About [EMAIL PROTECTED] (the user that works in qmailadmin on my test box), I cannot log in using telnet localhost 110 with that account either.
I followed your commands to setuid for that program and issued qmailctl stop, qmailctl start and tried again. Still the same auth errors.

Here are the versions I'm using:

Fedora Core 5 (2.6.16-1.2080_FC5smp, 32-bit i686)
netqmail-1.05 (qmail-1.03)
ezmlm-0.53
vpopmail-5.4.13
qmailadmin-1.2.9

I'm also running bincimap and squirrelmail but that's not really related to these problems.

Any help is appreciated!

Chris Thielen
Network Programmer
Creative Media
University of California, Davis

> On 2006-04-19, at 1231, [EMAIL PROTECTED] wrote:
>> I am having trouble with user authentication. I am running Fedora
>> Core 5 on a Dell PowerEdge blade server with the latest (as of a
>> few days ago) versions of qmail, vpopmail, and qmailadmin.
>
> specific version numbers? any patches applied on top of the source?
>
>> I can log into qmailadmin just fine through Apache and I have
>> added a virtual domain and some virtual users. This is reflected
>> in my /var/qmail/ rcpthosts and virtualdomain files. It is also
>> reflected in /home/vpopmail/.
>> The passwords for various users work in vpopmail but nowhere
>> else. I have tried telnetting to port 110 on the box and applying
>> credentials but it always reports:
>>
>> -ERR authorization failed
>
> even for the same "[EMAIL PROTECTED]" account that you used with
> qmailadmin?
>
>> Here are my run scripts. Let me know what other information you
>> require. It may be important to note that this box does not have a
>> FQHN, instead, I have lied to it that its name is
>> "stormtrooper.ucdavis.edu", when there is in actuality another box
>> with that name (our old mail server). I cannot give it that proper
>> name until this box works, because we support hundreds of users
>> and cannot have an e-mail downage. The new blade's hostname is
>> stormtrooper and if I ping that name according to the box it
>> thinks it's 127.0.0.1, so I _think_ it's not a problem.
>
> that's an /etc/hosts issue. both of the "run" scripts are using "0"
> as the IP address, so the hostname shouldn't be an issue for starting
> the services. the one thing to note is that when you do "throw the
> switch", i'm assuming that part of the process will be changing the
> machine's IP address to be the same as the old server... when you
> change the IP, you should restart any services which are listening
> for incoming connections.
>
> your pop3 service is running as root, so it shouldn't be a
> permissions issue... very strange.
>
> the smtp service is running as "qmaild", which means that when
> qmail-smtpd runs vchkpw, it will try to run vchkpw as the qmaild user,
> which doesn't have permissions to read the vpasswd.cdb files (which
> contain the mailbox names and encrypted passwords.) there are two
> solutions for this problem:
>
> (1) run the qmail-smtpd service as the vpopmail user, which can cause
> issues with other qmail-smtpd add-ons (qmail-scanner, simscan, etc.)
>
> (2) make the ~vpopmail/bin/vchkpw binary setuid, so that no matter
> which userid starts it, it runs as the vpopmail user.
>
> # cd ~vpopmail/bin
> # chown vpopmail:vchkpw vchkpw
> # chmod 6711 vchkpw
>
> neither solution is the best for everybody- the first one can cause
> issues with other programs, and the second one opens a hole which
> could potentially allow a local user to conduct a dictionary attack
> against mailbox passwords by running vchkpw directly. if you don't
> allow non-trusted people to run arbitrary commands on your machine
> (this includes CGI or PHP scripts as part of a web site) then the
> second option is a non-issue, and is in fact what i've been doing on
> my own server for several years.
>
> however, i have modified qmail-smtpd to check a cdb file when
> validating an AUTH command. i will be rolling a patch file for it,
> and writing a web page to document it, later this week.
>
> --------------------------------------------------
> | John M. Simpson - KG4ZOW - Programmer At Large |
> | http://www.jms1.net/ <[EMAIL PROTECTED]> |
> --------------------------------------------------
> | Mac OS X proves that it's easier to make UNIX |
> | pretty than it is to make Windows secure. |
> --------------------------------------------------
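
The ownership and mode that option (2) in the quoted reply sets up can be audited with a short script, which also reports the local-user exposure that reply describes. This is an added example, not part of the original thread; it assumes GNU coreutils stat, and the function name check_vchkpw and its output tags are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the setuid vchkpw layout it describes.
# Assumes GNU coreutils stat(1); check_vchkpw and its output tags are hypothetical.

# check_vchkpw PATH [OWNER] [GROUP]
# Prints one finding per line. Returns 0 when PATH matches the layout from
# the thread (OWNER:GROUP, setuid+setgid, not group/other writable),
# 1 when it does not, 2 when PATH is missing.
check_vchkpw() {
    bin=$1
    want_user=${2:-vpopmail}
    want_group=${3:-vchkpw}
    [ -f "$bin" ] || { echo "MISSING $bin"; return 2; }

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$bin")
    mode=$1 user=$2 group=$3
    m=$((0$mode))            # leading 0 makes the shell parse it as octal
    rc=0

    if [ "$user" != "$want_user" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER $user:$group, expected $want_user:$want_group"; rc=1
    fi
    if [ $((m & 04000)) -eq 0 ]; then
        # Without setuid, vchkpw runs as its caller (e.g. qmaild) and
        # cannot read the vpasswd.cdb files.
        echo "NOSETUID mode $mode: runs as the calling user"; rc=1
    fi
    if [ $((m & 02000)) -eq 0 ]; then
        echo "NOSETGID mode $mode: runs with the caller's group"; rc=1
    fi
    if [ $((m & 0022)) -ne 0 ]; then
        echo "WRITABLE mode $mode: group/other can modify the binary"; rc=1
    fi
    if [ $((m & 04000)) -ne 0 ] && [ $((m & 0001)) -ne 0 ]; then
        # The trade-off named in the thread, reported but not treated as failure.
        echo "EXPOSURE mode $mode: any local account can run vchkpw directly"
    fi
    return $rc
}

# Stand-alone use: sh check.sh ~vpopmail/bin/vchkpw
if [ "$#" -gt 0 ]; then check_vchkpw "$@"; fi
```

An EXPOSURE line with exit status 0 is the expected result for mode 6711: the layout is as described, and the line records that the binary can be invoked by any local account.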