I guess I'm confused. Since my vpopmail user isn't allowed to write a new file in /etc, using the default configure option of '--enable-tcpserver-file=/etc/tcp.smtp' breaks qmail-smtpd's tcpserver tcprule rule. This is not because the tcprule is pointing to the wrong file but rather that vpopmail can't even update this file.
When you use vpopmail's ebuild does it now create the vpopmail user with permissions to write (and create new files) in /etc? What other program than tcpserver/tcprules uses /etc/tcp.smtp? I still don't see why vpopmail's ebuild can't use /var/vpopmail/etc/tcp.smtp. Or, I suppose, it could link to /etc/tcp.smtp but build it's own tcp.smtp.cdb file in /var/vpopmail/etc/ (since it doesn't actually edit tcp.smtp but rather updates tcp.smtp.cdb). With the current default emerge of vpopmail, does POP-before-SMTP auth even work? >From the looks of it, it doesn't. You yourself say you don't want arbitrary users to be able to write to config files in /etc, but then why does the now-default ebuild of vpopmail require this? You also say that it'd require a recompile of vpopmail to turn off POP-before-SMTP but this isn't true. You simply have to remove the tcprule -x arg from your qmail-smtpd startup script. You could also modify the tcp.smtp file to allow all IPs. --- Corey Crawford [EMAIL PROTECTED] ----- Original Message ----- From: "Robin H. Johnson" <[EMAIL PROTECTED]> To: "Martin Lesser" <[EMAIL PROTECTED]>; "Gentoo Developers" <[EMAIL PROTECTED]> Sent: Saturday, November 01, 2003 5:15 AM Subject: Re: [gentoo-dev] vpopmail's emerge directory structure On Sat, Nov 01, 2003 at 09:52:41AM +0100, Martin Lesser wrote: > > The file doesn't belong to vpopmail exclusively. It really belongs to > > qmail, and vpopmail wants to add and remove items from it for it's > > misguiding implementation of relaying. > What do you mean with misguiding? vpopmail - like others - only tries to > record the REMOTEIP for SMTP after POP purposes. I personally believe that /etc/tcp.smtp should not be writable by anybody other than the root user himself, setting it up. > > Qmail looks at /etc/tcp.smtp via tcpserver, which only allows a single > > file to be specified, so there is also a tcp.smtp is in > > /var/vpopmail/etc, then qmail NEVER looks at it, as it really needs > > /etc/tcp.smtp. > Just for clarifying: tcpserver (and not qmail) looks into a cdb-file > which you define as option for tcpserver with -x /path/to/file.cdb. That is exactly what I said: 'Qmail looks at /etc/tcp.smtp via tcpserver'. > So if one uses vpopmail the run-file for qmail-smtpd could be changed in > a way that tcpserver looks in another cdb-file for which vpopmail has > write access. The vanilla vpopmail suggests this IIRC. The problem is that tcpserver only takes the last '-x' parameter it is passed, so you cannot give it multiple cdbfiles. I'd like to enforce a clean seperation between the tcp.smtp that is set by the administrator and the tcp.smtp that vpopmail wants to create. No application should ever re-write configuration files as it goes, there is too much potential for disaster, and ideally should have no permissions to write to the files even. [snip standard information about how qmail-smtpd uses tcpserver]. Worst case scenario: somebody finds a way to exploit vpopmail and add arbitrary information to your cdb-file. now they use your mail server to send spam etc. I can simply turn off the extra relaying added in by vpopmail, and leave my original (and seperate) tcp.smtp file intact. > > A much better overall solution is to use the relay-ctrl package (see my > > notes in the latest qmail conf-smtpd and courier-imap stuff about it). > Ack. Why 'Ack'? The relay-ctrl package is simply the RELAYCLIENT stuff abstracted and made a lot more useful. It also doesn't violate my configuration files. I don't see any convincing reasons why it is less suitable than vpopmail's less than idea implementation of relay after auth. Another nastiness with vpopmail, is that is I wanted to remove the relay after auth only, I'd have to recompile it, versus just flipping a configuration setting. -- Robin Hugh Johnson E-Mail : [EMAIL PROTECTED] Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 ICQ# : 30269588 or 41961639 GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85 -- [EMAIL PROTECTED] mailing list
