Hi there, I'm running Qmail on FreeBSD 9.1 (port version qmail-1.03_8)
with the SMTP-AUTH patch from ports. I run it using tcpserver and
daemontools, with the exact file, except the smtps port running through
stunnel.
The non-SSL process does correct user lookups and fails incorrect
authentication.
The SSL one gladly accepts any random string for user and pass and
allows relay. I am running the same commands, only adding stunnel for
the second one. A bit lost as to why this is happening. Below I use the
same base64 encoded string for the login, both attempts from an
untrusted source, not allowed to relay anywhere.
$ perl -MMIME::Base64 -e 'print encode_base64("some-random-string");'
c29tZS1yYW5kb20tc3RyaW5n
$ *telnet mail.server.net 25*
Trying 1.2.3.4...
Connected to mail.server.net .
Escape character is '^]'.
220 mail.server.net ESMTP
*AUTH LOGIN*
334 VXNlcm5hbWU6
*c29tZS1yYW5kb20tc3RyaW5n*
334 UGFzc3dvcmQ6
*c29tZS1yYW5kb20tc3RyaW5n*
535 authorization failed (#5.7.0)
^]
$ *openssl s_client -crlf -connect mail.server.net:465*
<...ssl stuff here...>
220 mail.server.net ESMTP
*AUTH LOGIN*
334 VXNlcm5hbWU6
*c29tZS1yYW5kb20tc3RyaW5n*
334 UGFzc3dvcmQ6
*c29tZS1yYW5kb20tc3RyaW5n*
235 ok, go ahead (#2.0.0)
^]
# *cat /service/qmail-smtpd/run *
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -H -R -l 0 -v \
-x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
/var/qmail/bin/qmail-smtpd 0 \
/usr/local/vpopmail/bin/vchkpw true 2>&1
# *cat /service/qmail-smtpds/run *
#!/bin/sh
QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 30000000 \
/usr/local/bin/tcpserver -H -R -l 0 -v \
-x /usr/local/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
/usr/local/sbin/stunnel \
-p /opt/ssl/certificate.stunnel.crt \
-A /opt/ssl/GT_True_BusinessID_and_Enterprise_SSL_Intermediate_bundle.pem \
-l /var/qmail/bin/qmail-smtpd 0 \
/usr/local/vpopmail/bin/vchkpw true 2>&1
Anyone know what I should look at? Let me know if there's any other
info I should provide.
I'm running stunnel 3.x simply for compatibility (4.x doesn't support
command line args). I could upgrade that but doubt this should be my
problem.
--
Thanks,
Darek
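The manual test above (AUTH LOGIN with a credential that cannot exist, once on port 25 and once through the stunnel-wrapped port 465) is worth turning into a repeatable check, so that both listeners are verified to reject the same bogus login after any change to the run files or to stunnel. The script below is an added example, not code from the post or from qmail/stunnel: the two transcripts are constructed to match the sessions shown above, `compare_listeners` flags a listener that accepts the bogus credential or two listeners that disagree, and `probe_listener` is a live version of the same test using Python's `smtplib` (host and port are parameters; it is not exercised offline).

```python
"""Regression check for SMTP AUTH on a qmail-smtpd deployment: the plain
listener and the stunnel-wrapped listener must both reject a credential
that is known to be invalid.  Added example, not code from the post."""
import base64
import smtplib
import socket

# Transcripts constructed to mirror the two sessions in the post
# (server replies and client lines interleaved, one per line).
PLAIN_SESSION = """\
220 mail.server.net ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
c29tZS1yYW5kb20tc3RyaW5n
334 UGFzc3dvcmQ6
c29tZS1yYW5kb20tc3RyaW5n
535 authorization failed (#5.7.0)"""

SSL_SESSION = """\
220 mail.server.net ESMTP
AUTH LOGIN
334 VXNlcm5hbWU6
c29tZS1yYW5kb20tc3RyaW5n
334 UGFzc3dvcmQ6
c29tZS1yYW5kb20tc3RyaW5n
235 ok, go ahead (#2.0.0)"""


def decode_challenge(line):
    """Decode the base64 payload of a '334 <b64>' AUTH LOGIN challenge
    (the server is asking for 'Username:' or 'Password:')."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not an AUTH challenge: %r" % line)
    return base64.b64decode(payload).decode("ascii")


def auth_outcome(transcript):
    """Classify a captured AUTH exchange by its final reply code:
    235 means the server accepted the credential, any 5xx means it
    rejected it, anything else is reported as unknown."""
    last = transcript.strip().splitlines()[-1]
    code = last[:3]
    if code == "235":
        return "accepted"
    if code.startswith("5"):
        return "rejected"
    return "unknown"


def compare_listeners(plain, tls):
    """Return findings for two transcripts produced with the SAME bogus
    credential.  Acceptance on either listener is a misconfiguration;
    disagreement between the listeners also needs explaining."""
    outcomes = {"plain": auth_outcome(plain), "tls": auth_outcome(tls)}
    findings = []
    for name, outcome in outcomes.items():
        if outcome == "accepted":
            findings.append("%s listener accepted a bogus credential" % name)
    if outcomes["plain"] != outcomes["tls"]:
        findings.append("listeners disagree: plain=%s tls=%s"
                        % (outcomes["plain"], outcomes["tls"]))
    return findings


def probe_listener(host, port, use_ssl, user="some-random-string",
                   password="some-random-string", timeout=10):
    """Live version of the post's manual test (assumed host/port): open a
    session, attempt AUTH with a credential that must not exist, and map
    the result to the same three outcomes.  Not run offline."""
    cls = smtplib.SMTP_SSL if use_ssl else smtplib.SMTP
    try:
        with cls(host, port, timeout=timeout) as conn:
            conn.login(user, password)
            return "accepted"
    except smtplib.SMTPAuthenticationError:
        return "rejected"
    except (smtplib.SMTPException, socket.error):
        return "unknown"


if __name__ == "__main__":
    # Offline run over the constructed transcripts; a live run would be
    # probe_listener("mail.server.net", 25, False) and (..., 465, True).
    for finding in compare_listeners(PLAIN_SESSION, SSL_SESSION):
        print("FINDING:", finding)
```

Run against the captured sessions it reports the stunnel listener as accepting a bogus credential and the two listeners as disagreeing; run live after a fix, both probes should return "rejected", and anything else is a regression worth catching before an open relay is.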