RE: mail attachment losing content type in delivery failures
I applied this patch and started using the new qmail-send. Normal mails seem to be going fine, but the bounce messages are not reaching me and syslog shows "warning: trouble injecting bounce message, will try later". What could be happening here? I tried to look at qmail-send.c, but no clues.

Thanks,
Ramesh

| > When a mail gets bounced, the content type is getting lost
| >and is coming as text message along with the mail (I am attaching
| >a sample mail). Can anyone please tell me how to preserve the
| >content types?
|
| ftp://ftp.id.wustl.edu/pub/patches/qmail-mime.tgz
Re: Anonymous Qmail Denial of Service
Wouldn't the most simple solution be to just chmod 4550 qmail-queue and force (untrusted) users to use qmail-inject?

--Adam
---
bash: syntax error near unexpected token `:)'
Adam D. McKenna
[EMAIL PROTECTED]

- Original Message -
From: Sam <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 04, 1999 11:33 PM
Subject: Re: Anonymous Qmail Denial of Service

:> > | 4) Could setuid(geteuid()) but that doesn't buy very much.
:> >
:> > That should stop the user from killing qmail-queue, methinks.
:>
:> It doesn't buy much because there is still a time when uid != euid,
:> and the signal can arrive then.
:
:But the temporary file does not exist yet.
:
:> I thought more about my original suggestion. It's bunk because it
:> still allows the leaving behind of a junk mess file.
:
:Not if you know what you're doing. Reset the userid and the session id,
:then create your temporary file.
:
Re: Anonymous Qmail Denial of Service
> > | 4) Could setuid(geteuid()) but that doesn't buy very much.
> >
> > That should stop the user from killing qmail-queue, methinks.
>
> It doesn't buy much because there is still a time when uid != euid,
> and the signal can arrive then.

But the temporary file does not exist yet.

> I thought more about my original suggestion. It's bunk because it
> still allows the leaving behind of a junk mess file.

Not if you know what you're doing. Reset the userid and the session id,
then create your temporary file.
Re: Fw: Anonymous Qmail Denial of Service
> | 4) Could setuid(geteuid()) but that doesn't buy very much.
>
> That should stop the user from killing qmail-queue, methinks.

It doesn't buy much because there is still a time when uid != euid, and the signal can arrive then.

> But perhaps you would normally want the user to have this capability?
> For example when you change your mind in the middle of mailing the
> output of a program.

Not necessarily, because the user would kill the calling process, which is normally qmail-inject but could be his own shell.

> > - Harald
> Not exactly, on an RH 5.1:
>
> -rw-r--r-- 1 qmailq mw 0 Jan 4 07:23 179552
> ---
> Mate Wierdl | Dept. of Math. Sciences | University of Memphis

Red Hat uses a different gid for each user, so yes you can point an accusing finger in that case, but not in general.

I thought more about my original suggestion. It's bunk because it still allows the leaving behind of a junk mess file. Here's another.

The pid file serves as an in-progress flag.
Guarantee: pid files have names unique to their pid (and host).
If a pid file exists, it's obviously junk: attempt to unlink mess.
If intd exists, it's obviously junk: unlink intd.
Create and write intd and mess.
Link todo to intd.
Unlink pid.
(Until here, errors are fatal)
Unlink intd.

-harold
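The pid-file sequence outlined in the message above, as an added C sketch that is not part of the original post and is not qmail's code. Assumptions: the pid file is created first, mess/intd/todo entries are named after the pid file's inode number, the host part of the pid name is left out, and the `stop_at` hook is a hypothetical stand-in for a kill signal arriving mid-injection.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical test hook: stop here, as if a kill signal had arrived. */
enum stop_at { STOP_NEVER, STOP_AFTER_MESS, STOP_AFTER_INTD };

/* Write a whole string and flush it to disk; 0 on success, -1 on error. */
static int write_all(int fd, const char *s)
{
    size_t left = strlen(s);
    while (left > 0) {
        ssize_t n = write(fd, s, left);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        s += n;
        left -= (size_t)n;
    }
    return fsync(fd);
}

/* Number of entries in <qdir>/<sub>, not counting "." and ".."; -1 on error. */
int count_entries(const char *qdir, const char *sub)
{
    char path[512];
    struct dirent *e;
    int n = 0;
    snprintf(path, sizeof path, "%s/%s", qdir, sub);
    DIR *d = opendir(path);
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, ".") != 0 && strcmp(e->d_name, "..") != 0) n++;
    closedir(d);
    return n;
}

/* Build a scratch queue (pid/, mess/, intd/, todo/) from a mkdtemp() template. */
int make_queue(char *tmpl)
{
    static const char *subs[] = { "pid", "mess", "intd", "todo" };
    char path[512];
    if (mkdtemp(tmpl) == NULL) return -1;
    for (int i = 0; i < 4; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, subs[i]);
        if (mkdir(path, 0700) < 0) return -1;
    }
    return 0;
}

/* Returns 0 once queued, 1 when stopped by the test hook, -1 on a fatal error. */
int queue_inject(const char *qdir, const char *body, const char *envelope, enum stop_at stop)
{
    char pidf[512], mess[512], intd[512], todo[512];
    struct stat st;
    int fd;
    snprintf(pidf, sizeof pidf, "%s/pid/%ld", qdir, (long)getpid());
    /* A pid file under our own pid can only be junk from a killed run:
       remove the mess and intd entries named after its inode, then the flag. */
    if (stat(pidf, &st) == 0) {
        snprintf(mess, sizeof mess, "%s/mess/%lu", qdir, (unsigned long)st.st_ino);
        snprintf(intd, sizeof intd, "%s/intd/%lu", qdir, (unsigned long)st.st_ino);
        unlink(mess);
        unlink(intd);
        if (unlink(pidf) < 0) return -1;
    }
    /* Raise the in-progress flag; its inode number names this message. */
    fd = open(pidf, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0) { close(fd); return -1; }
    snprintf(mess, sizeof mess, "%s/mess/%lu", qdir, (unsigned long)st.st_ino);
    snprintf(intd, sizeof intd, "%s/intd/%lu", qdir, (unsigned long)st.st_ino);
    snprintf(todo, sizeof todo, "%s/todo/%lu", qdir, (unsigned long)st.st_ino);
    /* mess is a second name for the flag's inode, so the two stay paired. */
    if (link(pidf, mess) < 0 || write_all(fd, body) < 0) { close(fd); return -1; }
    close(fd);
    if (stop == STOP_AFTER_MESS) return 1;
    if (unlink(intd) < 0 && errno != ENOENT) return -1;  /* leftover intd is junk */
    fd = open(intd, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    if (write_all(fd, envelope) < 0) { close(fd); return -1; }
    close(fd);
    if (stop == STOP_AFTER_INTD) return 1;
    if (link(intd, todo) < 0) return -1;  /* commit: the message is now queued */
    if (unlink(pidf) < 0) return -1;      /* last fatal step: lower the flag */
    unlink(intd);                         /* non-fatal: only a spare name remains */
    return 0;
}

int main(void)
{
    char q[] = "/tmp/qdemoXXXXXX";  /* constructed scratch queue */
    if (make_queue(q) < 0) return 1;
    queue_inject(q, "killed\n", "Fsender@example.org", STOP_AFTER_MESS);
    int rc = queue_inject(q, "queued\n", "Fsender@example.org", STOP_NEVER);
    printf("rc=%d mess=%d todo=%d\n", rc, count_entries(q, "mess"), count_entries(q, "todo"));
    return rc;
}
```

The junk left by an interrupted run is removed only when a later process with the same pid runs the same code, so a periodic sweep of stale pid files would still be needed in practice.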
Re: Vendors and tied hands
On Mon, 4 Jan 1999, Len Budney wrote: > "Sam" <[EMAIL PROTECTED]> wrote: > > And, that's why you're not a vendor. No vendor will have its hands tied > > this way. > > *cough* Bless you. > That's right. And PC vendors ship with Windoze, not through *any* > pressure by Microsoft, because they consider it the best...er, um, > that is, because Microsoft is so unrestrictive in its licensing I can't believe I'm responding to this, but this is actually a perfect example. You won't find very many vendors -happy- to be stuck shipping Windows on every PC they put out the door. Their fate is tied, 100%, to the goodwill of Microsoft. If MS raises the price, they are pretty much stuck. For now. Watch them jump ship as soon as a marketable alternative that doesn't tie their hands as much arrives. Just like an OS vendor, if it can help it, won't tie itself down to a product that it can't support if the author decides to cease development or disappears for whatever reason. But I need to stop posting on this topic. Unless Dan has something to say about it, all of us posting about this (either in favor of his licensing, or against it) are wasting our time. I've got better things to do than argue about this, such as getting the latest Postfix beta up and running on another machine. -- Edward S. Marshall <[EMAIL PROTECTED]> [ What goes up, must come down. ] http://www.logic.net/~emarshal/ [ Ask any system administrator. ] Linux labyrinth 2.2.0-pre4 #1 Sun Jan 3 13:28:42 CST 1999 i586 unknown 9:15pm up 1 day, 5:56, 4 users, load average: 0.02, 0.01, 0.00
Re: wanted: patch to reject mail if envelope sender isn't valid domain
>Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender
>domain can't be resolved?

Funny you should ask, not 15 minutes ago I upgraded to 1.0.3 using such a patch. You want the patches from Jonathan Bradshaw mentioned on www.qmail.org.

The patches do some other stuff as well, most of which is useful, notably logging when qmail-smtpd rejects a mail attempt due to relay or other rules. It also supports a cdb for a large badmailfrom database if you want to try and get into spam filtering by MAIL FROM address. (I don't, I just want the domain validation.)

When you test this, note that the rejection actually comes after the RCPT TO, because he makes a special case of postmaster@ and abuse@ and accepts mail to those even from bogus sender domains.

--
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl,
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail
Vendors and tied hands
I'm kinda tired of this thread, but... "Sam" <[EMAIL PROTECTED]> wrote: > "Unattributed by Sam" wrote: > > I'm not a vendor, but if I was, I *would* jump through hoops to > > distribute qmail. It's not "ultimate", as if that's possible, but it's > > the best there is for the types of applications I have. > > And, that's why you're not a vendor. No vendor will have its hands tied > this way. *cough* That's right. And PC vendors ship with Windoze, not through *any* pressure by Microsoft, because they consider it the best...er, um, that is, because Microsoft is so unrestrictive in its licensing Len. ~~~ Len Budney | Now, what were you saying about Maya Design Group | strategies that don't scale? [EMAIL PROTECTED]| -- Prof. Dan Bernstein | Author of qmail ~~~
web based administration
I'm looking to get qmail running with some web based admin forms. With the current trend of ISPs hiring on the lower end of the evolutionary chain for tech support I would like to either find or build some flashy CGIs to show a summary of someone's queue, allow changes to the account, adding smtproutes or rcpthosts, etc. Does anyone know of any web tools for either qmail or qpopper?
wanted: patch to reject mail if envelope sender isn't valid domain
Has anyone written a patch for Qmail 1.0.3 to reject mail if envelope sender domain can't be resolved? I'm providing a backup MX for someone who is running Sendmail 8.9.x, and my queue is full of spam that keeps getting "451 ...Sender domain must resolve" responses. I'd really like to avoid accepting this stuff in the first place. I read the FAQL and www.qmail.org, but didn't seem to find anything that quite fits the bill, though I think I'll try the Russell's RBL patch. [I'd also like to whack the people that have written MTAs or MUAs that don't respect the precedence field of MX records with a very large clue stick!] Thanks! Eric
Re: dnsfq
What does dnsfq do? I see it in my qmail-pop3.init file

HOST=$($QMAILHOME/bin/dnsfq $($QMAILHOME/bin/hostname)) # your hostname

The whole line above finds your host's fqdn. $QMAILHOME/bin/hostname alone not necessarily.

it returns a hard error every time. I am not clear as to what it is supposed to do, and why it would be returning a hard error.

It is probably because your host's dns is not OK. Tell us your hostname, and we'll see what is wrong. It should be fixed now.

Mate
Re: Why Red Hat is not distributing qmail
> But I've never seen any OSS that I'd put in the same class as > djbware. I have. > >> Just because OSS works for some developers/projects, doesn't mean it's > >> the only valid model. > > > >Well, then, please explain what is so special about Qmail that requires > >something different. The answer is: nothing. > > I believe its extraordinary quality and security sensitive nature > justify its restricted distribution. Its security sensitive nature is no different than the same security sensitive nature that other MTAs have to deal with, and there does not appear to be any problems with their distribution method. As far as quality goes, I've seen better, and I've seen worse. > >You may acknowledge it as > >simply a privilege reserved by the author; but you will not be able to > >claim that there is any good and sound technical reason for it. Any time > >this question is put to you, you keep repeating the same mantra about > >diddling with the code. > > Code quality control is a good, sound technical reason. Code quality has nothing to do with the distribution method. You have a lot of secure, quality, software out there being distributed as OSS. > >Well, diddling with the code doesn't bother those > >who maintain the infrastructure that the Internet runs on. > > Maybe it should. Maybe it would if their code was as tight as > qmail's. Again, please substantiate your implicit assumption that it isn't. You are making a straw argument. > Just because OSS is good enough to run the Internet doesn't > mean it's appropriate for everything. Next time you have a CAT scan, > ask yourself if you'd like the software running the scanner to be Open > Source, running under Red Hat Linux, installed from some RPM that the > technician found on the net, or tightly controlled, tested, audited > code provided by the manufacturer, running on tested, approved, h/w > and OS. 
I'd feel more comfortable with a product that has undergone an extensive peer review and anal exam, as compared to some closed box that only the manufacturer knows how it works. > >Once again, you're changing the topic. Noone said that it has to be a > >democracy. Try arguing the topic, for a change. > > My point is that 5,000 people screaming at Dan for relaxed qmail > redistribution rights won't mean squat. Dan has already considered > relaxed licensing, already heard and considered all of your arguments, > and decided against it. Deal with it. Feel free to point out any time in the past where I have actually argued that. I have not. I don't care. I'm simply debunking the baseless claim that there is any sound reason behind the restrictions on the distribution. There aren't any. It's simply personal privilege, nothing else. Why don't *you* deal with the fact that there's no valid reason for a restrictive distribution license, except personal privilege. > >> >> Oh, right, users installing, say, a broken modified qmail RPM will > >> >> *know* that the packager broke it, not the author. I forgot that. > >> > > >> >Too bad, because they do. You can choose to ignore that fact, but it will > >> >remain a fact nevertheless. > >> > >> Riiight. But even if I agreed, it wouldn't matter. > > > >Well, facts matter to me. > > Then you should realize that your "fact" isn't one: it's an assertion. Of course, you've written OSS that vendors have packaged for distribution, and you have first-hand experience in making that conclusion. > >> >And since add-ons cannot be redistributed, > >> > >> Wrong. > > > >You cannot redistribute Qmail with add-ons, silly. > > You can't distribute modified qmail source or binaries, but you can Right. > distribute virgin qmail + add-ons like rblsmtp and you can distribute > virgin qmail source + source patches for add-ons. Which is what - 5-10% of all the add-ons? > >> Ever heard of rblsmtp? 
> > > >Which is badly broken, > > That's news to me, but I don't use it. Neither do most of the people who have implemented RBL checking (by other means). > >and places unnecessary load on the server, and > > In your opinion. Is how the actual code works just my opinion? Is it only my opinion that rblsmtpd returns a temporary error code, for no good reason, so that the blacklisted relay keeps banging at your server for two weeks, until the mail bounces? As opposed to every other RBL implementation out there, which immediately rejects all mail? > >does not permit selective RBLing based upon the recipient. > > procmail. Modularity. Sure, it's less efficient, in some > ways. It would also be broken. We are not talking about user-level filtering, but system-level filtering. Furthermore, post-receipt filtering opens up your server as a conduit for certain denial-of-service attacks. Anyone who actually done any kind of work or research in that area knows it. > "Premature optimization is the root of all evil." So is a broken spam filter. > >So what is the fact that Qmail is not the ultimate
what to put in ~alias/.qmail-list
I want to set up a mailing list on a virtual domain. Say the virtual domain is virt.org and the list name is mlist. In control/virtualdomains, I have

virt.org:alias-mlist

I'm not sure what to put into ~alias/.qmail-mlist. I'm also not sure about what happens to addresses like [EMAIL PROTECTED] and [EMAIL PROTECTED]. Will the messages sent to them appear on the list as well?

Thank you very much.
Re: deleted mail files
At 11:52 AM 1/4/99 -0800, Samuel Dries-Daffner wrote:
>
>Hello:
>
>We are experiencing a weird loss of mail files. Some users check their
>mail and then the entire file is deleted.
>
>Usually, if they read and delete mail or use a POP client and download
>their mail, the file exists, but it is size = 0. But in this case it's just
>gone. What's more is that qmail doesn't write any mail to a new file, it
>just holds it in the queue. Then when I manually make a file the mail is
>delivered. The manually made file looks like this:
>
>-rw-rw1 amachmail5629 Jan 4 11:45 amach

Sounds like you are effectively doing a /var/spool/mail delivery mechanism. That is, a common directory for mailboxes in mailbox format.

You don't say in the above case, which directory that file lives in. If it's in a common mail area such as /var/spool/mail, you must read all of INSTALL.vsm very carefully. If you've done that, tell us what local delivery program you are using to store new mail. Is it procmail or the mail.local program?

Regards.

>
>I was thinking it may have to do with permissions, but I'm not finding
>(or understanding :) a correlation with the perms on folks home
>directories either...
>
>drwx--x--x6 amachfaculty 4096 Jan 4 09:58 /acct/faculty/amach/
>drwx--x--x 23 helena student 4096 Jan 3 09:52 /acct/student/helena/
>drwxr-xr-x4 cdenton student 4096 Jan 4 11:35 /acct/student/cdenton/
>drwx--3 lawson faculty 4096 Jan 1 00:19 /acct/faculty/lawson/
>drwx--3 bronwen student 4096 Jan 3 20:21 /acct/student/bronwen/
>
>I am trying to see if it is related to the client they are using (most are
>BSD) but still that doesn't explain (to me) why mail would be deleted or
>why qmail wouldn't deliver...
>
>Please help :)
>
>TIA,
>
>Samuel Daffner
>Mills College ITS
Re: Anonymous Qmail Denial of Service
On 4 Jan 99 at 22:25, Harald Hanche-Olsen wrote:

> - "Adam D. McKenna" <[EMAIL PROTECTED]>:
>
> | Maybe I'm a retard, but I fail to see what benefits setuid has over
> | setgid in this case. If a user is able to exploit either of these
> | conditions, then he can read or delete mail from the queue. So why
> | would it make sense to use setuid instead of setgid in this
> | particular scenario? (besides the fact that that's the way djb
> | programmed it)
>
> Well, if you study the permissions in the queue directory carefully,
> you will see that he was quite selective about which program has
> access to what directory: Basically, each program in the qmail suite
> has just the access it needs to do its job. At the very least, making
> qmail-queue setgid rather than setuid would require reworking all
> those permissions. (I am too tired and stressed out right now to
> check if it is even possible.)

Also, as was written before, you may notice that change from setuid to setgid retains user ownership of the file. So it is possible to track who created the file, and who attempted DoS. Am I right?

Regards,
Andrzej Kukula
dnsfq
What does dnsfq do? I see it in my qmail-pop3.init file

HOST=$($QMAILHOME/bin/dnsfq $($QMAILHOME/bin/hostname)) # your hostname

It returns a hard error every time. I am not clear as to what it is supposed to do, and why it would be returning a hard error. I had to change the line to read

HOST=$($QMAILHOME/bin/hostname) # your hostname

Thanks for any answers!

Seek3r
RE: Virtual host provider using qmail (where to find?)
Hi,

Kai MacTane [mailto:[EMAIL PROTECTED]] wrote:
> I haven't seen any replies to this yet...

I did reply off the list.

Right now I'm finishing a new server solution which uses qmail. I've got the basics (HTTP, DNS, mail, FTP) running, but am polishing it off. It will be done later this week, and I'll move customers over to it.

Basically, every virtual domain user has control of their own .qmail* files, and the users' .qmail-default file is linked to a per-virtual-domain fastforward implementation for setting up lots of aliases. However, users are free to change any and all of the mail handling system in their home directory. List capability will be provided with ezmlm-idx.

If anyone else is interested, just e-mail me and I'll tell you when I'm ready to place customers on the new server solution. Or just contact me in a week.

- David Harris
Principal Engineer, DRH Internet Services
Re: Anonymous Qmail Denial of Service
On 1999-01-04 at 22:25:08, Harald Hanche-Olsen wrote:
> At the very least, making qmail-queue setgid rather than setuid would
> require reworking all those permissions. (I am too tired and stressed
> out right now to check if it is even possible.)

Just BTW, I have written my former message assuming that qmail-queue's setuidness is changed to setgidness (with appropriate queue permissions), and nothing else, that makes for accountability, and chargeability (if there's such a word). I somehow missed that the original proposal would be to limit qmail-queue's to be executed only by a few selected programs. On the other hand, this latter solution seems really awkward... For a well administered system, the former is sufficient without a rethink-at-large.

Janos
Re: Anonymous Qmail Denial of Service
- "Adam D. McKenna" <[EMAIL PROTECTED]>:

| Maybe I'm a retard, but I fail to see what benefits setuid has over
| setgid in this case. If a user is able to exploit either of these
| conditions, then he can read or delete mail from the queue. So why
| would it make sense to use setuid instead of setgid in this
| particular scenario? (besides the fact that that's the way djb
| programmed it)

Well, if you study the permissions in the queue directory carefully, you will see that he was quite selective about which program has access to what directory: Basically, each program in the qmail suite has just the access it needs to do its job. At the very least, making qmail-queue setgid rather than setuid would require reworking all those permissions. (I am too tired and stressed out right now to check if it is even possible.)

- Harald
Re: Virtual host provider using qmail (where to find?)
On Mon, Jan 04, 1999 at 11:48:28AM -0800, Kai MacTane wrote:
> At 12:37 PM 1/2/99 +0100, Luca Olivetti wrote:
> >
> >Anyway, I'm looking for a virtual hosting company using qmail *and* allowing
> >users to setup their mailing lists (this is for a non-profit and we need them)
> >either with ezmlm or with our own software (mainly to localize help messages
> >to Spanish -- any hook in ezmlm to do that?).
>
> I haven't seen any replies to this yet...
>
> Ezmlm allows individual users to completely customize the text of all
> administrative messages. The texts are in a subdirectory of the list
> directory.
>
> --Kai MacTane.

We provide virtual hosting, use qmail and allow ssh shell access to a specific shell based machine. This shell machine uses qmqpd to hand off mail to the primary mail server.

For detailed information please email me.

Ken Jones
http://www.inter7.com/
Inter7 Internet Technologies, Inc.
Re: Anonymous Qmail Denial of Service
Maybe I'm a retard, but I fail to see what benefits setuid has over setgid in this case. If a user is able to exploit either of these conditions, then he can read or delete mail from the queue. So why would it make sense to use setuid instead of setgid in this particular scenario? (besides the fact that that's the way djb programmed it)

--Adam

-Original Message-
From: Janos Farkas
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, January 04, 1999 3:31 PM
Subject: Re: Anonymous Qmail Denial of Service

:On 1999-01-04 at 12:12:27, Mate Wierdl wrote:
:>That would require qmail-inject and qmail-smtpd, among others, to be suid
:>or sgid to some uid/gid that will allow them to execute qmail-queue.
:>That would be Wrong(tm).
:>
:> So what could happen if qmail-inject is sgid qmail?
:...
:> but at least invoking uid identification is possible.
:
:[A long boring thread, but..]
:
:And of course then quota on /var can be used to limit the damage a user
:can do to mail submission down to what is negligible. Something still
:tells me it's not really a lot less quirky, but sgid actually has the
:above two advantages (identification/quota). That is, if I did not lose
:any braincells during the holidays which related to this knowledge :)
:
:--
:Janos - Don't worry, my address is real. I'm just bored of spam.
:
Re: Why Red Hat is not distributing qmail
This'll be my last word on the topic. OK, stop cheering. :-) [EMAIL PROTECTED] wrote: >On Mon, 4 Jan 1999, Dave Sill wrote: > >> Question: *Why doesn't* Red Hat ship zmailer, exim, smail, or any >> other OSS sendmail equivalent? > >Because they are not as well tested don't scale and do not offer a >functional replacement for sendmail. I told you that before, but, you >chose to ignore it. If you said that, I missed it. Sorry. I'm a big qmail fan, but even so, I'm pretty sure it's not the only viable sendmail replacement. I'm not interested in arguing this point, though. >> How about if we just let developers who don't want to make their code >> OSS set their own terms based on their beliefs and desires? > >You're dodging the issue. You are claiming that OSS development framework >is somehow defective (in the previous statement of yours that you >conveniently left out). I'm arguing that Dan finds the OSS model inadequate to protect qmail to his level of comfort. I "conveniently" left it out because I didn't see any reason to include it. >Now that I've asked you to explain the defects in >well-known OSS products, you're suddenly changing the topic to something >else. Personally, I'm an OSS fan, and have been for many years--at least 10 years before the term "Open Source Software" was coined. A lot it of it is very good. I shudder to think how I'd do my job if I woke up one day and it all was gone. A good bit of it is crap, too, but I'm able to detect and avoid it pretty easily. But I've never seen any OSS that I'd put in the same class as djbware. If Dan feels the need to restrict diddling of djbware, that's OK with me. I don't care if Red Hat or Debian or OpenBSD switch to qmail. As long as I can install it wherever I need it, and diddle with my own copies as I need to, I'm perfectly happy. >> Just because OSS works for some developers/projects, doesn't mean it's >> the only valid model. 
> >Well, then, please explain what is so special about Qmail that requires >something different. The answer is: nothing. I believe its extraordinary quality and security sensitive nature justify its restricted distribution. >You may acknowledge it as >simply a privilege reserved by the author; but you will not be able to >claim that there is any good and sound technical reason for it. Any time >this question is put to you, you keep repeating the same mantra about >diddling with the code. Code quality control is a good, sound technical reason. >Well, diddling with the code doesn't bother those >who maintain the infrastructure that the Internet runs on. Maybe it should. Maybe it would if their code was as tight as qmail's. Just because OSS is good enough to run the Internet doesn't mean it's appropriate for everything. Next time you have a CAT scan, ask yourself if you'd like the software running the scanner to be Open Source, running under Red Hat Linux, installed from some RPM that the technician found on the net, or tightly controlled, tested, audited code provided by the manufacturer, running on tested, approved, h/w and OS. >> qmail is not a democracy. > >Once again, you're changing the topic. Noone said that it has to be a >democracy. Try arguing the topic, for a change. My point is that 5,000 people screaming at Dan for relaxed qmail redistribution rights won't mean squat. Dan has already considered relaxed licensing, already heard and considered all of your arguments, and decided against it. Deal with it. >> >> Oh, right, users installing, say, a broken modified qmail RPM will >> >> *know* that the packager broke it, not the author. I forgot that. >> > >> >Too bad, because they do. You can choose to ignore that fact, but it will >> >remain a fact nevertheless. >> >> Riiight. But even if I agreed, it wouldn't matter. > >Well, facts matter to me. Then you should realize that your "fact" isn't one: it's an assertion. 
>> >And since add-ons cannot be redistributed, >> >> Wrong. > >You cannot redistribute Qmail with add-ons, silly. You can't distribute modified qmail source or binaries, but you can distribute virgin qmail + add-ons like rblsmtp and you can distribute virgin qmail source + source patches for add-ons. Now who's being silly? >> Ever heard of rblsmtp? > >Which is badly broken, That's news to me, but I don't use it. >and places unnecessary load on the server, and In your opinion. >does not permit selective RBLing based upon the recipient. procmail. Modularity. Sure, it's less efficient, in some ways. "Premature optimization is the root of all evil." >> Fine. Let's just say that qmail requires tcpserver. So what? > >So what is the fact that Qmail is not the ultimate MTA, therefore, if you >choose to argue that a vendor must bend through hoops in order to >distribute it, just because it's so great, you will be mistaken. I'm not a vendor, but if I was, I *would* jump through hoops to distribute qmail. It's not "ultimate", as if that's possible, but it's the best there i
RE: User with Capitals in name
OK, I resolved the issue by running /var/qmail/bin/qmail-newu which created a /var/qmail/users/cdb file, and that solved the issue.

I'm not sure this is the best thing, since I will have to create the /var/qmail/users/assign file then the /var/qmail/users/cdb file every time I add a system user. I may be better off to not allow uppercase user names on my system. I wish there were a better way to handle this...

Maybe I will add the following to my qmail init file

/var/qmail/bin/qmail-pw2u -u < /etc/passwd >/var/qmail/users/assign
/var/qmail/bin/qmail-newu

Well thanks everyone for the help! Now I'm off to get virtual domain hosting working with VMailMgr

Seek3r
RE: User with Capitals in name
Im sorry I should have made this more explicit shadowplay.org is a seperate server, that i am using to send mail out to ntmasters.net, which is the qmail server. -Original Message- From: Soffen, Matthew [mailto:[EMAIL PROTECTED]] Sent: Monday, January 04, 1999 12:27 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: User with Capitals in name You might just want to make sure you have .shadowplay.org in your /var/qmail/control/locals It prolly handles shadowplay.org fine, but it doesn't handle hosts right. Add the line, restart qmail and see what happens then. Matt Soffen Webmaster - http://www.iso-ne.com/ == Boss- "My boss says we need some eunuch programmers." Dilbert - "I think he means UNIX and I already know UNIX." Boss- "Well, if the company nurse comes by, tell her I said never mind." - Dilbert - == -- From: Seek3r[SMTP:[EMAIL PROTECTED]] Reply To: [EMAIL PROTECTED] Sent: Monday, January 04, 1999 3:09 PM To: [EMAIL PROTECTED] Subject:User with Capitals in name I have a user named Seek3r. When I send e-mail to either [EMAIL PROTECTED] or [EMAIL PROTECTED] the message doesnt get to the user Seek3r, and I dont get a bounce back. I do get a message in the /var/qmail/alias/Maildir with the message I pasted at the end of this message. I know this is an issue with the capital letter S in Seek3r, because when I change the user name in the /etc/passwd file to seek3r, and the home dir as well, then rebuild the /var/qmail/users/assign file, everything works fine. When I created the assign file with qmail-pw2u I used the o and u flags (o to skip users without home dirs, and u to allow uppercase letters in user). Why is this happening, and what can I do to fix it? Thanks in advanced for any help! 
Heres the message the postmaster revieces: Return-Path: <#@[]> Delivered-To: [EMAIL PROTECTED] Received: (qmail 3713 invoked by alias); 4 Jan 1999 20:02:07 - Delivered-To: [EMAIL PROTECTED] Received: (qmail 3709 invoked for bounce); 4 Jan 1999 20:02:07 - Date: 4 Jan 1999 20:02:07 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: failure notice Hi. This is the qmail-send program at ntmasters.net. I tried to deliver a bounce message to this address, but the bounce bounced! <[EMAIL PROTECTED]>: Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local. (#5.4.6) --- Below this line is the original bounce. Return-Path: <> Received: (qmail 3707 invoked from network); 4 Jan 1999 20:02:07 - Received: from unknown (HELO ntmasters.net) (209.85.33.100) by 209.85.33.100 with SMTP; 4 Jan 1999 20:02:07 - Received: (qmail 3704 invoked for bounce); 4 Jan 1999 20:02:07 - Date: 4 Jan 1999 20:02:07 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: failure notice Hi. This is the qmail-send program at ntmasters.net. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <[EMAIL PROTECTED]>: Sorry, no mailbox here by that name. (#5.1.1) --- Below this line is a copy of the message. 
Return-Path: <[EMAIL PROTECTED]> Received: (qmail 3701 invoked from network); 4 Jan 1999 20:02:07 - Received: from unknown (HELO mail.sislp.com) (209.85.33.50) by 209.85.33.75 with SMTP; 4 Jan 1999 20:02:07 - Received: by mail.sislp.com from localhost (router,SLMail V3.0); Mon, 04 Jan 1999 11:59:48 -0800 Received: by mail.sislp.com from kuykendallnt [38.186.107.2] (SLmail 3.0.2421 ()); Mon, 04 Jan 1999 11:59:47 -0800 Reply-To: <[EMAIL PROTECTED]> From: "Seek3r" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Testing Seek3r Account Date: Mon, 4 Jan 1999 11:58:37 -0800 Message-ID: <000201be381c$9f699890$[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Testing Seek3r Account
Re: Anonymous Qmail Denial of Service
On 1999-01-04 at 12:12:27, Mate Wierdl wrote:
>That would require qmail-inject and qmail-smtpd, among others, to be suid
>or sgid to some uid/gid that will allow them to execute qmail-queue.
>That would be Wrong(tm).
>
> So what could happen if qmail-inject is sgid qmail?
...
> but at least invoking uid identification is possible.

[A long boring thread, but..]

And of course then quota on /var can be used to limit the damage a user can do to mail submission down to what is negligible. Something still tells me it's not really a lot less quirky, but sgid actually has the above two advantages (identification/quota). That is, if I did not lose any braincells during the holidays which related to this knowledge :)

--
Janos - Don't worry, my address is real. I'm just bored of spam.
RE: User with Capitals in name
You might just want to make sure you have .shadowplay.org in your /var/qmail/control/locals It prolly handles shadowplay.org fine, but it doesn't handle hosts right. Add the line, restart qmail and see what happens then. Matt Soffen Webmaster - http://www.iso-ne.com/ == Boss- "My boss says we need some eunuch programmers." Dilbert - "I think he means UNIX and I already know UNIX." Boss- "Well, if the company nurse comes by, tell her I said never mind." - Dilbert - == -- From: Seek3r[SMTP:[EMAIL PROTECTED]] Reply To: [EMAIL PROTECTED] Sent: Monday, January 04, 1999 3:09 PM To: [EMAIL PROTECTED] Subject:User with Capitals in name I have a user named Seek3r. When I send e-mail to either [EMAIL PROTECTED] or [EMAIL PROTECTED] the message doesnt get to the user Seek3r, and I dont get a bounce back. I do get a message in the /var/qmail/alias/Maildir with the message I pasted at the end of this message. I know this is an issue with the capital letter S in Seek3r, because when I change the user name in the /etc/passwd file to seek3r, and the home dir as well, then rebuild the /var/qmail/users/assign file, everything works fine. When I created the assign file with qmail-pw2u I used the o and u flags (o to skip users without home dirs, and u to allow uppercase letters in user). Why is this happening, and what can I do to fix it? Thanks in advanced for any help! Heres the message the postmaster revieces: Return-Path: <#@[]> Delivered-To: [EMAIL PROTECTED] Received: (qmail 3713 invoked by alias); 4 Jan 1999 20:02:07 - Delivered-To: [EMAIL PROTECTED] Received: (qmail 3709 invoked for bounce); 4 Jan 1999 20:02:07 - Date: 4 Jan 1999 20:02:07 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: failure notice Hi. This is the qmail-send program at ntmasters.net. I tried to deliver a bounce message to this address, but the bounce bounced! <[EMAIL PROTECTED]>: Sorry. 
Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local. (#5.4.6) --- Below this line is the original bounce. Return-Path: <> Received: (qmail 3707 invoked from network); 4 Jan 1999 20:02:07 - Received: from unknown (HELO ntmasters.net) (209.85.33.100) by 209.85.33.100 with SMTP; 4 Jan 1999 20:02:07 - Received: (qmail 3704 invoked for bounce); 4 Jan 1999 20:02:07 - Date: 4 Jan 1999 20:02:07 - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: failure notice Hi. This is the qmail-send program at ntmasters.net. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <[EMAIL PROTECTED]>: Sorry, no mailbox here by that name. (#5.1.1) --- Below this line is a copy of the message. Return-Path: <[EMAIL PROTECTED]> Received: (qmail 3701 invoked from network); 4 Jan 1999 20:02:07 - Received: from unknown (HELO mail.sislp.com) (209.85.33.50) by 209.85.33.75 with SMTP; 4 Jan 1999 20:02:07 - Received: by mail.sislp.com from localhost (router,SLMail V3.0); Mon, 04 Jan 1999 11:59:48 -0800 Received: by mail.sislp.com from kuykendallnt [38.186.107.2] (SLmail 3.0.2421 ()); Mon, 04 Jan 1999 11:59:47 -0800 Reply-To: <[EMAIL PROTECTED]> From: "Seek3r" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Testing Seek3r Account Date: Mon, 4 Jan 1999 11:58:37 -0800 Message-ID: <000201be381c$9f699890$[EMAIL PROTECTED]> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Testing Seek3r Account
Re: Fw: Anonymous Qmail Denial of Service
On 04-Jan-99 Russ Allbery wrote:

> > IIRC, qmail-queue should not be called by someone wanting to submit mail
> > (see doc/PIC*). A better test would be to use qmail-inject:
>
> Doesn't qmail-inject call qmail-queue eventually anyway? So this is just
> a timing issue.

Maybe (I haven't looked at the code) qmail-inject collects the message before calling qmail-queue. You'd have to kill qmail-inject after submitting the message but before the message has been queued, which would usually leave you a very small window of opportunity.

But I tend to be paranoid WRT interrupting programs, and always catch all signals and clean up after me. I just wanted to point out that using a program not designed for interactive use interactively is not totally kosher, IMHO.

Stefaan
--
PGP key available from PGP key servers (http://www.pgp.net/pgpnet/)
___
Perfection is reached, not when there is no longer anything to add, but when there is no longer anything to take away. -- Saint-Exupéry
Patch to checkpassword - auth via CDB - New Version
Hi!

Forgot the attachment the first time... Sorry about that...

This patch allows you to create a CDB file to handle all your authentication with checkpassword.

This patch works with checkpassword-0.81, and requires cdb-0.55. Perl is also required to use a little script that is included to create the authentication database. I added more information to the INSTALL file.

Please let me know if you use it. I would like to know if anybody else finds it useful...

Thanks!

Russel, I don't have a site for it, so could you please include it in www.qmail.org?

---
Pedro Melo [EMAIL PROTECTED] IP - Engenharia http://ip.pt/ Tel: +351-1-3166740 Av. Duque de Avila, 23 Fax: +351-1-3166701 1049-071 LISBOA - PORTUGAL
8:20pm up 5:00, 6 users, load average: 1.51, 1.31, 1.12

patch.checkpassword-0.81
Patch to checkpassword - auth via CDB - New Version
Hi!

This patch allows you to create a CDB file to handle all your authentication with checkpassword.

This patch works with checkpassword-0.81, and requires cdb-0.55. Perl is also required to use a little script that is included to create the authentication database. I added more information to the INSTALL file.

Please let me know if you use it. I would like to know if anybody else finds it useful...

Thanks!

Russel, I don't have a site for it, so could you please include it in www.qmail.org?

---
Pedro Melo [EMAIL PROTECTED] IP - Engenharia http://ip.pt/ Tel: +351-1-3166740 Av. Duque de Avila, 23 Fax: +351-1-3166701 1049-071 LISBOA - PORTUGAL
8:20pm up 5:00, 6 users, load average: 1.51, 1.31, 1.12
Re: deleted mail files
- Samuel Dries-Daffner <[EMAIL PROTECTED]>:

| We are experiencing a weird loss of mail files. Some users check
| their mail and then the entire file is deleted.
|
| Usually, if they read and delete mail or use a POP client and
| download their mail, the file exists, but it is size = 0. But in
| this case it's just gone. What's more is that qmail doesn't write any
| mail to a new file, it just holds it in the queue. Then when I
| manually make a file the mail is delivered. The manually made file
| looks like this:
|
| -rw-rw1 amachmail5629 Jan 4 11:45 amach

What kind of delivery do you use? /bin/mail perhaps?

What appears in the log file when qmail doesn't deliver? (Surely it tries, and fails?)

- Harald
User with Capitals in name
I have a user named Seek3r. When I send e-mail to either [EMAIL PROTECTED] or [EMAIL PROTECTED] the message doesn't get to the user Seek3r, and I don't get a bounce back. I do get a message in the /var/qmail/alias/Maildir with the message I pasted at the end of this message.

I know this is an issue with the capital letter S in Seek3r, because when I change the user name in the /etc/passwd file to seek3r, and the home dir as well, then rebuild the /var/qmail/users/assign file, everything works fine.

When I created the assign file with qmail-pw2u I used the o and u flags (o to skip users without home dirs, and u to allow uppercase letters in user).

Why is this happening, and what can I do to fix it?

Thanks in advance for any help!

Here's the message the postmaster receives:

Return-Path: <#@[]>
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 3713 invoked by alias); 4 Jan 1999 20:02:07 -
Delivered-To: [EMAIL PROTECTED]
Received: (qmail 3709 invoked for bounce); 4 Jan 1999 20:02:07 -
Date: 4 Jan 1999 20:02:07 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at ntmasters.net.
I tried to deliver a bounce message to this address, but the bounce bounced!

<[EMAIL PROTECTED]>:
Sorry. Although I'm listed as a best-preference MX or A for that host, it isn't in my control/locals file, so I don't treat it as local. (#5.4.6)

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 3707 invoked from network); 4 Jan 1999 20:02:07 -
Received: from unknown (HELO ntmasters.net) (209.85.33.100) by 209.85.33.100 with SMTP; 4 Jan 1999 20:02:07 -
Received: (qmail 3704 invoked for bounce); 4 Jan 1999 20:02:07 -
Date: 4 Jan 1999 20:02:07 -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: failure notice

Hi. This is the qmail-send program at ntmasters.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[EMAIL PROTECTED]>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <[EMAIL PROTECTED]>
Received: (qmail 3701 invoked from network); 4 Jan 1999 20:02:07 -
Received: from unknown (HELO mail.sislp.com) (209.85.33.50) by 209.85.33.75 with SMTP; 4 Jan 1999 20:02:07 -
Received: by mail.sislp.com from localhost (router,SLMail V3.0); Mon, 04 Jan 1999 11:59:48 -0800
Received: by mail.sislp.com from kuykendallnt [38.186.107.2] (SLmail 3.0.2421 ()); Mon, 04 Jan 1999 11:59:47 -0800
Reply-To: <[EMAIL PROTECTED]>
From: "Seek3r" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Testing Seek3r Account
Date: Mon, 4 Jan 1999 11:58:37 -0800
Message-ID: <000201be381c$9f699890$[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3

Testing Seek3r Account
Re: Virtual host provider using qmail (where to find?)
Luca Olivetti ... If no company is found please send me a message with the # of lists/addresses/load you expect and I'll see what I can do to provide what you need. Scott
Re: tcpserver question (for lack of a better venue)
dave-mlist <[EMAIL PROTECTED]> writes:

> This works great when the news feed server obeys the RFC. But sometimes
> the news feed server disconnects before typing the QUIT command. This
> leaves an "nntp-listen" process waiting for more input. What do I have
> to do to make tcpserver communicate to nntp-listen that the connection
> is gone?

It should get an EOF on stdin when the remote side closes the connection.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/>
Re: Virtual host provider using qmail (where to find?)
At 12:37 PM 1/2/99 +0100, Luca Olivetti wrote:
>
>Anyway, I'm looking for a virtual hosting company using qmail *and* allowing
>users to setup their mailing lists (this is for a non-profit and we need them)
>either with ezmlm or with our own software (mainly to localize help messages
>to Spanish -- any hook in ezmlm to do that?).

I haven't seen any replies to this yet...

Ezmlm allows individual users to completely customize the text of all administrative messages. The texts are in a subdirectory of the list directory.

--Kai MacTane.
deleted mail files
Hello:

We are experiencing a weird loss of mail files. Some users check their mail and then the entire file is deleted.

Usually, if they read and delete mail or use a POP client and download their mail, the file exists, but it is size = 0. But in this case it's just gone. What's more is that qmail doesn't write any mail to a new file, it just holds it in the queue. Then when I manually make a file the mail is delivered. The manually made file looks like this:

-rw-rw1 amachmail5629 Jan 4 11:45 amach

I was thinking it may have to do with permissions, but I'm not finding (or understanding :) a correlation with the perms on folks' home directories either...

drwx--x--x6 amachfaculty 4096 Jan 4 09:58 /acct/faculty/amach/
drwx--x--x 23 helena student 4096 Jan 3 09:52 /acct/student/helena/
drwxr-xr-x4 cdenton student 4096 Jan 4 11:35 /acct/student/cdenton/
drwx--3 lawson faculty 4096 Jan 1 00:19 /acct/faculty/lawson/
drwx--3 bronwen student 4096 Jan 3 20:21 /acct/student/bronwen/

I am trying to see if it is related to the client they are using (most are BSD) but still that doesn't explain (to me) why mail would be deleted or why qmail wouldn't deliver...

Please help :)

TIA,
Samuel Daffner
Mills College ITS
Re: Why Red Hat is not distributing qmail
On Mon, Jan 04, 1999 at 02:45:22PM -0500, Sam wrote: # On Mon, 4 Jan 1999, Justin Bell wrote: # # > # No inetd in existance can be configured for higher connections, yet still # > # implement load limiting. Nobody running Qmail in any kind of a production # ^^^ # > # mode will be able to get it work with inetd. # > umm, I beg to differ, running qmail as a gateway between firewall and # > internet, using inetd with several thousand messages a day, and we were # > running mailing lists from this box at one time, # # [ snip ] # # Wait until someone mailbombs you. Your inetd doesn't keep of spawned # services? That means that it'll keep spawning them until the kernel # crashes. this server has been in production for well over a year, handling that many and more messages per day, 47000 over the 6 days from Dec 30-Jan4 we have been mailbombed, our ISP was temporarily banned from sendmail mail to AOL and routed through our server their list of 3-4000 aol users (mailing list, ezmlm) one message at a time, the load brought on by smtpd was miniscule, the load brought on by qmail-remote was fairly large though. -- /- [EMAIL PROTECTED] --- [EMAIL PROTECTED] -\ |Justin Bell NIC:JB3084| Time and rules are changing. | |Simon & Schuster A&AT | Attention span is quickening.| |Programmer | Welcome to the Information Age. | \ http://www.superlibrary.com/people/justin/ --/
Re: Anonymous Qmail Denial of Service
On 04 Jan 99 17:41:22 +0100, Rask Ingemann Lambertsen wrote:

> However, the interesting thing here is not the DoS itself, but the problem
>that you don't know who to point the gun at afterwards.

Why not:

1. write message tai.pid.N
1a close message handle
2. write addresses, etc.
3. Move tai.pid.N to tai.pid
4. link addresses to todo.
5. close addresses.
6. Have qmail-clean also remove any message files "tai.pid.N" where "pid" is a pid not used by a currently running [qmail-queue] process.

[I don't know how expensive this piece of info is, but it would be rare, since it would normally only be files for currently running qmail-queue. It can be made even rarer by placing a restriction on "tai" to say > 5 min old.

Now as long as qmail-clean is run more frequently than it takes to snarf all inodes (and does this faster than the snarfing program), it should work. Any qmail-queue attack needs to fork qmail-queue once per inode stolen, whereas qmail-clean runs until done, so qmail-clean should remove files faster than they are created.

In the normal case, qmail-clean would do the extra work of looking up the pid once per currently running qmail-queue process (the number of expected tai.pid.N files).

qmail-clean could also go through mess files and do the "pid" check for any mess files for which there does not exist a todo, local, remote, or bounce file. This way, the "N" could be eliminated, but this seems unacceptably expensive in the normal case, since it involves 4 lookups for each message in the queue.

Hope this makes some sense ...

-Sincerely, Fred

(Frederik Lindberg, Infectious Diseases, WashU, St. Louis, MO, USA)
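Step 6 of the proposal above (the qmail-clean side), as an added example that is not qmail source or code from this thread. The function names are hypothetical, the "tai" part is read as plain decimal seconds, and the liveness test is `kill(pid, 0)`, which shows only that the pid is taken, not that it belongs to qmail-queue.

```c
/* Added example, not qmail source: sweep abandoned "tai.pid.N" files. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define MIN_AGE 300L /* seconds: the "> 5 min old" restriction */

/* Accept only "<tai>.<pid>.N". Reading the timestamp as plain decimal
   seconds is an assumption of this example. */
static int parse_partial(const char *name, long *tai, long *pid)
{
    char *end;
    if (*name < '0' || *name > '9') return 0;
    errno = 0;
    *tai = strtol(name, &end, 10);
    if (errno || *end != '.' || end[1] < '0' || end[1] > '9') return 0;
    *pid = strtol(end + 1, &end, 10);
    if (errno || *pid <= 0 || *pid != (long)(pid_t)(*pid)) return 0;
    return end[0] == '.' && end[1] == 'N' && end[2] == '\0';
}

/* Signal 0 probes for existence without delivering anything. A recycled
   pid therefore keeps a stale file a little longer; it never deletes early. */
static int pid_in_use(long pid)
{
    if (kill((pid_t)pid, 0) == 0) return 1;
    return errno == EPERM; /* exists, but owned by another uid */
}

/* Remove partial files that are old enough and whose writer is gone.
   Returns the number removed, or -1 if the directory cannot be read. */
static int sweep_partials(const char *dir, time_t now)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[4096];
    long tai, pid;
    int removed = 0;

    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!parse_partial(e->d_name, &tai, &pid)) continue; /* not tai.pid.N */
        if ((long)now - tai <= MIN_AGE) continue;   /* may still be in progress */
        if (pid_in_use(pid)) continue;              /* writer still alive */
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;
        if (unlink(path) == 0) removed++;
    }
    closedir(d);
    return removed;
}

/* ---- constructed demo: a scratch directory stands in for the queue ---- */
static int demo_left; /* files that survived the sweep */

static void touch(char *path, size_t n, const char *dir, long tai, long pid, const char *sfx)
{
    FILE *f;
    snprintf(path, n, "%s/%ld.%ld%s", dir, tai, pid, sfx);
    if ((f = fopen(path, "w")) != NULL) fclose(f);
}

static int demo_sweep(void)
{
    char dir[] = "/tmp/qsweepXXXXXX", p[4][256];
    long now = (long)time(NULL);
    int removed, i;
    pid_t dead;

    if (!mkdtemp(dir)) return -1;
    dead = fork();            /* a child that exited and was reaped */
    if (dead == 0) _exit(0);  /* leaves a pid that nobody owns      */
    if (dead < 0) return -1;
    waitpid(dead, NULL, 0);

    touch(p[0], sizeof p[0], dir, now - 600, (long)dead, ".N");     /* removed */
    touch(p[1], sizeof p[1], dir, now - 600, (long)getpid(), ".N"); /* writer alive */
    touch(p[2], sizeof p[2], dir, now - 10, (long)dead, ".N");      /* too young */
    touch(p[3], sizeof p[3], dir, now - 600, (long)dead, "");       /* already tai.pid */
    removed = sweep_partials(dir, (time_t)now);
    for (demo_left = i = 0; i < 4; i++)
        if (unlink(p[i]) == 0) demo_left++; /* count survivors, tidy up */
    rmdir(dir);
    return removed;
}

int main(void)
{
    int removed = demo_sweep();
    printf("removed %d, kept %d\n", removed, demo_left);
    return 0;
}
```

The age check runs before the pid probe, so files belonging to submissions still in progress cost no lookup at all.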
tcpserver question (for lack of a better venue)
I wrote a little news feed client program called nntp-listen, and I run it with the following command:

    /usr/local/bin/supervise /root/news/supervise/server/ \
    /usr/local/bin/tcpserver 0 119 /root/news/nntp-listen 2>&1 \
    | /usr/local/bin/accustamp \
    | /usr/local/bin/cyclog /root/news/log/server/ &

This works great when the news feed server obeys the RFC. But sometimes the news feed server disconnects before typing the QUIT command. This leaves an "nntp-listen" process waiting for more input. What do I have to do to make tcpserver communicate to nntp-listen that the connection is gone?

For example, here is what the listening processes look like before a connection:

    [root@feedclient news]# ps auxw | egrep 'RSS|nntp' | grep -v egrep
    USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
    root 3948 0.0 0.4 736 260 p2 S Dec 31 0:00 /usr/local/bin/supervise /root/news/supervise/server/ /usr/local/bin/tcpserver 0 119 /root/news/nntp-
    root 3951 0.0 0.5 812 356 p2 S Dec 31 0:00 /usr/local/bin/tcpserver 0 119 /root/news/nntp-listen
    [root@feedclient news]#

Netstat says nothing about nntp:

    [root@feedclient news]# netstat -A inet | grep nntp | grep -v egrep
    [root@feedclient news]#

Now I will open a feed to feedclient:

    [dave@knave dave]$ telnet feedclient 119
    Trying 207.168.228.71...
    Connected to feedclient.directint.net.
    Escape character is '^]'.
    200 feed news server ready - posting ok

At this point, let's look at the status on feedclient again:

    [root@feedclient news]# ps auxw | egrep 'RSS|nntp' | grep -v egrep
    USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
    root 3948 0.0 0.4 736 260 p2 S Dec 31 0:00 /usr/local/bin/supervise /root/news/supervise/server/ /usr/local/bin/tcpserver 0 119 /root/news/nntp-
    root 3951 0.0 0.5 812 356 p2 S Dec 31 0:00 /usr/local/bin/tcpserver 0 119 /root/news/nntp-listen
    root 8748 1.4 2.8 2532 1856 p2 S04:07 0:00 perl -w /root/news/nntp-listen
    [root@feedclient news]# netstat -A inet | grep nntp | grep -v egrep
    tcp0 0 feedclient.directint.:nntp knave.directint.ne:8031 ESTABLISHED
    [root@feedclient news]#

Now I'll close the feed without typing "quit," and we'll check the status on feedclient again:

    [root@feedclient news]# ps auxw | egrep 'RSS|nntp' | grep -v egrep
    USER PID %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
    root 3948 0.0 0.4 736 260 p2 S Dec 31 0:00 /usr/local/bin/supervise /root/news/supervise/server/ /usr/local/bin/tcpserver 0 119 /root/news/nntp-
    root 3951 0.0 0.5 812 356 p2 S Dec 31 0:00 /usr/local/bin/tcpserver 0 119 /root/news/nntp-listen
    root 8748 4.0 2.9 2536 1864 p2 R04:07 0:05 perl -w /root/news/nntp-listen
    [root@feedclient news]# netstat -A inet | grep nntp | grep -v egrep
    tcp0 0 feedclient.directint.:nntp knave.directint.ne:8031 CLOSE_WAIT
    [root@feedclient news]#

As you can see, the "nntp-listen" process never gets told to quit. This means that if the feed opens and rudely closes the connection over and over again, tcpserver will keep spawning new nntp-listen processes. Obviously this quickly makes the load on the client rise unacceptably. How can I fix this?

Thanks,
Dave
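What Russ Allbery's reply in this thread (EOF on stdin) means for a program run under tcpserver, as an added example that is not nntp-listen or any code from the thread: a zero-byte read ends the session instead of being retried. The names `serve` and `demo_session`, the reply strings and the 512-byte line limit are assumptions of this sketch.

```c
/* Added example, not nntp-listen: command loop for a tcpserver child. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

enum end_reason { END_QUIT, END_EOF, END_ERROR };

/* Answer one command. Returns 1 after QUIT, 0 to keep going, -1 if the
   reply cannot be written (the peer is gone in that direction too). */
static int handle_line(int out, const char *line)
{
    int quit = strcasecmp(line, "QUIT") == 0;
    const char *reply = quit ? "205 closing connection\r\n"
                             : "500 command not recognized\r\n";
    if (write(out, reply, strlen(reply)) < 0) return -1;
    return quit;
}

/* Read commands from `in` until QUIT, end-of-file or an error.
   Under tcpserver this would be called as serve(0, 1). */
static enum end_reason serve(int in, int out)
{
    char buf[512], *nl;
    size_t used = 0;

    for (;;) {
        ssize_t n = read(in, buf + used, sizeof buf - 1 - used);
        if (n == 0) return END_EOF;   /* peer closed: leave, never re-read */
        if (n < 0) {
            if (errno == EINTR) continue;
            return END_ERROR;
        }
        used += (size_t)n;
        buf[used] = '\0';
        while ((nl = strchr(buf, '\n')) != NULL) {
            size_t len = (size_t)(nl - buf) + 1;   /* line incl. newline */
            int r;
            *nl = '\0';
            if (len > 1 && nl[-1] == '\r') nl[-1] = '\0';
            r = handle_line(out, buf);
            if (r != 0) return r > 0 ? END_QUIT : END_ERROR;
            used -= len;
            memmove(buf, buf + len, used + 1);     /* keep the partial tail */
        }
        if (used == sizeof buf - 1) used = 0;      /* overlong line: drop it */
    }
}

/* Constructed session: a pipe stands in for the socket tcpserver hands
   over on descriptor 0; closing the write end is the feed hanging up. */
static enum end_reason demo_session(const char *script)
{
    int p[2], out;
    enum end_reason r = END_ERROR;

    if (pipe(p) < 0) return END_ERROR;
    out = open("/dev/null", O_WRONLY);
    if (out >= 0 && write(p[1], script, strlen(script)) >= 0) {
        close(p[1]);
        p[1] = -1;
        r = serve(p[0], out);
    }
    if (p[1] >= 0) close(p[1]);
    close(p[0]);
    if (out >= 0) close(out);
    return r;
}

int main(void)
{
    int no_quit = demo_session("MODE READER\r\n");
    int with_quit = demo_session("MODE READER\r\nQUIT\r\n");
    printf("no QUIT: %d, with QUIT: %d\n", no_quit, with_quit);
    return 0;
}
```

A loop that treats the zero return as "no data yet" and reads again never blocks and never exits, which is one way to end up with a process in state R on a CLOSE_WAIT socket.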
Re: Fw: Anonymous Qmail Denial of Service
Stefaan A Eeckels <[EMAIL PROTECTED]> writes:

> IIRC, qmail-queue should not be called by someone wanting to submit mail
> (see doc/PIC*). A better test would be to use qmail-inject:

Doesn't qmail-inject call qmail-queue eventually anyway? So this is just a timing issue.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/>
Re: Error 4.4.1
On Mon, Jan 04, 1999 at 01:21:09PM -0500, Paul Farber wrote:
> Hello all,
>
> Having a strange problem with qmail 1.3 on a RedHat 5.1 box.
>
> I have a virtual domain schoeneman.com, which is in rcpthosts,
> virtualdomain. Running qmail-smptd with tcpserver.
>
> When sending a msg to the virt domain i get:
>
> Jan 4 13:11:32 admin qmail: 915473492.706001 starting delivery 226: msg
> 66156 to remote [EMAIL PROTECTED]
> Jan 4 13:11:32 admin qmail: 915473492.706212 status: local 0/10 remote
> 1/20
> Jan 4 13:11:32 admin qmail: 915473492.747202 delivery 226: deferral:
> Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

> and the IP of the mail server is in the range:
>
> [root@mail tcprules.d]# nslookup mail.schoeneman.com
> Server: dns0.f-tech.net
> Address: 207.44.65.10
>
> Name:mail.f-tech.net
> Address: 207.44.65.16
> Aliases: mail.schoeneman.com

But it seems to me that the mx for schoeneman.com points to login.f-tech.net:

    # nslookup -query=mx schoeneman.com
    Server: dns1.memphis.edu
    Address: 141.225.253.21

    schoeneman.com preference = 10, mail exchanger = login.f-tech.net
    [...]
    login.f-tech.netinternet address = 207.44.65.15

and I certainly was not able to telnet to port 25 on login.f-tech.net:

    $ telnet login.f-tech.net 25
    Trying 207.44.65.15...
    telnet: Unable to connect to remote host: Connection refused

while I could

    $ telnet mail.f-tech.net 25
    Trying 207.44.65.16...
    Connected to mail.f-tech.net.
    Escape character is '^]'.
    220 mail.f-tech.net ESMTP
    quit
    221 mail.f-tech.net
    Connection closed by foreign host.

Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: mail attachment losing content type in delivery failures
On Mon, 4 Jan 1999 20:00:10 +0530, Ramesh Panuganty wrote:

> When a mail gets bounced, the content type is getting lost
>and is coming as text message alongwith the mail (I am attaching
>a sample mail). Can anyone please tell me how to preserve the
>content types?

ftp://ftp.id.wustl.edu/pub/patches/qmail-mime.tgz

[If you use ezmlm, but not ezmlm-idx, also apply the ezmlm-return patch in the package. If you don't know what ezmlm is, don't worry about it.]

-Sincerely, Fred

(Frederik Lindberg, Infectious Diseases, WashU, St. Louis, MO, USA)
Re: one email with cc creates multiple messages - oh dear.
"Brian S. Craigie" <[EMAIL PROTECTED]> wrote: > >Say for example I send an email with a 3Mb attachment to my home >address and CC: it to my family members, it's going to be sent, say, >5 times over a 33kBPS modem link, and take maybe 1 hour per message, >so 5 hours instead of 1 hour. qmail is designed for well-connected systems. e-mail is not well suited to distributing large files. If your ISP cooperated, you could use qmail-qmqpc/qmail-qmqpd to pass delivery off to a smart host. >Please Please tell me there's an easy way to tell qmail not to create >separate messages in this case? Sorry... -Dave
Error 4.4.1
Hello all,

Having a strange problem with qmail 1.3 on a RedHat 5.1 box.

I have a virtual domain schoeneman.com, which is in rcpthosts, virtualdomain. Running qmail-smptd with tcpserver.

When sending a msg to the virt domain I get:

Jan 4 13:11:32 admin qmail: 915473492.706001 starting delivery 226: msg 66156 to remote [EMAIL PROTECTED]
Jan 4 13:11:32 admin qmail: 915473492.706212 status: local 0/10 remote 1/20
Jan 4 13:11:32 admin qmail: 915473492.747202 delivery 226: deferral: Sorry,_I_wasn't_able_to_establish_an_SMTP_connection._(#4.4.1)/

But when sending it to a local I get:

Jan 4 13:11:09 admin qmail: 915473469.896317 starting delivery 225: msg 66158 to remote [EMAIL PROTECTED]
Jan 4 13:11:09 admin qmail: 915473469.896512 status: local 0/10 remote 1/20
Jan 4 13:11:10 admin qmail: 915473470.695127 delivery 225: success: 207.44.65.16_accepted_message./Remote_host_said:_250_ok_915477206_qp_27002/
Jan 4 13:11:10 admin qmail: 915473470.695329 status: local 0/10 remote 0/20
Jan 4 13:11:10 admin qmail: 915473470.695407 end msg 66158

I have the following tcprules running with tcpserver:

207.44.65.:allow,RELAYCLIENT=""
146.145.48.133-159:allow,RELAYCLIENT=""
127.:allow,RELAYCLIENT=""
:allow

and the IP of the mail server is in the range:

[root@mail tcprules.d]# nslookup mail.schoeneman.com
Server: dns0.f-tech.net
Address: 207.44.65.10

Name:mail.f-tech.net
Address: 207.44.65.16
Aliases: mail.schoeneman.com

It would seem that NO mail is being accepted at that virt domain... (tried several other accounts in schoeneman.com).

Any ideas?

Thanks.

Paul D. Farber II
Farber Technology
717-628-5303
[EMAIL PROTECTED]
Re: Fw: Anonymous Qmail Denial of Service
> But does qmail-queue have to be executable by o? If a user cannot
> execute qmail-queue directly, the identification problem disappear,
> does not it?

That would require qmail-inject and qmail-smtpd, among others, to be suid or sgid to some uid/gid that will allow them to execute qmail-queue. That would be Wrong(tm).

So what could happen if qmail-inject is sgid qmail?

If this is wrong, then qmail-queue should just immediately write the invoking uid in the received line. It still would not prevent a DoS, like

    while true; do
        qmail-queue&
        killall qmail-queue
    done

but at least invoking uid identification is possible.

Mate
one email with cc creates multiple messages - oh dear.
Hi all.

I saw the multiple RCPTs discussed several times in the archives, but did not see an answer applicable to our situation.

If I send an email to person1 and cc: it to person2, qmail creates two separate messages which our poor email server has to send separately. Our email server sends to a smarthost (our ISP) so we'd much rather send one message with 2 RCPT headers.

Say for example I send an email with a 3Mb attachment to my home address and CC: it to my family members, it's going to be sent, say, 5 times over a 33kBPS modem link, and take maybe 1 hour per message, so 5 hours instead of 1 hour.

Please Please tell me there's an easy way to tell qmail not to create separate messages in this case? Else, we're going to be hammered for phone line charges.

Thanks!

Brian
Unix Sysadmin
Fledgling Qmail admin.
Re: Why Red Hat is not distributing qmail
On Mon, Jan 04, 1999 at 12:40:14PM -0500, Dave Sill wrote: > Apprently I need to nail *both* feet to the floor. Okay. Let me know > which of the following statements you disagree with. > > 1) Red Hat ships sendmail. > > 2) Red Hat doesn't ship qmail, zmailer, exim, smail, or any other OSS >sendmail equivalent. Note: Redhat uses qmail, and understands its capabilities and advantages vs. zmailer (can't handle large queues w/o completely bogging down), exim (monolithic design), smail (waaay out of date, many versions were quite insecure), vmailer (still no-where near close to completion). > 5) Licensing doesn't prevent Red Hat from shipping zmailer, exim, >smail, or any other OSS sendmail equivalent. > > Question: *Why doesn't* Red Hat ship zmailer, exim, smail, or any > other OSS sendmail equivalent? I've postulated an answer earlier in this thread. I pretty much repeat it above. The answer I percieve is that qmail is the only mailer that's convincingly so much better then sendmail that it can act as an alternative. > My Guess: Inertia: too hard to change, not enough incentive to change, > belief that sendmail is good enough, etc. No O'Reilly book, either. Yet. > >So let's have all OSS authors stop writing code, because they can't ensure > >that all complaints due to broken packaging will go to the responsible > >vendor. Let's recall Apache, sendmail, Inn, and Bind, and withdraw them > >from distribution. Clearly the OSS scheme doesn't work, and generates > >horribly buggy installations. > > How about if we just let developers who don't want to make their code > OSS set their own terms based on their beliefs and desires? Why is it that everyone treats software as though only one license were possible at a time? Software can be released under multiple licenses at the same time. It has been suggested (long ago) that to satisfy the need for modification djb could release qmail under the condition that if the software was modified then it could no longer be called qmail. 
Why not go one step further? Why not release 2 tarballs with 2 different licenses. One called qmail-1.03.tar.gz, one called djb-is-not-responsible-for-this-mailer,contact-your-explicitive-deleted-vendor.tar.gz, with the latter being modifiable, copyright djb, with no support and no mention of qmail or djb allowed anywhere except to declare that he has no responsability for anything that happens in a distribution containing it, and that any vendors or users of the package who claim that he is responsible for problems subject themselves to liable, or whatever djb feels is legally necessary for him to protect his good name. -Peter
Re: ~alias question.(.qmail forwards)
- Greg Moeller <[EMAIL PROTECTED]>:

| Example:
| I want to put an autoreply on [EMAIL PROTECTED]
| The file .qmail-abuse in /var/qmail/alias has a first line of:
| |autorespond 1 5 help_message help_autorespond
| What do I put in for the local delivery to ~abuse?

There's a problem here: If abuse is a user (by qmail-getpw's rules, see the man page) then you cannot override it using ~alias/.qmail-abuse. Use the users/assign mechanism to override existing users.

| I'm guessing that
| /home/abuse/Maildir/
| wouldn't work since at this point it wouldn't be able to deliver as that user.
| Or am I wrong?

Well, if that maildir was writable by the alias user it could work.

| I can't set this up as a .qmail in abuse's .qmail file because I
| have a number of them, and maintenance of the autorespond system
| would be a pain with directories all over the place.

I think you might have to play some games with the users/assign mechanism to do what you want. Something like this:

    =abuse:alias:123:456:/var/qmail/alias:+:autorespond-abuse:
    =real-abuse:abuse:987:654:/home/abuse:::

where /var/qmail/alias/.qmail+autorespond-default contains

    |autorespond 1 5 help_message help_autorespond
    |forward "real-${EXT2}@${HOST}"

This requires just one .qmail file to handle all the autoresponding, while you must create two lines like the above in users/assign for each user for which you wish to perform this trick.

(Here 123:456 is the uid:gid of the alias user, while 987:654 are those of the abuse user. I use the + character instead of the customary - to disable mailing directly to autorespond-something.)

- Harald
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 11:49:19AM -0600, Mate Wierdl wrote:
> >3) Why not write the uid into a Received: line automatically?
>
> If you do
>
>    echo |qmail-queue
>
> you see
>
> cat /var/qmail/queue/mess/16/179646
> Received: (qmail 32431 invoked by uid 500); 4 Jan 1999 17:32:36 -
>
> so I guess the same should happen just by doing
>
>    qmail-queue
>
> But does qmail-queue have to be executable by o? If a user cannot
> execute qmail-queue directly, the identification problem disappear,
> does not it?

That would require qmail-inject and qmail-smtpd, among others, to be suid or sgid to some uid/gid that will allow them to execute qmail-queue. That would be Wrong(tm).

Greetz, Peter.
--
AND I AM GONNA KILL MIKE| Peter van Dijk hardbeat, als je nog nuchter bent: | [EMAIL PROTECTED] @date = localtime(time); | realtime security d00d $date[5] += 2000 if ($date[5] < 37); | $date[5] += 1900 if ($date[5] < 99); |-x- available -x-
Re: Fw: Anonymous Qmail Denial of Service
3) Why not write the uid into a Received: line automatically?

If you do

    echo |qmail-queue

you see

    cat /var/qmail/queue/mess/16/179646
    Received: (qmail 32431 invoked by uid 500); 4 Jan 1999 17:32:36 -

so I guess the same should happen just by doing

    qmail-queue

But does qmail-queue have to be executable by o? If a user cannot execute qmail-queue directly, the identification problem disappear, does not it?

Mate
Re: Why Red Hat is not distributing qmail
[EMAIL PROTECTED] wrote:
>On Mon, 4 Jan 1999, Dave Sill wrote:
>
>> [EMAIL PROTECTED] wrote:
>> >On Wed, 30 Dec 1998, Dave Sill wrote:
>> >
>> >> Let me try again. Licensing alone could conceivably explain why Red
>> >> Hat doesn't ship qmail. But it doesn't explain why they don't ship
>> >> exim, smail, zmailer, or any other OSS sendmail equivalent.
>> >
>> >So, there has to be another reason, that's all. It is probably the same
>> >reason why these MTAs have virtually no market share of any kind.
>>
>> Inertia. "Sendmail is good enough."
>
>Not just inertia. Inertia combined with inflexibility and unreasonable
>restrictions on distribution. Inertia enough didn't stop Red Hat from
>making inquiries.

Apparently I need to nail *both* feet to the floor.

Okay. Let me know which of the following statements you disagree with.

1) Red Hat ships sendmail.

2) Red Hat doesn't ship qmail, zmailer, exim, smail, or any other OSS sendmail equivalent.

3) qmail has more restrictive redistribution rights than zmailer, exim, smail, or any other OSS sendmail equivalent.

4) Red Hat refuses to distribute qmail because of its licensing.

5) Licensing doesn't prevent Red Hat from shipping zmailer, exim, smail, or any other OSS sendmail equivalent.

Question: *Why doesn't* Red Hat ship zmailer, exim, smail, or any other OSS sendmail equivalent?

My Guess: Inertia: too hard to change, not enough incentive to change, belief that sendmail is good enough, etc.

>So let's have all OSS authors stop writing code, because they can't ensure
>that all complaints due to broken packaging will go to the responsible
>vendor. Let's recall Apache, sendmail, Inn, and Bind, and withdraw them
>from distribution. Clearly the OSS scheme doesn't work, and generates
>horribly buggy installations.

How about if we just let developers who don't want to make their code OSS set their own terms based on their beliefs and desires? Just because OSS works for some developers/projects, doesn't mean it's the only valid model.

>> "mostly" Maybe you find that acceptable. I postulate that Dan doesn't.
>
>And I postulate that the rest of the world does.

qmail is not a democracy.

>> Oh, right, users installing, say, a broken modified qmail RPM will
>> *know* that the packager broke it, not the author. I forgot that.
>
>Too bad, because they do. You can choose to ignore that fact, but it will
>remain a fact nevertheless.

Riiight. But even if I agreed, it wouldn't matter.

>> Nor should it. The bounce mechanism works.
>
>Which makes any system running Qmail a conduit for a denial-of-service
>attack.

Yawn.

>> Nor should it. There's an add-on to do that.
>
>And since add-ons cannot be redistributed,

Wrong.

>any one of hundreds of ISPs who
>require RBL functionality will not be able to get it from a vendor.

Ever heard of rblsmtp?

>> Nor should it. It's an SMTP server, not a multiprotocol mail gateway.
>
>See above.

What? Where?

>> For those whose inetd's can't be configured to allow higher connection
>> rates, yes, tcpserver is required. Big deal.
>
>No inetd in existence can be configured for higher connections, yet still
>implement load limiting. Nobody running Qmail in any kind of a production
>mode will be able to get it work with inetd.

Fine. Let's just say that qmail requires tcpserver. So what?

>> Wrong. qmail-smtpd's logging is minimal, but qmail's logging, in
>> general, is quite adequate.
>
>Except that qmail-smtpd logging is what most people require.

Says who? "Require" or "desire"?

-Dave
Re: instcheck finds ambiguous errors
On 4 Jan 99 at 6:09, Mate Wierdl wrote:

> You can look in hier.c. For a fix, just do "./install" from the top source
> dir.

Or, in another way, have you changed qmail accounts uids or gids (maybe by accident)? In this case you must remove *.o, auto-uids.c (or similar), reconfigure, recompile and reinstall the package. Otherwise it will incorrectly map old uids to new user names.

> On Mon, Jan 04, 1999 at 01:32:38AM -0500, Ken Hooper wrote:
> >
> > I had a helluva time getting qmail installed but I THINK everything's
> > working now. However, instcheck is finding some errors:
> >
> > [root@dt042nb8 bin]# /var/qmail/bin/instcheck
> > instcheck: warning: /var/qmail/control has wrong group

[cut]

Regards,
Andrzej Kukula
~alias question.(.qmail forwards)
I'm setting up some auto respond robots on a Qmail system. The program wants to be set up out of the ~alias directory, with a pipe to the program.

I know I can have forwards, multiple per line, to various addresses, but what I need is one of the forwards to be to the local mailbox on the same system (with the same name).

Example: I want to put an autoreply on [EMAIL PROTECTED]

The file .qmail-abuse in /var/qmail/alias has a first line of:

|autorespond 1 5 help_message help_autorespond

What do I put in for the local delivery to ~abuse? I'm guessing that /home/abuse/Maildir/ wouldn't work since at this point it wouldn't be able to deliver as that user. Or am I wrong?

I can't set this up as a .qmail in abuse's .qmail file because I have a number of them, and maintenance of the autorespond system would be a pain with directories all over the place.

Greg
Re: qmail II request
On 04-Jan-99 01:39:33, Paul Gregg wrote something about "Re: qmail II request". I just couldn't help replying to it, thus:

> In article <[EMAIL PROTECTED]> you wrote:
>> Since I started this thread I can tell you without question what it's about
>> and [EMAIL PROTECTED] isn't any part of it. I want to reject mail being
>> sent to certain valid usernames, such as my database. I'd also like to
>> bounce some mail to nonvalid usernames without accepting and bouncing
>> afterward since they only double bounce anyway.

> To do this, then it requires qmail-smtpd to know everything that qmail-send
> does.

Not at all. Try rereading the message that started this thread. The same mechanism that works for control/badmailfrom will do the trick.

> If you are in control of the local delivery then you already can control
> who sends mail to your database. Why can't you use procmail?

No good. Then you have already accepted the message, and the point was to reject it.

Regards,

/¯¯T¯\
| Rask Ingemann Lambertsen    | [EMAIL PROTECTED]                     |
| Registered Phase5 developer | WWW: http://www.gbar.dtu.dk/~c948374/ |
| A4000, 775 kkeys/s (RC5-64) | "ThrustMe" on XPilot and EFnet IRC    |
|If you had an off switch, Doctor, would you not keep it secret?      |
Re: Anonymous Qmail Denial of Service
On 04-Jan-99 15:27:24, Vince Vielhaber wrote something about "Re: Fw: Anonymous Qmail Denial of Service". I just couldn't help replying to it, thus:

> On Mon, 4 Jan 1999, Vince Vielhaber wrote:

>> So it seems that if/when the admin sees all the qmail-queue's running,
^
> Following up to my own, I don't know what I missed last time,

The kill command?

> but I just tried it again and it left files of 0 length as advertised:

> -rw-r--r-- 1 qmailq qmail 0 Jan 4 09:15 ./mess/10/224720

> But how many would it take for DoS? Use up all the inodes?

Yes, inodes or more generally, some kind of disk resource. A 'df -i' shows that our queue disk (tiny 2 GB thing ;-) has less than half a million free inodes. That is few enough to make it feasible to try running the queue disk out of inodes. If you can create 10 per second, it would take a bit more than half a day to halt the mail system. How many would notice until the disaster is a reality?

However, the interesting thing here is not the DoS itself, but the problem that you don't know who to point the gun at afterwards.

> Still no mail would be lost AFAICT.

Not by qmail, but what about all those broken MUA's that don't check the exit code of /usr/somewhere/sendmail or /var/qmail/bin/qmail-inject?

Regards,

/¯¯T¯\
| Rask Ingemann Lambertsen    | [EMAIL PROTECTED]                     |
| Registered Phase5 developer | WWW: http://www.gbar.dtu.dk/~c948374/ |
| A4000, 775 kkeys/s (RC5-64) | "ThrustMe" on XPilot and EFnet IRC    |
| Life starts at '030, fun starts at '040, impotence starts at '86.|
Re: Netscape Mail 4.5
Yes, netscape assumes you are stupid and removes the @domain, when checking mail. If you are using vchkpw try user%vdomain or user_vdomain instead.

--Adam

-Original Message-
From: Hydrogen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, January 04, 1999 11:37 AM
Subject: Netscape Mail 4.5

:For some reason, I type in the 'user@vdomain' for the POP3
:username/account name in netscape, and something happens to make qmail
:think that user@vdomain is a real user as opposed to a vuser. Whereas,
:the user does not exist as real. Any ideas?
:
:-Brad
:
:
Re: Why Red Hat is not distributing qmail
# > >Qmail can't even handle any kind of a reasonable load, right out of the
# > >box. You have to go back and install tcpserver for that.
# >
# > For those whose inetd's can't be configured to allow higher connection
# > rates, yes, tcpserver is required. Big deal.
#
# No inetd in existence can be configured for higher connections, yet still
# implement load limiting. Nobody running Qmail in any kind of a production
# mode will be able to get it work with inetd.

umm, I beg to differ, running qmail as a gateway between firewall and internet, using inetd with several thousand messages a day, and we were running mailing lists from this box at one time,

Messages: 44095
Recipients: 49684
Average message tries: 1.14809
Total delivery attempts: 51010
  success: 49670
  failure: 114
  deferral: 1226
Message bytes: 1066205787
Message bytes weighted by success: 1132410514
Time span (days): 6.89296
Average message qtime (s): 58.583
Average xdelay (s): 2.91404
Average ddelay (s): 20.424
Average concurrency: 0.249593

and we have not experienced the inetd looping problem

--
/- [EMAIL PROTECTED] --- [EMAIL PROTECTED] -\
|Justin Bell NIC:JB3084| Time and rules are changing.       |
|Simon & Schuster A&AT | Attention span is quickening.      |
|Programmer            | Welcome to the Information Age.    |
\ http://www.superlibrary.com/people/justin/ --/
Re: Netscape Mail 4.5
On Mon, Jan 04, 1999 at 10:39:28AM -0700, Hydrogen wrote:
> For some reason, I type in the 'user@vdomain' for the POP3
> username/account name in netscape, and something happens to make qmail
> think that user@vdomain is a real user as opposed to a vuser. Whereas,
> the user does not exist as real. Any ideas?

Huh?

>
> -Brad
>
Re: Fw: Anonymous Qmail Denial of Service
> And how to fix kill -9?

There's little one can do about that (having signals that can't be caught is a UNIX design decision). I could imagine UNIX with kill -9 disabled for all but the super-user (a bit like the effect of quotas on chown in SunOS). It all depends on how paranoid you are :-)

Stefaan
--
PGP key available from PGP key servers (http://www.pgp.net/pgpnet/)
___
Perfection is reached, not when there is no longer anything to add,
but when there is no longer anything to take away. -- Saint-Exupéry
Netscape Mail 4.5
For some reason, I type in the 'user@vdomain' for the POP3 username/account name in netscape, and something happens to make qmail think that user@vdomain is a real user as opposed to a vuser. Whereas, the user does not exist as real. Any ideas? -Brad
Re: Fw: Anonymous Qmail Denial of Service
Vince Vielhaber writes:
> But how many would it take for DoS? Use up all the inodes? Still no
> mail would be lost AFAICT.

Well, qmail wouldn't accept any new mail, but it's known that some programs do not listen to the return code from /usr/lib/sendmail. So some mail may indeed be lost. Not that that's a qmail problem -- postfix would have the same problem.

--
-russ nelson <[EMAIL PROTECTED]> http://crynwr.com/~nelson
Crynwr supports Open Source(tm) Software| PGPok | There is good evidence
521 Pleasant Valley Rd. | +1 315 268 1925 voice | that freedom is the
Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | cause of world peace.
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 05:08:15PM +0100, Stefaan A Eeckels wrote:
> On 04-Jan-99 Mate Wierdl wrote:
> > On Mon, Jan 04, 1999 at 01:03:14PM +, Sam wrote:
> > >
> > > > : :% /var/qmail/bin/qmail-queue
> > > > : :^Z
> > > > : :Suspended
> > > > : :% kill -9 %1
> > > > : :[1]Killed /var/qmail/bin/qmail-queue
> > > > : :%
> > > > : :
> > > > : :There will be one more zero-length file, owned by qmail, without
> > > > : :any user identification whatsoever. It is an exercise for the
> > >
> > > qmail-queue is a setuid program. Did UNIX change, while I was out of town,
> > > and you can now send signals to processes of different userids?
> >
> > Not only that, but the above works w/o the -9 flag.
>
> IIRC, qmail-queue should not be called by
> someone wanting to submit mail (see doc/PIC*).
> A better test would be to use qmail-inject:
>
> /var/qmail# /var/qmail/bin/qmail-inject
>
> [1] + 2728 Suspended /var/qmail/bin/qmail-inject
> /var/qmail# kill %1
> /var/qmail#
> [1]Terminated /var/qmail/bin/qmail-inject
> /var/qmail# find . -size 0
> ./control/locals
> ./alias/.qmail-postmaster
> ./alias/.qmail-mailer-daemon
> ./alias/.qmail-root
> ./alias/Mailbox
> ./queue/lock/sendmutex
> ./queue/lock/trigger
> /var/qmail#
>
> There's no empty file. I tried it with partial messages, and
> there never are file droppings left in the queue.
> But yes, if we are to be paranoid, qmail-queue should clean up
> when no message has been queued, or when it's interrupted by
> a signal that can be caught.

And how to fix kill -9?

Greetz, Peter.
--
AND I AM GONNA KILL MIKE             | Peter van Dijk
hardbeat, if you're still sober:     | [EMAIL PROTECTED]
@date = localtime(time);             | realtime security d00d
$date[5] += 2000 if ($date[5] < 37); |
$date[5] += 1900 if ($date[5] < 99); |-x- available -x-
Re: Why Red Hat is not distributing qmail
[EMAIL PROTECTED] wrote:
>On Wed, 30 Dec 1998, Dave Sill wrote:
>
>> Let me try again. Licensing alone could conceivably explain why Red
>> Hat doesn't ship qmail. But it doesn't explain why they don't ship
>> exim, smail, zmailer, or any other OSS sendmail equivalent.
>
>So, there has to be another reason, that's all. It is probably the same
>reason why these MTAs have virtually no market share of any kind.

Inertia. "Sendmail is good enough."

>No, the question is very specific: if Red Hat botched the sendmail RPM,
>how does that sole event somehow translate into Eric Allman's reputation
>being affected in any way?
>
>The answer, of course, is that it doesn't.

The answer, of course, is that it *does*. First, Allman will be guilty by association. Lots of people know that he wrote sendmail. If they hear about a sendmail problem, without complete details, they'll naturally assume he's responsible. Second, by allowing other people to modify and repackage sendmail, he's implicitly saying that he doesn't care what people do to it, even if they break it. That's one difference between Eric, Wietse, and all the other OSS authors and Dan: Dan's not willing to let other people diddle with his code.

>Since I've been reading the mainstream press quite extensively lately, I'm
>comfortable to say that this is not going to be the case.

Doesn't matter. Nothing you think will change Dan's mind.

>You are replying to the assertion that complaining to the author - when a
>vendor's packaging breaks - would be stupid.

Maybe I got confused. Complaining to the vendor/packager would be smarter than complaining to the author, but there's no mechanism to ensure that all complaints go to the right place.

>> Of course not. But victims of these third party changes will surely go
>> to him or his lists for help.
>
>No. That's my point. The victims will be going back mostly to the vendor.
>This is not an arbitrary claim, but it's based on experience over the last
>couple of years.

"mostly" Maybe you find that acceptable. I postulate that Dan doesn't.

>> And these victims will also be unaware
>> of the changes their vendor made, so the help they get might be
>> wrong.
>
>Oh yes they will _certainly_ be aware. That's because they installed a
>vendor-specific file in the first place.

Oh, right, users installing, say, a broken modified qmail RPM will *know* that the packager broke it, not the author. I forgot that.

>>There will be unnecessary confusion in the support community,
>> and this confusion will reflect poorly on Dan and his products to
>> casual observers who don't realize that the confusion is due to third
>> party diddling.
>
>This is plainly FUD. FUD, FUD, FUD...

Huh?

>If that's true, Brister would've never had the time to write inn 2.0,
>because he would've been handling all the mail from Red Hat users. There
>was a whole bunch of people out there who suddenly discovered that they
>can simply load the Red Hat CD, and instantly have a server on their hands
>that can handle a full Usenet feed. Up until that point, you needed to
>have a pretty good INN hacker on staff in order to accomplish that.

You clearly think OSS, Red Hat, and RPM's are the key to mankind's salvation. Good for you. It's just as clear, however, that Dan doesn't agree, and repetitively claiming that you're right and he's wrong isn't going to change his mind.

>In some situations Qmail is less efficient than sendmail, and its
>performance is sorely lacking.

Every complex system has weaknesses.

>Qmail does not verify envelope sender addresses, right out of the
>box.

Nor should it. The bounce mechanism works.

>Qmail does not support RBL, right out of the box.

Nor should it. There's an add-on to do that.

>Qmail does not support UUCP, right out of the box.

Nor should it. It's an SMTP server, not a multiprotocol mail gateway.

>Qmail does not rewrite headers on relayed mail, right out of the box.

Nor should it. There's an add-on to do that.

>Qmail can't even handle any kind of a reasonable load, right out of the
>box. You have to go back and install tcpserver for that.

For those whose inetd's can't be configured to allow higher connection rates, yes, tcpserver is required. Big deal.

>Qmail's logging is virtually nonexistent.

Wrong. qmail-smtpd's logging is minimal, but qmail's logging, in general, is quite adequate.

>Certain things Qmail can do better than sendmail, but there's still a lot
>of functionality that many people want, and Qmail does not have, unless
>you go out and grab a bunch of other software as well.

Modularity.

>You will not find any single OSS package that comes with any operating
>system in the same original form that the OSS package is distributed by
>the author, period. Besides an MTA, there are other software out there
>that's just as vital to the overall system security. Their respective
>authors do not appear to have any difficulties allowing commercial
>distribu
Re: Fw: Anonymous Qmail Denial of Service
On 04-Jan-99 Mate Wierdl wrote:
> On Mon, Jan 04, 1999 at 01:03:14PM +, Sam wrote:
> >
> > > : :% /var/qmail/bin/qmail-queue
> > > : :^Z
> > > : :Suspended
> > > : :% kill -9 %1
> > > : :[1]Killed /var/qmail/bin/qmail-queue
> > > : :%
> > > : :
> > > : :There will be one more zero-length file, owned by qmail, without
> > > : :any user identification whatsoever. It is an exercise for the
> >
> > qmail-queue is a setuid program. Did UNIX change, while I was out of town,
> > and you can now send signals to processes of different userids?
>
> Not only that, but the above works w/o the -9 flag.

IIRC, qmail-queue should not be called by someone wanting to submit mail (see doc/PIC*). A better test would be to use qmail-inject:

/var/qmail# /var/qmail/bin/qmail-inject

[1] + 2728 Suspended /var/qmail/bin/qmail-inject
/var/qmail# kill %1
/var/qmail#
[1]Terminated /var/qmail/bin/qmail-inject
/var/qmail# find . -size 0
./control/locals
./alias/.qmail-postmaster
./alias/.qmail-mailer-daemon
./alias/.qmail-root
./alias/Mailbox
./queue/lock/sendmutex
./queue/lock/trigger
/var/qmail#

There's no empty file. I tried it with partial messages, and there never are file droppings left in the queue. But yes, if we are to be paranoid, qmail-queue should clean up when no message has been queued, or when it's interrupted by a signal that can be caught.

Stefaan
--
PGP key available from PGP key servers (http://www.pgp.net/pgpnet/)
___
Perfection is reached, not when there is no longer anything to add,
but when there is no longer anything to take away. -- Saint-Exupéry
Re: Fw: Anonymous Qmail Denial of Service
- Mate Wierdl <[EMAIL PROTECTED]>:

| On Mon, Jan 04, 1999 at 04:49:20PM +0100, Harald Hanche-Olsen wrote:
| > - Mate Wierdl <[EMAIL PROTECTED]>:
| >
| > | In any case, what is interesting is that qmail-queue exits with 143:
| >
| > Hmmm... no, I don't think so:
| >
| > ; grep SIGTERM /usr/include/sys/signal.h
| > #define SIGTERM 15 /* software termination signal from kill */
| > ; expr 128 + 15
| > 143
| >
| > - Harald
|
| Well, what I do not understand here is that qmail-queue exits with
| nonzero, but it still leaves a file behind in the queue.

The point is that qmail-queue didn't exit; it was killed.

- Harald
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 10:02:31AM -0600, Mate Wierdl wrote:
> On Mon, Jan 04, 1999 at 04:49:20PM +0100, Harald Hanche-Olsen wrote:
> > - Mate Wierdl <[EMAIL PROTECTED]>:
> >
> > | In any case, what is interesting is that qmail-queue exits with 143:
> >
> > Hmmm... no, I don't think so:
> >
> > ; grep SIGTERM /usr/include/sys/signal.h
> > #define SIGTERM 15 /* software termination signal from kill */
> > ; expr 128 + 15
> > 143
> >
> > - Harald
>
> Well, what I do not understand here is that qmail-queue exits with nonzero,
> but it still leaves a file behind in the queue.

qmail-queue does not exit. It gets killed, and does nothing to prevent it.

Greetz, Peter.
--
AND I AM GONNA KILL MIKE             | Peter van Dijk
hardbeat, if you're still sober:     | [EMAIL PROTECTED]
@date = localtime(time);             | realtime security d00d
$date[5] += 2000 if ($date[5] < 37); |
$date[5] += 1900 if ($date[5] < 99); |-x- available -x-
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 04:49:20PM +0100, Harald Hanche-Olsen wrote:
> - Mate Wierdl <[EMAIL PROTECTED]>:
>
> | In any case, what is interesting is that qmail-queue exits with 143:
>
> Hmmm... no, I don't think so:
>
> ; grep SIGTERM /usr/include/sys/signal.h
> #define SIGTERM 15 /* software termination signal from kill */
> ; expr 128 + 15
> 143
>
> - Harald

Well, what I do not understand here is that qmail-queue exits with nonzero, but it still leaves a file behind in the queue.

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: Fw: Anonymous Qmail Denial of Service
- Mate Wierdl <[EMAIL PROTECTED]>:

| In any case, what is interesting is that qmail-queue exits with 143:

Hmmm... no, I don't think so:

; grep SIGTERM /usr/include/sys/signal.h
#define SIGTERM 15 /* software termination signal from kill */
; expr 128 + 15
143

- Harald
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 10:30:39AM -0500, Sam wrote:
> On Mon, 4 Jan 1999, Mate Wierdl wrote:
>
> > > If you started it, yes. Nothing has changed. Otherwise, you couldn't ctrl-C
> > > out of anything SUID.. that would be bad. On the other hand, not allowing
> > > users to send signal to those processes has a lot of advantages too.. like
> > > security.
> >
> > So then what is going to happen, if under X, you su to root, and then quit X?
>
> When X shuts down, the su shell will get an end-of-file indication on
> standard input.
>
> It appears that certain dumb shell may tell you 'you must use exit to
> logout' when you manually CTRL-D them, but I think there's a way to tell
> them that there's a real EOF condition.

SIGHUP?

Greetz, Peter.
--
AND I AM GONNA KILL MIKE             | Peter van Dijk
hardbeat, if you're still sober:     | [EMAIL PROTECTED]
@date = localtime(time);             | realtime security d00d
$date[5] += 2000 if ($date[5] < 37); |
$date[5] += 1900 if ($date[5] < 99); |-x- available -x-
Re: root user masquerading from cron or at
On 31-Dec-98 Russell Nelson wrote:
> Brian S. Craigie writes:
> > Hi again.
> >
> > I searched the mailing list and once again found a question but no answer.
> > Perhaps it was answered off-list. [comment: why doesn't the mailing list set
> > reply-to to the list?]
>
> Because that confuses people whose email client has a Reply button.
> They get used to hitting Reply to Reply to the sender. Then they sign
> onto a mailing list, and suddenly Reply means Reply to All. But their
> MUA already has a Reply to All button. If it doesn't have one, then
> it needs to have one added. Adding Reply-To: list is the wrong solution.

Hmm... OK. Spoke too soon. Past replies I've made only went to the sender, because they were sent directly to me, not cc:ed to the list. When I hit reply to your email it asked me 'reply to all?', and included the cc to the list, so we're ok.

[snip]

> You can also do it on the command line (at least with bash and sh):
>
> MAILNAME=Superuser /usr/sbin/cron

That doesn't persist through a reboot, but I suppose I could put that line in the rc script instead of the line that runs cron just now.

> > BTW, sendmail gets the user's real name from /etc/passwd (or the NIS/NIS+
> > equivalent). Wouldn't it be smart for qmail to do that too _if_ MAILNAME is not
> > set?
>
> Not if there's a security hole in getpwuid. Not to mention the fact
> that that often sucks in a lot of other code and bloats the executables.

Understood, though I don't see the problem with the security hole. Even if there is a hole, the worst it can do is bring up the wrong "name" isn't it?

Perhaps it should be mentioned in the sendmail to qmail checklist...

Anyway, thanks. I hope you and all list members had a nice festive season / new year / whatever you celebrate.

> --
> -russ nelson <[EMAIL PROTECTED]> http://crynwr.com/~nelson
> Crynwr supports Open Source(tm) Software| PGPok | There is good evidence
> 521 Pleasant Valley Rd. | +1 315 268 1925 voice | that freedom is the
> Potsdam, NY 13676-3213 | +1 315 268 9201 FAX | cause of world peace.

Cheers!

Brian
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 09:27:24AM -0500, Vince Vielhaber wrote:
> On Mon, 4 Jan 1999, Vince Vielhaber wrote:
> Following up to my own, I don't know what I missed last time, but I just
> tried it again and it left files of 0 length as advertised:
>
> -rw-r--r-- 1 qmailq qmail 0 Jan 4 09:15 ./mess/10/224720
>
> But how many would it take for DoS? Use up all the inodes? Still no
> mail would be lost AFAICT.
>

I think you did not do ^Z. In any case, what is interesting is that qmail-queue exits with 143:

I tried this under X

in one xterm, I do qmail-queue (I do not stop it)

in the other I kill this new qmail-queue process.

In the first xterm I get

echo $?
143

Nevertheless, the 0 length file appears in the queue.

Here is a shellscript to automate the whole thing

while true; do
qmail-queue&
killall qmail-queue
done

This should not stop till the inodes are all used up.

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: Why Red Hat is not distributing qmail
"Peter C. Norton" <[EMAIL PROTECTED]> wrote:
>
>[Eric Allman]'s got a great reputation in the press and at the
>executive level. He's the name that's associated with sendmail,
>sendmail is publicised as running "75% of the mail on the internet"
>right? I think his code and mailer is shoddy, but his reputation in
>the wider world seems to be completely unconnected with the security,
>speed, or reliability* of the software he's written.

s/Eric Allman/Bill Gates/
s/sendmail/Windows/g
s/75% of the mail on the internet/95% of the PC's in the world/

(OK, so Bill's reputation has suffered lately. That's just because he's been so successful. 75% is dominance, but 95% is monopoly. And sendmail is free, Windows isn't.)

I agree, but I was thinking not about reputation as perceived by the public, but reputation as perceived by people with >= 0.5 clue. You might counter that the partially clueful are likely to realize where the true blame is deserved, and you might be right.

>A lot of people use and like sendmail. Probably a lot more then the
>number of people who've deployed qmail.

No doubt.

>> Of course not. But victims of these third party changes will surely go
>> to him or his lists for help. And these victims will also be unaware
>> of the changes their vendor made, so the help they get might be
>> wrong.
>
>True. Is that so bad?

That's DJB's call, not mine or yours.

>The list and djb get a lot of mail already.
>New users have questions that need to be answered no matter what their
>method of installation. All a standard, even broken distribution
>really changes is that the question becomes a FAQ almost immediately,
>and can be answered simply and thoroughly.

That's the way it goes in most cases. I think the problem is that DJB doesn't do things the way most people do, and most people--not too surprisingly--don't like that.

>Why all of the negativity? I think a package author would be happy
>that he stops getting FAQ's in his mailbox because a lot of nifty
>things are included in the package that users always ask him and/or
>inn mailing lists for, and that cuts down on the traffic. Maybe it
>evens out or tips the balance towards the package reducing irrelevant
>traffic.

You might think that, and most of the time you'd be right. Except, apparently, when the author is DJB.

-Dave
Re: Fw: Anonymous Qmail Denial of Service
> : :% /var/qmail/bin/qmail-queue
> : :^Z
> : :Suspended
> : :% kill -9 %1
> : :[1]Killed /var/qmail/bin/qmail-queue
> : :%
> : :
> : :There will be one more zero-length file, owned by qmail, without
> : :any user identification whatsoever. It is an exercise for the

qmail-queue is a setuid program. Did UNIX change, while I was out of town, and you can now send signals to processes of different userids?
[wietse@PORCUPINE.ORG: Anonymous Qmail Denial of Service]
- Forwarded message from Wietse Venema <[EMAIL PROTECTED]> -

Delivered-To: [EMAIL PROTECTED]
Approved-By: [EMAIL PROTECTED]
Date: Mon, 4 Jan 1999 00:04:09 -0500
Reply-To: Wietse Venema <[EMAIL PROTECTED]>
From: Wietse Venema <[EMAIL PROTECTED]>
Subject: Anonymous Qmail Denial of Service
To: [EMAIL PROTECTED]

In recent postings, Daniel Bernstein expands on the insecurity of the Postfix world-writable directory for local mail submission. Of all the attacks possible with such a scheme, one attack would result in mail not being delivered. That is of course unacceptable.

After my request for input from the Bugtraq membership I received much useful feedback. Many suggestions were made for implementing a private rendez-vous between unrelated, untrusting processes. I will try to write up a summary of the responses.

I am grateful for all suggestions for improvements that were made, in particular for one suggestion made by Daniel Bernstein himself, in this same forum:

    Why doesn't [Postfix] use a protected queue, and a setuid program
    to add mail to the queue with guaranteed user identification?

Postfix uses a set-gid program and a mode 0770 submission directory, and it does so for a very good reason. Why doesn't Postfix use a set-uid program, as suggested?

The reason is that contrary to Daniel Bernstein's claim, a set-uid posting program cannot guarantee user identification. I will illustrate this misconception with an example.

qmail uses a set-uid posting program, called qmail-queue. When this program is invoked, it opens a queue file somewhere below /var/qmail/queue. For example:

    -rw-r--r-- 1 qmailq qmail 0 Dec 31 17:02 queue/mess/21/674956

What happens when the qmail-queue process is signaled with, say, SIGKILL? The file will stay in the queue. That's a zero-length file, owned by qmail, without any user identification whatsoever.

Each time a user does something like:

    % /var/qmail/bin/qmail-queue
    ^Z
    Suspended
    % kill -9 %1
    [1]Killed /var/qmail/bin/qmail-queue
    %

There will be one more zero-length file, owned by qmail, without any user identification whatsoever. It is an exercise for the reader to write a small program that automates the process:

    fork a child
    child: execute /var/qmail/bin/qmail-queue
    parent: wait briefly and SIGKILL the child

When this sequence is executed a sufficient number of times, the queue file system runs out of available resources. No-one can send mail. No-one can receive mail. And no-one can be held responsible.

I fully agree with Daniel Bernstein that every mail system, be it Postfix or qmail or anything else, should be able to add mail to the queue with guaranteed user identification. I am grateful for reminding me of this very important and very desirable property.

The lack of user identification as described above was verified on BSD/OS 2.1, BSD/OS 3.1, and FreeBSD 2.1.1. It is reasonable to expect that the same behavior exists on other BSD systems/versions.

When the same tests are run on Solaris 2.6, RedHat 5.0, and on SunOS 4.1.3_U1, the only difference is in the queue file group ownership attributes:

    -rw-r--r-- 1 qmailq users 0 Dec 31 18:10 queue/mess/1/418325

What can be done about this lack of accountability? On non-BSD systems, the hole can be worked around by placing every user in a different group, so that a malicious user can be recognized by the queue file group ownership.

That will not close the hole on BSD systems, however. For this reason, the preferable solution is to close the hole by changing qmail. For this I suggest the use of a set-gid posting program, similar to the one that is used in Postfix.

Wietse

- End forwarded message -

--
Try not the patience of wizards, for they are subtle and quick to anger.
Public PGP Available by Finger: [EMAIL PROTECTED]
PGP Fingerprint16 = FC F6 32 8D 9A CC 2A E5 02 FD 54 0F 35 9F 27 C2
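The zero-length queue/mess files described in the message above, together with the inode arithmetic raised elsewhere in this thread (about half a million free inodes, ten files per second), suggest a monitoring check. The following is an added example, not code from the thread or from qmail; the function names, the one-hour age threshold and the constructed sample tree are assumptions.

```python
import os
import stat
import tempfile
import time
from collections import Counter


def find_stale_empty(queue_dir, min_age_s=3600, now=None):
    """List zero-length regular files under queue_dir/mess older than min_age_s.

    A submission that is still in progress can also show an empty mess file
    briefly, so only files past the age threshold (assumed: one hour) count.
    """
    now = time.time() if now is None else now
    hits = []
    for root, _dirs, files in os.walk(os.path.join(queue_dir, "mess")):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # removed by the mail system while we were scanning
            if not stat.S_ISREG(st.st_mode) or st.st_size != 0:
                continue
            age = now - st.st_mtime
            if age >= min_age_s:
                hits.append({"path": path, "uid": st.st_uid,
                             "gid": st.st_gid, "age_s": int(age)})
    return sorted(hits, key=lambda h: h["path"])


def count_by_group(hits):
    """Count stale empty files per gid.

    On the non-BSD systems named in the message the file carries the
    submitting user's group, so this points at a source when every user has
    a private group. On BSD the group is the queue's own, so the count only
    shows that the problem exists.
    """
    return Counter(h["gid"] for h in hits)


def inode_headroom(path):
    """Return (free inodes available to unprivileged users, total inodes)."""
    vfs = os.statvfs(path)
    return vfs.f_favail, vfs.f_files


def seconds_to_exhaustion(free_inodes, files_per_second):
    """Time until the queue file system has no inodes left at a given rate."""
    if files_per_second <= 0:
        raise ValueError("rate must be positive")
    return free_inodes / files_per_second


def build_constructed_queue(base, now):
    """Create a small CONSTRUCTED queue tree for the demonstration."""
    samples = [
        ("10/224720", b"", 7200),                     # empty, two hours old
        ("21/674956", b"", 5),                        # empty, still fresh
        ("1/418325", b"Subject: t\n\nbody\n", 7200),  # normal message
    ]
    for rel, content, age in samples:
        path = os.path.join(base, "mess", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (now - age, now - age))
    return base


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_queue(tmp, now)
        hits = find_stale_empty(tmp, now=now)
        for h in hits:
            print("stale empty:", h["path"], "gid", h["gid"], "age", h["age_s"])
        print("per group:", dict(count_by_group(hits)))
        print("inodes (free, total):", inode_headroom(tmp))
    hours = seconds_to_exhaustion(500000, 10) / 3600
    print("500000 inodes at 10/s last %.1f hours" % hours)
```

Run periodically against the real queue directory, a rising count from `find_stale_empty` together with a falling first value from `inode_headroom` gives warning well before submissions start failing.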
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 03:17:35AM -0500, Adam D. McKenna wrote:
> :When the same tests are run on Solaris 2.6, RedHat 5.0, and on
> :SunOS 4.1.3_U1, the only difference is in the queue file group
> :ownership attributes:
> :
> :-rw-r--r-- 1 qmailq users 0 Dec 31 18:10 queue/mess/1/418325
> :

Not exactly, on an RH 5.1:

-rw-r--r-- 1 qmailq mw 0 Jan 4 07:23 179552

On an RH 4.2:

-rw-r--r-- 1 qmailq mw 0 Jan 4 08:11 51126

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 01:03:14PM +, Sam wrote:
>
> > : :% /var/qmail/bin/qmail-queue
> > : :^Z
> > : :Suspended
> > : :% kill -9 %1
> > : :[1]Killed /var/qmail/bin/qmail-queue
> > : :%
> > : :
> > : :There will be one more zero-length file, owned by qmail, without
> > : :any user identification whatsoever. It is an exercise for the
>
> qmail-queue is a setuid program. Did UNIX change, while I was out of town,
> and you can now send signals to processes of different userids?

Not only that, but the above works w/o the -9 flag.

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: Fw: Anonymous Qmail Denial of Service
- Vince Vielhaber <[EMAIL PROTECTED]>:

| But how many would it take for DoS? Use up all the inodes?

Yep.

| Still no mail would be lost AFAICT.

Nope.

Anyway, the issue here (in the case of qmail) is not so much with the DoS attack as with the fact that finger pointing can be very difficult due to the ownership of the queue files.

There are other DoS attacks available to a local user if he doesn't mind being found out, for example create a .qmail file containing

|sleep 86400

and send more than (concurrencylocal) messages to the corresponding address. Then local deliveries will not happen for the next 24 hours, unless a system administrator investigates and deals with the problem.

- Harald
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 02:14:21PM +0100, Peter van Dijk wrote:
> On Mon, Jan 04, 1999 at 01:03:14PM +, Sam wrote:
> > qmail-queue is a setuid program. Did UNIX change, while I was out of town,
> > and you can now send signals to processes of different userids?
>
> If you started it, yes. Nothing has changed. Otherwise, you couldn't ctrl-C
> out of anything SUID.. that would be bad. On the other hand, not allowing
> users to send signal to those processes has a lot of advantages too.. like
> security.

So then what is going to happen, if under X, you su to root, and then quit X?

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: Fw: Anonymous Qmail Denial of Service
- "Sam" <[EMAIL PROTECTED]>:

|
| > : :% /var/qmail/bin/qmail-queue
| > : :^Z
| > : :Suspended
| > : :% kill -9 %1
| > : :[1]Killed /var/qmail/bin/qmail-queue
| > : :%
| > : :
| > : :There will be one more zero-length file, owned by qmail, without
| > : :any user identification whatsoever. It is an exercise for the
|
| qmail-queue is a setuid program. Did UNIX change, while I was out
| of town, and you can now send signals to processes of different
| userids?

AFAIK, you can if the program's real uid matches your own.

- [EMAIL PROTECTED] ():

| 4) Could setuid(geteuid()) but that doesn't buy very much.

That should stop the user from killing qmail-queue, methinks. But perhaps you would normally want the user to have this capability? For example when you change your mind in the middle of mailing the output of a program.

- Harald
mail attachment losing content type in delivery failures
Hi, When a mail gets bounced, the content type is getting lost and is coming as text message alongwith the mail (I am attaching a sample mail). Can anyone please tell me how to preserve the content types? Thanks, Ramesh | -Original Message- | From: MAILER-DAEMON@canine [mailto:MAILER-DAEMON@canine] | Sorry, no mailbox here by that name. (#5.1.1) | | --- Below this line is a copy of the message. | | Return-Path: <[EMAIL PROTECTED]> | Received: (qmail 16988 invoked by uid 254); 4 Jan 1999 14:26:47 - | Message-ID: <[EMAIL PROTECTED]> | Date: Mon, 4 Jan 1999 19:56:47 +0530 | From: Ramesh Panuganty <[EMAIL PROTECTED]> | To: [EMAIL PROTECTED] | Subject: hello | Mime-Version: 1.0 | Content-Type: multipart/mixed; boundary=rwEMma7ioTxnRzrJ | X-Mailer: Mutt 0.91.2 | | | --rwEMma7ioTxnRzrJ | Content-Type: text/plain; charset=us-ascii | | test mail with attachments | | | --rwEMma7ioTxnRzrJ | Content-Type: image/gif | Content-Transfer-Encoding: base64 | Content-Disposition: attachment; filename="checkall.gif" | | R0lGODdhLwANAJEAAP///93d3WZmZgAAACwALwANAAACZpyPqct9AKOctNprQNi8+w+G | oJAFiTmIngGyG8uSg+amrvqm65GjgUzT5Wo8lO3Y88FSQB9nqXQahUQls3SzTqXFIQ/arGlv | 5G4VjEWMi1+kExor4eb0D1CAz+v3/L7f7xAoOGhQAAA7 | | --rwEMma7ioTxnRzrJ-- |
Re: qmail, fetchmail, serialmail et al
Many thanks to all who replied. I had already done most of the suggestions offered, but a couple of them led me to typos in what I had done. Time to re-read TFM.

Anyhow, serialmail is now up and running well. Again, many thanks.

andy
Re: Fw: Anonymous Qmail Denial of Service
On Mon, Jan 04, 1999 at 01:03:14PM +, Sam wrote:
>
> > : :% /var/qmail/bin/qmail-queue
> > : :^Z
> > : :Suspended
> > : :% kill -9 %1
> > : :[1]Killed /var/qmail/bin/qmail-queue
> > : :%
> > : :
> > : :There will be one more zero-length file, owned by qmail, without
> > : :any user identification whatsoever. It is an exercise for the
>
> qmail-queue is a setuid program. Did UNIX change, while I was out of town,
> and you can now send signals to processes of different userids?

If you started it, yes. Nothing has changed. Otherwise, you couldn't ctrl-C out of anything SUID.. that would be bad. On the other hand, not allowing users to send signal to those processes has a lot of advantages too.. like security.

Greetz, Peter.
--
AND I AM GONNA KILL MIKE             | Peter van Dijk
hardbeat, if you are still sober:    | [EMAIL PROTECTED]
@date = localtime(time);             | realtime security d00d
$date[5] += 2000 if ($date[5] < 37); |
$date[5] += 1900 if ($date[5] < 99); |-x- available -x-
Re: Fw: Anonymous Qmail Denial of Service
On Mon, 4 Jan 1999, Vince Vielhaber wrote:

> Dunno about anyone else, but I tried Wietse's little attack attempt, not
> to the extent of trying for DoS but to see exactly what it did on a
> FreeBSD 2.2.8 system. ps -aux showed a qmail-queue sitting there as
> user qmailq. So I did a few of them. Same thing. I logged off. All
> of them were gone and there were no files left in the queue from it.
> So it seems that if/when the admin sees all the qmail-queue's running,
> dumping lusers one at a time till it clears would tell you who it is
> or when they logged off it'd clear up anyway.

Following up to my own, I don't know what I missed last time, but I just tried it again and it left files of 0 length as advertised:

-rw-r--r-- 1 qmailq qmail 0 Jan 4 09:15 ./mess/10/224720

But how many would it take for DoS? Use up all the inodes? Still no mail would be lost AFAICT.

Vince.
--
==
Vince Vielhaber -- KA8CSH   email: [EMAIL PROTECTED]   flame-mail: /dev/null
# include   TEAM-OS2
Online Searchable Campground Listings   http://www.camping-usa.com
"There is no outfit less entitled to lecture me about bloat than the federal government" -- Tony Snow
==
Re: qmail in SCO
On Tue, 19 Oct 1999, Luis Bezerra wrote: > Hello everybody, > > Anyone knows qmail running in SCO UNIX? BTW: Does anyone know where I can get precompiled binaries of the gcc + libs for SCO? later, markus > > > > -- > - > Luís Bezerra de A. Junior > [EMAIL PROTECTED] > SecrelNet Informática LTDA > Fortaleza - Ceará - Brasil > Fone: 021852882090 > - > > > -- (Products & Development) ___ ID-PRO GmbH Arnsberg http://www.id-pro.de Open for the better ... ___
Web Interface
Has anyone seen a web POP3 client that WORKS with the original qmail pop3 daemon from QMail 1.2 ???

I have tried AtDot (www.atdot.org), it can't log in to the server. I tried phpop, it can't log in to the server, and everything else is for IMAP.

By the way, I am using the single UID virtual users configuration, and I have the latest PHP3 installed, I think it's 3.1.12. I believe PHPLIB is not compatible with PHP4.02b which I had installed. Server is Apache 1.3.9, MySQL is 3.21.19, Qmail is 1.2, the kernel is 2.034.

If you can help I would really appreciate it.

--
Jon Adams [EMAIL PROTECTED]
Autoresponder
Hi!

How to set up an autoresponder with Qmail? I saw something on the site but the .tar seems to be invalid. Do I MUST install this package in order to autorespond?

Thank you for answering & happy new year.

_
Dimitri SZAJMAN - [EMAIL PROTECTED]
Re: Users with capitals
On Sun, Jan 03, 1999 at 10:43:32PM -0800, Seek3r wrote:
> One of my users is Seek3r, which has a capital letter. Does qmail have a
> problem with that? and is there a fix?
>
> Also when I run qmail-pw2u to create my /var/qmail/users/assign file it just
> hangs and never ends, and no assign file is created. I had to create one
> myself manually.
>
> Thanks for your help
>

What command are you using to create the assign file? (BTWY, did you fix the rcpthosts problem?)

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
Re: instcheck finds ambiguous errors
You can look in hier.c. For a fix, just do "./install" from the top source dir.

Mate

On Mon, Jan 04, 1999 at 01:32:38AM -0500, Ken Hooper wrote:
>
> I had a helluva time getting qmail installed but I THINK everything's
> working now. However, instcheck is finding some errors:
>
> [root@dt042nb8 bin]# /var/qmail/bin/instcheck
> instcheck: warning: /var/qmail/control has wrong group
> instcheck: warning: /var/qmail/users has wrong group
> instcheck: warning: /var/qmail/bin has wrong group
> instcheck: warning: /var/qmail/boot has wrong group
> instcheck: warning: /var/qmail/doc has wrong group
> instcheck: warning: /var/qmail/man has wrong group
> instcheck: warning: /var/qmail/alias has wrong permissions
> instcheck: warning: .../bin/qmail-qread has wrong permissions
>
> Which is not too helpful, can somebody please tell me what they *ought* to be?
>
> --Ken
> type2.com webmaster Greasy Fingers Smearing Shabby Clothes
>
>

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
OT (really): a little help for Pinter-translation
Hello, a little sorry for doing this, but as I do not know lots of anglo-american "natives" besides those in newsgroups and lists ... I am doing some translation of a piece (Mountain Language) by the british playwright Harold Pinter in my spare-time. I encountered two expressions unknown to me, also online-dictionaries did not deliver any results: "The reception of Lady Duck Muck" and the "babycham of Lady Duck Muck". Any followups to mailto:[EMAIL PROTECTED]?subject=Pinter-Translation I apologize and thanks a lot for your answers Mirko PS: BTW one week ago you could start to call the qmail-list rpm-list as well ;-)). -- mailto:[EMAIL PROTECTED] surfto:http://sites.inka.de/picard
Re: Fw: Anonymous Qmail Denial of Service
On 4 Jan 1999 [EMAIL PROTECTED] wrote:

> [37 lines snipped]

[more snipped]

> : :There will be one more zero-length file, owned by qmail, without
> : :any user identification whatsoever. It is an exercise for the
> : :reader to write a small program that automates the process:
> [34 lines snipped]
>
> It's hardly in the same league as the postfix design oversight.
> This one prevents new mail being queued, that one causes mail
> to disappear after it has entered the responsibility of the mta.
> Still I wonder:
>
> 1) Why does qmail-queue employ a sequence number, since no two
> processes can have the same pid? If the pidfn is unique to the pid,
> then it's a simple matter to open it O_TRUNC rather than O_EXCL.
> Then the number of junk files is limited to sizeof pid_t.
>
> 2) Why does qmail-queue link the mess file in before the message
> is written? Because a bad mess file isn't cleaned up but every
> 36 hours, whereas a bad pid file will be reclaimed every time the
> pids roll around.
>
> 3) Why not write the uid into a Received: line automatically?
>
> 4) Could setuid(geteuid()) but that doesn't buy very much.
>
> None of this prevents a DOS attack.

Dunno about anyone else, but I tried Wietse's little attack attempt, not to the extent of trying for DoS but to see exactly what it did on a FreeBSD 2.2.8 system. ps -aux showed a qmail-queue sitting there as user qmailq. So I did a few of them. Same thing. I logged off. All of them were gone and there were no files left in the queue from it. So it seems that if/when the admin sees all the qmail-queue's running, dumping lusers one at a time till it clears would tell you who it is or when they logged off it'd clear up anyway.

Vince.
--
==
Vince Vielhaber -- KA8CSH   email: [EMAIL PROTECTED]   flame-mail: /dev/null
# include   TEAM-OS2
Online Searchable Campground Listings   http://www.camping-usa.com
"There is no outfit less entitled to lecture me about bloat than the federal government" -- Tony Snow
==
RE: mailquotacheck and quota.patch
mailquotacheck does that, it bounces e-mails when the recipient exceeded his quota. aside from that, i don't see why you would want any special configuration. On Sat, 6 Nov 1999, Andres wrote: > I know how to use it, thanks, but I would know if there's any option to send > back the messages that couldn't be delivered (using mailquotacheck). > > As there is no manual of quota.patch I don't know how to use it. > > > > > mailquotacheck works fine without any quota patch for Qmail. > > Just put, "|/path/mailquotacheck.sh" (ignore the quotes) in > > your .qmail file. > > > > On Sat, Nov 06, 1999 at 10:22:08AM +0100, Andres Mendez wrote: > > > Hello. > > > > > > I've installed mailquotacheck, but I would like that when a message > can't be delivered (because exceeds the quota) it is sent back to the > sender. > > > > > > I've seen that exists a patch, quota.patch, which is supposed to do > this. Is there a manual or whatever on how to use it, select the quota... > because I can only download the patch with no instructions. > > > > > > >
Re: Fw: Anonymous Qmail Denial of Service
[37 lines snipped]

: :qmail uses a set-uid posting program, called qmail-queue. When
: :this program is invoked, it opens a queue file somewhere below
: :/var/qmail/queue. For example:
: :
: :-rw-r--r-- 1 qmailq qmail 0 Dec 31 17:02 queue/mess/21/674956
: :
: :What happens when the qmail-queue process is signaled with, say,
: :SIGKILL? The file will stay in the queue. That's a zero-length
: :file, owned by qmail, without any user identification whatsoever.
: :
: :Each time a user does something like:
: :
: :% /var/qmail/bin/qmail-queue
: :^Z
: :Suspended
: :% kill -9 %1
: :[1]Killed /var/qmail/bin/qmail-queue
: :%
: :
: :There will be one more zero-length file, owned by qmail, without
: :any user identification whatsoever. It is an exercise for the
: :reader to write a small program that automates the process:

[34 lines snipped]

It's hardly in the same league as the postfix design oversight. This one prevents new mail being queued, that one causes mail to disappear after it has entered the responsibility of the mta. Still I wonder:

1) Why does qmail-queue employ a sequence number, since no two processes can have the same pid? If the pidfn is unique to the pid, then it's a simple matter to open it O_TRUNC rather than O_EXCL. Then the number of junk files is limited to sizeof pid_t.

2) Why does qmail-queue link the mess file in before the message is written? Because a bad mess file isn't cleaned up but every 36 hours, whereas a bad pid file will be reclaimed every time the pids roll around.

3) Why not write the uid into a Received: line automatically?

4) Could setuid(geteuid()) but that doesn't buy very much.

None of this prevents a DOS attack.

-harold
RE: mailquotacheck and quota.patch
I know how to use it, thanks, but I would know if there's any option to send back the messages that couldn't be delivered (using mailquotacheck). As there is no manual of quota.patch I don't know how to use it. > > mailquotacheck works fine without any quota patch for Qmail. > Just put, "|/path/mailquotacheck.sh" (ignore the quotes) in > your .qmail file. > > On Sat, Nov 06, 1999 at 10:22:08AM +0100, Andres Mendez wrote: > > Hello. > > > > I've installed mailquotacheck, but I would like that when a message can't be delivered (because exceeds the quota) it is sent back to the sender. > > > > I've seen that exists a patch, quota.patch, which is supposed to do this. Is there a manual or whatever on how to use it, select the quota... because I can only download the patch with no instructions. > >
Re: qmail II request
[EMAIL PROTECTED] (Russell Nelson) wrote: > Paul Gregg writes: > > In article <[EMAIL PROTECTED]> you wrote: > > > Since I started this thread I can tell you without question what it's about > > > and [EMAIL PROTECTED] isn't any part of it. I want to reject mail being > > > sent to certain valid usernames, such as my database. I'd also like to bounce ^^ > > > some mail to nonvalid usernames without accepting and bouncing afterward since > > > they only double bounce anyway. > > > > To do this, then it requires qmail-smtpd to know everything that qmail-send > > does. > Nonsense. qmail-send needs to know what recipients it will accept. > qmail-smtpd needs to know what recipients it will reject. The two are > disjoint but not covering sets. Usually I would believe much of what you say Russell, but in this case to do this qmail-smtpd needs to know what it will accept, which is basically what I was saying. Paul. -- Email pgregg at tibus.net | Email pgregg at nyx.net| Eight out of every Technical Director| System Administrator | five people are math The Internet Business Ltd | Nyx Public Access Internet | illiterates. http://www.tibus.net | http://www.nyx.net | - Anon.
Re: More Kings Notes, 1/3/98
On Sun, Jan 03, 1999 at 11:05:24PM -0800, [EMAIL PROTECTED] wrote: [a bunch of stuff to the wrong list] sorry 'bout that. Hmmm... munge reply-to? Hmmm... -- John White [EMAIL PROTECTED] PGP Public Key: http://www.triceratops.com/john/public-key.pgp
Re: HOw do I Stop this...
- Mark Delany <[EMAIL PROTECTED]>:

| At 03:38 PM 1/3/99 -0700, John Gonzalez/netMDC admin wrote:
| >Does this mean you cant use rcpthosts and RELAYCLIENT with
| >tcpserver? If you set anything with RELAYCLIENT environment, it
| >totally ignores rcpthosts?
|
| Correct. That's the whole point.

Well, to pick some nits here, it is John's second assumption that is correct; the first one is wrong: Surely you can use rcpthosts and RELAYCLIENT with tcpserver.

| You only ever set RELAYCLIENT on IP addresses that are allowed to
| relay via your server. Typically this will mean your local
| network(s).
|
| If you don't want to give the above addresses access to relay,
| remove them from the rules and let your default "deny" entry take
| care of it.

More nits: That should be the default "allow" entry. In the absence of a general default in the tcpcontrol file, tcpserver acts as if it said

:allow

The point, of course, is that the default behaviour does not set RELAYCLIENT, so rcpthosts applies.

- Harald
Fw: Anonymous Qmail Denial of Service
Wonder if I'll be the first to forward this here... (I know I won't be the last..)

--Adam

- Original Message -
From: Wietse Venema <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 04, 1999 12:04 AM
Subject: Anonymous Qmail Denial of Service

:In recent postings, Daniel Bernstein expands on the insecurity of
:the Postfix world-writable directory for local mail submission.
:Of all the attacks possible with such a scheme, one attack would
:result in mail not being delivered. That is of course unacceptable.
:
:After my request for input from the Bugtraq membership I received
:much useful feedback. Many suggestions were made for implementing
:a private rendez-vous between unrelated, untrusting processes. I
:will try write up a summary of the responses.
:
:I am grateful for all suggestions for improvements that were made,
:in particular for one suggestion made by Daniel Bernstein himself,
:in this same forum:
:
:Why doesn't [Postfix] use a protected queue, and a setuid
:program to add mail to the queue with guaranteed user
:identification?
:
:Postfix uses a set-gid program and a mode 0770 submission directory,
:and it does so for a very good reason. Why doesn't Postfix use a
:set-uid program, as suggested? The reason is that contrary to Daniel
:Bernsteins's claim, a set-uid posting program cannot guarantee user
:identification. I will illustrate this misconception with an example.
:
:qmail uses a set-uid posting program, called qmail-queue. When
:this program is invoked, it opens a queue file somewhere below
:/var/qmail/queue. For example:
:
:-rw-r--r-- 1 qmailq qmail 0 Dec 31 17:02 queue/mess/21/674956
:
:What happens when the qmail-queue process is signaled with, say,
:SIGKILL? The file will stay in the queue. That's a zero-length
:file, owned by qmail, without any user identification whatsoever.
:
:Each time a user does something like:
:
:% /var/qmail/bin/qmail-queue
:^Z
:Suspended
:% kill -9 %1
:[1]Killed /var/qmail/bin/qmail-queue
:%
:
:There will be one more zero-length file, owned by qmail, without
:any user identification whatsoever. It is an exercise for the
:reader to write a small program that automates the process:
:
:fork a child
:child: execute /var/qmail/bin/qmail-queue
:parent: wait briefly and SIGKILL the child
:
:When this sequence is executed a sufficient number of times, the
:queue file system runs out of available resources. No-one can send
:mail. No-one can receive mail. And no-one can be held responsible.
:
:I fully agree with Daniel Bernstein that every mail system, be it
:Postfix or qmail or anything else, should be able to add mail to
:the queue with guaranteed user identification. I am grateful for
:reminding me of this very important and very desirable property.
:
:The lack of user identification as described above was verified on
:BSD/OS 2.1, BSD/OS 3.1, and FreeBSD 2.1.1. It is reasonable to
:expect that the same behavior exists on other BSD systems/versions.
:
:When the same tests are run on Solaris 2.6, RedHat 5.0, and on
:SunOS 4.1.3_U1, the only difference is in the queue file group
:ownership attributes:
:
:-rw-r--r-- 1 qmailq users 0 Dec 31 18:10 queue/mess/1/418325
:
:What can be done about this lack of accountability? On non-BSD
:systems, the hole can be worked around by placing every user in a
:different group, so that a malicious user can be recognized by the
:queue file group ownership. That will not close the hole on BSD
:systems, however. For this reason, the preferable solution is to
:close the hole by changing qmail. For this I suggest the use of a
:set-gid posting program, similar to the one that is used in Postfix.
:
:Wietse
:
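An administrator's check for the condition the forwarded message describes, as an added example that is not part of the thread or of qmail: it lists zero-length files under queue/mess that are older than a grace period and tallies them by group owner, the one attribute the message says can identify the user on non-BSD systems. The function names, the 300-second grace period and the command-line usage are assumptions.

```python
#!/usr/bin/env python3
"""Audit a qmail-style queue/mess tree for stale zero-length files.

Added example; names and thresholds are assumptions, not qmail code.
"""
import grp
import os
import stat
import sys
import time
from collections import Counter
from dataclasses import dataclass

# Assumption: a live qmail-queue writes its message well within this window,
# so an empty file older than this was left behind by a killed process.
GRACE_SECONDS = 300


@dataclass
class Orphan:
    path: str
    uid: int
    gid: int
    age: float  # seconds since last modification


def find_orphans(mess_dir, min_age=GRACE_SECONDS, now=None):
    """Return zero-length regular files under mess_dir older than min_age."""
    now = time.time() if now is None else now
    found = []
    for root, _dirs, files in os.walk(mess_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except FileNotFoundError:
                continue  # message was delivered and removed while we walked
            if not stat.S_ISREG(st.st_mode) or st.st_size != 0:
                continue
            age = now - st.st_mtime
            if age >= min_age:
                found.append(Orphan(path, st.st_uid, st.st_gid, age))
    return found


def by_group(orphans):
    """Tally orphans per gid. With one group per user this points at the
    submitter; where new files take the directory's group (BSD), every
    orphan shows the queue's own group and the tally identifies nobody."""
    return Counter(o.gid for o in orphans)


def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def inode_headroom(path):
    """Fraction of inodes still free on the queue file system, or None
    when the file system does not report an inode count."""
    vfs = os.statvfs(path)
    if vfs.f_files == 0:
        return None
    return vfs.f_favail / vfs.f_files


def report(mess_dir, min_age=GRACE_SECONDS):
    orphans = find_orphans(mess_dir, min_age)
    lines = [f"{len(orphans)} zero-length file(s) older than {min_age}s in {mess_dir}"]
    for gid, count in by_group(orphans).most_common():
        lines.append(f"  group {group_name(gid)} (gid {gid}): {count}")
    headroom = inode_headroom(mess_dir)
    if headroom is not None:
        lines.append(f"  free inodes: {headroom:.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sys.argv[1] if len(sys.argv) > 1 else "/var/qmail/queue/mess"))
```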
Re: fetchmail and qmail-inject as MTA
On Mon, Jan 04, 1999 at 01:44:06AM +0100, Mirko Zeibig wrote: > Hello, > I am using fetchmail to fetch my mail from an POP3-account. Now as I do > not have defined a special MTA local delivery is done by SMTP. > One might specify another MTA as option and I remember having seen the > suggestion to use qmail-inject for this one?!? This is the fetchmailrc I've been using before I switched to bSMTP. poll pop.vuurwerk.nl protocol POP3 #interface ppp0/0.0.0.0/0.0.0.0 user hardbeat is peter here mda "/var/qmail/bin/qmail-inject peter" pass fetchall set syslog Greetz, Peter. -- AND I AM GONNA KILL MIKE| Peter van Dijk hardbeat, als je nog nuchter bent: | [EMAIL PROTECTED] @date = localtime(time); | realtime security d00d $date[5] += 2000 if ($date[5] < 37); | $date[5] += 1900 if ($date[5] < 99); |-x- available -x-
qmail Digest 6 Nov 1999 11:00:01 -0000 Issue 812
Hello all,

I send a mail with multiple recipients to qmail. According to qmail configuration, it should be forwarded to another host for all listed recipients. I would expect, that it will be sent as a single message in single SMTP session (with multiple RCPT TO:). But it's not true - qmail sends it as many separate messages - for each recipient one.

Does anybody know why ? Does anybody know, under which conditions will qmail do remote delivery with multiple recipients in single SMTP session ?

It's very important question, because qmail is used as a mail server on local intranet - it delivers messages for local users on local hosts and it forwards all mails for Internet recipients to the ISP's mail server via dial-up line. So when single message to many Internet recipients is sent, it increases connection time&cost rapidly, if it is forwarded to ISP's mail server as separate mail for each address.

Thank you very much for any answers or recommendations.

Matej Ondrusek [EMAIL PROTECTED]

On Fri, 5 Nov 1999, Matej Ondrusek wrote:

> recipients. I would expect, that it will be sent as a single
> message in single SMTP session (with multiple RCPT TO:). But it's not
> true - qmail sends it as many separate messages - for each recipient
> one.
>
> Does anybody know why ?

That's because that's how it works.

> Does anybody know, under which conditions
> will qmail do remote delivery with multiple recipients in single SMTP
> session ?

Never.

> It's very important question, because qmail is used as a mail server
> on local intranet - it delivers messages for local users on local
> hosts and it forwards all mails for Internet recipients to the ISP's
> mail server via dial-up line. So when single message to many Internet
> recipients is sent, it increases connection time&cost rapidly, if it
> is forwarded to ISP's mail server as separate mail for each address.
>
> Thank you very much for any answers or recommendations.

Use something else, because Qmail will not work for you.

-- Sam

Matej Ondrusek <[EMAIL PROTECTED]> wrote:
>Does anybod
Re: More Kings Notes, 1/3/98
On Sun, Jan 03, 1999 at 10:41:15PM -0800, Stephanie Thompson wrote:
> At 07:22 PM 1/3/99 -0800, Mike Mc Gill wrote:
> >Courtnall is going to be out three more weeks than they originally predicted
> >and McKenna could have known that his tear wasn't going to heal on its own.
> >Oh, well.
>
> Didn't someone post a while back that team doctors were upset with
> Courtnall for not using the crutches and that it was impairing the healing
> process? I can't remember where I heard it for the life of me. But
> anyway... WHY RUSS, WHY?!?!?! Just think... now it'll be an extra three
> weeks he's out. Just my 2 cents.

This really made me wonder too. Are the Kings obligated to pay the contract of a guy who disregards medical advice and prolongs his IR status?

--
John White [EMAIL PROTECTED]
PGP Public Key: http://www.triceratops.com/john/public-key.pgp
Users with capitals
One of my users is Seek3r, which has a capital letter. Does qmail have a problem with that? and is there a fix? Also when I run qmail-pw2u to create my /var/qmail/users/assign file it just hangs and never ends, and no assign file is created. I had to create one myself manually. Thanks for your help
Re: qmail II request
On 3 Jan 1999, Russ Allbery wrote:
>
> Paul Gregg <[EMAIL PROTECTED]> writes:
>
> > But cron only emails any output sent to stdout. So ensure none happens
> > and tack on |/var/qmail/bin/qmail-inject [EMAIL PROTECTED]
> > to the end of the cron line.
> [...]
>
> And that should be 2>&1 |/var/qmail/bin/qmail-inject, I believe.

Except that that will result in a blank email if there is no output.

I had to kludge a broken cron implementation so I wrote a quick script that only sends email if there is any output. See cronoutput at:

http://www.foogrill.com/scripts.html

I've only tested it for a short time so YMMV.

Cheers,
Vern
--
,+'^'+, Vern Hart O Creative Design Engineer - The Hungry Programmers
`+,.,+' [EMAIL PROTECTED] http://www.hungry.org
10:43pm up 22 day(s), 12:52, 16 users, load average: 0.07, 0.12, 0.14