qmail(-tls) smtp-auth patch broken?

Hi guys,

I have an 8.2 amd64 machine where I have to build qmail but unfortunately, the end result doesn't work as expected because one can use *ANY* username and password (in fact, *ANY* key on the keyboard) to get a valid login into qmail.

I built qmail-tls and qmail from the ports with the following options:
Code:
     SMTP_AUTH_PATCH=on "Provide SMTP Authentication"
     QMAILQUEUE_PATCH=on "run a QMAILQUEUE program"
     BIG_TODO_PATCH=on "enable big_todo qmail patch"
     BIG_CONCURRENCY_PATCH=on "use a concurrency greater than 240"
     QMTPC_PATCH=on "send email using qmtp protocol"
     MAILDIRQUOTA_PATCH=on "Maildir++ support"
     BLOCKEXEC_PATCH=on "block many windows viruses/worms"
     DISCBOUNCES_PATCH=on "discard double-bounces"
     EXTTODO_PATCH=on "extern high-perform. todo processing"
     RCDLINK=on "create rc.d/qmail.sh symlink"
Installed tcpserver with:
Code:
     MAN=on "Install man(1) pages"
     RSS_DIFF=on "Patch rblsmtpd for qmail users"
     SSL=on "Adds support for SSL (Secure Socket Layer)"
Installed checkpassword and vpopmail (with threaded-perl 5.12).

I start qmail with

Code:
/usr/local/bin/tcpserver -H -R -c 255 -x /etc/tcp.smtp.cdb -u 82 -g 81 0 25 /var/qmail/bin/qmail-smtpd \
    /usr/local/bin/checkpassword /usr/bin/true

and /etc/tcp.smtp contains:

Code:
127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow

The problem is the following (telnet from another network/country/ISP/etc):

Code:
telnet <ip> 125        <- pf redirect rule from external 125 to internal 25
Trying <ip>...
Connected to <ip>.
Escape character is '^]'.
220 <dns goes here> ESMTP
ehlo c
250- <dns goes here>
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
auth login plain
334 UGFzc3dvcmQ6
typewhatever       <- should be base64 encoding here and then it should ask for a password
235 ok, go ahead (#2.0.0)

so, what? I can type whatever I want and I get a green "go ahead"? That's weird.

What I've tried so far:
  1. Using the /usr/local/bin/checkpassword instead of /usr/local/vpopmail/bin/vchkpw, but to no avail.
  2. netqmail-1.06 with the smtp-patch - makes no difference
  3. qmail-1.03 from djb website - no difference
  4. Fresh VirtualBox 8.2-amd64 installation with up-to-date ports - same result
  5. Also tried a 9-STABLE (amd64) but due to problems with the utmp.h file and qmail, I did not go further.
So, I think that the problem is with the patch somehow. I looked at the distinfo file and noticed the last change date is April 12 this year, and on freshports.org there is no mention of any update since 2008.


Can someone replicate this problem?
 
Found a solution (although I do not really understand it). The idea is to place a word (any) between
Code:
/var/qmail/bin/qmail-smtpd
and
Code:
/usr/local/bin/checkpassword
resulting in something like
Code:
/var/qmail/bin/qmail-smtpd mail.dns.maybe /usr/local/bin/checkpassword
when executing the tcpserver binary.

Exactly WHY it works, especially this way, is beyond me. I'm still trying to understand, but for the moment, it works. The only thing that concerns me is that by doing it this way, and not really understanding the solution, I may pose a security or any other kind of threat to the future environment.
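The argument order is what decides this, and the thread never spells it out. The SMTP AUTH patch runs qmail-smtpd as `qmail-smtpd hostname checkprogram subprogram`: the first argument is the hostname used in the CRAM-MD5 challenge, the second is the checkpassword-style program that gets the credentials on fd 3, and the third is what that program execs once the password is accepted. With `qmail-smtpd /usr/local/bin/checkpassword /usr/bin/true`, the checkpassword binary is taken as the hostname and `/usr/bin/true` becomes the authenticator, so every login is accepted. The script below is an added example (not from the thread, the port, or qmail itself) that reproduces the checkpassword exchange the way qmail-smtpd performs it, so the same harness can be pointed at any checkprogram argument list to confirm it actually rejects a wrong password. The demo checker, its credential table and the stand-in for `/usr/bin/true` are constructed for this example.

```python
import os
import sys

# A minimal checkpassword-style authenticator, constructed for this example.
# Interface (DJB checkpassword): fd 3 carries user\0password\0timestamp\0;
# exit 1 = rejected, exit 2 = malformed input, exec of argv[1:] = accepted.
CHECKER_SRC = r'''
import os, sys
buf = b""
while True:
    chunk = os.read(3, 512)
    if not chunk:
        break
    buf += chunk
fields = buf.split(b"\0")
if len(fields) < 3:
    sys.exit(2)                      # malformed input
USERS = {"alice": "correct horse"}   # constructed demo credential store
if USERS.get(fields[0].decode()) != fields[1].decode():
    sys.exit(1)                      # wrong user or password
os.execv(sys.argv[1], sys.argv[1:])  # accepted: hand over to the subprogram
'''

# Stand-in for /usr/bin/true so the example does not depend on its path.
TRUE_PROG = [sys.executable, "-c", "raise SystemExit(0)"]

# Correct layout of the checkprogram slot: the checker, then its subprogram.
REAL_CHECKER = [sys.executable, "-c", CHECKER_SRC] + TRUE_PROG

# What lands in the checkprogram slot when the hostname argument is missing:
# the "true" program itself, which exits 0 for any input.
TRUE_AS_CHECKER = TRUE_PROG


def authenticate(checkprogram, user, password):
    """Run checkprogram the way qmail-smtpd does: fork, hand the credentials
    to the child on fd 3, and report success only if the child exits 0."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                     # child
        os.close(w)
        os.dup2(r, 3)
        if r != 3:
            os.close(r)
        os.set_inheritable(3, True)  # fd 3 must survive the exec
        try:
            os.execv(checkprogram[0], checkprogram)
        finally:
            os._exit(111)            # exec failed: temporary failure
    os.close(r)
    payload = user.encode() + b"\0" + password.encode() + b"\0" + b"\0"
    os.write(w, payload)
    os.close(w)
    _, status = os.waitpid(pid, 0)
    return os.WIFEXITED(status) and os.WEXITSTATUS(status) == 0


def audit():
    """Compare outcomes for a real checker and for 'true' in the checker slot."""
    return {
        "real checker, right password": authenticate(REAL_CHECKER, "alice", "correct horse"),
        "real checker, wrong password": authenticate(REAL_CHECKER, "alice", "typewhatever"),
        "true in checker slot, garbage": authenticate(TRUE_AS_CHECKER, "nobody", "typewhatever"),
    }


if __name__ == "__main__":
    for case, ok in audit().items():
        print(f"{case}: {'235 ok, go ahead' if ok else '535 authentication failed'}")
```

Running it prints the accept/reject outcome for each case; only the third, with the "true" program in the checker slot, lets garbage credentials through. To audit a live setup, replace `REAL_CHECKER` with the exact argument list that follows the hostname in your tcpserver line (e.g. `["/usr/local/vpopmail/bin/vchkpw", "/usr/bin/true"]`) and run the script as the same user tcpserver drops to; a checker that returns True for a made-up password is the problem the thread describes.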
 
The random word (usually HOSTNAME) is used to generate the challenge for MD5.
Apparently, an empty word means an empty challenge? Still kind of buggy.
 
I have since moved on to the following startup:

Code:
exec /usr/local/bin/softlimit -m 69000000 /usr/local/bin/tcpserver -H \
    -l <maildns.goes.here> -R -c 512 -x /var/qmail/tcp.smtp.cdb -u 82 -g 81 \
    0 smtp /usr/local/bin/rblsmtpd -b -r bl.spamcop.net \
    /var/qmail/bin/qmail-smtpd <maildns.goes.here> /usr/local/vpopmail/bin/vchkpw \
    /usr/bin/true 2>&1 | /var/qmail/bin/splogger /usr/local/bin/rblsmtpd &
 
You're not still running 8.2 are you?
Using 10.2, I also encountered issues with utmp.h when trying to roll my own, although the port built without a hitch.

That said, I've been unable to get smtp_auth to work at all, which is at the other end of the spectrum from what you've been encountering. The vpopmail roaming users feature also seems non-functional. That makes this MTA of little utility for my intended application.
 
No, of course not. I'm at 10.2 amd64.

My setup is actually fully working. If you have issues maybe you can open another thread about it.
 
Thanks for the input. Seem to have it sorted now. A couple of minor changes required though.
For vchkpw to work, tcpserver should be run as vpopmail:vchkpw, not as qmaild.
Also, tcp.smtp.cdb along with *.pem in /var/qmail/control should be readable by vpopmail.

Code:
exec /usr/local/bin/softlimit -m 69000000 /usr/local/bin/tcpserver -H \
  -l $SMTP_HOSTNAME -R -c 512 -x /var/qmail/control/tcp.smtp.cdb -u `id -u vpopmail` -g `id -g vpopmail` \
  0 smtp /usr/local/bin/rblsmtpd -b -r bl.spamcop.net \
  /var/qmail/bin/qmail-smtpd $SMTP_HOSTNAME /usr/local/vpopmail/bin/vchkpw \
  /usr/bin/true 2>&1 | /var/qmail/bin/splogger /usr/local/bin/rblsmtpd &

Also rebuilt vpopmail without roaming users support, since it serves no purpose with smtp_auth enabled, and all those cdb files it generates just clutter things up.
 
One other odd behaviour I had to fix was all the looping mail for log. Found a fix at http://notes.sagredo.eu/node/42

Creating a file ~alias/.qmail-log as below seems to send the logging info where it's supposed to go. Can't say the awk script jumps off the page with self-evident meaning, though. I just copied and pasted it in there. Otherwise, every mail I send generates a mail to log@$SMTP_HOST which bounces and generates more mail for log, etc.

Code:
| awk '/^$/ { exit } /^[mM][eE][sS][sS][aA][gG][eE]/ { print } /^[rR][eE][cC][eE][iI][vV][eE][dD]:/ { print; } /^[fF][rR][oO][mM]:/ { print } /^[tT][oO]:/ { print } /^[sS][uU][bB][jJ][eE][cC][tT]:/ { print } /^[xX]-[mM][aA][iI][lL][eE][rR]/ { print } /[hH][eE][lL][oO]/{ print } /^[rR][eE][pP][lL][yY]-[tT][oO]/{ print } /^[rR][eE][tT][uU][rR][nN]-[pP][aA][tT][hH]/{ print } /^[cC][cC]:/{ print } /^[dD][eE][lL][iI][vV][eE][rR][eE][dD]-[tT][oO]/{ print } /^[dD][aA][tT][eE]:/{ print } / by /{ print } / id /{ print } /<.*>/{ print }'
| echo "---"
 
I cannot believe it's 2016 and all of you are still using softlimit. That softlimit goes back to the days of qmailrocks and we're talking seriously old qmail.

Why not update and use the latest and greatest qmail guide at http://freebsdrocks.net. My newest addition is letsencrypt which will allow you to create free ssl certificates for apache and qmail.

Any questions feel free to pm me.
 