qmail-remote crashing w/TLS patch

2001-06-02 Thread Charles Sprickman

Hi,

I'm getting tons of these log entries whenever I send mail:

May 25 18:49:19 bigpoop qmail: 990830959.449207 status: local 0/10 remote 1/20
May 25 18:49:19 bigpoop qmail: 990830959.662255 delivery 801: deferral: qmail-remote_crashed./

I fear that this started after I rebuilt qmail on this box with the
following patches:

tls/ssl
Frederik Vermeulen <[EMAIL PROTECTED]> 20010106
http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch

smtp-auth
http://members.elysium.pl/brush/qmail-smtpd-auth/

tarpit
Chris Johnson
[EMAIL PROTECTED]

It was rough combining these, but the most trouble was in smtpd, not
qmail-remote, as only one patch touched it (the TLS patch).

Any hints on how to debug this?  Anyone else running this combo?

Thanks,

Charles

| Charles Sprickman  | Internet Channel
| INCH System Administration Team| (212)243-5200
| [EMAIL PROTECTED] | [EMAIL PROTECTED]






How to filter a special mail address or subject when receiving all mail.

2001-06-02 Thread George Xu



Hello:
I use a qmail+mysql system on SunOS. I want to filter a special mail
address, subject, or content when the qmail server receives all mail.

How do I do this?
Thank you!


Can the original sender receive a notice mail when mail can't be sent?

2001-06-02 Thread George Xu



Hello all:
I have two questions.
1. I want to know how qmail processes mail it receives for a user that does
not exist on the qmail server. Which program processes it; is it qmail-send?

Can the original sender receive a notice mail?

2. About quota: when a user's mail size exceeds the max quota size, how does
qmail process it, or is it a qmail-local error?

Can the original sender receive a notice mail?
Thank you.


Re: smtp on a specific IP

2001-06-02 Thread Ross Davis

I don't think that will help me yet. (Maybe I am being really stupid or
missing something.) How does qmail know that mail that is from domain
mail.domain1.com is to be delivered on IP xxx.xxx.xxx.xxx and that mail from
mail.domain2.com is to be delivered using IP yyy.yyy.yyy.yyy?

At the point that qmail is sending out mail via smtp it no longer knows what
domain it is sending out mail for, does it?

There has to be some kind of config file that tells qmail-smtpd what domains
to send for.  I would expect something like this would have to be done.
A file called smtpddomain1
mail.domain1.com

Another file called smtpdotherdomains
mail.domain2.com
mail.domain3.com
...etc

(I know that the above doesn't exist - just dreaming)

Another thought would be if I could use the domain name on the program line
as below. (That would be a pain to have to add a new smtp file for every
domain that I want to be unique)

> #!/bin/sh
> QMAILDUID=`id -u qmaild`
> NOFILESGID=`id -g qmaild`
> MAXSMTPD=`/bin/cat /var/qmail/control/concurrencyincoming`
> exec /usr/local/bin/softlimit -m 200 /usr/local/bin/tcpserver \
> -vPHR -c "$MAXSMTPD" -x /var/qmail/cdb/smtp.cdb \
> -u "$QMAILDUID" -g "$NOFILESGID" mail.domain1.com smtp /var/qmail/bin/qmail-smtpd 2>&1
>
^^

> run file for mail2.example.com:
>
> #!/bin/sh
> QMAILDUID=`id -u qmaild`
> NOFILESGID=`id -g qmaild`
> MAXSMTPD=`/bin/cat /var/qmail/control/concurrencyincoming`
> exec /usr/local/bin/softlimit -m 200 /usr/local/bin/tcpserver \
> -vPHR -c "$MAXSMTPD" -x /var/qmail/cdb/smtp.cdb \
> -u "$QMAILDUID" -g "$NOFILESGID" mail.domain2.com smtp /var/qmail/bin/qmail-smtpd 2>&1
>
^^





Re: headers in failure notice

2001-06-02 Thread Russell Nelson

Charles Cazabon writes:
 > I personally don't see how this would help anything.  As Russell Nelson has
 > said a couple of times in the last 24 hours, "What problem are you trying to
 > solve?"

It's a terribly useful question when a customer calls up and asks me
how to do something that makes no sense.  Maybe I just don't
understand the problem; maybe they're trying to solve a problem the wrong
way.  Asking for a description of the problem keeps me from saying
something stupid.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Microsoft rivets everything.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws.
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX  | You own a screwdriver.



Re: xinetd

2001-06-02 Thread David Means

I personally don't care to run tcpserver, although I've run it in the
past, and it worked well at that time.  tcpserver is nothing but a
wrapper to enable one to 1) log connections, and 2) keep unallowed hosts
out.  Xinetd does that for me.  Why would any one want to run two
servers that can do the same thing? 

Here's my config for xinetd.  I've not yet configured it to be aware of
the RCPTHOSTS env var (or what ever it's called).  Drop me a line if
you'd like.


David


service smtp
{
        socket_type     = stream
        wait            = no
        user            = qmaild
        server          = /var/qmail/bin/tcp-env
        server_args     = /var/qmail/bin/qmail-smtpd
        log_on_success  = HOST PID USERID DURATION USERID
        log_on_failure  = HOST RECORD ATTEMPT USERID
}



Charles Cazabon wrote:
> 
> Eduardo Gargiulo <[EMAIL PROTECTED]> wrote:
> >
> > I had installed qmail and it's running ok.  All the examples say to add a
> > line in /etc/inetd.conf to run qmail-smtpd, but I don't know how to
> > configure it in xinetd.  Where can I find an xinetd example and what is
> > tcp-env for?
> 
> Running qmail from inetd is deprecated.  Download ucspi-tcp and run it under
> tcpserver.
> 
> Charles
> --
> ---
> Charles Cazabon<[EMAIL PROTECTED]>
> GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
> Any opinions expressed are just that -- my opinions.
> ---




Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Russell Nelson

Boris writes:
 > If you will find 100 bugs in sendmail they are fixed then after
 > reporting them. The game is over, the problem is solved. The admin
 > updates, and that's all.

Actually, the admin doesn't update.  Or rather, some do, and some
don't.

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Microsoft rivets everything.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws.
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX  | You own a screwdriver.



RE: xinetd

2001-06-02 Thread Kirti S. Bajwa

Eduardo:

xinetd.conf is something new. I have seen it in RH 7.1. You will notice that
it includes a statement that looks something like this:

"includedir /etc/xinetd.d"

If you open the directory "xinetd.x", you will find several files. Each file
represents an entry in the old "inetd.conf". If you open "/etc/xinetd.x/pop3"
file, you will see how "pop3" is set up. For how to set up these files in
"etc/xinetd.x", please read "man xinetd.conf" pages.

Several people have suggested using tcpserver. I suggest you look into it.
It might be easier and better (or that's what everybody says). Hope it
helps.


Kirti

-----Original Message-----
From: Eduardo Gargiulo [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 02, 2001 12:59 PM
To: [EMAIL PROTECTED]
Subject: xinetd


Hi all.

I had installed qmail and it's running ok.
All the examples say to add a line in /etc/inetd.conf to run
qmail-smtpd, but I don't know how to configure it in xinetd.
Where can I find an xinetd example and what is tcp-env for?

--xgnu powered by vi editor
:%s/Micros~1/GNU\/Linux/g^M
:wq!^M



Re: xinetd

2001-06-02 Thread Charles Cazabon

Eduardo Gargiulo <[EMAIL PROTECTED]> wrote:
> 
> I had installed qmail and it's running ok.  All the examples say to add a
> line in /etc/inetd.conf to run qmail-smtpd, but I don't know how to
> configure it in xinetd.  Where can I find an xinetd example and what is
> tcp-env for?

Running qmail from inetd is deprecated.  Download ucspi-tcp and run it under
tcpserver.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Re: 451 error

2001-06-02 Thread Charles Cazabon

Nathaniel L. Keeling III <[EMAIL PROTECTED]> wrote:
> I would like to say thank you for the help so far on the 451 error that
> I am receiving. I am still having a problem with this message.
[...]
>  214 < -Version: 1.0
>  214 < Content-Type: text/html; charset=US-ASCII
>  214 <
>  214 > 451 See http://pobox.com/~djb/docs/smtplf.html.
> 1214 > [EOF]
> tcpserver: end 1214 status 256

Did you go read the page at the URL that qmail told you to look at?
The client is sending bare linefeeds, which are forbidden.  Fix the client.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---
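
A streaming check for the condition described in the reply above, as an added example (not code from the thread or from qmail): it reports every LF that is not preceded by CR in a message, and shows the sender-side normalisation. The class name, function names and the sample message are constructed for illustration.

```python
"""Added example: locate bare LF bytes in an SMTP DATA stream."""

CR, LF = 0x0D, 0x0A


class BareLFScanner:
    """Streaming check for LF bytes that are not preceded by CR.

    State is carried between feed() calls, so a CRLF pair split across two
    network reads (CR ends one chunk, LF starts the next) is not misreported.
    """

    def __init__(self):
        self.offset = 0      # absolute offset of the next byte to scan
        self.line = 1        # 1-based number of the line being scanned
        self.prev = None     # last byte seen, kept across chunks
        self.findings = []   # (absolute offset, line number) per bare LF

    def feed(self, chunk: bytes):
        for b in chunk:
            if b == LF:
                if self.prev != CR:
                    self.findings.append((self.offset, self.line))
                self.line += 1
            self.prev = b
            self.offset += 1
        return self.findings


def find_bare_lf(data: bytes):
    """Scan a complete message held in memory."""
    return BareLFScanner().feed(data)


def to_crlf(data: bytes) -> bytes:
    """Sender-side fix: turn every bare LF into CRLF, leave CRLF untouched."""
    out = bytearray()
    prev = None
    for b in data:
        if b == LF and prev != CR:
            out.append(CR)
        out.append(b)
        prev = b
    return bytes(out)


# Constructed sample (not the poster's actual message): the second header
# line ends in a bare LF, every other line ends in CRLF.
SAMPLE = (
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/html; charset=US-ASCII\r\n"
    b"\r\n"
    b"<html>body</html>\r\n"
)

if __name__ == "__main__":
    for offset, line in find_bare_lf(SAMPLE):
        print(f"bare LF at byte {offset}, line {line}")
    print("after to_crlf:", find_bare_lf(to_crlf(SAMPLE)))
```

Running the scanner over what the mailing program actually puts on the wire shows which line the generator terminates incorrectly; padding the message with extra CRLF pairs, as tried in the original report, leaves the offending LF in place.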



Re: host masquerading / qmail-remote problems

2001-06-02 Thread Charles Cazabon

Phil Schwartz <[EMAIL PROTECTED]> wrote:
> I've scanned through the archives and FAQ and I
> *think* I have qmail set up properly, however
> masquerading isn't working for me.

If you still want help, try reposting your question using your real domain
name and FQDN.  It could be a DNS issue (in fact, sounds like it to me), but I
get a headache trying to look at "phil@domain" and "phil@FQDN" all day.  We
need real DNS info to tell you if this is the problem.

Also include the unedited output of qmail-showctl.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Re: headers in failure notice

2001-06-02 Thread Charles Cazabon

John Hogan <[EMAIL PROTECTED]> wrote:
> 
> >I've never seen anyone else ask for this type of control, and have a
> >difficult time imagining why it would be necessary (or even desirable).
> >Probably no one else has written such a patch or add-on; you'd need to do
> >it yourself.  Note that this would then require parsing the original
> >message headers -- a job tricky to do without introducing bugs.
> 
> ick

Yes, ick indeed.

> >Why do you want to control this?
> 
> we get quite a number of them daily (sometimes 300-400/day) - some 
> customers' sites have email addresses on web pages, robots harvest them 
> (you know the ending)

Yes.  I see 100-300 double-bounces a day myself.  I glance at them to see if I
can help someone (obvious typo, etc) but most are double-bounces of spam to
bad addresses, and get deleted with <1s of effort on my part.

> i'd like to at least get rid of the Content-Type, Content-Transfer, 
> X-MSMail-Priority, etc... just keep the basics in case i need to flog someone

I personally don't see how this would help anything.  As Russell Nelson has
said a couple of times in the last 24 hours, "What problem are you trying to
solve?"  Bounces go to the envelope sender; returning the complete headers of
their message to them can help them if they need to re-send it.  Returning
incomplete headers looks like a lot of work with little payoff in the end.
Double-bounces are a fact of life to a mail admin.

Charles
-- 
---
Charles Cazabon<[EMAIL PROTECTED]>
GPL'ed software available at:  http://www.qcc.sk.ca/~charlesc/software/
Any opinions expressed are just that -- my opinions.
---



Re: xinetd

2001-06-02 Thread Nick (Keith) Fish

Eduardo Gargiulo wrote:
> 
> Hi all.
> 
> I had installed qmail and it's running ok.
> All the examples say to add a line in /etc/inetd.conf to run
> qmail-smtpd, but I don't know how to configure it in xinetd.
> Where can I find an xinetd example and what is tcp-env for?
> 
> --xgnu powered by vi editor
> :%s/Micros~1/GNU\/Linux/g^M
> :wq!^M

Don't use xinetd.  Use tcpserver instead.

-- 
Keith
Network Engineer
Triton Technologies, Inc.



xinetd

2001-06-02 Thread Eduardo Gargiulo

Hi all.

I had installed qmail and it's running ok.
All the examples say to add a line in /etc/inetd.conf to run
qmail-smtpd, but I don't know how to configure it in xinetd.
Where can I find an xinetd example and what is tcp-env for?

--xgnu powered by vi editor
:%s/Micros~1/GNU\/Linux/g^M
:wq!^M



451 error

2001-06-02 Thread Nathaniel L. Keeling III


I would like to say thank you for the help so far on the
451 error that I am receiving. I am still having a problem with this message.
Here is the output from the smtp log file with recordio. The error is occurring
between the header information and the message itself. There was already
a carriage return line feed after the content type line and we tried to
add some more but it did not help. When we added more carriage return line
feed, we got more blank lines. I am thinking this error has something to
do with the blank line between the header information and the message itself.
Any help or information would be appreciated. Thanks.

tcpserver: ok 1214 kweku.akan.net:207.227.131.131:25 ro05-24-131-178-246.ce.mediaone.net:24.131.178.246::1254
 214 > 220 kweku.akan.net ESMTP
 214 < HELO ForSure_MailBot
 214 > 250 kweku.akan.net
 214 < MAIL FROM:<[EMAIL PROTECTED]>
 214 > 250 ok
 214 < RCPT TO:<[EMAIL PROTECTED]>
 214 > 250 ok
 214 < DATA
 214 > 354 go ahead
 214 < Sender: [EMAIL PROTECTED]
 214 < Reply-to: [EMAIL PROTECTED]
 214 < To: "Nathaniel Keeling" <[EMAIL PROTECTED]>
 214 < From: "billing" <[EMAIL PROTECTED]>
1214 < Date: Thu, 31 May 2001 00:03:15
1214 < Subject: Invoice 1011 for June Services
 214 < X-Mailer: ForSure_MailBot (5.5.1960.3)
1214 < MIME+
 214 < -Version: 1.0
 214 < Content-Type: text/html; charset=US-ASCII
 214 <
 214 > 451 See http://pobox.com/~djb/docs/smtplf.html.
1214 > [EOF]
tcpserver: end 1214 status 256
 
 


Re: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Todd Finney

At 12:25 PM 6/2/01, Mark Delany wrote:
>On Sat, Jun 02, 2001 at 05:20:01PM +0200, Boris allegedly wrote:
> > Well, there is no button with a text like "press me here" -) for
> > the public.
>
>Of course there is, silly.
>
>Now, what do you think most script kiddies do? They don't scour the
>code for exploits as you imply with "there is no button". They simply
>download the hard work of one or two people and install the pre-built
>button. It's trivial. So, "press me here" is as far away as a
>download. You're not seriously suggesting this is a serious security
>barrier are you?

This is a very, very good point.  We have unfortunately reached a stage 
where the crackers don't need to actually _know_ anything 
anymore.  They download a port scanner and a root kit, and can 
compromise your machine without having any real understanding of what's 
going on.

You not only have to protect yourself from the skilled, determined 
cracker, but also from the unskilled, casual cracker.   The former is 
far more difficult than the latter, but fortunately the really talented 
black hats have better things to do than hit 99% of the machines out 
there.

We had a machine compromised by an exploit in the wu-ftpd package a 
couple of years ago.  Fortunately, I happened to be on the machine when 
it occurred, and was able to monitor the cracker's activities and shut 
him down before he was able to cause any real damage.

Based upon the things he typed, he had no idea what he was doing:

 cd /etc/init.
 cd /etc/init.d
 ls
 cd etc
 ls
 ls init*
 ls rc*
 cd rc.local
 ls
 ls -al rc.*
 cd init.d

And yet, in the space of 5-10 minutes, he was able to break in and 
install three trojans.

Sendmail can be secure, if you really know what you're doing and stay 
on top of the patches that come out (every three days or so).  I don't 
have that kind of time, so I'd rather have a mail server that is secure 
out of the box.  We've been gradually migrating our domains from 
sendmail to qmail over the last ~year; I've had to patch sendmail at 
least twice, qmail hasn't needed anything since install.

I can deal with (sometimes) sketchy documentation and the hassle of 
installing 12 different things to get the results I want -  that's 
still easier than restoring a machine that's been compromised.

Todd






Re: Enquiry

2001-06-02 Thread El Chupacabra

On Fri, 1 Jun 2001, Rohit Gupta, without knowledge of the facts, wrote:

> Hi all guruz
> 
> Is there any way out without using vpopmail.. that i can analysing qmail queue and
> cleaning it manually without actually get into queue directory and deleting the files
> manually
> rgds
> Rohit
> 

You can try to use 'qmHandle'

Bye.
-- 
--
El Chupacabra
Linux User No.: 187826
e-mail: <[EMAIL PROTECTED]>
--
Remember, there is always a Chupacabra
around the corner.
--





Re: masquerading and qmail-smtpd

2001-06-02 Thread Alex Pennace

On Sat, Jun 02, 2001 at 09:28:02AM +0200, [EMAIL PROTECTED] wrote:
> I wanna masquerade hosts that send mail using qmail-smtpd
> from my internal net.
> 
> control/defaulthost doesn't work 'cos for qmail-inject
> QMAILSHOST to my environment doesn't work
> 
> adding the env in my tcpserver cdb file like
> 
> 172.16.3.:allow,RELAYCLIENT="",QMAILSHOST="trivial.3va.net"
> 
> does not work either. Is there a way?

qmail-smtpd isn't designed to do any rewriting. You want ofmipd, see
.




Re: expn

2001-06-02 Thread Mark Delany

On Sat, Jun 02, 2001 at 09:02:08AM -0700, Rob Genovesi allegedly wrote:
> Hello List,
> 
> Is this "expn" (expand) command completely disabled in Qmail (1.03)?  If 
> so, are there any patches out there to enable expn from certain hosts on a 
> Qmail server?

It's not disabled as such, it's merely not implemented in the standard
product for a variety of reasons - one of which is that the design
does not lend itself readily to expn (but there are good privacy
reasons too).

Having said that, there are patches to do this and a search of the
archives should reveal where they are.

> I'm trying to find a solution for a remote product to find the pop3 account 
> behind a catch-all virtual account and a limited-access expn would 
> certainly do the trick.

It sounds like you'll be adding non-standard code to both ends of this
solution so why not do something more specific that doesn't involve
patching qmail, such as a protected access web page? Or a protected
access finger port? Or a periodic rsync of the user list?


Regards.



Re: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Mark Delany

On Sat, Jun 02, 2001 at 05:20:01PM +0200, Boris allegedly wrote:
> Hello Johan,
> 
> 
> JA> Not quite. More like "someone inspects your free car and finds a button
> JA> that can make it explode. Maybe he pushes the button, maybe not. Maybe he
> JA> pushes the button on someone else's car". Are you willing to take that
> JA> risk? I can imagine two situations where that would be the case: either
> 
> Well, there is no button with a text like "press me here" -) for
> the public.

Of course there is, silly.

Tell us, your mail program seems to be "The Bat! (v1.48f) Personal" -
did you write this program from scratch yourself or did you simply
click a few buttons and install the work of someone else?

Now, what do you think most script kiddies do? They don't scour the
code for exploits as you imply with "there is no button". They simply
download the hard work of one or two people and install the pre-built
button. It's trivial. So, "press me here" is as far away as a
download. You're not seriously suggesting this is a serious security
barrier are you?

> If we are talking about the security of a product, we have several
> things to take a look at. Internal security (a mailserver-only
> solution, mailserver+webserver, n mailservers, persons who access the
> mail queue as root). External security. Buffer overflows, chroot
> problems, jail problems, password problems. Design specific topics,
> what is secure, what is not secure, what can be implemented, what is
> not secure.

You are obscuring definition with implementation (and jargon for that
matter).

> As root i can read all the messages in clear text, sendmail or qmail -
> a security risk? An attack to privacy? Or just a design problem?
> Or is it not a design problem, it's just normal?
> 
> Security is relative.

No it's not. You're futzing and confused. This is real simple.

The security of a product is defined as a set of claims about
providing certain protection. A security problem exists when the
product does not meet a stated claim. Eg, qmail never claimed to
protect clear text messages on disk from root, so why did you bring it
up?

However, both qmail explicitly and sendmail (somewhat less explicitly)
do make claims about protecting against a user gaining elevated
privileges. This thread started from yet another alert about being
able to corrupt the memory of sendmail. Corrupting memory is a tried
and true method of gaining elevated privileges and time and again
this method *has* been used to gain elevated privileges via sendmail.

In other words, sendmail has repeatedly failed to live up to its
security claims and it looks like this current announcement may be
just another example.

So, in spite of what you say, you do not have to "have several things
to take a look at" and you don't have to understand sentences full of
buzzwords like "chroot problems" and "jail problems"...

You simply ask the question "has sendmail failed to live up to its
security claims". The answer is a repeated "yes" bordering on
recidivism and no amount of obfuscation by you will change that fact.


Your sole defense is that sendmail doesn't make such security claims
explicitly and thus people are silly to infer such security. This is
indeed a strong argument.


Regards.



expn

2001-06-02 Thread Rob Genovesi

Hello List,

Is this "expn" (expand) command completely disabled in Qmail (1.03)?  If 
so, are there any patches out there to enable expn from certain hosts on a 
Qmail server?

I'm trying to find a solution for a remote product to find the pop3 account 
behind a catch-all virtual account and a limited-access expn would 
certainly do the trick.

Thanks,

Rob Genovesi
[EMAIL PROTECTED]





Re: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Patrick Atamaniuk

Aaron L. Meehan([EMAIL PROTECTED])@2001.06.01 12:14:20 +:
> I've been looking for a sucker.. OK I'll bet a six pack is
> doesn't. (or, if Bud, I'd demand a case)
i put another six pack on top.
Reasons per priv. mail

-- 
regards,
Patrick


Patrick Atamaniuk   [EMAIL PROTECTED]

http://www.atamaniuk.de
http://www.atabersk.de




Re: IsoQlog problems

2001-06-02 Thread Flavio Curti

hi

multilog rotates the logfiles after 100k per default. the isoqlogappend script only 
runs when the log rotates, so isoqlog has nothing to process if you call it before the 
log rotated.
HUP'ing the log process actually rotates the log, so svc -h it before you run isoqlog 
and it should work.
you could change the ssize parameter for multilog as well, but somewhere in the isoqlog
documentation it says that this would break isoqlog...

greetz & hope it helps

Flavio

On Tue, 29 May 2001 09:39:45 -0400 Gary MacKay <[EMAIL PROTECTED]> wrote:

> Does anyone have isoqlog running consistently? I have worked on this for
> quite awhile and think I have it narrowed down to the fact that I don't
> get enough traffic to make the ../send/current log file grow over 100k.
> 
> Let me explain: I have installed isoqlog on several servers from very
> low to very high traffic. The high traffic sites seem to work fine, the
> low traffic sites don't work at all, and the medium traffic sites work
> once in awhile. (Sounds like the three bears story right?) Anyway, with
> all the testing I've done, it seems to be related to the ../send/current
> file not getting big enough. I have setup qmail using the LWQ doc and
> multilog. The author suggested I use splogger instead of multilog, but
> the LWQ doc says not to do that since it slows everything down. Since I
> only have trouble on the low traffic sites, would switching to splogger
> be a big problem? Where is this magic number of 100k for multilog? Can
> it be changed?
> 
> - Gary
> 


-- 
http://no-way.org/~fcu/



Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Adrian Ho

On Sat, 2 Jun 2001, Boris wrote:

> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

I would argue that you /should/ take the time.  Qmail's power lies in its
amazing flexibility and configurability, but the downside is that it's
easy to get things not quite the way you wanted it.

As a wise man once said (or words to that effect), "If you can't find the
time to do it right, how will you find the time to do it over?"  IMO, this
applies to qmail in spades (and most of DJB's software in general).

If you're in a hurry, the mail-related stuff bundled with your favorite
distro (hopefully at least postfix-quality) is probably a better choice.
That'll at least get you up and running till you can find the time to
Understand And Do The Right Thing, or until a security compromise or
broken setup forces you to make time.  8-)

-- 
Adrian Ho   [EMAIL PROTECTED]




Re[4]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello Johan,


JA> Not quite. More like "someone inspects your free car and finds a button
JA> that can make it explode. Maybe he pushes the button, maybe not. Maybe he
JA> pushes the button on someone else's car". Are you willing to take that
JA> risk? I can imagine two situations where that would be the case: either

Well, there is no button with a text like "press me here" -) for
the public.

If we are talking about the security of a product, we have several
things to take a look at. Internal security (a mailserver-only
solution, mailserver+webserver, n mailservers, persons who access the
mail queue as root). External security. Buffer overflows, chroot
problems, jail problems, password problems. Design specific topics,
what is secure, what is not secure, what can be implemented, what is
not secure.

As root i can read all the messages in clear text, sendmail or qmail -
a security risk? An attack to privacy? Or just a design problem?
Or is it not a design problem, it's just normal?

Security is relative.


--
Boris





Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Johan Almqvist

* Boris <[EMAIL PROTECTED]> [010602 16:28]:
> LM> If you bought (OK, got for free) a car, and it exploded, leaving you
> LM> burned, then you waited a week to get a new car mailed to you, then you
> The car is not exploding, someone comes and looks at your car. He is
> searching and searching and searching until he finds a silly bug like
> "the fuel meter shows something wrong, this could be a security risk"
> but in fact the man is driving the car years without a problem. Some
> month he updates the car (new version) and that's all.

Not quite. More like "someone inspects your free car and finds a button
that can make it explode. Maybe he pushes the button, maybe not. Maybe he
pushes the button on someone else's car". Are you willing to take that
risk? I can imagine two situations where that would be the case: either
you do something that is so unimportant for the rest of the world that
noone bothers destroying your work, or you do something that is so good
for everyone that noone will want to destroy your work, not even out of
envy. Come on, not even the UN are _that_ good :-)

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/



Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:


LM> If you bought (OK, got for free) a car, and it exploded, leaving you
LM> burned, then you waited a week to get a new car mailed to you, then you

The car is not exploding, someone comes and looks at your car. He is
searching and searching and searching until he finds a silly bug like
"the fuel meter shows something wrong, this could be a security risk"
but in fact the man is driving the car years without a problem. Some
month he updates the car (new version) and that's all.


--
Boris





Re: Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Daniel Kelley


> Why no one makes a package with "all you need" to download and
> install, here is a suggestion:
> 
> - qmail
> - the tcpserver
> - something good for pop before smtp
> - vpopmail
> - good tools for blocking spam, blocking mails from open relays, and
> so on
> - and other additions from other people i do not know
> 
> There should be one file to download and the makefile should do nearly
> everything necessary. I should not spend days to understand the
> different modules as a newbie, it takes too much time.

the author of qmail has specific rules for how qmail packages can be
distributed. 

see http://cr.yp.to/qmail/dist.html

basically, you can distribute so called "var-qmail" packages, but anything
else seems to require Dan Bernstein's approval.




Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello List,

Saturday, June 02, 2001, 7:24:56 AM, you wrote:

>> I like sendmail, it's slow - yes, but it is powerful and these silly
>> bugs are fixed fast. It's just some C-Code, everyone knows this.

LM> Yeah, it is only a few hundred thousand lines of code, and you should have
LM> looked through it for bugs or exploits before you compiled it, right?  It

Well, this is a strange argument, sorry.

There is no product without any errors, maybe a "hello world" program.
If you write it in c++, it's a design problem if you use a try..catch..
within the main clause or not, for example.

There are a lot of security bugs everywhere in a lot of programs, most of them are
non-critical to critical, and some fanatic people are screaming about some really
silly problems.

Software engineering is a living process. Bugs are normal, they are
reported and then fixed. That's all, there are some more important
things in life than "i am the master i have found a (silly) bug".

The people are screaming if they found a bug, they are the masters,
but it's just a bug, and after the bug is fixed, the problem is over.

If you will find 100 bugs in sendmail they are fixed then after
reporting them. The game is over, the problem is solved. The admin
updates, and that's all. The day continues.

Bugs are +just bugs+ and they are fixed after reporting them.


--
Boris





Re: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Karsten W. Rohrbach

Boris([EMAIL PROTECTED])@2001.06.02 05:01:57 +:
> When I was using sendmail on my FreeBSD Server, it has never been
> hacked, very strange ugh?
no. with your domain name, it is very unlikely to be a crack target ;-)
if your domain is called cnn.com or the like, you would not run sendmail
for the sake of security. most script kiddie attacks get fixed very
fast in sendmail, but nobody will change the base design of the software
which is potentially dangerous.

/k

-- 
> question = ( to ) ? be : ! be; // Wm. Shakespeare
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- [EMAIL PROTECTED]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46



Re[2]: Oops,I guess Sendmail wasn't secure after all...

2001-06-02 Thread Boris

Hello Russell,

Saturday, June 02, 2001, 5:38:43 AM, you wrote:

RN> Boris writes:
RN>  > I really can't hear the "qmail is the most secure bla bla" anymore,
RN>  > really.

RN> Why?  It's true.

Yes it is true, and qmail is great, but it would be better to make a
better documentation for qmail, and to offer "bundles" with a single
makefile.

My english is not very good, sorry.

I mean qmail has better arguments as security only.

Why does no one make a package with "all you need" to download and
install? Here is a suggestion:

- qmail
- the tcpserver
- something good for pop before smtp
- vpopmail
- good tools for blocking spam, blocking mails from open relays, and
so on
- and other additions from other people I do not know

There should be one file to download and the makefile should do nearly
everything necessary. I should not spend days to understand the
different modules as a newbie, it takes too much time.

RN>  > At the moment I am evaluating qmail, and there
RN>  > are some things I am missing from sendmail.

RN> Like what?

See above, a better installation, better documentation. I have written
in my Linux/Unix book a chapter about the installation and
configuration of qmail in a production environment, covering all
necessary topics (German language) but it's too much for the stressed
administrator.

Strange argument, I know. I am a user only in this case.

Putting a lot of snippets together for one package is not a bad idea
and would give a boost to qmail (I think).


--
Boris





Re: Enquiry

2001-06-02 Thread Russell Nelson

Rohit Gupta writes:
 > Hi all guruz
 > 
 > Is there any way, without using vpopmail, that I can analyse the
 > qmail queue and clean it manually, without actually getting into the
 > queue directory and deleting the files manually?

You worry too much.  Qmail doesn't need any queue management.  What
problem are you trying to solve?

-- 
-russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
Crynwr sells support for free software  | PGPok | Microsoft rivets everything.
521 Pleasant Valley Rd. | +1 315 268 1925 voice | Linux has some loose screws.
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX  | You own a screwdriver.



Re: two question about qmail

2001-06-02 Thread Andrea Cerrito

Hi.

> 1, How to setup qmail with ESMTP, each time a client wanna use
> smtp server,
>  smtp server ask him pop3 user&pass to check if right. and only allow mail
>  from is that user's mail can be sent.

You can patch qmail with authentication for qmail-smtp, or instead you can
allow relay just after a pop3 authentication (using a vpopmail function or an
external package, called relay-ctrl).

You can find them on the qmail home page.

> 2, Can I count how many mails one day the qmail processed?
> (received & send)
>   Did this need another tools and where can I find them?

You can use mrtg + qmail-mrtg. You can find more info here
https://mail.socha.net/stats/ (and on the qmail homepage, of course).
---
Cordiali saluti / Best regards
Andrea Cerrito
^^
Net.Admin @ Centro MultiMediale di Terni S.p.A.
P.zzale Bosco 3A
05100 Terni IT
Tel. +39 744 5441330
Fax. +39 744 5441372




qmail Digest 2 Jun 2001 10:00:01 -0000 Issue 1383

2001-06-02 Thread qmail-digest-help


qmail Digest 2 Jun 2001 10:00:01 -0000 Issue 1383

Topics (messages 63304 through 63368):

Re: Hy
63304 by: David
63306 by: hari_bhr

Summary: locals question
63305 by: MMP Wolfgang Rupp

virtual users? aliases? what do I need?
63307 by: Nate Pinchot
63309 by: tom
63313 by: Dave Sill

Features
63308 by: GARGIULO Eduardo   INGDESI
63311 by: Dave Sill
63312 by: Andrea Cerrito
63318 by: tom

Re: Limiting bandwidth usage
63310 by: Dave Sill
63319 by: Karsten W. Rohrbach

dot qmail problem 
63314 by: Lye On Siong Johnny
63316 by: Henning Brauer
63317 by: Lye On Siong Johnny
63324 by: Henning Brauer
63326 by: Ahmad Ridha
6 by: Lye On Siong Johnny

Re: qmail-popbull used w/ imap
63315 by: Russell Nelson
63338 by: Scott Gifford
63340 by: michael
63343 by: Antonio S. Martins Jr.

Re: recipient limit for qmail-inject?
63320 by: Charles Cazabon

Re: the same username and different of domain qustion?
63321 by: Charles Cazabon

Re: disclaimer at end of outgoing msg
63322 by: Charles Cazabon

Outlook Express and qmail
63323 by: Greg Harper

Quick tcpserver question
63325 by: Gordon-Nildram
63328 by: Peter van Dijk
63329 by: Kurth Bemis
63330 by: Andrea Cerrito
63331 by: Russell Nelson

Netscape Messenger Configuration
63327 by: Lye On Siong Johnny
63335 by: Charles Cazabon
63357 by: Nick (Keith) Fish

Re: Quick tcpserver question - Thanks
63332 by: Gordon-Nildram

Question about supervise and tcpserver behaviour
63334 by: Renato
63339 by: Charles Cazabon
63341 by: Renato
63345 by: Charles Cazabon

Re: smtp on a specific IP
63336 by: Ross Davis - Data Anywhere
63342 by: Greg White
63344 by: Kourosh Ghassemieh

Oops,I guess Sendmail wasn't secure after all...
63337 by: Dave Sill
63346 by: Aaron L. Meehan
63360 by: Boris
63361 by: Mark Delany
63362 by: Russell Nelson
63364 by: List Monkey

MailDir stopped working
63347 by: Robert Schmid
63348 by: Charles Cazabon
63349 by: Robert Schmid
63351 by: Charles Cazabon
63353 by: Tim Hunter
63359 by: Robert Schmid
63366 by: Adrian Ho

qmail-qfilter logging?
63350 by: Jon Rust

headers in failure notice
63352 by: John Hogan
63354 by: Charles Cazabon
63355 by: Russell Nelson
63356 by: John Hogan

host masquerading / qmail-remote problems
63358 by: Phil Schwartz

two question about qmail
63363 by: David

Re: /var partition, queue size, and sendmail
63365 by: Todd A. Jacobs

masquarading and qmail-smtpd
63367 by: arjen.3va.net

Enquiry
63368 by: Rohit Gupta

Administrivia:

To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]

To subscribe to the digest, e-mail:
[EMAIL PROTECTED]

To bug my human owner, e-mail:
[EMAIL PROTECTED]

To post to the list, e-mail:
[EMAIL PROTECTED]


--



Dear marco1,

  1, here http://www.inter7.com/qmailadmin/ is a web based interface to create
  users/aliases/forward ...
  you should install vpopmail for qmail first, vpopmail can be located at
  http://www.inter7.com/vpopmail/
  Http://www.inter7.com/vqadmin/ is a web based interface to create virtual
  domains in qmail
  you need to install vpopmail first too.
  2,  If you wanna get your mail to your local machine via pop3, you will need
  one software like outlook express.
  3,  Here (http://www.inter7.com/sqwebmail/) is a free webmail program, but it
  needs vpopmail too.

  I use qmail+vpopmail+mysql, so all my suggestions are with vpopmail.



Sincerely yours,
David Ge <[EMAIL PROTECTED]>
Room 604, No. 168, Qinzhou Road, Shanghai.
Phone: (021)34140621-12
2001-06-01 18:00:52

On 2001-06-01 11:50:00 you wrote:
>Hy, I'm a new user of Qmail and Linux so I need some basic information, I'm sorry for
>my ignorance :-)
>
>1) Is there some free GUI or Web interface for administering Qmail?
>2) Do I need client software, or is all I need something like outlook express?
>3) Is it possible to read e-mail directly on the server with a common web browser?







better you download plesk, it's free for one domain
- Original Message -
From: David <[EMAIL PROTECTED]>
To: marco1 <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, June 01, 2001 3:30 PM
Subject: Re: Hy


Dear marco1,

  1, here http://www.inter7.com/qmailadmin/ is web based interface to
create users/aliases/forward ...
  you should install vpopmail for qmail first, vpopmail can be located
at http://www.inter7.com/vpopmail/
  Http://www.inter7.com/vqadmin/ is a web based interface to create
virtual domains in qmail
  

Enquiry

2001-06-02 Thread Rohit Gupta



Hi all guruz
 
Is there any way, without using vpopmail, that
I can analyse the qmail queue and clean it manually, without actually getting into
the queue directory and deleting the files manually?
rgds
Rohit


masquarading and qmail-smtpd

2001-06-02 Thread arjen


Hi,

I wanna masquerade hosts that send mail using qmail-smtpd
from my internal net.

control/defaulthost doesn't work 'cos for qmail-inject
QMAILSHOST to my environment doesn't work

adding the env in my tcpserver cdb file like

172.16.3.:allow,RELAYCLIENT="",QMAILSHOST="trivial.3va.net"

does not work either. Is there a way?

Thnx.


Grtz, 

Arjen.





RE: MailDir stopped working

2001-06-02 Thread Adrian Ho

On Fri, 1 Jun 2001, Robert Schmid wrote:

> So, why am I no longer able to access Mailboxes without symlinks?

First remove one symlink (say, yours).  Then send yourself some test mail,
and manually check your Mailbox file.  If it's in there, then your POP
daemon config is broken, as Tim Hunter suggested.

If not, then something's probably changed with your qmail setup, in which
case the output of qmail-showctl is a first step towards solving your
problem.

-- 
Adrian Ho   [EMAIL PROTECTED]