Re: [vchkpw] Re: 5.4.15 onchange patch
Your vdominfo, cslogin.2 and README.vpopmaild patches are now in SourceForge CVS, in the HEAD branch. I'll try to have your onchange patch in, test a little and see if I can prepare a release before the weekend is over.

I won't get much done Saturday since I will be helping out at the local observatory.

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 1442, John Simpson wrote:

> On 2006-04-03, at 0727, Rick Widmer wrote:
>
>> In the patch, how do you separate password and real_name in add_user? I know the help doesn't mention it, but I think it requires a real name value to put into GECOS. It is at least an option.
>
> good point. i totally missed that, and i even changed one of the _TOKENS strings to be called GECOS_TOKENS after seeing that it was only used the one time. now we see why it's better to have several eyes looking at the code.
>
> this is going to be another problem. since a password may contain spaces, and a gecos may also contain spaces, there is no reliable way to write such a parser unless there is a specific delimiter between them... and since a password, by definition, can contain any printable character (ASCII 0x21 - 0x7E) the delimiter cannot be one of these.
>
> my honest answer is this: README.vpopmaild doesn't talk about there being a gecos field, neither does the vpopmaild wiki entry. in this one case, because the documentation doesn't mention it and because it causes a problem, i would say to pull the gecos functionality out of the add_user command, and add a gecos verb to mod_user (which needs one anyway.)
>
> there will be a newer patch on my web site this evening (i would do it now but i need to run some errands first.)

actually, README.vpopmaild DID have a mention of long_name, i had just never noticed it. the updated version of README.vpopmail on my web site now does not have this, and there is also a vpopmail-5.4.15-cslogin.2.patch where the add_user code no longer looks for a gecos name. when it calls adduser() to create the mailbox, it passes the mailbox name as the gecos name, so the new mailbox will have the same name as the mailbox itself.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-02, at 0809, Rick Widmer wrote:

> Robin Bowes wrote:
>
>> So, a system only needing to validate credentials would just need to login and quit.
>
> Which is what slogin will do. You may not even have to quit. It could just return OK or ERROR, and exit. I'm not sure what John did, but he already has a patch to do it this way.

slogin is the same as the other two login commands- it logs into vpopmaild. the only difference is the amount of information returned. none of them will automatically quit after authenticating, that's why there is a quit command.

...

>> What do you think?
>
> The changes might be a good idea if we were designing a new program, but vpopmaild is about two years old, and I believe Ken has been using it on at least one production site almost that long. I suspect there are others.

good point. when writing patches, for vpopmail, qmail, or anything else, i try to minimize the impact of those changes to only what is absolutely necessary to support the new feature or bug-fix for which i am writing the patch. the last thing i want to do is break anybody else's existing code- although if there's a good reason (like passwords containing spaces) then i will do so, and i will make sure that the documentation i make available for my patches (in this case, the web page) clearly sets out the differences, so that people like rick will know what's going on and (hopefully) be able to make their existing code work with the new stuff without a major hassle.

for what it's worth, i think if i were writing vpopmaild from scratch, login would do what slogin does, and the client would have to send user_info to get the information it needs.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-02, at 0829, Rick Widmer wrote:

> John Simpson wrote:
>
>> On 2006-04-01, at 0547, Rick Widmer wrote:
>>
>>> I was planning if you would like a way to see if a user exists without returning anything else...
>>
>> that's certainly a possibility, easy enough to add... should that be available to any client without authenticating first? or if it requires an authenticated session, should it be available to any user, or just the domain-admin for that domain, or only for a system-admin?
>
> I think it should just take any user/password combination and return OK if the user exists or ERROR, then exit. If you need to login to find out if a user exists programs will have to have login credentials in the script. Not a good idea.

so are you asking about does this mailbox exist, yes or no, or are you asking about is this the correct password for this mailbox, yes or no?

if it's a simple existence check, do you want that information available to any client who connects to the service? especially if you are running the service on a non-localhost interface (or on 0.0.0.0) and aren't using a tcpserver access control file?

i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.

>> http://qmail.jms1.net/patches/vpopmail.html
>
> I haven't been able to access the SourceForge CVS server for the last two days. I think they may have changed the rules, and may have found what I need to do in the docs... which is what I was doing when I stopped to answer these messages.
>
> I'll try to have this in 5.5 within a few days. I still need to see just what is different between 5.4 and 5.5.

it just occurred to me, i had never looked at the list of developers for the sourceforge page, i figured it was just inter7 people. i didn't realize you were able to commit code (when the CVS servers are working)... coolness.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:

> and since i now have two different patches for vpopmail, it's time to create a new web page to hold them. both patches are available from this page, which includes basic documentation for the new features.
>
> http://qmail.jms1.net/patches/vpopmail.html

Actually it's .shtml not .html.

In the patch, how do you separate password and real_name in add_user? I know the help doesn't mention it, but I think it requires a real name value to put into GECOS. It is at least an option.

> slogin is the same as the other two login commands- it logs into vpopmaild. the only difference is the amount of information returned. none of them will automatically quit after authenticating, that's why there is a quit command.

Sounds good to me.

> so are you asking about does this mailbox exist, yes or no, or are you asking about is this the correct password for this mailbox, yes or no?

I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is does this mailbox exist. We may as well make it easy, it should be a popular function.

Maybe we could provide a validrcptto command, allowed before login, but you have to add --enable-vpopmaild-validrcptto in ./configure to use it. That way they have to act to enable the ability, and they get a warning from ./configure about tightening security.

> i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.

I'm all for documentation. :) I wrote most of README.vpopmaild. It's not great but it's better than what was there before...

    To run as daemon:

        tcpserver -vHRD 0 89 ./vpopmaild

    Then as client

        telnet localhost 89

    Or to run on the command line for testing

        ./vpopmaild

    First login. example:

        login [EMAIL PROTECTED] password

    Then for a list of commands:

        help

Speaking of documentation, can I add much of your page http://qmail.jms1.net/vpopmaild.shtml to the README.vpopmaild file? I'll credit you and let you review it before I commit.

I'm pretty sure you can edit the wiki if you want, you just have to register first. If not, I'm considering making sure everything you need to know is in the wiki, and making the wiki page the README file.

Rick

p.s. I got a kick out of this:

> with a working vpopmaild service it becomes possible to write a program like vqadmin or qmailadmin which does all of its work using vpopmaild commands.

That's _exactly_ what vpopmaild was written to allow. I couldn't have said it better.
Re: [vchkpw] Re: 5.4.15 onchange patch
On Apr 3, 2006, at 5:24 AM, Robin Bowes wrote:

> Rick Widmer wrote:
>
>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is does this mailbox exist. We may as well make it easy, it should be a popular function.
>
> Yes - having this functionality would obviate the need to maintain the validrcptto list.

I'm not following vpopmaild development, so ignore me if you've already considered this, but you should be sure to support quota checking through that interface as well. Doing so would allow a patch to qmail-smtpd to reject email for non-existent users and defer email for users over quota.

-- 
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 0727, Rick Widmer wrote:

> John Simpson wrote:
>
>> and since i now have two different patches for vpopmail, it's time to create a new web page to hold them. both patches are available from this page, which includes basic documentation for the new features.
>>
>> http://qmail.jms1.net/patches/vpopmail.html
>
> Actually it's .shtml not .html.

yeah, i'll learn how to type one of these days.

> In the patch, how do you separate password and real_name in add_user? I know the help doesn't mention it, but I think it requires a real name value to put into GECOS. It is at least an option.

good point. i totally missed that, and i even changed one of the _TOKENS strings to be called GECOS_TOKENS after seeing that it was only used the one time. now we see why it's better to have several eyes looking at the code.

this is going to be another problem. since a password may contain spaces, and a gecos may also contain spaces, there is no reliable way to write such a parser unless there is a specific delimiter between them... and since a password, by definition, can contain any printable character (ASCII 0x21 - 0x7E) the delimiter cannot be one of these.

my honest answer is this: README.vpopmaild doesn't talk about there being a gecos field, neither does the vpopmaild wiki entry. in this one case, because the documentation doesn't mention it and because it causes a problem, i would say to pull the gecos functionality out of the add_user command, and add a gecos verb to mod_user (which needs one anyway.)

there will be a newer patch on my web site this evening (i would do it now but i need to run some errands first.)

>> so are you asking about does this mailbox exist, yes or no, or are you asking about is this the correct password for this mailbox, yes or no?
>
> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is does this mailbox exist. We may as well make it easy, it should be a popular function.
>
> Maybe we could provide a validrcptto command, allowed before login, but you have to add --enable-vpopmaild-validrcptto in ./configure to use it. That way they have to act to enable the ability, and they get a warning from ./configure about tightening security.

maybe... but validrcptto.cdb is different. it isn't concerned with mailboxes or passwords, as far as it's concerned an alias is just as valid, or if the file contains @domain, any address in the domain is valid... or if there is a -default version of an alias, any suffix after that is valid. vpopmaild is not a good match for what validrcptto.cdb already does.

what it IS a good match for, however, is processing AUTH requests- since every vpopmail mailbox which doesn't have the no_smtp flag should also be valid for the AUTH command. i've been thinking about ways to both speed up, and simplify, processing of the AUTH command. the two ideas which have come to mind are:

(1) have qmail-smtpd check an auth.cdb file, where the key is a mailbox and the value is the encrypted password.

(2) have qmail-smtpd open a socket to a vpopmaild service, or a courierauthd service (i wrote a simple widget which handles the login, help, and quit commands, but uses courier-authlib instead of libvpopmail) and uses that to verify the ID and password which were entered. http://qmail.jms1.net/courierauthd.shtml talks about it. the page is not really finished but the code is very simple and it works, if you can link it- there are issues with how BSD handles linking with the courier-authlib library and i don't have a BSD system to play with.

the auth.cdb idea is a lot easier to write, and to me it makes more sense. however, the idea of using vpopmaild for this purpose is also intriguing from a programming standpoint (i.e. CAN i write this code, how can i make a single version of qmail-smtpd which can handle all three AUTH schemes- fork/exec vchkpw, auth.cdb, and vpopmaild.)

i think what i'll end up doing is writing the auth.cdb patch first, and then worrying about AUTH via vpopmaild later.

>> i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.
>
> I'm all for documentation. :) I wrote most of README.vpopmaild. It's not great but it's better than what was there before...

...

> Speaking of documentation, can I add much of your page http://qmail.jms1.net/vpopmaild.shtml to the README.vpopmaild file? I'll credit you and let you review it before I commit.

not a problem... all i ask is that you leave the URL
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 0824, Robin Bowes wrote:

> Rick Widmer wrote:
>
>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is does this mailbox exist. We may as well make it easy, it should be a popular function.
>
> Yes - having this functionality would obviate the need to maintain the validrcptto list.
>
> Any tool that wants to check the existence of a mailbox for a given email address on a given host would just need to telnet to port 89 and supply a command like exists [EMAIL PROTECTED].

the problem is that validrcptto.cdb doesn't check mailboxes- it checks recipient email addresses. mailboxes are recipients, yes, but other things can be valid recipients as well- aliases, certain flavours of anything (in case of a .qmail-[something-]default file or a domain with a non-bounce catch-all setting), and some people have custom requirements where they want to control which addresses can receive mail from outside.

> An OK response would mean it does exist. It should not quit automatically to allow the checking of several addresses in sequence, e.g:
>
> connect
> exists [EMAIL PROTECTED]
> exists [EMAIL PROTECTED]
> exists [EMAIL PROTECTED]
> quit

this is known as a dictionary attack (or a bad thing.) it allows the attacker to enumerate which email addresses do and don't work on your server. this used to be a major strategy of the wily spammer, but most mail servers now take steps to prevent it. however, i have seen a few people try it on my own server (and promptly blacklisted those IP addresses.)

> Does vpopmaild fork? i.e. Does it allow multiple connections? I guess it uses tcpserver to run it so tcpserver will do all the work. Cool.

that's it exactly- tcpserver handles all of the networking stuff, vpopmaild is just talking to stdin/stdout, with log output going to stderr. makes it really easy to write server programs.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 1159, Tom Collins wrote:

> On Apr 3, 2006, at 5:24 AM, Robin Bowes wrote:
>
>> Rick Widmer wrote:
>>
>>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is does this mailbox exist. We may as well make it easy, it should be a popular function.
>>
>> Yes - having this functionality would obviate the need to maintain the validrcptto list.
>
> I'm not following vpopmaild development, so ignore me if you've already considered this, but you should be sure to support quota checking through that interface as well. Doing so would allow a patch to qmail-smtpd to reject email for non-existent users and defer email for users over quota.

good point, but it's a non-issue. the validrcptto.cdb functionality is not going to be bundled into vpopmaild, the two programs are not doing the same things.

and besides, if a user's mailbox is over quota, i would rather keep the message in my local queue where it will be delivered rather quickly when the user finally brings their mailbox back below their quota (and where i can send an ALRM signal to qmail-send to force-deliver the message when they call me about it, because they don't want to wait a few hours for qmail-send to decide to deliver it on its own.)

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 1609, Robin Bowes wrote:

> This is how I've implemented a plugin for qpsmtpd that auths against vpopmaild. It's extremely easy:
>
>     # create socket
>     my $vpopmaild_socket = IO::Socket::INET->new(PeerAddr => vpopmaild_host,
>                                                  PeerPort => vpopmaild_port,
>                                                  Proto    => 'tcp',
>                                                  Type     => SOCK_STREAM)
>         or return (DECLINED);

right here, you should read a line of input from the server and make sure it matches /^\+OK/. otherwise...

>     # send login details
>     print $vpopmaild_socket "login $user $passClear\n\r";
>
>     # get response from server
>     my $login_response = <$vpopmaild_socket>;

this read, being the first read since the client connects, will return the +OK line that the server sends when you first connect to the service, rather than the +OK or -ERR response from your login command.

you should also wait for the command to end (if the response was +OK +, read lines until you see one which matches /^\.$/), then send quit\n, then wait for the +OK response. otherwise you are writing sloppy code which doesn't follow the protocol, which only encourages others to do the same.

> Of course, qpsmtpd is written in perl so this sort of thing *is* pretty easy!

i love perl. if i ever meet larry wall, i owe him a beer.

>> the auth.cdb idea is a lot easier to write, and to me it makes more sense. however, the idea of using vpopmaild for this purpose is also intriguing from a programming standpoint (i.e. CAN i write this code, how can i make a single version of qmail-smtpd which can handle all three AUTH schemes- fork/exec vchkpw, auth.cdb, and vpopmaild.)
>
> You really should check out qpsmtpd. It can handle several auth types easily.

if it were for my own server, sure... but i'm releasing patches for people using qmail-smtpd. if i were to suddenly switch to qpsmtpd it would be like abandoning everybody else who is using my qmail patches, including all of my clients. besides, qmail-smtpd is compiled, where qpsmtpd is interpreted and requires the perl runtime and a bunch of libraries. i tend to think in terms of mail servers which may be handling literally hundreds of SMTP requests per second.

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
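The client side of the dialogue John lays out above, as an added example (not Robin's qpsmtpd plugin and not vpopmaild's own code): read the greeting first, send login, read the reply to that command, drain a multi-line reply up to the lone "." line, then send quit and wait for its +OK. The "+OK"/"-ERR" status prefixes, the "+OK +" multi-line marker and the "." terminator come from the message; that quit is still answered with +OK after a failed login is an assumption, and the in-memory transport stands in for a socket so the exchange runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not qpsmtpd or vpopmaild code: a vpopmaild login exchange
 * that follows the protocol as described in the thread. The transport is an
 * in-memory transcript (rx = bytes the server sent, tx = bytes we sent);
 * a real client would wrap a socket in vpd_readline()/vpd_send() instead. */

#define LINE_LEN 1024

enum { VPD_AUTH_FAIL = 0, VPD_AUTH_OK = 1, VPD_PROTO_ERR = -1 };

struct vpd_conn {
    const char *rx;     /* server->client bytes still to be read */
    char tx[LINE_LEN];  /* everything the client has sent so far */
    size_t txlen;
};

/* Read one line from the server, stripping CR/LF. Returns -1 at EOF. */
static int vpd_readline(struct vpd_conn *c, char *buf, size_t len)
{
    size_t n = 0;
    if (*c->rx == '\0') return -1;
    while (*c->rx && *c->rx != '\n' && n + 1 < len) buf[n++] = *c->rx++;
    while (*c->rx && *c->rx != '\n') c->rx++;   /* discard an overlong tail */
    if (*c->rx == '\n') c->rx++;
    while (n > 0 && buf[n - 1] == '\r') n--;
    buf[n] = '\0';
    return 0;
}

static int vpd_send(struct vpd_conn *c, const char *s)
{
    size_t n = strlen(s);
    if (c->txlen + n >= sizeof c->tx) return -1;
    memcpy(c->tx + c->txlen, s, n + 1);
    c->txlen += n;
    return 0;
}

static int is_ok(const char *l)  { return strncmp(l, "+OK", 3) == 0; }
static int is_err(const char *l) { return strncmp(l, "-ERR", 4) == 0; }

/* "+OK +..." (or "+OK+...") announces detail lines terminated by "." */
static int is_multiline(const char *l)
{
    const char *p;
    if (!is_ok(l)) return 0;
    p = l + 3;
    while (*p == ' ') p++;
    return *p == '+';
}

static int drain_detail(struct vpd_conn *c)
{
    char line[LINE_LEN];
    do {
        if (vpd_readline(c, line, sizeof line) < 0) return -1;
    } while (strcmp(line, ".") != 0);
    return 0;
}

/* Returns VPD_AUTH_OK, VPD_AUTH_FAIL, or VPD_PROTO_ERR when the server
 * departs from the expected dialogue. "pass" may contain spaces. */
int vpopmaild_check_login(struct vpd_conn *c, const char *user, const char *pass)
{
    char line[LINE_LEN];
    int result;

    /* 1. the first line after connecting is the greeting, not a reply */
    if (vpd_readline(c, line, sizeof line) < 0 || !is_ok(line)) return VPD_PROTO_ERR;

    /* 2. login; the password runs to end of line, terminated by "\n" (not "\n\r") */
    if (snprintf(line, sizeof line, "login %s %s\n", user, pass) >= (int)sizeof line)
        return VPD_PROTO_ERR;
    if (vpd_send(c, line) < 0) return VPD_PROTO_ERR;
    if (vpd_readline(c, line, sizeof line) < 0) return VPD_PROTO_ERR;
    if (is_ok(line)) {
        result = VPD_AUTH_OK;
        if (is_multiline(line) && drain_detail(c) < 0) return VPD_PROTO_ERR;
    } else if (is_err(line)) {
        result = VPD_AUTH_FAIL;
    } else {
        return VPD_PROTO_ERR;
    }

    /* 3. end the session properly and wait for the acknowledgement */
    if (vpd_send(c, "quit\n") < 0) return VPD_PROTO_ERR;
    if (vpd_readline(c, line, sizeof line) < 0 || !is_ok(line)) return VPD_PROTO_ERR;
    return result;
}

int main(void)
{
    /* constructed transcript of a successful login followed by user details */
    struct vpd_conn c = { "+OK vpopmaild\r\n+OK +\r\nname Test User\r\n.\r\n+OK\r\n", "", 0 };
    int r = vpopmaild_check_login(&c, "user@example.com", "my secret");
    printf("result=%d\nclient sent:\n%s", r, c.tx);
    return r == VPD_AUTH_OK ? 0 : 1;
}
```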
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-01, at 0547, Rick Widmer wrote:

> John Simpson wrote:
>
>> let me suggest an alternative- instead of login user pass compact, how about login/compact user pass? this allows the password to be the last thing on the line, and therefore contain spaces, and still allows for a compact option.
>
> What do you think about login | clogin | slogin?

sounds good to me, as long as it's consistent and documented somewhere- both in README.vpopmaild and in the vpopmaild wiki entry.

> I was planning if you would like a way to see if a user exists without returning anything else...

that's certainly a possibility, easy enough to add... should that be available to any client without authenticating first? or if it requires an authenticated session, should it be available to any user, or just the domain-admin for that domain, or only for a system-admin?

>> any thoughts? if needed, i will write the patch to make this happen- let me know.
>
> If you write it and send it to me I'll make sure it gets into 5.5. You can choose between login/compact | clogin | login password with spaces compact. I like clogin best because I'm lazy... :)

i'll go with clogin and slogin. i'm also going to look at the code which parses the line and make sure that when it's looking for a password, it doesn't stop on spaces.

>> i would also like to see the output from the help command trim itself to the set of commands which are actually available to the client- before login, for example, the list would have login, help, and quit, and would not disconnect the client (as it does now.) for a normal user it would only show the commands relating to their own mailbox without any admin-level commands, for a domain admin it would show the domain-level commands but not the system-admin level stuff, and so forth. this is also a patch i am willing to write, if there is any interest in it.
>
> That sounds like a good idea too. If you do it, please consider making it so help before login is allowed, and only lists the three login commands. Then once you are logged in expand the help list based on the user's rights. Right now help before login sends the help list and disconnects.

i've written what i call the cslogin patch, which does the following:

- adds the clogin and slogin commands
- fixes the parsing so passwords in the login, add_user, add_domain, and mod_user commands include everything out to the end of the line
- makes the help command adjust itself to the access level that the client currently has.

and since i now have two different patches for vpopmail, it's time to create a new web page to hold them. both patches are available from this page, which includes basic documentation for the new features.

http://qmail.jms1.net/patches/vpopmail.html

-- 
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
Robin Bowes wrote:

> We are proposing alternative login methods because the current login method returns all user information after a successful login, yes?

Kind of.

> Why not change the behaviour so that login does just that - it logs in, and add another command that returns the information, e.g. get

I believe Ken Jones, and possibly others, already have programs that use the login command as it is. I want to avoid making any changes that would require existing programs to change. I'm just about to revert a number of changes I've made in the development branches of vpopmail and qmailadmin because they are too radical and I don't seem to be able to get anyone to try them, so I plan to be slower and much more conservative with future API changes.

I added the compact option to minimize network traffic, and cut the time to load a large list of domains or users in half. It did that, but I did not consider the problem with spaces in passwords. I don't use passwords with spaces in them, so I did not notice. Luckily John did.

> Why return the data at all?

As I understand it vpopmaild was designed to allow people to write qmailadmin-like programs with any scripting language you prefer, and to run them from machines other than the mail server. Qmailadmin and my pMailAdmin both need to know quite a bit about the user who is logging in to decide what screen to display next, and what to allow them to do. Returning that data as part of the login saves one trip to the server to retrieve data about the user logging in.

> So, a system only needing to validate credentials would just need to login and quit.

Which is what slogin will do. You may not even have to quit. It could just return OK or ERROR, and exit. I'm not sure what John did, but he already has a patch to do it this way.

> get would take parameters, e.g:
>
> get name
> get user_dir

That is user_info

> There could also be a set command which ... you guessed it!
>
> set name New Name
> set system_admin_privileges 1

That is mod_user.

> What do you think?

The changes might be a good idea if we were designing a new program, but vpopmaild is about two years old, and I believe Ken has been using it on at least one production site almost that long. I suspect there are others.

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:

> On 2006-04-01, at 0547, Rick Widmer wrote:
>
>> What do you think about login | clogin | slogin?
>
> sounds good to me, as long as it's consistent and documented somewhere- both in README.vpopmaild and in the vpopmaild wiki entry.

It will be.

>> I was planning if you would like a way to see if a user exists without returning anything else...
>
> that's certainly a possibility, easy enough to add... should that be available to any client without authenticating first? or if it requires an authenticated session, should it be available to any user, or just the domain-admin for that domain, or only for a system-admin?

I think it should just take any user/password combination and return OK if the user exists or ERROR, then exit. If you need to login to find out if a user exists programs will have to have login credentials in the script. Not a good idea.

> i'll go with clogin and slogin. i'm also going to look at the code which parses the line and make sure that when it's looking for a password, it doesn't stop on spaces.

Excellent.

> http://qmail.jms1.net/patches/vpopmail.html

I haven't been able to access the SourceForge CVS server for the last two days. I think they may have changed the rules, and may have found what I need to do in the docs... which is what I was doing when I stopped to answer these messages.

I'll try to have this in 5.5 within a few days. I still need to see just what is different between 5.4 and 5.5.

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
Rick Widmer wrote:

> I haven't been able to access the SourceForge CVS server for the last two days. I think they may have changed the rules, and may have found what I need to do in the docs... which is what I was doing when I stopped to answer these messages.

The answer from SourceForge:

    ( 2006-03-31 07:00:01 - Project CVS Service )
    On 2006-03-30 the developer CVS server had a hardware issue that required us to take the service offline. We are actively working on this problem and hope to have it back up soon. There is not a current estimate for the duration of this outage, but when we get one, it will be posted on the site status page (this page). We currently expect this outage to last 48 hours, at minimum.

I will keep trying...

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:

> how does vpopmaild handle users who have spaces in their passwords?

Right now it doesn't. I'm not sure if it did before I added compact or not. I definitely want to keep compact mode, it made a big difference in responsiveness when I was testing.

> let me suggest an alternative- instead of login user pass compact, how about login/compact user pass? this allows the password to be the last thing on the line, and therefore contain spaces, and still allows for a compact option.

What do you think about login | clogin | slogin?

I was planning if you would like a way to see if a user exists without returning anything else...

> any thoughts? if needed, i will write the patch to make this happen- let me know.

If you write it and send it to me I'll make sure it gets into 5.5. You can choose between login/compact | clogin | login password with spaces compact. I like clogin best because I'm lazy... :)

> i would also like to see the output from the help command trim itself to the set of commands which are actually available to the client- before login, for example, the list would have login, help, and quit, and would not disconnect the client (as it does now.) for a normal user it would only show the commands relating to their own mailbox without any admin-level commands, for a domain admin it would show the domain-level commands but not the system-admin level stuff, and so forth. this is also a patch i am willing to write, if there is any interest in it.

That sounds like a good idea too. If you do it, please consider making it so help before login is allowed, and only lists the three login commands. Then once you are logged in expand the help list based on the user's rights. Right now help before login sends the help list and disconnects.

I just got my PHP qmailadmin clone running on Bill Shupp's toaster with vpopmaild, and I'm getting ready to look at the differences between the stable-5.4 and 5.5.

I am seriously considering making 5.5 to be exactly the same as the latest 5.4 once Tom tells me it's ready. Then I'll add your patches there. I'm in the process of finding out just what is different between the versions.

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-03-30, at 2124, Rick Widmer wrote:
> John Simpson wrote:
>> http://qmail.jms1.net/vpopmaild.shtml shows a clearer example of how to run vpopmaild under daemontools, by the way.
>
> Nice page!
>
> Just a thought... if you are only using vpopmaild to verify user logins, you might want to use the compact flag.
>
> login [EMAIL PROTECTED] password compact
>
> this will reduce the amount of trash you have to ignore by returning the numeric GID flags value rather than sending a line per bit.

i hadn't noticed that in the README.vpopmail file. this is actually a problem. how does vpopmaild handle users who have spaces in their passwords? having compact as a space-separated parameter imposes an artificial limitation on the set of characters available for use in passwords- it means that users with existing passwords containing spaces will not be able to log into vpopmaild, and if somebody is running an SMTP service which relies on vpopmaild to validate AUTH commands (which is a patch that i'm working on) it means that those users will not be able to AUTH successfully.

let me suggest an alternative- instead of "login user pass compact", how about "login/compact user pass"? this allows the password to be the last thing on the line, and therefore contain spaces, and still allows for a compact option. you could even add in a "login/silent user pass", which simply sends "+OK \r\n" as the reply for a successful login, rather than showing ANY information about the mailbox... just the thing for a simple application like an SMTP AUTH client, which doesn't need any information other than yes or no.

any thoughts? if needed, i will write the patch to make this happen- let me know.

i would also like to see the output from the help command trim itself to the set of commands which are actually available to the client- before login, for example, the list would have login, help, and quit, and would not disconnect the client (as it does now.) for a normal user it would only show the commands relating to their own mailbox without any admin-level commands, for a domain admin it would show the domain-level commands but not the system-admin level stuff, and so forth. this is also a patch i am willing to write, if there is any interest in it.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
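The login-line problem John describes, as an added example that is not part of the original post or of vpopmaild itself: a small POSIX sh parser for the proposed "login/compact user password" form, where the password is the final field and may contain spaces, beside a parser for the current trailing-flag form that shows where that form has to guess. The function names and the sample lines (user@example.com is a placeholder address) are this example's own.

```shell
#!/bin/sh
# Added example, not vpopmaild's code: parse a "login" line in the proposed
# verb/modifier form ("login/compact user password"), where the password is the
# last field and may contain spaces. Function names are this example's own.

# parse_login LINE
# Prints "verb|modifier|user|password"; returns 1 for a line it cannot accept.
parse_login() {
    line=$1
    verb=${line%% *}                 # first word, possibly "login/compact"
    rest=${line#* }                  # everything after the first space
    [ "$rest" != "$line" ] || return 1   # no space at all: nothing after the verb

    modifier=${verb#*/}              # text after "/" if present
    [ "$modifier" != "$verb" ] || modifier=""
    verb=${verb%%/*}
    [ "$verb" = "login" ] || return 1

    user=${rest%% *}                 # second word
    password=${rest#* }              # remainder, spaces included
    [ "$password" != "$rest" ] || return 1   # no password field
    [ -n "$user" ] && [ -n "$password" ] || return 1

    case "$modifier" in
        ""|compact|silent) ;;        # the three forms discussed above
        *) return 1 ;;               # unknown modifier: reject, do not guess
    esac
    printf '%s|%s|%s|%s\n' "$verb" "$modifier" "$user" "$password"
}

# parse_login_trailing LINE
# The current "login user password compact" form. Once passwords may contain
# spaces the server has to decide whether a final "compact" is the flag or the
# end of the password; this version takes it as the flag, so a password that
# ends in the word "compact" is silently truncated. That is the ambiguity the
# verb/modifier form avoids.
parse_login_trailing() {
    line=$1
    verb=${line%% *}; rest=${line#* }
    user=${rest%% *}; password=${rest#* }
    modifier=""
    case "$password" in
        *" compact") modifier=compact; password=${password% compact} ;;
        compact)     modifier=compact; password="" ;;
    esac
    printf '%s|%s|%s|%s\n' "$verb" "$modifier" "$user" "$password"
}

# Constructed sample lines for a stand-alone run.
parse_login 'login/compact user@example.com my secret pass'
parse_login 'login user@example.com pass'
parse_login_trailing 'login user@example.com ends in compact'
```

The parser rejects a modifier it does not know rather than passing the line through, so a typo in the verb cannot quietly turn into a different login mode.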
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-03-27, at 1304, Robin Bowes wrote:
> John Simpson wrote:
>> i have written a patch against vpopmail-5.4.15 which causes any changes to trigger ~vpopmail/etc/onchange, if it exists and if it is executable to the userid which is running the vpopmail program.
>>
>> the patch can be downloaded, and simple directions found, at the bottom of this page: http://qmail.jms1.net/patches/
>>
>> i am running this on my own server as we speak- it seems to work well so far, and i will be writing the scripting to have it build a new validrcptto.cdb over the next day or two.
>>
>> my hope is that there is enough interest in this functionality that it can be integrated into a future version of vpopmail.
>
> John,
>
> Can this be modified to pass parameters to the program/script? For example, the action that has just occurred, plus any data associated with that action?
>
> e.g. onchange useradd [EMAIL PROTECTED]

i guess it's not impossible... i hadn't thought of doing that, but it shouldn't be hard. looking at the code, i guess we can have the script be called with a command line consisting of:

- a command (to tell what was done.) the commands would be the same commands which are used in vpopmaild (i.e. add_domain, del_domain, add_alias_domain, add_user, del_user, and mod_user... the only question is how to handle calls to valias_insert(), valias_remove(), and valias_delete()- what command should they put on the script's command line? for now i'll just go with the function names- valias_insert, valias_remove, and valias_delete.

  the valias_insert() function adds a line to an existing alias, or if it doesn't exist, it creates an alias. the valias_remove() function removes an existing line from an alias. if that was the last line, the alias is deleted. the valias_delete() function removes all lines from an alias, deleting it. i don't know what bearing this might have on somebody's script some day, but i figure it doesn't hurt to document it somewhere.

- the target of that command. for add_domain, del_domain, and add_alias_domain, the target is the domain name. for all other commands, the target is the mailbox or alias which is being operated on.

that's all. no passwords, no alias targets, nothing else. if a user's script needs more information, they can read whatever file or database holds the data directly.

and i was right, it wasn't that hard. same web page.

> Also, have you tried this with vqadmin/qmailadmin?
>
> The reason I mention this is that I'm having a bugger of a job getting my code that implements skel dirs to work with vqadmin - it works fine from the command line (as root) but I get a permission denied error when executing from vqadmin.

i've tried it with qmailadmin, and i've tried it with the command line tools, and i've tried it from a vpopmaild service. all seem to trigger the script when they should. however you couldn't pay me to use vqadmin in its current form (nothing personal, i understand you guys are working on other things- and to be honest i'm happier adding and removing domains with the command line tools anyway.)

http://qmail.jms1.net/vpopmaild.shtml shows a clearer example of how to run vpopmaild under daemontools, by the way.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
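An ~vpopmail/etc/onchange script written for the two-argument convention described above (command, then target), added here as an example; it is not John's patch, not vpopmail's code, and not anything from the list. Since the hook runs as whatever uid is running the vpopmail program and the target is handed to it on the command line, the script checks both arguments against the set the patch emits before it records anything. The ONCHANGE_STATE directory, the journal file and the rebuild flag are this example's own assumptions, not vpopmail paths.

```shell
#!/bin/sh
# Added example, not John's patch or vpopmail's own code: an onchange hook for
# the "COMMAND TARGET" calling convention described above. It validates both
# arguments, appends an audit line, and flags that validrcptto.cdb needs a
# rebuild. ONCHANGE_STATE is this example's assumption, not a vpopmail path.

: "${ONCHANGE_STATE:=/tmp/onchange-state}"

# target_kind COMMAND: prints "domain" or "mailbox" for the kind of target the
# command carries, returns 1 for any command the patch does not emit.
target_kind() {
    case "$1" in
        add_domain|del_domain|add_alias_domain) echo domain ;;
        add_user|del_user|mod_user|valias_insert|valias_remove|valias_delete) echo mailbox ;;
        *) return 1 ;;
    esac
}

# valid_target KIND TARGET: syntax check. The target ends up in a log line and
# possibly in other commands, so accept only the narrow character set a domain
# or a local-part@domain needs: no spaces, no shell metacharacters, and no
# leading "-" (which a later command could read as an option) or ".".
valid_target() {
    kind=$1; target=$2
    case "$target" in
        ""|-*|.*|*..*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    case "$kind" in
        domain)  case "$target" in *@*) return 1 ;; esac ;;
        mailbox) case "$target" in *@*@*|@*|*@) return 1 ;; *@*) ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# onchange COMMAND TARGET: the entry point vpopmail would exec.
# Returns 0 when the event was accepted and recorded, 2 on a malformed call.
onchange() {
    cmd=$1; target=$2
    kind=$(target_kind "$cmd") || return 2
    valid_target "$kind" "$target" || return 2
    mkdir -p "$ONCHANGE_STATE"
    # Audit trail: when, what changed, and on which target. Useful when the
    # rebuild happens asynchronously and you need to know what triggered it.
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" "$target" \
        >> "$ONCHANGE_STATE/journal"
    # Rather than running the slow cdb rebuild inside every vpopmail call, drop
    # a flag and let a separate job regenerate validrcptto.cdb when it sees it.
    : > "$ONCHANGE_STATE/rebuild-needed"
    return 0
}

# Stand-alone invocation: vpopmail passes the two arguments on the command line.
if [ $# -eq 2 ]; then
    onchange "$1" "$2"
fi
```

Deferring the rebuild to a flag file keeps the hook cheap, which matters because it runs inside every add, delete and modify; a cron job or a daemontools service can watch for the flag and do the cdb rebuild once, however many changes arrived.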
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-03-30, at 1019, Robin Bowes wrote:
> John Simpson wrote:
>> http://qmail.jms1.net/vpopmaild.shtml shows a clearer example of how to run vpopmaild under daemontools, by the way.
>
> Clearer than what?

clearer than the first few lines of README.vpopmaild from the source code, which are simply...

    To run as daemon:
    tcpserver -vHRD 0 89 ./vpopmaild
    Then as client
    telnet localhost 89
    Or to run on the command line for testing
    ./vpopmaild

if you don't have a copy of the 5.4.15 source, you can find this file in the CVS repository, or i have a local copy of the file on my web site.

http://qmail.jms1.net/README.vpopmaild

these directions made perfect sense to me, because i've been using tcpserver and daemontools for years. however this might be a stretch for a lot of people (especially the typical qmailrocks user) so i wrote something a little more detailed.

and because i can hear people asking in the back of their minds why i care about qmailrocks users... when eric first put together the qmailrocks package, he used my combined patch file- and since then qmailrocks people have been sending all of their questions to me, because eric has seemingly abandoned the qmailrocks web site. i figure i'll be a nice guy and answer some of their questions, especially those rare good questions that make me think... but if the question shows that the person is just too lazy to do their own research, fsck'em. my only answer for lazy people is the URL of one of my favourite web pages, one that i feel should be required reading before anybody gets on the internet...

http://www.catb.org/~esr/faqs/smart-questions.html

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
Re: [vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:
> http://qmail.jms1.net/vpopmaild.shtml shows a clearer example of how to run vpopmaild under daemontools, by the way.

Nice page!

Just a thought... if you are only using vpopmaild to verify user logins, you might want to use the compact flag.

login [EMAIL PROTECTED] password compact

this will reduce the amount of trash you have to ignore by returning the numeric GID flags value rather than sending a line per bit.

Rick
Re: [vchkpw] Re: 5.4.15 onchange patch
> It is indeed possible to use wrappers as you do, but this adds overhead to every invocation of [insert program here] which I'd rather avoid.

How much overhead do you think executing a shell script and an internal call to test implements? How often do you think IMAP connections are made? Think of all the calls that already wrap around shells. Think of how many exec calls (or their variants in this case) are made to run tcpserver, authentication programs, bincimap-up, and bincimapd? Why not modify bincimap or bincimap-up to do the same thing on invocation and provide the patch to the bincimap folks instead- a likely better way to do things.

Just don't get caught up in the hype as to how much faster c programs are- when the shell is probably kept in memory, and the stat calls used by test are cached, this isn't a huge performance hit- especially for a connection like imap that is more persistent.

I run about 10K+ users on bincimap through this linkwrapper and generally see almost no load... I know that's vague, but I've never benchmarked the use with or without a simple shell script.

> It's incredibly easy to add or modify functionality to qpsmtpd because of the plugin hooks that are built-in.

I'd suggest that:

1. qpsmtpd lacks many plugins and doesn't seem to have a lot of support in the community, along with the various plugin methods to qmail-smtpd. I'm sure there's a good chunk of overhead in there as well, not to mention difficulties like plugin ordering, etc.

2. vpopmail manages qmail users and delivers mail. I'm wary of making it even more of a kitchen sink to start adding plugins and management functions that would likely be used by a small number. It's still changing considerably between major releases.

> Anyway, I've solved the IMAPdir issue a different way (see separate post).

Saw it- thumbs up. Glad you solved your issue.

-M
Re: [vchkpw] Re: 5.4.15 onchange patch
On Mar 28, 2006, at 10:37 AM, Robin Bowes wrote:
> However, I see that doing stuff when you create users logically belongs with the program that creates users - vpopmail in this case. So to my perfectionist mind, I'd rather make vpopmail do this once when the user is added than checking for it every time the account is accessed for the lifetime of the account.

I agree with this as well. A single patch to vpopmail to add hooks for adding and deleting users and domains allows for a lot of flexibility. I've seen requests to automatically send a welcome message to new users. Instead of adding it as a feature to vpopmail, it can be a script that gets called automatically.

Robin's original requirement (and one that others have had) is to have an alternate Maildir directory layout, with symbolic links. Again, this is easily accommodated (and updated) by calling a script/program on user add.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
RE: [vchkpw] Re: 5.4.15 onchange patch
Why not use the .qmail-default to process your skeleton directories? Have it call a script that can test for the existence of the directory and then copy the skeleton as appropriate. I guess it would depend on where in the process a non-existing user directory gets created. If vdelivermail does it or if it's done higher up the chain. If vdelivermail creates the initial directory then you'd want to call your script afterwards.

This is all assuming you're just putting users into a database and letting vpopmail auto create the directory when a user checks their email or gets their first email.

Charlie

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Robin Bowes
Sent: Monday, March 27, 2006 10:04 AM
To: vchkpw@inter7.com
Subject: [vchkpw] Re: 5.4.15 onchange patch

John Simpson wrote:
> i have written a patch against vpopmail-5.4.15 which causes any changes to trigger ~vpopmail/etc/onchange, if it exists and if it is executable to the userid which is running the vpopmail program.
>
> the patch can be downloaded, and simple directions found, at the bottom of this page: http://qmail.jms1.net/patches/
>
> i am running this on my own server as we speak- it seems to work well so far, and i will be writing the scripting to have it build a new validrcptto.cdb over the next day or two.
>
> my hope is that there is enough interest in this functionality that it can be integrated into a future version of vpopmail.

John,

Can this be modified to pass parameters to the program/script? For example, the action that has just occurred, plus any data associated with that action?

e.g. onchange useradd [EMAIL PROTECTED]

Also, have you tried this with vqadmin/qmailadmin?

The reason I mention this is that I'm having a bugger of a job getting my code that implements skel dirs to work with vqadmin - it works fine from the command line (as root) but I get a permission denied error when executing from vqadmin.

I really must get a built-in function working...

R.
RE: [vchkpw] Re: 5.4.15 onchange patch
> The reason I mention this is that I'm having a bugger of a job getting my code that implements skel dirs to work with vqadmin - it works fine from the command line (as root) but I get a permission denied error when executing from vqadmin.

Have you thought at all about just wrapping your qmail programs executed from tcpserver and doing it at run-time instead of account creation?

Example that I use for creating an IMAP folder structure for use with bincimap:

    #!/bin/sh
    # /var/qmail/bin/linkwrapper
    #
    # Runs in the directory vchkpw has already changed into (the user's
    # home), so the relative paths below refer to that user's mailbox.
    test -d IMAPdir || mkdir IMAPdir
    test -e IMAPdir/INBOX || ln -sf ../Maildir IMAPdir/INBOX
    # Hand over to the real program; quoted so arguments with spaces survive.
    exec "$@"

Then in my service run file, I have

    tcpserver parameters and programs \
      /home/vpopmail/bin/vchkpw \
      /var/qmail/bin/linkwrapper \
      /var/qmail/bin/bincimapd

I don't see why you couldn't do the same with your pop daemon or smtp daemon to do some basic parameters (and maybe extend it to keep additional information).

Something to consider. On a run of qmail-smtpd, test the timestamp of a file to the cdb file and rebuild if needed.

-M
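The run-time check suggested in the last paragraph (compare the source list against the cdb by timestamp and rebuild only when the source is newer), written up as an added example in the same shape as linkwrapper. This is not M's script and not part of vpopmail or qmail. The file names, the lock directory and build_cdb (a stand-in for the real cdbmake step, so the example runs anywhere) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not M's linkwrapper and not part of vpopmail or qmail: before
# exec'ing the real daemon, rebuild the recipient cdb only when its source list
# is newer. Paths, the lock directory and build_cdb are this example's assumptions.

# needs_rebuild SRC CDB: true when CDB is missing or SRC has a newer mtime.
# "-nt" is the timestamp comparison the message above suggests.
needs_rebuild() {
    [ ! -e "$2" ] || [ "$1" -nt "$2" ]
}

# build_cdb SRC DST: stand-in for the real build step (a cdbmake pipeline in a
# real deployment); here it just copies the list so the example runs anywhere.
build_cdb() {
    cp "$1" "$2"
}

# rebuild_if_stale SRC CDB
# Returns 0 when a rebuild was done, 1 when the cdb was already current or
# another process holds the lock, 2 when the build itself failed.
rebuild_if_stale() {
    src=$1; cdb=$2
    needs_rebuild "$src" "$cdb" || return 1
    lock="$cdb.lock"
    # Several daemons may start at once; mkdir is atomic, so only one of them
    # rebuilds and the others go ahead with the existing cdb.
    mkdir "$lock" 2>/dev/null || return 1
    tmp="$cdb.tmp.$$"
    if build_cdb "$src" "$tmp"; then
        mv "$tmp" "$cdb"      # rename is atomic: a reader never sees a partial cdb
        rmdir "$lock"
        return 0
    fi
    rm -f "$tmp"
    rmdir "$lock"
    return 2
}

# Wrapper entry point, same shape as linkwrapper: refresh if needed, then hand
# over to the real program. The default paths are constructed for the example.
if [ $# -gt 0 ]; then
    rebuild_if_stale "${VALIDRCPTTO_SRC:-/tmp/validrcptto}" \
                     "${VALIDRCPTTO_CDB:-/tmp/validrcptto.cdb}" || true
    exec "$@"
fi
```

Building into a temporary file and renaming it over the old cdb is what makes the check safe to run from inside a connection wrapper: a qmail-smtpd that opened the cdb a moment earlier keeps reading a consistent file, and a failed build leaves the previous cdb in place.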