qmail Digest 9 Sep 1999 10:00:01 -0000 Issue 754

Topics (messages 29989 through 30039):

Potential hole?
        29989 by: "Petr Novotny" <[EMAIL PROTECTED]>
        29990 by: Russell Nelson <[EMAIL PROTECTED]>
        29993 by: Jos Backus <[EMAIL PROTECTED]>
        29994 by: Vince Vielhaber <[EMAIL PROTECTED]>
        29995 by: Vince Vielhaber <[EMAIL PROTECTED]>
        29996 by: "Petr Novotny" <[EMAIL PROTECTED]>
        29997 by: "Petr Novotny" <[EMAIL PROTECTED]>
        29998 by: "David Dyer-Bennet" <[EMAIL PROTECTED]>
        29999 by: "Thomas M. Sasala" <[EMAIL PROTECTED]>
        30000 by: Ken Jones <[EMAIL PROTECTED]>
        30001 by: "Petr Novotny" <[EMAIL PROTECTED]>
        30002 by: Mark Delany <[EMAIL PROTECTED]>
        30017 by: Russ Allbery <[EMAIL PROTECTED]>
        30028 by: "David Dyer-Bennet" <[EMAIL PROTECTED]>
        30036 by: Nicolas MONNET <[EMAIL PROTECTED]>
        30037 by: Ken Jones <[EMAIL PROTECTED]>

mail users
        29991 by: "Ilya Krel" <[EMAIL PROTECTED]>

relaying based on MX records
        29992 by: [EMAIL PROTECTED]

Two questions on mail lists
        30003 by: MSCS Technician <[EMAIL PROTECTED]>
        30039 by: Peter Haworth <[EMAIL PROTECTED]>

RAID 5 and queue restore
        30004 by: "Daniluk, Cris" <[EMAIL PROTECTED]>
        30008 by: [EMAIL PROTECTED]
        30031 by: Daemeon Reiydelle <[EMAIL PROTECTED]>
        30032 by: Daemeon Reiydelle <[EMAIL PROTECTED]>

newbie problems with qmail-pop3d
        30005 by: "Michael" <[EMAIL PROTECTED]>
        30006 by: "Racer X" <[EMAIL PROTECTED]>
        30007 by: "James J. Lippard" <[EMAIL PROTECTED]>

Delays receiving mail with attachments
        30009 by: Mike Moulton <[EMAIL PROTECTED]>

RCPTHOSTS and 533 "Not in rcpthosts"
        30010 by: Paul Farber <[EMAIL PROTECTED]>
        30011 by: Robbie Walker <[EMAIL PROTECTED]>
        30012 by: Paul Farber <[EMAIL PROTECTED]>
        30013 by: Paul Farber <[EMAIL PROTECTED]>
        30014 by: Chris Johnson <[EMAIL PROTECTED]>
        30015 by: Paul Farber <[EMAIL PROTECTED]>
        30016 by: Chris Johnson <[EMAIL PROTECTED]>
        30019 by: Paul Farber <[EMAIL PROTECTED]>
        30020 by: Chris Johnson <[EMAIL PROTECTED]>
        30021 by: "Racer X" <[EMAIL PROTECTED]>
        30023 by: Paul Farber <[EMAIL PROTECTED]>
        30024 by: Paul Farber <[EMAIL PROTECTED]>
        30025 by: Paul Farber <[EMAIL PROTECTED]>
        30026 by: Paul Farber <[EMAIL PROTECTED]>
        30027 by: "Racer X" <[EMAIL PROTECTED]>

web messaging
        30018 by: Mirko Zeibig <[EMAIL PROTECTED]>

Hurdle #2
        30022 by: "Ron 'The InSaNe One' Rosson" <[EMAIL PROTECTED]>

Customized Bounce Message ?
        30029 by: Hans Wong <[EMAIL PROTECTED]>
        30033 by: Anand Buddhdev <[EMAIL PROTECTED]>
        30034 by: Hans Wong <[EMAIL PROTECTED]>
        30035 by: Anand Buddhdev <[EMAIL PROTECTED]>

Once done installing
        30030 by: James <[EMAIL PROTECTED]>
        30038 by: Ken Jones <[EMAIL PROTECTED]>

Administrivia:

To subscribe to the digest, e-mail:
        [EMAIL PROTECTED]

To unsubscribe from the digest, e-mail:
        [EMAIL PROTECTED]

To bug my human owner, e-mail:
        [EMAIL PROTECTED]

To post to the list, e-mail:
        [EMAIL PROTECTED]


----------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8 Sep 99, at 11:48, Robert Varga wrote:
> On Wed, 8 Sep 1999, Sebastian Andersson wrote:
> 
> > On Wed, Sep 08, 1999 at 11:24:45AM +0500, Dmitry Niqiforoff wrote:
> > >   Are there any suggestions about how to avoid all the potential
> > > problems?
> 
> What is the problem? They run programs with their uid and gid.
> They would not be able to run in.telnetd I think... or am I wrong?

They are able to run it - only they have to bind it to port >1024. If 
the user is allowed to upload, he can also upload binaries.

There are generally two solutions:
1. Prevent the user from controlling which programs get run. This usually 
means disabling user changes to .forward, .qmail and similar files for 
delivery (and, for other services unknown to me, also disabling user 
configuration).
2. Hack qmail-local, procmail etc. to run some kind of restricted 
shell instead of /bin/sh (like /bin/smrsh).


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN9ZCPlMwP8g7qbw/EQKjCQCeOEpWismsf4D9cAJn32QJW8/kGJkAoO0E
/XZYVvjITiyrb/CYo2OxqICS
=ihW4
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]
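Petr's second option, a restricted shell in place of /bin/sh in qmail-local, sketched as an added example in POSIX sh. This is not smrsh, not qmail code, and not anything posted in the thread: the wrapper takes a command line the way `sh -c` would, refuses shell metacharacters, and runs the first word only if a program of that name exists in an allowlist directory that root controls. `RSH_ALLOW`, `rsh_run` and `make_allowlist` are names made up for this example, and the `forward` entry placed in the allowlist is a symlink to /bin/echo standing in for qmail's forward, not the real program.

```shell
#!/bin/sh
# Added example: an smrsh-style restricted shell for qmail-local program
# deliveries. qmail-local runs the text after "|" in a .qmail line as
# "/bin/sh -c 'command'"; pointing qmail-local at a wrapper like this one
# instead limits deliveries to programs root has placed in the allowlist
# directory. RSH_ALLOW is a hypothetical default (smrsh uses /etc/smrsh);
# nothing here is qmail's or smrsh's own code.

RSH_ALLOW=${RSH_ALLOW:-/etc/smrsh}

# rsh_run ALLOWDIR COMMANDLINE
# Runs COMMANDLINE if its first word names an executable in ALLOWDIR and
# the line contains no shell metacharacters. A refused command returns 100,
# qmail's permanent-failure status, so the delivery bounces at once instead
# of being retried for a week (the deferral Petr describes for the --x trick).
rsh_run() {
  allow=$1
  cmdline=$2

  # No pipelines, redirections, substitutions or background jobs.
  case $cmdline in
    *[';|&<>`$(){}']*)
      echo "rsh: refused, metacharacter in: $cmdline" >&2
      return 100 ;;
  esac

  # Split into words without pathname expansion, then keep only the base
  # name of the program: "/bin/sh" and "../sh" both become "sh".
  set -f
  set -- $cmdline
  set +f
  [ $# -gt 0 ] || return 100
  base=${1##*/}
  shift

  if [ -z "$base" ] || [ ! -f "$allow/$base" ] || [ ! -x "$allow/$base" ]; then
    echo "rsh: refused, $base is not in $allow" >&2
    return 100
  fi
  "$allow/$base" "$@"
}

# make_allowlist DIR: fill DIR with one constructed entry called "forward",
# a symlink to /bin/echo standing in for qmail's real forward program
# (smrsh is populated the same way, with symlinks root creates).
make_allowlist() {
  mkdir -p "$1"
  ln -sf /bin/echo "$1/forward"
}

# Stand-alone demonstration with a temporary allowlist.
demo=$(mktemp -d)
make_allowlist "$demo"
rsh_run "$demo" "forward alice@example.com"       # allowed, prints the address
rsh_run "$demo" "/bin/sh -c id"                   # refused: sh is not in the allowlist
rsh_run "$demo" "forward alice@example.com | id"  # refused: metacharacter
rm -rf "$demo"
```

Because only the base name is looked up, a user cannot escape the allowlist with a path to a binary they uploaded, and because the whole line is rejected on any metacharacter, an allowed program cannot be chained to a disallowed one.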




Dmitry Niqiforoff writes:
 >   Yesterday I found that any user is able to start any program at
 > server with .qmail file. This could be potentially dangerous, AFAIU.

Only if you let users edit their own .qmail files.  Don't.  Deny them
write permission in their home directory.  If they need to upload
html, give them write permission in public_html.  If you really,
*really* need to allow them to change their .qmail files, give them a
"qmail" home directory, and have a root cron job which copies .qmail
files from that directory into their home directory, editing out
program deliveries on the way.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Government schools are so
521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!
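The root cron job Russell describes, as an added example in POSIX sh that is not part of the thread or of qmail: users edit .qmail files in a staging directory they can write to, and the job copies them into the read-only home directory with program deliveries removed. The line classification is a conservative approximation of dot-qmail(5) written for this example, not qmail-local's own parser, and `sanitize_qmail` and `install_qmail_files` are names made up here.

```shell
#!/bin/sh
# Added example of the root cron job Russell describes: users edit .qmail
# files in a staging directory they can write to, and a periodic job copies
# them into the real (non-writable) home directory with program deliveries
# ("|command" lines) removed. The line classification is a conservative
# approximation of dot-qmail(5) written for this example, not qmail-local's
# own parser; sanitize_qmail and install_qmail_files are names made up here.

# sanitize_qmail FILE
# Prints FILE keeping only blank lines, comments (#), forwards (&addr or a
# bare address) and file or maildir deliveries (./path or /path). Anything
# else, in particular "|program" lines, is dropped and reported on stderr.
sanitize_qmail() {
  while IFS= read -r line || [ -n "$line" ]; do
    # Classify by the first non-blank character; a "|" after leading blanks
    # is still treated as a program delivery and dropped.
    lead=${line%%[![:space:]]*}
    stripped=${line#"$lead"}
    case $stripped in
      ''|'#'*|'&'*|[A-Za-z0-9]*|'.'*|'/'*) printf '%s\n' "$line" ;;
      *) echo "sanitize_qmail: dropped: $line" >&2 ;;
    esac
  done < "$1"
}

# install_qmail_files STAGEDIR HOMEDIR
# Copies every .qmail* file in STAGEDIR into HOMEDIR through sanitize_qmail.
# In the real cron job, which runs as root, this would also chown the copy
# to the user and make it mode 0600; both are left out so the example runs
# unprivileged.
install_qmail_files() {
  stage=$1
  home=$2
  for f in "$stage"/.qmail*; do
    [ -f "$f" ] || continue
    name=${f##*/}
    sanitize_qmail "$f" > "$home/$name.tmp" && mv "$home/$name.tmp" "$home/$name"
  done
}

# Stand-alone demonstration with a constructed staging file.
stage=$(mktemp -d)
home=$(mktemp -d)
printf '%s\n' \
  '# copy everything to my other mailbox' \
  '&alice@example.com' \
  './Maildir/' \
  '|/usr/local/bin/some-program' \
  > "$stage/.qmail"
install_qmail_files "$stage" "$home"
cat "$home/.qmail"
rm -rf "$stage" "$home"
```

The copy is written to a temporary name and renamed into place so qmail-local never reads a half-written .qmail file; the dropped lines go to stderr so cron mails them to root, which is the audit trail for users who keep trying program deliveries.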




What about Dan's suggestion?

http://www.ornl.gov/its/archives/mailing-lists/qmail/1999/03/msg00918.html

-- 
Jos Backus                          _/ _/_/_/  "Reliability means never
                                   _/ _/   _/   having to say you're sorry."
                                  _/ _/_/_/             -- D. J. Bernstein
                             _/  _/ _/    _/
[EMAIL PROTECTED]  _/_/  _/_/_/      use Std::Disclaimer;




On Wed, 8 Sep 1999, Russell Nelson wrote:

> Dmitry Niqiforoff writes:
>  >   Yesterday I found that any user is able to start any program at
>  > server with .qmail file. This could be potentially dangerous, AFAIU.
> 
> Only if you let users edit their own .qmail files.  Don't.  Deny them
> write permission in their home directory.  If they need to upload
> html, give them write permission in public_html.  If you really,
> *really* need to allow them to change their .qmail files, give them a
> "qmail" home directory, and have a root cron job which copies .qmail
> files from that directory into their home directory, editing out
> program deliveries on the way.

Will this work?  What I did was edit qmail-local.c and change the
/bin/sh to /bin/qsh.  Then I copied /bin/sh to /bin/qsh and removed all
rights to 'other'.   It tests ok, non priv'd users can't exec env whereas
priv'd users can from within a .qmail file.  Could I be missing something?

If not, perhaps Dan can add this to qmail2 (provided he didn't already 
come up with something).  If this works I'll write something up for 
www.qmail.org.

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH   email: [EMAIL PROTECTED]   flame-mail: /dev/null
       # include <std/disclaimers.h>                   TEAM-OS2
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================







On Wed, 8 Sep 1999, Jos Backus wrote:

> What about Dan's suggestion?
> 
> http://www.ornl.gov/its/archives/mailing-lists/qmail/1999/03/msg00918.html
> 
> 

But can't joeuser rename the .qmail file to .junk and drop in his own
.qmail file with the right permissions?

Vince.
-- 
==========================================================================
Vince Vielhaber -- KA8CSH   email: [EMAIL PROTECTED]   flame-mail: /dev/null
       # include <std/disclaimers.h>                   TEAM-OS2
        Online Campground Directory    http://www.camping-usa.com
       Online Giftshop Superstore    http://www.cloudninegifts.com
==========================================================================







-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8 Sep 99, at 15:48, Jos Backus wrote:

> What about Dan's suggestion?
> 
> http://www.ornl.gov/its/archives/mailing-lists/qmail/1999/03/msg00918.html

Hmm - interesting - I have always thought that a homedir owned by 
root is the definition of a system account which does not get mail 
delivered to it...

Anyway, the trick with --x bit is neat but it assumes educated user 
anyway, since adding program deliveries results in temporary 
deferrals and eventually bounces after a week.


What's wrong with some kind of /bin/smrsh approach? (If I 
understand it correctly, smrsh runs only programs that are 
softlinked into /etc/smrsh; i.e. root sets up which programs are 
allowed to be run.) I must say that running programs like "forward" 
or "bouncesaying" pretty much helps in cases of complicated
user-ext setups...

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN9Z6Y1MwP8g7qbw/EQIrdgCg2uu1QoqjEiDv7r3nAXegIrasSHoAn1zL
96Zgh7P66ILUzIzlJCS0JBUY
=BQnG
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 8 Sep 99, at 9:55, Vince Vielhaber wrote:
> But can't joeuser rename the .qmail file to .junk and drop in his own
> .qmail file with the right permissions?

If he doesn't own his homedir, he can't (unless he is granted -w- 
inside the directory). Only if he owned the directory could he grant 
himself the -w-.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN9Z6ulMwP8g7qbw/EQJCkACdH92eXf8G8tB5KhFyuZ9pmpUKFpkAn3SO
aaVTVLm9YFGs3wqU1D1WcPC7
=QnxO
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]




Dmitry Niqiforoff <[EMAIL PROTECTED]> writes on 8 September 1999 at 11:24:45 +0500

 >   Yesterday I found that any user is able to start any program at
 > server with .qmail file. This could be potentially dangerous, AFAIU. As
 > an example: I denied TELNET access (disabled the service in inetd.conf),
 > but any user can put "|in.telnetd" in their .qmail file (of course, there
 > should be not only in.telnetd to work correctly).
 >   Also, any user is able to get our /etc/passwd file. It is not
 > dangerous because there are no passwords, but it is possible to a) find
 > out where user homedir is, and b) get total list of the users which can
 > be later used for, let's say, spamming.
 >   Your imagination is the only limit for this.

Insufficient data; if these users have shell accounts, they can
already do all the things you mention and more.  qmail-local, which is
the one that reads the .qmail file, runs as the user, so it can only
do the things the user can do.  No possible compromise in that case.

If you're talking about a setup where the users don't have shell
access, but do have a UID and a home directory, that's harder, but not
completely impossible.  Many of the other responses have addressed
approaches to this case.  

You might be better off moving to some sort of single-UID POP system;
pointers on the qmail site I believe (I don't run such a thing myself
so I have rather limited opinions on the topic).  This takes away the
foothold that users might employ to gain full access to your server. 
-- 
David Dyer-Bennet         ***NOTE ADDRESS CHANGES***          [EMAIL PROTECTED]
http://dd-b.lighthunters.net/ (photos) Minicon: http://www.mnstf.org/minicon
http://www.dd-b.net/dd-b (sf) http://ouroboros.demesne.com/ Ouroboros Bookworms
Join the 20th century before it's too late!





        I'm very confused about this.  If the user has a shell account,
how can you possibly deny them write permission?  I mean, it is possible,
but it sounds a bit counterintuitive to make their home directory read-only.
Secondly, if they don't have a shell account, how would they be able
to edit their .qmail file as themselves (their uid and gid)?

        -Tom

Russell Nelson wrote:
> 
> Dmitry Niqiforoff writes:
>  >   Yesterday I found that any user is able to start any program at
>  > server with .qmail file. This could be potentially dangerous, AFAIU.
> 
> Only if you let users edit their own .qmail files.  Don't.  Deny them
> write permission in their home directory.  If they need to upload
> html, give them write permission in public_html.  If you really,
> *really* need to allow them to change their .qmail files, give them a
> "qmail" home directory, and have a root cron job which copies .qmail
> files from that directory into their home directory, editing out
> program deliveries on the way.
> 
> --
> -russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
> Crynwr sells support for free software  | PGPok | Government schools are so
> 521 Pleasant Valley Rd. | +1 315 268 1925 voice | bad that any rank amateur
> Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | can outdo them. Homeschool!

-- 
+-------------------------------------------------------------------+
+  Thomas M. Sasala, Electrical Engineer       [EMAIL PROTECTED]       +
+  MRJ Technology Solutions                    http://www.mrj.com   +
+  10461 White Granite Drive, Suite 102        (W)(703)277-1714     +
+  Oakton, VA   22124                          (F)(703)277-1702     +
+-------------------------------------------------------------------+





The best solution I've seen is to group all the programs
that are possible security holes, like in.telnet and compilers,
to a new group. And only allow members of that group to execute
the programs.

Just like all the suid programs should be grouped.

It's a pretty standard security lockdown method.

Ken 
Inter7




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 9 Aug 99, at 10:38, Ken Jones wrote:
> The best solution I've seen is to group all the programs
> that are possible security holes, like in.telnet and compilers,
> to a new group. And only allow members of that group to execute
> the programs.
> 
> Just like all the suid programs should be grouped.
> 
> It's a pretty standard security lockdown method.

What prevents me from uploading binaries into my home 
directory/subdirectories, like ~/Maildir/tmp? (Other than carefully 
controlled ftp access?)

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2 -- QDPGP 2.60 
Comment: http://community.wow.net/grt/qdpgp.html

iQA/AwUBN9ac0VMwP8g7qbw/EQJTowCgk9NInMtpnVQFNT4kmh+y4s3Vxr4AnAmQ
PPbweKBWtIiLe5nGgs2ERtd4
=gyVW
-----END PGP SIGNATURE-----
--
Petr Novotny, ANTEK CS
[EMAIL PROTECTED]
http://www.antek.cz
PGP key ID: 0x3BA9BC3F
-- Don't you know there ain't no devil there's just God when he's drunk.
                                                             [Tom Waits]





>On 9 Aug 99, at 10:38, Ken Jones wrote:
> > The best solution I've seen is to group all the programs
> > that are possible security holes, like in.telnet and compilers,
> > to a new group. And only allow members of that group to execute
> > the programs.
> >
> > Just like all the suid programs should be grouped.
> >
> > It's a pretty standard security lockdown method.


The alternative is the reverse of that. Make all programs inaccessible and
selectively allow execute access to known good programs.



>What prevents me from uploading binaries into my home
>directory/subdirectories, like ~/Maildir/tmp? (Other than carefully
>controlled ftp access?)


Some OSes support mount -noexec which means the OS will not run an
executable from that mount point. /home, /var and /tmp all are good
candidates for those systems that allow it.

Another option as someone alluded to earlier is to have a MAILHOME which is
where qmail looks for .qmail files. You can use qmail/users to define this,
then you allow very restricted access to that directory such that the .qmail
files are always in a known state. Typically this is done via a webpage that
has options like "Set forward" address, "Set vacation" and "set -address"
rather than "place data in a .qmail file".

Yet another option is to modify the shell so that it only allows execution
of certain programs/paths. I've modified bash and used it as a /bin/sh with
success in this sort of circumstance.

Yet another option is a one-line change in qmail-local to use a different
shell.

All of this is work, some of which requires real Sysadmin skills and real
programming skills, but the capability is there for those who want to bother.


Regards.
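The mount -noexec recommendation Mark makes for /home, /var and /tmp, turned into a check an admin can run, as an added example in POSIX sh that is not from the thread or from any qmail tool. It reads a table in /proc/mounts format and reports watched mount points whose options lack noexec; the sample table is constructed for this example and `noexec_missing` and `write_sample_mounts` are names made up here. As the later replies in this thread note, noexec does not stop interpreted scripts, so this is one control to verify, not a guarantee.

```shell
#!/bin/sh
# Added example: report mount points that are missing the noexec option
# Mark recommends for user-writable filesystems. Input is in /proc/mounts
# format (device mountpoint fstype options dump pass); the sample below is
# constructed for this example, not taken from a real host. noexec_missing
# is a name made up here.

# noexec_missing MOUNTS_FILE WATCHLIST
# Prints "mountpoint (options)" for every entry in the space-separated
# WATCHLIST whose mount options lack noexec; prints nothing when all of
# them have it.
noexec_missing() {
  mounts=$1
  watch=$2
  while read -r dev mnt fstype opts rest; do
    for w in $watch; do
      [ "$mnt" = "$w" ] || continue
      # Wrap in commas so "noexec" only matches a whole option, not part of one.
      case ",$opts," in
        *,noexec,*) ;;
        *) printf '%s (%s)\n' "$mnt" "$opts" ;;
      esac
    done
  done < "$mounts"
}

# write_sample_mounts FILE: a constructed /proc/mounts snapshot in which
# /var was mounted without noexec.
write_sample_mounts() {
  printf '%s\n' \
    '/dev/sda1 / ext2 rw 0 0' \
    '/dev/sda5 /home ext2 rw,nosuid,noexec 0 0' \
    '/dev/sda6 /var ext2 rw,nosuid 0 0' \
    '/dev/sda7 /tmp ext2 rw,noexec,nosuid 0 0' \
    > "$1"
}

# Stand-alone demonstration: first the constructed sample, then the live
# mount table when this host has one.
sample=$(mktemp)
write_sample_mounts "$sample"
noexec_missing "$sample" "/home /var /tmp"   # prints: /var (rw,nosuid)
rm -f "$sample"
if [ -r /proc/mounts ]; then
  noexec_missing /proc/mounts "/home /var /tmp"
fi
```

Run it from cron and mail the output to root: an empty report is the expected state, and any line means a remount or an fstab edit has undone the protection.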




Ken Jones <[EMAIL PROTECTED]> writes:

> The best solution I've seen is to group all the programs that are
> possible security holes, like in.telnet and compilers, to a new
> group. And only allow members of that group to execute the programs.

If you go that direction, you don't want to do it that way.  Instead, you
group all the programs that you're pretty sure *aren't* possible security
holes and you remove people's ability to execute anything else.

And as other people mentioned, if you take this route, you also need to
make sure that your users don't have write access to any file system
mounted without -noexec.  And make sure that they can't execute any
interpreter, since you can execute interpreted programs even from a
-noexec file system.  And... um... they'd better not have shell access
then.  And....

This isn't an easy thing to do.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>




Russ Allbery <[EMAIL PROTECTED]> writes on 8 September 1999 at 16:13:46 -0700
 > Ken Jones <[EMAIL PROTECTED]> writes:
 > 
 >  > > The best solution I've seen is to group all the programs that are
 > > possible security holes, like in.telnet and compilers, to a new
 > > group. And only allow members of that group to execute the programs.
 > 
 > If you go that direction, you don't want to do it that way.  Instead, you
 > group all the programs that you're pretty sure *aren't* possible security
 > holes and you remove people's ability to execute anything else.
 > 
 > And as other people mentioned, if you take this route, you also need to
 > make sure that your users don't have write access to any file system
 > mounted without -noexec.  And make sure that they can't execute any
 >  > interpreter, since you can execute interpreted programs even from a
 > -noexec file system.  And... um... they'd better not have shell access
 > then.  And....

I've seen discussion on BUGTRAQ recently pointing out that you can
often use ld.so to execute things on non-executable partitions, and
people saying that noexec shouldn't be considered a security
mechanism.  If it ain't a security mechanism, I haven't a clue what it
could be good for.  If it isn't a *working* security mechanism, it
should either be fixed or removed; as long as it's sitting there,
people will try to use it as a security mechanism.

Another way around it I've thought of is that, if you have a shell
account, with many shells you can "source" a script without that
script having to be executable.  Since you can write nearly anything
as a shell script, this gives yet another way to get around
restrictions. 

 > This isn't an easy thing to do.

As you say.
-- 
David Dyer-Bennet         ***NOTE ADDRESS CHANGES***          [EMAIL PROTECTED]
http://dd-b.lighthunters.net/ (photos) Minicon: http://www.mnstf.org/minicon
http://www.dd-b.net/dd-b (sf) http://ouroboros.demesne.com/ Ouroboros Bookworms
Join the 20th century before it's too late!






> >What prevents me from uploading binaries into my home
> >directory/subdirectories, like ~/Maildir/tmp? (Other than carefully
> >controlled ftp access?)
> 
> 
> Some OSes support mount -noexec which means the OS will not run an
> executable from that mount point. /home, /var and /tmp all are good
> candidates for those systems that allow it.

On linux, /lib/ld-linux.so name-of-the-binary-file goes around this ...







David Dyer-Bennet wrote:
> 
> Russ Allbery <[EMAIL PROTECTED]> writes on 8 September 1999 at 16:13:46 -0700
>  > Ken Jones <[EMAIL PROTECTED]> writes:

blah blah.

If you want a secure system follow these rules:

1) Only grant shell access to trusted users.

2) Physical security

3) Shut off un-needed services

4) Run trusted programs

5) Monitor news and lists for new exploits

6) Practice "Safe Coding"

7) Have good backups

8) Upgrade 

For anything else you will need a risk assessment to determine how
much you are willing to be hacked, and how expensive it is
to recover.

Ken Jones
Inter7




If I want to create a bunch of users, which will be getting mail by POP,
with no shell accounts, do I put them in one of the groups qmail created?
Which one would be better?





On Wed, 8 Sep 1999, Jan Stanik wrote:

> Hi,
> 
>       In Sendmail, I can define the feature "relay based on MX". Is it 
> possible to configure qmail to work in a similar way?

List all the names you're an MX for in rcpthosts.  Shouldn't be difficult
to make a script to munge your zone file to produce the necessary records
and update rcpthosts if you manage your own DNS records.  If not, just
update rcpthosts whenever you tell your DNS people to add the MX records.

As I'm sure someone will tell you in more detail, you don't really want to
do a lookup for MX records pointing at you, as anyone can make such
records.

> --
>   Jan Stanik
> [EMAIL PROTECTED]
> Telenor Internet,s.r.o
> 

-- 
"Life is much too important to be taken seriously."
Thomas Erskine        <[EMAIL PROTECTED]>        (613) 998-2836
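The zone-file munging Thomas suggests, as an added example in POSIX sh and awk that is not from the thread or from qmail: it derives rcpthosts entries from the MX records in a zone you control, which is the safe direction, rather than from DNS lookups of MX records pointing at you, which anyone can create. The zone file is constructed for this example; the parser covers the common one-line "owner [ttl] [IN] MX pref exchange" form plus $ORIGIN and @, not full BIND syntax. `rcpthosts_from_zone`, `rcpthosts_merge` and `write_sample_zone` are names made up here.

```shell
#!/bin/sh
# Added example of the zone-file munging Thomas suggests: derive rcpthosts
# entries from the MX records in a zone you control, instead of trusting
# MX lookups that anyone can point at your host. The zone file is
# constructed for this example; the parser covers the common one-line
# "owner [ttl] [IN] MX pref exchange" form plus $ORIGIN and @, not full
# BIND syntax. rcpthosts_from_zone, rcpthosts_merge and write_sample_zone
# are names made up here, not qmail tools.

# rcpthosts_from_zone ZONEFILE MAILHOST
# Prints every owner name in ZONEFILE that has an MX record whose exchange
# is MAILHOST (fully qualified, with trailing dot), without the trailing dot.
rcpthosts_from_zone() {
  awk -v mx="$2" '
    # Make a possibly relative name absolute under the current $ORIGIN.
    function absolute(n) {
      if (n == "@") return origin
      if (n ~ /\.$/) return n
      return n "." origin
    }
    /^\$ORIGIN/ { origin = $2; next }
    /^\$TTL/ || /^[ \t]*;/ || NF == 0 { next }
    {
      # A record that starts in column one names its owner; one that starts
      # with blanks reuses the previous owner.
      if ($0 !~ /^[ \t]/) owner = $1
      for (i = 1; i <= NF; i++) {
        if ($i == "MX" && i + 2 <= NF && absolute($(i + 2)) == mx) {
          name = absolute(owner)
          sub(/\.$/, "", name)          # rcpthosts entries carry no trailing dot
          if (!(name in seen)) { seen[name] = 1; print name }
        }
      }
    }
  ' "$1"
}

# rcpthosts_merge RCPTHOSTS ZONEFILE MAILHOST
# Prints the union of the current rcpthosts and the names derived from the
# zone, sorted, for review before it replaces control/rcpthosts.
rcpthosts_merge() {
  { cat "$1"; rcpthosts_from_zone "$2" "$3"; } | sort -u
}

# write_sample_zone FILE: a constructed zone for example.com in which
# mail.example.com is the MX for the apex, lists and shop; www has no MX.
write_sample_zone() {
  cat > "$1" <<'EOF'
$ORIGIN example.com.
$TTL 86400
@                 IN SOA ns.example.com. hostmaster.example.com. ( 1 3600 900 604800 86400 )
                  IN NS  ns
                  IN MX  10 mail
mail              IN A   192.0.2.25
lists             IN MX  10 mail.example.com.
shop.example.com. IN MX  20 mail
                  IN MX  10 relay.example.net.
www               IN A   192.0.2.80
EOF
}

# Stand-alone demonstration: derive the names, then merge them with an
# existing rcpthosts that already lists example.com and an unrelated domain.
zone=$(mktemp)
current=$(mktemp)
write_sample_zone "$zone"
printf '%s\n' example.com old.example.org > "$current"
rcpthosts_from_zone "$zone" mail.example.com.
echo '--- merged, ready for review ---'
rcpthosts_merge "$current" "$zone" mail.example.com.
rm -f "$zone" "$current"
```

The merge only ever adds names; removing a domain from rcpthosts when its MX moves away is left to the admin, because a stale extra entry makes the host accept mail it cannot deliver, whereas an automated removal could silently start rejecting a domain over a zone-file typo.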






Hello,

   I have two questions on mail lists:

1) user-defined list question

   My user wants to create a user-defined list.

   i.e.  $ touch .qmail-list         (and fill it up with email addresses)
         $ touch .qmail-list-owner

   This would let him get mail to [EMAIL PROTECTED], but since
not everyone has a self-identifying email address, he'd like to add
a comment in the .qmail-list file to list the person's name next to
the email address.  Is this possible?  (NAME), <NAME>, and # don't 
seem to work.  Apparently he was able to do so with a system-wide
alias (pointed to by /etc/aliases, invoked by fastforward-0.51).


2) /etc/aliases question

   On another topic, I'd like to know whether there is syntax to
hook a separate list of aliases into /etc/aliases.  Example: I'd like to 
create a 'fullnames' list which lists the fullname aliases of our users.  
Is there a syntax I can put in /etc/aliases to "#include" that list?
Or perhaps a better solution?  Up until now I create the list
of fullname aliases, manually bring them in, and re-run newaliases.


 
Thanks much,

-Robert




MSCS Technician wrote:
> 1) user-defined list question
> 
>    My user wants to create a user-defined list.
> 
>    i.e.  $ touch .qmail-list         (and fill it up with email addresses)
>          $ touch .qmail-list-owner
> 
>    This would let him get mail to [EMAIL PROTECTED], but since
> not everyone has a self-identifying email address, he'd like to add
> a comment in the .qmail-list file to list the person's name next to
> the email address.  Is this possible?  (NAME), <NAME>, and # don't 
> seem to work.  Apparently he was able to do so with a system-wide
> alias (pointed to by /etc/aliases, invoked by fastforward-0.51).

You can have comments in a .qmail file, but they have to be on their own line:

  # This is Fred Bloggs
  &fb

rather than:

  &fb # This is Fred Bloggs

-- 
        Peter Haworth   [EMAIL PROTECTED]
"Ok, print the message, then put it in your shoe and put your shoe in front
 of the fireplace... then wait till Santa come and give the code to you ;-)
 Hey! this is not mod_santa list !"
                -- Fabrice Scemama on the mod_perl list





Unless redundancy is important over striping :)

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 08, 1999 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: RAID 5 and queue restore
> 
> 
> On Mon, Sep 06, 1999 at 01:22:08PM -0500,  wrote:
> > Suppose I was running a DPT RAID 5 controller and the mail queue was
> > stored on this RAID array. What will happen to the inode 
> structure of
> > the queue if one of the disks fails, I replace it and the controller
> > rebuilds it?
> 
> Nothing.  You're covered at the inode level.
> 
> But that doesn't mean the RAID 5 is good to use.  Use 1+0 instead. 
> 
> -- 
> John White     johnjohn
>              at
>                triceratops.com
> PGP Public Key: http://www.triceratops.com/john/public-key.pgp
> 




On Wed, Sep 08, 1999 at 01:13:50PM -0400, Daniluk, Cris wrote:
> Unless redundancy is important over striping :)
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 08, 1999 1:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: RAID 5 and queue restore
> > 
> > But that doesn't mean the RAID 5 is good to use.  Use 1+0 instead. 

RAID 1+0 provides more redundancy AND io speed than RAID 5.

-- 
John White     johnjohn
             at
               triceratops.com
PGP Public Key: http://www.triceratops.com/john/public-key.pgp




Fortunately advice is freely distributed on the internet. Fortunately
because being free its price is just about right.

[EMAIL PROTECTED] wrote:
> 
> On Wed, Sep 08, 1999 at 01:13:50PM -0400, Daniluk, Cris wrote:
> > Unless redundancy is important over striping :)
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, September 08, 1999 1:47 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: RAID 5 and queue restore
> > >
> > > But that doesn't mean the RAID 5 is good to use.  Use 1+0 instead.
> 
> RAID 1+0 provides more redundancy AND io speed than RAID 5.
> 
> --
> John White     johnjohn
>              at
>                triceratops.com
> PGP Public Key: http://www.triceratops.com/john/public-key.pgp

-- 
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]




Hmm, in all fairness, the simple statement "RAID-5" is misleading. The
term is somewhat simplistically used to mean striping with parity
whereas it formally does mean without parity unless qualified as RAID
3,5 or whatever. Simple striping would of course provide no redundancy
but I gave the originator and the readers enough intelligence to not be
a stickler for accuracy. I admit that I find such sticklerism boring and
that it leads to inane chains such as this.

Time for me to go back to sleep and let the inanities stickle.

"Daniluk, Cris" wrote:
> 
> Unless redundancy is important over striping :)
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, September 08, 1999 1:47 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: RAID 5 and queue restore
> >
> >
> > On Mon, Sep 06, 1999 at 01:22:08PM -0500,  wrote:
> > > Suppose I was running a DPT RAID 5 controller and the mail queue was
> > > stored on this RAID array. What will happen to the inode
> > structure of
> > > the queue if one of the disks fails, I replace it and the controller
> > > rebuilds it?
> >
> > Nothing.  You're covered at the inode level.
> >
> > But that doesn't mean the RAID 5 is good to use.  Use 1+0 instead.
> >
> > --
> > John White     johnjohn
> >              at
> >                triceratops.com
> > PGP Public Key: http://www.triceratops.com/john/public-key.pgp
> >

-- 
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]




Thanks to all who suggested I uninstall daemontools 0.61 and reinstall 
0.53.  Everything seems to be up and running, however, now I am having 
problems with qmail-pop3d.

I have tested the following:
1. Smtp sends mail out fine.  I can send mail out from a local and remote 
account.
2. Receiving mail.  I can receive mail locally and remotely (I see the 
messages appear in the /Maildir/new/ directory).

I can't seem to pop any mail down yet.  Checkpassword is installed and 
configured.  When I run
/var/qmail/bin/qmail-popup slave-1.net /bin/checkpassword pwd 
as a user, then enter a valid "user username" at +OK, then a valid "pass 
password" at +OK prompt  I get an -ERR authorization failed.  If I perform the 
same command with the same user and password as root, I get the proper 
/home/$user directory.  Is it by design that only root can get the correct 
response with checkpassword?

Given the above, it would appear checkpassword is working properly (I 
think).  However, when I try to pop my mail down I get an invalid password 
response.  I am using a WinNT mail reader.  Does the mail reader have to 
support ./Maildir if I am only POP'ing my mail down?

I am running qmail 1.03 on x86 Red Hat 6.0.

Thanks.




you need to be running qmail-popup out of inetd or tcpserver, and
qmail-popup must start as root so that qmail-pop3d can later change to the
appropriate UID.

the checkpassword thing may be related, if you're using shadow passwords for
instance.  fix is the same.

other than that it looks like things are working okay.  try starting
qmail-popup out of tcpserver, and see if you can log in as a user.  once you
log in successfully, look at the process table and make sure qmail-pop3d is
running as a normal user and not as root.

shag
=====
Judd Bourgeois        |   CNM Network      +1 (805) 520-7170
Software Architect    |   1900 Los Angeles Avenue, 2nd Floor
[EMAIL PROTECTED]   |   Simi Valley, CA 93065

Quidquid latine dictum sit, altum viditur.

----- Original Message -----
From: Michael <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wed 8 Sep 1999 10.33
Subject: newbie problems with qmail-pop3d


> Thanks to all who suggested I uninstall daemontools 0.61 and reinstall
> 0.53.  Everything seems to be up and running, however, now I am having
> problems with qmail-pop3d.
>
> I have tested the following:
> 1. Smtp sends mail out fine.  I can send mail out from a local and remote
> account.
> 2. Receiving mail.  I can receive mail locally and remotely (I see the
> messages appear in the /Maildir/new/ directory).
>
> I can't seem to pop any mail down yet.  Checkpassword is installed and
> configured.  When I run
> /var/qmail/bin/qmail-popup slave-1.net /bin/checkpassword pwd
> as a user, then enter a valid "user username" at +OK, then a valid "pass
> password" at +OK prompt  I get an -ERR authorization failed.  If I perform
the
> same command with the same user and password as root, I get the proper
> /home/$user directory.  Is it by design that only root can get the correct
> response with checkpassword?
>
> Given the above, it would appear checkpassword is working properly (I
> think).  However, when I try to pop my mail down I get an invalid password
> response.  I am using a WinNT mail reader.  Does the mail reader have to
> support ./Maildir if I am only POP'ing my mail down?
>
> I am running qmail 1.03 on x86 Red Hat 6.0.
>
> Thanks.
>





On Wed, 8 Sep 1999, Michael wrote:

> Thanks to all who suggested I uninstall daemontools 0.61 and reinstall 
> 0.53.  Everything seems to be up and running, however, now I am having 
> problems with qmail-pop3d.
> 
> I have tested the following:
> 1. Smtp sends mail out fine.  I can send mail out from a local and remote 
> account.
> 2. Receiving mail.  I can receive mail locally and remotely (I see the 
> messages appear in the /Maildir/new/ directory).
> 
> I can't seem to pop any mail down yet.  Checkpassword is installed and 
> configured.  When I run
> /var/qmail/bin/qmail-popup slave-1.net /bin/checkpassword pwd 
> as a user, then enter a valid "user username" at +OK, then a valid "pass 
> password" at +OK prompt  I get an -ERR authorization failed.  If I perform the 
> same command with the same user and password as root, I get the proper 
> /home/$user directory.  Is it by design that only root can get the correct 
> response with checkpassword?

It is if you have shadowed passwords.

> Given the above, it would appear checkpassword is working properly (I 
> think).  However, when I try to pop my mail down I get an invalid password 
> response.  I am using a WinNT mail reader.  Does the mail reader have to 
> support ./Maildir if I am only POP'ing my mail down?

No, POP looks the same from the outside.  The client need not know
anything at all about Maildirs.

How do you start your POP server?

> I am running qmail 1.03 on x86 Red Hat 6.0.
> 
> Thanks.

Jim Lippard       [EMAIL PROTECTED]       http://www.discord.org/
Unsolicited bulk email charge:   $500/message.   Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8  43C8 7AD2 B485 DE75 841C
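The exchange above turns on how checkpassword is driven and why it behaves differently as root. What follows is an added illustration, not code from qmail or from DJB's checkpassword package: a Python model of the checkpassword interface (the NUL-separated username/password/timestamp block on descriptor 3, and the exit status qmail-popup turns into +OK or -ERR). The account table is constructed, and a salted SHA-256 stands in for crypt(3); what is faithful is the shape of the protocol and the shadow-password effect: a non-root caller only ever sees the "x" placeholder from /etc/passwd, so the comparison fails for every user, which is why the same command works as root.

```python
import hashlib
import hmac


def _hash(password, salt):
    """Constructed stand-in for crypt(3): 'salt$hex(sha256(salt+password))'."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account database.  /etc/passwd carries only the "x"
# placeholder when shadow passwords are in use; the real hash lives in
# /etc/shadow, which only root can read.
PASSWD = {"alice": "x", "bob": "x"}
SHADOW = {"alice": _hash("correct horse", "s1"), "bob": _hash("hunter2", "s2")}


def encode_fd3(username, password, timestamp=""):
    """Build the block qmail-popup writes to checkpassword on descriptor 3:
    username NUL password NUL timestamp NUL, at most 512 bytes."""
    for field in (username, password, timestamp):
        if "\0" in field:
            raise ValueError("fields may not contain NUL")
    block = f"{username}\0{password}\0{timestamp}\0".encode()
    if len(block) > 512:
        raise ValueError("checkpassword reads at most 512 bytes")
    return block


def decode_fd3(block):
    """Split a descriptor-3 block into (username, password, timestamp).
    Returns None for malformed input, which checkpassword reports as exit 2."""
    if len(block) > 512:
        return None
    parts = block.split(b"\0")
    if len(parts) < 4:          # three NUL-terminated fields are required
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts[:3])


def checkpassword(block, running_as_root):
    """Return the exit status checkpassword would give qmail-popup:
    0 = authenticated (it would then chdir to $HOME and exec qmail-pop3d),
    1 = bad user or password (-ERR authorization failed), 2 = misuse.

    getspnam() only succeeds for root; without it the stored string is the
    "x" placeholder from /etc/passwd, which no hash can equal, so every
    login fails as an ordinary user even with the right password."""
    creds = decode_fd3(block)
    if creds is None:
        return 2
    username, password, _timestamp = creds
    if username not in PASSWD:
        return 1                # real checkpassword also sleeps 1s here
    stored = PASSWD[username]
    if running_as_root:
        stored = SHADOW.get(username, stored)
    salt = stored.partition("$")[0]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 1
    return 0


if __name__ == "__main__":
    # Constructed timestamp in the shape qmail-popup supplies for APOP.
    block = encode_fd3("alice", "correct horse", "<123.456@mail.example>")
    print("as root:", checkpassword(block, running_as_root=True))   # 0
    print("as user:", checkpassword(block, running_as_root=False))  # 1
```

In a normal installation qmail-popup is started as root (for instance from tcpserver without -u/-g), so checkpassword can read the shadow file and only then changes to the user's uid and gid before running qmail-pop3d; the manual test as an ordinary user is the one case where the shadow lookup cannot succeed.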





Hello all,

I have an SMTP gateway in my DMZ running QMail 1.03, this gateway forwards
all email bound for our domain (i.e. foo.com) inside the private network
to an Exchange server (yah I know, however I had no choice in the matter,
damn outlook!). This process works fine for simple messages, plain text,
nothing special. However the moment a message is sent to us with an
attachment it takes anywhere from 2 hours to several days before we see it
in our servers. I have been trying to track down the problem with no luck.

These are things I know about the problem:
   Once the message is injected into QMail's queue it is forwarded
   immediately.
   To the best of my knowledge QMail is operating correctly (i.e.
   tcpserver)
   The MX record for the domain in question is set up correctly.
   The transmitting sites have recent DNS updates reflecting the correct
   MX record.
   There is no pattern to who or what will cause the duration of the
   delay (it varies even at the same site and is not dependent on file
   size)

Knowing all of this I want to say that it is somewhere outside of our
site, however, why would so many domains be affected?

I'm not quite sure where to go for further information regarding such a
problem, however I am continuously surfing... If anyone has experience with
such a problem, or insight into the cause and or solution I would be
greatly appreciative.

Thanks in advance,
Mike Moulton





Hello all

Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.

All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as
the MX record says).. but if I add haven.k12.pa.us to rcpthosts it should
not have mattered?

 9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
10980  ?  S    0:00 qmail-smtpd

The error was not e-mailed back, but displayed in a message box in both
Eudora Pro, Netscape 4.5 and Kmail.

I am now running without a rcpthosts file because that's the only way I
could get it to send mail.

Any suggestions?


Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]





What's the address the message was sent to? Send another message to the
list showing the logs of the failed message.

At 05:12 PM 9/8/99 , you wrote:
>Hello all
>
>Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
>his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
>domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.
>
>All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as
>the MX record says).. but if I add haven.k12.pa.us to rcpthosts it should
>not have mattered?
>
> 9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
>10980  ?  S    0:00 qmail-smtpd
>
>The error was not e-mailed back, but displayed in a message box in both
>Eudora Pro, Netscape 4.5 and Kmail.
>
>I am now running without a rcpthosts file because that's the only way I
>could get it to send mail.
>
>Any suggestions?
>
>
>Paul D. Farber II
>Farber Technology
>Ph. 570-628-5303
>Fax 570-628-5545
>[EMAIL PROTECTED]
>


______________________
NovaMetrix Development 
Robbie Walker, AMWL

P.O. Box 635 or        910-653-4006
106-B S. Main St       800-773-5647
Tabor City, NC 28463   910-653-2052 FAX






I could not send any messages OUT, not even to the same domain. 

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Robbie Walker wrote:

> What's the address the message was sent to? Send another message to the
> list showing the logs of the failed message.
> 
> At 05:12 PM 9/8/99 , you wrote:
> >Hello all
> >
> >Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
> >his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
> >domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.
> >
> >All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as
> >the MX record says).. but if I add haven.k12.pa.us to rcpthosts it should
> >not have mattered?
> >
> > 9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> >10980  ?  S    0:00 qmail-smtpd
> >
> >The error was not e-mailed back, but displayed in a message box in both
> >Eudora Pro, Netscape 4.5 and Kmail.
> >
> >I am now running without a rcpthosts file because that's the only way I
> >could get it to send mail.
> >
> >Any suggestions?
> >
> >
> >Paul D. Farber II
> >Farber Technology
> >Ph. 570-628-5303
> >Fax 570-628-5545
> >[EMAIL PROTECTED]
> >
> 
> 
> ______________________
> NovaMetrix Development 
> Robbie Walker, AMWL
> 
> P.O. Box 635 or        910-653-4006
> 106-B S. Main St       800-773-5647
> Tabor City, NC 28463   910-653-2052 FAX
> 
> 
> 





There were no log entries.  All messages were displayed on the screen
(netscape, eudora) and not e-mailed from the mailer daemon.

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Robbie Walker wrote:

> What's the address the message was sent to? Send another message to the
> list showing the logs of the failed message.
> 
> At 05:12 PM 9/8/99 , you wrote:
> >Hello all
> >
> >Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
> >his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
> >domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.
> >
> >All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as
> >the MX record says).. but if I add haven.k12.pa.us to rcpthosts it should
> >not have mattered?
> >
> > 9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> >10980  ?  S    0:00 qmail-smtpd
> >
> >The error was not e-mailed back, but displayed in a message box in both
> >Eudora Pro, Netscape 4.5 and Kmail.
> >
> >I am now running without a rcpthosts file because that's the only way I
> >could get it to send mail.
> >
> >Any suggestions?
> >
> >
> >Paul D. Farber II
> >Farber Technology
> >Ph. 570-628-5303
> >Fax 570-628-5545
> >[EMAIL PROTECTED]
> >
> 
> 
> ______________________
> NovaMetrix Development 
> Robbie Walker, AMWL
> 
> P.O. Box 635 or        910-653-4006
> 106-B S. Main St       800-773-5647
> Tabor City, NC 28463   910-653-2052 FAX
> 
> 
> 





On Wed, Sep 08, 1999 at 05:12:40PM -0400, Paul Farber wrote:
> Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
> his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
> domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.

There's no need to restart qmail-smtpd (and I assume you mean you restarted
tcpserver).

> All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as the
> MX record says).. but if I add haven.k12.pa.us to rcpthosts it should not
> have mattered?

What?

>  9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> 10980  ?  S    0:00 qmail-smtpd

You're not using the -x option in your tcpserver invocation, so you haven't
implemented selective relaying. If you want your customer to be able to use you
as a relay, you'll need to do this.

> The error was not e-mailed back, but displayed in a message box in both
> Eudora Pro, Netscape 4.5 and Kmail.
> 
> I am now running without a rcpthosts file because that's the only way I could
> get it to send mail.
> 
> Any suggestions?

Implement selective relaying, as outlined in
http://www.palomine.net/qmail/selectiverelay.html

Chris




I had a qmail-smtp file with the class 

209.173.3:allow,RELAYCLIENT=""

And then made the cdb file.  Still no go.

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Chris Johnson wrote:

> On Wed, Sep 08, 1999 at 05:12:40PM -0400, Paul Farber wrote:
> > Got a really goofy problem with qmail-1.02/RH 5.1.  I added a customer and
> > his /24 to my service.  Set up vmailmgr for virtual POP mail and added the
> > domain haven.k12.pa.us to the rcpthost file, restarted qmail-smtpd.
> 
> There's no need to restart qmail-smtpd (and I assume you mean you restarted
> tcpserver).
> 
> > All the MUA's were set up to use mail.f-tech.net (not haven.f-tech.net as the
> > MX record says).. but if I add haven.k12.pa.us to rcpthosts it should not
> > have mattered?
> 
> What?
> 
> >  9367  ?  S    0:00 tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> > 10980  ?  S    0:00 qmail-smtpd
> 
> You're not using the -x option in your tcpserver invocation, so you haven't
> implemented selective relaying. If you want your customer to be able to use you
> as a relay, you'll need to do this.
> 
> > The error was not e-mailed back, but displayed in a message box in both
> > Eudora Pro, Netscape 4.5 and Kmail.
> > 
> > I am now running without a rcpthosts file because that's the only way I could
> > get it to send mail.
> > 
> > Any suggestions?
> 
> Implement selective relaying, as outlined in
> http://www.palomine.net/qmail/selectiverelay.html
> 
> Chris
> 





On Wed, Sep 08, 1999 at 05:33:53PM -0400, Paul Farber wrote:
> I had a qmail-smtp file with the class 
> 
> 209.173.3:allow,RELAYCLIENT=""
> 
> And then made the cdb file.  Still no go.

It should be:

209.173.3.:allow,RELAYCLIENT=""

(Note the trailing ".")

But here's how you're starting tcpserver:

tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd

So you can put anything you like in your rules file, and it won't have any
effect whatsoever. You need to supply the rules file to tcpserver with the -x
option.

Chris




Actually the qmail-init script will check for the presence of
qmail-smtp.cdb then add the -x option.. I'll assume you are not using a
sysV based system.

As for the trailing ., I have one line with it and one with... works fine
either way.

Also, tcpserver will not reply with a 533 error... that's generated by
qmail.  tcpserver will simply not allow the connection.

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Chris Johnson wrote:

> On Wed, Sep 08, 1999 at 05:33:53PM -0400, Paul Farber wrote:
> > I had a qmail-smtp file with the class 
> > 
> > 209.173.3:allow,RELAYCLIENT=""
> > 
> > And then made the cdb file.  Still no go.
> 
> It should be:
> 
> 209.173.3.:allow,RELAYCLIENT=""
> 
> (Note the trailing ".")
> 
> But here's how you're starting tcpserver:
> 
> tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> 
> So you can put anything you like in your rules file, and it won't have any
> effect whatsoever. You need to supply the rules file to tcpserver with the -x
> option.
> 
> Chris
> 





On Wed, Sep 08, 1999 at 08:47:28PM -0400, Paul Farber wrote:
> Actually the qmail-init script will check for the presence of
> qmail-smtp.cdb then add the -x option.. I'll assume you are not using a
> sysV based system.

That has nothing to do with anything. You showed the output of ps, and
tcpserver was not started with -x, whatever your qmail-init script may do. So
the contents of any rules file you might have hanging around will not be
consulted.

> As for the trailing ., I have one line with it and one with... works fine
> either way.
> 
> Also, tcpserver will not reply with a 533 error... that's generated by
> qmail.  tcpserver will simply not allow the connection.

Huh? qmail-smtpd will give the rcpthosts error if RELAYCLIENT is not set in its
environment and the domain in the SMTP RCPT command isn't in rcpthosts. This is
what's happening in your case. Fix this and it'll stop happening.

Chris




well, first off, if you're running the script i'm thinking you are, it looks
for qmail-smtpd.cdb, not qmail-smtp.cdb.  note the trailing d on smtpd.
these are the scripts written by Mate Wierdl i believe, we use the same ones
here, and that's what they look for on our boxes.

secondly, as Chris already mentioned, the process output you showed us
clearly indicated that regardless of what's in your script, tcpserver is NOT
running with the -x option.  so you might want to try running it from the
command line to get the options right before you run it with a script.

also, the man page states that "10.1.2." (with a trailing dot) is the
appropriate wildcard syntax to match everything in net 10.1.2.0/24, but
"10.1.2" is not correct syntax for anything.  running tcprulescheck will
verify this.

the 533 error is undoubtedly related to one of the above reasons.  because
tcpserver is NOT running with -x, it has no cdb to look at, and therefore it
does not add the RELAYCLIENT variable to each instance of qmail-smtpd.  this
is giving you the relaying error.

fix your script/invocation of tcpserver and check your tcprules.

shag
=====
Judd Bourgeois        |   CNM Network      +1 (805) 520-7170
Software Architect    |   1900 Los Angeles Avenue, 2nd Floor
[EMAIL PROTECTED]   |   Simi Valley, CA 93065

Quidquid latine dictum sit, altum viditur.

----- Original Message -----
From: Paul Farber <[EMAIL PROTECTED]>
To: Chris Johnson <[EMAIL PROTECTED]>
Cc: qmail mailing list <[EMAIL PROTECTED]>
Sent: Wed 8 Sep 1999 17.47
Subject: Re: RCPTHOSTS and 533 "Not in rcpthosts"


> Actually the qmail-init script will check for the presence of
> qmail-smtp.cdb then add the -x option.. I'll assume you are not using a
> sysV based system.
>
> As for the trailing ., I have one line with it and one with... works fine
> either way.
>
> Also, tcpserver will not reply with a 533 error... that's generated by
> qmail.  tcpserver will simply not allow the connection.
>
> Paul D. Farber II
> Farber Technology
> Ph. 570-628-5303
> Fax 570-628-5545
> [EMAIL PROTECTED]
>
> On Wed, 8 Sep 1999, Chris Johnson wrote:
>
> > On Wed, Sep 08, 1999 at 05:33:53PM -0400, Paul Farber wrote:
> > > I had a qmail-smtp file with the class
> > >
> > > 209.173.3:allow,RELAYCLIENT=""
> > >
> > > And then made the cdb file.  Still no go.
> >
> > It should be:
> >
> > 209.173.3.:allow,RELAYCLIENT=""
> >
> > (Note the trailing ".")
> >
> > But here's how you're starting tcpserver:
> >
> > tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> >
> > So you can put anything you like in your rules file, and it won't have any
> > effect whatsoever. You need to supply the rules file to tcpserver with the -x
> > option.
> >
> > Chris
> >
>
>





I'm going through the qmail-smtp file now..... just my luck I probably
spelled something wrong.

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Chris Johnson wrote:

> On Wed, Sep 08, 1999 at 08:47:28PM -0400, Paul Farber wrote:
> > Actually the qmail-init script will check for the presence of
> > qmail-smtp.cdb then add the -x option.. I'll assume you are not using a
> > sysV based system.
> 
> That has nothing to do with anything. You showed the output of ps, and
> tcpserver was not started with -x, whatever your qmail-init script may do. So
> the contents of any rules file you might have hanging around will not be
> consulted.
> 
> > As for the trailing ., I have one line with it and one with... works fine
> > either way.
> > 
> > Also, tcpserver will not reply with a 533 error... that's generated by
> > qmail.  tcpserver will simply not allow the connection.
> 
> Huh? qmail-smtpd will give the rcpthosts error if RELAYCLIENT is not set in its
> environment and the domain in the SMTP RCPT command isn't in rcpthosts. This is
> what's happening in your case. Fix this and it'll stop happening.
> 
> Chris
> 





I know it's not running with the -x option.  I don't want it to now...
till I work my way back and layer on the relay controls.

I am gonna put rcpthosts back in place... then the qmail-smtp file... to
see where I get the failure.  I also know the d needs to be in there....
I'm just a somewhat poor typist.

Thanks for all the help.. still plugging away.

Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Racer X wrote:

> well, first off, if you're running the script i'm thinking you are, it looks
> for qmail-smtpd.cdb, not qmail-smtp.cdb.  note the trailing d on smtpd.
> these are the scripts written by Mate Wierdl i believe, we use the same ones
> here, and that's what they look for on our boxes.
> 
> secondly, as Chris already mentioned, the process output you showed us
> clearly indicated that regardless of what's in your script, tcpserver is NOT
> running with the -x option.  so you might want to try running it from the
> command line to get the options right before you run it with a script.
> 
> also, the man page states that "10.1.2." (with a trailing dot) is the
> appropriate wildcard syntax to match everything in net 10.1.2.0/24, but
> "10.1.2" is not correct syntax for anything.  running tcprulescheck will
> verify this.
> 
> the 533 error is undoubtedly related to one of the above reasons.  because
> tcpserver is NOT running with -x, it has no cdb to look at, and therefore it
> does not add the RELAYCLIENT variable to each instance of qmail-smtpd.  this
> is giving you the relaying error.
> 
> fix your script/invocation of tcpserver and check your tcprules.
> 
> shag
> =====
> Judd Bourgeois        |   CNM Network      +1 (805) 520-7170
> Software Architect    |   1900 Los Angeles Avenue, 2nd Floor
> [EMAIL PROTECTED]   |   Simi Valley, CA 93065
> 
> Quidquid latine dictum sit, altum viditur.
> 
> ----- Original Message -----
> From: Paul Farber <[EMAIL PROTECTED]>
> To: Chris Johnson <[EMAIL PROTECTED]>
> Cc: qmail mailing list <[EMAIL PROTECTED]>
> Sent: Wed 8 Sep 1999 17.47
> Subject: Re: RCPTHOSTS and 533 "Not in rcpthosts"
> 
> 
> > Actually the qmail-init script will check for the presence of
> > qmail-smtp.cdb then add the -x option.. I'll assume you are not using a
> > sysV based system.
> >
> > As for the trailing ., I have one line with it and one with... works fine
> > either way.
> >
> > Also, tcpserver will not reply with a 533 error... that's generated by
> > qmail.  tcpserver will simply not allow the connection.
> >
> > Paul D. Farber II
> > Farber Technology
> > Ph. 570-628-5303
> > Fax 570-628-5545
> > [EMAIL PROTECTED]
> >
> > On Wed, 8 Sep 1999, Chris Johnson wrote:
> >
> > > On Wed, Sep 08, 1999 at 05:33:53PM -0400, Paul Farber wrote:
> > > > I had a qmail-smtp file with the class
> > > >
> > > > 209.173.3:allow,RELAYCLIENT=""
> > > >
> > > > And then made the cdb file.  Still no go.
> > >
> > > It should be:
> > >
> > > 209.173.3.:allow,RELAYCLIENT=""
> > >
> > > (Note the trailing ".")
> > >
> > > But here's how you're starting tcpserver:
> > >
> > > tcpserver -v -H -R -c100 -u81 -g80 0 smtp qmail-smtpd
> > >
> > > So you can put anything you like in your rules file, and it won't have any
> > > effect whatsoever. You need to supply the rules file to tcpserver with the -x
> > > option.
> > >
> > > Chris
> > >
> >
> >
> 
> 





This is what I have now... just to make sure we are all on the same page:

Done from their router via telnet to my mail server:
their router ip is 209.173.3.254.. added to qmail-smtpd.cdb for this test

gateway.shsd.ptd.net>telnet 207.44.65.16 25
Trying 207.44.65.16, 25 ... Open
220 mail.f-tech.net ESMTP
helo dude
250 mail.f-tech.net
mail <[EMAIL PROTECTED]>
250 ok
rcpt <[EMAIL PROTECTED]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
 
config:

23893  ?  S    0:00 supervise /var/lock/qmail-smtpd tcpserver -v -H -R
-c100 -x /etc/tcprules.d/qmail-smtpd.cdb -u81 -g80 0 smtp qmail-smtpd

cat qmail-smtpd
207.44.65.:allow,RELAYCLIENT=""
146.145.48.133-159:allow,RELAYCLIENT=""
209.173.3.:allow,RELAYCLIENT=""
209.173.3.254:allow,RELAYCLIENT=""             
127.:allow,RELAYCLIENT=""
:allow

made by:
cat qmail-smtpd | tcprules qmail-smtpd.cdb qmail.tmp

cat /var/qmail/control/rcpthosts

localhost
f-tech.net
empirebeauty.com
schoeneman.com
goldwellofpa.com
salonconcepts.com
schuylkilldental.com
rollingmeadowsgolf.com
peace-inc.org
teddybearus.com
mail.f-tech.net
login.f-tech.net
admin.f-tech.net
jonesandcopccpa.com
biblicalstudies.com
kochslg.com
keystonedoors.com
dreams-n-romance.com
pritzauto.com
wickerpalace.com
benesch.f-tech.net
haven.k12.pa.us

Their domain is haven.k12.pa.us. 

Why is it dying and not allowing their domain/IP through????

Any advice where to look next?


Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]
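The configuration posted above exercises the two checks Chris and shag describe earlier in this thread: tcpserver's rule lookup, which is the only thing that puts RELAYCLIENT into qmail-smtpd's environment (and only when tcpserver runs with -x; a pattern without the trailing dot matches nothing), and qmail-smtpd's RCPT check against rcpthosts. The following model is an added example, not code from qmail or ucspi-tcp. The rules file is the one posted; POSTED_RCPTHOSTS is a four-entry excerpt of the posted list; the remote address 192.0.2.9 and the recipient domain example.net are constructed. Only IP-address rules are modelled (no =host entries), and tcpserver's lookup order is simplified to exact address, then shorter dotted prefixes, then the default entry.

```python
def _expand_range(pattern):
    """tcprules accepts a range on the last octet (146.145.48.133-159) and
    expands it into one cdb entry per address when compiling; do the same."""
    head, dot, last = pattern.rpartition(".")
    if dot and "-" in last:
        lo, _, hi = last.partition("-")
        return [f"{head}.{n}" for n in range(int(lo), int(hi) + 1)]
    return [pattern]


def parse_rules(text):
    """Parse tcprules source lines into {pattern: (action, env_dict)}.
    The first rule for a key wins, as in a cdb lookup."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, rest = line.partition(":")
        action, _, env_text = rest.partition(",")
        env = {}
        for item in filter(None, env_text.split(",")):
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        for key in _expand_range(pattern):
            rules.setdefault(key, (action, env))
    return rules


def lookup(rules, remote_ip):
    """Simplified tcpserver -x lookup: exact address, then a.b.c., a.b., a.,
    then the empty default; no match at all means allow with no environment."""
    octets = remote_ip.split(".")
    keys = [remote_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in keys:
        if key in rules:
            return rules[key]
    return ("allow", {})


def smtpd_environment(rules_text, remote_ip, with_x_option):
    """What qmail-smtpd inherits.  Without -x tcpserver never opens the cdb,
    so no rule can set RELAYCLIENT, however correct the file is."""
    if not with_x_option:
        return ("allow", {})
    return lookup(parse_rules(rules_text), remote_ip)


def rcpt_allowed(recipient, env, rcpthosts):
    """qmail-smtpd's decision for RCPT TO:<recipient>.
    RELAYCLIENT set: accept anything.  rcpthosts None (file absent): accept
    anything, i.e. an open relay.  Otherwise the domain must be listed,
    exactly or via a leading-dot entry such as .example.net (subdomains)."""
    if "RELAYCLIENT" in env or rcpthosts is None:
        return True
    _, at, domain = recipient.rpartition("@")
    if not at:
        return True                      # no domain part: local recipient
    domain = domain.lower()
    for entry in (e.strip().lower() for e in rcpthosts):
        if not entry:
            continue
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def rcpt_reply(rules_text, remote_ip, recipient, rcpthosts, with_x_option=True):
    """SMTP reply the model gives to RCPT TO:<recipient>; None means
    tcpserver denied the connection and no SMTP dialogue happened."""
    action, env = smtpd_environment(rules_text, remote_ip, with_x_option)
    if action == "deny":
        return None
    if rcpt_allowed(recipient, env, rcpthosts):
        return "250 ok"
    return "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


# Rules file as posted in the thread, and an excerpt of the posted rcpthosts.
POSTED_RULES = '''\
207.44.65.:allow,RELAYCLIENT=""
146.145.48.133-159:allow,RELAYCLIENT=""
209.173.3.:allow,RELAYCLIENT=""
209.173.3.254:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow
'''
POSTED_RCPTHOSTS = ["localhost", "f-tech.net", "mail.f-tech.net", "haven.k12.pa.us"]

if __name__ == "__main__":
    for ip, rcpt, x in [("209.173.3.254", "someone@example.net", True),
                        ("192.0.2.9", "someone@example.net", True),
                        ("192.0.2.9", "someone@haven.k12.pa.us", True),
                        ("209.173.3.254", "someone@example.net", False)]:
        print(ip, rcpt, "-x" if x else "no -x", "->",
              rcpt_reply(POSTED_RULES, ip, rcpt, POSTED_RCPTHOSTS, x))
```

Run against the posted rules, a connection from 209.173.3.254 gets RELAYCLIENT and every recipient is accepted, while the same rules loaded by a tcpserver started without -x give the 553 for any domain outside rcpthosts. A 553 from that address with -x in place therefore means the running tcpserver did not apply those rules to that connection: the cdb on disk differs from the source file, or the connection arrived from a different address. tcprulescheck against the cdb and tcpserver's -v connection log settle which.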






Follow up for all the qmail gods that are being kind enough to help out...

I can send mail to haven.k12.pa.us but not outside of f-tech.net, or
haven.k12.pa.us.

220 mail.f-tech.net ESMTP
helo dude
250 mail.f-tech.net
mail <[EMAIL PROTECTED]>
250 ok
rcpt <[EMAIL PROTECTED]>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
mail <[EMAIL PROTECTED]>
250 ok
rp
502 unimplemented (#5.5.1)
rcpt <[EMAIL PROTECTED]>
250 ok
data
354 go ahead
Subject test
test
.
250 ok 936843357 qp 27940
quit
221 mail.f-tech.net
 


Paul D. Farber II
Farber Technology
Ph. 570-628-5303
Fax 570-628-5545
[EMAIL PROTECTED]

On Wed, 8 Sep 1999, Paul Farber wrote:

> This is what I have now... just to make sure we are all on the same page:
> 
> Done from their router via telnet to my mail server:
> their router ip is 209.173.3.254.. added to qmail-smtpd.cdb for this test
> 
> gateway.shsd.ptd.net>telnet 207.44.65.16 25
> Trying 207.44.65.16, 25 ... Open
> 220 mail.f-tech.net ESMTP
> helo dude
> 250 mail.f-tech.net
> mail <[EMAIL PROTECTED]>
> 250 ok
> rcpt <[EMAIL PROTECTED]>
> 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>  
> config:
> 
> 23893  ?  S    0:00 supervise /var/lock/qmail-smtpd tcpserver -v -H -R
> -c100 -x /etc/tcprules.d/qmail-smtpd.cdb -u81 -g80 0 smtp qmail-smtpd
> 
> cat qmail-smtpd
> 207.44.65.:allow,RELAYCLIENT=""
> 146.145.48.133-159:allow,RELAYCLIENT=""
> 209.173.3.:allow,RELAYCLIENT=""
> 209.173.3.254:allow,RELAYCLIENT=""             
> 127.:allow,RELAYCLIENT=""
> :allow
> 
> made by:
> cat qmail-smtpd | tcprules qmail-smtpd.cdb qmail.tmp
> 
> cat /var/qmail/control/rcpthosts
> 
> localhost
> f-tech.net
> empirebeauty.com
> schoeneman.com
> goldwellofpa.com
> salonconcepts.com
> schuylkilldental.com
> rollingmeadowsgolf.com
> peace-inc.org
> teddybearus.com
> mail.f-tech.net
> login.f-tech.net
> admin.f-tech.net
> jonesandcopccpa.com
> biblicalstudies.com
> kochslg.com
> keystonedoors.com
> dreams-n-romance.com
> pritzauto.com
> wickerpalace.com
> benesch.f-tech.net
> haven.k12.pa.us
> 
> Their domain is haven.k12.pa.us. 
> 
> Why is it dying and not allowing their domain/IP through????
> 
> Any advice where to look next?
> 
> 
> Paul D. Farber II
> Farber Technology
> Ph. 570-628-5303
> Fax 570-628-5545
> [EMAIL PROTECTED]
> 
> 
> 





looks like one of two things - either the cdb is not what you think it is,
or you're not coming from the IP you think you are.  i'll assume the cdb is
okay, but use tcprulescheck and make sure it tells you that RELAYCLIENT is
set.

when you telnet in from gateway.shsd.ptd.net, are you sure you are really
coming from 209.173.3.254?  when i do a traceroute to 209.173.3.254 i end up
with this:

17  gateway-s0.haven.k12.pa.us (204.186.234.22)  91.351 ms *  84.715 ms

and that's the last hop.  strangely, i can't trace 204.186.234.22 directly
(no route to host).  is 209.173.3.254 a virtual interface maybe?  use
qmail-smtpd's logs on your mail server to check the connection and see where
your server thinks it's from.

shag
=====
Judd Bourgeois        |   CNM Network      +1 (805) 520-7170
Software Architect    |   1900 Los Angeles Avenue, 2nd Floor
[EMAIL PROTECTED]   |   Simi Valley, CA 93065

Quidquid latine dictum sit, altum viditur.

----- Original Message -----
From: Paul Farber <[EMAIL PROTECTED]>
To: Chris Johnson <[EMAIL PROTECTED]>
Cc: qmail mailing list <[EMAIL PROTECTED]>
Sent: Wed 8 Sep 1999 19.03
Subject: Re: RCPTHOSTS and 533 "Not in rcpthosts"


> This is what I have now... just to make sure we are all on the same page:
>
> Done from their router via telnet to my mail server:
> their router ip is 209.173.3.254.. added to qmail-smtpd.cdb for this test
>
> gateway.shsd.ptd.net>telnet 207.44.65.16 25
> Trying 207.44.65.16, 25 ... Open
> 220 mail.f-tech.net ESMTP
> helo dude
> 250 mail.f-tech.net
> mail <[EMAIL PROTECTED]>
> 250 ok
> rcpt <[EMAIL PROTECTED]>
> 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
>
> config:
>
> 23893  ?  S    0:00 supervise /var/lock/qmail-smtpd tcpserver -v -H -R
> -c100 -x /etc/tcprules.d/qmail-smtpd.cdb -u81 -g80 0 smtp qmail-smtpd
>
> cat qmail-smtpd
> 207.44.65.:allow,RELAYCLIENT=""
> 146.145.48.133-159:allow,RELAYCLIENT=""
> 209.173.3.:allow,RELAYCLIENT=""
> 209.173.3.254:allow,RELAYCLIENT=""
> 127.:allow,RELAYCLIENT=""
> :allow
>
> made by:
> cat qmail-smtpd | tcprules qmail-smtpd.cdb qmail.tmp
>
> cat /var/qmail/control/rcpthosts
>
> localhost
> f-tech.net
> empirebeauty.com
> schoeneman.com
> goldwellofpa.com
> salonconcepts.com
> schuylkilldental.com
> rollingmeadowsgolf.com
> peace-inc.org
> teddybearus.com
> mail.f-tech.net
> login.f-tech.net
> admin.f-tech.net
> jonesandcopccpa.com
> biblicalstudies.com
> kochslg.com
> keystonedoors.com
> dreams-n-romance.com
> pritzauto.com
> wickerpalace.com
> benesch.f-tech.net
> haven.k12.pa.us
>
> Their domain is haven.k12.pa.us.
>
> Why is it dying and not allowing their domain/IP through????
>
> Any advice where to look next?
>
>
> Paul D. Farber II
> Farber Technology
> Ph. 570-628-5303
> Fax 570-628-5545
> [EMAIL PROTECTED]
>
>
>





On Wed, Sep 08, 1999 at 03:48:39AM -0400, Ilya Krel wrote:
> Is something hotmail-like possible for QMail? are there programs which allow
> it?
Hello Ilya,
if you deliver to Mailbox format and imap, imp (www.horde.org) might be a
good starting point. Easy to set up.

Regards
Mirko




 I am using qmail 1.03 and think I have it working properly. <Here it Comes>
But I am having a problem getting my procmail filters to work right. Here is
my rc file for qmail:

   #!/bin/sh

   # Using dot-forward to support sendmail-style ~/.forward files.
   # Using qmail-local to deliver messages to ~/Mailbox by default.

   exec env - PATH="/var/qmail/bin:$PATH" \
   qmail-start '|dot-forward .forward
   ./Mailbox' accustamp

I have a .forward file for my procmail filters <spam>

   "|/usr/local/bin/procmail .jfrc"

Here is the error I am getting in my procmail log:

   procmail: Lock failure on "/var/mail/insane.lock"

Can someone please help.

TIA
-- 
-------------------------------------------------------------------
Ron Rosson                      ... and a UNIX user said ...
The InSaNe One                             rm -rf *
[EMAIL PROTECTED]            and all was null and void
-------------------------------------------------------------------
       Don't bother me i'm living happily ever after.




Hi all,

        Is there any way to customize a default global bouncing 
text in case that the recipient does not exist?   Can the
'bouncesaying' do this? 


Thanks

Hans





On Thu, Sep 09, 1999 at 11:27:29AM +0800, Hans Wong wrote:

> Hi all,
> 
>       Is there any way to customize a default global bouncing 
> text in case that the recipient does not exist?   Can the
> 'bouncesaying' do this? 

in ~alias/.qmail-default, put:

|bouncesaying 'Your customised message'

-- 
See complete headers for more info




Hi,

        Thanks Anand.

        But this only modifies the bounce reason (per recipient),  
not the default text of the bounce, as shown below.  Is there any
way to modify the text 'Hi. This is the qmail-send ....'
without modifying the qmail-send.c source code?

Thanks


------>>>>><<<<<<---------------
Hi. This is the qmail-send program at host.domain.com.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
This is the customized bounced message

--- Below this line is a copy of the message.
..
..                                             
------->>>>>><<<<<<<<<------------


On Thu, 9 Sep 1999, Anand Buddhdev wrote:

> Date: Thu, 9 Sep 1999 09:20:54 +0300
> From: Anand Buddhdev <[EMAIL PROTECTED]>
> To: Hans Wong <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Customized Bounce Message ?
> 
> On Thu, Sep 09, 1999 at 11:27:29AM +0800, Hans Wong wrote:
> 
> > Hi all,
> > 
> >     Is there any way to customize a default global bouncing 
> > text in case that the recipient does not exist?   Can the
> > 'bouncesaying' do this? 
> 
> in ~alias/.qmail-default, put:
> 
> |bouncesaying 'Your customised message'
> 
> -- 
> See complete headers for more info
> 






On Thu, Sep 09, 1999 at 02:30:23PM +0800, Hans Wong wrote:

> Hi,
> 
>       Thanks Anand.
> 
>       But this only modifies the bounce reason (per recipient),  
> not the default text of the bounce, as shown below.  Is there any
> way to modify the text 'Hi. This is the qmail-send ....'
> without modifying the qmail-send.c source code?

No. You have to modify the source code, although the code change is
simple.

-- 
See complete headers for more info




Are there any other concerns I need to worry about once qmail is
installed?  I'm working on getting QmailAdmin
(http://www.inter7.com/qmailadmin/) to work, will this take care of most
of my setting up new users, etc.?  Otherwise, will I have to create a
"Mailbox" file in each user's account each time I create a new user?

What about system-wide mail handling.. for example, I can't seem to get
"logcheck" to work now, whereas I was able to get mail from it before when
I was using sendmail.  Thanks for any help.

james





James wrote:
> 
> Are there any other concerns I need to worry about once qmail is
> installed?  I'm working on getting QmailAdmin
> (http://www.inter7.com/qmailadmin/) to work, will this take care of most
> of my setting up new users, etc.?  

It works in a limited sense. And you should understand the limitations
qmailadmin has before you try to run a production system. It works
only with virtual domains created under the vpopmail package. 
http://www.inter7.com/vpopmail/

It does have limited support for setting:
1) default maildir
2) single uid/gid
3) single forward or alias
4) autoresponder
5) basic ezmlm

> Otherwise, will I have to create a
> "Mailbox" file in each user's account each time I create a new user?

Your question and suggested solution hint that you do not yet understand
how to set up qmail. Please read more of the documentation.

If you wish to have on line conversations with qmail people join
irc efnet #qmail channel. If you do not know what this means you
should read about irc. Linux users can use xchat. (sorry, newbie rant)

> What about system-wide mail handling.. for example, I can't seem to get
> "logcheck" to work now, whereas I was able to get mail from it before when
> I was using sendmail.  Thanks for any help.

If you want any real problem solving help you need to specify more than
"I can't get logcheck to work".

Always say your operating system, version. qmail version, and versions
of all the software that is in question. blah blah.

Hang in there. Learning is fun :)

Ken

> 
> james

