Tonino,

Thanks for the detailed information.

I just wanted a final clarification.

I require chkuser for SMTP authentication purposes only on port 587 for my 
customers who need unrestricted email sending with authentication.

I have compiled a separate cdb file called tcp.smtp.587.cdb exclusively for 
port 587.

In my chkuser_settings.h I have uncommented the following and recompiled qmailtoaster:

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

So in my tcp.smtp, if I set

CHKUSER_START="NONE"

it should allow my customers to authenticate and send out emails without any 
chkuser checks other than SMTP authentication, right?

thanks,
rajesh



will that disable all other aspects for


----- Original Message -----
From: Tonix - Antonio Nati [mailto:to...@interazioni.it]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 19 Sep 2017 09:23:01 +0200
Subject:

Eric,

it looks like I told and wrote wrong instructions (and I remembered
wrong sequences in last reply).

Let's say there is a potential bug in the application, which I'm seeing
only now, after years. It is not really a code bug. It is that I wrote
something in the code and something different in documentation.

Logic (in version 2.0.9 of chkuser code) says:

 1. if CHKUSER_ALWAYS_ON is declared, chkuser is always ON:
    starting_value = 1 (this option is not compatible in compilation
    with CHKUSER_STARTING_VARIABLE; only one of them may be defined).
 2. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
    declared chkuser works on domain base (starting_value = 0)
 3. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is declared
    and NOT assigned, chkuser is disabled (starting_value = -1)
 4. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
    ALWAYS, chkuser is always ON (starting_value = 1)
 5. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
    DOMAIN, chkuser works on domains base (starting_value = 0)
 6. if CHKUSER_STARTING_VARIABLE is declared and assigned with values
    different from ALWAYS and DOMAIN, chkuser works on domains base
    (starting_value = 0)
 7. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
    declared chkuser works on domains base (starting_value = 0)

So, the real default is chkuser working on domains base. Other options
lead to different behaviours. If you want to disable it, you must
declare a variable and not assign it (not assigning it is different from
assigning "" or an empty value).

For a better code and a better usage, it should be (in red the code I
added):

    <code>

    +#if defined CHKUSER_STARTING_VARIABLE
    +        starting_string = env_get (CHKUSER_STARTING_VARIABLE);
    +        if (starting_string) {
    +                if (strcasecmp(starting_string, "ALWAYS") == 0) {
    +                        starting_value = 1;
    +                } else if (strcasecmp(starting_string, "DOMAIN") ==
    0) {
    +                        starting_value = 0;
    +                } else if (strcasecmp(starting_string, "NONE") == 0) {
    +                        starting_value = -1;
    +                }
    +        } else {
    +                starting_string = "";
    +                starting_value = -1;
    +        }
    +#endif

    </code>
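
Review bot: the if/else chain inside "if (starting_string)" has no final else, so a value that is set but is not ALWAYS, DOMAIN or NONE (an empty string, a typo) leaves starting_value at whatever it held before this block, and that initial value is not visible in these lines. The accompanying text says any other value should enable chkuser on a domain basis, so make that explicit with a closing "else { starting_value = 0; }" instead of relying on the initialiser. A short comment on the outer else would also help, stating that an unset variable yields -1 and therefore disables chkuser for any tcp.smtp rule or run file that omits it.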

In such a case the value "NONE" and the absence of a variable assignment would
disable chkuser. ALWAYS would enable it forever, any other value would enable it
on domain base.

Sorry, and thanks for forcing me to read again the code.

Tonino
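
The tcp.smtp rule quoted further down in this thread, evaluated against the 2.0.9 logic listed above, as an added example that is not chkuser code and not from any poster. `chkuser_mode_209` is a hypothetical helper; it assumes the build defines CHKUSER_STARTING_VARIABLE as "CHKUSER_START", that the run file does not export the variable itself, and that starting_value starts at 0 (inferred from item 6 of the list).

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Effective chkuser starting_value for one tcp.smtp rule under the 2.0.9
 * logic listed in the message above:
 *   -1 = disabled, 0 = per-domain, 1 = always on.
 * Assumption: starting_value is 0 before the variable is read. */
int chkuser_mode_209(const char *rule)
{
    static const char key[] = ",CHKUSER_START=";
    const char *p = strstr(rule, key);
    char value[64];
    size_t n = 0;

    if (!p)
        return -1;              /* variable absent: env_get() returns NULL */
    p += sizeof key - 1;
    if (*p) {                   /* tcprules: first char is the delimiter */
        char delim = *p++;
        while (*p && *p != delim && n < sizeof value - 1)
            value[n++] = *p++;
    }
    value[n] = '\0';
    if (strcasecmp(value, "ALWAYS") == 0)
        return 1;
    return 0;                   /* DOMAIN, NONE, "" and typos all land here */
}

int main(void)
{
    /* Constructed sample rules; the first is the one quoted in the thread. */
    const char *rules[] = {
        ":allow,BADMIMETYPE=\"\",BADLOADERTYPE=\"M\",CHKUSER_START=\"NONE\"",
        ":allow,CHKUSER_START=\"\"",
        ":allow,CHKUSER_START=\"always\"",
        ":allow,BADMIMETYPE=\"\"",
    };
    static const char *names[] = { "disabled", "per-domain", "always on" };

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%-66s -> %s\n", rules[i],
               names[chkuser_mode_209(rules[i]) + 1]);
    return 0;
}
```

Under these assumptions only the rule that omits CHKUSER_START reports "disabled"; the rule with "NONE" reports "per-domain".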


> Hi Tonino,
>
> When CHKUSER_START is set, or not set, the ensuing logic of chkuser
> keys on the value of 'starting_value', correct?
>
> 1) CHKUSER_START="NONE" (starting_value=1)
> 2) CHKUSER_START="ANYTHING ELSE" (starting_value=1)
> 3) CHKUSER_START="" (starting_value=0)
> 4) unset -v CHKUSER_START (starting_value=-1) *A situation where 
> CHKUSER_START is not even specified in either the smtpd run file or 
> tcp.smtp.
>
> In the code the logic falls out in a different manner for -1, 0, or 1.
>
> So wouldn't CHKUSER_START="NONE" (starting_value=1) fall out differently than 
> CHKUSER_START="" (starting_value=0) or CHKUSER_START not specified 
> (starting_value=-1)?
>
> Eric
>
>
>
> On 9/18/2017 1:58 PM, Tonix - Antonio Nati wrote:
>> Eric,
>>
>> you are right. I wrote "NONE" instead of "everything different from
>> ALWAYS or DOMAIN" in order to simplify things, but the concept is
>> clear: every value different from DOMAIN or ALWAYS will disable chkuser.
>>
>> Note: everything is disabled except the
>> *CHKUSER_EXTRA_MUSTAUTH_VARIABLE* functionality.
>>
>> Regards,
>>
>> Tonino
>>
>> On 18/09/2017 21:51, Eric Broch wrote:
>>>
>>> Rajesh,
>>>
>>> I apologize for the responses that have not been helpful. After
>>> looking at the settings (below) from here
>>> <http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html>
>>> and going through the code, I'm convinced that the "NONE" option
>>> will not be helpful or do what you expect or what the documentation
>>> even states (Tonix, please review):
>>>
>>> <settings>
>>>
>>> CHKUSER_STARTING_VARIABLE 2.0.5 commented "CHKUSER_START"
>>> Sets the variable that must be read, at qmail-smtpd start, in order
>>> to understand how to use chkuser for any domain. The variable must
>>> be filled with the following values:
>>>
>>>     NONE = chkuser will not work
>>>     ALWAYS = chkuser will work always
>>>     DOMAIN = chkuser will work depending on single domain settings
>>>
>>> Any other value, or a missing value, will disable chkuser.
>>> Incompatible with CHKUSER_ALWAYS_ON since 2.0.9
>>>
>>> </settings>
>>>
>>> Since you've already defined 'CHKUSER_STARTING_VARIABLE' at compile
>>> time in chkuser_settings.h, I think simply leaving the variable
>>> CHKUSER_START (null) out of both the run file and the tcp.smtp file
>>> you will get what you've been expecting (stop and start qmail of
>>> course). The settings section indicates this as well:
>>> "Any other value, or a missing value, will disable chkuser."
>>> In fact, in my study of the code, I don't think the NONE option does
>>> anything. If Tonix is looking at this thread maybe he could help
>>> *fingers crossed*.
>>>
>>> Please let me know how it goes.
>>>
>>> Eric
>>>
>>> On 9/18/2017 12:33 PM, Eric Broch wrote:
>>>>
>>>> Rajesh,
>>>>
>>>> Can you set this in /var/qmail/supervise/smtp/run
>>>>
>>>> CHKUSER_START="NONE"
>>>> export CHKUSER_START
>>>>
>>>> exec
>>>> /usr/bin/softlimit....................................................................................
>>>>
>>>>
>>>>
>>>> On 9/18/2017 12:10 PM, Eric Broch wrote:
>>>>>
>>>>> Sorry, my mistake, Rajesh,
>>>>>
>>>>> #define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
>>>>>
>>>>> sets CHKUSER_STARTING_VARIABLE to CHKUSER_START
>>>>>
>>>>>
>>>>> On 9/18/2017 11:53 AM, Eric Broch wrote:
>>>>>>
>>>>>> Rajesh,
>>>>>>
>>>>>> In the code there is no check for 'CHKUSER_START' but there is
>>>>>> for 'CHKUSER_STARTING_VARIABLE'. So, in tcp.smtp use
>>>>>> 'CHKUSER_STARTING_VARIABLE' like so:
>>>>>>
>>>>>> CHKUSER_STARTING_VARIABLE="NONE"
>>>>>>
>>>>>> then stop and start qmail.
>>>>>>
>>>>>> Here's the code and the environment variable chkuser checks:
>>>>>>
>>>>>> <code>
>>>>>>
>>>>>> starting_string = env_get (CHKUSER_STARTING_VARIABLE);
>>>>>>         if (starting_string) {
>>>>>>                 if (strcasecmp(starting_string, "ALWAYS") == 0) {
>>>>>>                         starting_value = 1;
>>>>>>                 } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
>>>>>>                         starting_value = 0;
>>>>>>                 }
>>>>>>         } else {
>>>>>>                 starting_string = "";
>>>>>>                 starting_value = -1;
>>>>>>         }
>>>>>>
>>>>>> </code>
>>>>>>
>>>>>> Eric
>>>>>>
>>>>>> On 9/18/2017 11:38 AM, Eric Broch wrote:
>>>>>>> Sorry to ask this, but did you restart qmail after the change?
>>>>>>>
>>>>>>> On 9/18/2017 8:52 AM, Rajesh M wrote:
>>>>>>>> hi eric
>>>>>>>>
>>>>>>>> I wished to disable the chkuser MX check, format check etc., and turn off 
>>>>>>>> chkuser using CHKUSER_START="NONE"
>>>>>>>>
>>>>>>>> the default installation of qmail always keeps chkuser on with no 
>>>>>>>> control,
>>>>>>>> so I rebuilt chkuser from source
>>>>>>>>
>>>>>>>> CHANGES FOR CHK USER
>>>>>>>> EXTRA SOURCE FROM RPM
>>>>>>>> rpm -Uvh qmail-1.03-1.qt.src.rpm
>>>>>>>> nano /root/rpmbuild/SPECS/qmail.spec
>>>>>>>> put a sleep in this for 120 seconds
>>>>>>>>
>>>>>>>> open 2nd window of ssh
>>>>>>>> service qmail stop
>>>>>>>>
>>>>>>>> in first window run
>>>>>>>> rpmbuild -bb --define "dist .qt.el6" qmail.spec
>>>>>>>> the process will now halt for 180 seconds, which gives us time to 
>>>>>>>> modify chkuser_settings.h settings
>>>>>>>>
>>>>>>>> in second window go to
>>>>>>>> cd /root/rpmbuild/BUILD/qmail-1.03
>>>>>>>> nano chkuser_settings.h
>>>>>>>>
>>>>>>>> UNCOMMENT THIS
>>>>>>>> #define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
>>>>>>>>
>>>>>>>> comment out the following
>>>>>>>> /* #define CHKUSER_RCPT_MX */
>>>>>>>> /* #define CHKUSER_ENABLE_USERS_EXTENSIONS */
>>>>>>>> /* #define CHKUSER_USERS_DASH '-' */
>>>>>>>>
>>>>>>>>
>>>>>>>> now the problem is that even if I set CHKUSER_START="NONE" i get errors
>>>>>>>>
>>>>>>>> here is my tcp.smtp file for submission port (i use separate tcp.smtp 
>>>>>>>> files for 25 and 587)
>>>>>>>>
>>>>>>>> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_START="NONE"
>>>>>>>>
>>>>>>>> i still get errors as such
>>>>>>>>
>>>>>>>> 2017-09-18 11:48:08.810159500 CHKUSER rejected rcpt: 
>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>  remote 
>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt<slncubm...@domain1.com>  : max 
>>>>>>>> number of recipients
>>>>>>>> 2017-09-18 11:48:09.894092500 CHKUSER rejected intrusion: 
>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>  remote 
>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt <sreecharanbank@domain2> : rcpt 
>>>>>>>> ignored, session over intrusion threshold
>>>>>>>> 2017-09-18 11:48:11.226284500 CHKUSER rejected intrusion: 
>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:>  remote 
>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt<sreekumarga...@gmail.com>  : 
>>>>>>>> rcpt ignored, session over intrusion threshold
>>>>>>>>
>>>>>>>> help required please
>>>>>>>>
>>>>>>>> rajesh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>>> For additional commands, e-mail:qmailtoaster-list-h...@qmailtoaster.com
>>>>>>>
>>>>>>> --
>>>>>>> Eric Broch
>>>>>>> White Horse Technical Consulting (WHTC)
>>
>>
>> --
>> ------------------------------------------------------------
>>          Inter@zioni            Interazioni di Antonio Nati
>>     http://www.interazioni.it       to...@interazioni.it
>> ------------------------------------------------------------


--
------------------------------------------------------------
         Inter@zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      to...@interazioni.it
------------------------------------------------------------

