On Friday 22 February 2008 06:00:15 pm Nick Bright wrote:
> I'm working on adding security features and compatibility to my server,
> which is currently running vpopmail 5.4.17. At the moment, everything is
> working fine, but there are many features my system doesn't support. My
> end goal is to support virtually any combination of server options in
> Outlook Express. While personally I detest OE, it is without a doubt the
> most commonly used email client, so I'd like to make sure I support it
> as well as possible.
>
> Currently, if someone check marks "Secure password authentication" in OE
> (either for SMTP or POP), it does not work. Is it possible to get
> qmail/vpopmail to support that option for both POP and SMTP?
>
> I've already got SMTP Authentication & SMTP CRAM-MD5 working properly,
> based on the vpopmail contrib patch for such; as well as IMAP-SSL,
> IMAP-TLS (courier-imap).
>
> However, courier-imap doesn't seem to want to use CRAM-MD5. Is there
> something specific about vchkpw that would cause that to not work?
>
> Does anyone on the list know if there are patches for qmail-pop3d to
> support CRAM-MD5 and TLS? I've already reviewed getting STUNNEL going,
> and while I haven't gotten it working yet, I think I'm close.
>
> I don't need step by step instructions, as I've been maintaining a
> qmail/vpopmail server for several years; but I would appreciate any
> pointers towards good patches for supporting these features - if they
> exist.
>

Unpatched, vchkpw currently only supports CRAM-MD5 for SMTP authentication. IMHO it's at least a misfeature, if not a bug. There's a patch at http://alex.zeitform.de/qmail/patches/qmail-popup-auth_cram_md5/vpopmail-5.4.x.patch that adds it for POP connections, but not IMAP. I've never gotten around to trying to add CRAM-MD5 auth to IMAP, as I just use IMAP over SSL to cover that, but it should give you pointers about where to check for how to add the support to vchkpw.

If you do add IMAP CRAM-MD5 auth support to vchkpw, don't forget to add it to your IMAP capabilities line :)

As for qmail-pop3d, IIRC there's not much that needs to be done to support CRAM-MD5 directly - just make sure it advertises the correct challenge in the banner. qmail-pop3d doesn't do any authentication directly in it - you need a cram-md5-enabled checkpasswd program.

Direct TLS support can be added via at least one patch that I know of, using UCSPI-TLS - see http://www.suspectclass.com/~sgifford/ucspi-tls/ucspi-tls-qmail-howto.html for details (Note: this also patches qmail-smtpd, and thus can conflict with other SMTP-SSL patches...).

IIRC, you should be able to find most of this stuff on qmail.org...

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
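
Added example, not part of the original message and not code from vpopmail or qmail: the check a CRAM-MD5-enabled checkpasswd program has to make (RFC 2195), sketched in Python. The function names and the lookup callback are hypothetical; the sample values are the RFC 2195 test vector.

```python
import base64
import hmac

# RFC 2195 sample exchange (test vector from the RFC, not from this thread)
SAMPLE_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
SAMPLE_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"
SAMPLE_USERS = {b"tim": b"tanstaaftanstaaf"}


def cram_md5_digest(password: bytes, challenge: bytes) -> bytes:
    """HMAC-MD5 keyed with the password over the server's challenge, as hex."""
    return hmac.new(password, challenge, "md5").hexdigest().encode()


def parse_response(b64_response: str):
    """Decode base64("<user> <32 hex chars>"); return (user, digest) or None."""
    try:
        raw = base64.b64decode(b64_response, validate=True)
    except ValueError:  # covers binascii.Error and non-ASCII input
        return None
    user, sep, digest = raw.rpartition(b" ")
    if not sep or not user or len(digest) != 32:
        return None
    return user, digest.lower()


def verify(b64_response: str, challenge: bytes, lookup_password):
    """Return the authenticated user name, or None on any failure.

    `challenge` must be the exact string the server sent on this connection
    and must be fresh per connection, otherwise a captured response replays.
    `lookup_password` (hypothetical callback) must return the plaintext
    password: CRAM-MD5 cannot be checked against a crypt()/MD5 password hash.
    """
    parsed = parse_response(b64_response)
    if parsed is None:
        return None
    user, digest = parsed
    password = lookup_password(user)
    # Compute the HMAC even for unknown users so timing does not
    # reveal which accounts exist.
    expected = cram_md5_digest(password or b"\x00", challenge)
    ok = hmac.compare_digest(expected, digest)  # constant-time compare
    return user if ok and password is not None else None


if __name__ == "__main__":
    print(verify(SAMPLE_RESPONSE, SAMPLE_CHALLENGE, SAMPLE_USERS.get))
```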