Quote:
printf "%s\0%s\0%s\0" user password Y123456 | /usr/bin/checkpassword id 3<&0
But it only gives the right result when you are root. Why?
Because checkpassword only has access to the shadow password database if it is run as root. Some programs that require access to the database are run as sgid shadow, but even this would be a bad idea for checkpassword, because it can be used to run dictionary attacks against the password list.
Quote:
I am not an expert but it seems to work if `id -u mails` is replaced with `id -u root`
Ok, but from a security aspect is that the right solution?
Doesn't sound like good security; at the very least, you are running a lot of code as root that doesn't need to be.
There are a number of alternatives to checkpassword.
I cannot advise the best solution; for a commercial system, you should probably operate a separate password database for remote smtp users, rather than give qmail access to the system passwords.
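As an added illustration of the reply's suggestion (this is example code, not part of the thread and not qmail's or checkpassword's own code), the script below implements the checkpassword interface the first quote exercises (username, password and timestamp as three NUL-terminated fields read from file descriptor 3, at most 512 bytes; exit 0 on success, 1 on rejection, 2 on misuse) but verifies against its own salted-hash user table instead of the system shadow database, so it can run as an unprivileged service account rather than as root. The `USER_DB` contents, the account name `alice` and the PBKDF2 parameters are constructed for the example and are not from the page.

```python
"""Minimal checkpassword-compatible verifier backed by a separate user database.

Interface (as documented for checkpassword): read "user\0password\0timestamp\0"
from fd 3, exit 0 if accepted, 1 if rejected, 2 on misuse, then exec the
remaining argv on success.  Unlike the real checkpassword, this version never
touches /etc/shadow and never changes uid/gid, so it needs no root privilege.
"""
import hashlib
import hmac
import os
import sys

MAX_INPUT = 512          # the interface allows at most 512 bytes on fd 3
KDF_ITERATIONS = 100_000 # constructed value for this example


def parse_checkpassword_input(data: bytes):
    """Split the raw fd 3 contents into (user, password, timestamp).

    Returns None when the data does not follow the interface (too long,
    fewer than three fields, or missing the terminating NUL).
    """
    if len(data) > MAX_INPUT:
        return None
    parts = data.split(b"\0")
    # A well-formed record ends in NUL, so split() yields a trailing empty field.
    if len(parts) < 4 or parts[-1] != b"":
        return None
    return parts[0], parts[1], parts[2]


def make_record(password: str, salt: bytes):
    """Build a salted PBKDF2-HMAC-SHA256 record for the separate user table."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample database: one hypothetical remote SMTP user.
# In a real deployment this would live in a file readable only by the
# service account, not in the system password database.
USER_DB = {
    "alice": make_record("correct horse battery staple", salt=b"\x01" * 16),
}


def verify(user: bytes, password: bytes) -> bool:
    """Check a password against the separate table in roughly constant time."""
    record = USER_DB.get(user.decode("utf-8", "replace"))
    if record is None:
        # Run the KDF anyway so unknown users cost the same as known ones.
        hashlib.pbkdf2_hmac("sha256", password, b"\0" * 16, KDF_ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password, record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def check(data: bytes) -> int:
    """Return the checkpassword exit status for the raw fd 3 contents."""
    fields = parse_checkpassword_input(data)
    if fields is None:
        return 2  # misuse: malformed input
    user, password, _timestamp = fields
    return 0 if verify(user, password) else 1


def main() -> None:
    try:
        with os.fdopen(3, "rb") as fd3:
            data = fd3.read(MAX_INPUT + 1)  # read one extra byte to detect overlong input
    except OSError:
        sys.exit(2)
    status = check(data)
    if status == 0 and len(sys.argv) > 1:
        # The real checkpassword switches to the user's uid/gid and home before
        # exec; this separate-database version stays as the service account.
        os.execvp(sys.argv[1], sys.argv[1:])
    sys.exit(status)


if __name__ == "__main__":
    main()
```

Invoked the same way as in the first quote, `printf "%s\0%s\0%s\0" alice 'correct horse battery staple' Y123456 | python3 checkpw.py id 3<&0` exits 0 and runs `id`, while a wrong password exits 1, and it behaves the same whether or not the caller is root, which is the point of keeping remote SMTP credentials out of the system password file.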