Gentoo Forums
qmail ebuild with SMTP AUTH and SSL support

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Fri Nov 29, 2002 7:27 pm    Post subject: qmail ebuild with SMTP AUTH and SSL support

hey guys,

i've got qmail running on my gentoo box here. it is correctly forwarding messages to users, got aliases set up, etc. i also installed courier-imapd and squirrelmail which both seem to be working well. i have both apache and imapd running over SSL, and would like to get the same from smtp connections so that i can send mail out securely as well as receive securely, and i'd also like to enable smtp auth so that i can relay from various locations. from the qmail.org website, i see that there is a patch which will enable both ssl (with TLS, maybe somebody could clue me in as to what TLS means). to get this functionality with qmail, do i have to apply the patch and rebuild it myself? has anybody else done something like this that could show me where to start or point me in the right direction? i'd appreciate any help or suggestions.

thanks,
ryan

darktux
Veteran

Joined: 16 Nov 2002
Posts: 1086
Location: Coimbra, Portugal

Posted: Fri Nov 29, 2002 10:17 pm

Quote:
TLS
Transport Layer Security [protocol] (SSL)

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Sun Dec 01, 2002 5:53 pm

has anybody accomplished this at all that could just give me a pointer as to which direction to start looking? any advice appreciated.

thanks,
ryan

jeb-c4
n00b

Joined: 27 Jul 2002
Posts: 35

Posted: Wed Dec 04, 2002 2:50 am    Post subject: new ebuild

check the newest ebuild (hint it is masked for testing).

From the ebuild and Changelog, ldap and tls/smtp-auth conflict, so:

# export USE="-ldap"

Jeb

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Wed Dec 04, 2002 6:14 am

yeah i've been trying to get the newest ebuild to work... emerging it didn't work, svscan wouldn't load, complained that /var/qmail/rc didn't exist, so i copied rc from the -r8 ebuild, and svscan started qmail successfully, but it didn't have the TLS or AUTH support i was looking for. when i emerged the -r9 ebuild, it did seem to apply the patch, and it generated an openssl key. when i tried sending the smtp auth command, it returned 503 auth not available (#5.3.3), and when i tried to use ssl with outlook express, i got '454 TLS not available: missing certificate (#4.3.0)', even though i see both clientcert.pem and servercert.pem in /var/qmail/control/. i'm still investigating a little bit, but any advice is appreciated.

Larde
Guru

Joined: 07 Jun 2002
Posts: 313
Location: Duesseldorf, Germany

Posted: Wed Dec 04, 2002 6:41 am

I didn't have luck with the masked ebuild that's supposed to support smtp-auth either. I just took the current qmail ebuild, got the patch from http://members.elysium.pl/brush/qmail-smtpd-auth/ and patched it myself. (Just ebuild qmail... unpack, go to the unpacked source, patch it, ebuild qmail... compile etc.)

Larde.
_________________
Someday this will be my home... http://moonage.net/
I'll make you a deal
I'll say I came from Earth and my tongue is taped

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Wed Dec 04, 2002 8:19 am

thanks for the info larde... i haven't patched source before, maybe you could give me a hand with that real quick? i'd run ebuild /path/to/qmail-1.03-r8.ebuild unpack, then put the patch file into the source root directory for the qmail-1.03-r8, then run patch -p0 patchfile then ebuild qmail-1.03-r8 compile? does that sound right at all, or am i way off? oh, and i'm wanting to use the combined STARTTLS + SMTP AUTH patch http://students.imsa.edu/~ngroot/qmail-1.03-starttls-smtp-auth.patch if that matters.

also, did you get the same problem with /var/qmail/rc when starting up svscan that i did? maybe this is a bug in the ebuild that needs to be reported.

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Wed Dec 04, 2002 8:40 am

well hmmm... i was messing around with it and unmerged r9, then remerged r8, then remerged r9 again, and got the same svscan error with /var/qmail/rc. well, i copied the rc file from the r8 directory, since it doesn't seem to exist in r9 for some reason. then started up svscan and it worked, and this time starttls seems to work as well. smtp auth however is still unimplemented. i'm going to bed for now (it's 12:45 AM here in seattle), but i'll try to fiddle with it some more. maybe if i can get this all running i'll write up some documentation on a gentoo qmail server.

-ryan

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Wed Dec 04, 2002 8:15 pm

looking over the patch that is applied to add TLS and AUTH support, it appears that there are three additional arguments that need to be passed to qmail-smtpd on startup to get it to function properly. since this is run through supervise somehow, i haven't been able to tell how it actually gets started, or how to check and see if it's being passed these arguments.

also, it may be necessary to implement a different checkpassword program than the default in order to get full AUTH support. i don't know if this is really necessary (it looks as though you can get the basic LOGIN support without switching checkpassword programs, but i'm not sure). however, in my setup, it's not even advertising the auth service at all from what i can tell, so it doesn't seem to me as though this is the issue.

any help from someone with more experience than myself is appreciated, and hopefully my investigation will prove helpful to someone else other than myself.

-ryan

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Wed Dec 04, 2002 11:26 pm

if anybody else has tried this latest ebuild (r9), and could post with their experiences, it would be helpful to determine if this is a problem with the ebuild, in which case we could submit bug reports and get it worked on so that it can get fixed and unmasked all that much more quickly, or if it is some other problem that i'm having specifically, it would be much appreciated.

thanks,
ryan

xpunkrockryanx
Tux's lil' helper

Joined: 22 Sep 2002
Posts: 87
Location: College Place, WA, USA

Posted: Thu Dec 05, 2002 1:15 am

one thing i've just noticed is that when it starts to compile, it applies the other patches, but does not apply the TLS + AUTH patch as far as i can tell. i do have USE="-ldap ssl", so it *should* apply the patch. at the end of the build process, it does generate a security certificate, so that part seems to work, just not the AUTH.

also, in the r9 digest file, there's no md5 for the TLS + AUTH patch like there is for the other patches/files. i'm not sure if this is normal or not.

btg308
n00b

Joined: 14 Aug 2002
Posts: 72
Location: Östersund, Sweden

Posted: Wed Jan 01, 2003 10:37 pm    Post subject: Me too

I have the same problems. Wasn't able to easily patch the -r8 (I tried it another way, by adding the patch to the -r8 ebuild) but it didn't fly.

After messing with the WORKDIR (couldn't find the source directory, finally nabbed it in /var/tmp/portage) I manually patched and did a manual make. Starting the svscan again actually started the smtpd correctly (I used to get Unknown mailfront ESMTP messages when telnetting to port 25 and rejects of all incoming mail since I have an empty rcpthosts file). Haven't tested the AUTH yet...

EDIT: Right. Incoming mail just seems to disappear... Outgoing works. Oh, and to add to the confusion, I'm trying to get the qmail-scanner with spamassassin to work. The really sad part is that it did work a while, before the mailfront stuff cropped up. I'm going back to sendmail any second now...
_________________
Gentoo Linux - Feel the speed.
Kawasaki GPZ 1100 - The need for speed.

btg308
n00b

Joined: 14 Aug 2002
Posts: 72
Location: Östersund, Sweden

Posted: Wed Jan 01, 2003 11:57 pm    Post subject: Re-emerged, no go

I just re-emerged both qmail and qmail-scanner (which incidentally deleted a few empty tempdirs in /var/spool/qmailscan that I had to re-create manually, I think it's the emerge -clean stuff that does that), ebuild qmail-r8 unpack, applied the smtp-auth patch, ebuild qmail-r8 compile, ebuild qmail-r8 config, checked the run, tcp.smtp and rc files and it still silently throws away incoming mail. I see stuff coming in in var/log/qmail/qmail-smtpd/current but it never gets anywhere else, not to my maildir and no bounce back out.

Did you find how it gets started? It's the /var/qmail/supervise/qmail-smtpd/run file. I think. This is also where you need to add the "mail.domain.tld /bin/checkpasswd /bin/true" stuff but I haven't figured out what to do with the 2>$1 at the end of that line, if anything...

Scary stuff. I'm going to bed now and I'll probably have nightmares.

btg308
n00b

Joined: 14 Aug 2002
Posts: 72
Location: Östersund, Sweden

Posted: Thu Jan 02, 2003 4:03 pm    Post subject: Courier

I gave up on qmail and tried Courier-MTA. I don't care if Sam Varschawski IS the soup nazi, Courier rocks. Smooth install, SMTP-AUTH out-of-the-box, webadmin and webmail.

Now I just need to get the virus and spam filters operational... <- Famous last words. :-D

vert
Apprentice

Joined: 07 May 2002
Posts: 214
Location: Delft, The Netherlands

Posted: Sat Jan 11, 2003 8:54 pm

I'm having trouble with qmail too here. Just emerged r9 without any probs. I saw something with ssl pass by, had a look at the ebuild file and am now pretty sure the qmail-1.03-starttls-smtp-auth.patch is applied. Qmail is also still working as it used to do (which is good :D).
What I'm wondering now is how to actually start smtpd with auth support. When I telnet at port 25, there are no messages on available authentication methods (and I think there should be, according to google at least). I fooled around in the /var/qmail/supervise/qmail-smtpd/run file, but to no avail. Anybody got a clue on how to see to start smtpd with auth support or how to test that it is indeed installed (correctly)? Also, there is no smtpd-auth or something in the qmail/bin dir, should there be??

Praxxus
Apprentice

Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

Posted: Wed Jan 15, 2003 12:31 am    Post subject: Some Qmail Knowledge

I've successfully installed Qmail + SMTP AUTH + TLS before, but never with Gentoo.

I have installed qmail-1.03-r8 on a Gentoo system.

To test and make sure SMTP AUTH/STARTTLS is working, do the following (I've put the typed in prompts in red, and the expected responses in green):

[praxxus@salem opt]$telnet mail.praxxus.com 25
Trying 192.168.21.11...
Connected to mail.praxxus.com (192.168.21.11).
Escape character is '^]'.
220 mail.praxxus.com ESMTP

ehlo
250-mail.cplane.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250 8BITMIME


Note that you might get a different "AUTH" line than me. I specifically disabled CRAM-MD5 logins.

Given that Qmail built from source wants to install itself to the same directory structure as the qmail.ebuild does, it would be pretty easy to just upgrade the installation that way.

I'll poke around at the ebuild and see what I can find out.
_________________
My glaucoma just got worse!


Last edited by Praxxus on Wed Jan 15, 2003 3:20 pm; edited 1 time in total

vert
Apprentice

Joined: 07 May 2002
Posts: 214
Location: Delft, The Netherlands

Posted: Wed Jan 15, 2003 7:47 am

Alright! thnx, this is what I got:
Code:

wolf@Einstein wolf $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hk42.dyndns.org ESMTP
ehlo
250-hk42.dyndns.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME

It looks like it's working! :D
I'm currently at work, so I can't play around with it at the moment. But could you perhaps give a hint on where and how qmail authorizes? Is there a user/pass file somewhere? Thnx!
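
The manual EHLO check from the two posts above can be scripted against a saved session. This is an added example, not code from any poster; the function names are made up here, the first two sample replies are the ones quoted in the thread, and the third (mail.example.com) is constructed.

```sh
#!/bin/sh
# Added example: summarise the EHLO reply in a saved SMTP session.

# Print the EHLO keyword lines: strip CRs and the "250-"/"250 " prefix,
# drop the first line (the server's own name), and upper-case the rest.
ehlo_keywords() {
    tr -d '\r' | sed -n 's/^250[- ]//p' | sed '1d' | tr 'a-z' 'A-Z'
}

# Print each advertised AUTH mechanism once, sorted, one per line.
# Handles both "AUTH LOGIN PLAIN" and the older "AUTH=LOGIN PLAIN" spelling.
ehlo_auth_mechs() {
    ehlo_keywords | sed -n 's/^AUTH[ =]//p' | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Succeed if STARTTLS is advertised.
ehlo_has_starttls() {
    ehlo_keywords | grep -qx 'STARTTLS'
}

# One-line summary for a session ($1) captured before any STARTTLS command.
ehlo_report() {
    mechs=$(printf '%s\n' "$1" | ehlo_auth_mechs | tr '\n' ' ')
    mechs=${mechs% }
    if printf '%s\n' "$1" | ehlo_has_starttls; then tls=yes; else tls=no; fi
    if [ -z "$mechs" ]; then
        echo "auth=none starttls=$tls"
        return 0
    fi
    # LOGIN and PLAIN send the password base64-encoded, not encrypted, so on
    # a cleartext session it is readable unless the client does STARTTLS first.
    case " $mechs " in
        *" LOGIN "*|*" PLAIN "*) exposed=yes ;;
        *) exposed=no ;;
    esac
    echo "auth=$mechs starttls=$tls password_readable_without_tls=$exposed"
}

# EHLO replies as quoted in the two posts above.
PRAXXUS_EHLO='250-mail.cplane.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250 8BITMIME'
VERT_EHLO='250-hk42.dyndns.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME'
# Constructed reply from a server that advertises neither AUTH nor STARTTLS.
NOAUTH_EHLO='250-mail.example.com
250-PIPELINING
250 8BITMIME'

ehlo_report "$PRAXXUS_EHLO"
ehlo_report "$VERT_EHLO"
ehlo_report "$NOAUTH_EHLO"
```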

vert
Apprentice

Joined: 07 May 2002
Posts: 214
Location: Delft, The Netherlands

Posted: Wed Jan 15, 2003 10:23 am

It works! All I did was restart qmail :D
The last thing I need to know is how to make the authentication mandatory instead of optional. Which files should I edit for that ?

Praxxus
Apprentice

Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

Posted: Wed Jan 15, 2003 4:50 pm    Post subject: /etc/tcp.smtp

If you want EVERYONE to have to authenticate, make sure /etc/tcp.smtp has only the following line:
Code:
127.0.0.1:allow,RELAYCLIENT=""


Then get Qmail to re-read the new tcp rules:
Code:
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 0644 /etc/tcp.smtp.cdb


This tells Qmail that ONLY "localhost" can use it as an SMTP relay. With the SMTP AUTH patch, properly authenticated users (actually their IP addresses) can use the SMTP relaying abilities.

Lastly, to get Qmail to be able to authenticate, you need to make sure your /var/qmail/supervise/qmail-smtpd/run script calls the /bin/checkpassword program. Here's what mine looks like:

Code:
#!/bin/sh
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 8000000 \
    /usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcprules.d/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true 2>&1


Note the checkpassword reference on the last line. Also, make sure you HAVE a "concurrencyincoming" file in /var/qmail/control/.

Code:
echo 20 > /var/qmail/control/concurrencyincoming


Lastly, for any and all things Qmail, I highly recommend David Sill's "Life with Qmail" website:

vert
Apprentice

Joined: 07 May 2002
Posts: 214
Location: Delft, The Netherlands

Posted: Wed Jan 15, 2003 8:55 pm

Thanx for all the input! :D :D but ...
Well, it seems to work partially. Outlook express clients are still able to send mail without supplying a password. So I'm not done yet. However, qmail does seem to respond to auth requests, only all combinations of user/pass are accepted. See the code. What am I missing here? :roll: Thnx again !
Code:

root@Einstein qmail-smtpd # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hk42.dyndns.org ESMTP
ehlo
250-hk42.dyndns.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
user
334 UGFzc3dvcmQ6
pass
235 ok, go ahead (#2.0.0)
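
A run-script audit for the symptom above (every user/pass answered with 235), as an added example that is not from any poster or from the qmail patch. It assumes the patched qmail-smtpd reads its arguments as hostname, checkpassword program, subprogram (the three-argument form mentioned earlier in the thread); under that assumption a run line with only two arguments puts /bin/true in the checkpassword slot. The run lines are constructed samples and mail.example.com is a placeholder.

```sh
#!/bin/sh
# Added example: audit the arguments a supervise "run" script gives qmail-smtpd.
# ASSUMPTION: qmail-smtpd is patched to read its arguments as
#   <hostname> <checkpassword program> <subprogram>
# Usage on a real system: auth_args_verdict < /var/qmail/supervise/qmail-smtpd/run

# Print the words after qmail-smtpd, one per line. Backslash-newline
# continuations are joined; redirections such as 2>&1 are skipped.
# Quoted arguments containing spaces are not handled.
smtpd_args() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = buf $0
            if (line ~ /\\$/) { buf = substr(line, 1, length(line) - 1) " "; next }
            buf = ""
            n = split(line, w, /[ \t]+/)
            seen = 0
            for (i = 1; i <= n; i++) {
                if (seen && w[i] != "" && w[i] !~ /^[0-9]*[<>]/) print w[i]
                if (w[i] ~ /(^|\/)qmail-smtpd$/) seen = 1
            }
        }'
}

# Read a run script on stdin and print a one-line verdict.
auth_args_verdict() {
    set -f                      # no globbing while splitting the word list
    set -- $(smtpd_args)
    set +f
    case $# in
        0) echo "NO-AUTH-ARGS: qmail-smtpd is started without arguments"; return 0 ;;
        1) echo "INCOMPLETE: only '$1' follows qmail-smtpd"; return 0 ;;
        2) where="2 arguments, so '$1' lands in the hostname slot" ;;
        *) where="hostname '$1'" ;;
    esac
    # $2 is what runs to check each password; /bin/true exits 0 for all of them.
    case ${2##*/} in
        true) echo "ACCEPT-ALL: '$2' is in the checkpassword slot ($where)" ;;
        *)    if [ $# -eq 2 ]; then
                  echo "SHIFTED: '$2' is in the checkpassword slot ($where)"
              else
                  echo "OK: '$2' is in the checkpassword slot ($where)"
              fi ;;
    esac
}

# Constructed run lines (mail.example.com is a placeholder).
GOOD_RUN='exec tcpserver -v -R 0 smtp /var/qmail/bin/qmail-smtpd \
    mail.example.com /bin/checkpassword /bin/true 2>&1'
SHIFTED_RUN='exec tcpserver -v -R 0 smtp /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true 2>&1'
BARE_RUN='exec tcpserver -v -R 0 smtp /var/qmail/bin/qmail-smtpd 2>&1'

for run in "$GOOD_RUN" "$SHIFTED_RUN" "$BARE_RUN"; do
    printf '%s\n' "$run" | auth_args_verdict
done
```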

Praxxus
Apprentice

Joined: 26 Nov 2002
Posts: 193
Location: Indiana, US

Posted: Fri Jan 17, 2003 5:55 am    Post subject: Ugh

Well, I can't find it in any docs anywhere, but all the versions of /bin/checkpassword that I have installed are set to run set-uid root. That is a bit of a security concern, so I've done the following:
Code:
chown root:nofiles /bin/checkpassword
chmod 4750 /bin/checkpassword

That will let qmail-smtpd (belongs to the "nofiles" group) run it, but you get the password-checking abilities of root.

This is necessary, if memory serves, to get at the juicy nuggets in /etc/shadow (mode 0400, root.root)

Hope this helps!

vert
Apprentice

Joined: 07 May 2002
Posts: 214
Location: Delft, The Netherlands

Posted: Sun Jan 26, 2003 6:39 pm

Ok, I went back to this problem, but after 2 hours it's still busting my balls. I simply can't get it to work :cry: Everybody can still send mail without authorization and if I do an "auth login" with telnet, all user/pass combinations are accepted. Is there anybody who has qmail working under gentoo with smtp-auth enabled? And if so.... how ?? Any help is very much appreciated ... How hard can this be :roll:

the_eye
n00b

Joined: 25 Sep 2003
Posts: 6

Posted: Thu Sep 25, 2003 10:11 pm    Post subject: authentication in other direction

The qmail and authentication problem bugs me too and has been for a while, only I wanna do it in the other direction, i.e. when qmail delivers outgoing mail via the smarthost specified in /var/qmail/control/smtproutes, it should do so using SSL and authentication, with a username and password specified somewhere.

Can qmail do that for me? Everything I find when googling around is about how to make clients use authentication when using qmail as a server ..

explanation: This is just my workstation, and the outgoing smtp server of my provider is shit, i.e. doesn't work half the time. I would be allowed to use my university's mail server, _if_ I use SSL and authenticate myself with username and password. The instructions they provide are for MS Outlook Express and Mozilla Messenger (IIRC) and just mention to enter username and password and click the "use SSL when available" checkbox ...

any help on achieving that with qmail would be greatly appreciated!

Accipiter
Tux's lil' helper

Joined: 24 Feb 2003
Posts: 82
Location: Buffalo, NY

Posted: Sat Oct 11, 2003 7:37 pm    Post subject: Bump

Hey. I'm bumping this. Same problem. All user/pass combinations are accepted. This is a Bad Thing (tm). Please help fix.
_________________
unzip ; strip ; touch ; finger ; mount ; fsck ; more ; yes ; umount ; sleep
Registered Linux user #307220, machine #192830

nianderson
Guru

Joined: 06 May 2003
Posts: 369
Location: Lawrence, KS

Posted: Sun Nov 16, 2003 4:59 am

so any updates? i'm wanting to add smtp-auth ... i currently have qmail up and running with vmailmgr. when i redo my server i'd like to switch to smtp-auth + vpopmail

so just wondering if anyone has gotten smtp-auth working yet without the accept all user/password combinations

All times are GMT
Page 1 of 2