On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:
I am having trouble with user authentication. I am running Fedora Core 5 on a Dell PowerEdge blade server with the latest (as of a few days ago) versions of qmail, vpopmail, and qmailadmin.
specific version numbers? any patches applied on top of the source?
I can log into qmailadmin just fine through Apache and I have added a virtual domain and some virtual users. This is reflected in my /var/qmail/ rchphosts and virtualdomain files. It is also reflected in /home/vpopmail/. The passwords for various users work in vpopmail but no where else. I have tried telnetting to port 110 on the box and applying crudentials but it always reports: -ERR authorization failed
even for the same "[EMAIL PROTECTED]" account that you used with qmailadmin?
Here are my run scripts. Let me know what other information you require. It may be important to note that this box does not have a FQHN, instead, I have lied to it that it's name is "stormtrooper.ucdavis.edu", when there is in actuality another box with that name (our old mail server). I cannot give it that proper name until this box works, because we support hundreds of users and cannot have an e-mail downage. The new blade's hostname is stormtrooper and if I ping that name according to the box it thinks it's 127.0.0.1, so I _think_ it's not a problem.
that's an /etc/hosts issue. both of the "run" scripts are using "0" as the IP address, so the hostname shouldn't be an issue for starting the services. the one thing to note is that when you do "throw the switch", i'm assuming that part of the process will be changing the machine's IP address to be the same as the old server... when you change the IP, you should restart any services which are listening for incoming connections.
your pop3 service is running as root, so it shouldn't be a permissions issue... very strange.
the smtp service is running as "qmaild", which means that when qmail- smtpd runs vchkpw, it will try to run vchkpw as the qmaild user, which doesn't have permissions to read the vpasswd.cdb files (which contain the mailbox names and encrypted passwords.) there are two solutions for this problem:
(1) run the qmail-smtpd service as the vpopmail user, which can cause issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)
(2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter which userid starts it, it runs as the vpopmail user.
# cd ~vpopmail/bin
# chown vpopmail:vchkpw vchkpw
# chmdo 6711 vchkpw
neither solution is the best for everybody- the first one can cause
issues with other programs, and the second one opens a hole which
could potentially allow a local user to conduct a dictionary attack
against mailbox passwords by running vchkpw directly. if you don't
allow non-trusted people to run arbitrary commands on your machine
(this includes CGI or PHP scripts as part of a web site) then the
second option is a non-issue, and is in fact what i've been doing on
my own server for several years.
however, i have modified qmail-smtpd to check a cdb file when validating an AUTH command. i will be rolling a patch file for it, and writing a web page to document it, later this week.
-------------------------------------------------- | John M. Simpson - KG4ZOW - Programmer At Large | | http://www.jms1.net/ <[EMAIL PROTECTED]> | -------------------------------------------------- | Mac OS X proves that it's easier to make UNIX | | pretty than it is to make Windows secure. | --------------------------------------------------
PGP.sig
Description: This is a digitally signed message part
