Gentoo Forums
SMTP AUTH only
Gentoo Forums Forum Index > Networking & Security
d3m0
n00b

Joined: 17 Nov 2005
Posts: 5

PostPosted: Thu Nov 17, 2005 10:49 am    Post subject: SMTP AUTH only

I have followed the qmail install for Gentoo and I have everything working. My question is with SMTPAUTH. How do you configure qmail to only allow clients that have/are authenticated to relay? Right now my configuration seems to allow authenticated and non-authenticated clients the ability to relay. :-?

My config file for smtp is:
Code:

mail ~ # cat /var/qmail/control/conf-smtpd
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"

#QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
#QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"


QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"

And I've made vchkpw setuid like in the manual:

Code:

mail ~ # ll /var/vpopmail/bin/vchkpw
-rws--x--x  1 root root 74188 Nov 16 10:23 /var/vpopmail/bin/vchkpw

Any clue about this? I've seen a lot of posts in other forums than this but never seen a question for this answer.

Thanks all
_________________
Run? Nothing runs in Windows. Maybe a brisk walk, but never run.
geforce
l33t

Joined: 29 Dec 2003
Posts: 654
Location: Canada

PostPosted: Mon Nov 21, 2005 12:07 am

I also have problems with qmail-smtp...

But I think /etc/tcprules.d/tcp.qmail-smtp could be a part of the problem...

Here is my /etc/tcprules.d/tcp.qmail-smtp.cdb

Quote:

#------------------------------------------------------
# To update the database after changing this file, run:
# /var/qmail/bin/qmail-rulesupdate
#------------------------------------------------------
#
# If you set 'allow', this means that our mail server will allow
# the specified IP range to make a TCP connection to our server
#
# If you set 'deny', this means that our mail server will not allow
# the specified IP range to make a TCP connection to our server
#
# If you set RELAYCLIENT="", this means that the listed IP range is
# allowed to relay mail through our server
#
# If you don't set RELAYCLIENT="", this means that the listed IP range
# will not be able to relay mail through our server
#
# A complete list of environment variables you can set are:
# AUTHPREPEND RBL SSLCERT
# AUTHREQUIRED RBLONLYHEADER SMTPAUTH
# BLOCKRELAYPROBE RCPTCHECK SMTP550DISCONNECT
# LDAPSOFTOK REJECTEXEC TARPITCOUNT
# LOGLEVEL RELAYCLIENT TARPITDELAY
# MAXRCPTCOUNT RETURNMXCHECK 421GREETING
# NOBOUNCE SANITYCHECK 550GREETING
# QMAILQUEUE SENDERCHECK
#
# You should read the QLDAPINSTALL file (included in the docs) for a
# detailed explanation of what these settings do. However, a reasonable
# example would be:
#
##Allow localhost to relay mail:
# 127.0.0.1:allow,RELAYCLIENT=""
##Allow five hosts on the LAN to relay mail. RBL lookups are off, but we still
## scan for viruses, SPAM, and properly formatted sender information
# 1.2.3.1-5:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan",SANITYCHECK=""
##Allow a sixth host to relay mail with no checks:
# 1.2.3.6:allow,RELAYCLIENT=""
##Everyone else has to jump through hoops!
# :allow,SMTPAUTH="STARTTLS",RBL="",QMAILQUEUE="/var/qmail/bin/simscan",BLOCKRELAYPROBE="",RETURNMXCHECK="",SANITYCHECK="",REJECTEXEC=""

# Actual rules:
#:allow

127.0.0.1:allow,RELAYCLIENT=""
XXX.XXX.XXX.:allow,RELAYCLIENT=""

:allow

I'm still messing with this..

If you got it up and working, please tell me :wink:

GeForce
_________________
http://tilde.club/~geforce/
LinuxRocks
Guru

Joined: 27 Nov 2003
Posts: 397
Location: New Mexico

PostPosted: Mon Nov 21, 2005 6:16 am
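The rules file above is the text source that qmail-rulesupdate compiles into the .cdb, and the relay decision d3m0 is asking about is made by which rule sets RELAYCLIENT. The lint below is an added example, not code from either poster: it reads the tcprules syntax described in the file's own comments (address, action, optional VAR="value" settings; an empty address is the catch-all) and flags the patterns that relay more widely than intended. The sample rules and the 192.0.2. prefix are constructed.

```shell
#!/bin/sh
# Added example: lint a tcprules text file (the source compiled into
# tcp.qmail-smtp.cdb) for rules that hand out RELAYCLIENT too broadly.
# Rule syntax:  <address>:<allow|deny>[,VAR="value",...]
# <address> is an exact IP, a prefix ending in '.', a range like 1.2.3.1-5,
# or empty, which is the catch-all matched by every other client.

# Print one finding per risky rule; print nothing when no rule is flagged.
audit_relay_rules() {
    awk '
        /^[ \t]*#/ { next }          # comment
        /^[ \t]*$/ { next }          # blank line
        {
            line = $0
            addr = line;   sub(/:.*/, "", addr)        # text before the first colon
            rest = line;   sub(/^[^:]*:/, "", rest)    # action plus environment settings
            action = rest; sub(/,.*/, "", action)
            relay = (rest ~ /RELAYCLIENT=/)
            auth  = (rest ~ /SMTPAUTH=/)
            if (addr == "" && relay)
                print "CRITICAL catch-all grants RELAYCLIENT, i.e. an open relay: " line
            else if (addr ~ /\.$/ && relay)
                print "WARNING prefix rule relays for a whole address block: " line
            else if (addr == "" && action == "allow" && !auth)
                print "WARNING catch-all allows connections without SMTPAUTH: " line
        }
    ' "$1"
}

# Number of findings, for scripted checks.
count_relay_findings() {
    audit_relay_rules "$1" | wc -l | tr -d ' '
}

# Constructed samples (documentation addresses, not real hosts): the first
# mirrors the shape of the rules posted in this thread, the second tightens them.
LOOSE_RULES=$(mktemp); TIGHT_RULES=$(mktemp)
trap 'rm -f "$LOOSE_RULES" "$TIGHT_RULES"' EXIT
cat >"$LOOSE_RULES" <<'EOF'
# Actual rules:
127.0.0.1:allow,RELAYCLIENT=""
192.0.2.:allow,RELAYCLIENT=""
:allow
EOF
cat >"$TIGHT_RULES" <<'EOF'
127.0.0.1:allow,RELAYCLIENT=""
:allow,SMTPAUTH="STARTTLS"
EOF
audit_relay_rules "$LOOSE_RULES"
```

Run it against the real text file before qmail-rulesupdate; a clean run prints nothing, and the tightened sample shows the catch-all form the file's own example comments recommend.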

What you have to do is use the checkpassword utility so qmail will ask for a password when sending, and make the change in your /var/qmail/supervise/qmail-smtpd/run file as such:

Code:

exec /usr/local/bin/softlimit -m 4000000 \
    /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
     -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /usr/local/bin/rblsmtpd -r relays.ordb.org -r bl.spamcop.net \
     /var/qmail/bin/qmail-smtpd "$LOCAL" /bin/checkpassword /bin/true 2>&1

Of course, all you really need to add is the /bin/checkpassword /bin/true 2>&1 part...

I would read up on it also before making many changes... You have to also set the suid bit on the /bin/checkpassword file so anyone can execute the file, AND (as a security measure) use setfacl and add the qmaild user as an owner along with root and chmod 750 the file. That way, only the owners (root and qmaild) can execute the file and NO ONE ELSE... This, however, is optional, but you still have to suid the checkpassword file.

To use ACLs, you will have to add acl to the option line for the filesystem in fstab and mount -o remount the filesystem.

After all that, then you can limit the tcp.smtp file to only your local machine to relay ;)

Hope this helps!!!

Joe
geforce
l33t

Joined: 29 Dec 2003
Posts: 654
Location: Canada

PostPosted: Mon Nov 21, 2005 10:47 pm
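Whether a setuid checkpassword helper is runnable by every local user (d3m0's vchkpw shows -rws--x--x) or only by root and the qmaild group (the chmod 750 suggested above) is visible in the ls -l mode string. This added check is not from the thread; it classifies that mode the way a defender would when auditing such a binary, and the helper names in its comments are only illustrative.

```shell
#!/bin/sh
# Added example: classify how widely a setuid checkpassword helper (vchkpw,
# /bin/checkpassword, ...) can be executed, from the ls -l mode string such as
# -rws--x--x, so it works without GNU stat. Helper names are hypothetical.

# Print exactly one of: not-setuid, setuid-world-exec, setuid-group-exec,
# setuid-owner-only.
classify_helper_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)           # e.g. -rws--x--x
    owner_x=$(printf '%s' "$mode" | cut -c4)    # s = setuid and exec, S = setuid only
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)
    case $owner_x in
        s|S) ;;
        *)   echo not-setuid; return ;;
    esac
    if   [ "$other_x" != "-" ]; then echo setuid-world-exec   # every local user can run it
    elif [ "$group_x" != "-" ]; then echo setuid-group-exec   # owner plus one group, as with 4750
    else                             echo setuid-owner-only
    fi
}

# Constructed sample: an empty temp file carrying the mode shown in the thread
# for vchkpw (-rws--x--x, i.e. 4711).
SAMPLE_HELPER=$(mktemp)
trap 'rm -f "$SAMPLE_HELPER"' EXIT
chmod 4711 "$SAMPLE_HELPER"
classify_helper_mode "$SAMPLE_HELPER"        # setuid-world-exec
```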

Well, I want to do a production server with domains and everything..

If you could post the config files you mentioned it would really be GREAT, FINALLY!!!!

Thanks,
Phil
_________________
http://tilde.club/~geforce/
LinuxRocks
Guru

Joined: 27 Nov 2003
Posts: 397
Location: New Mexico

PostPosted: Mon Nov 21, 2005 11:08 pm

geforce wrote:
Well, I want to do a production server with domains and everything..

If you could post the config files you mentioned it would really be GREAT, FINALLY!!!!

Thanks,
Phil


Well, there are really no config files to make changes to. You would modify your run file and install the checkpassword utility in portage. You can also tinker with checkpassword over SSL or even cmd5checkpw instead of checkpassword. That might require a bit of reading to set up, but would really be more secure...

There are tons of web sites dedicated to this topic. It's been a while since I did it last, so I would read up on it so you know exactly what to do...

Joe