On 2006-02-07, at 0623, N0K wrote:
Hello, and thanks for the reply. I have removed the old smtp auth patch and I have patched with the vpopmail/contrib patch, but now I get the following error:

tsuki:/var/qmail/supervise# telnet localhost 25
334 VXNlcm5hbWU6
YnJvZHJpasffZ3sVlemJAZnVqaXRzdS5l     -> username in base64
334 UGFzc3dvcmQ6
MTIzMDhA                                             -> pass in base64
454 oops, unable to write pipe and I can't auth (#4.3.0)

qmail-smtpd is trying to run the checkpassword program, and can't.

check the permissions on your checkpassword program (specified on your qmail-smtpd command line- if the example you sent is accurate, this will be "/home/vpopmail/bin/vchkpw".) and here's the part a lot of people forget- also check the permissions of each directory which contains it. for example, if the program is "/home/vpopmail/bin/vchkpw", you need to make sure that "/home", "/home/vpopmail", and "/home/vpopmail/bin" all have AT LEAST "x" permission for "group" and "other" (i.e. "chmod go+x /home /home/vpopmail /home/vpopmail/bin".)

the next problem you're going to run into is that (according to the smtp run script you sent) qmail-smtpd is running as the userid "qmaild", and in order for "vchkpw" to read the vpasswd.cdb files and do its job, it has to be run as either the vpopmail user, or as root. the easiest way to make this happen is to make the vchkpw binary setuid, like so:

        # chmod 6711 /home/vpopmail/bin/vchkpw

however, this could potentially be dangerous if normal users have access to run commands on the machine- a user could run vchkpw over and over, for example, in an attempt to do brute-force guessing of other people's passwords. there are other options- a popular one is to make qmail-smtpd run as the vpopmail user, however if you're using qmail-scanner, simscan or any other QMAILQUEUE program, this will also cause those programs to run as the vpopmail user as well. i'm not saying this is a good or a bad thing, just something to be aware of- as long as you understand what's going on, it can be handled.

| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
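
An audit of the two checks described in the message above, added here as an example (it is not part of the original post, nor of qmail or vpopmail): it walks every parent directory of the checkpassword program and reports any that lack "x" for group or other, then reports the set-id bits on the binary. The function names are hypothetical; the path in the usage comment is the one from the thread.

```shell
#!/bin/sh
# Added example; missing_traverse and setid_bits are hypothetical helper names.

# Print each ancestor directory of $1 that lacks "x" for group or other.
# Returns 0 if every ancestor is traversable, 1 otherwise.
missing_traverse() {
    dir=$(dirname "$1")
    rc=0
    while :; do
        mode=$(ls -ld "$dir" | cut -c1-10)      # e.g. drwxr-x--x
        g=$(printf '%s' "$mode" | cut -c7)      # group execute slot
        o=$(printf '%s' "$mode" | cut -c10)     # other execute slot
        # "s" (setgid) and "t" (sticky) in these slots still imply x.
        case "$g" in x|s) ;; *) echo "$dir: no group x ($mode)"; rc=1 ;; esac
        case "$o" in x|t) ;; *) echo "$dir: no other x ($mode)"; rc=1 ;; esac
        case "$dir" in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Report set-id bits on the program itself ("chmod 6711" sets both).
setid_bits() {
    mode=$(ls -ld "$1" | cut -c1-10)
    out=""
    case "$(printf '%s' "$mode" | cut -c4)" in s|S) out="setuid" ;; esac
    case "$(printf '%s' "$mode" | cut -c7)" in s|S) out="${out:+$out }setgid" ;; esac
    echo "${out:-none}"
}

# Usage: sh audit.sh /home/vpopmail/bin/vchkpw
if [ "$#" -gt 0 ]; then
    missing_traverse "$1" && echo "all parent directories are traversable"
    echo "set-id bits on $1: $(setid_bits "$1")"
fi
```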
