Re: [vchkpw] PHP extension for vpopmail
Assuming you use Apache of course :

> Thomas Madej
> Furi Enterprises
> http://furi.ca/
>
> On 1-Mar-04, at 4:07 AM, [EMAIL PROTECTED] wrote:
>
>> Eduardo M. Bragatto wrote:
>>> Rick Widmer wrote:
>>>> There are two ways to run the extension that I know of.
>>>>
>>>> o Start a separate instance of Apache on its own port or IP address,
>>>>   running as the mail user. This instance should only serve mail
>>>>   related pages. This is very easy to do.
>>>>
>>>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>>>   system administrators to login on the machine. (This is the one I
>>>>   use.)
>>
>> I've got a question.
>> If one runs such a dedicated apache-instance (uid=vpopmail) on a more
>> or less random port bound to localhost - would it be possible to
>> reverse-proxy your script through the main instance on port 80/443?
>> Generally, this works best when the site uses no JavaScript and only
>> relative links.
>> That would keep the "single system image" to end-users and
>> administrators.
>>
>> cheers,
>> Rainer
Re: [vchkpw] PHP extension for vpopmail
ProxyPass /mailserver http://mailserver:port/

Put that in your virtual host

Thomas Madej
Furi Enterprises
http://furi.ca/

On 1-Mar-04, at 4:07 AM, [EMAIL PROTECTED] wrote:

> Eduardo M. Bragatto wrote:
>> Rick Widmer wrote:
>>> There are two ways to run the extension that I know of.
>>>
>>> o Start a separate instance of Apache on its own port or IP address,
>>>   running as the mail user. This instance should only serve mail
>>>   related pages. This is very easy to do.
>>>
>>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>>   system administrators to login on the machine. (This is the one I
>>>   use.)
>
> I've got a question.
> If one runs such a dedicated apache-instance (uid=vpopmail) on a more
> or less random port bound to localhost - would it be possible to
> reverse-proxy your script through the main instance on port 80/443?
> Generally, this works best when the site uses no JavaScript and only
> relative links.
> That would keep the "single system image" to end-users and
> administrators.
>
> cheers,
> Rainer
Re: [vchkpw] PHP extension for vpopmail
> Eduardo M. Bragatto wrote:
>> Rick Widmer wrote:
>>
>>> There are two ways to run the extension that I know of.
>>>
>>> o Start a separate instance of Apache on its own port or IP address,
>>>   running as the mail user. This instance should only serve mail
>>>   related pages. This is very easy to do.
>>>
>>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>>   system administrators to login on the machine. (This is the one I
>>>   use.)

I've got a question.
If one runs such a dedicated apache-instance (uid=vpopmail) on a more or
less random port bound to localhost - would it be possible to reverse-proxy
your script through the main instance on port 80/443?
Generally, this works best when the site uses no JavaScript and only
relative links.
That would keep the "single system image" to end-users and administrators.

cheers,
Rainer
Re: [vchkpw] PHP extension for vpopmail
>>> Another problem, if you allow the www user access to the vpopmail
>>> programs - how do you keep every web site on the server from having
>>> full access to mail system? The vpopmail library functions don't
>>> provide authentication. (They do provide functions for doing
>>> authentication, but the calling program has to manage it.)
>>
>> Perhaps it would be nice to have some authorization method like:
>>
>> $vid=vpopmail_auth_module("vpopmail-user",
>>   "vpopmail-pass-perhaps-in-crypted-md5-form");
>
> The function is already there.
>
> struct vpasswd *vauth_user( char *user, char *domain, char *password );
>
> All it does is return the password file data for the user if the
> password is valid, or NULL for an authentication error. The problem is
> you can call vdeldomain() or anything else, even if you haven't
> authenticated yet. The only security checks in the vpopmail library
> are done at the system level. Does the user running the process have
> rights to change the files it needs to affect?

Notice that I called the function .._auth_module(). If you want to
separate websites from accessing vpopmail on your box you need a
fundamental authorization that allows you to perform vdeldomain(). More
descriptive example follows:

$vid=vpopmail_auth_module("vpopmail-user-like-unix-vpopmail-user-that-can-add-and-delete-and-so-on",
  "vpopmail-pass-perhaps-in-crypted-md5-form");
if($vid){
  //You're a super admin and can manipulate domains and users
  $rst=vadddomain("myname.tld","postmaster_pass"); //or whatever is the syntax
  if($rst){
    echo "domain created";
  }else{
    echo vpopmail_errstr();
  }
}else{
  //your regular user that can only auth himself via
  $auth=vauth_user("user","domain","password");
}

On the vpopmail_auth_module() level there would be something like a "sudo"
mechanism performed so that all functions that require physical access to
the vpopmail dir structure were run as an authorized super user (or any
other user that has some limited permissions).

Personally I feel that could be an extension to vpopmail itself. A module
for PHP operations that would introduce some levels of admins etc...
Imagine that you can assign a user rights to create 5 domains... Bad thing
is I am no coder. All of the above is just my imagination and theoretical
issues. Perhaps one of the vpopmail users is quite a PHP geek and could
verify if it has a chance for success.

Solt
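The pattern Solt sketches above, and the gap Rick describes (vauth_user() only checks a password; nothing stops the caller from invoking vdeldomain() afterwards), as an added example. This is not code from the thread, from Rick Widmer's extension or from vpopmail: it is an application-side gate where the calling program keeps the authenticated principal and decides what that principal may do. The PHP function names vpopmail_auth_user(), vpopmail_add_domain(), vpopmail_del_domain() and vpopmail_add_user(), and their argument lists, are assumptions; rename them to whatever your build of the extension exports. The gate only protects this script's own entry points: any other script loaded into the same Apache child can still call the extension directly, which is why the separate-instance advice in this thread still stands.

```php
<?php
// Added example for this thread; not code from Rick Widmer's extension or
// from vpopmail. Function names marked "assumed" must match your build.

final class VpopmailGate
{
    private ?string $user = null;    // authenticated account, null = anonymous
    private ?string $domain = null;
    /** @var string[] accounts ("user@domain") allowed to add/delete domains */
    private array $superAdmins;

    public function __construct(array $superAdmins)
    {
        $this->superAdmins = $superAdmins;
    }

    /**
     * Authenticate. The library call only verifies the password; every
     * privilege decision is made here, in the calling program, which is
     * exactly what the vpopmail API expects of its callers.
     */
    public function login(string $user, string $domain, string $password): bool
    {
        $this->user = $this->domain = null;            // fail closed on re-login
        if (!function_exists('vpopmail_auth_user')) {
            throw new RuntimeException('vpopmail extension not loaded');
        }
        if (!vpopmail_auth_user($user, $domain, $password)) {   // assumed binding of vauth_user()
            return false;
        }
        $this->user = $user;
        $this->domain = strtolower($domain);
        return true;
    }

    public function isSuperAdmin(): bool
    {
        return $this->user !== null
            && in_array($this->user . '@' . $this->domain, $this->superAdmins, true);
    }

    /** postmaster@x may manage accounts in x and nothing else. */
    public function isPostmasterOf(string $domain): bool
    {
        return $this->user === 'postmaster' && $this->domain === strtolower($domain);
    }

    public function addDomain(string $domain, string $postmasterPass): bool
    {
        $this->authorize($this->isSuperAdmin(), "add domain $domain");
        return (bool) vpopmail_add_domain($domain, $postmasterPass);   // assumed name/signature
    }

    public function delDomain(string $domain): bool
    {
        $this->authorize($this->isSuperAdmin(), "delete domain $domain");
        return (bool) vpopmail_del_domain($domain);                     // assumed name/signature
    }

    public function addUser(string $user, string $domain, string $pass): bool
    {
        $this->authorize($this->isSuperAdmin() || $this->isPostmasterOf($domain),
                         "add $user@$domain");
        return (bool) vpopmail_add_user($user, $domain, $pass);        // assumed name/signature
    }

    /** Central deny point: log who was refused what, then refuse. */
    private function authorize(bool $ok, string $what): void
    {
        if (!$ok) {
            error_log(sprintf('vpopmail gate: denied "%s" for %s',
                              $what, $this->user ?? 'anonymous'));
            throw new RuntimeException('not authorized');
        }
    }
}

// Usage; the admin account and domain below are constructed for the example.
$gate = new VpopmailGate(['postmaster@mail.example.net']);
if (!$gate->login($_POST['user'] ?? '', $_POST['domain'] ?? '', $_POST['pass'] ?? '')) {
    http_response_code(401);
    exit('login failed');
}
// Succeeds for a super admin or for postmaster@example.net, throws otherwise.
$gate->addUser('alice', 'example.net', $_POST['newpass'] ?? '');
```

Keeping every privileged call behind one `authorize()` gives a single place to log refusals and means a new operation cannot be added without deciding who may call it.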
Re: [vchkpw] PHP extension for vpopmail
Marcin Soltysiak wrote:

>> Another problem, if you allow the www user access to the vpopmail
>> programs - how do you keep every web site on the server from having
>> full access to mail system? The vpopmail library functions don't
>> provide authentication. (They do provide functions for doing
>> authentication, but the calling program has to manage it.)
>
> Perhaps it would be nice to have some authorization method like:
>
> $vid=vpopmail_auth_module("vpopmail-user",
>   "vpopmail-pass-perhaps-in-crypted-md5-form");

The function is already there.

struct vpasswd *vauth_user( char *user, char *domain, char *password );

All it does is return the password file data for the user if the password
is valid, or NULL for an authentication error. The problem is you can call
vdeldomain() or anything else, even if you haven't authenticated yet. The
only security checks in the vpopmail library are done at the system level.
Does the user running the process have rights to change the files it needs
to affect?

Rick
Re: [vchkpw] PHP extension for vpopmail
> Another problem, if you allow the www user access to the vpopmail
> programs - how do you keep every web site on the server from having
> full access to mail system? The vpopmail library functions don't
> provide authentication. (They do provide functions for doing
> authentication, but the calling program has to manage it.)

Perhaps it would be nice to have some authorization method like:

$vid=vpopmail_auth_module("vpopmail-user",
  "vpopmail-pass-perhaps-in-crypted-md5-form");

Solt
Re: [vchkpw] PHP extension for vpopmail
>>>> o Start a separate instance of Apache on its own port or IP address,
>>>>   running as the mail user. This instance should only serve mail
>>>>   related pages. This is very easy to do.
>>>>
>>>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>>>   system administrators to login on the machine. (This is the one I
>>>>   use.)
>>>
>>> Didn't you ever hear about "sudo"?
>>> Using sudo you may allow the apache's user to run commands (that you
>>> specify) as the vpopmail's user. I did it once, it isn't hard. I also
>>> believe that's more secure, since the vpopmail's user will be used
>>> only when necessary (to run some commands) and not all the time (to
>>> run apache).
>>
>> sudo with PHP extension? When PHP is a module? How?
>>
>> Solt
>
> Via PHP's CGI module.

Ok. I meant shared apache module, not CGI. Personally I dislike CGI
modules.

Solt
Re: [vchkpw] PHP extension for vpopmail
On 22-Feb-04, at 8:04 PM, Rick Widmer wrote:

> Thomas Madej wrote:
>> On 22-Feb-04, at 7:29 PM, Marcin Soltysiak wrote:
>>> sudo with PHP extension? When PHP is a module? How?
>>>
>>> Solt
>>
>> Via PHP's CGI module.
>
> Please try it and let me know how it works! Personally, I am quite
> happy keeping general web sites off the mail server, and running PHP
> as an Apache module. I _think_ it should work under CGI, but I don't
> use PHP as CGI, and don't even know where to start to configure it in.
>
> If no one else does it, I will eventually get to trying this with CGI,
> but don't hold your breath. QmailAdmin 1.3 will be released before I
> spend any time on it. If you do try it and have problems I will help
> you, but unless someone else is actively involved it will remain very
> low on my priority list.
>
> What about SUID on the script file? That might work too.
>
> Rick

You just need the proper script header and the proper entries in
/etc/sudoers. I think the following header would work:

#!/usr/bin/sudo -u vpopmailuser /usr/bin/php

but then again, running another server is probably more secure than this
method.

Thomas Madej
Furi Enterprises
http://furi.ca/
Re: [vchkpw] PHP extension for vpopmail
Thomas Madej wrote:
> On 22-Feb-04, at 7:29 PM, Marcin Soltysiak wrote:
>> sudo with PHP extension? When PHP is a module? How?
>>
>> Solt
>
> Via PHP's CGI module.

Please try it and let me know how it works! Personally, I am quite happy
keeping general web sites off the mail server, and running PHP as an
Apache module. I _think_ it should work under CGI, but I don't use PHP as
CGI, and don't even know where to start to configure it in.

If no one else does it, I will eventually get to trying this with CGI, but
don't hold your breath. QmailAdmin 1.3 will be released before I spend any
time on it. If you do try it and have problems I will help you, but unless
someone else is actively involved it will remain very low on my priority
list.

What about SUID on the script file? That might work too.

Rick
Re: [vchkpw] PHP extension for vpopmail
Eduardo M. Bragatto wrote:
> Rick Widmer wrote:
>> There are two ways to run the extension that I know of.
>>
>> o Start a separate instance of Apache on its own port or IP address,
>>   running as the mail user. This instance should only serve mail
>>   related pages. This is very easy to do.
>>
>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>   system administrators to login on the machine. (This is the one I
>>   use.)
>
> Didn't you ever hear about "sudo"?
> Using sudo you may allow the apache's user to run commands (that you
> specify) as the vpopmail's user. I did it once, it isn't hard. I also
> believe that's more secure, since the vpopmail's user will be used only
> when necessary (to run some commands) and not all the time (to run
> apache).

I think you are missing something here. Extensions give PHP _direct_
access to functions provided by a c or c++ library. They are executed
_within_ the Apache child process that handles a page request. They don't
spawn a new process, so there is no place to use sudo. If you are going to
use sudo then you may as well skip extensions and use exec/system/passthru
or the streams facility directly from a PHP library.

Another problem, if you allow the www user access to the vpopmail programs
- how do you keep every web site on the server from having full access to
mail system? The vpopmail library functions don't provide authentication.
(They do provide functions for doing authentication, but the calling
program has to manage it.)

Rick
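The route Rick describes in the message above (skip the extension and run the vpopmail command-line programs through sudo from the web user), as an added example that is not code from the thread, from the extension or from vpopmail. Assumptions: vpopmail is installed under /home/vpopmail with its vadduser and vdeluser tools in /home/vpopmail/bin, the web server runs as www-data, and /etc/sudoers carries a rule naming exactly those two binaries (shown in the comment). The wrapper pins each call to one allow-listed absolute path, validates the address before anything is executed, and uses the argv form of proc_open() so no shell is involved. It does not answer Rick's open question: a sudoers rule for www-data is available to every script that runs as www-data, so it narrows what those scripts can do rather than who can do it, and it still needs an application-level login in front of it.

```php
<?php
// Added example for this thread; not code from Rick Widmer's extension or
// from vpopmail. Assumed (label) sudoers rule, kept to exact binaries:
//   www-data ALL=(vpopmail) NOPASSWD: /home/vpopmail/bin/vadduser, \
//                                     /home/vpopmail/bin/vdeluser
// A rule for /usr/bin/php instead would hand every site on the box the
// vpopmail uid, which is the problem this thread is about.

final class VpopmailCli
{
    private const BIN     = '/home/vpopmail/bin';      // assumed install prefix
    private const ALLOWED = ['vadduser', 'vdeluser'];  // tools the sudoers rule permits

    /** Plain DNS name, lower-cased; anything else is refused before sudo is touched. */
    public static function domain(string $d): string
    {
        $d = strtolower($d);
        $re = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/';
        if (!preg_match($re, $d)) {
            throw new InvalidArgumentException('bad domain');
        }
        return $d;
    }

    /** Conservative local part: no leading dash (option look-alike), no ".." runs. */
    public static function user(string $u): string
    {
        if (!preg_match('/^[a-z0-9][a-z0-9._-]{0,63}$/i', $u) || strpos($u, '..') !== false) {
            throw new InvalidArgumentException('bad user');
        }
        return $u;
    }

    /**
     * Run one allow-listed tool as the vpopmail user and return
     * [exit status, stdout, stderr]. The argv-array form of proc_open()
     * (PHP >= 7.4) never goes through a shell, so no quoting is involved;
     * sudo matches the fixed absolute path against its rule and "-n"
     * makes it fail instead of prompting if the rule is missing.
     */
    public static function run(string $tool, array $args): array
    {
        if (!in_array($tool, self::ALLOWED, true)) {
            throw new InvalidArgumentException("tool not allowed: $tool");
        }
        $argv = array_merge(['/usr/bin/sudo', '-n', '-u', 'vpopmail', '--',
                             self::BIN . '/' . $tool], $args);
        $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($argv, $spec, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open failed');
        }
        $out = stream_get_contents($pipes[1]);
        fclose($pipes[1]);
        $err = stream_get_contents($pipes[2]);
        fclose($pipes[2]);
        return [proc_close($proc), $out, $err];
    }

    public static function addUser(string $user, string $domain, string $password): bool
    {
        $address = self::user($user) . '@' . self::domain($domain);
        // vadduser takes "user@domain [password]"; the password rides on argv,
        // which is visible in process listings for the moment the tool runs.
        [$status] = self::run('vadduser', [$address, $password]);
        return $status === 0;
    }

    public static function delUser(string $user, string $domain): bool
    {
        [$status] = self::run('vdeluser', [self::user($user) . '@' . self::domain($domain)]);
        return $status === 0;
    }
}

// Usage; the address is constructed for the example. Put a login check
// in front of this in any real page.
if (VpopmailCli::addUser('alice', 'example.net', $_POST['newpass'] ?? '')) {
    echo "user created\n";
}
```

Validating the address with an allow-list regex before calling sudo matters more than the quoting: vdeluser receives the string as its first argument, so a value starting with `-` would be read as an option, which the `user()` check rules out.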
Re: [vchkpw] PHP extension for vpopmail
On 22-Feb-04, at 7:29 PM, Marcin Soltysiak wrote:

>>> o Start a separate instance of Apache on its own port or IP address,
>>>   running as the mail user. This instance should only serve mail
>>>   related pages. This is very easy to do.
>>>
>>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>>   system administrators to login on the machine. (This is the one I
>>>   use.)
>>
>> Didn't you ever hear about "sudo"?
>> Using sudo you may allow the apache's user to run commands (that you
>> specify) as the vpopmail's user. I did it once, it isn't hard. I also
>> believe that's more secure, since the vpopmail's user will be used only
>> when necessary (to run some commands) and not all the time (to run
>> apache).
>
> sudo with PHP extension? When PHP is a module? How?
>
> Solt

Via PHP's CGI module.

Thomas
Re: [vchkpw] PHP extension for vpopmail
>> o Start a separate instance of Apache on its own port or IP address,
>>   running as the mail user. This instance should only serve mail
>>   related pages. This is very easy to do.
>>
>> o Don't allow any web sites on the mail server. Only run QmailAdmin
>>   and sqWebmail on the mail server, and don't allow anyone but mail
>>   system administrators to login on the machine. (This is the one I
>>   use.)
>
> Didn't you ever hear about "sudo"?
> Using sudo you may allow the apache's user to run commands (that you
> specify) as the vpopmail's user. I did it once, it isn't hard. I also
> believe that's more secure, since the vpopmail's user will be used only
> when necessary (to run some commands) and not all the time (to run
> apache).

sudo with PHP extension? When PHP is a module? How?

Solt
Re: [vchkpw] PHP extension for vpopmail
Rick Widmer wrote:
> There are two ways to run the extension that I know of.
>
> o Start a separate instance of Apache on its own port or IP address,
>   running as the mail user. This instance should only serve mail
>   related pages. This is very easy to do.
>
> o Don't allow any web sites on the mail server. Only run QmailAdmin
>   and sqWebmail on the mail server, and don't allow anyone but mail
>   system administrators to login on the machine. (This is the one I
>   use.)

Didn't you ever hear about "sudo"?
Using sudo you may allow the apache's user to run commands (that you
specify) as the vpopmail's user. I did it once, it isn't hard. I also
believe that's more secure, since the vpopmail's user will be used only
when necessary (to run some commands) and not all the time (to run
apache).

Regards,
Eduardo M. Bragatto.
Re: [vchkpw] PHP extension for vpopmail
Alejandro Aguilar Sierra wrote:
> On Thu, 19 Feb 2004, Rick Widmer wrote:
>> There are now 21 functions available to access and update information
>> about email addresses. To work they must be run as the vpopmail user.
>> I do it by running apache under the mail user. Hopefully there are
>> other solutions available.
>
> It should be possible to run with the web server user (in debian
> www-data) and use internally the postmaster's (or user's) password.
> I'm afraid using another user adds a weak security point and causes
> problems for web applications which need to use the regular apache
> user.

I _wish_ it was possible. PHP running as an Apache module under the web
user will not be able to access anything in vpopmail. There is no way to
check mail system permissions and allow access. System permissions won't
allow it, and the www user can't change to the proper user. (Only root can
do it, and if PHP is running you are a child process running as www. The
only root owned process in Apache never serves web pages.)

I agree there is no way you should allow this extension on a web server
that hosts general web pages. The extension grants full access to accounts
on the mail server, you don't want every web developer to have that power.
So it is a good thing if all the functions in the extension fail if not
run as the mail user. (I just added it to the TODO. That way you only need
one Apache executable.)

There are two ways to run the extension that I know of.

o Start a separate instance of Apache on its own port or IP address,
  running as the mail user. This instance should only serve mail related
  pages. This is very easy to do.

o Don't allow any web sites on the mail server. Only run QmailAdmin and
  sqWebmail on the mail server, and don't allow anyone but mail system
  administrators to login on the machine. (This is the one I use.)

If you can't do one of those, this module isn't for you. It must run as
the mail server user to do its magic. I don't think there is any other way
to run as an Apache module and access mail.

There is one other limitation, all the mail accounts must be under the
vpopmail user. If you place domains under other users, you will not be
able to access them with this extension.

It might be possible to do something with CGI to allow PHP to run only
mail related programs as the mail user, but then there may be a problem
with keeping other web sites on the same machine from having that ability.
I don't know, and I won't be thinking about it at least until QmailAdmin
1.3 is out. That is my real priority.

There are some cool possibilities exec'ing a program, or having a long
running daemon, but these are for someone else to ponder. One tough
question if you are considering writing one of these, how are you going to
make sure only authorized users have access. The vpopmail api allows
everything and expects the application program (like QmailAdmin) to handle
authentication issues. If you can access the library you can do anything.

Rick
Re: [vchkpw] PHP extension for vpopmail
On Thu, 19 Feb 2004, Rick Widmer wrote:

> There is now a sneak peek at the updated PHP extension for vpopmail
> available on my test web site:
>
> http://kimberly.developersdesk.com/vpopmail.php.tar.gz
>
> Basic installation instructions are in INSTALL.
>
> You should read README, NEWS and TODO.
>
> There are now 21 functions available to access and update information
> about email addresses. To work they must be run as the vpopmail user.
> I do it by running apache under the mail user. Hopefully there are
> other solutions available.

It should be possible to run with the web server user (in debian www-data)
and use internally the postmaster's (or user's) password. I'm afraid using
another user adds a weak security point and causes problems for web
applications which need to use the regular apache user.

Alejandro