BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 15, 2004 9:23 pm Post subject: *RESOLVED* Qmail + VPOPMAIL + courierimap + NOT WORKING
This CANNOT be that damn difficult!
All I want is a server that allows people external to my network to connect to my server and send mail when authenticated.
What I have got thus far has been 553 rcpthosts errors, relay-ctrl headaches, massive multiple conflicting "fixes", horribly written instructions that are so bad they are useless, and still not a damn thing working.
I have managed to get everything MOSTLY back to working. I still cannot send mail from an external site (one that's not listed as a relay)
error of:
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was XXXXXXXXXXXXX. Subject 'Test', Account: 'mail.boboki.com', Server: 'mail.boboki.com', Protocol: SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error Number: 0x800CCC79
My settings are:
Code: | # Configuration file for qmail-smtpd
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-smtpd,v 1.2 2003/11/30 03:00:20 robbat2 Exp $
# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""
# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
QMAIL_SMTP_POST="localhost /var/vpopmail/bin/vchkpw /bin/true"
# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"
# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl
relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"
# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"
# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads it's data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}" |
Code: | # Configuration file for qmail-pop3d
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-pop3d,v 1.1 2003/10/27 09:42:54 robbat2 Exp $
# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
# Stuff to run before the authenticator
#QMAIL_POP3_PREAUTH=""
# Stuff to run after the user has authenticated successfully
QMAIL_POP3_POSTAUTH="localhost /var/vpopmail/bin/vchkpw /bin/true"
# this should contain the FQDN of your server
# by default it pulls the value from qmail
# which should be correct
QMAIL_POP3_POP3HOST="$(<${QMAIL_CONTROLDIR}/me)"
# If you want POP3 before SMTP, and you are using this POP3 daemon
# uncomment the next two lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl
relay-ctrl-chdir"
#QMAIL_POP3_POSTAUTH="${QMAIL_POP3_POSTAUTH} /usr/bin/relay-ctrl-allow"
# This controls what password authentication tool POP3 uses
# It must support DJB's checkpassword interface (http://cr.yp.to/checkpwd.html)
#QMAIL_POP3_CHECKPASSWORD="/bin/checkpassword"
QMAIL_POP3_CHECKPASSWPRD="/var/vpopmail/bin/vchkpw"
# cmd5checkpw only validates passwords from /etc/poppasswd
#QMAIL_POP3_CHECKPASSWORD="/bin/cmd5checkpw" |
Code: | IMAPDSTART=YES
#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir
#Put any program for ${PRERUN} here
PRERUN= |
Code: | POP3DSTART=YES
#Hardwire a value for ${MAILDIR}
MAILDIR=.maildir
#Put any program for ${PRERUN} here
PRERUN= |
Anything you need, just ask... I am about ready to pull my hair out... _________________ We the willing lead by the unknowing have done so much for so long with so little, we are now capable of doing everything with nothing.
Last edited by BobOki on Wed Mar 24, 2004 3:12 am; edited 2 times in total |

kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Wed Mar 17, 2004 11:54 am Post subject:
Have you added the domains you receive mail for to the following files?
/var/qmail/control/rcpthosts
/var/qmail/control/locals
kashani _________________ Will personally fix your server in exchange for motorcycle related shop tools in good shape. |

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Thu Mar 18, 2004 1:44 pm Post subject:
Yes I have.
The only way I can get it to send is if I allow relaying to whatever EXTERNAL IP I am on. It makes me think there is something wrong with my courier-pop3d or imapd, yet if I telnet into 110 and go thru the motions it accepts the password.

kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Thu Mar 18, 2004 7:44 pm Post subject:
How are you trying to send the email, through imap or smtp? It's a bit unclear from the thread. If through imap, my understanding is that imap would authenticate you, accept the email, and then relay through qmail as localhost. If through smtp then qmail would need to authenticate you and then send the mail itself.
The error you mentioned is qmail so I'm thinking the problem is with qmail or you don't have 127.0.0.1:allow,RELAYCLIENT="" in your /etc/tcp.smtp.
kashani

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 22, 2004 1:04 pm Post subject:
I am sending via pop3.
I can send to anywhere from within an ip on my local network, simply because I allowed relaying from 192.168.0.
But anyone on any other ip anywhere else cannot send mail and gets the above error.
I have all my pertinent configs above as well. If anyone needs any other ones, I'll be happy to post them.
Besides that, I don't think SpamAssassin and clamav are doing ANYTHING AT ALL. I see no checks in host headers. I see q-mailscanner checking, but nothing else.

adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Mon Mar 22, 2004 3:42 pm Post subject:
BobOki wrote: | I am sending via pop3. |
Tell us - I'm curious how you do that !
Seriously - you're not.
POP3 cannot send anything.
You may mean you're using pop-before-smtp - in that case, pop3 is used to authenticate to qmail. _________________ >>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen |

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 22, 2004 3:49 pm Post subject:
Let me restate that.
I am TRYING to send via pop3.
I don't have pop3 before smtp set up, but if that would fix my problem, I suppose I can get relay-ctrl or whatever.
I just verified that I get the SAME error if I try to use IMAP on an external ip.
I don't want to set up my server as an open relay, there HAS to be a way to fix it!

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 22, 2004 6:10 pm Post subject:
Just found some more errors. This is from my qmail-send current log
Code: |
@40000000405dd8861eca0abc starting delivery 16: msg 288110 to local boboki@animeserver
@40000000405dd8861eca128c status: local 2/10 remote 0/20
@40000000405dd8861f0c3c0c delivery 15: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f0c5b4c status: local 1/10 remote 0/20
@40000000405dd8861f1a268c delivery 16: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f1a3244 status: local 0/10 remote 0/20
@40000000405dd8a01eeda01c starting delivery 17: msg 287872 to local boboki@animeserver
@40000000405dd8a01eedb78c status: local 1/10 remote 0/20
@40000000405dd8a01f28ebcc delivery 17: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8a01f29033c status: local 0/10 remote 0/20
|
My domain that I am using is boboki.com. animeserver is the pc hostname.. I don't see what it's trying to do.

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 22, 2004 7:17 pm Post subject:
More headaches.
I just did a telnet to port 25 and here is the NON-EDITED result:
220 *****************
ehlo
502 unimplemented (#5.5.1)
HELO
250 animeserver
AUTh
502 unimplemented (#5.5.1)
AUTH PLAIN
502 unimplemented (#5.5.1)
Something is seriously not right...
I copied the original conf-smtpd and conf-pop3d files back over the old ones. Then I modified QMAIL_SMTP_POST="boboki.com /var/vpopmail/bin/vchkpw /bin/true"
And uncommented the SMTP_AUTH.
Pop3 seems to check and authenticate just fine:
+OK Hello there.
USER *commented*
+OK Password required.
PASS *comented*
+OK logged in.
However I STILL get the SAME Protocol: SMTP, Server Response: '553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)', Port: 25, Secure(SSL): No, Server Error: 553, Error Number: 0x800CCC79 so it's like NOTHING has changed.
I am very curious about that smtp telnet session, as it looks NOTHING like anyone else's.

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Mon Mar 22, 2004 7:59 pm Post subject:
adaptr wrote: | BobOki wrote: | I am sending via pop3. |
Tell us - I'm curious how you do that !
Seriously - you're not.
POP3 cannot send anything.
You may mean you're using pop-before-smtp - in that case, pop3 is used to authenticate to qmail. |
BAH... now I see what you are saying.
I am trying to send via SMTP.. but I also tried to send IMAP.. neither seemed to work.

skunkworx Guru
Joined: 02 Feb 2003 Posts: 420 Location: Planet Houston
Posted: Mon Mar 22, 2004 11:44 pm Post subject:
Disclaimer: I don't use vpopmail, and am not familiar with how it integrates with qmail.
It looks like your original post boils down to this question: How come server mail.boboki.com is rejecting messages bound for "@boboki.com" addresses, saying, "sorry, that domain is not in my list of allowed rcpthosts"? If that is what you were asking, kashani gave you the answer: If you want your server to accept messages bound for "@boboki.com" addresses, "boboki.com" must appear in /var/qmail/control/rcpthosts. If, for example, you have "mail.boboki.com" listed, but not "boboki.com", addresses ending in "@mail.boboki.com" will work, but addresses ending in "@boboki.com" will not.
I imagine vpopmail has its own interface for editing /var/qmail/control/rcpthosts, so you may want to use that.
Depending on how vpopmail handles virtual users, "boboki.com" will also need to appear in either /var/qmail/control/locals or /var/qmail/control/virtualdomains. I suspect the latter file is used, and again, you may want to use vpopmail's interface for configuring these files.
Quote: | Just found some more errors. This is from my qmail-send current log
Code: |
@40000000405dd8861eca0abc starting delivery 16: msg 288110 to local boboki@animeserver
@40000000405dd8861eca128c status: local 2/10 remote 0/20
@40000000405dd8861f0c3c0c delivery 15: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f0c5b4c status: local 1/10 remote 0/20
@40000000405dd8861f1a268c delivery 16: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8861f1a3244 status: local 0/10 remote 0/20
@40000000405dd8a01eeda01c starting delivery 17: msg 287872 to local boboki@animeserver
@40000000405dd8a01eedb78c status: local 1/10 remote 0/20
@40000000405dd8a01f28ebcc delivery 17: deferral: Unable_to_chdir_to_maildir._(#4.2.1)/
@40000000405dd8a01f29033c status: local 0/10 remote 0/20 |
My domain that I am using is boboki.com. animeserver is the pc hostname.. I don't see what it's trying to do |
qmail has received a message for boboki@animeserver, and is trying to deliver it to local user "boboki". The maildir (mailbox directory) for boboki cannot be accessed (which can happen when the directory doesn't exist or has the wrong file permissions), and qmail has no other instructions on what to do with boboki's email. So, qmail is instead deferring the delivery of those messages, hoping to be told what to do with them before it has to give up and return those messages to their senders.
I suspect vpopmail is at work here, and that what it's trying to do is reroute any messages bound for "@boboki.com" addresses to the local address "boboki@animeserver" (an entry in /var/qmail/control/virtualdomains could be responsible for this rerouting). Local user "boboki" should have additional forwarding rules set up to deliver the message to the right virtual user's mailbox. Perhaps these forwarding rules are missing; that would explain why qmail is instead trying to deliver the message directly to boboki's maildir. See if vpopmail provides a tool for rebuilding the necessary configuration for each local user that is in charge of processing virtual users' email.
Quote: | More headaches.
I just did a telnet to port 25 and here is the NON-EDITED result:
220 *****************
ehlo
502 unimplemented (#5.5.1)
HELO
250 animeserver
AUTh
502 unimplemented (#5.5.1)
AUTH PLAIN
502 unimplemented (#5.5.1)
Something is seriously not right... |
That is not output from qmail. Either you have another SMTP program running, or perhaps you are hitting a router/firewall that is diverting SMTP traffic. Was this when you tried to connect to your server from outside of your network? Some ISPs do not allow people to set up their own mail servers, and either block or reroute port-25 traffic to enforce this ban. Hopefully that's not the case here; check your server and make sure there are no conflicting email server programs at work (postfix, sendmail, ssmtp, etc.), and also check your router/firewall (if you have one) and make sure it is forwarding SMTP traffic to the right server. _________________ Proud to be a... eh, forget it.
"Everyday is just one day." -- not the Traveling Wilburys |

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Tue Mar 23, 2004 1:26 pm Post subject:
Great post. Let me get to the answers.
I can receive mail to boboki.com just fine. All messages that are sent to say boboki@boboki.com (my address) have no problems getting there.
The virtualdomains file DOES have boboki.com. The problem comes in when I am trying to send an e-mail OUT to ANYWHERE in the world from an external ip via pop or imap. It seems that when I am sending from an IP that is NOT set in the tcp.smtp as an open relay, it will NOT send e-mail and get the standard 533 error. Also, I verified that there are no other smtp programs loaded.. emerge -C ssmtp exium postfix sendmail
Let me take a second to reiterate that I can receive ALL mail fine, be it from webfrontend, imap, or pop3. HOWEVER, I cannot send with pop3 or imap, I can ONLY send using the webfrontend, and the only reason I believe I can do that is because I have 127.0.0.1 and 192.168.0 as open relays.
The output I came to find out is what smtp looks like when it goes thru a PIX 501 firewall. I will look a tad bit more into that, make sure that's not conflicting with authentication. As far as I know it however, the pix is configured to allow smtp, and the ports are forwarded to that internal ip.
With the same configuration (I didn't change it when I switched to linux from windows 2003) it worked on my older setup, windows 2003 and mdaemon.

skunkworx Guru
Joined: 02 Feb 2003 Posts: 420 Location: Planet Houston
Posted: Tue Mar 23, 2004 4:56 pm Post subject:
Quote: | I can receive mail to boboki.com just fine. All messages that are sent to say boboki@boboki.com (my address) have no problems getting there. |
Okay, so everything for receiving email is set up correctly, or otherwise has been fixed. Those entries you posted from qmail's logs could still be cause for concern; however, if you're now satisfied with how your server is handling "@boboki.com" addressed email, then that's something you can investigate later, after the bigger problems have been solved.
Quote: | Let me take a second to reiterate that I can receive ALL mail fine, be it from webfrontend, imap, or pop3. HOWEVER, I cannot send with pop3 or imap, I can ONLY send using the webfrontend, and the only reason I believe I can do that is because I have 127.0.0.1 and 192.168.0 as open relays. |
I believe what you are trying to say is that you are unable to send email through your server using an external email client. POP3 cannot be used as a mail sending protocol. IMAP can be used as such, but that feature isn't widely supported. Most email clients (Outlook Express, Eudora, Thunderbird, etc.) use POP3 or IMAP for retrieval, and SMTP for sending.
Otherwise, you are correct in your conclusions: The web page can be used for sending email because it is local to the server, and qmail's configuration is allowing email to be sent from localhost without authentication.
Quote: | The output I came to find out is what smtp looks like when it goes thru a PIX 501 firewall. I will look a tad bit more into that, make sure that's not conflicting with authentication. As far as I know it however, the pix is configured to allow smtp, and the ports are forwarded to that internal ip. |
I strongly suspect this is the culprit. Some firewalls are able to filter traffic that they otherwise allow, giving the administrator tighter control over what is passing through open ports. In fact, I ran into this same problem at a previous job; the firewall allowed SMTP traffic, but did not allow any SMTP commands that it did not know about, including AUTH. This killed authentication support and effectively barred everyone in the company from sending out email.
If your firewall supports it, I would suggest reconfiguring it to allow SMTP traffic to pass unfiltered. Then, try a telnet SMTP session again and make sure the output you see is similar to what you would see when connecting from behind the firewall. That may be enough to get authenticated relaying working again.
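Why clients on 127.0.0.1 and 192.168.0.x can relay while an external client gets the 553: a simplified model of the checks involved, added here as an example and not taken from qmail or from any post in this thread. The function names, the external address 203.0.113.7 and the recipient user@example.org are constructed, and treating a successful SMTP AUTH like RELAYCLIENT is an assumption about the SMTP-AUTH patch in use.

```python
REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def parse_tcprules(text):
    """Parse tcp.smtp-style lines into {address: (decision, env)}.

    Simplified: IP addresses and dotted prefixes only; no ranges, host names
    or commas inside values."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, instruction = line.partition(":")
        decision, *settings = instruction.split(",")
        env = {}
        for setting in settings:
            name, _, value = setting.partition("=")
            env[name] = value[1:-1] if len(value) >= 2 else ""  # drop the quote characters
        rules[address] = (decision, env)
    return rules


def lookup(rules, ip):
    """Most specific rule wins: the full IP, then shorter prefixes ending in a dot, then ''."""
    parts = ip.split(".")
    candidates = [ip] + [".".join(parts[:n]) + "." for n in (3, 2, 1)] + [""]
    for candidate in candidates:
        if candidate in rules:
            return rules[candidate]
    return ("allow", {})  # tcpserver accepts a connection that matches no rule


def rcpt_allowed(rcpt, rcpthosts):
    """rcpthosts check: the exact domain, or a '.suffix' entry covering hosts under it."""
    if "@" not in rcpt:
        return True
    domain = rcpt.rsplit("@", 1)[1].lower()
    entries = {e.strip().lower() for e in rcpthosts if e.strip()}
    if domain in entries:
        return True
    # for "mail.boboki.com" this tries ".boboki.com" and then ".com"
    return any(domain[i:] in entries for i, ch in enumerate(domain) if ch == ".")


def rcpt_reply(ip, rcpt, rules, rcpthosts, authenticated=False):
    """Reply to RCPT TO for a client at ip (authenticated: assumed effect of SMTP AUTH)."""
    decision, env = lookup(rules, ip)
    if decision != "allow":
        return "connection dropped by tcpserver"
    if "RELAYCLIENT" in env or authenticated or rcpt_allowed(rcpt, rcpthosts):
        return "250 ok"
    return REJECT


# Constructed inputs modelled on the setup described in the thread.
TCP_SMTP = '127.0.0.1:allow,RELAYCLIENT=""\n192.168.0.:allow,RELAYCLIENT=""\n:allow\n'
RCPTHOSTS = ["boboki.com"]
RULES = parse_tcprules(TCP_SMTP)

if __name__ == "__main__":
    for ip, rcpt, auth in [("192.168.0.5", "user@example.org", False),
                           ("203.0.113.7", "boboki@boboki.com", False),
                           ("203.0.113.7", "user@example.org", False),
                           ("203.0.113.7", "user@example.org", True)]:
        print(ip, rcpt, "auth" if auth else "no-auth", "->",
              rcpt_reply(ip, rcpt, RULES, RCPTHOSTS, auth))
```

The third case is the failure in this thread: an external client whose AUTH never reaches qmail-smtpd is treated as unauthenticated, so only rcpthosts domains are accepted.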

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Wed Mar 24, 2004 3:10 am Post subject:
Yeah, you hit that on the head.
The pix 501 uses stateful packet filtering... and it is supposed to block attacks to smtp when using fixup, HOWEVER, it does this by stripping the auth headers!
So yeah, no wonder things were not working.
I just did a no fixup protocol smtp 25 and things are running great now.
Here is my WORKING conf-smtpd
Code: | # Configuration file for qmail-smtpd
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/files/1.03-r13/conf-smtpd,v 1.2 2003/11/30 03:00:20 robbat2 Exp $
# Stuff to run before tcpserver
#QMAIL_TCPSERVER_PRE=""
# Stuff to run qmail-smtpd
#QMAIL_SMTP_PRE=""
# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
QMAIL_SMTP_POST="boboki.com /var/vpopmail/bin/vchkpw /bin/true"
# this turns off the IDENT grab attempt on connecting
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
# You might want to use rblsmtpd with this, but you need to fill in a RBL server here first
# see http://cr.yp.to/ucspi-tcp/rblsmtpd.html for more details
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} rblsmtpd -r RBL-SERVER"
# If you are interested in providing POP or IMAP before SMTP type relaying,
# emerge relay-ctrl, then uncomment the next 2 lines
#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl
#relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
# In /etc/courier-imap/authdaemonrc add the next line to the end:
#authmodulelist="${authmodulelist} relay-ctrl-allow"
# Then in /etc/courier-imap/{imapd,imapd-ssl,pop3d,pop3d-ssl}
# Add this at the end
#PRERUN="${PRERUN} envdir /etc/relay-ctrl relay-ctrl-chdir"
# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads it's data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}" |

skunkworx Guru
Joined: 02 Feb 2003 Posts: 420 Location: Planet Houston
Posted: Wed Mar 24, 2004 4:25 pm Post subject:
BobOki wrote: | Here is my WORKING conf-smtpd
Code: |
<snip>
# Stuff to after qmail-smtpd
#QMAIL_SMTP_POST=""
QMAIL_SMTP_POST="boboki.com /var/vpopmail/bin/vchkpw /bin/true"
<snip>
# This next block is for SMTP-AUTH
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads it's data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
|
|
You've got a bit of redundancy here, which I believe will result in qmail-smtp getting called with more arguments than necessary. That's not a problem if it works, but just to be clean, you may want to comment out one or the other definition of QMAIL_SMTP_POST.
Otherwise, looks good. I'm happy to hear it's working.

vcihon Tux's lil' helper
Joined: 19 Aug 2003 Posts: 107
Posted: Sat May 15, 2004 8:20 pm Post subject:
I'm having a similar problem. I've been reading till I can't see anymore and my conf-smtpd looks exactly like yours below.
So since I have the same prob as this:
Quote: | I can receive mail to boboki.com just fine. All messages that are sent to say boboki@boboki.com (my address) have no problems getting there.
The virtualdomains file DOES have boboki.com. The problem comes in when I am trying to send an e-mail OUT to ANYWHERE in the world from an external ip via pop or imap. It seems that when I am sending from an IP that is NOT set in the tcp.smtp as an open relay, it will NOT send e-mail and get the standard 533 error. Also, I verified that there are no other smtp programs loaded.. emerge -C ssmtp exium postfix sendmail |
and I've also checked everything ad nauseam - I wonder if my firewall is stripping auth headers. I am using Shorewall and have normal smtp (port 25) open. Is there any way to work on the fixup issue with Shorewall???
If it is shorewall, this would also explain why I couldn't get smtp-after-pop3 working either even though I troubleshooted that one for weeks.
Thanks for any help!!! |

skunkworx Guru
Joined: 02 Feb 2003 Posts: 420 Location: Planet Houston
Posted: Sat May 15, 2004 11:30 pm Post subject:
vcihon wrote: | and I've also checked everything ad nauseam - I wonder if my firewall is stripping auth headers. |
Only one way to find out.
Quote: | I am using Shorewall and have normal smtp (port 25) open. Is there any way to work on the fixup issue with Shorewall???
If it is shorewall, this would also explain why I couldn't get smtp-after-pop3 working either even though I troubleshooted that one for weeks.
Thanks for any help!!! |
Have a look at your firewall's documentation. Also, you can determine whether or not it's filtering traffic by comparing telnet sessions to your mail server behind and through the firewall. If you're not familiar with SMTP commands, here's something you can use. Commands you would type are in green, the rest is what you should see as output. Of course, replace "yourmailserver" with the hostname of your mail server.
Quote: |
# telnet yourmailserver 25
Trying xxx.yyy.zzz.www...
Connected to yourmailserver.
Escape character is '^]'.
220 yourmailserver ESMTP
ehlo clientservername
250-yourmailserver
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
|
That's what you should see if authorization is working. At this point, you can use control-] to safely break out of the telnet session if you don't know how to enter the encoded authentication data by hand.
If you see anything different, either authentication is not set up correctly, or your firewall is filtering SMTP traffic. It should be obvious which one is the problem, depending on whether you see different output behind the firewall than in front of it.
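The inside/outside comparison described in the post above can be run over saved telnet transcripts. This is an added example, not code from the thread; the function names and verdict labels are hypothetical, and the two sample sessions are the ones quoted in this thread (the expected output with its placeholder hostname, and the session BobOki captured through the PIX).

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "250-PIPELINING" or "250 8BITMIME"


def parse_session(transcript):
    """Split a pasted telnet transcript into (command, code, reply_lines) tuples.

    The first reply is the greeting banner and gets command None; any other
    non-reply line is taken to be what the client typed."""
    exchanges, command, lines = [], None, []
    for raw in transcript.splitlines():
        line = raw.strip()
        m = REPLY.match(line)
        if m is None:
            if line:
                command = line
            continue
        lines.append(m.group(3))
        if m.group(2) == " ":  # a space after the code ends a (multi-line) reply
            exchanges.append((command if exchanges else None, int(m.group(1)), lines))
            command, lines = None, []
    return exchanges


def classify(transcript):
    """Summarise what one side of the firewall sees in the banner and EHLO reply."""
    result = {"banner_masked": False, "keywords": set(), "auth_mechanisms": set()}
    exchanges = parse_session(transcript)
    if not exchanges:
        result["verdict"] = "no-smtp-replies"
        return result
    banner = exchanges[0][2][0]
    result["banner_masked"] = bool(banner) and set(banner) <= {"*"}
    ehlo = next((e for e in exchanges[1:] if e[0] and e[0].lower().startswith("ehlo")), None)
    if ehlo is None:
        result["verdict"] = "no-ehlo-in-transcript"
    elif ehlo[1] != 250:
        result["verdict"] = "esmtp-blocked"  # EHLO itself was refused
    else:
        for text in ehlo[2][1:]:  # the first line is the server name
            words = text.replace("=", " ").split()
            if not words:
                continue
            result["keywords"].add(words[0].upper())
            if words[0].upper() == "AUTH":
                result["auth_mechanisms"].update(w.upper() for w in words[1:])
        if "AUTH" in result["keywords"]:
            result["verdict"] = "auth-offered"
        elif "STARTTLS" in result["keywords"]:
            result["verdict"] = "starttls-without-auth"
        else:
            result["verdict"] = "auth-not-offered"
    return result


def compare(inside, outside):
    """Return (cause, inside_verdict, outside_verdict) for two transcripts."""
    a, b = classify(inside), classify(outside)
    if (a["verdict"], a["keywords"]) != (b["verdict"], b["keywords"]):
        cause = "path-filtering"  # something between the two vantage points rewrites SMTP
    elif a["verdict"] == "auth-offered":
        cause = "ok"
    else:
        cause = "server-config"  # same answer on both sides, so look at the server
    return cause, a["verdict"], b["verdict"]


# Transcripts as quoted in this thread.
INSIDE = """# telnet yourmailserver 25
Trying xxx.yyy.zzz.www...
Connected to yourmailserver.
Escape character is '^]'.
220 yourmailserver ESMTP
ehlo clientservername
250-yourmailserver
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
"""
OUTSIDE = """220 *****************
ehlo
502 unimplemented (#5.5.1)
HELO
250 animeserver
AUTh
502 unimplemented (#5.5.1)
AUTH PLAIN
502 unimplemented (#5.5.1)
"""

if __name__ == "__main__":
    print(compare(INSIDE, OUTSIDE))
```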

vcihon Tux's lil' helper
Joined: 19 Aug 2003 Posts: 107
Posted: Sun May 16, 2004 12:25 am Post subject:
Thanks for the reply skunkworx.
I am using vchkpw for my auth, not md5 (FYI).
Here is the output:
Code: | Trying 24.123.161.30...
Connected to alextechstudio.com.
Escape character is '^]'.
220 tolkien.alextechstudio.com ESMTP
ehlo alextechstudio.com
250-tolkien.alextechstudio.com
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
502 unimplemented (#5.5.1)
auth login
530 Must issue a STARTTLS command first (#5.7.0)
STARTTTLS
502 unimplemented (#5.5.1)
STARTTLS
454 TLS not available: missing RSA private key (#4.3.0)
^]
telnet> exit
|
Any troubleshooting ideas? |

BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Sun May 16, 2004 12:31 am Post subject:
Quote: | 454 TLS not available: missing RSA private key (#4.3.0)
|
That sounds to me like it's trying to enable SSL or some other form of encryption, but the RSA key is not entered.
Did you create your keys during install?

vcihon Tux's lil' helper
Joined: 19 Aug 2003 Posts: 107
Posted: Sun May 16, 2004 12:33 am Post subject:
No but right now, I'm not even trying to get SSL working. I am only trying to get auth working. The issue is that I am not clear, given skunkworx's test how to try it with the vchkpw instead of MD5. |

skunkworx Guru
Joined: 02 Feb 2003 Posts: 420 Location: Planet Houston
Posted: Mon May 17, 2004 5:07 pm Post subject:
vcihon: It looks like you're using a qmail ebuild newer than 1.03-r13. The newer ebuilds have an option, which is enabled by default, to force SMTP clients to request an encrypted session before the AUTH command is allowed. Trying to test AUTH without encryption will fail every time in this scenario.
If you want to allow authentication without encryption, you will need to either use ebuild 1.03-r13 instead, or re-emerge your ebuild with the "notlsbeforeauth" USE flag. (Note: I believe I remember reading that this USE flag doesn't actually work as designed in one of the qmail ebuilds, possibly 1.03-r14. A search through the forums and/or Gentoo's Bugzilla will confirm or deny that.)
The password checking program you use will not have an effect on the output you see when using the SMTP commands I suggested for testing. However, do keep in mind that the example output is based on the 1.03-r13 ebuild, and may be slightly different with the newer ebuilds (I haven't tried anything past 1.03-r13 yet). In any case, the response to the AUTH command should start with "334" in order for authentication to work.

vcihon Tux's lil' helper
Joined: 19 Aug 2003 Posts: 107
Posted: Tue May 18, 2004 2:42 am Post subject:
skunkworx - thanks for the response. I am using 1.03-r13.
One question, if I remerge qmail, will I lose any of my config settings or will it be smart enough to keep them. This is a quasi production server already (meaning for my own email ).
Also, can you give me the correct syntax of the emerge statement - is it:
USE="notslbeforeauth" emerge -U qmail
to go to r15?
Thanks. |

p4m n00b
Joined: 10 Feb 2004 Posts: 14
Posted: Fri Oct 07, 2005 11:12 am Post subject:
Quote: | USE="notslbeforeauth" emerge -U qmail |
Warning: emerge -U will break things
You better do:
Code: | emerge -C qmail
# check the USE flags first
USE="notlsbeforeauth" emerge -pv qmail
# then:
USE="notlsbeforeauth" emerge qmail |