Re: [vchkpw] Vpopmail smtp-auth

2007-03-11 Thread Rick Widmer



DAve wrote:
A quick check of using Perl to auth against a vpopmaild instance works 
just dandy. I hacked up a copy of the generic checkpassword.pl script 
from qmail.org and had it working pretty quickly. It took longer to 
upgrade my test server and get vpopmaild working. 


Cool!



But what is the silent option? Did you mean compact?


Sorry, I should have looked at the code before I replied...

In the latest development release there are three possible ways to 
login.  These were added because the old login method with the compact 
flag did not allow spaces in passwords.  The new login methods are:



login - Check the user and password.  If valid return the entire data 
record on the user that just logged in, written out in a very long format.


clogin - This is the equivalent to the old compact flag.  This mode 
compresses the output by sending the numeric value of gid_flags instead 
of writing each one out.


slogin - This is what I am thinking as the ideal for authentication 
checks.  It simply returns err or ok depending on if the user exists and 
had a valid password.



If you want to continue using the version of vpopmail with the compact 
option, I do suggest using compact as it will reduce the amount of data 
the server returns with each request. The user information is useful for 
a qmailadmin like program to look at the rights of the user who just 
logged in to determine what options it should show them.  A user who has 
rights to manage the entire system will see many more menu options than 
one who is only allowed to change their own password...


There is a bit of an issue with the development version for people using 
database back ends.  The table structure needs to be changed to provide 
for longer domain names.  (from 64 to 96 characters)  Also if you are 
storing limits in the database, two new fields must be added to the 
limits table: disable_spamassassin and delete_spam to make it match the 
latest code for non-database installations.  See INSTALL.
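Added example, not part of the original thread and not vpopmail's own code: a checkpassword-style client for the slogin check described in the message above, which also accepts the user%domain form seen elsewhere in the thread. The host, the port, the `slogin user@domain password` line format and the `+OK` reply prefix are assumptions; the thread says only that slogin returns err or ok.

```python
import os
import socket
import sys

# Assumptions, not taken from the thread: vpopmaild listens on HOST:PORT,
# greets with a "+OK" line, accepts "slogin user@domain password" and
# answers "+OK" or "-ERR ...". The thread only says slogin returns err or ok.
HOST, PORT = "127.0.0.1", 89
OK_PREFIX = b"+OK"


def parse_checkpassword(blob: bytes):
    """Split checkpassword input (fd 3): user NUL password NUL timestamp NUL."""
    fields = blob.split(b"\0")
    if len(fields) < 3:
        raise ValueError("truncated checkpassword input")
    return fields[0].decode("utf-8"), fields[1].decode("utf-8")


def normalize_user(user: str) -> str:
    """Map the user%domain form some clients send to user@domain."""
    if "@" not in user and "%" in user:
        name, _, domain = user.rpartition("%")
        return f"{name}@{domain}"
    return user


def build_slogin(user: str, password: str) -> bytes:
    """Build the slogin line, refusing input that could smuggle a second command."""
    user = normalize_user(user)
    if not user or any(c.isspace() or not c.isprintable() for c in user):
        raise ValueError("bad user name")
    # Spaces are allowed in passwords (the reason the new login commands
    # exist); CR, LF and other control characters are not, because the
    # protocol is line based.
    if not password or not password.isprintable():
        raise ValueError("bad password")
    return f"slogin {user} {password}\n".encode("utf-8")


def authenticate(sock, user: str, password: str) -> bool:
    """Run one slogin exchange; anything other than an OK reply is a failure."""
    line = build_slogin(user, password)  # validate before touching the wire
    rfile = sock.makefile("rb")
    if not rfile.readline(512).startswith(OK_PREFIX):  # server greeting
        return False
    sock.sendall(line)
    return rfile.readline(512).startswith(OK_PREFIX)


def main(argv) -> int:
    """Exit codes follow checkpassword: 0 accepted, 1 rejected, 111 temporary."""
    try:
        with os.fdopen(3, "rb") as fd3:
            user, password = parse_checkpassword(fd3.read(512))
        with socket.create_connection((HOST, PORT), timeout=10) as sock:
            ok = authenticate(sock, user, password)
    except ValueError:
        return 1    # malformed credentials are treated as a rejected login
    except OSError:
        return 111  # daemon unreachable or descriptor 3 missing
    if not ok:
        return 1
    if len(argv) > 1:
        os.execvp(argv[1], argv[1:])  # hand over to the next program
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run in place of vchkpw, it reads the credentials from descriptor 3 and executes the program named in its arguments once the login is accepted.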





Re: [vchkpw] Vpopmail smtp-auth

2007-03-10 Thread Rick Widmer



DAve wrote:

DAve wrote:

Tom Collins wrote:

DAve,

I think you've found a bug in vchkpw.


Bug? After running this entire situation through my thick head, again, 
I more suspect I am trying to do something with vchkpw it was never 
intended to do.


snip

 I think... that vchkpw will not work without a complete working
 install. It seems to need to have access to the domains,
 virtualdomains, and users/cdb file.

Exactly.  vchkpw expects to run on a system with a full vpopmail 
installation.



For some reason, it wants to create the user's directory if it 
doesn't already exist.  This could be related to updating the 
lastauth file in the user's directory.  Disabling AUTH_LOGGING on 
that system will help, but you'll still have code trying to create 
the directory.


If auth logging is enabled then the attempt to authenticate needs to be 
logged.  If the users directory doesn't exist, it needs to be created so 
the log file can be created.



Let me know if that works, and I'll make changes to the release 
version.  That code could probably be permanently removed -- the 
user's directory is created by vdelivermail when necessary.  vchkpw 
doesn't need to be doing it.


Bill:  I have to disagree.  The authentication attempt needs to be 
logged, even if there is no mail to deliver.  If MySQL is holding the 
auth log info, then it should be removed with another ifdef.  There 
may be some 'combination of configure option' bugs here, but if 
auth-logging is enabled and the directory does not exist it needs to be 
created.  At least for cdb.



Is no one else using a physically separate outbound smtp server? I am 
open to suggestions on how to auth using my vpopmail DB.


John Simpson has a validrcptto patch which modifies qmail-smtp to verify
email addresses against a cdb file, and the latest vpopmail provides an
onchange script that lets you update the cdb files when users are added
or removed.

http://qmail.jms1.net/patches/vpopmail.shtml


vpopmaild can be used to verify a vpopmail login.  Just attempt to login 
to the daemon with the user and password, using the silent option.  If 
the user is valid the login attempt will succeed.  I am not aware of a 
program to do this, but if you write one, I would consider adding it to 
the contrib directory of vpopmail.



This morning I hacked up a quick Perl script to do the authentication 
and it is working fine. This confirms that my qmail-auth installation is 
working, and my remote vpopmail DB is reachable.


If you have any other uses for Perl (spamassassin) on the machine and 
keep it loaded in RAM, this may well be the most efficient method... 
You are directly opening the database and looking up the info you need. 
 Anything else you do just adds another layer, and the program you use 
still has to open the database.


PHP might be able to do the same thing with a slightly smaller memory 
footprint.





Re: [vchkpw] Vpopmail smtp-auth

2007-03-10 Thread Rick Widmer



Rick Widmer wrote:
Let me know if that works, and I'll make changes to the release 
version.  That code could probably be permanently removed -- the 
user's directory is created by vdelivermail when necessary.  vchkpw 
doesn't need to be doing it.


Bill:  I have to disagree.  The authentication attempt needs to be 
logged, even if there is no mail to deliver.  If MySQL is holding the 
auth log info, then it should be removed with another ifdef.  There 
may be some 'combination of configure option' bugs here, but if 
auth-logging is enabled and the directory does not exist it needs to be 
created.  At least for cdb.




Sorry, it was Tom who made this comment...


Re: [vchkpw] Vpopmail smtp-auth

2007-03-10 Thread DAve

Rick Widmer wrote:



DAve wrote:

DAve wrote:

Tom Collins wrote:

DAve,

I think you've found a bug in vchkpw.


Bug? After running this entire situation through my thick head, 
again, I more suspect I am trying to do something with vchkpw it was 
never intended to do.


snip

  I think... that vchkpw will not work without a complete working
  install. It seems to need to have access to the domains,
  virtualdomains, and users/cdb file.

Exactly.  vchkpw expects to run on a system with a full vpopmail 
installation.




As I thought too. I have already given up on vchkpw just for that 
reason. It seemed like a poor use of vchkpw and any changes to make it 
work would be silly.


Possibly a separate stand alone program just for authentication against 
a vpopmail DB would be a better idea, but I don't know who would be 
interested.


Looking back 4 years and 11 servers ago, I should have chosen LDAP.

snip



Is no one else using a physically separate outbound smtp server? I am 
open to suggestions on how to auth using my vpopmail DB.


John Simpson has a validrcptto patch which modifies qmail-smtp to verify
email addresses against a cdb file, and the latest vpopmail provides an
onchange script that lets you update the cdb files when users are added
or removed.

http://qmail.jms1.net/patches/vpopmail.shtml



I use that on one old Sparc 10 server for user verification, just for 
those clients who insist on paying for a mailspool.




vpopmaild can be used to verify a vpopmail login.  Just attempt to login 
to the daemon with the user and password, using the silent option.  If 
the user is valid the login attempt will succeed.  I am not aware of a 
program to do this, but if you write one, I would consider adding it to 
the contrib directory of vpopmail.


Interesting idea! Once we get our vpopmail installation upgraded on the 
master DB server, that is a good possibility.





This morning I hacked up a quick Perl script to do the authentication 
and it is working fine. This confirms that my qmail-auth installation 
is working, and my remote vpopmail DB is reachable.


If you have any other uses for Perl (spamassassin) on the machine and 
keep it loaded in RAM, this may well be the most efficient method... You 
are directly opening the database and looking up the info you need. 
 Anything else you do just adds another layer, and the program you use 
still has to open the database.


PHP might be able to do the same thing with a slightly smaller memory 
footprint.


That is my problem with a Perl solution, which I generally avoid, and is 
why we never used qmail-scanner. I am looking into vpopmaild this weekend.


Thanks,

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: [vchkpw] Vpopmail smtp-auth

2007-03-10 Thread DAve

DAve wrote:

Rick Widmer wrote:



DAve wrote:

DAve wrote:

Tom Collins wrote:

DAve,

I think you've found a bug in vchkpw.


Bug? After running this entire situation through my thick head, 
again, I more suspect I am trying to do something with vchkpw it was 
never intended to do.


snip

  I think... that vchkpw will not work without a complete working
  install. It seems to need to have access to the domains,
  virtualdomains, and users/cdb file.

Exactly.  vchkpw expects to run on a system with a full vpopmail 
installation.




As I thought too. I have already given up on vchkpw just for that 
reason. It seemed like a poor use of vchkpw and any changes to make it 
work would be silly.


Possibly a separate stand alone program just for authentication against 
a vpopmail DB would be a better idea, but I don't know who would be 
interested.


Looking back 4 years and 11 servers ago, I should have chosen LDAP.

snip



Is no one else using a physically separate outbound smtp server? I am 
open to suggestions on how to auth using my vpopmail DB.


John Simpson has a validrcptto patch which modifies qmail-smtp to verify
email addresses against a cdb file, and the latest vpopmail provides an
onchange script that lets you update the cdb files when users are added
or removed.

http://qmail.jms1.net/patches/vpopmail.shtml



I use that on one old Sparc 10 server for user verification, just for 
those clients who insist on paying for a mailspool.




vpopmaild can be used to verify a vpopmail login.  Just attempt to 
login to the daemon with the user and password, using the silent 
option.  If the user is valid the login attempt will succeed.  I am 
not aware of a program to do this, but if you write one, I would 
consider adding it to the contrib directory of vpopmail.




A quick check of using Perl to auth against a vpopmaild instance works 
just dandy. I hacked up a copy of the generic checkpassword.pl script 
from qmail.org and had it working pretty quickly. It took longer to 
upgrade my test server and get vpopmaild working. But what is the silent 
option? Did you mean compact?


Let me get some projects out of the way (like DST, again!) and I will 
put together a Perl and PHP example.


Thank you for the pointer, you just solved a very big problem for me.

DAve




--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: [vchkpw] Vpopmail smtp-auth

2007-03-09 Thread DAve

DAve wrote:

Tom Collins wrote:

DAve,

I think you've found a bug in vchkpw.


Bug? After running this entire situation through my thick head, again, I 
more suspect I am trying to do something with vchkpw it was never 
intended to do.


In a nutshell I am trying to use vchkpw as an auth tool only, and 
nothing else from vpopmail.




For some reason, it wants to create the user's directory if it doesn't 
already exist.  This could be related to updating the lastauth file in 
the user's directory.  Disabling AUTH_LOGGING on that system will 
help, but you'll still have code trying to create the directory.


Ok, so I'm not completely crazy. Configuring with --disable-auth-logging 
got the messages to stop last night, so I was on the right track. 
However, tailing the remote MySQL logs shows that the only queries to 
hit MySQL are the following.


# configured with --disable-auth-logging
select pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell , 
pw_clear_passwd from vpopmail where pw_name = dave.list and pw_domain 
= pixelhammer.com


# configured with --enable-auth-logging
select pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell , 
pw_clear_passwd from vpopmail where pw_name = dave.list and pw_domain 
= pixelhammer.com
replace into lastauth set user='dave.list', domain='pixelhammer.com', 
remote_ip='', timestamp=1173418087


Remote IP is not set. (I would think this was normal as 
checkpassword_debug is not setting the env variables)


So disabling auth logging helped, but authentication still fails. 
Though, it certainly looks like the query is made correctly to SQL and 
the result returned. I am again suspicious of the assign error shown in 
the output of checkpassword_debug.


bash-2.05b# /usr/local/src/vpopmail-5.4.17/contrib/checkpassword_debug 
-vvv -c /home/vpopmail/bin/vchkpw -l dave.list%pixelhammer.com

Please enter password: 
/home/vpopmail/bin/vchkpw started with pid 20840
sending dave.list%pixelhammer.comNULLNULL0NULL (35 bytes) to 
checkpassword with uid/gid: 0/0

waiting...
Error. Domain pixelhammer.com was not found in the assign file
done
normal exit from checkpassword
checkpassword exit value: 6

I think... that vchkpw will not work without a complete working install. 
It seems to need to have access to the domains, virtualdomains, and 
users/cdb file.




Go into login_virtual_user() and get rid of everything from the 
comment, If thier directory path is empty make them a new one to 
right before #ifdef CLEAR_PASS.


Let me know if that works, and I'll make changes to the release 
version.  That code could probably be permanently removed -- the 
user's directory is created by vdelivermail when necessary.  vchkpw 
doesn't need to be doing it.


It seemed to have no effect. If that means can you remove it?, I can 
test on a working production toaster and let you know (I got a spare now 
;^)


Now debating how to go around this. I really want to auth against my 
existing vpopmail DB.




This morning I hacked up a quick Perl script to do the authentication 
and it is working fine. This confirms that my qmail-auth installation is 
working, and my remote vpopmail DB is reachable.


I really really don't want to use a Perl script to do this. Searching 
for other checkpassword programs shows nothing that will do a SQL auth, 
just CDB, LDAP, radius.


Is no one else using a physically separate outbound smtp server? I am 
open to suggestions on how to auth using my vpopmail DB.


Thanks,

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: [vchkpw] Vpopmail smtp-auth

2007-03-08 Thread Rainer Duffner

DAve wrote:

Good morning,

Seems I am posting all over the internet these last two weeks, but I 
can't seem to grab my butt lately. I got FreeBSD running on the 
Sunfires, netqmail installed, Simscan install, ClamAV installed, 
everything is working fine. Last step, smtp-auth, why did I try? I 
should have let today end on a good note.



If you use FreeBSD, you should use Matt Simerson's FreeBSD Qmail Toaster:
http://www.tnpi.biz.

...

Mysql 4.0, also tried 4.1.




I think both are now EOL in that no timely security-fixes are provided 
any longer.

You have to use 5.x - though 4.x should still work, of course.





No errors when building, seems to work,
bash-2.05b# /home/vpopmail/bin/vuserinfo [EMAIL PROTECTED]
Error. Domain pixelhammer.com was not found in the assign file



That should not happen.
What happens when you add a domain?
Does it get added to the assign file?




The one thing that is different, is I have an empty assign file. This 
server is used for smtp-auth *outbound* only service. So, just for fun 
I added the test domain to the assign file, still fails.




Did you build the cdb?

The sql-error is also not good, though I can't say what it is caused by ATM.


If you can, use Matt's toaster.



cheers,
Rainer


Re: [vchkpw] Vpopmail smtp-auth

2007-03-08 Thread Rick Romero
On Thu, 2007-03-08 at 08:55 -0500, DAve wrote:
 Rainer Duffner wrote:
  DAve wrote:
  Good morning,
 
  No errors when building, seems to work,
  bash-2.05b# /home/vpopmail/bin/vuserinfo [EMAIL PROTECTED]
  Error. Domain pixelhammer.com was not found in the assign file
  
  
  That should not happen.
  What happens when you add a domain?
  Does it get added to the assign file?
 
 I do not want to add a domain to this server. I do not think you 
 understand what this server is doing. See below, this server is doing 
 *outbound* service only, there will be no local deliveries.

I have a similar setup - but locked down to an IP and a separate qmail
install.  That IP/qmail install is only for auth'd outgoing email -
nothing gets delivered to hosted domains.

Even if you're not doing 'local' delivery, you still need to be able to
resolve a username with vuserinfo.  Otherwise vchkpw won't be able to
auth for you either.  So yes, you need a complete install as if it's a
complete server.

Now, what I did for my 'local' domains, since delivery is not happening
locally, is create a smtproutes file for those domains and point them to
the MX.

Rick




Re: [vchkpw] Vpopmail smtp-auth

2007-03-08 Thread DAve

Rick Romero wrote:

On Thu, 2007-03-08 at 08:55 -0500, DAve wrote:

Rainer Duffner wrote:

DAve wrote:

Good morning,

No errors when building, seems to work,
bash-2.05b# /home/vpopmail/bin/vuserinfo [EMAIL PROTECTED]
Error. Domain pixelhammer.com was not found in the assign file


That should not happen.
What happens when you add a domain?
Does it get added to the assign file?
I do not want to add a domain to this server. I do not think you 
understand what this server is doing. See below, this server is doing 
*outbound* service only, there will be no local deliveries.


I have a similar setup - but locked down to an IP and a separate qmail
install.  That IP/qmail install is only for auth'd outgoing email -
nothing gets delivered to hosted domains.

Even if you're not doing 'local' delivery, you still need to be able to
resolve a username with vuserinfo.  Otherwise vchkpw won't be able to
auth for you either.  So yes, you need a complete install as if it's a
complete server.


Hmm, other than the assign file situation vuserinfo works,

bash-2.05b# ./vuserinfo [EMAIL PROTECTED]
Error. Domain pixelhammer.com was not found in the assign file
name:   dave.list
passwd: $1$jB.dCgrW$GbolDS0pK/BMUJuoHwhq20
clear passwd: xx
comment/gecos: dave.list
uid:0
gid:0
flags:  0
gecos: dave.list
limits: No user limits set.
dir:   /home/vpopmail/domains/pixelhammer.com/dave.list
quota: NOQUOTA
usage: NOQUOTA
last auth: Thu Mar  8 09:13:00 2007
last auth ip: 64.184.10.26
bash-2.05b#

Other than the assign file and the virtualdomains file, it is a complete 
server. If I scp over a assign file, a virtualdomains file, run 
/var/qmail/bin/qmail-newu, restart qmail, the assign error goes away in 
vuserinfo. However the checkpassword_debug still fails to work.


I am going to try and get back to it today.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: [vchkpw] Vpopmail smtp-auth

2007-03-08 Thread Tom Collins

DAve,

I think you've found a bug in vchkpw.

For some reason, it wants to create the user's directory if it  
doesn't already exist.  This could be related to updating the  
lastauth file in the user's directory.  Disabling AUTH_LOGGING on  
that system will help, but you'll still have code trying to create  
the directory.


Go into login_virtual_user() and get rid of everything from the  
comment, If thier directory path is empty make them a new one to  
right before #ifdef CLEAR_PASS.


Let me know if that works, and I'll make changes to the release  
version.  That code could probably be permanently removed -- the  
user's directory is created by vdelivermail when necessary.  vchkpw  
doesn't need to be doing it.


--
Tom Collins  -  [EMAIL PROTECTED]
Vpopmail - virtual domains for qmail: http://vpopmail.sf.net/
QmailAdmin - web interface for Vpopmail: http://qmailadmin.sf.net/




Re: [vchkpw] Vpopmail smtp-auth

2007-03-08 Thread DAve

Tom Collins wrote:

DAve,

I think you've found a bug in vchkpw.


Bug? After running this entire situation through my thick head, again, I 
more suspect I am trying to do something with vchkpw it was never 
intended to do.


In a nutshell I am trying to use vchkpw as an auth tool only, and 
nothing else from vpopmail.




For some reason, it wants to create the user's directory if it doesn't 
already exist.  This could be related to updating the lastauth file in 
the user's directory.  Disabling AUTH_LOGGING on that system will help, 
but you'll still have code trying to create the directory.


Ok, so I'm not completely crazy. Configuring with --disable-auth-logging 
got the messages to stop last night, so I was on the right track. 
However, tailing the remote MySQL logs shows that the only queries to 
hit MySQL are the following.


# configured with --disable-auth-logging
select pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell , 
pw_clear_passwd from vpopmail where pw_name = dave.list and pw_domain 
= pixelhammer.com


# configured with --enable-auth-logging
select pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell , 
pw_clear_passwd from vpopmail where pw_name = dave.list and pw_domain 
= pixelhammer.com
replace into lastauth set user='dave.list', domain='pixelhammer.com', 
remote_ip='', timestamp=1173418087


Remote IP is not set. (I would think this was normal as 
checkpassword_debug is not setting the env variables)


So disabling auth logging helped, but authentication still fails. 
Though, it certainly looks like the query is made correctly to SQL and 
the result returned. I am again suspicious of the assign error shown in 
the output of checkpassword_debug.


bash-2.05b# /usr/local/src/vpopmail-5.4.17/contrib/checkpassword_debug 
-vvv -c /home/vpopmail/bin/vchkpw -l dave.list%pixelhammer.com

Please enter password: 
/home/vpopmail/bin/vchkpw started with pid 20840
sending dave.list%pixelhammer.comNULLNULL0NULL (35 bytes) to 
checkpassword with uid/gid: 0/0

waiting...
Error. Domain pixelhammer.com was not found in the assign file
done
normal exit from checkpassword
checkpassword exit value: 6

I think... that vchkpw will not work without a complete working install. 
It seems to need to have access to the domains, virtualdomains, and 
users/cdb file.




Go into login_virtual_user() and get rid of everything from the comment, 
If thier directory path is empty make them a new one to right before 
#ifdef CLEAR_PASS.


Let me know if that works, and I'll make changes to the release 
version.  That code could probably be permanently removed -- the user's 
directory is created by vdelivermail when necessary.  vchkpw doesn't 
need to be doing it.


It seemed to have no effect. If that means can you remove it?, I can 
test on a working production toaster and let you know (I got a spare now ;^)


Now debating how to go around this. I really want to auth against my 
existing vpopmail DB.


Thanks Tom,

DAve


--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


Re: [vchkpw] vpopmail smtp-auth struggles

2003-12-01 Thread John-Mason P. Shackelford
Greetings again.

Among other things, my softlimit was set too low. I bumped 200 to 
300 and everything seemed to work fine. For other googlers I 
discovered what was the matter with a telnet session:

$ telnet cono.org
220 vps1.digitalfeet.org ESMTP
 EHLO

250-vps1.digitalfeet.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
 AUTH LOGIN

334 VXNlcm5hbWU6

 username -- base 64 encoded

334 UGFzc3dvcmQ6

 password -- base 64 encoded

/home/vpopmail/bin/vchkpw:
error while loading shared libraries:
libc.so.6: failed to map segment from shared object:
Cannot allocate memory
535 authorization failed (#5.7.0)
Unfortunately only the 530 authorization failed message shows up in the 
client so one does need to telnet to see the actual problem. Also note 
that one doesn't actually need to base64 encode the username and 
password in order to generate this error, but ordinarily one would use 
the encoding to transmit the username and password.

This was discussed earlier in the list in a thread titled: Help!! with 
qmail+vpopmail PLEASE!!!. I should have read on, suppressing my aversion 
to such nondescript subject lines--though I suppose my own isn't any more 
helpful, now that I think about it.

John-Mason P. Shackelford
--
http://john-mason.shackelford.org



Re: [vchkpw] vpopmail smtp-auth struggles

2003-11-30 Thread Rick Macdougall


John-Mason P. Shackelford wrote:

Greetings all,

I have been fighting a problem with vpopmail & the smtp-auth patch for
several days now and feel a little lost and beaten down.
I use Netscape 7.1 to connect to my email account ([EMAIL PROTECTED]) and
use 'admin' as the username. I can retrieve messages without difficulty.
When I attempt to reply, Netscape prompts me for a password. I supply
the same password I used to retrieve email. After some churning, I am
presented with the password dialog again.

Hi,

I don't know if this applies to you but older Netscape clients required 
% instead of @ as the separator between username and domain name.

ie george%somedomain.com instead of [EMAIL PROTECTED]

Regards,

Rick