Date: Wed, 09 Apr 2008 12:57:49 -0400
From: Jeff Dickens <jeff@seamanpaper.com>
To: freebsd-questions@freebsd.org
Cc: garga@FreeBSD.org
Subject: [Fwd: Re: smtp auth - checkpw or auth_cdb or ?]
Message-ID: <47FCF58D.9040507@seamanpaper.com>
I posted the message quoted below to the qmail list, and got a reply (below) from jms1 asking just which patches I have with the qmail port. Does the SMTP_AUTH_PATCH config option in the freebsd port use jms1's patches? I sort of doubt this is a repeat of the "qmailrocks" debacle, but I'd like to know whether there would be any advantage to building qmail from source without using the port.

On 2008-04-08, at 1739, Jeff Dickens wrote:
>
> I'm trying to set up an authenticated SMTP server. I have the
> freebsd qmail 1.03_6 port, built with the SMTP_AUTH_PATCH config
> option.

which means what, exactly? what patches are included in that port?

i ask because some of the variables listed in your "run" script (i.e. AUTH_CDB, REQUIRE_AUTH, ALLOW_INSECURE_AUTH, FORCE_TLS, DENY_DLS, etc.) are specific to features which only exist (as far as i know) in my combined patch.

i've been told that there was an attempt to build a freebsd "port" with my patch in it, but (1) i didn't write the port; (2) if this "run" script is part of it, it looks like the people who put the port together wrote their own scripts instead of using the ones from my web site; (3) the people who wrote the port didn't tell me that they were releasing it, or offer me a chance to preview what they were releasing (does the word "qmailrocks" sound familiar here?) and (4) i don't use freebsd, so if there is a port out there, i have no way to test it or provide support for it.

the only things i could suggest would be to contact whoever wrote the port for assistance, or do the same thing people recommend for debian linux: build qmail from source, by hand instead of using a package manager like "ports" or "rpm", so that you KNOW exactly what is and is not included.

start with http://lifewithqmail.org/ and then, if you need any extra features which aren't part of netqmail, spend some time reading my qmail site, as well as the web sites for several of the other "mega-patches" out there, and figure out which one is going to best meet your needs. follow the directions for that patch, and if you run into problems, ask on the mailing lists for those patches (i have a list, i know bill shupp's "qmail toaster" has a list, and i'm pretty sure the others do as well.)

- --------------------------------------------------------
| John M. Simpson -- KG4ZOW -- Programmer At Large |
| http://www.jms1.net/ <jms1@jms1.net> |
- --------------------------------------------------------
| Hope for America -- http://www.ronpaul2008.com/ |
- --------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkf8CjYACgkQEB9RczMG/Pt/bACfbjJlOiW2hFpJrryEF5GCB1GC
tAoAn1j1tyVqd8P0+htuPtNInXh9cHns
=5neJ
-----END PGP SIGNATURE-----

Here's my original message, fyi:

I'm trying to set up an authenticated SMTP server. I have the freebsd qmail 1.03_6 port, built with the SMTP_AUTH_PATCH config option. My "run" script looks like this:

#!/bin/sh
# qmail-submit/run
exec 2>&1
CONLIMIT=9
#AUTH_CDB="/var/qmail/auth/auth.cdb"
CHECKPW="/usr/local/bin/checkpassword-pam"
PAM_SERVICE="submit"
LOCAL=`head -1 /var/qmail/control/me`
TRUE=`which true`
AUTH=1
REQUIRE_AUTH=1
ALLOW_INSECURE_AUTH=0
PORT=465
#SSL=1
FORCE_TLS=0
DENY_DNS=0
#
echo "*** Starting qmail-submit..."
exec \
    envuidgid qmaild \
    softlimit -m 3000000 -f 10000000 \
    tcpserver -v -HR \
    -U \
    -c ${CONLIMIT} \
    0 ${PORT} \
    /var/qmail/bin/qmail-smtpd ${LOCAL} ${CHECKPW} ${TRUE}

I tried to test it (fear not, this test account is not accessible from the net; SSL is turned off just until I get it working this far):

# perl -MMIME::Base64 -e 'print encode_base64("\000test\000test")'
AHRlc3QAdGVzdA==
# telnet 0 465
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
220 asdf.asdf.com ESMTP
EHLO test
250-asdf.asdf.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME
AUTH PLAIN AHRlc3QAdGVzdA==
535 authorization failed (#5.7.0)

I should mention this takes a few seconds to fail. But the checkpassword-pam does seem to work, and very quickly indeed:

# echo -e "test\0test\0\timestamp\0" | checkpassword-pam -s submit --debug --stdout -- /usr/bin/id 3<&0
Reading username and password
Username 'test'
Password read successfully
Initializing PAM library using service name 'submit'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password:"
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1005(test) gid=1005(test) groups=1005(test)
#

I created a vanilla /etc/pam.d/submit file:

# grep -v # /etc/pam.d/submit
auth    required    pam_unix.so    no_warn try_first_pass

I'm just using the local password file, as very few people will be needing this service, but I want it to be available.

Can anyone see what I'm doing wrong? Thanks much in advance.
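An added worked example, not code from the message above, from qmail, from the jms1 patch or from the FreeBSD port: it reproduces in Python the hand-off an SMTP-AUTH-patched qmail-smtpd makes for the AUTH PLAIN exchange shown in the telnet session, so that each step can be exercised on its own. It decodes the client's base64 (RFC 4616: authzid NUL authcid NUL password), hands "user NUL password NUL timestamp NUL" to a checkpassword program on descriptor 3 (the same protocol the manual `checkpassword-pam ... 3<&0` test drives by hand), and turns the program's exit status (0 ok, 1 bad credentials, 2 misuse, 111 temporary failure, per the checkpassword interface) into an SMTP reply. Assumptions, also marked in the code: a constructed shell stub that accepts only test/test stands in for checkpassword-pam; the timestamp field is left empty for PLAIN; the function names and the 235, 454 and 501 reply texts are mine, only the 535 line is taken from the session above. One thing the stub cannot reproduce: under the run script the real checker is started through envuidgid as qmaild, not as the root shell used for the manual test, so whether checkpassword-pam can read what PAM needs when run as that user is a separate check worth making.

```python
"""Added example (not code from qmail, the jms1 patch or the FreeBSD port): the
hand-off a SMTP-AUTH-patched qmail-smtpd makes for AUTH PLAIN, done by hand:
decode the client's base64 (RFC 4616: authzid NUL authcid NUL passwd), feed
user NUL password NUL timestamp NUL to the checker on descriptor 3 (the same
protocol as the manual `checkpassword-pam ... 3<&0` test), and map its exit
status to an SMTP reply. A constructed stub stands in for checkpassword-pam."""
import base64
import os
import shutil
import stat
import tempfile

# Exit statuses of the checkpassword interface (cr.yp.to/checkpwd/interface.html).
CHECKPW_OK, CHECKPW_BAD_CREDENTIALS, CHECKPW_MISUSE, CHECKPW_TEMP_FAILURE = 0, 1, 2, 111

def decode_auth_plain(b64):
    """Split a base64 AUTH PLAIN response into (authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN response must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("empty authentication identity or password")
    return authzid, authcid, password

def checkpassword_payload(user, password, timestamp=""):
    """Bytes the checker reads on fd 3: user NUL password NUL timestamp NUL.
    Assumption: for PLAIN/LOGIN the timestamp slot is empty (CRAM-MD5 uses it)."""
    fields = (user, password, timestamp)
    if any("\0" in f for f in fields):
        raise ValueError("NUL byte inside a checkpassword field")
    return "".join(f + "\0" for f in fields).encode("utf-8")

def run_checkpassword(checkpw, subprogram, user, password, timestamp=""):
    """Run `checkpw subprogram` with the payload on fd 3; return its exit status.
    fork/dup2/exec instead of subprocess, so that fd 3 is wired explicitly."""
    payload = checkpassword_payload(user, password, timestamp)
    rfd, wfd = os.pipe()
    os.write(wfd, payload)  # a few bytes: fits the pipe buffer, so write before forking
    os.close(wfd)
    pid = os.fork()
    if pid == 0:  # child: the checker must see the pipe as an inheritable fd 3
        try:
            os.dup2(rfd, 3)
            os.set_inheritable(3, True)  # os.pipe() fds are close-on-exec by default
            if rfd != 3:
                os.close(rfd)
            os.execv(checkpw, [checkpw, subprogram])
        finally:
            os._exit(CHECKPW_TEMP_FAILURE)
    os.close(rfd)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else CHECKPW_TEMP_FAILURE

def smtp_reply(status):
    """Reply for a checker status. The 535 line is the one in the session above;
    the 235 and 454 texts are assumed wording, not quoted from qmail-smtpd."""
    if status == CHECKPW_OK:
        return "235 ok, go ahead (#2.0.0)"
    if status in (CHECKPW_BAD_CREDENTIALS, CHECKPW_MISUSE):
        return "535 authorization failed (#5.7.0)"
    return "454 temporary authentication failure (#4.3.0)"

def authenticate(auth_plain_b64, checkpw, subprogram):
    """One AUTH PLAIN command end to end: returns (checker status, SMTP reply)."""
    try:
        _authzid, user, password = decode_auth_plain(auth_plain_b64)
    except ValueError:  # UnicodeDecodeError and binascii.Error are ValueErrors too
        return CHECKPW_MISUSE, "501 malformed auth input (#5.5.4)"
    status = run_checkpassword(checkpw, subprogram, user, password)
    return status, smtp_reply(status)

# Constructed stand-in for checkpassword-pam: reads fd 3, accepts only test/test,
# and on success execs the subprogram (so exit 0), as the interface requires.
STUB_CHECKPW = r"""#!/bin/sh
fields=$(tr '\0' '\n' <&3); exec 3<&-
user=$(printf '%s\n' "$fields" | sed -n 1p)
pass=$(printf '%s\n' "$fields" | sed -n 2p)
[ -n "$user" ] || exit 2
[ "$user" = test ] && [ "$pass" = test ] && exec "$@"
exit 1
"""

def write_stub_checkpassword(directory):
    path = os.path.join(directory, "checkpassword-stub")
    with open(path, "w") as f:
        f.write(STUB_CHECKPW)
    os.chmod(path, stat.S_IRWXU)
    return path

def demo(auth_plain_b64):
    """Run one AUTH PLAIN value against the stub checker, with `true` as subprogram."""
    with tempfile.TemporaryDirectory() as d:
        checkpw = write_stub_checkpassword(d)
        return authenticate(auth_plain_b64, checkpw, shutil.which("true") or "/bin/true")

if __name__ == "__main__":
    # The page's own value, then a wrong password, then base64 with no NUL separators.
    for b64 in ("AHRlc3QAdGVzdA==", "AHRlc3QAd3Jvbmc=", "dGVzdA=="):
        print(b64, "->", demo(b64))
```

The stub is only there to make the protocol visible; swapping its path for /usr/local/bin/checkpassword-pam (and `true` for the real subprogram) turns demo() into the same call qmail-smtpd makes, run as whatever user invokes the script.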