Re: compile troubles

2001-09-04 Thread Vladimir Kabanov

Bill, hello!

 gcc -I. -Icdb  -g -O2 -Wall -c vpopmail.c
 In file included from /usr/include/sys/wait.h:79,
  from vpopmail.c:30:
 /usr/include/bits/waitstatus.h:78: duplicate member `__w_retcode'
 /usr/include/bits/waitstatus.h:79: duplicate member `__w_coredump'
 /usr/include/bits/waitstatus.h:80: duplicate member `__w_termsig'
 /usr/include/bits/waitstatus.h:92: duplicate member `__w_stopsig'
 /usr/include/bits/waitstatus.h:93: duplicate member `__w_stopval'
 In file included from functions.c:4,
  from vpopmail.c:42:
 sha1.c: In function `SHA1_Transform':
 sha1.c:290: `q' undeclared (first use in this function)
 sha1.c:290: (Each undeclared identifier is reported only once
 sha1.c:290: for each function it appears in.)
 sha1.c:291: `i' undeclared (first use in this function)
 make[2]: *** [vpopmail.o] Error 1
 make[2]: Leaving directory `/var/src/vlad/vpop.4.10.30'
 make[1]: *** [all-recursive] Error 1
 make[1]: Leaving directory `/var/src/vlad/vpop.4.10.30'
 make: *** [all-recursive-am] Error 2
 
 
 This is a RH Linux 7.1 system with gcc version 2.96 2731 (Red Hat Linux
 7.1 2.96-81)


Thank you very much, you leave me a hope to participate in the project.
I guess all of these errors are caused by only one file, endian.h.
I'm using FreeBSD, and just took this from /usr/include/machine (as used in the original 
sha1.c -- no more corrections done).

About Qmail -- my corrections are based on the cumulative patch found at 
http://matt.simerson.net/computing/qmail.toaster.shtml (I wish to say Big Thanks to 
Matt for that toaster).
Of course there were also stylistic corrections. It was almost impossible to look at and 
understand anything while looking at that horrible-styled code. So I formatted the modified 
modules to my own taste. I guess it's OK.
Meaningful modifications were done only for two modules, qmail-popup.c and qmail-smtpd.c, 
to provide sending of an additional zero-divided control byte to the vchkpw module (to 
know which module is asking for authentication and which schema was used).


For vpopmail: 
as I said, the work is based on version 4.10.30; all corrections were made by myself: applying 
new auth schemas, modifying logging and so on. Of course stylistic corrections also 
took place.
I wrote some additional functions placed in functions.c.  Excepting HMAC_MD5, I just 
copied there a text I found on the Net.
The base64-related functions were adopted from the base64 package found in the ports collection 
(Author John Walker, http://www.fourmilab.ch/).
It is possible to use SHA-1 after installing   just not sure...  mcrypt maybe?  
(libmd,  -lmd)

Bill, what else should be said to continue integration?
I have a little entreaty: give a hint how to use quotas cooperatively with 
Courier-IMAP quotas,
I'm ready to do these corrections too.

Vladimir Kabanov.



RE: No user found (4.9.10)

2001-09-04 Thread Shawn Delano

Ok, I feel like a fool now. While browsing through some archives, my eyes
caught the tcpserver command which used -u and -g of vpopmail/vchkpw, and it
sparked a thought. Lo and behold, when I copied over my rc file from the
old server to the new server, I forgot to change the uid/gid that tcpserver
used, and the vpopmail/vchkpw uid/gid are different on the new server.

I feel that this is going to be solved by a very simple fix... - turned
out to be true.

Shawn





Re[2]: finished vaddaliasdomain() patch

2001-09-04 Thread Gabriel Ambuehl

Hello Bill,

Monday, September 03, 2001, 9:35:39 PM, you wrote:

 This now works properly, except for the fact that vget_assign
 (which many of the vpopmail tools rely on) no longer know about
 this domain.  Vuserinfo and vmoduser, for example, can't find the
 user.  Unless you (or someone else) plan to make some major changes
 in vpopmail to accommodate this, I recommend that your previous
 patch (that only removes the sym links) is the one to integrate
 into vpopmail.


IMNSHO, the user tools should NOT operate on user@aliasdomain anyway
cause an aliasdomain is an aliasdomain and nothing more, the user is
user@masterdomain and thus one should work only on the masterdomain.

I could, of course, patch vget_assign() to call get_domain_type()
first and in case of an aliasdomain simply return dir, uid, gid of
the masterdomain, thoughts?



Best regards,
 Gabriel






vpopmail-5.0pre1

2001-09-04 Thread Ken Jones

Hi Folks,

The summer is over (here in the US) and it's time we have a new
vpopmail-5.0 release to start the year out right.

I do not want to add in any new features which require a new
round of testing. Any new features can be added to 5.1 (devel version)
and later released as a production version 5.2.

So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.

The two features I would like to put in the 5.1 devel version
are Vlad's new auth code for
pop3 capa
pop3 auth login  cram-md5
smtp auth login  cram-md5
pop3 APOP.

And Enar's vaddaliasdomain code.

What do you folks think?

Ken Jones






Re: vpopmail-5.0pre1

2001-09-04 Thread Einar Bordewich

- Original Message -
From: Ken Jones [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, September 04, 2001 5:42 PM
Subject: vpopmail-5.0pre1


 Hi Folks,

 The summer is over (here in the US) and it's time we have a new
 vpopmail-5.0 release to start the year out right.

 I do not want to add in any new features which require a new
 round of testing. Any new features can be added to 5.1 (devel version)
 and later released as a production version 5.2.

 So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.

 The two features I would like to put in the 5.1 devel version
 are Vlad's new auth code for
 pop3 capa
 pop3 auth login  cram-md5
 smtp auth login  cram-md5
 pop3 APOP.

 And Enar's vaddaliasdomain code.

Ken,
I'm willing to take the credit for pushing through the handling of
virtualdomains, but please give Gabriel credit for the actual and nice
coding ;-)

Sounds like a plan.
--

IDG New Media        Einar Bordewich
Development Manager  Phone: +47 2336 1420
E-Mail:  eibo(at)newmedia.no
Lat: 59.91144 N  Lon: 10.76097 E






Re: vpopmail-5.0pre1

2001-09-04 Thread Vladimir Kabanov

 Hi Folks,

 The summer is over (here in the US) and it's time we have a new
 vpopmail-5.0 release to start the year out right.

 I do not want to add in any new features which require a new
 round of testing. Any new features can be added to 5.1 (devel version)
 and later released as a production version 5.2.

 So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.

 The two features I would like to put in the 5.1 devel version
 are Vlad's new auth code for
 pop3 capa
 pop3 auth login  cram-md5
 smtp auth login  cram-md5
 pop3 APOP.

 And Enar's vaddaliasdomain code.

 What do you folks think?

 Ken Jones



Ken, sounds fine!

But what about an alternative way of storing password hashes, I mean SHA-1 (I
guess almost all LDIF exports use this format)?
And SMTP-blocking for certain users?
These features are already done too  :))

Best wishes!
Vladimir Kabanov.




Re: vpopmail-5.0pre1

2001-09-04 Thread sec

Hello,

It will be great if you will add spam blocking for certain users.

I mean black-lists for certain users.



  

-- 
Best regards,
 Yuri  mailto:[EMAIL PROTECTED]




Re: vpopmail-5.0pre1

2001-09-04 Thread Ken Jones

On Tue, 2001-09-04 at 11:31, Vladimir Kabanov wrote:
  Hi Folks,
 
  The summer is over (here in the US) and it's time we have a new
  vpopmail-5.0 release to start the year out right.
 
  I do not want to add in any new features which require a new
  round of testing. Any new features can be added to 5.1 (devel version)
  and later released as a production version 5.2.
 
  So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.
 
  The two features I would like to put in the 5.1 devel version
  are Vlad's new auth code for
  pop3 capa
  pop3 auth login  cram-md5
  smtp auth login  cram-md5
  pop3 APOP.
 
 
  What do you folks think?
 
  Ken Jones
 
 
 
 Ken, sounds fine!
 
 but what about alternative way of password hashes storing, I mean SHA-1 (i
 guess almost all LDIF exports use this format)?
 and SMTP-blocking for certain users?
 these features already done too  :))

That sounds like a good feature too.

Ken





Re: Re[2]: finished vaddaliasdomain() patch

2001-09-04 Thread Bill Shupp

on 9/4/01 10:20 AM, Gabriel Ambuehl at [EMAIL PROTECTED] spake:


 IMNSHO, the user tools should NOT operate on user@aliasdomain anyway
 cause an aliasdomain is an aliasdomain and nothing more, the user is
 user@masterdomain and thus one should work only on the masterdomain.

Sounds like I'm in the minority!

 I could, of course, patch vget_assign() to call get_domain_type()
 first and in case of an aliasdomain simply return dir, uid, gid of
 the masterdomain, thoughts?

Nah, if people feel strongly that alias domains should not be treated as
real accounts, then it's probably best to leave things as they are.

Cheers,

Bill




Re: vpopmail-5.0pre1

2001-09-04 Thread Ken Jones

On Tue, 2001-09-04 at 11:55, sec wrote:
 Hello ,
 
 It will be great if you will add spam blocking for certain users.
 
 I mean black-lists for certain users.
 

We are working on a new filtering project,
http://www.inter7.com/eps/
That should be the building block for
filtering on a site/domain and user basis.

Ken





Re: vpopmail-5.0pre1

2001-09-04 Thread Ken Jones

On Tue, 2001-09-04 at 11:07, Einar Bordewich wrote:
 - Original Message -
 From: Ken Jones [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, September 04, 2001 5:42 PM
 Subject: vpopmail-5.0pre1
 
 
  Hi Folks,
 
  The summer is over (here in the US) and it's time we have a new
  vpopmail-5.0 release to start the year out right.
 
  I do not want to add in any new features which require a new
  round of testing. Any new features can be added to 5.1 (devel version)
  and later released as a production version 5.2.
 
  So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.
 
  The two features I would like to put in the 5.1 devel version
  are Vlad's new auth code for
  pop3 capa
  pop3 auth login  cram-md5
  smtp auth login  cram-md5
  pop3 APOP.
 
  And Enar's vaddaliasdomain code.
 
 Ken,
 I'm willing to take the credit for pushing through the handling of
 virtualdomains, but please give Gabriel credit for the actual and nice
 coding ;-)

Hehe, Sorry about that. 

Ken





Re: vpopmail-5.0pre1

2001-09-04 Thread Bill Shupp

on 9/4/01 12:08 PM, Ken Jones at [EMAIL PROTECTED] spake:

 On Tue, 2001-09-04 at 11:31, Vladimir Kabanov wrote:
 Hi Folks,
 
 The summer is over (here in the US) and it's time we have a new
 vpopmail-5.0 release to start the year out right.
 
 I do not want to add in any new features which require a new
 round of testing. Any new features can be added to 5.1 (devel version)
 and later released as a production version 5.2.
 
 So I would like to release vpopmail-4.10.36 as vpopmail-5.0pre1.
 
 The two features I would like to put in the 5.1 devel version
 are Vlad's new auth code for
 pop3 capa
 pop3 auth login  cram-md5
 smtp auth login  cram-md5
 pop3 APOP.
 
 
 What do you folks think?

Sounds like a good plan to me.

What's up with qmailadmin?

 and SMTP-blocking for certain users?
 these features already done too  :))
 
 That sounds like a good feature too.

SMTP blocking (via vmoduser) is something I wouldn't mind seeing in 5.0..  I
just implemented smtp auth in production, and could use that sooner than
later.  ; )   If I get time today, I'll try to extract those changes from
Vladimir's code and submit it as a patch to 5.0pre1.

Cheers,

Bill Shupp




Re: Re[2]: finished vaddaliasdomain() patch

2001-09-04 Thread Richard A. Secor

Will there at least be something like:

b.com is aliased to a.com

vuserinfo [EMAIL PROTECTED]
[EMAIL PROTECTED] is aliased to [EMAIL PROTECTED]

-Rich

- Original Message - 
From: Bill Shupp [EMAIL PROTECTED]
To: Gabriel Ambuehl [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 04, 2001 13:02
Subject: Re: Re[2]: finished vaddaliasdomain() patch


 on 9/4/01 10:20 AM, Gabriel Ambuehl at [EMAIL PROTECTED] spake:
 
 
  IMNSHO, the user tools should NOT operate on user@aliasdomain anyway
  cause an aliasdomain is an aliasdomain and nothing more, the user is
  user@masterdomain and thus one should work only on the masterdomain.
 
 Sounds like I'm in the minority!
 
  I could, of course, patch vget_assign() to call get_domain_type()
  first and in case of an aliasdomain simply return dir, uid, gid of
  the masterdomain, thoughts?
 
 Nah, if people feel strongly that alias domains should not be treated as
 real accounts, then it's probably best to leave things as they are.
 
 Cheers,
 
 Bill
 
 




Re[4]: finished vaddaliasdomain() patch

2001-09-04 Thread Gabriel Ambuehl

Hello Bill,

Tuesday, September 04, 2001, 7:02:38 PM, you wrote:
 on 9/4/01 10:20 AM, Gabriel Ambuehl at [EMAIL PROTECTED]
 spake: 
 IMNSHO, the user tools should NOT operate on user@aliasdomain
 anyway cause an aliasdomain is an aliasdomain and nothing more,
 the user is user@masterdomain and thus one should work only on the
 masterdomain. 
 Sounds like I'm in the minority!

That's why I'm asking. I'm generally not against fixing it but I don't
mind if I don't need to cause I'm a lazy (the sales people would call
it efficient :-) person...

 I could, of course, patch vget_assign() to call get_domain_type()
 first and in case of an aliasdomain simply return dir, uid, gid of
 the masterdomain, thoughts?

 Nah, if people feel strongly that alias domains should not be
 treated as real accounts, then it's probably best to leave things
 as they are.  

I mean I don't know what the others involved would like to say about
it, but I for myself would leave things the way as they are.

Ken, is vget_assign() used anywhere to do something else than getting
dir, uid, gid of the domain to work on? If it isn't it would be ok if
it simply returns the values for the masterdomain if invented on an
aliasdomain, right?




Best regards,
 Gabriel






Re[4]: finished vaddaliasdomain() patch

2001-09-04 Thread Gabriel Ambuehl

Tuesday, September 04, 2001, 7:15:21 PM, you wrote:

 Will there at least be something like:
 b.com is aliased to a.com

 vuserinfo [EMAIL PROTECTED]
 [EMAIL PROTECTED] is aliased to [EMAIL PROTECTED]

No. Fixing this would most likely involve hacking around in the
vuserinfo code which I don't want to do as I haven't got any idea of
it cause I've never even used the binary of it. I don't even know
whether it does this at the moment with the old aliasdomain scheme?




Best regards,
 Gabriel






Re: Re[4]: finished vaddaliasdomain() patch

2001-09-04 Thread Ken Jones

On Tue, 2001-09-04 at 12:25, Gabriel Ambuehl wrote:
 -BEGIN PGP SIGNED MESSAGE-
 
 Hello Bill,
 
 Tuesday, September 04, 2001, 7:02:38 PM, you wrote:
  on 9/4/01 10:20 AM, Gabriel Ambuehl at [EMAIL PROTECTED]
  spake: 
  IMNSHO, the user tools should NOT operate on user@aliasdomain
  anyway cause an aliasdomain is an aliasdomain and nothing more,
  the user is user@masterdomain and thus one should work only on the
  masterdomain. 
  Sounds like I'm in the minority!
 
 That's why I'm asking. I'm generally not against fixing it but I
 don't
 mind if I don't need to cause I'm a lazy (the sales people would call
 it efficient :-) person...
 
  I could, of course, patch vget_assign() to call get_domain_type()
  first and in case of an aliasdomain simply return dir, uid, gid of
  the masterdomain, thoughts?
 
  Nah, if people feel strongly that alias domains should not be
  treated as real accounts, then it's probably best to leave things
  as they are.  
 
 I mean I don't know what the others involved would like to say about
 it, but I for myself would leave things the way as they are.
 
 Ken, is vget_assign() used anywhere to do something else than getting
 dir, uid, gid of the domain to work on? If it isn't it would be ok if
 it simply returns the values for the masterdomain if invented on an
 aliasdomain, right?

There is code that uses vget_assign to see if a domain exists, 
and then get the dir, uid, gid of the domain. It would be okay
to return the masterdomain info.

How do you know if a domain is aliased?

Ken




Re[6]: finished vaddaliasdomain() patch

2001-09-04 Thread Gabriel Ambuehl

Hello Ken,

Tuesday, September 04, 2001, 7:58:05 PM, you wrote:

 Ken, is vget_assign() used anywhere to do something else than
 getting dir, uid, gid of the domain to work on? If it isn't it
 would be ok if it simply returns the values for the masterdomain
 if invented on an aliasdomain, right?
 There is code that uses vget_assign to see if a domain exists,
 and then get the dir, uid, gid of the domain. It would be okay
 to return the masterdomain info.

 How do you know if a domain is aliased?

You mean how to tell whether it is an aliasdomain, a normal one or an
old alias one? Call

int get_domain_type(char * domain)

and parse the integer it returns. Maybe I should add a

char *get_real_domain(char * domain, char * realdomain, int sizeofrealdomain)

function, so vget_assign() and everything else can easily get the
masterdomain name of every domain?




Best regards,
 Gabriel





Advisories

2001-09-04 Thread vol

I'd like to comment on the advisory posted below.

First of all, this issue is as old as databases and programs
that interface with them automatically.  Changes to file
and library permissions fix any problems people might have
with this as stated in my advisory about valias.  The point in
my advisory, which the author of this advisory clearly missed,
was that binaries/libraries with permissions fixes on what he
has stated below, were still vulnerable due to an internal error
with vpopmail.

I'll restate my advisory briefly here.  vauth_getall() does not
require authentication of any kind.  vauth_getall() loads a db
connection in memory, which means, if I cause a segfault while
using vauth_getall() (on most systems) I can look at the contents
of the core file and read the database password.  If they have
valias enabled, I can insert information into the valias tables
and come up with a SUID vpopmail shell, which can be used from there
to gain root privileges in various ways (trojans, etc).

That's all, folks. :)

Forwarded message: 
 -BEGIN PGP SIGNED MESSAGE-
 
 - -
 BUZ.CH Security Advisory 20010831: Inter7 vpopmail
 - -
 Subject:  local password problem in vpopmail when installed with
   MySQL  module and all programs linked against
   libvpopmail.a
 Written by:   Gabriel Ambuehl [EMAIL PROTECTED]
 Impact:   - MySQL authentication data can get stolen which means
 that all the data the respective user has access to
 is in danger.
   - Probably remote command execution under the vpopmail
 user (untested).
 Affected: All vpopmail = 4.10.35 Setups using MySQL
 NOT affected: vpopmail setups without DB based authentication
 Credits:  Inter7 (earlier advisory on  vpopmail-4.10.34, see
   below for details)
 - -
 
 I first want to say that Ken Jones of Inter7 was really responsive
 when I reported the bug and that they fixed the vulnerability fast.
 I also want to say that vpopmail really does a great job!
 
 1. Introduction
 - ---
 Some days ago, Inter7 released a security advisory concerning
 passwords saved in libvpopmail.a cause they feared people could link
 against that lib with code that segfaults to steal the authentication
 data out of the core dump file and thus made the file chmod 400 so
 that only root has access to the compiled passwords. While this fixes
 this particular vulnerability, it really only fixes one particular
 problem with libvpopmail.a.
 
 
 2. Description of the Problem
 - -
 As pointed out above, the passwords to the MySQL server get compiled
 into libvpopmail.a which is where they belong for various reasons,
 which basically means that one can get them out of there rather
 easily (a short description for FreeBSD 4.3/gcc 2.95.2 is below).
 Now since all the command line utilities link against libvpopmail.a,
 they all contain the passwords too. This means that there's
 absolutely no need to write some code that will segfault as all
 binaries are chmod 755 which means that every user can read their
 contents, including the passwords.
 
 
 3. Principal attack
 - ---
 On FreeBSD 4.3/gcc 2.95.2 and vpopmail-4.10.35/4.10 (first one is the
 development snapshot) the username and password is saved in the same
 line as the error message
 could not connect to mysql
 All you have to do now is to open the file in a text editor, search
 for the string and grab the passwords a few bytes earlier. You now
 can connect to the DB server and do whatever you like with the data
 you gained access to.
 (the following paragraph is based on assumptions, as we don't run the
 mysql module ourselves) In some versions, this probably involves
 access to forwards which means that you could be able to spawn an
 arbitrary executable under the uid vpopmail runs (normally vpopmail,
 which means that all the email data is in danger, but when the multi
 Unix user scheme is used root, i.e. complete control of the system).
 
 
 4. Background
 - -
 It's widely known that saving DB passwords anywhere on the system
 causes a big risk that they will be stolen but there isn't any other
 solution for daemons to work with databases as it is obviously
 impossible to run them interactively typing the password every time
 they are used. There ain't any real solution against this for
 interpreted code, but for binaries one can at least remove the r bits
 from the permissions to prevent users stealing the passwords out of
 the binaries. We suspect that there are many other programs out there
 that suffer of the same problem.
 
 
 5. Solution
 - ---
 Run
 # chmod 711 ~vpopmail/bin/*
 # chmod 400 ~vpopmail/lib/*
 (substitute the second 
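
The permission fix quoted in section 5 of the advisory above (chmod 711 on ~vpopmail/bin/*, chmod 400 on ~vpopmail/lib/*) can be verified with a short audit. This is an added example, not part of any message in the thread or of vpopmail itself; the function names, the `EXPOSED` output prefix and the constructed demo tree (file names `vadduser`, `vchkpw`, `libvpopmail.a`) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: audit the permissions the advisory's fix sets.
# Function names and the demo tree below are constructed for illustration.

# exposed_files DIR BIT...
# Print each regular file directly inside DIR that has at least one of the
# given octal permission bits set (040 = group read, 004 = other read, ...).
exposed_files() {
    ef_dir=$1
    shift
    [ -d "$ef_dir" ] || return 0
    for ef_file in "$ef_dir"/*; do
        [ -e "$ef_file" ] || continue          # empty directory or dangling link
        for ef_bit in "$@"; do
            # -prune keeps find from descending; -perm -BIT tests that one bit.
            if [ -n "$(find "$ef_file" -prune -type f -perm "-$ef_bit" -print)" ]; then
                printf '%s\n' "$ef_file"
                break
            fi
        done
    done
    return 0
}

# audit_vpopmail HOME
#   HOME/bin/*: no group/other read bit (the advisory's chmod 711)
#   HOME/lib/*: no group/other bits at all (the advisory's chmod 400)
# Prints one "EXPOSED <path>" line per finding; returns 1 if there are any.
audit_vpopmail() {
    av_home=$1
    av_found=$(
        exposed_files "$av_home/bin" 040 004
        exposed_files "$av_home/lib" 040 020 010 004 002 001
    )
    [ -z "$av_found" ] && return 0
    printf '%s\n' "$av_found" | sed 's/^/EXPOSED /'
    return 1
}

# make_demo_tree: build a constructed install layout in a temp dir, print its path.
make_demo_tree() {
    md_root=$(mktemp -d) || return 1
    mkdir "$md_root/bin" "$md_root/lib"
    : > "$md_root/bin/vadduser";      chmod 755 "$md_root/bin/vadduser"       # world-readable
    : > "$md_root/bin/vchkpw";        chmod 711 "$md_root/bin/vchkpw"         # already fixed
    : > "$md_root/lib/libvpopmail.a"; chmod 644 "$md_root/lib/libvpopmail.a"  # world-readable
    printf '%s\n' "$md_root"
}

# Demo on the constructed tree: before and after applying the advisory's chmod lines.
demo_root=$(make_demo_tree)
echo "before fix:"; audit_vpopmail "$demo_root" || true
chmod 711 "$demo_root"/bin/*
chmod 400 "$demo_root"/lib/*
echo "after fix:";  audit_vpopmail "$demo_root" && echo "no exposed files"
rm -rf "$demo_root"
```

On a real install, call `audit_vpopmail` with the vpopmail user's home directory; a non-zero return means at least one file still carries group or other permission bits the fix removes.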

Re: all fixed up vaddaliasdomain() patch (I hope...)

2001-09-04 Thread Ken Jones


In the future, please post a URL to the patch file
instead of posting the patch.

Why?

Because it eats up our T1 connection delivering the
patch file to everyone on the mailing list.

Thanks
ken

On Tue, 2001-09-04 at 12:59, Gabriel Ambuehl wrote:
 -BEGIN PGP SIGNED MESSAGE-
 
 Hello all,
 I think I've got together an all working vaddaliasdomain() patch and
 would appreciate any comments on it.
 
 I did not, however, fix the issue Bill raised earlier about
 vget_assign() not knowing about the aliasdomains and which makes
 some of the standalone utilities fail to recognize aliasdomains which
 I personally think is the required behavior as it doesn't make too
 much sense to me to operate on users off aliasdomains but you're
 invited to convince me otherwise and I'll try to fix this.
 
 Todo:
 some small script that is able to change the existing, symlink based
 aliasdomains to the new scheme. For the domains in ~vpopmail/domains/
 this is rather easy (i.e. check whether a given entry in that
 directory is a symlink and if it is, fetch the path it points to,
 call vdeldomain(entry) followed by vaddaliasdomain(entry, linkdest)).
 
 Please note that this isn't ultimately needed as the old aliasdomain
 scheme should work without any problems even with the new stuff in
 place.
 
 You might also want to check for compatibility with Vladimir's
 authentication patches, although I highly suspect there won't be any
 problems as I really tried to have the existing library functions
 behave like they always did (with the above exception, of course).
 
 Someone might also want to check what's going to happen if there are
 more than 100 aliasdomains for a given domain as I used a 100 entry
 array of char * to hold the aliasdomains. In theory, the array should
 get refilled after every time I use it but I wouldn't want to rely on
 this without having it tested first (I was too lazy to dig into all
 the realloc() stuff as I ordinarily prefer to use C++ and the STL where
 memory management is done by the lib which is why there isn't a
 dynamic array instead).
 
 There's one other issue with the whole array too: cause the
 char[] it is pointing are malloc'ed by the code and not by C itself,
 they don't get destroyed after the function exits. This isn't
 a problem for any program that does only one operation at a time
 but for daemon like code linked against libvpopmail.a it could result
 in memory leaks. The solution to this is easy: a small function that
 takes the array and free() all the char[] it points to.
 
 
 
 Best regards,
  Gabriel





Re: vpopmail-5.0pre1

2001-09-04 Thread Bill Shupp

on 9/4/01 12:09 PM, Bill Shupp at [EMAIL PROTECTED] spake:

 SMTP blocking (via vmoduser) is something I wouldn't mind seeing in 5.0..  I
 just implemented smtp auth in production, and could use that sooner than
 later.  ; )   If I get time today, I'll try to extract those changes from
 Vladimir's code and submit it as a patch to 5.0pre1.


Ok, I've been working on this but can't get it right yet.  The
vmoduser/vuserinfo stuff was easy to adapt.  But Vladimir's version uses a
lot of new stuff to determine what service is calling vchkpw.  I ended up
bringing a lot of his code into 5.0.

Anyway, it doesn't work yet, and I can't work on it anymore today.  I've
posted a patch (against 5.0pre1) of where I'm at, if anyone wants to look at
it.  It's pretty close, probably.  ; )

To apply:

cd vpopmail-5.0pre1
lynx --source http://shupp.org/patches/vpopmail-5.0p1-nosmtp.patch.gz | patch -p0
./configure
make
make install-strip

Cheers,

Bill Shupp




Re: vpopmail-5.0pre1

2001-09-04 Thread Vladimir Kabanov

 SMTP blocking (via vmoduser) is something I wouldn't mind seeing in 5.0..  I
 just implemented smtp auth in production, and could use that sooner than
 later.  ; )   If I get time today, I'll try to extract those changes from
 Vladimir's code and submit it as a patch to 5.0pre1.
 
 Cheers,
 
 Bill Shupp

Good day friends!

Of course that's not complete SMTP blocking, 
it's just a possibility to disable a user from sending to someone else using our 
protected smtp-server.

I guess there also could be such a possibility as a block on the vdeliver level...
but...  I don't think it's a good decision, as we will lose contact with that user... or...  
maybe enable smtp delivery from admin stuff?
This is a little better.

To Bill and Ken:
why can't you contact me for additional info on what has been done to the vpopmail modules
in order to implement it faster? I guess it will be a little easier way to work  :)

Waiting for news from you.

Vladimir Kabanov.



Re: vpopmail-5.0pre1

2001-09-04 Thread Bill Shupp

on 9/4/01 6:27 PM, Vladimir Kabanov at [EMAIL PROTECTED] spake:

 Good day friends!
 
 of course thats not completing SMTP blocks,
 its just a possibility to disable user from sending to someone else using  our
 protected smtp-server.
 
 I guess there also could be such possibility as block on vdeliver level...
 but...  dont think its good decision, as we will lost contact with that
 user... or...  maybe enable smtp delivery from admin stuff?
 this a little better.
 
 to Bill and Ken:
 why cant u contact me for additional info what have been done to vpopmail
 modules
 in order to implement it faster? I guess it will be a little easier way to
 work on  :)
 
 Waiting for news from you.

Vladimir,

I wasn't intending to merge all of your changes, as I figured Inter7 would
want to do that to be sure of any design issues.  I was just personally
interested in the NO_SMTP gid flag for my system.

I'm certainly not against any of your changes.  While I can't speak for them,
I think the easiest thing for Inter7 would be for you to provide any
additional info you have on your modifications, as well as a patch against
the current dev release, as your changes seem pretty substantial.

Cheers!

Bill




Outbound quota suggestion.

2001-09-04 Thread Eduardo Augusto Alvarenga

Hi all,

Forgive me for my English (it's not quite so good!)

My idea is:
When a user successfully authenticates on vchkpw, the same schema used to allow 
roaming users smtping may be used to put a 'RELAYCLIENT' tag on the same line
as the 'allow' tag in the tcp.smtp file.

Example:

ro.am.ming.ip:allow,RELAYCLIENT=,DATABYTES=''

It may have a default outbound quota for everyone allowing any size
and a personal quota size for some emails, having a time period to expire,
like roaming users have

I'm suggesting this because I have this schema, 
but to get this working I had to give the station a fixed IP on dhcpd, 
and edit the tcp.smtp line by line to put the user on the right outbound
quota state. 
(Note: as you see, this solution is machine based, since it works only with a
determined IP number assigned by a dhcp config; it's stable and useful, but
hard to maintain and very insecure, since a user can easily change its NIC's
MAC address and run away with my smtp rules!)

In the future, qmailadmin support may be very very welcome ;)


Hope this idea is useful.
Best Regards,

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo Augusto Alvarenga - Analista de Suporte - #179653
Blumenau - Santa Catarina. Tel. (47) 9102-3303
   http://www.netron.com.br/~eduardo
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Outbound quota suggestion.

2001-09-04 Thread Eduardo Augusto Alvarenga

Eduardo Augusto Alvarenga [EMAIL PROTECTED] wrote:

[...]
 roaming users smtping, may be used to put a 'RELAYCLIENT' tag on the
[...]

Sorry! Correcting:

[...]
roaming users smtping, may be used to put a 'DATABYTES' tag on the
[...]

Now it's right.

Best Regards,

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eduardo Augusto Alvarenga - Analista de Suporte - #179653
Blumenau - Santa Catarina. Tel. (47) 9102-3303
   http://www.netron.com.br/~eduardo
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Re: Outbound quota suggestion.

2001-09-04 Thread CGI Guru

What??

- Original Message - 
From: Eduardo Augusto Alvarenga [EMAIL PROTECTED]
To: Eduardo Augusto Alvarenga [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, September 04, 2001 7:58 PM
Subject: Re: Outbound quota suggestion.


 Eduardo Augusto Alvarenga [EMAIL PROTECTED] wrote:
 
 [...]
  roaming users smtping, may be used to put a 'RELAYCLIENT' tag on the
 [...]
 
 Sorry! Correcting:
 
 [...]
 roaming users smtping, may be used to put a 'DATABYTES' tag on the
 [...]
 
 Now it's right.
 
 Best Regards,
 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Eduardo Augusto Alvarenga - Analista de Suporte - #179653
 Blumenau - Santa Catarina. Tel. (47) 9102-3303
http://www.netron.com.br/~eduardo
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 




sqwebmail3.0.0 and vpopmail4.9.10

2001-09-04 Thread Schiltz Luc

Hi,

I installed the mentioned packages and get the following error when
compiling sqwebmail:

gcc -DHAVE_CONFIG_H -I. -I. -I. -I/home/vpopmail/include -g -O2 -Wall -I .. -I./.. -c authvchkpw.c
authvchkpw.c: In function `auth_vchkpw_changepass':
authvchkpw.c:142: warning: assignment from incompatible pointer type
authvchkpw.c:151: dereferencing pointer to incomplete type
authvchkpw.c:151: dereferencing pointer to incomplete type
make[1]: *** [authvchkpw.o] Error 1
make[1]: Leaving directory `/home/luc/download/sqwebmail-3.0.0/authlib'
make: *** [all-recursive] Error 1
[root@josephine sqwebmail-3.0.0]#

configure line is :

./configure --enable-cgibindir=/usr/local/httpd/cgi-bin \
    --enable-htmldir=/usr/local/httpd/htdocs --without-authpam \
    --without-authuserdb --enable-webpass=no --without-authpwd \
    --without-authshadow

do you know how to get it working correctly ?

thanks

Luc




Re: sqwebmail3.0.0 and vpopmail4.9.10

2001-09-04 Thread Tren Blackburn

Get vpopmail 4.10.32

Tren.

On Tue, 4 Sep 2001, Schiltz Luc wrote:

 Hi,

 I installed the mentionned packages and get the following error when
 compiling sqwebmail :

 gcc -DHAVE_CONFIG_H -I. -I. -I. -I/home/vpopmail/include -g -O2 -Wall -I
 .. -I./.. -c authvchkpw.c
 authvchkpw.c: In function `auth_vchkpw_changepass':
 authvchkpw.c:142: warning: assignment from incompatible pointer type
 authvchkpw.c:151: dereferencing pointer to incomplete type
 authvchkpw.c:151: dereferencing pointer to incomplete type
 make[1]: *** [authvchkpw.o] Error 1
 make[1]: Leaving directory `/home/luc/download/sqwebmail-3.0.0/authlib'
 make: *** [all-recursive] Error 1
 [root@josephine sqwebmail-3.0.0]#

 configure line is :

 ./configure --enable-cgibindir=/usr/local/httpd/cgi-bin --enable-htmldir=/us
 r/local/httpd/htdocs --without-authpam
 --without-authuserdb --enable-webpass=no --without-authpwd --without-authsha
 dow

 do you know how to get it working correctly ?

 thanks

 Luc



-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Tren Blackburn - Owner        mailto:[EMAIL PROTECTED]  =
= End of Time Networks  http://www.eotnetworks.com   -
- (403) 269-2122 =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-