Friedrich Locke | 6 Jul 20:58 2011

qmail and sasl

Hi folks,

I am faced with the task to deploy a single sign on authentication
engine. For now we have openldap, kerberos working 100%.
I know qmail supports ldap.
My users' userPassword attributes are currently set to {SASL}xxxx@my.domain.
I wonder if qmail (even with ldap support) supports the SASL
authentication "method".
If not, is anybody aware of someone's patch that implements it?

Thanks in advance.

Best regards,

Friedrich.

Erwin Hoffmann | 6 Jul 22:12 2011

Re: qmail and sasl

Hi Friedrich 

(oh we share the same name ..),

On Wed, 6 Jul 2011 15:58:43 -0300
Friedrich Locke <friedrich.locke <at> gmail.com> wrote:

> Hi folks,
> 
> I am faced with the task to deploy a single sign on authentication
> engine. For now we have openldap, kerberos working 100%.

Ok.

> I know qmail supports ldap.

With Andree Oppermann's patch.

> My users' userPassword attributes are currently set to {SASL}xxxx@my.domain.
> I wonder if qmail (even with ldap support) supports the SASL
> authentication "method".

What do you want to achieve?

SASL is a library (and I doubt - except for Inter7 - anyone is willing to marry it with qmail) -- and a framework.
However, SASL allows different authentication schemes, which may include the 'PAM' method (as 'external
SASL' method).

> If not, is anybody aware of someone's patch that implements it?


Erwin Hoffmann | 6 Jul 22:54 2011

Re: qmail and sasl

Hi Friedrich,

On Wed, 6 Jul 2011 17:36:54 -0300
Friedrich Locke <friedrich.locke <at> gmail.com> wrote:

> >
> >> If not, is anybody aware of someone's patch that implements it?
> >
> > Tell us about your plans, what is your problem.
> 
> My plan is to make qmail authenticate users whose entries'
> userPassword is set to be forwarded to SASL.

Thus your 'User DB' is either in the LDAP or Kerberos Realm?
(Check for my SMTP Authentication tutorial).

With LDAP authentication, this should be possible; either for simple or strong bind.
This is the typical case, even if Kerberos is used else.

In fact, check for the following:

a) qmail-smtpd uses (by means of the PAM) an extensible authentication scheme.
b) You need a particular PAM to connect to the LDAP DB, binding, and exiting on success with RC=0.
c) Address mangling (Kerberos realm, DN etc.) should not be too difficult (the target domain can be used as a hint).
d) A good starting point is my qmail-ldap PAM (in PERL) for user validation (not authentication). 

regards.
--eh.


Nelson | 11 Jul 07:19 2011

broken smtp-auth

I'm currently setting up smtp-auth using checkpw-pop3 and Eric M. Johnston's smtp auth patch. I've installed them a number of times without any issue until recently, when I started using a 64-bit OS (CentOS). I'm not sure if this is related to the OS version. Here is what I have in my log:

@400000004e1a82df18b6fcfc tcpserver: status: 0/120
@400000004e1a82f73708285c tcpserver: status: 0/120
@400000004e1a831b193d5f54 tcpserver: status: 0/120
@400000004e1a84742a34f844 tcpserver: status: 1/120
@400000004e1a84742a367ee4 tcpserver: pid 7416 from 180.2.2.105
@400000004e1a84742a3cb8a4 tcpserver: ok 7416 foo.com:192.168.2.249:587 :180.2.2.105::56770
@400000004e1a84742a4582a4 7416 > 220 foo.com ESMTP
@400000004e1a84742fcd731c 7416 < EHLO [10.0.1.3]
@400000004e1a84742fcdd0dc 7416 > 250-foo.com
@400000004e1a84742fcdd0dc 7416 > 250-AUTH LOGIN CRAM-MD5 PLAIN
@400000004e1a84742fcde84c 7416 > 250-AUTH=LOGIN CRAM-MD5 PLAIN
@400000004e1a84742fcdec34 7416 > 250-PIPELINING
@400000004e1a84742fcdf01c 7416 > 250 8BITMIME
@400000004e1a84782efe3c3c 7416 < AUTH PLAIN sa#dsdsNvbnRzAHRlc3QxMjM=
@400000004e1a847d2f167f2c 7416 > 535 authorization failed (#5.7.0)
@400000004e1a847d3899095c 7416 < AUTH LOGIN
@400000004e1a847d3899577c 7416 > 334 ASfdfdm5hbWU6
@400000004e1a847e014a19dc 7416 < bSer6h29udHM=
@400000004e1a847e014a6414 7416 > 334 UGFzc3dvcmQ6
@400000004e1a847e050e6d0c 7416 < dGCkhfh4EyMw==
@400000004e1a8483052102dc 7416 > 535 authorization failed (#5.7.0)
@400000004e1a849124416cec 7416 < QUIT
@400000004e1a84912442862c 7416 > 221 le-price.com
@400000004e1a84912442a184 7416 > [EOF]
@400000004e1a84912443514c tcpserver: end 7416 status 0
@400000004e1a849124435d04 tcpserver: status: 0/120

I'm sure I'm using the correct password. Below are some of the contents of /service/qmail-smtpd/run

exec /usr/local/bin/softlimit -m 5000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 recordio /var/qmail/bin/qmail-smtpd foo.com /usr/local/bin/checkpw-pop3 true 2>&1

Below are the contents of /etc/tcp.smtp

:allow,HOST="foo.com",PORT="110"
127.:allow,RELAYCLIENT="",HOST="foo.com",PORT="110"

One thing I noticed is that submission is not recognized on my system. Hence, I still need to change the entry to 587 in /service/qmail-smtpd/run. Should I be worried about this?

Could anyone give a hint?





Nelson | 11 Jul 15:31 2011

Re: broken smtp-auth

Please disregard. I just need to increase softlimit to fix the problem.

On Mon, Jul 11, 2011 at 1:19 PM, Nelson <ntserafica <at> gmail.com> wrote:

I'm sure I'm using the correct password. Below are some of the contents of /service/qmail-smtpd/run

exec /usr/local/bin/softlimit -m 5000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 recordio /var/qmail/bin/qmail-smtpd foo.com /usr/local/bin/checkpw-pop3 true 2>&1


Friedrich Locke | 11 Jul 16:34 2011

ldap

I am deploying qmail ldap and wonder if there is a special patch for
qmail-ldap necessary to run mailing lists.

Thanks in advance.

Gennady G. Marchenko | 11 Jul 18:00 2011

Re: ldap

In qmail-ldap you don't need any special patch to support ldap-enabled
mailing lists.

Gennady.
11.07.2011 18:34, Friedrich Locke wrote:
> I am deploying qmail ldap and wonder if there is a special patch for
> qmail-ldap necessary to run mailing lists.
>
> Thanks in advance.

Friedrich Locke | 11 Jul 18:31 2011

Re: ldap

How do I create mailing lists in a qmail-ldap environment?

Thanks once more.

On Mon, Jul 11, 2011 at 1:00 PM, Gennady G. Marchenko
<gennady.marchenko <at> itv.ru> wrote:
> In qmail-ldap you don't need any special patch to support ldap-enabled
> mailing lists.
>
> Gennady.
> 11.07.2011 18:34, Friedrich Locke wrote:
>>
>> I am deploying qmail ldap and wonder if there is a special patch for
>> qmail-ldap necessary to run mailing lists.
>>
>> Thanks in advance.
>
>

Wagner Bento Coelho | 11 Jul 20:43 2011

Re: ldap

See:

http://code.deeproot.in/deepofix/wiki/Howto-deepOfix-ezmlm-idx

Deepofix is a particular qmail-ldap-based distribution.
-- 
+--------------------------------------------------+
| WAGNER B. COELHO                                 |
| instituto federal de goias  - goiânia - go       |
+--------------------------------------------------+

> How do I create mailing lists in a qmail-ldap environment?
>
> Thanks once more.
>
> On Mon, Jul 11, 2011 at 1:00 PM, Gennady G. Marchenko
> <gennady.marchenko <at> itv.ru> wrote:
>> In qmail-ldap you don't need any special patch to support ldap-enabled
>> mailing lists.
>>
>> Gennady.
>> 11.07.2011 18:34, Friedrich Locke wrote:
>>>
>>> I am deploying qmail ldap and wonder if there is a special patch for
>>> qmail-ldap necessary to run mailing lists.
>>>
>>> Thanks in advance.
>>
>>
>

Manvendra Bhangui | 15 Jul 07:51 2011

ANNOUNCE - SURBL filter for netqmail

surblfilter reads an rfc822 email on stdin and prints it back on stdout.
It extracts URLs and checks them against SURBL. surblfilter can be used
as a filter using qmail-qfilter(1) or as a qmail-queue(8) frontend by
setting the QMAILQUEUE environment variable to a wrapper
/var/qmail/bin/surblqueue

surblfilter caches the result in /var/qmail/control/cache. qmail-smtpd or
any client that calls surblfilter needs to have write permission for this
directory.

surblfilter does base64 decoding for base64 encoded text/html, text/plain
to extract urls.

surblfilter requires two control files level2-tlds and level3-tlds in
/var/qmail/control. The same can be obtained from the surbl.org website.


surblfilter is a standalone program and does not need you to patch qmail-smtpd
or existing programs. It exits 88 in case it finds a SURBL listed URL. It
exits 111 for temporary errors. It exits 0 if everything is fine.

surblfilter has been integrated with my qmail-dkim patch and is available at


It has been integrated in dkim-netqmail-1.06.patch-1.9.gz. The older patches 
will not have surblfilter

surblfilter is written in C and built on djb functions, and some functions have
been ruthlessly borrowed from the qmail surbl interface by Pieter Droogendijk
and the surblhost program at http://surblhost.sourceforge.net/

Let me know if you find it useful or if you find a bug.
--
Regards Manvendra - http://www.indimail.org
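
The filter contract described in the announcement above (decode text parts, extract URLs, reduce each host with the level2-tlds and level3-tlds lists, exit 0/88/111), as an added Python example that is not surblfilter's own C code. The function names, the URL regex, the one-entry-per-line control file format and the multi.surbl.org query zone are assumptions of this example; the result cache is left out.

```python
import email, re, socket, sys

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def extract_hosts(raw):
    """Host names from URLs in text/plain and text/html parts of a raw message."""
    hosts = set()
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            # decode=True undoes base64 / quoted-printable transfer encoding
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            hosts.update(h.lower().strip(".") for h in URL_RE.findall(body))
    hosts.discard("")
    return hosts

def surbl_domain(host, level2, level3):
    """Reduce a host to the name SURBL lists: registered domain or reversed IPv4."""
    labels = host.split(".")
    if re.fullmatch(r"\d+(\.\d+){3}", host):
        return ".".join(reversed(labels))
    if len(labels) > 3 and ".".join(labels[-3:]) in level3:
        keep = 4
    elif len(labels) > 2 and ".".join(labels[-2:]) in level2:
        keep = 3
    else:
        keep = 2
    return ".".join(labels[-keep:])

def dns_listed(domain, zone="multi.surbl.org"):
    """True if the name resolves inside the SURBL zone (zone name assumed)."""
    try:
        socket.gethostbyname(domain + "." + zone)
        return True
    except socket.gaierror as err:
        if err.errno == socket.EAI_NONAME:
            return False
        raise  # resolver trouble: the caller maps this to exit 111

def filter_exit_code(raw, level2, level3, listed=dns_listed):
    """0 = clean, 88 = a URL is listed, 111 = temporary error (codes from the post)."""
    try:
        for host in extract_hosts(raw):
            if listed(surbl_domain(host, level2, level3)):
                return 88
    except OSError:
        return 111
    return 0

if __name__ == "__main__":
    load = lambda name: set(open("/var/qmail/control/" + name).read().split())
    raw = sys.stdin.buffer.read()
    sys.stdout.buffer.write(raw)  # pass the message through unchanged
    sys.exit(filter_exit_code(raw, load("level2-tlds"), load("level3-tlds")))
```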
