The qpopper list archive ending on 12 Aug 2002
Topics covered in this issue include:
1. Re: Announce: OpenSSL exploits, patch your servers!
Peter Evans <peter at gol dot com>
Wed, 31 Jul 2002 12:38:20 +0900
2. I would like to have information about poppassd-4.0.4
yahagi_mayumi at itfrontier.co dot jp
Wed, 31 Jul 2002 13:11:03 +0900
3. Re: I would like to have information about poppassd-4.0.4
Peter Evans <peter at gol dot com>
Wed, 31 Jul 2002 14:10:22 +0900
4. Re: Announce: OpenSSL exploits, patch your servers!
Randall Gellens <randy at qualcomm dot com>
Wed, 31 Jul 2002 11:54:54 -0700
5. Question regarding SSL mode
SkyDeep <skyd at humankind dot com>
Wed, 31 Jul 2002 14:33:34 -0500
6. dealing with openssl updates and qpopper
"Brian C. Hill" <bchill at bch dot net>
Wed, 31 Jul 2002 12:44:10 -0700
7. Re: Question regarding SSL mode
Vince Nigro <vjnigro at i-2000 dot com>
Wed, 31 Jul 2002 16:39:51 -0400
8. Re: Question regarding SSL mode
SkyDeep <skyd at humankind dot com>
Wed, 31 Jul 2002 15:51:56 -0500
9. Re: Question regarding SSL mode
Vince Nigro <vjnigro at i-2000 dot com>
Wed, 31 Jul 2002 17:28:04 -0400
10. Re: dealing with openssl updates and qpopper
Kenneth Porter <shiva at well dot com>
31 Jul 2002 18:58:08 -0700
11. Re: Question regarding SSL mode
Wolfgang Breyha <wbreyha at gmx dot net>
Thu, 01 Aug 2002 15:24:25 +0200
12. Problem with ~/mail
Eckhard Jokisch <e.jokisch at u-code dot de>
Thu, 1 Aug 2002 16:29:51 +0200
13. Re: Problem with ~/mail
The Little Prince <thelittleprince at asteroid-b612 dot org>
Thu, 1 Aug 2002 08:56:54 -0700 (PDT)
14. Re: Question regarding SSL mode
Vince Nigro <vjnigro at i-2000 dot com>
Thu, 01 Aug 2002 12:44:26 -0400
15. Re: Question regarding SSL mode
Wolfgang Breyha <wbreyha at gmx dot net>
Thu, 01 Aug 2002 18:58:59 +0200
16. Re: Question regarding SSL mode
SkyDeep <skyd at humankind dot com>
Thu, 01 Aug 2002 14:35:07 -0500
17. Newbie Question
"Wil McGilvery" <wmcgilvery at lynch dot ca>
Fri, 2 Aug 2002 13:27:34 -0400
18. Qpopper on Mandrake
Kenneth Porter <shiva at well dot com>
05 Aug 2002 09:54:44 -0700
19. 64 bit option
mike miller <mikem at ndtel dot com>
Mon, 05 Aug 2002 13:19:54 -0500
20. Re: 64 bit option
"Brian C. Hill" <bchill at bch dot net>
Mon, 5 Aug 2002 11:33:27 -0700
21. retr command hangs...
"Karl Poulton" <karl_vts at hotmail dot com>
Tue, 06 Aug 2002 09:00:19 +0000
22. [Fwd: CERT Advisory CA-2002-25 Integer Overflow In XDR Library]
Kenneth Porter <shiva at well dot com>
06 Aug 2002 07:16:30 -0700
23. Re: [Fwd: CERT Advisory CA-2002-25 Integer Overflow In XDR Library]
Ken Hornstein <kenh at cmf.nrl.navy dot mil>
Tue, 06 Aug 2002 10:47:08 -0400
24. I/O error flushing output (long)
Brian Jackson <bjackson at conversent dot com>
Tue, 06 Aug 2002 12:17:36 -0400
25. RE: Qpopper on Mandrake
"Wil McGilvery" <wmcgilvery at lynch dot ca>
Tue, 6 Aug 2002 12:30:18 -0400
26. Re: retr command hangs...
Randall Gellens <randy at qualcomm dot com>
Tue, 6 Aug 2002 15:13:42 -0700
27. Filesystem quotas
"Alan W. Rateliff, II" <alan at yourvillage dot com>
Thu, 8 Aug 2002 12:12:44 -0400
28. Re: Filesystem quotas
Alan Brown <alanb at digistar dot com>
Thu, 8 Aug 2002 18:29:53 -0400 (EDT)
29. Re: Filesystem quotas
Kenneth Porter <shiva at well dot com>
08 Aug 2002 15:54:27 -0700
30. Re: Filesystem quotas
Michael Kolos <michael at colba dot net>
Fri, 09 Aug 2002 09:17:45 -0400
31. Qpopper openssl patch.
Brendan Bank <brendan at gnarst dot net>
Fri, 09 Aug 2002 16:25:35 +0200
32. Re: Filesystem quotas
"Alan W. Rateliff, II" <alan at yourvillage dot com>
Fri, 9 Aug 2002 12:53:18 -0400
33. Re: Filesystem quotas
Justin Shore <listuser at neo.pittstate dot edu>
Fri, 9 Aug 2002 12:15:18 -0500
34. Re: Filesystem quotas
"Jeff A. Earickson" <jaearick at colby dot edu>
Fri, 9 Aug 2002 13:10:45 -0400 (EDT)
35. opinion: filesystem quotas - how cheap is disk space?
"Brian C. Hill" <bchill at bch dot net>
Fri, 9 Aug 2002 10:56:24 -0700
36. Re: Filesystem quotas
Justin Shore <listuser at neo.pittstate dot edu>
Fri, 9 Aug 2002 13:08:06 -0500
37. Re: Qpopper openssl patch.
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Fri, 9 Aug 2002 11:37:39 -0700
38. Re: Qpopper openssl patch.
Randall Gellens <randy at qualcomm dot com>
Fri, 9 Aug 2002 11:49:02 -0700
39. Re: Filesystem quotas
Alan Brown <alanb at digistar dot com>
Fri, 9 Aug 2002 14:44:31 -0400 (EDT)
40. Maildir Format
J Bacher <jb at jbacher dot com>
Fri, 09 Aug 2002 13:45:11 -0500
41. Re: Filesystem quotas
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Fri, 9 Aug 2002 11:51:33 -0700
42. Re: Filesystem quotas
Kenneth Porter <shiva at well dot com>
09 Aug 2002 16:10:53 -0700
43. Re: Maildir Format
The Little Prince <thelittleprince at asteroid-b612 dot org>
Fri, 9 Aug 2002 19:36:31 -0700 (PDT)
44. Re: Filesystem quotas
"Alan W. Rateliff, II" <alan at yourvillage dot com>
Mon, 12 Aug 2002 01:26:10 -0400
45. Re: Filesystem quotas
Eric Luyten <Eric.Luyten at vub.ac dot be>
Mon, 12 Aug 2002 09:29:58 +0200 (MET DST)
46. Re: Filesystem quotas
Eric Luyten <Eric.Luyten at vub.ac dot be>
Mon, 12 Aug 2002 09:34:16 +0200 (MET DST)
47. Re: filesystem quotas
"Jeff A. Earickson" <jaearick at colby dot edu>
Mon, 12 Aug 2002 11:11:11 -0400 (EDT)
48. Re: filesystem quotas
Eric Luyten <Eric.Luyten at vub.ac dot be>
Mon, 12 Aug 2002 17:31:57 +0200 (MET DST)
49. Re: filesystem quotas
Gregory Hicks <ghicks at cadence dot com>
Mon, 12 Aug 2002 09:11:14 -0700 (PDT)
50. Re: filesystem quotas
"Jeff A. Earickson" <jaearick at colby dot edu>
Mon, 12 Aug 2002 12:06:44 -0400 (EDT)
Date: Wed, 31 Jul 2002 12:38:20 +0900
From: Peter Evans <peter at gol dot com>
Subject: Re: Announce: OpenSSL exploits, patch your servers!
Kenneth Porter (shiva at well dot com) wrote:
> Those of you who use the TLS feature of Qpopper with OpenSSL will need
> to patch your servers. New exploits were announced today. See
[snip]
http://www.cert.org/advisories/CA-2002-23.html
http://www.openssl.org/news/secadv_20020730.txt
> Randall, does Qpopper need a recompile after this, or does it link
> dynamically to the SSL libraries?
this is os and/or installation dependent, in my
case:
> ldd /usr/local/sbin/popper
libnsl.so.1 => /usr/lib/libnsl.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libmail.so.1 => /usr/lib/libmail.so.1
librt.so.1 => /usr/lib/librt.so.1
libcrypt_i.so.1 => /usr/lib/libcrypt_i.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libc.so.1 => /usr/lib/libc.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libaio.so.1 => /usr/lib/libaio.so.1
libgen.so.1 => /usr/lib/libgen.so.1
/usr/platform/SUNW,Sun-Blade-1000/lib/libc_psr.so.1
I think you should be looking for libssl.*
here, ssh doesn't use it and a cursory investigation
seems to imply that libssl is the one to worry about.
(there's nothing on the openssh site to confirm/deny that though)
P
----*
--
END OF LINE.
Subject: I would like to have information about poppassd-4.0.4
From: yahagi_mayumi at itfrontier.co dot jp
Date: Wed, 31 Jul 2002 13:11:03 +0900
Hello.
This is Mayumi Yahagi of IT Frontier co.Ltd.
I send to this mailing list for the first time.
I would like to know if poppassd can be used on Solaris8.
I compiled and installed qpopper-4.0.4 with poppassd on Solaris8.
The commands I executed are following:
1. % cd /usr/local/src/qpopper4.0.4
2. % ./configure --enable-poppassd
3. % make
4. # make install
Moreover, I edited /etc/inetd.conf, /etc/syslog.conf, and /etc/services
for using qpopper and poppassd.
The description is following:
:/etc/inetd.conf:
pop3 stream tcp nowait root /usr/local/lib/popper qpopper -s -R -S
poppassd stream tcp nowait root /usr/local/lib/poppassd poppassd -R -p /bin/passwd
:/etc/syslog.conf:
local0.notice;local0.debug /var/log/popper.log
local2.err /var/log/poppassd.log
:/etc/services:
pop3 11/tcp # Post Office Protocol - Version3
poppassd 106/tcp # POP password change
After editing those files, I refreshed the daemon: inetd, syslogd.
Next, I examined using qpopper and poppassd.
The ways of tests are executing "telnet" to port 106(poppassd) and port
110(qpopper), and using softwares on PC.
As a result, I could use qpopper with no problem, but could not use
poppassd successfully.
In detail, I could connect to port 106, but could not change password.
The message appeared in log file is following:
"Jul 26 14:01:00 yatabe poppassd[830]: [ID 702911 local2.error] passwd
failed for test"
I would like to know the cause that I could not change password using
poppassd-4.0.4:
because poppassd is not be applied to Solaris8, I compiled and installed in
the wrong way, or the description of files is wrong.
Would you please let me have information?
Date: Wed, 31 Jul 2002 14:10:22 +0900
From: Peter Evans <peter at gol dot com>
Subject: Re: I would like to have information about poppassd-4.0.4
yahagi_mayumi at itfrontier.co.jp (yahagi_mayumi at itfrontier dot co dot jp) wrote:
> Subject: I would like to have information about poppassd-4.0.4
> I would like to know if poppassd can be used on Solaris8.
yes, but you *have* read the README in the password directory?
particularly the warnings about how much fun you can have with
it and tcp_wrappers.
> "Jul 26 14:01:00 yatabe poppassd[830]: [ID 702911 local2.error] passwd
> failed for test"
> Would you please let me have information?
poppassd appears to have both a -t <trace> and -d <debug> flags.
you should probably use them, and tcp_wrappers ...
one possibility from looking at the code is that the matching
for the various types of /bin/passwd is too strict, but I don't
think so. (I'm not prepared to install poppassd on my machine.)
P
----*
too hot in Otemachi -.-;;
--
END OF LINE.
Date: Wed, 31 Jul 2002 11:54:54 -0700
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Announce: OpenSSL exploits, patch your servers!
At 8:08 PM -0700 7/30/02, Kenneth Porter wrote:
> Randall, does Qpopper need a recompile after this, or does it link
> dynamically to the SSL libraries?
This depends on the platform and configuration procedures.
Thanks for bringing this to people's attention.
Date: Wed, 31 Jul 2002 14:33:34 -0500
From: SkyDeep <skyd at humankind dot com>
Subject: Question regarding SSL mode
Hi, I have a quick question and hope someone can help... I could not find
anything on the Qualcomm site relating to this (and there are several
errors in their tutorial on setting up SSL support in qpopper).
I am running FreeBSD and have compiled QPopper to support SSL (using
OpenSSL 9.6e). I finally got everything working by setting up a temporary
certificate and signing it myself and then telling my Eudora client to
"trust" the certificate.
It looks like I can now check mail in SSL mode, however when I do, it never
pulls my mail off the server. I get no error messages or anything and it
acts as if I have no new mail when I actually do. If I switch the client
to not check mail in SSL mode, it retrieves my mail. Does anyone know what
might be causing this?
Date: Wed, 31 Jul 2002 12:44:10 -0700
From: "Brian C. Hill" <bchill at bch dot net>
Subject: dealing with openssl updates and qpopper
One way to be sure your qpopper has been dynamically linked (in
addition to using ldd), is to run fuser or lsof on the openssl libs and
see if your qpopper pid(s) has them open. I have rebuilt openssl a
couple of times and not needed to rebuild qpopper, just restart it.
I suggest moving the libs to another name using mv just before
you actually install the newly built openssl and then restarting qpopper
just after that. The 'mv' will not affect programs that already
have files open (libraries, for example).
Brian
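The two checks Brian describes (is popper dynamically linked against OpenSSL, and is a running popper still holding the old library), as an added shell example that is not part of the original thread. It assumes a Linux-style `/proc/<pid>/maps` and a hypothetical `.old` suffix for the moved-aside library; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.

# links_openssl: reads `ldd <binary>` output on stdin, prints the libssl /
# libcrypto lines, and returns 0 only if the binary resolves OpenSSL at run
# time. A dynamically linked popper picks up a patched library on restart;
# a statically linked one has to be rebuilt.
links_openssl() {
    grep -E '^[[:space:]]*lib(ssl|crypto)\.so[^[:space:]]*[[:space:]]+=>'
}

# stale_openssl_pids PROC_ROOT [OLD_SUFFIX]: prints the PIDs that still map
# the pre-upgrade library. A process that mapped the library before the `mv`
# keeps the old inode; on Linux its maps entry then shows the moved-aside
# name, or "(deleted)" if the old file was unlinked. Those PIDs are the ones
# that still need a restart. OLD_SUFFIX (default .old) is an assumed naming
# convention for the moved-aside file.
stale_openssl_pids() {
    proc_root=${1:-/proc}
    old_suffix=${2:-.old}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        awk -v suf="$old_suffix" '
            # field 6 is the mapped path; only OpenSSL libraries matter here
            $6 ~ /\/lib(ssl|crypto)\.so/ {
                tail = substr($6, length($6) - length(suf) + 1)
                if ($NF == "(deleted)" || tail == suf) stale = 1
            }
            END { exit (stale ? 0 : 1) }
        ' "$maps" 2>/dev/null && echo "$pid"
    done
    return 0
}

# make_demo_proc: builds a constructed /proc-like tree and prints its path.
#   101 maps the moved-aside library        -> stale
#   102 maps the freshly installed library  -> current
#   103 maps an unlinked libcrypto          -> stale
#   104 does not use OpenSSL at all
make_demo_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/102" "$root/103" "$root/104"
    printf '%s\n' \
        '08048000-08060000 r-xp 00000000 08:01 1234 /usr/local/sbin/popper' \
        '40017000-40045000 r-xp 00000000 08:01 5678 /usr/lib/libssl.so.0.9.6.old' \
        > "$root/101/maps"
    printf '%s\n' \
        '08048000-08060000 r-xp 00000000 08:01 1234 /usr/local/sbin/popper' \
        '40017000-40045000 r-xp 00000000 08:01 9012 /usr/lib/libssl.so.0.9.6' \
        > "$root/102/maps"
    printf '%s\n' \
        '08048000-08060000 r-xp 00000000 08:01 1234 /usr/local/sbin/popper' \
        '40050000-40110000 r-xp 00000000 08:01 5679 /usr/lib/libcrypto.so.0.9.6 (deleted)' \
        > "$root/103/maps"
    printf '%s\n' \
        '08048000-08060000 r-xp 00000000 08:01 2222 /usr/sbin/inetd' \
        > "$root/104/maps"
    echo "$root"
}

# Demo on the constructed tree. On a live Linux host the equivalents are:
#   ldd /usr/local/sbin/popper | links_openssl
#   stale_openssl_pids /proc .old
demo_root=$(make_demo_proc)
echo "PIDs still on the old library: $(stale_openssl_pids "$demo_root" | tr '\n' ' ')"
rm -rf "$demo_root"
```

On Solaris and FreeBSD, the platforms most posters here run, `/proc` is laid out differently, so `fuser` or `lsof` on the library path (as Brian suggests) is the way to get the same answer.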
Date: Wed, 31 Jul 2002 16:39:51 -0400
From: Vince Nigro <vjnigro at i-2000 dot com>
Subject: Re: Question regarding SSL mode
At 02:33 PM 7/31/2002 -0500, SkyDeep wrote:
>I am running FreeBSD and have compiled QPopper to support SSL (using
>OpenSSL 9.6e). I finally got everything working by setting up a temporary
>certificate and signing it myself and then telling my Eudora client to
>"trust" the certificate.
>
>It looks like I can now check mail in SSL mode, however when I do, it
>never pulls my mail off the server. I get no error messages or anything
>and it acts as if I have no new mail when I actually do. If I switch the
>client to not check mail in SSL mode, it retrieves my mail. Does anyone
>know what might be causing this?
Hello,
I am having the same problem on Solaris 7 and 8 , it seems to be related to
OpenSSL 0.9.6d and OpenSSL 0.9.6e and qpopper 4.04
When I go back to OpenSSL 0.96c it works.
It just seems to be a problem with the Eudora client, it works with
Outlook Express. (Alternate Port)
If you turn on debug in qpopper and check your logs, you will see a "probe"
error like this:
Jul 31 16:32:35 ns1 popper[14498]: [ID 702911 local0.warning] Possible
probe of account jjoe from host 207.41.177.201 (207.41.177.201) [pop_quit.c:29]
Looks like some type of timing error with pop quit command and SSL.
I sent a note to qualcomm with the details, but have not had a reply yet.
vince
Date: Wed, 31 Jul 2002 15:51:56 -0500
From: SkyDeep <skyd at humankind dot com>
Subject: Re: Question regarding SSL mode
At 04:39 PM 7/31/02 -0400, you wrote:
>At 02:33 PM 7/31/2002 -0500, SkyDeep wrote:
>
>>I am running FreeBSD and have compiled QPopper to support SSL (using
>>OpenSSL 9.6e). I finally got everything working by setting up a
>>temporary certificate and signing it myself and then telling my Eudora
>>client to "trust" the certificate.
>>
>>It looks like I can now check mail in SSL mode, however when I do, it
>>never pulls my mail off the server. I get no error messages or anything
>>and it acts as if I have no new mail when I actually do. If I switch the
>>client to not check mail in SSL mode, it retrieves my mail. Does anyone
>>know what might be causing this?
>
>Hello,
>
>I am having the same problem on Solaris 7 and 8 , it seems to be related
>to OpenSSL 0.9.6d and OpenSSL 0.9.6e and qpopper 4.04
>When I go back to OpenSSL 0.96c it works.
>It just seems to be a problem with the Eudora client, it works with
>Outlook Express. (Alternate Port)
>
>If you turn on debug in qpopper and check your logs, you will see a
>"probe" error like this:
>Jul 31 16:32:35 ns1 popper[14498]: [ID 702911 local0.warning] Possible
>probe of account jjoe from host 207.41.177.201 (207.41.177.201) [pop_quit.c:29]
>
>Looks like some type of timing error with pop quit command and SSL.
>
>I sent a note to qualcomm with the details, but have not had a reply yet.
I'm under the impression that it's unwise to use any version of OpenSSL
other than the latest one. Do you think this is a bug with Eudora, Qpopper
or the current OpenSSL library?
Glad to know I wasn't going crazy. ; )
I guess I'll tell my users that SSL won't be available for Eudora users
until the problem is fixed.
Date: Wed, 31 Jul 2002 17:28:04 -0400
From: Vince Nigro <vjnigro at i-2000 dot com>
Subject: Re: Question regarding SSL mode
>
>I'm under the impression that it's unwise to use any version of OpenSSL
>other than the latest one. Do you think this is a bug with Eudora,
>Qpopper or the current OpenSSL library?
Not sure where the problem is among these 3 programs, but it is probably
best not use earlier versions of OpenSSL until it can be analyzed in depth.
>Glad to know I wasn't going crazy. ; )
>
>I guess I'll tell my users that SSL won't be available for Eudora users
>until the problem is fixed.
>
Subject: Re: dealing with openssl updates and qpopper
From: Kenneth Porter <shiva at well dot com>
Date: 31 Jul 2002 18:58:08 -0700
On Wed, 2002-07-31 at 12:44, Brian C. Hill wrote:
> I suggest moving the libs to another name using mv just before
> you actually install the newly built openssl and then restarting qpopper
> just after that. The 'mv' will not affect programs that already
> have files open (libraries, for example).
Good point! In fact, not doing this has locked some people out of remote
systems because their sshd server had its SSL support knocked out from
under it before the new library had been tested. I've also seen it
suggested that one use PRELOAD on the SSL libraries to keep them in
memory. See the SlashDot thread for some discussion about this.
This shouldn't affect file handles already open, but I get the
impression that some dynamic linker implementations re-open the library
for each new API connection, and the PRELOAD would force all symbols to
be resolved right away, before the library was moved to a new name.
Date: Thu, 01 Aug 2002 15:24:25 +0200
From: Wolfgang Breyha <wbreyha at gmx dot net>
Subject: Re: Question regarding SSL mode
At 16:39 31.07.2002 -0400, you wrote:
>Hello,
>
>I am having the same problem on Solaris 7 and 8 , it seems to be related to OpenSSL 0.9.6d and OpenSSL 0.9.6e and qpopper 4.04
>When I go back to OpenSSL 0.96c it works.
>It just seems to be a problem with the Eudora client, it works with Outlook Express. (Alternate Port)
Same Problem on Linux (RH 6.0). Doesn't matter if you link openssl 0.9.6d+ statically or shared.
>If you turn on debug in qpopper and check your logs, you will see a "probe" error like this:
>Jul 31 16:32:35 ns1 popper[14498]: [ID 702911 local0.warning] Possible probe of account jjoe from host 207.41.177.201 (207.41.177.201) [pop_quit.c:29]
With debugging enabled (-d and --enable-debugging) the SSL-handshake with Eudora seems to work. Eudora sends the USER <bla> Command then. qpopper sends back the +OK and then Eudora responds with "QUIT"! Don't know why.
Even the SSL-Manager in Eudora tells everything should be fine.
>Looks like some type of timing error with pop quit command and SSL.
I don't think so. Something in the SSL-Communication goes terribly wrong and Eudora does a "QUIT" after "USER". It seems as if Eudora can't read the "+OK" response properly.
I'm trying a workaround currently by applying the patch
http://www.openssl.org/news/patch_20020730_0_9_6d.txt
to openssl-0.9.6c. It fails in the CHANGES File, but who cares;-)
It's compiling now...installing....restarting qpopper....
Aug 1 15:20:39 xxxxxxx popper[32050]: (v4.0.4-netway) TLSv1/SSLv3 handshake with client at xxxxxxxxxxx (xxx.xxx.xxx.xx); new session-id; cipher: DES-CBC3-SHA (DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=ES(168) Mac=SHA1), 168 bits
Aug 1 15:20:39 xxxxxxx popper[32050]: Stats: xxxxxxx 0 0 1 379 xxxxxxxxx xxx.xxx.xxx.xx
Aug 1 15:20:39 xxxxxxx popper[32050]: Timing for xxxxxxx@xxxxxxxxxxxxx (normal) auth=0 init=0 clean=0
There we're again;-) Works perfectly for now...
Regards,
Wolfgang Breyha
--
/ recursive, adj.; see recursive. -- Unknown \
( Wolfgang Breyha <wbreyha at gmx.net> - http://mash.nwy dot at )
\ System Engineering UTA/netway - Vienna - Austria /
From: Eckhard Jokisch <e.jokisch at u-code dot de>
Subject: Problem with ~/mail
Date: Thu, 1 Aug 2002 16:29:51 +0200
Hello,
I installed qpopper-4.0.4 with the built-in option --home-dir-mail=mail/. All
incoming mail is stored in ~/mail/Inbox.
When I try to fetch mail from this server I just don't get anything.
Using an IMAP account works perfect.
Also with --home-dir-mail=mail it doesn't work.
Can anybody help me out?
Thanks in advance
Eckhard Jokisch
Date: Thu, 1 Aug 2002 08:56:54 -0700 (PDT)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: Problem with ~/mail
On Thu, 1 Aug 2002, Eckhard Jokisch wrote:
> Hello,
> I installed qpopper-4.0.4 with the built-in option --home-dir-mail=mail/. All
> incoming mail is stored in ~/mail/Inbox.
> When I try to fetch mail from this server I just don't get anything.
> Using an IMAP account works perfect.
> Also with --home-dir-mail=mail it doesn't work.
>
umm, --home-dir-mail=mail/Inbox
?
I THINK what you pass it refers to the actual spool file, not the
directory the spool is in.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"Strange, but it seems, there's a mutiny brewing inside of me"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Date: Thu, 01 Aug 2002 12:44:26 -0400
From: Vince Nigro <vjnigro at i-2000 dot com>
Subject: Re: Question regarding SSL mode
>
>
>I don't think so. Something in the SSL-Communication goes terribly wrong
>and Eudora does a "QUIT" after "USER". It seems as if Eudora can't read the
>"+OK" response properly.
>
>I'm trying a workaround currently by applying the patch
>http://www.openssl.org/news/patch_20020730_0_9_6d.txt
>to openssl-0.9.6c. It fails in the CHANGES File, but who cares;-)
You state that you applied this patch to openssl-0.9.6c, do you mean
openssl-0.9.6e?
openssl-0.9.6c and earlier does not exhibit the problem, and for security
reasons you would only want to run openssl-0.9.6e at this point.
thanks,
vince
Date: Thu, 01 Aug 2002 18:58:59 +0200
From: Wolfgang Breyha <wbreyha at gmx dot net>
Subject: Re: Question regarding SSL mode
At 12:44 01.08.2002 -0400, Vince Nigro wrote:
>>I don't think so. Something in the SSL-Communication goes terribly wrong and Eudora does a "QUIT" after "USER". It seems as if Eudora can't read the "+OK" response properly.
>>
>>I'm trying a workaround currently by applying the patch
>>http://www.openssl.org/news/patch_20020730_0_9_6d.txt
>>to openssl-0.9.6c. It fails in the CHANGES File, but who cares;-)
>
>You state that you applied this patch to openssl-0.9.6c, do you mean openssl-0.9.6e?
>openssl-0.9.6c and earlier does not exhibit the problem, and for security reasons you would only want to run openssl-0.9.6e at this point.
As I already answered to Vince personally:
The patch above is for openssl-0.9.6d -> 0.9.6e.
Since releases "e" and "d" are not working properly with qpopper I tried to apply the fixes from the "e" release to the older "c" release by using the above patch on openssl-0.9.6c.
So some minor fixes between "c" and "d" are missing (and the one not working with qpopper), but the security fixes from the advisory are applied!
Regards,
Wolfgang
--
/ recursive, adj.; see recursive. -- Unknown \
( Wolfgang Breyha <wbreyha at gmx.net> - http://mash.nwy dot at )
\ System Engineering UTA/netway - Vienna - Austria /
Date: Thu, 01 Aug 2002 14:35:07 -0500
From: SkyDeep <skyd at humankind dot com>
Subject: Re: Question regarding SSL mode
>
>I'm trying a workaround currently by applying the patch
>http://www.openssl.org/news/patch_20020730_0_9_6d.txt
>to openssl-0.9.6c. It fails in the CHANGES File, but who cares;-)
>
>It's compiling now...installing....restarting qpopper....
>Aug 1 15:20:39 xxxxxxx popper[32050]: (v4.0.4-netway) TLSv1/SSLv3
>handshake with client at xxxxxxxxxxx (xxx.xxx.xxx.xx); new session-id;
>cipher: DES-CBC3-SHA (DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=ES(168)
>Mac=SHA1), 168 bits
>Aug 1 15:20:39 xxxxxxx popper[32050]: Stats: xxxxxxx 0 0 1 379 xxxxxxxxx
>xxx.xxx.xxx.xx
>Aug 1 15:20:39 xxxxxxx popper[32050]: Timing for xxxxxxx@xxxxxxxxxxxxx
>(normal) auth=0 init=0 clean=0
>
>There we're again;-) Works perfectly for now...
So it sounds to me like there is a problem in the OpenSSL code. But the
question is, does your patch address the buffer overflow vulnerabilities
identified by CERT?
I figure we can expect to see OpenSSL 9.6f in the next week or
so.... hopefully I'm going to love having to re-compile all my ssl apps
again... sigh
Has anyone notified OpenSSL of this issue?
Subject: Newbie Question
Date: Fri, 2 Aug 2002 13:27:34 -0400
From: "Wil McGilvery" <wmcgilvery at lynch dot ca>
I tried to install Qpopper 4.0.4 on a Mandrake 8.1 machine.
I installed the program in /usr/local/qpopper4.0.4/popper using enable
bulletins, enable server mode
I edited the host.allow file to read popper:all
I set up a pop3 file in xinetd.d as outlined in the qpopper FAQ.
I removed the files relating to ipop3.
When I try to telnet to port 110 it just hangs. The telnet session does
not return an error.
I looked under /var/logs/mail/log/errors and I can't see any references
to qpopper.
When I use the ipop3 server - everything works fine.
Any help is appreciated.
Regards,
Wil McGilvery
Manager, Digital Media
Lynch Technologies Inc.
416-744-7191
1-888-622-3729
416-744-0406 FAX
<http://www.lynchdigital.com/> www.lynchdigital.com
Subject: Qpopper on Mandrake
From: Kenneth Porter <shiva at well dot com>
Date: 05 Aug 2002 09:54:44 -0700
On Fri, 2002-08-02 at 10:27, Wil McGilvery wrote:
> I tried to install Qpopper 4.0.4 on a Mandrake 8.1 machine.
> When I try to telnet to port 110 it just hangs. The telnet session
> does not return an error.
> I looked under /var/logs/mail/log/errors and I can't see any
> references to qpopper.
After attempting to connect, use "ls -lt | head" on all directories
under /var/log. Note which files just changed. Then run tail on each of
those to see if there are any qpopper-related messages. *Something* should
have logged an error.
When you restarted xinetd, did it report any problems with its config
files?
Please reply to the list so others can benefit from any resolution.
Date: Mon, 05 Aug 2002 13:19:54 -0500
From: mike miller <mikem at ndtel dot com>
Subject: 64 bit option
will qpopper support compiling in a 64 bit mode on solaris 8? I didn't
see any thing about it on the qpopper site....
Date: Mon, 5 Aug 2002 11:33:27 -0700
From: "Brian C. Hill" <bchill at bch dot net>
Subject: Re: 64 bit option
If you mean building a 64-bit binary, it does work. If you
build it in standalone, you will need to change a small snippet of code
in main.c that handles errors. I have attached the diff.
Brian
=====================================================================
On Mon, Aug 05, 2002 at 01:19:54PM -0500, mike miller wrote:
> will qpopper support compiling in a 64 bit mode on solaris 8? I didn't
> see any thing about it on the qpopper site....
--
_____________________________________________________________________
/ Brian C. Hill bchill at bch.net http://brian.bch dot net \
| Unix Specialist BCH Technical Services http://www.bch.net |
From: "Karl Poulton" <karl_vts at hotmail dot com>
Subject: retr command hangs...
Date: Tue, 06 Aug 2002 09:00:19 +0000
Can anybody help?
I am very new to qpopper and have very little knowledge about it.
I keep getting a problem where a POP3 client cannot download mail. If I
telnet to the server and perform a retr command, it gets half way through
displaying the message and stops. It is just a plain text message! Any
ideas???
Subject: [Fwd: CERT Advisory CA-2002-25 Integer Overflow In XDR Library]
From: Kenneth Porter <shiva at well dot com>
Date: 06 Aug 2002 07:16:30 -0700
http://www.cert.org/advisories/CA-2002-25.html
This may affect qpopper users using Kerberos, and may also affect DRAC
as it uses RPC to receive commands from Qpopper.
Subject: Re: [Fwd: CERT Advisory CA-2002-25 Integer Overflow In XDR Library]
Date: Tue, 06 Aug 2002 10:47:08 -0400
From: Ken Hornstein <kenh at cmf.nrl.navy dot mil>
>http://www.cert.org/advisories/CA-2002-25.html
>
>This may affect qpopper users using Kerberos, and may also affect DRAC
>as it uses RPC to receive commands from Qpopper.
FYI: This CERT Advisory does NOT affect people using Kerberos with
Qpopper. MIT Kerberos only uses RPC for the admin system, not for the
base Kerberos protocol itself, so this doesn't affect it. Note that
you do need to patch your Kerberos admin server, though, but Qpopper
itself is not affected.
--Ken
Date: Tue, 06 Aug 2002 12:17:36 -0400
From: Brian Jackson <bjackson at conversent dot com>
Subject: I/O error flushing output (long)
Hi All -
Well, we've done the obligatory google search, archive search, and
came up with nothing. We're looking for any and all suggestions.
Please see below for details.
We recently upgraded to a new hardware platform, and started having
issues immediately with Broken pipes and I/O flushing. We receive these
at the rate of about 2 a second.
Log entry:
Aug 6 11:42:48 host /usr/local/sbin/popper[25473]: [ID 702911
local3.notice] I/O error flushing output to client (username) at
(hostname) [(IP address)]: Broken pipe (32)
We've recompiled popper for trace support. Here's the trace for the
above session:
Aug 6 10:24:44.451 2002 [5789] Received (13): "USER (username)"
[pop_get_command.c:105]
Aug 6 10:24:44.452 2002 [5789] user name downcased to '(username)'
[pop_user.c:442]
Aug 6 10:24:44.453 2002 [5789] home (22): '/usr/mailhome/(username)'
[pop_user.c:215]
Aug 6 10:24:44.453 2002 [5789] +OK Password required for (username).
[pop_user.c:426]
Aug 6 10:24:44.453 2002 [5789] Qpopper ready for input from (username)
at (hostname) [(IP address)] [popper.c:285]
Aug 6 10:24:44.480 2002 [5789] ...built: (46)
'/usr/mailhome/(username)/' [genpath.c:158]
Aug 6 10:24:44.480 2002 [5789] genpath Spool (1) [hash: 0; home: .mail]
for user (username) returning /usr/mailhome/(username)/.mail [genpath.c:233]
Aug 6 10:24:44.480 2002 [5789] genpath old .pop (5) [hash: 0; home:
.mail] for user (username) returning /var/mail/.(username).pop
[genpath.c:233]
Aug 6 10:24:44.481 2002 [5789] genpath .pop (2) [hash: 0; home: .mail]
for user (username) returning /var/mail/.(username).pop [genpath.c:233]
Aug 6 10:24:44.481 2002 [5789] Temporary maildrop name:
'/var/mail/.(username).pop' [pop_dropcopy.c:1255]
Aug 6 10:24:44.833 2002 [5789] Opened temp drop
/var/mail/.(username).pop (5) [pop_dropcopy.c:1501]
Aug 6 10:24:44.851 2002 [5789] successfully opened (exclusive) lock
/usr/mailhome/(username)/.mail.lock [maillock.c:477]
Aug 6 10:24:44.851 2002 [5789] maillock() on file
/usr/mailhome/(username)/.mail (/usr/mailhome/(username)/.mail.lock)
[pop_dropcopy.c:1631] returning 0 (1 attempt(s)) [maillock.c:549]
Aug 6 10:24:44.852 2002 [5789] Opened spool
/usr/mailhome/(username)/.mail (6) [pop_dropcopy.c:1663]
Aug 6 10:24:44.852 2002 [5789] genpath .cache (6) [hash: 0; home:
.mail] for user (username) returning /var/mail/.(username).cache
[genpath.c:233]
Aug 6 10:24:44.853 2002 [5789] Read cache file
"/var/mail/.(username).cache"; msg_count=0; toc_size=0; drop_size=0;
spool_end=0; first_msg_hidden=0; visible_msg_count=0 [pop_cache.c:429]
Aug 6 10:24:44.853 2002 [5789] Last bulletin sent to (username) was 6
[pop_bull.c:579]
Aug 6 10:24:44.864 2002 [5789] mailunlock() called
[pop_dropcopy.c:1807] for /usr/mailhome/(username)/.mail.lock
[maillock.c:579]
Aug 6 10:24:44.865 2002 [5789] +OK (username) has 0 visible messages (0
hidden) in 0 octets. [pop_pass.c:1446]
Aug 6 10:24:44.865 2002 [5789] Qpopper ready for input from (username)
at (hostname) [(IP Address)] [popper.c:285]
Aug 6 10:24:44.902 2002 [5789] Qpopper ready for input from (username)
at (hostname) [(IP Address)] [popper.c:285]
Aug 6 10:24:44.921 2002 [5789] Stats: (username) 0 0 0 0 (hostname) (IP
address) [pop_updt.c:296]
Aug 6 10:24:44.922 2002 [5789] genpath .cache (6) [hash: 0; home:
.mail] for user (username) returning /var/mail/.(username).cache
[genpath.c:233]
Aug 6 10:24:45.009 2002 [5789] Wrote cache file
"/var/mail/.(username).cache"; msg_count=0; toc_size=0; drop_size=0;
spool_end=0 [pop_cache.c:248]
Aug 6 10:24:45.156 2002 [5789] Unlinked [pop_updt.c:311] temp drop
(/var/mail/.(username).pop) [pop_updt.c:146]
Aug 6 10:24:45.157 2002 [5789] I/O error flushing output to
client (username) at (hostname) [(IP address)]: Broken pipe (32)
[pop_send.c:685]
Aug 6 10:24:45.157 2002 [5789] (v4.0.3) Ending request from
"(username)" at ((hostname)) (IP address) [popper.c:369]
Here's the appropriate code snippet (pop_send.c)
/*
 * Flush the output that might be buffered to client
 */
void
pop_write_flush ( POP *p )
{
    int rslt = 0;
    if ( p->nOutBufUsed > 0 ) {
        pop_write_now ( p, p->pcOutBuf, p->nOutBufUsed );
        p->nOutBufUsed = 0;
    }
    if ( p->tls_started ) {
        rslt = pop_tls_flush ( p->tls_context );
    } else {
        rslt = fflush ( p->output );
    }
    if ( rslt == EOF ) {
        if ( p->tls_started )
            pop_log ( p, POP_NOTICE, HERE, "Error flushing data to client" );
        else {
            int e = ferror ( p->output );
            pop_log ( p, POP_NOTICE, HERE,
                      "I/O error flushing output to client %s at %s [%s]: "
                      "%s (%d)",
                      p->user, p->client, p->ipaddr, STRERROR(e), e );
        }
    } /* flush failed */
#ifdef _DEBUG
    else
        DEBUG_LOG0 ( p, "#flushed output to client" );
#endif /* _DEBUG */
}
Thanks again for any and all help / pointers / suggestions.
Brian
--
Brian Jackson
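Added example (not part of the original post and not Qpopper code): the pop_send.c snippet above hands the return value of ferror() to STRERROR, but ferror() only reports whether the stream's error indicator is set, so that number is a flag rather than an errno value. The sketch below captures errno immediately after the failing fflush() instead; the struct, the function names and the reply text are assumptions made for illustration, and a pipe with its read end closed stands in for a client that has disconnected.

```c
#define _POSIX_C_SOURCE 200809L  /* fdopen(), pipe() */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical result record for this example (not a Qpopper type). */
struct flush_result {
    int rc;           /* fflush() return value: 0 or EOF */
    int saved_errno;  /* errno captured right after the failing fflush() */
    int ferror_flag;  /* ferror() result: nonzero flag, not an error number */
};

/* Flush a stream and record why it failed. errno is read before any other
 * library call can overwrite it; ferror() is kept only to show that it is
 * a yes/no indicator. */
struct flush_result flush_and_diagnose(FILE *out)
{
    struct flush_result r = { 0, 0, 0 };

    errno = 0;
    r.rc = fflush(out);
    if (r.rc == EOF) {
        r.saved_errno = errno;
        r.ferror_flag = ferror(out);
    }
    return r;
}

/* Constructed stand-in for a POP client that disconnected early: a pipe
 * whose read end is already closed, wrapped in a buffered stdio stream. */
FILE *stream_to_closed_peer(void)
{
    int fds[2];
    FILE *fp;

    if (pipe(fds) != 0)
        return NULL;
    close(fds[0]);                 /* the "client" goes away */
    signal(SIGPIPE, SIG_IGN);      /* get EPIPE from write() instead of a signal */
    fp = fdopen(fds[1], "w");
    if (fp == NULL)
        close(fds[1]);
    return fp;
}

/* Queue a reply, then flush it to the vanished peer. */
struct flush_result demo_closed_peer(void)
{
    struct flush_result r = { EOF, 0, 0 };
    FILE *out = stream_to_closed_peer();

    if (out == NULL) {
        r.saved_errno = errno;
        return r;
    }
    fputs("+OK constructed reply\r\n", out);  /* small write, stays buffered */
    r = flush_and_diagnose(out);
    fclose(out);
    return r;
}

int main(void)
{
    struct flush_result r = demo_closed_peer();

    if (r.rc == EOF)
        printf("flush failed: %s (errno %d); ferror() returned %d\n",
               strerror(r.saved_errno), r.saved_errno, r.ferror_flag);
    else
        printf("flush succeeded\n");
    return 0;
}
```

Logging the saved errno separates a client that hung up (EPIPE) from other write failures, which a bare ferror() result cannot do.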
Subject: RE: Qpopper on Mandrake
Date: Tue, 6 Aug 2002 12:30:18 -0400
From: "Wil McGilvery" <wmcgilvery at lynch dot ca>
I have solved the problem.
I copied the popper executable into /usr/sbin and edited the pop3 in my
xinetd.d directory. Everything works fine.
Thank you for your assistance.
Regards,
Wil McGilvery
Manager, Digital Media
Lynch Technologies Inc.
416-744-7191
1-888-622-3729
416-744-0406 FAX
www.lynchdigital.com
-----Original Message-----
From: Kenneth Porter [mailto:shiva at well dot com]
Sent: Monday, August 05, 2002 12:55 PM
To: Wil McGilvery
Cc: Subscribers of Qpopper
Subject: Qpopper on Mandrake
On Fri, 2002-08-02 at 10:27, Wil McGilvery wrote:
> I tried to install Qpopper 4.0.4 on a Mandrake 8.1 machine.
> When I try to telnet to port 110 it just hangs. The telnet session
> does not return an error.
> I looked under /var/logs/mail/log/errors and I can't see any
> references to qpopper.
After attempting to connect, use "ls -lt | head" on all directories
under /var/log. Note which files just changed. Then run tail on each of
those to see if there's any qpopper-related messages. *Something* should
have logged an error.
When you restarted xinetd, did it report any problems with its config
files?
Please reply to the list so others can benefit from any resolution.
Date: Tue, 6 Aug 2002 15:13:42 -0700
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: retr command hangs...
At 9:00 AM +0000 8/6/02, Karl Poulton wrote:
> Can anybody help?
>
> I am very new to qpopper and have very little knowledge about it.
>
> I keep getting a problem where a POP3 client cannot download mail.
> If I telnet to the server and perform a retr command, it gets half
> way through displaying the message and stops. It is just a plain
> text message! Any ideas???
Two things that would help show what is happening: run Qpopper under
a kernel/syscall trace utility (these differ from one OS to another,
on Solaris use truss(1), on OpenBSD use ktrace(1), on Linux use
strace(1), etc.). To do this, you'll need to modify how Qpopper is
started (e.g., command line, inetd, xinetd) to run the trace utility
and tell it to run Qpopper. As a shortcut, you can try invoking the
trace utility on the Qpopper process that is hung. This might be
enough, but it's usually helpful to see the earlier calls as well.
The second thing that will help is to get a TCP packet trace of the session.
From: "Alan W. Rateliff, II" <alan at yourvillage dot com>
Subject: Filesystem quotas
Date: Thu, 8 Aug 2002 12:12:44 -0400
I'm ready to activate quotas on a client's mailserver to help with the rampant
collection of mail (some have 50MB+) on the server.
I've gotten minimal functionality with procmail and sendmail for receiving.
Now I need to know how I can avoid problems with the .pop spool.
I actually have QPopper use a different directory for the temporary spool,
that helped with quotas in the past. However, now when QPopper goes to
reconstruct the mailfile, a box that exceeds the quota becomes garbage, or
doesn't rebuild at all.
I have a couple of ideas using the hard and soft limits, but I'm thinking
they might not work well in practice, or perhaps I'm over-thinking the
problem. Is there anyone here with experience in this area that can offer
some advice?
TIA. ** Alan ][ **
--
Alan W. Rateliff, II
Date: Thu, 8 Aug 2002 18:29:53 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Filesystem quotas
On Thu, 8 Aug 2002, Alan W. Rateliff, II wrote:
> I have a couple of ideas using the hard and soft limits, but I'm thinking
> they might not work well in practice, or perhaps I'm over-thinking the
> problem. Is there anyone here with experience in this area that can offer
> some advice?
Set hard quota _at least_ twice the soft quota, with a very short grace period.
This assumes .pop files are on the same filesystem.
Subject: Re: Filesystem quotas
From: Kenneth Porter <shiva at well dot com>
Date: 08 Aug 2002 15:54:27 -0700
On Thu, 2002-08-08 at 09:12, Alan W. Rateliff, II wrote:
> I actually have QPopper use a different directory for the temporary spool,
> that helped with quotas in the past. However, now when QPopper goes to
> reconstruct the mailfile, a box that exceeds the quota becomes garbage, or
> doesn't rebuild at all.
Quotas are applied per filesystem. So put the temp spool on a partition
with quotas not enabled. There's still a boundary condition where the
spool might grow slightly during a POP, so leave some margin in your
limits to keep from getting too close to the hard limit.
Date: Fri, 09 Aug 2002 09:17:45 -0400
From: Michael Kolos <michael at colba dot net>
Subject: Re: Filesystem quotas
What is this "boundary condition" and when does it come up?
We have the temp dir on a non-quota filesystem, and on the spool dir users
have a hard quota 100k more than the soft quota.
Yet we still occasionally end up with a user with a corrupted mail spool
because somehow it went over quota, and when qpopper copies the spool back,
it gets corrupted.
I have tried turning off the X-UIDL writing, but that hasn't helped.
At 06:54 PM 8/8/2002, Kenneth Porter wrote:
>On Thu, 2002-08-08 at 09:12, Alan W. Rateliff, II wrote:
>
> > I actually have QPopper use a different directory for the temporary spool,
> > that helped with quotas in the past. However, now when QPopper goes to
> > reconstruct the mailfile, a box that exceeds the quota becomes garbage, or
> > doesn't rebuild at all.
>
>Quotas are applied per filesystem. So put the temp spool on a partition
>with quotas not enabled. There's still a boundary condition where the
>spool might grow slightly during a POP, so leave some margin in your
>limits to keep from getting too close to the hard limit.
Michael Kolos
Colba.Net Inc.
From: Brendan Bank <brendan at gnarst dot net>
Subject: Qpopper openssl patch.
Date: Fri, 09 Aug 2002 16:25:35 +0200
Hoi,
If you compile qpopper with OpenSSL version 0.9.6d or higher there
is a problem with some broken SSL implementation on Eudora 5.1.1
on Windows. Qualcomm is working looking into replacing the SSL DLL
to correct the problem.
The Eudora help desk reported the following: "In OpenSSL0.9.6e Make
sure to compile it with the CBC Countermeasure disabled. Please
consult the OpenSSL files on how to do this."
It did not feel right to change the OpenSSL code, so I've created
a patch for qpopper which stops the CBC Countermeasure from being
implemented when a client connects to a qpopper compiled with OpenSSL
version 0.9.6d or higher.
This should pose no and fixes the reported problems with Eudora.
See the SSL_CTX_set_options manual pages for more information. Maybe
setting SSL_OP_ALL is a bit of overkill and we might be a little bit
more conservative if we set only: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS.
I'd like to hear your feedback on this.
Regards,
- Brendan
#### patch start below.
*** pop_tls_openssl.c.orig Wed Aug 7 14:54:53 2002
--- pop_tls_openssl.c Fri Aug 9 16:23:00 2002
***************
*** 340,345 ****
--- 340,360 ----
goto Done;
}
+ /*
+ * This set's the option SSL_OP_ALL to the ssl conection to allow
+ * "broken" clients to connect to the server.
+ */
+
+ DEBUG_LOG0 (pPOP, "...set SSL_CTX_set_options to"
+ " SSL_OP_ALL to allow broken ssl implementations.");
+
+ SSL_CTX_set_options(pTLS->m_OpenSSLctx, SSL_OP_ALL);
+ if(!(SSL_CTX_get_options(pTLS->m_OpenSSLctx) & SSL_OP_ALL))
+ {
+ log_openssl_err ( pPOP, HERE, "Unable to set SSL_OP_ALL option."
+ " Some clients may not be able to connect." );
+ }
+
/*
* Establish the certificate for our server cert.
*/
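Review bot: The check after SSL_CTX_set_options() tests the wrong condition. SSL_OP_ALL is a mask of many workaround bits, so `!(SSL_CTX_get_options(pTLS->m_OpenSSLctx) & SSL_OP_ALL)` is true only when none of them are set and would not report a partly applied mask. SSL_CTX_set_options() already returns the resulting option bitmask, so compare `(opts & SSL_OP_ALL) == SSL_OP_ALL` on that return value rather than making a second call. On scope, the stated goal is only to stop the CBC countermeasure for Eudora, yet SSL_OP_ALL switches on every bug workaround for every client. Setting just SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, as the message accompanying the patch already suggests, keeps the change to what the problem needs, and a run-time option would let sites without affected clients keep the countermeasure. The DEBUG_LOG0 line is emitted before the call and reads as if the option were already set, and the new comment has typos ("set's", "conection").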
From: "Alan W. Rateliff, II" <alan at yourvillage dot com>
Subject: Re: Filesystem quotas
Date: Fri, 9 Aug 2002 12:53:18 -0400
----- Original Message -----
From: "Michael Kolos" <michael at colba dot net>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Friday, August 09, 2002 9:17 AM
Subject: Re: Filesystem quotas
> What is this "boundary condition" and when does it come up?
> We have the temp dir on a non-quota filesystem, and on the spool dir users
> have a hard quota 100k more than the soft quota.
> Yet we still occasionally end up with a user with a corrupted mail spool
> because somehow it went over quota, and when qpopper copies the spool
> back, it gets corrupted.
> I have tried turning off the X-UIDL writing, but that hasn't helped.
Imagine a user with a 5120k hard quota, and 4.9MB in their mailfile.
QPopper copies that mailfile over to the non-quota filesystem to POP it out,
and while the user is checking his/her email (and apparently NOT deleting it
from the server) they receive a 200k email. Now there's 200k in their
mailfile, only 4.8MB available. The POP session is over and QPopper copies
the .pop file back into the mail spool. 0.2MB + 4.9MB = 5.1MB > 5.0MB: the
user is now over quota, and the last 100k or so is lost.
That was my concern. But frankly, I don't like my users leaving their mail
on the server. But that's not an entirely practical requirement when some
people have multiple machines/people checking the same box (which I
recommend multiple boxes with aliases) or using webmail as their primary or
only mail viewing agent.
But, that's what happens. I haven't decided if it would be nicer to have
quota systems installed in the local mail delivery agent or not, as it would
require a separate database of user quotas. I think procmail can do that,
but I'm only beginning to learn about it.
--
Alan W. Rateliff, II
Date: Fri, 9 Aug 2002 12:15:18 -0500
From: Justin Shore <listuser at neo.pittstate dot edu>
Subject: Re: Filesystem quotas
At 12:53 PM -0400 8/9/02, Alan W. Rateliff, II wrote:
>That was my concern. But frankly, I don't like my users leaving their mail
>on the server. But that's not an entirely practical requirement when some
>people have multiple machines/people checking the same box (which I
>recommend multiple boxes with aliases) or using webmail as their primary or
>only mail viewing agent.
This is part of the reason why I'm still a Claris Emailer fan. It
hasn't been sold or updated since '97 but I still love it. The
feature that applies here is the "Leave on Server For X Days" option.
I don't think I've ever seen another mail client with that ability.
I tend to leave mail on the server for 2-3 weeks so down the road
when I'm at home and think of something in an email from a couple
weeks ago, I can ssh in and find it in pine fairly easily without
going into work. If all email clients supported this, the world
would be a much better place.
It would also be nice if the server could dictate some of these
options to the clients when they connect. That would also be nice. :)
Justin
--
--
Justin Shore, ES-SS ES-SSR Pittsburg State University
Network & Systems Manager Kelce 157Q
Office of Information Systems Pittsburg, KS 66762
Voice: (620) 235-4606 Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.
Date: Fri, 9 Aug 2002 13:10:45 -0400 (EDT)
From: "Jeff A. Earickson" <jaearick at colby dot edu>
Subject: Re: Filesystem quotas
Hi,
IMHO, quotas on mail file systems are a bad, bad idea. You don't ever
want to lose email because a file system filled up or a user hit their
quota (something they can't control if they aren't around to check email).
Disk is cheap, buy more if your mail spool starts filling up. I use
a 8 GB mail spool for 3000 users (with another 8+ GB in reserve). During
the worst time in the summer when the students are gone, it will get about
30% full. If it ever gets to 50% full, I will add more disk.
For those POP users who insist on using the "leave mail on server" option,
I have a perl script that will read a standard mbox format file and delete
messages based on different criteria (I didn't write the script). I run
a cron job every week that deletes any message that has been opened for
reading AND is more than 30 days old. This keeps the old drek cleaned
out of the mail spool. The user community knows about this policy.
** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick at colby dot edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------
---------- Forwarded message ----------
Date: Fri, 9 Aug 2002 12:53:18 -0400
From: "Alan W. Rateliff, II" <alan at yourvillage dot com>
To: Subscribers of Qpopper <qpopper at lists.pensive dot org>
Subject: Re: Filesystem quotas
----- Original Message -----
From: "Michael Kolos" <michael at colba dot net>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Friday, August 09, 2002 9:17 AM
Subject: Re: Filesystem quotas
> What is this "boundary condition" and when does it come up?
> We have the temp dir on a non-quota filesystem, and on the spool dir users
> have a hard quota 100k more than the soft quota.
> Yet we still occasionally end up with a user with a corrupted mail spool
> because somehow it went over quota, and when qpopper copies the spool
> back, it gets corrupted.
> I have tried turning off the X-UIDL writing, but that hasn't helped.
Imagine a user with a 5120k hard quota, and 4.9MB in their mailfile.
QPopper copies that mailfile over to the non-quota filesystem to POP it out,
and while the user is checking his/her email (and apparently NOT deleting it
from the server) they receive a 200k email. Now there's 200k in their
mailfile, only 4.8MB available. The POP session is over and QPopper copies
the .pop file back into the mail spool. 0.2MB + 4.9MB = 5.1MB > 5.0MB: the
user is now over quota, and the last 100k or so is lost.
That was my concern. But frankly, I don't like my users leaving their mail
on the server. But that's not an entirely practical requirement when some
people have multiple machines/people checking the same box (which I
recommend multiple boxes with aliases) or using webmail as their primary or
only mail viewing agent.
But, that's what happens. I haven't decided if it would be nicer to have
quota systems installed in the local mail delivery agent or not, as it would
require a separate database of user quotas. I think procmail can do that,
but I'm only beginning to learn about it.
--
Alan W. Rateliff, II
Date: Fri, 9 Aug 2002 10:56:24 -0700
From: "Brian C. Hill" <bchill at bch dot net>
Subject: opinion: filesystem quotas - how cheap is disk space?
IMNSHO:
Not to start a flame war, but we've all been hearing about how
cheap disk is for a long time. Remember to add in the costs related to
disk installation and management. These are forgotten truths:
* time to research for purchase
* time to negotiate and purchase
* time to physically install
* cost to provision power, cooling and SPACE (these can really add up)
* time for initial configuration
* optional cost for RAID software (Veritas?)
* time/hardware/software costs for expanded backups (high cost item)
* time for on-going monitoring and management
--------------------------------------------------
= a liberal disk policy is not cheap and can actually be quite costly
It is a bad idea to convince users that the sky is the limit,
because they will defy science in short order and find it.
Brian
=====================================================================
On Fri, Aug 09, 2002 at 01:10:45PM -0400, Jeff A. Earickson wrote:
> Hi,
> IMHO, quotas on mail file systems are a bad, bad idea. You don't ever
> want to lose email because a file system filled up or a user hit their
> quota (something they can't control if they aren't around to check email).
>
> Disk is cheap, buy more if your mail spool starts filling up. I use
> a 8 GB mail spool for 3000 users (with another 8+ GB in reserve). During
> the worst time in the summer when the students are gone, it will get about
> 30% full. If it ever gets to 50% full, I will add more disk.
>
> For those POP users who insist on using the "leave mail on server" option,
> I have a perl script that will read a standard mbox format file and delete
> messages based on different criteria (I didn't write the script). I run
> a cron job every week that deletes any message that has been opened for
> reading AND is more than 30 days old. This keeps the old drek cleaned
> out of the mail spool. The user community knows about this policy.
>
> ** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
> ** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick at colby dot edu
> ** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
> ** Waterville ME, 04901-8842
> ----------------------------------------------------------------------------
>
> ---------- Forwarded message ----------
> Date: Fri, 9 Aug 2002 12:53:18 -0400
> From: "Alan W. Rateliff, II" <alan at yourvillage dot com>
> To: Subscribers of Qpopper <qpopper at lists.pensive dot org>
> Subject: Re: Filesystem quotas
>
> ----- Original Message -----
> From: "Michael Kolos" <michael at colba dot net>
> To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
> Sent: Friday, August 09, 2002 9:17 AM
> Subject: Re: Filesystem quotas
>
>
> > What is this "boundary condition" and when does it come up?
> > We have the temp dir on a non-quota filesystem, and on the spool dir users
> > have a hard quota 100k more than the soft quota.
> > Yet we still occasionally end up with a user with a corrupted mail spool
> > because somehow it went over quota, and when qpopper copies the spool
> > back, it gets corrupted.
> > I have tried turning off the X-UIDL writing, but that hasn't helped.
>
> Imagine a user with a 5120k hard quota, and 4.9MB in their mailfile.
> QPopper copies that mailfile over to the non-quota filesystem to POP it out,
> and while the user is checking his/her email (and apparently NOT deleting it
> from the server) they receive a 200k email. Now there's 200k in their
> mailfile, only 4.8MB available. The POP session is over and QPopper copies
> the .pop file back into the mail spool. 0.2MB + 4.9MB = 5.1MB > 5.0MB: the
> user is now over quota, and the last 100k or so is lost.
>
> That was my concern. But frankly, I don't like my users leaving their mail
> on the server. But that's not an entirely practical requirement when some
> people have multiple machines/people checking the same box (which I
> recommend multiple boxes with aliases) or using webmail as their primary or
> only mail viewing agent.
>
> But, that's what happens. I haven't decided if it would be nicer to have
> quota systems installed in the local mail delivery agent or not, as it would
> require a separate database of user quotas. I think procmail can do that,
> but I'm only beginning to learn about it.
>
> --
> Alan W. Rateliff, II
--
_____________________________________________________________________
/ Brian C. Hill bchill at bch.net http://brian.bch dot net \
| Unix Specialist BCH Technical Services http://www.bch.net |
Date: Fri, 9 Aug 2002 13:08:06 -0500
From: Justin Shore <listuser at neo.pittstate dot edu>
Subject: Re: Filesystem quotas
At 1:10 PM -0400 8/9/02, Jeff A. Earickson wrote:
>Hi,
> IMHO, quotas on mail file systems are a bad, bad idea. You don't ever
>want to lose email because a file system filled up or a user hit their
>quota (something they can't control if they aren't around to check email).
I'm a partial believer in mail spool quotas. I don't believe there
should be a quota set that we should expect users to ever reach
within reason. ie, basic mail usage shouldn't hit this quota. I am
however in favor of a high hard quota to save my mail filesystem.
I've seen on a couple occasions (at other places) where an auto-ack
script started looping in a bad bad way. The auto-ack sent a survey
to users that hadn't mailed our tech support list in 3 months. It
also CCd the team leaders. One of the team leaders left. Mail to him
was bouncing. The From: was set to the list. IIRC mailer-daemon was
on an exclude list on the auto-ack, excluded from being recorded as a
recipient of the survey. Each bounce to that user went back to the
auto-ack and so on and so forth. Before all was said and done, the
remaining team leaders' mail spools were multi-Gig in size. I'm a big
fan of a hard quota of a reasonably high number because of this.
This keeps your mail system from filling up which would cause a loss
of mail to all users, not just the one that caused the failure.
I don't think a 100MB hard quota is unreasonable. If a user was gone
for an extended period of time (say a year for medical reasons or on
a sabbatical), then they should follow common Email Etiquette and
unsub from all mailing lists. If they don't, they deserve to have
mail bounce.
I'm also a fan of a soft quota with an infinite grace period. The
reason being is I plan on using repquota in a script to mail users'
spools that exceed a certain size (maybe 15MB). I'd send them a form
letter explaining how to configure their MUA to remove mail from
server among other things. I'd run this nightly. The first mailing
would go only to the user. Subsequent mailings would also go to an
admin so the admin could call the user. Note that I'm not using the
soft quota to strictly limit the user's spool size. I'm just using
it as a reporting tool.
> Disk is cheap, buy more if your mail spool starts filling up. I use
>a 8 GB mail spool for 3000 users (with another 8+ GB in reserve). During
>the worst time in the summer when the students are gone, it will get about
>30% full. If it ever gets to 50% full, I will add more disk.
I like having a buffer too. Sometimes though the filesystem fills
overnight, or in a matter of hours. That's where the reasonably high
hard quota comes in handy. If one of my users hit a 100MB hard quota
and they're following my guidelines for deleting mail from the
server, I know something is wrong. They should too I would think.
> For those POP users who insist on using the "leave mail on server" option,
>I have a perl script that will read a standard mbox format file and delete
>messages based on different criteria (I didn't write the script). I run
>a cron job every week that deletes any message that has been opened for
>reading AND is more than 30 days old. This keeps the old drek cleaned
>out of the mail spool. The user community knows about this policy.
I've been searching for such a script. I found a user with mail
dating back to '97 yesterday. :) Would you mind sharing it?
Thanks
Justin
Date: Fri, 9 Aug 2002 11:37:39 -0700
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Qpopper openssl patch.
And you shouldn't be using less than OpenSSL version 0.9.6g (f came
out yesterday, g this morning).
Quoting Brendan Bank (brendan at gnarst dot net):
> Hoi,
>
> If you compile qpopper with OpenSSL version 0.9.6d or higher there
> is a problem with some broken SSL implementation on Eudora 5.1.1
> on Windows. Qualcomm is working looking into replacing the SSL DLL
> to correct the problem.
Date: Fri, 9 Aug 2002 11:49:02 -0700
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Qpopper openssl patch.
At 4:25 PM +0200 8/9/02, Brendan Bank wrote:
> I've created
> a patch for qpopper which stops the CBC Countermeasure
I'm testing a patch to allow SSL options to be set in a configuration file.
Date: Fri, 9 Aug 2002 14:44:31 -0400 (EDT)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Filesystem quotas
On Fri, 9 Aug 2002, Jeff A. Earickson wrote:
> Disk is cheap, buy more if your mail spool starts filling up. I use
> a 8 GB mail spool for 3000 users (with another 8+ GB in reserve).
I have had 20 users _kill_ a 10Gb partition used by 2500 users.
Not to mention what happens when a looping mailer fills up a disk.
Which is better?
One user being forced to clean up because mail is bouncing due to overquota?
Or the entire mail spool being wiped out and _ALL_ users being unable to
receive mail due to a mailbomb or group of users who don't delete mail?
Date: Fri, 09 Aug 2002 13:45:11 -0500
From: J Bacher <jb at jbacher dot com>
Subject: Maildir Format
Has anyone completed a patch to qpopper allowing for Maildir/{cur|new} format?
Date: Fri, 9 Aug 2002 11:51:33 -0700
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Filesystem quotas
Quoting Jeff A. Earickson (jaearick at colby dot edu):
> Hi,
> IMHO, quotas on mail file systems are a bad, bad idea. You don't ever
> want to lose email because a file system filled up or a user hit their
> quota (something they can't control if they aren't around to check email).
I'll change this to:
IMHO, using the system to manage quotas on mail file systems is
a bad, bad idea.
Qpopper "knows" how much mail you have. stat(3) can tell it.
Let QPOPPER handle the quota issue.
You might also tweak mail.local to handle quotae on delivery.
I'm also a big fan of TMPFAIL on overquota. I can teach sendmail
that local mail should try for N days and bounce it after that.
I hate the DOS that is being able to fill someone's mail and make
them bounce all mail after that.
There are some bumps:
If I have a quota of Q, and I get a message > Q, it will
sit in the inbound queue failing to deliver.
With a commercial IMAP/POP server I used, there is the option
to allow "one message over quota" that's really useful. It
lets the user get the powerpoint mail (inevitably) and delete
it.
Bottom line: Let qpopper and mail.local deal with the quotae.
Limit the users who are getting the basic service.
Now: disk is cheap.
I'm sorry, but if I'm really running a semi-commercial service,
disk IS cheap, to a point. I don't have to spend a lot of time
selecting disk. There are criteria to ponder, for about a minute.
The "playground" box that handles mail for 50 friends? I can
go with big and slow. Maybe dual, mirrored. A 7200RPM IDE
is around $90 for 60GB.
For real mail sites (50k users+), I really want 15,000RPM 9GB
drives. I settle for whatever size, but partition it to just
use part of the disk.
Make a call: "Hi, I need a 10k or 15k drive, 36 or 70GB, please
send it over". There's a minute.
Managing the data may take more, but ISPs generally get to charge
more for "premium" customers that keep more mail. The ISP I
work with gives N pop accounts away, but if they want IMAP or huge
storage, they charge for it. $10/month/mailbox means another $120
every year. Times 5000 users is $600k. That covers a tape drive
and my time. "Dear Favorite Storage Vendor, please send me
another high end RAID box that for $30k with the minimum 500GB that
you sell" (which can handle 100k users performance and storage wise).
It's just basic business.
Subject: Re: Filesystem quotas
From: Kenneth Porter <shiva at well dot com>
Date: 09 Aug 2002 16:10:53 -0700
On Fri, 2002-08-09 at 11:51, Chuck Yerkes wrote:
> There are some bumps:
> If I have a quota of Q, and I get a message > Q, it will
> sit in the inbound queue failing to deliver.
The big bump is what Alan Rateliff explained. While qpopper has the
spool "swapped out", a delivery can happen that overflows the spool when
it swaps back in. Concatenating the new message to the old spool will
overflow the spool.
I suppose a workaround is to have qpopper re-deliver the new material if
it puts the user over-quota, so that the local delivery system will
queue it, but one would need, in the worst case, a queue big enough to
hold everyone's quota.
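Added example (not part of any post in this thread, and not qpopper or mail.local code): a delivery-time check combining the "one message over quota" and TMPFAIL ideas from Chuck Yerkes's message with the swapped-out-spool problem Kenneth Porter describes, by counting the live spool and qpopper's temporary copy together. The function name, parameters and file paths are hypothetical; it assumes the delivery agent's exit status is passed back to sendmail, which queues and retries on `EX_TEMPFAIL`.

```c
/* Added example: delivery-time quota check. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sysexits.h>

/* File size in bytes. A missing file counts as empty; any other stat()
 * failure returns -1 so the caller defers instead of guessing. */
static long long file_bytes(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return (long long)st.st_size;
    return errno == ENOENT ? 0 : -1;
}

/* Exit status a local delivery agent would hand back to sendmail:
 * EX_OK = deliver, EX_TEMPFAIL = keep in the queue and retry later. */
int quota_verdict(const char *spool, const char *tempdrop,
                  long long msg_bytes, long long quota, int allow_one_over)
{
    long long a = file_bytes(spool), b = file_bytes(tempdrop);
    if (a < 0 || b < 0 || msg_bytes < 0 || quota < 0)
        return EX_TEMPFAIL;            /* cannot measure: defer, never bounce */
    long long used = a + b;            /* live spool plus swapped-out copy */
    if (used <= quota && msg_bytes <= quota - used)
        return EX_OK;                  /* fits entirely under the quota */
    if (allow_one_over && used < quota)
        return EX_OK;                  /* one message may cross the line */
    return EX_TEMPFAIL;                /* over quota: temporary failure */
}

int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s spool tempdrop msg_bytes quota_bytes\n", argv[0]);
        return EX_USAGE;
    }
    return quota_verdict(argv[1], argv[2], atoll(argv[3]), atoll(argv[4]), 1);
}
```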
Date: Fri, 9 Aug 2002 19:36:31 -0700 (PDT)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: Maildir Format
On Fri, 9 Aug 2002, J Bacher wrote:
> Has anyone completed a patch to qpopper allowing for Maildir/{cur|new} format?
>
>
I have... the patch is in beta, as I haven't had a lot of feedback from it
yet.
P.S. I would like some if you try it! :-)
http://asteroid-b612.org/software/#qpopper
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"Strange, but it seems, there's a mutiny brewing inside of me"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
From: "Alan W. Rateliff, II" <alan at yourvillage dot com>
Subject: Re: Filesystem quotas
Date: Mon, 12 Aug 2002 01:26:10 -0400
----- Original Message -----
From: "Kenneth Porter" <shiva at well dot com>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Friday, August 09, 2002 7:10 PM
Subject: Re: Filesystem quotas
> On Fri, 2002-08-09 at 11:51, Chuck Yerkes wrote:
>
> > There are some bumps:
> > If I have a quota of Q, and I get a message > Q, it will
> > sit in the inbound queue failing to deliver.
>
> The big bump is what Alan Rateliff explained. While qpopper has the
> spool "swapped out", a delivery can happen that overflows the spool when
> it swaps back in. Concatenating the new message to the old spool will
> overflow the spool.
Pursuant to Justin Shore's message, I think a potential resolution is a soft
quota at the limit you'd like the box to be, and a hard quota of at least
double that. (I think someone else also mentioned this solution.) That
would potentially allow you to keep your .pop's and mailfiles in the same
spool directory as well.
I'll be spending some time this week researching a "nicer" method to handle
quotas. Since I've gotten procmail working as my local delivery agent, I'm
sure I can find some recipes that handle quotas quite nicely. Once that's
taken care of, a combination of permissible soft/hard quotas should handle
the rest.
It's nice to be able to use the filesystem quota system for the simple fact
that it's just one less step to managing users. Even so, having a separate
(or compatible) quota interface within the email daemons seems to be a
reasonable solution as well. To illustrate, Solaris will allow you to
update quotas on any filesystem that has a quota file in its root, even if
quotas are not activated for that filesystem. Using Solaris' native quota
utilities would allow easy management, while allowing a local delivery agent
(mail.local, procmail, etc.) to access and possibly update that quota file.
A potential drawback to this arrangement is "accidentally" turning the
filesystem quota management on, causing minor confusion between the MDA and
the OS.
I'm somewhat opposed to queuing the mail locally for a box that's over
quota. From what I understand of the SMTP RFCs, it should be left to the
sending system to retry sending to a full mailbox, seeing how a 4xx
(temporary, retryable failure) response code is recommended for this
situation. Although, I've seen most systems reject with a 5xx (permanent
failure) response for over-quota.
The bottom line seems that some form of active quota management is
absolutely necessary not just to curb usage abuse, but also to watchdog
against DoS-type events, list-loops, etc, that can easily and quickly fill a
filesystem. It seems that everyone here so far has come up with viable
options for doing so. In this regard, Sendmail can be set to start
4xx-rejecting emails once the filesystem free space reaches a specified
threshold. Though that still allows for one person to cripple an entire
mail system.
--
Alan W. Rateliff, II
Subject: Re: Filesystem quotas
Date: Mon, 12 Aug 2002 09:29:58 +0200 (MET DST)
From: Eric Luyten <Eric.Luyten at vub.ac dot be>
[Justin Shore :]
> This is part of the reason why I'm still a Claris Emailer fan. It
> hasn't been sold or updated since '97 but I still love it. The
> feature that applies here is the "Leave on Server For X Days" option.
> I don't think I've ever seen another mail client with that ability.
Try Eudora or reasonably recent versions of Outlook and Outlook Express.
Eric Luyten, Computing Centre VUB/ULB.
Subject: Re: Filesystem quotas
Date: Mon, 12 Aug 2002 09:34:16 +0200 (MET DST)
From: Eric Luyten <Eric.Luyten at vub.ac dot be>
> Disk is cheap, buy more if your mail spool starts filling up. I use
> an 8 GB mail spool for 3000 users (with another 8+ GB in reserve). During
> the worst time in the summer when the students are gone, it will get about
> 30% full. If it ever gets to 50% full, I will add more disk.
Disk is cheap, yes, but storage bandwidth becomes rather expensive after
a certain point.
We operate 56 GB of spool for 25000 users and the (dual Ultra Wide SCSI)
I/O channels are pretty close to saturation during office hours.
While we have an extension to 400 GB of mail spool (and dual fibre channel
connections into those) in the pipeline, a change in mailbox storage format
is unavoidable at some stage and we think we have reached (surpassed) it.
Eric Luyten, Computing Centre VUB/ULB.
Date: Mon, 12 Aug 2002 11:11:11 -0400 (EDT)
From: "Jeff A. Earickson" <jaearick at colby dot edu>
Subject: Re: filesystem quotas
Y'all,
Thanks to those of you who thumped me over the head with the Clue Stick
(tm) on the subject of disk quotas for the mail queue last week. I
thought about it this weekend, and instituted a 50 MB soft limit (12 month
time limit) and a 100 MB hard limit for /var/mail. This is on an 8 GB
filesystem with 3000 users. I subjected my test user to 100 MB of email,
and found that once he hit his hard limit, further emails were returned
to sender. This looks good. Thanks.
** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick at colby dot edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------
Subject: Re: filesystem quotas
Date: Mon, 12 Aug 2002 17:31:57 +0200 (MET DST)
From: Eric Luyten <Eric.Luyten at vub.ac dot be>
[Jeff E.]
> I subjected my test user to 100 MB of email, and found that once
> he hit his hard limit, further emails were returned to sender.
> This looks good.
Depends.
What are your Mail Transfer Agent and local delivery agent ?
I do not consider a 'Service Unavailable' error message to sender
informative.
There does not appear to be a suitable code (/usr/include/sysexits.h)
that I can make procmail return to sendmail (our environment). Too bad.
Eric Luyten, Computing Centre VUB/ULB.
Date: Mon, 12 Aug 2002 09:11:14 -0700 (PDT)
From: Gregory Hicks <ghicks at cadence dot com>
Subject: Re: filesystem quotas
> Date: Mon, 12 Aug 2002 17:31:57 +0200 (MET DST)
> From: Eric Luyten <Eric.Luyten at vub.ac dot be>
>
> [Jeff E.]
> > I subjected my test user to 100 MB of email, and found that once
> > he hit his hard limit, further emails were returned to sender.
> > This looks good.
>
> Depends.
> What are your Mail Transfer Agent and local delivery agent ?
>
> I do not consider a 'Service Unavailable' error message to sender
> informative.
>
> There does not appear to be a suitable code (/usr/include/sysexits.h)
> that I can make procmail return to sendmail (our environment). Too bad.
I was under the impression that procmail could return any desired code
to sendmail. I've been told that it is just how you code the 'rules'.
(I am not a procmail user but provide troubleshooting service to about
6k users...)
Regards,
Gregory Hicks
>
>
> Eric Luyten, Computing Centre VUB/ULB.
---------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3479
San Jose, CA 95134 | Internet: ghicks at cadence dot com
Never attribute to malice that which is adequately explained by
ignorance or stupidity.
Asking the wrong questions is the leading cause of wrong answers
"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
You can have it done good, fast, or cheap -- pick any two.
Date: Mon, 12 Aug 2002 12:06:44 -0400 (EDT)
From: "Jeff A. Earickson" <jaearick at colby dot edu>
Subject: Re: filesystem quotas
Hi,
I use sendmail 8.12.5 with procmail 3.22 on Solaris 8. When I hit
the hard limit, the mail was returned to me (the sender) with the
explicit message "quota exceeded".
** Jeff A. Earickson, Ph.D PHONE: 207-872-3659
** Senior UNIX Sysadmin, Information Technology EMAIL: jaearick at colby dot edu
** Colby College, 4214 Mayflower Hill, FAX: 207-872-3076
** Waterville ME, 04901-8842
----------------------------------------------------------------------------
On Mon, 12 Aug 2002, Eric Luyten wrote:
> Date: Mon, 12 Aug 2002 17:31:57 +0200 (MET DST)
> From: Eric Luyten <Eric.Luyten at vub.ac dot be>
> To: Subscribers of Qpopper <qpopper at lists.pensive dot org>
> Subject: Re: filesystem quotas
>
> [Jeff E.]
> > I subjected my test user to 100 MB of email, and found that once
> > he hit his hard limit, further emails were returned to sender.
> > This looks good.
>
> Depends.
> What are your Mail Transfer Agent and local delivery agent ?
>
> I do not consider a 'Service Unavailable' error message to sender
> informative.
>
> There does not appear to be a suitable code (/usr/include/sysexits.h)
> that I can make procmail return to sendmail (our environment). Too bad.
>
>
> Eric Luyten, Computing Centre VUB/ULB.
>
Last updated on 12 Aug 2002 by Pensive Mailing List Admin