Re: [vchkpw] rcpt check patch - rejected rcpt

2006-05-23 Thread tonix (Antonio Nati)

At 22.53 22/05/2006, you wrote:

Has anyone else run into this?

A microsoft smtp service is sending an email with a list
of rcpt's. Some of the rcpt's are invalid. The microsoft
keeps reporting rejection of almost all the email addresses
including valid ones.

We are using fixcrio on the smtp server, so it's not
a bare line feed problem.

Using chkuser v.2.0.8.

Everything works fine when a qmail server sends the
same list of emails. All the good rcpts get the email
and all the invalid rcpts are rejected.

Any ideas?

I am looking into disabling the chk user for the
senders static IP address but wonder if there is
possibly something in the qmail/chkuser code that
needs looking into.


What do chkuser logs say about these rejected rcpt?

Tonino


Ken Jones





Re: [vchkpw] rcpt check patch - rejected rcpt

2006-05-23 Thread tonix (Antonio Nati)


At 17.11 23/05/2006, you wrote:
tonix (Antonio Nati) wrote:
At 22.53 22/05/2006, you wrote:
Has anyone else run into this?

A microsoft smtp service is sending an email with a list
of rcpt's. Some of the rcpt's are invalid. The microsoft
keeps reporting rejection of almost all the email addresses
including valid ones.

We are using fixcrio on the smtp server, so it's not
a bare line feed problem.

Using chkuser v.2.0.8.

Everything works fine when a qmail server sends the
same list of emails. All the good rcpts get the email
and all the invalid rcpts are rejected.

Any ideas?

I am looking into disabling the chk user for the
senders static IP address but wonder if there is
possibly something in the qmail/chkuser code that
needs looking into.

What do chkuser logs say about these rejected rcpt?
Tonino

Are there any settings that will let me disable chkuser
based on an environment variable? So it is on by default
but I can turn it off in tcp.smtp like:
A.B.C.D:allow,DISABLE_CHKUSER=""

Ken,
I repeat here a previous post, about a change in next chkuser
version.
The define CHKUSER_DISABLE_VARIABLE will let you define a variable whose
existence will exclude chkuser (unless ALWAYS_ON is set!).
Defining CHKUSER_DISABLE_VARIABLE equal to RELAYCLIENT will permit to
exclude chkuser for all authenticated clients (as all email clients have
the same problem you complain about).
This is the code that will be likely added in 2.0.9.
Add in chkuser_settings.h this define

#define CHKUSER_DISABLE_VARIABLE "CHKUSER_DISABLE_VARIABLE"

Then, in chkuser.c, add this code within first_time_init() after the
following lines:

#if !defined CHKUSER_ALWAYS_ON  defined
CHKUSER_STARTING_VARIABLE 
 starting_string = env_get
(CHKUSER_STARTING_VARIABLE); 
 if (starting_string) { 


if (strcasecmp(starting_string, ALWAYS) == 0) { 


starting_value = 1; 


} else if (strcasecmp(starting_string, DOMAIN) == 0) { 


starting_value = 0; 


} 
 } else { 


starting_string = ; 
 } 
#endif

+#if !defined CHKUSER_ALWAYS_ON  defined
CHKUSER_DISABLE_VARIABLE 
+ if (env_get
(CHKUSER_DISABLE_VARIABLE)) { 

+
starting_value = -1; 
+ } 
+#endif 
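
Review bot: The added block only tests that the variable exists (`env_get (CHKUSER_DISABLE_VARIABLE)` returning non-null) and then sets `starting_value = -1` after the CHKUSER_STARTING_VARIABLE logic has run, so it overrides an explicit ALWAYS or DOMAIN setting and an empty value is enough to switch chkuser off. With the define mapped to RELAYCLIENT, as the message proposes, that applies to every tcp.smtp rule that sets RELAYCLIENT, including relaying granted by IP address, not only to authenticated clients; the precedence and this consequence should be documented next to the define in chkuser_settings.h. As posted, the two conditions on the added `#if` line also have no operator between them and need an explicit `&&`.
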

Another way suitable for your needs is to define
CHKUSER_STARTING_VARIABLE, setting the variable to DOMAIN for
all except wished IP senders, for which may be set to NONE.

Regards,
Tonino

Ken





Re: [vchkpw] chkuser mystery

2006-05-19 Thread tonix (Antonio Nati)


At 19.28 19/05/2006, you wrote:
I'm having a hell of a time tracking down why some of my user extensions
won't work with chkuser.

I'm running netqmail-1.05 with the qmail-toaster-0.8.1.patch from
shupp.org and vpopmail-5.4.13 (on debian woody).
Now, I have one .qmail-matt-default alias that works, and a new one I
created (with a cp -a) .qmail-foobar-default that doesn't.

Are you speaking of user extensions or aliases, or
CHKUSER_ENABLE_ALIAS_DEFAULT setting?
They are different things.
If you are using normal aliases, user extensions are not needed.
If you are using user extensions, if the first part (before
-) of the recipient exists then chkuser will let the message
pass.
If you are using CHKUSER_ENABLE_ALIAS_DEFAULT then
.qmail-foobar-default will be recognized.

To make matters even more confusing, I've set up a test qmail-smtpd
service running on a different port, but with the same backend file
structure, so that I could test new qmail-smtpd builds without disrupting
my users. So, I rebuilt everything and started the service and I can now
successfully email my .qmail-foobar-default alias.
But - just for testing's sake - I deleted my .qmail-foobar-default and the
sent email STILL made it past the chkuser check and then I got the bounce
message stating that there was no mailbox.

Check if you have user extensions enabled and a foobar recipient
exists.
Ciao,
Tonino

I'm thoroughly confused. Is there some cache somewhere of the aliases and
valid email addresses for my vpopmail domains? If so, where is it, when
does it get refreshed?
Thanks in advance, I've been searching through the list archives and
readmes so it's a lack of tokens and not effort if this question has
already been answered.





Re: [vchkpw] [vpopmail] handle 'postmaster' as non existing user (reject mails)

2006-05-09 Thread tonix (Antonio Nati)

At 16.47 09/05/2006, you wrote:
Easiest thing to do is add a .qmail file in the postmaster directory 
stating '|/bin/true delete' to scrap the message [just sets it as 
deleted by default].


Now I'd imagine the main frontline you'd want to investigate is 
chkuser.c if you use it.  By line 567, it's got a user and domain 
split.  Under case 10, it actually does the user check, so just have 
it test the user for 'postmaster' and return a failed 'user does not exist'.


It could be easier to set the BOUNCE_FLAG on for each postmaster,
and the message will be rejected.


Tonino




RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-10 Thread tonix (Antonio Nati)


At 02.15 10/03/2006, you wrote:
#ifndef TLS
This means that it will only run chkuser if you didn't compile it with
TLS support, which you might have done. If TLS is defined, I don't
see chkuser being included in the executable. You need the chkuser
calls in the TLS/SSL section as well.
This is not an if structure as it would be in regular code. This is
a compiler direction, that tells it to completely ignore those parts at
COMPILE TIME. Meaning, that those parts may never get included...
ever... in the executable.
Of course I'm making an assumption that TLS is defined :)
-M


Yes, I agree with this observation.
But I want to tell something more: I don't understand why, in this phase,
someone is still checking for TLS code.
The TLS phase has already been done initially, so I find all this TLS
code here to be completely useless from an analytic point of view.
In fact, Shupp's version of this code in the same point has zero code
related to TLS.
I find that if you DELETE all the code related to TLS, within this
routine smtp_mail(), you'll simplify all.
Tonino

Lee Evans
[EMAIL PROTECTED] wrote:

 You could post here (or send me) the routine where chkuser is
 called (both for sender and recipients), just to see what to change.

I have attached snippets from qmail-smtpd.c showing the send rcpt routines
and chkuser code I hope this is what you meant.

 [Is chkuser.h included in a valid point within qmail-smtpd.c?]

I have:

#include "fd.h"
#include "dns.h"
#include "spf.h"
/*chkuser*/
#include "chkuser.h"

Thanks
Lee

void smtp_mail(arg) char *arg;
{
  int r;

  rcptcounter = 0 ;
  if (!addrparse(arg)) { err_syntax(); return; }
/*chkuser*/
  if (chkuser_sender (&addr) != CHKUSER_OK) { return; }
/*chkuser end*/
  flagbarf = bmfcheck();
  switch(mfcheck()) {
    case DNS_HARD: err_hmf(); return;
    case DNS_SOFT: err_smf(); return;
    case DNS_MEM: die_nomem();
  }
  flagbarfspf = 0;
  if (spfbehavior && !relayclient)
  {
    switch (r = spfcheck())
    {
      case SPF_OK: env_put2("SPFRESULT","pass"); break;
      case SPF_NONE: env_put2("SPFRESULT","none"); break;
      case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break;
      case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break;
      case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break;
      case SPF_FAIL: env_put2("SPFRESULT","fail"); break;
      case SPF_ERROR: env_put2("SPFRESULT","error"); break;
    }
    switch (r)
    {
      case SPF_NOMEM:
        die_nomem();
      case SPF_ERROR:
        if (spfbehavior < 2) break ;
        out ("451 SPF lookup failure (#4.3.0)\r\n");
        return;
      case SPF_NONE:
      case SPF_UNKNOWN:
        if (spfbehavior < 6) break ;
      case SPF_NEUTRAL:
        if (spfbehavior < 5) break ;
      case SPF_SOFTFAIL:
        if (spfbehavior < 4) break ;
      case SPF_FAIL:
        if (spfbehavior < 3) break ;
        if (!spfexplanation(&spfbarfmsg)) die_nomem();
        if (!stralloc_0(&spfbarfmsg)) die_nomem();
        flagbarfspf = 1;
    }
  }
  else
    env_unset("SPFRESULT");
  seenmail = 1;
  if (!stralloc_copys(&rcptto,"")) die_nomem();
  if (!stralloc_copys(&mailfrom,addr.s)) die_nomem();
  if (!stralloc_0(&mailfrom)) die_nomem();
  out("250 ok\r\n");
}

void smtp_rcpt(arg) char *arg; {
  rcptcounter++;
  if (!seenmail) { err_wantmail(); return; }
  if (checkrcptcount() == 1) { err_syntax(); return; }
  if (!addrparse(arg)) { err_syntax(); return; }
  if (flagbarf) { err_bmf(); return; }
  if (flagbarfspf) { err_spf(); return; }
  if (relayclient) {
    --addr.len;
    if (!stralloc_cats(&addr,relayclient)) die_nomem();
    if (!stralloc_0(&addr)) die_nomem();
  }
  else
#ifndef TLS
  /* compiled only when TLS is NOT defined, chkuser call included */
    if (!addrallowed()) { err_nogateway(); return; }
/*chkuser*/
  switch (chkuser_realrcpt (&mailfrom, &addr)) {
    case CHKUSER_KO:
      return;
      break;
    case CHKUSER_RELAYING:
      --addr.len;
      if (!stralloc_cats(&addr,relayclient)) die_nomem();
      if (!stralloc_0(&addr)) die_nomem();
      break;
  }
/*end chkuser*/
#else
  /* compiled only when TLS is defined; no chkuser call in this branch */
    if (!addrallowed())
    {
      if (ssl)
      { STACK_OF(X509_NAME) *sk;
        X509 *peercert;
        stralloc tlsclients = {0};
        struct constmap maptlsclients;
        int r;

        SSL_set_verify(ssl,
                       SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
                       verify_cb);
        if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)
        { err_nogateway(); return; }
        SSL_set_client_CA_list(ssl, sk);

        if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||
           !constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))
        { err_nogateway(); return; }

        SSL_renegotiate(ssl);
        SSL_do_handshake(ssl);
        ssl->state = SSL_ST_ACCEPT;
        SSL_do_handshake(ssl);
        if ((r = SSL_get_verify_result(ssl)) != X509_V_OK)
        {out("553 no valid cert for gatewaying: ");
         out(X509_verify_cert_error_string(r));
         out(" (#5.7.1)\r\n");
         return;
        }

        if (peercert = SSL_get_peer_certificate(ssl))
        {char emailAddress[256];

         X509_NAME_get_text_by_NID(X509_get_subject_name(
                                    SSL_get_peer_certificate(ssl)),
                                    NID_pkcs9_emailAddress, emailAddress, 256);
         if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();
         if (!constmap(&maptlsclients,clientcert.s,clientcert.len))
         { err_nogwcert(); return; }
         relayclient = "";
        }
        else { err_nogwcert(); return; }
      }
      else { err_nogateway(); return; }
    }
#endif
  if (!stralloc_cats(&rcptto,"T")) die_nomem();
  if 
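
The effect M describes in the message above, as an added example (not code from qmail, chkuser or the posters): a reduced model of smtp_rcpt() built with TLS defined, with the recipient lookup once inside the `#ifndef TLS` branch as in the posted routine and once after the `#endif`. The function names, reply codes and sample mailboxes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Build flag under discussion: defined here, as in a TLS-enabled build. */
#define TLS 1

/* Reply codes used by this model (assumed values for the illustration). */
enum { REPLY_OK = 250, REPLY_NO_MAILBOX = 550, REPLY_NO_GATEWAY = 553 };

/* Constructed sample data: one hosted domain and its mailboxes. */
static const char *const LOCAL_DOMAIN = "domain.example";
static const char *const LOCAL_USERS[] = { "lee", "postmaster" };

/* Model of addrallowed(): is the recipient's domain hosted here? */
static int addr_allowed(const char *rcpt)
{
    const char *at = strrchr(rcpt, '@');
    return at != NULL && strcmp(at + 1, LOCAL_DOMAIN) == 0;
}

/* Model of the chkuser recipient lookup: does the mailbox exist? */
static int mailbox_exists(const char *rcpt)
{
    const char *at = strrchr(rcpt, '@');
    size_t len, i;

    if (at == NULL) return 0;
    len = (size_t)(at - rcpt);
    for (i = 0; i < sizeof LOCAL_USERS / sizeof LOCAL_USERS[0]; i++)
        if (strlen(LOCAL_USERS[i]) == len &&
            strncmp(LOCAL_USERS[i], rcpt, len) == 0)
            return 1;
    return 0;
}

/* Model of the TLS client-certificate relay test; no certificate here. */
static int tls_client_may_relay(void) { return 0; }

/* Layout of the posted routine: the lookup lives in the #ifndef TLS branch,
   so with TLS defined the preprocessor removes the call before compilation.
   mailbox_exists() is still linked into the binary, which is why a strings
   search on the executable can find chkuser text although it never runs. */
int rcpt_posted_layout(const char *rcpt)
{
#ifndef TLS
    if (!addr_allowed(rcpt)) return REPLY_NO_GATEWAY;
    if (!mailbox_exists(rcpt)) return REPLY_NO_MAILBOX;
#else
    if (!addr_allowed(rcpt) && !tls_client_may_relay()) return REPLY_NO_GATEWAY;
#endif
    return REPLY_OK;
}

/* Same routine with the lookup after #endif: it is compiled in both builds
   and runs for every recipient in a locally hosted domain. */
int rcpt_check_after_endif(const char *rcpt)
{
    int local = addr_allowed(rcpt);

#ifndef TLS
    if (!local) return REPLY_NO_GATEWAY;
#else
    if (!local && !tls_client_may_relay()) return REPLY_NO_GATEWAY;
#endif
    if (local && !mailbox_exists(rcpt)) return REPLY_NO_MAILBOX;
    return REPLY_OK;
}

int main(void)
{
    /* Constructed recipients: valid, unknown local user, foreign domain. */
    const char *samples[] = {
        "lee@domain.example",
        "nosuchuser@domain.example",
        "someone@other.example"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s posted layout: %d   check after #endif: %d\n",
               samples[i],
               rcpt_posted_layout(samples[i]),
               rcpt_check_after_endif(samples[i]));
    return 0;
}
```

The unknown local recipient is the case to watch: it is accepted by the posted layout and refused once the lookup sits outside the conditional, which matches the "250 ok no matter what username" symptom reported in the thread.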

Re: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread tonix (Antonio Nati)

At 17.13 09/03/2006, you wrote:

Hi,

I'm hoping somebody will be able to help me with a problem I appear to be
having with chkuser 2.0.

I built my qmail installation from the qmailrocks bundle, which I've done a
few times in the past so I haven't had any problems there.

I was looking for a suitable solution to block SMTP delivery to unknown
local recipients and I would prefer to use chkuser instead of what
appears to be a suitable alternative, validrcptto, as I anticipate quite a
high number of users and regular updates to accounts & aliases. With
validrcptto I need to build & maintain another user database outside of the
vpopmail configuration.

I have downloaded the latest tarball of chkuser and followed the installation
instructions. The patches would not apply to my qmailrocks source, so I
implemented the changes by hand.

Initially compilation failed due to repeated dns.o references, that was my
fault and was easily repaired.

The changes also seem to have affected the compilation of spfquery.c - I
managed to fix this though and compilation now appears to be successful.

However - if I run the new qmail-smtpd binary to check the functionality as
recommended it does not appear to be doing any rcpt to: checks - an ok
result is returned no matter what username I supply before a valid rcpt
host.

Can anyone make any suggestions as to what I can do to try and locate the
problem?


You should give more information...

Have you tried what's suggested in 
http://www.interazioni.it/opensource/chkuser/documentation/faq/enabling.html ?


Tonino



Thanks
Lee





RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread tonix (Antonio Nati)

At 17.43 09/03/2006, you wrote:

 You should give more information...

 Have you tried what's suggested in
 http://www.interazioni.it/opensource/chkuser/documentation/faq/enabling.html ?

Thank you for the response. Sorry about not providing enough information

I have followed the instructions at the above URL

I have two domains on my server at this time, one of which is setup with
bounce-no-mailbox and one which is not. For testing purposes I am trying to
send email to [EMAIL PROTECTED] where domain.com is configured with
bounce-no-mailbox. As shown:

[EMAIL PROTECTED] qmail-1.03]# cat /home/vpopmail/domains/domain.com/.qmail-default
| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox
[EMAIL PROTECTED] qmail-1.03]

This is confirmed as shortly after sending test email I receive an email at
the account I use for envelope from: saying:
[EMAIL PROTECTED]: Sorry, no mailbox here by that name. vpopmail (#5.1.1)
As would be expected without the chkuser package.

I also tried to recompile after setting the option CHKUSER_ALWAYS_ON to see
if this would make a difference, but there was no change to the behaviour


Did you try what's suggested in 
http://www.interazioni.it/opensource/chkuser/documentation/faq, 
running manually qmail-smtpd?


Did you check which is the user qmail-smtpd is running as?

Tonino


Regards
Lee





RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread tonix (Antonio Nati)

At 18.08 09/03/2006, you wrote:

 Did you try what's suggested in
 http://www.interazioni.it/opensource/chkuser/documentation/faq,
 running manually qmail-smtpd?

 Did you check which is the user qmail-smtpd is running as?

 Tonino

My qmail-smtpd is running through TCP Server as user vpopmail and group
vchkpw

If I run manually I have no evidence of chkuser:

[EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd
220 mail.leeevans.org ESMTP
mail from [EMAIL PROTECTED]
250 ok
rcpt to:[EMAIL PROTECTED]
250 ok
quit
221 mail.leeevans.org


What does .qmail-default contain for that domain?

Tonino


Regards
Lee





RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread tonix (Antonio Nati)

At 18.08 09/03/2006, you wrote:

 Did you try what's suggested in
 http://www.interazioni.it/opensource/chkuser/documentation/faq,
 running manually qmail-smtpd?

 Did you check which is the user qmail-smtpd is running as?

 Tonino

My qmail-smtpd is running through TCP Server as user vpopmail and group
vchkpw

If I run manually I have no evidence of chkuser:

[EMAIL PROTECTED] qmail-1.03]# ./qmail-smtpd
220 mail.leeevans.org ESMTP
mail from [EMAIL PROTECTED]
250 ok
rcpt to:[EMAIL PROTECTED]
250 ok
quit
221 mail.leeevans.org


If you compiled it with standard chkuser_settings.h, you should see 
some logs during this emulated session.


I have doubts chkuser code is called.

Tonino


Regards
Lee





RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

2006-03-09 Thread tonix (Antonio Nati)

At 20.32 09/03/2006, you wrote:

mail.leeevans.org

 If you compiled it with standard chkuser_settings.h, you
 should see some logs during this emulated session.

 I have doubts chkuser code is called.

I have the same doubts. I have CHKUSER_ENABLE_LOGGING CHKUSER_LOG_VALID_RCPT
and CHKUSER_LOG_VALID_SENDER all defined.

I don't see anything related to chkuser in
/var/log/qmail/qmail-smtpd/current when processing mail.

It's a very crude test, I know, but if I do 'strings qmail-smtpd | grep
chkuser' it returns the various SMTP error codes/messages chkuser would
produce so I know the code is at least in there somewhere


You could post here (or send me) the routine where chkuser is called 
(both for sender and recipients), just to see what to change.


[Is chkuser.h included in a valid point within qmail-smtpd.c?]

Tonino


Thanks
Lee





Re: [vchkpw] I could not patch netqmail-1.05_chkuser-2.0.8.patch

2006-02-17 Thread tonix (Antonio Nati)

At 17.18 17/02/2006, you wrote:

Well
I have 10 domains.
I want to check users for 3 domains.
How can I set  chkuser_settings.h that ?


No need. Leave it as it is, and use qmailadmin to enable bouncing on
the domains you want.


Tonino


Thanks

- Original Message -
From: Bob Hutchinson [EMAIL PROTECTED]
To: vchkpw@inter7.com
Sent: Friday, February 17, 2006 3:20 PM
Subject: Re: [vchkpw] I could not patch netqmail-1.05_chkuser-2.0.8.patch


 On Friday 17 Feb 2006 11:18, Yavuz Maslak wrote:
  I use netqmail1.05 with vpopmail5.4.x
 
  After I patched netqmail-1.05 with qmail-toaster-0.8.1.patch successfully,
  I wanted to patch it with netqmail-1.05_chkuser-2.0.8.patch. But I could
  not patch because I got some errors.

 chkuser-2.0.8 is already in the qmail-toaster-0.8.1.patch

 look in your source tree, you should find chkuser_settings.h, in which the
 version number is stated.
 It also contains a number of things which you might want to enable/disable,
 depending on your setup

 --
 -
 Bob Hutchinson
 Midwales dot com
 -






Re: [vchkpw] Disabling CHKUSER via tcprules

2006-02-11 Thread tonix (Antonio Nati)


At 23.05 10/02/2006, you wrote:
Hello List, I have searched this list, and Internet, but have no solutions.
Anyway, here's the question:
Is there any way to disable CHKUSER for certain IPs via tcprules?

Yes. You must enable within chkuser_settings.h

#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

Recompile and install.
Then, in tcp.smtp you have to add the variable

CHKUSER_START="NONE"

for each IP you want to disable.
Add a general

CHKUSER_START="DOMAIN"

for all the others.
See
http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html
for more information.
Tonino

I really need that feature, and don't want to recompile every time I
change the configuration.

Saludos

Natalio




Re: [vchkpw] chkuser + smtp auth, disable CHKUSER_RCPTLIMIT when correct smt auth. how??

2006-02-11 Thread tonix (Antonio Nati)


At 18.36 06/02/2006, you wrote:
Hi, i have a working qmail installation from netqmail and recently
included chkuser (very nice!).
I want to use the CHKUSER_RCPTLIMIT and CHKUSER_WRONGRCPTLIMIT
variables to block spam because they work very nice in my system, but
the problem is that i don't want to apply these limits to the
authenticated clients, so they can send mail with lot of recipients
and even with wrong recipient so they receive a bounced message. (if
they get an error when sending they just think, o! the server is not
working, lets call the provider). So, i tried with #define
CHKUSER_SENDER_NOCHECK_VARIABLE "RELAYCLIENT" but it doesn't work. It
only disables sender checking or also the limits? how i can disable
the limits only for authenticated clients? any idea?

Trying to give a practical answer, this is what I suggest.
Add in chkuser_settings.h this define

#define CHKUSER_DISABLE_VARIABLE "RELAYCLIENT"

Then, in chkuser.c, add this code within first_time_init() after the
following lines:

#if !defined CHKUSER_ALWAYS_ON  defined
CHKUSER_STARTING_VARIABLE
 starting_string = env_get
(CHKUSER_STARTING_VARIABLE);
 if (starting_string) {


if (strcasecmp(starting_string, ALWAYS) == 0) {


starting_value = 1;


} else if (strcasecmp(starting_string, DOMAIN) == 0) {


starting_value = 0;


}
 } else {


starting_string = ;
 }
#endif

+#if defined CHKUSER_EXCLUDE_VARIABLE
+ if (env_get
(CHKUSER_EXCLUDE_VARIABLE)) {

+
starting_value = -1;
+ }
+#endif
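
Review bot: The added block is guarded by `#if defined CHKUSER_EXCLUDE_VARIABLE` and reads `env_get (CHKUSER_EXCLUDE_VARIABLE)`, but the define the message adds to chkuser_settings.h is CHKUSER_DISABLE_VARIABLE, so with only that define in place the block is never compiled and the recipient limits stay in force for authenticated clients. Use one name in the settings file and in both places in this block. The block is also described as untested, so it is worth confirming with a manual qmail-smtpd session, once with and once without RELAYCLIENT set, that the limits apply only in the second case.
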
Note that in order to make CHKUSER_EXCLUDE_VARIABLE working:

- CHKUSER_ALWAYS_ON must be commented
- CHKUSER_STARTING_VARIABLE must be enabled (ALWAYS or DOMAIN, as you like)

I've not tested this code, as I don't have here shortly a test
environment, but it should work.
Please test it if you can.
I'll publish this feature in next chkuser version (and rewrite the code
in order to make it more easy and powerful - i.e. to make
CHKUSER_EXCLUDE_VARIABLE independent from other variables).
Tonino

Thanks in advance
Ion




Re: [vchkpw] chkuser + smtp auth, disable CHKUSER_RCPTLIMIT when correct smt auth. how??

2006-02-11 Thread tonix (Antonio Nati)


At 12.06 11/02/2006, you wrote:


I'll publish this feature in next chkuser version (and rewrite the code
in order to make it more easy and powerful - i.e. to make
CHKUSER_EXCLUDE_VARIABLE independent from other variables).

And mainly I'll take care to call it CHKUSER_DISABLE_VARIABLE
anywhere !!
Tonino





Re: [vchkpw] chkuser + smtp auth, disable CHKUSER_RCPTLIMIT when correct smt auth. how??

2006-02-06 Thread tonix (Antonio Nati)

At 20.31 06/02/2006, you wrote:

Thanks for your answer Tonino, i take that solution in account but i
would prefer another solution if possible, that smtp server is being
already used by lots of clients so running another server for them
would imply that they have to change their mail server (its a little
change, i know, but they are lots and the average user would need
assistance for doing that simple change) so i would try to another
solution first if someone has another idea.. or i get illuminated in
between hehe


Simplest solution is to put another VARIABLE disabling this check.
Let me see how add something like what you ask.
I'm just wondering if other checks could be excluded for authenticated users.

Any comment is welcome.

Tonino


On 2/6/06, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
 At 18.36 06/02/2006, you wrote:
 Hi, i have a working qmail installation from netqmail and recently
 included chkuser (very nice!).
 I want to use the CHKUSER_RCPTLIMIT and CHKUSER_WRONGRCPTLIMIT
 variables to block spam because they work very nice in my system, but
 the problem is that i don't want to apply these limits to the
 authenticated clients, so they can send mail with lot of recipients
 and even with wrong recipient so they receive a bounced message. (if
 they get an error when sending they just think, o! the server is not
 working, lets call the provider). So, i tried with #define
 CHKUSER_SENDER_NOCHECK_VARIABLE "RELAYCLIENT" but it doesn't work. It
 only disables sender checking or also the limits? how i can disable
 the limits only for authenticated clients? any idea?

 Actually I'm using a separate qmail-smtpd server for authenticated
 users (i.e. relay.mydomain.com), on a dedicated IP address.

 This solves the most of my problems, as in this way I can make the
 deepest customization I can, and I keep separated normal MX traffic
 and relaying traffic.

 In this dedicated server for authenticated users I think it could be
 even better not to enable CHKUSER, so normal users with Outlook will
 receive normal error messages instead of short SMTP responses.

 Tonino

 Thanks in advance
 Ion








Re: [vchkpw] chkuser + smtp auth, disable CHKUSER_RCPTLIMIT when correct smt auth. how??

2006-02-06 Thread tonix (Antonio Nati)

At 20.57 06/02/2006, you wrote:

Ibiltari wrote:

Thanks for your answer Tonino, i take that solution in account but i
would prefer another solution if possible, that smtp server is being
already used by lots of clients so running another server for them
would imply that they have to change their mail server (its a little
change, i know, but they are lots and the average user would need
assistance for doing that simple change) so i would try to another
solution first if someone has another idea.. or i get illuminated in
between hehe


Change the MX record to a new ip and add an alias IP on the server. 
Current users still use mail.example.com but all outside mail comes 
in on mx.example.com.


Much better than changing chkuser code :-) !!!

Tonino


Regards,

Rick





Re: [vchkpw] MySQL going down results in 5xx error

2006-01-28 Thread tonix (Antonio Nati)


At 21.30 27/01/2006, you wrote:
 #if defined CHKUSER_ENABLE_VAUTH_OPEN
         if (db_already_open != 1) {
                 if (CHKUSER_VAUTH_OPEN_CALL () == 0) {
                         db_already_open = 1;  /* remember that the auth database is open */
                 } else {
                         retstat = CHKUSER_ERR_AUTH_RESOURCE;
                 }
         };
 #endif

Minor Bug: you need a break; on the line after retstat = ...,
otherwise you keep testing on a failed resource...

Yes, you are right. Actually it would not give fake results, but it will
perform useless checks.
Code becomes:

#if defined CHKUSER_ENABLE_VAUTH_OPEN
        if (db_already_open != 1) {
                if (CHKUSER_VAUTH_OPEN_CALL () == 0) {
                        db_already_open = 1;  /* remember that the auth database is open */
                } else {
                        retstat = CHKUSER_ERR_AUTH_RESOURCE;
                        break;  /* stop checking once the auth resource has failed */
                }
        };
#endif

Thanks,
Tonino
Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
 - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]




Re: [vchkpw] MySQL going down results in 5xx error

2006-01-28 Thread tonix (Antonio Nati)

At 20.18 27/01/2006, you wrote:

 Yes, here are changes. I've already tried them and it works. Just
studying the name of calls it may be adapted to Postgres also (it should
be enough to use vauth_open() ).

 In chkuser_settings.h enable
 #define CHKUSER_ENABLE_VAUTH_OPEN
 and add one of the following lines:
 /* use this if you are using replicated MySQL, with read access */
#define CHKUSER_VAUTH_OPEN_CALL vauth_open
 or
 /* use this if you are using standalone MySQL, with readwrite access */
#define CHKUSER_VAUTH_OPEN_CALL vauth_open_update

FYI - with MySQL it's vauth_open_read not vauth_open.


Yes, sorry, the correct name is vauth_open_read with replica enabled 
and read access.

Just a memory problem (age starts to work :-) ).


I'm thinking of
submitting a patch to vpopmail to unify the call, so that it can be
published globally.  It would be nice if vauth_open would work no matter
what the backend auth mechanism...


That is what I was expecting for a while (as told here a lot of time 
ago), but probably priorities of development have been others (I do 
not blame them of course).


But, as different DB have different kind of calls (vauth_open would 
only work for read operation on one, while it would work for all the 
operations on the other) It could be enough simply adding a common 
#define for the routine opening the database (in read mode or the 
best equivalent mode).


So chkuser will simply call that define (better, will call that 
#define if that #define exists), simplifying any further operation.



snip

 Another comment on side effects of restarting MySQL.
 Courier auth daemon must be restarted, because it does not try to reopen
any MySQL connection.

 It would be nice to have a simple perl script monitoring MySQL (an
attach every x minutes), and in case of problem:
  - running a script for shutting down Courier and other mail
 services
  - stopping/restarting MySQL
  - running a script for restarting all mail services

Does authdaemon die if it loses its connection to MySQL?  If so why not
just run it under daemontools.  If not, perhaps it should...


No, authdaemon seems to be simply opening a connection when starting 
and then trying the same connection for all future operations. So, 
after MySQL has been stopped, that connection cannot work anymore.


Tonino



Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]





Re: [vchkpw] MySQL going down results in 5xx error

2006-01-27 Thread tonix (Antonio Nati)


At 15.15 25/01/2006, you wrote:
 If you are using chkuser, there is a small change you can do (I'm going to
 publish nextly this change with next version of chkuser).

 If you are interested I'll anticipate this small change so it may help
 people to handle this error.

Can you post the change here so that those of us who want to look at it
and test it can?

Yes, here are changes. I've already tried them and it works. Just
studying the name of calls it may be adapted to Postgres also (it should
be enough to use vauth_open() ).
In chkuser_settings.h enable

#define CHKUSER_ENABLE_VAUTH_OPEN

and add one of the following lines:

/* use this if you are using replicated MySQL, with read access */
#define CHKUSER_VAUTH_OPEN_CALL vauth_open

or

/* use this if you are using standalone MySQL, with readwrite access */
#define CHKUSER_VAUTH_OPEN_CALL vauth_open_update

In chkuser.c, just substitute the following lines:

#if defined CHKUSER_ENABLE_VAUTH_OPEN
        if (db_already_open != 1) {
                if (vauth_open () == 0) {
                        db_already_open == 1;
                } else {
                        retstat = CHKUSER_ERR_AUTH_RESOURCE;
                }
        };
#endif

with:

#if defined CHKUSER_ENABLE_VAUTH_OPEN
        if (db_already_open != 1) {
                if (CHKUSER_VAUTH_OPEN_CALL () == 0) {
                        db_already_open = 1;  /* remember that the auth database is open */
                } else {
                        retstat = CHKUSER_ERR_AUTH_RESOURCE;
                }
        };
#endif

Any input/comment is welcome.

Another comment on side effects of restarting MySQL.
Courier auth daemon must be restarted, because it does not try to reopen
any MySQL connection.
It would be nice to have a simple perl script monitoring MySQL (an attach
every x minutes), and in case of problem:
- running a script for shutting down Courier and other mail services
- stopping/restarting MySQL
- running a script for restarting all mail services
Tonino
Thanks,
Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
 - Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]




Re: [vchkpw] Quota Checking

2005-12-05 Thread tonix (Antonio Nati)


At 05.10 05/12/2005, you wrote:
I have installed the latest version of the toaster. It works wonderfully,
I have also installed Matts mysql relay patch. However I cannot seem to
get chkuser to actually deny mail based upon Quota checking. I
believe that I need to define a variable in the run script, can anyone
give me any more info on how I might get this to work.

In your chkuser_settings.h you have a line like:

#define CHKUSER_MBXQUOTA_VARIABLE "CHKUSER_MBXQUOTA"

This line tells you the name of the variable to be used.
Now you can put in your running command an explicit set of the variable

CHKUSER_MBXQUOTA=95

or put it inside tcp.smtp

:allow,CHKUSER_MBXQUOTA="95"

where 95 means 95% of the quota (change it as you like).
Tonino


Damien





Re: [vchkpw] Problem chkuser

2005-11-24 Thread tonix (Antonio Nati)


At 14.46 24/11/2005, you wrote:
Hi,
Fairly new to Qmail here. Just trying to find my way around. I've come
across multiple problems after setting it up. So let me start with one of
the more simple ones.
On my Outlook, I have a distribution list of 40 people. All addresses are
internal addresses. When i attempt to send mail to all these people, I
get the following errors:

571 sorry, you are violating our security policies (#5.7.1 - chkuser)
571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)

Is there somewhere in the config files that allows me to disable this
'policy'?

my file /etc/tcp.smtp

127.:allow,RELAYCLIENT="",CHKUSER_RCPTLIMIT="60",CHKUSER_WRONGRCPTLIMIT="10"
:allow,CHKUSER_RCPTLIMIT="60",CHKUSER_WRONGRCPTLIMIT="10"

Here you see which are your limits enabled.
You can either:
- cut these variables from tcp.smtp (at least in the internal zone)
- increase these limits.
- disable #define CHKUSER_RCPT_LIMIT_VARIABLE and CHKUSER_WRONGRCPT_LIMIT_VARIABLE
  and recompile qmail-smtpd.

I suggest you to not apply the third one, and try a solution with the
first two.
More, I suggest you to disable chkuser on internal relaying, and use it
only on external SMTP acceptance.
Tonino




Re: [vchkpw] recompile or not

2005-11-08 Thread tonix (Antonio Nati)

At 05.54 08/11/2005, you wrote:

On Nov 7, 2005, at 8:15 AM, Nicholas Harring wrote:

Please, please, please don't spread FUD by even implicitly blaming
chkuser for this. There's no way to implement chkuser in even a vaguely
efficient manner without linking against vpopmail. Vpopmail needs to
begin building a shared library, then everybody else can just magically
begin using it.

This puts the blame squarely where it belongs, on the heads of the
developers maintaining vpopmail who completely refuse to integrate
shared library support into vpopmail. They've been sent patches, and
never offered detailed reasons for refusing to integrate.


Please, please, please don't spread FUD by even implicitly blaming 
the vpopmail developers for this.  ;-)


I've seen *one* patch for this and, IIRC, it didn't apply cleanly to 
the current version of vpopmail.  I worked on it a bit, and liked 
the results, but delaying pushing it into the mainstream release.


One problem is that some programs (including qmailadmin) actually 
make use of information in the header files to conditionally compile 
its code.  To truly move to a dynamic lib, we need to have any 
program that links to libvpopmail do so without using vpopmail's 
config file.  It's not as simple as just making the lib dynamic.


What if we wrote an external program that chkuser could run instead 
of having to link to libvpopmail?  Would that be a good solution.


Main reason for which I wrote chkuser that way is performance. I 
don't feel correct to run an external program each time I've to check 
a sender or a recipient (and I don't like qmail forcing everything 
new to run on external programs).


Another solution could be to spread vpopmail lib into two or more 
libraries, considering a stable core and added functionalities.


As I suppose core changing less frequently, that could help avoiding 
relinking so often (you could consider as having only the core as 
shared library).


Tonino


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com





Re: [vchkpw] 571 Errors

2005-09-23 Thread tonix (Antonio Nati)



Yes, the value is within an environment variable.
See your chkuser_settings.h to see how you called the variable and change
the variable's value.
Tonino
At 17.24 23/09/2005, you wrote:
Hello,

I am having some problems whenever people try to send to
more than 15 people in the same email. They get back some variation
of the 571 error, either
571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)\r\n
or
571 sorry, you are violating our security policies (#5.7.1 - chkuser)\r\n
Is there any way to change the maximum number without re-compiling
anything?

Thanks,
Chris Holloway
Network Technician
THUMBTECHS CORPORATION

8205 Camp Bowie West # 110
Fort Worth, TX 76116
(817) 923-2419 





Re: [vchkpw] chkuser 2.0.8b

2005-09-22 Thread tonix (Antonio Nati)

Aleks,

these are some flags I'm using (I have smtp auth ON for all users, so 
disabling flag is OFF):


#disable_smtp
#disable_pop
#disable_imap

In this case, SMTP auth would be ON if line is commented (as in 
previous lines), OFF if line is active.


Check both your default switches in 
/home/vpopmail/etc/vlimits.default and in your domain 
.qmailadmin-limits (or in your MySQL limits).


Tonino

At 23.05 21/09/2005, you wrote:

I'm not really sure what flags you are aiming for tonix. But i guess
they could be enabled/disabled?

Aleks


On 9/21/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:

  Sorry for the dumb question.

  Are your users/domains smtp flags not disabled?

  Tonino


  At 14.38 21/09/2005, you wrote:


 Thanks Bruno, but im not that keen on the TLS support anymore. 
Perhaps i'll toast next time :)


  For now im going to figure out why i cant auth with the 
vpopmail/contrib/auth patch or the newest 
version   http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .


   4549  220 mx.domain.com ESMTP
   4549  EHLO [192.168.0.100]
   4549  250-mx.domain.com
   4549  250-PIPELINING
   4549  250-8BITMIME
   4549  250-SIZE 0
   4549  250 AUTH LOGIN PLAIN CRAM-MD5
   4549  AUTH CRAM-MD5
   4549  334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
   4549  YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
   4549  535 authentication failed (#5.7.1)
   4549  AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
   4549  535 authentication failed (#5.7.1)
   4549  AUTH LOGIN
   4549  334 VXNlcmbWU6
   4549  YWxla3NhlckBvbHNlbi5jbg==
   4549  334 UGFzc3dvcmQ6
   4549  eWY4NpdG8=
   4549  535 authentication failed (#5.7.1)


  Thanks!


  On 9/21/05, Bruno Negrao [EMAIL PROTECTED]  wrote:
Aleks,

   I also had problems when I tried to install chkuser and the 
auth patch in vpopmail/contrib.


   I discovered that Bill Shupp's qmail-toaster 
http://shupp.org/toaster/ already has netqmail+chkuser+auth+tls 
patches and I'm testing it now. On the toaster mailing list you'll 
find Antonio Nati and other nice guys. There is even an EMPF patch 
made specially for qmail-toaster, but not for netqmail.


   It seems to me that there's a lot of people supporting 
qmail-toaster. Maybe you'd like to try qmail-toaster installation 
instead of installing all these patches by hand (this is what I'm 
trying to get with qmail-toaster).


   Regards,
   bnegrao
- Original Message -
   From: Aleks Olsen
   To: vchkpw@inter7.com
   Sent: Wednesday, September 21, 2005 7:14 AM
   Subject: Re: [vchkpw] chkuser 2.0.8b

   Hi

   I didnt. I missed the trailing */ on that line it seems. Thanks!
   -
   Now, it seems the patch didnt like working with 
auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls patch).


   I got the auth patch from the vpopmail contrib dir and tried 
with that, leaving the ones mentioned above out of it and then 
patched with the netqmail*auth*chkuser patch. I believe im not 
really in the need for that tls anyways for smtp transactions. Now, 
anyone know if there is another trick to that to make the auth work 
with chkuser? Qmail compiled fine
   with the patches and the result at the moment is the the smtp 
wont auth anyone and chkuser works somewhat how it is designed to work (sweet).


   220 mx.domain.com ESMTP
   ehlo
   250-mx.domain.com
   250-PIPELINING
   250-8BITMIME
   250-SIZE 0
   250 AUTH LOGIN PLAIN

   chkuser.c
   #include /home/vpopmail/include/vpopmail.h
   #include /home/vpopmail/include/vauth.h
   #include /home/vpopmail/include/vpopmail_config.h

   /* #define CHKUSER_ENABLE_VAUTH_OPEN */

   /usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
   -u $QMAILDUID -g $NOFILESGID 0 smtp \
   /var/qmail/bin/qmail-smtpd mx.domain.com \
   /home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

   I undefined and defined /* #define CRAM_MD5 */ from 
qmail-smtpd.c, compiled fine - but no-go. Wont auth.


   Anyone notice anything i might have missed out?

   This hoffman patch -should- work with a vpopmail/mysql setup right?

   Thanks!

   /Aleksander

   On 9/20/05, tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
At 11.51 20/09/2005, you wrote:


  Tried to patch up a clean src of qmail-1.03. I get the same 
error as I get with the already patched up src.


   Hope this is right.
   Yes. How did you define CHKUSER_STARTING_VARIABLE within 
chkuser_settings.h?


   Tonino



  Thanks,
   /Aleksander

   -
   static void first_time_init (void) {

 char * temp_string;

   #if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
   starting_string = env_get (CHKUSER_STARTING_VARIABLE);
   if (starting_string) {
       if (strcasecmp(starting_string, "ALWAYS") == 0) {
           starting_value = 1;
       } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
           starting_value = 0;
       }
   } else

Re: [vchkpw] chkuser 2.0.8b

2005-09-22 Thread tonix (Antonio Nati)

Aleks,

sorry to repeat what has been already said, but to make it short use 
Shupp's Toaster. There inside chkuser + TLS + auth work fine together 
(since years). You'll build it in minutes, and will never regret 
making this step.


Ciao,

Tonino

At 13.18 22/09/2005, you wrote:

Just for the fun of it; If I was to, (in this lifetime) get tls/auth
to work with chkuser, what/whose tls and auth code should i use?
Since jms obviously doesn't need to make his patches compatible since he's
got the needed stuff for himself in validrcptto, i was hoping someone
knew what works or not. I stand corrected about the whole auth and no
tls security breach jms pointed out. If you want auth you should use
tls i guess.

Thanks,

/Aleks

On 9/22/05, John Simpson [EMAIL PROTECTED] wrote:
 On 2005-09-21, at 0623, tonix (Antonio Nati) wrote:

 
  Why are you running it with -u $QMAILDUID ?
 
  You should run it as vpopmail, excluding any uidswitching (if you
  enabled uidswitching within chkuser_settings.h, comment it).
 
  Cert must be owned by vpopmail as well.

 qmail is, and has always been, designed to have qmail-smtpd run as
 qmaild. the only reason to make it run as the vpopmail user is so
 that you can use vchkpw to support AUTH, and the solution there is
 to make the vchkpw binary setuid so it always runs as the vpopmail
 user.

 the servercert.pem file should be owned by root and readable to the
 group nofiles (which is the group qmaild belongs to.) the
 clientcert.pem file (if you have one) should also be owned by root,
 but readable to the group qmail.

 --
 | John M. Simpson - KG4ZOW - Programmer At Large |
 | http://www.jms1.net/   [EMAIL PROTECTED] |
 --
 | Mac OS X proves that it's easier to make UNIX  |
 | pretty than it is to make Windows secure.  |
 --










Re: [vchkpw] chkuser 2.0.8b

2005-09-22 Thread tonix (Antonio Nati)

At 17.34 22/09/2005, you wrote:

On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
if you're supporting AUTH, you really should use TLS as well. 
otherwise you're allowing your users to send their passwords across 
the internet in plain text- and all it takes is one spammer with a 
packet sniffer to use your machine as a relay.


If you use CRAM-MD5 for the AUTH method, it's impossible to sniff 
the cleartext password.


TLS is a good idea, but getting your users to enable it in their 
clients can be a challenge.  It's hard enough explaining how to 
enable SMTP AUTH!


Here's an idea, how about a Wiki page dedicated to instructions on 
setting SMTP AUTH in various email clients?  People could contribute 
by taking screen shots of their setup, preferably with 
'[EMAIL PROTECTED]' or some similar username.


A more ambitious project would be to use PHP and GD with the proper 
fonts to automatically fill in the fields and generate a completely 
custom how to page.  Any ISP could use it, and make use of hidden 
fields to enable/disable certain features (like 'user port 587 for 
outbound smtp', 'enable TLS', 'use full email address as username', 
'use smtp.server.com for outbound email', etc.).  The end user could 
enter their name, email address and email client and get a one-page 
printout instructing them on how to set everything up.


A better idea... Most of us probably use qmail because there is vpopmail.

What about rewriting around vpopmail a modern, robust and 
customizable MTA that does not force us to be acrobats in order to 
add functionalities to qmail?


First step would be to maintain the same schema and code of qmail, 
rewriting all the code step by step, module after module. So, free 
from Bernstein license, we could finally update and upgrade the MTA 
in a serious way.


Tonino


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
You don't need a laptop to troubleshoot high-speed Internet: sniffter.com





Re: [vchkpw] chkuser 2.0.8b

2005-09-21 Thread tonix (Antonio Nati)


At 11.14 21/09/2005, you wrote:
Hi 
I didnt. I missed the trailing */ on that line it seems. Thanks!
-
Now, it seems the patch didnt like working with auth-jms1.4a.patch(auth
patch) and/or qmail-1.03-jms1.5.patch (tls patch). 
I got the auth patch from the vpopmail contrib dir and tried with that,
leaving the ones mentioned above out of it and then patched with the
netqmail*auth*chkuser patch. I believe im not really in the need for that
tls anyways for smtp transactions. Now, anyone know if there is another
trick to that to make the auth work with chkuser? Qmail compiled
fine
with the patches and the result at the moment is the the smtp wont auth
anyone and chkuser works somewhat how it is designed to work
(sweet).
220 mx.domain.com ESMTP
ehlo
250-mx.domain.com
250-PIPELINING
250-8BITMIME
250-SIZE 0
250 AUTH LOGIN PLAIN
chkuser.c
#include /home/vpopmail/include/vpopmail.h
#include /home/vpopmail/include/vauth.h
#include /home/vpopmail/include/vpopmail_config.h
/* #define CHKUSER_ENABLE_VAUTH_OPEN */
/usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
/var/qmail/bin/qmail-smtpd mx.domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Why are you running it with -u $QMAILDUID ?
You should run it as vpopmail, excluding any uidswitching (if you enabled
uidswitching within chkuser_settings.h, comment it).
Cert must be owned by vpopmail as well.
Tonino
I undefined and defined /*
#define CRAM_MD5 */ from qmail-smtpd.c, compiled fine - but no-go. Wont
auth.
Anyone notice anything i might have missed out?
This hoffman patch -should- work with a vpopmail/mysql setup
right?
Thanks!
/Aleksander
On 9/20/05, tonix (Antonio Nati)
[EMAIL PROTECTED]
wrote:


At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as
I get with the already patched up src.

Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within
chkuser_settings.h?

Tonino


Thanks,

/Aleksander

-

static void first_time_init (void) {

 char * temp_string;

#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
 starting_string = env_get (CHKUSER_STARTING_VARIABLE);
 if (starting_string) {
  if (strcasecmp(starting_string, "ALWAYS") == 0) {
   starting_value = 1;
  } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
   starting_value = 0;
  }
 } else {
  starting_string = "";
 }
#endif

-

./load qmail-qmtpd rcpthosts.o control.o constmap.o \

received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \

datetime.a open.a getln.a sig.a case.a env.a stralloc.a \

alloc.a substdio.a error.a str.a fs.a auto_qmail.o 

./compile qmail-smtpd.c

qmail-smtpd.c: In function `main':

qmail-smtpd.c:1021: warning: return type of `main' is not `int'

./compile spf.c

./compile base64.c

./compile chkuser.c

chkuser.c: In function `first_time_init':

chkuser.c:425: error: syntax error before '/' token

make: *** [chkuser.o] Error 1


On 9/20/05, tonix (Antonio Nati)
[EMAIL PROTECTED]
wrote:

At 11.26 20/09/2005, you
wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and
seems i hit a rock and
hoping for some guidance. 

I followed the manual patch guide at

http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
 and think I somewhat 
fit all the pieces in the right places. When i now try to compile it I
get this:

make
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

I have not changed anything directly within the .c file
Can you pls post ten lines of code surrounding the error?

Tonino



Anyone got a clue?

Thanks!

/Aleksander







Re: [vchkpw] chkuser 2.0.8b

2005-09-21 Thread tonix (Antonio Nati)


At 11.56 21/09/2005, you wrote:
-



Now, it seems the patch didnt like working with
auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls
patch). 

I got the auth patch from the vpopmail contrib dir and tried with
that, leaving the ones mentioned above out of it and then patched


Sorry, I never try those patches.
Can you try them WITHOUT chkuser and check if problem comes from
chkuser?
[Not related strictly to the problem, but may help... When possible I
suggest to put auth system on different addresses than normal smtp, and
disable chkuser, because Outlook does not handle correctly KO
messages and it would be preferable to send back to sender a normal mail
delivery message (user are trusted, so there should be no risk of spam
disabling chkuser). Or, set up a variable excluding chkuser when user is
authenticated.]
Tonino




Re: [vchkpw] chkuser 2.0.8b

2005-09-21 Thread tonix (Antonio Nati)



Sorry for the dumb question.
Are your users/domains smtp flags not disabled?
Tonino
At 14.38 21/09/2005, you wrote:
Thanks Bruno, but im not that
keen on the TLS support anymore. Perhaps i'll toast next time :)
For now im going to figure out why i cant auth with the
vpopmail/contrib/auth patch or the newest version

http://www.fehcom.de/qmail/auth/qmail-smtpd-auth-057_tgz.bin .

4549  220 mx.domain.com ESMTP
4549  EHLO [192.168.0.100]
4549  250-mx.domain.com
4549  250-PIPELINING
4549  250-8BITMIME
4549  250-SIZE 0
4549  250 AUTH LOGIN PLAIN CRAM-MD5
4549  AUTH CRAM-MD5
4549  334 PDExLjExMjczMDdAbXguY29uZmlnLm5vPg==
4549  YWxla3NhbmRlckBvbHNlbi5jbiBkOJlNzdmZGVkMzUzYjA1ZDZlZDU4ZGNlZQ==
4549  535 authentication failed (#5.7.1)
4549  AUTH PLAIN AGFsZWtzYW5kZXJAb2xzZ4AeWY4NDRpdG8=
4549  535 authentication failed (#5.7.1)
4549  AUTH LOGIN
4549  334 VXNlcmbWU6
4549  YWxla3NhlckBvbHNlbi5jbg==
4549  334 UGFzc3dvcmQ6
4549  eWY4NpdG8=
4549  535 authentication failed (#5.7.1)

Thanks!

On 9/21/05, Bruno Negrao
[EMAIL PROTECTED]
 wrote:


Aleks,



I also had problems when I tried to install chkuser and
the auth patch in vpopmail/contrib.



I discovered that Bill Shupp's qmail-toaster
http://shupp.org/toaster/ already
has netqmail+chkuser+auth+tls patches and I'm testing it now. On the
toaster mailing list you'll find Antonio Nati and other nice guys. There
is even an EMPF patch made specially for qmail-toaster, but not for
netqmail.



It seems to me that there's a lot of people supporting
qmail-toaster. Maybe you'd like to try qmail-toaster installation instead
of installing all these patches by hand (this is what I'm trying to get
with qmail-toaster).



Regards,

bnegrao


- Original Message - 

From: Aleks Olsen


To: vchkpw@inter7.com


Sent: Wednesday, September 21, 2005 7:14 AM

Subject: Re: [vchkpw] chkuser 2.0.8b

Hi 

I didnt. I missed the trailing */ on that line it seems. Thanks!

-

Now, it seems the patch didnt like working with
auth-jms1.4a.patch(auth patch) and/or qmail-1.03-jms1.5.patch (tls
patch). 

I got the auth patch from the vpopmail contrib dir and tried with
that, leaving the ones mentioned above out of it and then patched with
the netqmail*auth*chkuser patch. I believe im not really in the need for
that tls anyways for smtp transactions. Now, anyone know if there is
another trick to that to make the auth work with chkuser? Qmail compiled
fine

with the patches and the result at the moment is the the smtp wont
auth anyone and chkuser works somewhat how it is designed to work
(sweet).

220 mx.domain.com ESMTP

ehlo

250-mx.domain.com

250-PIPELINING

250-8BITMIME

250-SIZE 0

250 AUTH LOGIN PLAIN

chkuser.c

#include /home/vpopmail/include/vpopmail.h

#include /home/vpopmail/include/vauth.h

#include
/home/vpopmail/include/vpopmail_config.h

/* #define CHKUSER_ENABLE_VAUTH_OPEN */

/usr/local/bin/tcpserver -v -R -l $LOCAL -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
/var/qmail/bin/qmail-smtpd mx.domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

I undefined and defined /* #define CRAM_MD5 */ from qmail-smtpd.c,
compiled fine - but no-go. Wont auth.

Anyone notice anything i might have missed out?

This hoffman patch -should- work with a vpopmail/mysql setup
right?

Thanks!

/Aleksander

On 9/20/05, tonix (Antonio Nati)
[EMAIL PROTECTED]
wrote: 


At 11.51 20/09/2005, you wrote:

Tried to patch up a clean src of qmail-1.03. I get the same error as
I get with the already patched up src.

Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within
chkuser_settings.h?

Tonino 


Thanks,

/Aleksander

-

static void first_time_init (void) {

 char * temp_string;

#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
 starting_string = env_get (CHKUSER_STARTING_VARIABLE);
 if (starting_string) {
  if (strcasecmp(starting_string, "ALWAYS") == 0) {
   starting_value = 1;
  } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
   starting_value = 0;
  }
 } else {
  starting_string = "";
 }
#endif

-

./load qmail-qmtpd rcpthosts.o control.o constmap.o \

received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \

datetime.a open.a getln.a sig.a case.a env.a stralloc.a \

alloc.a substdio.a error.a str.a fs.a auto_qmail.o 

./compile qmail-smtpd.c

qmail-smtpd.c: In function `main':

qmail-smtpd.c:1021: warning: return type of `main' is not `int'

./compile spf.c

./compile base64.c

./compile chkuser.c

chkuser.c: In function `first_time_init':

chkuser.c:425: error: syntax error before '/' token

make: *** [chkuser.o] Error 1


On 9/20/05, tonix (Antonio Nati)
[EMAIL PROTECTED]
wrote:

At 11.26 20/09/2005, you
wrote:
 
Hi,

 
Trying to patch up an already auth+tls+spf patched qmail-smtpd and
seems i hit a rock and
hoping for some guidance. 

 
I followed the manual patch guide at

http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
 and think I somewhat 
fit all the pieces in the right

Re: [vchkpw] chkuser 2.0.8b

2005-09-20 Thread tonix (Antonio Nati)


At 11.26 20/09/2005, you wrote:

Hi,

Trying to patch up an already auth+tls+spf patched qmail-smtpd and seems
i hit a rock and
hoping for some guidance. 

I followed the manual patch guide at

http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
 and think I somewhat 
fit all the pieces in the right places. When i now try to compile it I get
this:

make
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

I have not changed anything directly within the .c file

Can you pls post ten lines of code surrounding the error?
Tonino

Anyone got a clue?

Thanks!

/Aleksander




Re: [vchkpw] chkuser 2.0.8b

2005-09-20 Thread tonix (Antonio Nati)


At 11.51 20/09/2005, you wrote:
Tried to patch up a clean src of
qmail-1.03. I get the same error as I get with the already patched up
src.
Hope this is right.

Yes. How did you define CHKUSER_STARTING_VARIABLE within
chkuser_settings.h?
Tonino
Thanks,
/Aleksander
-
static void first_time_init (void) {
 char * temp_string;
#if !defined CHKUSER_ALWAYS_ON && defined CHKUSER_STARTING_VARIABLE
 starting_string = env_get (CHKUSER_STARTING_VARIABLE);
 if (starting_string) {
  if (strcasecmp(starting_string, "ALWAYS") == 0) {
   starting_value = 1;
  } else if (strcasecmp(starting_string, "DOMAIN") == 0) {
   starting_value = 0;
  }
 } else {
  starting_string = "";
 }
#endif
-
./load qmail-qmtpd rcpthosts.o control.o constmap.o \
received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
datetime.a open.a getln.a sig.a case.a env.a stralloc.a \
alloc.a substdio.a error.a str.a fs.a auto_qmail.o 
./compile qmail-smtpd.c
qmail-smtpd.c: In function `main':
qmail-smtpd.c:1021: warning: return type of `main' is not `int'
./compile spf.c
./compile base64.c
./compile chkuser.c
chkuser.c: In function `first_time_init':
chkuser.c:425: error: syntax error before '/' token
make: *** [chkuser.o] Error 1

On 9/20/05, tonix (Antonio Nati)
[EMAIL PROTECTED]
wrote:


At 11.26 20/09/2005, you wrote:



Hi,



Trying to patch up an already auth+tls+spf patched qmail-smtpd and
seems i hit a rock and

hoping for some guidance. 



I followed the manual patch guide at

http://www.interazioni.it/opensource/chkuser/documentation/installation/manual.html
 and think I somewhat 

fit all the pieces in the right places. When i now try to compile it I
get this:



make

./compile chkuser.c

chkuser.c: In function `first_time_init':

chkuser.c:425: error: syntax error before '/' token

make: *** [chkuser.o] Error 1



I have not changed anything directly within the .c
file

Can you pls post ten lines of code surrounding the error?

Tonino




Anyone got a clue?



Thanks!



/Aleksander






Re: [vchkpw] vpopmail and chkuser

2005-09-15 Thread tonix (Antonio Nati)

At 09.25 15/09/2005, you wrote:



hi all

from the chkuser website:
External database libraries used by vpopmail are automatically integrated.

does this mean that i have to reinstall qmail-smtpd+chkuser after a
vpopmail upgrade?


Yes, recompile and reinstall (as far as I know vpopmail library is 
only static).


Tonino


thanks...
--





Re: [vchkpw] chkuser vpopmail and catch alls

2005-09-14 Thread tonix (Antonio Nati)

At 08.26 14/09/2005, you wrote:


  * Uncomment the following define if you want chkuser ALWAYS enabled.
  * If uncommented, it will check for rcpt existance despite any
 .qmail-default
  * setting.
  * So, unsomments this if you are aware that ALL rcpt in all domains
 will be
  * ALWAYS checked.
  */
 #define CHKUSER_ALWAYS_ON



 This setting makes chkuser work always, without checking bouncing or
 catchall within .qmail-default.

 Comment it, and be sure bouncing is enabled everywhere except the
 catchall domain..


 /*
  * Uncomment the following line if you want chkuser to work depending on
 a VARIABLE setting
  * VALUE HERE DEFINED is the name of the variable
  * Values admitted inside the variable: NONE | ALWAYS | DOMAIN
  *  NONE= chkuser will not work
  *  ALWAYS  = chkuser will work always
  *  DOMAIN  = chkuser will work depending by single domain
 settings
  * if CHKUSER_ALWAYS_ON is defined, this define is useless
  * if CHKUSER_STARTING_VARIABLE is defined, and no variable or no value
 is set, then chkuser is disabled
  */
 #define CHKUSER_STARTING_VARIABLE ALWAYS */


 As you comment out the previous define, be careful to comment/use this
 one in the right way.

 If you comment it, be sure bouncing is enabled for each needed domain.

 If you don't comment it, change it to
 #define CHKUSER_STARTING_VARIABLE CHKUSER_START

 and set a variable called CHKUSER_START = DOMAIN. Then set up bouncing
 for each needed domain.
How do i enable it for all domains but one. And where do I do that in
the .qmail-default file?


You must enable it on per domain base, which means to follow the 
previous instructions, and then, using qmailadmin, set to bouncing 
all domains which must bounce message to invalid recipients (and 
catchall the domain you want catchall).


If you don't use qmail-admin, .qmail-default should be:

| /vpopmail/bin/vdelivermail '' bounce-no-mailbox

Tonino





 Tonino


 Jimmy










Re: [vchkpw] chkuser vpopmail and catch alls

2005-09-14 Thread tonix (Antonio Nati)

At 10.58 14/09/2005, you wrote:

Hello,

tonix (Antonio Nati) wrote:
 At 08.26 14/09/2005, you wrote:

   * Uncomment the following define if you want chkuser ALWAYS enabled.
   * If uncommented, it will check for rcpt existance despite any
  .qmail-default
   * setting.
   * So, unsomments this if you are aware that ALL rcpt in all domains
  will be
   * ALWAYS checked.
   */
  #define CHKUSER_ALWAYS_ON
 
 
 
  This setting makes chkuser work always, without checking bouncing or
  catchall within .qmail-default.
 
  Comment it, and be sure bouncing is enabled everywhere except the
  catchall domain..
 
 
  /*
   * Uncomment the following line if you want chkuser to work
 depending on
  a VARIABLE setting
   * VALUE HERE DEFINED is the name of the variable
   * Values admitted inside the variable: NONE | ALWAYS | DOMAIN
   *  NONE= chkuser will not work
   *  ALWAYS  = chkuser will work always
   *  DOMAIN  = chkuser will work depending by single domain
  settings
   * if CHKUSER_ALWAYS_ON is defined, this define is useless
   * if CHKUSER_STARTING_VARIABLE is defined, and no variable or no
 value
  is set, then chkuser is disabled
   */
  #define CHKUSER_STARTING_VARIABLE ALWAYS */
 
 
  As you comment out the previous define, be careful to comment/use this
  one in the right way.
 
  If you comment it, be sure bouncing is enabled for each needed domain.
 
  If you don't comment it, change it to
  #define CHKUSER_STARTING_VARIABLE CHKUSER_START
 
  and set a variable called CHKUSER_START = DOMAIN. Then set up
 bouncing
  for each needed domain.
 How do i enable it for all domains but one. And where do I do that in
 the .qmail-default file?


 You must enable it on per domain base, which means to follow the
 previous instructions, and then, using qmailadmin, set to bouncing all
 domains which must bounce message to invalid recipients (and catchall
 the domain you want catchall).

 If you don't use qmail-admin, .qmail-default should be:

 | /vpopmail/bin/vdelivermail '' bounce-no-mailbox




I have done that. The catch all now works for that domain name. However
all of the other domain names now accept all email even for users that
dont exist. Then once its been accepted it will then attempt to reject
the email. However the vast majority of spam originates from bogus from
addresses resulting in heaps of double bounces.

Is there any way around that. I think i will have to make sure that the
customer stops using catch all accounts.


Did you set all others domains as bouncing?

Check .qmail-default this file is readable by vpopmail, and/or if 
you're using an alternative delivery (like maildrop). In such a case 
you have to add a first commented line to .qmail-default, with a 
bounce-no-mailbox string inside.


Check also starting instructions. If you defined a CHKUSER_START 
variable and you did not fill it in the proper way, chkuser will 
accept any e-mail.


Tonino



 Tonino



 
  Tonino
 
 
  Jimmy
 
 
 
 
 










Re: [vchkpw] chkuser vpopmail and catch alls

2005-09-13 Thread tonix (Antonio Nati)

At 09.50 13/09/2005, you wrote:


Hello,

Ken Jones wrote:

Jimmy wrote:


Hello,

I have several servers installed with vpopmail, chkuser and the
shupp.org toaster patches. Until now I have never had to setup a catch
all account for a customer. I have today had to setup a catch all and i
am unable to send emails to that domain. I am authenticating from a
MySQL database and the .qmail files are all ok.

Is there a way to make it so that all email accounts are ok in the
valias table of the MySQL or in the vpopmail table?

I am interested to know how to overcome this issue.


What does your .qmail-default file look like after you
setup the catchall?

It should look something like (all on one line)
| /home/vpopmail/bin/vdelivermail ''
/home/vpopmail/domains/example.com/user

Here is my .qmail-default file.

cat .qmail-default
| /home/vpopmail/bin/vdelivermail '' 
/home/vpopmail/domains/domain.com/admin



 What do you mean by unable to send emails to that domain?  You get bounce
 messages?  Or messages just disappear?  Or the messages are not there when
 you try to pop them?

I get an error message that reports the mailbox does not exist. If I
turn off the other error messages i get a chkuser error. Which means I
suspect it cannot find the users.


If this happens only with this domain (i.e. other are working 
normally) I suspect you have chkuser ALWAYS enabled, despite of 
domain settings.


Tonino



 -Kurt Bigler








Re: [vchkpw] chkuser vpopmail and catch alls

2005-09-13 Thread tonix (Antonio Nati)


See following comments.

At 12.53 13/09/2005, you wrote:


Here is my chkuser_settings file :

==SNIP==

/*
 *
/*
 * Uncomment the following define if you want chkuser ALWAYS enabled.
 * If uncommented, it will check for rcpt existance despite any
.qmail-default
 * setting.
 * So, unsomments this if you are aware that ALL rcpt in all domains will be
 * ALWAYS checked.
 */
#define CHKUSER_ALWAYS_ON



This setting makes chkuser work always, without checking bouncing or 
catchall within .qmail-default.


Comment it, and be sure bouncing is enabled everywhere except the 
catchall domain..




/*
 * Uncomment the following line if you want chkuser to work depending on a VARIABLE setting
 * VALUE HERE DEFINED is the name of the variable
 * Values admitted inside the variable: NONE | ALWAYS | DOMAIN
 *  NONE    = chkuser will not work
 *  ALWAYS  = chkuser will work always
 *  DOMAIN  = chkuser will work depending by single domain settings
 * if CHKUSER_ALWAYS_ON is defined, this define is useless
 * if CHKUSER_STARTING_VARIABLE is defined, and no variable or no value is set, then chkuser is disabled
 */
#define CHKUSER_STARTING_VARIABLE ALWAYS */


As you comment out the previous define, be careful to comment/use 
this one in the right way.


If you comment it, be sure bouncing is enabled for each needed domain.

If you don't comment it, change it to
#define CHKUSER_STARTING_VARIABLE "CHKUSER_START"

and set a variable called CHKUSER_START = DOMAIN. Then set up 
bouncing for each needed domain.


Tonino



Jimmy





Re: [vchkpw] qmail+vpopmail+chkuser problems

2005-09-10 Thread tonix (Antonio Nati)

At 23.45 09/09/2005, you wrote:

Greetings,

 I'm currently working on moving my mail server to another box.  I have
copied the database, rcpt files, /home/vpopmail/domains over. With the
new qmail setup I have decided to use chkuser 2.0.  I'm not receiving any
errors adding domains, adding users, or using vuserinfo. qmail starts
without any errors; however, upon receiving test emails (telnet localhost
25) it says that the domains I have added don't exist.  I'm using default
chkuser_settings.h file except that I enabled debugging and debug stderr.

Here's my run command. I am using my mysql patch for tcpserver so you won't
see the /home/vpopmail/etc/tcp.smtp file.  This works PERFECTLY without
chkuser. Before -u was 92 and -g was 91. its not set to vpopmail


As chkuser reads qmail/vpopmail control files, if it runs as non 
privileged user it will never be able to read any control file.


You must be sure the running UID/GID may read files.

If you log as root and run ./qmail-smtpd directly, you can enter the 
same commands as you did telnetting, but chkuser will act as root and 
will read everything. If it works, it means you must use an appropriate UID/GID.


If you have multiple users, then you must use root as uid (using uid 
switching for additional security if you are not using TLS).


Tonino


#!/bin/sh
export QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl
exec /usr/local/bin/tcpserver -p -R -S -u98 -g98 -v -c100 0 smtp
/usr/local/bin/rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd 2
/var/log/smtpd-debug.log

-r-sr-sr-x  1 qmaild nofiles 95620 Sep  9 18:05 /var/qmail/bin/qmail-smtpd





Re: [vchkpw] chkuser 2.0.8b

2005-07-27 Thread tonix (Antonio Nati)

At 18.58 26/07/2005, you wrote:


 If it works telnetting to port 25, then it should work from anywhere,
 as the protocol is the same and the programs are the same.

 What are logs saying about rejected/lost messages?

The logs say nothing.


Is there any chkuser log in /var/log/maillog (or wherever you keep your logs)?

Are your logs active?

My starting script has
/var/qmail/bin/qmail-smtpd-smtp 2>&1 | splogger mymxname 
in the last line (I don't use supervise), so my chkuser logs are active.

If your logs are active and you see no chkuser logs, the problem is elsewhere.


What I had noticed is that sending through an email
client, the messages do not appear to hit my system at all and are sent to
my mailbackup.  Once I switch back, the mail starts coming in from the
mailbackup as normal.


Are you sure the problem is in chkuser or qmail? If mails are going 
to backup MX it looks like the problem is elsewhere.


Are your clients sending to a fixed relay, or are they using the best 
MX, routing by themselves?





/*
  * Uncomment this to enable uid/gid changing
  * (switching UID/GID is NOT compatible with TLS; you may keep this commented if you have TLS)
  */
#define CHKUSER_ENABLE_UIDGID

 Are you using this the right way, putting right setuid/setgid bits on
 over patched qmail-smtpd?

I am not sure, I believe this was uncommented and didn't change it at all.
I am not using any TLS patches [I couldn't get them to work at the time so
I stopped trying].
I didn't think it would hurt to leave it enabled.


It should be the same, as it should switch from vpopmail user to vpopmail user.

Anyway, comment it (default) if you are simply running as vpopmail.

Tonino



Re: [vchkpw] Why does Inter7 opt Qmail?

2005-07-05 Thread tonix (Antonio Nati)


There are a lot of us here using qmail and able to give you an e-mail service.

So you can continue to use qmail and your boss will have an outsourced service!

Ciao,

Tonino

At 15.29 05/07/2005, you wrote:
Guys, let me explain why I'm asking this. My boss (not me) has doubts 
about Qmail. He wants me to search for new mailservers of mail solutions 
like, for example, outsourcing the mail function.


So I'm asking this now to have more arguments to convince him to stay with 
Qmail.


My boss (and me) esteem Inter7 and we'd like to hear from you the answer 
of this question.


Regards,
bnegrao


Hi Inter7 and everybody,

I'd like to know why do you opt Qmail as your mailserver? Why not 
Postfix? Why not Qmail-ldap? Why not any other that I don't know about?


Would you work with some other mailserver? If so, which one?

Thank you in advance,





Re: [vchkpw] pop-before-smtp and chkuser

2005-07-01 Thread tonix (Antonio Nati)


There is no need to change the code...

Once you've enabled
#define CHKUSER_RCPT_LIMIT_VARIABLE "CHKUSER_RCPTLIMIT"

it's enough to declare this variable CHKUSER_RCPTLIMIT with the limit 
you want before running qmail-smtpd.


So add a
export CHKUSER_RCPTLIMIT=50
before running qmail-smtpd (and be sure it can see this variable);

Tonino

At 01.18 01/07/2005, you wrote:
I went ahead and tried modifying chkuser. these two little quick and dirty 
changes seem to make it work. I'm still open to hearing alternatives (if 
there are any).


--- ../chkuser-2.0.8b-release/chkuser.c 2004-12-08 17:10:36.0 -0800
+++ chkuser.c   2005-06-30 17:10:44.192650158 -0700
@@ -435,15 +435,10 @@
 #endif

 #if defined CHKUSER_RCPT_LIMIT_VARIABLE
-maxrcpt_string = env_get (CHKUSER_RCPT_LIMIT_VARIABLE);
-if (maxrcpt_string) {
-maxrcpt_limit = atoi (maxrcpt_string);
+maxrcpt_limit = CHKUSER_RCPT_LIMIT_VARIABLE;
 if (maxrcpt_limit  1) {
 maxrcpt_limit = 0;
 }
-} else {
-maxrcpt_string = ;;
-}
 #endif

 #if defined CHKUSER_WRONGRCPT_LIMIT_VARIABLE
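Review bot: the added line `maxrcpt_limit = CHKUSER_RCPT_LIMIT_VARIABLE;` turns a per-connection setting into a compile-time constant, so every client gets the same cap, including any address that tcp.smtp would otherwise give a different limit, and changing it needs a rebuild. The hunk also removes both assignments to maxrcpt_string, so any later code that reads maxrcpt_string now sees whatever it was initialised to; those uses need checking. I would keep the env_get() lookup and fall back to a built-in default only in the branch where the variable is unset.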



--- ../chkuser-2.0.8b-release/chkuser_settings.h2004-12-08 
17:10:36.0 -0800

+++ chkuser_settings.h  2005-06-30 17:01:28.512240856 -0700
@@ -160,7 +160,7 @@
  * The first reached, between CHKUSER_RCPT_LIMIT_VARIABLE and 
CHKUSER_WRONGRCPT_LIMIT_VARIABLE,

  * makes chkuser rejecting everything else
  */
-#define CHKUSER_RCPT_LIMIT_VARIABLE CHKUSER_RCPTLIMIT
+#define CHKUSER_RCPT_LIMIT_VARIABLE 25

 /*
  * Uncomment to define a variable which contains the max unknown 
recipients number
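Review bot: `#define CHKUSER_RCPT_LIMIT_VARIABLE 25` reuses a macro whose name, and the comment block directly above it, describe the name of an environment variable, while it now holds the limit itself. Anyone reading the header or passing this macro to env_get() later will be misled. I would leave this define as it was and add a separate, documented macro for the hard-coded default (a new name would have to be introduced for it), with the comment stating which of the two takes precedence.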


--
Igor


On Thu, Jun 30, 2005 at 04:21:24PM -0700, Igor Grinchenko wrote:
- Hello everyone,
-
- I have a pop-before-smtp server running vpopmail 5.4.5. That server 
only serves clients that supply a valid login/password pair.
- Some clients, however, started abusing this system by sending tons of 
spam which gets us blacklisted in various RBL DBs.
- what I'm trying to do is use CHKUSER_RCPTLIMIT option to at least limit 
the number of emails that gets sent at once.

-
- it seems like for that I need to have the following line in 
tcp.smtp.cdb for every entry: 
RELAYCLIENT=,RBLSMTPD=,CHKUSER_RCPTLIMITsome number
- since vpopmail only creates RELAYCLIENT=,RBLSMTPD= - it seems like 
the only way is to hack vpopmail.c around line 2526.

-
- another way is to hack chkuser to hardcode some value to 
CHKUSER_RCPT_LIMIT_VARIABLE instead of looking at the env variable from 
the cdb file.

-
- which way should I go? I don't think I'll have a problem modifying 
either source code, since it seems like a pretty straightforward change.

-
- am I missing some other, simpler way?
-
- --
- Igor
-
-





Re: [vchkpw] SENDER_NOCHECK Question

2005-06-23 Thread tonix (Antonio Nati)


At 22.35 22/06/2005, you wrote:

Does SENDER_NOCHECK=1 in tcp.smtp mean that all aspects of chkuser
get bypassed when coming from that specific IP?

No. It means that no check is done on sender e-mail address (formal check
on address).

I've been trying to implement this feature and having trouble getting
any entry in tcp.smtp to bypass the chkuser rules.
My current tcp.smtp is
127.:allow,RELAYCLIENT=
192.168.0.:allow,RELAYCLIENT=,SENDER_NOCHECK=1
x.x.x.x:allow,RELAYCLIENT=,SENDER_NOCHECK=1

If I send to a bogus recipient from one of those IPs I still get the
typical chkuser response that recipient doesn't exist. I guess I would
have expected it to bypass chkuser and bounce telling me that user
doesn't exist. Is this incorrect logic?

You could try defining and using CHKUSER_START = NONE, that would exclude
any chkuser check.
You could define a general CHKUSER_START = DOMAIN (or ALWAYS), using then
the variable CHKUSER_START = NONE inside tcp.smtp for senders which are
excluded from all chkuser features.
I did not think of it inside tcp.smtp, but it may fit your needs, try
it.
(Be careful to enable all needed #defines, like #CHKUSER_STARTING_VARIABLE).

Tonino

Thanks.
Anthony
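The rules quoted in the chkuser_settings comments earlier in this archive (CHKUSER_ALWAYS_ON, CHKUSER_STARTING_VARIABLE with NONE | ALWAYS | DOMAIN) and the per-IP override via tcp.smtp suggested in the reply above can be modelled as follows. This is an added example, not chkuser's own code: the function names, the sample rules and the choice to raise an error on an unrecognised value are assumptions made here.

```python
"""Model of when chkuser validates a recipient (added example, not chkuser code)."""
from enum import Enum


class Mode(Enum):
    NONE = "NONE"      # chkuser does not run for this connection
    ALWAYS = "ALWAYS"  # every rcpt is checked, .qmail-default is ignored
    DOMAIN = "DOMAIN"  # checked only where the domain bounces unknown users


def parse_rule_env(rule):
    """Return the environment a tcp.smtp 'allow' rule sets for a connection.

    tcprules syntax: address:allow,VAR="value",VAR2="value". The character
    right after '=' is the delimiter that also terminates the value.
    """
    _addr, _, rest = rule.partition(":")
    action, _, tail = rest.partition(",")
    if action != "allow":
        return {}
    env = {}
    while tail:
        name, _, tail = tail.partition("=")
        if not tail:
            raise ValueError(f"missing value for {name!r}")
        delim, tail = tail[0], tail[1:]
        value, found, tail = tail.partition(delim)
        if not found:
            raise ValueError(f"unterminated value for {name!r}")
        env[name] = value
        tail = tail.lstrip(",")
    return env


def effective_mode(always_on, starting_variable, env):
    """Resolve the build-time defines plus connection environment to a Mode.

    always_on         -- True if CHKUSER_ALWAYS_ON is #defined
    starting_variable -- name given to CHKUSER_STARTING_VARIABLE, or None
                         when that #define is commented out
    env               -- environment qmail-smtpd sees for this connection
    """
    if always_on:
        return Mode.ALWAYS      # the starting variable is then useless
    if starting_variable is None:
        return Mode.DOMAIN      # only the per-domain bounce setting decides
    value = env.get(starting_variable, "")
    if value == "":
        return Mode.NONE        # variable missing or empty: chkuser disabled
    try:
        return Mode(value)
    except ValueError:
        # Assumption of this model: refuse values the settings file does not list.
        raise ValueError(
            f"{starting_variable}={value!r}: expected NONE, ALWAYS or DOMAIN"
        ) from None


def rcpt_is_checked(mode, domain_bounces):
    """True when an unknown recipient would be rejected at SMTP time."""
    return mode is Mode.ALWAYS or (mode is Mode.DOMAIN and domain_bounces)


# Constructed tcp.smtp rules, with the quotes written out as tcprules expects.
RULES = {
    "trusted relay": '192.168.0.:allow,RELAYCLIENT="",CHKUSER_START="NONE"',
    "default": ':allow,CHKUSER_START="DOMAIN"',
    "variable forgotten": ":allow",
}


def audit(always_on, starting_variable, domain_bounces=True):
    """Map each sample rule to whether recipients are checked under it."""
    return {
        label: rcpt_is_checked(
            effective_mode(always_on, starting_variable, parse_rule_env(rule)),
            domain_bounces,
        )
        for label, rule in RULES.items()
    }


if __name__ == "__main__":
    for label, checked in audit(False, "CHKUSER_START").items():
        print(f"{label:20s} rcpt checked: {checked}")
```

The "variable forgotten" row is the case to watch: with CHKUSER_STARTING_VARIABLE defined and no value in the environment, recipient checking is silently off for that connection.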




Re: [vchkpw] Help with my Chkuser Installation Guide

2005-06-20 Thread tonix (Antonio Nati)

At 18.36 17/06/2005, you wrote:

Hi Tonino, thanks for answering.


Documentation says it works with ezmlm and mailman.
Please, read the documentation!
Tonino


Dude, let me tell you: I ran a 'find ezmlm' in your whole website and the 
only matches I found were these statements (shown below) explaining about 
settings inside chkuser_settings.h file:


http://www.interazioni.it/opensource/chkuser/features.html

Tonino




Re: [vchkpw] Help with my Chkuser Installation Guide

2005-06-17 Thread tonix (Antonio Nati)

At 15.49 17/06/2005, you wrote:

But now that I'm looking closely at this check I'm recalling some of my customers 
like to have e-mails of the format: [EMAIL PROTECTED] It seems 
that this check would block my usernames with the 'user.lastname' syntax, 
since it doesn't accept a '.' character in the USER part. Is this 
customizable? If it's not, this feature does not work even for me!!


Documentation is wrong (I'll correct it soon): '.' and '=' are accepted in 
format controls.


Ciao,

Tonino



Re: [vchkpw] Help with my Chkuser Installation Guide

2005-06-17 Thread tonix (Antonio Nati)

At 16.47 17/06/2005, you wrote:

Tonino, are these characters enough even in those cases when somebody 
wants to, for example, send a confirmation reply e-mail to some automatic 
procedure? Like, confirming a subscribe message for a mailing list or 
something like that. How were your tests?


Documentation says it works with ezmlm and mailman.

Please, read the documentation!

Ciao,

Tonino


Regards,
bnegrao





Re: [vchkpw] chkuser patch causes problems with qmails sendmail binary

2005-06-06 Thread tonix (Antonio Nati)


What you see is chkuser logging, that is handled correctly if you send 
using smtp port.


So, you can either disable chkuser logging or send using smtp local port.

Ciao,

Tonino

At 20.17 04/06/2005, you wrote:

Ever since I installed chkuser (which has been great, might I add), pine
has had issues using the sendmail binary replacement qmail provides.

After some stracing I've determined this is because after sending:
RCPT TO:[EMAIL PROTECTED]

It is getting a response of CHKUSER accepted rcpt: from mik... instead
of a 220 ok.

Sendmail is called from pine by default (on debian, at least) with these
flags: -bs -odb -oem

So I tested it out myself:
$ /usr/sbin/sendmail -bs -odb -oem
220 webserv2.divide0.net ESMTP
ehlo localhost
250-webserv2.divide0.net
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 AUTH LOGIN PLAIN CRAM-MD5
RSET
250 flushed
MAIL FROM:[EMAIL PROTECTED]
250 ok
RCPT TO:[EMAIL PROTECTED]
CHKUSER accepted rcpt: from [EMAIL PROTECTED]:sendmail-bs: remote
:localhost:127.0.0.1 rcpt [EMAIL PROTECTED] : found existing recipient
250 ok

This is the same sequence of commands pine writes, and as you see, the
CHKUSER response is given after the RCPT TO causing pine to hang. That
response shouldn't be in there.

Any suggestions/hints as to how to stop this?

Thanks,
Mike Garrison





Re: [vchkpw] [chkuser] qutoacheck with catchall accounts

2005-05-23 Thread tonix (Antonio Nati)


No, it is not possible.

Let's say quotacheck is an option of chkuser, and if you disable chkuser 
quotacheck will not work.


You are suggesting a nice feature to add, I'll put in my to do list.

Tonino

At 22.33 22/05/2005, you wrote:

Hi,

i'm using netqmail 1.05 with qmail-toaster-0.7.2.patch.bz2. This works
great but I have a little problem with 'chkuser':
A recipient is only checked if the domain has bouncing enabled. Is it
possible to check a user's quota if the domain has a catch-all account?
Or with other words, can I compile 'chkuser' with CHKUSER_ALWAYS_ON but
have mails with unknown local parts delivered to the target
from .qmail-default instead of rejecting them?

TIA
Lars Uhlmann





Re: [vchkpw] chkuser 2.0.8 + syslog

2005-05-23 Thread tonix (Antonio Nati)


At 08.23 19/05/2005, you wrote:

/usr/local/bin/tcpserver -R -x
/etc/tcp.smtp.cdb -c120 -u89 -g89 0 smtp /usr/local/bin/rblsmtpd -b -v -r
sbl-xbl.spamhaus.org -r dnsbl.sorbs.net -r relays.ordb.org -r
rhsbl.sorbs.net -r list.dsbl.org -r bl.spamcop.net
/var/qmail/bin/qmail-smtpd 2>&1 | /var/qmail/bin/splogger
tcpserver 

That is the exact line.

This looks fine.

It appeared to actually accept
all emails regardless if the user was on the system or not. When I remove
that line it will reject email for invalid users using
chkuser.

Probably in your configuration you have the variable
CHKUSER_STARTING_VARIABLE that must be defined, or it is defined in a
wrong way. Check that.

Should I change
/* #define CHKUSER_STARTING_VARIABLE CHKUSER_START */
to
#define CHKUSER_STARTING_VARIABLE CHKUSER_ALWAYS_ON

No, you should start a debugging session, and see what's
happening.

First, run patched qmail-smtpd manually (as root) and check if chkuser
works this way.

$ ./qmail-smtpd

mail from wrong_sender

mail from right_sender

rcpt to: [EMAIL PROTECTED]

rcpt to: [EMAIL PROTECTED]

Second, make the same test telnetting to the port where you're
running qmail-smtpd.
Third, enable chkuser debugging and disable splogger, and watch what
happens telnetting to port 25.
Let me know, ciao.
Tonino
?
Tonino





Re: [vchkpw] chkuser 2.0.8 + syslog

2005-05-18 Thread tonix (Antonio Nati)
At 08.52 18/05/2005, you wrote:
tonix (Antonio Nati) wrote:
At 17.59 17/05/2005, you wrote:
On Tuesday 17 May 2005 11:47 am, tonix (Antonio Nati) wrote:
 Hi Jimmy,

 this does not look as a chkuser problem, but as a general qmail 
problem (as
 chkuser uses same logging routines of qmail). chkuser log goes whenever
 qmail logs go. Are your normal qmail-smtpd logs going to syslog?
I currently have no problems with email logging. I have also got the 
rblsmtpd syslogd patch working its only the chkuser stuff that does not 
end up in syslog.

This is my configuration for qmail-smtpd. It logs everything (chkuser 
included).

I don't use supervise, so you must change something if you use it.
/var/qmail/ucspi/tcpserver -l my.system.name \
-b 20 -c 40 -u 88 -g 83 \
-h -R -t 5 -v -p -x /vpopmail/etc/tcp.smtp.cdb my.system.address smtp \
/var/qmail/ucspi/rblsmtpd -r bl.spamcop.net -r sbl-xbl.spamhaus.org \
/var/qmail/bin/qmail-smtpd 2>&1 | splogger mytag
Tonino


Re: [vchkpw] chkuser 2.0.8 + syslog

2005-05-18 Thread tonix (Antonio Nati)


At 10.48 18/05/2005, you wrote:


I currently have no problems
with email logging. I have also got the rblsmtpd syslogd patch working
its only the chkuser stuff that does not end up in
syslog.
This is my configuration for qmail-smtpd. It logs everything (chkuser
included).
I don't use supervise, so you must change something if you use it.
/var/qmail/ucspi/tcpserver -l my.system.name \
-b 20 -c 40 -u 88 -g 83 \
-h -R -t 5 -v -p -x /vpopmail/etc/tcp.smtp.cdb my.system.address smtp
\
/var/qmail/ucspi/rblsmtpd -r bl.spamcop.net -r sbl-xbl.spamhaus.org
\
/var/qmail/bin/qmail-smtpd 2>&1 | splogger mytag

When I added a similar line where i had /var/qmail/bin/splogger tcpserver


Please don't say similar, as similar means a lot of things: post the
complete starting commands.
It appeared to actually accept
all emails regardless if the user was on the system or not. When I remove
that line it will reject email for invalid users using chkuser.

Probably in your configuration you have the variable
CHKUSER_STARTING_VARIABLE that must be defined, or it is defined
in a wrong way. Check that.
Tonino





Re: [vchkpw] chkuser 2.0.8 + syslog

2005-05-17 Thread tonix (Antonio Nati)
Hi Jimmy,
this does not look like a chkuser problem, but like a general qmail problem (as 
chkuser uses same logging routines of qmail). chkuser log goes wherever 
qmail logs go. Are your normal qmail-smtpd logs going to syslog?

You should look in other pages, and check how syslog and splogger work.
See http://www.lifewithqmail.org/lwq.html or 
http://qmail.3va.net/qdp/splogger.html for more specific info.

Ciao,
Tonino
At 14.54 17/05/2005, you wrote:
Hello,
I am currently trying to setup my chkuser 2.0.8 to log to syslog. Currently 
all of the information is coming out on /dev/console.

I currently have the following setup
#define CHKUSER_ENABLE_LOGGING
/*
 * Uncomment to enable logging of good rcpts
 * valid only if CHKUSER_ENABLE_LOGGING is defined
 */
#define CHKUSER_LOG_VALID_RCPT
/*
 * Uncomment to enable usage of a variable excluding any check on the sender.
 * The variable should be set in tcp.smtp for clients, with static IP, whose mailer
 * is composing bad sender addresses
 */
#define CHKUSER_SENDER_NOCHECK_VARIABLE "SENDER_NOCHECK"

Is there any way that I can get it to go to syslog?
Thanks
Jimmy.



Re: [vchkpw] chkuser 2.0.8 + syslog

2005-05-17 Thread tonix (Antonio Nati)
At 17.59 17/05/2005, you wrote:
On Tuesday 17 May 2005 11:47 am, tonix (Antonio Nati) wrote:
 Hi Jimmy,

 this does not look as a chkuser problem, but as a general qmail problem (as
 chkuser uses same logging routines of qmail). chkuser log goes whenever
 qmail logs go. Are your normal qmail-smtpd logs going to syslog?
however, qmail-smtpd doesn't actually log anything.. so you've had to add 
some
additional logging code :)
You are right! Around chkuser logging I have tcpserver logging (tcpserver 
starting qmail-smtpd). I consider it the same of qmail-smtpd (when existing 
:-)) in my previous comment.

Tonino
-Jeremy
--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]



RE: [vchkpw] Re: Getting segmentation fault with chkusr patch for qmail-smtpd

2005-04-29 Thread tonix (Antonio Nati)
How did you apply the patch over qmailrocks installation?
Did you have any error from patch?
You should at least examine smtp_rcpt and post it.
Ciao,
Tonino
At 22.44 28/04/2005, you wrote:
 *exactly*? Compile qmail without and '-O' and with '-g2' and run
 qmail-smtpd in 'dbg' (or similar).
 Use 'strace' or 'truss' (with follow fork option)
I'm obviously a bit over my head here on the Linux platform. :-) I don't
have truss or dbg on my machine. I have strace however but I didn't get
any smarter. Removed -O2 from conf-cc, touched *.c and ran make but
strace didn't display anything more.
Part of strace output:
-
write(1, 220 mx2.example.com ESMTP\r\n, 0 mx2.example.com ESMTP
) = 22
alarm(0)= 1200
alarm(1200) = 0
read(0, helo
helo\n, 1024) = 5
alarm(0)= 1197
alarm(1200) = 0
write(1, 250 mx2.example.com\r\n, 16250 mx2.example.com
)  = 16
alarm(0)= 1200
alarm(1200) = 0
read(0, mail
mail\n, 1024) = 5
alarm(0)= 1199
alarm(1200) = 0
write(1, 250 ok\r\n, 8250 ok
)   = 8
alarm(0)= 1200
alarm(1200) = 0
read(0, rcpt
rcpt\n, 1024) = 5
alarm(0)= 1197
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
The lines starting with read(0,  is followed by my input. I have no
idea if this helps anyone see what's wrong though.
Sorry for being a complete newbie on this...
Regards,
Glenn F. Henriksen



Re: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread tonix (Antonio Nati)
You may disable acceptance of message from not authenticated users only if 
you make one of these changes:

- delete any entry from rcpthosts
or
- modify auth patch so that only auth relaying is allowed.
Tonino
At 16.24 19/04/2005, you wrote:
Hi Everybody,
I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.
I think that there is a bug in the qmail-smtpd.
the bug that I can send mail as/from a local account to any other local
account Although I use SMTP auth provided by :
http://www.fehcom.de/qmail/smtpauth.html.
smtpd and SMTP Auth.  must prevent anyone to Impersonate and send mail from
an Local Account other than his Local Account to any other Local account.
Imagine that I host the two domains: companyXX.com and companyYY.com for
example.
So , an any person who did not belong to companyXX.com can Impersonate as
[EMAIL PROTECTED] and send a formal email - w/o authenticating of course -
to [EMAIL PROTECTED] or [EMAIL PROTECTED]
I want to do that to prevent any other third party - or even any local
account users- to Impersonate and send mail from an other Local Account to
any other Local account.
By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :

#!/bin/sh
# when QMAILQUEUE is set, all mail will be sent to the nominated script
QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"; export QMAILQUEUE
QMAILDUID=`id -u vpopmail`
QMAILDGID=`id -g vchkpw`
exec /usr/local/bin/softlimit -m 1500 \
/usr/local/bin/tcpserver \
-v -x /etc/tcp.smtp.cdb \
-c 20 -R -u $QMAILDUID -g $QMAILDGID 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r 'relays.ordb.org:Your message was rejected because the mail server you use is configured to allow OPEN RELAY - More detailed information regarding this problem is available from http://www.ordb.org/lookup/?host=%IP% - Please forward this error through to your email server support staff for easy resolution.' \
-r 'list.dsbl.org:Your message was rejected because the message was sent from a server listed in DSBL - More information regarding this problem is available at http://dsbl.org/listing?%IP% - Please forward this error to your email server support staff for resolution.' \
-r 'sbl-xbl.spamhaus.org:Your message was rejected because the message was sent from a server listed in the Spamhaus RBL - More information regarding this problems is available at http://www.spamhaus.org/query/bl?ip=%IP% - Please forward this error to your email server support staff for resolution.' \
/var/qmail/bin/qmail-smtpd \
/home/vpopmail/bin/vchkpw /bin/true 2>&1

Can anyone help me to work around this problem 
Best Regards.
Samir Noshy



RE: [vchkpw] (Urgent) qmail-smtpd Bug !!!!!!!!!

2005-04-19 Thread tonix (Antonio Nati)


At 16.42 19/04/2005, you wrote:
 -----Original Message-----
 From: tonix (Antonio Nati) [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, April 19, 2005 5:24 PM
 To: vchkpw@inter7.com
 Subject: Re: [vchkpw] (Urgent) qmail-smtpd Bug !

 You may disable acceptance of message from not authenticated
 users only if you make one of these changes:

 - delete any entry from rcpthosts

If I did so, no one can send emails to my local domains.

So now you may understand why this is neither a bug nor a security hole.
It's a standard feature, and cannot be another way.

 or
 - modify auth patch so that only auth relaying is allowed.

I think that is a good solution , but how I can modify it ??

You must set up a dedicated qmail-smtpd server for these domains, and
change code: within smtp_rcpt, before chkuser (if you use it), or after
these lines (I use Shupp's patch)

        if (flagbarfbmt) {
                strerr_warn4("qmail-smtpd: badmailto: ",addr.s," at ",remoteip,0);
                err_bmt();
                return;
        }

add code like this:

        if (!relayclient) {
                strerr_warn4("qmail-smtpd: not auth sender: ",addr.s," at ",remoteip,0);
                err_notauth();
                return;
        }

where err_notauth() can be:

        void err_notauth() { out("553 sorry, you must authenticate before using this server (#5.7.1)\r\n"); }

It would be much better if this would be a configurable option of auth
patch, that would force authentication in the first smtp steps, and not
within rcpt dialog (but this is better than nothing).
Tonino

 Tonino


Thanks and Best Regards.

Samir Noshy

At 16.24 19/04/2005, you wrote:
Hi Everybody,

I have a system consists of qmail 1.03 and vpopmail-5.4.9 and
courier-imap-4.0.2 and SM and QS.

I think that there is a bug in the qmail-smtpd.

the bug that I can send mail as/from a local account to any other
local 
account Although I use SMTP auth provided by :

http://www.fehcom.de/qmail/smtpauth.html.

smtpd and SMTP Auth. must prevent anyone to Impersonate and
send mail 
from an Local Account other than his Local Account to any other
Local
account.

Imagine that I host the two domains: companyXX.com and companyYY.com

for example.

So , an any person who did not belong to companyXX.com can
Impersonate 
as [EMAIL PROTECTED] and send a formal email - w/o authenticating
of 
course - to [EMAIL PROTECTED] or [EMAIL PROTECTED]

I want to do that to prevent any other third party - or even any
local 
account users- to Impersonate and send mail from an other Local
Account 
to any other Local account.

By the way; My /var/qmail/supervise/qmail-smtpd/run as follow :



#!/bin/sh

# when QMAILQUEUE is set, all mail will be sent to the nominated
script 
QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue.pl export
QMAILQUEUE

QMAILDUID=`id -u vpopmail`

QMAILDGID=`id -g vchkpw`

exec /usr/local/bin/softlimit -m 1500 \ /usr/local/bin/tcpserver
\

-v -x /etc/tcp.smtp.cdb \

-c 20 -R -u $QMAILDUID -g $QMAILDGID 0 smtp \

/usr/local/bin/rblsmtpd -b -C \

-r 'relays.ordb.org:Your message was rejected because the mail server

you use is configured to allow OPEN RELAY - More detailed information

regarding this problem is available from 

http://www.ordb.org/lookup/?host=%IP%

http://www.ordb.org/lookup/?host=%IP% - Please forward this
error 
through to your email server support staff for easy resolution.'
\

-r 'list.dsbl.org:Your message was rejected because the message was

sent from a server listed in DSBL - More information regarding this

problem is available at

http://dsbl.org/listing?%IP% 

http://dsbl.org/listing?%IP% - Please forward this error to
your 
email server support staff for resolution.' \

-r 'sbl-xbl.spamhaus.org:Your message was rejected because the
message 
was sent from a server listed in the Spamhaus RBL - More information

regarding this problems is available at 

http://www.spamhaus.org/query/bl?ip=%IP%

http://www.spamhaus.org/query/bl?ip=%IP% - Please forward
this error 
to your email server support staff for resolution.' \

/var/qmail/bin/qmail-smtpd \

/home/vpopmail/bin/vchkpw /bin/true 2>&1



Can anyone help me to work around this problem 


Best Regards.

Samir Noshy




Re: [vchkpw] SMTP Abuse

2005-04-13 Thread tonix (Antonio Nati)
If the remote user is sending using an authenticated SMTP session, you would 
find his name within chkuser logging.

Probably, as Ken is saying, these are simply some viruses trying to guess 
recipients on your MX hosted domains.

Tonino
At 19.24 13/04/2005, you wrote:
Ken,
Thanks for your help.
You probably are receiving a dictionary scan from infected PC's.
Be sure to use rblsmtpd against one or more of the good rbl sites.
I have tried this before write here. So maybe too much rbl's, look:
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 1000 \
/usr/local/bin/tcpserver \
-v -H -R -l 0 \
-x /etc/tcprules/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
/usr/local/bin/rblsmtpd -b -C \
-r "list.dsbl.org:Your mail server is listed in DSBL list." \
-r "bl.spamcop.net:Your mail server is listed in Spamcop blocklist." \
-r "relays.ordb.org:Your mail server is an OPEN RELAY (ORDB list)." \
-r "sbl.spamhaus.org:Your mail server is listed in SBL-Spamhaus." \
-r "blackholes.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
-r "dialups.mail-abuse.org: See http://www.mail-abuse.com/enduserinfo.html" \
-t 5 \
/var/qmail/bin/qmail-smtpd \
/var/vpopmail/bin/vchkpw /bin/true 2>&1
Another thing you can do is scan for frequent IP's to bad users
in the smtp log files and build new tcp.smtp deny lines.
Yes. That what I'm doing:
4.:deny
12.:deny
130-159.:deny
80-89.:deny
and so on...
But there is a way to determine if the spammer are using an account on my
server, with password, to do that? So I can change the password and block
him.
Thanks,
--
Walter.



Re: [vchkpw] chkuser: Let chkuser kill qmail-smtpd

2005-03-30 Thread tonix (Antonio Nati)


Hi Tobias,

I don't think that quitting qmail-smtpd is the best action.

When you enable these thresholds settings and enable delay, chkuser
simply aborts further rcpt to: with the message you see, and
for each new rcpt waits for CHKUSER_ERROR_DELAY (default 1000)
milliseconds, increased, for each aborted rcpt, by a value of
CHKUSER_ERROR_DELAY_INCREASE (default 100) milliseconds. So, based
on standard settings, if you have 100 aborted recipients, you have
a delay of 11 seconds for the 101st rcpt (N.B.: all that happens only if
you have defined the variables needed to enable this check).

So, you can decrease these values, or define
CHKUSER_ERROR_DELAY_INCREASE to zero, or disable these
controls.

As a consequence, chkuser cannot waste any resource, as the most used
instruction in such conditions is delay.

I feel this is the most suitable way to fight intruders, making them lose
time and/or resources without giving them valuable information.

If you just quit the process after the initial threshold, they will start
a qmail-smtpd process and gain real information for the initial rcpts of
the new process.

I've been attacked a lot of times. First times intruders did not note the
you are violating... message, and wasted some days. After
that, they made the same job, with a unique rcpt to for each session. So,
when I saw a lot of CHKUSER rejected messages from the same
IP, and watched the strange sequence of rcpt looked for, I denied that IP
in my tcp.smtp.

I was asked also to keep trace automatically of these intruders between
sessions, but I feel this is out of chkuser scopes and very dangerous to
perform. I've controlled my logs, and sometimes I see remote senders
(i.e. mailing lists or systems answering back to viruses) that look
hundreds of times for the same broken addresses, and I feel I
cannot automatically create a black list for those remote IP.

You can make a simple script checking for CHKUSER logs, alerting you when
numbers are strange (see
http://www.interazioni.it/opensource/chkuser/documentation/logging_summary.html
for a very simple example).

Ciao,
Tonino

At 17.53 29/03/2005, you wrote:
At 17.53 29/03/2005, you wrote:
On Tuesday, 29 March 2005 18:37, Jeremy Kitchen wrote:
 On Tuesday 29 March 2005 10:31 am, Tobias Orlamuende wrote:
  After intensive logging I found out, that chkuser sends something like
  You are violating my security policy when CHKUSERRCPTLIMIT and / or
  CHKUSER_WRONGRCPTLIMIT is reached.
  That's fine so far, but the other side is still sending masses of rcpt
  to. This causes qmail-smtpd to stay open for a very long time until the
  sender finishes sending his spam.

 so? the resources consumed by a single copy of qmail-smtpd hanging around
 for some spammer to give up are minimal.

IMHO not :-(
qmail-smtpd is running for 40 minutes and counts up (until now) to 105
processes where the oldest one dates from one minute after startup of
qmail-smtpd. Load of this Dual-Opteron (240) is about 100.
Timeoutsmtpd is set in control...
Most of the started qmail-smtpd's are closed correctly, but some stay open
which gives this amount...
I am not 100% sure if this problem is caused by chkuser, but for me it looks
like. The strange thing is, that most of these open sessions are using
STARTTLS.
Btw: Anybody made bad experiences with this patch ?

http://www.arda.homeunix.net/store/qmail/starttls-2way-auth-20050307.patch

I started with Bill Shupp's tls-auth-patch but the load was even going much
higher than now.

  Wouldn't it make sense to let chkuser terminate this specific
  qmail-smtpd instance if one of the above limits is reached?

 perhaps, but why?

See above.

  If yes, how could it be implemented?

 just edit the code. Find the place where it flips on the ok, we're not
 accepting anymore limit... and have it exit.

Nice. But for me as somebody who has nearly no knowledge of C it is quite
difficult.
Maybe you, Jeremy, or somebody else on this list has any hints for the above
situation...
Greetings
Tobias 
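
The kind of log check described in the message above, as an added example (it is not the script linked from the chkuser site and not part of the original post). It counts rejected recipients per remote IP and separates many distinct wrong addresses from one broken address retried many times, which is the mailing-list case the post warns about. The function names, thresholds and sample lines are assumptions made here, as is the optional angle-bracket delimiting of the log fields.

```python
import re
from collections import defaultdict

# Layout written by chkuser_commonlog:
#   CHKUSER <title>: from <sender:info:id> remote <helo:host:ip> rcpt <rcpt> : <text>
# Assumption: the angle brackets may or may not be present, so both forms parse.
LINE_RE = re.compile(
    r"CHKUSER (?P<title>[a-z ]+): from <?(?P<sender>\S*?)>? remote "
    r"<?(?P<remote>\S*?)>? rcpt <?(?P<rcpt>\S*?)>? : (?P<desc>.*)$"
)


def parse_line(line):
    """Return (title, remote_ip, rcpt, description) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # remote field is helo:host:ip, so the IP is whatever follows the last colon
    ip = m.group("remote").rsplit(":", 1)[-1]
    return m.group("title"), ip, m.group("rcpt").lower(), m.group("desc").strip()


def summarize(lines):
    """Per remote IP: accepted rcpts, rejected rcpts, set of distinct rejected rcpts."""
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0, "distinct": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        title, ip, rcpt, _desc = parsed
        if title == "accepted rcpt":
            stats[ip]["accepted"] += 1
        elif title == "rejected rcpt":
            stats[ip]["rejected"] += 1
            stats[ip]["distinct"].add(rcpt)
    return dict(stats)


def classify(stats, min_distinct=5, min_repeat=20):
    """Flag IPs for a human to review; nothing is blocked automatically.

    harvest: many different wrong recipients (address guessing)
    repeat:  the same few wrong recipients over and over (stale list, backscatter)
    """
    findings = []
    for ip in sorted(stats):
        s = stats[ip]
        if len(s["distinct"]) >= min_distinct:
            findings.append((ip, "harvest"))
        elif s["rejected"] >= min_repeat:
            findings.append((ip, "repeat"))
    return findings


def _line(title, ip, rcpt, desc):
    # Constructed sample line, timestamp in the style of the logs quoted in this thread
    return ("2005-03-29 10:00:00.000000000 CHKUSER %s: from <probe@example.net::> "
            "remote <helo.example.net:unknown:%s> rcpt <%s> : %s" % (title, ip, rcpt, desc))


# Constructed sample log (documentation IP ranges, example.org addresses)
SAMPLE_LOG = (
    [_line("rejected rcpt", "203.0.113.7", "%s@example.org" % n, "not existing recipient")
     for n in ("adam", "alice", "anna", "bob", "carl", "dave")]
    + [_line("rejected rcpt", "198.51.100.9", "old-user@example.org",
             "not existing recipient")] * 25
    + [_line("accepted rcpt", "192.0.2.10", "info@example.org",
             "found existing recipient")] * 3
    + [_line("rejected rcpt", "192.0.2.10", "inof@example.org", "not existing recipient")]
    # same layout without angle brackets
    + ["2005-03-29 10:00:01.000000000 CHKUSER rejected rcpt: from probe@example.net:: remote "
       "helo.example.net:unknown:203.0.113.7 rcpt erin@example.org : not existing recipient"]
)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, kind in classify(stats):
        s = stats[ip]
        print("%-15s %-8s rejected=%d distinct=%d accepted=%d"
              % (ip, kind, s["rejected"], len(s["distinct"]), s["accepted"]))
```
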




Re: [vchkpw] chkuser 2.0.8 oddities

2005-03-16 Thread tonix (Antonio Nati)


At 15.31 16/03/2005, you wrote:
Good morning,
I recently installed chkuser in response to a SpamCop listing. I have a
user getting addresses rejected that we know exist. The addresses are in
valias and work fine when I send a message. The user in question is
recently getting rejections. Here is a sample of the qmail-smtp
log.
2005-03-15 17:06:06.731444500 CHKUSER rejected rcpt: from
[EMAIL PROTECTED]:: remote
SUPPORT4:wls-41-226-196-65.tls.net:65.196.226.41 rcpt
[EMAIL PROTECTED] : not existing recipient
2005-03-16 08:37:28.526532500 CHKUSER accepted rcpt: from
[EMAIL PROTECTED]:: remote
[192.168.1.101]:64-184-8-148.bb.hrtc.net:64.184.8.148 rcpt
[EMAIL PROTECTED] : found existing recipient

You should enable CHKUSER_RCPT_FORMAT and see if there are any strange
characters (invisible in log) that make the address unusable (you have
rcpt not existing when you could have INVALID FORMAT)
You could also modify chkuser.c this way, in order to track better the
rejected recipient... The following change displays the complete address
length, so you may check if the address length corresponds to what you
read:

/* needed at the top of chkuser.c if not already included */
#include <stdio.h>	/* sprintf */
#include <string.h>	/* strlen */

static void chkuser_commonlog (char *sender, char *rcpt, char *title,
char *description) {

  char str[30];

  /* length of rcpt exactly as received; strlen returns size_t,
     so cast it to match the format specifier */
  sprintf (str, "%lu", (unsigned long) strlen (rcpt));

  substdio_puts (subfderr, "CHKUSER ");
  substdio_puts (subfderr, title);
  substdio_puts (subfderr, ": from ");
  substdio_puts (subfderr, sender);
  substdio_puts (subfderr, ":");
  if (remoteinfo) {
    substdio_puts (subfderr, remoteinfo);
  }
  substdio_puts (subfderr, ":");
#if defined CHKUSER_IDENTIFY_REMOTE_VARIABLE
  if (identify_remote) substdio_puts (subfderr, identify_remote);
#endif
  substdio_puts (subfderr, " remote ");
  if (fakehelo) substdio_puts (subfderr, fakehelo);
  substdio_puts (subfderr, ":");
  if (remotehost) substdio_puts (subfderr, remotehost);
  substdio_puts (subfderr, ":");
  if (remoteip) substdio_puts (subfderr, remoteip);
  substdio_puts (subfderr, " rcpt ");
  substdio_puts (subfderr, rcpt);
  substdio_puts (subfderr, ":");
  /* added: address length, logged right after the address */
  substdio_puts (subfderr, str);
  substdio_puts (subfderr, " : ");
  substdio_puts (subfderr, description);
  substdio_puts (subfderr, "\n");
  substdio_flush (subfderr);
}

I'm not sure just why this is happening, I do not have
CHKUSER_RCPT_FORMAT defined, in fact the only changes I made to the
chkuser_settings.h was to uncomment CHKUSER_ALWAYS_ON and set the
CHKUSER_MBXQUOTA to 90 in my qmail-smtpd run script.
I had the user send me the message in question and I noticed that the
addresses had single quotes in them,
  '[EMAIL PROTECTED]'

mailto:[EMAIL PROTECTED].
  '[EMAIL PROTECTED]'

mailto:[EMAIL PROTECTED].
I would suspect that was the issue except that this address book worked
prior to installing chkuser, and the qmail-smtpd log shows the address
correctly when it is rejected.

chkuser uses and logs exactly what it receives from qmail-smtpd.
Ciao,
Tonino
Any ideas?

DAve
-- 
Dave Goodrich
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!





Re: [vchkpw] chkuser 2.0.8 oddities

2005-03-16 Thread tonix (Antonio Nati)


Sorry for the previous message, this is indented better.
At 15.31 16/03/2005, you wrote:
Good morning,
I recently installed chkuser in response to a SpamCop listing. I have a
user getting addresses rejected that we know exist. The addresses are in
valias and work fine when I send a message. The user in question is
recently getting rejections. Here is a sample of the qmail-smtp
log.
2005-03-15 17:06:06.731444500 CHKUSER rejected rcpt: from
[EMAIL PROTECTED]:: remote
SUPPORT4:wls-41-226-196-65.tls.net:65.196.226.41 rcpt
[EMAIL PROTECTED] : not existing recipient
2005-03-16 08:37:28.526532500 CHKUSER accepted rcpt: from
[EMAIL PROTECTED]:: remote
[192.168.1.101]:64-184-8-148.bb.hrtc.net:64.184.8.148 rcpt
[EMAIL PROTECTED] : found existing recipient
You should enable CHKUSER_RCPT_FORMAT and see if there are any strange
characters (invisible in log) that make the address unusable (you have
rcpt not existing when you could have INVALID FORMAT)
You could also modify chkuser.c this way, in order to track better the
rejected recipient... The following change displays the complete address
length, so you may check if the address length corresponds to what you
read:
---
/* needed at the top of chkuser.c if not already included */
#include <stdio.h>	/* sprintf */
#include <string.h>	/* strlen */

static void chkuser_commonlog (char *sender, char *rcpt, char *title,
char *description) {

  char str[30];

  /* length of rcpt exactly as received; strlen returns size_t,
     so cast it to match the format specifier */
  sprintf (str, "%lu", (unsigned long) strlen (rcpt));

  substdio_puts (subfderr, "CHKUSER ");
  substdio_puts (subfderr, title);
  substdio_puts (subfderr, ": from ");
  substdio_puts (subfderr, sender);
  substdio_puts (subfderr, ":");
  if (remoteinfo) {
    substdio_puts (subfderr, remoteinfo);
  }
  substdio_puts (subfderr, ":");
#if defined CHKUSER_IDENTIFY_REMOTE_VARIABLE
  if (identify_remote) substdio_puts (subfderr, identify_remote);
#endif
  substdio_puts (subfderr, " remote ");
  if (fakehelo) substdio_puts (subfderr, fakehelo);
  substdio_puts (subfderr, ":");
  if (remotehost) substdio_puts (subfderr, remotehost);
  substdio_puts (subfderr, ":");
  if (remoteip) substdio_puts (subfderr, remoteip);
  substdio_puts (subfderr, " rcpt ");
  substdio_puts (subfderr, rcpt);
  substdio_puts (subfderr, ":");
  /* added: address length, logged right after the address */
  substdio_puts (subfderr, str);
  substdio_puts (subfderr, " : ");
  substdio_puts (subfderr, description);
  substdio_puts (subfderr, "\n");
  substdio_flush (subfderr);
}
---

I'm not sure just why this is
happening, I do not have CHKUSER_RCPT_FORMAT defined, in fact the only
changes I made to the chkuser_settings.h was to uncomment
CHKUSER_ALWAYS_ON and set the CHKUSER_MBXQUOTA to 90 in my
qmail-smtpd run script.
I had the user send me the message in question and I noticed that the
addresses had single quotes in them,
  '[EMAIL PROTECTED]'

mailto:[EMAIL PROTECTED].
  '[EMAIL PROTECTED]'

mailto:[EMAIL PROTECTED].
I would suspect that was the issue except that this address book worked
prior to installing chkuser, and the qmail-smtpd log shows the address
correctly when it is rejected.
chkuser uses and logs exactly what it receives from qmail-smtpd.
Ciao,
Tonino

Any ideas?

DAve
-- 
Dave Goodrich
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!




Re: [vchkpw] chkuser 2.0.8 oddities

2005-03-16 Thread tonix (Antonio Nati)
At 19.21 16/03/2005, you wrote:
tonix (Antonio Nati) wrote:
At 15.31 16/03/2005, you wrote:
Good morning,
I recently installed chkuser in response to a SpamCop listing. I have a 
user getting addresses rejected that we know exist. The addresses are in 
valias and work fine when I send a message. The user in question is 
recently getting rejections. Here is a sample of the qmail-smtp log.

2005-03-15 17:06:06.731444500 CHKUSER rejected rcpt: from 
[EMAIL PROTECTED]:: remote 
SUPPORT4:wls-41-226-196-65.tls.net:65.196.226.41 rcpt 
[EMAIL PROTECTED] : not existing recipient

2005-03-16 08:37:28.526532500 CHKUSER accepted rcpt: from 
[EMAIL PROTECTED]:: remote 
[192.168.1.101]:64-184-8-148.bb.hrtc.net:64.184.8.148 rcpt 
[EMAIL PROTECTED] : found existing recipient
You should enable CHKUSER_RCPT_FORMAT and see if there are any strange 
characters (invisible in log) that make the address unusable (you have 
rcpt not existing when you could have INVALID FORMAT)
I can certainly do that. But I am confused, if I didn't enable 
CHKUSER_RCPT_FORMAT shouldn't the address work as it did before? Or is 
there some level of format checking going on by default?
Regardless of the CHKUSER_RCPT_FORMAT define, chkuser calls some routines to check 
for rcpt existence, and it may be that the address my(invisible 
char)[EMAIL PROTECTED] is not found and logged immediately as not 
existing rcpt.

Ciao,
Tonino

Thanks,
DAve
--
Dave Goodrich
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!



Re: [vchkpw] 551 response to user not found

2005-03-15 Thread tonix (Antonio Nati)
I don't remember exactly, I studied a lot of documents and found same 
tables that lead me to that decision (to have a close correspondence to 
5.x.x formats).

These are all definitions within chkuser_settings.h
#define CHKUSER_NORCPT_STRING "511 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RESOURCE_STRING "430 system temporary unavailable, try again later (#4.3.0 - chkuser)\r\n"
#define CHKUSER_MBXFULL_STRING "522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
#define CHKUSER_MAXRCPT_STRING "571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)\r\n"
#define CHKUSER_MAXWRONGRCPT_STRING "571 sorry, you are violating our security policies (#5.1.1 - chkuser)\r\n"
#define CHKUSER_DOMAINMISSING_STRING "511 sorry, you must specify a domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RCPTFORMAT_STRING "511 sorry, recipient address has invalid format (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RCPTMX_STRING "511 sorry, can't find a valid MX for rcpt domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_SENDERFORMAT_STRING "571 sorry, sender address has invalid format (#5.7.1 - chkuser)\r\n"
#define CHKUSER_SENDERMX_STRING "511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_INTRUSIONTHRESHOLD_STRING "571 sorry, you are violating our security policies (#5.7.1 - chkuser)\r\n"
#define CHKUSER_NORELAY_STRING "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)\r\n"

I may change default definitions if there is any problem (but anyone may 
change as he/she likes).

Tonino
At 10.05 15/03/2005, you wrote:
Can somebody tell me why chkuser (I'm using 2.0.8) gives a 511 response to 
a user not found error?

RFC 821 gives 550 as the correct response
--
Cheers
Alastair Battrick
www.battrick.org



Re: [vchkpw] 551 response to user not found

2005-03-15 Thread tonix (Antonio Nati)
Hi Cris,
550 is ok for
#define CHKUSER_NORCPT_STRING "511 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"

What about other cases?
#define CHKUSER_MBXFULL_STRING "522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
#define CHKUSER_MAXRCPT_STRING "571 sorry, reached maximum number of recipients for one session (#5.7.1 - chkuser)\r\n"
#define CHKUSER_MAXWRONGRCPT_STRING "571 sorry, you are violating our security policies (#5.1.1 - chkuser)\r\n"
#define CHKUSER_DOMAINMISSING_STRING "511 sorry, you must specify a domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RCPTFORMAT_STRING "511 sorry, recipient address has invalid format (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RCPTMX_STRING "511 sorry, can't find a valid MX for rcpt domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_SENDERFORMAT_STRING "571 sorry, sender address has invalid format (#5.7.1 - chkuser)\r\n"
#define CHKUSER_SENDERMX_STRING "511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_INTRUSIONTHRESHOLD_STRING "571 sorry, you are violating our security policies (#5.7.1 - chkuser)\r\n"
#define CHKUSER_NORELAY_STRING "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)\r\n"

I feel
#define CHKUSER_RESOURCE_STRING "430 system temporary unavailable, try again later (#4.3.0 - chkuser)\r\n"
is probably ok as it is.

Tonino
At 13.48 15/03/2005, you wrote:
On Tue, 15 Mar 2005 12:22:34 +0100, tonix (Antonio Nati)
[EMAIL PROTECTED] wrote:
Ciao Antonio,
first of all compliments for your work in this patch.
 I don't remember exactly, I studied a lot of documents and found same
 tables that lead me to that decision (to have a close correspondence to
 5.x.x formats).
I think should be better a 550 reply as RFC 2821:
  550 Requested action not taken: mailbox unavailable
 (e.g., mailbox not found, no access, or command rejected
 for policy reasons)
--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/



Re: [vchkpw] 551 response to user not found

2005-03-15 Thread tonix (Antonio Nati)
Alastair,
if you give a transient error sender will probably have a definitive error 
after some days, and until then will be (wrongly) satisfied about the delivery.

In this way sender is notified immediately, and may decide the opportune 
action.

Anyway, these strings have been made external (in settings file) to let 
anyone choose their own best behaviours.

Tonino
At 14.06 15/03/2005, you wrote:
tonix (Antonio Nati) wrote:
#define CHKUSER_MBXFULL_STRING "522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
#define CHKUSER_RCPTMX_STRING "511 sorry, can't find a valid MX for rcpt domain (#5.1.1 - chkuser)\r\n"
#define CHKUSER_SENDERMX_STRING "511 sorry, can't find a valid MX for sender domain (#5.1.1 - chkuser)\r\n"
Should these not be temporary 4XX errors?
--
Cheers
Alastair Battrick
www.battrick.org
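
A way to check the reply strings debated in this thread, as an added example (not chkuser code and not from any of the posts): it reads chkuser_settings.h style defines and reports, per string, whether the three-digit code is one of the reply codes listed in RFC 2821 section 4.2.3, whether its class digit agrees with the (#x.y.z) status code, and whether a non-RFC code at least mirrors that status code. The function name, flag names and the EDITED sample are assumptions made here; SHIPPED is copied from the defaults quoted in the thread.

```python
import re

# Reply codes listed in RFC 2821 section 4.2.3
RFC2821_CODES = {211, 214, 220, 221, 250, 251, 252, 354, 421, 450, 451, 452,
                 500, 501, 502, 503, 504, 550, 551, 552, 553, 554}

# #define NAME "NNN text (#x.y.z - chkuser)\r\n"   (\r\n are literal in the header)
DEFINE_RE = re.compile(
    r'#define\s+(?P<name>\w+)\s+"(?P<code>\d{3}) .*?'
    r'\(#(?P<enh>\d\.\d{1,3}\.\d{1,3}) - chkuser\)\\r\\n"'
)


def lint(header_text):
    """Map each reply-string define to a list of flags (empty list = nothing to report)."""
    report = {}
    for m in DEFINE_RE.finditer(header_text):
        code, enh = m.group("code"), m.group("enh")
        flags = []
        # 4xx must go with 4.y.z and 5xx with 5.y.z, otherwise the sender
        # sees a temporary code with a permanent status or the reverse
        if code[0] != enh[0]:
            flags.append("class-mismatch")
        if int(code) not in RFC2821_CODES:
            flags.append("not-in-rfc2821")
            # chkuser's defaults build the code from the status digits (5.1.1 -> 511);
            # a non-RFC code that does not even follow that scheme is likely a typo
            if code != enh.replace(".", ""):
                flags.append("does-not-mirror-enhanced")
        report[m.group("name")] = flags
    return report


# Defaults as quoted in the thread
SHIPPED = r'''
#define CHKUSER_NORCPT_STRING "511 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"
#define CHKUSER_RESOURCE_STRING "430 system temporary unavailable, try again later (#4.3.0 - chkuser)\r\n"
#define CHKUSER_MBXFULL_STRING "522 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
#define CHKUSER_MAXWRONGRCPT_STRING "571 sorry, you are violating our security policies (#5.1.1 - chkuser)\r\n"
#define CHKUSER_NORELAY_STRING "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.5.3 - chkuser)\r\n"
'''

# Constructed local edit: 550 as suggested in the thread, and a mailbox-full
# string switched to a temporary code without updating the status code
EDITED = r'''
#define CHKUSER_NORCPT_STRING "550 sorry, no mailbox here by that name (#5.1.1 - chkuser)\r\n"
#define CHKUSER_MBXFULL_STRING "452 sorry, recipient mailbox is full (#5.2.2 - chkuser)\r\n"
'''

if __name__ == "__main__":
    for label, text in (("shipped", SHIPPED), ("edited", EDITED)):
        for name, flags in lint(text).items():
            print("%-8s %-32s %s" % (label, name, ", ".join(flags) or "ok"))
```
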



Re: [vchkpw] Removing entries from vlog with user/domain deleted

2005-01-21 Thread tonix (Antonio Nati)
At 17.08 21/01/2005, you wrote:
On Thursday 20 January 2005 9:43 pm, Tom Collins wrote:
 secnetdk submitted the following patch on SourceForge:

 http://sourceforge.net/tracker/?func=detail&atid=577800&aid=1099800&group_id=85937

 It adds code to delete the associated vlog entries when a user or
 domain are deleted.

 Does anyone on the list have a need/reason for vlog entries to stay
 behind when a user/domain are deleted?  If not, I'll go ahead and roll
 it into the next release.
I'd rather have a separate program to purge logs, based on 
parameters (domain, days, users, deleted users, etc.).

And I'd like to add more logging on vlog for all activities, like user 
creation, user deletion, etc.

Tonino



RE: [vchkpw] chkuser 2.0 and vpopmail w/mysql

2005-01-20 Thread tonix (Antonio Nati)
At 17.47 20/01/2005, you wrote:
So based on what you have said, if
chkuser relies on vpopmail commands to determine existence then my current
setup should work just fine. If chkuser directly reads the virtualdomains
file, then I will have problems.
Hi Brian,
chkuser relies on vpopmail for domains (i.e. rcpthosts, virtualdomains), 
users (cdb/MySQL/other) and valiases (MySQL) information, using instead 
its own code for aliases and mailing lists.

Checking of chkuser enabling (looking for bounce string) is done using 
its own code.

Ciao,
Tonino



Re: [vchkpw] qmail-default, bounce and reply

2005-01-19 Thread tonix (Antonio Nati)



I can't say for the qmailrocks version, in standard chkuser 2.0.8 you
have new defines that may help you.
CHKUSER_ENABLE_ALIAS_DEFAULT Enables checking of
.qmail-alias-default files
You may try to keep your patched qmail-smtpd.c and copy newer chkuser.h,
chkuser_settings.h, chkuser.c, then change settings, compile and see if
you have reached your goal.
Tonino
At 13.10 19/01/2005, you wrote:
Hi..
This is my first mail to the list.
I need help with one question.
I have installed netqmail-1.05, vpopmail-5.4.7 without mysql
and
chkuser-2.0.5-qmailrocks.patch.
The problem is bounced and reply mails: chkuser blocks my
alias-default.
Example:
# cat .qmail-hello
[EMAIL PROTECTED]
# cat .qmail-hello-default
[EMAIL PROTECTED]
| /var/qmail/bots/myprogram
#
If I send an email to [EMAIL PROTECTED], chkuser accepts the mail,
but
if I send an email to [EMAIL PROTECTED], chkuser blocks the
mail.

Below follows an example of how it would work; this server is of
inter.com,
this user or alias doesn't exist:
--
Delivery to the following recipient failed permanently:
 [EMAIL PROTECTED]
Technical details of failure:
PERM_FAILURE: SMTP Error (state 10): 550 sorry, no mailbox here by
that name (#5.1.1 - chkusr)
---

and below is on alias for maillist program.
---
added to the vchkpw mailing list, please send
an empty reply to this address:

[EMAIL PROTECTED]



thanks
best regards.

Juarez Junior 




Re: [vchkpw] chkuser 2.0 and vpopmail w/mysql

2005-01-14 Thread tonix (Antonio Nati)
I feel these two statements are not in opposition.
chkuser checks recipients only for domains who are in virtualdomains.
When a domain is already inside virtualdomains, for a new user you may 
simply add a new line with MySQL vpopmail database, and the user will be 
added automatically as it is used the first time (the first incoming message).

In this way, using a replica MySQL on a front-end qmail system, it will use 
chkuser for all domains that are listed in virtualdomains and have all 
users within MySQL. So it looks simply like you have to add your domains to 
virtualdomains, and put them also in smtproutes.

Tonino
At 21.00 12/01/2005, you wrote:
Quick question that I can't seem to sort out myself. I see people are doing
the same thing based on the archives but I can't seem to find a definitive
answer.
Using a smart host relay to do initial mail checking running qmail. All my
virtual domains are setup up correctly but not listed in the virtualdomains
file. Instead we are using the smtproutes file to pass on to the rest of our
mail system. This all works great. Vpopmail 5.4.7 is setup using MySQL with
a replicated read only host on the smart relay. I noticed in the archives
that people have used the chkuser patch to qmail in this situation with
great success. My question is this: In the FAQ at
http://www.interazioni.it/opensource/chkuser/documentation/faq/general.html
it states that chkuser will do the checking only if the domain exists in
rcpthosts(or morercpthosts) AND virtualdomains. The archives seem to suggest
that if you are using MySQL, you don't need the entries in virtualdomains.
Am I misreading this? What would be the correct setup in this case assuming
checking on all domains? Any clarification would be great. Thanks
Brian Lanier



Re: [vchkpw] chkuser 2.0 and vpopmail w/mysql

2005-01-14 Thread tonix (Antonio Nati)
At 10.17 14/01/2005, you wrote:
I feel these two statements are not in opposition.
chkuser checks recipients only for domains who are in virtualdomains.
When a domain is already inside virtualdomains, for a new user you may 
simply add a new line with MySQL vpopmail database, and the user will be 
added automatically as it is used the first time (the first incoming message).
Correction: the user is already created, as you put it inside MySQL; the 
needed qmail directories and structures for that user will be created the 
first time the account will receive e-mail.

In this way, using a replica MySQL on a front-end qmail system, it will 
use chkuser for all domains that are listed in virtualdomains and have all 
users within MySQL. So it looks simply like you have to add your domains 
to virtualdomains, and put them also in smtproutes.

Tonino
At 21.00 12/01/2005, you wrote:
Quick question that I can't seem to sort out myself. I see people are doing
the same thing based on the archives but I can't seem to find a definitive
answer.
Using a smart host relay to do initial mail checking running qmail. All my
virtual domains are setup up correctly but not listed in the virtualdomains
file. Instead we are using the smtproutes file to pass on to the rest of our
mail system. This all works great. Vpopmail 5.4.7 is setup using MySQL with
a replicated read only host on the smart relay. I noticed in the archives
that people have used the chkuser patch to qmail in this situation with
great success. My question is this: In the FAQ at
http://www.interazioni.it/opensource/chkuser/documentation/faq/general.html
it states that chkuser will do the checking only if the domain exists in
rcpthosts(or morercpthosts) AND virtualdomains. The archives seem to suggest
that if you are using MySQL, you don't need the entries in virtualdomains.
Am I misreading this? What would be the correct setup in this case assuming
checking on all domains? Any clarification would be great. Thanks
Brian Lanier




Re: [vchkpw] vchkpw problemm!

2004-12-10 Thread tonix (Antonio Nati)
Are you testing as root? If yes, it should work...
If not, you should setuid and setgid qmail-smtpd as indicated in documentation.
Tonino
At 15.43 10/12/2004, you wrote:
Hello all!
i install
netqmail-1.05
qmail-toaster-0.6-1.patch
netqmail-1.05_toaster-0.6-1_chkuser-2.0.8b.patch
and have a problem with chkuser.

this is my
chkuser_settings.h
#define CHKUSER_VPOPMAIL
#define CHKUSER_STARTING_VARIABLE CHKUSER_START
#define CHKUSER_ENABLE_UIDGID
other by default

this is my
qmail-smtpd run file
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
#
CHKUSER_START=DOMAIN
export CHKUSER_START
#
exec /usr/local/bin/softlimit -m 600 \
/usr/local/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
/usr/local/bin/rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd 2>&1
=
my /usr/local/vpopmail/domains/vs..ua/.qmail-default
| /usr/local/vpopmail/bin/vdelivermail '' bounce-no-mailbox
=
when i test mail qmail-smtpd
CHKUSER_START=DOMAIN
export CHKUSER_START
./qmail-smtpd
220 venus.vs..ua ESMTP
mail from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : found existing recipient
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : found existing recipient
250 ok

[EMAIL PROTECTED] existing recipient
[EMAIL PROTECTED] non exist
i see that patched qmail-smtpd doesn't work fine!
where is my mistake ?
--
Best regards,
 vit  mailto:[EMAIL PROTECTED]
-= SV365-RIPE
-= VS574-UANIC
-= ICQ 1811



Re: [vchkpw] vchkpw problemm!

2004-12-10 Thread tonix (Antonio Nati)
Hi,
looking more closely at your post.
If you are using Shupp's toaster, you must run qmail-smtpd as vpopmail 
user, not qmail (see documentation).

You may also comment CHKUSER_ENABLE_UIDGID.
Tonino
At 15.43 10/12/2004, you wrote:
Hello all!
i install
netqmail-1.05
qmail-toaster-0.6-1.patch
netqmail-1.05_toaster-0.6-1_chkuser-2.0.8b.patch
and have a problem with chkuser.

this is my
chkuser_settings.h
#define CHKUSER_VPOPMAIL
#define CHKUSER_STARTING_VARIABLE CHKUSER_START
#define CHKUSER_ENABLE_UIDGID
other by default

this is my
qmail-smtpd run file
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
#
CHKUSER_START=DOMAIN
export CHKUSER_START
#
exec /usr/local/bin/softlimit -m 600 \
/usr/local/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb -c $MAXSMTPD \
-u $QMAILDUID -g $NOFILESGID 0 smtp \
/usr/local/bin/rblsmtpd -r relays.ordb.org /var/qmail/bin/qmail-smtpd 2>&1
=
my /usr/local/vpopmail/domains/vs..ua/.qmail-default
| /usr/local/vpopmail/bin/vdelivermail '' bounce-no-mailbox
=
when i test mail qmail-smtpd
CHKUSER_START=DOMAIN
export CHKUSER_START
./qmail-smtpd
220 venus.vs..ua ESMTP
mail from: [EMAIL PROTECTED]
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : found existing recipient
250 ok
rcpt to: [EMAIL PROTECTED]
CHKUSER accepted rcpt: from [EMAIL PROTECTED]:: remote :unknown:unknown rcpt [EMAIL PROTECTED] : found existing recipient
250 ok

[EMAIL PROTECTED] existing recipient
[EMAIL PROTECTED] non exist
i see that patched qmail-smtpd doesn't work fine!
where is my mistake ?
--
Best regards,
 vit  mailto:[EMAIL PROTECTED]
-= SV365-RIPE
-= VS574-UANIC
-= ICQ 1811



[vchkpw] chkuser 2.0.8 released again - 2.0.8a

2004-12-08 Thread tonix (Antonio Nati)



A damned typing error in chkuser.c gives compile error when #define
CHKUSER_STARTING_VARIABLE is defined.
You may download 2.0.8a, or change, in chkuser.c, this line:

if (strùcasecmp(starting_string, "ALWAYS") == 0) {
to

if (strcasecmp(starting_string, "ALWAYS") == 0) {
Sorry for any inconvenience.
Tonino

chkuser 2.0.8 has been released,
and is available at

www.interazioni.it/opensource.
As usual, this version has been tested and has been working on my
production systems for some weeks.
This version, basically:

- freezes all important changes in 2.0.7 (closing DB connections among all)
- is more RFC compliant (NULL SENDER is now ALWAYS accepted, and all FORMAT
  and MX checking defines are OFF by default)
- cleans some small bugs.

It has been released as complete release package, and as
update of previous installed versions (from 2.0.5 to
2.0.7).
Additional note:
I put on the site a small script displaying chkuser activity.
On one of my systems, I defined acceptance limits for existing (limit is
50) and wrong (limit is 5) users.
On that system, I'm facing several attacks each day, and these acceptance
limits help me reject them.
They are also suggesting that I implement additional features for
rejecting those IPs.
Any comment on this topic is welcomed. 

qstat -yesterday 
CHKUSER entries 10135 
CHKUSER accepted null senders 365 
CHKUSER rejected senders 268 
CHKUSER accepted senders 3615 
CHKUSER rejected rcpts 966 
CHKUSER accepted rcpts 3809 
CHKUSER rejected relaying 88 
CHKUSER accepted relaying 42 
CHKUSER mbx overquota 0 
CHKUSER max rcpt intrusion triggers 0 
CHKUSER max wrong rcpt intrusion triggers 62 
CHKUSER rejected intrusions 920 
Please note I may answer any question until friday, then I'll be
again available at the end of the month.
Tonino




Re: [vchkpw] chkuser 2.0.7 released

2004-12-07 Thread tonix (Antonio Nati)


Charles,
you've found an error. Your output in the private e-mail has been
extremely useful, so I've checked the code, and found a small (stupid!)
bug that works when CHKUSER_STARTING_VARIABLE is defined (in such a case,
no check is done on sender).
In 2.0.8 (I'll try to publish it today or tomorrow) this is
fixed.
Anyway, this is the correction, inside chkuser.c, in the routine
chkuser_sender:
int chkuser_sender (stralloc
*sender) {
int count;
+ if (first_time_init_flag) {
+ first_time_init ();
+ }
#if !defined CHKUSER_ALWAYS_ON  defined
CHKUSER_STARTING_VARIABLE
 if (starting_value == -1) {
 return CHKUSER_OK;
 }
#endif
#if defined CHKUSER_SENDER_FORMAT || defined CHKUSER_SENDER_MX
- if (first_time_init_flag)
{
-
first_time_init ();
- }
#if defined CHKUSER_SENDER_NOCHECK_VARIABLE
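Review bot: the early return on starting_value == -1 now depends on first_time_init () having run before it, and nothing in the hunk records that ordering. A one-line comment above the moved if (first_time_init_flag) block, saying that starting_value is only meaningful after initialization, would stop a later cleanup from pushing the call back under #if defined CHKUSER_SENDER_FORMAT || defined CHKUSER_SENDER_MX. The hunk only touches chkuser_sender, so it is also worth confirming that any other routine testing starting_value calls first_time_init () ahead of the test.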
Thanks,
Tonino
At 01.44 07/12/2004, you wrote:
On Tue, 26 Oct 2004, tonix (Antonio Nati) wrote:
Patch is working in a production environment, but it is anyway released as
development version, because changes are so important that I'd like to have
a wider testing.
As usual, please help me testing it.
Any bug warning, feedback or comment is welcome!
It looks like there are some issues with verifying the sender dns...
Two things I've noticed:
-This patch seems to undo the mfcheck patch. Previous to patching with
chkuser, qmail-smtpd would reject any mail without a proper dns entry for
the envelope sender, now it seems to let that all through. My only patches
are Bill Shupp's toaster patch and chkuser 2.0.7.
-Turning on what I think is the equivalent option in chkuser does not
seem to do anything (#define CHKUSER_SENDER_MX).
For example, with /var/qmail/control/mfcheck set to 1 and the above
define set in chkuser_settings.h:
[EMAIL PROTECTED]/home/spork]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost
Escape character is '^]'.
220 xena.foo.net UCE PROHIBITED ESMTP
mail from: [EMAIL PROTECTED]
250 ok
quit
221 xena.foo.net UCE PROHIBITED
Connection closed by foreign host.
And just to be sure, from outside any tcprules checks:
[EMAIL PROTECTED] telnet mail.foo.net 25
Trying 216.220.96.26...
Connected to mail.foo.net.
Escape character is '^]'.
220 xena.foo.net UCE PROHIBITED ESMTP
mail from: [EMAIL PROTECTED]
250 ok
quit
221 xena.foo.net UCE PROHIBITED
Connection closed by foreign host.
[EMAIL PROTECTED] host -t mx no.real.domain.here.tv.us
Host not found.
That should be rejected outright, correct?
Thanks,
Charles

Tonino



[EMAIL PROTECTED]
Interazioni di Antonio Nati


http://www.interazioni.it 
[EMAIL PROTECTED]






[vchkpw] chkuser 2.0.8 released

2004-12-07 Thread tonix (Antonio Nati)



chkuser 2.0.8 has been released, and is available at

www.interazioni.it/opensource.
As usual, this version has been tested and has been working on my
production systems for some weeks.
This version, basically:

- freezes all important changes in 2.0.7 (closing DB connections among all)
- is more RFC compliant (NULL SENDER is now ALWAYS accepted, and all FORMAT
  and MX checking defines are OFF by default)
- cleans some small bugs.

It has been released as complete release package, and as
update of previous installed versions (from 2.0.5 to
2.0.7).
Additional note:
I put on the site a small script displaying chkuser activity.
On one of my systems, I defined acceptance limits for existing (limit is
50) and wrong (limit is 5) users.
On that system, I'm facing several attacks each day, and these acceptance
limits help me reject them.
They are also suggesting that I implement additional features for
rejecting those IPs.
Any comment on this topic is welcomed. 

qstat -yesterday 
CHKUSER entries 10135 
CHKUSER accepted null senders 365 
CHKUSER rejected senders 268 
CHKUSER accepted senders 3615 
CHKUSER rejected rcpts 966 
CHKUSER accepted rcpts 3809 
CHKUSER rejected relaying 88 
CHKUSER accepted relaying 42 
CHKUSER mbx overquota 0 
CHKUSER max rcpt intrusion triggers 0 
CHKUSER max wrong rcpt intrusion triggers 62 
CHKUSER rejected intrusions 920 
Please note I may answer any question until friday, then I'll be
again available at the end of the month.
Tonino





Re: [vchkpw] just noticed something with chkuser ....

2004-11-25 Thread tonix (Antonio Nati)
At 18.34 24/11/2004, you wrote:
On Wednesday 24 November 2004 04:17 am, tonix (Antonio Nati) wrote:
 CORRECTION TO THE PREVIOUS MESSAGE.


 CHKUSER_ENABLE_NULL_SENDER is in 2.0.7.

 This version may be considered stable, despite its devel attribute.
I tried to use it.. looks like I need to patch with 2.0.6 and then patch the
2.0.7 patch against it?
No, if you have 2.0.5 means you're not using Toaster (version 2.0.6 
contains only the Toaster patch).

You have to copy newer chkuser.c, chkuser.h, chkuser_settings.h and  patch 
your Makefile using Makefile.patch.

 On next days I'll publish a 2.0.8 release, and update online
 documentation. 2.0.8 that will probably be the definitive stable chkuser,
 with the most of RFC compliance.

 One general question, before I publish 2.0.8:

 Does it make sense to have format checking enabled as default?
I think it's beyond the scope of the functionality of the chkuser patch,
to be honest.

Perhaps the code could be split up into chkuser, which does its purpose in
validating local recipients, and another patch that attempts to perform some
checks on the envelope sender.
I'll follow this suggestion: keeping all non RFC options commented (exclude 
format control, exclude MX control, accept NULL sender, etc.), and 
improving documentation.

Thanks,
Tonino
-Jeremy
--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]



Re: [vchkpw] just noticed something with chkuser ....

2004-11-24 Thread tonix (Antonio Nati)
Jeremy,
you should add also CHKUSER_ENABLE_NULL_SENDER.
When CHKUSER_SENDER_FORMAT or CHKUSER_SENDER_MX are defined, 
CHKUSER_ENABLE_NULL_SENDER will exclude NULL SENDERS from those checks.

This is the new default in the last distributions, after 
CHKUSER_ENABLE_NULL_SENDER has been added:

CHKUSER_SENDER_FORMAT enabled
CHKUSER_SENDER_MX enabled
CHKUSER_ENABLE_NULL_SENDER enabled
Sorry, I realized too late that the 
CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST feature, far from being a 
valid intruder rejection, has caused too much trouble. I tried to fix the 
situation by introducing CHKUSER_ENABLE_NULL_SENDER.

Let me know of any better explanation in the documentation or FAQ.
Regards,
Tonino
At 01.08 24/11/2004, you wrote:
On Tuesday 23 November 2004 05:30 pm, Jeremy Kitchen wrote:
 On Tuesday 23 November 2004 04:53 pm, Rick Macdougall wrote:
  Jeremy Kitchen wrote:
   mail from: 
   571 sorry, sender address has invalid format (#5.7.1 - chkuser)
  
   HUH?
  
   this is fixed in a newer version I hope?
 
  Hi,
 
  Is CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST defined in your config ?
 
   From the manual
 
  CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST   2.0.5   defined
  Enables accepting null sender  from hosts which have a name
  associated to their IP

 oh, and we don't do reverse dns lookups.. that would explain it.  This is
 on as default or something?  Why is this even in chkuser?  heh...
hmm.. even commenting it out it appears that I am not able to receive bounce
messages.  This is very bad.
-Jeremy
--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]



Re: [vchkpw] just noticed something with chkuser ....

2004-11-24 Thread tonix (Antonio Nati)
CORRECTION TO THE PREVIOUS MESSAGE.
CHKUSER_ENABLE_NULL_SENDER is in 2.0.7.
This version may be considered stable, despite its devel attribute.
In the next days I'll publish a 2.0.8 release, and update online 
documentation. 2.0.8 will probably be the definitive stable chkuser, 
with the most RFC compliance.

One general question, before I publish 2.0.8:
Does it make sense to have format checking enabled as default?
My standard checking excludes a lot of  unusual characters (like ), that 
could instead be accepted, as RFC has a wider set enabled.
My system logs show no rejection of honest addresses, while all rejected 
senders are wrong/illegal names.

Which are your opinions on format checking?
Regards,
Tonino
At 10.22 24/11/2004, you wrote:
Jeremy,
you should add also CHKUSER_ENABLE_NULL_SENDER.
When CHKUSER_SENDER_FORMAT or CHKUSER_SENDER_MX are defined, 
CHKUSER_ENABLE_NULL_SENDER will exclude NULL SENDERS from those checks.

This is the new default in the last distributions, after 
CHKUSER_ENABLE_NULL_SENDER has been added:

CHKUSER_SENDER_FORMAT enabled
CHKUSER_SENDER_MX enabled
CHKUSER_ENABLE_NULL_SENDER enabled
Sorry, I realized too late that the 
CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST feature, far from being a 
valid intruder rejection, has caused too much trouble. I tried to fix the 
situation by introducing CHKUSER_ENABLE_NULL_SENDER.

Let me know of any better explanation in the documentation or FAQ.
Regards,
Tonino
At 01.08 24/11/2004, you wrote:
On Tuesday 23 November 2004 05:30 pm, Jeremy Kitchen wrote:
 On Tuesday 23 November 2004 04:53 pm, Rick Macdougall wrote:
  Jeremy Kitchen wrote:
   mail from: 
   571 sorry, sender address has invalid format (#5.7.1 - chkuser)
  
   HUH?
  
   this is fixed in a newer version I hope?
 
  Hi,
 
  Is CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST defined in your 
config ?
 
   From the manual
 
  CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST   2.0.5   defined
  Enables accepting null sender  from hosts which have a name
  associated to their IP

 oh, and we don't do reverse dns lookups.. that would explain it.  This is
 on as default or something?  Why is this even in chkuser?  heh...

hmm.. even commenting it out it appears that I am not able to receive bounce
messages.  This is very bad.
-Jeremy
--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
  [EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465 int'l
  kitchen @ #qmail #gentoo on EFnet IRC ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ jabber:[EMAIL PROTECTED]




Re: [vchkpw] 2.0.7 not correctly working?

2004-10-27 Thread tonix (Antonio Nati)


Alastair,
the main difference between 2.0.5 and 2.0.7, speaking only about sender
checking, is related to NULL SENDER (<>), now accepted by default,
while previously it was accepted only if its IP had a corresponding DNS
name. This (default) change makes more messages accepted.
Can you check if you have the variable SENDER_NOCHECK (#define
CHKUSER_SENDER_NOCHECK_VARIABLE) set in some way?
Otherwise please post your qmail-smtpd starting script and your
chkuser_settings.h (if message is too long post it privately).
Tonino
At 27/10/2004 27/10/2004 +0100, you wrote:
J. Kendzorra wrote:
Alastair Battrick:
I've applied the patches for
2.0.7 and made the qmail-smtpd binary.
When I try and run the binary with ./qmail-smtpd I am not getting 
an
error message when I 'MAIL FROM' a non existent domain or from an
invalid email address. The previous version gives a 571 
sorry,
sender address has invalid format (#5.7.1 -
chkuser)
Check your chkuser_settings.h if
,-
|#define CHKUSER_SENDER_MX
|#define CHKUSER_SENDER_FORMAT
`
are commented out.
They are not commented out
-- 
Cheers
Alastair Battrick
www.battrick.org



[EMAIL PROTECTED]
Interazioni di Antonio Nati 

http://www.interazioni.it

[EMAIL PROTECTED]






Re: [vchkpw] MySql load causes bounced mail

2004-10-27 Thread tonix (Antonio Nati)
At 25/10/2004 25/10/2004 -0400, you wrote:

I feel it could be time to redesign qmail and use atexit() functions.
This could be a lengthy process. But if you are willing to undertake it, 
and write the patches for it, then it is certainly worth it.
I'm willing to do it, but I've no time shortly. Anyway, I feel most urgent 
job would be to rewrite Makefile and make a ./configure script.

Tonino

X-Istence




Re: [vchkpw] 2.0.7 not correctly working? [SEMI SOLVED]

2004-10-27 Thread tonix (Antonio Nati)


At 27/10/2004 27/10/2004 +0100, you wrote:
I've discovered the problem with
this. Using MAIL FROM without the colon, results in a null
sender. This bit of code in chkuser.c accepts the email address as it is
null:
...
In chkuser 2.0.5 omitting the colon would have been picked up with a
571 sorry, sender address has invalid format (#5.7.1 -
chkuser) error
I guess I want to know, is *this* a feature or a bug :)

This is a feature (or better, the new default for chkuser).
Several people asked me to make sender acceptance compliant with RFC,
where NULL SENDER may be normally used for bounced e-mails.
Previous 2.0.5 default implementation was too tight: accepting NULL
SENDER only for IP with a DNS name caused rejecting of warning messages
that could be accepted.
You may turn back to old implementation commenting #define
CHKUSER_ENABLE_NULL_SENDER and enabling #define
CHKUSER_ENABLE_NULL_SENDER_WITH_TCPREMOTEHOST .
Regards,
Tonino
Cheers
Alastair









[vchkpw] chkuser 2.0.7 released

2004-10-26 Thread tonix (Antonio Nati)



chkuser 2.0.7, development version, is now available on the site
(www.interazioni.it/opensource).
This is an important version, because a lot of bugs have been solved and
a lot of new features have been added.
But, most of all, this is the first version caring to close all DB
connections, and this should solve a lot of problems in busy MySQL
environments.
New/changed features:

- closing of DB connections
- handling of mailman lists
- handling of temporary DNS failures (on MX checking)
- some features are now RFC compliant (now accepting NULL SENDER)
- handling of .qmail-alias-default
- a lot of other bugs solved and features added.

Patch is working in a production environment, but it is anyway
released as development version, because changes are so
important that I'd like to have a wider testing.
As usual, please help me testing it.
Any bug warning, feedback or comment is welcome!
Tonino









Re: [vchkpw] MySql load causes bounced mail

2004-10-25 Thread tonix (Antonio Nati)
At 22/10/2004 22/10/2004 -0400, you wrote:
On Oct 22, 2004, at 8:13 AM, tonix (Antonio Nati) wrote:
Any comment?
Tonino
Why is qMail calling _exit() and not exit()? Is there a reason it does not 
want its files closed, and other stuff properly cleaned up? Or is it 
because DJB is just not happy with using calls that are in the libc 
library and thus are not thread safe for the most part?
Threads? I don't see where qmail is using threads...
Anyways, even though I do not agree with using #define's to override a 
function, I don't see it as a bad one necessarily, as it clears up the 
entire MySQL mess.
Funny, I'm checking my (chkuser) patch and I see also auth patch (Bill 
Shupp's toaster version) does the same thing (overriding _exit).

I feel it could be time to redesign qmail and use atexit() functions.
Tonino




Re: [vchkpw] MySql load causes bounced mail

2004-10-22 Thread tonix (Antonio Nati)
At 21/10/2004 21/10/2004 -0700, you wrote:
vdelivermail calls _exit() when running a command in a .qmail file (exit 
codes 99, 100 and 111).  It should really be calling vexit() to give the 
MySQL lib a chance to close its connections.

We could also consider just using atexit() to register functions that will 
be automatically called at exit, then we don't have to worry about calling 
vexit instead (which calls vclose).
I'm working on the chkuser side, and this is my solution (here simplified)...
Given the fact qmail-smtpd uses only _exit(), and this function is called a 
lot of times within the source, I'm substituting this _exit() function 
within qmail-smtpd.c using these definitions:

/* redirect every _exit() call in qmail-smtpd.c to the wrapper */
void my_cleaning_call(int a);
#define _exit(a) my_cleaning_call(a)

Then in my chkuser.c module, I have:

/* drop the macro here so the wrapper reaches the real _exit() */
#undef _exit
void my_cleaning_call (int a) {
    vclose();
    _exit (a);
}

Any comment?
Tonino

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/




Re: [vchkpw] MySql load causes bounced mail

2004-10-21 Thread tonix (Antonio Nati)
At 21/10/2004 21/10/2004 -0700, you wrote:
We could also consider just using atexit() to register functions that will 
be automatically called at exit, then we don't have to worry about calling 
vexit instead (which calls vclose).
Wow! In another thread I just suggested to use atexit() in vpopmail.

I know that Tonio has worked on a new chkuser patch that, along with some 
extra code in vpopmail, will respond with 4xx.

Is there a chance that the old chkusr patch had an execution path that 
resulted in it not closing its connection to MySQL?
Yes, both for new and for old patch. chkuser cannot close any connection, 
as it's called only for each sender or rcpt, and cannot know when it has 
finished his job.

But, as we are speaking of atexit(), I'll give the good example ( :-) ) and 
in next 2.0.7 version I'll use it to call vclose().

Thanks,
Tonino
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/




Re: [vchkpw] MySql load causes bounced mail

2004-10-21 Thread tonix (Antonio Nati)
At 21/10/2004 21/10/2004 +0100, you wrote:
But, as we are speaking of atexit(), I'll give the good example ( :-) ) 
and in next 2.0.7 version I'll use it to call vclose().

As another thread is saying, qmail-smtpd also is using _exit(), so atexit() 
is useless.

I'll put another solution to work. Probably I'll change the flush() functions.
Tonino
--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/




Re: [vchkpw] Re: chkuser and SSL with stunnel

2004-10-16 Thread tonix (Antonio Nati)


At 16/10/2004 16/10/2004 +0200, you wrote:
I think the problem is, that
qmail-smtpd is called by a wrapper program
(stunnel here) and chkuser sends log-messages to stdout when called
directly (logging enabled in this example):

chkuser sends log messages using qmail routines (that should use stderr),
but you have to route qmail-smtpd errors to right channels.
My working configuration with stunnel (I had a lot of problems with
logging and stunnel, but of different kind) is:
/usr/local/sbin/stunnel -f . -- \
qmail-smtpd /vpopmail/bin/vchkpw /usr/bin/true \
2>&1 | splogger sslsmtp

Please note:
-f forces stunnel to stay in foreground and display error messages normally
2>&1 | splogger sslsmtp pipes all ERR output to splogger, using sslsmtp as name of the logged service
This should avoid any problem, and you have logging routed to usual log files.
Regards,
Tonino

thanks,
Florian 







Re: [vchkpw] chkuser 2.0

2004-10-14 Thread tonix (Antonio Nati)
Eric,
we are waiting for the release of this feature, that should already be in CVS.
See this previous message:
Charles Sprickman wrote:
 Take a look at vpopmail CVS HEAD.  What I did was add a vauth_open() 
function in vmysql.c, and every other
 authentication back end that did not already have one.  It returns 0 if 
the database opens properly or some
 negative number if there was an error.

 I really think the right thing to do is make that change to vpopmail, 
then in the chkuser patch return a
 temporary failure if the database does not open properly.

Ciao,
Tonino
At 14/10/2004 14/10/2004 -0700, you wrote:
While the current chkuser.c might compile fine against a vpopmail
install with Sybase or Postgres, it doesn't work for MySQL because
vauth_open is defined only in vpgsql.c and vsybase.c.
To get around this, I replaced the following line in chkuser.c:
.


--
Eric Ziegast




[vchkpw] Safe closing of DB connections - it was Re: [vchkpw] chkuser 2.0

2004-10-14 Thread tonix (Antonio Nati)
At 14/10/2004 14/10/2004 -0500, you wrote:
Several people, myself included, are still seeing problems with MySQL 
under a large usage. So far I have not been able to get to the cause of 
the problem other than to convince myself I have no network or MySQL 
issues. I don't know C well enough to add debug code or create a patch for 
this, but I am still having users who have to authenticate twice and the 
MySQL errors I record point to improper closing of the tables, causing a 
communication failure.
I feel most of the critical closing routines (for any MySQL or DB or 
socket or file) should be chained using an atexit() function.

Calls chained using atexit are always called when program is exiting in the 
normal way (i.e. excluding some special SIG).

That would guarantee that ANY normal program will ALWAYS close opened 
connections.

It should be simple enough to implement such a control.
Each DB module could be coded like (sorry for the strange metacode used here):
static int dbopened = 0;
safeclosedb ()
{
  if (dbopened == 1) {
    close (DB);
    dbopened = 0;
  }
}
..
open (DB);
if ERROR {
  go away
}
dbopened = 1;
atexit (safeclosedb)
...
...
...
close (DB);
dbopened = 0;
.
Ciao,
Tonino
I can give details if interested, and I am willing to be the guinea pig 
and test the code.

DAve

--
Systems Administrator
http://www.tls.net
Get rid of Unwanted Emails...get TLS Spam Blocker!

[EMAIL PROTECTED]Interazioni di Antonio Nati
   http://www.interazioni.it  [EMAIL PROTECTED]
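
The point made in this message and in the 2004-10-21/22 messages above (a guarded close registered with atexit() runs on exit() but is skipped by _exit(), which is why the _exit() wrapper was proposed), as an added example that is not part of the original posts or of the chkuser/vpopmail code. The "DB connection" is a constructed stand-in (a pipe), and safe_close_db, cleaning_exit and close_ran are hypothetical names.

```c
/* Added example: atexit() handlers vs _exit(), with a pipe standing in
   for the MySQL connection. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static int db_fd = -1;     /* constructed stand-in for the DB handle */
static int db_opened = 0;  /* same guard flag as in the metacode */

/* Idempotent close: safe to call explicitly and again from atexit(). */
static void safe_close_db(void)
{
    if (db_opened == 1) {
        /* a clean close is made observable as one byte on the pipe */
        if (write(db_fd, "C", 1) != 1) { /* nothing useful to do here */ }
        close(db_fd);
        db_opened = 0;
    }
}

/* Wrapper in the spirit of the "#define _exit(a) ..." override:
   clean up first, then leave without running atexit() handlers. */
static void cleaning_exit(int code)
{
    safe_close_db();
    _exit(code);
}

enum exit_path { VIA_EXIT, VIA_UNDERSCORE_EXIT, VIA_WRAPPER };

/* Fork a child that "opens the DB", registers the atexit() handler and
   leaves through the chosen path. Returns 1 if the clean close ran in
   the child, 0 if the connection was simply dropped, -1 on error. */
int close_ran(enum exit_path path)
{
    int p[2];
    pid_t pid;
    char c = 0;
    ssize_t n;
    int status;

    if (pipe(p) == -1)
        return -1;
    fflush(NULL);                 /* do not duplicate buffered output */
    pid = fork();
    if (pid == -1) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    if (pid == 0) {               /* child: plays the qmail-smtpd role */
        close(p[0]);
        db_fd = p[1];
        db_opened = 1;
        if (atexit(safe_close_db) != 0)
            _exit(2);
        switch (path) {
        case VIA_EXIT:            exit(0);          /* handlers run */
        case VIA_UNDERSCORE_EXIT: _exit(0);         /* handlers skipped */
        case VIA_WRAPPER:         cleaning_exit(0); /* explicit cleanup */
        }
        _exit(1);
    }
    close(p[1]);                  /* parent: observe what the child did */
    n = read(p[0], &c, 1);        /* 0 bytes means no clean close */
    close(p[0]);
    waitpid(pid, &status, 0);
    return (n == 1 && c == 'C') ? 1 : 0;
}

int main(void)
{
    printf("exit():        clean close ran = %d\n", close_ran(VIA_EXIT));
    printf("_exit():       clean close ran = %d\n",
           close_ran(VIA_UNDERSCORE_EXIT));
    printf("_exit wrapper: clean close ran = %d\n", close_ran(VIA_WRAPPER));
    return 0;
}
```
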



Re: [vchkpw] chkuser 2.0

2004-10-13 Thread tonix (Antonio Nati)


At 13/10/2004 13/10/2004 -0500, you wrote:
as a suggestion, would it be
possible to have a definition placed into 
vpopmail.h such as:
#define HAVE_VAUTH_OPEN
that way programs that link against vpopmail can support both methods
without 
any user intervention, and also this way, if say perhaps the postgres
code 
doesn't have vauth_open, and the mysql does, etc, so someone linking
against 
it need not worry about it :)
Hopefully that made sense :)

Would be great!
Continuing on the same line, is there anything I can already check in
order to simplify integration of obsolete vget_real_domain()
function?
Tonino










Re: [vchkpw] chkuser starting variable not working

2004-10-13 Thread tonix (Antonio Nati)
At 13/10/2004 13/10/2004 -0700, you wrote:
Hello all,
I am having a problem with getting the CHKUSER_STARTING_VARIABLE to work
with my system. When I use this setting when compiling qmail chkuser doesn't
work at all. However when I use the  CHKUSER_ALWAYS_ON it works fine.
Did you enable bouncing for your domains (use qmailadmin for setting bouncing)?
What is the content of your .qmail-default file?
(You can find more hints in 
http://www.interazioni.it/opensource/chkuser/documentation/enabling.html).

Here is my chkuser.h file:
chkuser.h is useless here. Settings are within chkuser_settings.h .
Ciao,
Tonino
Stefan




Re: [vchkpw] chkuser starting variable not working

2004-10-13 Thread tonix (Antonio Nati)
At 13/10/2004 13/10/2004 -0700, you wrote:
Hello all,
I am having a problem with getting the CHKUSER_STARTING_VARIABLE to work
with my system. When I use this setting when compiling qmail chkuser doesn't
work at all. However when I use the  CHKUSER_ALWAYS_ON it works fine.
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
CHKUSER_START=DOMAIN
You should export CHKUSER_START, otherwise it will be unavailable to 
tcpserver and derived programs.

Ciao,
Tonino

Stefan




Re: [vchkpw] Integration with maildrop as default deliver?

2004-10-08 Thread tonix (Antonio Nati)



You could try keeping commented as first line in .qmail-default the same
line usually written by qmailadmin inside .qmail-default when bouncing is
enabled.
Or you could use chkuser patch, enabling it always or adding a commented
line, containing bounce-no-mailbox to
.qmail-default (see
www.interazioni.it/opensource).
Ciao,
Tonino
At 08/10/2004 08/10/2004 +0200, you wrote:
Hi
I have been fighting with the integration between maildrop and vpopmail
using qmail for quite some time now! Every time I solve one problem, a
new one appears...
I'm sure, that many people is doing as I do, so I would like to get a few
hints or two :-)
My wish is to use qmail as MTA, vpopmail (and tools) as domain/user
administration and sqwebmail as webmail, so that my users can configure
their own mailfilters.
This is running entirely on a closed server, where all users is virtual
users - no Unix user here...
The solution I have now is, that I convert vpopmail password files to
maildrop/courier-imap userdb format and the in each domain, I make a
.qmail-default, which contains
| /usr/bin/maildrop -d [EMAIL PROTECTED]
This works (it reads the users .mailfilter and processes it), but it have
two problems:
1: if the users does not exist, delivery is deferred and not
bounced
2: the nice vpopmail feature, where domain administrators can choose to
bounce or redirect non-existing users mails does of course now work as I
do now uses vdelivermail at all.
My guess is, that the best(!) solution would be to hack vdelivermail to
always deliver mail using maildrop -d [EMAIL PROTECTED]
What are you guys doing?
I have searched the archives for answers, but the proposed solutions is
all not perfect...
Best regards,
Karsten










Re: [vchkpw] SIMSCAN

2004-09-28 Thread tonix (Antonio Nati)
At 27/09/2004 27/09/2004 -0300, you wrote:
i am running simscan with vpopmail user.
I feel you should run simscan as qmaild user, as vpopmail user cannot write 
in qmail spool archives.

but when i set the QMAILQUEUE to simscan i receive this message. (unable to
exec qq)
That should be the reason: no permission for vpopmail user.
Ciao,
Tonino

Itamar Reis Peixoto
Analista Consultor
TreyNet Consultoria - Uberlândia
Tel : + 55 34 3231 0598
Cel:  +55 38 9107 1250
http://www.treynet.com.br




Re: [vchkpw] SIMSCAN working directory privs

2004-09-28 Thread tonix (Antonio Nati)
At 28/09/2004 28/09/2004 +0200, you wrote:
Simscan creates the working directory with a privilege of 700. in this way 
clamd
must run with the same owner of simscan to access the msg.
They work on the same files (and only on those files), so why should they 
have different users?

I feel this design to be very safe, because clamd should be dedicated to 
e-mail only.
There should be more safety having them only accessing the files with the 
same uid/permissions.

To complete the security of the system, clamd client should be activated by 
simscan user only.

Changing the privilege to 755 clamd and spamd can access the working
directory regardless of clamd process user.
mod 755 means every one in the system may access those files.
Ciao,
Tonino
To apply the change -  search this
  /* create the directory */
  if ( mkdir(workdir, 0700) == -1 ) {
    _exit(EXIT_400);
  }
and replace with this
  /* create the directory */
  if ( mkdir(workdir, 0755) == -1 ) {
    _exit(EXIT_400);
  }
--
Fa




Re: [vchkpw] mail from patch

2004-09-27 Thread tonix (Antonio Nati)
At 27/09/2004 27/09/2004 -0300, you wrote:
i have to user on my vpopmail machine
[EMAIL PROTECTED]
[EMAIL PROTECTED]
I am using an authenticated smtp
the [EMAIL PROTECTED] can send mail using my smtp server using
[EMAIL PROTECTED] as mailfrom
Yes, it can: but its real address is written inside e-mail headers (if 
you're using authenticated smtp).

Tonino

can you understand - me ?

- Original Message -
From: tonix (Antonio Nati) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, September 27, 2004 2:33 PM
Subject: Re: [vchkpw] mail from patch

 You could also set up an authenticated SMTP server, and modify its code to
 accept only authenticated users.

 I do this for my relay system.

 Tonino

 At 27/09/2004 27/09/2004 -0500, you wrote:
 On Monday 27 September 2004 11:45 am, Itamar Reis Peixoto wrote:
   There is a patch to qmail deliver messages only if sender exist in
vpopmail
   table ?
 
 you wouldn't get much email.  Including this one.  If you are trying to
 restrict mail from outside, simply make your smtp server not listen on
the
 outside, either by configuring your firewall or changing your superserver
 configuration.
 
 -Jeremy
 
 --
 Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies,
Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 815.776.9465
int'l
  kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
 GnuPG Key ID: 481BF7E2 ++ scriptkitchen.com/kitchen.asc

 
  [EMAIL PROTECTED]Interazioni di Antonio Nati
 http://www.interazioni.it  [EMAIL PROTECTED]
 






Re: [vchkpw] chkuser 2.0 - doc typos

2004-09-24 Thread tonix (Antonio Nati)
Of course, there are a lot of typos and errors (all docs have been written 
in few days and, first of all, English is not my mother language), so thanks 
anyone for warning me:  write directly to [EMAIL PROTECTED]

Ciao,
Tonino
At 23/09/2004 23/09/2004 -0600, you wrote:
Tonix, change this
who's sending to who
to
who's sending to whom
Ciao,
Remo
- Original Message -
From: tonix (Antonio Nati) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 23, 2004 4:16 PM
Subject: [vchkpw] chkuser 2.0

 chkuser 2.0 has been released.

 New version is available on: http://www.interazioni.it/opensource/chkuser.

 These are the most evident changes:
  - new design, a lot more easy to install and update
  - extended logging
  - flexible and powerful tarpitting
  - quota checking
  - Makefile working with every vpopmail database (cdb, MySQL,
LDAP,
 Postgres, etc.)
  - a lot of chkuser settings added
  - change of name, from chkusr to chkuser.

 2.0 has been tested and put in production for more than one month, then
 other people have tested it before this public release (thanks to Juergen
 Kendzorra, Remo Mattei, Bill Shupp, Machiel Kuitert).

 As usual, test it deeply before putting on production system.

 Tonino


 
  [EMAIL PROTECTED]Interazioni di Antonio Nati
 http://www.interazioni.it  [EMAIL PROTECTED]
 






[vchkpw] chkuser 2.0

2004-09-23 Thread tonix (Antonio Nati)
chkuser 2.0 has been released.
New version is available on: http://www.interazioni.it/opensource/chkuser.
These are the most evident changes:
- new design, a lot more easy to install and update
- extended logging
- flexible and powerful tarpitting
- quota checking
- Makefile working with every vpopmail database (cdb, MySQL, LDAP, 
Postgres, etc.)
- a lot of chkuser settings added
- change of name, from chkusr to chkuser.

2.0 has been tested and put in production for more than one month, then 
other people have tested it before this public release (thanks to Juergen 
Kendzorra, Remo Mattei, Bill Shupp, Machiel Kuitert).

As usual, test it deeply before putting on production system.
Tonino




Re: [vchkpw] chkuser 2.0

2004-09-23 Thread tonix (Antonio Nati)


At 23/09/2004 23/09/2004 -0400, you wrote:
I didn't see anything in the
docs or change logs specifically regarding the mysql connection problem
that sometimes crops up with vpopmail. Has this been addressed
?

Yes, chkuser 2.0 includes a new call, vauth_open(), that Rick Widmer told
is in vpopmail CVS, and will be able to return the status of
connection.
As default this call is disabled, and should be enabled (uncommenting
#define CHKUSER_ENABLE_VAUTH_OPEN in chkuser_settings.h) when this
call is released.


Ciao,
Tonino

Regards,
Rick









Re: [vchkpw] troubleshooting chkusr

2004-09-05 Thread tonix (Antonio Nati)
Are all .qmail-default rsynced?
Have rcpthosts and morercpthosts been copied as well?
You can put a printf - out() - at the beginning of each case, and after the 
rcpthosts checking, and see what's happening.

Tonino
At 04/09/2004 04/09/2004 -0400, you wrote:
On Fri, 3 Sep 2004, tonix (Antonio Nati) wrote:
chkusr is not working because it can't read .qmail-default, so, or chkusr 
is not running as vpopmail, or .qmail-default is not readable by vpopmail 
users.

It means you're running qmail-smtpd on the secondary server with 
different uid/gid/privileges.
I did give that a quick check:
vpopmail 13766  0.0  0.1  4208  944 ?SSep01   0:00 tcpserver 
-v -l nico.bway.net -H -R -c70 -t5 -S -x /home/vpopmail/etc/tcp.smtp.cdb 
-u 89 -g 89 0 26 rblsmtpd -t 2 -r sbl.spamhaus.org qmail-smtpd 
/home/vpopmail/bin/vchkpw /usr/bin/true
[EMAIL PROTECTED]:~$ id vpopmail
uid=89(vpopmail) gid=89(vchkpw) groups=89(vchkpw)

[EMAIL PROTECTED]:~$ ls -al ~vpopmail/domains/|more
total 114
drwxr-xr-x  99 root root   3072 Sep  6  2004 .
drwxr-xr-x   8 vpopmail vchkpw 1024 Sep  6  2004 ..
drwx--  92 vpopmail vchkpw 3072 Jul 28 13:20 0
drwx--  96 vpopmail vchkpw 3072 Jul 15 18:57 1
drwx--  94 vpopmail vchkpw 3072 Aug 27 18:21 2
drwx--   2 vpopmail vchkpw 1024 Jul 19 17:24 2021blah.com
[etc..]
Any other ideas?  Any good places in the patched qmail-smtpd to put some 
debug printf's?

Thanks,
Charles

Tonino
At 03/09/2004 03/09/2004 -0400, you wrote:
Hi,
We've got qmail/vpopmail running fine with the latest chkusr patch from 
Bill's page (http://www.shupp.org/).
Our backup mxer has been running sendmail for ages, and we'd like to 
move it to qmail.  We'd also like put vpopmail on there just so we can 
reject bogus addresses on there as well rather than queuing them and 
having them bang on the main mxer each time the queue runs.
I've got qmail and vpopmail compiled there.  Started with netqmail and 
then Bill's big jumbo patch and the chkusr patch.  There's a daily rsync 
of the ~vpopmail/domains tree (.qmail-* only) to the backup mxer.  We're 
testing on an alternate port (26).  Everything works fine except chkusr 
is not blocking anything; I can enter a totally bogus address and it's 
accepted.
Any ideas?
Thanks,
Charles

   [EMAIL PROTECTED]Interazioni di Antonio Nati
  http://www.interazioni.it  [EMAIL PROTECTED]






Re: [vchkpw] troubleshooting chkusr

2004-09-03 Thread tonix (Antonio Nati)
chkusr is not working because it can't read .qmail-default, so, or chkusr 
is not running as vpopmail, or .qmail-default is not readable by vpopmail 
users.

It means you're running qmail-smtpd on the secondary server with different 
uid/gid/privileges.

Tonino
At 03/09/2004 03/09/2004 -0400, you wrote:
Hi,
We've got qmail/vpopmail running fine with the latest chkusr patch from 
Bill's page (http://www.shupp.org/).

Our backup mxer has been running sendmail for ages, and we'd like to move 
it to qmail.  We'd also like put vpopmail on there just so we can reject 
bogus addresses on there as well rather than queuing them and having them 
bang on the main mxer each time the queue runs.

I've got qmail and vpopmail compiled there.  Started with netqmail and 
then Bill's big jumbo patch and the chkusr patch.  There's a daily rsync 
of the ~vpopmail/domains tree (.qmail-* only) to the backup mxer.  We're 
testing on an alternate port (26).  Everything works fine except chkusr is 
not blocking anything; I can enter a totally bogus address and it's accepted.

Any ideas?
Thanks,
Charles




Re: [vchkpw] chkuser patch

2004-07-11 Thread tonix (Antonio Nati)
Jeremy,
pls switch to private, as I need more info on serial mail.
Tonino
At 11/07/2004 11/07/2004 -0400, you wrote:
On Wednesday, July 07, 2004 5:32 AM, tonix (Antonio Nati) wrote:
 I'm preparing chkuser 2.0, that will integrate all these changes, and will
 improve a lot of other things.
Hi, Antonio
Could you make chkusr work with djb's serialmail
(http://cr.yp.to/serialmail.html) ?
instead of just having a .qmail-1:2:3:4-default, bounce-no-mailbox could
be in the default, and have the rest of the .qmail-1:2:3:4-usernames, like
normal..

Jeremy Kister
http://jeremy.kister.net/

[EMAIL PROTECTED]Interazioni di Antonio Nati
   http://www.interazioni.it  [EMAIL PROTECTED]



Re: [vchkpw] chkuser patch

2004-07-08 Thread tonix (Antonio Nati)
At 07/07/2004 07/07/2004 -0400, you wrote:
There's some larger issue here that involves a moderately loaded machine
running both mysql and qmail (and incidentally, vpopmail) having trouble
getting some sql queries out in time.  The mysql people (mostly Zawodny)
don't think it's a bug/problem with mysql but that qmail can easily swamp
a system to the point that mysql bogs down, even with all the tables
cached in memory.
For most vpopmail operations, it's not a big deal; an occasional login
failure or mail being deferred.  But on the chkusr side, a mysql burp
leads to rejected mail.

Personally, I feel MySQL is unsafe for such operations, and I'll switch to 
OpenLDAP sooner or later.

I'm really worried about MySQL reliability. When I used cdb I did not have 
a problem for years. Now the message "MySQL server is gone" terrifies me.

 This is a known problem, that will be resolved as vpopmail will
 integrate such checks (I've been told these checks on DB connects are
 going to be put inside vpopmail CVS).
I hope that gets backported to 5.4.x, sounds like a good fix.
 I'm preparing chkuser 2.0, that will integrate all these changes, and
 will improve a lot of other things.
Excellent.  I also have a coworker looking at the patch to see if he can
build a workaround.  I'm also considering just changing the patch to
return a temporary failure.  Considering most of what chkusr blocks is
spam, why not let it queue on the remote end?  Nasty, but oddly
appropriate.
Charles,
if you are willing to test, I'll send you a pre-release of chkuser 2.0, so 
your coworker may test new vpopmail vauth_open routines and new chkuser 
functionalities.

I just need one week to release a fully working and tested pre-release.
Tonino

[EMAIL PROTECTED]Interazioni di Antonio Nati
   http://www.interazioni.it  [EMAIL PROTECTED]
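
The temporary-failure idea raised in the message above, as an added sketch that is not part of the thread and is not chkuser or vpopmail code: a recipient check that retries a failed user-database lookup and, if the backend stays down, answers 451 so the sending server queues and retries instead of getting a permanent 550. All names (`rcpt_reply`, `flaky_lookup`, the sample address) are hypothetical, and the flaky database is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one user-database lookup (hypothetical names, not chkuser's). */
enum lookup { USER_FOUND, USER_MISSING, BACKEND_DOWN };

typedef enum lookup (*lookup_fn)(const char *rcpt, void *ctx);

/* Decide the SMTP reply code for RCPT TO. A backend error is retried up to
 * max_tries times; if it persists the reply is 451 (sender retries later),
 * never 550 (permanent reject) and never 250 (accepting unverified). */
int rcpt_reply(const char *rcpt, lookup_fn lookup, void *ctx, int max_tries)
{
    for (int i = 0; i < max_tries; i++) {
        switch (lookup(rcpt, ctx)) {
        case USER_FOUND:   return 250;
        case USER_MISSING: return 550;
        case BACKEND_DOWN: break;      /* transient: leave switch, try again */
        }
    }
    return 451;
}

/* Constructed stand-in for a user database that fails its first N queries. */
struct flaky_db { int failures_left; int calls; };

enum lookup flaky_lookup(const char *rcpt, void *ctx)
{
    struct flaky_db *db = ctx;
    db->calls++;
    if (db->failures_left > 0) { db->failures_left--; return BACKEND_DOWN; }
    return strcmp(rcpt, "charles@example.com") == 0 ? USER_FOUND : USER_MISSING;
}

int main(void)
{
    struct flaky_db burp = { 1, 0 }, outage = { 100, 0 };
    /* One failed query, then success: the valid user is still accepted. */
    printf("%d\n", rcpt_reply("charles@example.com", flaky_lookup, &burp, 3));
    /* Backend down for every try: defer instead of rejecting valid mail. */
    printf("%d\n", rcpt_reply("charles@example.com", flaky_lookup, &outage, 3));
    return 0;
}
```

The retry bound matters on a loaded machine: each extra try holds the SMTP connection open, so a small `max_tries` keeps a database outage from tying up smtpd processes.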


