Re: mail/akpop3d authenticate.c:user_in_file bug

2020-04-28 Thread Antoine Jacoutot
On Tue, Apr 28, 2020 at 01:46:17AM +0200, Ingo Schwarze wrote:
> Hi Alexei,
> 
> Alexei Malinin wrote on Tue, Apr 28, 2020 at 01:05:23AM +0300:
> 
> > I ported akpop3d to NetBSD and found the Subject.
> > GCC warning was the following:
> > authenticate.c: In function 'is_user_allowed':
> > authenticate.c:110:11: warning: switch condition has boolean value
> > [-Wswitch-bool]
> 
> This is a textbook example of how you must *not* react to a compiler
> warning.  Do not apply random patches just to shut up the compiler,
> without understanding what the code does or what your patches change.
> Such reckless behaviour is exactly how Debian produced the spectacular
> security vulnerability in their port of OpenSSH several years ago.
> 
> 
> From pure code inspection, i conclude that what you report is very
> likely a security vulnerability.
> 
> 
> What the code currently does is this:
> 
>  * If the file /etc/pop3.deny does not exist or an error occurs
>    reading from it, all users are denied access.
>  * If the file /etc/pop3.deny exists and can be read,
>    users listed in the file are denied access, but
>    *all* users *not* listed in the file are granted access.
>  * In either case, the file /etc/pop3.allow is totally ignored.
>    It may or may not exist, and if it does, the contents are
>    read, but whatever is in there makes no difference whatsoever.
>  * Note that the confusing condition
>  if ((allow == 0 && deny == 0) || (allow == 1 && deny == 0)) {
>    a few lines below is equivalent to just
>  if (deny == 0) {
>    and consequently, the assignments to the variable "allow" are
>    effectively dead stores.
> 
> From the akpop3d(8) manual page, it remains totally unclear what
> the desired behaviour is supposed to be, but the above cannot
> possibly be right.  It looks as if it was never tested at all.
> 
> 
> The only effect of your change is as follows.  With your change,
> we get this in addition to the above:
> 
>  * If the file /etc/pop3.allow does not exist or an error occurs
>    reading from it, all users are denied access.
>  * But if it can be read, its contents are still totally
>    ignored.
> 
> Quite obviously, that cannot possibly be correct behaviour either,
> so if there is a vulnerability (hard to say given that desired
> behaviour is unspecified), it seems unlikely that your change fully
> fixes it.
> 
> 
> Judging from the website, this program has been unmaintained for
> more than 15 years.
> 
> I think we should delete the port completely, giving something like
> "sloppily coded, sloppily documented, severely buggy and likely
> vulnerable abandonware" as the reason for deletion.

It has my vote.

-- 
Antoine



Re: mail/akpop3d authenticate.c:user_in_file bug

2020-04-27 Thread Ingo Schwarze
Hi Alexei,

Alexei Malinin wrote on Tue, Apr 28, 2020 at 01:05:23AM +0300:

> I ported akpop3d to NetBSD and found the Subject.
> GCC warning was the following:
> authenticate.c: In function 'is_user_allowed':
> authenticate.c:110:11: warning: switch condition has boolean value
> [-Wswitch-bool]

This is a textbook example of how you must *not* react to a compiler
warning.  Do not apply random patches just to shut up the compiler,
without understanding what the code does or what your patches change.
Such reckless behaviour is exactly how Debian produced the spectacular
security vulnerability in their port of OpenSSH several years ago.


From pure code inspection, i conclude that what you report is very
likely a security vulnerability.


What the code currently does is this:

 * If the file /etc/pop3.deny does not exist or an error occurs
   reading from it, all users are denied access.
 * If the file /etc/pop3.deny exists and can be read,
   users listed in the file are denied access, but
   *all* users *not* listed in the file are granted access.
 * In either case, the file /etc/pop3.allow is totally ignored.
   It may or may not exist, and if it does, the contents are
   read, but whatever is in there makes no difference whatsoever.
 * Note that the confusing condition
 if ((allow == 0 && deny == 0) || (allow == 1 && deny == 0)) {
   a few lines below is equivalent to just
 if (deny == 0) {
   and consequently, the assignments to the variable "allow" are
   effectively dead stores.

From the akpop3d(8) manual page, it remains totally unclear what
the desired behaviour is supposed to be, but the above cannot
possibly be right.  It looks as if it was never tested at all.


The only effect of your change is as follows.  With your change,
we get this in addition to the above:

 * If the file /etc/pop3.allow does not exist or an error occurs
   reading from it, all users are denied access.
 * But if it can be read, its contents are still totally
   ignored.

Quite obviously, that cannot possibly be correct behaviour either,
so if there is a vulnerability (hard to say given that desired
behaviour is unspecified), it seems unlikely that your change fully
fixes it.


Judging from the website, this program has been unmaintained for
more than 15 years.

I think we should delete the port completely, giving something like
"sloppily coded, sloppily documented, severely buggy and likely
vulnerable abandonware" as the reason for deletion.

Yours,
  Ingo
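
The decision logic analysed in the message above, modelled as an added C example; it is not akpop3d's source and not part of the original mail. The `enum lookup` values, the function names and the fail-closed policy are assumptions, since the thread notes that the intended behaviour is unspecified.

```c
#include <stdio.h>

/* Outcome of looking one user up in one list file.  Hypothetical names:
 * the return values of akpop3d's user_in_file() are not shown in the thread. */
enum lookup { LOOKUP_ERROR = -1, LOOKUP_ABSENT = 0, LOOKUP_PRESENT = 1 };

static const enum lookup ALL_RESULTS[3] = {
    LOOKUP_ERROR, LOOKUP_ABSENT, LOOKUP_PRESENT
};

/* The condition quoted in the thread, copied verbatim. */
static int quoted_condition(int allow, int deny)
{
    return (allow == 0 && deny == 0) || (allow == 1 && deny == 0);
}

/* The simplification given in the thread. */
static int simplified_condition(int deny)
{
    return deny == 0;
}

/* Exhaustive check over allow, deny in {0, 1}: number of inputs on
 * which the quoted and the simplified condition disagree. */
static int count_condition_mismatches(void)
{
    int allow, deny, mismatches = 0;

    for (allow = 0; allow <= 1; allow++)
        for (deny = 0; deny <= 1; deny++)
            if (quoted_condition(allow, deny) != simplified_condition(deny))
                mismatches++;
    return mismatches;
}

/* Model of the behaviour described in the thread: an error on the deny
 * file refuses everyone, otherwise only the deny list decides. */
static int described_behaviour(enum lookup allow_res, enum lookup deny_res)
{
    int allow = (allow_res == LOOKUP_PRESENT); /* stored, never decisive */
    int deny;

    if (deny_res == LOOKUP_ERROR)
        return 0;
    deny = (deny_res == LOOKUP_PRESENT);
    return quoted_condition(allow, deny);
}

/* One possible fail-closed policy (assumed, not specified anywhere on the
 * page): any lookup error refuses, deny wins, and the user must be listed
 * in the allow file. */
static int fail_closed_policy(enum lookup allow_res, enum lookup deny_res)
{
    if (allow_res == LOOKUP_ERROR || deny_res == LOOKUP_ERROR)
        return 0;
    if (deny_res == LOOKUP_PRESENT)
        return 0;
    return allow_res == LOOKUP_PRESENT;
}

/* Number of lookup outcomes where the described behaviour grants access
 * although the fail-closed policy would refuse it. */
static int count_overgrants(void)
{
    int i, j, n = 0;

    for (i = 0; i < 3; i++)
        for (j = 0; j < 3; j++)
            if (described_behaviour(ALL_RESULTS[i], ALL_RESULTS[j]) &&
                !fail_closed_policy(ALL_RESULTS[i], ALL_RESULTS[j]))
                n++;
    return n;
}

int main(void)
{
    static const char *names[3] = { "error", "absent", "present" };
    int i, j;

    printf("condition mismatches: %d\n", count_condition_mismatches());
    printf("%-8s %-8s %-10s %s\n", "allow", "deny", "described", "fail-closed");
    for (i = 0; i < 3; i++)
        for (j = 0; j < 3; j++)
            printf("%-8s %-8s %-10d %d\n", names[i], names[j],
                   described_behaviour(ALL_RESULTS[i], ALL_RESULTS[j]),
                   fail_closed_policy(ALL_RESULTS[i], ALL_RESULTS[j]));
    printf("over-grants: %d\n", count_overgrants());
    return 0;
}
```

The two over-granted rows are the ones where the user is missing from the allow file, or the allow file cannot be read, while the deny file is readable and does not list the user.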



mail/akpop3d authenticate.c:user_in_file bug

2020-04-27 Thread Alexei Malinin
Hello!

I ported akpop3d to NetBSD and found the Subject.

GCC warning was the following:
authenticate.c: In function 'is_user_allowed':
authenticate.c:110:11: warning: switch condition has boolean value
[-Wswitch-bool]
   switch (user_in_file(user,POP3ALLOW_FILE)>0) {
   ^

Please look at the patches below.


--
Alexei


Index: patch-authenticate_c
===
RCS file: /cvs/ports/mail/akpop3d/patches/patch-authenticate_c,v
retrieving revision 1.2
diff -u -p -r1.2 patch-authenticate_c
--- patch-authenticate_c    22 May 2017 20:03:43 -  1.2
+++ patch-authenticate_c    27 Apr 2020 21:42:16 -
@@ -17,7 +17,7 @@ Index: authenticate.c
    int allow, deny;
 
 -  switch (user_in_file(user,"/etc/pop3.allow")>0) {
-+  switch (user_in_file(user,POP3ALLOW_FILE)>0) {
++  switch (user_in_file(user,POP3ALLOW_FILE)) {
  case 0:
    allow = 0;
    break;
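
Review bot: Dropping `>0` from the switch on user_in_file(user,POP3ALLOW_FILE) means any return value other than the handled cases (for example an error code) is no longer folded into `case 0:`, and the hunk shows no `default:` or error case, so confirm what the switch does with those values before relying on it. The visible `case 0: allow = 0;` still only stores into `allow`; if the later condition reduces to `deny == 0`, as the reply in this thread points out, the allow list stays without effect after this change, so the patch should either wire `allow` into the decision or say in its description that it only silences -Wswitch-bool.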

Index: Makefile
===
RCS file: /cvs/ports/mail/akpop3d/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile    12 Jul 2019 20:47:24 -  1.13
+++ Makefile    27 Apr 2020 21:48:43 -
@@ -3,7 +3,7 @@
 COMMENT=   small and secure POP3 daemon
 
 DISTNAME=  akpop3d-0.7.7
-REVISION = 3
+REVISION = 4
 CATEGORIES=    mail
 HOMEPAGE=  http://www.synflood.at/akpop3d.html
 




Re: akpop3d crashed with core-dump

2017-05-23 Thread Theo Buehler
On Tue, May 23, 2017 at 09:23:12AM +0200, Giovanni Bechis wrote:
> On 05/23/17 08:24, I. Schuchardt wrote:
> > hi folks
> >  
> > I am testing akpop3d on OpenBSD 6.1 (amd64 and i386).
> > 
> > With "akpop3d -d" the daemon starts and opens port 110 on my machine,
> > so I can check POP3 with telnet on port 110:
> >
> fixed yesterday in -current, ok for the same diff for 6.1 ?

sure, ok

Thanks for taking care of this.



Re: akpop3d crashed with core-dump

2017-05-23 Thread Giovanni Bechis
On 05/23/17 08:24, I. Schuchardt wrote:
> hi folks
>  
> I am testing akpop3d on OpenBSD 6.1 (amd64 and i386).
> 
> With "akpop3d -d" the daemon starts and opens port 110 on my machine,
> so I can check POP3 with telnet on port 110:
>
fixed yesterday in -current, ok for the same diff for 6.1 ?
 Cheers
   Giovanni

 
> ---snipp---
> ~% telnet my_machine 110
> Trying 1.2.3.4...
> Connected to my_machine.
> Escape character is '^]'.
> +OK
> user foo
> +OK
> pass bar
> Connection closed by foreign host.
> ---snipp---
> 
> 
> after this.. there is a core-dump-file "akpop3d.core" in "/" - and no other
> logging-information.
> 
> 
> thanks,
> ingolf
> 

Index: Makefile
===
RCS file: /var/cvs/ports/mail/akpop3d/Makefile,v
retrieving revision 1.11
diff -u -p -r1.11 Makefile
--- Makefile	10 Sep 2016 13:03:42 -	1.11
+++ Makefile	23 May 2017 07:22:13 -
@@ -3,7 +3,7 @@
 COMMENT=	small and secure POP3 daemon
 
 DISTNAME=	akpop3d-0.7.7
-REVISION =	2
+REVISION =	3
 CATEGORIES=	mail
 HOMEPAGE=	http://www.synflood.at/akpop3d.html
 
@@ -16,6 +16,7 @@ MASTER_SITES=	http://www.synflood.at/akp
 EXTRACT_SUFX=	.tar.bz2
 
 CONFIGURE_STYLE=gnu
+CONFIGURE_ARGS=--with-mysql=no
 
 NO_TEST=	Yes
 
Index: patches/patch-authenticate_c
===
RCS file: /var/cvs/ports/mail/akpop3d/patches/patch-authenticate_c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-authenticate_c
--- patches/patch-authenticate_c	8 Nov 2004 21:57:05 -	1.1.1.1
+++ patches/patch-authenticate_c	23 May 2017 07:22:13 -
@@ -1,6 +1,7 @@
 $OpenBSD: patch-authenticate_c,v 1.1.1.1 2004/11/08 21:57:05 naddy Exp $
 authenticate.c.orig	Sun Aug 17 19:44:55 2003
-+++ authenticate.c	Mon Nov  8 22:49:53 2004
+Index: authenticate.c
+--- authenticate.c.orig
 authenticate.c
 @@ -25,6 +25,9 @@
  #include "strlcpy.h"
  #include "mysql.h"
@@ -11,7 +12,7 @@ $OpenBSD: patch-authenticate_c,v 1.1.1.1
  extern const char * authfile;
  char real_username[MAXLINE+1];
  char real_maildrop[MAXLINE+1];
-@@ -104,7 +107,7 @@ static int user_in_file(char * user, cha
+@@ -104,7 +107,7 @@ static int user_in_file(char * user, char * path) {
  static int is_user_allowed(char * user) {
int allow, deny;
  
@@ -20,7 +21,7 @@ $OpenBSD: patch-authenticate_c,v 1.1.1.1
  case 0:
allow = 0;
break;
-@@ -115,7 +118,7 @@ static int is_user_allowed(char * user) 
+@@ -115,7 +118,7 @@ static int is_user_allowed(char * user) {
return 0;
}
  
@@ -29,7 +30,7 @@ $OpenBSD: patch-authenticate_c,v 1.1.1.1
  case 0:
deny = 0;
break;
-@@ -322,7 +325,7 @@ int authenticate(char * username, char *
+@@ -322,7 +325,7 @@ int authenticate(char * username, char * password) {
memset(pass,0,sizeof(pass));
strlcpy(pass,password,len+1);
  
@@ -38,3 +39,12 @@ $OpenBSD: patch-authenticate_c,v 1.1.1.1
if (0!=use_pop3_allow_deny && 0==is_user_allowed(user)) {
  return 0;
}
+@@ -335,7 +338,7 @@ int authenticate(char * username, char * password) {
+   }
+ 
+ #ifndef HAVE_LIBMYSQLCLIENT
+-  u = getpwnam(user);
++  u = getpwnam_shadow(user);
+ #else
+ u = getMpwnam( user ); /* getMpwnam first checks getpwnam() */
+ #endif /* HAVE_LIBMYSQLCLIENT */
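
Review bot: In the last hunk the switch to getpwnam_shadow(user) covers only the `#ifndef HAVE_LIBMYSQLCLIENT` branch; the `#else` branch still calls getMpwnam(), whose comment says it checks getpwnam() first, so a MySQL-enabled build would keep the old lookup. The Makefile now passes --with-mysql=no, which hides that; a comment next to CONFIGURE_ARGS saying why MySQL is disabled would stop someone re-enabling it without also patching getMpwnam(). The lines after the call are not in the hunk, so also check that `u == NULL` is handled before the password comparison.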
Index: pkg/PLIST
===
RCS file: /var/cvs/ports/mail/akpop3d/pkg/PLIST,v
retrieving revision 1.2
diff -u -p -r1.2 PLIST
--- pkg/PLIST	14 Dec 2005 06:02:09 -	1.2
+++ pkg/PLIST	23 May 2017 07:22:13 -
@@ -1,4 +1,4 @@
 @comment $OpenBSD: PLIST,v 1.2 2005/12/14 06:02:09 jolan Exp $
 @newgroup _akpop3d:555
 @man man/man8/akpop3d.8
-sbin/akpop3d
+@bin sbin/akpop3d


akpop3d crashed with core-dump

2017-05-23 Thread I. Schuchardt
hi folks
 
I am testing akpop3d on OpenBSD 6.1 (amd64 and i386).

With "akpop3d -d" the daemon starts and opens port 110 on my machine,
so I can check POP3 with telnet on port 110:

---snipp---
~% telnet my_machine 110
Trying 1.2.3.4...
Connected to my_machine.
Escape character is '^]'.
+OK
user foo
+OK
pass bar
Connection closed by foreign host.
---snipp---


after this.. there is a core-dump-file "akpop3d.core" in "/" - and no other
logging-information.


thanks,
ingolf



Re: akpop3d does not work out of the box

2014-05-27 Thread Stuart Henderson
On 2014/05/26 09:16, Eric Radman wrote:
> The upgrade notes for 5.5 suggest that akpop3d might work as a
> replacement for the popa3d that was removed from base. Is there a trick
> to using this daemon? akpop3d does not seem to manage locks correctly:

Doesn't entirely surprise me, the port hasn't had much love recently
(not even an rc script..) - I don't think it is very widely used so
unlikely to have picked up many problem reports.

From reading Solar's recent comments about it, it seems to expect to
run as gid mail (with mail spool permissions set accordingly). Last
substantive commit to the port (in 2005) was create/use _akpop3d
group rather than the non-existent 'mail' one so it wouldn't be a
huge surprise if this was broken since then.

(And if anyone did get it to run, you might be interested in his other
comments... http://www.openwall.com/lists/oss-security/2014/05/02/2)

Personally I'm using Dovecot. Once configured it's pretty solid,
though admittedly setup is more complex than the simple pop3-only
daemons.

> I ended up using solid-pop3d which was trivial to install. I've been
> using nginx from ports to provide SSL access:

Using nginx for this may make Reyk sad! (relayd can do SSL offload too).



akpop3d does not work out of the box

2014-05-26 Thread Eric Radman
The upgrade notes for 5.5 suggest that akpop3d might work as a
replacement for the popa3d that was removed from base. Is there a trick
to using this daemon? akpop3d does not seem to manage locks correctly:

# tail /var/log/maillog
May 23 23:27:16 vm akpop3d[4954]: Connection from 127.0.0.1:27515
May 23 23:27:16 vm akpop3d[6121]: Authenticated eradman
May 23 23:27:21 vm akpop3d[6121]: failed to lock maildrop: /var/mail/eradman: File exists

# ls /var/mail/eradman*
-rw---  1 eradman  users   2334 May  3 23:28 eradman
-rw-r-  1 eradman  _akpop3d   5 May 26 08:38 eradman.lock

I ended up using solid-pop3d which was trivial to install. I've been
using nginx from ports to provide SSL access:

# pf.conf
block in on ! lo0 proto tcp to port pop3

# nginx.conf
mail {
    server_name   vm.eradman.com;
    auth_http     localhost:9000;

    proxy               on;
    ssl_protocols       TLSv1 SSLv3;
    ssl_certificate     /etc/mail/certs/vm.eradman.com.crt;
    ssl_certificate_key /etc/mail/certs/vm.eradman.com.key;

    pop3_auth plain apop cram-md5;

    server {
        protocol    pop3;
        listen      995;
        ssl         on;
        pop3_auth   plain;
    }
}

--
Eric Radman



mail/akpop3d version number

2010-09-08 Thread Max Stalnaker
The packaging suggests 0.7.7.

akpop3d -v says 0.7.6

-current


  


akpop3d maildrop permissions

2010-09-08 Thread Max Stalnaker
-current

akpop3d current
thunderbird client, back a patch from current

this box has two users: root and astar.  astar is just a normal user.

now akpop3d is a daemon and otherwise takes the defaults, so the maildrops are 
in /var/mail.

suppose I try to get some astar messages from the maildrop and stroke 
thunderbird getmail.  Seems to work.  But stroke getmail again and a message 
that the password was not whatever because could not get a lock on the maildrop.


Looking at the directory, the first stroke we got a astar-lock file and it 
never 
disappeared, so maybe there is a problem here.  This file is astar/_akpop3d and 
group has only r permissions.  


Now I will be trying some other pop3 server , but here is the counter-argument. 
 
I have had other permission problems recently, so it may not exactly be this 
pop3 server

oh, root mailbox seems to work fine.  thunderbird is running under the astar 
user.



  


Re: akpop3d mysql support openbsd problem

2006-04-11 Thread Ian McWilliam


On 11 Apr 2006, at 11:43 PM, Peter Strömberg wrote:


On 11 Apr 2006 at 23:35, Ian McWilliam wrote:

;-)

You need

CONFIGURE_ARGS= CFLAGS=${CFLAGS} -I${LOCALBASE}/include LDFLAGS=-L 
${LOCALBASE}/lib


then you get to fix the compilation errors in mysql.c ...

/Peter




Take 2. see attached diff. Not tested. Probably needs run deps as well.


Ian McWilliam



akpop3d.diff
Description: Binary data




Re: akpop3d mysql support openbsd problem

2006-04-11 Thread Ian McWilliam


On 12 Apr 2006, at 1:13 AM, Ian McWilliam wrote:



Take 2. see attached diff. Not tested. Probably needs run deps as  
well.




AHHH. Take 3 easier with a tar ball - includes missing patches

Ian McWilliam



akpop3d.tgz
Description: Binary data


akpop3d mysql support openbsd problem

2006-04-10 Thread Tomasz Pajor
Hello,

I've got a problem compiling akpop3d with MySQL on OpenBSD.
It uses shadow.h which is not included in OpenBSD, can anybody help me, to 
start it running?
I'm not able to fix it by myself, that's why I'm writing to the list for 
assistance.

--
Tomasz Pajor
Web(Solutions



Re: akpop3d mysql support openbsd problem

2006-04-10 Thread Joachim Schipper
On Mon, Apr 10, 2006 at 06:47:02PM +0100, Tomasz Pajor wrote:
> Hello,
> 
> I've got a problem compiling akpop3d with MySQL on OpenBSD.
> It uses shadow.h which is not included in OpenBSD, can anybody help me, to
> start it running?
> I'm not able to fix it by myself, that's why I'm writing to the list for
> assistance.

Start by applying the patches in /usr/ports/mail/akpop3d/patches. If
that doesn't work, try something that is supported, or try to interest
someone enough to do the work for you.

Joachim



Re: akpop3d questions

2005-11-28 Thread Maxime Guillaud

Ian McWilliam wrote:

> Not really the port needs fixing some what. Try the attached tar ball.
>
> The port now creates a group _akpop3d and the lock files writable by
> the _akpop3d group.
> You will need to make /var/mail group writable, leave the permissions on
> /var/mail as root:wheel (the default).
>
> The command line I've used for simple testing is
>
> /usr/local/sbin/akpop3d -d -s -c /etc/ssl/server.crt -k /etc/ssl/private/server.key
>
>
> Ian McWilliam



Sorry, I just noticed this thread. I'm the maintainer.
There really is a problem with the group handling in this port, and I 
think Ian's approach is right. This was my first attempt at making a 
port and I guess the edges are a bit rough...


I don't really have the time anymore to maintain this port, and don't 
use it anymore, which makes things harder, so I'll relinquish ownership 
if anyone is willing to handle it.


On a more general note, I found that the code in akpop3d is not the 
prettiest thing around. If you look at the patches in my port, you'll 
see that in several places they make it log errors, whereas the original 
code would just ignore non-zero return codes on calls such as 
getgrnam("mail"). I contributed a bunch of patches to the original 
author over a year ago, but he hasn't released anything since then.


Maxime




Re: akpop3d questions

2005-11-28 Thread J Moore
On Mon, Nov 28, 2005 at 12:34:05PM +1100, the unit calling itself Ian McWilliam wrote:
>
> On 28 Nov 2005, at 8:18 AM, J Moore wrote:
>
> Ian,
>
> Hope you'll excuse my persistence, but I'm still struggling with
> akpop3d. I may be confused, but here's how I see my choices:
>
> 1. chgrp mail /var/mail (after adding mail as a group)
> 2. akpop3d -g wheel (give akpop3 wheel privileges ?)
>
>
> Not really the port needs fixing some what. Try the attached tar ball.
>
> The port now creates a group _akpop3d and the lock files writable by
> the _akpop3d group.
> You will need to make /var/mail group writable, leave the permissions
> on /var/mail as root:wheel (the default).
> The command line I've used for simple testing is
>
> /usr/local/sbin/akpop3d -d -s -c /etc/ssl/server.crt -k /etc/ssl/private/server.key

Ian,

I'm groggy, but I think this fixes it. I plan to start using it in a day 
or two & will let you know if I see anything.

Many thanks, and it looks like you may have inherited a port :) 

Oh - I tried to create a diff between the tarball you sent, and the 
stuff in the tree... it was pretty ugly, and didn't seem to apply.
diff -u -p -r /.../ians_akpop3d /usr/ports/mail/akpop3d > ian.patch

Jay



Re: akpop3d questions

2005-11-27 Thread Ian McWilliam


On 28 Nov 2005, at 8:18 AM, J Moore wrote:


> Ian,
>
> Hope you'll excuse my persistence, but I'm still struggling with
> akpop3d. I may be confused, but here's how I see my choices:
>
> 1. chgrp mail /var/mail (after adding mail as a group)
> 2. akpop3d -g wheel (give akpop3 wheel privileges ?)


Not really the port needs fixing some what. Try the attached tar ball.

The port now creates a group _akpop3d and the lock files writable by
the _akpop3d group.
You will need to make /var/mail group writable, leave the permissions
on /var/mail as root:wheel (the default).

The command line I've used for simple testing is

/usr/local/sbin/akpop3d -d -s -c /etc/ssl/server.crt -k /etc/ssl/private/server.key


Ian McWilliam




akpop3d-port.tgz
Description: Binary data




Re: akpop3d questions

2005-11-24 Thread Ian McWilliam


On 24 Nov 2005, at 4:28 PM, J Moore wrote:

> On Wed, Nov 23, 2005 at 10:08:13PM -0600, the unit calling itself J Moore wrote:
> > I need to set up a POP3 server for a while, and after a quick survey,
> > akpop3d seemed like a good choice - partly because it supports POP3 via
> > SSL. So I built it from the ports tree (3.8 -stable), and installed it.
> >
> > I am currently starting from the command line as follows:
> > # akpop3d -d -s
> >
> > Attempts to connect result in immediate complaints from the client (I've
> > tried two of them: Evolution (Linux) and Pegasus (Windoze).
> >
> > I'm assuming this is due to the fact that I have no cert or key file
> > installed or generated?
> >
> > Before I invest any more time in this, I thought I'd ask if anyone else
> > is using akpop3d, what the consensus of opinion is on it, and if there
> > is any documentation on how to generate the .pem (Base64-encoded?) cert
> > and key files.
>
> Perhaps some fwd progress... got cert & key files installed, but I am
> bombing during the authentication process. Following is part of the
> debug output from my client. I double-checked the password value, and
> it's correct (changed here, but my client's log shows it correctly).
>
> The culprit seems to be the group not found error... WTF, O??
>
> 23:17:13.312  0009 USER jm\0D\0A
> 23:17:13.359  0005 +OK\0D\0A
> 23:17:13.359  0017 PASS abcdefghij\0D\0A
> 23:17:13.500  0033 -ERR [SYS/TEMP] group not found\0D\0A
> 23:17:20.718  0006 QUIT\0D\0A
> 23:17:20.718 18: SSL read error -41 (locus 0, type 0, code 0, 'No data
> was read because the remote system closed the connection (recv() == 0)')
>
> --- Connection closed normally at Wed, 23 Nov 2005 23:17:20. ---
>
>
> Thanks,
> Jay


OK, It looks like the port needs some work as it doesn't handle the
default group name.

main.c:# define DEFAULT_GROUP_NAME "mail"

It appears that this can be changed with a command line arg.

main.c:  case 'g': group_name = optarg; break;

It looks like the groupname is used as an argument to lock the users
mail box.

pop3_session.c.orig:  g_inf = getgrnam("mail");
pop3_session.c.orig:  if (g_inf==NULL) {
pop3_session.c.orig:  if (setegid(g_inf->gr_gid)!=0 && real_username[0] == 0) {
pop3_session.c.orig:    syslog(LOG_ERR,"%s: %u: %s","setegid() failed",g_inf->gr_gid,strerror(errno));
pop3_session.c.orig:  if (setgid(g_inf->gr_gid)!=0 && real_username[0] == 0) {
pop3_session.c.orig:    syslog(LOG_ERR,"%s: %u: %s","setgid() failed",g_inf->gr_gid,strerror(errno));
pop3_session.c.orig:  if ((rc=lock_maildrop(maildrop,u_inf->pw_uid,g_inf->gr_gid))=0)


yup, it then fchowns the lock file

lock_maildrop.c: fchown(fd,uid,gid);

So I would assume on other unix systems /var/mail is group mail by
default, maybe??.


if you want to add "mail" to the /etc/group file

man -k groupadd

groupadd (8) - add a group to the system

Ian McWilliam





Re: akpop3d questions

2005-11-24 Thread J Moore
On Thu, Nov 24, 2005 at 07:17:54PM +1100, the unit calling itself Ian McWilliam wrote:
>
> Perhaps some fwd progress... got cert & key files installed, but I am
> bombing during the authentication process. Following is part of the
> debug output from my client. I double-checked the password value, and
> it's correct (changed here, but my client's log shows it correctly).
>
> The culprit seems to be the group not found error... WTF, O??
>
> 23:17:13.312  0009 USER jm\0D\0A
> 23:17:13.359  0005 +OK\0D\0A
> 23:17:13.359  0017 PASS abcdefghij\0D\0A
> 23:17:13.500  0033 -ERR [SYS/TEMP] group not found\0D\0A
> 23:17:20.718  0006 QUIT\0D\0A
> 23:17:20.718 18: SSL read error -41 (locus 0, type 0, code 0, 'No data
> was read because the remote system closed the connection (recv() == 0)')
> --- Connection closed normally at Wed, 23 Nov 2005 23:17:20. ---
>
>
> OK, It looks like the port needs some work as it doesn't handle the
> default group name.
>
> main.c:# define DEFAULT_GROUP_NAME "mail"
>
> It appears that this can be changed with a command line arg.

It can - that's how I finally got it to work. According to man akpop3d, 
-g groupID does it. (and apparently I'm confused - I thought group ID 
was the number, but akpop3d wants the group name, ... whatever)

> main.c:  case 'g': group_name = optarg; break;
>
> It looks like the groupname is used as an argument to lock the users
> mail box.
>
> pop3_session.c.orig:  g_inf = getgrnam("mail");
> pop3_session.c.orig:  if (g_inf==NULL) {
> pop3_session.c.orig:  if (setegid(g_inf->gr_gid)!=0 && real_username[0] == 0) {
> pop3_session.c.orig:    syslog(LOG_ERR,"%s: %u: %s","setegid() failed",g_inf->gr_gid,strerror(errno));
> pop3_session.c.orig:  if (setgid(g_inf->gr_gid)!=0 && real_username[0] == 0) {
> pop3_session.c.orig:    syslog(LOG_ERR,"%s: %u: %s","setgid() failed",g_inf->gr_gid,strerror(errno));
> pop3_session.c.orig:  if ((rc=lock_maildrop(maildrop,u_inf->pw_uid,g_inf->gr_gid))=0)
>
> yup, it then fchowns the lock file
>
> lock_maildrop.c: fchown(fd,uid,gid);
>
> So I would assume on other unix systems /var/mail is group mail by
> default, maybe??.

That may be... I checked a FreeBSD and a Linux (Fedora) box - both 
listed mail as the group for /var/mail. So OpenBSD would appear to be 
in a minority position.

> if you want to add "mail" to the /etc/group file
>
> man -k groupadd
>
> groupadd (8) - add a group to the system

I thought about this, but wouldn't you actually have to change group 
ownership of /var/mail to group mail for this to make any difference? 
And if you did this, wouldn't you risk breaking something else?

Thanks for the insight,
Jay



Re: akpop3d questions

2005-11-23 Thread J Moore
On Wed, Nov 23, 2005 at 10:08:13PM -0600, the unit calling itself J Moore wrote:
> I need to set up a POP3 server for a while, and after a quick survey,
> akpop3d seemed like a good choice - partly because it supports POP3 via
> SSL. So I built it from the ports tree (3.8 -stable), and installed it.
>
> I am currently starting from the command line as follows:
> # akpop3d -d -s
>
> Attempts to connect result in immediate complaints from the client (I've
> tried two of them: Evolution (Linux) and Pegasus (Windoze).
>
> I'm assuming this is due to the fact that I have no cert or key file
> installed or generated?
>
> Before I invest any more time in this, I thought I'd ask if anyone else
> is using akpop3d, what the consensus of opinion is on it, and if there
> is any documentation on how to generate the .pem (Base64-encoded?) cert
> and key files.

Perhaps some fwd progress... got cert & key files installed, but I am 
bombing during the authentication process. Following is part of the 
debug output from my client. I double-checked the password value, and 
it's correct (changed here, but my client's log shows it correctly).

The culprit seems to be the group not found error... WTF, O??

23:17:13.312  0009 USER jm\0D\0A
23:17:13.359  0005 +OK\0D\0A
23:17:13.359  0017 PASS abcdefghij\0D\0A
23:17:13.500  0033 -ERR [SYS/TEMP] group not found\0D\0A
23:17:20.718  0006 QUIT\0D\0A
23:17:20.718 18: SSL read error -41 (locus 0, type 0, code 0, 'No data 
was read because the remote system closed the connection (recv() == 0)')
--- Connection closed normally at Wed, 23 Nov 2005 23:17:20. ---


Thanks,
Jay



Re: akpop3d questions

2005-11-23 Thread J Moore
On Wed, Nov 23, 2005 at 11:28:47PM -0600, the unit calling itself J Moore wrote:
> On Wed, Nov 23, 2005 at 10:08:13PM -0600, the unit calling itself J Moore wrote:
> > I need to set up a POP3 server for a while, and after a quick survey,
> > akpop3d seemed like a good choice - partly because it supports POP3 via
> > SSL. So I built it from the ports tree (3.8 -stable), and installed it.
> >
> > I am currently starting from the command line as follows:
> > # akpop3d -d -s
> >
> > Attempts to connect result in immediate complaints from the client (I've
> > tried two of them: Evolution (Linux) and Pegasus (Windoze).
> >
> > I'm assuming this is due to the fact that I have no cert or key file
> > installed or generated?
> >
> > Before I invest any more time in this, I thought I'd ask if anyone else
> > is using akpop3d, what the consensus of opinion is on it, and if there
> > is any documentation on how to generate the .pem (Base64-encoded?) cert
> > and key files.
>
> Perhaps some fwd progress... got cert & key files installed, but I am
> bombing during the authentication process. Following is part of the
> debug output from my client. I double-checked the password value, and
> it's correct (changed here, but my client's log shows it correctly).
>
> The culprit seems to be the group not found error... WTF, O??
>
> 23:17:13.312  0009 USER jm\0D\0A
> 23:17:13.359  0005 +OK\0D\0A
> 23:17:13.359  0017 PASS abcdefghij\0D\0A
> 23:17:13.500  0033 -ERR [SYS/TEMP] group not found\0D\0A
> 23:17:20.718  0006 QUIT\0D\0A
> 23:17:20.718 18: SSL read error -41 (locus 0, type 0, code 0, 'No data
> was read because the remote system closed the connection (recv() == 0)')
> --- Connection closed normally at Wed, 23 Nov 2005 23:17:20. ---

What is this group mail...? 

How does it get set up?
Why is it not addressed in the docs or the instructions?

Thnx,
Jay



Re: akpop3d

2005-11-17 Thread Christian Weisgerber
Mike Pechkin [EMAIL PROTECTED] wrote:

> ports@ and naddy@ should be enough.
> do something. :)

I bounced your succinct error report on to the MAINTAINER.
Remind me to look into it again in case he doesn't react.

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



akpop3d

2005-11-15 Thread Mike Pechkin
hi,

1. install
2. run - /usr/local/sbin/akpop3d -d
3. try to connect
Nov 15 10:11:44 gow akpop3d[7184]: Authenticated mpech
Nov 15 10:11:44 gow akpop3d[7184]: group 'mail' not found

wtf, come on.

--mpech


Re: akpop3d

2005-11-15 Thread Jolan Luff
On Tue, Nov 15, 2005 at 04:21:07PM +0200, Mike Pechkin wrote:
> ports@ and naddy@ should be enough.
> do something. :)

in soviet latvia, ports complain about you!

> On 11/15/05, Nikolay Sturm [EMAIL PROTECTED] wrote:
>
> > * Mike Pechkin [2005-11-15]:
> > > 1. install
> > > 2. run - /usr/local/sbin/akpop3d -d
> > > 3. try to connect
> > > Nov 15 10:11:44 gow akpop3d[7184]: Authenticated mpech
> > > Nov 15 10:11:44 gow akpop3d[7184]: group 'mail' not found
> > >
> > > wtf, come on.
> >
> > That port has a maintainer, what did he say when you reported the
> > problem to him?
 
  Nikolay