Bug 38452 - mismatch of permissions with vpopmail
Summary: mismatch of permissions with vpopmail
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All All
Importance: High normal
Assignee: Qmail Team (OBSOLETE)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-16 14:33 UTC by SpanKY
Modified: 2007-07-12 17:44 UTC

See Also:
Package list:
Runtime testing required: ---


Description SpanKY gentoo-dev 2004-01-16 14:33:21 UTC
vpopmail-5.2.2-r1:
0600 vpopmail:vpopmail /etc/vpopmail.conf
0711 root:root /var/vpopmail/bin/vchkpw

vpopmail-5.4.0_rc1:
0640 root:vpopmail /etc/vpopmail.conf
0711 root:root /var/vpopmail/bin/vchkpw

the problem here is that when using qmail + vpopmail to auth over smtp, vchkpw isn't given permissions to read /etc/vpopmail.conf, thus it'll always fail.  you don't exactly notice this when using courier-imap-ssl because courier runs as root so it has access to the vpopmail.conf file

solution here i think is this:
5.2.2-r1: chown vpopmail:vpopmail /var/vpopmail/bin/vchkpw
5.4.0_rc1: chown root:vpopmail /var/vpopmail/bin/vchkpw
and then set the binary +s right after chown -R root:root on the /var/vpopmail dirs

another note, in the ebuild, a call is made to 'fowner' ... it should actually be 'fowners'

here is the debugging i used:
nano /etc/passwd
<give qmaild a valid shell like /bin/bash>
su qmaild -
printf "user\0pass\0blah\0" | /var/vpopmail/bin/vchkpw `which id` 3<&0

if the permissions are wrong, you'll either get no output or you'll get:
vmysql: can't read settings from /var/vpopmail/etc/vpopmail.mysql

if the permissions are right, you'll get:
uid=89(vpopmail) gid=89(vpopmail) groups=200(nofiles)
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-16 17:28:21 UTC
better solution, as i'd strongly like to avoid setuid root.

chmod -R root:root /var/vpopmail/{etc,bin,lib,include}
chmod root:vpopmail /var/vpopmail/vchkpw /etc/vpopmail.conf
chmod g+s /var/vpopmail/vchkpw
chmod 0640 /etc/vpopmail.conf

however vchkpw should undergo some code review before this...
Comment 2 SpanKY gentoo-dev 2004-01-16 18:09:13 UTC
right, i tried the same thing (root:vpopmail 0640 on the .conf file and g+s on the binary) but couldnt get it to work for the life of me ... perhaps i was just doing something stupid heh
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-16 18:52:31 UTC
hmm, you're right. it doesn't seem to work.
i'm even more reluctant to make vchkpw setuid or setgid root after looking at the code.
i'm wondering if the best route is a known secure wrapper instead, or if there are any other possibilities.
Comment 4 SpanKY gentoo-dev 2004-01-16 19:13:04 UTC
well what about looking into modifying the code in vchkpw to run setuid as root buuuuuuuut drop root as soon as it's read the mysql conf file ?

perhaps as a hack, make a global file descriptor and in the very beginning of main, run open() on the conf file, drop uid to vpopmail, and then let the rest of the code run as vpopmail
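The sequence proposed in this comment (open the config while still privileged, then drop to the vpopmail uid/gid before anything else runs) is shown below as an added example. It is not vpopmail's code or any Gentoo patch; the only value taken from the bug is uid/gid 89 for vpopmail. The config file and its contents are constructed for the demo, the `MYSQL_HOST` line is a made-up value, and the function names are the example's own. The drop uses `setuid()` rather than `seteuid()` so it cannot be reverted, and it verifies that before handing the descriptor back; when run without root it applies the same sequence to the caller's own ids so the ordering can still be exercised.

```c
/* Added example: open the config while privileged, then drop to the
 * vpopmail uid/gid permanently. Not vpopmail's own code. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define VPOPMAIL_UID 89   /* uid/gid 89 = vpopmail, as in the bug report */
#define VPOPMAIL_GID 89
#define SAMPLE_LINE "MYSQL_HOST=db.example.invalid"   /* constructed value */

/* Open `path` with the privileges we currently hold, then switch to
 * uid/gid for good. Returns the open fd, or -1 with errno set. On any
 * failure after open() the fd is closed: the caller never receives a
 * file handle together with privileges it did not ask to keep. */
int open_config_then_drop(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* Order matters: supplementary groups and gid first, uid last.
     * Once the uid is unprivileged, setgroups()/setgid() would fail. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        goto fail;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        goto fail;

    /* Verify: real and effective ids are the target ids ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        goto fail;
    }
    /* ... and root cannot be regained (setuid, not seteuid, was used). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        goto fail;
    }
    return fd;

fail:
    {
        int saved = errno;
        close(fd);
        errno = saved;
    }
    return -1;
}

/* Read the first line of an already-open config descriptor into buf. */
int read_first_line(int fd, char *buf, size_t len)
{
    ssize_t n = read(fd, buf, len - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    char *nl = strchr(buf, '\n');
    if (nl)
        *nl = '\0';
    return 0;
}

/* Constructed sample config (mode 0640, like the real file); returns its path. */
int write_sample_config(char *path, size_t len)
{
    const char *content = SAMPLE_LINE "\n";
    char tmpl[] = "/tmp/vpopmail-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content) ||
        fchmod(fd, 0640) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(path, len, "%s", tmpl);
    return 0;
}

/* Full round trip: create the sample, open-then-drop, read it back as the
 * unprivileged user. Returns 0 only if the line read matches SAMPLE_LINE. */
int demo_roundtrip(uid_t uid, gid_t gid)
{
    char path[64], line[128];
    if (write_sample_config(path, sizeof path) != 0)
        return -1;
    int fd = open_config_then_drop(path, uid, gid);
    if (fd < 0) {
        unlink(path);
        return -1;
    }
    int rc = read_first_line(fd, line, sizeof line);
    close(fd);
    unlink(path);   /* may fail after a real drop (sticky /tmp); harmless here */
    return (rc == 0 && strcmp(line, SAMPLE_LINE) == 0) ? 0 : -1;
}

int main(void)
{
    /* Root drops to 89/89; an unprivileged run reuses its own ids. */
    uid_t uid = geteuid() == 0 ? VPOPMAIL_UID : getuid();
    gid_t gid = geteuid() == 0 ? VPOPMAIL_GID : getgid();
    if (demo_roundtrip(uid, gid) != 0) {
        perror("demo_roundtrip");
        return 1;
    }
    printf("config read after dropping to uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

The point to check in a review of this pattern is what happens between `open()` and the last `setuid()`: every branch that fails closes the descriptor, so a program that cannot drop privileges does not continue as root with the config open.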
Comment 5 Davide Rebeccani 2004-07-19 11:02:34 UTC
If you want to fix this problem you have to make qmail-smtpd run as the vpopmail user. To do this you have to modify /var/qmail/supervise/qmail-smtpd/run and substitute the ${QMAILUID} with 89.
With this "fix" you will be able to authenticate your vpopmail users on smtp correctly.
Comment 6 Travis Morgan 2004-09-17 04:39:06 UTC
Ok, I ran into problems too, hopefully it's the same issue.

I installed sqwebmail as well and it requires vpopmail to read /etc/vpopmail.conf but no matter what I did I could not get it to read that file without it being world readable.

I created a test domain with a user and group that I had created. I then added that user to all of the groups for qmail and the vpopmail group in an attempt to give it access to that conf file. Nothing worked.

I ended up making some changes to the vpopmail package. I found the error where it says that permission was denied reading that file and added a bit of code that would write the uid and gid of the running vpopmail to a file in /tmp.

The result that I got was that it was running as the user and group that I created the domain under. While this does make sense, I did some more digging and found that vpopmail changes UID and GID _before_ reading the conf file. I would say this is a pretty big bug and maybe the vpopmail team needs to be notified about this oversight.

I was able to have everything run smoothly if I either

a) made /etc/vpopmail.conf world readable (which I'm not willing to do)
b) created the domains without their own UID and GID (leave them as vpopmail)
Comment 7 Jory A. Pratt 2005-01-21 18:40:06 UTC
Travis, what you didn't do was run your webserver as user/group vpopmail, which is where your problem lies. I know for a fact that you don't have to have nothing but 0640 on /etc/vpopmail.conf. As for the rest of you, I would suggest you use everything like Johnson said
chmod -R root:root /var/vpopmail/{etc,bin,lib,include}
chmod root:vpopmail /var/vpopmail/vchkpw /etc/vpopmail.conf
chmod 0411 /var/vpopmail/vchkpw
chmod 0640 /etc/vpopmail.conf

instead of the chmod g+s as stated before. This is basic info that is in the gentoo qmail/vpopmail docs on site just so you all know. I will try to get some new info submitted to DOCS team on using relay-ctrl with qmail for those that are needing it.
Comment 8 Jory A. Pratt 2005-01-21 20:09:44 UTC
chown -R root:root /var/vpopmail/{etc,bin,lib,include}
chown root:vpopmail /var/vpopmail/vchkpw /etc/vpopmail.conf
chmod 0411 /var/vpopmail/vchkpw
chmod 0640 /etc/vpopmail.conf

might help if we all use the right command here LOL, chmod isn't gonna get it for our user/group ownership.
Comment 9 Jory A. Pratt 2005-01-21 20:22:41 UTC
grrrrrr, I just realized when putting up the ebuild for vpopmail 5.4.9 that the permissions I said to use were incorrect LOL. the correct permissions for vchkpw should be 4711, sorry folks, I am tired
Comment 10 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-11-14 03:41:07 UTC
is this still a problem for anybody, or can the bug be closed?
Comment 11 Benedikt Böhm (RETIRED) gentoo-dev 2007-07-12 17:44:40 UTC
fixed for a long time ...