André Alexandre Gaio | 19 May 2013 03:51

Issues with plain authentication mode with qmail-ldap 20120221

Hello Guys,

I've had a problem since I started using patch 20120221, about 1 year ago, which I had not noticed until now.

The problem is as follows:

If I use the LOGIN authentication mode, everything happens normally. This is how I configure my email clients by default.

If I set any email client to PLAIN authentication mode, the login succeeds as usual when the user enters the correct password, and sending email works normally too.

But when the user enters the wrong password at login, the qmail-smtpd process crashes with a segfault, although it still responds normally with:

535 authentication failure
or
501 failed authentication exchange

It ends the session normally.

I noticed this strange behavior when a user configured PLAIN mode by mistake in their email client instead of LOGIN, which is what we standardized on.

It appears in the log with LOGLEVEL=255 and DEBUGLEVEL=3:

@400000005197d6e333ee9034 tcpserver: pid 27959 from XXX.XXX.45.10
@400000005197d6e333f575d4 tcpserver: ok 27959 correio.domaindst.com.br:172.16.1.2:587 correio01.domainorig.com.br:XXX.XXX.45.10::60720
@400000005197d6e3341050d4 qmail-smtpd 27959: connection from XXX.XXX.45.10 (correio01.domainorig.com.br) to correio.domaindst.com.br
@400000005197d6e33410c9ec qmail-smtpd 27959: enabled options: max msg size: 55000000 starttls sanitycheck blockrelayprobe rcptcheck ldapsoftok smtp-auth authrequired smtp550disconnect qmailqueue /var/qmail/bin/simscan-msa
@400000005197d6ea2407f9e4 qmail-smtpd 27959: remote ehlo: domainorig.com.br
@400000005197d6f235249f34 qmail-smtpd 27959: auth plain
@400000005197d6f2353df77c init_ldap: control/ldapserver: '127.0.0.1'
@400000005197d6f2353e64dc init_ldap: control/ldapbasedn: dc=domaindst,dc=com,dc=br
@400000005197d6f2353e68c4 init_ldap: control/ldapobjectclass: qmailUser
@400000005197d6f2353e68c4 init_ldap: control/ldaptimeout: 30
@400000005197d6f2353e6cac init_ldap: control/ldaprebind: 1
@400000005197d6f2353e6cac init_ldap: control/ldapuid: 777
@400000005197d6f2353e6cac init_ldap: control/ldapgid: 777
@400000005197d6f2353e7094 init_ldap: control/ldapmessagestore: /vmail/
@400000005197d6f2353e8bec init_ldap: control/ldapdefaultdotmode: both
@400000005197d6f2353ea35c init_ldap: control/defaultquotasize: 1024000000
@400000005197d6f2353ea35c init_ldap: control/defaultquotacount: 5000
@400000005197d6f23544d164 qldap_open: init successful
@400000005197d6f23544ecbc qldap_set_option: set referrals successful
@400000005197d6f2354d31ec qldap_bind: successful
@400000005197d6f23552044c qldap_lookup: search for (&(objectClass=qmailUser)(uid=suporte)) succeeded
@400000005197d6f235526dc4 qldap_get_attr(accountStatus): active
@400000005197d6f23553f07c qldap_open: init successful
@400000005197d6f2355413a4 qldap_set_option: set referrals successful
@400000005197d6f2355ad61c qldap_bind: failed (Invalid credentials)
@400000005197d6f2355ada04 check_ldap: password compare was not successful
@400000005197d6f2355b919c warning: auth_fail: user suporte failed
@400000005197d6f33636c2e4 tcpserver: end 27959 status 139

This behavior does not happen with the previous patch 20060201.

Has anyone else noticed this? Or does it just happen to me?

My server is a Dell with a Xeon E5430 2.66GHz processor, 16GB RAM and SAS disks; the distro is CentOS 6.4 Linux with the default kernel 2.6.32-358.6.1.el6.x86_64 #1 SMP.
This happens too on a small Atom D525 with 4GB RAM and Ubuntu 12.04.2 LTS with the 3.2.0-32-generic x86_64 SMP kernel.

Thanks in advance, and sorry for the long mail and for my bad English. :-)

-- 
André Alexandre Gaio
Network and Support Engineer
RedHat RHCE - LPIC - Novell SCLA - HE IPv6 Sage
Linwork Informática Ltda
"...what the LORD asks of you: that you practice justice, and love mercy, and walk humbly with your God." Mic. 6:8
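The log above shows the sequence André describes: AUTH PLAIN, an LDAP bind that fails with invalid credentials, auth_fail, and then tcpserver reporting that child 27959 ended with status 139. As an added example (not part of the post and not qmail-ldap code), here is a small Python check that correlates those lines by tcpserver pid and flags sessions whose qmail-smtpd child died by signal after a failed authentication; the second session in the sample (pid 28001) is constructed for contrast.

```python
import re

# Log excerpt taken from the post above (tcpserver and qmail-smtpd lines at
# LOGLEVEL=255), plus one constructed clean session (pid 28001) for contrast.
LOG = """\
@400000005197d6e333ee9034 tcpserver: pid 27959 from XXX.XXX.45.10
@400000005197d6f235249f34 qmail-smtpd 27959: auth plain
@400000005197d6f2355ad61c qldap_bind: failed (Invalid credentials)
@400000005197d6f2355b919c warning: auth_fail: user suporte failed
@400000005197d6f33636c2e4 tcpserver: end 27959 status 139
@400000005197d7001234abcd tcpserver: pid 28001 from XXX.XXX.45.11
@400000005197d7011234abcd qmail-smtpd 28001: auth login
@400000005197d7021234abcd warning: auth_fail: user alice failed
@400000005197d7031234abcd tcpserver: end 28001 status 0
"""

TAI64_BASE = 1 << 62   # tai64n labels count seconds from 1970, offset by 2^62

RE_START = re.compile(r"^(@[0-9a-f]{24}) tcpserver: pid (\d+) from (\S+)")
RE_AUTH = re.compile(r"^@[0-9a-f]{24} qmail-smtpd (\d+): auth (\w+)")
RE_FAIL = re.compile(r"^@[0-9a-f]{24} warning: auth_fail: user (\S+) failed")
RE_END = re.compile(r"^@[0-9a-f]{24} tcpserver: end (\d+) status (\d+)")


def tai64n_seconds(label: str) -> int:
    """Seconds field of a tai64n label: '@' + 16 hex seconds + 8 hex nanoseconds.
    The result is TAI (35 s ahead of UTC in 2013), which is fine for correlation."""
    return int(label[1:17], 16) - TAI64_BASE


def find_auth_crashes(log: str) -> list:
    """Return one record per session whose child was killed by a signal after an
    auth failure. auth_fail lines carry no pid, so they are attributed to the
    session that most recently issued an AUTH command (an assumption that holds
    when authentications on the submission port rarely overlap)."""
    sessions, last_auth_pid, hits = {}, None, []
    for line in log.splitlines():
        if m := RE_START.match(line):
            sessions[m[2]] = {"pid": int(m[2]), "peer": m[3],
                              "start": tai64n_seconds(m[1]), "mech": None, "user": None}
        elif m := RE_AUTH.match(line):
            if m[1] in sessions:
                sessions[m[1]]["mech"] = m[2]
                last_auth_pid = m[1]
        elif m := RE_FAIL.match(line):
            if last_auth_pid in sessions:
                sessions[last_auth_pid]["user"] = m[1]
        elif m := RE_END.match(line):
            rec, status = sessions.pop(m[1], None), int(m[2])
            # 139 = 0x8b: the low 7 bits are the signal (11 = SIGSEGV) and bit 7 marks
            # a core dump; a shell reports the same death as 128 + 11. Masking covers both.
            sig = status & 0x7F
            if rec and sig and rec["user"] is not None:
                rec["signal"] = sig
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_auth_crashes(LOG):
        print(f"pid {h['pid']} from {h['peer']}: AUTH {h['mech']} failed for "
              f"{h['user']}, child died with signal {h['signal']} (tai {h['start']})")
```

Run against the full multilog output of the smtpd service, the same check separates sessions that merely failed authentication from those that also took the daemon down.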
Friedrich Locke | 2 Apr 2013 21:37

ezmlm

Does qmail-ldap work with ezmlm?

Thanks.

Fried
Jeff Hardy | 13 Mar 2013 18:19

Qmail-LDAP/Dovecot Cluster

Hello,

I have worked with qmail-ldap and Dovecot for a number of years, and 
recently wrote up a piece going into great detail about all aspects of 
our environment.  It currently supports a rather small installation of 
~10K active users.  If it should be of interest:

http://fritz.potsdam.edu/projects/email

It is intended primarily for system administrators or mail 
administrators interested in building mail infrastructure on top of 
open-source technologies, and is inspired by the likes of Life with qmail.

Topics include storage, backup, directory integration, local and remote 
mail exchange, checkpassword SMTP-Auth and Dovecot login, RBLs, 
content-scanning and anti-spam, quarantine, webmail, etc.  Full 
installation directions and configuration stanzas are provided for 
nearly every piece of the infrastructure.

Comments/criticism welcome.  Cheers.

-Jeff

--
Jeffrey M Hardy
Network / Systems Administrator
hardyjm@potsdam.edu

Raja T Nair | 4 Feb 2013 14:09

Want to blacklist a sender and drop mails silently

Hello All,

Is there a way in qmail-ldap, where I can blacklist one sender and drop all mails from this id silently?
I don't want to send a 'mail rejected' message to her.

Regards,
Raja.
--
:^)

Ismail Yenigul | 15 Jan 2013 19:15

Re: changing user mailhost on working environment

Just move the user mailbox like a regular directory. If the messagestore path is different on the new host, you must update this attribute. Or use shared storage on all machines. NFS might be an easy solution.

-Sent from Galaxy Note

Friedrich Locke <friedrich.locke@gmail.com> wrote:
Hi,

Suppose I have a cluster with 5 machines. For a given user, say xyz, the mailhost is z and I want to change his mailhost to b. The LDAP part is pretty easy, but what about the email the user already has on mailhost z? How do I move it from mailhost z to mailhost b?
How do you do that?

Thanks in advance.
Friedrich Locke | 15 Jan 2013 17:18

changing user mailhost on working environment

Hi,

Suppose I have a cluster with 5 machines. For a given user, say xyz, the mailhost is z and I want to change his mailhost to b. The LDAP part is pretty easy, but what about the email the user already has on mailhost z? How do I move it from mailhost z to mailhost b?
How do you do that?

Thanks in advance.

Tomas Kuliavas | 14 Jan 2013 21:02

Re: patches for qmail-ldap

2013.01.14 20:41 Friedrich Locke wrote:
> Sorry folks,
>
> but in my journey to get obsd+oldap+qmail working i am in need for a patch
> (AFAIK, by Mr. Jeker) , more precisely:
>
> http://www.mail-archive.com/qmail-ldap@qmail-ldap.org/msg07407.html
>
> I cannot cut and paste it right now, that's why i am asking!
>
> Does anybody have it and would like to send me ?

It is already pasted at the link you posted, and it is only a four-line change.

See
http://www.gnu.org/software/diffutils/manual/html_node/Detailed-Unified.html#Detailed-Unified,
if you are familiar with the unified diff format.

-- 
Tomas

Friedrich Locke | 14 Jan 2013 19:41

patches for qmail-ldap

Sorry folks,

but in my journey to get obsd+oldap+qmail working I am in need of a patch (AFAIK, by Mr. Jeker), more precisely:

http://www.mail-archive.com/qmail-ldap@qmail-ldap.org/msg07407.html

I cannot cut and paste it right now, that's why i am asking!

Does anybody have it and would like to send it to me?

Thanks in advance.

Friedrich Locke | 14 Jan 2013 17:15

openbsd+ldap+qmail: a nightmare

Hi folks,

I have been walking around and now I need to get qmail+ldap+openbsd working.
I could configure everything; as usual OpenBSD runs rock solid. But I believe OpenLDAP does not like OpenBSD somehow. That's what I want to figure out.

The point is: I have just set up obsd+oldap+qmail. I am trying to send a message to the only user I have in the tree; somehow, I don't know why, it is "eating" all my system memory. I am really curious why it happens on OBSD. I am running amd64 5.2, but I remember having given up some time ago when the obsd version was not yet 5.2. When I issue ldapsearch, no memory increase is observed.

The problem remains even with the 5.2 version.
Some information is provided below:

sioux@gustav$ uname -a
OpenBSD gustav.cpd.ufv.br 5.2 GENERIC.MP#368 amd64
sioux@gustav$ pkg_info | grep openldap
openldap-client-2.4.31 Open source LDAP software (client)
openldap-server-2.4.31p0 Open source LDAP software (server)
sioux@gustav$

For the /etc/openldap/slapd.conf, here you have it:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/qmail.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/local/libexec/openldap
# moduleload    back_bdb.la
# moduleload    back_hdb.la
# moduleload    back_ldap.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
#suffix         "dc=my-domain,dc=com"
suffix          "dc=ufv,dc=br"
#rootdn         "cn=Manager,dc=my-domain,dc=com"
rootdn          "cn=oldap,dc=ufv,dc=br"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
#rootpw         secret
rootpw          {SSHA}HBjSmSCbiE8J26EuDg3ULnSj2SmN1x5g
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/openldap-data
# Indices to maintain
index   cn                                      eq
index   objectClass                             eq
index   mail,mailalternateaddress,uid           eq,sub
index   accountstatus,mailhost,deliverymode     eq
index   default                                 eq

cachesize       4096
checkpoint      128 15
dbnosync
dirtyread

sasl-host       gustav.cpd.ufv.br
sasl-realm      UFV.BR
sasl-regexp     uid=([^,]+),cn=UFV.BR,cn=gssapi,cn=auth
                uid=$1,ou=people,dc=ufv,dc=br

limits dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384
limits dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" time=2048 size=16384
limits dn.onelevel="ou=people,dc=ufv,dc=br" time=4 size=16384

################################################################################
# access definition on ou=appsrv,dc=ufv,dc=br
################################################################################

access to dn.one="ou=appsrv,dc=ufv,dc=br" attrs=userPassword
        by self read
        by anonymous auth
#       by * none

access to dn.one="ou=appsrv,dc=ufv,dc=br"
        by dn.one="ou=appsrv,dc=ufv,dc=br" read

access to dn.base="ou=appsrv,dc=ufv,dc=br" attrs=entry
        by dn.one="ou=appsrv,dc=ufv,dc=br" read

################################################################################
# access definition on ou=group,dc=ufv,dc=br
################################################################################

access to dn.one="ou=group,dc=ufv,dc=br"
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.one="ou=people,dc=ufv,dc=br" read

access to dn.base="ou=group,dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.one="ou=people,dc=ufv,dc=br" read

################################################################################
# access definition on ou=people,dc=ufv,dc=br
################################################################################

access to dn.one="ou=people,dc=ufv,dc=br" attrs=userPassword
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by anonymous auth
        by * none

access to dn.one="ou=people,dc=ufv,dc=br" attrs=uid,homeDirectory
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br" attrs=cn,uidNumber,gidNumber,loginShell,gecos,description
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br" attrs=mail,mailMessageStore,mailAlternateAddress,qmailUID,qmailGID,mailHost,mailForwardingAddress,deliveryProgramPath,qmailDotMode,deliveryMode,mailReplyText,accountStatus,qmailAccountPurge,mailQuotaSize,mailQuotaCount,mailSizeMax
        by self read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

access to dn.one="ou=people,dc=ufv,dc=br"
        by self read
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read

access to dn.base="ou=people,dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
################################################################################
# access definition for the root (ufv.br)
################################################################################

access to dn.base="dc=ufv,dc=br" attrs=entry
        by dn.base="cn=ypldap,ou=appsrv,dc=ufv,dc=br" read
        by dn.base="cn=mail,ou=appsrv,dc=ufv,dc=br" read
#######################################################################
# Monitor database definitions
#######################################################################

database monitor

access to dn.subtree="cn=monitor"
        by dn.base="cn=oldap,dc=ufv,dc=br" read
#       by * none

Friedrich Locke | 14 Jan 2013 16:17

Just installed qmail+ldap: i am loosing my hairs

Hi folks,

I have just finished installing my qmail-ldap system. I am trying to send myself a local message, but no success so far.

Here is what I am trying:

sioux@gustav$ echo to: vlobo | /var/qmail/bin/qmail-inject
sioux@gustav$


Here is what I got from the qmail-ldap logs:

@4000000050f4201a17a0e594 new msg 1039956
@4000000050f4201a17a0e97c info msg 1039956: bytes 220 from <sioux@gustav.cpd.ufv.br> qp 4069 uid 1000
@4000000050f4201a17a1761c starting delivery 21: msg 1039956 to local vlobo@gustav.cpd.ufv.br
@4000000050f4201a17a1df94 status: local 1/100 remote 0/400
@4000000050f4201a17d130dc delivery 21: deferral: Temporary_failure_in_LDAP_lookup._(#4.4.3)./
@4000000050f4201a17d1f814 status: local 0/100 remote 0/400


Here is what I get from qmail-ldaplookup:

gustav# ../bin/qmail-ldaplookup -d 255 -m vlobo@gustav.cpd.ufv.br
Searching ldap for: (|(mail=vlobo@gustav.cpd.ufv.br)(mailAlternateAddress=vlobo@gustav.cpd.ufv.br)))
under dn: ou=people,dc=ufv,dc=br
qmail-ldaplookup: fatal: qldap_filter: unspecified error
gustav#


And here is what I got from the slapd log:

50f42010 ber_get_next on fd 14 failed errno=0 (Undefined error: 0)
50f42010 connection_read(14): input error=-2 id=1047, closing.
50f42010 connection_closing: readying conn=1047 sd=14 for close
50f42010 daemon: activity on 1 descriptor
50f42010 daemon: waked
50f42010 daemon: select: listen=5 active_threads=0 tvp=zero
50f42010 daemon: select: listen=6 active_threads=0 tvp=zero
50f42010 daemon: select: listen=7 active_threads=0 tvp=zero
50f42010 daemon: select: listen=8 active_threads=0 tvp=zero
50f42010 daemon: select: listen=9 active_threads=0 tvp=zero
50f42010 connection_close: deferring conn=1047 sd=14
50f42010 conn=1047 op=1 do_unbind
50f42010 conn=1047 op=1 UNBIND
50f42010 connection_resched: attempting closing conn=1047 sd=14
50f42010 connection_close: conn=1047 sd=14
50f42010 daemon: removing 14
50f42010 conn=1047 fd=14 closed

But when I try by hand:

sioux@gustav$ ldapsearch -D cn=mail,ou=appsrv,dc=ufv,dc=br -b ou=people,dc=ufv,dc=br -h localhost -W \(\|\(mail=vlobo@gustav.cpd.ufv.br\)\(mailAlternateAddress=vlobo@gustav.cpd.ufv.br\)\)
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=ufv,dc=br> with scope subtree
# filter: (|(mail=vlobo@gustav.cpd.ufv.br)(mailAlternateAddress=vlobo@gustav.cpd.ufv.br))
# requesting: ALL
#

# vlobo, people, ufv.br
dn: uid=vlobo,ou=people,dc=ufv,dc=br
uid: vlobo
objectClass: organizationalRole
objectClass: posixAccount
objectClass: qmailUser
homeDirectory: /home/vlobo
userPassword:: e1NBU0x9dmxvYm9AVUZWLkJS
mail: valter.lobo@gustav.cpd.ufv.br
mailAlternateAddress: vlobo@gustav.cpd.ufv.br
mailHost: gustav.cpd.ufv.br
mailMessageStore: vlobo

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
sioux@gustav$


Everything works. What am I doing wrong?
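One visible difference between the two runs above: the filter echoed by qmail-ldaplookup ends in three closing parentheses, while the hand-typed ldapsearch filter that works ends in two (the post does not say whether that is the cause of the qldap_filter error). As an added example, not qmail-ldap's own code, here is a small Python builder for the same OR filter shape with RFC 4515 escaping, so an address taken from a message cannot inject filter terms, plus a balance check that pinpoints a stray parenthesis.

```python
# Added example, not qmail-ldap's own code: the filter shape qmail-ldaplookup
# prints, built with RFC 4515 escaping, plus a parenthesis-balance check.

SPECIAL = {"\\", "*", "(", ")", "\x00"}


def ldap_escape(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value, so text
    taken from a sender address or login name cannot add or close filter terms."""
    return "".join(f"\\{ord(ch):02x}" if ch in SPECIAL else ch for ch in value)


def qmail_address_filter(address: str) -> str:
    """Match an address as mail or as mailAlternateAddress, the same OR filter
    that qmail-ldaplookup echoes in the post above."""
    v = ldap_escape(address)
    return f"(|(mail={v})(mailAlternateAddress={v}))"


def filter_balance(filt: str) -> tuple:
    """Return (True, -1) when parentheses balance, (False, index) at the first
    stray ')' and (False, len(filt)) when opens are left unclosed. Escape
    sequences such as '\\29' are skipped, so escaped parentheses never count
    as filter structure."""
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":          # backslash followed by two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False, i
        i += 1
    return (True, -1) if depth == 0 else (False, len(filt))


# Constructed checks: the working ldapsearch filter from the post, the string
# qmail-ldaplookup printed (one extra ')'), and an injection attempt that the
# escaping neutralises.
GOOD = qmail_address_filter("vlobo@gustav.cpd.ufv.br")
BAD = GOOD + ")"
INJECTED = qmail_address_filter("vlobo@gustav.cpd.ufv.br)(uid=*")

if __name__ == "__main__":
    for name, f in (("good", GOOD), ("bad", BAD), ("injected", INJECTED)):
        print(name, filter_balance(f), f)
```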

Friedrich Locke | 14 Jan 2013 13:42

qmail-ldap failed to compile

Hi!

I am trying to install qmail-ldap on my server, but I am getting problems related to compilation. Here it is:

...
...
nroff -man forgeries.7 > forgeries.0
./load auth_dovecot auth_mod.o checkpassword.o passwd.o digest_md4.o  digest_md5.o digest_rmd160.o digest_sha1.o base64.o read-ctrl.o  getopt.a control.o qldap.a dirmaker.o mailmaker.o localdelivery.o  locallookup.o pbsexec.o constmap.o getln.a strerr.a substdio.a  stralloc.a env.a wait.a dns.o ip.o ipalloc.o ipme.o alloc.a str.a  case.a fs.a error.a timeoutconn.o timeoutread.o ndelay.a open.a  prot.o auto_uids.o auto_qmail.o -L/usr/local/lib -lldap -llber   `cat dns.lib` `cat socket.lib`
/usr/local/lib/libldap.so.12.0: warning: strcpy() is almost always misused, please use strlcpy()
/usr/local/lib/libldap.so.12.0: warning: strcat() is almost always misused, please use strlcat()
/usr/local/lib/libldap.so.12.0: warning: sprintf() is often misused, please use snprintf()
auth_dovecot.o(.text+0x26f): In function `auth_init':: undefined reference to `loglevel'
auth_dovecot.o(.text+0x27b): In function `auth_init':: undefined reference to `loglevel'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /tmp/qmail-1.03 (line 132 of Makefile).
gustav#

I am using qmail 1.03 and qmail-ldap-1.03-20120221.patch.gz

Any idea about my mistake?

