
pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 3 Jun 2017, at 12:31, Amitai Schleier wrote:

> I intend to factor all the SMTP AUTH behavior out to a new "ofmipup"
> program, at the end of which I suspect my ofmipd will be identical (or
> very nearly so) to DJB's original, and my three desired config options
> will work like so:
>
> 1. As root, "ofmipup checkpassword ofmipd"
> 2. As root, "ofmipup -u qmaild checkpassword ofmipd"
> 3. As qmaild, "ofmipd"
>
> stunnel has been fine for me, so I plan to avoid learning anything
> about TLS while solving this problem. ;-)

Progress: the above program is now called "authup", I'm nearly finished
with a redesigned approach to SMTP AUTH for qmail, and I've succeeded at
not needing to think much about TLS yet.

acceptutils, once released, will add a handful of small new programs
that fit together nicely with vanilla qmail/netqmail/mess822.

It _may_ offer improved security -- if I've done a good job, I believe
so -- and will definitely offer improved functionality. Teaser: it makes
both ofmipd and pymsgauth useful in new ways.

I'd love to get review and feedback on
https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
might be interested to try it out.

Thanks,

- Amitai
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 28 Apr 2018, at 13:45, Amitai Schleier wrote:

> I'm nearly finished with a redesigned approach to SMTP AUTH for qmail,
> and I've succeeded at not needing to think much about TLS yet.
>
> acceptutils, once released, will add a handful of small new programs
> that fit together nicely with vanilla qmail/netqmail/mess822.
>
> It _may_ offer improved security -- if I've done a good job, I believe
> so -- and will definitely offer improved functionality. Teaser: it
> makes both ofmipd and pymsgauth useful in new ways.
>
> I'd love to get review and feedback on
> https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
> might be interested to try it out.

With my code, vanilla ofmipd (or qmail-smtpd) injects into the queue
with the privileges of the authenticated user. Inspect this message's
headers for something like these:

Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19 -0000
Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000

(I'm UID 1000 on my server.)

As a result, I'm pretty sure you'll be reading this message without my
having seen or manually replied to a qsecretary challenge. Even though
I'm not sending from an MUA directly on the server, pymsgauth will have
handled qsecretary for me.

I'd love to hear comments on my approach :-)

- Amitai
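An added example, written for this thread and not part of acceptutils or the original post: a small Python checker that parses qmail and ofmipd Received: headers like the two quoted above and reports which uid handed the message to qmail-queue once ofmipd had accepted it, so an administrator can confirm the least-privilege injection the post describes on real mail. The sample headers are constructed after the quoted ones, and the set of daemon uids to flag is an assumption supplied by the caller.

```python
import re
from typing import FrozenSet, List, Optional

# Constructed sample modelled on the two Received: headers quoted in the post
# (the first one folded across two lines, as it arrived in the archive).
SAMPLE_MESSAGE = (
    "Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19\n"
    "  -0000\n"
    "Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000\n"
    "From: someone@example.invalid\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Header shapes written by qmail-queue and by ofmipd, respectively.
QMAIL_RE = re.compile(r"^\(qmail \d+ invoked by uid (\d+)\); ")
OFMIPD_RE = re.compile(r"^\(ofmipd [^)]+\); ")

def received_headers(message: str) -> List[str]:
    """Return the unfolded values of all Received: headers, topmost first."""
    head = message.split("\n\n", 1)[0]
    unfolded: List[str] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # RFC 5322 folded continuation
        else:
            unfolded.append(line)
    return [h[len("Received:"):].strip()
            for h in unfolded if h.lower().startswith("received:")]

def ofmipd_injection_uid(message: str) -> Optional[int]:
    """Uid that handed the message to qmail-queue right after ofmipd accepted it."""
    # Received: headers are prepended, so the qmail-queue header sits directly
    # above the ofmipd header it belongs to.
    hdrs = received_headers(message)
    for i in range(1, len(hdrs)):
        if OFMIPD_RE.match(hdrs[i]):
            m = QMAIL_RE.match(hdrs[i - 1])
            if m:
                return int(m.group(1))
    return None  # no ofmipd hop, or it was not followed by a qmail-queue hop

def injected_as_authenticated_user(message: str,
                                   daemon_uids: FrozenSet[int] = frozenset({0})) -> bool:
    """True when the injecting uid is neither root nor a listed daemon uid."""
    # daemon_uids is an assumption: pass the uids of qmaild and any other
    # daemon accounts on the host being checked, so injection by them is flagged.
    uid = ofmipd_injection_uid(message)
    return uid is not None and uid not in daemon_uids
```

Run it over a saved message to see whether the hop after ofmipd was made by the authenticated user's uid rather than by root or the daemon account.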
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
That looks appealing.

I am using a compiled qmail installation other than netqmail. I will give
it a try and review the patch.

Well done on the great effort.

On Mon, May 7, 2018 at 4:47 PM, Amitai Schleier <schmonz@schmonz.com> wrote:

> On 28 Apr 2018, at 13:45, Amitai Schleier wrote:
>
>> I'm nearly finished with a redesigned approach to SMTP AUTH for qmail, and
>> I've succeeded at not needing to think much about TLS yet.
>>
>> acceptutils, once released, will add a handful of small new programs that
>> fit together nicely with vanilla qmail/netqmail/mess822.
>>
>> It _may_ offer improved security -- if I've done a good job, I believe so
>> -- and will definitely offer improved functionality. Teaser: it makes both
>> ofmipd and pymsgauth useful in new ways.
>>
>> I'd love to get review and feedback on
>> https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
>> might be interested to try it out.
>>
>
> With my code, vanilla ofmipd (or qmail-smtpd) injects into the queue with
> the privileges of the authenticated user. Inspect this message's headers
> for something like these:
>
> Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19 -0000
> Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000
>
> (I'm UID 1000 on my server.)
>
> As a result, I'm pretty sure you'll be reading this message without my
> having seen or manually replied to a qsecretary challenge. Even though I'm
> not sending from an MUA directly on the server, pymsgauth will have handled
> qsecretary for me.
>
> I'd love to hear comments on my approach :-)
>
> - Amitai
>
--
Shepherd Nhongo

Do not Queue mail with SENDMAIL, send mail with QMAIL

Botswana # +267 744 760 40
Zimbabwe # +263 772 688 072
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 7 May 2018, at 15:50, Shepherd Nhongo wrote:

> That looks appealing.
>
> I am using a compiled qmail installation other than netqmail. I will
> give it a try and review the patch.
>
> Well done on the great effort.

Thank you for the feedback! It means a lot. I've been working on this
for about a year, on and off, and it'll be very satisfying when I can
finally ship it.

I'm hoping to get the patch released in the next few weeks. It'll be
announced here.

- Amitai
Re: pre-announce: acceptutils patch
acceptutils is my redesigned implementation of SMTP AUTH for qmail. I've
been running it in production for many months now, with no problems that
I can recall.

In that time, I've covered fixsmtpio (the trickiest of the four
acceptutils programs) pretty well with automated tests. And just now
I've test-driven the last feature: loading configuration from
control/fixsmtpio.

I can finally say with confidence that acceptutils will ship this week.
If you're so inclined, now's a great time to give me feedback of any
kind on <URL:https://schmonz.com/qmail/acceptutils>: the documentation,
the design, the config file format (find "these rules" in page and click
to expand), or anything else.

Thanks,

- Amitai

[This message is brought to you by acceptutils and pymsgauth with the
pymsgauth-filter3 patch]
Re: pre-announce: acceptutils patch
On Sat, Oct 20, 2018, at 12:07 PM, Amitai Schleier wrote:
> I can finally say with confidence that acceptutils will ship this week.
> If you're so inclined, now's a great time to give me feedback of any
> kind on <URL:https://schmonz.com/qmail/acceptutils>: the documentation,
> the design, the config file format (find "these rules" in page and click
> to expand), or anything else.

Hello, Amitai!

Looks great! Thank you for writing acceptutils! I'm very interested in
using it and your other patches!

Feedback:

* The before-and-after diagram is excellent, but it's not immediately
clear to me what the colored-border-with-white-background ovals mean.
I initially thought the red border meant "setuid root," but then I
wasn't sure what an orange or green border would mean compared to an
orange or green background.

* It would be helpful to have documentation on the config file format.
But I assume that's what you're writing, or you're holding off on
writing it until you're fairly confident the format won't change.

Feedback beyond acceptutils:

* I would love it if you documented some common best-practice setups
for real-world scenarios. This would be great for acceptutils, but I
really mean it as something that would put all, or a sensible subset
of, your patches together into a working setup. I'd love something
like, "here's a nice setup for a small office," or "here's a nice
setup for running your own mail server" that shows your patches put
together into a sensible and secure setup.

* It would also be really nice if I knew an easy way to get all your
patches. You do mention some of your pkgsrc packages at

https://schmonz.com/qmail/

but it would be cool if you added a note for each patch saying it was
included in pkgsrc package foo by default or as an option.

Thanks again!

Lewis
Re: pre-announce: acceptutils patch
On 24 Oct 2018, at 7:47, J. Lewis Muir wrote:

> * The before-and-after diagram is excellent, but it's not immediately
> clear to me what the colored-border-with-white-background ovals
> mean.

By filling the tcpserver/qmail-pop3d/ofmipd nodes (and making the labels
bold), I was hoping to draw attention to the beginning and end (or not)
of the command chain, at the cost of maybe also focusing attention on
whether filled-vs.-not-filled means something. It doesn't, so now
they're all unfilled.

> * It would be helpful to have documentation on the config file format.

fixsmtpio(8) describes it in detail. I intend to include browsable
manual pages on the site (once I've taught ikiwiki to render them).

> * I'd love something
> like, "here's a nice setup for a small office," or "here's a nice
> setup for running your own mail server" that shows your patches put
> together into a sensible and secure setup.
> [...]
> * It would also be really nice if I knew an easy way to get all your
> patches.

I started writing a document like that long ago. There's still a draft
lying around somewhere. But I decided if I'm making some sort of effort,
I'd rather invest it in not needing to write much. Over the years it's
gotten gradually simpler and simpler to do sensible things from pkgsrc
with the defaults.

It got a bunch simpler yesterday, in pkgsrc-current. When 2018Q4 binary
packages become available in a couple months, my basic
one-size-fits-most answer will be:

$ pkgin -y install qmail-run

Until then, it's "get pkgsrc and run this command":

$ cd mail/qmail-run && make install

This gets you nearly everything listed on https://schmonz.com/qmail:

- qmail-run brings in acceptutils, rejectutils, qmail-qfilter, and qmail
- acceptutils brings in mess822 with the QMAILQUEUE patch
- qmail-qfilter has the grandparent patch applied
- qmail brings in ucspi-tcp with the destdir patch, unconditionally
includes the destdir, qbiffutmpx, remote, and rcptcheck patches, and has
the "eai" option (among others) on by default

With no special options set in my pkgsrc build, here are all the patches
that got included in my production qmail:

$ pkg_info -Q QMAILPATCHES qmail | tr ' ' '\n' | sort
bigdns:qmail-103.patch
customerror:qmail-queue-custom-error-v2.netqmail-1.05.patch
destdir:netqmail-1.06-destdir-20170716.patch
eai:netqmail-1.06-tls-20160918-smtputf8-20181024.patch
maildiruniq:qmail-1.03-maildir-uniq.patch
netqmail:netqmail-1.06.tar.gz
outgoingip:outgoingip.patch
qbiffutmpx:netqmail-1.06-qbiffutmpx-20170820.patch
rcptcheck:netqmail-1.06-tls-20160918-rcptcheck-20181022.patch
remote:netqmail-1.06-qmailremote-20170716.patch
srs:qmail-srs-0.8.patch
syncdir:syncdir-1.0.tar.gz
tls:netqmail-1.06-tls-20160918.patch

(If you need more, or less, set PKG_OPTIONS.qmail for your build.)

That leaves only pymsgauth-filter3 and queue-repair-symlink3 unaccounted
for. If you install pymsgauth or queue-repair from pkgsrc, those patches
are included.

If it turns out there's something more you need to know, then there's
something more I need to do. :-)

Thanks for the very useful feedback!

- Amitai