> Quoting Joshua Megerman <[EMAIL PROTECTED]>:
>> Sounds like there's something funky going on with the chkuser patch for
>> you - do you have the same problem when not using TLS?  I'm not a
>> chkuser
>> expert, but have you double-checked your chkuser settings?
> The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID.  From
> what I've read on the Interazioni site this option will cause issues
> wtih TLS.  I enabled this because qmail-smtpd was unable to run vchkpw
> without it enabled.  I assume this is because of users/group
> permission but even with the qmail & vpopmail user in the same group
> vchkpw didn't run.
I don't have it enabled, and I have no problems running qmail-smtpd as
vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw).  Which TLS
patch set are you using?

>> Qmail implements SMTP_VRFY, but it doesn't actually do anything.  DJB
>> (rightly, IMHO) decided that it didn't make sense to let people
>> constantly
>> hammer your system with VRFY commands to determine who was or wasn't a
>> valid user, and so (per the RFC) qmail's VRFY implementation responds
>> with
>> a message that indicates a non-answer (252 send some mail, i'll try my
>> best) and doesn't actually indicate whether the address is valid or not.
>> Chkuser can result in giving the same information, as it will reject
>> non-valid users, but this at least forces spammers to try to send mail,
>> and get rejections (and possibly dropped altogether) rather than just
>> scanning a qmail SMTP server...
> This makes sense but doesn't chkuser essentially do the same thing
> SMTP_VRFY would do?
Yes and no.  The VRFY command is outside of sending mail - a rogue client
could connect to the SMTP server, and after issuing a HELO/EHLO greeting,
just run repeated VRFY commands to see if a user is valid or not.  Chkuser
operates in the RCPT phase of the conversation, so a client has to start
with a MAIL FROM command, which can be checked, and then each RCPT command
can either be accepted or rejected - and chkuser can also be configured to
reject ALL users after a certain number of invalid ones, preventing spam
to real users if fake ones are also sent.  It's a fine line, but it can
make a difference.

Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics

Reply via email to