Re: [vchkpw] courier-imap, authdaemond, authvchkpw Login fails sometimes
On Fri, 17 Dec 2004 18:47:18 -0500, Dean Jones [EMAIL PROTECTED] wrote: Pedro Pais wrote: On Fri, 17 Dec 2004 10:24:20 -0500, Dean Jones [EMAIL PROTECTED] wrote: On 12/17/2004, Pedro Pais [EMAIL PROTECTED] wrote: Remove authdaemonrc from imapd and pop3d config files and replace it with authvchkpw. I don't know why, but it works. BTW, I think there's a way to compile courier-imap without authdaemon, but you'll have to find out. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesid=3759t=1 Maybe that's the problem... I don't have either in my config files... Where is it supposed to go? Are we talking about the /usr/lib/courier-imapd/etc/imapd config file? Yes, both in imapd and pop3d. Mine are under /etc/courier-imap, but I think that's distro specific. The differences I made on those files follows below. #AUTHMODULES=authdaemon AUTHMODULES=authvchkpw See, that's weird... I don't have AUTHMODULES=authdaemon in my imapd or pop3d files... I just put AUTHMODULES=authvchkpw in there... It looks like it's working so far, but we'll see after about 5 minutes. Tell us if it worked out or not. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] courier-imap, authdaemond, authvchkpw Login fails sometimes
On Thu, 16 Dec 2004 21:41:33 -0500, Dean Jones [EMAIL PROTECTED] wrote: Hi, I've seen a lot of people complain about this issue, but I've yet to see a resolution to this problem. Basically, I'm running the following: courier-imap v4.0.0 courier-authlib v0.51 vpopmail-5.4.0 in authdaemonrc I have authvchkpw listed as the only authentication module. When I start up authdaemon, I'm able to login for about 1 minute and then it's sporadic... There are very few times that I can login, but I'm always able to right after a restart of authdaemon. This was posted on courier-imap's mailing list and they refered the people complaining about it to the vpopmail mailing list and said this is a Known bug. What can I do to fix this? Thanks, Dean Remove authdaemonrc from imapd and pop3d config files and replace it with authvchkpw. I don't know why, but it works. BTW, I think there's a way to compile courier-imap without authdaemon, but you'll have to find out. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] courier-imap, authdaemond, authvchkpw Login fails sometimes
On Fri, 17 Dec 2004 10:24:20 -0500, Dean Jones [EMAIL PROTECTED] wrote: On 12/17/2004, Pedro Pais [EMAIL PROTECTED] wrote: Remove authdaemonrc from imapd and pop3d config files and replace it with authvchkpw. I don't know why, but it works. BTW, I think there's a way to compile courier-imap without authdaemon, but you'll have to find out. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesid=3759t=1 Maybe that's the problem... I don't have either in my config files... Where is it supposed to go? Are we talking about the /usr/lib/courier-imapd/etc/imapd config file? Yes, both in imapd and pop3d. Mine are under /etc/courier-imap, but I think that's distro specific. The differences I made on those files follows below. #AUTHMODULES=authdaemon AUTHMODULES=authvchkpw -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Wed, 15 Dec 2004 03:24:07 -0300, Eduardo M. Bragatto [EMAIL PROTECTED] wrote: Charles Sprickman wrote: I don't really care if some user has his mail sniffed (if he thinks it's confidential, he should be responsible for encrypting it, so even when it's written to the storage system the message would still be encrypted). But I do care if some spammer sniffs him and starts getting relay to do spam trough my smtpd (smtp-auth). I'm not sure, but I think that the only thing that's encrypted is the login data. Or am I wrong? -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote: On Tue, 14 Dec 2004, Pedro Pais wrote: Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :( Oops. Sorry about that. It indeed does not work. This run script is interesting, it will put up an stunnel SSL connection that should make Outhouse Express happy: http://www.jms1.net/qmail/run.smtp Charles Will I be able to run two concurrent qmail processes, on different ports? One listening on 25 and other listening on 465? -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1 -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] Login using only username not whole e-mail
just add your domain to /var/vpopmail/etc/defaultdomain It works with me. On Mon, 13 Dec 2004 13:08:14 +0100, Khan [EMAIL PROTECTED] wrote: Hello, I'm not shure should I ask this here or on courier-imap mailing list. I have installed qmail, vpopmail, ldap and qmailadmin. It all works great together. My question is, Can I log to POP3 or IMAP server using only username instead of [EMAIL PROTECTED] TNX -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 17:37:00 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote: On Fri, 10 Dec 2004, Eduardo M. Bragatto wrote: Tom Collins wrote: If you stored a single encoded password, anyone sniffing the line could learn the encoded version and just re-use it. So I have to choose: using a cryptography authentication method that's not safe or having the password being save as plain (wich is not safe either)? No... Sure I can guarantee that getting access to my DB is more difficult than getting access to my LAN (in case of sniffing), so I would choose having the plain password stored, but it's still being a hole on the system (if some guy gains access to DB, he'll have access to ALL passwords, while sniffing would just compromise some users). They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on unfriendly networks like wireless... Is there any plans for workaround this problem? Is there a way to do it? How does behavior other softwares that uses CRAM-MD5? They always kept the plain password? There's a simple workaround; use standard auth and in your setup guides show your users how to click the Use SSL/TLS option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords. Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :( Another auth mechanism that works like this is CHAP. We used to have a roaming dial provider that had a handful of POPs that only supported CHAP and had to ditch them since it required us to store cleartext passwords. Since we auth dialup users out of our vpopmail db, we just decided not to mess with them. I've never been worried about the attack CHAP tries to protect against, which involves tapping the modem line to grab user/pass info - it's just not a realistic threat for most people. Charles -- Best regards, Eduardo M. Bragatto. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Mon, 13 Dec 2004 21:26:10 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote: On Tue, 14 Dec 2004, Pedro Pais wrote: Yes, does Outlook Express support TLS? I can't make it use it, which is not very nice :( Oops. Sorry about that. It indeed does not work. This run script is interesting, it will put up an stunnel SSL connection that should make Outhouse Express happy: http://www.jms1.net/qmail/run.smtp thanks. Charles -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1 -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Fri, 10 Dec 2004 19:28:32 +, Pedro Pais [EMAIL PROTECTED] wrote: On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote: On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote: Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system... Really? That doesn't sound too secure, or even ethical. CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password. The only way for CRAM-MD5 to work is for the server to know the user's cleartext password. Granted, you need to make sure the cleartext password is stored securely... But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cypher the password using mysql PASSWORD(). a) Client authenticates using plain username/password Create CRAM-MD5 from those tokens and check with the password stored. b) Client authenticates usign CRAM-MD5 username/password. Directly compare with the stored password. Am I missing something important in here? Maybe I'm over-simplifying things a bit, right? I'm skimming the RFC and the process of creation of the CRAM-MD5 authentication token doesn't seem to be very straight-forward... -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/ -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1 -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins [EMAIL PROTECTED] wrote: On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote: Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system... Really? That doesn't sound too secure, or even ethical. CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password. The only way for CRAM-MD5 to work is for the server to know the user's cleartext password. Granted, you need to make sure the cleartext password is stored securely... But why isn't the password stored in the passwd/mysql using CRAM-MD5 format? That way you could always check it. It wouldn't matter if the client authenticated using plain or using CRAM-MD5. You could even double cypher the password using mysql PASSWORD(). a) Client authenticates using plain username/password Create CRAM-MD5 from those tokens and check with the password stored. b) Client authenticates usign CRAM-MD5 username/password. Directly compare with the stored password. Am I missing something important in here? -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/ -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] delivering a mail to every account
On Thu, 09 Dec 2004 14:46:10 +0100, Alexander Gruber [EMAIL PROTECTED] wrote: hi together, i would like to know if it is possbile to send one mail to every account on a vpopmail installation. perhaps via vdeliver or maildrop?! check vpopbull command. vpopbull without arguments shows usage. thanks! alex -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Thu, 9 Dec 2004 16:53:30 -0500 (EST), Charles Sprickman [EMAIL PROTECTED] wrote: On Wed, 8 Dec 2004, Tom Collins wrote: On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote: When a user tries to authenticate itself, the first time vchkpw fails with: Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail but then it succeeds immediatly after: Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing? It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch. Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text passwords enabled. I still need to look at my pop and smtp servers to see how I can make them not advertise something that's not available on my system... Charles Really? That doesn't sound too secure, or even ethical. Well, I've found a way to disable the announcement of CRAM-MD5: edit qmail-smtpd.c, and delete (or comment out) the line that says #define AUTHCRAM. Then compile, install qmal and CRAM-MD5 support is gone. If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/ -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
[vchkpw] vchkpw fails and then succeeds!
When a user tries to authenticate itself, the first time vchkpw fails with: Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail but then it succeeds immediatly after: Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing? Oh.. and the greatest of all is that this only happens while authenticating for smtp relay, POP3 and IMAP work out perfectly. -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1
Re: [vchkpw] vchkpw fails and then succeeds!
On Wed, 8 Dec 2004 10:39:35 -0800, Tom Collins [EMAIL PROTECTED] wrote: On Dec 8, 2004, at 8:04 AM, Pedro Pais wrote: When a user tries to authenticate itself, the first time vchkpw fails with: Dec 6 21:50:08 [vpopmail] vchkpw-smtp: password fail but then it succeeds immediatly after: Dec 6 21:50:13 [vpopmail] vchkpw-smtp: (PLAIN) login success This is very annoying, besides the fact that this only happens with Thunderbird, with other e-mail clients they give an error message and the connection is terminated. Is there any way to solve this thing? It looks like the client is trying CRAM-MD5, failing, and then using PLAIN authentication. You probably have an older patch, or a version problem between the smtp-auth patch and vpopmail. The older patch sent the information in the incorrect order, and vpopmail was written to accept it in that order. We fixed vpopmail for the 5.4.0 release, but it required updating to the correct SMTP AUTH patch. If you're using vpopmail 5.4.0 and later, make sure you're using an up-to-date patch that passes the MD5 challenge and response in the correct order. The patch in vpopmail's contrib directory works properly. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/ Thanks a lot for your tips, but it still doesn't work. :( I'm using gentoo, that already has qmail way patches. I tried to compile it with the patch in the contrib dir, and it worked out. But the result is just the same. But I guess you're totally right. I've tried more extensively and with Outlook Express it doesn't give any error (I suppose OE doesn't use CRAM-MD5). I'm using vpopmail 5.4.6, and qmail is already patched with smtp auth, but still nothing. Any thing else you can remember? -- Pedro Pais Skype name: pedro.pais MSN: [EMAIL PROTECTED] Get Firefox! http://www.spreadfirefox.com/community/?q=affiliatesamp;id=3759amp;t=1