Re: [vchkpw] Re: SMTP-Auth question

2004-04-05 Thread Joel Newkirk
(Apologies for the delayed reply - I've been on the road)
On Thu, 2004-04-01 at 13:52, Peter Palmreuther wrote:

  Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask for
  Authentication. 
 
 No. It'll /OFFER/ SMTP-AUTH, for those that want to set up their mail
 client to always use SMTP-AUTH instead of relying on a formerly done
 POP3.
 
 You absolutely don't have to make ANY use of this offer. If your IP is
 set to RELAYCLIENT= by a former POP3 (or whatever) connection, or
 even is set statically to be allowed to relay, the MUA can simply go


 I read this:
 
 ,- [ mid:[EMAIL PROTECTED] ]
 | Is there any way to set up SMTP-Auth, while still allowing pop-b4-smtp? 
 | So far when I've rebuilt the system with SMTP-Auth patching, it will
 | ONLY accept SMTP-Auth to allow relaying... :(
 `-
 
 as follows:
 
 - I want both methods, SMTP-Auth and POP3-b4-SMTP, for allowing a client
   to relay.
 - I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
   already set RELAYCLIENT=
 
 But maybe I got it wrong ... Joel?

No, you got it right.  When I'd tested after rebuilding with SMTP-Auth,
I was unable to send mail through without authentication.  It could,
however, have been caused by my MUA (Evolution 1.4) and my own local
configuration, rather than the server - I'll be looking into that
tomorrow.  Thanks.

j

-- 
Not all those who wander are lost.  - JRR Tolkien



Re: [vchkpw] Re: SMTP-Auth question

2004-04-05 Thread Werner Amon
Joel Newkirk wrote:


- I want both methods, SMTP-Auth and POP3-b4-SMTP, for allowing a client
 to relay.
- I don't want the system to /require/ SMTP-Auth when POP3-b4-SMTP
 already set RELAYCLIENT=
Hi,

I have such a setup.
I use qmail-spamcontrol+vpopmail+mysql+courier+relay-ctrl
my smtpd run file:

#!/bin/sh
# Run qmail-smtpd under tcpserver with the vpopmail uid/gid.
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
# relay-ctrl-check covers POP-before-SMTP clients; vchkpw covers SMTP-Auth.
exec /usr/local/bin/envdir /etc/relay-ctrl \
/usr/local/bin/tcpserver -v -R -H -c "$MAXSMTPD" -x /home/vpopmail/etc/tcp.smtp.cdb \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/usr/local/bin/relay-ctrl-check \
/usr/local/bin/rblsmtpd -b \
-r relays.ordb.org \
-r sbl-xbl.spamhaus.org \
-r opm.blitzed.org \
-r bl.spamcop.net \
-r list.dsbl.org \
-r relays.visi.com \
-r obsl.outblaze.com \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Both auth methods work well on my system

Werner


Re: [vchkpw] Re: SMTP-Auth question

2004-04-01 Thread Erwin Hoffmann
Hi Peter,

At 17:24 31.03.04 +0200, you wrote:
Hello Erwin,

On Wednesday, March 31, 2004 at 10:09:29 AM you wrote (at least in
part):

 In case a client is accepted via pop-4-smtpd, the $RELAYCLIENT environment
 variable is set. It might be useful to define this variable explicitly,
 ie. RELAYCLIENT=PB4S.

No. It will, for sure, not be useful.

I somehow disagree.

,- [ man qmail-smtpd ]
| [...]
|  Exception: If the environment variable RELAYCLIENT is
|  set,  qmail-smtpd  will  ignore  rcpthosts,  and will
|  append the value  of  RELAYCLIENT  to  each  incoming
|  recipient address.
| [...]
`-

Setting RELAYCLIENT to something different than an empty string is
only useful when one KNOWS what he/she does. The overwhelming majority
only wants RELAYCLIENT to unlock relay restrictions and therefore has to
set it empty.

Yes. But this is *EXACTLY* what we want.

The reason is twofold:

1. Relayclients which are identified by - let's say - static IP addresses
(ie. NOT by POP-b4-SMTP) have RELAYCLIENT=.
2. Relayclients identified by POP-b4-SMTP carrying RELAYCLIENT=P4S (sample).
Ok. qmail-smtpd will append this string to the Recipient address ([EMAIL PROTECTED]
= [EMAIL PROTECTED]). However, using ie. ksh capabilities you can do
${RECIPIENT%P4S} thus retaining the old RECIPIENT variable.

 Check it and call qmail-smtpd without any arguments.
 
 In case the variable is not set or empty, call qmail-smtpd with the proper
 SMTP Auth args.

This whole wrapper-stuff should not be necessary. If tcpserver sets
RELAYCLIENT due to .cdb or SQL-lookup it'll be passed to qmail-smtpd.
qmail-smtpd then will allow relaying even w/o SMTP-Auth.

Correct. 

I'm running a SMTP which offers SMTP-Auth and POP3-b4-SMTP and it
works w/o any wrappers at all. The SMTP-Auth patch simply sets
RELAYCLIENT for qmail-smtpd /WHEN/ someone authenticated successfully,
if not the formerly set RELAYCLIENT (passed as ENV-var from tcpserver,
when set) is not reset when authentication fails.

@Joel:

How about this: Copy your current qmail-smtpd invocation, remove all
the 'qmail-smtpd foo bar bla' stuff and replace it with a simple
'/usr/bin/env'. Make the tcpserver listen on port 26. Prepend an
environment clearing 'env' call. Start the stuff on command line. It
can be something similar to this:

env -i PATH=/var/qmail/bin:/usr/local/bin tcpserver -vRX \
 0 26 /usr/bin/env

(plus adding the stuff necessary for tcpserver reading the database
for potentially set environment vars like RELAYCLIENT)

Then connect to this server from a client-IP that should be set to
relaying allowed (e.g. by formerly executed POP3 authentication):

telnet $SERVER 26

You should see a line with PATH=... and some TCPREMOTExxx and
TCPLOCALxxx lines. Additionally you should see a line 'RELAYCLIENT='.

If this is there and your qmail-smtpd invocation looks up the same
database for possible RELAYCLIENT settings try this:

telnet $SERVER 35
EHLO _
MAIL FROM:
RCPT TO:[EMAIL PROTECTED]
QUIT

If this fails: please post the error you get, your qmail-smtpd startup
script and the result of above 'env'-test.


But that's not the question:

Even if RELAYCLIENT is set, (the Auth patched) qmail-smtpd *WILL* ask for
Authentication. 

If I understood correctly, that's *EXACTLY* what should be avoided.

regards.
--eh.

Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24
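
Added example (not part of any message in this thread, and not qmail's own code): a shell model of the relay decision the thread describes, showing that RELAYCLIENT set-but-empty and RELAYCLIENT unset are different states, and how a marker value such as P4S ends up appended to the recipient. The function names, the RCPTHOSTS list and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed stand-in for /var/qmail/control/rcpthosts (domains we accept mail for).
RCPTHOSTS="example.org example.net"

# relay_decision RCPT AUTH_OK
#   RCPT     address given in RCPT TO
#   AUTH_OK  1 if SMTP-Auth succeeded in this session, otherwise 0
# Reads RELAYCLIENT as tcpserver / relay-ctrl-check would have passed it.
# Prints "accept <final address>" or "reject <address>".
relay_decision() {
    rcpt=$1
    auth_ok=$2
    # ${RELAYCLIENT+set} is non-empty whenever the variable exists, even as "".
    # A plain [ -n "$RELAYCLIENT" ] test would wrongly treat "RELAYCLIENT=" as unset.
    if [ -n "${RELAYCLIENT+set}" ]; then
        # rcpthosts is ignored and the value is appended to the recipient.
        echo "accept ${rcpt}${RELAYCLIENT}"
        return 0
    fi
    if [ "$auth_ok" = 1 ]; then
        # Per the thread, the auth patch sets RELAYCLIENT on successful auth.
        echo "accept ${rcpt}"
        return 0
    fi
    # No relay permission: only local (rcpthosts) domains are accepted.
    domain=${rcpt##*@}
    for h in $RCPTHOSTS; do
        if [ "$h" = "$domain" ]; then
            echo "accept ${rcpt}"
            return 0
        fi
    done
    echo "reject ${rcpt}"
    return 1
}

# strip_marker ADDRESS MARKER: remove an appended RELAYCLIENT value again,
# the ${RECIPIENT%P4S} idea from the thread.
strip_marker() {
    printf '%s\n' "${1%"$2"}"
}

# Demo: same foreign recipient under the three RELAYCLIENT states.
( unset RELAYCLIENT; relay_decision user@elsewhere.test 0 ) || true
( RELAYCLIENT=;      relay_decision user@elsewhere.test 0 )
( RELAYCLIENT=P4S;   relay_decision user@elsewhere.test 0 )
```
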