Darek | 23 Apr 2013 22:05

SMTP AUTH allows any sender via SSL, but only correct auth via non-SSL

Hi there, I'm running Qmail on FreeBSD 9.1 (port version qmail-1.03_8) with the SMTP-AUTH patch from ports.  I run it using tcpserver and daemontools, with the exact file, except the smtps port running through stunnel.

The non-SSL process does correct user lookups and fails incorrect authentication.

The SSL one gladly accepts any random string for user and pass and allows relay.  I am running the same commands, only adding stunnel for the second one.  A bit lost as to why this is happening.  Below I use the same base64 encoded string for the login, both attempts from an untrusted source, not allowed to relay anywhere.

$ perl -MMIME::Base64 -e 'print encode_base64("some-random-string");'
c29tZS1yYW5kb20tc3RyaW5n

$ telnet mail.server.net 25
Trying 1.2.3.4...
Connected to mail.server.net .
Escape character is '^]'.
220 mail.server.net ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
c29tZS1yYW5kb20tc3RyaW5n
334 UGFzc3dvcmQ6
c29tZS1yYW5kb20tc3RyaW5n
535 authorization failed (#5.7.0)
^]

$ openssl s_client -crlf -connect mail.server.net:465
<...ssl stuff here...>
220 mail.server.net ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
c29tZS1yYW5kb20tc3RyaW5n
334 UGFzc3dvcmQ6
c29tZS1yYW5kb20tc3RyaW5n
235 ok, go ahead (#2.0.0)
^]


# cat /service/qmail-smtpd/run
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000                               \
        /usr/local/bin/tcpserver -H -R -l 0 -v                          \
        -x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD"  \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp                 \
        /var/qmail/bin/qmail-smtpd 0                                    \
        /usr/local/vpopmail/bin/vchkpw true 2>&1



# cat /service/qmail-smtpds/run
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000                               \
        /usr/local/bin/tcpserver -H -R -l 0 -v                          \
        -x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD"          \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtps                        \
        /usr/local/sbin/stunnel                                         \
          -p /opt/ssl/certificate.stunnel.crt                \
          -A /opt/ssl/GT_True_BusinessID_and_Enterprise_SSL_Intermediate_bundle.pem \
          -l /var/qmail/bin/qmail-smtpd 0                               \
          /usr/local/vpopmail/bin/vchkpw true 2>&1

Anyone know what I should look at?  Let me know if there's any other info I should provide.

I'm running stunnel 3.x simply for compatibility (4.x doesn't support command line args).  I could upgrade that but doubt this should be my problem.

--
Thanks,
Darek
Jason Haar | 23 Apr 2013 02:54

Re: weird issue with email to <at> jud.ca.gov

On 23/04/13 12:31, John Levine wrote:
> The ANY query works around a BIND bug that was fixed 15 years ago
> (really, in about 1998) so I encourage everyone to use this patch to
> change it to the CNAME query it should have been making all along:
> http://www.memoryhole.net/qmail/any-to-cname.patch
> R's, John 

[cross-posted from djbdns list]

Not to contradict DJB, but it does look like all the ANY query does is
try to see if there is a CNAME for the canonicalized host. So doing an
actual CNAME query does sound more appropriate. Am I missing anything?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Aaron Goldblatt | 8 Apr 2013 08:51

server migration

i'm trying to migrate my qmail setup from an ancient box with dying hard drives to a vps, setup thus:

lwq setup, netqmail106 with validrcptto.cdb patch

lwq setup, netqmail106 with validrcptto.cdb patch

if you go digging in the DNS records for goldblatt.net, you'll see the present MX receiver is blotts, and it works as i intend. the only way for me to test this out is to adjust the MX record, which i will not do and leave unattended until i have this fixed.


DESIRED BEHAVIOR
on blotts, * <at> goldblatt.net comes in and is filtered for delivery according to a series of .qmail files that live in /var/qmail/alias:

-rw-r--r--  1 root  qmail   27 May 21  2010 .qmail-goldblatt-aaron
-rw-r--r--  1 root  qmail   27 Dec 19 03:58 .qmail-goldblatt-benjamin
-rw-r--r--  1 root  qmail   27 May 21  2010 .qmail-goldblatt-lists
-rw-r--r--  1 root  qmail   27 May 21  2010 .qmail-goldblatt-lists-default
-rw-r--r--  1 root  qmail    2 May 21  2010 .qmail-goldblatt-lists-dhconsulting
(etc)

mail to known-good addresses is &forwarded to gmail for further handling; mail to known-bad addresses is #deleted.

the desired behavior is for preg to do exactly the same thing.



OBSERVED BEHAVIOR
on preg, * <at> goldblatt.net comes in and is bounced immediately with "550 sorry, no mailbox here by that name. (#5.1.1)" including stuff to known-good addresses that should be passed to google.



TROUBLESHOOTING
so, upon cross-checking the two setups, i find in /var/qmail/control:

concurrencyincoming: identical
concurrencyremote: identical
defaultdelivery: identical
defaultdomain: identical
locals: fqdns of the respective machines
me: fqdns of the respective machines
plusdomains: identical (goldblatt.net)
rcpthosts: identical (goldblatt.net)
validrcptto.cdb: identical (copied from old to new by scp)
virtualdomains: identical (goldblatt.net:alias-goldblatt)


i find in /var/qmail/alias a series of .qmail files. these are identical between both machines, because i copied them across with scp. see above for example ls -la.

tailing the smtpd log on preg produces this:

2013-04-08 09:52:27.825573500 tcpserver: status: 0/20
2013-04-08 09:55:28.667733500 tcpserver: status: 1/20
2013-04-08 09:55:28.667874500 tcpserver: pid 9687 from 209.85.210.182
2013-04-08 09:55:28.717608500 tcpserver: ok 9687 preg.goldblatt.net:199.175.54.166:25 mail-ia0-f182.google.com:209.85.210.182::52311
2013-04-08 09:55:28.935668500 realrcptto 9687 209.85.210.182 aaron <at> goldblatt.net
2013-04-08 09:55:28.981077500 tcpserver: end 9687 status 0
2013-04-08 09:55:28.981079500 tcpserver: status: 0/20


so, any directions on where i can look or how i can trace this further would be most helpful. i'm obviously missing something, but for the life of me do not see what.

ag
Erwin Hoffmann | 2 Apr 2013 21:13

qmail-authentication 0.8

Hi everybody out there,

within my current qmail-authentication patch (0.8) I realized a feature for qmail-remote  which was
required by some users:

qmail-remote now allows two distinct mechanisms to enable authentication:

* Sender-based authentication: This is triggered by the 'Mail From:' address and can be customized by control/authsenders.
* Target-based authentication: As an extension for control/smtproutes now for a specific route the
authentication information can be optionally added.

The last feature is often called a 'smart relay' or 'smart host'. Of course, 'Submission' is always possible!

Sender-based authentication has precedence over 'relay-based' authentication.

The current version + docs are available on my web site 

   http://www.fehcom.de/qmail/smtpauth.html

Note: For qmail-smtpd I now use an extensible scheme for the environment variable SMTPAUTH.

These features have been included in my SPAMCONTROL patch (2.7). Users of this patch are encouraged to
update! All new features are now in place and working. 

regards.
--eh. 

-- 
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE

John Giordano | 28 Mar 2013 18:16

Compiling ezmlm on Solaris 10 - HeLp

Hi,

I figured this forum would be as good as any to post about getting ezmlm to compile on Solaris 10.

Our Qmail/IMAP server pizza is about baked.  One of the last remaining parts is the mailing list topping.

The compile is failing with this error:

<SNIP>
./makelib stralloc.a stralloc_eady.o stralloc_pend.o \
stralloc_copy.o stralloc_opys.o stralloc_opyb.o \
stralloc_cat.o stralloc_cats.o stralloc_catb.o \
stralloc_arts.o
./compile alloc.c
alloc.c:3: warning: conflicting types for built-in function 'malloc'
./compile alloc_re.c
./makelib alloc.a alloc.o alloc_re.o
./load ezmlm-make auto_bin.o open.a getopt.a substdio.a \
strerr.a stralloc.a alloc.a error.a str.a
./compile ezmlm-manage.c
ezmlm-manage.c: In function `main':
ezmlm-manage.c:320: error: incompatible type for argument 1 of `log'
ezmlm-manage.c:320: error: too many arguments to function `log'
ezmlm-manage.c:331: error: incompatible type for argument 1 of `log'
ezmlm-manage.c:331: error: too many arguments to function `log'
ezmlm-manage.c:135: warning: return type of 'main' is not `int'
*** Error code 1
make: Fatal error: Command failed for target `ezmlm-manage.o'
[root <at> tesla:/usr/local/src/ezmlm/ezmlm-0.53]$
</SNIP>

I am no C programmer so I am not sure what the heck is causing this thing to fail on make.  I have set our compiler to gcc in both conf-cc and conf-ld.  Is it because we don’t have the Sun Studio compiler on here?  Any tips would be most appreciated. 

THANK U!

-jg

Clement Thomas | 25 Mar 2013 07:38

Greeting failed, but delivery success

Hi,
   We use qmail with ezmlm for mailinglist service

[root <at> xx-yyy ~]# rpm -qa|egrep '(ezmlm|qmail)'
qmail-toaster-1.03-1.3.25
ezmlm-toaster-0.53.324-1.3.3

There was a postfix SMTP failure with one of the MXs to which qmail tried mail delivery and got a 4xx reply. The log says ZConnected to , but greeting failed, server says "All ports busy". Despite this message, the delivery was a success. Exact log at http://pastie.org/private/stwlr6jmvhiljzbed0i3ag. All the mail delivery tried via the above MX is lost, but the qmail log reports success with the above ZConnected message.  Z means delivery deferral, if I am not wrong.

Regards,
Clement

Sikkandar Dulkaranai | 20 Mar 2013 19:17

Smarthost (outgoing mail through Remote SMTP Server)

Hi, We want to setup so that all outgoing mail relay on Remote SMTP Server (port 2525). We have installed qmail-smtp-auth and qmail-remote-auth patches. The content of /var/qmail/control/smtproutes is:

:remotesmtpserver.com:2525 -username password

Also, tried this (without - before username):

:remotesmtpserver.com:2525 username password

We tried to send a message from command line as below:

# /var/qmail/bin/qmail-inject <<EOM
from: myuserid <at> gmail.com
Return-Path: myuserid <at> gmail.com
to: anotheruser <at> gmail.com
subject: Test Qmail

This is a test message from qmail.
EOM


Unfortunately, We are getting following error:

delivery 1: failure: 207.58.xxx.xxx_does_not_like_recipient./Remote_host_said:_550_relay_refused_myuserid <at> gmail.com/184.106.xxx.xxx_unauthenticated/Giving_up_on_207.58.xxx.xxx./

We are wondering whether this is something we need to do on our Qmail server or whether it is related to the Remote SMTP Server.

Any help on this is highly appreciated.

Thanks,
Sikkandar.
John Giordano | 20 Mar 2013 01:27

RE: Compiling DaemonTools on Solaris 10

Hi Andy,

Thanks a lot for the reply... I will look more into tomorrow morn but I think you are on the right track here
because I saw the test.sv hanging out in the process list.  In fact, I tried a few different goes of getting it
to compile so there were three of these in the process list- one from each attempted compile of daemontools.

I went ahead and installed daemontools via OpenCSW and it worked sweet.  I will think about whether or not I
want to run with the package from OpenCSW or go for another compile.

Have a good one,
jg

-----Original Message-----
From: Andy Bradford [mailto:amb-sendok-1366330883.cbcjedhdeganpoonfbhp <at> bradfords.org] 
Sent: Tuesday, March 19, 2013 5:21 PM
Cc: John Giordano; 'qmail <at> list.cr.yp.to'
Subject: Re: Compiling DaemonTools on Solaris 10

Thus said "Andy Bradford" on 19 Mar 2013 18:07:01 -0600:

> root <at> solaris11.1:/package/admin/daemontools-0.76# ./command/svc -dx compile/rts-tmp/test.sv

I think this was wrong, I meant:

root <at> solaris11.1:/package/admin/daemontools-0.76# ./command/svc -u compile/rts-tmp/test.sv

This is where it hangs:

--- svc -ox works
hi
--- svstat works for up services
.: up (pid x) x seconds, normally down
--- svc -u works
svc: warning: unable to control test.sv: supervise not running

So it should be trying to bring up the service (not sure why it didn't).

Andy

John Giordano | 19 Mar 2013 21:06

Compiling DaemonTools on Solaris 10

Hi,

I am attempting to get Qmail going on a Solaris 10 server.  Qmail and ucspi have been compiled and installed ok.

Daemontools, however, is hanging here....

<SNIP>
rm -f svscanboot
cat warn-auto.sh svscanboot.sh \
| sed s}HOME}"`head -1 home`"}g \
> svscanboot
chmod 555 svscanboot
./compile svstat.c
./load svstat time.a unix.a byte.a
./compile tai64n.c
./load tai64n timestamp.o time.a unix.a byte.a
./compile tai64nlocal.c
./load tai64nlocal unix.a byte.a
env - /bin/sh rts.tests 2>&1 | cat -v > rts

*** Signal 9 (that's me killing it from another SSH session)
make: Fatal error: Command failed for target `rts'
</SNIP>

Truss says it is just sleeping forever...

root <at> foo:/package/admin/daemontools-0.76/src]$ truss -p 22011
waitid(P_PID, 22013, 0xFFBFF9D0, WEXITED|WTRAPPED|WNOWAIT) (sleeping...)

I made the requisite changes to error.h as per the Life With Qmail HOWTO.... Would anyone know why these tests are just hanging here forever?  Any insight would be most appreciated.

Cheers from Seattle,

Jg

Matt Simpson | 19 Mar 2013 18:11

Questions about bounce messages and qmail-queue

Are bounce messages inserted into the queue via qmail-queue, or are they added some other way? If
qmail-queue is used, and the QMAILQUEUE patch is installed, does the bounce process use the qmail-queue
program specified by QMAILQUEUE, or is it hardcoded to use qmail-queue?

My reason for asking:

I am using a qmail-queue replacement to sign outbound messages with DKIM.  Most of the outbound mail from my
server is either from ezmlm, or from mail clients submitting through SMTP.  I am successfully signing
those messages by using QMAILQUEUE  in the ezmlm .qmail files and the smptd script.   But bounce messages are
not being signed, and I would like to sign them.  (Actually, I would prefer not to send bounce messages at
all, but the ezmlm architecture uses bounces to send error messages).

I have tried setting the QMAILQUEUE environment variable in the qmail/rc script that starts qmail, but
apparently either that is not getting passed to whatever process generates bounces, or it is being
ignored.   If possible, I would like bounces to be processed through a replacement program that signs them
and passes them to the "real" qmail-queue, just like all other outbound messages.

I know I have a couple of other alternatives if I can't make this work.  One alternative would be to sign the
messages in a qmail-remote wrapper instead of qmail-queue.  But since I've gotten the qmail-queue
signing process working, I'm reluctant to re-engineer the process.    Another possibility would be to
rename qmail-queue to something else,  and replace qmail-queue with the signing program which would then
call the actual qmail-queue via its new name.  But that will only work if the bounce messages are being sent
through qmail-queue with the program name hard-coded.

-- 
Matt Simpson
Tatertown, KY

Chris Berry | 13 Mar 2013 20:54

Relay issue

I've setup a qmail server to act as a relay and smarthost in front of our Groupwise server.  We went live last night and everything is going well except one small problem.  Our primary domain is davistl.com and we also host lockingmailbox.com so our /var/qmail/control/smtproutes file looks like this:


lockingmailbox.com:192.168.3.32

davistl.com:192.168.3.32


All of the mail for those addresses is delivered just fine.  I do have some mail though that is addressed to root <at> relay.davistl.com which I'd like to have delivered to cberry <at> davistl.com instead.  I think the answer is some combination of smtproutes, virtualdomains and .qmail files but I haven't quite been able to pin it down.


Currently the mail gets stuck in the queue and shows "deferral: CNAME_lookup_failed_temporarily._(#4.4.3)" in the /var/qmail/log/current file.


If I add relay.davistl.com:192.168.3.32 to smtproutes I get messages like following:


@400000005140d1ee33806514 new msg 1153782
@400000005140d1ee338068fc info msg 1153782: bytes 8036 from <> qp 4552 uid 1010
@400000005140d1ee33bfbfd4 starting delivery 1889: msg 1153782 to remote root <at> relay.davistl.com
@400000005140d1ee33bfc3bc status: local 0/10 remote 2/20
@400000005140d1ef00b4fdfc end msg 1153782
@400000005140d1ef00baf554 delivery 1891: success: 192.168.3.32_accepted_message./Remote_host_said:_250_Ok/
@400000005140d1ef00baf554 status: local 0/10 remote 1/20


The message never actually gets delivered though and qmail just keeps trying to send it.


/var/qmail/alias/.qmail-root is:


&cberry <at> davistl.com


I'm guessing that isn't actually getting applied because it's a sub-domain and it attempts to deliver to the root user which doesn't actually exist on the Groupwise system.


Alternately I tried adding a virtualdomains entry (after removing the smtproutes entry):


relay.davistl.com:vmail


/home/vmail/.qmail-root is:


&cberry <at> davistl.com


After a qmailctl reload and qmailctl flush though I still get "CNAME_lookup_failed_temporarily._(#4.4.3)" so obviously I didn't get that quite right.


Would someone mind pointing out what I'm doing wrong?


Chris Berry
Linux Systems Administrator
Davis Tool
x521

