Re: smtp-auth / vpopmail

2001-05-31 Thread tonix (Antonio Nati)


I want to do that, and in the future I'll extend my patch (checkusers on 
qmail-smtpd) or write a new one, but I've not studied actual patches nor 
I've time to do it in near future.

Tonino

At 31/05/2001 31/05/2001 +0100, Kieran Barnes wrote:
Does anybody have any implementation of, or plans to implement smtp-auth
using vpopmail

I've seen a few smtp-auth patches, but from what I can gather they all use
PAM/checkpassword

I'd like to offer my users relaying with smtp-auth, as an alternative or
replacement for the relay after pop3 authentication method

Any body got any ideas/suggestions on this?

Regards,

Kieran Barnes
Signum 1226 Ltd
Use our Web site at...  http://www.1226.net
Phone us on... 01772 622889
Fax us on...   01772 622558




RE: smtp-auth / vpopmail

2001-05-31 Thread Jonas Pasche

hi there,

i'm using authenticated smtp for over a year now, and it works great. what 
you should know is that there are three different authentication types: 
PLAIN, LOGIN and CRAM-MD5.

here is a nice table on what clients and other mailservers are supporting 
authenticated smtp:

http://members.elysium.pl/brush/smtp-auth/index.html

the author even has a patch for qmail that implements all three 
authentication types, while using cmd5checkpwd (i guess) as an alternative 
to djb's original checkpassword. like checkpassword it authenticates system 
users (/etc/passwd & /etc/shadow). if you want vpopmail authentication, you 
have to use the vchkpw program which doesn't support CRAM-MD5... so there's 
no real CRAM-MD5 authentication possible for vpopmail users yet.

ken - i'm not an md5 expert and don't know exactly how that works, but maybe 
this would be a nice feature to implement in vchkpw.

personally, i'm happy with just the LOGIN mechanism because m$ outlook 
express supports it, and this is the most used client that really has 
problems with pop-before-smtp because it always does smtp-before-pop. both 
pop-before-smtp and authenticated smtp can be used together, so you don't 
have to choose - just use both.

CRAM-MD5 authentication would be best because no cleartext passwords would 
be transferred over the net. but users already do so with pop3 and imap, so 
i personally would prefer using stunnel to use smtp/pop/imap-over-ssl, then 
you don't need to care for cleartext passwords as the complete 
communication would be encrypted.

i'm using the following patch to qmail-smtpd.c:

http://www.cuni.cz/~vhor/qmail/smtpauth-en.html

this patch is based on the patch of mrs. brisby, but it features also a 
workaround for buggy netscape clients and servers (they want to use 
authenticated smtp even if there is no need to). for installation help look 
here (at the bottom):

http://www.nimh.org/code.shtml

unfortunately, the author included a security patch that eliminates all 
non-alphanumeric characters in usernames, which breaks vpopmail as it uses at 
least % and . in its usernames.

look for these lines:

   /* vhor */
   for(i=0;i<strlen(smtpauthlogin);i++) {
     if (! isalnum(smtpauthlogin[i]) ) {
       smtpauthlogin[i] = 'X';
     }
   }

and just delete them to get back vpopmail compatibility.

as chris bolt correctly stated, vchkpw has to be suid, but suid vpopmail 
unfortunately is not enough; it has to be suid root (ken jones told me that 
long time ago), so please re-check the vchkpw code to be sure that you 
don't open security holes through higher privileges. suid root is 
especially needed in situations where vpopmail domains are not all owned by 
vpopmail.vchkpw but by different users (using the command line switches on 
vadddomain).

hope that helped... if you have any questions, let me know.

bye, jon

_
Jonas Pasche, RHCE                        Rheinstr. 3
webagentur Domke GmbH 64283 Darmstadt
Systemadministration / Systementwicklung  Germany

Hotline: 0700 46637243 (24 Pf./Min.)  mailto:[EMAIL PROTECTED]
Telefax: +49 (0)6151 293173   http://www.domke.de
_
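
An alternative to deleting the filter quoted in the message above, as an added example that is not part of the original post or of the patch: keep the character check and widen its allow-list. The function name `filter_smtpauthlogin` and the extra characters `@`, `-` and `_` are assumptions; only `%` and `.` are named in the post.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters allowed in a login besides letters and digits.
 * '%' and '.' come from the post; '@', '-' and '_' are assumptions
 * about what a vpopmail site may also need. */
static const char LOGIN_EXTRA[] = "%.@-_";

/* Replace every character outside the allow-list with 'X', as the
 * original filter does, and return how many were replaced. */
size_t filter_smtpauthlogin(char *login)
{
    size_t replaced = 0;
    size_t len = strlen(login);   /* computed once, not per iteration */
    size_t i;

    for (i = 0; i < len; i++) {
        /* isalnum() is only defined for unsigned char values and EOF */
        unsigned char c = (unsigned char)login[i];
        if (isalnum(c))
            continue;
        if (strchr(LOGIN_EXTRA, c) != NULL)
            continue;
        login[i] = 'X';
        replaced++;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample logins, not taken from the thread. */
    char vpop[] = "joe%example.com";
    char odd[]  = "a b/c\n";
    size_t n;

    n = filter_smtpauthlogin(vpop);
    printf("%s (%lu replaced)\n", vpop, (unsigned long)n);
    n = filter_smtpauthlogin(odd);
    printf("%s (%lu replaced)\n", odd, (unsigned long)n);
    return 0;
}
```

A vpopmail-style login passes through unchanged, while whitespace, slashes and control characters are still rewritten before the login reaches the password checker.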




Re: smtp-auth / vpopmail

2001-05-31 Thread Ondřej Surý

"Chris Bolt" [EMAIL PROTECTED] writes:

 vchkpw can be used as a drop-in replacement for checkpassword. If it
 supports checkpassword, it should work with vchkpw. You may just have to
 make vchkpw suid vpopmail:vchkpw.

Be aware that when you make vchkpw suid vpopmail.vchkpw you have to add
access to your tcp.smtp file for vpopmail user.

-- 
Ondřej Surý [EMAIL PROTECTED]    Globe Internet s.r.o. http://globe.cz/
Tel: +420235365000   Fax: +420235365009 Plnikova 1, 162 00 Praha 6
GPG fingerprint:  CC91 8F02 8CDE 911A 933F  AE52 F4E6 6A7C C20D F273



Re: smtp-auth / vpopmail

2001-05-31 Thread Ondřej Surý

[EMAIL PROTECTED] (Ondřej Surý) writes:

Jonas Pasche [EMAIL PROTECTED] writes:

 as chris bolt correctly stated, vchkpw has to be suid, but suid vpopmail
 unfortunately is not enough; it has to be suid root (ken jones told me that
 long time ago),

This is *not* true!  I have vchkpw running suid vpopmail.vchkpw just fine.

-- 
Ondřej Surý [EMAIL PROTECTED]    Globe Internet s.r.o. http://globe.cz/
Tel: +420235365000   Fax: +420235365009 Plnikova 1, 162 00 Praha 6
GPG fingerprint:  CC91 8F02 8CDE 911A 933F  AE52 F4E6 6A7C C20D F273



Re: smtp-auth / vpopmail

2001-05-31 Thread Jonas Pasche

hi there,

[EMAIL PROTECTED] (Ondřej Surý) writes:

Jonas Pasche [EMAIL PROTECTED] writes:

  as chris bolt correctly stated, vchkpw has to be suid, but suid vpopmail
  unfortunately is not enough; it has to be suid root (ken jones told me that
  long time ago),

This is *not* true!  I have vchkpw running suid vpopmail.vchkpw just fine.

ok, with my old vpopmail version that didn't work; it worked just with suid 
root. obviously this isn't a problem with newer versions. thanks for that 
correction.

but take care, if you create domains under different user id's (vadddomain 
-u/-i/-g) vchkpw _really_ has to be suid root.

bye, jon.
_
Jonas Pasche, RHCE                        Rheinstr. 3
webagentur Domke GmbH 64283 Darmstadt
Systemadministration / Systementwicklung  Germany

Hotline: 0700 46637243 (24 Pf./Min.)  mailto:[EMAIL PROTECTED]
Telefax: +49 (0)6151 293173   http://www.domke.de
_