From b8caf78e0ae86118cd0659e28da919721106eadb Mon Sep 17 00:00:00 2001
From: John Denker
Date: Sat, 2 Jun 2012 20:47:50 -0700
Subject: bring a few odds and ends into the repo

---
CHANGES.auth | 62 ++++++++++++++++
README.auth | 175 ++++++++++++++++++++++++++++++++++++++++++++
tools/makefile | 2 +
tools/qmail-tls-check_certs | 84 +++++++++++++++++++++
4 files changed, 323 insertions(+)
create mode 100644 CHANGES.auth
create mode 100644 README.auth
create mode 100755 tools/qmail-tls-check_certs

diff --git a/CHANGES.auth b/CHANGES.auth
new file mode 100644
index 0000000..80c8935
--- /dev/null
+++ b/CHANGES.auth
@@ -0,0 +1,62 @@
+0.20
+- initial release
+
+0.21
+- wrong condition in analysis of response. fixed
+- unnecesary debug output freezed eudora. now it should work.
+
+0.22
+- added auth state support as described in rfc 2554. It prevents you
+from authenticated again, when you are already authenticated.
+- fixed few error codes to conform with rfc
+- errors during authentication does not end the smtp connection anymore as
+rfc requires.
+- second cram-md5 authentication after failure of first resulted in wrong
+challenge generation (in all subsequent authentications too)
+- major bug in login implementation fixed (bug introduced in 0.21). it
+should work again
+- added a more clean netscape compatibility fix (documented in readme)
+
+0.23
+- added the new style (rfc recommended) greeting message. Yoo can select
+beetwen them by #defining or #undefining USE_NEW_GREETING and
+USE_OLD_GREETING on the begining of qmail-smtpd.c. You can even enable both
+to maintain highest degree of compatibility with various clients. This fix
+was suggested by David Harris , the developer of
+Pegasus Mail.
+
+0.24
+- cram-md5 fix. I wonder, how it ever worked for me. 1 week of my beta
+tests. 3 months of tests on our mail server and the fundamental bug in
+cram-md5 has been found so long after 0.23 release? Anyway it should work
+now.
+
+0.25
+- changed the error message when problems with starting checkpassword
+occour. This was a big source of question ("out of memory") that i receive
+in my e-mail.
+- Joerg Strohmayer showed me light in the dark. I've
+read the SMTP AUTH RFC and assumend that if it uses SASL'a PLAIN, it has to
+be implemented exactly like SASL RFC says. Poor me... SMTP AUTH says that it
+also has to be base64 encoded. This is the relief for the infamous
+NETSCAPE_WORKAROUND. Again big thanks for Joerg for not only telling me
+where the problem is but also for providing the fully working patch.
+
+0.26
+- security fix - if your checkpassword crashed, attacker would get the relay
+permission. Now it should work. Reported by Javier Kohen ,
+thank you!
+
+0.30
+- codebase switch. From now on have merged efforts with Eric M. Johnston
+ so now there are no more 2 separate auth patches but
+just one.
+- arguments to qmail-smtpd have changed! See README.auth for further info.
+- the code is djbized right now
+- TCPREMOTEINFO is set if sender is properly authenticated.
+
+0.31
+- bug: AUTH PLAIN 334 response not RFC compliant. Reported by Mark Crispin
+ .
+- change: Set TCPREMOTEINFO environment variable to authenticated username.
+ (Previously only set locally to qmail-smtpd.)
diff --git a/README.auth b/README.auth
new file mode 100644
index 0000000..1e383aa
--- /dev/null
+++ b/README.auth
@@ -0,0 +1,175 @@
+*** Warning! Cuidado! Vorsicht! ***
+===================================
+*** Version 0.30 of the patch changes the arguments which must be
+*** passed to qmail-smtpd. If you are upgrading from a previous
+*** version of the patch, take care to ensure your invocation of
+*** qmail-smtpd uses the correct arguments. Otherwise, your server
+*** may run as an open relay!
+===================================
+*** Warning! Cuidado! Vorsicht! ***
+
+
+This patch adds ESMTP AUTH authentication protocol support to
+qmail-1.03. It's originally based on Mrs. Brisby's smtp-auth patch
+with many enhancements from Krzysztof Dabrowski .
+
+Beginning with version 0.30, the patch was completely rewritten to
+use only djb's string functions by Eric M. Johnston .
+
+You can always get the newest version from:
+http://members.elysium.pl/brush/qmail-smtpd-auth/
+
+To use all of it's functionality you will also have to obtain and
+install Krzysztof's cmd5checkpw utility available at:
+http://members.elysium.pl/brush/cmd5checkpw/
+
+If you need more information about SMTP-AUTH itself and the
+client/server support and configuration, visit:
+http://members.elysium.pl/brush/smtp-auth/
+
+---
+
+Detailed patch information:
+
+This patch adds the ESMTP AUTH option to qmail-1.03, allowing the
+LOGIN, PLAIN, and CRAM-MD5 AUTH types. An appropriate checkpassword
+tool is necessary to support the authentication. See
+http://cr.yp.to/checkpwd.html for more information on the interface.
+Note that the checkpassword tool should support all of the AUTH types
+advertised by qmail-smtpd.
+
+As reflected in the modified qmail-smtpd(8) man page, qmail-smtpd
+must be invoked with three arguments: hostname, checkprogram, and
+subprogram. If these arguments are missing, qmail-smtpd will still
+advertise availability of AUTH, but will fail with a permanent error
+when AUTH is used.
+
+hostname is simply used to form the CRAM-MD5 challenge. qmail-smtpd
+invokes checkprogram, feeding it the username and password, in the
+case of LOGIN or PLAIN, or the username, challenge, and response, in
+the case of CRAM-MD5. If the user is permitted, checkprogram invokes
+subprogram, which just has to exit with a status of 0 for the user to
+be authenticated. Otherwise, checkprogram exits with a non-zero
+status. subprogram can usually be /usr/bin/true (or /bin/true,
+depending on your flavor of OS).
+
+If the user is successfully authenticated, the RELAYCLIENT
+environment variable is effectively set for the SMTP session, and
+the TCPREMOTEINFO environment variable is set to the authenticated
+username, overriding any value that tcpserver may have set. The
+value of TCPREMOTEINFO is reflected in a Received header.
+
+
+How to install it:
+
+Simply patch your qmail-1.03 distribution with the included patch
+file and recompile & install like usual.
+
+The steps to do this are as follows (assuming your virgin
+qmail-1.03 install is in "../qmail-1.03"):
+
+ cp README.auth base64.c base64.h ../qmail-1.03
+ patch -d ../qmail-1.03 < auth.patch
+
+Install qmail normally, with the exception of the new arguments
+to qmail-smtpd described elsewhere in this file.
+
+Also obtain, unpack, compile and install the cmd5checkpw utility
+(or some other checkpassword utility) and add a sample account to
+/etc/poppasswd file. This file must be readable by the qmail-smtpd
+user, usually qmaild.
+
+
+How to use it:
+
+*** Warning: In version 0.30 the arguments have changed from
+*** previous versions of qmail-smtpd-auth. Take care to make sure
+*** you update your startup scripts if updating!
+
+If you're running qmail-smtpd from inetd, you'll want to do the
+following:
+
+smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env \
+/var/qmail/bin/qmail-smtpd mail.acme.com /bin/cmd5checkpw /bin/true
+
+Replace mail.acme.com with your hostname. The second argument to
+qmail-smtpd is your checkpassword utility (preferably cmd5checkpw
+or some alternative that can handle CRAM-MD5). The third argument
+is the executable that the checkpassword utility execs when
+authentication is successful. (Note that the location of "true"
+is OS dependent: you may need /usr/bin/true.)
+
+Invocations using tcpserver will require analagous changes. Give
+your inetd a kill -HUP or restart tcpserver and away you go.
+
+
+Caveats:
+
+Please note that as authentication needs vary wildly across
+installations, no effort has been made to make this patch work ``out
+of the box.'' You'll have to procure or develop your own
+checkpassword program. Also note that CRAM-MD5 will require you to
+keep plaintext passwords. You'll probably want to disable this AUTH
+type if you're just using /etc/passwd (keeping in mind that PLAIN and
+LOGIN aren't quite as safe over the wire) -- just undefine AUTHCRAM
+in qmail-smtpd.
+
+Krzysztof Dabrowski's cmd5checkpw tool used as an example in this
+document supports the three AUTH types included in this patch.
+It's available at http://www.elysium.pl/members/brush/cmd5checkpw/.
+
+This patch has been generated against the stock qmail 1.03
+distribution. The results of combining this patch with others are
+unknown.
+
+
+Features:
+
+This patch supports the following auth methods: LOGIN, PLAIN and
+CRAM-MD5.
+
+
+Compatibility:
+
+The following MUA's are confirmed to work with this patch:
+
+Eudora 4.2.2 - CRAM-MD5
+Eudora 5.0.2 - CRAM-MD5
+The Bat 1.39 - LOGIN & CRAM-MD5
+Outlook Express 4 - LOGIN
+Outlook Express 5 - LOGIN
+Outlook 2000 - LOGIN
+Netscape 4.x - LOGIN & PLAIN
+Netscape 4.0x - LOGIN
+Pegasus Mail 3.1x - CRAM-MD5
+
+
+Various compatibility issues:
+
+Testing with Pegasus Mail 3.1 revealed that it requires the new style
+(RFC recommended) greeting message. Both styles are now enabled to
+maintain the highest degree of compatibility with various clients.
+This fix was suggested by David Harris ,
+the developer of Pegasus Mail.
+
+
+Acknowledgments:
+
+This patch is based on work by Krzysztof Dabrowski at
+http://members.elysium.pl/brush/qmail-smtpd-auth/ and ``Mrs. Brisby''
+at http://www.nimh.org/hacks/qmail-smtpd.c which has been further
+developed by Eric M. Johnston .
+
+---
+
+THIS SOFTWARE IS IN THE PUBLIC DOMAIN, IS PROVIDED BY THE AUTHOR
+``AS IS,'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE
+LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/tools/makefile b/tools/makefile
index f64b9c2..005b408 100644
--- a/tools/makefile
+++ b/tools/makefile
@@ -23,6 +23,8 @@ install:
 chmod u+s /var/qmail/rbin/checkpassword
 cp smtp.conf /etc/stunnel/
 cp pop3.conf /etc/stunnel/
+ chmod 640 /var/qmail/control/*.crtkey
+ chown qmaild /var/qmail/control/*.crtkey
 /etc/tcpserver/smtp.rules :
 install -d /etc/tcpserver
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
new file mode 100755
index 0000000..d8f97de
--- /dev/null
+++ b/tools/qmail-tls-check_certs
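Review bot: The two added recipe lines leave the private key material group-readable by whatever group the `*.crtkey` files already carry, because `chmod 640` keeps the group read bit and the following `chown qmaild` sets only the owner, so group access is inherited rather than chosen. If only qmaild has to read these files the mode should be `chmod 600`; if a second qmail identity genuinely needs them, name the group explicitly in the chown (e.g. `chown qmaild:<intended group> /var/qmail/control/*.crtkey`) so the 640 is a decision rather than an accident. Separately, an unquoted glob with no match is passed through literally, so on a fresh system with no `.crtkey` file yet chmod fails and `make install` aborts before certificates have been generated; a guard such as `for f in /var/qmail/control/*.crtkey; do if [ -e "$$f" ]; then chmod 600 "$$f"; chown qmaild "$$f"; fi; done` keeps the target usable. The install target starts before this hunk, so I cannot see whether an earlier recipe line already creates or owns these files.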
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Author: Jason Haar
+# Date: 09-Nov-2004
+# Version: 1.0
+# Copyright: GPL
+#
+# This script simply checks the status of the certificates used by
+# Qmail with Frederik Vermeulen's TLS patch - to ensure they are
+# valid, non-expired certs with the appropriate KeyUsage extensions
+# required to get their jobs done.
+# This script can be run on a nightly basis to check the cert status.
+# Note that when it marked as cert as "bad" (typically because it's
+# expired), it will be renamed, a syslog event generated, and probably
+# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+#
+# That may sound bad, but the alternative is that Qmail will stop working
+# for new TLS sessions *anyway* - it's just that this script will tell
+# you why...
+
+LOGGER="logger -i -t qmail-tls-check_certs"
+
+dir=''
+dirlist="/etc/qmail/control /var/qmail/control"
+for trydir in $dirlist ; do
+ if test -d $trydir ; then
+ dir=$trydir
+ break
+ fi
+done
+if test -z "$dir" ; then
+ 1>&2 echo "Cannot find any control director ($dirlist)"
+ exit 1
+fi
+
+for cert in servercert.pem clientcert.pem ; do
+ if ! test -f "$dir/$cert"; then
+ echo "Certificate missing: $dir/$cert"
+ else
+ #First, check that it's a valid cert for the task
+ TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+ if [ "$?" != "0" ]; then
+ echo "$dir/$cert is a broken cert. Disabled"
+ mv -f $dir/$cert $dir/BROKEN-${cert}
+ $LOGGER "$dir/$cert is a broken cert. Disabled"
+ continue
+ fi
+
+ #Now check it hasn't expired
+ TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+ grep -i after|cut -d= -f2 )
+ EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
+ if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ NOW_IN_SECS=`date +%s 2>/dev/null`
+ if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
+ if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
+ echo "$dir/$cert has EXPIRED. Disabling"
+ mv -f $dir/$cert $dir/EXPIRED-${cert}
+ $LOGGER "$dir/$cert has EXPIRED. Disabling"
+ continue
+ fi
+ fi
+ fi
+
+ if [ "`echo $cert|grep server`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE | \
+ egrep -i '(any purpose|server).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a server cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+ continue
+ fi
+ fi
+ if [ "`echo $cert|grep client`" != "" ] ; then
+ if [ "_$( echo $TEMP_PURPOSE |
+ egrep -i '(any purpose|client).* yes' )" = "_" ]; then
+ echo "$dir/$cert is NOT a client cert. Disabled"
+ mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
+ $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+ fi
+ fi
+ fi
+
+done
-- cgit v1.2.3
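Review bot: The expiry check in the new script cannot fire as written: `$TEMP_DATE` is expanded unquoted in `date +%s --date $TEMP_DATE`, so a notAfter value such as `Jun  2 20:47:50 2013 GMT` reaches date as several operands, GNU date rejects the extra operands, `2>/dev/null` hides that, `EXPIRE_IN_SECS` stays empty and the `egrep '^[0-9]+$'` guard silently skips the comparison instead of reporting it. The purpose checks are also weaker than they look: `echo $TEMP_PURPOSE` flattens the multi-line purpose table onto one line, so `(any purpose|server).* yes` can match `SSL server : No` followed by some later `: Yes`, and if I recall correctly openssl prints `Any Purpose : Yes` for every certificate, which would make the alternation vacuous even line by line. Letting openssl do the expiry test with `-checkend 0` and anchoring the purpose match to a single line of the table fixes both; an unparseable or missing result should be logged rather than skipped, and the script should exit non-zero after disabling anything so a cron wrapper can notice. Minor: the message on the missing-directory path reads `control director` (`directory`), and `$dir/$cert` is unquoted in the `openssl` and `mv` invocations, harmless for these fixed names but worth quoting for consistency with the `test -f` line above.
```shell
    #Now check it hasn't expired (openssl compares notAfter with its own clock)
    if ! openssl x509 -in "$dir/$cert" -noout -checkend 0 >/dev/null 2>&1; then
      echo "$dir/$cert has EXPIRED. Disabling"
      # … unchanged: mv to EXPIRED-${cert}, $LOGGER, continue …
    fi

    if [ "`echo $cert|grep server`" != "" ] ; then
      # match one line of the purpose table, not the flattened output
      if ! printf '%s\n' "$TEMP_PURPOSE" | grep -i -E '^ssl server *: *yes' >/dev/null; then
        # … unchanged: "NOT a server cert" handling …
      fi
    fi
    # … unchanged: client check, same shape with '^ssl client *: *yes' …
```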