summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Denker <jsd@av8n.com>2012-06-02 20:47:50 -0700
committerJohn Denker <jsd@av8n.com>2012-06-02 20:47:50 -0700
commitb8caf78e0ae86118cd0659e28da919721106eadb (patch)
tree62e6afbb7b848a5ac67326ac61d04c6b59ab0251
parent6116a98a0ec20c22d8e18fcaf384bad18fc39a00 (diff)
bring a few odds and ends into the repo
-rw-r--r--CHANGES.auth62
-rw-r--r--README.auth175
-rw-r--r--tools/makefile2
-rwxr-xr-xtools/qmail-tls-check_certs84
4 files changed, 323 insertions, 0 deletions
diff --git a/CHANGES.auth b/CHANGES.auth
new file mode 100644
index 0000000..80c8935
--- /dev/null
+++ b/CHANGES.auth
@@ -0,0 +1,62 @@
+0.20
+- initial release
+
+0.21
+- wrong condition in analysis of response. fixed
+- unnecesary debug output freezed eudora. now it should work.
+
+0.22
+- added auth state support as described in rfc 2554. It prevents you
+from authenticated again, when you are already authenticated.
+- fixed few error codes to conform with rfc
+- errors during authentication does not end the smtp connection anymore as
+rfc requires.
+- second cram-md5 authentication after failure of first resulted in wrong
+challenge generation (in all subsequent authentications too)
+- major bug in login implementation fixed (bug introduced in 0.21). it
+should work again
+- added a more clean netscape compatibility fix (documented in readme)
+
+0.23
+- added the new style (rfc recommended) greeting message. Yoo can select
+beetwen them by #defining or #undefining USE_NEW_GREETING and
+USE_OLD_GREETING on the begining of qmail-smtpd.c. You can even enable both
+to maintain highest degree of compatibility with various clients. This fix
+was suggested by David Harris <David.Harris@pmail.gen.nz>, the developer of
+Pegasus Mail.
+
+0.24
+- cram-md5 fix. I wonder, how it ever worked for me. 1 week of my beta
+tests. 3 months of tests on our mail server and the fundamental bug in
+cram-md5 has been found so long after 0.23 release? Anyway it should work
+now.
+
+0.25
+- changed the error message when problems with starting checkpassword
+occour. This was a big source of question ("out of memory") that i receive
+in my e-mail.
+- Joerg Strohmayer <usenet@bigfoot.de> showed me light in the dark. I've
+read the SMTP AUTH RFC and assumend that if it uses SASL'a PLAIN, it has to
+be implemented exactly like SASL RFC says. Poor me... SMTP AUTH says that it
+also has to be base64 encoded. This is the relief for the infamous
+NETSCAPE_WORKAROUND. Again big thanks for Joerg for not only telling me
+where the problem is but also for providing the fully working patch.
+
+0.26
+- security fix - if your checkpassword crashed, attacker would get the relay
+permission. Now it should work. Reported by Javier Kohen <jkohen@tough.com>,
+thank you!
+
+0.30
+- codebase switch. From now on have merged efforts with Eric M. Johnston
+<emj@postal.net> so now there are no more 2 separate auth patches but
+just one.
+- arguments to qmail-smtpd have changed! See README.auth for further info.
+- the code is djbized right now
+- TCPREMOTEINFO is set if sender is properly authenticated.
+
+0.31
+- bug: AUTH PLAIN 334 response not RFC compliant. Reported by Mark Crispin
+ <mrc@CAC.Washington.EDU>.
+- change: Set TCPREMOTEINFO environment variable to authenticated username.
+ (Previously only set locally to qmail-smtpd.)
diff --git a/README.auth b/README.auth
new file mode 100644
index 0000000..1e383aa
--- /dev/null
+++ b/README.auth
@@ -0,0 +1,175 @@
+*** Warning! Cuidado! Vorsicht! ***
+===================================
+*** Version 0.30 of the patch changes the arguments which must be
+*** passed to qmail-smtpd. If you are upgrading from a previous
+*** version of the patch, take care to ensure your invocation of
+*** qmail-smtpd uses the correct arguments. Otherwise, your server
+*** may run as an open relay!
+===================================
+*** Warning! Cuidado! Vorsicht! ***
+
+
+This patch adds ESMTP AUTH authentication protocol support to
+qmail-1.03. It's originally based on Mrs. Brisby's smtp-auth patch
+with many enhancements from Krzysztof Dabrowski <brush@elysium.pl>.
+
+Beginning with version 0.30, the patch was completely rewritten to
+use only djb's string functions by Eric M. Johnston <emj@postal.net>.
+
+You can always get the newest version from:
+http://members.elysium.pl/brush/qmail-smtpd-auth/
+
+To use all of it's functionality you will also have to obtain and
+install Krzysztof's cmd5checkpw utility available at:
+http://members.elysium.pl/brush/cmd5checkpw/
+
+If you need more information about SMTP-AUTH itself and the
+client/server support and configuration, visit:
+http://members.elysium.pl/brush/smtp-auth/
+
+---
+
+Detailed patch information:
+
+This patch adds the ESMTP AUTH option to qmail-1.03, allowing the
+LOGIN, PLAIN, and CRAM-MD5 AUTH types. An appropriate checkpassword
+tool is necessary to support the authentication. See
+http://cr.yp.to/checkpwd.html for more information on the interface.
+Note that the checkpassword tool should support all of the AUTH types
+advertised by qmail-smtpd.
+
+As reflected in the modified qmail-smtpd(8) man page, qmail-smtpd
+must be invoked with three arguments: hostname, checkprogram, and
+subprogram. If these arguments are missing, qmail-smtpd will still
+advertise availability of AUTH, but will fail with a permanent error
+when AUTH is used.
+
+hostname is simply used to form the CRAM-MD5 challenge. qmail-smtpd
+invokes checkprogram, feeding it the username and password, in the
+case of LOGIN or PLAIN, or the username, challenge, and response, in
+the case of CRAM-MD5. If the user is permitted, checkprogram invokes
+subprogram, which just has to exit with a status of 0 for the user to
+be authenticated. Otherwise, checkprogram exits with a non-zero
+status. subprogram can usually be /usr/bin/true (or /bin/true,
+depending on your flavor of OS).
+
+If the user is successfully authenticated, the RELAYCLIENT
+environment variable is effectively set for the SMTP session, and
+the TCPREMOTEINFO environment variable is set to the authenticated
+username, overriding any value that tcpserver may have set. The
+value of TCPREMOTEINFO is reflected in a Received header.
+
+
+How to install it:
+
+Simply patch your qmail-1.03 distribution with the included patch
+file and recompile & install like usual.
+
+The steps to do this are as follows (assuming your virgin
+qmail-1.03 install is in "../qmail-1.03"):
+
+ cp README.auth base64.c base64.h ../qmail-1.03
+ patch -d ../qmail-1.03 < auth.patch
+
+Install qmail normally, with the exception of the new arguments
+to qmail-smtpd described elsewhere in this file.
+
+Also obtain, unpack, compile and install the cmd5checkpw utility
+(or some other checkpassword utility) and add a sample account to
+/etc/poppasswd file. This file must be readable by the qmail-smtpd
+user, usually qmaild.
+
+
+How to use it:
+
+*** Warning: In version 0.30 the arguments have changed from
+*** previous versions of qmail-smtpd-auth. Take care to make sure
+*** you update your startup scripts if updating!
+
+If you're running qmail-smtpd from inetd, you'll want to do the
+following:
+
+smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env \
+/var/qmail/bin/qmail-smtpd mail.acme.com /bin/cmd5checkpw /bin/true
+
+Replace mail.acme.com with your hostname. The second argument to
+qmail-smtpd is your checkpassword utility (preferably cmd5checkpw
+or some alternative that can handle CRAM-MD5). The third argument
+is the executable that the checkpassword utility execs when
+authentication is successful. (Note that the location of "true"
+is OS dependent: you may need /usr/bin/true.)
+
+Invocations using tcpserver will require analagous changes. Give
+your inetd a kill -HUP or restart tcpserver and away you go.
+
+
+Caveats:
+
+Please note that as authentication needs vary wildly across
+installations, no effort has been made to make this patch work ``out
+of the box.'' You'll have to procure or develop your own
+checkpassword program. Also note that CRAM-MD5 will require you to
+keep plaintext passwords. You'll probably want to disable this AUTH
+type if you're just using /etc/passwd (keeping in mind that PLAIN and
+LOGIN aren't quite as safe over the wire) -- just undefine AUTHCRAM
+in qmail-smtpd.
+
+Krzysztof Dabrowski's cmd5checkpw tool used as an example in this
+document supports the three AUTH types included in this patch.
+It's available at http://www.elysium.pl/members/brush/cmd5checkpw/.
+
+This patch has been generated against the stock qmail 1.03
+distribution. The results of combining this patch with others are
+unknown.
+
+
+Features:
+
+This patch supports the following auth methods: LOGIN, PLAIN and
+CRAM-MD5.
+
+
+Compatibility:
+
+The following MUA's are confirmed to work with this patch:
+
+Eudora 4.2.2 - CRAM-MD5
+Eudora 5.0.2 - CRAM-MD5
+The Bat 1.39 - LOGIN & CRAM-MD5
+Outlook Express 4 - LOGIN
+Outlook Express 5 - LOGIN
+Outlook 2000 - LOGIN
+Netscape 4.x - LOGIN & PLAIN
+Netscape 4.0x - LOGIN
+Pegasus Mail 3.1x - CRAM-MD5
+
+
+Various compatibility issues:
+
+Testing with Pegasus Mail 3.1 revealed that it requires the new style
+(RFC recommended) greeting message. Both styles are now enabled to
+maintain the highest degree of compatibility with various clients.
+This fix was suggested by David Harris <David.Harris@pmail.gen.nz>,
+the developer of Pegasus Mail.
+
+
+Acknowledgments:
+
+This patch is based on work by Krzysztof Dabrowski at
+http://members.elysium.pl/brush/qmail-smtpd-auth/ and ``Mrs. Brisby''
+at http://www.nimh.org/hacks/qmail-smtpd.c which has been further
+developed by Eric M. Johnston <emj@postal.net>.
+
+---
+
+THIS SOFTWARE IS IN THE PUBLIC DOMAIN, IS PROVIDED BY THE AUTHOR
+``AS IS,'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/tools/makefile b/tools/makefile
index f64b9c2..005b408 100644
--- a/tools/makefile
+++ b/tools/makefile
@@ -23,6 +23,8 @@ install:
chmod u+s /var/qmail/rbin/checkpassword
cp smtp.conf /etc/stunnel/
cp pop3.conf /etc/stunnel/
+ chmod 640 /var/qmail/control/*.crtkey
+ chown qmaild /var/qmail/control/*.crtkey
/etc/tcpserver/smtp.rules :
install -d /etc/tcpserver
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
new file mode 100755
index 0000000..d8f97de
--- /dev/null
+++ b/tools/qmail-tls-check_certs
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Author: Jason Haar <jhaar@users.sourceforge.net>
+# Date: 09-Nov-2004
+# Version: 1.0
+# Copyright: GPL
+#
+# This script simply checks the status of the certificates used by
+# Qmail with Frederik Vermeulen's TLS patch - to ensure they are
+# valid, non-expired certs with the appropriate KeyUsage extensions
+# required to get their jobs done.
+# This script can be run on a nightly basis to check the cert status.
+# Note that when it marked as cert as "bad" (typically because it's
+# expired), it will be renamed, a syslog event generated, and probably
+# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+#
+# That may sound bad, but the alternative is that Qmail will stop working
+# for new TLS sessions *anyway* - it's just that this script will tell
+# you why...
+
+LOGGER="logger -i -t qmail-tls-check_certs"
+
+dir=''
+dirlist="/etc/qmail/control /var/qmail/control"
+for trydir in $dirlist ; do
+ if test -d $trydir ; then
+ dir=$trydir
+ break
+ fi
+done
+if test -z "$dir" ; then
+ 1>&2 echo "Cannot find any control director ($dirlist)"
+ exit 1
+fi
+
+for cert in servercert.pem clientcert.pem ; do
+ if ! test -f "$dir/$cert"; then
+ echo "Certificate missing: $dir/$cert"
+ else
+ #First, check that it's a valid cert for the task
+ TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+ if [ "$?" != "0" ]; then
+ echo "$dir/$cert is a broken cert. Disabled"
+ mv -f $dir/$cert $dir/BROKEN-${cert}
+ $LOGGER "$dir/$cert is a broken cert. Disabled"
+ continue
+ fi
+
+ #Now check it hasn't expired
+ TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+ grep -i after|cut -d= -f2 )
+ EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
+ if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ NOW_IN_SECS=`date +%s 2>/dev/null`
+ if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
+ echo "$dir/$cert has EXPIRED. Disabling"
+ mv -f $dir/$cert $dir/EXPIRED-${cert}
+ $LOGGER "$dir/$cert has EXPIRED. Disabling"
+ continue
+ fi
+ fi
+ fi
+
+ if [ "`echo $cert|grep server`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE | \
+ egrep -i '(any purpose|server).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a server cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+ continue
+ fi
+ fi
+ if [ "`echo $cert|grep client`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE |
+ egrep -i '(any purpose|client).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a client cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+ fi
+ fi
+ fi
+
+done