Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-02, at 0829, Rick Widmer wrote:
> John Simpson wrote:
>> On 2006-04-01, at 0547, Rick Widmer wrote:
>>> I was planning
>>
>> if you would like a way to see if a user exists without returning anything else... that's certainly a possibility, easy enough to add... should that be available to any client without authenticating first? or if it requires an authenticated session, should it be available to any user, or just the domain-admin for that domain, or only for a system-admin?
>
> I think it should just take any user/password combination and return OK if the user exists or ERROR, then exit. If you need to login to find out if a user exists programs will have to have login credentials in the script. Not a good idea.

so are you asking about "does this mailbox exist, yes or no", or are you asking about "is this the correct password for this mailbox, yes or no"?

if it's a simple existence check, do you want that information available to any client who connects to the service? especially if you are running the service on a non-localhost interface (or on 0.0.0.0) and aren't using a tcpserver access control file?

i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.

http://qmail.jms1.net/patches/vpopmail.html

> I haven't been able to access the SourceForge CVS server for the last two days. I think they may have changed the rules, and may have found what I need to do in the docs... which is what I was doing when I stopped to answer these messages. I'll try to have this in 5.5 within a few days. I still need to see just what is different between 5.4 and 5.5.
it just occurred to me, i had never looked at the list of "developers" for the sourceforge page, i figured it was just inter7 people. i didn't realize you were able to commit code (when the CVS servers are working)... coolness.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:
> and since i now have two different patches for vpopmail, it's time to create a new web page to hold them. both patches are available from this page, which includes basic documentation for the new features.
>
> http://qmail.jms1.net/patches/vpopmail.html

Actually it's .shtml not .html.

In the patch, how do you separate password and real_name in add_user? I know the help doesn't mention it, but I think it requires a real name value to put into GECOS. It is at least an option.

> "slogin" is the same as the other two "login" commands- it logs into vpopmaild. the only difference is the amount of information returned. none of them will automatically quit after authenticating, that's why there is a "quit" command.

Sounds good to me.

> so are you asking about "does this mailbox exist, yes or no", or are you asking about "is this the correct password for this mailbox, yes or no"?

I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.

Maybe we could provide a validrcptto command, allowed before login, but you have to add --enable-vpopmaild-validrcptto in ./configure to use it. That way they have to act to enable the ability, and they get a warning from ./configure about tightening security.

> i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.

I'm all for documentation. :) I wrote most of README.vpopmaild. It's not great but it's better than what was there before...
To run as daemon:

  tcpserver -vHRD 0 89 ./vpopmaild

Then as client:

  telnet localhost 89

Or to run on the command line for testing:

  ./vpopmaild

First login. example:

  login [EMAIL PROTECTED] password

Then for a list of commands:

  help

Speaking of documentation, can I add much of your page http://qmail.jms1.net/vpopmaild.shtml to the README.vpopmaild file? I'll credit you and let you review it before I commit. I'm pretty sure you can edit the wiki if you want, you just have to register first. If not, I'm considering making sure everything you need to know is in the wiki, and making the wiki page the README file.

Rick

p.s. I got a kick out of this: "with a working vpopmaild service it becomes possible to write a program like vqadmin or qmailadmin which does all of its work using vpopmaild commands." That's _exactly_ what vpopmaild was written to allow. I couldn't have said it better.
[vchkpw] Re: 5.4.15 onchange patch
Rick Widmer wrote:
> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.

Yes - having this functionality would obviate the need to maintain the validrcptto list. Any tool that wants to check the existence of a mailbox for a given email address on a given host would just need to telnet to port 89 and supply a command like "exists [EMAIL PROTECTED]". An "OK" response would mean it does exist. It should not quit automatically, to allow the checking of several addresses in sequence, e.g.:

  connect
  exists [EMAIL PROTECTED]
  exists [EMAIL PROTECTED]
  exists [EMAIL PROTECTED]
  quit

Does vpopmaild fork? i.e. does it allow multiple connections? I guess it uses tcpserver to run it so tcpserver will do all the work. Cool.

R.

> p.s. I got a kick out of this: "with a working vpopmaild service it becomes possible to write a program like vqadmin or qmailadmin which does all of its work using vpopmaild commands." That's _exactly_ what vpopmaild was written to allow. I couldn't have said it better.

I look forward to seeing a php/perl/python/whatever replacement for both vqadmin and qmailadmin.

R.
Re: [vchkpw] Re: 5.4.15 onchange patch
On Apr 3, 2006, at 5:24 AM, Robin Bowes wrote:
> Rick Widmer wrote:
>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.
>
> Yes - having this functionality would obviate the need to maintain the validrcptto list.

I'm not following vpopmaild development, so ignore me if you've already considered this, but you should be sure to support quota checking through that interface as well. Doing so would allow a patch to qmail-smtpd to reject email for non-existent users and defer email for users over quota.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/
Vpopmail: http://vpopmail.sf.net/
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 0727, Rick Widmer wrote:
> John Simpson wrote:
>> and since i now have two different patches for vpopmail, it's time to create a new web page to hold them. both patches are available from this page, which includes basic documentation for the new features.
>>
>> http://qmail.jms1.net/patches/vpopmail.html
>
> Actually it's .shtml not .html.

yeah, i'll learn how to type one of these days.

> In the patch, how do you separate password and real_name in add_user? I know the help doesn't mention it, but I think it requires a real name value to put into GECOS. It is at least an option.

good point. i totally missed that, and i even changed one of the _TOKENS strings to be called GECOS_TOKENS after seeing that it was only used the one time. now we see why it's better to have several eyes looking at the code.

this is going to be another problem. since a password may contain spaces, and a gecos may also contain spaces, there is no reliable way to write such a parser unless there is a specific delimiter between them... and since a password, by definition, can contain any printable character (ASCII 0x21 - 0x7E) the delimiter cannot be one of these.

my honest answer is this: README.vpopmaild doesn't talk about there being a gecos field, neither does the vpopmaild wiki entry. in this one case, because the documentation doesn't mention it and because it causes a problem, i would say to pull the gecos functionality out of the add_user command, and add a "gecos" verb to "mod_user" (which needs one anyway.)

there will be a newer patch on my web site this evening (i would do it now but i need to run some errands first.)

>> so are you asking about "does this mailbox exist, yes or no", or are you asking about "is this the correct password for this mailbox, yes or no"?
>
> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.
>
> Maybe we could provide a validrcptto command, allowed before login, but you have to add --enable-vpopmaild-validrcptto in ./configure to use it. That way they have to act to enable the ability, and they get a warning from ./configure about tightening security.

maybe... but validrcptto.cdb is different. it isn't concerned with mailboxes or passwords, as far as it's concerned an alias is just as valid, or if the file contains "@domain", any address in the domain is valid... or if there is a "-default" version of an alias, any suffix after that is valid. vpopmaild is not a good match for what validrcptto.cdb already does.

what it IS a good match for, however, is processing AUTH requests- since every vpopmail mailbox which doesn't have the "no_smtp" flag should also be valid for the AUTH command.

i've been thinking about ways to both speed up, and simplify, processing of the AUTH command. the two ideas which have come to mind are:

(1) have qmail-smtpd check an "auth.cdb" file, where the key is a mailbox and the value is the encrypted password.

(2) have qmail-smtpd open a socket to a vpopmaild service, or a courierauthd service (i wrote a simple widget which handles the "login", "help", and "quit" commands, but uses courier-authlib instead of libvpopmail) and uses that to verify the ID and password which were entered. http://qmail.jms1.net/courierauthd.shtml talks about it. the page is not really finished but the code is very simple and it works, if you can link it- there are issues with how BSD handles linking with the courier-authlib library and i don't have a BSD system to play with.

the "auth.cdb" idea is a lot easier to write, and to me it makes more sense. however, the idea of using vpopmaild for this purpose is also intriguing from a programming standpoint (i.e. CAN i write this code, how can i make a single version of qmail-smtpd which can handle all three AUTH schemes- fork/exec vchkpw, auth.cdb, and vpopmaild.)

i think what i'll end up doing is writing the auth.cdb patch first, and then worrying about "AUTH via vpopmaild" later.

>> i'm not against it, i just think if we're going to add something like this, the documentation for creating a vpopmaild service should mention, very prominently, that this information is exposed to anybody who connects and that the user (system administrator setting up the service) should either run the service on 127.0.0.1 (as i do), or should have a tcpserver access control file which only allows authorized machines to connect.
>
> I'm all for documentation. :) I wrote most of README.vpopmaild. It's not great but it's better than what was there before...
>
> ...
>
> Speaking of documentation, can I add much of your page http://qmail.jms1.net/vpopmaild.shtml to the README.vpopmaild file? I'll credit you and let you review it before I commit.

not a problem.
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 0824, Robin Bowes wrote:
> Rick Widmer wrote:
>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.
>
> Yes - having this functionality would obviate the need to maintain the validrcptto list. Any tool that wants to check the existence of a mailbox for a given email address on a given host would just need to telnet to port 89 and supply a command like "exists [EMAIL PROTECTED]".

the problem is that validrcptto.cdb doesn't check "mailboxes"- it checks "recipient email addresses". mailboxes are recipients, yes, but other things can be valid recipients as well- aliases, certain flavours of "anything" (in case of a ".qmail-[something-]default" file or a domain with a non-bounce "catch-all" setting), and some people have custom requirements where they want to control which addresses can receive mail from outside.

> An "OK" response would mean it does exist. It should not quit automatically, to allow the checking of several addresses in sequence, e.g.:
>
>   connect
>   exists [EMAIL PROTECTED]
>   exists [EMAIL PROTECTED]
>   exists [EMAIL PROTECTED]
>   quit

this is known as a "dictionary attack" (or a "bad thing".) it allows the attacker to enumerate which email addresses do and don't work on your server. this used to be a major strategy of the wily spammer, but most mail servers now take steps to prevent it. however, i have seen a few people try it on my own server (and promptly blacklisted those IP addresses.)

> Does vpopmaild fork? i.e. does it allow multiple connections? I guess it uses tcpserver to run it so tcpserver will do all the work. Cool.

that's it exactly- tcpserver handles all of the networking stuff, vpopmaild is just talking to stdin/stdout, with log output going to stderr. makes it really easy to write server programs.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 1159, Tom Collins wrote:
> On Apr 3, 2006, at 5:24 AM, Robin Bowes wrote:
>> Rick Widmer wrote:
>>> I was under the impression your interest is based on Robin Bowes' suggestion about the validrcptto.cdb patch, so it is "does this mailbox exist." We may as well make it easy, it should be a popular function.
>>
>> Yes - having this functionality would obviate the need to maintain the validrcptto list.
>
> I'm not following vpopmaild development, so ignore me if you've already considered this, but you should be sure to support quota checking through that interface as well. Doing so would allow a patch to qmail-smtpd to reject email for non-existent users and defer email for users over quota.

good point, but it's a non-issue. the validrcptto.cdb functionality is not going to be bundled into vpopmaild, the two programs are not doing the same things.

and besides, if a user's mailbox is over quota, i would rather keep the message in my local queue where it will be delivered rather quickly when the user finally brings their mailbox back below their quota (and where i can send an ALRM signal to qmail-send to force-deliver the message when they call me about it, because they don't want to wait a few hours for qmail-send to decide to deliver it on its own.)

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
[vchkpw] Re: 5.4.15 onchange patch
John Simpson wrote:
> (2) have qmail-smtpd open a socket to a vpopmaild service, or a courierauthd service (i wrote a simple widget which handles the "login", "help", and "quit" commands, but uses courier-authlib instead of libvpopmail) and uses that to verify the ID and password which were entered. http://qmail.jms1.net/courierauthd.shtml talks about it. the page is not really finished but the code is very simple and it works, if you can link it- there are issues with how BSD handles linking with the courier-authlib library and i don't have a BSD system to play with.

This is how I've implemented a plugin for qpsmtpd that auths against vpopmaild. It's extremely easy:

  # create socket
  my $vpopmaild_socket = IO::Socket::INET->new(PeerAddr => vpopmaild_host,
                                               PeerPort => vpopmaild_port,
                                               Proto    => "tcp",
                                               Type     => SOCK_STREAM)
      or return (DECLINED);

  # send login details
  print $vpopmaild_socket "login $user $passClear\n\r";

  # get response from server
  my $login_response = <$vpopmaild_socket>;
  close ($vpopmaild_socket);

  # check for successful login
  if ($login_response =~ /\+OK.*/) {
      return ( OK, "authcheckpassword" );
  } else {
      return (DECLINED);
  }

Of course, qpsmtpd is written in perl so this sort of thing *is* pretty easy!

> the "auth.cdb" idea is a lot easier to write, and to me it makes more sense. however, the idea of using vpopmaild for this purpose is also intriguing from a programming standpoint (i.e. CAN i write this code, how can i make a single version of qmail-smtpd which can handle all three AUTH schemes- fork/exec vchkpw, auth.cdb, and vpopmaild.)

You really should check out qpsmtpd. It can handle several auth types easily.

R.
[vchkpw] rblsmtpd with vchkpw
Hi,

Is there any rule to put in ~vpopmail/etc/tcp.smtp so that a user who has been authenticated is not IP-checked by rblsmtpd? I think that might be possible using environment variables, or maybe not. Something like this:

  111.111.111.111:allow,RBLSMTPD=""

Thanks a lot,
Fernando Milovich
Re: [vchkpw] Re: 5.4.15 onchange patch
On 2006-04-03, at 1609, Robin Bowes wrote:
> This is how I've implemented a plugin for qpsmtpd that auths against vpopmaild. It's extremely easy:
>
>   # create socket
>   my $vpopmaild_socket = IO::Socket::INET->new(PeerAddr => vpopmaild_host,
>                                                PeerPort => vpopmaild_port,
>                                                Proto    => "tcp",
>                                                Type     => SOCK_STREAM)
>       or return (DECLINED);

right here, you should read a line of input from the server and make sure it matches /^\+OK/. otherwise...

>   # send login details
>   print $vpopmaild_socket "login $user $passClear\n\r";
>
>   # get response from server
>   my $login_response = <$vpopmaild_socket>;

this read, being the first read since the client connects, will return the "+OK" line that the server sends when you first connect to the service, rather than the "+OK" or "-ERR" response from your "login" command.

you should also wait for the command to end (if the response was "+OK +", read lines until you see one which matches /^\.$/), then send "quit\n", then wait for the "+OK" response. otherwise you are writing sloppy code which doesn't follow the protocol, which only encourages others to do the same.

> Of course, qpsmtpd is written in perl so this sort of thing *is* pretty easy!

i love perl. if i ever meet larry wall, i owe him a beer.

>> the "auth.cdb" idea is a lot easier to write, and to me it makes more sense. however, the idea of using vpopmaild for this purpose is also intriguing from a programming standpoint (i.e. CAN i write this code, how can i make a single version of qmail-smtpd which can handle all three AUTH schemes- fork/exec vchkpw, auth.cdb, and vpopmaild.)
>
> You really should check out qpsmtpd. It can handle several auth types easily.

if it were for my own server, sure... but i'm releasing patches for people using qmail-smtpd. if i were to suddenly switch to qpsmtpd it would be like abandoning everybody else who is using my qmail patches, including all of my clients. besides, qmail-smtpd is compiled, where qpsmtpd is interpreted and requires the perl runtime and a bunch of libraries. i tend to think in terms of mail servers which may be handling literally hundreds of SMTP requests per second.

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
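The login exchange as the reply above describes it (read the greeting, send "login", read the "+OK"/"-ERR" reply plus the dotted body after "+OK +", then "quit"), written as an added example that is not code from vpopmail, qpsmtpd or any poster. The fake in-process server, its single account and its error wording are constructed so the client can be run offline.

```python
# Added example (not vpopmail's or qpsmtpd's code): a vpopmaild 'login'
# client that follows the protocol described above.  The fake server, its
# account and its error text are constructed for offline demonstration.
import socket
import threading

def _read_line(f):
    line = f.readline()
    if not line:
        raise ConnectionError("vpopmaild closed the connection")
    return line.rstrip("\r\n")

def _read_reply(f):
    """Return (ok, body).  A '+OK +' status is followed by lines up to a
    lone '.', consumed here; '-ERR ...' means the command failed."""
    status = _read_line(f)
    body = []
    if status.startswith("+OK +"):
        line = _read_line(f)
        while line != ".":
            body.append(line)
            line = _read_line(f)
    return status.startswith("+OK"), body

def vpopmaild_login(sock, user, password):
    """Authenticate over a connected socket; True on '+OK', False on '-ERR'.
    The greeting is read first so it is not mistaken for the login reply."""
    f = sock.makefile("rw", encoding="ascii", newline="\n")
    if not _read_line(f).startswith("+OK"):
        raise ConnectionError("unexpected greeting")
    f.write("login %s %s\n" % (user, password))  # "\n", not "\n\r"
    f.flush()
    ok, _info = _read_reply(f)
    f.write("quit\n")
    f.flush()
    _read_reply(f)  # wait for the '+OK' to 'quit' before closing
    f.close()
    return ok

# Constructed stand-in for vpopmaild: one account, greeting, login, quit.
FAKE_ACCOUNTS = {"user@example.com": "s3cret"}

def fake_vpopmaild(sock):
    f = sock.makefile("rw", encoding="ascii", newline="\n")
    f.write("+OK\n")
    f.flush()
    for line in f:
        parts = line.rstrip("\r\n").split(" ", 2)
        if parts[0] == "quit":
            f.write("+OK\n")
            f.flush()
            break
        if (parts[0] == "login" and len(parts) == 3
                and FAKE_ACCOUNTS.get(parts[1]) == parts[2]):
            f.write("+OK +\nname\t%s\n.\n" % parts[1])  # multi-line reply
        else:
            f.write("-ERR login failed\n")  # constructed wording
        f.flush()
    f.close()
    sock.close()

def check_login(user, password):
    # run the client against the fake server over a socketpair
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_vpopmaild, args=(server,))
    t.start()
    try:
        return vpopmaild_login(client, user, password)
    finally:
        client.close()
        t.join()
```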
Re: [vchkpw] rblsmtpd with vchkpw
On 2006-04-03, at 1024, [EMAIL PROTECTED] wrote:
> Hi, is there any rule to put in ~vpopmail/etc/tcp.smtp so that a user who has been authenticated is not IP-checked by rblsmtpd?

if by "authenticated" you mean that their IP address matches a certain line, yes. the example you include...

  111.111.111.111:allow,RBLSMTPD=""

does exactly what you're asking about. the rblsmtpd program will bypass the RBL checks and just continue on to qmail-smtpd if it sees a RELAYCLIENT environment variable, or an RBLSMTPD variable whose value is empty. http://cr.yp.to/ucspi-tcp/rblsmtpd.html explains how this works.

however, if by "authenticated" you mean that the client has sent a successful SMTP AUTH command, no. the AUTH command is processed by qmail-smtpd, while rblsmtpd runs before qmail-smtpd. this means that any RBL checking is done, and blocking (if appropriate) happens, before the client would have a chance to enter an AUTH command (or any command at all, for that matter.)

--
| John M. Simpson - KG4ZOW - Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
--
| Mac OS X proves that it's easier to make UNIX |
| pretty than it is to make Windows secure. |
Re: [vchkpw] rblsmtpd with vchkpw
I mean bypass RBL if the client is authenticated. But it seems not to be possible.

This problem is because our customers use ISP connections like ADSL and Dial Up and these connections are blocked by CBL at spamhaus.org. I think I'll have to change the RBL checker.

Thanks so much.

----- Original Message -----
From: "John Simpson" <[EMAIL PROTECTED]>
To:
Sent: Monday, April 03, 2006 7:18 PM
Subject: Re: [vchkpw] rblsmtpd with vchkpw
Re: [vchkpw] rblsmtpd with vchkpw
Hi,

On Wednesday, 5 April 2006 06:02, Fernando Milovich wrote:
> I mean bypass RBL if the client is authenticated. But it seems not to be possible.
> This problem is because our customers use ISP connections like ADSL and Dial Up and these connections are blocked by CBL at spamhaus.org
> I think I'll have to change the RBL checker.

Then create your own rbl whitelist zone and add the desired ip ranges to it. Then use rblsmtpd like this:

  ... /usr/local/bin/rblsmtpd -b -ayourwhitelist -rsbl.spamhaus.org etc ...

As rblsmtpd will match them first, it won't look them up in CBL or in any other blacklist.

Ruben