I just patched a working qmail installation with the qmail-authentication-064 patch from http://www.fehcom.de. While I feel I followed all install directions, I can't seem to get it to work correctly. The authentication seems to be initiated, but all username and password combos are rejected by the server. I'm really at a loss here, as I can't figure out what I have done wrong. I will lay out all details of the installation and would be very thankful if you could have a look and see if you can catch any errors or suggest additional tests to narrow down the problem.
For full disclosure, this is what is installed and configured (closely following the Life with qmail instructions):
netqmail-1.05
ucspi-tcp-0.88
daemontools
qmail-scanner-1.25 (tnef-1.3.3, maildrop-1.8.1, perl-suidperl, Mail-SpamAssassin-3.0.4)
qmail-authentication-064
I ran the qmail-authentication-064 patch in the netqmail-1.05 source directory and remade qmail as per instructions (deleted the line #define CRAM_MD5 from the qmail-smtpd.c file before make). Everything seemed fine. I also made the recommended adjustments to the smtpd/ run file. It now looks like this:
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`
#QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#export QMAILQUEUE
if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ]; then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi
if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi
exec /usr/local/bin/softlimit -m 6000000 \
    /usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 5190 /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true 2>&1
All qmail services (before and after the patch) start up fine and I can send emails to the server and they are processed correctly. Trying to send email without authentication works as expected too, as the connection is rejected.
In addition, checkpassword works fine when used in conjunction with qmail-pop3d. All users are authorized correctly and I can POP3 into the server just fine.
When I try to send mail via the client (Mail.app on OS X Tiger), the server seems to be asking for authentication as expected: it takes a while and then Mail.app prompts me to enter a valid password again and again, rejecting the username & password that I know to be correct (in /etc/passwd). I seem to be able to confirm that authorization is at least taking place by this quick test:
telnet mydomain.com 5190
Trying [ip_address]...
Connected to mydomain.com.
Escape character is '^]'.
S: 220 mydomain.com ESMTP
Me: ehlo
S: 250-mydomain.com
S: 250-PIPELINING
S: 250-8BITMIME
S: 250-SIZE 0
S: 250 AUTH LOGIN PLAIN
Me: auth login
S: 334 VXNlcm5hbWU6
Me: [Base64 encoded username]
S: 334 UGFzc3dvcmQ6
Me: [Base64 encoded password]
S: 535 authentication failed (#5.7.1)
As you can see, authentication fails, even though I know that this is a good username/password combo.
Given all these indicators, I have a tough time even narrowing it down to a specific problem area, but I feel it might be related to one of the following:
1. checkpassword not querying from /etc/passwd, or using the wrong method to query: I tried to eliminate all potential problems by explicitly deleting the MD5 compile option.
2. checkpassword permission problems:
The install doc says /bin/checkpassword has to be made sticky (I don't really understand why), so initially I had:
-rwxrwxrwt 1 root root 7804 Jul 17 16:16 /bin/checkpassword**
Later on I found a comment by the patch author that showed these permissions, so I also tried this:
-rws--x--x 1 root root 7804 Jul 17 16:16 /bin/checkpassword*
The qmail-smtpd binary is set to this:
-rwxr-xr-x 1 root nofiles 31032 Jul 21 01:56 /var/qmail/bin/qmail-smtpd*
Having these permissions, POP3 auth still works and the telnet 5190 test still returns the same 535 code. However, my mail client, instead of prompting me to re-enter the password, right away tells me that it can't send to this server. Since the run script executes qmail-smtpd with the group of qmaild (nofiles), I also tried changing the group to nofiles for both checkpassword and the qmail-smtpd binary.
So, to clarify this once and for all: what should the correct permissions be for the /bin/checkpassword file in order to use it with SMTP AUTH?
3. Problem with qmail-scanner?
While qmail-scanner works great, is there a possibility that it could interfere with the smtp-auth patch? I'm calling qmail-scanner through /etc/tcp.smtp as follows:
# No Qmail-Scanner at all for mail from 127.0.0.1
127.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
# Use Qmail-Scanner without SpamAssassin on any mail from the local network
# [it triggers SpamAssassin via the presence of the RELAYCLIENT var]
10.:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
#
# Use Qmail-Scanner with SpamAssassin on any mail from the rest of the world
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
I would think that authentication is long done by the time this is used, but just in case I ask: could this cause any problems with authentication?
4. I am missing something on how username/password should be presented.
I read http://www.fehcom.de/qmail/smtpauth.html and it seems to me that I simply use the username and password as registered with my system (/etc/passwd). Thus, in Mail.app I chose auth method Login and entered the username and password in plaintext, since Mail.app will do the base64 encoding. In the telnet example I simply base64 encode both username and password. I know that passwd programs like checkvpw need user info in the form of userid@virtualdomain.com, but I could not find any info that points to anything like that for /bin/checkpassword.
One thing I'd like to point out, just in case, is that I duplicated the /service/qmail-smtpd folder to /service/qmail-smtpd_5190 and changed the qmailctl script to accommodate this as well. Then in the run file for qmail-smtpd_5190 I changed smtp to 5190 and opened the port on our firewall. The reason for this is that my ISP blocks port 25 and I had to make qmail listen on port 5190 as well. So the qmail-smtpd run script listed above refers to the _5190 one. I verified that port 5190 was listening with netstat, and the telnet test also seems to indicate that this is working fine. When connecting with Mail.app I made sure this is done through port 5190.
I know this was a very long description, but I feel that laying out the entire scenario might be the only way for any of you to catch possible errors etc. Your input is greatly appreciated.
Cheers,
Sebastian
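A small test harness for the exchange quoted in the post, added here as an example; it is not part of the original message, of qmail, or of the fehcom patch. It decodes the 334 challenges (VXNlcm5hbWU6 and UGFzc3dvcmQ6 are simply "Username:" and "Password:"), builds the client responses for AUTH LOGIN and for AUTH PLAIN, classifies the final 235/535 reply, and can invoke a checkpassword-compatible binary on fd 3 exactly the way qmail-smtpd hands credentials to it, so the two halves of the failure (the SMTP dialog and checkpassword itself) can be tested separately. The host, port, user name, password and the sample EHLO lines are constructed for illustration; credentials go over the wire in the clear, just as in the telnet test.

```python
"""Decode and drive the SMTP AUTH exchange, and exercise a checkpassword
binary the way qmail-smtpd does. Added example; not qmail or patch code."""
import base64
import os
import socket
import subprocess

# Constructed sample: the EHLO reply and the two challenges quoted in the post.
SAMPLE_EHLO = ["250-mydomain.com", "250-PIPELINING", "250-8BITMIME",
               "250-SIZE 0", "250 AUTH LOGIN PLAIN"]
SAMPLE_CHALLENGES = ["334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6"]


def auth_mechanisms(ehlo_lines):
    """Return the AUTH mechanisms advertised in a multi-line EHLO response."""
    for line in ehlo_lines:
        words = line[4:].split()            # strip the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            return words[1:]
    return []


def decode_challenge(line):
    """Turn a '334 <base64>' continuation into its plain prompt text."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not an AUTH continuation: %r" % line)
    return base64.b64decode(payload).decode("ascii")


def login_responses(user, password):
    """AUTH LOGIN: user name and password are base64-encoded separately."""
    b64 = lambda s: base64.b64encode(s.encode()).decode("ascii")
    return [b64(user), b64(password)]


def plain_initial_response(user, password, authzid=""):
    """AUTH PLAIN: a single blob, authzid NUL authcid NUL password (RFC 4616)."""
    raw = authzid.encode() + b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def classify_reply(line):
    """235 = credentials accepted, 535 = rejected, anything else = other error."""
    return {"235": "accepted", "535": "rejected"}.get(line[:3], "error")


def checkpassword_payload(user, password, timestamp=""):
    """Bytes qmail-smtpd writes to checkpassword's fd 3: user NUL pass NUL timestamp NUL."""
    return b"\0".join([user.encode(), password.encode(), timestamp.encode()]) + b"\0"


def run_checkpassword(user, password, binary="/bin/checkpassword", prog=("/bin/true",)):
    """Exit status of a checkpassword-compatible binary fed as qmail-smtpd feeds it:
    0 accepted, 1 wrong credentials, 2 misuse, 111 temporary failure.
    Reading shadowed passwords needs root or the setuid bit on the binary."""
    r, w = os.pipe()
    os.write(w, checkpassword_payload(user, password))
    os.close(w)
    os.dup2(r, 3)                           # the interface fixes the descriptor at 3
    if r != 3:
        os.close(r)
    try:
        return subprocess.call([binary, *prog], pass_fds=(3,))
    finally:
        os.close(3)


def smtp_auth_login(host, port, user, password, timeout=10):
    """Run the EHLO / AUTH LOGIN dialog over a plain socket; return (outcome, transcript)."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")

        def recv():
            lines = []
            while True:
                line = f.readline().decode("ascii", "replace").rstrip("\r\n")
                transcript.append("S: " + line)
                lines.append(line)
                if len(line) < 4 or line[3] != "-":   # last line of a multi-line reply
                    return lines

        def send(text):
            transcript.append("C: " + text)
            s.sendall((text + "\r\n").encode("ascii"))

        recv()                                        # 220 banner
        send("EHLO test.invalid")
        if "LOGIN" not in auth_mechanisms(recv()):
            return "no-login-mechanism", transcript
        send("AUTH LOGIN")
        for answer in login_responses(user, password):
            prompt = decode_challenge(recv()[0])      # "Username:" then "Password:"
            transcript.append("   (challenge decodes to %r)" % prompt)
            send(answer)
        outcome = classify_reply(recv()[0])           # 235 or 535
        send("QUIT")
        return outcome, transcript


if __name__ == "__main__":
    # Constructed values; point these at your own listener (port 5190 in the post).
    result, log = smtp_auth_login("mydomain.com", 5190, "alice", "secret")
    print("\n".join(log))
    print("outcome:", result)
```

Running `run_checkpassword()` as root on the server with a known-good account separates the two suspects in the post: an exit status of 0 there means checkpassword and its permissions are fine and the problem lies in what qmail-smtpd passes to it, while 1 or 111 points at the binary or its environment.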