Re: [vchkpw] vpopmail Authentication Problem

2006-04-19 Thread chris
Solved. It was a softlimit problem.

> On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:
>> I am having trouble with user authentication. I am running Fedora
>> Core 5 on a Dell PowerEdge blade server with the latest (as of a
>> few days ago) versions of qmail, vpopmail, and qmailadmin.
>
> specific version numbers? any patches applied on top of the source?
>
>> I can log into qmailadmin just fine through Apache and I have
>> added a virtual domain and some virtual users. This is reflected
>> in my /var/qmail/ rcpthosts and virtualdomains files. It is also
>> reflected in /home/vpopmail/.
>> The passwords for various users work in vpopmail but nowhere
>> else. I have tried telnetting to port 110 on the box and applying
>> credentials but it always reports:
>>
>> -ERR authorization failed
>
> even for the same "[EMAIL PROTECTED]" account that you used with
> qmailadmin?
>
>> Here are my run scripts. Let me know what other information you
>> require. It may be important to note that this box does not have a
>> FQHN; instead, I have lied to it that its name is
>> "stormtrooper.ucdavis.edu", when there is in actuality another box
>> with that name (our old mail server). I cannot give it that proper
>> name until this box works, because we support hundreds of users
>> and cannot have an e-mail downage. The new blade's hostname is
>> stormtrooper and if I ping that name according to the box it
>> thinks it's 127.0.0.1, so I _think_ it's not a problem.
>
> that's an /etc/hosts issue. both of the "run" scripts are using "0"
> as the IP address, so the hostname shouldn't be an issue for starting
> the services. the one thing to note is that when you do "throw the
> switch", i'm assuming that part of the process will be changing the
> machine's IP address to be the same as the old server... when you
> change the IP, you should restart any services which are listening
> for incoming connections.
>
> your pop3 service is running as root, so it shouldn't be a
> permissions issue... very strange.
>
> the smtp service is running as "qmaild", which means that when qmail-
> smtpd runs vchkpw, it will try to run vchkpw as the qmaild user,
> which doesn't have permissions to read the vpasswd.cdb files (which
> contain the mailbox names and encrypted passwords.) there are two
> solutions for this problem:
>
> (1) run the qmail-smtpd service as the vpopmail user, which can cause
> issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)
>
> (2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter
> which userid starts it, it runs as the vpopmail user.
>
>   # cd ~vpopmail/bin
>   # chown vpopmail:vchkpw vchkpw
>   # chmod 6711 vchkpw
>
> neither solution is the best for everybody- the first one can cause
> issues with other programs, and the second one opens a hole which
> could potentially allow a local user to conduct a dictionary attack
> against mailbox passwords by running vchkpw directly. if you don't
> allow non-trusted people to run arbitrary commands on your machine
> (this includes CGI or PHP scripts as part of a web site) then the
> second option is a non-issue, and is in fact what i've been doing on
> my own server for several years.
>
> however, i have modified qmail-smtpd to check a cdb file when
> validating an AUTH command. i will be rolling a patch file for it,
> and writing a web page to document it, later this week.
>
> --
> | John M. Simpson - KG4ZOW - Programmer At Large |
> | http://www.jms1.net/   <[EMAIL PROTECTED]> |
> --
> | Mac OS X proves that it's easier to make UNIX  |
> | pretty than it is to make Windows secure.  |
> --
>
>
>

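Both the softlimit cause Chris reports and the permissions diagnosis in the quoted message come down to what vchkpw does at the moment qmail-pop3d or qmail-smtpd runs it, so the quickest check is to run the checker by hand, as the service's uid and under the service's limits, instead of going through port 110. The following is an added example and is not code from the thread or from vpopmail: a POSIX shell probe that feeds a checkpassword program its username/password/timestamp record on file descriptor 3 the way qmail-pop3d does, together with a constructed stand-in checker (the mailbox `chris@example.test`, its password and the flat `vpasswd` file are all made up here and stand in for vpasswd.cdb) so the probe can be run on any box. The exit codes are the ones the checkpassword interface defines: 0 accepted, 1 rejected, 2 misuse, 111 temporary failure.

```sh
#!/bin/sh
# Added example (not from the thread or from vpopmail): drive a checkpassword
# program the way qmail-pop3d drives vchkpw, without going through port 110.
#
# checkpassword interface: the caller writes  username NUL password NUL
# timestamp NUL  to the checker's file descriptor 3. On success the checker
# exec()s its own arguments, so "checker true" exits 0 only when the
# credentials were accepted; 1 = rejected, 2 = misuse (no record on fd 3),
# 111 = temporary failure, e.g. the calling uid cannot read the database.

# checkpassword_probe CHECKER USER PASSWORD -> returns the checker's exit status
checkpassword_probe() {
    _checker=$1 _user=$2 _pass=$3
    # the pipe becomes fd 3 of the checker; its stdin is then /dev/null
    printf '%s\0%s\0%s\0' "$_user" "$_pass" "$(date +%s)" |
        "$_checker" true 3<&0 </dev/null
}

# write_mock_checker PATH
# Constructed stand-in for ~vpopmail/bin/vchkpw. MOCK_DB names a flat
# "mailbox:password" file that plays the role of vpasswd.cdb (plaintext is
# for the mock only). It returns the same exit codes a real checker would.
write_mock_checker() {
    cat >"$1" <<'EOF'
#!/bin/sh
[ -r "${MOCK_DB:-}" ] || exit 111             # database not readable
rec=$(tr '\000' '\n' <&3)                     # NUL-separated record, one field per line
exec 3<&-
user=$(printf '%s\n' "$rec" | sed -n 1p)
pass=$(printf '%s\n' "$rec" | sed -n 2p)
[ -n "$user" ] && [ -n "$pass" ] || exit 2    # nothing on fd 3: misuse
grep -qxF "$user:$pass" "$MOCK_DB" || exit 1  # unknown mailbox or wrong password
exec "$@"                                     # accepted: run the real work
EOF
    chmod 700 "$1"
}

# run_probe_demo -> prints "<accepted> <rejected> <unreadable db>" statuses
run_probe_demo() {
    _dir=$(mktemp -d) || return 1
    write_mock_checker "$_dir/vchkpw"
    # constructed mailbox and password (not from the thread)
    printf '%s\n' 'chris@example.test:correct horse' >"$_dir/vpasswd"

    MOCK_DB=$_dir/vpasswd; export MOCK_DB
    checkpassword_probe "$_dir/vchkpw" chris@example.test 'correct horse' && _a=0 || _a=$?
    checkpassword_probe "$_dir/vchkpw" chris@example.test 'wrong'         && _b=0 || _b=$?
    # the situation John describes for qmaild (a database it cannot open),
    # simulated here with a path that does not exist
    MOCK_DB=$_dir/missing.cdb
    checkpassword_probe "$_dir/vchkpw" chris@example.test 'correct horse' && _c=0 || _c=$?

    rm -rf "$_dir"
    echo "$_a $_b $_c"
}

run_probe_demo   # prints: 0 1 111
```

Pointed at the real `~vpopmail/bin/vchkpw` instead of the mock, and run through the same `softlimit -m` value the run script passes and, via daemontools' `setuidgid`, as the same account the service uses, the probe reproduces the thread's symptom without a network client: a wrong password and a checker that cannot open its database or cannot start under the memory limit give different exit statuses, whereas the POP3 conversation collapses all of them into `-ERR authorization failed`.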


Re: [vchkpw] vpopmail Authentication Problem

2006-04-19 Thread chris
About [EMAIL PROTECTED] (the user that works in
qmailadmin on my test box), I cannot log in using telnet localhost 110
with that account either.

I followed your commands to setuid for that program and issued qmailctl
stop, qmailctl start and tried again. Still the same auth errors.

Here are the versions I'm using:
Fedora Core 5 (2.6.16-1.2080_FC5smp, 32-bit i686)
netqmail-1.05 (qmail-1.03)
ezmlm-0.53
vpopmail-5.4.13
qmailadmin-1.2.9

I'm also running bincimap and squirrelmail but that's not really related
to these problems.

Any help is appreciated!

Chris Thielen
Network Programmer
Creative Media
University of California, Davis

> On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:
>> I am having trouble with user authentication. I am running Fedora
>> Core 5 on a Dell PowerEdge blade server with the latest (as of a
>> few days ago) versions of qmail, vpopmail, and qmailadmin.
>
> specific version numbers? any patches applied on top of the source?
>
>> I can log into qmailadmin just fine through Apache and I have
>> added a virtual domain and some virtual users. This is reflected
>> in my /var/qmail/ rcpthosts and virtualdomains files. It is also
>> reflected in /home/vpopmail/.
>> The passwords for various users work in vpopmail but nowhere
>> else. I have tried telnetting to port 110 on the box and applying
>> credentials but it always reports:
>>
>> -ERR authorization failed
>
> even for the same "[EMAIL PROTECTED]" account that you used with
> qmailadmin?
>
>> Here are my run scripts. Let me know what other information you
>> require. It may be important to note that this box does not have a
>> FQHN; instead, I have lied to it that its name is
>> "stormtrooper.ucdavis.edu", when there is in actuality another box
>> with that name (our old mail server). I cannot give it that proper
>> name until this box works, because we support hundreds of users
>> and cannot have an e-mail downage. The new blade's hostname is
>> stormtrooper and if I ping that name according to the box it
>> thinks it's 127.0.0.1, so I _think_ it's not a problem.
>
> that's an /etc/hosts issue. both of the "run" scripts are using "0"
> as the IP address, so the hostname shouldn't be an issue for starting
> the services. the one thing to note is that when you do "throw the
> switch", i'm assuming that part of the process will be changing the
> machine's IP address to be the same as the old server... when you
> change the IP, you should restart any services which are listening
> for incoming connections.
>
> your pop3 service is running as root, so it shouldn't be a
> permissions issue... very strange.
>
> the smtp service is running as "qmaild", which means that when qmail-
> smtpd runs vchkpw, it will try to run vchkpw as the qmaild user,
> which doesn't have permissions to read the vpasswd.cdb files (which
> contain the mailbox names and encrypted passwords.) there are two
> solutions for this problem:
>
> (1) run the qmail-smtpd service as the vpopmail user, which can cause
> issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)
>
> (2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter
> which userid starts it, it runs as the vpopmail user.
>
>   # cd ~vpopmail/bin
>   # chown vpopmail:vchkpw vchkpw
>   # chmod 6711 vchkpw
>
> neither solution is the best for everybody- the first one can cause
> issues with other programs, and the second one opens a hole which
> could potentially allow a local user to conduct a dictionary attack
> against mailbox passwords by running vchkpw directly. if you don't
> allow non-trusted people to run arbitrary commands on your machine
> (this includes CGI or PHP scripts as part of a web site) then the
> second option is a non-issue, and is in fact what i've been doing on
> my own server for several years.
>
> however, i have modified qmail-smtpd to check a cdb file when
> validating an AUTH command. i will be rolling a patch file for it,
> and writing a web page to document it, later this week.
>
> --
> | John M. Simpson - KG4ZOW - Programmer At Large |
> | http://www.jms1.net/   <[EMAIL PROTECTED]> |
> --
> | Mac OS X proves that it's easier to make UNIX  |
> | pretty than it is to make Windows secure.  |
> --
>
>
>



Re: [vchkpw] vpopmail Authentication Problem

2006-04-19 Thread John Simpson

On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:

I am having trouble with user authentication. I am running Fedora
Core 5 on a Dell PowerEdge blade server with the latest (as of a
few days ago) versions of qmail, vpopmail, and qmailadmin.


specific version numbers? any patches applied on top of the source?


I can log into qmailadmin just fine through Apache and I have
added a virtual domain and some virtual users. This is reflected
in my /var/qmail/ rcpthosts and virtualdomains files. It is also
reflected in /home/vpopmail/.
The passwords for various users work in vpopmail but nowhere
else. I have tried telnetting to port 110 on the box and applying
credentials but it always reports:

-ERR authorization failed


even for the same "[EMAIL PROTECTED]" account that you used with  
qmailadmin?



Here are my run scripts. Let me know what other information you
require. It may be important to note that this box does not have a
FQHN; instead, I have lied to it that its name is
"stormtrooper.ucdavis.edu", when there is in actuality another box
with that name (our old mail server). I cannot give it that proper
name until this box works, because we support hundreds of users
and cannot have an e-mail downage. The new blade's hostname is
stormtrooper and if I ping that name according to the box it
thinks it's 127.0.0.1, so I _think_ it's not a problem.


that's an /etc/hosts issue. both of the "run" scripts are using "0"  
as the IP address, so the hostname shouldn't be an issue for starting  
the services. the one thing to note is that when you do "throw the  
switch", i'm assuming that part of the process will be changing the  
machine's IP address to be the same as the old server... when you  
change the IP, you should restart any services which are listening  
for incoming connections.


your pop3 service is running as root, so it shouldn't be a  
permissions issue... very strange.


the smtp service is running as "qmaild", which means that when qmail- 
smtpd runs vchkpw, it will try to run vchkpw as the qmaild user,  
which doesn't have permissions to read the vpasswd.cdb files (which  
contain the mailbox names and encrypted passwords.) there are two  
solutions for this problem:


(1) run the qmail-smtpd service as the vpopmail user, which can cause  
issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)


(2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter  
which userid starts it, it runs as the vpopmail user.


# cd ~vpopmail/bin
# chown vpopmail:vchkpw vchkpw
# chmod 6711 vchkpw

neither solution is the best for everybody- the first one can cause  
issues with other programs, and the second one opens a hole which  
could potentially allow a local user to conduct a dictionary attack  
against mailbox passwords by running vchkpw directly. if you don't  
allow non-trusted people to run arbitrary commands on your machine  
(this includes CGI or PHP scripts as part of a web site) then the  
second option is a non-issue, and is in fact what i've been doing on  
my own server for several years.


however, i have modified qmail-smtpd to check a cdb file when  
validating an AUTH command. i will be rolling a patch file for it,  
and writing a web page to document it, later this week.


--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/   <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.  |
--

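Option (2) above deliberately leaves the checker executable by every local account, which is the exposure John describes, so after running the two commands it is worth confirming that the bits actually set are 6711 and nothing more permissive: setuid and setgid, owner rwx, and execute-only for group and others, so unprivileged callers can run the binary but cannot read or copy it. What follows is an added example, not the poster's code and not part of vpopmail: a shell check that a file is owned `vpopmail:vchkpw` with mode 6711, plus a wrapper that applies the two commands from the post and then verifies the result. It assumes GNU coreutils `stat` (as on the Fedora box in the thread). Owner and group are parameters only so that the demo at the bottom can run against a scratch file as the current user; the real invocation is the one in the final comment.

```sh
#!/bin/sh
# Added example (not from the thread or from vpopmail): verify the setuid
# arrangement of option (2). Mode 6711 = setuid + setgid, owner rwx, execute-only
# for group and others: any local uid may run the checker (the dictionary-attack
# exposure John notes) but none may read or copy the binary.
# Assumes GNU coreutils stat (-c '%a %U %G').

# setuid_checker_ok FILE OWNER GROUP -> 0 when FILE is OWNER:GROUP with mode 6711
setuid_checker_ok() {
    _f=$1 _want_owner=$2 _want_group=$3
    [ -f "$_f" ] || { echo "$_f: missing or not a regular file" >&2; return 1; }
    _mode=$(stat -c '%a' "$_f")  || return 1     # permission bits in octal, e.g. 6711
    _owner=$(stat -c '%U' "$_f") || return 1
    _group=$(stat -c '%G' "$_f") || return 1
    _rc=0
    [ "$_mode" = 6711 ] || { echo "$_f: mode $_mode, want 6711" >&2; _rc=1; }
    [ "$_owner" = "$_want_owner" ] || { echo "$_f: owner $_owner, want $_want_owner" >&2; _rc=1; }
    [ "$_group" = "$_want_group" ] || { echo "$_f: group $_group, want $_want_group" >&2; _rc=1; }
    return $_rc
}

# install_setuid_checker FILE OWNER GROUP
# The two commands from the post, followed by verification, so a typo in
# either is reported instead of silently leaving the checker unusable by qmaild.
install_setuid_checker() {
    chown "$2:$3" "$1" && chmod 6711 "$1" && setuid_checker_ok "$1" "$2" "$3"
}

# setuid_demo: exercise both functions on a scratch file owned by the current
# user (no vpopmail account needed). Prints "applied=0 after_chmod_755=1".
setuid_demo() {
    _t=$(mktemp) || return 1
    install_setuid_checker "$_t" "$(id -un)" "$(id -gn)" && _applied=0 || _applied=$?
    chmod 755 "$_t"                                     # drop setuid/setgid again
    setuid_checker_ok "$_t" "$(id -un)" "$(id -gn)" 2>/dev/null && _after=0 || _after=$?
    rm -f "$_t"
    echo "applied=$_applied after_chmod_755=$_after"
}

setuid_demo
# on the mail server itself:
#   install_setuid_checker ~vpopmail/bin/vchkpw vpopmail vchkpw
```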


