Friedrich Locke | 6 Jul 2011 20:58

qmail and sasl

Hi folks,

I am faced with the task to deploy a single sign-on authentication
engine. For now we have openldap and kerberos working 100%.
I know qmail supports ldap.
My users' userPassword attribute is currently set to {SASL}xxxx@my.domain.
I wonder if qmail (even with ldap support) supports the SASL
authentication "method".
If not, is anybody aware of someone's patch that implements it?

Thanks in advance.

Best regards,

Friedrich.

Erwin Hoffmann | 6 Jul 2011 22:12

Re: qmail and sasl

Hi Friedrich 

(oh we share the same name ..),

On Wed, 6 Jul 2011 15:58:43 -0300
Friedrich Locke <friedrich.locke@gmail.com> wrote:

> Hi folks,
> 
> I am faced with the task to deploy a single sign-on authentication
> engine. For now we have openldap and kerberos working 100%.

Ok.

> I know qmail supports ldap.

With Andre Oppermann's patch.

> My users' userPassword attribute is currently set to {SASL}xxxx@my.domain.
> I wonder if qmail (even with ldap support) supports the SASL
> authentication "method".

What do you want to achieve?

SASL is a library (and I doubt - except for Inter7 - anyone is willing to marry it with qmail) -- and a framework.
However, SASL allows different authentication schemes, which may include the 'PAM' method (as 'external
SASL' method).

> If not, is anybody aware of someone's patch that implements it?


Erwin Hoffmann | 6 Jul 2011 22:54

Re: qmail and sasl

Hi Friedrich,

On Wed, 6 Jul 2011 17:36:54 -0300
Friedrich Locke <friedrich.locke@gmail.com> wrote:

> >
> >> If not, is anybody aware of someone's patch that implements it?
> >
> > Tell us about your plans, what is your problem.
> 
> My plan is to make qmail authenticate users whose entries'
> userPassword is set to be forwarded to SASL.

Thus your 'User DB' is either in the LDAP or Kerberos Realm?
(Check for my SMTP Authentication tutorial).

With LDAP authentication, this should be possible; either for simple or strong bind.
This is the typical case, even if Kerberos is used else.

In fact, check for the following:

a) qmail-smtpd uses (by means of the PAM) an extensible authentication scheme.
b) You need a particular PAM to connect to the LDAP DB, binding, and exiting on success with RC=0.
c) Address mangling (Kerberos realm, DN, etc.) should not be too difficult (the target domain can be used as a hint).
d) A good starting point is my qmail-ldap PAM (in PERL) for user validation (not authentication). 

regards.
--eh.


Nelson | 11 Jul 2011 07:19

broken smtp-auth

I'm currently setting up smtp-auth using checkpw-pop3 and Eric M. Johnston's smtp auth patch. I've been installing them a number of times without any issue until recently, when I'm using a 64-bit OS (CentOS). I'm not sure if this is related to the OS version. Here is what I have in my log:

@400000004e1a82df18b6fcfc tcpserver: status: 0/120
@400000004e1a82f73708285c tcpserver: status: 0/120
@400000004e1a831b193d5f54 tcpserver: status: 0/120
@400000004e1a84742a34f844 tcpserver: status: 1/120
@400000004e1a84742a367ee4 tcpserver: pid 7416 from 180.2.2.105
@400000004e1a84742a3cb8a4 tcpserver: ok 7416 foo.com:192.168.2.249:587 :180.2.2.105::56770
@400000004e1a84742a4582a4 7416 > 220 foo.com ESMTP
@400000004e1a84742fcd731c 7416 < EHLO [10.0.1.3]
@400000004e1a84742fcdd0dc 7416 > 250-foo.com
@400000004e1a84742fcdd0dc 7416 > 250-AUTH LOGIN CRAM-MD5 PLAIN
@400000004e1a84742fcde84c 7416 > 250-AUTH=LOGIN CRAM-MD5 PLAIN
@400000004e1a84742fcdec34 7416 > 250-PIPELINING
@400000004e1a84742fcdf01c 7416 > 250 8BITMIME
@400000004e1a84782efe3c3c 7416 < AUTH PLAIN sa#dsdsNvbnRzAHRlc3QxMjM=
@400000004e1a847d2f167f2c 7416 > 535 authorization failed (#5.7.0)
@400000004e1a847d3899095c 7416 < AUTH LOGIN
@400000004e1a847d3899577c 7416 > 334 ASfdfdm5hbWU6
@400000004e1a847e014a19dc 7416 < bSer6h29udHM=
@400000004e1a847e014a6414 7416 > 334 UGFzc3dvcmQ6
@400000004e1a847e050e6d0c 7416 < dGCkhfh4EyMw==
@400000004e1a8483052102dc 7416 > 535 authorization failed (#5.7.0)
@400000004e1a849124416cec 7416 < QUIT
@400000004e1a84912442862c 7416 > 221 le-price.com
@400000004e1a84912442a184 7416 > [EOF]
@400000004e1a84912443514c tcpserver: end 7416 status 0
@400000004e1a849124435d04 tcpserver: status: 0/120

I'm sure I'm using the correct password. Below are some contents of /service/qmail-smtpd/run

exec /usr/local/bin/softlimit -m 5000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 recordio /var/qmail/bin/qmail-smtpd foo.com /usr/local/bin/checkpw-pop3 true 2>&1

Below is the contents of /etc/tcp.smtp

:allow,HOST="foo.com",PORT="110"
127.:allow,RELAYCLIENT="",HOST="foo.com",PORT="110"

One thing I notice is that submission is not recognized on my system. Hence, I still need to change the entry to 587 in /service/qmail-smtpd/run. Should I be worried about this?

Anyone could give a hint?
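Reading the recordio AUTH dialogue above by hand is tedious, so here is an added example (not Nelson's code, not from this thread) that parses recordio lines of the form shown, records per session the AUTH mechanism, the username and the 235/535 outcome, and rejects fields that are not valid base64 with a strict decode; passwords are never decoded or kept. The sample log is constructed with valid base64 because the post's blobs are obfuscated, and the line format is assumed to be exactly the one above (TAI64N stamp, pid, direction, text).

```python
import base64
import re

# recordio line: TAI64N stamp, pid, then "<" (client -> qmail-smtpd) or ">" (reply)
LINE_RE = re.compile(r"^@?\S+ (?P<pid>\d+) (?P<dir>[<>]) (?P<text>.*)$")

# Constructed sample with valid base64 (the blobs in the post are obfuscated):
# a failed AUTH PLAIN for "alice", then a successful AUTH LOGIN for "alice".
SAMPLE_LOG = """\
@400000004e1a84782efe3c3c 7416 < AUTH PLAIN AGFsaWNlAHNlY3JldA==
@400000004e1a847d2f167f2c 7416 > 535 authorization failed (#5.7.0)
@400000004e1a847d3899095c 7416 < AUTH LOGIN
@400000004e1a847e014a19dc 7416 < YWxpY2U=
@400000004e1a847e050e6d0c 7416 < c2VjcmV0
@400000004e1a8483052102dc 7416 > 235 ok
"""


def b64(field):
    """Strict decode; None for junk such as the 'sa#dsds...' field in the post."""
    try:
        return base64.b64decode(field.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def parse_auth_attempts(log_text):
    """One dict per AUTH attempt: pid, mech, user, result ('ok', 'failed' or None)."""
    attempts, open_by_pid, expect = [], {}, {}
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        pid, text = m.group("pid"), m.group("text")
        if m.group("dir") == ">":                            # qmail-smtpd's reply
            if pid in open_by_pid and text[:3] in ("235", "535"):
                open_by_pid.pop(pid)["result"] = "ok" if text[:3] == "235" else "failed"
            continue
        words = text.split(" ", 2)
        if words[0].upper() == "AUTH" and len(words) > 1:    # a new attempt starts
            open_by_pid[pid] = cur = {"pid": pid, "mech": words[1].upper(), "user": None, "result": None}
            attempts.append(cur)
            expect[pid] = "LOGIN-USER" if cur["mech"] == "LOGIN" else None
            if cur["mech"] == "PLAIN" and len(words) == 3:   # base64("authzid\0authcid\0password")
                raw = b64(words[2]) or b""
                if raw.count(b"\0") == 2:
                    cur["user"] = raw.split(b"\0")[1].decode("utf-8", "replace")
        elif expect.pop(pid, None) == "LOGIN-USER" and pid in open_by_pid:
            raw = b64(text)                                  # reply to "334 VXNlcm5hbWU6" (Username:)
            open_by_pid[pid]["user"] = None if raw is None else raw.decode("utf-8", "replace")
            # the next client line is the base64 password: it has no space, so no branch matches it
    return attempts
```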

Nelson | 11 Jul 2011 15:31

Re: broken smtp-auth

Please disregard. I just need to increase softlimit to fix the problem.

On Mon, Jul 11, 2011 at 1:19 PM, Nelson <ntserafica@gmail.com> wrote:

I'm sure I'm using the correct password. Below are some contents of /service/qmail-smtpd/run

exec /usr/local/bin/softlimit -m 5000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 recordio /var/qmail/bin/qmail-smtpd foo.com /usr/local/bin/checkpw-pop3 true 2>&1


Manvendra Bhangui | 15 Jul 2011 07:51

ANNOUNCE - SURBL filter for netqmail

surblfilter reads an RFC 822 email on stdin and prints it back on stdout.
It extracts URLs and checks them against SURBL. surblfilter can be used
as a filter using qmail-qfilter(1) or as a qmail-queue(8) frontend by
setting the QMAILQUEUE environment variable to a wrapper,
/var/qmail/bin/surblqueue.

surblfilter caches the result in /var/qmail/control/cache. qmail-smtpd or
any client that calls surblfilter needs to have write permission for this
directory.

surblfilter does base64 decoding of base64-encoded text/html and text/plain
parts to extract URLs.

surblfilter requires two control files, level2-tlds and level3-tlds, in
/var/qmail/control. These can be obtained from the surbl.org website.


surblfilter is a standalone program and does not need you to patch qmail-smtpd
or existing programs. It exits 88 in case it finds a SURBL-listed URL. It
exits 111 for temporary errors. It exits 0 if everything is fine.

surblfilter has been integrated with my qmail-dkim patch and is available at


It has been integrated in dkim-netqmail-1.06.patch-1.9.gz. The older patches
will not have surblfilter.

surblfilter is written in C and built on djb functions, and some functions have
been ruthlessly borrowed from the qmail SURBL interface by Pieter Droogendijk
and the surblhost program at http://surblhost.sourceforge.net/

Let me know if you find it useful or if you find a bug.
--
Regards Manvendra - http://www.indimail.org
Tregaron Bayly | 19 Jul 2011 19:13

"connection died" errors and Postini - patch

Not long ago we noticed on our outbound mail servers that a surprising
number of qmail-remote processes were living a much longer than expected
life before throwing a "connected to <foo> but connection died" error
and deferring the message.  We were able to tie these down to processes
communicating with Google Postini and catch an strace that showed a
surprising bug with Google's mail server.  After receiving the DATA
Google intends to reject the message with a 571 code, but sends this:

read(3, "571 Message Refused\r", 128)

Unfortunately the message really needs to have both a CR and LF at the
end (\r\n) according to RFC 821 (section 4.1.2):  "The argument field
consists of a variable length character string ending with the character
sequence <CRLF>. The receiver is to take no action until this sequence
is received." 

I brought this to Google's attention and they said "we don't have such
issue with any of our customers" and "sending server will know what to
do from there", which seems bogus - qmail, sendmail and postfix all
expect RFC-compliant responses and choke on this.  On one hand I feel
that Google must fix this rather than the MTA (why should everyone else
work around their broken software?).  On the other hand, putting this
patch on our qmail servers dropped the size of our outgoing mail queue
by more than 1/3.

Here's the patch:

--- qmail-1.03/qmail-remote.c   1998-06-15 04:53:16.000000000 -0600
+++ qmail-1.03-571/qmail-remote.c       2011-04-25 11:39:07.513583926
-0600
 <at>  <at>  -158,7 +158,32  <at>  <at> 
     get(&ch);
     get(&ch);
   }
-  while (ch != '\n') get(&ch);
+  while (ch != '\n') 
+  {
+    // Postini can return a 571 SMTP code terminated with a '\r' but no
+    // '\n'.  The result is that we are trapped in this while loop
until
+    // saferead() times out and the message is drop()ed. This means a 
+    // message that should be a permanent failure is instead requeued
+    // continually until it ages out.  Try to catch and prevent this:
+    if (ch == '\r' && code == 571) 
+    {
+ 
+     // Cap smtptext with a '\n' so future uses of the string look
right
+      unsigned char LF;
+      LF = '\n';
+      if (!stralloc_append(&smtptext,&LF)) temp_nomem();
+ 
+     // Returning here potentially leaves a '\n' in the fd (if someone
+     // later correctly implements a 571 error with CRLF), but since 
+     // this means we will be quitting before we read() again we'll
+     // not worry about it.
+     return code;
+    }
+    else
+    {
+      get(&ch);
+    }
+  }

   return code;
 }
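Review bot: the added block uses C99 `//` comments (and two one-space-indented comment lines next to two-space statements) in a file that otherwise uses C89 `/* ... */`, so consider `/* */` comments and consistent indentation; `unsigned char LF; LF = '\n';` can also be a single initialised declaration. More substantively, the guard `if (ch == '\r' && code == 571)` rescues only this one status code: any other reply terminated by a bare CR still spins in `get(&ch)` until saferead() times out and the message is requeued, exactly the failure the comment above it describes, so if the aim is robustness rather than a Postini-only workaround, consider breaking out of the loop on a bare CR regardless of `code` (a compliant CRLF reply is unaffected, since, as the second comment notes, nothing reads the socket again before QUIT).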

Andy Bradford | 20 Jul 2011 07:04

Re: "connection died" errors and Postini - patch

Thus said Tregaron Bayly on Tue, 19 Jul 2011 11:13:09 MDT:

> I brought this to Google's attention and they said "we don't have such
> issue with any of our customers" and "sending server will know what to
> do from there", which seems bogus - qmail, sendmail and postfix all
> expect RFC-compliant responses and choke on this.

Why do companies think this an acceptable response to broken software
and poor software design? This is probably an attempt on their part at
some kind of elaborate anti-spam technique. I can see no other reason
why they would reject an email with a 5xx permanent failure but not give
the complete \r\n to terminate the response except this. Yes, I'm giving
google developers the benefit of the doubt... I hear that they hire the
best.

Andy

Manvendra Bhangui | 20 Jul 2011 15:24

Using systemd to start qmail/netqmail

FC9 replaced the SysV init scripts with the new init, upstart. FC15 has
moved to a new init yet again. This time the init is systemd:
http://en.wikipedia.org/wiki/Systemd

To have qmail/netqmail or my own indimail server run under systemd,
one needs to create a service configuration file
(/lib/systemd/system/qmail.service)

# cat > /lib/systemd/system/qmail.service
[Unit]
Description=qmail/netqmail service
After=local-fs.target network.target

[Service]
ExecStart=/var/qmail/bin/svscan /service
ExecStop=/var/qmail/bin/svc -dx /service/* /service/*/log
Type=simple
NonBlocking=yes

[Install]
WantedBy=multi-user.target

NOTE: You can use your own variation in ExecStart to start svscan
(using it with readproctitle, etc.).

# systemctl enable qmail.service

The above command will create a link in
/etc/systemd/system/multi-user.target.wants

lrwxrwxrwx  1 root root   36 Jul 20 18:18 qmail.service ->
/lib/systemd/system/qmail.service

To start qmail/netqmail do

# systemctl start qmail.service

To stop qmail/netqmail do

# systemctl stop qmail.service

--
Regards Manvendra - http://www.indimail.org

