# qmail ebuild with SMTP AUTH and SSL support

## xpunkrockryanx

hey guys,

i've got qmail running on my gentoo box here. it is correctly forwarding messages to users, got aliases set up, etc. i also installed courier-imapd and squirrelmail which both seem to be working well. i have both apache and imapd running over SSL, and would like to get the same from smtp connections so that i can send mail out securely as well as receive securely, and i'd also like to enable smtp auth so that i can relay from various locations. from the qmail.org website, i see that there is a patch which will enable both ssl (with TLS, maybe somebody could clue me in as to what TLS means). to get this functionality with qmail, do i have to apply the patch and rebuild it myself? has anybody else done something like this that could show me where to start or point me in the right direction? i'd appreciate any help or suggestions.

thanks,

ryan

----------

## darktux

 *Quote:*   

> TLS
> 
>         Transport Layer Security [protocol] (SSL)

 

----------

## xpunkrockryanx

has anybody accomplished this at all that could just give me a pointer as to which direction to start looking? any advice appreciated.

thanks,

ryan

----------

## jeb-c4

check the newest ebuild (hint it is masked for testing).

From the ebuild and Changelog, ldap and tls/smtp-auth conflict so :

```
export USE="-ldap"
```

Jeb

----------

## xpunkrockryanx

yeah i've been trying to get the newest ebuild to work... emerging it didn't work, svscan wouldn't load, complained that /var/qmail/rc didn't exist, so i copied rc from the -r8 ebuild, and svscan started qmail successfully, but it didn't have the TLS or AUTH support i was looking for. when i emerged the -r9 ebuild, it did seem to apply the patch, and it generated an openssl key. when i tried sending the smtp auth command, it returned 503 auth not available (#5.3.3), and when i tried to use ssl with outlook express, i got '454 TLS not available: missing certificate (#4.3.0)', even though i see both clientcert.pem and servercert.pem in /var/qmail/control/. i'm still investigating a little bit, but any advice is appreciated.

----------

## Larde

I didn't have luck with the masked ebuild that's supposed to support smtp-auth either. I just took the current qmail ebuild, got the patch from http://members.elysium.pl/brush/qmail-smtpd-auth/ and patched it myself. (Just ebuild qmail... unpack, go to the unpacked source, patch it, ebuild qmail... compile etc.)

Larde.

----------

## xpunkrockryanx

thanks for the info larde... i haven't patched source before, maybe you could give me a hand with that real quick? i'd run ebuild /path/to/qmail-1.03-r8.ebuild unpack, then put the patch file into the source root directory for the qmail-1.03-r8, then run patch -p0 patchfile then ebuild qmail-1.03-r8 compile? does that sound right at all, or am i way off? oh, and i'm wanting to use the combined STARTTLS + SMTP AUTH patch http://students.imsa.edu/~ngroot/qmail-1.03-starttls-smtp-auth.patch if that matters.

also, did you get the same problem with /var/qmail/rc when starting up svscan that i did? maybe this is a bug in the ebuild that needs to be reported.

----------

## xpunkrockryanx

well hmmm... i was messing around with it and unmerged r9, then remerged r8, then remerged r9 again, and got the same svscan error with /var/qmail/rc. well, i copied the rc file from the r8 directory, since it doesn't seem to exist in r9 for some reason. then started up svscan and it worked, and this time starttls seems to work as well. smtp auth however is still unimplemented. i'm going to bed for now (it's 12:45 AM here in seattle), but i'll try to fiddle with it some more. maybe if i can get this all running i'll write up some documentation on a gentoo qmail server.

-ryan

----------

## xpunkrockryanx

looking over the patch that is applied to add TLS and AUTH support, it appears that there are three additional arguments that need to be passed to qmail-smtpd on startup to get it to function properly. since this is run through supervise somehow, i haven't been able to tell how it actually gets started, or how to check and see if it's being passed these arguments.

also, it may be necessary to implement a different checkpassword program than the default in order to get full AUTH support. i don't know if this is really necessary (it looks as though you can get the basic LOGIN support without switching checkpassword programs, but i'm not sure). however, in my setup, it's not even advertising the auth service at all from what i can tell, so it doesn't seem to me as though this is the issue.

any help from someone with more experience than myself is appreciated, and hopefully my investigation will prove helpful to someone else other than myself.

-ryan

----------

## xpunkrockryanx

if anybody else has tried this latest ebuild (r9), and could post with their experiences, it would be helpful to determine if this is a problem with the ebuild, in which case we could submit bug reports and get it worked on so that it can get fixed and unmasked all that much more quickly, or if it is some other problem that i'm having specifically, it would be much appreciated.

thanks,

ryan

----------

## xpunkrockryanx

one thing i've just noticed is that when it starts to compile, it applies the other patches, but does not apply the TLS + AUTH patch as far as i can tell. i do have USE="-ldap ssl", so it *should* apply the patch. at the end of the build process, it does generate a security certificate, so that part seems to work, just not the AUTH.

also, in the r9 digest file, there's no md5 for the TLS + AUTH patch like there is for the other patches/files. i'm not sure if this is normal or not.

----------

## btg308

I have the same problems. Wasn't able to easily patch the -r8 (I tried it another way, by adding the patch to the -r8 ebuild) but it didn't fly. 

After messing with the WORKDIR (couldn't find the source directory, finally nabbed it in /var/tmp/portage) I manually patched and did a manual make. Starting the svscan again actually started the smtpd correctly (I used to get Unknown mailfront ESMTP messages when telnetting to port 25 and rejects of all incoming mail since I have an empty rcpthosts file). Haven't tested the AUTH yet...

EDIT: Right. Incoming mail just seems to disappear... Outgoing works. Oh, and to add to the confusion, I'm trying to get the qmail-scanner with spamassassin to work. The really sad part is that it did work a while, before the mailfront stuff cropped up. I'm going back to sendmail any second now...

----------

## btg308

I just re-emerged both qmail and qmail-scanner (which incidentally deleted a few empty tempdirs in /var/spool/qmailscan that I had to re-create manually, I think it's the emerge -clean stuff that does that), ebuild qmail-r8 unpack, applied the smtp-auth patch, ebuild qmail-r8 compile, ebuild qmail-r8 config, checked the run, tcp.smtp and rc files and it still silently throws away incoming mail. I see stuff coming in in var/log/qmail/qmail-smtpd/current but it never gets anywhere else, not to my maildir and no bounce back out.

Did you find how it gets started? It's the /var/qmail/supervise/qmail-smtpd/run file. I think. This is also where you need to add the "mail.domain.tld /bin/checkpasswd /bin/true" stuff but I haven't figured out what to do with the 2>$1 at the end of that line, if anything...

Scary stuff. I'm going to bed now and I'll probably have nightmares.

----------

## btg308

I gave up on qmail and tried Courier-MTA. I don't care if Sam Varshavchik IS the soup nazi, Courier rocks. Smooth install, SMTP-AUTH out-of-the-box, webadmin and webmail. 

Now I just need to get the virus and spam filters operational... <- Famous last words. :-D

----------

## vert

I'm having trouble with qmail too here. Just emerged r9 without any probs. I saw something with ssl pass by, had a look at the ebuild file and am now pretty sure the qmail-1.03-starttls-smtp-auth.patch is applied. Qmail is also still working as it used to do (which is good   :Very Happy: ). 

What I'm wondering now is how to actually start smtpd with auth support.  When I telnet at port 25, there are no messages on available authentication methods (and I think there should be, according to google at least). I fooled around in the /var/qmail/supervise/qmail-smtpd/run file, but to no avail. Anybody got a clue on how to see to start smtpd with auth support or how to test that it is indeed installed (correctly)? Also, there is no smtpd-auth or something in the qmail/bin dir, should there be??

----------

## Praxxus

I've successfully installed Qmail + SMTP AUTH + TLS before, but never with Gentoo.

I have installed qmail-1.03-r8 on a Gentoo system.

To test and make sure SMTP AUTH/STARTTLS is working, do the following (I've put the typed in prompts in red, and the expected responses in green):

```
[praxxus@salem opt]$telnet mail.praxxus.com 25
Trying 192.168.21.11...
Connected to mail.praxxus.com (192.168.21.11).
Escape character is '^]'.
220 mail.praxxus.com ESMTP
ehlo
250-mail.cplane.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250 8BITMIME
```

Note that you might get a different "AUTH" line than me.  I specifically disabled CRAM-MD5 logins.

Given that Qmail build from source wants to install itself to the same directory structure as the qmail.ebuild does, it would be pretty easy to just upgrade the installation that way.

I'll poke around at the ebuild and see what I can find out.

----------

## vert

Allright! thnx, this is what I got: 

```
wolf@Einstein wolf $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hk42.dyndns.org ESMTP
ehlo
250-hk42.dyndns.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
```

It looks like its working!   :Very Happy: 

I'm currently at work, so I can't play around with it at the moment. But could you perhaps give a hint on where and how qmail authorizes? Is there a user/pass file somewhere? Thnx!

----------

## vert

It works! All I did was restart qmail   :Very Happy: 

The last thing I need to know is how to make the authentication mandatory instead of optional. Which files should I edit for that ?

----------

## Praxxus

If you want EVERYONE to have to authenticate, make sure /etc/tcp.smtp has only the following line:

```
127.0.0.1:allow,RELAYCLIENT=""
```

Then get Qmail to re-read the new tcp rules:

```
tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
chmod 0644 /etc/tcp.smtp.cdb
```

This tells Qmail that ONLY "localhost" can use it as an SMTP relay.  With the SMTP AUTH patch, properly authenticated users (actually their IP addresses) can use the SMTP relaying abilities.

Lastly, to get Qmail to be able to authenticate, you need to make sure your /var/qmail/supervise/qmail-smtpd/run script calls the /bin/checkpassword program.  Here's what mine looks like:

```
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`

exec /usr/local/bin/softlimit -m 8000000 \
    /usr/local/bin/tcpserver -v -R -l 0 -x /etc/tcprules.d/tcp.smtp.cdb -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true 2>&1
```

Note the checkpassword reference on the last line.  Also, make sure you HAVE a "concurrencyincoming" file in /var/qmail/control/.  

```
echo 20 > /var/qmail/control/concurrencyincoming
```

Lastly, for any and all things Qmail, I highly recommend David Sill's "Life with Qmail" website:

----------

## vert

Thanx for all the input!   :Very Happy:   :Very Happy:   but ... 

Well, it seems to work partially. Outlook express clients are still able to send mail without supplying a password. So I'm not done yet. However, qmail does seem to respond to auth requests, only all combinations of user/pass are accepted. See the code. What am I missing here?   :Rolling Eyes:  Thnx again !

```
root@Einstein qmail-smtpd # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 hk42.dyndns.org ESMTP
ehlo
250-hk42.dyndns.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
user
334 UGFzc3dvcmQ6
pass
235 ok, go ahead (#2.0.0)
```

----------

## Praxxus

Well, I can't find it in any docs anywhere, but all the versions of /bin/checkpassword that I have installed are set to run set-uid root.  That is a bit of a security concern, so I've done the following:

```
chown root:nofiles /bin/checkpassword
chmod 4750 /bin/checkpassword
```

That will let qmail-smtpd (belongs to the "nofiles" group) run it, but you get the password-checking abilities of root.

This is necessary, if memory serves, to get at the juicy nuggets in /etc/shadow (mode 0400, root.root)

Hope this helps!

----------

## vert

Ok, I went back to this problem, but after 2 hours it's still busting my balls. I simply can't get it to work  :Crying or Very sad:   Everybody can still send mail without authorization and if I do an "auth login" with telnet, all user/pass combinations are accepted.  Is there anybody who has qmail working under gentoo with smtp-auth enabled? And if so.... how ?? Any help is very much appreciated ... How hard can this be   :Rolling Eyes: 

----------

## the_eye

The qmail and authentication problem bugs me too and has been for a while, only I wanna do it in the other direction, i.e. when qmail delivers outgoing mail via the smarthost specified in /var/qmail/control/smtproutes, it should do so using SSL and authentication, with a username and password specified somewhere.

Can qmail do that for me? Everything I find when googling around is about how to make clients use authentication when using qmail as a server ..

explanation: This is just my workstation, and the outgoing smtp server of my provider is shit, i.e. doesn't work half the time. I would be allowed to use my university's mail server, _if_ I use SSL and authenticate myself with username and password. The instructions they provide are for MS Outlook Express and Mozilla Messenger (IIRC) and just mention to enter username and password and click the "use SSL when available" checkbox ...

any help on achieving that with qmail would be greatly appreciated!

----------

## Accipiter

Hey. I'm bumping this. Same problem. All user/pass combinations are accepted. This is a Bad Thing (tm). Please help fix.

----------

## nianderson

so any updates? i'm wanting to add smtp-auth ... i currently have qmail up and running with vmailmgr when i redo my server i'd like to switch to smtp-auth + vpopmail 

so just wondering if anyone has gotten smtp-auth working yet without the accept all user/password combinations

----------

## apokalyptik

I've rewritten the e-build for qmail-1.03-r10 to use the "qmail patch cocktail" available at http://people.kldp.org/~eunjea/qmail/patch/  please read the description of *IT* and make sure it suits your needs before using this...

Replace /usr/portage/net-mail/qmail/qmail-1.03-r10.ebuild  with: 

```
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/net-mail/qmail/qmail-1.03-r10.ebuild,v 1.24 2003/11/06 20:17:27 robbat2 Exp $

inherit eutils

IUSE="ssl"
DESCRIPTION="A modern replacement for sendmail which uses maildirs and includes SSL/TLS, AUTH SMTP, and queue optimization"
HOMEPAGE="http://www.qmail.org/
        http://members.elysium.pl/brush/qmail-smtpd-auth/
        http://www.jedi.claranet.fr/qmail-tuning.html"
SRC_URI="http://cr.yp.to/software/qmail-1.03.tar.gz
        http://people.kldp.org/~eunjea/qmail/patch/qmail-ej-cocktail-14.tar.gz"

SLOT="0"
LICENSE="as-is"
KEYWORDS="x86 ppc ~sparc alpha"

DEPEND="virtual/glibc
        sys-apps/groff
        >=sys-apps/ucspi-tcp-0.88
        >=net-mail/checkpassword-0.90
        >=net-mail/cmd5checkpw-0.22
        ssl? ( >=dev-libs/openssl-0.9.6g )"

RDEPEND="!virtual/mta
        virtual/glibc
        sys-apps/groff
        >=sys-apps/ucspi-tcp-0.88
        >=sys-apps/daemontools-0.76-r1
        >=net-mail/checkpassword-0.90
        >=net-mail/cmd5checkpw-0.22
        >=net-mail/dot-forward-0.71"

PROVIDE="virtual/mta
         virtual/mda"

src_unpack() {
        unpack qmail-1.03.tar.gz
        unpack qmail-ej-cocktail-14.tar.gz

        cd ${WORKDIR}/qmail-ej-cocktail-14
        cp README.* ${S}

        cd ${S}
        epatch ../qmail-ej-cocktail-14/cocktail.patch

        if [ `use ssl` ]; then
                echo "gcc ${CFLAGS} -DTLS" > conf-cc
        else
                echo "gcc ${CFLAGS}" > conf-cc
        fi
        echo "gcc" > conf-ld
        echo "500" > conf-spawn
}

src_compile() {
        cd ${S}
        emake it man || die
}

src_install() {
        cd ${S}

        einfo "Setting up directory hierarchy ..."
        diropts -m 755 -o root -g qmail
        dodir /var/qmail
        for i in bin boot control
        do
                dodir /var/qmail/${i}
        done
        dodir /var/qmail/users
        touch ${D}/var/qmail/users/.keep
        diropts -m 755 -o alias -g qmail
        dodir /var/qmail/alias

        einfo "Installing the qmail software ..."
        insopts -o root -g qmail -m 755
        insinto /var/qmail/boot
        doins home home+df proc proc+df binm1 binm1+df binm2 binm2+df binm3 binm3+df
        dodoc FAQ UPGRADE SENDMAIL INSTALL* TEST* REMOVE* PIC* SECURITY
        dodoc SYSDEPS TARGETS THANKS THOUGHTS TODO VERSION
        dodoc ${FILESDIR}/${PV}-${PR}/tls-patch.txt

        insopts -o qmailq -g qmail -m 4711
        insinto /var/qmail/bin
        doins qmail-queue qmail-queue

        insopts -o root -g qmail -m 700
        insinto /var/qmail/bin
        doins qmail-lspawn qmail-start qmail-newu qmail-newmrh

        insopts -o root -g qmail -m 711
        insinto /var/qmail/bin
        doins qmail-getpw qmail-local qmail-remote qmail-rspawn \
        qmail-clean qmail-send splogger qmail-pw2u

        insopts -o root -g qmail -m 755
        insinto /var/qmail/bin
        doins qmail-inject predate datemail mailsubj qmail-showctl \
        qmail-qread qmail-qstat qmail-tcpto qmail-tcpok qmail-pop3d \
        qmail-popup qmail-qmqpc qmail-qmqpd qmail-qmtpd qmail-smtpd \
        sendmail tcp-env qreceipt qsmhook qbiff forward preline \
        condredirect bouncesaying except maildirmake maildir2mbox \
        maildirwatch qail elq pinq config-fast

        into /usr
        for i in *.1 *.5 *.8
        do
                doman $i
        done

        einfo "Adding /var/qmail/bin to PATH and ROOTPATH"
        dodir /etc/env.d
        cp ${FILESDIR}/${PV}-${PR}/99qmail ${D}/etc/env.d

        einfo "Creating sendmail replacement ..."
        diropts -m 755
        dodir /usr/sbin /usr/lib
        dosym /var/qmail/bin/sendmail /usr/sbin/sendmail
        dosym /var/qmail/bin/sendmail /usr/lib/sendmail

        einfo "Setting up the default aliases ..."
        diropts -m 700 -o alias -g qmail
        if [ ! -d ${ROOT}/var/qmail/alias/.maildir ] ; then
                dodir /var/qmail/alias/.maildir
                for i in cur new tmp
                do
                        dodir /var/qmail/alias/.maildir/$i
                done
        fi

        for i in mailer-daemon postmaster root
        do
                if [ ! -f ${ROOT}/var/qmail/alias/.qmail-${i} ]; then
                        touch ${D}/var/qmail/alias/.qmail-${i}
                        fowners alias:qmail /var/qmail/alias/.qmail-${i}
                fi
        done

        einfo "Setting up maildirs by default in the account skeleton ..."
        diropts -m 755 -o root -g root
        insinto /etc/skel
        ${D}/var/qmail/bin/maildirmake ${D}/etc/skel/.maildir
        newins ${FILESDIR}/${PV}-${PR}/dot_qmail .qmail
        fperms 644 /etc/skel/.qmail
        insinto /root
        ${D}/var/qmail/bin/maildirmake ${D}/root/.maildir
        newins ${FILESDIR}/${PV}-${PR}/dot_qmail .qmail
        fperms 644 /root/.qmail

        einfo "Setting up daemontools ..."
        insopts -o root -g root -m 755
        diropts -m 755 -o root -g root
        dodir /var/qmail/supervise
        dodir /var/qmail/supervise/qmail-send
        dodir /var/qmail/supervise/qmail-send/log
        dodir /var/qmail/supervise/qmail-smtpd
        dodir /var/qmail/supervise/qmail-smtpd/log
        chmod +t ${D}/var/qmail/supervise/qmail-send
        chmod +t ${D}/var/qmail/supervise/qmail-smtpd
        diropts -m 755 -o qmaill
        dodir /var/log/qmail
        touch ${D}/var/log/qmail/.keep
        dodir /var/log/qmail/qmail-send
        touch ${D}/var/log/qmail/qmail-send/.keep
        dodir /var/log/qmail/qmail-smtpd
        touch ${D}/var/log/qmail/qmail-smtpd/.keep

        insinto /var/qmail/supervise/qmail-send
        newins ${FILESDIR}/${PV}-${PR}/run-qmailsend run
        insinto /var/qmail/supervise/qmail-send/log
        newins ${FILESDIR}/${PV}-${PR}/run-qmailsendlog run
        insinto /var/qmail/supervise/qmail-smtpd
        newins ${FILESDIR}/${PV}-${PR}/run-qmailsmtpd run
        insinto /var/qmail/supervise/qmail-smtpd/log
        newins ${FILESDIR}/${PV}-${PR}/run-qmailsmtpdlog run

        einfo "Installing the qmail control file ..."
        exeinto /var/qmail/bin
        doexe ${FILESDIR}/${PV}-${PR}/qmail-control

        einfo "Installing the qmail startup file ..."
        insinto /var/qmail
        doins ${FILESDIR}/${PV}-${PR}/rc
        insinto /var/qmail/control
        doins ${FILESDIR}/${PV}-${PR}/defaultdelivery

        einfo "Setting up the pop3d service ..."
        insopts -o root -g root -m 755
        diropts -m 755 -o root -g root
        dodir /service
        dodir /var/qmail/supervise/qmail-pop3d
        dodir /var/qmail/supervise/qmail-pop3d/log
        chmod +t ${D}/var/qmail/supervise/qmail-pop3d
        diropts -m 755 -o qmaill
        dodir /var/log/qmail/qmail-pop3d
        insinto /var/qmail/supervise/qmail-pop3d
        newins ${FILESDIR}/${PV}-${PR}/run-qmailpop3d run
        insinto /var/qmail/supervise/qmail-pop3d/log
        newins ${FILESDIR}/${PV}-${PR}/run-qmailpop3dlog run
}

pkg_postinst() {
        einfo "Setting up the message queue hierarchy ..."
        install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue
        install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/todo
        install -d -m 700 -o qmailq -g qmail ${ROOT}/var/qmail/queue/pid
        install -d -m 700 -o qmails -g qmail ${ROOT}/var/qmail/queue/bounce
        install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/mess

        for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
        do
                install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/mess/${i}
                install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/todo/${i}
                install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/intd/${i}
        done

        for i in info local remote
        do
                install -d -m 700 -o qmails -g qmail ${ROOT}/var/qmail/queue/${i}
        done

        for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
        do
                install -d -m 700 -o qmails -g qmail ${ROOT}/var/qmail/queue/info/${i}
                install -d -m 700 -o qmails -g qmail ${ROOT}/var/qmail/queue/local/${i}
                install -d -m 700 -o qmails -g qmail ${ROOT}/var/qmail/queue/remote/${i}
        done

        install -d -m 750 -o qmailq -g qmail ${ROOT}/var/qmail/queue/lock

        dd if=/dev/zero of=${ROOT}/var/qmail/queue/lock/tcpto bs=1024 count=1
        chmod 644 ${ROOT}/var/qmail/queue/lock/tcpto
        chown qmailr:qmail ${ROOT}/var/qmail/queue/lock/tcpto

        touch ${ROOT}/var/qmail/queue/lock/sendmutex
        chmod 600 ${ROOT}/var/qmail/queue/lock/sendmutex
        chown qmails:qmail ${ROOT}/var/qmail/queue/lock/sendmutex

        mkfifo ${ROOT}/var/qmail/queue/lock/trigger
        chmod 622 ${ROOT}/var/qmail/queue/lock/trigger
        chown qmails:qmail ${ROOT}/var/qmail/queue/lock/trigger

        echo -e "\e[32;01m Please do not forget to run, the following syntax :\033[0m"
        echo -e "\e[32;01m ebuild /var/db/pkg/${CATEGORY}/${PN}-${PV}-${PR}/${PN}-${PV}-${PR}.ebuild config \033[0m"
        echo -e "\e[32;01m This will setup qmail to run out-of-the-box on your system. \033[0m"
        echo -e ""
        echo -e "\e[32;01m To start qmail at boot you have to enable the /etc/init.d/svscan rc file \033[0m"
        echo -e "\e[32;01m and create the following links : \033[0m"
        echo -e "\e[32;01m ln -s /var/qmail/supervise/qmail-send /service/qmail-send \033[0m"
        echo -e "\e[32;01m ln -s /var/qmail/supervise/qmail-smtpd /service/qmail-smtpd \033[0m"
        echo -e ""
        echo -e "\e[32;01m To start the pop3 server as well, create the following link : \033[0m"
        echo -e "\e[32;01m ln -s /var/qmail/supervise/qmail-pop3d /service/qmail-pop3d \033[0m"
}

pkg_config() {
        export qhost=`hostname --fqdn`

        if [ ${ROOT} = "/" ] ; then
                if [ ! -f ${ROOT}/var/qmail/control/me ] ; then
                        ${ROOT}/var/qmail/bin/config-fast $qhost
                fi
        fi

        echo "Accepting relaying by default from all ips configured on this machine."
        LOCALIPS=`/sbin/ifconfig  | grep inet | cut -d " " -f 12 -s | cut -b 6-20`
        for ip in $LOCALIPS; do
                echo "$ip:allow,RELAYCLIENT=\"\"" >> /etc/tcp.smtp
        done
        echo ":allow" >> /etc/tcp.smtp

        tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp

        if [ `use ssl` ]; then
                if [ ! -f /var/qmail/control/servercert.pem ]; then
                        echo "Creating a self-signed ssl-cert:"
                        /usr/bin/openssl req -new -x509 -nodes -out /var/qmail/control/servercert.pem -days 366 -keyout /var/qmail/control/servercert.pem
                        chmod 640 /var/qmail/control/servercert.pem
                        chown qmaild:qmail /var/qmail/control/servercert.pem
                        ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem

                        echo -e "\e[32;01m If You want to have a signed cert, do the following: \033[0m"
                        echo -e "\e[32;01m openssl req -new -nodes -out req.pem \ \033[0m"
                        echo -e "\e[32;01m -keyout /var/qmail/control/servercert.pem \033[0m"
                        echo -e "\e[32;01m chmod 640 /var/qmail/control/servercert.pem \033[0m"
                        echo -e "\e[32;01m chown qmaild:qmail /var/qmail/control/servercert.pem \033[0m"
                        echo -e "\e[32;01m ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem \033[0m"
                        echo -e "\e[32;01m Send req.pem to your CA to obtain signed_req.pem, and do: \033[0m"
                        echo -e "\e[32;01m cat signed_req.pem >> /var/qmail/control/servercert.pem \033[0m"
                fi
        fi
}
```

then run the following commands: 

```
ebuild /usr/portage/net-mail/qmail/qmail-1.03-r10.ebuild fetch
ebuild /usr/portage/net-mail/qmail/qmail-1.03-r10.ebuild digest
/etc/init.d/svscan stop
emerge /usr/portage/net-mail/qmail/qmail-1.03-r10.ebuild
/etc/init.d/svscan start
```

to use cmd5checkpw (emerge net-mail/cmd5checkpw) which stores usernames and passwords in plain text in /etc/poppassword set your /service/qmail-smtpd/run as follows

```
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

exec /usr/bin/softlimit -m 8000000 \
        /usr/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb \
        -u $QMAILDUID -g $NOFILESGID 0 smtp rblsmtpd /var/qmail/bin/qmail-smtpd eaglenetworks.net \
        /bin/cmd5checkpw /bin/true 2>&1
```

then run 

```
/etc/init.d/svscan restart
```

----------

## apokalyptik

and........... vchkpw support (tada)

replace /service/qmail-smtpd/run with 

```
#!/bin/sh

exec /usr/bin/softlimit -m 8000000 tcpserver -H -l0 -R -c 512 -x \
/etc/tcp.smtp.cdb -u `id -u vpopmail` -g `id -g vpopmail` 0 smtp \
/var/qmail/bin/qmail-smtpd `hostname` /var/vpopmail/bin/vchkpw /bin/true 2>&1
```

 then 

```
chmod u+s /var/vpopmail/bin/vchkpw
```

 then 

```
chown root.root /var/vpopmail/bin/vchkpw
```

 then 

```
/etc/init.d/svscan restart
```

have fun peoples

----------

## evossler

Hi all,

I'm bumping this thread because I am at wits end trying to get SMTP AUTH working with qmail, and despite reading every thread on the subject that I can find I still don't know why my setup isn't working.

My problem is, as others in this thread have mentioned, that although SMTP AUTH is enabled and although qmail won't relay messages for an outsider unless they have authenticated, it is accepting ANY combination of user and password as valid.

I am using the qmail-1.03-r10 ebuild.

When I first edited my /service/qmail-smtpd/run file to get AUTH working, it looked like this:

```
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

exec /usr/bin/softlimit -m 8000000 \
        /usr/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb \
        -u $QMAILDUID -g $NOFILESGID 0 smtp rblsmtpd /var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true 2>&1
```

From everything that I've read this should have worked, and at first I thought it did, since when I attempted to send mail through my server from a different machine using outlook it forced me to authenticate.  It would fail authentication if I tried to enter no password, and succeed when I used a valid user/password.  I thought I was done until I read this thread, went back, and double-checked. . . sure enough, it accepts any user and password.

So I looked around forever to try and find an answer to why it would authenticate any combination, and couldn't really find one.  I decided to switch to using cmd5checkpw instead of checkpassword and see if that made a difference.

So, I emerged cmd5checkpw and changed my /service/qmail-smtp/run file to

```
#!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`

exec /usr/bin/softlimit -m 8000000 \
        /usr/bin/tcpserver -H -R -v -p -x /etc/tcp.smtp.cdb \
        -u $QMAILDUID -g $NOFILESGID 0 smtp rblsmtpd /var/qmail/bin/qmail-smtpd /bin/cmd5checkpw /bin/true 2>&1
```

The results of this are interesting.  If I don't create any entries in /etc/poppasswd, then no authentication is possible -- every user and password is rejected, including the ones that I thought should still work with cmd5checkpw because they are in the regular /etc/passwd.  However, as soon as I create a single entry in /etc/poppasswd, like thus:

```
# Format of this file is one user:pass per line
# Like so...
# joedogger:sm311yf33t
mailuser:h4ppym4i1
```

Then we are back to accepting any combination of user and password.

This is really frustrating.  Can anyone please explain to me how checkpassword and cmd5checkpw work, and what might cause them to authenticate everything that qmail passes to them?  I'm really at the end of my rope on this one.

Thanks,

evossler
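
An added example, not part of the original thread and not qmail's own code: a local model of the checkpassword hand-off, showing how a run file that omits the hostname can end up with `/bin/true` as the password checker. It assumes the SMTP AUTH patch reads the words after `qmail-smtpd` as hostname, checkpassword program, subprogram (the order used by the run files in this thread that include a hostname); `smtpd_auth`, `verdict`, `make_demo_checker`, the `demo`/`correct-horse` login and `mail.example.org` are constructed for the illustration.

```shell
#!/bin/sh
# checkpassword interface: the caller writes "user\0pass\0timestamp\0" to file
# descriptor 3 of the checker. The checker exits 0 (after running its
# subprogram) when the login is good, and non-zero when it is not.

# smtpd_auth USER PASS ARG...
# ARG... are the words that follow /var/qmail/bin/qmail-smtpd in a run file.
# Assumed patch behaviour: ARG1 = hostname, ARG2 = checker, ARG3... = subprogram.
smtpd_auth() {
    sa_user=$1 sa_pass=$2
    shift 2
    [ "$#" -ge 2 ] || return 2      # hostname and checker are the minimum
    shift                           # whatever came first is taken as the hostname
    # Run the checker with the credentials on fd 3; the pipeline's status is
    # the checker's exit status.
    printf '%s\0%s\0%s\0' "$sa_user" "$sa_pass" "$(date +%s)" | "$@" 3<&0
}

# verdict USER PASS ARG... -> prints "accepted" or "rejected"
verdict() {
    if smtpd_auth "$@"; then echo accepted; else echo rejected; fi
}

# Writes a constructed stand-in for a real checkpassword program to a temp
# file and prints its path. It knows exactly one login: demo / correct-horse.
make_demo_checker() {
    mc_file=$(mktemp) || return 1
    cat > "$mc_file" <<'EOF'
#!/bin/sh
creds=$(tr '\000' '\n' <&3)                      # NUL-separated fields from fd 3
user=$(printf '%s\n' "$creds" | sed -n 1p)
pass=$(printf '%s\n' "$creds" | sed -n 2p)
[ "$user" = demo ] && [ "$pass" = correct-horse ] || exit 1
exec "$@"                                        # success: run the subprogram
EOF
    echo "$mc_file"
}

demo_checker=$(make_demo_checker) || exit 1

# Run file without a hostname: /bin/checkpassword lands in the hostname slot,
# /bin/true becomes the checker, and /bin/true never says no.
echo "no hostname, bogus login:       $(verdict bogus bogus /bin/checkpassword /bin/true)"

# Run file with a hostname: the real checker gets to decide.
echo "hostname, wrong password:       $(verdict demo wrong mail.example.org sh "$demo_checker" /bin/true)"
echo "hostname, right password:       $(verdict demo correct-horse mail.example.org sh "$demo_checker" /bin/true)"

rm -f "$demo_checker"
```

To check a live setup, compare the words after `qmail-smtpd` in `/service/qmail-smtpd/run` against the argument order the installed patch documents, then confirm that a deliberately wrong password gets an error reply rather than `235`.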

----------

## Accipiter

Okay. This is starting to be a real pain. I HAD this working until the -r13 ebuild came along and played a shell game with all of qmail's configuration files. Now I'm back at square-one.

GREAT call on that one, devs, by the way...

What I need is so simple it's absurd. Only authenticated users may send mail. These users are to be authenticated against /etc/shadow.

Simple.

So why, why, why, why, why, WHY in the name of all that is holy is that so fracking hard to achieve?

Again, I had this working in -r10 until -r13 came along. Someone, have pity, and help us out.

----------

## Accipiter

Okay. Done blowing steam. Repaired my configuration. It's in twelve files instead of one now, which has the tendency to tick me off, but it works. Here.

From /var/qmail/control/conf-smtpd

```
# This next block is for SMTP-AUTH 
# This provides the LOGIN, PLAIN and CRAM-MD5 types
# the 'cmd5checkpw' used in $QMAIL_SMTP_AUTHCHECKPASSWORD supports CRAM-MD5
# and reads it's data from /etc/poppasswd
# see the manpage for cmd5checkpw for details on the passwords
# uncomment the next four lines to enable SMTP-AUTH
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
# Screw cmd5checkpw. This works. This authenticates against user accounts vis-a-vis /etc/shadow.
QMAIL_SMTP_CHECKPASSWORD="/bin/checkpassword"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

If someone can find a flaw in this, go ahead and tell me. I'd like to know.

----------

