Old 06-09-2010, 01:33 PM   #1
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

qmail authentication


I've had qmail running on a server for three years, almost forgot how difficult that installation was. I got away with it because I downloaded Qmail Rocks and followed all their instructions step by step. However, Qmail Rocks is based on qmail 1.03. I just had to install qmail on a new server, so this time I looked around and found netqmail 1.06 and decided to go with it, following the instructions on Life With Qmail. It was a good decision. I read a lot more documentation and now I understand qmail a lot better.

But I can't get past one point: authentication. Consider this test on Qmail Rocks:

Code:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 somewhere.anywhere.com ESMTP
ehlo localhost
250-somewhere.anywhere.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
starttls
220 ready for tls
quit
quit
Connection closed by foreign host.

That test works fine on my old server. But qmail behaves differently on my new server:

Code:
# netqmail-1.06> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 domain.com ESMTP
ehlo localhost
250-domain.com
250-PIPELINING
250 8BITMIME
starttls
502 unimplemented (#5.5.1)
quit
221 domain.com
Connection closed by foreign host.

That same page on Qmail Rocks says that I need to have a certificate, the procedure is described here.

The installation procedure given by LWQ does not include that step. Running 'make cert' inside the source directory of netqmail-1.06 does not work:

Code:
# netqmail-1.06> make cert
make: *** No rule to make target `cert'.  Stop.

In my vast ignorance, I copied /var/qmail/control/servercert.pem from my old server over to the new one. I also fixed all ownership and permissions. I don't know if I am allowed to do that. But although those are two different boxes, I am in fact installing the same domain in the new box. The new server is going to replace the old one as soon as it's running perfectly. I restarted qmail and... authentication still does not work.

Everything else is working fine, I just need to fix that part. But I am stumped now. Can anyone give me any pointers?

TIA
 
Old 06-09-2010, 05:45 PM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

IMHO QMR is better than LWQ, because it's fully patched to support a vast variety of add-ons. That is why it has native support for tls. Besides that the installation is straightforward, while in QMR you have to do most of the things by hand.
If you want to go with LWQ, then you have to patch it yourself for tls. Read this for details

Regards

Last edited by bathory; 06-09-2010 at 05:52 PM.
 
1 members found this post helpful.
Old 07-09-2010, 05:03 PM   #3
lucmove
Senior Member
 
Registered: Aug 2005
Location: Brazil
Distribution: Debian
Posts: 1,432

Original Poster
Quote:
Originally Posted by bathory
IMHO QMR is better than LWQ, because it's fully patched to support a vast variety of add-ons. That is why it has native support for tls. Besides that the installation is straightforward, while in QMR you have to do most of the things by hand. If you want to go with LWQ, then you have to patch it yourself for tls. Read this for details
Regards

I used the link suggested by bathory and it really helped. I have SSL-secured SMTP and POP3 now.

However, that tutorial does not contemplate authentication. Note this session output taken from that very same page:

Code:
* telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 host.example.com ESMTP
* EHLO there
    250-host.example.com
    250-PIPELINING
    250-8BITMIME
    250 STARTTLS
* QUIT
    221 host.example.com

In comparison, look at what I get from my old server:

Code:
luc[359-1]/> telnet domain.com 25                                 
Trying 64.65.66.67...
Connected to domain.com.
Escape character is '^]'.
220 domain.com ESMTP
ehlo domain.com
250-domain.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
quit
221 domain.com
Connection closed by foreign host.
Exit 1

My NEW server does not have those AUTH lines:

Code:
luc[361-1]/> telnet newdomain.com 25                                    
Trying 74.75.76.77...
Connected to newdomain.com.
Escape character is '^]'.
220 newdomain.com ESMTP
ehlo newdomain.com
250-newdomain.com
250-STARTTLS
250-PIPELINING
250 8BITMIME
quit
221 newdomain.com
Connection closed by foreign host.
Exit 1

I looked for "inspiration" in the /var/qmail/supervise/qmail-smtpd/run file of my old server, comparing it to the one in the new server.

NEW SERVER:

Code:
blah blah blah...
exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/sslserver -e -n -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd 2>&1

OLD SERVER:

Code:
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd host.domain.com \
/home/vpopmail/bin/vchkpw /usr/bin/true 2>&1

Is that all? Just invoke vchkpw?

Code:
exec /usr/local/bin/softlimit -m 30000000 \
    /usr/local/bin/sslserver -e -n -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd \
        host.newdomain.com /var/vpopmail/bin/vchkpw /usr/bin/true 2>&1

No, apparently not. SSL is working well, but I still have no authentication. Without authentication, relay is closed and I cannot use my own server to send mail anywhere outside of my own local domains.

Can anyone here tell me how I can fix this?
 
Old 07-10-2010, 08:57 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Hi,

Apparently the old server uses vpopmail for authentication. Thus you have vchkpw in the qmail-smtpd run script.
Take a look here for details and needed patches

Regards
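
The EHLO comparison made by hand in this thread can be scripted. The following is an added example, not code from any poster or from the qmail project: it parses the 250 replies copied from the telnet sessions above and reports which AUTH mechanisms a server advertises and whether PLAIN or LOGIN are offered on the connection before STARTTLS. The function names `parse_ehlo` and `assess` are made up for this illustration.

```python
import re

# EHLO replies copied from the telnet sessions posted in this thread.
OLD_SERVER = """250-domain.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME"""
NEW_SERVER = """250-newdomain.com
250-STARTTLS
250-PIPELINING
250 8BITMIME"""

def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameters."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"250([- ])(.*)$", line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i > 0:  # the first line is the server's greeting, not a keyword
            # The legacy "AUTH=LOGIN ..." spelling lists the same mechanisms.
            text = re.sub(r"^AUTH=", "AUTH ", m.group(2), flags=re.I)
            words = text.upper().split()
            if words:
                params = caps.setdefault(words[0], [])
                params.extend(w for w in words[1:] if w not in params)
        if m.group(1) == " ":  # "250 " (space, not hyphen) marks the last line
            break
    return caps

def assess(reply):
    """Return (auth_mechanisms, findings) for an EHLO reply seen before TLS."""
    caps = parse_ehlo(reply)
    mechs = caps.get("AUTH", [])
    findings = []
    if not mechs:
        findings.append("no AUTH keyword: this smtpd does not offer SMTP AUTH")
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS keyword: the session cannot be upgraded to TLS")
    weak = [m for m in mechs if m in ("PLAIN", "LOGIN")]
    if weak:
        findings.append("%s offered before STARTTLS: password is only base64-encoded "
                        "unless the client upgrades to TLS first" % "/".join(weak))
    return mechs, findings

if __name__ == "__main__":
    for name, reply in (("old", OLD_SERVER), ("new", NEW_SERVER)):
        print(name, *assess(reply), sep="\n  ")
```
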
 