Re: [toaster] qmail-smtpd-auth-secure integration?

2007-11-14 Thread Ingo Claro


tonix (Antonio Nati) wrote:

Ingo Claro ha scritto:

Hello list:

has anyone integrated this patch:
http://www.camscape.ro/opensource/qmail-smtpd-auth-secure.htm

chkuser already has such a feature, enabled by 
*CHKUSER_EXTRA_MUSTAUTH_VARIABLE*.

How different is what you point to from this feature?

Tonino:
this part:
Furthermore, it only allows messages which have the same MAIL FROM: and 
SMTP AUTH user, to avoid sender misrepresentation.





  


Re: [toaster] qmail-smtpd-auth-secure integration?

2007-11-14 Thread tonix (Antonio Nati)

Tonino:
this part:
Furthermore, it only allows messages which have the same MAIL FROM: 
and SMTP AUTH user, to avoid sender misrepresentation.


What about NULL senders? Are they allowed? A read receipt has a null sender 
address.


Tonino

--

   [EMAIL PROTECTED]Interazioni di Antonio Nati 
  http://www.interazioni.it  [EMAIL PROTECTED]   





Re: [toaster] qmail-smtpd-auth-secure integration?

2007-11-14 Thread Ingo Claro


tonix (Antonio Nati) wrote:

Ingo Claro ha scritto:


tonix (Antonio Nati) wrote:

Ingo Claro ha scritto:

Hello list:

has anyone integrared this patch:
http://www.camscape.ro/opensource/qmail-smtpd-auth-secure.htm

chkuser already has such feature, enabled by 
*CHKUSER_EXTRA_MUSTAUTH_VARIABLE.*

How much is different what you point from this feature?

Tonino:
this part:
Further more it only allows messages which have the same MAIL FROM: 
and SMTP AUTH user to avoid sender misrepresentation.


What about NULL senders? Are they allowed? A read receipt has a null sender 
address.

good point, I didn't know that. I looked at the code and this is the check:
if (authd && strcmp(addr.s,user.s)) { err_authmismatch(); return; }

so it doesn't consider the null senders (unless they are sent without auth)

I think the patch is a good idea, but don't know for the moment how to 
fix the null sender part.


regards,
Ingo.-


Re: [toaster] qmail-smtpd-auth-secure integration?

2007-11-14 Thread tonix (Antonio Nati)

Ingo Claro ha scritto:


good point, I didn't know that. I looked at the code and this is the 
check:

if (authd && strcmp(addr.s,user.s)) { err_authmismatch(); return; }

so it doesn't consider the null senders (unless they are sent without 
auth)


I think the patch is a good idea, but don't know for the moment how to 
fix the null sender part.
This is the reason for which I did not put this check inside chkuser. If 
you stop NULL senders, you block users' normal activity when sending 
receipts. If you don't, the check is useless for smart users. Not to 
mention using a reply to: different from the return to: different 
from the mail from.
Anyway, as auth always puts the real authenticated sender inside the 
mail headers, personally I don't see this as a huge problem.


Regards,

Tonino


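The check quoted in this thread, reworked as an added example that treats the null sender the way the discussion above asks for. This is not code from the qmail-smtpd-auth-secure patch, from chkuser or from either poster; original_check_rejects, check_mailfrom, eq_nocase and the verdict names are hypothetical, and the sessions in main() are constructed.

```c
/* Added example: the MAIL FROM / SMTP AUTH consistency check discussed in
 * this thread, with the null sender handled explicitly.  Not the
 * qmail-smtpd-auth-secure patch's code or chkuser's; the function, type
 * and verdict names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum mailfrom_verdict {
    MF_ACCEPT_UNAUTH   = 0,  /* session did not authenticate: the check does not apply */
    MF_ACCEPT_MATCH    = 1,  /* MAIL FROM matches the authenticated login */
    MF_ACCEPT_NULL     = 2,  /* MAIL FROM:<> from an authenticated user (bounces, read receipts) */
    MF_REJECT_MISMATCH = 3   /* authenticated login differs from MAIL FROM */
};

/* Case-insensitive equality (avoids the POSIX-only strcasecmp). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* The check as quoted in the thread: reject whenever an authenticated
 * session's MAIL FROM differs byte-for-byte from the login name.  With
 * addr == "" (the null sender) this always rejects, which is the problem
 * raised above. */
int original_check_rejects(int authd, const char *addr, const char *user)
{
    return authd && strcmp(addr, user) != 0;
}

/* Variant that exempts the null sender (reported as its own verdict so the
 * server can log it) and compares the rest case-insensitively, since
 * mailbox logins are usually typed in mixed case.  Local parts are formally
 * case-sensitive, so the case folding is a lenient choice. */
enum mailfrom_verdict check_mailfrom(int authd, const char *addr, const char *user)
{
    if (!authd) return MF_ACCEPT_UNAUTH;
    if (addr[0] == '\0') return MF_ACCEPT_NULL;
    if (eq_nocase(addr, user)) return MF_ACCEPT_MATCH;
    return MF_REJECT_MISMATCH;
}

int main(void)
{
    /* constructed sample sessions: login name, MAIL FROM address, authenticated? */
    struct { const char *user, *addr; int authd; } s[] = {
        { "user@example.com", "user@example.com", 1 },
        { "user@example.com", "",                 1 },  /* read receipt from a logged-in client */
        { "user@example.com", "boss@example.com", 1 },
        { "",                 "boss@example.com", 0 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("authd=%d from=<%s> user=%s: original rejects=%d, verdict=%d\n",
               s[i].authd, s[i].addr, s[i].user,
               original_check_rejects(s[i].authd, s[i].addr, s[i].user),
               (int)check_mailfrom(s[i].authd, s[i].addr, s[i].user));
    return 0;
}
```

The separate MF_ACCEPT_NULL verdict is the point: receipts and bounces from authenticated clients get through, while the server can still count how often a given login uses an empty envelope sender, which is the gap the reply above says remains.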





Re: [toaster] qmail-smtpd-auth-secure integration?

2007-11-14 Thread Ingo Claro



tonix (Antonio Nati) wrote:

[snip]


This is the reason for which I did not put this check inside chkuser. 
If you stop NULL senders, you block users' normal activity when sending 
receipts. If you don't, the check is useless for smart users. Not to 
mention using a reply to: different from the return to: different 
from the mail from.
Anyway, as auth always puts the real authenticated sender inside the 
mail headers, personally I don't see this as a huge problem.



bummer :(

thanks for the explanation.




regards,
Ingo.-





RE: [toaster] domainkeys ???

2007-11-14 Thread aron
Ok I'm trying to get this simscan installed.


[EMAIL PROTECTED] simscan-1.3.1.shupp2]# ./configure --enable-user=clamav --enable-clamav=y --enable-spam=y --enable-spam-passthru=y --enable-per-domain=y --enable-ripmime --enable-attach=y --enable-received=y --enable-clamdscan=/usr/local/bin/clamscan --enable-qmail-queue=/var/qmail/bin/qmail-dk
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking dependency style of gcc... none
checking for strsep... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking dependency style of gcc... (cached) none
checking whether the clamav user exists... no
configure: error: could not find the clamav user.  Please add the clamav user and try again.
[EMAIL PROTECTED] simscan-1.3.1.shupp2]# ./configure --enable-spam=y --enable-spam-passthru=y --enable-per-domain=y --enable-ripmime --enable-attach=y --enable-received=y --enable-clamdscan=/usr/local/bin/clamscan --enable-qmail-queue=/var/qmail/bin/qmail-dk
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking for style of include used by make... GNU
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ANSI C... none needed
checking dependency style of gcc... none
checking for strsep... yes
checking for gcc... (cached) gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether gcc accepts -g... (cached) yes
checking for gcc option to accept ANSI C... (cached) none needed
checking dependency style of gcc... (cached) none
checking whether the simscan user exists... no
configure: error: could not find the simscan user.  Please add the simscan
user and try again.
[EMAIL PROTECTED] simscan-1.3.1.shupp2]#


the first time, I realise it's because clam isn't installed (I didn't
install it, didn't want it installed). The second time I removed the clam
bit, and now I get a simscan user error.

or can I say install clamav and not use it...

Cheers   



   Aron Palmer - Domains Administrator - Conetix Premier Web Solution
Provider
  PO BOX 742 Ipswich Queensland Australia 4305
B 1300 789 260 1300 789 261   
  INT+(617) 345 46700 +(617) [EMAIL PROTECTED] 
  http://www.conetix.com.au


DISCLAIMER 

Communications through Conetix e-mail systems may be monitored to secure
effective system operation and for other lawful purposes. This communication
is to be treated as confidential and the content may not be used or
disclosed except for the purpose for which it has been sent. No liability is
accepted for damage caused in the transmission of this email.If you have
reason to believe that you are not the intended recipient of this
communication, please contact sender immediately.

-Original Message-
From: aron [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 12, 2007 11:41 AM
To: toaster@shupp.org
Subject: RE: [toaster] domainkeys ???

Sorry.

just reading the other tutorial.. I have to configure it again to get domain
keys to work.

http://www.sangprabv.web.id/articles/article.php?aid=Mg==

Reconfigure simscan
#cd /var/src/simscan-1.3.1.shupp2/
#./configure --enable-user=clamav --enable-clamav=y --enable-spam=y --enable-spam-passthru=y --enable-per-domain=y --enable-ripmime --enable-attach=y --enable-received=y --enable-clamdscan=/usr/local/bin/clamscan --enable-qmail-queue=/var/qmail/bin/qmail-dk
make and install your simscan

so if I haven’t installed clam do I just leave the clam bits out, don’t want
to scan for spam or virus, just want to have emails signed if they come from
a specific ip..


Cheers   




RE: [toaster] domainkeys ???

2007-11-14 Thread [EMAIL PROTECTED]
Hi Aron,
Here I give you working steps to get domainkeys running without simscan,
clamav and spamassassin on your Qmail. I assume you use Bill's Linux Qmail
Toaster v.0.9.2 and Jurgen Kendzorra's patch. Go to
http://www.sangprabv.web.id/articles/article.php?aid=Mg== and skip the
simscan rebuild part. 
Please remember that Jurgen's patch hardcodes the DKSIGN part in
vpopmail.c and qmail-smtpd.c, so we don't add it to tcp.smtp.
Add QMAILQUEUE=/var/qmail/bin/qmail-dk in your tcp.smtp. 
Be sure to do qmailctl cdb.
And make sure that your DNS entry is working; you can test your DNS
setting by using 
http://domainkeys.sourceforge.net/policycheck.html 
It should return something like this:
Testing sangprabv.web.id
Policy TXT=t=y; o=~
This policy record appears valid.

http://domainkeys.sourceforge.net/selectorcheck.html
It should return something like this:
default._domainkey.sangprabv.web.id
TXT Record length = 225
k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTdJLFppq+L+RjUvGPhm4DZG2S+EFIYjQ
...MWLfabDpBEBbQiz2p4/BuM2/6F6/52K2xs0YQRiZN05n287VUNVvSEBomkEbYNykHpL0gbDELkUgL2Q8
...3amo5xUA0cmrk+XGqyrOQOPNMXhUoElJsrBvRli9R0xyR4bCYNeLxzOXVKwIDAQAB
This selector appears valid.

Without these correct DNS settings, your domainkeys will never work. Good
luck :)

Regards,


Willy
-- 
www.sangprabv.web.id
www.binbit.co.id



RE: [toaster] domainkeys ???

2007-11-14 Thread aron
Hi Willy.

really appreciate your help.

ok I went to

http://domainkeys.sourceforge.net/policycheck.html

and this is the result

Testing conetix.com.au
New test
Policy TXT=t=y; o=-; [EMAIL PROTECTED];

This policy record appears valid.

Tag  Value               Explanation
o    -                   Domain signs *ALL* email
r    [EMAIL PROTECTED]   Domain has a reporting address for invalid verification results
t    y                   Domain is in test mode

then here

http://domainkeys.sourceforge.net/selectorcheck.html

default._domainkey.conetix.com.au
New test
TXT Record length = 225

k=rsa;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3IjECZJmRBqlBS2aJ95jV2Xa5qfvKZri
...JJi+/pmnKJIx5lwnnWjd+LScaqb2r3NKeHTMTTANzNBcPIOQeegePPwzQsHLe9OtHNGAy1DtpnEf8hqT
...QS5eb+3EiHh/ucZtZVJ2QEGkZCH2EXT2wL45o/QK5i7HoR6i8gjBrE90xowIDAQAB

This selector appears valid.

Tag  Value                                                     Explanation
k    rsa                                                       The public key algorithm used to verify the signature
p    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3IjECZJmRBqlBS2aJ...   Modulus Size=1024, Exponent=65537


this is all I have in my tcp.smtp line now.

202.74.0.0:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/qmail-dk

but now on the server the mail tester just hangs, the mail doesn't even get
to the server. It's like it's stuck in qmail-dk.

if I change it to

202.74.0.0:allow,RELAYCLIENT=,QMAILQUEUE=/var/qmail/bin/qmail-queue

it goes through, but doesn't get signed... (testing in yahoo)

Return-Path: [EMAIL PROTECTED] 
Authentication-Results: mta167.mail.re3.yahoo.com from=conetix.com.au;
domainkeys=neutral (no sig)


Cheers   






No virus found in this incoming message.
Checked by AVG Free Edition. 
Version: 7.5.503 / Virus Database: 269.15.32/1131 - Release Date: 11/14/2007
4:54 PM
 

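As an added example, not the policycheck or selectorcheck tools themselves and not code from the toaster, from Jurgen's patch or from any poster: a small C parser for the tag=value records that those check pages display, so the o=, t=, k= and p= tags of a policy or selector record can be interpreted locally before relying on the web tools. The function and type names (dk_parse, dk_get, dk_txt_signs_all and the rest) are hypothetical and the sample records in main() are constructed; the reporting address in them is a placeholder.

```c
/* Added example: parser for DomainKeys policy (_domainkey TXT) and selector
 * (<selector>._domainkey TXT) records of the form "t=y; o=-; r=addr" and
 * "k=rsa; p=<base64>", as shown by the policy and selector check pages.
 * Not code from the toaster, the check tools or the posters; names are
 * hypothetical and the sample records are constructed. */
#include <stdio.h>
#include <string.h>

#define DK_MAX_TAGS  8
#define DK_NAME_LEN  8
#define DK_VALUE_LEN 512

struct dk_tag    { char name[DK_NAME_LEN]; char value[DK_VALUE_LEN]; };
struct dk_record { int n; struct dk_tag tags[DK_MAX_TAGS]; };

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Split a record on ';' into name=value tags, trimming blanks on both sides.
 * Returns the number of tags, or -1 if a tag has no '=', an empty name, or
 * the record does not fit the fixed-size buffers. */
int dk_parse(const char *txt, struct dk_record *rec)
{
    const char *cur = txt;
    rec->n = 0;
    for (;;) {
        cur = skip_ws(cur);
        if (*cur == '\0') break;
        const char *end = strchr(cur, ';');
        size_t len = end ? (size_t)(end - cur) : strlen(cur);
        const char *eq = memchr(cur, '=', len);
        if (!eq || rec->n == DK_MAX_TAGS) return -1;

        size_t nlen = (size_t)(eq - cur);
        while (nlen && (cur[nlen - 1] == ' ' || cur[nlen - 1] == '\t')) nlen--;
        const char *val = skip_ws(eq + 1);           /* stops at ';' or end of string */
        size_t vlen = (size_t)(cur + len - val);
        while (vlen && (val[vlen - 1] == ' ' || val[vlen - 1] == '\t')) vlen--;
        if (nlen == 0 || nlen >= DK_NAME_LEN || vlen >= DK_VALUE_LEN) return -1;

        struct dk_tag *t = &rec->tags[rec->n++];
        memcpy(t->name, cur, nlen);  t->name[nlen] = '\0';
        memcpy(t->value, val, vlen); t->value[vlen] = '\0';
        cur = end ? end + 1 : cur + len;
    }
    return rec->n;
}

/* Value of a tag, or NULL when the record does not carry it. */
const char *dk_get(const struct dk_record *rec, const char *name)
{
    for (int i = 0; i < rec->n; i++)
        if (strcmp(rec->tags[i].name, name) == 0) return rec->tags[i].value;
    return NULL;
}

/* Policy record: o=- means the domain signs all its mail, o=~ (or no o tag)
 * means only some mail is signed; t=y marks test mode, in which verifiers
 * are asked not to treat a failed verification as a reason to reject.
 * Each helper returns 1 or 0, or -1 when the record does not parse. */
int dk_txt_signs_all(const char *txt)
{
    struct dk_record rec;
    if (dk_parse(txt, &rec) < 0) return -1;
    const char *o = dk_get(&rec, "o");
    return o != NULL && strcmp(o, "-") == 0;
}

int dk_txt_testing(const char *txt)
{
    struct dk_record rec;
    if (dk_parse(txt, &rec) < 0) return -1;
    const char *t = dk_get(&rec, "t");
    return t != NULL && strcmp(t, "y") == 0;
}

/* Selector record: k must be rsa when present, and p must be present and
 * non-empty (an empty p= publishes a revoked key, which never verifies). */
int dk_txt_selector_usable(const char *txt)
{
    struct dk_record rec;
    if (dk_parse(txt, &rec) < 0) return -1;
    const char *k = dk_get(&rec, "k");
    const char *p = dk_get(&rec, "p");
    if (k != NULL && strcmp(k, "rsa") != 0) return 0;
    return p != NULL && p[0] != '\0';
}

int dk_txt_tag_count(const char *txt)
{
    struct dk_record rec;
    return dk_parse(txt, &rec);
}

int main(void)
{
    /* constructed sample records, shaped like the check results in the thread */
    const char *policy   = "t=y; o=-; r=postmaster@example.com;";
    const char *selector = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3IjEC";
    printf("policy: signs all=%d testing=%d\n", dk_txt_signs_all(policy), dk_txt_testing(policy));
    printf("selector: usable=%d\n", dk_txt_selector_usable(selector));
    return 0;
}
```

Feed it the TXT string exactly as your DNS returns it (quotes removed); a -1 from any helper means the record is malformed, which is worth ruling out before looking at qmail-dk itself.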



RE: [toaster] domainkeys ???

2007-11-14 Thread [EMAIL PROTECTED]
Hi Aron,
Yes, it's correct for qmail-smtpd.c, but have you patched vpopmail.c also?

Regards,


Willy
-- 
www.sangprabv.web.id
www.binbit.co.id



RE: [toaster] domainkeys ???

2007-11-14 Thread aron
Hi Willy

Yeah, I've done the same with vpopmail.c, here:


  /* original open-smtp line, before the DKSIGN addition: */
  /* fprintf( fs_tmp_file, "%s:allow,RELAYCLIENT=\"\",RBLSMTPD=\"\"\t%d\n", ipaddr, (int)mytime); */
  /* patched line: qmail-dk treats % in DKSIGN as a placeholder for the sender's
   * domain, and a literal % inside a printf format must be written as %% */
  fprintf( fs_tmp_file, "%s:allow,RELAYCLIENT=,RBLSMTPD=,"
           "DKSIGN=/var/qmail/control/domainkeys/%%/default\t%d\n",
           ipaddr, (int)mytime);
  fclose(fs_cur_file);
  fclose(fs_tmp_file);

  /* rename the open-smtp.tmp to be open-smtp */
  rename(open_smtp_tmp_filename, OPEN_SMTP_CUR_FILE);



also here are some interesting tests.


from the server 202.74.0.0

if I send from [EMAIL PROTECTED] the mail doesn't go through, it gets
stuck. I'm assuming at qmail-dk. But if I send the same email from
[EMAIL PROTECTED] (which isn't set up for domain keys, but is still coming
from the same server) it does go through, I get the email (both going to my
yahoo.com email address).. so is there something wrong with qmail-dk and
the way it needs to write the domain key headers to the email?

in case something got stuffed up when making the key, I deleted it and
recreated it again

DNS Part
You need to generate a RSA key pair
#cd /var/qmail/control
#mkdir -p domainkeys/your.domain.tld
#cd domainkeys/your.domain.tld
#dknewkey default 1024 > default.pub
#vi default.pub
I assume you use BIND DNS and by default the file will look like this:
default._domainkey IN TXT "k=rsa; p=MIGf...IDAQAB"
you need to add your.domain.tld. next to default._domainkey.
so it will look like this: default._domainkey.your.domain.tld.
#cd ..
#chown -Rf root.vchkpw your.domain.tld
#chmod 750 your.domain.tld
#chmod 640 your.domain.tld/*

but still no go.


Cheers   




