# qmail + vpopmail smtp auth problem [SOLVED]

## kilrathi

I've read the forums and tried many, many different things to get SMTP auth to work with my system via qmail. Nothing I do seems to make auth work.

Here's what I have:

/var/qmail/control/conf-smtpd

```
QMAIL_SMTP_POST="xx.xx.xx.xx /var/vpopmail/bin/vchkpw /bin/true"
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {
        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true
        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
}
```

/etc/tcprules.d/tcp.qmail-smtpd

```
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
xx.xx.xx.xx:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/qmail-queue"
:allow,QMAILQUEUE="/var/qmail/bin/qmail-scanner-queue.pl"
```

```
>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xx.xx.xx.xx ESMTP
EHLO
250-xx.xx.xx.xx
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
```

I've removed and reinstalled almost every piece of the mailing system I can find. qmail just won't allow SMTP authentication for some strange reason. This machine has only 1 network interface with a public IP address. It is not behind a NAT firewall of any sort. I've changed the public address in these config files for security reasons. Please help.

----------

## Rüpel

What do the logfiles say?

----------

## kilrathi

Well, I seem to have made things worse. After much frustration I decided to completely remove courier-imap, qmail, and vpopmail, so I did an emerge -C qmail courier-imap vpopmail.

After doing so I started with a fresh emerge of each package. I followed the directions line by line from http://www.gentoo.org/doc/en/qmail-howto.xml

Now when I try to log in from a POP3 client, /var/log/mail.log shows me:

```
Aug 11 03:25:37 genbox pop3d: LOGIN FAILED, user=user@domain.com, ip=[::ffff:xx.xx.xx.xx]
Aug 11 03:25:42 genbox pop3d: Disconnected, ip=[::ffff:xx.xx.xx.xx]
```

courier-imap is running fine from what I can tell, but I cannot authenticate to it.

Also, telnet localhost 25 returns:

```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xx.xx.xx.xx ESMTP
EHLO
250-xx.xx.xx.xx
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
```

just like before.

/var/log/qmail/qmail-smtpd/current

```
@4000000042fb0b921b77651c tcpserver: status: 0/40
@4000000042fb0baf05f17624 tcpserver: status: 1/40
@4000000042fb0baf05f88aa4 tcpserver: pid 15968 from 205.244.40.42
@4000000042fb0baf12d20034 tcpserver: ok 15968 :::ffff:xx.xx.xx.xx:25 mail3.giftdoc.com:::ffff:205.244.40.42::13885
@4000000042fb0baf1b74d8c4 qmail-smtpd: Attempted relay from bounce-akvvroklrmkyul@10.44.40.13 at 205.244.40.42 to email@domain.net
@4000000042fb0bb4250614ac tcpserver: end 15968 status 0
@4000000042fb0bb425077054 tcpserver: status: 0/40
@4000000042fb0bc90328fb9c tcpserver: status: 1/40
@4000000042fb0bc9032fba2c tcpserver: pid 15994 from 64.246.174.131
```

/var/log/qmail/qmail-send/current

```
@4000000042fb08b80d7434cc new msg 491196
@4000000042fb08b80eead324 info msg 491196: bytes 771 from <username.domain.com> qp 15905 uid 0
@4000000042fb08b80fcab3a4 starting delivery 1: msg 491196 to local root@domain.com
@4000000042fb08b80fcacb14 status: local 1/10 remote 0/20
@4000000042fb08b81ea2d794 delivery 1: success: did_1+0+0/
@4000000042fb08b81ea2f2ec status: local 0/10 remote 0/20
@4000000042fb08b81ed38c54 end msg 491196
@4000000042fb0bc904c0f11c status: exiting
```

----------

## Rüpel

I read "success" and "ok" everywhere...  :Rolling Eyes: 

----------

## kilrathi

Upon further testing, here's what I've found so far.

When I run the command

```
printf "user@domain.com\0password\0blah\0" | /var/vpopmail/bin/vchkpw `which id` 3<&0
```

I get the following error message:

```
vmysql: error creating table 'vlog': MySQL server has gone away
error inserting into vlog table
```

My /etc/vpopmail.conf:

```
MYSQL_UPDATE_SERVER     localhost
MYSQL_UPDATE_USER       vpopmail
MYSQL_UPDATE_PASSWD     **edit**
MYSQL_READ_SERVER       localhost
MYSQL_READ_USER         vpopmail
MYSQL_READ_PASSWD       **edit**
```

The database name is vpopmail, and the user (vpopmail) has the correct permissions for the database.  

```
vpopmail      SELECT, INSERT, UPDATE, DELETE, CREATE, DROP  
```

```
mysql -u vpopmail -p vpopmail
```

does allow me access to the vpopmail database.

I've tried restarting courier-imap, qmail, and mysql, and even rebooting the machine.

Please help.
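Added example (not from the thread or from vpopmail) of what that printf | vchkpw ... 3<&0 command exercises: the checkpassword interface, driven from Python the way qmail-smtpd drives it, against a constructed stand-in for vchkpw so it runs offline. The fake checker, the account user@domain.com / s3cret and the function names are assumptions of the example.

```python
"""Drive a checkpassword-style program (vpopmail's vchkpw, for instance) the
way qmail-smtpd does, and try it against a constructed stand-in for vchkpw.
Added example, not code from the thread or from vpopmail."""
import os
import subprocess
import sys
import tempfile


def run_checkpassword(checker_argv, success_argv, user, password, timestamp="0"):
    """Run the checker with "user\\0password\\0timestamp\\0" on fd 3.

    Uses the same 3<&0 trick as the vchkpw test command on this page: the
    payload goes in on stdin and the shell duplicates stdin onto fd 3.
    Returns the exit status: 0 = accepted (success_argv was run),
    1 = rejected, 2 = misuse, 111 = temporary failure (e.g. DB unreachable).
    """
    payload = b"\0".join([user.encode(), password.encode(), timestamp.encode(), b""])
    cmd = ["/bin/sh", "-c", 'exec "$@" 3<&0', "checkpw", *checker_argv, *success_argv]
    proc = subprocess.run(cmd, input=payload, capture_output=True)
    return proc.returncode


# Constructed stand-in for vchkpw so the example runs offline.  It implements
# the checkpassword side of the interface: read fd 3 to EOF, split on NUL,
# compare, and exec the next program (argv[1:]) only on success.
FAKE_CHECKER = r'''
import os, sys
data = b""
while True:
    chunk = os.read(3, 512)
    if not chunk:
        break
    data += chunk
fields = data.split(b"\0")
if len(fields) < 4:            # user, password, timestamp, trailing empty
    sys.exit(2)                # misuse: malformed input
if fields[0] == b"%s" and fields[1] == b"%s":
    os.execvp(sys.argv[1], sys.argv[1:])
sys.exit(1)                    # wrong credentials
'''


def demo(workdir=None):
    """Write the fake checker for one account and test a good and a bad password.

    Returns (status_good_password, status_bad_password); expected (0, 1)."""
    workdir = workdir or tempfile.mkdtemp()
    checker = os.path.join(workdir, "fake_vchkpw.py")
    with open(checker, "w") as fh:
        fh.write(FAKE_CHECKER % ("user@domain.com", "s3cret"))
    checker_argv = [sys.executable, checker]
    good = run_checkpassword(checker_argv, ["true"], "user@domain.com", "s3cret")
    bad = run_checkpassword(checker_argv, ["true"], "user@domain.com", "wrong")
    return good, bad


if __name__ == "__main__":
    print(demo())    # (0, 1)
```

Against the real vchkpw the same driver reports the failure class by exit status, which is more useful than the "MySQL server has gone away" text alone: a 111 points at the database, a 1 at the credentials.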

----------

## kilrathi

Been doing even more reading on this. Seems this problem came up back in May or June and the fix was to change the permissions of /etc/vpopmail.conf and /var/vpopmail/bin/vchkpw.

Here are the permissions I currently have set.

```
>ls -la /etc/vpopmail.conf
-rw-r-----    1 root     vpopmail      464 Aug 11 14:12 vpopmail.conf
```

```
>ls -la /var/vpopmail/bin/vchkpw
-rws--x--x    1 root     vpopmail    85520 Aug 11 14:12 /var/vpopmail/bin/vchkpw
```

From what I can tell my permissions are correct. However, I still cannot connect to the MySQL db via vchkpw. When I connect from the shell with the same username and password provided in vpopmail.conf I can connect fine.

https://forums.gentoo.org/viewtopic-t-326550-start-0-postdays-0-postorder-asc-highlight-vpopmail+conf.html

This is where i first read about this problem with vpopmail connections and they suggested the permission changes.

https://bugs.gentoo.org/show_bug.cgi?id=53117

These are the bug fixes and such for the problem. It looks like some of them actually patched the binary.

I am running the vpopmail-5.4.10 ebuild:

```
net-mail/vpopmail/vpopmail-5.4.10.ebuild
```

----------

## kilrathi

Well, I figured out why vchkpw wasn't working properly. My /etc/vpopmail.conf file was in an old format rather than the new one.

Old Format:

```
MYSQL_UPDATE_SERVER     localhost
MYSQL_UPDATE_USER       vpopmail
MYSQL_UPDATE_PASSWD     secret
MYSQL_READ_SERVER       localhost
MYSQL_READ_USER         vpopmail
MYSQL_READ_PASSWD       secret
```

New Format:

```
# host|port|user|password|database
# Read-only DB
localhost|0|vpopmail|secret|vpopmail
# Write DB
localhost|0|vpopmail|secret|vpopmail
```

For some reason the ebuild didn't bring a new copy of the vpopmail.conf file with it.

courier-imapd still isn't working, but I'm more worried about qmail and SMTP auth. I pull messages from all of my virtual domains.

```
#/var/qmail/control/conf-smtpd
# Configuration file for qmail-smtpd
# $Header: /var/cvsroot/gentoo-x86/mail-mta/qmail/files/conf-smtpd-r16,v 1.1 2005/06/19 06:52:42 hansmi Exp $
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
[[ -n "${QMAIL_SMTP_CHECKPASSWORD}" ]] && {
        [[ -z "${QMAIL_SMTP_POST}" ]] && QMAIL_SMTP_POST=/bin/true
        QMAIL_SMTP_POST="${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
}
```

```
>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.domain.com ESMTP
>EHLO
250-host.domain.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
```

Why am I not getting SMTP auth?
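Added example, not vpopmail's own code: a parser for the new host|port|user|password|database layout that reports the old MYSQL_* layout up front instead of letting vchkpw fail later with a MySQL connection error, plus the permission check the earlier post discusses. The read-then-write line order is taken from the post; the sample file contents and all names are constructed for the example.

```python
"""Parse /etc/vpopmail.conf in the host|port|user|password|database layout
shown above and reject the old MYSQL_*_SERVER layout that broke vchkpw for the
poster.  Added example, not vpopmail's own code; names here are my own."""
from dataclasses import dataclass


class VpopmailConfError(ValueError):
    """The file is not in the layout vpopmail 5.4 expects."""


@dataclass(frozen=True)
class DbEndpoint:
    host: str
    port: int
    user: str
    password: str
    database: str


def parse_vpopmail_conf(text):
    """Return (read_db, write_db): first data line is the read-only DB, second
    the write DB, as laid out on the page.  Blank and '#' lines are skipped.
    A MYSQL_* line means the pre-5.4 key/value file and is reported up front,
    instead of surfacing later as vchkpw's misleading MySQL connection error."""
    endpoints = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("MYSQL_"):
            raise VpopmailConfError(
                f"line {lineno}: old-style key {line.split()[0]!r}; "
                "expected host|port|user|password|database")
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise VpopmailConfError(
                f"line {lineno}: expected 5 '|'-separated fields, got {len(fields)}")
        host, port, user, password, database = fields
        if not port.isdigit():
            raise VpopmailConfError(f"line {lineno}: port {port!r} is not a number")
        endpoints.append(DbEndpoint(host, int(port), user, password, database))
    if len(endpoints) != 2:
        raise VpopmailConfError(
            f"expected 2 data lines (read DB, then write DB), got {len(endpoints)}")
    return endpoints[0], endpoints[1]


def conf_mode_is_safe(mode):
    """The file holds the DB password, so it must not be world-accessible.
    The page's -rw-r----- root:vpopmail (0o640) passes; 0o644 does not."""
    return mode & 0o007 == 0


# Constructed samples mirroring the two layouts quoted in the post above.
NEW_FORMAT = """# host|port|user|password|database
# Read-only DB
localhost|0|vpopmail|secret|vpopmail
# Write DB
localhost|0|vpopmail|secret|vpopmail
"""
OLD_FORMAT = """MYSQL_UPDATE_SERVER     localhost
MYSQL_UPDATE_USER       vpopmail
MYSQL_UPDATE_PASSWD     secret
"""
```

Run it on a real file with `parse_vpopmail_conf(open("/etc/vpopmail.conf").read())` and `conf_mode_is_safe(os.stat("/etc/vpopmail.conf").st_mode)`; a stale copy left behind by an ebuild upgrade is caught before any daemon is restarted.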

----------

## kilrathi

Well, I finally solved my problem. Turns out the main thing I was doing wrong was trying to use the latest and greatest ebuilds. I removed everything:

```
emerge -C qmail courier-imap courier-authlib vpopmail
```

and started from scratch.

I used this guide and followed it to the letter.  I emerged the exact ebuild versions that guide talked about.  Now everything is working great.

I still only get STARTTLS and no AUTH options up front.  However pop before smtp seems to allow relaying just fine.

```
>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 my.domain.com ESMTP
EHLO
250-my.domain.com
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
```

From my 2-day search through these forums and Google I found that not showing AUTH options up front is a 'feature' the newer qmail builds use. It requires you to get a secure connection before you can send your username and password to the SMTP server.

Here are some of the sites I used:

http://qmail.jms1.net/test-auth.shtml

http://qmail.jms1.net/smtp-service.shtml

https://forums.gentoo.org/viewtopic-t-334267.html

https://forums.gentoo.org/viewtopic-t-339867.html

Thanks to the guys in IRC (#gentoo on EfNet) for pointing me in the right direction.

*edit* Updated some of the links in here because they changed.
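Added example, not from qmail or from the thread: a checker that parses the EHLO reply before and after STARTTLS and tells you whether AUTH is offered only on the encrypted session, which is the behaviour described above. The post-STARTTLS transcript is constructed, since the post only shows the cleartext one, and probe_smtp assumes a reachable server with a verifiable certificate.

```python
"""Check what an ESMTP server advertises before and after STARTTLS: on this
page the cleartext EHLO lists STARTTLS but no AUTH, and AUTH is expected only
once TLS is up.  Added example, not qmail's or the thread's code; probe_smtp
needs a live server and is not run here, the rest works on transcripts."""
import re
import smtplib
import ssl

_PREFIX = re.compile(r"^250[- ]")


def parse_ehlo(lines):
    """Turn EHLO reply lines ('250-STARTTLS', '250 SIZE 0', or the same lines
    without the code as smtplib stores them) into {KEYWORD: [params]}.
    The first line is the server's name and is skipped."""
    caps = {}
    for line in lines[1:]:
        body = _PREFIX.sub("", line.strip())
        if not body:
            continue
        keyword, *params = body.upper().split()
        if keyword.startswith("AUTH="):          # legacy 'AUTH=LOGIN PLAIN' form
            params = [keyword[5:]] + params
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(params)
    return caps


def assess_auth_exposure(cleartext_caps, tls_caps):
    """'plaintext-auth-before-tls': PLAIN/LOGIN offered on the cleartext session;
    'auth-before-tls': only challenge-response mechanisms offered before TLS;
    'auth-after-tls-only': AUTH appears only after STARTTLS, the behaviour the
    post above attributes to the newer qmail builds; 'no-auth': never offered."""
    pre = set(cleartext_caps.get("AUTH", []))
    post = set(tls_caps.get("AUTH", []))
    if pre & {"PLAIN", "LOGIN"}:
        return "plaintext-auth-before-tls"
    if pre:
        return "auth-before-tls"
    if post:
        return "auth-after-tls-only"
    return "no-auth"


def probe_smtp(host, port=25, timeout=10):
    """Live check: EHLO, STARTTLS with certificate verification, EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = parse_ehlo(smtp.ehlo_resp.decode().splitlines())
        if "STARTTLS" not in pre:
            return assess_auth_exposure(pre, {})
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()
        post = parse_ehlo(smtp.ehlo_resp.decode().splitlines())
        return assess_auth_exposure(pre, post)


# Constructed transcripts: the first mirrors the telnet session quoted above,
# the second is what a post-STARTTLS EHLO is expected to add.
CLEARTEXT_EHLO = ["250-my.domain.com", "250-STARTTLS", "250-SIZE 0",
                  "250-PIPELINING", "250 8BITMIME"]
AFTER_TLS_EHLO = ["250-my.domain.com", "250-AUTH LOGIN PLAIN CRAM-MD5",
                  "250-SIZE 0", "250-PIPELINING", "250 8BITMIME"]
```

`probe_smtp("localhost")` on the server in this thread should return 'auth-after-tls-only'; 'plaintext-auth-before-tls' is the state the notlsbeforeauth USE flag discussed further down would produce.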

----------

## D33T

I get the same response from telnet, but I can't get SMTP-AUTH to work properly.

I can use the SMTP server for internal domains with no problems, but sending out to anywhere else (currently testing with messages to my gmail account) fails. The client (Thunderbird) reports that server response is:

```
"sorry, that domain isn't in my list of rcpthosts (#5.7.1). Please verify that your email address is correct in your Mail preferences and try again".
```

I am trying to use 'courier-pop3d-ssl' as my POP3 server, which is part of the courier-imap package. Googling the error leads me to believe that this response shows up because SMTP-AUTH (via relay-ctrl) is failing for some reason.

I have set everything up according to this over at gentoo-wiki.com and I'm super close. My only assumption is that the 'LOGINRUN="relay-ctrl-allow"' line that it told me to add to /etc/courier-imap/imapd, /etc/courier-imap/imapd-ssl, /etc/courier-imap/pop3d, and /etc/courier-imap/pop3d-ssl is not valid. It's the only thing that makes sense (to me anyhow).

As a side note, my log files are in different locations than yours. I don't want to sit and list them all unless I absolutely need to. One thing I think was pretty odd, though, was this in /var/log/messages:

```
Aug 13 19:20:22 hostname pop3d-ssl: Connection, ip=[::ffff:123.123.123.123]
Aug 13 19:20:22 hostname pop3d-ssl: LOGIN, user=user1@domain1.net, ip=[::ffff:123.123.123.123]
Aug 13 19:20:22 hostname pop3d-ssl: LOGOUT, user=user1@domain1.net, ip=[::ffff:123.123.123.123], top=0, retr=0, time=0
Aug 13 19:21:34 hostname pop3d-ssl: Connection, ip=[::ffff:123.123.123.123]
Aug 13 19:21:34 hostname pop3d-ssl: LOGIN, user=user2@domain2.com, ip=[::ffff:123.123.123.123]
Aug 13 19:21:34 hostname pop3d-ssl: LOGOUT, user=user2@domain2.com, ip=[::ffff:123.123.123.123], top=0, retr=0, time=0
```

Note the LOGOUT within the same second as the LOGIN... it might be right, but it seemed odd to me.

It's annoying because I know it's probably something really simple that I am overlooking. Any ideas?! Any help is MUCH appreciated!

----------

## D33T

Bumping in hopes someone will help me. I checked the links that kilrathi posted, but they didn't help me out at all! Also, the tutorial that kilrathi claims to have followed "to the letter" is gone. I have been using HOWTO Setup QMAIL RELAY-CTRL VPOPMAIL in the wiki like I said, but it doesn't seem to want to work.

The only possibly useful info I found from the links left by kilrathi was compiling ucspi-tcp with USE="-ipv6" and compiling qmail with USE="notlsbeforeauth". However, recompiling tcp didn't seem to help or hurt anything, and I don't want to pass "notlsbeforeauth" to qmail as it will allow users to send authentication via plaintext. Now, since I'm only running IMAPD and POP3D over SSL, it shouldn't matter, but you can't be too safe I guess. Last thing I want is to become an open relay....

Any help is appreciated and will end up in the wiki. Your mother would be proud if you helped out!

----------

## kilrathi

From what I can tell the relay-ctrl program is what allows people to relay mail to domains that aren't local. My setup is still working and I'm about to attempt to add qmail-scanner & spamassassin back into the mix.

I'll add my existing config files to this post. Might be helpful. I'll remove all the commented stuff from the configs so this post doesn't get any more massive.

/etc/courier/authlib

```
authmodulelist="authvchkpw"
authmodulelistorig="authvchkpw"
daemons=5
authdaemonvar=/var/lib/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS=""
LOGGEROPTS=""
```

/etc/courier-imap/imapd

```
ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=20
PIDFILE=/var/run/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
IMAP_PROXY=0
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/etc/courier-imap/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=YES
MAILDIR=.maildir
MAILDIRPATH=.maildir
PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
LOGINRUN="relay-ctrl-allow"
```

/etc/courier-imap/imapd-ssl

```
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
MAXPERIP=20
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/sbin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/etc/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/lib/courier-imap/couriersslcache
TLS_CACHESIZE=524288
MAILDIR=.maildir
MAILDIRPATH=.maildir
PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
LOGINRUN="relay-ctrl-allow"
```

/etc/courier-imap/pop3d

```
PIDFILE=/var/run/pop3d.pid
MAXDAEMONS=40
MAXPERIP=20
POP3AUTH=""
POP3AUTH_ORIG="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH_TLS=""
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
POP3_PROXY=0
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
POP3DSTART=YES
MAILDIR=.maildir
MAILDIRPATH=.maildir
PRERUN="envdir /etc/relay-ctrl relay-ctrl-chdir"
LOGINRUN="relay-ctrl-allow"
```

/var/qmail/control/conf-smtpd

```
TCPSERVER_OPTS="${TCPSERVER_OPTS} -R"
QMAIL_TCPSERVER_PRE="${QMAIL_TCPSERVER_PRE} envdir /etc/relay-ctrl relay-ctrl-chdir"
QMAIL_SMTP_PRE="${QMAIL_SMTP_PRE} relay-ctrl-check"
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

I also updated some of the links posted above. I used the qmail - vpopmail guide on gentoo wiki. From what I can tell the relay-ctrl basically enforces pop before smtp. My users cannot relay mail until they have authed to both the pop3 and smtp services. Make sure when you emerge the imap and qmail packages you are using the exact version listed in that guide. I had very similar problems to what you're describing. I ended up removing everything and using the exact version of each ebuild in the gentoo-wiki guide for qmail and vpopmail. If I find any more information I will post it here.
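Added example, not relay-ctrl's own code: a from-scratch model of the pop-before-smtp gate that the PRERUN/LOGINRUN lines in the courier configs and the QMAIL_SMTP_PRE line in conf-smtpd above wire in. Its state-directory layout, 15-minute expiry and function names are my own assumptions about how such a gate works, not relay-ctrl's actual implementation.

```python
"""A from-scratch model of the pop-before-smtp gate that relay-ctrl provides in
the configs above.  Added example, not relay-ctrl's code: as I understand the
tool it keeps one entry per client IP in a state directory and ages it out;
the paths, names and 15-minute default here are my own assumptions."""
import ipaddress
import os
import tempfile
import time


def _entry_path(state_dir, client_ip):
    # The file name derives from client-supplied data: accept only a literal IP.
    addr = ipaddress.ip_address(client_ip)
    return os.path.join(state_dir, str(addr).replace(":", "_"))


def record_login(state_dir, client_ip, now=None):
    """What LOGINRUN="relay-ctrl-allow" does after a POP3/IMAP login succeeds:
    remember the client IP and when it logged in.  Returns the entry path."""
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    path = _entry_path(state_dir, client_ip)
    with open(path, "a"):
        pass
    now = time.time() if now is None else now
    os.utime(path, (now, now))
    return path


def smtp_relay_env(state_dir, client_ip, expiry=900, now=None):
    """What QMAIL_SMTP_PRE="relay-ctrl-check" does before qmail-smtpd starts:
    {"RELAYCLIENT": ""} if this IP logged in within `expiry` seconds, else {}
    (qmail-smtpd then keeps answering "sorry, that domain isn't in my list of
    rcpthosts (#5.7.1)" for non-local recipients)."""
    now = time.time() if now is None else now
    try:
        age = now - os.stat(_entry_path(state_dir, client_ip)).st_mtime
    except (FileNotFoundError, ValueError):
        return {}
    return {"RELAYCLIENT": ""} if 0 <= age <= expiry else {}


def expire_entries(state_dir, expiry=900, now=None):
    """Housekeeping: drop entries older than `expiry`; returns how many."""
    now = time.time() if now is None else now
    removed = 0
    for name in os.listdir(state_dir):
        path = os.path.join(state_dir, name)
        if now - os.stat(path).st_mtime > expiry:
            os.remove(path)
            removed += 1
    return removed


def demo():
    """One client: fresh login, expired login, unknown IP, bogus address, then
    housekeeping and a re-check.  Returns the six results in that order."""
    state, t0 = tempfile.mkdtemp(), 1_000_000.0
    record_login(state, "203.0.113.7", now=t0)
    return (smtp_relay_env(state, "203.0.113.7", now=t0 + 60),
            smtp_relay_env(state, "203.0.113.7", now=t0 + 901),
            smtp_relay_env(state, "203.0.113.8", now=t0),
            smtp_relay_env(state, "../etc/passwd", now=t0),
            expire_entries(state, now=t0 + 901),
            smtp_relay_env(state, "203.0.113.7", now=t0 + 60))
```

The model makes the exposure of this scheme visible: whatever shares the client's address (NAT, a compromised host on the same IP) can relay for the whole expiry window, which is why the later posts care about real SMTP AUTH over TLS rather than this gate alone.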

----------

## seiko

I did not uninstall everything as the original poster did.  I did however move one step at a time and found that reemerging (after unmasking) net-mail/courier-imap-4.0.1-r1 instead of net-mail/courier-imap-4.0.1 and picking up the LOGINRUN and MAILDIR=.maildir options -- things started working remarkably well.

I want to mention here that you should use /var/qmail/control/locals with care if you are hosting virtual domains. If you put any other domains than the default, vpopmail will NOT authenticate and your users will not receive any email unless it is sent from their own domain.

Qmail has many great howto's but there is a shortage of whyto's.  Unfortunately, I am unqualified to write one.  Although this ordeal has pushed me much deeper into qmail.  I am beginning to wonder if portage is really all that for production servers.  The gentoo package of qmail is supposed to be patched and improved, but it appears to also be very undocumented and broken in ways that affect production server implementation.  Is there a source of gentoo/qmail development insight that I do not know about where one can find insight to the gentoo specific changes in portage?

Thanks for pointing out that http://gentoo-wiki.com/HOWTO_Setup_QMAIL_VPOPMAIL_and_Other_Mail_Servers worked.

----------

## tecknojunky

 *seiko wrote:*   

> Qmail has many great howto's but there is a shortage of whyto's.  Unfortunately, I am unqualified to write one.  Although this ordeal has pushed me much deeper into qmail.  I am beginning to wonder if portage is really all that for production servers.  The gentoo package of qmail is supposed to be patched and improved, but it appears to also be very undocumented and broken in ways that affect production server implementation.  Is there a source of gentoo/qmail development insight that I do not know about where one can find insight to the gentoo specific changes in portage?

Boy, do I agree with you. The first time I installed qmail, that was 5 years ago on a Slackware box, following solely Life With Qmail of that time. It was nowhere near as complicated as it is in Gentoo, which seems to be the sum of all the half-ass ways of doing things. The end result is still half-ass because there are no clear docs, just bunches of specific if-you-want-this-do-that howtos.

I think the main responsibility for this lies with Dan J. Bernstein himself, with his license that forbids distribution of modified versions of his programs. That results in gazillions of versions of qmail patched from the original. Damn him.

----------

## IAmTheWalrus

SMTP-AUTH via telnet will never work because telnet is insecure.  If you connect via TLS as described at http://qmail.jms1.net/test-auth.shtml, and then issue the EHLO command, you will see the allowed AUTH methods listed.

Qmail, being designed as a secure mail server, will not let you do things that are insecure without some major modification of its config files (and perhaps even the source, too).

----------

## leosgb

Hi, did any of you solve this puzzle? I am running far more updated tools than when this thread was started but I am having the same problems. I can't log in to my POP3 server at all. I use Thunderbird and Outlook to sync email and both report that they were unable to log in to the server.

I can send email successfully but I can't log in. So I gathered some information:

netstat -nap:

```
tcp        0      0 :::993                  :::*                    LISTEN      14067/couriertcpd
tcp        0      0 :::995                  :::*                    LISTEN      14227/couriertcpd
tcp        0      0 :::110                  :::*                    LISTEN      14147/couriertcpd
tcp        0      0 :::143                  :::*                    LISTEN      13987/couriertcpd
```

User vpopmail can retrieve all fields from the vpopmail database:

```
mysql> select * from vpopmail;
+------------+------------------------+------------------------------------+--------+--------+------------+---------------------------------------------------------+----------+
| pw_name    | pw_domain              | pw_passwd                          | pw_uid | pw_gid | pw_gecos   | pw_dir                                                  | pw_shell |
+------------+------------------------+------------------------------------+--------+--------+------------+---------------------------------------------------------+----------+
| postmaster | mydomain.net | $1$n83sLz4j$Aoode4j7sNWTZhEoKvT. | 0      | 0      | Postmaster | /var/vpopmail/domains/mydomain.net/postmaster | NOQUOTA  |
| john        | mydomain.net | $1$1bMLo0suigfqkTaEPrIv9Twooolsss.l1 | 0      | 0      | john           | /var/vpopmail/domains/mydomain.net/john        | NOQUOTA  |
+------------+------------------------+------------------------------------+--------+--------+------------+---------------------------------------------------------+----------+
2 rows in set (0.02 sec)
```

I only want to have system user email accounts. So I even believe I don't need vpopmail here! I also don't need to be authenticated using MySQL if the server could authenticate using the system's password file.

I would really appreciate any assistance. Thanks in advance.

----------

