Re: [vchkpw] SMTP Auth HOWTO?
Hello blist,

Friday, May 21, 2004, 2:00:08 AM, you wrote:

> I am installing vchkpw + SMTP AUTH + qmail. I have installed qmail with
> this patch: qmail-smtpd-auth-0.31 from
> http://members.elysium.pl/brush/qmail-smtpd-auth/
>
> Here is my run tcpserver script for qmail-smtpd:
>
>   exec /usr/local/bin/softlimit -m 1000 \
>   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
>   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
>   $QMAILDUID -g vchkpw 192.168.5.50 25 \
>   /usr/local/bin/fixcrio \
>   /usr/local/bin/rblsmtpd -r relays.ordb.org \
>   /var/qmail/bin/qmail-smtpd ps1.prostream.net \
>   /usr/local/vpopmail/bin/vchkpw /bin/true
>
> I cannot get any users to authenticate when sending email. I then tried
> taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it
> lets all users authenticate. I am running SUSE 9.0 x86-64 with vpopmail
> 5.4.0
>
> Any ideas why its not working?
>
> Thanks,
> Brooks Roy

Roy,

In the OLD days, people were happy with SMTP-Auth. I consider it LESS security as SMTP after POP, because with SMTP-Auth, You sent Your e-mail address and Your password of Your mailbox over the internet. When a man-in-the-middle catches this e-mail (or worse Your PW), he can use it for spam, or access Your mailbox.

I suggest You use: SHUPP's version with netqmail like :

  fetch http://www.qmail.org/netqmail-1.05.tar.gz
  tar xzvf netqmail-1.05.tar.gz
  cd netqmail-1.05
  ./collate.sh
  # patch with Shupp's TLS and SMTP-Auth
  fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
  patch < ./netqmail-1.05-tls-smtpauth-20040207.patch

certificate: You can copy those (extension .pem) from : freeBSD, vpopmail stuff

  cd /var/qmail/control
  cp /usr/local/cert/ipop3d.pem servercert.pem
  ln -s servercert.pem ./clientcert.pem

Activate TLS by creating a certificate, and You will be much better off to create an encrypted connection to Your SMTP server by the SMTP Enc

  smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)
  smtps 465/udp #smtp protocol over TLS/SSL (was ssmtp)

-- 
Best regards,
DEBO Jurgen
Re: [vchkpw] SMTP Auth HOWTO?
On Friday, May 21, 2004 5:41 AM, DEBO Jurgen E. G. wrote:

> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
> security as SMTP after POP, because with SMTP-Auth, You sent Your
> e-mail address and Your password of Your mailbox over the internet.

Are you insinuating that this is not so with POP3 (or SMTP after POP) ?

LOL

Jeremy Kister
http://jeremy.kister.com/
Re: [vchkpw] SMTP Auth HOWTO?
On Thursday 20 May 2004 09:24 pm, Brooks Roy wrote:

> I have put in the patch as described in the contrib README and changed
> it to be /bin/checkpassword instead of vchkpw and I still have the same
> scenario.

/bin/checkpassword generally needs to be run as root to authenticate users. More than likely you are not doing this. Why did you change from vchkpw to /bin/checkpassword ?

post your run script so we can try to attempt to help you.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [vchkpw] SMTP Auth HOWTO?
On Friday 21 May 2004 09:11 am, [EMAIL PROTECTED] wrote:

> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
> security as SMTP after POP, because with SMTP-Auth, You sent Your
> e-mail address and Your password of Your mailbox over the internet.
>
> JKister Are you insinuating that this is not so with POP3 (or SMTP
> JKister after POP)
>
> No not at all, where do You get this ?

you said it yourself.

> Maybe You read it Your way.

no, he read it as you wrote it.

> You can authenticate with POP3-SSL, and have a SMTP after POP, so where
> is Your point, in this case ?

you can also smtp auth over ssl

> What I was insinuating was to use TLS for SMTP, and not SMTP Auth.

you said that later, but that wasn't your original statement.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [vchkpw] SMTP Auth HOWTO?
On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:

> EH This is only true for SMTP Authentication of type plain and login.
> EH With CRAM-MD5 it's quite safe.
>
> Yes, it's 'quite' safe, but You still reveal Your e-mail address. If
> there are many hops between Your workstation and the smtpserver, You
> can get some spam in return.

I am truly amazed at that statement.

> More, Your mail is sent in plaintext. I prefer encrypted streams, so
> Shupp's patch which encrypts the stream with SSL, and authenticate
> afterwards (in plaintext) is still the best way to go, it's not a big
> effort to realize.

but most servers out there don't have TLS support so your email still goes across unencrypted.

for instance, I use smtps to talk to my mail server, purely because I have it available (I'm not using smtp auth or anything) but I realize that when it leaves my server it's not encrypted.

If you want end to end encryption of emails, most MUAs support pgp/gpg/s-mime encryption formats.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
Re: [vchkpw] SMTP Auth HOWTO?
[EMAIL PROTECTED] wrote:

> Hello Jeremy,
>
> Friday, May 21, 2004, 5:20:40 PM, you wrote:
>
> JK On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
> EH This is only true for SMTP Authentication of type plain and login.
> EH With CRAM-MD5 it's quite safe.

CRAM-MD5 makes it safer, not quite safe.

> Yes, it's 'quite' safe, but You still reveal Your e-mail address. If
> there are many hops between Your workstation and the smtpserver, You
> can get some spam in return.
>
> JK I am truly amazed at that statement.

This sounds pretty ridiculous to me also. People who spend inordinate amounts of time actually worrying about having their traffic sniffed, probably shouldn't be using anything remotely resembling common internet protocols.

> snip
>
> I agree on this. But why to promote smtp-auth in plaintext, cram when
> You have smtps to secure the stream up to Your mailserver (one step),
> but in this step, You 'can' have many hops between You and Your
> workstation, so this stream is the first to protect anyway. I agree on
> the fact there aren't many TLS servers, but if everyone do his own part
> to install the TLS option, we have in a little decade a much nicer
> place to have secure mail transport. If people stick with smtp-auth, we
> never get there.

Some of us don't actually have the luxury of smtp-tls because we have one physical mail server, or cluster thereof, serving multiple domains. These domains are all hidden from each other, so unless we start running separate smtpd instances, with their own configs, separate IPs we cannot present a certificate to each client that'd match what their mail client expects.

> (note: even Your soft, courier-imap seems to have an option for
> spamass, would be nice to see Dspam(.org) instead)

I think this'd be a show us the code request. There are quite a few ways to use spamassassin where its not a ridiculous memory hog (spamc/spamd for one).

Cheers,
Nick Harring
Webley Systems
Re: [vchkpw] SMTP Auth HOWTO?
PD Ahhh...yes! A flame war...always nice :) I quote from the one who has bringing 'the gas': EH You are joking, troll Well, I didn't start. This list is to help people. It's not about to be picky or to be arrogant, if someone share another view, he has the right to put his vision forward and to defend his case. You can discuss topics without insulting people and without words like 'troll', maintained in the directory of Dr. Erwin Hoffmann. Maybe I write terrible English, but I am on the internet for a few decades, and some use our programs quite a lot in their BSD stuff. I don't need insults of someone, who thinks to have the right to insult people, because he has a PhD. Well, you don't hear me complain!
Re: [vchkpw] SMTP Auth HOWTO?
Brooks Roy wrote:

> I do not have an open relay. I am trying to setup SMTP Auth. It is not
> working.. When users try to auth, it just keeps asking for username
> password over and over. Never sends.

How are they authenticating? with [EMAIL PROTECTED] or just username?

> X-Istence wrote:
> > Brooks Roy wrote:
> > > I have put in the patch as described in the contrib README and
> > > changed it to be /bin/checkpassword instead of vchkpw and I still
> > > have the same scenario.
> >
> > What does your data.cdb or smtp.cdb look like that gets created from
> > a file? Also, it should still be to vchkpw if you want to use
> > vpopmail.
> >
> > This is what your run file should look like:
> >
> >   exec /usr/local/bin/softlimit -m 1000 \
> >   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
> >   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
> >   $QMAILDUID -g vchkpw 192.168.5.50 25 \
> >   /usr/local/bin/fixcrio \
> >   /usr/local/bin/rblsmtpd -r relays.ordb.org \
> >   /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true
> >
> > Also make sure $QMAILDUID $MAXSMTPD and $LOCAL are set properly.
> >
> > I see that you have your /usr/local/vpopmail/etc/tcp.smtp.cdb, are
> > you sure that is not causing the open relay? Try pointing it to one
> > that only has:
> >
> >   :allow
> >
> > in it, and see if you are still an open relay then.

X-Istence
Re: [vchkpw] SMTP Auth HOWTO?
On Thursday 20 May 2004 07:00 pm, blist wrote:

> I am installing vchkpw + SMTP AUTH + qmail. I have installed qmail with
> this patch: qmail-smtpd-auth-0.31 from
> http://members.elysium.pl/brush/qmail-smtpd-auth/
>
> Here is my run tcpserver script for qmail-smtpd:
>
>   exec /usr/local/bin/softlimit -m 1000 \
>   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
>   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
>   $QMAILDUID -g vchkpw 192.168.5.50 25 \
>   /usr/local/bin/fixcrio \
>   /usr/local/bin/rblsmtpd -r relays.ordb.org \
>   /var/qmail/bin/qmail-smtpd ps1.prostream.net \
>   /usr/local/vpopmail/bin/vchkpw /bin/true

ok

> I cannot get any users to authenticate when sending email. I then tried
> taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it
> lets all users authenticate. I am running SUSE 9.0 x86-64 with vpopmail
> 5.4.0

what's the value of $QMAILDUID in that script?

also, if you take out the hostname you're an open relay, because you're authenticating with /bin/true

-Jeremy

> Any ideas why its not working?
>
> Thanks,
> Brooks Roy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
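Added example, not part of the original thread or of any patch discussed in it: the argument shift Jeremy Kitchen describes above, assuming a qmail-smtpd built with the 0.31 patch takes its first argument as the hostname and runs the remaining arguments as the checkpassword command. demo_checkpassword, the two style names and the credentials are constructed stand-ins for vchkpw and a real account.

```shell
#!/bin/sh
# Constructed stand-in for vchkpw, following the checkpassword interface:
# read "user\0password\0timestamp\0" from fd 3, then run the subprogram
# given as arguments only if the credentials match.
demo_checkpassword() {
    cp_creds=$(tr '\000' '\n' <&3)
    cp_user=$(printf '%s\n' "$cp_creds" | sed -n 1p)
    cp_pass=$(printf '%s\n' "$cp_creds" | sed -n 2p)
    [ "$cp_user" = "alice@example.test" ] || return 1
    [ "$cp_pass" = "constructed-password" ] || return 1
    "$@"
}

# auth_check USER PASS CMD...: hand the credentials to CMD on fd 3 the way
# an AUTH-patched qmail-smtpd would; exit status 0 means "authenticated".
auth_check() {
    ac_user=$1; ac_pass=$2; shift 2
    [ $# -gt 0 ] || return 111    # nothing left to run as checkpassword
    printf '%s\000%s\000%s\000' "$ac_user" "$ac_pass" "0" |
        "$@" 3<&0 </dev/null >/dev/null 2>&1
}

# would_accept STYLE USER PASS ARGS...: ARGS are whatever follows
# /var/qmail/bin/qmail-smtpd in the run script.
#   hostname-first: first argument is consumed as the hostname (assumed
#                   behaviour of the 0.31 patch)
#   no-hostname:    every argument belongs to the checkpassword command
#                   (assumed behaviour of the vpopmail contrib patch)
would_accept() {
    wa_style=$1; wa_user=$2; wa_pass=$3; shift 3
    case $wa_style in
        hostname-first) [ $# -gt 0 ] && shift ;;
        no-hostname)    ;;
        *) return 2 ;;
    esac
    auth_check "$wa_user" "$wa_pass" "$@"
}

# The thread's case: hostname removed from a hostname-first build, so the
# vchkpw stand-in is swallowed as the "hostname" and `true` does the check.
if would_accept hostname-first alice@example.test wrong-guess \
        demo_checkpassword true; then
    echo "hostname removed: a wrong password is accepted"
fi
# Same build with the hostname in place: the stand-in really runs.
if ! would_accept hostname-first alice@example.test wrong-guess \
        ps1.prostream.net demo_checkpassword true; then
    echo "hostname present: a wrong password is rejected"
fi
```

Running the same wrong-password probe against a live server after any change to the run script is the quickest way to confirm the AUTH check is actually being performed.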
Re: [vchkpw] SMTP Auth HOWTO?
Jeremy,

QMAILDUID = vpopmail

I know if i take out the domain its open :(.. That is the only thing so far that works.. I am at loss what I did wrong. Been googling all night :)

Jeremy Kitchen wrote:

> On Thursday 20 May 2004 07:00 pm, blist wrote:
> > I am installing vchkpw + SMTP AUTH + qmail. I have installed qmail
> > with this patch: qmail-smtpd-auth-0.31 from
> > http://members.elysium.pl/brush/qmail-smtpd-auth/
> >
> > Here is my run tcpserver script for qmail-smtpd:
> >
> >   exec /usr/local/bin/softlimit -m 1000 \
> >   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
> >   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
> >   $QMAILDUID -g vchkpw 192.168.5.50 25 \
> >   /usr/local/bin/fixcrio \
> >   /usr/local/bin/rblsmtpd -r relays.ordb.org \
> >   /var/qmail/bin/qmail-smtpd ps1.prostream.net \
> >   /usr/local/vpopmail/bin/vchkpw /bin/true
>
> ok
>
> > I cannot get any users to authenticate when sending email. I then
> > tried taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd
> > and it lets all users authenticate. I am running SUSE 9.0 x86-64 with
> > vpopmail 5.4.0
>
> what's the value of $QMAILDUID in that script?
>
> also, if you take out the hostname you're an open relay, because you're
> authenticating with /bin/true
>
> -Jeremy
>
> > Any ideas why its not working?
> >
> > Thanks,
> > Brooks Roy
Re: [vchkpw] SMTP Auth HOWTO?
The patch you are using is incredibly old. You should consider auth-jms1.4a.patch from http://www.jms1.net/qmail/auth-jms1.4a.patch If that link is broken, google on auth-jms1.4a.patch and look at the cached version. You might also consider the qmail-requireauth.patch that allows you to set an environment variable to selectively require authentication. I had to manually apply the patch as some of the line numbers didn't jive. I've pasted it below. Greg *** qmail-smtpd-orig.c Tue May 15 13:21:04 2001 --- qmail-smtpd.c Tue May 15 13:26:04 2001 *** *** 72,77 --- 72,79 int err_authabrt() { out(501 auth exchange cancelled (#5.0.0)\r\n); return -1; } int err_input() { out(501 malformed auth input (#5.5.4)\r\n); return -1; } + void err_authrequired() { out(503 you must authenticate first (#5.5.1)\r\n); } + stralloc greeting = {0}; void smtp_greet(code) char *code; *** *** 93,98 --- 95,102 char *remoteinfo; char *local; char *relayclient; + char *requireauth; + int authd = 0; stralloc helohost = {0}; char *fakehelo; /* pointer into helohost, or 0 */ *** *** 143,148 --- 147,153 if (!remotehost) remotehost = unknown; remoteinfo = env_get(TCPREMOTEINFO); relayclient = env_get(RELAYCLIENT); + requireauth = env_get(REQUIREAUTH); dohelo(remotehost); } *** *** 259,264 --- 264,270 } void smtp_mail(arg) char *arg; { + if (requireauth !authd) { err_authrequired(); return; } if (!addrparse(arg)) { err_syntax(); return; } flagbarf = bmfcheck(); seenmail = 1; *** *** 425,431 char **childargs; substdio ssup; char upbuf[128]; - int authd = 0; int authgetl(void) { int i; --- 431,436 blist wrote: I am installing vchkpw + SMTP AUTH + qmail. 
I have installed qmail with this patch: qmail-smtpd-auth-0.31 from http://members.elysium.pl/brush/qmail-smtpd-auth/ Here is my run tcpserver script for qmail-smtpd: exec /usr/local/bin/softlimit -m 1000 \ /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \ /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \ $QMAILDUID -g vchkpw 192.168.5.50 25 \ /usr/local/bin/fixcrio \ /usr/local/bin/rblsmtpd -r relays.ordb.org \ /var/qmail/bin/qmail-smtpd ps1.prostream.net \ /usr/local/vpopmail/bin/vchkpw /bin/true I cannot get any users to authenticate when sending email. I then tried taking out ps1.prostream.net after /var/qmail/bin/qmail-smtpd and it lets all users authenticate. I am running SUSE 9.0 x86-64 with vpopmail 5.4.0 Any ideas why its not working? Thanks, Brooks Roy
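Review bot: the guard added to smtp_mail() reads "if (requireauth !authd)" with no operator between the two operands, so as posted it does not compile; it needs to be "if (requireauth && !authd)". The string arguments in the other hunks (out(503 ...), env_get(REQUIREAUTH)) are likewise missing their quotes in this paste, so the patch should be re-sent as an attachment rather than inline before anyone tries to apply it.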
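Review bot: requireauth, set from env_get(REQUIREAUTH) in the setup hunk, is only ever tested for being non-null, so any value at all, including an empty string or 0, switches the requirement on. Either document that the variable is presence-only or compare its value explicitly, since an administrator who sets REQUIREAUTH to 0 in a tcpserver rule to turn the check off for one network would get the opposite result.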
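Review bot: err_authrequired() in the first hunk answers with 503, which is the bad-sequence-of-commands code; RFC 2554 defines 530 (authentication required) for a command refused because server policy demands AUTH first. Consider returning 530 here so the refusal is distinguishable from an ordinary ordering error in logs and on the client side.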
Re: [vchkpw] SMTP Auth HOWTO?
Jeremy Kitchen wrote:

> On Thursday 20 May 2004 07:00 pm, blist wrote:
> > Here is my run tcpserver script for qmail-smtpd:
> >
> >   exec /usr/local/bin/softlimit -m 1000 \
> >   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
> >   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
> >   $QMAILDUID -g vchkpw 192.168.5.50 25 \
> >   /usr/local/bin/fixcrio \
> >   /usr/local/bin/rblsmtpd -r relays.ordb.org \
> >   /var/qmail/bin/qmail-smtpd ps1.prostream.net \
> >   /usr/local/vpopmail/bin/vchkpw /bin/true

Simple, remove the hostname, and all should be well.

> what's the value of $QMAILDUID in that script?
>
> also, if you take out the hostname you're an open relay, because you're
> authenticating with /bin/true

Wrong, vchkpw needs another program to change the directory for, check the way qmail-pop3d works.

pop3-popup checkpasswrd realpop3 (Which is now in the users directory)

If vchkpw is not given another argument to execute after it auth's the user, qmail-smtpd has no way to check if it was successful.

> -Jeremy
Re: [vchkpw] SMTP Auth HOWTO?
My apologies, the solution i provided *WILL* not work. Considering the code still contains the hostname stuff.

What i suggest is you grab the patch from the vpopmail contrib directory, it contains a copy that *will* work.

X-Istence
Re: [vchkpw] SMTP Auth HOWTO?
So use the patch from the vpopmail contrib directory WITHOUT the hostname in the run script for tcpserver? Won't this make the server an open relay?

X-Istence wrote:

> My apologies, the solution i provided *WILL* not work. Considering the
> code still contains the hostname stuff.
>
> What i suggest is you grab the patch from the vpopmail contrib
> directory, it contains a copy that *will* work.
>
> X-Istence
Re: [vchkpw] SMTP Auth HOWTO?
Brooks Roy wrote:

> So use the patch from the vpopmail contrib directory WITHOUT the
> hostname in the run script for tcpserver? Won't this make the server an
> open relay?

No, cause that patch doesn't require a hostname on purpose, as too many people were unsure if it was needed or not. It is not needed, thus it was removed. So no, you will not make yourself an open relay.

> X-Istence wrote:
> > My apologies, the solution i provided *WILL* not work. Considering
> > the code still contains the hostname stuff.
> >
> > What i suggest is you grab the patch from the vpopmail contrib
> > directory, it contains a copy that *will* work.

X-Istence
Re: [vchkpw] SMTP Auth HOWTO?
I do not have an open relay. I am trying to setup SMTP Auth. It is not working.. When users try to auth, it just keeps asking for username password over and over. Never sends.

X-Istence wrote:

> Brooks Roy wrote:
> > I have put in the patch as described in the contrib README and changed
> > it to be /bin/checkpassword instead of vchkpw and I still have the
> > same scenario.
>
> What does your data.cdb or smtp.cdb look like that gets created from a
> file? Also, it should still be to vchkpw if you want to use vpopmail.
>
> This is what your run file should look like:
>
>   exec /usr/local/bin/softlimit -m 1000 \
>   /usr/local/bin/tcpserver -v -H -R -l $LOCAL -x \
>   /usr/local/vpopmail/etc/tcp.smtp.cdb -c $MAXSMTPD -u \
>   $QMAILDUID -g vchkpw 192.168.5.50 25 \
>   /usr/local/bin/fixcrio \
>   /usr/local/bin/rblsmtpd -r relays.ordb.org \
>   /var/qmail/bin/qmail-smtpd /usr/local/vpopmail/bin/vchkpw /usr/bin/true
>
> Also make sure $QMAILDUID $MAXSMTPD and $LOCAL are set properly.
>
> I see that you have your /usr/local/vpopmail/etc/tcp.smtp.cdb, are you
> sure that is not causing the open relay? Try pointing it to one that
> only has:
>
>   :allow
>
> in it, and see if you are still an open relay then.
>
> X-Istence