> Quoting Joshua Megerman <[EMAIL PROTECTED]>:
>> Sounds like there's something funky going on with the chkuser patch for
>> you - do you have the same problem when not using TLS? I'm not a chkuser
>> expert, but have you double-checked your chkuser settings?
>>
>
> The only extra setting I'm using is the CHKUSER_ENABLE_UIDGID. From
> what I've read on the Interazioni site this option will cause issues
> with TLS. I enabled this because qmail-smtpd was unable to run vchkpw
> without it enabled. I assume this is because of users/group
> permission but even with the qmail & vpopmail user in the same group
> vchkpw didn't run.
>

I don't have it enabled, and I have no problems running qmail-smtpd as
vpopmail:vchkpw using tcpserver flags (-u vpopmail -g vchkpw). Which TLS
patch set are you using?

>> Qmail implements SMTP_VRFY, but it doesn't actually do anything. DJB
>> (rightly, IMHO) decided that it didn't make sense to let people constantly
>> hammer your system with VRFY commands to determine who was or wasn't a
>> valid user, and so (per the RFC) qmail's VRFY implementation responds with
>> a message that indicates a non-answer (252 send some mail, i'll try my
>> best) and doesn't actually indicate whether the address is valid or not.
>> Chkuser can result in giving the same information, as it will reject
>> non-valid users, but this at least forces spammers to try to send mail,
>> and get rejections (and possibly dropped altogether) rather than just
>> scanning a qmail SMTP server...
>>
>
> This makes sense but doesn't chkuser essentially do the same thing
> SMTP_VRFY would do?
>

Yes and no. The VRFY command is outside of sending mail - a rogue client
could connect to the SMTP server, and after issuing a HELO/EHLO greeting,
just run repeated VRFY commands to see if a user is valid or not. Chkuser
operates in the RCPT phase of the conversation, so a client has to start
with a MAIL FROM command, which can be checked, and then each RCPT command
can either be accepted or rejected - and chkuser can also be configured to
reject ALL users after a certain number of invalid ones, preventing spam to
real users if fake ones are also sent. It's a fine line, but it can make a
difference.

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
 - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
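
A small model of the difference described in the message above, added as an illustration and not part of the original email or of qmail/chkuser: VRFY returns the same 252 for every address, while recipient checks are only reachable after MAIL FROM and stop accepting anyone once a bad-recipient limit is hit. The class and function names, the sample addresses, the limit of 2 and the 503/550 reply codes are assumptions made for the example.

```python
"""Constructed model of the two lookup paths discussed above; not qmail or chkuser code."""

VALID_USERS = {"alice@example.org", "bob@example.org"}  # constructed sample mailboxes
MAX_BAD_RCPT = 2  # assumed threshold for this model; a real limit is site-configured


class SmtpSession:
    def __init__(self):
        self.greeted = False
        self.sender = None
        self.bad_rcpt = 0
        self.accepted = []

    def helo(self, name):
        self.greeted = True
        return 250

    def vrfy(self, address):
        # Non-answer: the same code whether or not the mailbox exists,
        # so repeated VRFY commands reveal nothing about valid users.
        return 252

    def mail_from(self, sender):
        if not self.greeted:
            return 503
        self.sender = sender  # the point where a sender check could run
        return 250

    def rcpt_to(self, address):
        if self.sender is None:
            return 503  # RCPT is only reachable after MAIL FROM
        if self.bad_rcpt >= MAX_BAD_RCPT:
            return 550  # limit reached: every later recipient is refused, valid or not
        if address.lower() not in VALID_USERS:
            self.bad_rcpt += 1  # each invalid recipient counts toward the limit
            return 550
        self.accepted.append(address)
        return 250


def replay(recipients):
    """Run one session over a recipient list; return reply codes and accepted mailboxes."""
    s = SmtpSession()
    s.helo("client.example.net")
    s.mail_from("sender@example.net")
    return [s.rcpt_to(r) for r in recipients], s.accepted
```

In this model a recipient accepted before the limit is reached stays accepted; only recipients offered after the limit are refused.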