Tim van Erven | 1 Jan 2003 03:15

Re: '.' and '/' in usernames

On Tue, 31/12/2002 08:52 +0300, Solar Designer wrote:
> On Tue, Dec 31, 2002 at 06:07:26PM +0100, Tim van Erven wrote:
>> Popa3d rejects usernames with dots ('.') in them and I believe it also
>> rejects usernames containing any slashes ('/'), though I haven't tested
>> the latter.
> 
> No, it doesn't.  The code you're referring to is only an example of
> setting up virtual domains.  It's not used for Unix accounts, and
> actual virtual domain setups may use different user database formats,
> possibly without such restrictions.

I see.

>> AFAICT, rfc 1939 allows usernames consisting of any printable ASCII
>> characters (and being no longer than 40 characters). Surely '.' and '/'
>> are printable characters.
> 
> That's true, but it doesn't mean that a POP3 server (setup) which
> disallows these characters isn't RFC-compliant.  The RFC doesn't
> require that it's possible for a server admin to create such
> usernames, it merely specifies that such usernames may be passed over
> the POP3 protocol.

Ah, very informative.

Thanks for clearing those up.

-- 
Tim van Erven <tve@...>
OpenPGP Key ID: 712CB811        Fingerprint: F6C9 61EE 242C C012 36D5

Tim van Erven | 1 Jan 2003 03:54

Add (virtual) user perlscript

I've written a simple perl script[1] to add users for popa3d when using
the example database format for virtual domains as implemented in
virtual.c.  It isn't very user-friendly in that it could be a security
risk if directory permissions aren't set correctly.  However, it might
be useful as a starting point for creating a custom setup.

See my mail to the debian-security mailing list[2] for a description of
the setup I'm using it on.

Tim

1. http://gene.wins.uva.nl/~talerven/software/
2. http://lists.debian.org/debian-security/2002/debian-security-200212/
   msg00103.html (this should of course be on a single line) 

-- 
Tim van Erven <tve@...>
OpenPGP Key ID: 712CB811        Fingerprint: F6C9 61EE 242C C012 36D5
WWW: http://www.science.uva.nl/~talerven/    BBF8 6310 D557 712C B811

Solar Designer | 3 Jan 2003 02:26

Re: Add (virtual) user perlscript

On Wed, Jan 01, 2003 at 03:54:32AM +0100, Tim van Erven wrote:
> I've written a simple perl script[1] to add users for popa3d when using
> the example database format for virtual domains as implemented in
> virtual.c.  It isn't very user-friendly in that it could be a security
> risk if directory permissions aren't set correctly.  However, it might
> be useful as a starting point for creating a custom setup.

Thanks.

I've added a link to it to the contributed resources list on the
popa3d homepage.  I'd like to also place it in contrib/ on my FTP (and
thus on all the mirrors), but before that you might want to fix two
things:

1. You have the auth files readable by group popa3d.  Why?  That
shouldn't be needed and only makes things worse in case of a user
popa3d compromise.

2. You set $virtual_mail_owner to user mail.  It would be safer to use
a dedicated pseudo-user (or better yet, a pseudo-user per domain, but
that may be harder to configure in your delivery agent).  The reason
it's not good to re-use user mail is that in this case popa3d is granted
a privilege it doesn't need: ability to access the entire global mail
spool.  Should there be a post-authentication vulnerability in popa3d,
it would now allow destroying all mail on the system or, even worse,
place traps in /var/{spool/,}mail that would result in a subsequent
root compromise via other mail-related services you might have.  This
setup goes against the design of popa3d.

> See my mail to the debian-security mailing list[2] for a description of

Tim van Erven | 4 Jan 2003 01:33

Re: Add (virtual) user perlscript

On Fri, 03/01/2003 04:26 +0300, Solar Designer wrote:
> On Wed, Jan 01, 2003 at 03:54:32AM +0100, Tim van Erven wrote:
>> I've written a simple perl script[1] to add users for popa3d when using

...

> I've added a link to it to the contributed resources list on the
> popa3d homepage.  I'd like to also place it in contrib/ on my FTP (and
> thus on all the mirrors), but before that you might want to fix two
> things:
> 
> 1. You have the auth files readable by group popa3d.  Why?  That
> shouldn't be needed and only makes things worse in case of a user
> popa3d compromise.
> 
> 2. You set $virtual_mail_owner to user mail.  It would be safer to use
> a dedicated pseudo-user (or better yet, a pseudo-user per domain, but
> that may be harder to configure in your delivery agent).  The reason
> it's not good to re-use user mail is that in this case popa3d is granted
> a privilege it doesn't need: ability to access the entire global mail
> spool.  Should there be a post-authentication vulnerability in popa3d,
> it would now allow destroying all mail on the system or, even worse,
> place traps in /var/{spool/,}mail that would result in a subsequent
> root compromise via other mail-related services you might have.  This
> setup goes against the design of popa3d.

Should be fixed in version 1.1, which is available from my website. It
also contains a few other improvements.  See the changelog[2] for
details.


Nuno Teixeira | 25 Jan 2003 21:42

"was not the expected length ..." errors


    Hi,

    I'm new to this list.

    My server is running qpopper without problems, but I'm very curious 
    about popa3d because it is very simple and secure, as a lot of people say.

    I'm making tests with fetchmail on FreeBSD 5.0R and it gives the error: 
    "... was not the expected length (608 actual != 610 expected)" but it 
    fetches the mail ok.

    It seems that it is a fetchmail problem but it only happens with popa3d 
    and not with qpopper.

    Can anyone help me?

    Thanks very much,

    		Nuno Teixeira

-- 

/*
PGP fingerprint:
C6D1 06ED EB54 A99C 6B14  6732 0A5D 810D 727D F6C6
*/

Solar Designer | 26 Jan 2003 05:45

Re: "was not the expected length ..." errors

On Sat, Jan 25, 2003 at 08:42:39PM +0000, Nuno Teixeira wrote:

Hi,

>     I'm making tests with fetchmail on FreeBSD 5.0R and it gives the error: 
>     "... was not the expected length (608 actual != 610 expected)" but it 
>     fetches the mail ok.

Thanks a lot for your report.

Actually, this appears to be a bug I've introduced in popa3d 0.4.9.3.
Before this version, popa3d would often include the mailbox separator
trailing empty line in messages.  I decided that I don't like this
(the line is a part of the mailbox format, not a part of the messages)
and killed this property in 0.4.9.3.  Unfortunately, this lack of an
empty line triggered a bug in Outlook Express (now worked around in
0.5.9 by still adding the empty line whenever necessary for MSOE), and
as you have now noticed I forgot to update the reported message length
accordingly.  I wish someone who uses fetchmail had reported this earlier.
Other POP3 clients clearly don't do this check because it doesn't
really affect anything (there's a more reliable way to see when a
whole message has been received).

Please test the patch below (against 0.5.9) and let me know if it
solves the problem for you.  I will then include it in the release.

diff -ur popa3d-0.5.9/mailbox.c popa3d-0.5.9-size-fix/mailbox.c
--- popa3d-0.5.9/mailbox.c	Sun Sep  8 13:52:57 2002
+++ popa3d-0.5.9-size-fix/mailbox.c	Sun Jan 26 07:30:26 2003
@@ -227,6 +227,7 @@

Nuno Teixeira | 26 Jan 2003 17:18

Re: "was not the expected length ..." errors


    Hi,

    I'm very happy to be helping you with this bug.

    Well, I'm using the popa3d-0.5.1 FreeBSD port, and I applied the changes
    manually in mailbox.c and the problem is solved.

    The FreeBSD popa3d port maintainer is Sergey Samoyloff 
    <gonza@...>. I think that I can send him the patch for 
    popa3d-0.5.1.

    Please tell me if the patch is correct for this version (attached to 
    this message).

    Thanks very much,

    		Nuno Teixeira   

On Sun, Jan 26, 2003 at 07:45:52AM +0300, Solar Designer wrote:
> On Sat, Jan 25, 2003 at 08:42:39PM +0000, Nuno Teixeira wrote:
> 
> Hi,
> 
> >     I'm making tests with fetchmail on FreeBSD 5.0R and it gives the error: 
> >     "... was not the expected length (608 actual != 610 expected)" but it 
> >     fetches the mail ok.
> 
> Thanks a lot for your report.
> 

Solar Designer | 26 Jan 2003 17:55

Re: "was not the expected length ..." errors

On Sun, Jan 26, 2003 at 04:18:39PM +0000, Nuno Teixeira wrote:
>     Well, I'm using popa3d-0.5.1 FreeBSD port, and I apply the changes 
>     manually in mailbox.c and the problem is solved.

Thanks for testing, I will now apply the changes.

>     The FreeBSD popa3d port maintainer is Sergey Samoyloff 
>     <gonza@...>. I think that I can send him the patch for 
>     popa3d-0.5.1.
>     
>     Please tell me if the patch is correct for this version (attached to 
>     this message).

No, it isn't.  This will fail with body-less messages (these are the
ones affected by the MSOE bug workaround in 0.5.9, the patch I sent
you assumes it).

I suggest that the FreeBSD port be updated to 0.5.9 + the patch, or to
0.6 once I release it.

-- 
/sd
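
The length mismatch Solar Designer explains above, together with the body-less message caveat from his second reply, as an added Python model that is not popa3d's code: the octet count announced in STAT/LIST has to be derived from exactly the lines RETR will send. The workaround rule used here (append an empty line only when a message has no body at all), the server variants and the sample mbox messages are assumptions constructed for the illustration.

```python
# Added illustration, not popa3d's code: why a POP3 server's announced size
# must be computed over the very same lines that RETR transmits.
CRLF = b"\r\n"

# Constructed sample mbox messages (LF endings, as stored on disk). Each ends
# with the mailbox separator empty line, which is part of the mbox format.
WITH_BODY = ("From a@example.invalid Sat Jan 25 20:00:00 2003\n"
             "From: a@example.invalid\nSubject: hi\n\nbody line\n\n")
BODY_LESS = ("From a@example.invalid Sat Jan 25 20:01:00 2003\n"
             "From: a@example.invalid\nSubject: empty\n\n")

def message_lines(raw, keep_separator):
    """Lines the server treats as the message: the 'From ' envelope line is
    dropped; the trailing mbox separator line is kept only on request."""
    lines = raw.split("\n")[1:]
    lines.pop()                          # artefact of the final newline
    if not keep_separator and lines[-1] == "":
        lines.pop()                      # drop the mbox separator line
    return lines

def msoe_workaround(lines):
    """Assumed model of the 0.5.9 behaviour: append the empty line only when
    the message has no header/body separator at all."""
    return lines if "" in lines else lines + [""]

def reported_size(lines):
    """Octets announced in STAT/LIST: each line plus its CRLF terminator."""
    return sum(len(line.encode()) + len(CRLF) for line in lines)

def retr_octets(lines):
    """Octets actually sent by RETR (dot-stuffing left out for brevity)."""
    return b"".join(line.encode() + CRLF for line in lines)

def client_check(expected, actual):
    """fetchmail-style sanity check; returns the error text or None."""
    if len(actual) != expected:
        return "was not the expected length (%d actual != %d expected)" % (
            len(actual), expected)
    return None

def buggy_server(raw):
    """Models 0.4.9.3: RETR no longer sends the separator line, but the size
    is still computed as though it were sent (off by one CRLF)."""
    return (reported_size(message_lines(raw, True)),
            retr_octets(message_lines(raw, False)))

def fixed_server(raw):
    """Size and RETR body are derived from one and the same line list."""
    lines = msoe_workaround(message_lines(raw, False))
    return reported_size(lines), retr_octets(lines)

def naive_fix_server(raw):
    """A fix that ignores the workaround: correct for messages with a body,
    off by one CRLF for a body-less message once the empty line is added."""
    lines = message_lines(raw, False)
    return reported_size(lines), retr_octets(msoe_workaround(lines))
```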

Nuno Teixeira | 26 Jan 2003 18:07

Re: "was not the expected length ..." errors


    Hi,

    OK. I understand it. I will talk to the FreeBSD port maintainer to see if he
    can update the port.

    Thanks very much,

    		Nuno Teixeira

    
On Sun, Jan 26, 2003 at 07:55:52PM +0300, Solar Designer wrote:
> On Sun, Jan 26, 2003 at 04:18:39PM +0000, Nuno Teixeira wrote:
> >     Well, I'm using popa3d-0.5.1 FreeBSD port, and I apply the changes 
> >     manually in mailbox.c and the problem is solved.
> 
> Thanks for testing, I will now apply the changes.
> 
> >     The FreeBSD popa3d port maintainer is Sergey Samoyloff 
> >     <gonza@...>. I think that I can send him the patch for 
> >     popa3d-0.5.1.
> >     
> >     Please tell me if the patch is correct for this version (attached to 
> >     this message).
> 
> No, it isn't.  This will fail with body-less messages (these are the
> ones affected by the MSOE bug workaround in 0.5.9, the patch I sent
> you assumes it).
> 
> I suggest that the FreeBSD port be updated to 0.5.9 + the patch, or to

Michael Dengler | 29 Jan 2003 03:49

[popa3d] Please save my sanity!!!

Hi,

I am attempting to use popa3d and POP-BEFORE-SMTP.
Here's what I've done:

grabbed the source from openwall (v0.4 because it is the only one that
has the P-B-SMTP patch. Is P-B-SMTP built-in in v0.5.1? If so how do I
enable it?).

Followed the INSTALL instructions and the instructions in the P-B-SMTP
patch (edited params.h, Makefile to be a non-standalone
POP_STANDALONE=0)

did "makemap hash /etc/mail/popauth </dev/null" to create the popauth.db

made sure inetd.conf was correct and re-started.

OK....

No matter what e-mail client I use, I get a "Server un-expectedly closed
the connection" (or something similar)

So I tried this:

root@newmail:/usr/sbin# telnet newmail 110
Trying 192.1.200.175...
Connected to newmail
Escape character is '^]'.
+OK
USER mike