On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:
I am having trouble with user authentication. I am running Fedora
Core 5 on a Dell PowerEdge blade server with the latest (as of a
few days ago) versions of qmail, vpopmail, and qmailadmin.

specific version numbers? any patches applied on top of the source?

I can log into qmailadmin just fine through Apache and I have
added a virtual domain and some virtual users. This is reflected
in my /var/qmail/ rcpthosts and virtualdomain files. It is also
reflected in /home/vpopmail/.
The passwords for various users work in vpopmail but nowhere
else. I have tried telnetting to port 110 on the box and applying
credentials but it always reports:

-ERR authorization failed

even for the same "[EMAIL PROTECTED]" account that you used with qmailadmin?

Here are my run scripts. Let me know what other information you
require. It may be important to note that this box does not have a
FQHN, instead, I have lied to it that its name is
"stormtrooper.ucdavis.edu", when there is in actuality another box
with that name (our old mail server). I cannot give it that proper
name until this box works, because we support hundreds of users
and cannot have an e-mail downage. The new blade's hostname is
stormtrooper and if I ping that name according to the box it
thinks it's, so I _think_ it's not a problem.

that's an /etc/hosts issue. both of the "run" scripts are using "0" as the IP address, so the hostname shouldn't be an issue for starting the services. the one thing to note is that when you do "throw the switch", i'm assuming that part of the process will be changing the machine's IP address to be the same as the old server... when you change the IP, you should restart any services which are listening for incoming connections.

your pop3 service is running as root, so it shouldn't be a permissions issue... very strange.

the smtp service is running as "qmaild", which means that when qmail-smtpd runs vchkpw, it will try to run vchkpw as the qmaild user, which doesn't have permissions to read the vpasswd.cdb files (which contain the mailbox names and encrypted passwords.) there are two solutions for this problem:

(1) run the qmail-smtpd service as the vpopmail user, which can cause issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)

(2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter which userid starts it, it runs as the vpopmail user.

        # cd ~vpopmail/bin
        # chown vpopmail:vchkpw vchkpw
        # chmod 6711 vchkpw

neither solution is the best for everybody- the first one can cause issues with other programs, and the second one opens a hole which could potentially allow a local user to conduct a dictionary attack against mailbox passwords by running vchkpw directly. if you don't allow non-trusted people to run arbitrary commands on your machine (this includes CGI or PHP scripts as part of a web site) then the second option is a non-issue, and is in fact what i've been doing on my own server for several years.

however, i have modified qmail-smtpd to check a cdb file when validating an AUTH command. i will be rolling a patch file for it, and writing a web page to document it, later this week.

| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/           <[EMAIL PROTECTED]> |
| Mac OS X proves that it's easier to make UNIX  |
| pretty than it is to make Windows secure.      |
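
Added example (not part of the original message): a small audit script that reports which of the states discussed above a vchkpw binary is in, so the trade-off of the setuid option is visible on a given box. The function names and the third "setuid-restricted" state are assumptions of this example; pass the path to the binary (the message uses ~vpopmail/bin/vchkpw) as the argument.

```shell
#!/bin/sh
# Added example: classify the permission state of a vchkpw binary.
# classify_vchkpw PATH prints one of:
#   missing            - no regular file at PATH
#   not-setuid         - runs as the caller (e.g. qmaild), which cannot
#                        read the vpasswd.cdb files
#   setuid-world-exec  - the "chmod 6711" state: runs as the file owner
#                        and any local user may execute it directly
#   setuid-restricted  - setuid, but "other" has no execute bit
classify_vchkpw() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    # find prints the path only when every bit in the mask is set
    if [ -z "$(find "$f" -prune -perm -4000)" ]; then
        echo not-setuid
    elif [ -n "$(find "$f" -prune -perm -0001)" ]; then
        echo setuid-world-exec
    else
        echo setuid-restricted
    fi
}

# report PATH: human-readable summary including owner and group
report() {
    state=$(classify_vchkpw "$1")
    if [ "$state" != missing ]; then
        # fields 3 and 4 of "ls -ld" are owner and group
        echo "owner:group = $(ls -ld "$1" | awk '{print $3 ":" $4}')"
    fi
    case $state in
        missing)           echo "$1: not found" ;;
        not-setuid)        echo "$1: not setuid; callers such as qmaild run it under their own uid" ;;
        setuid-world-exec) echo "$1: setuid and world-executable; any local account or web script can invoke it" ;;
        setuid-restricted) echo "$1: setuid, execute limited to owner/group" ;;
    esac
}

# Run only when a path is supplied on the command line
if [ $# -gt 0 ]; then
    report "$1"
fi
```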
