
Date:  Fri, 20 Jan 2006 18:29:16 -0000
From:  "Leigh Blackwell" <leigh (at mark) codacommerce.com>
Subject:  [coba-e:03919] Re: pop daemon upgrade....
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <200601201808.k0KI8j8B011788 (at mark) ns.codacommerce.co.uk>
In-Reply-To:  <Pine.LNX.4.44.0601210136430.13354-100000 (at mark) staff.singnet.com.sg>
X-Mail-Count: 03919

The existing pop-before-smtp works fine with the latest version of qpopper,
but I see qpopper can use the "Drac" option to build a list of IPs directly.
Does anyone have any experience of this? It would be more efficient than
regex-parsing the log file.

Thanks

Leigh

-----Original Message-----
From: patricko (at mark) staff.singnet.com.sg [mailto:patricko (at mark) staff.singnet.com.sg] 
Sent: 20 January 2006 17:38
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:03918] Re: pop daemon upgrade....

Hi,

Oops, missed out:
Security hole in 4.0.5

"> 25.  Process user and spool config files as user, not as root (fix
>      security hole reported by Jens Steube)"



Cheers
patrick



On Sat, 21 Jan 2006 patricko (at mark) staff.singnet.com.sg wrote:

> 
> 
> Based on my preliminary investigation,
> the log format has changed.
> Added "Servicing request" on all lines.
> 
> Maybe this breaks the poprelayd regexp?
> 
> Can we have a sample log from 4.0.8?
> 
> 
> I think we should move to 4.0.8
> as there are a lot of minor bug fixes.
> 
> 
> 
> Cheers
> patrick
> 
> 
> 
> 
> 
> 
> Sorry, can't find the Linux changelog anywhere.
> 
> [changelog from netbsd]
> http://mail-index.netbsd.org/pkgsrc-changes/2005/06/01/0097.html
> 
> - Update qpopper to 4.0.8
> - Thanks to taca@ and gavan@ for feedback and patch review
> - This also enables experimental PAM support (on platforms that support 
> it)
> - Security fixes included
> - From the ChangeLog:
> > Changes from 4.0.7 to 4.0.8:
> > ---------------------------
> >  1.  Fix compilation error on HPUX.
> >  2.  Fix some compilation warnings.
> >  3.  Update man page with '-x' option.
> >  4.  Fix problems with 'make install'
> >
> >
> > Changes from 4.0.6 to 4.0.7:
> > ---------------------------
> >  1.  Fix '-V' for standalone.
> >  2.  Include 'man' directory in tarball.
> >
> >
> > Changes from 4.0.5 to 4.0.6:
> > ----------------------------
> >  1.  Minor fixes for Tru64.
> >  2.  Patch from Uli Zappe to fix SCRAM compilation bugs.
> >  3.  Minor fixes for Tru64.
> >  4.  poppassd now runs smbpasswd as user, not root, to avoid exploit
> >  5.  Remove -traditional-cpp from the compiler options for Darwin
> >      builds (otherwise build fails)
> >  6.  Open stdout and stderr as O_WRONLY instead of O_RDONLY so that
> >      should anything actually be written to them it will show up
> >  7.  When configured as --with-pam and required,
> >      include <pam/pam_appl.h> instead of <security/pam_appl.h>
> >      (otherwise build fails)
> >  8.  strdup the pw.pw_name field from getpwnam so that it's still
> >      valid by the time genpath is called; also added corresponding
> >      free (without this fix when the bug manifests, clients are
> >      erroneously told there are 0 messages in the mail drop
> >      regardless of the actual number)
> >  9.  Add a pam bug workaround at the beginning of main to do a
> >      pam_start and pam_end immediately when the program starts up
> >      in order to avoid bogus authentication failed messages from
> >      pam_authenticate later (only when configured as --with-pam)
> >      [ Thanks to Kyle McKay for changes 5-9 ]
> > 10.  Fixed error in configure script for Mac OS / Darwin.
> > 11.  Support chained certs for OpenSSL [from Daniel Senie].
> > 12.  Fixes to compile better on Linux [from Daniel Senie].
> > 13.  X-UIDL header no longer written when Update_status_hdrs is false
> >      [thanks to Helge Oldach]
> > 14.  Now calling SSL_shutdown() again if it fails the first time.
> > 15.  Now logging TLS errors when compiled with debugging and debug is
> >      enabled (instead of either) [thanks to Maks N. Polunin].
> > 16.  Config file now always closed (not just on error).
> > 17.  When using pam, Kerberos tickets are now destroyed.
> >      Otherwise dead tickets accumulate in cache directory which runs
> >      out of space quickly on busy server.  Problem noted by Rodney
> >      McDuff ITS UQ.   (Directory permissions on ticket cache dir need
> >      to be 1777).
> > 18.  Always log "Servicing request" (instead of just when debugging is
> >      on).   This allows start of pop sessions to be logged always which
> >      is useful for diagnosis of problems.
> > 19.  Worked around problem on some systems causing SIGALRM to be masked,
> >      leaving hung pop processes which should have timed out waiting
> >      for a command from the client.
> >      [ Thanks to David Shrimpton for changes 16-19 ]
> > 20.  Now defaulting to "EXPIRE NEVER" instead of "EXPIRE 0".
> > 21.  Fix core dump on 64-bit Solaris 2.8 [thanks to Kenny Nguyen]
> > 22.  Log facility set on command line now applies to daemon as well.
> >      [Thanks to Helge Oldach]
> > 23.  '-y' to set log facility on command line now works again.
> > 24.  Allow '-V' as synonym for '-v' (to see version).
> > 25.  Process user and spool config files as user, not as root (fix
> >      security hole reported by Jens Steube)
> > 26.  Added "xtnd_xmit" as a boolean option to permit/deny XTND XMIT
> >      and 'x' as a command-line option to disable it.  You should
> >      disable it unless you really need it, and even then it is better
> >      to move to SMTP AUTH.
> > 27.  popauth now opens trace file as user, not root (fix security
> >      hole reported by Jens Steube); also umask now set.
> > 28.  Fix race crash on FreeBSD (thanks to Martin Haller).
> > 29.  Resolve some compiler warnings.
> > 30.  Fix check for libcrypt on FreeBSD.
> > 31.  Added sample pam configuration file (also installed by 'make
> >      install')
> > 32.  Use generic error msg and sleep in more auth failure cases.
> > 33.  Added code to use mkstemp() instead of our perfectly safe usage
> >      of tempnam() because some compilers issue overly broad warnings
> >      implying that all uses of tempnam() are unsafe.  To bypass,
> >      use '--enable-tempnam' with ./configure.
> 
> 
> On Sat, 21 Jan 2006 patricko (at mark) staff.singnet.com.sg wrote:
> 
> > 
> > Hi,
> > 
> > 
> > I think it is a format / conf issue.
> > 
> > 
> > 
> > 
> > Quite simple.
> > 
> > pop-b4-smtp is a hack.
> > 
> > Basically, qpopper needs to write its log to
> > /var/log/maillog <for BQ and cobalt>
> > 
> > Then a script daemon called poprelayd is run
> > to extract the IP from lines matching a specific regexp:
> > 
> >  /popper.*?POP login.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/
> > 
> > 
> > 
> > Then it will populate a DB: /etc/mail/popip.db 
> > 
> > 
> > 
> > By BQ - Cobalt default, sendmail will read
> > from that db with: 
> >  Kpopauth hash -a<MATCH> /etc/mail/popip.db
> >  and some m4 rulesets
> > 
> > to open relay for that specific IP for a short period.
> > 
> > 
> > 
> > 
> > I hope this helps
> > 
> > 
> > 
> > Cheers
> > patrick
> > 
> > 
> > 
> > On Sat, 21 Jan 2006, Hisao SHIBUYA wrote:
> > 
> > > Hi Leigh,
> > > 
> > > Please add the --enable-log-login option.
> > > If there are security or critical issues with the 4.0.5 release, I'll make
> > > a new package with the 4.0.8 release.
> > > 
> > > I don't have any information, does anyone have any information?
> > > 
> > > Regards,
> > > Hisao
> > > 
> > > 
> > > Leigh Blackwell wrote:
> > > > Hi Guys,
> > > > 
> > > > Haven't had the time to upgrade my BQ box to CentOS yet, but today I upgraded
> > > > my qpopper to 4.0.8, the current release, from 
> > > > 
> > > > http://www.eudora.com/products/unsupported/qpopper/index.html
> > > > 
> > > > I have managed to make it run OK with the following configuration....
> > > > 
> > > > ./configure --enable-cache-dir=/var/spool/mail --enable-home-dir-mail=mbox
> > > > 
> > > > But it isn't allowing my pop-before-smtp users to email out. I imagine I am
> > > > missing a setting as nothing else on the system has changed. Does anyone know
> > > > which option I am missing...
> > > > 
> > > > Thanks in advance 
> > > > 
> > > > Leigh 
> > > > 
> > > 
> > 
> > 
> 
>
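Added example, not code from this thread, from poprelayd or from the qpopper project: a small Python re-implementation of the extraction step Patrick describes (apply the quoted poprelayd regexp to maillog lines, remember each matching IP, let entries lapse after a short window) run over a few constructed log lines, to show which lines the regexp does and does not match once 4.0.8 logs "Servicing request" on every session, and to give something to point at a real /var/log/maillog to answer Patrick's sample-log question for your own build. The sample lines are made up here and are not captured qpopper 4.0.8 output; the 30-minute window, the function names, the octet range check and the makemap value column are assumptions of this example.

```python
import re
import time
from typing import Dict, Iterable, List, Optional

# The regexp quoted earlier in the thread as the one poprelayd applies to
# /var/log/maillog (Perl's surrounding /.../ dropped; the pattern is unchanged).
POP_LOGIN_RE = re.compile(
    r"popper.*?POP login.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)

# The thread only says the relay window is "a short period"; 30 minutes is an
# assumed value for this example.
RELAY_WINDOW_SECONDS = 30 * 60

# Constructed sample of a 4.0.8-style maillog. These lines are made up for the
# example, not captured from a real qpopper. Changelog item 18 says "Servicing
# request" is now logged for every session; --enable-log-login produces the
# "POP login" line the regexp keys on.
SAMPLE_MAILLOG = [
    'Jan 20 18:08:44 ns popper[11788]: (v4.0.8) Servicing request from "client1.example" at 192.0.2.10',
    'Jan 20 18:08:45 ns popper[11788]: (v4.0.8) POP login by user "leigh" at (client1.example) 192.0.2.10',
    'Jan 20 18:09:02 ns popper[11790]: (v4.0.8) POP login by user "bob" at (client2.example) 198.51.100.7',
    # Unrelated sendmail line: same IP, but no "popper ... POP login", so it must not match.
    'Jan 20 18:09:10 ns sendmail[11801]: k0KI9AAB011801: from=<leigh@example.com>, relay=client1.example [192.0.2.10]',
    # A login line carrying an impossible address: \d{1,3} accepts it, the octet check must not.
    'Jan 20 18:09:30 ns popper[11793]: (v4.0.8) POP login by user "eve" at (bad.example) 300.1.1.1',
]


def extract_pop_login_ip(line: str) -> Optional[str]:
    """Return the client IP from a popper 'POP login' line, or None.

    A "Servicing request" line on its own never matches: the regexp requires
    the literal text "POP login" after "popper".
    """
    m = POP_LOGIN_RE.search(line)
    if m is None:
        return None
    ip = m.group(1)
    # \d{1,3} also accepts 300.1.1.1; refuse octets outside 0-255 so a garbled
    # log line can never turn into a relay entry (added check, not poprelayd's).
    if all(0 <= int(octet) <= 255 for octet in ip.split(".")):
        return ip
    return None


def scan_log(lines: Iterable[str], observed_at: float,
             table: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """The core of the poprelayd loop: every matching line refreshes the
    IP's last-seen time. Call repeatedly with new lines as the log grows."""
    table = {} if table is None else table
    for line in lines:
        ip = extract_pop_login_ip(line)
        if ip is not None:
            table[ip] = observed_at
    return table


def allowed_ips(table: Dict[str, float], now: float,
                window: float = RELAY_WINDOW_SECONDS) -> List[str]:
    """IPs whose last POP login is still inside the relay window."""
    return sorted(ip for ip, seen in table.items() if now - seen <= window)


def expire(table: Dict[str, float], now: float,
           window: float = RELAY_WINDOW_SECONDS) -> int:
    """Drop entries older than the window; returns how many were removed."""
    stale = [ip for ip, seen in table.items() if now - seen > window]
    for ip in stale:
        del table[ip]
    return len(stale)


def render_makemap_input(table: Dict[str, float]) -> str:
    """Text in the key<TAB>value form that `makemap hash /etc/mail/popip.db`
    reads. The value column is the last-seen time here (an assumption); the
    Kpopauth line in the thread uses -a<MATCH>, which appends <MATCH> to
    whatever value is stored, so the lookup only needs the key to exist."""
    return "".join(f"{ip}\t{int(seen)}\n" for ip, seen in sorted(table.items()))


if __name__ == "__main__":
    now = time.time()
    relay_table = scan_log(SAMPLE_MAILLOG, observed_at=now)
    print("relay currently open for:", allowed_ips(relay_table, now))
    print("makemap input:\n" + render_makemap_input(relay_table), end="")
```

To check a real server, replace SAMPLE_MAILLOG with the lines of the actual /var/log/maillog after a test POP login: if extract_pop_login_ip returns None for every line, the "POP login" text is missing (the --enable-log-login build option Hisao mentions) or its wording changed, and that, not the extra "Servicing request" lines, is what the regexp trips on.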