Re: [vchkpw] can't relay any more

2005-04-19 Thread Kyle Wheeler
On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
 On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
  You're right  -- Thought I had that one. :\
  But if we can stretch this topic - why doesn't vpopmail 'pay attention
  to locals or virtualdomains'? Is it just late and I'm space-y?
 
 It doesn't do it for any real reason, it just does it because it was poorly 
 designed, and nobody has changed it.

What do you expect it to do?

I expect to be able to use my virtualdomains file for more than JUST 
vpopmail domains (for example, I have several lists.* domains that are 
handled exclusively by GNU Mailman).

~Kyle
-- 
Power always thinks it has a great soul and vast views beyond the 
comprehension of the weak; and that it is doing God's service when it is 
violating all his laws.
-- John Adams




Re: [vchkpw] can't relay any more

2005-04-19 Thread Jeremy Kitchen
On Tuesday 19 April 2005 03:04 pm, Kyle Wheeler wrote:
 On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
  On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
   You're right  -- Thought I had that one. :\
   But if we can stretch this topic - why doesn't vpopmail 'pay attention
   to locals or virtualdomains'? Is it just late and I'm space-y?
 
  It doesn't do it for any real reason, it just does it because it was
  poorly designed, and nobody has changed it.

 What do you expect it to do?

I expect it to look at the virtualdomains file to determine what user the 
domain should be handled by (or that it's even there!) and then look up the 
user using standard qmail lookup procedures (check qmail-users first, then 
system users)

I recently had a problem with a customer who was moving one of his domains to 
an exchange server but leaving the qmail server in place for filtering.  I 
took the domain out of virtualdomains and sent qmail-send a HUP signal, 
however, the chkuser patch was still looking for 'valid' users inside the 
vpopmail databases.  This is wrong behavior on vpopmail's part.

-Jeremy

-- 
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] can't relay any more

2005-04-19 Thread Kyle Wheeler
On Tuesday, April 19 at 03:24 PM, quoth Jeremy Kitchen:
 On Tuesday 19 April 2005 03:04 pm, Kyle Wheeler wrote:
  On Tuesday, April 19 at 12:32 PM, quoth Jeremy Kitchen:
   On Monday 18 April 2005 10:48 pm, Rick van Vliet wrote:
    You're right  -- Thought I had that one. :\
    But if we can stretch this topic - why doesn't vpopmail 'pay attention
    to locals or virtualdomains'? Is it just late and I'm space-y?
  
   It doesn't do it for any real reason, it just does it because it was
   poorly designed, and nobody has changed it.
 
  What do you expect it to do?
 
 I expect it to look at the virtualdomains file to determine what user the 
 domain should be handled by (or that it's even there!) and then look up the 
 user using standard qmail lookup procedures (check qmail-users first, then 
 system users)
 
 I recently had a problem with a customer who was moving one of his domains to 
 an exchange server but leaving the qmail server in place for filtering.  I 
 took the domain out of virtualdomains and sent qmail-send a HUP signal, 
 however, the chkuser patch was still looking for 'valid' users inside the 
 vpopmail databases.  This is wrong behavior on vpopmail's part.

Wouldn't that instead be wrong behavior on the chkuser patch's part?

I imagine vchkpw would need to be altered to do the same to prevent 
people from authenticating to the wrong server.

On the other hand, how many software products do you use that parse the 
config files of other systems? Do many sendmail milters parse the 
/etc/sendmail.cf? Should php parse apache's config files?

I'm not saying it wouldn't be useful if vpopmail did go through qmail's 
config files, especially since they're so semantically simple; I think 
it would be a good idea! But does that necessarily make ignoring the 
config files of a separate piece of software WRONG? I don't think so.

Imagine this: you used to have lists.domain.com as a vpopmail domain, 
just to logically separate out your mailing lists (like list.cr.yp.to). 
Then you decide that you want to migrate that domain from ezmlm to GNU 
Mailman... but it's still on the same machine, so it still has an entry 
in virtualdomains. Should vpopmail be able to detect that the 
virtualdomains redirection of mail no longer sends mail to vpopmail but 
to a mailman frontend script? What if, instead, I wanted to merely move 
where lists.domain.com gets delivered and stored (not that I can come up 
with a good reason for wanting to do so, but it's certainly within my 
rights as an admin)... should vpopmail follow the virtualdomain entries 
out to the eventual delivery to make sure that they're getting delivered 
to a vdelivermail script?

Upon reflection, I think there's probably too much flexibility in the 
virtualdomains setup for vpopmail to parse and attempt to interpret the 
qmail virtualdomains file fully. It could take a simplistic approach, 
but that simplistic approach would limit the configurable power of 
qmail. If you start throwing qmail-users into the mix, it becomes 
astonishingly complex for vpopmail to decide whether or not a given 
address is going to be delivered to a vpopmail domain.

~Kyle
-- 
The greatest dangers to liberty lurk in insidious encroachment by men of 
zeal, well-meaning but without understanding.
-- Brandeis
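
The lookup order debated in this thread, as an added example (not part of any post, and not qmail or vpopmail code): it models how qmail-send classifies a recipient from control/locals and control/virtualdomains, using the entries from the qmail-showctl output posted in the thread. The two example.org entries are constructed, and `vpopmail_should_validate` is a hypothetical helper that assumes vpopmail domains use the `domain:domain` form seen in that output.

```python
# Added illustration: qmail-send's locals/virtualdomains decision, modelled in Python.
LOCALS = {"dbns.grasktruckgroup.com", "mail.dubuquepeterbilt.com"}  # from the thread

VIRTUALDOMAINS = {
    # from the thread's qmail-showctl output
    "dubuquepeterbilt.com": "dubuquepeterbilt.com",
    "decordelights.us": "decordelights.us",
    "bastardopsfromhell.com": "bastardopsfromhell.com",
    # constructed entries: a wildcard handled by another user, and an exception
    ".lists.example.org": "mailman",
    "moved.lists.example.org": "",
}


def candidate_keys(address):
    """Keys tried against virtualdomains, most specific first."""
    domain = address.rpartition("@")[2]
    keys = [address, domain]
    # every suffix of the domain that starts with a dot (wildcard entries)
    keys += [domain[i:] for i, ch in enumerate(domain) if ch == "."]
    keys.append("")  # catch-all entry written as ":prepend"
    return keys


def classify(address, locals_=LOCALS, vdoms=VIRTUALDOMAINS):
    """Return ("local", None), ("virtual", prepend) or ("remote", None)."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    if domain in locals_:          # locals is consulted before virtualdomains
        return ("local", None)
    for key in candidate_keys(address):
        if key in vdoms:
            prepend = vdoms[key]
            if prepend == "":      # empty prepend: explicit "not virtual"
                return ("remote", None)
            # mail is then delivered locally to prepend-localpart@domain
            return ("virtual", prepend)
    return ("remote", None)


def vpopmail_should_validate(address, vdoms=VIRTUALDOMAINS):
    """Hypothetical, simplistic check: only look up users in vpopmail when
    qmail would hand the domain to a prepend equal to the domain name."""
    kind, prepend = classify(address, vdoms=vdoms)
    domain = address.lower().rpartition("@")[2]
    return kind == "virtual" and prepend == domain
```

With the domain removed from the map, `vpopmail_should_validate` returns False, which is the behaviour Jeremy expected from chkuser; the `mailman` entry shows the kind of case Kyle raises, where the domain is virtual but not a vpopmail domain.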




Re: [vchkpw] can't relay any more

2005-04-18 Thread Rick van Vliet
Jeremy Kitchen wrote:
 On Saturday 16 April 2005 11:51 am, Rick van Vliet wrote:

  I don't see any domain in both places.. however
  rcpthosts:
  SMTP clients may send messages to recipients at
  dbns.grasktruckgroup.com.
  SMTP clients may send messages to recipients at dubuquepeterbilt.com.
  SMTP clients may send messages to recipients at decordelights.us.
  SMTP clients may send messages to recipients at bastardopsfromhell.com.

 perhaps you mixed up rcpthosts with locals when you were looking at it :)
 doesn't really matter though.. vpopmail doesn't really pay much attention to 
 locals or virtualdomains for some reason.

 -Jeremy

You're right  -- Thought I had that one. :\
But if we can stretch this topic - why doesn't vpopmail 'pay attention 
to locals or virtualdomains'? Is it just late and I'm space-y?



Re: [vchkpw] can't relay any more

2005-04-16 Thread Tom Collins
On Apr 15, 2005, at 8:28 PM, Jeff Schmidt wrote:
 I'm leaning toward a qmail issue vs. a vpopmail issue, but I admit I
 don't know how much vpopmail is involved w/ the smtpd process.

 this is the relevant process running on the server:
 /usr/bin/tcpserver -p -v -R -x /etc/tcp.smtp.cdb -c 40 -u 201 -g 200
 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd
 mail.dubuquepeterbilt.com /var/vpopmail/bin/vchkpw /bin/true

It sounds like you've got two possible things going on.

First, trusted hosts can't relay mail.  This is entirely qmail 
referencing /etc/tcp.smtp.cdb and does not involve vpopmail.

What has changed between the time relaying worked and it didn't work?  
Did you patch qmail-smtpd in any way?

Can tcpserver read /etc/tcp.smtp.cdb when running as user 201 and group 
200?

The second possible problem is that you can't authenticate.  If you try 
a manual session with qmail-smtpd and use AUTH LOGIN or AUTH PLAIN 
(http://fehcom.de/qmail/qmail.html has info on the command formats, 
you'll need a base64 encoder to generate the strings).

If SMTP AUTH doesn't work either, you should try checking 
/var/log/maillog to see if vchkpw is indicating an invalid login.

If both relay and auth are failing, then maybe something has happened 
to your qmail-smtpd such that it's ignoring the RELAYCLIENT environment 
variable.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: 
sniffter.com
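
The relay decision described in this message, as an added example (not part of the post, and not qmail or ucspi-tcp code): it models how a tcprules entry that sets RELAYCLIENT combines with rcpthosts to give the 250 or 553 reply seen in the thread's SMTP session. The rcpthosts entries come from the thread; both rule sets and the 192.0.2.x / 198.51.100.x addresses are constructed, and only IP-based rules are modelled (no TCPREMOTEINFO or host-name rules, no morercpthosts).

```python
# Added illustration: tcpserver rule lookup plus qmail-smtpd's rcpthosts check.
RCPTHOSTS = {"dbns.grasktruckgroup.com", "dubuquepeterbilt.com",
             "decordelights.us", "bastardopsfromhell.com"}  # from the thread

# Constructed tcprules source, i.e. what would be compiled into /etc/tcp.smtp.cdb.
RULES_OK = '127.:allow,RELAYCLIENT=""\n192.0.2.66:deny\n:allow\n'
RULES_BROKEN = ':allow\n'  # constructed: the 127. relay line is missing


def parse_rules(text):
    """Map address pattern -> (action, {VAR: value})."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, instr = line.partition(":")
        action, _, rest = instr.partition(",")
        env = {}
        while "=" in rest:
            name, _, rest = rest.partition("=")
            if not rest:
                break
            delim, rest = rest[0], rest[1:]   # value is wrapped in any one char
            value, _, rest = rest.partition(delim)
            env[name] = value
            rest = rest.lstrip(",")
        rules[pattern] = (action, env)
    return rules


def lookup(rules, ip):
    """Full IP first, then shorter dotted prefixes, then the empty default."""
    parts = ip.split(".")
    keys = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})  # no rule matched: allowed, environment unchanged


def rcpt_reply(ip, rcpt, rules, rcpthosts=RCPTHOSTS):
    """Return "refused", "250" or "553" for one RCPT TO from this client."""
    action, env = lookup(rules, ip)
    if action == "deny":
        return "refused"
    # RELAYCLIENT set, no rcpthosts file at all (None), or no domain part:
    # qmail-smtpd accepts the recipient without consulting the list.
    if "RELAYCLIENT" in env or rcpthosts is None or "@" not in rcpt:
        return "250"
    domain = rcpt.lower().rpartition("@")[2]
    keys = [domain] + [domain[i:] for i, c in enumerate(domain) if c == "."]
    return "250" if any(k in rcpthosts for k in keys) else "553"
```

Passing `rcpthosts=None` models a missing rcpthosts file, in which case every recipient is accepted from every client, so that file should always exist on an Internet-facing server.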



Re: [vchkpw] can't relay any more

2005-04-16 Thread Jeffrey A Schmidt
On Fri, 2005-04-15 at 23:07 -0500, Rick van Vliet wrote:
  # nc localhost 25
  220 mail.dubuquepeterbilt.com ESMTP
  ehlo localhost
  250-mail.dubuquepeterbilt.com
  250-AUTH LOGIN CRAM-MD5 PLAIN
  250-AUTH=LOGIN CRAM-MD5 PLAIN
  250-STARTTLS
  250-SIZE 8388608
  250-PIPELINING
  250 8BITMIME
  MAIL FROM: [EMAIL PROTECTED]
  250 ok
  RCPT TO: [EMAIL PROTECTED]
  553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
  RCPT TO: [EMAIL PROTECTED]
  250 ok
  quit
  221 mail.dubuquepeterbilt.com
  
 Hi-
 Maybe I came in late on this thread, but have you posted the output of 
 your /var/qmail/bin/qmail-showctl?
 Not sure that's going to have the whole answer, but there might be 
 something there that stands out.
 rick
 
thanks, Rick, here it is:
qmail home directory: /var/qmail.
user-ext delimiter: -.
paternalism (in decimal): 2.
silent concurrency limit: 500.
subdirectory split: 23.
user ids: 200, 201, 202, 0, 203, 204, 205, 206.
group ids: 200, 201.

badmailfrom: (Default.) Any MAIL FROM is allowed.

badrcptto: (Default.) Any RCPT TO is allowed.

morebadrcptto: (Default.) No badrcptto; morebadrcpto is irrelevant.

morebadrcptto.cdb: (Default.) No effect.

bouncefrom: Bounce user name is MAILER_DAEMON-DB.

bouncehost: Bounce host name is mail.dubuquepeterbilt.com.

concurrencylocal: (Default.) Local concurrency is 10.

concurrencyremote: (Default.) Remote concurrency is 20.

databytes: SMTP DATA limit is 8388608 bytes.

defaultdomain: Default domain name is dubuquepeterbilt.com.

defaulthost: Default host name is mail.dubuquepeterbilt.com.

doublebouncehost: 2B recipient host: mail.dubuquepeterbilt.com.

doublebounceto: (Default.) 2B recipient user: postmaster.

envnoathost: (Default.) Presumed domain name is
mail.dubuquepeterbilt.com.

helohost: SMTP client HELO host name is mail.dubuquepeterbilt.com.

idhost: Message-ID host name is mail.dubuquepeterbilt.com.

localiphost: Local IP address becomes mail.dubuquepeterbilt.com.

locals: 
Messages for dbns.grasktruckgroup.com are delivered locally.
Messages for mail.dubuquepeterbilt.com are delivered locally.

me: My name is mail.dubuquepeterbilt.com.

percenthack: (Default.) The percent hack is not allowed.

plusdomain: Plus domain name is dbns.grasktruckgroup.com.

qmqpservers: (Default.) No QMQP servers.

queuelifetime: Message lifetime in the queue is 345600 seconds.

rcpthosts: 
SMTP clients may send messages to recipients at
dbns.grasktruckgroup.com.
SMTP clients may send messages to recipients at dubuquepeterbilt.com.
SMTP clients may send messages to recipients at decordelights.us.
SMTP clients may send messages to recipients at bastardopsfromhell.com.

morercpthosts: (Default.) No effect.

morercpthosts.cdb: (Default.) No effect.

smtpgreeting: (Default.) SMTP greeting: 220 mail.dubuquepeterbilt.com.

smtproutes: (Default.) No artificial SMTP routes.

timeoutconnect: (Default.) SMTP client connection timeout is 60 seconds.

timeoutremote: (Default.) SMTP client data timeout is 1200 seconds.

timeoutsmtpd: (Default.) SMTP server data timeout is 1200 seconds.

virtualdomains: 
Virtual domain: dubuquepeterbilt.com:dubuquepeterbilt.com
Virtual domain: decordelights.us:decordelights.us
Virtual domain: bastardopsfromhell.com:bastardopsfromhell.com

conf-common: I have no idea what this file does.

conf-pop3d: I have no idea what this file does.

conf-qmqpd: I have no idea what this file does.

conf-qmtpd: I have no idea what this file does.

conf-smtpd: I have no idea what this file does.

defaultdelivery: I have no idea what this file does.

servercert.cnf: I have no idea what this file does.

rsa512.pem: I have no idea what this file does.

servercert.pem: I have no idea what this file does.

clientcert.pem: I have no idea what this file does.

locals.lock: I have no idea what this file does.

rcpthosts.lock: I have no idea what this file does.

virtualdomains.lock: I have no idea what this file does.




Re: [vchkpw] can't relay any more

2005-04-16 Thread Jeffrey A Schmidt
On Sat, 2005-04-16 at 08:46 -0400, Tom Collins wrote:
 On Apr 15, 2005, at 8:28 PM, Jeff Schmidt wrote:
  I'm leaning toward a qmail issue vs. a vpopmail issue, but I admit I
  don't know how much vpopmail is involved w/ the smtpd process.
 
  this is the relevant process running on the server:
  /usr/bin/tcpserver -p -v -R -x /etc/tcp.smtp.cdb -c 40 -u 201 -g 200
  0.0.0.0 smtp /var/qmail/bin/qmail-smtpd
  mail.dubuquepeterbilt.com /var/vpopmail/bin/vchkpw /bin/true
 
 It sounds like you've got two possible things going on.
 
 First, trusted hosts can't relay mail.  This is entirely qmail 
 referencing /etc/tcp.smtp.cdb and does not involve vpopmail.
yeah, that's what I thought.

 
 What has changed between the time relaying worked and it didn't work?  
 Did you patch qmail-smtpd in any way?
I wish I knew. I'm not the only one w/ root...
I'm not even sure *when* it broke. it's not heavily used.

 
 Can tcpserver read /etc/tcp.smtp.cdb when running as user 201 and group 
 200?
I assume so - perms on /etc/tcp.smtp.cdb are 644.
I am able to run this without any errors on the command line:
tcpserver -c 5 -x /etc/tcp.smtp.cdb -g 200 -u 201 localhost
26 /var/qmail/bin/qmail-smtpd

 
 The second possible problem is that you can't authenticate.  If you try 
 a manual session with qmail-smtpd and use AUTH LOGIN or AUTH PLAIN 
 (http://fehcom.de/qmail/qmail.html has info on the command formats, 
 you'll need a base64 encoder to generate the strings).
 
 If SMTP AUTH doesn't work either, you should try checking 
 /var/log/maillog to see if vchkpw is indicating an invalid login.
I don't think smtp-auth ever worked. I don't recall seeing any reference
of an smtp-auth patch in the stable ebuild (qmail-1.03-r13), and I'm
pretty sure (roaming users) is disabled in the vpopmail (5.4.6-r1)
ebuild, as well. there are no references to vchkpw in
my /var/log/mail.log

 
 If both relay and auth are failing, then maybe something has happened 
 to your qmail-smtpd such that it's ignoring the RELAYCLIENT environment 
 variable.
that's what I was thinking, but don't know how to verify it. the
time/date on the qmail-smtpd binary is from the original install,
though.

 
 --
 Tom Collins  -  [EMAIL PROTECTED]
 QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
 You don't need a laptop to troubleshoot high-speed Internet: 
 sniffter.com
 



Re: [vchkpw] can't relay any more

2005-04-16 Thread Rick van Vliet
Jeffrey A Schmidt wrote:
 On Fri, 2005-04-15 at 23:07 -0500, Rick van Vliet wrote:

  Hi-
  Maybe I came in late on this thread, but have you posted the output of 
  your /var/qmail/bin/qmail-showctl?
  Not sure that's going to have the whole answer, but there might be 
  something there that stands out.
  rick

 thanks, Rick, here it is:
 qmail home directory: /var/qmail.
 user-ext delimiter: -.
Snip
 locals: 
 Messages for dbns.grasktruckgroup.com are delivered locally.
 Messages for mail.dubuquepeterbilt.com are delivered locally.

 me: My name is mail.dubuquepeterbilt.com.
 percenthack: (Default.) The percent hack is not allowed.
 plusdomain: Plus domain name is dbns.grasktruckgroup.com.
 qmqpservers: (Default.) No QMQP servers.
 queuelifetime: Message lifetime in the queue is 345600 seconds.
 rcpthosts: 
 SMTP clients may send messages to recipients at
 dbns.grasktruckgroup.com.
 SMTP clients may send messages to recipients at dubuquepeterbilt.com.
 SMTP clients may send messages to recipients at decordelights.us.
 SMTP clients may send messages to recipients at bastardopsfromhell.com.

[Snip]
 virtualdomains: 
 Virtual domain: dubuquepeterbilt.com:dubuquepeterbilt.com
 Virtual domain: decordelights.us:decordelights.us
 Virtual domain: bastardopsfromhell.com:bastardopsfromhell.com

OK, Now I'm not 101% sure, but I think that having the same domain in 
locals and in virtualdomains will mess things up. dubuquepeterbilt?
Whether that messes up what your problem is...that's what I'm not sure 
about.
I believe you need to take a close look at how you're setting up local 
versus virtual domains.
(looking more and more like a qmail issue - probably see you over on 
that list. Archives - http://gossamer-threads.com/lists/qmail/users/)

rick


Re: [vchkpw] can't relay any more

2005-04-15 Thread Rick van Vliet
Jeffrey A Schmidt wrote:
 On Fri, 2005-04-15 at 23:06 -0400, Tom Collins wrote:
  On Apr 15, 2005, at 8:28 PM, Jeff Schmidt wrote:

 nope. same story:
 # nc localhost 25
 220 mail.dubuquepeterbilt.com ESMTP
 ehlo localhost
 250-mail.dubuquepeterbilt.com
 250-AUTH LOGIN CRAM-MD5 PLAIN
 250-AUTH=LOGIN CRAM-MD5 PLAIN
 250-STARTTLS
 250-SIZE 8388608
 250-PIPELINING
 250 8BITMIME
 MAIL FROM: [EMAIL PROTECTED]
 250 ok
 RCPT TO: [EMAIL PROTECTED]
 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
 RCPT TO: [EMAIL PROTECTED]
 250 ok
 quit
 221 mail.dubuquepeterbilt.com
 I'm pretty sure Gentoo's ebuild for vpopmail 5.4.6-r1 disables
 smtp-auth, and they recommend using relay-ctrl, which I haven't
 implemented yet.
 any other ideas?

Hi-
Maybe I came in late on this thread, but have you posted the output of 
your /var/qmail/bin/qmail-showctl?
Not sure that's going to have the whole answer, but there might be 
something there that stands out.
rick