qmail-smtpd-auth FAQ

This section is a result of the correspondece between me and users of my patch. The most common questions will be answered here.

Important notice: Before asking any questions read this FAQ and also check the Mailing list archives. Also do not ask any question in private mails to the patch developers - ask them on the mailing list so others can benefit from the answers!

Questions:

1. I have installed everything accourding to you docs, but i still get authentication errors.
2. I've made sure checkpassword can read shadow etc. but it still does not work.
3. Is this possible to use your patch with vpopmail?
4. Is this possible to use your patch with vmailmgr?
5. Is this possible to use your patch with qmail-ldap or any other qmail/checkpassword modification?

Answers:

1. Make sure that your checkpassword utility can read the shadow file. This is the most common problem. Either make it suid root or find another (safer) way to make it read that file.

2. Make sure that your qmail-smtpd user can actualy launch the checkpassword utility. The default permissions on /bin/checkpassword are too strict.

3. (this answer is contributed by Ismail YENIGUL:

• Download qmail-1.03, vpopmail 5.2 and smtp-auth patch from http://members.elysium.pl/brush/qmail-smtpd-auth/
• Read the README.auth to patch qmail with smtp-auth patch
• Compile qmail normaly
• Compile vpopmail as you need
• # chmod 4755 ~vpopmail/bin/vchkpw
  # chown root.root ~vpopmail/bin/vchkpw
• You can run qmail-smtpd from inetd or tcpserver I recommend you to use tcpserver, If you are using tcpserver, use following command to start qmail-smtpd (Note!! all of them are in a single line !)

  exec /usr/local/bin/softlimit -m 4000000 tcpserver -H -l0 -R -c 512 -x
  /home/vpopmail/etc/tcp.smtp.cdb -u VPOPMAILUID -g VPOPMAILGUID 0 smtp
  /var/qmail/bin/qmail-smtpd  your.qmail.server.name /home/vpopmail/bin/vchkpw
  /bin/true &
  

  change following parameters depend of your system configuration -x /home/vpopmail/etc/tcp.smtp.cdb //change this with your tcp.smtpd.cdb file path VPOPMAILUID is your vpopmail user id VPOPMAILGUID is your vpopmail group id your.qmail.server.name is your fully qualified server name /home/vpopmail/bin/vchkpw is your vchkpw file path /bin/true is your true command path (this is /usr/bin/true in FreeBSD) if you do NOT add your .qmail.server.name parameter after /var/qmail/bin/qmail-smtpd , your smtp-auth gives fake authentication. It returns true for any username and password if you are using inetd, add following lines to inetd.conf and send kill -HUP to inetd

  smtp stream tcp nowait qmaild /var/qmail/bin/tcp-env tcp-env \
  /var/qmail/bin/qmail-smtpd your.qmail.server.name /home/vpopmail/bin/vchkpw
  /bin/true
  

4. The solution is simple:

• Make your /usr/bin/checkvpw suid root
• change your qmail-smtpd startup script to look like this:

  /var/qmail/bin/qmail-smtpd-auth mail.domain.name /usr/bin/checkvpw /bin/true maildir

  Notice the "maildir" argument - something has to be here because of a bug/feature in checkvpw - the last arg is being overwritten with users maildir path and we do not want it to mess up out command path.


The other solution for this problem has been created by Kazuhiko Iwama on his website: http://www.sera.desuyo.net/smtp-auth/. Unfortunalely he did not bothered to contact me so this solution could be made more public for all users of the patch. The page is completely in japan or chinese (sorry i do not know those funky letters) so i decided to give you a brief solution here.

In order to use vmailmgr with smtp-auth you have to:
• Obtain and install current vmailmgr package and pay attention to the vmailmgr-daemon package. Make sure it's installed and running.
• Get new checkpassword utility from here and compile it using this command:

  gcc -o chk_vmauth chk_vmauth.c

• Copy the resulting binary to /var/bin/qmail
  
• Now just use is as your checkpassword utility in the qmail-smtpd invocation:

  /var/qmail/bin/qmail-smtpd-auth mail.domain.name /var/qmail/bin/chk_vmauth

• Restart your qmail-smtpd. Now your authentication should work.

5. As long as you qmail version provides a checkpassword utility which is compatible with standard checkpassword then you should have no problems using it. Just replace /bin/checkpassword invocation in the qmail-smtpd starting script into /path/to/your/checkpassword utility and voila. Make sure you can actualy call this command as qmail-smtpd user.