dvcmQ6\r\n", 18) = 18
10092 write(4, "[EMAIL PROTECTED]", 27) = 27
10412 write(2, "domain invalid brooksroy.com\n\n", 30) = 30
10412 write(5, "\33\0\0\1\215 \0\0\0root\0W_OYDVUA\0vpopmail", 31) = 31
10412 write(5, "\v\1\0\0\3INSERT INTO vlog set user=\"brooks\",
passwd=\"jj\n\", domain=\"brooksroy.com\n\",
logon=\"[EMAIL PROTECTED]", remoteip=\"192.168.5.50\",
message=\"vchkpw-smtp: invalid user/domain characters
[EMAIL PROTECTED]:192.168.5.50\", error=3,
timestamp=1085433138", 271) = 271
10412 write(5, "\1\0\0\0\1", 5) = 5
10092 --- SIGCHLD (Child exited) @ 0 (0) ---
10092 write(1, "535 authentication failed (#5.7.1)\r\n", 36) = 36
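The trace above shows vchkpw logging "invalid user/domain characters" for a password and domain that each end in "\n". As an added diagnostic sketch (not code from qmail, vpopmail or the posters), the following parses a checkpassword-style descriptor-3 buffer and reports where control characters sit in each field. The function names, the sample credentials and the empty third field are assumptions made for the example.

```python
import base64

MAX_INPUT = 512  # the checkpassword interface allows at most 512 bytes on fd 3


def parse_checkpassword(buf: bytes):
    """Split an fd-3 buffer into its three NUL-terminated fields.

    The checkpassword interface defines them as login, password and
    timestamp; only the first two are inspected here.
    """
    if len(buf) > MAX_INPUT:
        raise ValueError("more than 512 bytes of checkpassword input")
    parts = buf.split(b"\0")
    if len(parts) < 4:  # three terminators leave at least four pieces
        raise ValueError("expected three NUL-terminated fields")
    return parts[0], parts[1], parts[2]


def stray_bytes(field: bytes):
    """Offsets and values of control characters (including DEL) in a field."""
    return [(i, b) for i, b in enumerate(field) if b < 0x20 or b == 0x7F]


def diagnose(buf: bytes):
    """Report stray bytes per field without echoing any credential text."""
    login, password, _third = parse_checkpassword(buf)
    user, _at, domain = login.partition(b"@")
    report = {}
    for name, value in (("user", user), ("domain", domain), ("password", password)):
        bad = stray_bytes(value)
        if bad:
            report[name] = bad
    return report


def buffer_from_auth_login(user_b64: str, pass_b64: str) -> bytes:
    """Assumed layout: decoded login, decoded password, empty third field."""
    return base64.b64decode(user_b64) + b"\0" + base64.b64decode(pass_b64) + b"\0\0"


# Constructed samples: in BAD both client responses decode to text ending in "\n".
BAD = buffer_from_auth_login(
    base64.b64encode(b"alice@example.com\n").decode(),
    base64.b64encode(b"s3cret\n").decode(),
)
GOOD = buffer_from_auth_login(
    base64.b64encode(b"alice@example.com").decode(),
    base64.b64encode(b"s3cret").decode(),
)

if __name__ == "__main__":
    print("bad :", diagnose(BAD))
    print("good:", diagnose(GOOD))
```

The report carries only field names, offsets and byte values, so it can be pasted into a list post without disclosing the credentials themselves.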





Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-24 Thread Linux-Guru
On Sunday, 23 May 2004 03:02, Eric Ziegast wrote:
 I know this is a shameless plug, but I'm a happy customer.

 Have Inter7 do a SugarBox install for less time/money than
 it takes to figure it out using online resources and googled
 howtos.  I didn't have to second-guess or debug anything.
 Within 4 hours of the consultant logging in via SSH, I had
 SMTP-AUTH, POP-before-SMTP, SMTP/SSL, POP3, POP3/SSL, IMAP,
 IMAP/SSL, CRAM-MD5 and a complement of TinyDNS and SqWebMail
 all working together.  Within another hour, he had MySQL
 replication and redundancy working.  He left all the source
 code on my box so that I could make modifications and
 customizations later using make install and even build
 additional servers later.

 If you don't make a living installing Qmail/Vpopmail servers,
 it's less expensive and more practical to just let someone
 else do it.  I've installed qmail/vpopmail from scratch before
 and believe that it can be a PITA to get done right.

 --
 Eric Ziegast

Hi Eric,

I could bet, it was on a 32bit environment... :-)
IMHO it's been only partly a good deal to take Inter7-support. First of all, 
it saved you time and money. But especially, if you don't know the internals 
of such a system and are using it in productive environment e.g. as ISP or in 
a bigger company you might be left alone unless you pay for support every 
time.
I set up all the stuff on other servers a couple of times before and I would 
do it the same way again: from the bleeding edge.
This was the way I learned how it works and which helps me to solve problems 
in daily business with these machines.
But: if you like it the way you did, ok - I like it the other way...

Just my $.05...

Greetings

Tobias


[vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Peter Palmreuther
Hello List,

On Friday, May 21, 2004 at 5:21:36 PM [EMAIL PROTECTED] wrote (at
least in part):

In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mailadress and Your password of Your mailbox over the internet.
[...]
 This is only true for SMTP Authentication of type plain and login.

 With CRAM-MD5 it's quite safe.
[...]
 Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
 If there are many hops between Your workstation and the smtpserver,
 You can get some spam in return.

Well, as you are this enlightened you'll for sure be able to tell me
the difference to POP authentication then, aren't you?
I don't talk about the different protocol; but in my limited
(inherited from my ancestors, which, as you stated, /pretended/ to be
the most bright) mind and with a lot of ignorance I thought POP3 sends
my username and pass as well. Using vpopmail for POP3 server the
username will most the time be my e-mail-address; exactly the same you
say it's insecure to send.

But I'm pretty sure you'll be able to tell me where my mistake is
located, because POP-b4-SMTP is, as you claimed yourself (see above),
MUCH MORE secure than SMTP-AUTH.

 More, Your mail is sent in plaintext.

Why do you mix authentication method and connection security? It's
two VERY different layers in communication model.
The one is layer 3/4, the other is layer 7 in OSI model.

There is NOTHING you can mix about them, there is NOTHING you can
compare them on. It's like comparing apples and plants. The plant
MIGHT be an apple tree, but you simply can't tell.

So please stop whining, write a SMTP-over-SSL-HOWTO and be happy.

 I prefer encrypted streams,

You're free to do. But what's the relation to a SMTP-AUTH problem?
-- 
Best regards
Peter Palmreuther

I am evil, I make the devil sign.
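The point argued in this exchange (LOGIN and PLAIN put the password on the wire, CRAM-MD5 reveals the user name but not the password, and none of them encrypts the connection) can be checked directly. The following is an added example, not code from any poster or from qmail; the function names and the alice credentials are constructed, and the second case uses the published CRAM-MD5 example values from RFC 2195.

```python
import base64
import hashlib
import hmac


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def login_exchange(user: str, password: str):
    """AUTH LOGIN as (direction, line) pairs; both prompts are fixed strings."""
    return [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64(b"Username:")),
        ("C", b64(user.encode())),
        ("S", "334 " + b64(b"Password:")),
        ("C", b64(password.encode())),
    ]


def cram_md5_digest(password: str, challenge: str) -> str:
    """HMAC-MD5 keyed with the password over the server's challenge, as hex."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_exchange(user: str, password: str, challenge: str):
    response = f"{user} {cram_md5_digest(password, challenge)}"
    return [
        ("C", "AUTH CRAM-MD5"),
        ("S", "334 " + b64(challenge.encode())),
        ("C", b64(response.encode())),
    ]


def observer_view(exchange):
    """What anyone reading the unencrypted stream can decode from it."""
    decoded = []
    for direction, line in exchange:
        token = line[4:] if line.startswith("334 ") else line
        try:
            decoded.append((direction, base64.b64decode(token, validate=True).decode()))
        except (ValueError, UnicodeDecodeError):
            decoded.append((direction, line))  # a plain command, not base64
    return decoded


def verify_cram_md5(response_b64: str, challenge: str, secrets: dict) -> bool:
    """Server side. Note that the server needs the shared secret itself."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    if user not in secrets:
        return False
    return hmac.compare_digest(digest, cram_md5_digest(secrets[user], challenge))


# RFC 2195 example values.
RFC_USER = "tim"
RFC_SECRET = "tanstaaftanstaaf"
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

if __name__ == "__main__":
    for direction, text in observer_view(login_exchange("alice@example.com", "s3cret")):
        print("LOGIN   ", direction, text)
    for direction, text in observer_view(cram_md5_exchange(RFC_USER, RFC_SECRET, RFC_CHALLENGE)):
        print("CRAM-MD5", direction, text)
```

In both cases the user name is readable by an observer; protecting it, and the message that follows, is a matter of running the session over TLS, independent of the AUTH mechanism chosen.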



Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello Peter,

Saturday, May 22, 2004, 6:34:03 PM, you wrote:

PP Hello List,

PP On Friday, May 21, 2004 at 5:21:36 PM [EMAIL PROTECTED] wrote (at
PP least in part):

In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mailadress and Your password of Your mailbox over the internet.
PP [...]
 This is only true for SMTP Authentication of type plain and login.

 With CRAM-MD5 it's quite safe.
PP [...]
 Yes, it's 'quite' safe, but You still reveal Your e-mailadress.
 If there are many hops between Your workstation and the smtpserver,
 You can get some spam in return.

PP Well, as you are this enlightened you'll for sure be able to tell me
PP the difference to POP authentication than, aren't you?
PP I don't talk about the different protocol; but in my limited
PP (inherited from my ancestors, which, as you stated, /pretended/ to be
PP the most bright) mind and with a lot of ignorance I thought POP3 sends
PP my username and pass as well. Using vpopmail for POP3 server the
PP username will most the time be my e-mail-address; exactly the same you
PP say it's insecure to send.

PP But I'm pretty sure you'll be able to tell me where my mistake is
PP located, because POP-b4-SMTP is, as you claimed yourself (see above),
PP MUCH MORE secure than SMTP-AUTH.

 More, Your mail is sent in plaintext.

PP Why do you mix authentication method and connection security? It's
PP two VERY different layers in communication model.
PP The one is layer 3/4, the other is layer 7 in OSI model.

PP There is NOTHING you can mix about them, there is NOTHING you can
PP compare them on. It's like comparing apples and plants. The plant
PP MIGHT be an apple tree, but you simply can't tell.

PP So please stop whining, write a SMTP-over-SSL-HOWTO and be happy.

 I prefer encrypted streams,

PP You're free to do. But what's the relation to a SMTP-AUTH problem?

Before You make comments, first read the previous post.  I am talking
about TLS, smtps and You are talking about pop3, complete out of the
road.  When I see word like 'enligtment' and I some sarcasm, seems You
are German either, see my previous comment.  Stop Your sarcasm, and
rebuild first Your country and mentality.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Paul Theodoropoulos
please remove this troll from the list. i'm tired of hearing this bigotry 
on a technical mailing list. there is no content in this post that has 
anything to do with either the list, or the thread in question.

At 11:06 AM 5/22/2004, [EMAIL PROTECTED] wrote:
Before You make comments, first read the previous post.  I am talking
about TLS, smtps adn You are talking about pop3, complete out of the
road.  When I see word like 'enligtment' and I some sarcasm, seems You
are German either, see my previous comment.  Stop Your sarcasm, and
rebuild first Your country and mentality.
Paul Theodoropoulos
http://www.anastrophe.com



[vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Peter Palmreuther
Hello List,

On Saturday, May 22, 2004 at 8:06:41 PM [EMAIL PROTECTED] wrote (at
least in part):

[full quote snipped]
 Before You make comments, first read the previous post.

Well, ok. *erm* I just recognize: already done.

 I am talking about TLS, smtps

You are. In fact you are.
But maybe I just have to repeat my question, maybe you did not
recognize it, because there was too much confusing text around it:

Why do you mix authentication method and connection security?

 adn You are talking about pop3, complete out of the road.

No. Now I'm pretty sure the whole mass of text confused you. I told
you, SMTP-AUTH sends the e-mail-address and password as well as
POP3-AUTH does. This was related to your comment (I'm allowed to quote
your comment in mid:[EMAIL PROTECTED]):

,-
| In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
| security as SMTP after POP,
`-

You YOU started comparing SMTP-AUTH to other, POP3-invocating,
authentication / relay-allowing, methods.
So IF POP3 is out of the road, it is only YOU who brought it into
this thread.

 When I see word like 'enligtment' and I some sarcasm, seems You
 are German either,

You're so ... so ... amusing. You need the word enlightment (which
I did not even write; I wrote you're enlightened) and some sarcasm
for recognizing a fact, which can easily be obtained from the senders
address? You ARE funny.

 see my previous comment.

The one in mid:[EMAIL PROTECTED]? I saw. And I had
to laugh out loudly about such a simple minded attitude.

 Stop Your sarcasm,

Why? Who are you to tell me stopping sarcasm? What makes you better
than anybody else? What makes you assume my ancestors gave me that
beautiful gift of sarcasm? What makes you sure you can even think
about any comparison between times of WWI and WWII and my behavior
just right now? What makes you French existence better than mine?

 and rebuild first Your country

I won't. There're some million people in this country, I don't see a
single reason why I should rebuild it.
- First: I don't see a necessity to /rebuild/ it. Some (partly major)
  changes might be suitable, but a complete rebuild is far too much.
- Second: I personally am much to less of a being for having the
  ability to rebuild the whole country.
- Third: even if I would start, there are so many (mostly
  politicians, nevertheless enough commercial leaders) people guiding
  this country into its current misery. My work would not stop this.

There are some other reasons, but this would become too much OT. But
I'm quite sure you know what you're talking about. At least it's just
the reality that's far behind your statements.

 and mentality.

??? You're is better? Your
Q: I don't get SMTP-AUTH to work. Please help
A: Use SSL!
way of participating and helping others, your You're sarcastic,
you're a f*g German! You're behaving like your ancestors 1900-1945!
[which implies I'm a either a Caesars fellow or a national socialist;
and you don't even know me enough for being at least 1% sure about this
facts] is a better mentality?

C'mon, guy. You don't want to tell me, you're the better human
being? You don't really want to do EXACTLY what you blame me to do:
[pretend] to be the most bright race???
You don't really want to tell me (us) we Germans are (still? again?)
the bad, ugly, fascistic people and it's the French that'll help the
world out of the misery, because of their perfect mind set, given by
place of birth and live??? If you really do, you're much poorer than
I thought and you don't even deserve being read on this list.

P.S.: If you feel the need to reply: please try trimming your quotes
to the relevant parts. It is not necessary to full quote and
increase list traffic above the unavoidable level. I don't even ask
for slightly reducing your signature; 18 lines is quite a lot.
-- 
Best regards
Peter Palmreuther

Eggheads unite!  You have nothing to lose but your yolks. - Adlai
Stevenson



Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello Peter,

Saturday, May 22, 2004, 9:03:21 PM, you wrote:

PP Hello List,

PP On Saturday, May 22, 2004 at 8:06:41 PM [EMAIL PROTECTED] wrote (at
PP least in part):

PP [full quote snipped]
 Before You make comments, first read the previous post.

PP Well, ok. *erm* I just recognize: already done.

 I am talking about TLS, smtps

PP You are. In fact you are.
PP But maybe I just have to repeat my question, maybe you did not
PP recognize it, because there was too much confusing text around it:

PP Why do you mix authentication method and connection security?

 adn You are talking about pop3, complete out of the road.

PP No. Now I'm pretty sure the whole mass of text confused you. I told
PP you, SMTP-AUTH sends the e-mail-address and password as well as
PP POP3-AUTH does. This was related to your comment (I'm allowed to quote
PP your comment in mid:[EMAIL PROTECTED]):

PP ,-
PP | In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
PP | security as SMTP after POP,
PP `-

PP You YOU started comparing SMTP-AUTH to other, POP3-invocating,
PP authentication / relay-allowing, methods.
PP So IF POP3 is out of the road, it is only YOU who brought it into
PP this thread.

 When I see word like 'enligtment' and I some sarcasm, seems You
 are German either,

PP You're so ... so ... amusing. You need the word enlightment (which
PP I did not even write; I wrote you're enlightened) and some sarcasm
PP for recognizing a fact, which can easily be obtained from the senders
PP address? You ARE funny.

 see my previous comment.

PP The one in mid:[EMAIL PROTECTED]? I saw. And I had
PP to laugh out loudly about such a simple minded attitude.

 Stop Your sarcasm,

PP Why? Who are you to tell me stopping sarcasm? What makes you better
PP than anybody else? What makes you assume my ancestors gave me that
PP beautiful gift of sarcasm? What makes you sure you can even think
PP about any comparison between times of WWI and WWII and my behavior
PP just right now? What makes you French existence better than mine?

 and rebuild first Your country

PP I won't. There're some million people in this country, I don't see a
PP single reason why I should rebuild it.
PP - First: I don't see a necessity to /rebuild/ it. Some (partly major)
PP   changes might be suitable, but a complete rebuild is far too much.
PP - Second: I'm personally am much to less of a being for having the
PP   ability to rebuild the whole country.
PP - Third: even if I would start, there are s many (mostly
PP   politicians, nevertheless enough commercial leaders) people guiding
PP   this country into it's current misery. My work would not stop this.

PP There are some other reasons, but this would become too much OT. But
PP I'm quite sure you know what you're talking about. At least it's just
PP the reality that's far behind your statements.

 and mentality.

PP ??? You're is better? Your
PP Q: I don't get SMTP-AUTH to work. Please help
PP A: Use SSL!
PP way of participating and helping others, your You're sarcastic,
PP you're a f*g German! You're behaving like your ancestors 1900-1945!
PP [which implies I'm a either a Caesars fellow or a national socialist;
PP and you don't even now me enough for being at least 1% sure about this
PP facts] is a better mentality?

PP C'mon, guy. You don't want to tell me, you're the better human
PP being? You don't really want to do EXACTLY what you blame me to do:
PP [pretend] to be the most bright race???
PP You don't really want to tell me (us) we Germans are (still? again?)
PP the bad, ugly, fascistic people and it's the French that'll help the
PP world out of the misery, because of their perfect mind set, given by
PP place of birth and live??? If you really do, you're much poorer than
PP I thought and you don't even deserve being read on this list.

PP P.S.: If you feel the need to reply: please try trimming your quotes
PP to the relevant parts. It's is not necessary to full quote and
PP increase list traffic above the unavoidable level. I don't even ask
PP for slightly reducing your signature; 18 lines is quite a lot.

I didn't, sometimes people think what You mean, and one word brings
another.  I started about smtp ssl and the improvements above
smtp-auth, and at some moment others read half words and start to
answer in terms of encryption.

if You append some Germans, who start to flame with words like

quote Erwin Hoffman  : 'You are joking, troll.'
quote Peter Palmreuther  : 'as you are this enlightened'
quote Paul Theodoropoulos [EMAIL PROTECTED]  : '... this troll..'

Well You known You have to do with egotrippers, people You don't have
the maturity to do a nice discussion about the topic.

The only professional answer in this case was from some other people,
definitely people who are working for major companies, who don't need
their ego to defend themselves.

I was helping a guy out here, i don't need an appended answers from
people 

Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread X-Istence

Your first message, which started this flamewar.

 snip

 Roy,

 In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
 security as SMTP after POP, because with SMTP-Auth, You sent Your
 e-mailadress and Your password of Your mailbox over the internet.
 When a man-in-the-middle catch this e-mail (or worse Your PW), he can
 use it for spam, or access Your mailbox.

Well, considering you send your entire email over the line to get access
to pop, this claim is not true. Just thought I'd bring this up, as
everywhere else you are suggesting that it is not true that you said that.

Hell, pop3-ssl would be the same as smtp-ssl both would allow secure
authentication.

SMTP after POP is a pain, and it doesn't help against these so called man
 in the middle attacks. Unless of course you would also provide a patch
to make it pop3-ssl, in which case the next thing you say would be a
better solution.


 I suggest You use: SHUPP's version with netqmail like :

 fetch http://www.qmail.org/netqmail-1.05.tar.gz
 tar xzvf netqmail-1.05.tar.gz.tar
 cd netqmail-1.05
 ./collate.sh

 # patch with Shupp's TLS and SMTP-Auth
 fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
 patch < ./netqmail-1.05-tls-smtpauth-20040207.patch


So now that we have smtp-ssl, or smtps, how is SMTP after POP still more
secure? Why not just start an SSL connection and then auth with SMTP? I
don't see a difference at all. You brought POP in for no apparent reason
at all. Hell, I'd rather use SMTP auth than first pop and then sending
the mail, as it's a pain in the ass to configure most mail clients to do
POP before SMTP.

 certificate:

 You can copy thoses (extension .pem) from :
 freeBSD, vpopmail stuff
 cd /var/qmail/control
 cp /usr/local/cert/ipop3d.pem servercert.pem
 ln -s servercert.pem ./clientcert.pem


Breached# ls /usr/local/cert/ipop3d.pem
ls: /usr/local/cert/ipop3d.pem: No such file or directory

hrm, that's FreeBSD BTW.

 Activate TLS by create a certificate, and You will be much better off
 to create an encrypted connecton to Your SMTP server by the SMTP Enc
 smtps   465/tcp#smtp protocol over TLS/SSL (was ssmtp)
 smtps   465/udp#smtp protocol over TLS/SSL (was ssmtp)

 snip 500 million line sig

X-Istence



Re[2]: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello X-Istence,

Saturday, May 22, 2004, 11:06:33 PM, you wrote:


XI Your first message, which started this flamewar.

 snip

 Roy,

 In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
 security as SMTP after POP, because with SMTP-Auth, You sent Your
 e-mailadress and Your password of Your mailbox over the internet.
 When a man-in-the-middle catch this e-mail (or worse Your PW), he can
 use it for spam, or access Your mailbox.

XI Well, considering you send your entire email over the line to get access
XI to pop, this claim is not true. Just thought id bring this up, as
XI everywhere else you are suggesting that it is not true that you said that.

XI Hell, pop3-ssl would be the same as smtp-ssl both would allow secure
XI authentication.

XI SMTP after POP is a pain, and it doesnt help against these so called man
XI  in the middle attacks. Unless off course you would also provide a patch
XI to make it pop3-ssl, in which cause the next thing you say would be a
XI better solution.


 I suggest You use: SHUPP's version with netqmail like :

 fetch http://www.qmail.org/netqmail-1.05.tar.gz
 tar xzvf netqmail-1.05.tar.gz.tar
 cd netqmail-1.05
 ./collate.sh

 # patch with Shupp's TLS and SMTP-Auth
 fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
 patch < ./netqmail-1.05-tls-smtpauth-20040207.patch


XI So now that we have smtp-ssl, or smtps, how is SMTP after POP still more
XI secure? Why not just start an SSL connection and then auth with SMTP? I
XI dont see a difference at all. You brough POP in for no apperant reason
XI at all. Hell, id rather use SMTP auth than first pop and then sending
XI the mail, as its a pain in the ass to configure most mail clients to do
XI POP before SMTP.

 certificate:

 You can copy thoses (extension .pem) from :
 freeBSD, vpopmail stuff
 cd /var/qmail/control
 cp /usr/local/cert/ipop3d.pem servercert.pem
 ln -s servercert.pem ./clientcert.pem


XI Breached# ls /usr/local/cert/ipop3d.pem
XI ls: /usr/local/cert/ipop3d.pem: No such file or directory

XI hrm, thats FreeBSD BTW.

 Activate TLS by create a certificate, and You will be much better off
 to create an encrypted connecton to Your SMTP server by the SMTP Enc
 smtps   465/tcp#smtp protocol over TLS/SSL (was ssmtp)
 smtps   465/udp#smtp protocol over TLS/SSL (was ssmtp)

 snip 500 million line sig

XI X-Istence


'SMTP after POP' is a technique.  I clearly stated to do POP3-SSL, to
have afterwards a 'SMTP after POP' functionality.  You authenticate
completely with encryption, You get the smtp server open due to Your
authentication for several minutes (for Your IP, if You wish), and You
have Your 'SMTP after POP'.  If I try to define it 'SMTP after
POP3_SSL', well we have a new definition.

You can take words out of the sentence, especially when someone
writes terrible English, like I do, but I really known every topic
what You mean.  First try to understand, and answer on the same road
I explained and not of the road.

And if some people start with flaming...  The flamewar did NOT start
with my message.  It started with Mr Doctor Hoffmans words, I quote  'troll'

Well if we You to the road of ego, I can put other things on the
table, but this serves not this list, and it was already a waste of
time.

This is my final answer, You can help out the guy with his problem.
I leave it all to You, nice guys.  I have a company to run.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]



[vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Peter Palmreuther
Hello List,

On Saturday, May 22, 2004 at 11:24:43 PM [EMAIL PROTECTED] wrote (at
least in part):

 The flamewar did NOT start with my message.

PLOconnection interrupt *beep*
-- 
Best regards
Peter Palmreuther

Bumper sticker: All the parts falling off this car  are of the very
finest British manufacture



[vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Peter Palmreuther
Hello List,

On Saturday, May 22, 2004 at 11:24:43 PM [EMAIL PROTECTED] wrote (at
least in part):

 I clearly stated to do POP3-SSL, to have afterwards a 'SMTP after
 POP' functionality.

Sure. I may quote your first reply:

,- [ mid:[EMAIL PROTECTED] ]
| Activate TLS by create a certificate, and You will be much better off
| to create an encrypted connecton to Your SMTP server by the SMTP Enc
| smtps   465/tcp#smtp protocol over TLS/SSL (was ssmtp)
| smtps   465/udp#smtp protocol over TLS/SSL (was ssmtp)
`-
-- 
Best regards
Peter Palmreuther

Computer Science is merely the post-Turing decline in formal systems
theory.



Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread Eric Ziegast
I know this is a shameless plug, but I'm a happy customer.

Have Inter7 do a SugarBox install for less time/money than
it takes to figure it out using online resources and googled
howtos.  I didn't have to second-guess or debug anything.
Within 4 hours of the consultant logging in via SSH, I had
SMTP-AUTH, POP-before-SMTP, SMTP/SSL, POP3, POP3/SSL, IMAP,
IMAP/SSL, CRAM-MD5 and a complement of TinyDNS and SqWebMail
all working together.  Within another hour, he had MySQL
replication and redundancy working.  He left all the source
code on my box so that I could make modifications and
customizations later using make install and even build
additional servers later.

If you don't make a living installing Qmail/Vpopmail servers,
it's less expensive and more practical to just let someone
else do it.  I've installed qmail/vpopmail from scratch before
and believe that it can be a PITA to get done right.

--
Eric Ziegast


Re: [vchkpw] Re: SMTP-Auth question

2004-04-05 Thread Joel Newkirk
(Apologies for the delayed reply - I've been on the road)
On Thu, 2004-04-01 at 13:52, Peter Palmreuther wrote:

  Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask for
  Authentication. 
 
 No. It'll /OFFER/ SMTP-AUTH, for those that want to set up their mail
 client to always use SMTP-AUTH instead of relying on a formerly done
 POP3.
 
 You absolutely don't have to make ANY use of this offer. If your IP is
 set to RELAYCLIENT= by a former POP3 (or whatever) connection, or
 even is set statically to be allowed to relay, the MUA can simply go


 I read this:
 
 ,- [ mid:[EMAIL PROTECTED] ]
 | Is there any way to set up SMTP-Auth, while still allowing pop-b4-smtp? 
 | So far when I've rebuilt the system with SMTP-Auth patching, it will
 | ONLY accept SMTP-Auth to allow relaying... :(
 `-
 
 as follows:
 
 - I want both method, SMTP-Auth and POP3-b4-SMTP, for allowing a client
   to relay.
 - I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
   already set RELAYCLIENT=
 
 But maybe I got it wrong ... Joel?

No, you got it right.  When I'd tested after rebuilding with SMTP-Auth,
I was unable to send mail through without authentication.  It could,
however, have been caused by my MUA (Evolution 1.4) and my own local
configuration, rather than the server - I'll be looking into that
tomorrow.  Thanks.

j

-- 
Not all those who wander are lost.  - JRR Tolkien



Re: [vchkpw] Re: SMTP-Auth question

2004-04-05 Thread Werner Amon
Joel Newkirk wrote:


- I want both method, SMTP-Auth and POP3-b4-SMTP, for allowing a client
 to relay.
- I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
 already set RELAYCLIENT=
Hi,

I have such a setup.
I use qmail-spamcontrol+vpopmail+mysql+courier+relay-ctrl
my smtpd run file:

#!/bin/sh
# Run tcpserver as the vpopmail uid/gid, capped at qmail's concurrencyincoming.
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
# relay-ctrl-check covers POP-before-SMTP clients; vchkpw handles SMTP-AUTH.
exec /usr/local/bin/envdir /etc/relay-ctrl \
/usr/local/bin/tcpserver -v -R -H -c "$MAXSMTPD" \
-x /home/vpopmail/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/relay-ctrl-check \
/usr/local/bin/rblsmtpd -b \
-r relays.ordb.org \
-r sbl-xbl.spamhaus.org \
-r opm.blitzed.org \
-r bl.spamcop.net \
-r list.dsbl.org \
-r relays.visi.com \
-r obsl.outblaze.com \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Both auth methods work well on my system

Werner


Re: [vchkpw] Re: SMTP-Auth question

2004-04-01 Thread Erwin Hoffmann
Hi Peter,

At 17:24 31.03.04 +0200, you wrote:
Hello Erwin,

On Wednesday, March 31, 2004 at 10:09:29 AM you wrote (at least in
part):

 In case a client is accepted via pop-4-smtpd, the $RELAYCLIENT environment
 variable is set. It might be useful to define this variable explicitly,
 ie. RELAYCLIENT=PB4S.

No. It will, for sure, not be useful.

I somehow disagree.

,- [ man qmail-smtpd ]
| [...]
|  Exception: If the environment variable RELAYCLIENT is
|  set,  qmail-smtpd  will  ignore  rcpthosts,  and will
|  append the value  of  RELAYCLIENT  to  each  incoming
|  recipient address.
| [...]
`-

Setting RELAYCLIENT to something different than an empty string is
only useful when one KNOWS what he/she does. The overwhelming majority
only wants RELAYCLIENT unlocks relay restrictions and therefore has to
set it empty.

Yes. But this is *EXACTLY* what we want.

The reason is twofold:

1. Relayclients which are identified by - let's say - static IP addresses
(ie. NOT by POP-b4-SMTP) have RELAYCLIENT=.
2. Relayclients identified by POP-b4-SMTP carrying RELAYCLIENT=P4S (sample).
Ok. qmail-smtpd will append this string to the Recipient address ([EMAIL PROTECTED]
= [EMAIL PROTECTED]). However, using ie. ksh capabilities you can do
${RECIPIENT%P4S} thus retaining the old RECIPIENT variable.

 Check it and call qmail-smtpd without any arguments.
 
 In case the variable is not set or empty, call qmail-smtpd with the proper
 SMTP Auth args.

This whole wrapper-stuff should not be necessary. If tcpserver sets
RELAYCLIENT due to .cdb or SQL-lookup it'll be passed to qmail-smtpd.
qmail-smtpd then will allow relaying even w/o SMTP-Auth.

Correct. 

I'm running a SMTP which offers SMTP-Auth and POP3-b4-SMTP and it
works w/o any wrappers at all. The SMTP-Auth patch simply sets
RELAYCLIENT for qmail-smtpd /WHEN/ someone authenticated successful,
if not the formerly set RELAYCLIENT (passed as ENV-var from tcpserver,
when set) is not reset when authentication fails.

@Joel:

How about this: Copy your current qmail-smtpd invocation, remove all
the 'qmail-smtpd foo bar bla' stuff and replace it with a simple
'/usr/bin/env'. Make the tcpserver listen on port 26. Prepend an
environment clearing 'env' call. Start the stuff on command line. It
can be something similar to this:

env -i PATH=/var/qmail/bin:/usr/local/bin tcpserver -vRX \
 0 26 /usr/bin/env

(plus adding the stuff necessary for tcpserver reading the database
for potentially set environment vars like RELAYCLIENT)

Then connect to this server from a client-IP that should be set to
relaying allowed (e.g. by formerly executed POP3 authentication):

telnet $SERVER 26

You should see a line with PATH=... and some TCPREMOTExxx and
TCPLOCALxxx lines. Additionally you should see a line 'RELAYCLIENT='.

If this is there and your qmail-smtpd invocation looks up the same
database for possible RELAYCLIENT settings try this:

telnet $SERVER 35
EHLO _
MAIL FROM:
RCPT TO:[EMAIL PROTECTED]
QUIT

If this fails: please post the error you get, your qmail-smtpd startup
script and the result of above 'env'-test.


But that's not the question:

Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask for
Authentication. 

If I understood correctly, that's *EXACTLY* what should be avoided.

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24


[vchkpw] Re: SMTP-Auth question

2004-04-01 Thread Peter Palmreuther
Hello Erwin,

On Thursday, April 1, 2004 at 3:23:49 PM you wrote (at least in part):

[RELAYCLIENT set to something different than ]
 2. Relayclients identified by POP-b4-SMTP carrying RELAYCLIENT=P4S (sample).
 Ok. qmail-smtpd will append this string to the Recipient address ([EMAIL PROTECTED]
= [EMAIL PROTECTED]). However, using ie. ksh capabilities you can do
 ${RECIPIENT%P4S} thus retaining the old RECIPIENT variable.

Why would you want to fork more processes and waste more resources
than necessary when a SMTP-connection is about to be accepted?

 Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask for
 Authentication. 

No. It'll /OFFER/ SMTP-AUTH, for those that want to set up their mail
client to always use SMTP-AUTH instead of relying on a formerly done
POP3.

You absolutely don't have to make ANY use of this offer. If your IP is
set to RELAYCLIENT= by a former POP3 (or whatever) connection, or
even is set statically to be allowed to relay, the MUA can simply go
on in SMTP dialog:

EHLO _
MAIL FROM:
RCPT TO:[EMAIL PROTECTED]
DATA
qwertzuiop
.
QUIT

The MUA can and should ignore the initial (after EHLO) greeting
telling about smtpd's capabilities, if not explicitly set to do
SMTP-auth.

 If I understood correctly, that's *EXACTLY* what should be avoided.

I read this:

,- [ mid:[EMAIL PROTECTED] ]
| Is there any way to set up SMTP-Auth, while still allowing pop-b4-smtp? 
| So far when I've rebuilt the system with SMTP-Auth patching, it will
| ONLY accept SMTP-Auth to allow relaying... :(
`-

as follows:

- I want both methods, SMTP-Auth and POP3-b4-SMTP, for allowing a client
  to relay.
- I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
  already set RELAYCLIENT=

But maybe I got it wrong ... Joel?
-- 
Best regards
Peter Palmreuther

Can you imagine a world without men??  No crime and lots of happy, fat
women.



[vchkpw] Re: SMTP-Auth question

2004-03-31 Thread Peter Palmreuther
Hello Erwin,

On Wednesday, March 31, 2004 at 10:09:29 AM you wrote (at least in
part):

 In case a client is accepted via pop-4-smtpd, the $RELAYCLIENT environment
 variable is set. It might be useful to define this variable explicitly,
 ie. RELAYCLIENT=PB4S.

No. It will, for sure, not be useful.

,- [ man qmail-smtpd ]
| [...]
|  Exception: If the environment variable RELAYCLIENT is
|  set,  qmail-smtpd  will  ignore  rcpthosts,  and will
|  append the value  of  RELAYCLIENT  to  each  incoming
|  recipient address.
| [...]
`-

Setting RELAYCLIENT to something different than an empty string is
only useful when one KNOWS what he/she does. The overwhelming majority
only wants RELAYCLIENT to unlock relay restrictions and therefore has to
set it empty.

 Check it and call qmail-smtpd without any arguments.
 
 In case the variable is not set or empty, call qmail-smtpd with the proper
 SMTP Auth args.

This whole wrapper-stuff should not be necessary. If tcpserver sets
RELAYCLIENT due to .cdb or SQL-lookup it'll be passed to qmail-smtpd.
qmail-smtpd then will allow relaying even w/o SMTP-Auth.

I'm running a SMTP which offers SMTP-Auth and POP3-b4-SMTP and it
works w/o any wrappers at all. The SMTP-Auth patch simply sets
RELAYCLIENT for qmail-smtpd /WHEN/ someone authenticated successfully,
if not the formerly set RELAYCLIENT (passed as ENV-var from tcpserver,
when set) is not reset when authentication fails.

@Joel:

How about this: Copy your current qmail-smtpd invocation, remove all
the 'qmail-smtpd foo bar bla' stuff and replace it with a simple
'/usr/bin/env'. Make the tcpserver listen on port 26. Prepend an
environment clearing 'env' call. Start the stuff on command line. It
can be something similar to this:

env -i PATH=/var/qmail/bin:/usr/local/bin tcpserver -vRX \
 0 26 /usr/bin/env

(plus adding the stuff necessary for tcpserver reading the database
for potentially set environment vars like RELAYCLIENT)

Then connect to this server from a client-IP that should be set to
relaying allowed (e.g. by formerly executed POP3 authentication):

telnet $SERVER 26

You should see a line with PATH=... and some TCPREMOTExxx and
TCPLOCALxxx lines. Additionally you should see a line 'RELAYCLIENT='.

If this is there and your qmail-smtpd invocation looks up the same
database for possible RELAYCLIENT settings try this:

telnet $SERVER 35
EHLO _
MAIL FROM:
RCPT TO:[EMAIL PROTECTED]
QUIT

If this fails: please post the error you get, your qmail-smtpd startup
script and the result of above 'env'-test.
-- 
Best regards
Peter Palmreuther

Boob's Law: You always find something in the last place you look.
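The unset / empty / non-empty RELAYCLIENT cases argued over in the messages above, as an added example that is not part of the original posts and is not qmail-smtpd's code: a small shell model of the relay decision from the quoted man page, plus the `${RECIPIENT%P4S}` suffix stripping. The function names, the `P4S` tag handling and all sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: a model of the relay decision, NOT qmail-smtpd's own code.
# Function names and all sample addresses below are constructed.

# rcpt_decision RCPTHOSTS_FILE RECIPIENT
# Prints "accept <recipient as it would be queued>" or "reject".
# RELAYCLIENT is read from the environment, as tcpserver would pass it.
rcpt_decision() {
    rcpthosts=$1
    rcpt=$2
    domain=$(printf '%s' "${rcpt##*@}" | tr 'A-Z' 'a-z')

    # Set, even to the empty string: rcpthosts is ignored and the value
    # is appended to the recipient. "${VAR+set}" tells unset from empty.
    if [ "${RELAYCLIENT+set}" = set ]; then
        printf 'accept %s%s\n' "$rcpt" "$RELAYCLIENT"
        return 0
    fi

    # No rcpthosts file at all: any recipient is accepted (open relay).
    if [ ! -e "$rcpthosts" ]; then
        printf 'accept %s\n' "$rcpt"
        return 0
    fi

    # File exists (possibly empty): the domain has to be listed.
    # An entry with a leading dot covers every host below that domain.
    while IFS= read -r entry || [ -n "$entry" ]; do
        if [ -z "$entry" ]; then
            continue
        fi
        case $entry in
            .*) case $domain in *"$entry") printf 'accept %s\n' "$rcpt"; return 0 ;; esac ;;
            *)  if [ "$entry" = "$domain" ]; then printf 'accept %s\n' "$rcpt"; return 0; fi ;;
        esac
    done < "$rcpthosts"
    printf 'reject\n'
    return 0
}

# strip_tag ADDRESS TAG: undo the suffix a non-empty RELAYCLIENT appended.
strip_tag() {
    printf '%s\n' "${1%"$2"}"
}

# Demo on a constructed rcpthosts file.
demo_dir=$(mktemp -d)
printf 'example.org\n.lists.example.org\n' > "$demo_dir/rcpthosts"
unset RELAYCLIENT
echo "unset : $(rcpt_decision "$demo_dir/rcpthosts" bob@elsewhere.test)"
echo "empty : $(RELAYCLIENT=; rcpt_decision "$demo_dir/rcpthosts" bob@elsewhere.test)"
tagged=$(RELAYCLIENT=P4S; rcpt_decision "$demo_dir/rcpthosts" bob@elsewhere.test)
echo "tagged: $tagged -> $(strip_tag "${tagged#accept }" P4S)"
rm -rf "$demo_dir"
```

The tagged case shows why a non-empty value needs something downstream that removes the suffix again before delivery.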



[vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Paul L. Allen

Mike Miller writes:

 Nope.  Not using MD5 passwords.

That would explain it then.  As Tom said, DES-style crypt ignores everything
after the first eight characters of the password.  MD5-style crypt has a
higher limit, from memory I believe it's something like 126.

-- 
Paul Allen
Softflare Support




Re: [vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
Okay, but should it be _allowing_ this as a password or don't you think that 
it should reject it?  There is a very big difference between 'webmaste' and 
'webmaster23445' in terms of security, as I just found out.

The reasoning for my use of CRYPT is that most of my users are still from 
when VPOPMAIL didn't support MD5.  But in terms of this situation, the 
base64 password that the user sends would likely be better decode_base64()'d 
and then compared against the clear-text password.

-M


From: Paul L. Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: [vchkpw] Re: SMTP-Auth bug in passwords?
Date: Wed, 10 Sep 2003 13:30:27 GMT
Mike Miller writes:

 Nope.  Not using MD5 passwords.

That would explain it then.  As Tom said, DES-style crypt ignores everything
after the first eight characters of the password.  MD5-style crypt has a
higher limit, from memory I believe it's something like 126.
--
Paul Allen
Softflare Support





[vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Paul L. Allen

Mike Miller writes:

 Okay, but should it be _allowing_ this as a password or don't you think 
 that it should reject it?

I think that it is behaving as it is documented to behave and that your
expectations are wrong.

 There is a very big difference between 'webmaste' and 'webmaster23445'
 in terms of security, as I just found out.

Not a big difference, but more than the difference between webmaste
and webmaster00 which is what you said was being used.  Password cracker
programs try using the username as a password in combination with one
or two digits at the end as the FIRST thing they do.  Mail authentication
is not tarpitted like user logins so a cracker can happily try all
combinations very quickly.  If that mail login also happens to be
the username and password for a user login you start to have serious
problems.  If you think webmaster23445 is secure you need to think
again.

 The reasoning for my use of CRYPT is that most of my users are still from 
 when VPOPMAIL didn't support MD5.

Crypt is capable of supporting both styles of password in the system
passwd file so if vpopmail has been coded correctly then it ought also
to support both types of password.  It is a simple matter of using the
crypted password itself as salt when doing a trial crypt of the plain
password.

 But in terms of this situation, the base64 password that the user sends 
 would likely be better decode_base64()'d  and then compared against the 
 clear-text password.

Comparing against the plain text password would allow longer passwords.
Having plain text passwords is, itself, a security problem.  Think about
users who use the same username and password everywhere, including their 
on-line banking.  Think about being the only one of the systems that user
uses  which holds the password in plain text.  Think about what happens
if that user claims there was an unauthorized on-line withdrawal.  Your
system being the only one to have the password in plain text is not
proof of guilt and the others having the password crypted is not proof
of innocence, but you try convincing a jury of that...

-- 
Paul Allen
Softflare Support




Re: [vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Mike Miller
I'm in no way stating that that webmaster21312 password is secure, however 
I'd say that length issues are important here as often the complex parts of 
a password are near the end [ie: dogguy45b].  If this was me, I'd completely 
agree and never have a password like that.  However it seems that my users 
on the other hand do like this sort of thing, which is a security 
consideration in its own respect.  Yes those numbers are a bigger 
difference, but has the same effect in my case- webmaste is identical to 
webmastejashfdajsfhasfjashfasj - which is the furthest thing from the truth.

I believe what you say (that if I enable MD5 passwords, then it will work 
for both), but I think that might be a documentation issue.
 --enable-md5-passwords=y|n   Turn on (y default ) or off (n) to store 
encrypted passwords as md5.
There should really be a note that it will accept existing crypt passwords 
but store new ones in MD5.  This would ensure that users looking to migrate 
know what's going on.  I just didn't want it to stop working when migrated  
users.

-M

From: Paul L. Allen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [vchkpw] Re: SMTP-Auth bug in passwords?
Date: Wed, 10 Sep 2003 13:44:03 GMT
Mike Miller writes:

 Okay, but should it be _allowing_ this as a password or don't you think
 that it should reject it?
I think that it is behaving as it is documented to behave and that your
expectations are wrong.
 There is a very big difference between 'webmaste' and 'webmaster23445'
 in terms of security, as I just found out.
Not a big difference, but more than the difference between webmaste
and webmaster00 which is what you said was being used.  Password cracker
programs try using the username as a password in combination with one
or two digits at the end as the FIRST thing they do.  Mail authentication
is not tarpitted like user logins so a cracker can happily try all
combinations very quickly.  If that mail login also happens to be
the username and password for a user login you start to have serious
problems.  If you think webmaster23445 is secure you need to think
again.
 The reasoning for my use of CRYPT is that most of my users are still from
 when VPOPMAIL didn't support MD5.

Crypt is capable of supporting both styles of password in the system
passwd file so if vpopmail has been coded correctly then it ought also
to support both types of password.  It is a simple matter of using the
crypted password itself as salt when doing a trial crypt of the plain
password.
 But in terms of this situation, the base64 password that the user sends
 would likely be better decode_base64()'d  and then compared against the
 clear-text password.
Comparing against the plain text password would allow longer passwords.
Having plain text passwords is, itself, a security problem.  Think about
users who use the same username and password everywhere, including their
on-line banking.  Think about being the only one of the systems that user
uses  which holds the password in plain text.  Think about what happens
if that user claims there was an unauthorized on-line withdrawal.  Your
system being the only one to have the password in plain text is not
proof of guilt and the others having the password crypted is not proof
of innocence, but you try convincing a jury of that...
--
Paul Allen
Softflare Support





[vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Paul L. Allen

Mike Miller writes:

 Any way to convert an entire large site of cdb files (probably 
 150 domains) into MD5?  Actually converting is the wrong word [since you 
 can't do that unless there is clear text passwords], but rather to have it 
 choose between both MD5 and CRYPT passwords (based on length) to migrate 
 from crypt to MD5?

I don't know how vpopmail handles this.  If it was written correctly then on
most recent releases of *nix then both types of crypted password in the same
cdb ought to be possible.

DES crypt requires two characters of salt chosen from A-Za-z0-9./ while
MD5 crypt requires eight characters from the same character set prefixed
by $1$.  The wrong way to code things is to examine the crypted password
(which starts with whatever salt has been used) and figure out whether
it's DES or MD5, extract the appropriate amount of salt and pass that
with the plaintext password to crypt and see if the result matches the
crypted password.  The really wrong way to code it is to fix at compile
time what type of crypt should be used when validating passwords.

The right way to code this is to use the crypted password itself, in its
entirety, as the salt for crypting the plaintext password when you
validate the password.  Versions of crypt which support MD5 also support 
using the entirety of the crypted password as salt and then figure out how 
much of that really is salt without you having to bother.  Do it this way 
and both types of crypted password can be used in the same file even though
when passwords are set or modified they will be converted to whichever type
of crypt you said you wanted to use.

If vpopmail does it that way then you can happily turn on MD5, with
existing passwords continuing to work and new or changed passwords
being MD5 crypted.  If vpopmail doesn't do it that way then you have
problems until the next release appears.

-- 
Paul Allen
Softflare Support




[vchkpw] Re: SMTP-Auth bug in passwords?

2003-09-10 Thread Paul L. Allen

Mike Miller writes:

 I believe what you say (that if I enable MD5 passwords, then it will work 
 for both),

I didn't say that.  I said that if vpopmail were written correctly then
it would work for both.

 There should really be a note that it will accept existing crypt
 passwords  but store new ones in MD5.

If it actually does work that way then I would agree with you.

 I just didn't want it to stop working when migrated users.

If I were you I'd look through the source or try it on a test box before
risking it on a production server.

-- 
Paul Allen
Softflare Support




[vchkpw] Re: SMTP-Auth

2003-03-01 Thread Peter Palmreuther
Hello Rob,

On Saturday, March 1, 2003 at 10:23:09 PM you wrote (at least in
part):

 Does anyone have a patch for Qmail/vpopmail that will allow
 SMTP-Authentication instead of Pop before SMTP .. or if someone could
 show me how I would do this using the vpopmail database that would be
 greatly appreciated.

Damn it! Is Google THAT hard to use?

http://www.google.com/search?ie=UTF-8&oe=utf-8&q=qmail+SMTP-Auth

The _VERY FIRST_ hit is your solution, and you'd have had the answer
_LONG_ before any answer from this list reaches your inbox!!!
-- 
Regards
Peter Palmreuther

The Falklands war was a quarrel between two bald men over a comb.




Re: [vchkpw] Re: SMTP-AUTH, yet again...

2002-12-05 Thread Matt Simerson
Kit, you're reinventing the wheel!

Yes, there are significant problems with simply merging together a 
bunch of the qmail patches. It took me quite some time to get all the 
patches I wanted to play nicely together.  Now that it's done, feel 
free to use it: http://matt.simerson.net/computing/mail/toaster/.  Pay 
particular attention to the Install Qmail (with a few hacks) section.

Bill Shupp also has similar patches that I've also heard work well but 
are linux oriented where mine focuses on the FreeBSD platform.  It 
wouldn't take too much effort to use my setup on Open/NetBSD but those 
are down the list for me, after making it work on Darwin. (Mac OS X) :)

Matt

On Thursday, December 5, 2002, at 12:23  AM, Kit Halsted wrote:

Thanks for the pointers, everybody...

At 11:22 PM -0500 12/3/02, Kit Halsted wrote:
...

Tried 0.31 tonight, no luck. Maybe my other patches are interfering? 
I'll try it at home as the only patch & see how that goes.

2.) Try to run qmail-smtpd as root. Just for testing, but this avoids
access denied to vpasswd.cdb and therefore excludes one 
possible
culprit.

Also no luck.


Urgh. Just tried again on my home box, which starts qmail/vpopmail 
from rc.local instead daemontools. (OpenBSD 3.1, virgin qmail 1.03 + 
elysium.pl 0.31 auth patch only, vpopmail 5.2.1... D'oh!, okay, 
vpopmail 5.3.9 now.) I'm back to square one now with relay by IP only, 
but it sure did fail interestingly for a while. Below is what I was 
trying to do, I've since reverted back to a working setup so I can 
send & receive.
-

From rc.local:

/usr/local/bin/tcpserver -u 1001 -g 1000 -x 
/home/vpopmail/etc/tcp.smtp.cdb 0 25
 \
/var/qmail/bin/qmail-smtpd yabox.kithalsted.com 
/home/vpopmail/bin/vchkpw /usr/b
in/true \
2>&1 | /var/qmail/bin/splogger smtpd 3 

...

/usr/local/bin/tcpserver -u 1001 -g 1000 -H -R 0 110 \
/var/qmail/bin/qmail-popup yabox.kithalsted.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 

(Linewraps courtesy of less, the files are wrapped correctly.)

-

yabox# ls -al /var/qmail/bin/qmail-smtpd
-rwxr-xr-x  1 vpopmail  vchkpw  40960 Dec  4 20:54 
/var/qmail/bin/qmail-smtpd

yabox# ls -al /home/vpopmail/etc/tcp.smtp.cdb
-rwxr-xr-x  1 vpopmail  vchkpw  4359 Dec  4 22:09 
/home/vpopmail/etc/tcp.smtp.cdb

-

Log entries corresponding to failed send/check from Eudora on my 
TiBook:

yabox# tail /var/log/maillog
Dec  4 23:36:51 yabox qmail: 1039063011.757314 end msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.163871 status: local 0/10 
remote 0/20
Dec  4 23:41:18 yabox qmail: 1039063278.270637 new msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.270823 info msg 889600: bytes 
230 from [EMAIL PROTECTED] qp 24677 uid 0
Dec  4 23:41:18 yabox qmail: 1039063278.328081 end msg 889600
Dec  4 23:41:36 yabox vpopmail[5686]: vchkpw-smtp: password fail 
[EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:36 yabox vpopmail[32015]: vchkpw-pop3: setgid 1001 failed 
errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:37 yabox vpopmail[26305]: vchkpw-pop3: setgid 1001 failed 
errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[30076]: vchkpw-pop3: setgid 1001 failed 
errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[18542]: vchkpw-pop3: setgid 1001 failed 
errno 1 [EMAIL PROTECTED]:208.36.84.242

-

(Yes, uid 1001 is vpopmail & gid 1000 is vchkpw.)

-Kit
--
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus






Re: [vchkpw] Re: SMTP-AUTH, yet again...

2002-12-05 Thread Kit Halsted
Hi Matt:

At 1:06 PM -0500 12/5/02, Matt Simerson wrote:

Kit, you're reinventing the wheel!


Thanks for getting in touch, but the attempt below is actually qmail 
with just the SMTP-AUTH patch. I figure if I can't get 1 patch 
working, my chances for the rest are pretty low. :}

Yes, there are significant problems with simply merging together a 
bunch of the qmail patches. It took me quite some time to get all 
the patches I wanted to play nicely together.  Now that it's done, 
feel free to use it: 
http://matt.simerson.net/computing/mail/toaster/.  Pay particular 
attention to the Install Qmail (with a few hacks) section.

IIRC, your stuff looked good when I was first setting this stuff up 
but I thought it was overkill for what I was doing. I'm doing more 
now, so maybe it's time to reevaluate that sentiment.

Bill Shupp also has similar patches that I've also heard work well 
but are linux oriented where mine focuses on the FreeBSD platform. 
It wouldn't take too much effort to use my setup on Open/NetBSD but 
those are down the list for me, after making it work on Darwin. (Mac 
OS X) :)

Cool. I'll look at it when I have a chance (waay too much going 
on right now!) & let you know if I uncover any OpenBSD-specific 
issues.

Thanks,
-Kit

Matt

On Thursday, December 5, 2002, at 12:23  AM, Kit Halsted wrote:


Thanks for the pointers, everybody...

At 11:22 PM -0500 12/3/02, Kit Halsted wrote:
...

Tried 0.31 tonight, no luck. Maybe my other patches are 
interfering? I'll try it at home as the only patch & see how that 
goes.

2.) Try to run qmail-smtpd as root. Just for testing, but this avoids
access denied to vpasswd.cdb and therefore excludes one possible
culprit.


Also no luck.


Urgh. Just tried again on my home box, which starts qmail/vpopmail 
from rc.local instead daemontools. (OpenBSD 3.1, virgin qmail 1.03 
+ elysium.pl 0.31 auth patch only, vpopmail 5.2.1... D'oh!, okay, 
vpopmail 5.3.9 now.) I'm back to square one now with relay by IP 
only, but it sure did fail interestingly for a while. Below is what 
I was trying to do, I've since reverted back to a working setup so 
I can send & receive.
-

From rc.local:

/usr/local/bin/tcpserver -u 1001 -g 1000 -x 
/home/vpopmail/etc/tcp.smtp.cdb 0 25
 \
/var/qmail/bin/qmail-smtpd yabox.kithalsted.com 
/home/vpopmail/bin/vchkpw /usr/b
in/true \
2>&1 | /var/qmail/bin/splogger smtpd 3 

...

/usr/local/bin/tcpserver -u 1001 -g 1000 -H -R 0 110 \
/var/qmail/bin/qmail-popup yabox.kithalsted.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 

(Linewraps courtesy of less, the files are wrapped correctly.)

-

yabox# ls -al /var/qmail/bin/qmail-smtpd
-rwxr-xr-x  1 vpopmail  vchkpw  40960 Dec  4 20:54 /var/qmail/bin/qmail-smtpd

yabox# ls -al /home/vpopmail/etc/tcp.smtp.cdb
-rwxr-xr-x  1 vpopmail  vchkpw  4359 Dec  4 22:09 
/home/vpopmail/etc/tcp.smtp.cdb

-

Log entries corresponding to failed send/check from Eudora on my TiBook:

yabox# tail /var/log/maillog
Dec  4 23:36:51 yabox qmail: 1039063011.757314 end msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.163871 status: local 0/10 remote 0/20
Dec  4 23:41:18 yabox qmail: 1039063278.270637 new msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.270823 info msg 889600: 
bytes 230 from [EMAIL PROTECTED] qp 24677 uid 0
Dec  4 23:41:18 yabox qmail: 1039063278.328081 end msg 889600
Dec  4 23:41:36 yabox vpopmail[5686]: vchkpw-smtp: password fail 
[EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:36 yabox vpopmail[32015]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:37 yabox vpopmail[26305]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[30076]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[18542]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242

-

(Yes, uid 1001 is vpopmail & gid 1000 is vchkpw.)

-Kit
--
They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus


--
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus



[vchkpw] Re: SMTP-AUTH, yet again...

2002-12-04 Thread Kit Halsted
Thanks for the pointers, everybody...

At 11:22 PM -0500 12/3/02, Kit Halsted wrote:
...

Tried 0.31 tonight, no luck. Maybe my other patches are interfering? 
I'll try it at home as the only patch & see how that goes.

2.) Try to run qmail-smtpd as root. Just for testing, but this avoids
access denied to vpasswd.cdb and therefore excludes one possible
culprit.


Also no luck.


Urgh. Just tried again on my home box, which starts qmail/vpopmail 
from rc.local instead daemontools. (OpenBSD 3.1, virgin qmail 1.03 + 
elysium.pl 0.31 auth patch only, vpopmail 5.2.1... D'oh!, okay, 
vpopmail 5.3.9 now.) I'm back to square one now with relay by IP 
only, but it sure did fail interestingly for a while. Below is what I 
was trying to do, I've since reverted back to a working setup so I 
can send & receive.
-

From rc.local:

/usr/local/bin/tcpserver -u 1001 -g 1000 -x 
/home/vpopmail/etc/tcp.smtp.cdb 0 25
 \
/var/qmail/bin/qmail-smtpd yabox.kithalsted.com 
/home/vpopmail/bin/vchkpw /usr/b
in/true \
2>&1 | /var/qmail/bin/splogger smtpd 3 

...

/usr/local/bin/tcpserver -u 1001 -g 1000 -H -R 0 110 \
/var/qmail/bin/qmail-popup yabox.kithalsted.com \
/home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir 

(Linewraps courtesy of less, the files are wrapped correctly.)

-

yabox# ls -al /var/qmail/bin/qmail-smtpd
-rwxr-xr-x  1 vpopmail  vchkpw  40960 Dec  4 20:54 /var/qmail/bin/qmail-smtpd

yabox# ls -al /home/vpopmail/etc/tcp.smtp.cdb
-rwxr-xr-x  1 vpopmail  vchkpw  4359 Dec  4 22:09 
/home/vpopmail/etc/tcp.smtp.cdb

-

Log entries corresponding to failed send/check from Eudora on my TiBook:

yabox# tail /var/log/maillog
Dec  4 23:36:51 yabox qmail: 1039063011.757314 end msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.163871 status: local 0/10 remote 0/20
Dec  4 23:41:18 yabox qmail: 1039063278.270637 new msg 889600
Dec  4 23:41:18 yabox qmail: 1039063278.270823 info msg 889600: bytes 
230 from [EMAIL PROTECTED] qp 24677 uid 0
Dec  4 23:41:18 yabox qmail: 1039063278.328081 end msg 889600
Dec  4 23:41:36 yabox vpopmail[5686]: vchkpw-smtp: password fail 
[EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:36 yabox vpopmail[32015]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:37 yabox vpopmail[26305]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[30076]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242
Dec  4 23:41:56 yabox vpopmail[18542]: vchkpw-pop3: setgid 1001 
failed errno 1 [EMAIL PROTECTED]:208.36.84.242

-

(Yes, uid 1001 is vpopmail & gid 1000 is vchkpw.)

-Kit
--
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus



[vchkpw] Re: SMTP-AUTH, yet again...

2002-12-03 Thread Peter Palmreuther
Hello Kit,

On Tuesday, December 3, 2002 at 6:18:35 PM you wrote:

 I have no clue why this is not working

1.) Give 0.31 a try, I don't know what exactly changed, but the syntax
is different between 0.30 & 0.31, maybe you're using the 'new'
one, while old (to me unknown) is needed.
2.) Try to run qmail-smtpd as root. Just for testing, but this avoids
access denied to vpasswd.cdb and therefore excludes one possible
culprit.
3.) Try to run the child process of tcpserver in a strace like
program. I don't know how this is named on OpenBSD and what the
exact calling syntax is, but make use of its logging to file, if
possible, and see if you can find the position it fails at.

I know it ain't much, but maybe it helps to find the correct direction
of hunting it down.
-- 
Best regards
Peter Palmreuther





RE: [vchkpw] Re: SMTP-AUTH, yet again...

2002-12-03 Thread Tren Blackburn
Hmm...I'm not sure if Bill Shupp's big patch will compile for BSD, but
it includes the SMTP-Auth patch...just a suggestion.

Regards,

Tren

-Original Message-
From: Kit Halsted [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 9:23 PM
To: [EMAIL PROTECTED]
Subject: [vchkpw] Re: SMTP-AUTH, yet again...


Thanks for the tips, Peter...

At 11:38 PM +0100 12/3/02, Peter Palmreuther wrote:
Hello Kit,

On Tuesday, December 3, 2002 at 6:18:35 PM you wrote:

  I have no clue why this is not working

1.) Give 0.31 a try, I don't know what exactly changed, but the syntax
 is different between 0.30 & 0.31, maybe you're using the 'new'
 one, while old (to me unknown) is needed.

Tried 0.31 tonight, no luck. Maybe my other patches are interfering? 
I'll try it at home as the only patch & see how that goes.

2.) Try to run qmail-smtpd as root. Just for testing, but this avoids
 access denied to vpasswd.cdb and therefore excludes one possible
 culprit.

Also no luck.

3.) Try to run the child process of tcpserver in a strace like
 program. I don't know how this is named on OpenBSD and what the
 exact calling syntax is, but make use of its logging to file, if
 possible, and see if you can find the position it fails at.

I'll look into that if it's not the other patches.

I know it ain't much, but maybe it helps to find the correct direction 
of hunting it down.

Your answer is much appreciated.

Thanks,
-Kit
-- 
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus







[vchkpw] Re: smtp auth

2002-10-31 Thread Peter Palmreuther
Hello Lists,

On Thursday, October 31, 2002 at 2:37:43 AM you wrote:

 smtp auth is returning user unknown:
 Oct 30 15:59:27 query vpopmail[9465]: vchkpw-smtp: vpopmail user not found
 [EMAIL PROTECTED]:209.124.141.171

 startups are:
 /usr/bin/tcpserver -u 63 -g 65 -l -R -H 0 smtp /var/qmail/bin/qmail-smtpd \
  query.aptedtech.com /var/vpopmail/bin/vchkpw /bin/true 

Who's 'UID 63' and 'GID 65' on your system? User vpopmail? If not you
might simply have an access problem to 'vpasswd.cdb' as it's only
readable to root and vpopmail but not to qmaild, which is used in
default installations for starting up qmail-smtpd.

If you have enabled 'passwd' users as well in vpopmail configuration
you'll have to run qmail-smtpd as user root for being able to read
'/etc/passwd' and if existing '/etc/shadow', else you'll only need to
run qmail-smtpd as UID/GID vpopmail/vchkpw.

HTH Pit
-- 
Best regards
Peter Palmreuther





RE: [vchkpw] Re: smtp auth

2002-10-31 Thread Lists @ Apted Technologies Inc.
you're right.  users were not vpopmail/vchkpw.  working perfectly now.  thanks
peter.

-chris

-Original Message-
From: Peter Palmreuther [mailto:lists;pitpalme.de]
Sent: Wednesday, October 30, 2002 11:02 PM
To: [EMAIL PROTECTED]
Subject: [vchkpw] Re: smtp auth


Hello Lists,

On Thursday, October 31, 2002 at 2:37:43 AM you wrote:

 smtp auth is returning user unknown:
 Oct 30 15:59:27 query vpopmail[9465]: vchkpw-smtp: vpopmail user not found
 [EMAIL PROTECTED]:209.124.141.171

 startups are:
 /usr/bin/tcpserver -u 63 -g 65 -l -R -H 0 smtp /var/qmail/bin/qmail-smtpd \
  query.aptedtech.com /var/vpopmail/bin/vchkpw /bin/true 

Who's 'UID 63' and 'GID 65' on your system? User vpopmail? If not you
might simply have an access problem to 'vpasswd.cdb' as it's only
readable to root and vpopmail but not to qmaild, which is used in
default installations for starting up qmail-smtpd.

If you have enabled 'passwd' users as well in vpopmail configuration
you'll have to run qmail-smtpd as user root for being able to read
'/etc/passwd' and if existing '/etc/shadow', else you'll only need to
run qmail-smtpd as UID/GID vpopmail/vchkpw.

HTH Pit
--
Best regards
Peter Palmreuther







Re: [vchkpw] Re: smtp-auth

2002-10-24 Thread Paulo Henrique Baptista de Oliveira
Hi John,
version 5.2.1
no extra compile option.
TIA,Paulo Henrique

Quoting John Johnson ([EMAIL PROTECTED]):
 Paulo Henrique Baptista de Oliveira writes: 
 
  Hi all,
  I installed qmail smtp-remote-auth patch. It works well for outlook
  client but with eudora it fails. What can I do to fix this?
  TIA,Paulo Henrique
 
 What version of vpopmail are you running and what are your
 compile options? 
 
  -John 
 




[vchkpw] Re: smtp-auth

2002-10-24 Thread John Johnson
Paulo Henrique Baptista de Oliveira writes: 

	Hi all,
	I installed qmail smtp-remote-auth patch. It works well for outlook
client but with eudora it fails. What can I do to fix this?
	TIA,		Paulo Henrique


What version of vpopmail are you running and what are your
compile options? 

-John 



Re: [vchkpw] Re: smtp-auth

2002-10-24 Thread Kit Halsted
At 1:46 PM -0200 10/24/02, Paulo Henrique Baptista de Oliveira wrote:

	Hi John,
	version 5.2.1
	no extra compile option.
	TIA,		Paulo Henrique


Somebody flame me if I'm wrong, but IIRC vpopmail 5.2.1 will not work 
with SMTP-AUTH & Eudora. Eudora requires CRAM-MD5, so vpopmail 5.3.6 
looks like the minimum version for your requirements. (5.3.9 is up on 
the dev page, 5.3.11 is the most current that I know of, 5.3.6 is 
probably long gone.)

HTH,
-Kit

Quoting John Johnson ([EMAIL PROTECTED]):

 Paulo Henrique Baptista de Oliveira writes:

 	Hi all,
 	I installed qmail smtp-remote-auth patch. It works well for outlook
  client but with eudora it fails. What can I do to fix this?
 	TIA,		Paulo Henrique

 What version of vpopmail are you running and what are your
 compile options?

  -John




--
They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety.
-Benjamin Franklin

...qui desiderat pacem, praeparet bellum
(...if you would have peace, be prepared for war)
-Flavius Vegetius Renatus



Re: [vchkpw] Re: smtp-auth

2002-10-24 Thread vpopmail
On Thu, 2002-10-24 at 15:35, Kit Halsted wrote:

 Somebody flame me if I'm wrong, but IIRC vpopmail 5.2.1 will not work 
 with SMTP-AUTH & Eudora. Eudora requires CRAM-MD5, so vpopmail 5.3.6 
 looks like the minimum version for your requirements. (5.3.9 is up on 
 the dev page, 5.3.11 is the most current that I know of, 5.3.6 is 
 probably long gone.)

Hrm, in researching more about my problem (vpopmail using the IP of the
mail _client_ as the domain to authenticate against), I came across an
interesting thread on Google Groups.

The type of error I'm encountering is this, BTW:

Oct 24 12:06:36 kareem vpopmail[411]: vchkpw: vpopmail user not found
testuser:10.1.2.101

Is the author of this post correct in saying that 5.2.1 has known
bugs with respect to smtp-auth?

http://groups.google.com/groups?hl=enlr=ie=UTF-8oe=UTF-8threadm=1L1c9.304668%24UU1.54038%40sccrnsc03rnum=1prev=/groups%3Fq%3D%2522vchkpw:%2Bvpopmail%2Buser%2Bnot%2Bfound%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D1L1c9.304668%2524UU1.54038%2540sccrnsc03%26rnum%3D1

I downloaded and installed vpopmail 5.3.9, but I'm still running into
the same problem.  Anyone have any ideas?

Thanks,

Bill