tonino, eric thanks for your help
it looks like setting #define CHKUSER_STARTING_VARIABLE "CHKUSER_START" and CHKUSER_START="NONE" compels authentication but will not check for other aspects like valid mx, recipient/sender format etc.

tcp.smtp (tcp.smtp.587.cdb in my case) needs to be recompiled and qmail has to be restarted.

rajesh

----- Original Message -----
From: Tonix - Antonio Nati [mailto:to...@interazioni.it]
To: qmailtoaster-list@qmailtoaster.com
Sent: Tue, 19 Sep 2017 11:57:19 +0200
Subject:

Rajesh,

I don't know which version of chkuser is included in qmailtoaster. Behaviour has changed sometimes. I always tried to keep configurations stable, but sometimes evolutions lead to a change.

So, which is the version in qmailtoaster?

About forcing to authenticate, you need the *CHKUSER_EXTRA_MUSTAUTH_VARIABLE* feature, but it exists from 2.0.9.

Check documentation in http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html.

Regards,

Tonino

On 19/09/2017 11:39, Rajesh M wrote:
> Tonino,
>
> thanks for the detailed information
>
> just wanted a final clarification
>
> i require chkuser for smtp authentication purpose only on port 587 for my
> customers who need unrestricted email sending with authentication.
>
> I have compiled a separate cdb file called tcp.smtp.587.cdb exclusively for
> port 587.
>
> in my chkuser_settings.h i have uncommented and recompiled qmailtoaster
>
> #define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
>
> so in my tcp.smtp, if i set
>
> CHKUSER_START="NONE"
>
> it should allow my customers to authenticate and send out emails without any
> chkuser checks other than smtp authentication, right ?
>
> thanks,
> rajesh
>
> will that disable all other aspects for
>
> ----- Original Message -----
> From: Tonix - Antonio Nati [mailto:to...@interazioni.it]
> To: qmailtoaster-list@qmailtoaster.com
> Sent: Tue, 19 Sep 2017 09:23:01 +0200
> Subject:
>
> Eric,
>
> it looks like I told and wrote wrong instructions (and I remembered
> wrong sequences in last reply).
>
> Let's say there is a potential bug in the application, which I'm seeing
> only now, after years. It is not really a code bug. It is that I wrote
> something in the code and something different in documentation.
>
> Logic (in version 2.0.9 of chkuser code) says:
>
> 1. if CHKUSER_ALWAYS_ON is declared, chkuser is always ON:
>    starting_value = 1 (this option is not compatible in compilation
>    with CHKUSER_STARTING_VARIABLE; only one of them may be defined).
> 2. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
>    declared chkuser works on domain base (starting_value = 0)
> 3. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is declared
>    and NOT assigned, chkuser is disabled (starting_value = -1)
> 4. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
>    ALWAYS, chkuser is always ON (starting_value = 1)
> 5. if CHKUSER_STARTING_VARIABLE is declared and assigned AND equal to
>    DOMAIN, chkuser works on domains base (starting_value = 0)
> 6. if CHKUSER_STARTING_VARIABLE is declared and assigned with values
>    different from ALWAYS and DOMAIN, chkuser works on domains bases
>    (starting_value = 0)
> 7. if CHKUSER_STARTING_VARIABLE (by default CHKUSER_START) is NOT
>    declared chkuser works on domains base (starting_value = 0)
>
> So, the real default is chkuser working on domains base. Other options
> lead to different behaviours. If you want to disable it, you must
> declare a variable and not assign it (not assign it is different than
> assigning "" or empty value).
>
> For a better code and a better usage, it should be (in red the code I
> added):
>
> <code>
>
> +#if defined CHKUSER_STARTING_VARIABLE > + starting_string = env_get (CHKUSER_STARTING_VARIABLE); > + if (starting_string) { > + if (strcasecmp(starting_string, "ALWAYS") == 0) { > + starting_value = 1; > + } else if (strcasecmp(starting_string, "DOMAIN") == > 0) { > + starting_value = 0; > + } else if (strcasecmp(starting_string, "NONE") == 0) { > + starting_value = -1; > + } > + } else { > + starting_string = ""; > + starting_value = -1; > + } > +#endif
>
> </code>
>
> In such a case value "NONE" and absence of variable assign would disable
> chkuser. ALWAYS would enable it forever, any other value would enable it
> on domain base.
>
> Sorry, and thanks for forcing me to read again the code.
>
> Tonino
>
>
>> Hi Tonino,
>>
>> When CHKUSER_START is set, or not set, the ensuing logic of chkuser
>> keys on the value of 'starting_value', correct?
>>
>> 1) CHKUSER_START="NONE" (starting_value=1)
>> 2) CHKUSER_START="ANYTHING ELSE" (starting_value=1)
>> 3) CHKUSER_START="" (starting_value=0)
>> 4) unset -v CHKUSER_START (starting_value=-1) *A situation where
>> CHKUSER_START is not even specified in either the smtpd run file or
>> tcp.smtp.
>>
>> In the code the logic falls out in a different manner for -1, 0, or 1.
>>
>> So wouldn't CHKUSER_START="NONE" (starting_value=1) fall out differently
>> than CHKUSER_START="" (starting_value=0) or CHKUSER_START not specified
>> (starting_value=-1)?
>>
>> Eric
>>
>> On 9/18/2017 1:58 PM, Tonix - Antonio Nati wrote:
>>> Eric,
>>>
>>> you are right. I wrote "NONE" instead of "everything different from
>>> ALWAYS or DOMAIN" in order to simplify things, but the concept is
>>> clear: every value different from DOMAIN or ALWAYS will disable chkuser.
>>>
>>> Note: everything is disabled except the
>>> *CHKUSER_EXTRA_MUSTAUTH_VARIABLE* functionality.
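Review bot: the `if (starting_string)` chain in the quoted `+#if defined CHKUSER_STARTING_VARIABLE` block has no final `else`, so a value other than ALWAYS, DOMAIN or NONE (an empty string or a misspelled NONE, for instance) leaves starting_value at whatever it held before this block, and that initializer is not shown in the hunk. The message says such values should mean domain base, so an explicit `} else { starting_value = 0; }` after the "NONE" branch would make that outcome visible in the code itself. A short comment on the outer `else` stating that an unset variable disables chkuser (starting_value = -1) would also keep the code and the documentation from drifting apart again.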
>>>
>>> Regards,
>>>
>>> Tonino
>>>
>>> On 18/09/2017 21:51, Eric Broch wrote:
>>>> Rajesh,
>>>>
>>>> I apologize for the responses that have not been helpful. After
>>>> looking at the settings (below) from here
>>>> <http://opensource.interazioni.it/qmail/chkuser/documentation/chkuser_settings.html>
>>>> and going through the code, I'm convinced that the "NONE" option
>>>> will not be helpful or do what you expect or what the documentation
>>>> even states (Tonix, please review):
>>>>
>>>> <settings>
>>>>
>>>> CHKUSER_STARTING_VARIABLE 2.0.5 commented "CHKUSER_START"
>>>> Sets the variable that must be read, at qmail-smtpd start, in order
>>>> to understand how to use chkuser for any domain. The variable must
>>>> be filled with the following values:
>>>>
>>>> NONE = chkuser will not work
>>>> ALWAYS = chkuser will work always
>>>> DOMAIN = chkuser will work depending on single domain settings
>>>>
>>>> Any other value, or a missing value, will disable chkuser.
>>>> Incompatible with CHKUSER_ALWAYS_ON since 2.0.9
>>>>
>>>> </settings>
>>>>
>>>> Since you've already defined 'CHKUSER_STARTING_VARIABLE' at compile
>>>> time in chkuser_settings.h, I think simply leaving the variable
>>>> CHKUSER_START (null) out of both the run file and the tcp.smtp file
>>>> you will get what you've been expecting (stop and start qmail of
>>>> course). The settings section indicates this as well:
>>>> "Any other value, or a missing value, will disable chkuser."
>>>> In fact, in my study of the code, I don't think the NONE option does
>>>> anything. If Tonix is looking at this thread maybe he could help
>>>> *fingers crossed*.
>>>>
>>>> Please let me know how it goes.
>>>>
>>>> Eric
>>>>
>>>> On 9/18/2017 12:33 PM, Eric Broch wrote:
>>>>> Rajesh,
>>>>>
>>>>> Can you set this in /var/qmail/supervise/smtp/run
>>>>>
>>>>> CHKUSER_START="NONE"
>>>>> export CHKUSER_START
>>>>>
>>>>> exec
>>>>> /usr/bin/softlimit....................................................................................
>>>>>
>>>>> On 9/18/2017 12:10 PM, Eric Broch wrote:
>>>>>> Sorry, my mistake, Rajesh,
>>>>>>
>>>>>> #define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
>>>>>>
>>>>>> sets CHKUSER_STARTING_VARIABLE to CHKUSER_START
>>>>>>
>>>>>> On 9/18/2017 11:53 AM, Eric Broch wrote:
>>>>>>> Rajesh,
>>>>>>>
>>>>>>> In the code there is no check for 'CHKUSER_START' but there is
>>>>>>> for 'CHKUSER_STARTING_VARIABLE'. So, in tcp.smtp use
>>>>>>> 'CHKUSER_STARTING_VARIABLE' like so:
>>>>>>>
>>>>>>> CHKUSER_STARTING_VARIABLE="NONE"
>>>>>>>
>>>>>>> then stop and start qmail.
>>>>>>>
>>>>>>> Here's the code and the environment variable chkuser checks:
>>>>>>>
>>>>>>> <code>
>>>>>>>
>>>>>>> starting_string = env_get (CHKUSER_STARTING_VARIABLE);
>>>>>>> if (starting_string) {
>>>>>>>     if (strcasecmp(starting_string, "ALWAYS") == 0) {
>>>>>>>         starting_value = 1;
>>>>>>>     } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
>>>>>>>         starting_value = 0;
>>>>>>>     }
>>>>>>> } else {
>>>>>>>     starting_string = "";
>>>>>>>     starting_value = -1;
>>>>>>> }
>>>>>>>
>>>>>>> </code>
>>>>>>>
>>>>>>> Eric
>>>>>>>
>>>>>>> On 9/18/2017 11:38 AM, Eric Broch wrote:
>>>>>>>> Sorry to ask this, but did you restart qmail after the change?
>>>>>>>>
>>>>>>>> On 9/18/2017 8:52 AM, Rajesh M wrote:
>>>>>>>>> hi eric
>>>>>>>>>
>>>>>>>>> i wished to disable chkuser mx check, format check etc ..
>>>>>>>>> and turn off
>>>>>>>>> chkuser using CHKUSER_START="NONE"
>>>>>>>>>
>>>>>>>>> the default installation of qmail always keeps chkuser on with no
>>>>>>>>> control
>>>>>>>>> so i rebuild chkuser from source
>>>>>>>>>
>>>>>>>>> CHANGES FOR CHK USER
>>>>>>>>> EXTRA SOURCE FROM RPM
>>>>>>>>> rpm -Uvh qmail-1.03-1.qt.src.rpm
>>>>>>>>> nano /root/rpmbuild/SPECS/qmail.spec
>>>>>>>>> put a sleep in this for 120 seconds
>>>>>>>>>
>>>>>>>>> open 2nd window of ssh
>>>>>>>>> service qmail stop
>>>>>>>>>
>>>>>>>>> in first window run
>>>>>>>>> rpmbuild -bb --define "dist .qt.el6" qmail.spec
>>>>>>>>> the process will now halt for 180 seconds which gives us time to
>>>>>>>>> modify chkuser_settings.h settings
>>>>>>>>>
>>>>>>>>> in second window go to
>>>>>>>>> cd /root/rpmbuild/BUILD/qmail-1.03
>>>>>>>>> nano chkuser_settings.h
>>>>>>>>>
>>>>>>>>> UNCOMMENT THIS
>>>>>>>>> #define CHKUSER_STARTING_VARIABLE "CHKUSER_START"
>>>>>>>>>
>>>>>>>>> comment out the following
>>>>>>>>> /* #define CHKUSER_RCPT_MX */
>>>>>>>>> /* #define CHKUSER_ENABLE_USERS_EXTENSIONS */
>>>>>>>>> /* #define CHKUSER_USERS_DASH '-' */
>>>>>>>>>
>>>>>>>>> now the problem is that even if I set CHKUSER_START="NONE" i get
>>>>>>>>> errors
>>>>>>>>>
>>>>>>>>> here is my tcp.smtp file for submission port (i use separate tcp.smtp
>>>>>>>>> files for 25 and 587)
>>>>>>>>>
>>>>>>>>> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_START="NONE"
>>>>>>>>>
>>>>>>>>> i still get errors as such
>>>>>>>>>
>>>>>>>>> 2017-09-18 11:48:08.810159500 CHKUSER rejected rcpt:
>>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:> remote
>>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt<slncubm...@domain1.com> : max
>>>>>>>>> number of recipients
>>>>>>>>> 2017-09-18 11:48:09.894092500 CHKUSER rejected intrusion:
>>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:> remote
>>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt <sreecharanbank@domain2> : rcpt
>>>>>>>>> ignored, session over
>>>>>>>>> intrusion threshold
>>>>>>>>> 2017-09-18 11:48:11.226284500 CHKUSER rejected intrusion:
>>>>>>>>> from<a.muruga...@mycustomer.com:a.muruga...@mycustomer.com:> remote
>>>>>>>>> <FTLPCS27:unknown:182.73.35.162> rcpt<sreekumarga...@gmail.com> :
>>>>>>>>> rcpt ignored, session over intrusion threshold
>>>>>>>>>
>>>>>>>>> help required please
>>>>>>>>>
>>>>>>>>> rajesh
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail:qmailtoaster-list-unsubscr...@qmailtoaster.com
>>>>>>>>> For additional commands,
>>>>>>>>> e-mail:qmailtoaster-list-h...@qmailtoaster.com
>>>>>>>> --
>>>>>>>> Eric Broch
>>>>>>>> White Horse Technical Consulting (WHTC)
>>>>>>> --
>>>>>>> Eric Broch
>>>>>>> White Horse Technical Consulting (WHTC)
>>>>>> --
>>>>>> Eric Broch
>>>>>> White Horse Technical Consulting (WHTC)
>>>>> --
>>>>> Eric Broch
>>>>> White Horse Technical Consulting (WHTC)
>>>> --
>>>> Eric Broch
>>>> White Horse Technical Consulting (WHTC)
>>>
>>> --
>>> ------------------------------------------------------------
>>> Inter@zioni Interazioni di Antonio Nati
>>> http://www.interazioni.it to...@interazioni.it
>>> ------------------------------------------------------------
>> --
>> Eric Broch
>> White Horse Technical Consulting (WHTC)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it to...@interazioni.it
------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
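
The resolution of CHKUSER_START discussed in this thread, as an added example that is not part of the original messages and is not chkuser's own code: it reads the variable out of a tcprules line and returns the starting_value under the quoted 2.0.9 logic and under the proposed "NONE" branch. The function names are hypothetical, and the initial value 0 is an assumption taken from the thread's statement that unrecognised values mean domain base.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* chkuser 2.0.9 logic as quoted in the thread. Assumption: starting_value
   starts at 0, since the thread says unrecognised values mean domain base. */
int resolve_209(const char *v) {
    int starting_value = 0;
    if (!v) return -1;                      /* variable absent: disabled */
    if (strcasecmp(v, "ALWAYS") == 0) starting_value = 1;
    else if (strcasecmp(v, "DOMAIN") == 0) starting_value = 0;
    return starting_value;                  /* "NONE" and "" end up here: 0 */
}

/* Same logic with the "NONE" branch proposed in the thread. */
int resolve_patched(const char *v) {
    if (v && strcasecmp(v, "NONE") == 0) return -1;
    return resolve_209(v);
}

/* Value of `name` in a tcprules line (any repeated char may delimit it), or NULL. */
const char *rule_get(const char *rule, const char *name, char *out, size_t n) {
    const char *p = strchr(rule, ',');      /* skip "address:allow" */
    while (p && *p == ',') {
        const char *eq = strchr(++p, '=');
        if (!eq || !eq[1]) return NULL;     /* malformed rule */
        const char *val = eq + 2, *end = strchr(val, eq[1]);
        if (!end) return NULL;
        if ((size_t)(eq - p) == strlen(name) && strncmp(p, name, eq - p) == 0) {
            if ((size_t)(end - val) >= n) return NULL;
            memcpy(out, val, end - val);
            out[end - val] = '\0';
            return out;
        }
        p = end + 1;                        /* next ",NAME=..." pair */
    }
    return NULL;
}

int main(void) {
    /* Rule 1 is the one posted in the thread; rules 2 and 3 are constructed. */
    const char *rules[] = { ":allow,BADMIMETYPE=\"\",BADLOADERTYPE=\"M\",CHKUSER_START=\"NONE\"",
                            ":allow,CHKUSER_START=\"\"", ":allow,BADMIMETYPE=\"\"" };
    char buf[64];
    for (int i = 0; i < 3; i++) {
        const char *v = rule_get(rules[i], "CHKUSER_START", buf, sizeof buf);
        printf("rule %d: 2.0.9=%d patched=%d\n", i + 1, resolve_209(v), resolve_patched(v));
    }
    return 0;
}
```

This looks only at the rule itself; a CHKUSER_START exported from the smtpd run file, as suggested earlier in the thread, reaches qmail-smtpd as well.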