Re: [vchkpw] Problem with vadddomain -u and mysql authentication.
Tijs Zwinkels wrote:

> Hey vpop-mailers! :),
>
> I am currently trying to use vpopmail 2.4.12 with mysql authentication. I want to store the mail in the user-directories, to make mail count for the system-quota's. Therefore I'm using the vadddomain -u flag.
>
> Both in the qmail-send log when trying to send a message ( vmysql:_can't_read_settings_from_/var/vpopmail/etc/vpopmail.mysql/vdelivermail :_deferred,_database_down/ ) as in the qmailadmin error_log when trying to logon ( vmysql: can't read settings from /var/vpopmail/etc/vpopmail.mysql) I'm getting errors about not being able to read the vpopmail.mysql file. For domains created without the -u option, or if I make the vpopmail.mysql file world readable, everything works fine.
>
> It seems that both qmailadmin and the delivery process 'setuid' to the user that's receiving the mail. The problem is: the vpopmail.mysql file isn't readable by 'normal' users. Nor do I want it to be readable by my users: With the information in this file, they could logon and alter the database for every user on the system!
>
> Any ideas on how to handle this?
>
> Thanks in Advance,
> Tijs Zwinkels
> Mindconnect

Hi,

I do the same thing here and I run qmail-smtpd as root. Otherwise it doesn't work as you have seen.

Regards,
Rick
Re: [vchkpw] Problem with vadddomain -u and mysql authentication.
On 2005-08-25, at 0900, Tijs Zwinkels wrote:

> I am currently trying to use vpopmail 2.4.12 with mysql authentication. I want to store the mail in the user-directories, to make mail count for the system-quota's. Therefore I'm using the vadddomain -u flag.

you do realize that vpopmail stores an entire DOMAIN under one system userid, rather than each MAILBOX under its own system userid? the only reason for doing this is if you need a filesystem quota to control the domain at large, rather than (or in addition to) a separate quota for each mailbox.

i tried this once... if users have access to their Maildir, either through a shell or through FTP, they will find them and mess them up - deleting a tmp directory from a folder here, or deleting their Maildir in an attempt to clean up their disk space... i found it easier to make a separate repository for mailboxes (say, inside of the vpopmail's home directory) and give each user two quotas - one for mail, and one for FTP and web stuff.

> I'm getting errors about not being able to read the vpopmail.mysql file. For domains created without the -u option, or if I make the vpopmail.mysql file world readable, everything works fine.

normally this file has its ownership and permissions set so that it can only be read by the vpopmail user. if you're using specific system userid's for one or more domains, those userid's must also be able to read the file.

> It seems that both qmailadmin and the delivery process 'setuid' to the user that's receiving the mail. The problem is: the vpopmail.mysql file isn't readable by 'normal' users.

ah. you already understand the problem then.

> Nor do I want it to be readable by my users: With the information in this file, they could logon and alter the database for every user on the system! Any ideas on how to handle this?

don't use separate system userid's for each domain.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
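
An added example, not part of the original thread and not vpopmail's own code: a shell check for the permission state described in the message above, reporting who can read the credentials file and whether it is owned by the expected account. The function names `cred_exposure` and `cred_file_ok` are hypothetical; the path and the `vpopmail` owner in the usage comment are the ones named in the thread.

```shell
#!/bin/sh
# Added example: audit a database-credentials file such as
# /var/vpopmail/etc/vpopmail.mysql (path taken from the thread).

# Print who can read the file, judged by its mode bits:
# missing, world-readable, group-readable or owner-only.
cred_exposure() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # find -perm -MODE matches only when every bit in MODE is set.
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo world-readable
    elif [ -n "$(find "$f" -prune -perm -040)" ]; then
        echo group-readable
    else
        echo owner-only
    fi
}

# Succeed only when the file is owned by the expected account
# (name or numeric uid) and readable by that owner alone.
cred_file_ok() {
    f=$1
    want_owner=$2
    # Resolve a name to a uid; keep the argument if it is already a uid.
    want_uid=$(id -u "$want_owner" 2>/dev/null) || want_uid=$want_owner
    owner_uid=$(ls -ldn "$f" | awk '{print $3}')
    [ "$owner_uid" = "$want_uid" ] &&
        [ "$(cred_exposure "$f")" = owner-only ]
}

# Usage: sh audit.sh vpopmail /var/vpopmail/etc/vpopmail.mysql
if [ "$#" -ge 2 ]; then
    owner=$1
    shift
    for f in "$@"; do
        if cred_file_ok "$f" "$owner"; then
            echo "OK   $f (owner-only, owned by $owner)"
        else
            echo "WARN $f ($(cred_exposure "$f"))"
        fi
    done
fi
```

A `group-readable` result is only as safe as the membership of that group: every account in it can read the database password.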
Re: [vchkpw] Problem with vadddomain -u and mysql authentication.
On 2005-08-25, at 0907, Rick Macdougall wrote:

> Tijs Zwinkels wrote:
>
>> It seems that both qmailadmin and the delivery process 'setuid' to the user that's receiving the mail. The problem is: the vpopmail.mysql file isn't readable by 'normal' users. Nor i want it to be readable by my users: With the information in this file, they could logon and alter the database for every user on the system! Any ideas on how to handle this?
>
> I do the same thing here and I run qmail-smtpd as root. Otherwise it doesn't work as you have seen.

part of the reason that qmail is broken into several parts is to limit the amount of damage that can be done by a security breach. running qmail-smtpd as root is not necessary, and is in fact dangerous.

of course there is a $500 guarantee on the security of qmail's code, but (1) that doesn't apply if you're using any qmail patches (and nowadays, who isn't?) and (2) if somebody does find a security hole (and chances are it will be because of a problem with a patch rather than with qmail itself) do you want your system to be one of the first victims?

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ [EMAIL PROTECTED] |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
--
Re: [vchkpw] Problem with vadddomain -u and mysql authentication.
John Simpson wrote:

> On 2005-08-25, at 0907, Rick Macdougall wrote:
>
>> I do the same thing here and I run qmail-smtpd as root. Otherwise it doesn't work as you have seen.
>
> part of the reason that qmail is broken into several parts is to limit the amount of damage that can be done by a security breach. running qmail-smtpd as root is not necessary, and is in fact dangerous.
>
> of course there is a $500 guarantee on the security of qmail's code, but (1) that doesn't apply if you're using any qmail patches (and nowadays, who isn't?) and (2) if somebody does find a security hole (and chances are it will be because of a problem with a patch rather than with qmail itself) do you want your system to be one of the first victims?

Not my choice. I just install and run it as per the management's requirements.

Regards,
Rick