Bug 76617 - I can't get qmail/vpopmail/courier to relay either with SMTP-AUTH or relay-ctrl (smtp after pop)
Status: RESOLVED LATER
Alias: None
Product: [OLD] Docs-user
Classification: Unclassified
Component: Other (show other bugs)
Hardware: x86 Linux
: High normal (vote)
Assignee: SpanKY
URL: http://www.gentoo.org/doc/en/qmail-ho...
Whiteboard:
Keywords:
: 250291 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-01-04 03:15 UTC by Jason
Modified: 2019-10-20 16:58 UTC (History)
Description Jason 2005-01-04 03:15:58 UTC
I tried this back in the summer and I just started from scratch on a different box, and still nothing... most of the versions have been bumped since the summer, but even with the ~x86 versions that were specified in the doc during the summer it didn't work...

I also emailed vapier@gentoo.org on September 28th but got no response...

Reproducible: Always
Steps to Reproduce:
1. I follow the guide step by step

Actual Results:  
can't relay

Expected Results:  
ability to relay

Here's the scoop on the package versions and USE info...

qmail-1.03-r13
[ebuild   R   ] mail-mta/qmail-1.03-r13  +ssl

relay-ctrl-3.1.1-r2
[ebuild   R   ] net-mail/relay-ctrl-3.1.1-r2

courier-imap-3.0.8
[ebuild   R   ] net-mail/courier-imap-3.0.8  +berkdb -debug +fam +gdbm +ipv6
-ldap +mysql +nls +pam -postgres (-selinux)

vpopmail-5.4.6-r1
[ebuild   R   ] net-mail/vpopmail-5.4.6-r1  -clearpasswd -ipalias +mysql

When I try the SMTP-AUTH, Evolution complains:
    Error while performing operation.
    DATA command failed: Requested action aborted: error in processing.

Thunderbird says:
    An error occurred while sending mail.  The mail server responded unable to
exec qq (#4.3.0).  Please check the message and try again.

When I try the pop before smtp:
  Thunderbird says:
    An error occurred while sending mail.  The mail server responded: sorry,
that domain isn't in my list of allowed rcpthosts (#5.7.1).  Please verify that
your email address is correct in your Mail preferences and try again.

  Evolution says:
    Error while performing operation.
    RCPT TO <jshupe@gmail.com> failed: Requested action not taken: mailbox name
not allowed.

In between the two (SMTP-AUTH and pop before smtp), I edit
/var/qmail/control/conf-smtpd, /etc/courier-imap/pop3d
and /etc/courier-imap/authdaemonrc, and restart qmail, pop3d and authdaemond
as described in the doc or in /var/qmail/control/conf-smtpd
Comment 1 Jory A. Pratt 2005-01-21 18:29:13 UTC
This is not a bug. You need to set up courier-imap to use the relay-ctrl plugin, which I will show you in just a second. vapier doesn't believe in relay-ctrl yet, as from the emails he has sent me. You just need to add, and I quote,
"/usr/bin/relay-ctrl-allow" to your /usr/lib/courier-imap/courier-imapd.rc, then all should be well. Please search the forums before filing a bug report that isn't there and has never been there.
Comment 2 SpanKY gentoo-dev 2005-01-21 19:39:28 UTC
it's not that i don't believe in it, it's just that i haven't had time to explore how it works ;)

when i wrote the HOWTO, relay-ctrl wasn't really in use
Comment 3 Jory A. Pratt 2005-01-21 23:38:54 UTC
Spanky, I'm sorry for the misinterpretation there. I have all the docs ready to go; I will be emailing them as soon as this DNS problem settles back down. My mailserver is up and down like a raccoon on crack right now. Best part is it isn't my DNS server, I know for a fact, seeing all the emails from the outside world are slowly coming in as DNS comes back online and sees my DNS server once again.
Comment 4 Jory A. Pratt 2005-04-01 17:42:49 UTC
Jason, has the problem been fixed so this can be closed, or are you still needing more help with this?
Comment 5 Jason 2005-04-01 18:10:34 UTC
I'm waiting for http://gentoo-wiki.com/HOWTO_Setup_QMAIL_VPOPMAIL_and_Other_Mail_Servers to get updated after the author goes to a workshop by the 12th of April...
to give it another go...
Comment 6 Jory A. Pratt 2005-04-02 00:18:59 UTC
Jason, I will be doing a lot of editing on that page; there is a lot of misleading info there ... As soon as I get back up to Tennessee on Monday night / early Tuesday I will get the webpage in the docs updated with vapier for relay-ctrl. I should have sent vapier the info a lot sooner; sorry for those that are in the dark on relay-ctrl and how to properly set it up with courier-imap support.
Comment 7 Jory A. Pratt 2005-04-17 17:41:49 UTC
Jason can this be closed or are you still having problems?
Comment 8 Jason 2005-04-17 18:17:51 UTC
still waiting for the spam info to be added to the wiki page, and then after I get it going I will close or post problems...
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2005-04-21 07:58:31 UTC
Note that you can wait indefinitely for the wiki page to be updated ;)
Comment 10 Jakub Moc (RETIRED) gentoo-dev 2007-01-10 09:22:43 UTC
(In reply to comment #5)
> I'm waiting for
> http://gentoo-wiki.com/HOWTO_Setup_QMAIL_VPOPMAIL_and_Other_Mail_Servers to get
> updated after the author goes to a workshop by the 12th of April...
> to give it another go...

(In reply to comment #8)
> still waiting for the spam info to be added to the wiki page, and then after I
> get it going I will close or post problems...

You can wait as long as you wish, we don't maintain nor endorse gentoo-wiki.com; removing docs team from this bug.

 
Comment 11 Karel Hala 2007-01-23 17:57:18 UTC
To get smtp-auth working on Qmail you need to use plain passwords. It is off security but should not mind without access third party people to your mysql.

In fact vpopmail uses Cram-MD5 and Qmail uses Cram-AES; checking works only when Courier is used to authorize by IMAP/POP (it translates hashes in between - that is not used in the Qmail-Vpopmail relation directly).

set your /etc/portage/package.use like this

mail-mta/qmail gencertdaily noauthcram notlsbeforeauth
net-mail/vpopmail clearpasswd

and rebuild those packages...

However, roaming users can strike from an IP which is on SORBS lists, and smtp-auth is unavailing because you get a reply that you are banned. It is definitely good to implement relay-ctrl within the smtp-auth method to have a modern and spam-proof MTA.

S.




Comment 12 Conrad Kostecki gentoo-dev 2007-07-01 22:49:54 UTC
Portage 2.1.2.9 (default-linux/x86/2007.0/server, gcc-4.1.2, glibc-2.5-r3, 2.6.21-gentoo-r3 i586)
=================================================================
System uname: 2.6.21-gentoo-r3 i586 Geode(TM) Integrated Processor by AMD PCS
Gentoo Base System release 1.12.10
Timestamp of tree: Sun, 01 Jul 2007 21:30:01 +0000
ccache version 2.4 [enabled]
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.61
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i586-pc-linux-gnu"
CFLAGS="-march=k6-3 -O3 -mmmx -m3dnow -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -mfpmath=387"
CHOST="i586-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=k6-3 -O3 -mmmx -m3dnow -fno-align-jumps -fno-align-functions -fno-align-labels -fno-align-loops -pipe -fomit-frame-pointer -mfpmath=387 -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=""
FEATURES="ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.gentoo.mesh-solutions.com/gentoo/"
LANG="de_DE.utf8"
LC_ALL="de_DE.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -s -Wl,-z,now"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="gzip"
PORTAGE_COMPRESS_FLAGS="-f9"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 berkdb bzip2 cgi clamav cli crypt ftp gd iconv javascript jpeg jpeg2k mailwrapper mbox memlimit mysql mysqli ncurses nls nptl pam pcre png readline samba sasl session sharedmem simplexml slang snmp sockets spell ssl symlink tcpd threads tiff tokenizer truetype unicode usb vhosts vim-syntax x86 xinetd xml zlib" ALSA_CARDS="none" ELIBC="glibc" INPUT_DEVICES="none" KERNEL="linux" LCD_DEVICES="none" LINGUAS="de" USERLAND="GNU" VIDEO_CARDS="none"
Unset:  CTARGET, INSTALL_MASK, PORTAGE_RSYNC_EXTRA_OPTS
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2008-02-19 19:07:58 UTC
Closing, nothing useful going on here.
Comment 14 SpanKY gentoo-dev 2008-02-19 19:51:30 UTC
closing bugs doesnt magically make them fixed
Comment 15 Tres 'RiverRat' Melton 2008-04-14 15:12:34 UTC
I can't either (w/ SMTP-AUTH, not really interested in relay-ctrl)

When I try to connect remotely I get the following (w/ CRAM-MD5 or plain auth)
pam_unix(system-auth:auth): authentication failure; logname= uid=201 euid=201 tty= ruser= rhost=71.34.146.34  user=tres

When I test it with the example in the manual page for checkpassword-pam I get the following in the system log:
echo -e "username\0password\0timestamp\0" | checkpassword-pam -s SERVICE \
  --debug --stdout -- /usr/bin/id 3<&0

system-auth[17437]: pam_unix(system-auth:session): session opened for user tres by (uid=0)
system-auth[17437]: pam_unix(system-auth:session): session closed for user tres

When I try to connect with 'login' authentication it simply hangs.  It won't cancel nor exit.  I have to kill it from a terminal.  I'm using mail-client/evolution-2.12.3-r1 and haven't tried with anything else except a manual kinda way following these instructions: http://qmail.jms1.net/test-auth.shtml  I tried with 'uname' and 'uname@domain' and neither worked.  The magical line in my /var/qmail/control/conf-smtpd is:

QMAIL_SMTP_CHECKPASSWORD="/usr/bin/checkpassword-pam -s system-auth --debug"

(with and without the --debug option) and the -s (SERVICE) I used in the test above was system-auth as well.  

I'm not too interested in cmd5checkpw as it uses a different file, /etc/poppasswd, that seems to be plain text but is another maintenance headache.

I'm using:  mail-mta/netqmail-1.05-r8 with the following
USE="gencertdaily qmail-spp ssl -highvolume -mailwrapper -noauthcram -vanilla"

The program is collecting the correct user name for me so it is obviously reading file 3 but it seems to miss on the password.  I have tried in vain to become uid #201 (qmaild) but that seems to be not allowed with su and sudo so I went into extreme commando mode and changed the shell for it to allow me in.  Interesting results there, as qmaild:

Reading username and password
Username 'tres'
Password read successfully
Initializing PAM library using service name 'system-auth'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication failed: Authentication failure
Exiting with status 1

But as tres I got:
Reading username and password
Username 'tres'
Password read successfully
Initializing PAM library using service name 'system-auth'
PAM library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
PAM account management failed: Authentication service cannot retrieve authentication info
Exiting with status 1

Both failures exited with status of 1 but while doing it as me (tres) I got an "Authentication passed" message but as qmaild I got an "Authentication failed: Authentication failure" message.  Something is fux0red in PAM and I don't know that stuff that well.

I am out of ideas.  :-/
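
The manual-page test quoted in this comment pipes a `username\0password\0timestamp\0` record to the checker on descriptor 3. As an added example (not part of the original comment and not code from checkpassword-pam), this Python helper builds that record, runs any checkpassword-style program with it on fd 3, and maps the exit status; `build_payload`, `run_checkpassword` and the `STAND_IN` checker with its credentials are constructed for illustration.

```python
import subprocess
import sys

# Exit statuses defined by the checkpassword interface; 0 is the status of the
# follow-on program, which checkpassword only runs after a successful login.
EXIT_MEANING = {0: "accepted", 1: "rejected", 2: "misused", 111: "temporary failure"}

def build_payload(user: bytes, password: bytes, timestamp: bytes = b"") -> bytes:
    """Frame credentials as username NUL password NUL timestamp NUL."""
    for field in (user, password, timestamp):
        if b"\0" in field:
            raise ValueError("fields must not contain NUL bytes")
    payload = b"\0".join((user, password, timestamp)) + b"\0"
    if len(payload) > 512:  # the interface reads at most 512 bytes from fd 3
        raise ValueError("payload exceeds 512 bytes")
    return payload

def run_checkpassword(argv, user, password, timestamp=b""):
    """Run a checkpassword-style program and return (status, meaning)."""
    payload = build_payload(user, password, timestamp)
    # Same trick as the man-page test: feed stdin and duplicate it onto fd 3.
    wrapper = ["sh", "-c", 'exec "$@" 3<&0', "sh", *argv]
    proc = subprocess.run(wrapper, input=payload)
    return proc.returncode, EXIT_MEANING.get(proc.returncode, "unknown")

# Constructed stand-in for checkpassword-pam so the example runs anywhere:
# it accepts only tres / example-pass and exits 2 on a malformed record.
STAND_IN = [sys.executable, "-c",
            "import os,sys\n"
            "f=os.read(3,512).split(b'\\0')\n"
            "sys.exit(2 if len(f)<4 else 0 if f[:2]==[b'tres',b'example-pass'] else 1)"]

if __name__ == "__main__":
    print(run_checkpassword(STAND_IN, b"tres", b"example-pass"))
    print(run_checkpassword(STAND_IN, b"tres", b"wrong"))
    # Against the real checker, run as the uid the SMTP daemon uses (qmaild here):
    # run_checkpassword(["/usr/bin/checkpassword-pam", "-s", "system-auth",
    #                    "--debug", "--stdout", "--", "/usr/bin/id"], b"tres", b"...")
```

Running it under the service uid rather than your own matters, since the two transcripts in this comment differ only in which uid ran the check.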
Comment 16 Tres 'RiverRat' Melton 2008-04-14 17:34:25 UTC
Well this is a bit unfortunate ... after setting the file/executable /usr/bin/checkpassword-pam SUID root I get the following:

system-auth[18941]: pam_unix(system-auth:session): session opened for user tres by (uid=201)
system-auth[18941]: pam_unix(system-auth:session): session closed for user tres

Which pretty much confirms that the problem is on the server side and most likely within the PAM crap.  Again I have no ideas as to the proper solution but am off to peruse the source to convince myself that this is a semi-safe solution at least temporarily.  :-(
Comment 17 Tres 'RiverRat' Melton 2008-04-17 13:41:26 UTC
Ok, I did the following emerge and it fixed my problem (after removing the SUID bit from /usr/bin/checkpassword-pam):

[ebuild  N    ] sys-auth/pambase-20080318  USE="-consolekit -cracklib -debug -gnome -mktemp -passwdqc (-selinux)" 3 kB 
[ebuild     U ]  sys-libs/pam-0.99.10.0 [0.99.9.0] USE="nls -audit -cracklib (-selinux) -test -vim-syntax" 911 kB 

I'm not sure if this part was it but this looked like it 'might' be the guilty part so I took notes:

--- /etc/pam.d/system-auth      2008-04-11 00:37:28.000000000 -0600
+++ /etc/pam.d/._cfg0000_system-auth    2008-04-17 07:29:44.000000000 -0600
@@ -1,13 +1,11 @@
-#%PAM-1.0
-
-auth       required    pam_env.so
-auth       sufficient  pam_unix.so try_first_pass likeauth nullok
-auth       required    pam_deny.so
-
-account    required    pam_unix.so
-
-password   sufficient  pam_unix.so try_first_pass nullok md5 shadow
-password   required    pam_deny.so
-
-session    required    pam_limits.so
-session    required    pam_unix.so  
+auth           required        pam_env.so
+auth           required        pam_unix.so try_first_pass likeauth nullok
+ 
+account                required        pam_unix.so
+ 
+password       required        pam_unix.so try_first_pass  nullok md5 shadow
+ 
+session                required        pam_limits.so
+session                required        pam_env.so   
+session                required        pam_unix.so
+ 
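Review bot: `nullok` is carried over onto the new `auth required pam_unix.so try_first_pass likeauth nullok` line, so an account with an empty password still passes this stack; if system-auth is the service that SMTP AUTH is checked against, give SMTP its own service file without `nullok`. Replacing `sufficient` plus `pam_deny.so` with a single `required` line yields the same accept/reject result for the auth and password stacks, so the control-flag change by itself does not alter which uid is able to verify a password.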

(I still have another PAM bug though :/  )
Comment 18 Tres 'RiverRat' Melton 2008-04-19 03:31:17 UTC
Ok, there must have been a session that remained connected or cached or something as comment 17 did not fix it.  I had to re-add the SUID bit to:

/usr/bin/checkpassword-pam

This is not a good solution.  PAM should return authenticated or not without requiring the additional privileges as it indicates here:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/adg-security.html
Comment 19 Tres 'RiverRat' Melton 2008-04-19 17:54:34 UTC
Ok, please disregard all my other comments in this bug and if curious see

https://bugs.gentoo.org/show_bug.cgi?id=218292#c5

for details.  Jason, if you are trying to authenticate against an /etc/shadow file you aren't going to have a lot of success unless the check is done with an SUID/root program and in my opinion checkpassword-pam should be installed that way.  If that is what he was trying then this bug too should be closed as invalid.
Comment 20 SpanKY gentoo-dev 2008-12-09 06:05:25 UTC
*** Bug 250291 has been marked as a duplicate of this bug. ***
Comment 21 David Sperling 2008-12-09 09:57:39 UTC
(In reply to comment #20)
> *** Bug 250291 has been marked as a duplicate of this bug. ***
> 

While this may be a painful upgrade, Dovecot seems to be a viable option for the now unsupported courier-authlib dropped authvchkpw module.
Here's a post from the vpopmail list that may be of interest:
http://www.mail-archive.com/vchkpw@inter7.com/msg26301.html

Link to a courier --> dovecot upgrade howto:
http://qmail.jms1.net/dovecot.shtml

HTH,