Can you reproduce your problem if you use the unmodified startup scripts
provided by qmail-ldap?

> Well, Thomas, that takes us one step closer, I suppose.
>
>
> After making this change, I no longer get the pbscheck errors, but qmail
> still isn't querying from ldap as per our expectations.   No ldap message
> is being sent across the wire, and the SMTP request isn't being
> authenticated for relaying.  :(
>
> Arrg... this is so frustrating.
>
>
> Oh well.   Thanks for your help guys...   If you can think of anything
> else, please let me know.
>
> -- Jason
>
>
>
> ----- Original Message -----
> From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
> To: <qmail-ldap@qmail-ldap.org>
> Sent: Friday, July 22, 2005 3:28 PM
> Subject: Re: smtp auth
>
>> :allow,SMTPAUTH="",NOPBS=""
>>
>>
>> and rebuild tcp.smtp.cdb
>>
>>> Sameer,
>>>
>>> You seem to be on to something.   Doing the ldaplookups generated
>>> the expected results, i.e. it returned the ldap info...
>>>
>>> But when I did this
>>>
>>> # cd /var/qmail/boot/qmail
>>> # ./run &
>>> # cd /var/qmail/boot/qmail-smtpd
>>> # env LOGLEVEL=255 ./run
>>>
>>> It outputs some pbscheck stuff about the controls:
>>>
>>> [EMAIL PROTECTED] qmail-smtpd]# env LOGLEVEL=255 ./run
>>> tcpserver: status: 0/50
>>> tcpserver: status: 1/50
>>> tcpserver: pid 5646 from <client_IP>
>>> tcpserver: ok 5646 mail.mydomain.org:<Server_ip>:25 :<Client_IP>::56930
>>> pbscheck unable to read controls
>>> tcpserver: end 5646 status 256
>>>
>>>
>>> It's worth noting that when I run the smtp server like this, my SMTP
>>> client (outlook express) is NOT prompted for username and password info...
>>> it sends a 554 error and closes the socket as soon as the connection
>>> attempt is made...   so I don't know if this test accurately simulates
>>> the experience.
>>>
>>> I went ahead and added the following line to the supervise/run script
>>> to test...  dunno if this works the way that I think it does though:
>>>
>>> #added this line
>>> env LOGLEVEL=255
>>>
>>> #this line was already there
>>> exec /usr/local/bin/softlimit -m 4000000 ...... \ ..... \ .....
>>>
>>> ----- Original Message -----
>>> From: "Sameer N Ingole" <[EMAIL PROTECTED]>
>>> To: <qmail-ldap@qmail-ldap.org>
>>> Sent: Friday, July 22, 2005 2:29 AM
>>> Subject: Re: smtp auth
>>>
>>>> Jason Folkens wrote:
>>>>
>>>>> Thomas,
>>>>>
>>>>> I'm running RHEL3...  I downloaded and installed djbdns-1.05
>>>>> before installing qmail, then downloaded qmail-1.03, and patched
>>>>> it with qmail-ldap-1.03-20050401a.patch...  then I modified 3
>>>>> lines in the makefile (uncommented the MDIRMAKE, HDIRMAKE, and
>>>>> SHADOWLIBS lines)
>>>>> and did a "make setup check"
>>>>>
>>>>> ucspi-tcp-0.88 and daemontools-0.76 were also installed.
>>>>>
>>>>> Here is the output from your commands:
>>>>>
>>>>> # ls -l /var/qmail/control/ldappassword
>>>>> -rw-r-----    1 root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword
>>>>>
>>>>> just to make sure I'm not crazy, I temporarily set it to
>>>>> -rw-rw-rw-    1 root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword
>>>>>
>>>>> but in either scenario, it still doesn't pass any ldap requests
>>>>> across loopback when I do the SMTP auth, and the smtp auth
>>>>> subsequently fails.
>>>>>
>>>>> # cat /var/qmail/control/ldaprebind
>>>>> cat: /var/qmail/control/ldaprebind: No such file or directory
>>>>>
>>>>> # cat /etc/tcp.smtp
>>>>> :allow,SMTPAUTH=""
>>>>>
>>>>> I set it that way so I could test out smtp auth exclusively...
>>>>> I'll exclude my lan once I know it works. Additionally, every time I
>>>>> change that file, I do a
>>>>>
>>>>> # qmailctl cdb
>>>>>
>>>>> so it's running those rules right now as we speak.   qmailctl is
>>>>> almost a direct cut/paste from the one on the life-with-qmail website,
>>>>> except I added some extra lines to take care of pop3.
>>>>
>>>> I suggest you stop qmail using qmailctl script and test it like
>>>> this...
>>>>
>>>>
>>>> run the following commands manually..
>>>> # /var/qmail/boot/qmail/run &
>>>> # cd /var/qmail/boot/qmail-smtpd
>>>> # env LOGLEVEL=255 ./run
>>>>
>>>> Note that there is no "&" after ./run in the above command, so it will
>>>> output everything on the terminal, i.e. it will run in the foreground.
>>>> Now try sending mail and see what it says on the terminal where your
>>>> ./run is running...
>>>>
>>>> Also try this command and see if you can get something.
>>>>
>>>> # cd /var/qmail/bin
>>>> # ./qmail-ldaplookup -u uid
>>>> # ./qmail-ldaplookup -m [EMAIL PROTECTED]
>>>>
>>>> Use both the uid and the mail address [EMAIL PROTECTED] for the same
>>>> user (if they are different, e.g. the uid is jason and the mail address
>>>> is [EMAIL PROTECTED]). If this returns the entire ldap entry for the uid
>>>> you supplied, your pop3 or imap should work unless you have some
>>>> problem elsewhere. If both return the same result, your ldap bind
>>>> is okay.
>>>>
>>>> If things work we can look for something else to solve this prob..
>>>>
>>>>> ----- Original Message ----- From: "Tomas Kuliavas"
>>>>> <[EMAIL PROTECTED]>
>>>>> To: <qmail-ldap@qmail-ldap.org>
>>>>> Sent: Thursday, July 21, 2005 2:07 PM
>>>>> Subject: Re: smtp auth
>>>>>
>>>>>> Your qmail-ldap version? If you use a patch older than 20050401
>>>>>> and it is compiled with TLS support and you have already configured
>>>>>> TLS support in qmail-ldap, require TLS for SMTP AUTH:
>>>>>> SMTPAUTH="TLSREQUIRED"
>>>>>>
>>>>>> ls -l /var/qmail/control/ldappassword
>>>>>>
>>>>>> cat /var/qmail/control/ldaprebind
>>>>>>
>>>>>> do you allow anonymous ldap lookups?
>>>>>>
>>>>>> Have you added the SMTPAUTH variable to tcpserver's environment
>>>>>> for smtp?
>>>>>>
>>>>>>
>>>>>> Qmail LDAP provides daemontools startup scripts and you don't
>>>>>> have to write custom startup scripts in most cases.
>>>>>>
>>>>>> --
>>>>>> Tomas
>>>>>>
>>>>>>> Thanks, both Thomas and HyperAxe, for bringing that to my
>>>>>>> attention. I'm still confused though.
>>>>>>>
>>>>>>>
>>>>>>> I've made the permissions changes that you suggested, Thomas.
>>>>>>>
>>>>>>>
>>>>>>> When I do an ethereal packet capture between the SMTP and LDAP
>>>>>>> servers (actually capturing on loopback) I don't get any
>>>>>>> connections to LDAP unless I'm doing pop3 requests...    the SMTP
>>>>>>> server denies the incoming relay attempt without even checking
>>>>>>> the password with the ldap server.
>>>>>>>
>>>>>>> If pop3 can connect (using the same files in the control
>>>>>>> directory for credentials as SMTP), then there has got to be
>>>>>>> another problem going on.
>>>>>>>
>>>>>>> Is there any way to trace what files are being accessed
>>>>>>> within a given timeframe...  kinda like the linux equivalent
>>>>>>> of winternals filemon? Just to verify that indeed there isn't
>>>>>>> a file permissions issue here?
>>>>>>>
>>>>>>> Moreover, whenever I attempt to smtpauth, it logs something
>>>>>>> like this in /var/log/qmail/smtpd/current:
>>>>>>>
>>>>>>> @4000000042dfba2a0e9832cc tcpserver: status: 1/20
>>>>>>> @4000000042dfba2a0f62d5cc tcpserver: pid 12398 from <my-ip>
>>>>>>> @4000000042dfba2a0fa3befc tcpserver: ok 12398 mail.mydomain.com:<servers-ip>:25 :<clients-ip>::48418
>>>>>>> @4000000042dfba2f14df19fc tcpserver: end 12398 status 256
>>>>>>> @4000000042dfba2f14df5494 tcpserver: status: 0/20
>>>>>>>
>>>>>>> is there a way that I can change my qmail-smtpd/run/log or
>>>>>>> qmail-smtpd/run script to log more helpful information?
>>>>>>>
>>>>>>> Thanks again.  You guys have been ever so helpful!
>>>>>>>
>>>>>>> -- Jason
>>>>>>>
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
>>>>>>> To: <qmail-ldap@qmail-ldap.org>
>>>>>>> Sent: Thursday, July 21, 2005 10:57 AM
>>>>>>> Subject: Re: smtp auth
>>>>>>>
>>>>>>>>> Thanks, HyperAxe.  That fixed my immediate problem...
>>>>>>>>> Now it
>>>>>>>>> actually tries to authenticate when I roam...  which is
>>>>>>>>> exactly what I wanted. :-)
>>>>>>>>>
>>>>>>>>> The new problem is with authentication.  It rejects
>>>>>>>>> whatever username/password combo that I put in...   I'm
>>>>>>>>> guessing that relates with my failure to configure my
>>>>>>>>> qmail-smtpd/run script correctly.
>>>>>>>>
>>>>>>>>
>>>>>>>> The Life with qmail-ldap book is outdated. The current version of
>>>>>>>> Qmail-LDAP does not need extra arguments in qmail-smtpd. Check
>>>>>>>> /var/qmail/boot/qmail-smtpd/run
>>>>>>>>
>>>>>>>> Check mailing list history. I think information about
>>>>>>>> setting smtp auth in qmail-ldap was posted several times.
>>>>>>>>
>>>>>>>> -----------------
>>>>>>>> Since the 20031001 patch QmailLDAP supports the SMTP authentication
>>>>>>>> protocol (rfc 2554). Use of the 20050401 patch or later is
>>>>>>>> recommended. Only the PLAIN authentication scheme is supported.
>>>>>>>> The CRAM-MD5 and DIGEST-MD5 authentication schemes are not
>>>>>>>> implemented. CRAM-MD5 requires features that are not enabled in
>>>>>>>> qmail-ldap by default. DIGEST-MD5 requires a specific user name
>>>>>>>> layout (I think).
>>>>>>>>
>>>>>>>> SMTP authentication is enabled by adding the SMTPAUTH variable
>>>>>>>> to tcpserver's environment. If you use the daemontools
>>>>>>>> (http://cr.yp.to/daemontools.html)
>>>>>>>> startup scripts supplied by qmail-ldap 20031101 or later,
>>>>>>>> you can do that by adding
>>>>>>>>
>>>>>>>> :allow,SMTPAUTH=""
>>>>>>>>
>>>>>>>> to /var/qmail/control/qmail-smtpd.rules and running 'make' in
>>>>>>>> the /var/qmail/control directory.
>>>>>>>>
>>>>>>>>
>>>>>>>> If you set the SMTPAUTH value to TLSREQUIRED
>>>>>>>> (SMTPAUTH="TLSREQUIRED"), then authentication will work only in
>>>>>>>> TLS encrypted sessions. See the information about compiling and
>>>>>>>> installing qmail-ldap with TLS support.
>>>>>>>>
>>>>>>>> In order to authenticate users, the smtp server's user (normally
>>>>>>>> qmaild) must be able to validate the password entered by the user
>>>>>>>> against the information stored in the LDAP userPassword field.
>>>>>>>> Access to this field is usually restricted, and the qmaild user
>>>>>>>> does not have enough privileges to access the ldap connection
>>>>>>>> information.
>>>>>>>>
>>>>>>>> There are two possible solutions to this problem.
>>>>>>>>
>>>>>>>> The first solution is to give read access to the qmaild user
>>>>>>>> or the nofiles group on the /var/qmail/control/ldappassword
>>>>>>>> configuration file.
>>>>>>>>
>>>>>>>> # chgrp nofiles /var/qmail/control/ldappassword
>>>>>>>> # chmod 640 /var/qmail/control/ldappassword
>>>>>>>>
>>>>>>>> or
>>>>>>>>
>>>>>>>> # chmod 400 /var/qmail/control/ldappassword
>>>>>>>> # chown qmaild /var/qmail/control/ldappassword
>>>>>>>>
>>>>>>>> The second solution is to enable ldaprebind in
>>>>>>>> /var/qmail/control/ldaprebind.
>>>>>>>>
>>>>>>>> # echo 1 > /var/qmail/control/ldaprebind
>>>>>>>>
>>>>>>>> If ldap rebind is used, the qmaild user must be able to
>>>>>>>> retrieve the user's dn in an anonymous LDAP connection and
>>>>>>>> authenticate to the LDAP server with the retrieved dn and the
>>>>>>>> password provided by the user. The password scheme used in the
>>>>>>>> userPassword field must be supported by the LDAP server's
>>>>>>>> authentication system.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Tomas
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>> --
>>>> Sameer N. Ingole
>>>>
>
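
The moving parts argued over in this thread, written out as an added example (not code from qmail-ldap, ucspi-tcp, or anyone posting here): tcpserver picks a tcp.smtp rule for the client address and hands its variables (SMTPAUTH, NOPBS, RELAYCLIENT) to qmail-smtpd as environment; qmail-smtpd only offers AUTH when SMTPAUTH is set, and with SMTPAUTH="TLSREQUIRED" only after TLS; the only mechanism is PLAIN, whose payload is base64 of NUL-separated fields; and the smtpd user (qmaild, in group nofiles) must be able to read control/ldappassword. The rule lookup below is a simplification of tcpserver's (exact address, then dotted prefixes, then the empty default; hostname rules and a no-match default of "allow" are assumptions), the rule lines other than `:allow,SMTPAUTH="",NOPBS=""` are constructed, and `can_read` is a plain Unix mode check, not qmail-ldap's own logic.

```python
import base64

# Constructed sample rules in tcprules (tcp.smtp) syntax. The default line is
# the one posted in the thread; the 127./192.168.1./10.0.0.5 lines are assumed.
SAMPLE_RULES = """\
# hypothetical /etc/tcp.smtp
127.:allow,RELAYCLIENT="",NOPBS=""
192.168.1.:allow,RELAYCLIENT="",NOPBS=""
10.0.0.5:allow,SMTPAUTH="TLSREQUIRED",NOPBS=""
:allow,SMTPAUTH="",NOPBS=""
"""


def parse_rules(text):
    """Map each address pattern to (action, env). Values containing commas
    are not handled; tcprules allows them but the thread's rules need none."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, *settings = rest.split(",")
        env = {}
        for item in settings:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (action, env)
    return rules


def lookup(rules, ip):
    """Simplified tcpserver lookup for a dotted-quad client: exact address,
    then dotted prefixes from longest to shortest, then the empty default
    rule. Hostname rules are ignored; with no match at all the connection
    is assumed allowed with an empty environment."""
    octets = ip.split(".")
    keys = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})


def auth_policy(env, tls_active):
    """What the smtpd advertises, given the environment tcpserver set,
    following the rules described in the thread."""
    if "SMTPAUTH" not in env:
        return "no-auth"              # client is never asked for a password
    if env["SMTPAUTH"] == "TLSREQUIRED" and not tls_active:
        return "auth-after-starttls"  # AUTH only inside a TLS session
    return "auth-plain"               # only PLAIN is implemented


def encode_auth_plain(user, password, authzid=""):
    """Client side of AUTH PLAIN (RFC 2554 / RFC 4616): base64 of
    NUL-separated authzid, authcid and password. Nothing here is encrypted,
    which is what SMTPAUTH="TLSREQUIRED" is for."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_auth_plain(b64):
    """Server side: accept only exactly three NUL-separated fields."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN payload")
    return tuple(p.decode() for p in parts)


def can_read(mode, owner, group, user="qmaild", groups=("nofiles",)):
    """Unix read check for control/ldappassword as the smtpd user (a
    constructed check, not qmail-ldap code). mode is the 10-char ls -l
    string, e.g. '-rw-r-----'."""
    if owner == user:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("192.168.1.20", "10.0.0.5", "203.0.113.9"):
        action, env = lookup(rules, ip)
        print(ip, action, env, auth_policy(env, tls_active=False))
    print(decode_auth_plain(encode_auth_plain("jason", "secret")))
    # the permissions from the thread: root:nofiles 640 -> readable by qmaild
    print(can_read("-rw-r-----", "root", "nofiles"))
```

Running it shows why a LAN client matched by a RELAYCLIENT-only rule is never prompted for a password while a roaming client hitting the default rule is, and why a rule with SMTPAUTH="TLSREQUIRED" produces no AUTH offer on a plaintext session. Real tcpserver reads the compiled tcp.smtp.cdb, so the rules file only takes effect after rebuilding it, as the thread notes.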
