Gentoo Forums
Upgrade of qmail broke smtp auth [SOLVED]
Forum: Networking & Security
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Sat May 21, 2005 8:58 am    Post subject: Upgrade of qmail broke smtp auth [SOLVED]

Hi all,

I am running several small mail servers around the place, and I have a small test server (actually my home server) running qmail with vpopmail and smtp auth through vpopmail. On a monthly basis I run an emerge -UvD on this box and test out all the new versions of the servers before implementing them on my clients' machines.

It seems that smtp-auth has been broken in qmail-1.03-r15 (from 1.03-r13). I am getting this error from Entourage:

Authentication failed because Entourage doesn't support any of the available authentication methods.

I have tested it with a few other clients like Mail; all seem to be having trouble authenticating.

Here is a copy of my control/conf-smtpd:

Code:
# Configuration file for qmail-smtpd
# $Header: /var/cvsroot/gentoo-x86/mail-mta/qmail/files/1.03-r13/conf-smtpd,v 1.2 2004/07/18 03:29:51 dragonheart Exp $

# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""
# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST="mail.reddrop.net /var/vpopmail/bin/vchkpw /bin/true"

# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"

# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"
# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"

# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads its data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"


Any help would be much appreciated.

Just to get things back up and running again as quickly as possible, how do I go back to 1.03-r13? Its ebuild is no longer in my portage tree.


Last edited by Red-Drop on Mon May 23, 2005 4:50 am; edited 2 times in total
SzczechoO (n00b; Joined: 28 Feb 2004; Posts: 37; Location: Poland/Opole)
PostPosted: Sat May 21, 2005 9:59 am

Hi!
I would check vchkpw permissions.
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Sat May 21, 2005 11:24 am

Yeah, even with 777 on vchkpw it still does not work. But I figured out what is going on: r15 supports TLS before authentication. Turning on SSL support in the client now allows me to send emails.

Here is a dump with qmail-1.03-r13:
Code:
Escape character is '^]'.
220 <DOMAIN GOES HERE> ESMTP
ehlo
250-<DOMAIN GOES HERE>
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME


and with qmail-1.03-r15:
Code:

power-mac-g5:~ reddrop$ telnet mail.reddrop.net 25
Trying 150.101.205.114...
Connected to mail.reddrop.net.
Escape character is '^]'.
220 <DOMAIN GOES HERE> ESMTP
ehlo
250-<DOMAIN GOES HERE>
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME


I am happy to do this; however, it complains about the root certificate not being installed. How can I install a root certificate from my self-signed certificate?

Also, it would be nice to know how to change it back to mimic the old style of authentication.


Last edited by Red-Drop on Sun May 22, 2005 8:26 am; edited 3 times in total
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Sat May 21, 2005 11:28 am

Also, logging in for smtp now takes over a minute.

Solved this with:
Code:
chmod u+s /var/vpopmail/bin/vchkpw
SzczechoO (n00b; Joined: 28 Feb 2004; Posts: 37; Location: Poland/Opole)
PostPosted: Sat May 21, 2005 1:47 pm

I'm happy to read that; now you can change the topic to [ SOLVED ].
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Sun May 22, 2005 6:33 am

Well, it's not really solved yet. Just worked around.
CrackFarmer (n00b; Joined: 22 May 2005; Posts: 4)
PostPosted: Sun May 22, 2005 4:21 pm

I am having this identical problem after upgrading qmail.

Code:
220 <domain> ESMTP
EHLO .....
250-<domain>
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME

and when I try to send AUTH LOGIN I get this:

Code:
AUTH LOGIN
530 Must issue a STARTTLS command first (#5.7.0)

However, turning on SSL in my mail client doesn't seem to be working.

And of course, if I send mail as is without AUTH, I get a relay error.
CrackFarmer (n00b; Joined: 22 May 2005; Posts: 4)
PostPosted: Sun May 22, 2005 7:41 pm

OK, found the solution.

I added 'notlsbeforeauth' to my USE flags in my make.conf,

re-emerged qmail, and now I get this:

Code:
220 <domain> ESMTP
EHLO
250-<domain>
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME

What a pain in the ass... I am just glad it is working now :) :)
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Mon May 23, 2005 4:49 am

Thanks, the update to make.conf worked perfectly. Just to help in my pursuit to further my Gentoo knowledge: how did you know about that USE flag? I can't seem to find it in /usr/portage/profiles/use.desc.
petterg (Guru; Joined: 25 Mar 2004; Posts: 500; Location: Oslo, Norway)
PostPosted: Tue May 24, 2005 8:53 am

Hey guys, have you thought about what the notlsbeforeauth flag does?
Unless you have a really good reason, you'll be better off enabling TLS for smtp-auth in your mail client.
With the notls... flag off, your mail server will require your mail client to encrypt smtp-auth passwords before sending. With the notls... flag on, your mail server will accept both encrypted and unencrypted passwords, which basically means that most clients will send cleartext passwords over an unencrypted channel unless the user is aware of the TLS settings.

Note: there is a bug in Outlook (and Express) 2002 (XP) that makes TLS fail. There is a bugfix in the Microsoft Knowledge Base, http://support.microsoft.com/?kbid=304008 . Outlook 2k works.
There is also a TLS bug in older Mozilla.
Red-Drop (n00b; Joined: 10 Mar 2005; Posts: 37)
PostPosted: Thu Jun 02, 2005 3:31 pm

Yes, but users like flexibility. You can't very well ring around half of your city telling people to reconfigure their mail clients. I think giving the users the choice is the best option.

Users should only be protected from hurting other users, the server and possibly the admin's feelings (that can have negative consequences also). Let them burn themselves if they want. And if someone does gain access to relay because they worked out a user's password, all the more reason to yell at the user :twisted:

That's what I do anyway. Feel free to disagree.
kalpol (n00b; Joined: 30 Mar 2004; Posts: 20; Location: Central Texas)
PostPosted: Tue Jun 07, 2005 3:28 am    Post subject: a little confused

Would someone explain the different types of authentication and what needs to be configured in the client to get them working? I have been through the whole qmail -r13 to -r15 upgrade hell, and everything seems to be working now except for the SMTP-AUTH. I am a little hampered here because I don't really understand what STARTTLS and all that means.

Here's the output from telnet localhost 25:
Quote:
220 kalpol.com ESMTP
EHLO
250-kalpol.com
250-STARTTLS
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-SIZE 0
250-PIPELINING
250 8BITMIME


So that looks OK, and SquirrelMail works all right running on localhost. But when I try to send email from Thunderbird on my laptop, it just asks for the password over and over.

Here's the lines from conf-smtpd:
Quote:
# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"
# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"

# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads its data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/bin/checkpassword"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"


which also seems OK. Thunderbird was configured for SMTP user/pass, TLS if available, and port 25.

So what is wrong here? What is TLS? What is STARTTLS? Should I use SSL now, and if so, does that mean I need to open port 465 on the router?

Yes... somewhat confused.

Thanks!
_________________
kalpol
------
12:50 - press return.
ttuttle (Tux's lil' helper; Joined: 03 Oct 2004; Posts: 131)
PostPosted: Tue Jun 07, 2005 11:38 am

kalpol:

I'm having the same problem as you. I'm trying to rebuild qmail with "notlsbeforeauth"; I'll report back when my 333 MHz Celeron finishes compiling it. ;-)

Quote:

12:50 - press return


I just saw that movie... it was *weird*!
ttuttle (Tux's lil' helper; Joined: 03 Oct 2004; Posts: 131)
PostPosted: Tue Jun 07, 2005 12:01 pm

OMGWTFBBQIHTFMTAIDGI

(oh my god what the f*** barbecue i hate this f***ing mail transfer agent i don't get it)

But it works!

I apparently hastily overwrote /var/qmail/control/conf-smtpd during an etc-update, and disabled smtp auth.

/me feels stupid.

Has anyone else noticed that everything except the qmail binaries (and maybe even them) is (or looks like) a shell script?
kalpol (n00b; Joined: 30 Mar 2004; Posts: 20; Location: Central Texas)
PostPosted: Tue Jun 07, 2005 1:01 pm

ThinkingInBinary wrote:


Has anyone else noticed that everything except the qmail binaries (and maybe even them) is (or looks like) a shell script?


Lots of add-ons have been made. You can find the original qmail package at http://cr.yp.to, which is where I had the software and instructions for the first few servers before I found Life with qmail and then Gentoo :) There were only a few scripts in that one. Now the software is so heavily patched it needs all kinds of stuff to keep it working, I guess.

Anyone up to explaining how the mail client should be configured for remote SMTP access?

Quote:
I just saw that movie... it was *weird*!

Yes it was, and you're the first person ever to figure out where the quote came from :) Another small connection: my nick is from a track on an Autechre album which (after I chose the nick and before I saw the movie) I discovered is on the soundtrack. Weird, huh? Like the man said, patterns are everywhere.
powderedtoastdude (n00b; Joined: 09 Jan 2005; Posts: 28)
PostPosted: Thu Jun 09, 2005 12:41 am

It would have been nice if an emerge message had notified us of the notlsbeforeauth flag and the change in behavior (and at a message level that would show up in portlog-info, since I use that religiously to review emerge results).

My MUA was set up for AUTH but not for TLS, and this change makes it look like AUTH was "broken" in the new ebuild (at least to those users in the AUTH-but-no-TLS case). I'm happy now that I've learned why, since enabling TLS in MUAs is usually no big deal. It just would have been nice to know at emerge time.

$0.02,
ptd
ca_grover (Apprentice; Joined: 08 Jun 2003; Posts: 150; Location: Canada, Eh?)
PostPosted: Thu Jun 09, 2005 7:44 am

AAARRRRGGGGGHHHHH!!!!!

I've been fighting this problem for the past week with no luck. The fix mentioned above (notlsbeforeauth) didn't do the trick for me.

I'm able to retrieve my mail over POP3 with KMail, but the moment I try to send I get an error:

Code:
Your SMTP server claims to support TLS, but negotiation was unsuccessful.
You can disable TLS in KDE using the crypto settings module.


This is a little misleading; it makes it tough to tell if it's a KMail or qmail issue. But I've dutifully looked into both with no luck, even going as far as to regenerate my certificates and verify EVERY step of the installation/configuration (following Gentoo's qmail/vpopmail guide, without Horde though). Everything seems fine, but it still fails.

I even turned on recordio in my tcpserver settings (thanks to The qmail Handbook) to dig deeper. Here's a sample output from my qmail-smtpd logs with recordio enabled:

Code:
@4000000042a7f1ed1041377c tcpserver: status: 1/20
@4000000042a7f1ed104a864c tcpserver: pid 6568 from 192.168.0.20
@4000000042a7f1ed106597fc tcpserver: ok 6568 :::ffff:192.168.0.5:25 :::ffff:192.168.0.20::33274
@4000000042a7f1ed10fab7c4 6568 > 220 srv.open2space.com ESMTP
@4000000042a7f1ed111a3a2c 6568 < EHLO [192.168.0.20]
@4000000042a7f1ed111d89d4 6568 > 250-srv.open2space.com
@4000000042a7f1ed111da144 6568 > 250-STARTTLS
@4000000042a7f1ed111e8ba4 6568 > 250-AUTH LOGIN CRAM-MD5 PLAIN
@4000000042a7f1ed111e9f2c 6568 > 250-AUTH=LOGIN CRAM-MD5 PLAIN
@4000000042a7f1ed111eaecc 6568 > 250-SIZE 0
@4000000042a7f1ed111eba84 6568 > 250-PIPELINING
@4000000042a7f1ed111ec63c 6568 > 250 8BITMIME
@4000000042a7f1ed11478fa4 6568 < STARTTLS
@4000000042a7f1ed11712814 6568 > 220 ready for tls
, 000000042a7f1ed12b85db4 6568 < WSB§ñãH-gÇòSQºXæµdW=äÙh7hTsãÃ/<
@4000000042a7f1ed12b87cf4 6568 < 98532/fedcba`  +
@4000000042a7f1ed12d4de94 6568 > [EOF]
@4000000042a7f1ed12d6bb24 tcpserver: end 6568 status 256
@4000000042a7f1ed12d6ceac tcpserver: status: 0/20


As you can see, it craps out right after the TLS stuff and doesn't continue... (This was a test message to myself.)

Any further tips? Any other config files I can post to help? Thanks bunches.
kalpol (n00b; Joined: 30 Mar 2004; Posts: 20; Location: Central Texas)
PostPosted: Thu Jun 09, 2005 12:52 pm    Post subject: may be not much help but
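The following is an added example, not code from this thread or from the qmail/Gentoo packaging. It turns the policy petterg describes (does the server accept AUTH on the cleartext channel, or only after STARTTLS?), kalpol's question about what STARTTLS means for the client, and the failed negotiation in ca_grover's recordio log into a check you can run yourself. Offline, it classifies EHLO transcripts like the ones pasted in this thread; live, probe() performs the same EHLO / STARTTLS / EHLO exchange against a server with Python's standard smtplib and ssl modules, reports the TLS error if the handshake fails, and exports the server's certificate so a self-signed one can be saved and imported into a mail client (Red-Drop's root-certificate question). The embedded transcripts are constructed from the thread's output with a placeholder hostname, and the policy labels are this example's own names, not qmail's.

```python
"""Check an SMTP server's AUTH-before-STARTTLS policy (added example, not from the thread)."""
import hashlib
import smtplib
import ssl

# Sample EHLO replies, constructed from the outputs pasted in this thread
# (the real hostnames are replaced with a placeholder).
EHLO_R13 = """250-mail.example.test
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME"""

EHLO_R15_DEFAULT = """250-mail.example.test
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME"""


def parse_ehlo(transcript):
    """Return the set of ESMTP keywords advertised in an EHLO reply.

    Lines not starting with 250 (the EHLO command echo, the 220 banner) are
    ignored, and the first 250 line is the server's hostname, not a keyword.
    """
    keywords = set()
    reply_lines = [ln.strip() for ln in transcript.splitlines()
                   if ln.strip().startswith("250")]
    for line in reply_lines[1:]:          # skip "250-hostname"
        body = line[4:].strip()           # drop "250-" or "250 "
        if body:
            # "AUTH=LOGIN ..." and "AUTH LOGIN ..." both announce the AUTH extension
            keywords.add(body.split()[0].split("=")[0].upper())
    return keywords


def classify(pre_tls, post_tls=None):
    """Name the policy from the keyword sets seen before and after STARTTLS."""
    if "AUTH" in pre_tls:
        # LOGIN/PLAIN credentials can be sent over the cleartext channel
        # (the r13 behaviour, or r15 built with the notlsbeforeauth USE flag).
        return "auth-before-tls-allowed"
    if "STARTTLS" not in pre_tls:
        return "no-auth-no-starttls"
    if post_tls is None:
        return "auth-hidden-until-starttls"   # run probe() to confirm it appears after TLS
    return "auth-only-after-tls" if "AUTH" in post_tls else "no-auth-after-tls"


def probe(host, port=25, cafile=None, timeout=10):
    """Live check. cafile: PEM file holding the server's own (self-signed) cert to trust.
    With cafile=None, verification is deliberately disabled so the certificate can be
    fetched and its fingerprint confirmed out of band before trusting it."""
    report = {"host": host, "port": port}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = {k.upper() for k in smtp.esmtp_features}
        report["pre_tls"] = sorted(pre)
        post = None
        if "STARTTLS" in pre:
            ctx = ssl.create_default_context(cafile=cafile)
            if cafile is None:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            try:
                smtp.starttls(context=ctx)
                smtp.ehlo()                          # the feature list may change after TLS
                post = {k.upper() for k in smtp.esmtp_features}
                report["post_tls"] = sorted(post)
                der = smtp.sock.getpeercert(binary_form=True)
                report["cert_sha256"] = hashlib.sha256(der).hexdigest()
                # Save this PEM to a file and import it in the mail client (or pass
                # it back as cafile=) to stop "root certificate not installed" errors.
                report["cert_pem"] = ssl.DER_cert_to_PEM_cert(der)
            except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
                # Mirrors the recordio trace where the session ends right after
                # "220 ready for tls": the handshake itself failed.
                report["tls_error"] = f"{type(exc).__name__}: {exc}"
        report["policy"] = classify(pre, post)
    return report


if __name__ == "__main__":
    import json
    import sys
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(json.dumps(probe(sys.argv[1], target_port), indent=2))
```

Run it as, for instance, `python3 smtp_auth_policy.py mail.example.test 25` (the file name and host are placeholders). A server that reports auth-before-tls-allowed will take a LOGIN or PLAIN password on port 25 in the clear from any client that has not been told to use TLS; auth-only-after-tls is the r15 default behaviour that the thread's clients tripped over. A tls_error entry with an empty post_tls is the situation in ca_grover's log, and the cert_pem is what to hand to a client that complains about an unknown root certificate.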

Try

Code:
chmod u+s /bin/checkpassword

(or whatever your password program is in conf-smtpd)

That's what I did to get mine working. qmail reported just as yours does, so hopefully that's it.

I think tcpserver's exit status 256 means that an external program didn't do its job; I have seen that when ClamAV fails because the softlimit was too low.
ca_grover (Apprentice; Joined: 08 Jun 2003; Posts: 150; Location: Canada, Eh?)
PostPosted: Fri Jun 10, 2005 3:15 am

Thanks kalpol, but /var/vpopmail/bin/vchkpw was set that way already... I re-ran the command just in case; no joy.

I've been doing some digging, and it looks like qmail 1.03-r15 introduced this problem, but courier-imap 4.0.1 also introduced an authentication change. I *think* when I did my last emerge world I happened to get both of these... So I'm checking out the resolution to courier-imap as well.

If worst comes to worst, I'll just do an emerge -C of all the packages involved in this issue and start from a (relatively) clean slate. Luckily the server isn't TOOOO critical.
donjames (Apprentice; Joined: 19 Dec 2004; Posts: 188; Location: Henderson, Texas USA)
PostPosted: Sun Jun 12, 2005 5:46 am    Post subject: qmail broken

Hi,

I worked on qmail for over a year and never got it to work right.

I have been trying to get qmail set up on Gentoo for over six months and have yet to make it do SMTP AUTH.

qmail may be good software, but it is worthless with the current documentation. I bought David Sill's book, The qmail Handbook. It is worthless. I have found that the documentation on qmail is pretty much worthless because it is out of date.

I am trying to get an ISP up and running and qmail has been nothing but grief. I have deleted qmail from all of my email servers and installed a commercial product that is just great. It does everything that I want to do and doesn't cost a fortune.

If anyone would like to know what I am using, please email me.

I am through with qmail. I'll NEVER attempt to use qmail again.

Sincerely,

Don James
Henderson, Texas USA