
Bug 40010

Summary: #ifdef used instead of #if in qmail-smtpd
Product: Gentoo Linux
Reporter: Martin Diers <martin>
Component: [OLD] Server
Assignee: Net-Mail Packages <net-mail+disabled>
Status: VERIFIED TEST-REQUEST
Severity: normal
CC: andrei.ivanov, leonardop, vapier
Priority: High
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 29485

Description Martin Diers 2004-01-31 12:37:59 UTC
In qmail 1.03 r15, the smtp-auth-close3 patch interferes with authentication, when attempting to use the vpopmail vchkpw utility. 

Reproducible: Always
Steps to Reproduce:
1. Install recent vpopmail (from source. The current vpopmail ebuild is way out of date).
2. Install qmail build r15.
3. Edit conf-smtpd to use /var/vpopmail/bin/vchkpw as the SMTP AUTH password utility.

Actual Results:  
qmail-smtpd never asks for a username and password. It is as if the SMTP-AUTH
patch is not installed at all.

Expected Results:  
qmail-smtpd should ask for username and password.

I use the vpopmail vchkpw utility as a password checker. The r12 qmail build
worked fine for me (on a separate server, with the same config, but different
domains). I noticed bug 23658 notes a similar problem that was (supposedly)
fixed. I commented out smtp-auth-close3.patch in the r15 ebuild, and rebuilt.
This solved the problem.

To get vchkpw to work, I had only to uncomment the SMTP_AUTH lines in
conf-smtpd, and change the path of the password checker from /bin/cmd5checkpw to
/var/vpopmail/bin/vchkpw.

Also, in my setup, qmail is running as the vpopmail user, for obvious reasons.

Comment 1 SpanKY gentoo-dev 2004-01-31 15:36:17 UTC
umm it works fine over here ... I'm using net-mail/qmail-1.03-r15 with net-mail/vpopmail-5.4.0_rc1 and the only people who can send relay mail through my server are ones who auth with ssl

and the vpopmail ebuild is not way out of date, the latest is 5.4.0_rc2, and 5.4.0_rc1 is in portage

perhaps your custom installation is messed up?

Comment 2 Martin Diers 2004-02-03 14:47:40 UTC
OK. I finally figured this out.

The original Brisby SMTP_AUTH patch was simply that, an auth login patch. No TLS.

The patch which is currently implemented in qmail-1.03-r15 is a TLS before AUTH LOGIN patch. That means, unless you have a valid SSL certificate all set up on the server, you cannot use AUTH. This, of course, is a very reasonable and secure way of doing things. However, it is not well documented that without TLS support, AUTH does not work at all.

All that being said, it seems that the smtp-auth-close3.patch has the effect of forcing the use of TLS before AUTH, whereas without the patch, it is possible to Authenticate without issuing a STARTTLS command.

Is this the intended effect of these patches combined, or is this an unfortunate side effect?

Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-02-03 20:15:26 UTC
smtp-auth-close3.patch fixes a problem with morercpthosts, and nothing else.

however I have found a logic error in qmail-smtpd.c, dealing with the conditions in which smtp_authout() is called.

#ifdef is used instead of #if for all lines containing TLS && TLS_BEFORE_AUTH

I'll fix it soon.
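
The preprocessor behaviour named in comment 3, as an added example that is not part of the bug report and is not qmail's source. The macro values and the function names `auth_offered_ifdef` and `auth_offered_if` are assumptions constructed for illustration: they model a build with TLS compiled in and TLS-before-AUTH switched off.

```c
#include <stdio.h>

/* Constructed build settings (assumption, not taken from the ebuild):
 * TLS support is compiled in, TLS-before-AUTH is explicitly off.
 * Leaving TLS_BEFORE_AUTH undefined gives the same results below. */
#define TLS 1
#define TLS_BEFORE_AUTH 0

/* Form reported in the bug: #ifdef accepts a single identifier, so only
 * TLS is tested and the trailing "&& TLS_BEFORE_AUTH" is ignored. */
int auth_offered_ifdef(int tls_active)
{
#ifdef TLS && TLS_BEFORE_AUTH
    return tls_active;   /* AUTH hidden until the session is encrypted */
#else
    (void)tls_active;
    return 1;            /* AUTH offered on any session */
#endif
}

/* Corrected form: #if evaluates the whole expression, so the branch is
 * taken only when both macros are non-zero. */
int auth_offered_if(int tls_active)
{
#if TLS && TLS_BEFORE_AUTH
    return tls_active;
#else
    (void)tls_active;
    return 1;
#endif
}

int main(void)
{
    printf("plaintext session, #ifdef build: AUTH offered = %d\n",
           auth_offered_ifdef(0));
    printf("plaintext session, #if build:    AUTH offered = %d\n",
           auth_offered_if(0));
    return 0;
}
```

GCC and Clang report "extra tokens at end of #ifdef directive" for the first function but still compile it, so the mistake only stops a build when warnings are promoted to errors.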

Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-02-04 03:10:57 UTC
note to self
patch to fix this well is at http://forums.gentoo.org/viewtopic.php?t=131572

Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-05-13 20:20:53 UTC
*** Bug 39018 has been marked as a duplicate of this bug. ***

Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-01-04 14:18:46 UTC
Fixed in r15 and r16, could you test it, please?

Comment 7 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-06-08 11:11:31 UTC
No response for five months. Closing.