Well, Thomas, that takes us one step closer, I suppose.

After making this change, I no longer get the pbscheck errors, but qmail
still isn't querying from ldap as per our expectations.   No ldap message is
being sent across the wire, and the SMTP request isn't being authenticated
for relaying.  :(

Arrg... this is so frustrating.

Oh well.   Thanks for your help guys...   If you can think of anything else,
please let me know.

-- Jason


----- Original Message ----- 
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 22, 2005 3:28 PM
Subject: Re: smtp auth


> :allow,SMTPAUTH="",NOPBS=""
>
> and rebuild tcp.smtp.cdb
>
> > Sameer,
> >
> >
> > You seem to be on to something.   Doing the ldaplookup's generated the
> > expected results..  ie.. it returned the ldap info...
> >
> > But when I did this
> >
> >
> > # cd /var/qmail/boot/qmail
> > # ./run &
> > # cd /var/qmail/boot/qmail-smtpd
> > # env LOGLEVEL=255 ./run
> >
> >
> > It outputs some pbscheck stuff about the controls:
> >
> >
> >
> > [EMAIL PROTECTED] qmail-smtpd]# env LOGLEVEL=255 ./run
> > tcpserver: status: 0/50
> > tcpserver: status: 1/50
> > tcpserver: pid 5646 from <client_IP>
> > tcpserver: ok 5646 mail.mydomain.org:<Server_ip>:25 :<Client_IP>::56930
> > pbscheck unable to read controls tcpserver: end 5646 status 256
> >
> >
> > It's worth noting that when I run the smtp server like this, my SMTP
> > client (outlook express) is NOT prompted for username and password info...
> > it sends a 554 error and closes the socket as soon as the connection
> > attempt is made...   so I don't know if this test accurately simulates the
> > experience.
> >
> > I went ahead and added the following line to the supervise/run script to
> > test...  dunno if this works the way that I think it does though:
> >
> > #added this line
> > env LOGLEVEL=255
> >
> > #this line was already there
> > exec /usr/local/bin/softlimit -m 4000000 ...... \ ..... \
> > .....
> >
> > ----- Original Message -----
> > From: "Sameer N Ingole" <[EMAIL PROTECTED]>
> > To: <[email protected]>
> > Sent: Friday, July 22, 2005 2:29 AM
> > Subject: Re: smtp auth
> >
> >
> >
> >> Jason Folkens wrote:
> >>
> >>
> >>> Thomas,
> >>>
> >>>
> >>> I'm running RHEL3...  I downloaded and installed djbdns-1.05 before
> >>> installing qmail, then downloaded qmail-1.03, and patched it with
> >>> qmail-ldap-1.03-20050401a.patch...  then I modified 3 lines in the
> >>> makefile (uncommented the MDIRMAKE, HDIRMAKE, and SHADOWLIBS lines)
> >>> and did a "make setup check"
> >>>
> >>> ucspi-tcp-0.88 and daemontools-0.76 were also installed.
> >>>
> >>> Here is the output from your commands:
> >>>
> >>>
> >>> # ls -l /var/qmail/control/ldappassword
> >>> -rw-r-----    1 root     nofiles        14 Jul 19 12:55
> >>> /var/qmail/control/ldappassword
> >>>
> >>>
> >>> just to make sure I'm not crazy, I temporarily set it to -rw-rw-rw-
> >>> 1 root     nofiles        14 Jul 19 12:55
> >>> /var/qmail/control/ldappassword
> >>>
> >>>
> >>> but in either scenario, it still doesn't pass any ldap requests
> >>> across loopback when I do the SMTP auth, and the smtp auth
> >>> subsequently fails.
> >>>
> >>> # cat /var/qmail/control/ldaprebind
> >>> cat: /var/qmail/control/ldaprebind: No such file or directory
> >>>
> >>>
> >>> # cat /etc/tcp.smtp
> >>> :allow,SMTPAUTH=""
> >>>
> >>>
> >>> I set it that way so I could test out smtp auth exclusively...  I'll
> >>> exclude my lan once I know it works. additionally, every time I change
> >>> that file, I do a
> >>>
> >>> # qmailctl cdb
> >>>
> >>>
> >>> so it's running those rules right now as we speak.   qmailctl is
> >>> almost a direct cut/paste from the one on life-with-qmail website
> >>> except I added some extra lines to take care of pop3.
> >>
> >> I suggest you stop qmail using qmailctl script and test it like this...
> >>
> >>
> >> run following commands manually..
> >>
> >> # /var/qmail/boot/qmail/run &
> >> # cd /var/qmail/boot/qmail-smtpd
> >> # env LOGLEVEL=255 ./run
> >>
> >>
> >> Note that there is no "&" after ./run in above command so it will
> >> output everything on terminal i.e. it will run in foreground. Now try
> >> sending mail and see what it says on the terminal where your ./run is
> >> running...
> >>
> >> Also try this command and see if you can get something.
> >>
> >>
> >> # cd /var/qmail/bin
> >> # ./qmail-ldaplookup -u uid
> >> # ./qmail-ldaplookup -m [EMAIL PROTECTED]
> >>
> >>
> >> Use both uid and mail address [EMAIL PROTECTED] for the same user (if
> >> they are different like uid is jason and mail address is
> >> [EMAIL PROTECTED]). If this returns entire ldap entry for the uid you
> >> supplied, your pop3 or imap should work unless you have some problem
> >> elsewhere. If both return the same result your ldap bind is okay.
> >>
> >> If things work we can look for something else to solve this prob..
> >>
> >>
> >>> ----- Original Message -----
> >>> From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
> >>> To: <[email protected]>
> >>> Sent: Thursday, July 21, 2005 2:07 PM
> >>> Subject: Re: smtp auth
> >>>
> >>>
> >>>> your qmail-ldap version? if you use older than 20050401 patch and
> >>>> it is compiled with TLS support and you already configured TLS
> >>>> support in qmail-ldap - require TLS for SMTP AUTH.
> >>>> SMTPAUTH="TLSREQUIRED"
> >>>>
> >>>>
> >>>> ls -l /var/qmail/control/ldappassword
> >>>>
> >>>> cat /var/qmail/control/ldaprebind
> >>>>
> >>>> do you allow anonymous ldap lookups?
> >>>>
> >>>> have you added SMTPAUTH variable in tcpserver for smtp environment.
> >>>>
> >>>>
> >>>> Qmail LDAP provides daemontools startup scripts and you don't have
> >>>> to write custom startup scripts in most cases.
> >>>>
> >>>> --
> >>>> Tomas
> >>>>
> >>>>
> >>>>> Thanks, both Thomas and HyperAxe, for bringing that to my
> >>>>> attention. I'm still confused though.
> >>>>>
> >>>>>
> >>>>> I've made the permissions changes that you suggested, Thomas.
> >>>>>
> >>>>>
> >>>>>
> >>>>> When I do an ethereal packet capture between the SMTP and LDAP
> >>>>> servers (actually capturing on loopback) I don't get any
> >>>>> connections to LDAP unless I'm doing pop3 requests...    the SMTP
> >>>>> server denies the incoming relay attempt without even checking the
> >>>>> password with the ldap server.
> >>>>>
> >>>>> If pop3 can connect (using the same files in the control
> >>>>> directory for credentials as SMTP), then there has got to be
> >>>>> another problem going on.
> >>>>>
> >>>>> Is there any way to trace what files are being accessed within a
> >>>>> given timeframe...  kinda like the linux equivalent of winternals
> >>>>> filemon? just to verify that indeed there isn't a file permissions
> >>>>> issue here?
> >>>>>
> >>>>> moreover, whenever I attempt to smtpauth, it logs something like
> >>>>> this in /var/log/qmail/smtpd/current:
> >>>>>
> >>>>>
> >>>>>
> >>>>> @4000000042dfba2a0e9832cc tcpserver: status: 1/20
> >>>>> @4000000042dfba2a0f62d5cc tcpserver: pid 12398 from <my-ip>
> >>>>> @4000000042dfba2a0fa3befc tcpserver: ok 12398
> >>>>> mail.mydomain.com:<servers-ip>:25 :<clients-ip>::48418
> >>>>> @4000000042dfba2f14df19fc tcpserver: end 12398 status 256
> >>>>> @4000000042dfba2f14df5494 tcpserver: status: 0/20
> >>>>>
> >>>>>
> >>>>>
> >>>>> is there a way that I can change my qmail-smtpd/run/log or
> >>>>> qmail-smtpd/run script to log more helpful information?
> >>>>>
> >>>>> Thanks again.  You guys have been ever so helpful!
> >>>>>
> >>>>>
> >>>>>
> >>>>> -- Jason
> >>>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
> >>>>> To: <[email protected]>
> >>>>> Sent: Thursday, July 21, 2005 10:57 AM
> >>>>> Subject: Re: smtp auth
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>>> Thanks, HyperAxe.  That fixed my immediate problem...  Now it
> >>>>>>> actually tries to authenticate when I roam...  which is exactly
> >>>>>>> what I wanted. :-)
> >>>>>>>
> >>>>>>> The new problem is with authentication.  It rejects whatever
> >>>>>>> username/password combo that I put in...   I'm guessing that
> >>>>>>> relates with my failure to configure my qmail-smtpd/run script
> >>>>>>> correctly.
> >>>>>>
> >>>>>>
> >>>>>> Life with qmail-ldap book is outdated. Current version of Qmail-LDAP
> >>>>>> does not need extra arguments in qmail-smtpd. Check
> >>>>>> /var/qmail/boot/qmail-smtpd/run
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Check mailing list history. I think information about setting
> >>>>>> smtp auth in qmail-ldap was posted several times.
> >>>>>>
> >>>>>> -----------------
> >>>>>> Since 20031001 patch QmailLDAP supports SMTP authentication
> >>>>>> protocol (rfc 2554). Use of 20050401 patch or later is recommended.
> >>>>>> Only PLAIN authentication schema is supported. CRAM-MD5 and
> >>>>>> DIGEST-MD5 authentication schemas are not implemented. CRAM-MD5
> >>>>>> requires features that are not enabled in qmail-ldap by default.
> >>>>>> DIGEST-MD5 requires specific user name layout (i think).
> >>>>>>
> >>>>>> SMTP authentication is enabled by adding SMTPAUTH variable to
> >>>>>> tcpserver's environment. If you use daemontools
> >>>>>> (http://cr.yp.to/daemontools.html)
> >>>>>> startup scripts supplied by qmail-ldap 20031101 or later, you
> >>>>>> can do that by adding
> >>>>>>
> >>>>>> <pre>
> >>>>>> :allow,SMTPAUTH=""
> >>>>>> </pre>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> to /var/qmail/control/qmail-smtpd.rules and running command 'make'
> >>>>>> in /var/qmail/control directory.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> If you set SMTPAUTH value to TLSREQUIRED (SMTPAUTH="TLSREQUIRED"),
> >>>>>> then authentication will work only in TLS encrypted sessions. See
> >>>>>> information about compiling and installing qmail ldap with TLS
> >>>>>> support.
> >>>>>>
> >>>>>> In order to authenticate users, smtp server's user (normally
> >>>>>> qmaild) must be able to validate password entered by user with
> >>>>>> information stored in LDAP userPassword field. Access to this
> >>>>>> field is usually restricted and qmaild user does not have enough
> >>>>>> privileges to access ldap connection information.
> >>>>>>
> >>>>>> There are two possible solutions to this problem.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> First solution is to give read access rights to qmaild user or
> >>>>>> nofiles group on /var/qmail/control/ldappassword configuration
> >>>>>> file.
> >>>>>>
> >>>>>> <pre>
> >>>>>> # chgrp nofiles /var/qmail/control/ldappassword
> >>>>>> # chmod 640 /var/qmail/control/ldappassword
> >>>>>> </pre>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> or
> >>>>>>
> >>>>>> <pre>
> >>>>>> # chmod 400 /var/qmail/control/ldappassword
> >>>>>> # chown qmaild /var/qmail/control/ldappassword
> >>>>>> </pre>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Second solution is to enable ldaprebind in
> >>>>>> /var/qmail/control/ldaprebind.
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> <pre>
> >>>>>> # echo 1 > /var/qmail/control/ldaprebind
> >>>>>> </pre>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> If ldap rebind is used, qmaild user must be able to retrieve
> >>>>>> user's dn in anonymous LDAP connection and authenticate to LDAP
> >>>>>> server with retrieved user's dn and password provided by user.
> >>>>>> Password schema used in userPassword field must be supported by
> >>>>>> LDAP server's authentication system.
> >>>>>>
> >>>>>> --
> >>>>>> Tomas
> >>>>>>
> >>
> >> Regards,
> >>
> >>
> >> --
> >> Sameer N. Ingole
> >>

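A small diagnostic for the checklist this thread converges on: the smtpd user must be able to read /var/qmail/control/ldappassword (or ldaprebind must be enabled), and the tcpserver rules must set SMTPAUTH and the .cdb must actually have been rebuilt. This is an added example, not code from qmail-ldap or from anyone in the thread; it assumes GNU stat on Linux, and the control directory, rules/cdb paths and the qmaild/nofiles names are passed in as parameters.

```shell
#!/bin/sh
# Added diagnostic (not part of qmail-ldap). Checks the two preconditions
# for SMTP AUTH discussed in the thread:
#  1. the smtpd user (normally qmaild, group nofiles) can read the LDAP bind
#     password in control/ldappassword, OR control/ldaprebind contains 1;
#  2. the tcpserver rules file sets SMTPAUTH= and the compiled .cdb is newer
#     than the rules file (i.e. it was rebuilt after the last edit).
# Assumes GNU stat (Linux).

# check_ldap_creds CONTROL_DIR SMTPD_USER SMTPD_GROUP
# Returns 0 when credentials are usable, 2 when usable only because the file
# is world-readable (bind password exposed to every local account), 1 otherwise.
check_ldap_creds() {
  ctl=$1; user=$2; group=$3
  pw="$ctl/ldappassword"; rb="$ctl/ldaprebind"
  if [ -f "$rb" ] && [ "$(tr -d '[:space:]' < "$rb")" = "1" ]; then
    echo "ok: ldaprebind enabled, $user binds with the user's own dn"; return 0
  fi
  [ -f "$pw" ] || { echo "fail: $pw missing and ldaprebind not enabled"; return 1; }
  set -- $(stat -c '%a %U %G' "$pw")          # octal mode, owner, group
  mode=$(printf '%04d' "$1"); owner=$2; grp=$3
  mode=${mode#"${mode%???}"}                  # keep the three rwx digits
  o=${mode%??}; g=${mode#?}; g=${g%?}; w=${mode#??}
  if [ "$owner" = "$user" ] && [ $((o & 4)) -ne 0 ]; then
    echo "ok: $pw readable by owner $user"; return 0
  elif [ "$grp" = "$group" ] && [ $((g & 4)) -ne 0 ]; then
    echo "ok: $pw readable via group $group"; return 0
  elif [ $((w & 4)) -ne 0 ]; then
    echo "warn: $pw is world-readable; restrict it to $user or $group"; return 2
  fi
  echo "fail: $pw not readable by $user/$group (mode $mode, $owner:$grp)"; return 1
}

# check_smtpauth_rules RULES_FILE CDB_FILE
check_smtpauth_rules() {
  rules=$1; cdb=$2
  grep -q 'SMTPAUTH=' "$rules" || { echo "fail: no SMTPAUTH= in $rules"; return 1; }
  [ -f "$cdb" ] || { echo "fail: $cdb missing, rebuild it"; return 1; }
  [ "$cdb" -nt "$rules" ] || { echo "fail: $cdb older than $rules, rebuild it"; return 1; }
  echo "ok: SMTPAUTH set in $rules and $cdb is current"
}

# Usage on a real box (paths and names from the thread):
#   check_ldap_creds /var/qmail/control qmaild nofiles
#   check_smtpauth_rules /etc/tcp.smtp /etc/tcp.smtp.cdb
```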