I installed courier-authlib because sqwebmail now requires it.  This is a
pure vchkpw auth situation.

The courier-authlib install provides these two options for its ./configure

    --with-mailuser=userid, --with-mailgroup=groupid

I decided to omit these options because of the following statement in the
courier-authlib INSTALL file:

> "userid" is a reserved system username, "groupid" is a reserved system
> groupname. These two options should be used before installing Courier for the
> first time. These options are not required before installing Courier-IMAP or
> SqWebMail.

This works fine for sqwebmail login, but password changing via sqwebmail is
failing as per this maillog entry:

    sqwebmaild: authdaemon: s_connect() failed: Permission denied

However, using either sqwebpasswd or authtest from the command line (as
root) allows passwords to be changed successfully.  So it seems clear that
permissions is the only problem.

Searching the sqwebmail archives for the above maillog error reveals this
advice from Sam:

> Presuming that you"re using the latest versions of all packages: verify the
> ownership and the permissions of the sqwebpasswd wrapper.  It should have
> the setgid bit set, and owned by whatever userid and groupid was assigned to
> courier-authlib.

My sqwebpasswd seems to meet this requirement as these two directory
listings show:

    -rwxr-sr-x  1 root  wheel    3752 Apr 11 20:23 sqwebpasswd

    -rwxr-xr-x  1 root  wheel  51860 Apr 11 00:29 authdaemond*

assuming authdaemond's ownership is a correct reference for the "userid and
groupid was assigned to courier-authlib".

But I was a little surprised to see the root/wheel ownership, and this also
contradicts what the courier-authlib INSTALL file says will happen if the
above two options are not set and there is no previous Courier install:

> The userid is the first userid from the following list which exists in the
> system: courier, daemon, adm, bin, root; and the groupid is the first  groupid
> from the following list which exists in the system: courier,  daemon, adm,
> sys, root

because I do have daemon both as a user-id and a group-id on my system.
(That is apparently a bug in courier-authlib configure process and I will
report it on an appropriate list.)

However, this made me wonder if there are any opinions here about "best
practices" for courier-authlib ownership in a primarily-vpopmail situation.
The possibility of using vpopmail/vchkpw comes to mind immediately, but
maybe courier-authlib is a wrapper that makes this irrelevant, so that
creating a "courier" user and group would be just as good.

I'd also like to do things in a way that wouldn't get me in trouble if I
later add Courier IMAP to my system.

Thanks in advance for any suggestions, or even a solution to my
password-changing problem.


    vpopmail 5.4.10

Reply via email to