Re: [vchkpw] User defined .qmail files

2005-11-23 Thread John Simpson

On 2005-11-23, at 1154, Tom Collins wrote:

On Nov 22, 2005, at 8:50 PM, John Simpson wrote:
vpopmail isn't the cause of this problem- you're simply running  
into the limit of what qmailadmin allows the user to do. it  
probably wouldn't take much for them to add the ability to enter  
arbitrary lines (including "|" lines) but they haven't done it-  
probably because very few people need it.


Actually, it was possible during some development releases, but we  
realized that it opened up a big security hole.  Since the .qmail  
file is run as the vpopmail user, it would be very dangerous to  
allow a user to put anything in there.  A malicious user could  
delete ~vpopmail/domains via their .qmail file or even have the  
contents of ~vpopmail/etc/vpopmail.mysql emailed to them.


yeah. that's why the qmailadmin work-alike that i wrote before  
qmailadmin came out didn't have the ability to let a normal user put  
arbitrary lines in there... but it did allow the administrator (not  
domain-level postmaster, but machine-level administrator, who had  
full rights to do anything in any domain) to do it. i wrote it in  
there because at the time i had one client who needed it.


there's also the fact that this would expose another bug (or poor  
design decision) in vpopmail- when vpopmail is tied to mysql, the  
"valias" table (which contains the lines normally stored in .qmail-*  
files) has no sequence field- so if you have a .qmail file  
which requires a definite sequence (i.e. runs "condredirect" on  
one line, and then something else after it) and store those lines  
in the mysql "valias" table, there would be no guarantee that the  
"condredirect" line would be run first.


A poor design decision that at least I've been aware of for awhile,  
but haven't had time to address.  Simply adding an auto-increment  
field to that table and sorting on it would be a good start.


yup. i knew you guys were aware of it and just backlogged, i only  
mentioned it so he would be aware of it and not move forward with the  
mysql integration if he had a need for definite sequencing- because  
he would lose that capability... trying to head off the problem  
before it happens.


if i weren't backlogged myself at the moment, this is one of those  
things i would probably write the fix for- however it would be fairly  
extensive. it would involve changes to vdelivermail, valias,  
vuserinfo, and probably a few other vpopmail programs... as well as  
qmailadmin, to add the multi-line and sequencing support options.  
lots of little changes, and i'm not as familiar with the code for  
vpopmail and qmailadmin as i am with qmail.


--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--




PGP.sig
Description: This is a digitally signed message part


Re: [vchkpw] User defined .qmail files

2005-11-23 Thread Tom Collins

On Nov 22, 2005, at 8:50 PM, John Simpson wrote:
vpopmail isn't the cause of this problem- you're simply running into 
the limit of what qmailadmin allows the user to do. it probably 
wouldn't take much for them to add the ability to enter arbitrary 
lines (including "|" lines) but they haven't done it- probably because 
very few people need it.


Actually, it was possible during some development releases, but we 
realized that it opened up a big security hole.  Since the .qmail file 
is run as the vpopmail user, it would be very dangerous to allow a user 
to put anything in there.  A malicious user could delete 
~vpopmail/domains via their .qmail file or even have the contents of 
~vpopmail/etc/vpopmail.mysql emailed to them.


there's also the fact that this would expose another bug (or poor 
design decision) in vpopmail- when vpopmail is tied to mysql, the 
"valias" table (which contains the lines normally stored in .qmail-* 
files) has no sequence field- so if you have a .qmail file which 
requires a definite sequence (i.e. runs "condredirect" on one line, 
and then something else after it) and store those lines in the mysql 
"valias" table, there would be no guarantee that the "condredirect" 
line would be run first.


A poor design decision that at least I've been aware of for awhile, but 
haven't had time to address.  Simply adding an auto-increment field to 
that table and sorting on it would be a good start.


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com
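The allowlist Tom describes qmailadmin enforcing, written out as an added example for this page (it is not qmailadmin or vpopmail code). The line types follow dot-qmail(5); the "./Maildir/"-only rule for mailbox paths, the address syntax, and the sample submission are this example's own assumptions. Anything the checker does not recognise is rejected rather than guessed at, which is the right default for a file that is processed with the vpopmail user's privileges.

```python
"""Allowlist check for .qmail contents that a domain user may edit.

Added example; this is not qmailadmin or vpopmail code.  It models the
policy the message argues for: a user's .qmail is processed as the vpopmail
user, so "|" program lines must never be accepted from a non-admin user
(one such line could remove ~vpopmail/domains or mail out
~vpopmail/etc/vpopmail.mysql).  Only comments, plain forwards and maildir
paths inside the user's own directory pass.  Line types follow dot-qmail(5):
'#' comment, '|' program, '&' forward (a line starting with a letter or
digit is also a forward), '/' or '.' mailbox/maildir.  The "./" restriction
on mailbox paths and the address syntax are this example's assumptions.
"""
import re

# Plain user@host only: no spaces, quotes or shell metacharacters.
FORWARD_ADDR = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+=-]*@[A-Za-z0-9.-]+$")


def classify(line):
    """Return the dot-qmail line type of one line (already stripped of CR/LF)."""
    if line == "":
        return "blank"
    c = line[0]
    if c == "#":
        return "comment"
    if c == "|":
        return "program"
    if c == "&" or c.isalnum():
        return "forward"
    if c in "./":
        return "mailbox"
    return "unknown"          # leading whitespace etc.: reject, don't guess


def check_user_qmail(text):
    """Return [(line_no, line, reason), ...] for every line a user may not store.

    An empty list means the whole file is acceptable for a non-admin user.
    """
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        kind = classify(line)
        if kind in ("blank", "comment"):
            continue
        if kind == "program":
            problems.append((n, line, "program line would run as the vpopmail user"))
        elif kind == "forward":
            addr = line[1:] if line.startswith("&") else line
            if not FORWARD_ADDR.match(addr):
                problems.append((n, line, "forward target is not a plain user@host"))
        elif kind == "mailbox":
            # Keep deliveries inside the user's own directory: relative path,
            # no parent traversal.  ./Maildir/ is what vpopmail users normally use.
            if not line.startswith("./") or ".." in line.split("/"):
                problems.append((n, line, "mailbox path leaves the user's directory"))
        else:
            problems.append((n, line, "unrecognised dot-qmail line"))
    return problems


# Constructed sample: what a user might submit through a web form.  The last
# four lines are the kind of thing the message warns about.
SAMPLE = """\
# keep a local copy and forward one
./Maildir/
&joe@example.com
|rm -rf ~vpopmail/domains
|cat ~vpopmail/etc/vpopmail.mysql | mail joe@example.com
/etc/passwd
../../etc/vpopmail.mysql
"""

if __name__ == "__main__":
    for n, line, reason in check_user_qmail(SAMPLE):
        print(f"line {n}: {reason}: {line!r}")
```

The check is deliberately an allowlist, not a blocklist on "|": an absolute mailbox path or a ".." path is just as much a write to a file the vpopmail user can reach, so those are refused too. An administrator-only interface (the machine-level role John describes in his own tool) would bypass this check, not relax it.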




Re: [vchkpw] User defined .qmail files

2005-11-23 Thread Tom Collins

On Nov 22, 2005, at 5:15 PM, James Longstreet wrote:

- Mail comes in for [EMAIL PROTECTED]
- qmail-local delivers mail as vpopmail/vpopmail using
  ~vpopmail/domains/example.com/joe/.qmail
- Something in vpopmail kicks in, recognizes that joe has his own .qmail
  file in /home/joe/.qmail, which should be processed as joe
- /home/joe/.qmail processed as joe
- Delivery as normal


Put "&[EMAIL PROTECTED]" in ~vpopmail/domains/example.com/joe/.qmail, 
where localservername is something in control/locals.


This will forward the mail back out to qmail to be delivered to local 
user joe.


Tom Collins
Tom Logic LLC
PO Box 5717
Napa, CA 94581
(707) 265-6622
(707) 265-6646 fax
[EMAIL PROTECTED]



Re: [vchkpw] User defined .qmail files

2005-11-22 Thread John Simpson

On 2005-11-22, at 2015, James Longstreet wrote:

Is there any way, with vpopmail, to specify a .qmail file to be
processed as a user?  For instance:

- Mail comes in for [EMAIL PROTECTED]
- qmail-local delivers mail as vpopmail/vpopmail using
  ~vpopmail/domains/example.com/joe/.qmail
- Something in vpopmail kicks in, recognizes that joe has his own .qmail
  file in /home/joe/.qmail, which should be processed as joe


if "example.com" is handled using vpopmail, then the fact that there  
happens to be a system account with the name "joe" is meaningless.


if "example.com" is handled as a "local" domain (i.e. "example.com"  
is listed in control/locals or control/me) then vpopmail never enters  
the picture.



- /home/joe/.qmail processed as joe
- Delivery as normal


if you need "example.com" to be handled by vpopmail for every mailbox  
EXCEPT joe, then you need to add a line to control/virtualdomains  
which looks like this:


[EMAIL PROTECTED]:joe

then send an ALRM signal to (or just stop and restart) qmail-send.

and then the .qmail file in joe's home directory would handle email  
addressed to "[EMAIL PROTECTED] locals me`", while .qmail-default (or .qmail-joe)  
would handle mail sent to [EMAIL PROTECTED]


the qmail-send man page explains this (maybe not with so much detail,  
but the raw facts are there) in the section about the virtualdomains  
file.



I (and my users) can modify ~vpopmail/domains/example.com/user/.qmail
through qmailadmin, but they can't add | lines.

Is there a sensible way to allow this?  Frankly, it seems that I'm
defeating the purpose of vpopmail -- I would get rid of it if it didn't
mean getting rid of better control/management of lists.


vpopmail isn't the cause of this problem- you're simply running into  
the limit of what qmailadmin allows the user to do. it probably  
wouldn't take much for them to add the ability to enter arbitrary  
lines (including "|" lines) but they haven't done it- probably  
because very few people need it. it is entirely possible to write  
your own web interface to run instead of qmailadmin (and of course in  
place of vqadmin, which i still believe to be pure and utter crap)  
and in fact i wrote one years ago, after vpopmail came out but before  
qmailadmin existed.


there's also the fact that this would expose another bug (or poor  
design decision) in vpopmail- when vpopmail is tied to mysql, the  
"valias" table (which contains the lines normally stored in .qmail-*  
files) has no sequence field- so if you have a .qmail file which  
requires a definite sequence (i.e. runs "condredirect" on one line,  
and then something else after it) and store those lines in the mysql  
"valias" table, there would be no guarantee that the "condredirect"  
line would be run first.


--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--
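Both answers in this thread (Tom's "&joe@localservername" forward in the earlier message, and the virtualdomains "user@domain:prepend" route John explains above) come down to how qmail-send decides whether an address is local, virtual or remote. The following is an added example that reproduces that lookup so the two setups can be checked against a site's control files before any mail is sent; it is not qmail or vpopmail code, and the control-file contents in it are constructed. Case handling is simplified (everything is lowercased).

```python
"""Routing check for the two ways the thread gives a vpopmail user a
system-account .qmail.

Added example, not qmail or vpopmail code.  It reproduces the qmail-send
lookup the messages rely on: a domain listed in control/locals is always
local and never reaches vpopmail; otherwise control/virtualdomains is
searched for user@domain, then domain, then .parent entries, and a match
turns user@domain into the local address prepend-user@domain.  Two checks
follow from that: a "&joe@host" forward in the vpopmail-side .qmail is only
safe when host is in control/locals, and a "joe@example.com:joe" line must
win over the domain's own vpopmail entry (the domain:domain form vpopmail
adds).  The control-file contents below are constructed.
"""


def parse_control(text):
    """Non-blank, non-comment lines of a qmail control file, lowercased."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


def parse_virtualdomains(text):
    """virtualdomains lines are key:prepend; the first occurrence of a key wins."""
    table = {}
    for line in parse_control(text):
        key, sep, prepend = line.partition(":")
        if sep and key not in table:
            table[key] = prepend
    return table


def route(address, locals_, vdoms):
    """Return (kind, prepend, local_address) the way qmail-send would rewrite it."""
    user, _, domain = address.lower().rpartition("@")
    if domain in locals_:                       # locals overrides virtualdomains
        return ("local", None, f"{user}@{domain}")
    labels = domain.split(".")
    keys = [f"{user}@{domain}", domain]
    keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for key in keys:                            # most specific entry first
        if key in vdoms:
            prepend = vdoms[key]
            if prepend == "":                   # empty prepend: treat as local
                return ("local", None, f"{user}@{domain}")
            return ("virtual", prepend, f"{prepend}-{user}@{domain}")
    return ("remote", None, address)


def check_forward_line(line, locals_, vdoms):
    """'&user@host' in the vpopmail-side .qmail must land on a local domain."""
    if not line.startswith("&"):
        return (False, "not a forward line")
    kind, _, local = route(line[1:], locals_, vdoms)
    if kind != "local":
        return (False, f"{line[1:]} routes as {kind}; use a host from control/locals")
    return (True, f"delivered by qmail-local as {local}")


# Constructed control files: example.com is a vpopmail domain,
# mail.example.net is a local domain with system accounts.
LOCALS = parse_control("localhost\nmail.example.net\n")
VIRTUALDOMAINS = parse_virtualdomains("example.com:example.com\njoe@example.com:joe\n")

if __name__ == "__main__":
    for addr in ("bob@example.com", "joe@example.com", "joe@mail.example.net"):
        print(addr, "->", route(addr, LOCALS, VIRTUALDOMAINS))
    for line in ("&joe@mail.example.net", "&joe@example.com"):
        print(line, "->", check_forward_line(line, LOCALS, VIRTUALDOMAINS))
```

With the constructed files, bob@example.com becomes the local address example.com-bob@example.com (the form vpopmail's users/assign entry picks up), joe@example.com becomes joe-joe@example.com and is handed to system user joe, and a forward to joe@example.com from inside the vpopmail .qmail is flagged because it would route straight back into the virtual domain instead of to a control/locals host.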




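The valias sequencing problem John raises (here and in the later replies), together with the fix Tom suggests, as an added example that is not vpopmail code. sqlite3 stands in for MySQL so it runs offline; the column names alias, domain and valias_line are assumptions modelled on vpopmail's table, and the sample .qmail is constructed. It also includes the check a site would run over its existing .qmail files before moving to a backend that does not keep line order, which is the decision John is trying to head off.

```python
"""Order-preserving valias storage and a pre-migration check for .qmail files.

Added example, not vpopmail code.  It models the fix Tom Collins describes
for the MySQL valias table: an auto-increment column that is sorted on when
the lines are read back, so a .qmail whose lines must run in a fixed order
(a condredirect line followed by other deliveries) survives the round trip.
sqlite3 stands in for MySQL so the example runs offline; the column names
alias, domain and valias_line are assumptions modelled on vpopmail's table.
"""
import sqlite3

SCHEMA = """
CREATE TABLE valias (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,   -- the missing sequence field
    alias       TEXT NOT NULL,
    domain      TEXT NOT NULL,
    valias_line TEXT NOT NULL
);
"""


def store_dotqmail(conn, alias, domain, lines):
    """Replace the stored .qmail for alias@domain, inserting in file order."""
    with conn:
        conn.execute("DELETE FROM valias WHERE alias = ? AND domain = ?",
                     (alias, domain))
        conn.executemany(
            "INSERT INTO valias (alias, domain, valias_line) VALUES (?, ?, ?)",
            [(alias, domain, line) for line in lines],
        )


def load_dotqmail(conn, alias, domain):
    """Rebuild the .qmail lines; ORDER BY id is what makes the order reliable.

    Without the id column there is nothing to sort on, and a SELECT with no
    ORDER BY returns rows in whatever order the engine finds convenient.
    """
    rows = conn.execute(
        "SELECT valias_line FROM valias WHERE alias = ? AND domain = ? ORDER BY id",
        (alias, domain),
    )
    return [r[0] for r in rows]


def roundtrip(lines, alias="joe", domain="example.com"):
    """Store and reload one .qmail in a fresh in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    store_dotqmail(conn, alias, domain, lines)
    return load_dotqmail(conn, alias, domain)


def order_sensitive(lines):
    """True when this .qmail cannot be stored in a table without a sequence.

    qmail processes dot-qmail lines top to bottom; a program line that exits
    99 (condredirect does so when its test program succeeds) stops delivery
    for the lines after it.  So as soon as a program line shares the file
    with any other delivery line, the order of the lines changes the result.
    """
    delivery = [l for l in lines if l.strip() and not l.startswith("#")]
    has_program = any(l.startswith("|") for l in delivery)
    return has_program and len(delivery) > 1


# Constructed sample: divert matches to a spam mailbox, otherwise deliver
# locally.  "spam-check" stands for whatever test program the site uses.
SAMPLE = [
    "|condredirect spam@example.com spam-check",
    "./Maildir/",
]

if __name__ == "__main__":
    print("order sensitive:", order_sensitive(SAMPLE))
    print("round trip keeps order:", roundtrip(SAMPLE) == SAMPLE)
```

Run order_sensitive() over every domains/*/*/.qmail and .qmail-* file before switching a site to the MySQL valias backend; any file it flags would silently change behaviour once its lines come back from an unordered table.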


[vchkpw] User defined .qmail files

2005-11-22 Thread James Longstreet
Is there any way, with vpopmail, to specify a .qmail file to be
processed as a user?  For instance:

- Mail comes in for [EMAIL PROTECTED]
- qmail-local delivers mail as vpopmail/vpopmail using
  ~vpopmail/domains/example.com/joe/.qmail
- Something in vpopmail kicks in, recognizes that joe has his own .qmail
  file in /home/joe/.qmail, which should be processed as joe
- /home/joe/.qmail processed as joe
- Delivery as normal

I (and my users) can modify ~vpopmail/domains/example.com/user/.qmail
through qmailadmin, but they can't add | lines.

Is there a sensible way to allow this?  Frankly, it seems that I'm
defeating the purpose of vpopmail -- I would get rid of it if it didn't
mean getting rid of better control/management of lists.