Re: [vchkpw] CHKUSER 2.0.8b - banning IPs into tcp.smtp
On Wednesday 26 Oct 2005 22:51, ISP Lists wrote:
> CHKUSER 2.0.8b on qmail 1.03 and vpopmail 5.4.10.
>
> I LOVE that CHKUSER can single out the unknown recipients and block the offending SMTP session - big traffic control helper! However, I've got one domain that's really being hit hard by dictionary attacks. Some attack traffic is a few hits from many IPs, other traffic is many hits from few IPs.
>
> What I'd like to do is get something that's like an IDS that reads log output for CHKUSER rejections - currently only outputting to /var/log/qmail/smtp/current

cat current | grep 'CHKUSER rejected rcpt:' | tai64nlocal > mylog

then write a perl script to pull the ip addresses into a list and compare with what you already have in tcp.smtp

> and have that information parsed for the specific domain and have the offending sender IP stuffed into a database (probably with a timestamp). Then I would build some scripted logic to query the database to figure out if I've been hit N number of times from an IP in a certain window of time; thus the trigger to update tcp.smtp with the offender.
>
> I think I might go ahead and just compile the tcp.smtp at each pass, that way I can keep tcp.smtp as compact as possible. Those who've stopped being naughty are taken off the blocklist eventually. Almost an RBL mentality I guess. (and yes, I AM running with the Spamhaus RBL also).
>
> I gotta believe some smart person already built this, but I don't know if it's called something specific. Big challenge for me is how to keep an eye on a logfile for any particular time (particularly given DJB's arcane date values in the above log file) and not end up reprocessing data I've already seen.
>
> Help appreciated and thanks!
>
> Dave.

--
Bob Hutchinson
Midwales dot com
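The approach discussed in this message (read CHKUSER rejections for one domain, count hits per IP inside a time window, rebuild tcp.smtp on every pass, and never reprocess lines already seen), as an added example that is not part of the original thread. The log line layout, the sample lines, the addresses and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

TAI_OFFSET = 1 << 62  # a TAI64 label stores seconds + 2^62

# Assumed multilog + CHKUSER line layout (constructed for this example):
# @<tai64n> CHKUSER rejected rcpt: from <sender:info:relay>
#     remote <helo:rdns:ip> rcpt <address> : reason
LINE_RE = re.compile(
    r"^@(?P<tai>[0-9a-f]{24}) CHKUSER rejected rcpt: "
    r"from <[^>]*> remote <[^:>]*:[^:>]*:(?P<ip>[0-9.]+)> "
    r"rcpt <(?P<rcpt>[^>]*)>"
)

# Constructed sample input, not taken from a real server.
SAMPLE_LOG = [
    "@400000004360000000000000 CHKUSER rejected rcpt: from <a@bad.example::> remote <mx.bad.example:unknown:192.0.2.10> rcpt <aaron@victim.example> : not existing recipient",
    "@400000004360001e00000000 CHKUSER rejected rcpt: from <a@bad.example::> remote <mx.bad.example:unknown:192.0.2.10> rcpt <abby@victim.example> : not existing recipient",
    "@400000004360003c00000000 CHKUSER rejected rcpt: from <a@bad.example::> remote <mx.bad.example:unknown:192.0.2.10> rcpt <adam@victim.example> : not existing recipient",
    "@400000004360005a00000000 CHKUSER rejected rcpt: from <b@bad.example::> remote <h.example:unknown:198.51.100.7> rcpt <info@other.example> : not existing recipient",
    "@400000004360007800000000 CHKUSER rejected rcpt: from <c@bad.example::> remote <h.example:unknown:203.0.113.5> rcpt <bob@victim.example> : not existing recipient",
    "@400000004360009600000000 tcpserver: status: 1/40",
]


def tai_to_unix(label):
    """Seconds part of a 24-hex-digit TAI64N label. The TAI-UTC leap-second
    offset is ignored because only differences between labels matter here."""
    return int(label[:16], 16) - TAI_OFFSET


def parse_rejections(lines, domain, checkpoint=""):
    """Return ([(unix_ts, ip), ...], new_checkpoint) for one domain.

    TAI64N labels are fixed-width lowercase hex, so plain string comparison
    orders them by time. Remembering the newest label processed is therefore
    enough to skip old lines, and it survives multilog rotating `current`,
    which a byte offset would not."""
    events, newest = [], checkpoint
    suffix = "@" + domain.lower()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["tai"] <= checkpoint:
            continue
        newest = max(newest, m["tai"])
        if m["rcpt"].lower().endswith(suffix):
            events.append((tai_to_unix(m["tai"]), m["ip"]))
    return events, newest


def offenders(events, now, window, threshold):
    """IPs with at least `threshold` rejections in the last `window` seconds.
    Recomputing this each pass is what lets quiet IPs drop off the list."""
    hits = defaultdict(int)
    for ts, ip in events:
        if now - window <= ts <= now:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def render_tcp_smtp(base_rules, bad_ips):
    """Prepend deny rules to the hand-maintained rules. An IP already covered
    by an explicit rule (exact address or dotted prefix such as `127.`) is
    left alone, so relay clients are never locked out by mistake. Ranges and
    hostname rules in the base file are not interpreted by this sketch."""
    explicit = []
    for line in base_rules.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            addr = line.split(":", 1)[0]
            if addr:
                explicit.append(addr)

    def covered(ip):
        return any(ip == a or (a.endswith(".") and ip.startswith(a))
                   for a in explicit)

    deny = [f"{ip}:deny" for ip in bad_ips if not covered(ip)]
    return "\n".join(deny + [base_rules.strip()]) + "\n"


if __name__ == "__main__":
    events, checkpoint = parse_rejections(SAMPLE_LOG, "victim.example")
    bad = offenders(events, now=0x43600000 + 200, window=600, threshold=3)
    print(render_tcp_smtp('127.:allow,RELAYCLIENT=""\n:allow\n', bad), end="")
    # Compile the result with tcprules, e.g.:
    #   tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
```

In a real deployment the events from earlier passes would be kept in the database Dave mentions, with the checkpoint stored alongside them.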
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-22, at 1234, Tom Collins wrote:
> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>> if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>
> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

the design of CRAM requires that the server have a list of plain-text passwords, regardless of the hashing algorithm it uses. if somebody cracks your machine (and for the sake of security you have to assume that they eventually will) the bad guys will now have a list of all of your users' passwords in plain text, making it possible to not only read your users' email, but relay spam through your server.

> TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!

er... telling a user to turn on the "use TLS" or "use SSL" checkbox and possibly change a port number isn't hard. i've been building, running, and consulting for ISPs for ten years now, and if you manage the process correctly, it's not hard.

it's like any other settings change... you set things up so that both the old and new settings will work, and then leave that in place for a month. tell the users that you've made this change to improve their service, the new settings are in this email or at such-and-such web page, and they have until such-and-such date to change their settings.

during the month, your tech support people ask every customer they come in contact with if they've changed their settings, and if not they walk them through it on the spot.

then when the end date arrives, most of your customers will have switched, and you can turn the old stuff off without killing your tech support people. then when that final rush of calls dies down, buy pizza for the tech support department to thank them for their extra effort.

at least that's how i've always done it, and it's always worked out pretty well.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-22, at 1627, Erwin Hoffmann wrote:
> At 18:12 22.09.2005 +0100, tonix (Antonio Nati) wrote:
>> At 17.34 22/09/2005, you wrote:
>>> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>>>> if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>>>
>>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

i'm sure many of us know this already, but for the benefit of people who may not understand how CRAM authentication works, here's the deal:

the server sends a cookie- a string of text which contains a certain amount of pseudo-random text. many servers end up sending a timestamp, a process id, and/or a few bytes of random from /dev/random, /dev/urandom, or some other source of random.

the client takes that cookie, adds the password to the end of it, computes a hash of the result, and sends that hash back to the server.

the server takes the same cookie, adds the real password to the end of it, computes a hash of that result, and compares it to the hash sent by the client. if the hashes match, then obviously the client knows what the real password is, so it's okay to let them in. otherwise, the client doesn't have the right password and should not be allowed in.

the idea with CRAM is for the client to prove that it knows what the correct password is, without ever actually sending the password over the wire.

if you already have a list of plain-text passwords on the server, CRAM is a very good idea. my only objection is to keeping a list of plain-text passwords on the server in the first place. it's not something i do, but for somebody who already has such a list it can be a good thing.

> Greets from the hurricane-free Germany.
> --eh.

and i'm in orlando- four hurricanes in a row last year, but luckily none so bad as the two which have hit louisiana this year...

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
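The challenge/response exchange under discussion, as an added example that is not part of the original thread. It follows RFC 2195, in which the response is HMAC-MD5 keyed with the password over the server's challenge; the user names, passwords and host names are constructed, apart from the test vector printed in RFC 2195, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname, pid=None, now=None):
    """Server cookie in the common <pid.timestamp@host> shape."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"<{pid}.{now}@{hostname}>"


def cram_md5_digest(password, challenge):
    """RFC 2195: HMAC-MD5 with the shared secret as key, hex encoded."""
    return hmac.new(password.encode(), challenge.encode(),
                    hashlib.md5).hexdigest()


def client_response(user, password, b64_challenge):
    """What the client sends after the server's `334 <base64 challenge>`."""
    challenge = base64.b64decode(b64_challenge).decode()
    reply = f"{user} {cram_md5_digest(password, challenge)}"
    return base64.b64encode(reply.encode()).decode()


def server_verify(b64_response, challenge, password_db):
    """Return the authenticated user name, or None.

    password_db maps user -> plain-text password: the server cannot
    recompute the digest without the secret itself, which is the
    storage objection raised in the thread."""
    try:
        decoded = base64.b64decode(b64_response, validate=True).decode()
        user, digest = decoded.rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    stored = password_db.get(user)
    if stored is None:
        return None
    expected = cram_md5_digest(stored, challenge)
    # Constant-time comparison so timing does not leak digest prefixes.
    if hmac.compare_digest(expected.encode(), digest.lower().encode()):
        return user
    return None


def decode_auth_plain(b64_blob):
    """AUTH PLAIN for contrast: base64 of \\0user\\0password, so anyone who
    sees the session in clear text reads the password directly."""
    _authzid, user, password = base64.b64decode(b64_blob).decode().split("\0")
    return user, password


# Test vector from RFC 2195, section 2.
RFC_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC_USER, RFC_PASSWORD = "tim", "tanstaaftanstaaf"

if __name__ == "__main__":
    db = {RFC_USER: RFC_PASSWORD}
    b64_chal = base64.b64encode(RFC_CHALLENGE.encode()).decode()
    resp = client_response(RFC_USER, RFC_PASSWORD, b64_chal)
    print("334", b64_chal)
    print(resp)
    print("accepted for:", server_verify(resp, RFC_CHALLENGE, db))
    # The same response replayed against a fresh challenge is rejected.
    fresh = make_challenge("mx.example.net", pid=4549, now=1127400000)
    print("replay accepted:", server_verify(resp, fresh, db) is not None)
```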
Re: [vchkpw] chkuser 2.0.8b
Aleks,

these are some flags I'm using (I have smtp auth ON for all users, so disabling flag is OFF):

    #disable_smtp
    #disable_pop
    #disable_imap

In this case, SMTP auth would be ON if line is commented (as in previous lines), OFF if line is active. Check both your default switches in /home/vpopmail/etc/vlimits.default and in your domain .qmailadmin-limits (or in your MySQL limits).

Tonino

At 23.05 21/09/2005, you wrote:

I'm not really sure what flags you are aiming for, tonix. But I guess they could be enabled/disabled?

Aleks

On 9/21/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

Sorry for the dumb question. Are your users/domains smtp flags not disabled?

Tonino

At 14.38 21/09/2005, you wrote:

Thanks Bruno, but I'm not that keen on the TLS support anymore. Perhaps I'll toast next time :) For now I'm going to figure out why I can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

    4549 220 mx.domain.com ESMTP
    4549 EHLO [192.168.0.100]
    4549 250-mx.domain.com
    4549 250-PIPELINING
    4549 250-8BITMIME
    4549 250-SIZE 0
    4549 250 AUTH LOGIN PLAIN CRAM-MD5
    4549 AUTH CRAM-MD5
    4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
    4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
    4549 535 authentication failed (#5.7.1)
    4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
    4549 535 authentication failed (#5.7.1)
    4549 AUTH LOGIN
    4549 334 VXNlcmbWU6
    4549 YWxla3NhlckBvbHNlbi5jbg==
    4549 334 UGFzc3dvcmQ6
    4549 eWY4NpdG8=
    4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks, I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail. It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).

Regards,
bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 7:14 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

- Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in the need for that tls anyways for smtp transactions.

Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is that the smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).

    220 mx.domain.com ESMTP
    ehlo
    250-mx.domain.com
    250-PIPELINING
    250-8BITMIME
    250-SIZE 0
    250 AUTH LOGIN PLAIN

chkuser.c

    #include "/home/vpopmail/include/vpopmail.h"
    #include "/home/vpopmail/include/vauth.h"
    #include "/home/vpopmail/include/vpopmail_config.h"
    /* #define CHKUSER_ENABLE_VAUTH_OPEN */

    /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
        -u $QMAILDUID -g $NOFILESGID 0 smtp \
        /var/qmail/bin/qmail-smtpd mx.domain.com \
        /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Won't auth. Anyone notice anything I might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right?

Thanks!
/Aleksander

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?

Tonino

Thanks,
/Aleksander

-
    static void first_time_init (void) {

        char * temp_string;

    #if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
        starting_string = env_get (CHKUSER_STARTING_VARIABLE);
        if (starting_string) {
            if (strcasecmp(starting_string, "ALWAYS") == 0) {
                starting_value = 1;
            } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
                starting_value = 0;
            }
        } else
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-21, at 0614, Aleks Olsen wrote:
> - Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch).

both of which are ANCIENT. my combined patch is up to version 6b now. and it doesn't use chkuser... i doctored up a different way to handle the same problem, using a validrcptto.cdb file containing every valid email address on the system. whenever you add or remove a user, you rebuild the cdb file.

http://qmail.jms1.net/patches/ has information on both patches.

> I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in the need for that tls anyways for smtp transactions.

if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
Re: [vchkpw] chkuser 2.0.8b
On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
> Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.

qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.

the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
Re: [vchkpw] chkuser 2.0.8b
Just for the fun of it: if I was to (in this lifetime) get tls/auth to work with chkuser, what/whose tls and auth code should I use? Since jms obviously doesn't need to make his patches compatible, since he's got the needed stuff for himself in validrcptto, I was hoping someone knew what works or not.

I stand corrected about the whole auth and no tls security breach jms pointed out. If you want auth you should use tls I guess.

Thanks,
/Aleks

On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:
> On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
>> Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.
>
> qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.
>
> the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.
>
> --
> | John M. Simpson - KG4ZOW - Programmer At Large |
> | http://www.jms1.net/ [EMAIL PROTECTED] |
> --
> | Mac OS X proves that it's easier to make UNIX |
> | pretty than it is to make Windows secure. |
> --
Re: [vchkpw] chkuser 2.0.8b
Aleks,

sorry to repeat what has been already said, but to make it short use Shupp's Toaster. There inside chkuser + TLS + auth work fine together (since years). You'll build it in minutes, and will never regret making this step.

Ciao,
Tonino

At 13.18 22/09/2005, you wrote:
> Just for the fun of it: if I was to (in this lifetime) get tls/auth to work with chkuser, what/whose tls and auth code should I use? Since jms obviously doesn't need to make his patches compatible, since he's got the needed stuff for himself in validrcptto, I was hoping someone knew what works or not.
>
> I stand corrected about the whole auth and no tls security breach jms pointed out. If you want auth you should use tls I guess.
>
> Thanks,
> /Aleks
>
> On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:
>> On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:
>>> Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well.
>>
>> qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can use vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user.
>>
>> the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail.
>>
>> --
>> | John M. Simpson - KG4ZOW - Programmer At Large |
>> | http://www.jms1.net/ [EMAIL PROTECTED] |
>> --
>> | Mac OS X proves that it's easier to make UNIX |
>> | pretty than it is to make Windows secure. |
>> --
Re: [vchkpw] chkuser 2.0.8b
I have just rebuild it last week and it works fine. Remo - Original Message - From: tonix (Antonio Nati) [EMAIL PROTECTED] To: vchkpw@inter7.com Sent: Thursday, September 22, 2005 08:07 Subject: Re: [vchkpw] chkuser 2.0.8b Aleks, sorry to repeat what has been already said, but to make it short use Shupp's Toaster. There inside chkuser + TLS + auth work fine together (since years). You'll build it in minuts, and will never regret of making this step. Ciao, Tonino At 13.18 22/09/2005, you wrote: Just for the fun of it; If I was to, (in this lifetime) get tls/auth to work with chkuser, what/who's tls and auth code should i use? Since jms obvious dont need to make he's patches compatible since he's got the needed stuff for himself in validrcptto, i was hoping someone knew what works or not. I stand corrected about the hole auth and no tls security breach jms pointed out. If you want auth you should use tls i guess. Thanks, /Aleks On 9/22/05, John Simpson [EMAIL PROTECTED] wrote: On 2005-09-21, at 0623, tonix (Antonio Nati) wrote: Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well. qmail is, and has always been, designed to have qmail-smtpd run as qmaild. the only reason to make it run as the vpopmail user is so that you can us vchkpw to support AUTH, and the solution there is to make the vchkpw binary setuid so it always runs as the vpopmail user. the servercert.pem file should be owned by root and readable to the group nofiles (which is the group qmaild belongs to.) the clientcert.pem file (if you have one) should also be owned by root, but readable to the group qmail. -- | John M. Simpson - KG4ZOW - Programmer At Large | | http://www.jms1.net/ [EMAIL PROTECTED] | -- | Mac OS X proves that it's easier to make UNIX | | pretty than it is to make Windows secure. | --
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 1:42 AM, John Simpson wrote: if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay. If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password. TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH! Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username. A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
sounds good to me! Remo - Original Message - From: Tom Collins [EMAIL PROTECTED] To: vchkpw@inter7.com Sent: Thursday, September 22, 2005 10:34 Subject: Re: [vchkpw] chkuser 2.0.8b On Sep 22, 2005, at 1:42 AM, John Simpson wrote: if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay. If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password. TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH! Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username. A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
Tom Collins wrote: On Sep 22, 2005, at 1:42 AM, John Simpson wrote: if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay. If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password. TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH! Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username. A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up. If screen shots were provided, any of the PDF generators for PHP could provide a custom PDF file with ISP branding for downloading on demand. Interesting Idea.. We are in the middle of moving our entire operation, NOC and office. But afterwards maybe, would anyone be interested in this if I did it? DAve -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
I would Dave.. Remo - Original Message - From: DAve [EMAIL PROTECTED] To: vchkpw@inter7.com Sent: Thursday, September 22, 2005 10:50 Subject: Re: [vchkpw] chkuser 2.0.8b Tom Collins wrote: On Sep 22, 2005, at 1:42 AM, John Simpson wrote: if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay. If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password. TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH! Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username. A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up. If screen shots were provided, any of the PDF generators for PHP could provide a custom PDF file with ISP branding for downloading on demand. Interesting Idea.. We are in the middle of moving our entire operation, NOC and office. But afterwards maybe, would anyone be interested in this if I did it? DAve -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
At 17.34 22/09/2005, you wrote: On Sep 22, 2005, at 1:42 AM, John Simpson wrote: if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay. If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password. TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH! Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username. A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up. A better idea... The most of probably use qmail because there is vpopmail. What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail? First step would be to mantain the same schema and code of qmail, rewriting all the code step by step, module after module. So, free from Bernstein license, we could finally update and upgrade the MTA in a serious way. Tonino -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
Hi,

At 18:12 22.09.2005 +0100, tonix (Antonio Nati) wrote:
> At 17.34 22/09/2005, you wrote:
>> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>>> if you're supporting AUTH, you really should use TLS as well. otherwise you're allowing your users to send their passwords across the internet in plain text- and all it takes is one spammer with a packet sniffer to use your machine as a relay.
>>
>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

>> TLS is a good idea, but getting your users to enable it in their clients can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
>>
>> Here's an idea, how about a Wiki page dedicated to instructions on setting SMTP AUTH in various email clients? People could contribute by taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or some similar username.

You should start teaching yourself. http://www.fehcom.de/qmail/smtpauth.html is your friend.

>> A more ambitious project would be to use PHP and GD with the proper fonts to automatically fill in the fields and generate a completely custom how to page. Any ISP could use it, and make use of hidden fields to enable/disable certain features (like 'user port 587 for outbound smtp', 'enable TLS', 'use full email address as username', 'use smtp.server.com for outbound email', etc.). The end user could enter their name, email address and email client and get a one-page printout instructing them on how to set everything up.
>
> A better idea... Most of us probably use qmail because there is vpopmail.
>
> What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail?

Have you considered how many changes vpopmail has undergone in the last years? Did you ever do a code digest? Do you have the slightest idea how vchkpw works?

> First step would be to maintain the same schema and code of qmail, rewriting all the code step by step, module after module.
>
> So, free from Bernstein license, we could finally update and upgrade the MTA in a serious way.

If anything needs a rewrite, it's vpopmail - qmail is perfect in the way it is defined. Of course, since 1998 the requirements have changed. In particular, most of the SMTP add-ons (as defined in the latest RFCs) are (according to my personal opinion) - useless.

We do have AC in our cars, DVD + surround sound, airbags, automatic adjusting seats - but we still use four wheels and a benzine motor, driving on badly-paved roads. Qmail is a good car, but the road gets increasingly worse - adding DVD players to your car doesn't really help.

Greets from the hurricane-free Germany.
--eh.

> Tonino
>
>> --
>> Tom Collins - [EMAIL PROTECTED]
>> QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
>> You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>
> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them.

CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
RE: [vchkpw] chkuser 2.0.8b
> On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:
>>> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.
>>
>> I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.
>
> I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them.
>
> CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.

I'm with Tom on this one, the CRAM-MD5 algorithm makes snooping to get the password impossible excepting brute force. The only real problem it has is that MD5 collisions are increasingly easy to generate (down from 2^63 to the range of 2^48), however they're still far from a practical means of faking authentication.
RE: [vchkpw] chkuser 2.0.8b
A better idea... The most of probably use qmail because there is vpopmail. What about rewriting around vpopmail a modern, robust and customizable MTA that does not force us to be acrobats in order to add functionalities to qmail?

Do you have considered how many changes vpopmail has undergone the last years?

And what exactly does this have to do with the subject being discussed? Since vpopmail changes so much qmail is the only mta to use? Hell, if the vpopmail folks would get their butts into the 21st century and use shared libraries all of the hell of upgrading vpopmail from one version to the next would also disappear. And I can get on my high horse about this since I submitted patches to facilitate this ages ago. They worked, weren't too ugly, and I offered to make any cleanups people wanted to see. I disagree with the concept of writing a new MTA (we've got several really good ones out there already), but I agree with the end result of vpopmail being more useable by more people.

Did you ever do a code digest?

Again, wtf is the relevance?

Do you have the slightest idea how vchkpw works?

Since I do have a pretty solid understanding, I'm quite confident in saying that I think vpopmail really ought to be ported to work with postfix or exim in a much cleaner fashion. While I admire qmail a lot, especially when considering its late 90s tech, I definitely am cognizant of its shortcomings. The lack of a license, and the resultant patch nightmare it creates is probably the single largest liability of qmail.
RE: [vchkpw] chkuser 2.0.8b
Hi,

At 15:41 22.09.2005 -0500, you wrote:

On Sep 22, 2005, at 1:27 PM, Erwin Hoffmann wrote:

If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the cleartext password.

I don't bet on this. If you tape the SMTP dialogue, it's easy to encrypt the password.

I think you're wrong. AUTH PLAIN and AUTH LOGIN are just base64 encoded cleartext and you can determine the password from them. CRAM-MD5 involves a one-way hash. It is impossible to reverse the hash and determine the cleartext password. Each time you connect, a different challenge results in a different response. The only way the server and client can generate the correct response is to have the same cleartext password available. Given the challenge and response, it is not possible to generate the cleartext password.

I'm with Tom on this one, the CRAM-MD5 algorithm makes snooping to get the password impossible excepting brute force. The only real problem it has is that MD5 collisions are increasingly easy to generate (down from 2^63 to the range of 2^48), however they're still far from a practical means of faking authentication.

C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

regards.
--eh.
RE: [vchkpw] chkuser 2.0.8b
C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

I'm obviously missing something here, though I did reread the site for the umpteenth time in the last few years. Yes using the pid and timestamp as part of the challenge is weak. Yes the implementation ought to be fixed. No it doesn't compromise security because the challenge isn't the important part.

You claimed that recording the smtp conversation, or at least the portion relating to the AUTH process, was enough to encrypt the password. I'm assuming you meant decrypt (which would be the wrong word here since you don't decrypt a hash since it isn't encryption in the normal sense but is much more accurately described as obfuscation). So we're at the original situation as stated by Tom Collins and myself, namely that you can't go from an MD5 hash of the password and challenge to the password itself. It's not done anywhere in the code, because it's mathematically not doable. That's the whole point of one-way hashing as I'm sure you're aware.

Can you please provide a description of exactly how you would take such a network dump and return the password? I'd even be willing to provide such a dump and publicly declare you right if you sent me the correct password and only the correct password in one try. If you're unable to do the above, I'd really appreciate if you'd stop spreading FUD and acknowledge that while CRAM-MD5 has its weak points, vulnerability to network snooping is not one of them at this point in time.

Cheers,
Nick
Re: [vchkpw] chkuser 2.0.8b
On Sep 22, 2005, at 2:10 PM, Erwin Hoffmann wrote:

C'mon. The generation of the challenge and the way it's used in qmail is well documented on my web site http://www.fehcom.de/qmail/smtpauth.html. Everyone can read that and download the code to do it. The only free parameters are the timestamp and the pid of the current process.

And the code to generate the response is freely available in an RFC. I know -- I implemented SMTP AUTH client code to work with PLAIN, LOGIN and CRAM-MD5.

Even so, it's a one-way function. Given the challenge and the response, you cannot derive the cleartext password.

This is the reason vpopmail requires cleartext passwords if you want to use CRAM-MD5. There's no way for it to derive the cleartext password from CRAM-MD5 in order to run it through crypt() with the proper salt and compare it to the stored, encrypted version.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
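The three AUTH mechanisms argued about in this thread, as an added Python example (not code from qmail, vpopmail or any poster): it shows what each client exchange carries once the base64 is removed, and why the CRAM-MD5 server side has to hold the cleartext password. The account, host and challenge values are constructed, the `<pid.timestamp@host>` challenge shape follows the description given in the thread, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def make_challenge(pid: int, timestamp: int, host: str) -> str:
    """Server: one-time challenge, sent base64-encoded in the 334 reply."""
    return f"<{pid}.{timestamp}@{host}>"


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """Client: HMAC-MD5 keyed with the password over the decoded challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())


def server_verify(response_b64: str, challenge: str, cleartext_db: dict) -> bool:
    """Server: recompute the HMAC, which needs the stored cleartext password.

    A crypt()-style one-way hash of the password cannot serve as the HMAC key,
    so the account database must hold the password itself.
    """
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    password = cleartext_db.get(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def wire_contents(mechanism: str, client_lines: list) -> dict:
    """What the client's AUTH lines contain once base64 is removed."""
    raw = [base64.b64decode(line) for line in client_lines]
    if mechanism == "PLAIN":       # authzid NUL authcid NUL password
        _authzid, user, password = raw[0].split(b"\0")
        return {"user": user.decode(), "password": password.decode()}
    if mechanism == "LOGIN":       # username line, then password line
        return {"user": raw[0].decode(), "password": raw[1].decode()}
    if mechanism == "CRAM-MD5":    # username SP hex digest
        user, _, digest = raw[0].decode().rpartition(" ")
        return {"user": user, "digest": digest}
    raise ValueError(f"unsupported mechanism: {mechanism}")


# Constructed sample account (not taken from the thread).
USER, PASSWORD = "alice@example.com", "correct horse battery"
DB = {USER: PASSWORD}


def demo() -> dict:
    # Two constructed challenges, as two separate connections would receive.
    first = make_challenge(2101, 1127400000, "mx.example.com")
    second = make_challenge(2102, 1127400007, "mx.example.com")
    response = cram_md5_response(USER, PASSWORD, b64(first.encode()))
    return {
        "plain": wire_contents("PLAIN", [b64(f"\0{USER}\0{PASSWORD}".encode())]),
        "login": wire_contents("LOGIN", [b64(USER.encode()), b64(PASSWORD.encode())]),
        "cram": wire_contents("CRAM-MD5", [response]),
        "accepted": server_verify(response, first, DB),
        # The same response presented against a later challenge is rejected.
        "replay_accepted": server_verify(response, second, DB),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The challenge and digest seen on the wire still allow password guesses to be checked offline, which is the brute-force exception mentioned in the thread, so password strength and TLS remain relevant.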
Re: [vchkpw] chkuser 2.0.8b
Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in the need for that tls anyways for smtp transactions.

Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).

220 mx.domain.com ESMTP
ehlo
250-mx.domain.com
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN

chkuser.c

#include "/home/vpopmail/include/vpopmail.h"
#include "/home/vpopmail/include/vauth.h"
#include "/home/vpopmail/include/vpopmail_config.h"
/* #define CHKUSER_ENABLE_VAUTH_OPEN */

/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd mx.domain.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Won't auth.

Anyone notice anything I might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right?

Thanks!
/Aleksander

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?
Tonino Thanks, /Aleksander - static void first_time_init (void) { char * temp_string; #if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, ALWAYS) == 0) { starting_value = 1; } else if (strcasecmp(starting_string, DOMAIN) == 0) { starting_value = 0; } } else { starting_string = ; } #endif - ./load qmail-qmtpd rcpthosts.o control.o constmap.o \ received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \ datetime.a open.a getln.a sig.a case.a env.a stralloc.a \ alloc.a substdio.a error.a str.a fs.a auto_qmail.o ./compile qmail-smtpd.c qmail-smtpd.c: In function `main': qmail-smtpd.c:1021: warning: return type of `main' is not `int' ./compile spf.c ./compile base64.c ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.26 20/09/2005, you wrote: Hi, Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pices in the right places. When i now try to compile it I get this: make ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 I have not changed anything directly within the .c file Can you pls post ten lines of code surrounding the error? Tonino Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
At 11.14 21/09/2005, you wrote: Hi I didnt. I missed the trailing */ on that line it seems. Thanks! - Now, it seems the patch didnt like working with auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe im not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the the smtp wont auth anyone and chkuser works somewhat how it is designed to work (sweet). 220 mx.domain.com ESMTP ehlo 250-mx.domain.com 250-PIPELINING 250-8BITMIME 250-SIZE 0 250 AUTH LOGIN PLAIN chkuser.c #include /home/vpopmail/include/vpopmail.h #include /home/vpopmail/include/vauth.h #include /home/vpopmail/include/vpopmail_config.h /* #define CHKUSER_ENABLE_VAUTH_OPEN */ /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /var/qmail/bin/qmail-smtpd mx.domain.com \ /home/vpopmail/bin/vchkpw /usr/bin/true 21 Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well. Tonino I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth. Anyone notice anything i might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right? Thanks! /Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right. Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h? 
Tonino Thanks, /Aleksander - static void first_time_init (void) { char * temp_string; #if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, ALWAYS) == 0) { starting_value = 1; } else if (strcasecmp(starting_string, DOMAIN) == 0) { starting_value = 0; } } else { starting_string = ; } #endif - ./load qmail-qmtpd rcpthosts.o control.o constmap.o \ received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \ datetime.a open.a getln.a sig.a case.a env.a stralloc.a \ alloc.a substdio.a error.a str.a fs.a auto_qmail.o ./compile qmail-smtpd.c qmail-smtpd.c: In function `main': qmail-smtpd.c:1021: warning: return type of `main' is not `int' ./compile spf.c ./compile base64.c ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.26 20/09/2005, you wrote: Hi, Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pices in the right places. When i now try to compile it I get this: make ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 I have not changed anything directly within the .c file Can you pls post ten lines of code surrounding the error? Tonino Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
Sorry, I'll include the complete run file;

#!/bin/sh
QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl ; export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/local/bin/softlimit -m 4000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd mx.domain.com \
    /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

/Aleksander

On 9/21/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.14 21/09/2005, you wrote:

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in the need for that tls anyways for smtp transactions.

Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).
220 mx.domain.com ESMTP ehlo 250-mx.domain.com 250-PIPELINING 250-8BITMIME 250-SIZE 0 250 AUTH LOGIN PLAIN chkuser.c #include /home/vpopmail/include/vpopmail.h #include /home/vpopmail/include/vauth.h #include /home/vpopmail/include/vpopmail_config.h /* #define CHKUSER_ENABLE_VAUTH_OPEN */ /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /var/qmail/bin/qmail-smtpd mx.domain.com \ /home/vpopmail/bin/vchkpw /usr/bin/true 21 Why are you running it with -u $QMAILDUID ? You should run it as vpopmail, excluding any uidswitching (if you enabled uidswitching within chkuser_settings.h, comment it). Cert must be owned by vpopmail as well. Tonino I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth. Anyone notice anything i might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right? Thanks! /Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right. Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h? 
Tonino Thanks, /Aleksander - static void first_time_init (void) { char * temp_string; #if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, ALWAYS) == 0) { starting_value = 1; } else if (strcasecmp(starting_string, DOMAIN) == 0) { starting_value = 0; } } else { starting_string = ; } #endif - ./load qmail-qmtpd rcpthosts.o control.o constmap.o \ received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \ datetime.a open.a getln.a sig.a case.a env.a stralloc.a \ alloc.a substdio.a error.a str.a fs.a auto_qmail.o ./compile qmail-smtpd.c qmail-smtpd.c: In function `main': qmail-smtpd.c:1021: warning: return type of `main' is not `int' ./compile spf.c ./compile base64.c ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.26 20/09/2005, you wrote: Hi, Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pices in the right places. When i now try to compile it I get this: make ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 I have not changed anything directly within the .c file Can you pls post ten lines of code surrounding the error? Tonino Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
At 11.56 21/09/2005, you wrote:

- Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched

Sorry, I never try those patches. Can you try them WITHOUT chkuser and check if problem comes from chkuser?

[Not related strictly to the problem, but may help... When possible I suggest to put auth system on different addresses than normal smtp, and disable chkuser, because Outlook does not handle correctly KO messages and it would be preferable to send back to sender a normal mail delivery message (users are trusted, so there should be no risk of spam disabling chkuser). Or, set up a variable excluding chkuser when user is authenticated.]

Tonino
Re: [vchkpw] chkuser 2.0.8b
Aleks,

I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail.

It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).

Regards,
bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 7:14 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe I'm not really in the need for that tls anyways for smtp transactions.

Now, anyone know if there is another trick to that to make the auth work with chkuser?
Qmail compiled finewith the patches and the result at the moment is the the smtp wont auth anyone and chkuser works somewhat how it is designed to work (sweet).220 mx.domain.com ESMTPehlo250-mx.domain.com250-PIPELINING250-8BITMIME250-SIZE 0250 AUTH LOGIN PLAINchkuser.c#include "/home/vpopmail/include/vpopmail.h"#include "/home/vpopmail/include/vauth.h"#include "/home/vpopmail/include/vpopmail_config.h"/* #define CHKUSER_ENABLE_VAUTH_OPEN *//usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \/var/qmail/bin/qmail-smtpd mx.domain.com \/home/vpopmail/bin/vchkpw /usr/bin/true 21I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth.Anyone notice anything i might have missed out?This hoffman patch -should- work with a vpopmail/mysql setup right?Thanks!/Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src.Hope this is right.Yes. 
How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?Tonino Thanks,/Aleksander-static void first_time_init (void) { char * temp_string;#if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, "ALWAYS") == 0) { starting_value = 1; } else if (strcasecmp(starting_string, "DOMAIN") == 0) { starting_value = 0; } } else { starting_string = ""; }#endif-./load qmail-qmtpd rcpthosts.o control.o constmap.o \received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \datetime.a open.a getln.a sig.a case.a env.a stralloc.a \alloc.a substdio.a error.a str.a fs.a auto_qmail.o ./compile qmail-smtpd.cqmail-smtpd.c: In function `main':qmail-smtpd.c:1021: warning: return type of `main' is not `int'./compile spf.c./compile base64.c./compile chkuser.cchkuser.c: In function `first_time_init':chkuser.c:425: error: syntax error before '/' tokenmake: *** [chkuser.o] Error 1On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.26 20/09/2005, you wrote: Hi, Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pices in the right places. When i now try to compile it I get this: make ./compile chkuser.c chkuser.c: In function `first_time_init': chkuser.c:425: error: syntax error before '/' token make: *** [chkuser.o] Error 1 I have not changed anything directly within the .c file Can you pls post ten lines of code surrounding the error? Tonino Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
Thanks Bruno, but I'm not that keen on the TLS support anymore. Perhaps I'll toast next time :)

For now I'm going to figure out why I can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549 220 mx.domain.com ESMTP
4549 EHLO [192.168.0.100]
4549 250-mx.domain.com
4549 250-PIPELINING
4549 250-8BITMIME
4549 250-SIZE 0
4549 250 AUTH LOGIN PLAIN CRAM-MD5
4549 AUTH CRAM-MD5
4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549 535 authentication failed (#5.7.1)
4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549 535 authentication failed (#5.7.1)
4549 AUTH LOGIN
4549 334 VXNlcmbWU6
4549 YWxla3NhlckBvbHNlbi5jbg==
4549 334 UGFzc3dvcmQ6
4549 eWY4NpdG8=
4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks,

I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail.

It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).

Regards,
bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 7:14 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch).
I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe im not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled finewith the patches and the result at the moment is the the smtp wont auth anyone and chkuser works somewhat how it is designed to work (sweet).220 mx.domain.com ESMTPehlo 250-mx.domain.com250-PIPELINING250-8BITMIME250-SIZE 0250 AUTH LOGIN PLAINchkuser.c#include /home/vpopmail/include/vpopmail.h#include /home/vpopmail/include/vauth.h#include /home/vpopmail/include/vpopmail_config.h/* #define CHKUSER_ENABLE_VAUTH_OPEN *//usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \-u $QMAILDUID -g $NOFILESGID 0 smtp \/var/qmail/bin/qmail-smtpd mx.domain.com \/home/vpopmail/bin/vchkpw /usr/bin/true 21I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth.Anyone notice anything i might have missed out?This hoffman patch -should- work with a vpopmail/mysql setup right?Thanks!/Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src.Hope this is right.Yes. 
How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?Tonino Thanks,/Aleksander-static void first_time_init (void) { char * temp_string;#if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, ALWAYS) == 0) { starting_value = 1; } else if (strcasecmp(starting_string, DOMAIN) == 0) { starting_value = 0; } } else { starting_string = ; }#endif-./load qmail-qmtpd rcpthosts.o control.o constmap.o \received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \datetime.a open.a getln.a sig.a case.a env.a stralloc.a \alloc.a substdio.a error.a str.a fs.a auto_qmail.o ./compile qmail-smtpd.cqmail-smtpd.c: In function `main':qmail-smtpd.c:1021: warning: return type of `main' is not `int'./compile spf.c./compile base64.c./compile chkuser.cchkuser.c: In function `first_time_init':chkuser.c:425: error: syntax error before '/' tokenmake: *** [chkuser.o] Error 1On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.26 20/09/2005, you wrote: Hi, Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http
Re: [vchkpw] chkuser 2.0.8b
Did you remember to correctly start qmail-smtpd on the run script? Below is an example of a working one:

#!/bin/sh
VPOPMAILUID=`id -u vpopmail`
VPOPMAILGID=`id -g vpopmail`
VpopmailHome=`grep vpopmail /etc/passwd|cut -d':' -f6`
#SIMSCAN_DEBUG=2
#QMAILQUEUE=/var/qmail/bin/simscan
#export QMAILQUEUE SIMSCAN_DEBUG
#export QMAILQUEUE
exec /usr/local/bin/softlimit -m 1000 \
    /usr/local/bin/tcpserver -v -p -x $VpopmailHome/etc/tcp.smtp.cdb \
    -u $VPOPMAILUID -g $VPOPMAILGID 0 smtp \
    /usr/local/bin/recordio sh -c '/var/qmail/bin/qmail-smtpd \
    /var/vpopmail/bin/vchkpw /usr/bin/true 2>&1'

regards,
bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 10:38 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Thanks Bruno, but I'm not that keen on the TLS support anymore. Perhaps I'll toast next time :)

For now I'm going to figure out why I can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549 220 mx.domain.com ESMTP
4549 EHLO [192.168.0.100]
4549 250-mx.domain.com
4549 250-PIPELINING
4549 250-8BITMIME
4549 250-SIZE 0
4549 250 AUTH LOGIN PLAIN CRAM-MD5
4549 AUTH CRAM-MD5
4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549 535 authentication failed (#5.7.1)
4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549 535 authentication failed (#5.7.1)
4549 AUTH LOGIN
4549 334 VXNlcmbWU6
4549 YWxla3NhlckBvbHNlbi5jbg==
4549 334 UGFzc3dvcmQ6
4549 eWY4NpdG8=
4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks,

I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys.
There is even an EMPF patch made specially for qmail-toaster, but not for netqmail. It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster). Regards, bnegrao - Original Message - From: Aleks Olsen To: vchkpw@inter7.com Sent: Wednesday, September 21, 2005 7:14 AM Subject: Re: [vchkpw] chkuser 2.0.8b Hi I didnt. I missed the trailing */ on that line it seems. Thanks! - Now, it seems the patch didnt like working with auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe im not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the the smtp wont auth anyone and chkuser works somewhat how it is designed to work (sweet). 220 mx.domain.com ESMTP ehlo 250-mx.domain.com 250-PIPELINING 250-8BITMIME 250-SIZE 0 250 AUTH LOGIN PLAIN chkuser.c #include /home/vpopmail/include/vpopmail.h #include /home/vpopmail/include/vauth.h #include /home/vpopmail/include/vpopmail_config.h /* #define CHKUSER_ENABLE_VAUTH_OPEN */ /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \ -u $QMAILDUID -g $NOFILESGID 0 smtp \ /var/qmail/bin/qmail-smtpd mx.domain.com \ /home/vpopmail/bin/vchkpw /usr/bin/true 21 I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth. Anyone notice anything i might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right? Thanks! 
/Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right. Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h? Tonino Thanks, /Aleksander - static void first_time_init (void) { char * temp_string; #if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, ALWAYS) == 0) { starting_value = 1; } else if (strcasecmp(starting_string, DOMAIN) == 0) { starting_value = 0; } } else { starting_string = ; } #endif - ./load qmail-qmtpd rcpthosts.o control.o constmap.o \ received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \ datetime.a open.a getln.a sig.a case.a env.a stralloc.a \ alloc.a
Re: [vchkpw] chkuser 2.0.8b
But you don't need to use TLS, your qmail will just support it. It won't bother you to have it. Since the toaster gives you all the installation steps (you cut and paste every command) you don't need to read boring tls stuff (I didn't).

regards,
bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 10:38 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Thanks Bruno, but I'm not that keen on the TLS support anymore. Perhaps I'll toast next time :)

For now I'm going to figure out why I can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549 220 mx.domain.com ESMTP
4549 EHLO [192.168.0.100]
4549 250-mx.domain.com
4549 250-PIPELINING
4549 250-8BITMIME
4549 250-SIZE 0
4549 250 AUTH LOGIN PLAIN CRAM-MD5
4549 AUTH CRAM-MD5
4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549 535 authentication failed (#5.7.1)
4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549 535 authentication failed (#5.7.1)
4549 AUTH LOGIN
4549 334 VXNlcmbWU6
4549 YWxla3NhlckBvbHNlbi5jbg==
4549 334 UGFzc3dvcmQ6
4549 eWY4NpdG8=
4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks,

I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail.

It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).
Regards, bnegrao - Original Message - From: Aleks Olsen To: vchkpw@inter7.com Sent: Wednesday, September 21, 2005 7:14 AM Subject: Re: [vchkpw] chkuser 2.0.8b Hi I didnt. I missed the trailing */ on that line it seems. Thanks!-Now, it seems the patch didnt like working with auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe im not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled finewith the patches and the result at the moment is the the smtp wont auth anyone and chkuser works somewhat how it is designed to work (sweet).220 mx.domain.com ESMTPehlo250-mx.domain.com250-PIPELINING250-8BITMIME250-SIZE 0250 AUTH LOGIN PLAINchkuser.c#include "/home/vpopmail/include/vpopmail.h"#include "/home/vpopmail/include/vauth.h"#include "/home/vpopmail/include/vpopmail_config.h"/* #define CHKUSER_ENABLE_VAUTH_OPEN *//usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \/var/qmail/bin/qmail-smtpd mx.domain.com \/home/vpopmail/bin/vchkpw /usr/bin/true 21I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont auth.Anyone notice anything i might have missed out?This hoffman patch -should- work with a vpopmail/mysql setup right?Thanks!/Aleksander On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote: At 11.51 20/09/2005, you wrote: Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src.Hope this is right.Yes. 
How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?Tonino Thanks,/Aleksander-static void first_time_init (void) { char * temp_string;#if !defined CHKUSER_ALWAYS_ON defined CHKUSER_STARTING_VARIABLE starting_string = env_get (CHKUSER_STARTING_VARIABLE); if (starting_string) { if (strcasecmp(starting_string, "ALWAYS") == 0) { starting_value = 1; } else if (strcasecmp(starting_string, "DOMAIN") == 0) { starting_value = 0; } } else {
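The three mechanisms in the AUTH session quoted above put different things on the wire: PLAIN and LOGIN are only base64 of the credentials, while CRAM-MD5 sends an HMAC that the server must recompute from a cleartext password. An added example (not code from the thread, qmail or vpopmail; the user, password, challenge and the `lookup_password` callback are constructed for illustration) that decodes and checks each form and reports damaged base64 instead of raising:

```python
import base64
import binascii
import hmac

def b64d(blob):
    """Decode one base64 AUTH line; return None instead of raising if it is damaged."""
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def parse_plain(blob):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password)."""
    raw = b64d(blob)
    if raw is None or raw.count(b"\0") != 2:
        return None
    _authzid, user, password = raw.split(b"\0")
    return user.decode(errors="replace"), password.decode(errors="replace")

def parse_login(user_blob, password_blob):
    """AUTH LOGIN sends user and password as two separate base64 lines."""
    user, password = b64d(user_blob), b64d(password_blob)
    if user is None or password is None:
        return None
    return user.decode(errors="replace"), password.decode(errors="replace")

def cram_md5_response(user, password, challenge_b64):
    """Client side: base64('user ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, "md5").hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def verify_cram_md5(response_b64, challenge_b64, lookup_password):
    """Server side: recompute the HMAC from the stored cleartext password."""
    raw, challenge = b64d(response_b64), b64d(challenge_b64)
    if raw is None or challenge is None or b" " not in raw:
        return False, "malformed response"
    # The digest is the last space-separated token; the rest is the user name.
    user, _, digest = raw.decode(errors="replace").rpartition(" ")
    password = lookup_password(user)
    if password is None:
        return False, "unknown user or no cleartext password stored"
    expected = hmac.new(password.encode(), challenge, "md5").hexdigest()
    if hmac.compare_digest(expected.encode(), digest.lower().encode()):
        return True, user
    return False, "digest mismatch"

# Constructed sample data (not taken from the thread).
USERS = {"alice@example.test": "constructed-pw"}
CHALLENGE = base64.b64encode(b"<1234.1127307000@mx.example.test>").decode()

if __name__ == "__main__":
    resp = cram_md5_response("alice@example.test", "constructed-pw", CHALLENGE)
    print("CRAM-MD5:", verify_cram_md5(resp, CHALLENGE, USERS.get))
    plain = base64.b64encode(b"\0alice@example.test\0constructed-pw").decode()
    print("PLAIN decodes to:", parse_plain(plain))
    print("damaged PLAIN:", parse_plain(plain[:7] + plain[8:]))
```

Because PLAIN and LOGIN decode straight back to the password, a session log containing them is as sensitive as the password itself.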
Re: [vchkpw] chkuser 2.0.8b
Sorry for the dumb question. Are your users/domains smtp flags not disabled?

Tonino

At 14.38 21/09/2005, you wrote:

Thanks Bruno, but i'm not that keen on the TLS support anymore. Perhaps i'll toast next time :)

For now i'm going to figure out why i can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549 220 mx.domain.com ESMTP
4549 EHLO [192.168.0.100]
4549 250-mx.domain.com
4549 250-PIPELINING
4549 250-8BITMIME
4549 250-SIZE 0
4549 250 AUTH LOGIN PLAIN CRAM-MD5
4549 AUTH CRAM-MD5
4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549 535 authentication failed (#5.7.1)
4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549 535 authentication failed (#5.7.1)
4549 AUTH LOGIN
4549 334 VXNlcmbWU6
4549 YWxla3NhlckBvbHNlbi5jbg==
4549 334 UGFzc3dvcmQ6
4549 eWY4NpdG8=
4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks, I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail. It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).

Regards, bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 7:14 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe i'm not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).

220 mx.domain.com ESMTP
ehlo
250-mx.domain.com
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN

chkuser.c

#include "/home/vpopmail/include/vpopmail.h"
#include "/home/vpopmail/include/vauth.h"
#include "/home/vpopmail/include/vpopmail_config.h"
/* #define CHKUSER_ENABLE_VAUTH_OPEN */

/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd mx.domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Won't auth.

Anyone notice anything i might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right?

Thanks! /Aleksander

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?

Tonino

Thanks, /Aleksander

-
static void first_time_init (void) {
    char * temp_string;
#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
    starting_string = env_get (CHKUSER_STARTING_VARIABLE);
    if (starting_string) {
        if (strcasecmp(starting_string, "ALWAYS") == 0) {
            starting_value = 1;
        } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
            starting_value = 0;
        }
    } else {
        starting_string = "";
    }
#endif
-
./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o
./compile qmail-smtpd.c
qmail-smtpd.c: In function `main':
qmail-smtpd.c:1021: warning: return type of `main' is not `int'
./compile spf.c
./compile base64.c
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.26 20/09/2005, you wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pieces in the right
Re: [vchkpw] chkuser 2.0.8b
I'm not really sure what flags you are aiming for tonix. But i guess they could be enabled/disabled?

Aleks

On 9/21/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

Sorry for the dumb question. Are your users/domains smtp flags not disabled?

Tonino

At 14.38 21/09/2005, you wrote:

Thanks Bruno, but i'm not that keen on the TLS support anymore. Perhaps i'll toast next time :)

For now i'm going to figure out why i can't auth with the vpopmail/contrib/auth patch or the newest version http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549 220 mx.domain.com ESMTP
4549 EHLO [192.168.0.100]
4549 250-mx.domain.com
4549 250-PIPELINING
4549 250-8BITMIME
4549 250-SIZE 0
4549 250 AUTH LOGIN PLAIN CRAM-MD5
4549 AUTH CRAM-MD5
4549 334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549 YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549 535 authentication failed (#5.7.1)
4549 AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549 535 authentication failed (#5.7.1)
4549 AUTH LOGIN
4549 334 VXNlcmbWU6
4549 YWxla3NhlckBvbHNlbi5jbg==
4549 334 UGFzc3dvcmQ6
4549 eWY4NpdG8=
4549 535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao [EMAIL PROTECTED] wrote:

Aleks, I also had problems when I tried to install chkuser and the auth patch in vpopmail/contrib. I discovered that Bill Shupp's qmail-toaster http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls patches and I'm testing it now. On the toaster mailing list you'll find Antonio Nati and other nice guys. There is even an EMPF patch made specially for qmail-toaster, but not for netqmail. It seems to me that there's a lot of people supporting qmail-toaster. Maybe you'd like to try qmail-toaster installation instead of installing all these patches by hand (this is what I'm trying to get with qmail-toaster).

Regards, bnegrao

- Original Message -
From: Aleks Olsen
To: vchkpw@inter7.com
Sent: Wednesday, September 21, 2005 7:14 AM
Subject: Re: [vchkpw] chkuser 2.0.8b

Hi

I didn't. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didn't like working with auth-jms1.4a.patch (auth patch) and/or qmail-1.03-jms1.5.patch (tls patch). I got the auth patch from the vpopmail contrib dir and tried with that, leaving the ones mentioned above out of it and then patched with the netqmail*auth*chkuser patch. I believe i'm not really in the need for that tls anyways for smtp transactions. Now, anyone know if there is another trick to that to make the auth work with chkuser? Qmail compiled fine with the patches and the result at the moment is the smtp won't auth anyone and chkuser works somewhat how it is designed to work (sweet).

220 mx.domain.com ESMTP
ehlo
250-mx.domain.com
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN

chkuser.c

#include "/home/vpopmail/include/vpopmail.h"
#include "/home/vpopmail/include/vauth.h"
#include "/home/vpopmail/include/vpopmail_config.h"
/* #define CHKUSER_ENABLE_VAUTH_OPEN */

/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd mx.domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Won't auth.

Anyone notice anything i might have missed out? This hoffman patch -should- work with a vpopmail/mysql setup right?

Thanks! /Aleksander

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?

Tonino

Thanks, /Aleksander

-
static void first_time_init (void) {
    char * temp_string;
#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
    starting_string = env_get (CHKUSER_STARTING_VARIABLE);
    if (starting_string) {
        if (strcasecmp(starting_string, "ALWAYS") == 0) {
            starting_value = 1;
        } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
            starting_value = 0;
        }
    } else {
        starting_string = "";
    }
#endif
-
./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o
./compile qmail-smtpd.c
qmail-smtpd.c: In function `main':
qmail-smtpd.c:1021: warning: return type of `main' is not `int'
./compile spf.c
Re: [vchkpw] chkuser 2.0.8b
At 11.26 20/09/2005, you wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pieces in the right places. When i now try to compile it I get this:

make
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

I have not changed anything directly within the .c file

Can you pls post ten lines of code surrounding the error?

Tonino

Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Thanks, /Aleksander

-
static void first_time_init (void) {
    char * temp_string;
#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
    starting_string = env_get (CHKUSER_STARTING_VARIABLE);
    if (starting_string) {
        if (strcasecmp(starting_string, "ALWAYS") == 0) {
            starting_value = 1;
        } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
            starting_value = 0;
        }
    } else {
        starting_string = "";
    }
#endif
-
./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o
./compile qmail-smtpd.c
qmail-smtpd.c: In function `main':
qmail-smtpd.c:1021: warning: return type of `main' is not `int'
./compile spf.c
./compile base64.c
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.26 20/09/2005, you wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pieces in the right places. When i now try to compile it I get this:

make
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

I have not changed anything directly within the .c file

Can you pls post ten lines of code surrounding the error?

Tonino

Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as I get with the already patched up src. Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within chkuser_settings.h?

Tonino

Thanks, /Aleksander

-
static void first_time_init (void) {
    char * temp_string;
#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
    starting_string = env_get (CHKUSER_STARTING_VARIABLE);
    if (starting_string) {
        if (strcasecmp(starting_string, "ALWAYS") == 0) {
            starting_value = 1;
        } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
            starting_value = 0;
        }
    } else {
        starting_string = "";
    }
#endif
-
./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o
./compile qmail-smtpd.c
qmail-smtpd.c: In function `main':
qmail-smtpd.c:1021: warning: return type of `main' is not `int'
./compile spf.c
./compile base64.c
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

At 11.26 20/09/2005, you wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems i hit a rock and hoping for some guidance. I followed the manual patch guide at http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html and think I somewhat fit all the pieces in the right places. When i now try to compile it I get this:

make
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

I have not changed anything directly within the .c file

Can you pls post ten lines of code surrounding the error?

Tonino

Anyone got a clue? Thanks! /Aleksander
Re: [vchkpw] chkuser 2.0.8b
At 18.58 26/07/2005, you wrote:

If it works telnetting to port 25, then it should work from anywhere, as the protocol is the same and the programs are the same. What are logs saying about rejected/lost messages?

The logs say nothing.

Is there any chkuser log in /var/log/maillog (or wherever you keep your logs)? Are your logs active? My starting script has

/var/qmail/bin/qmail-smtpd-smtp 2>&1 | splogger mymxname

in the last line (I don't use supervise), so my chkuser logs are active. If your logs are active and see no chkuser logs, problem is elsewhere.

What I had noticed is that sending through an email client, the messages do not appear to hit my system at all and are sent to my mailbackup. once i switch back, the mail starts coming in from the mailbackup as normal.

Are you sure the problem is in chkuser or qmail? If mails are going to backup MX it looks the problem is elsewhere. Are your clients sending to a fix relay, or are they using the best MX, routing by themselves?

/*
 * Uncomment this to enable uid/gid changing
 * (switching UID/GID is NOT compatible with TLS; you may keep this commented if you have TLS)
 */
#define CHKUSER_ENABLE_UIDGID

Are you using this the right way, putting right setuid/setgid bits on over patched qmail-smtpd?

I am not sure, I believe this was uncommented and didn't change it at all. I am not using any TLS patches [I couldn't get them to work at the time so i stopped trying]. I didn't think it would hurt to leave it enabled.

It should be the same, as it should switch from vpopmail user to vpopmail user. Anyway, comment it (default) if you are simply running as vpopmail.

Tonino
Re: [vchkpw] chkuser 2.0.8b
At 07.28 26/07/2005, you wrote:

I am having a problem with chkuser. When qmail is running with the patch, everything appears to be working fine. i can telnet into port 25 of my server and send a test message from my local box and a remote box. this test appears in my inbox as normal. but when i send through a mail client, such as outlook, thunderbird, or even yahoo webmail, the messages are not delivered AT ALL. mail works normally when i use the old qmail-smtpd file [before patching]. Does this make sense to anyone?

If it works telnetting to port 25, then it should work from anywhere, as the protocol is the same and the programs are the same. What are logs saying about rejected/lost messages?

The logs say nothing. What I had noticed is that sending through an email client, the messages do not appear to hit my system at all and are sent to my mailbackup. once i switch back, the mail starts coming in from the mailbackup as normal. later today i will run a tcpdump session on my FW checking to see if anything hits me and i will also try with a email client externally and enable logging on that.

/*
 * Uncomment this to enable uid/gid changing
 * (switching UID/GID is NOT compatible with TLS; you may keep this commented if you have TLS)
 */
#define CHKUSER_ENABLE_UIDGID

Are you using this the right way, putting right setuid/setgid bits on over patched qmail-smtpd?

I am not sure, I believe this was uncommented and didn't change it at all. I am not using any TLS patches [I couldn't get them to work at the time so i stopped trying]. I didn't think it would hurt to leave it enabled. the patches I am using are: maildir++ and qmail-remote-auth and of course trying to get chkuser working. I thought it would be ok since the qmail-smtpd/run script is pulling up qmail-smtpd as the vpopmail user and group. should i try to uncomment this and try again?

thanks for any help in advance

Dan Delaney

Tonino

thanks again

Dan Delaney