qmail installs both checkpassword and cmd5checkpw. This may be great for some installs, but they're not needed on others. The recent GLSA brought this to my attention. http://www.gentoo.org/security/en/glsa/glsa-200502-30.xml I realize that if I'm not using it, I don't have much to worry about, but still. If it's not needed, I don't want it on my server.
Reproducible: Always
Steps to Reproduce:
1. emerge qmail
Expected Results: A USE flag related to checkpassword and cmd5checkpw would be nice. If that existed, these packages could be installed only if needed.
The converse bug to this is the fact that there are multiple checkpassword implementations. Currently only two are in portage. The default, and checkpassword-pam. However qmail requires that checkpassword is installed, as mentioned in the initial report. You should be able to install a different checkpassword.
I would like to add that you can supply a use-flag named "noauthcram" in the newest qmail ebuilds. If this flag is supplied, cmd5checkpw really should not be installed!
The problem with this is that if the user decides to enable the corresponding options in conf-smtpd (cmd5checkpw), things will break. Can this be tolerated?
I obviously would say yes. ;-) What about a "big fat warning" inside the config file?
Sounds good. I'll implement this.
Done in CVS. Can you please check whether it's what you meant?
No response in a month, closing.