The Qpopper list archive ending on 5 Mar 2003
Topics covered in this issue include:
1. Re[2]: compiling Qpopper with kerberos support
alessandro garsia <doh at freemail dot it>
Fri, 21 Feb 2003 20:21:42 +0100
2. QPOPPER SENDMAIL/PROCMAIL: AND NFS
Homer Wilson Smith <homer at lightlink dot com>
Wed, 26 Feb 2003 12:43:16 -0500 (EST)
3. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Wed, 26 Feb 2003 13:09:27 -0500
4. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Chris Shenton <Chris.Shenton at hq.nasa dot gov>
Wed, 26 Feb 2003 13:23:00 -0500
5. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Kenneth Porter <shiva at sewingwitch dot com>
Wed, 26 Feb 2003 10:35:24 -0800
6. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Alan Brown <alanb at digistar dot com>
Wed, 26 Feb 2003 13:59:19 -0500 (EST)
7. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Chris Shenton <Chris.Shenton at hq.nasa dot gov>
Wed, 26 Feb 2003 14:33:36 -0500
8. using qpopper as secure front end "POP proxy" for MS Exchange
"scott" <scotthenderson at qwest dot net>
26 Feb 2003 13:35:16 -0700
9. BLUEHILL - using qpopper as secure front end "POP proxy" for MS
"scott" <scotthenderson at qwest dot net>
26 Feb 2003 13:58:35 -0700
10. Re: using qpopper as secure front end "POP proxy" for MS Exchange
Clifton Royston <cliftonr at lava dot net>
Wed, 26 Feb 2003 12:38:35 -1000
11. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
The Little Prince <thelittleprince at asteroid-b612 dot org>
Wed, 26 Feb 2003 14:51:12 -0800 (PST)
12. Re: using qpopper as secure front end "POP proxy" for MS Exchange
"scott" <scotthenderson at qwest dot net>
26 Feb 2003 15:50:44 -0700
13. BLUEHILL password thingy??????
"scott" <scotthenderson at qwest dot net>
26 Feb 2003 16:43:42 -0700
14. Re: BLUEHILL password thingy??????
Alan Brown <alanb at digistar dot com>
Wed, 26 Feb 2003 18:50:24 -0500 (EST)
15. Re: using qpopper as secure front end "POP proxy" for MS Exchange
Clifton Royston <cliftonr at lava dot net>
Wed, 26 Feb 2003 14:33:55 -1000
16. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
"Caram Bola" <Caram.Bola at comcast dot net>
Wed, 26 Feb 2003 21:47:46 -0500
17. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Thu, 27 Feb 2003 00:32:47 -0500
18. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
The Little Prince <thelittleprince at asteroid-b612 dot org>
Thu, 27 Feb 2003 05:34:28 -0800 (PST)
19. Re: using qpopper as secure front end "POP proxy" for MS Exchange
"scott" <scotthenderson at qwest dot net>
27 Feb 2003 09:08:48 -0700
20. Indispensable admins (was Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS)
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Thu, 27 Feb 2003 12:41:50 -0500
21. Re: using qpopper as secure front end "POP proxy" for MS Exchange
Clifton Royston <cliftonr at lava dot net>
Thu, 27 Feb 2003 08:20:25 -1000
22. Re: Indispensable admins (was Re: QPOPPER SENDMAIL/PROCMAIL: AND
The Little Prince <thelittleprince at asteroid-b612 dot org>
Thu, 27 Feb 2003 10:25:29 -0800 (PST)
23. Re: using qpopper as secure front end "POP proxy" for MS Exchange
"scott" <scotthenderson at qwest dot net>
27 Feb 2003 11:39:47 -0700
24. Re: using qpopper as secure front end "POP proxy" for MS Exchange
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Thu, 27 Feb 2003 15:02:38 -0500
25. Correct permissions?
"Bart" <bart-list at redhanky dot net>
Thu, 27 Feb 2003 20:45:45 -0000
26. Re: Correct permissions?
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Thu, 27 Feb 2003 16:56:32 -0500
27. Re: Correct permissions?
Clifton Royston <cliftonr at lava dot net>
Thu, 27 Feb 2003 11:58:45 -1000
28. Qpopper/SSL problem
Bernt Guldbrandtsen <bg at genetics.agrsci dot dk>
Fri, 28 Feb 2003 16:09:54 +0100
29. Re: Qpopper + SSL + Eudora
Randall Gellens <randy at qualcomm dot com>
Fri, 28 Feb 2003 16:52:43 -0800
30. Re: using qpopper as secure front end "POP proxy" for MS
Randall Gellens <randy at qualcomm dot com>
Fri, 28 Feb 2003 18:21:40 -0800
31. qpopper ssl/tls
Roman Gavrilov <romio at il.aduva dot com>
Sun, 02 Mar 2003 18:57:26 +0200
32. Re: qpopper ssl/tls
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Sun, 2 Mar 2003 12:30:44 -0500
33. Re: qpopper ssl/tls
Gregory Hicks <ghicks at cadence dot com>
Sun, 2 Mar 2003 09:55:00 -0800 (PST)
34. Re: qpopper ssl/tls
Alan Brown <alanb at digistar dot com>
Sun, 2 Mar 2003 13:31:12 -0500 (EST)
35. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Homer Wilson Smith <homer at lightlink dot com>
Sun, 2 Mar 2003 20:07:06 -0500 (EST)
36. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Homer Wilson Smith <homer at lightlink dot com>
Sun, 2 Mar 2003 20:10:59 -0500 (EST)
37. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Homer Wilson Smith <homer at lightlink dot com>
Sun, 2 Mar 2003 20:12:29 -0500 (EST)
38. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Len Conrad <LConrad at Go2France dot com>
Sun, 02 Mar 2003 20:06:44 -0600
39. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Alan Brown <alanb at digistar dot com>
Mon, 3 Mar 2003 04:06:00 -0500 (EST)
40. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Alan Brown <alanb at digistar dot com>
Mon, 3 Mar 2003 04:20:58 -0500 (EST)
41. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Alan Brown <alanb at digistar dot com>
Mon, 3 Mar 2003 13:16:37 -0500 (EST)
42. sendmail vulnerability, DRAC
Kenneth Porter <shiva at sewingwitch dot com>
Mon, 03 Mar 2003 14:23:53 -0800
43. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Alan Brown <alanb at digistar dot com>
Mon, 3 Mar 2003 17:42:37 -0500 (EST)
44. Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Simon Byrnand <simon at igrin.co dot nz>
Tue, 04 Mar 2003 11:34:51 +1300
45. qpopper on tru64
<ldg at ulysium dot net>
Tue, 04 Mar 2003 01:18:48 -0500
46. Mailbox corrupt by disk quota
Chris Miller <ctodd at netgate dot net>
Tue, 4 Mar 2003 15:52:49 -0800 (PST)
47. qpopper on suse 8.1
"redlineracerx" <redlineracerx at hotmail dot com>
Tue, 4 Mar 2003 17:43:15 -0800
48. Re: Mailbox corrupt by disk quota
Matt Garretson <mattg at assembly.state.ny dot us>
Wed, 05 Mar 2003 13:34:02 -0500
49. Re: Mailbox corrupt by disk quota
Chris Miller <ctodd at netgate dot net>
Wed, 5 Mar 2003 10:51:00 -0800 (PST)
50. X-UIDL
Vasilios Hoffman <vhoffman01 at wesleyan dot edu>
Wed, 5 Mar 2003 14:20:20 -0500 (EST)
Date: Fri, 21 Feb 2003 20:21:42 +0100
From: alessandro garsia <doh at freemail dot it>
Subject: Re[2]: compiling Qpopper with kerberos support
>>I'm trying to compile qpopper 4.0.3 with kerberos support
>>on a mandrake 8.2 linux box (gcc 2.96) with MIT
>>kerberos 1.2.6 installed and working.
>>without kerberos support "make" works fine, with
>>kerberos I get the following error message:
[cut]
>>/root/tmp/qpopper4.0.3/common/maillock.c:278: the use of `tempnam' is dangerous, be
>>tter use `mkstemp'
>>/usr/local/lib/libkrb5util.a(compat_recv.o): In function `krb_v4_recvauth':
>>compat_recv.o(.text+0x71c): undefined reference to `krb_net_read'
>>compat_recv.o(.text+0x756): undefined reference to `krb_net_read'
> You need to add -lkrb -ldes425 (and maybe -lresolv) to the link line.
> --Ken
hi Ken,
I must confess, i don't have idea of what the "link line" is.. :)
anyway, I was able to compile correctly adding "-lkrb4" and "-lresolv" to
the "LIBS" line in popper/Makefile, but I needed to place "-lkrb4"
immediately after or immediately before "-lkrb5".
this seems a strange behaviour to me, but I'm not a unix guru..
thank you again
alessandro
p.s.: to compile succesfully "-lkrb4" must be added even if kerberos 4
compatibility is disabled in config.h, as explained in qpopper manual.
Date: Wed, 26 Feb 2003 12:43:16 -0500 (EST)
From: Homer Wilson Smith <homer at lightlink dot com>
Subject: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Running,
Linux 2.0.38 or 2.4.x,
sendmail 8.8.8 or 8.12.x
procmail 3.22
qpopper 4.0.2
Is there any way to run qpopper on one machine and sendmail/procmail
on multiple other machines, and allow sendmail/procmail to deliver mail to
drives that popper can read without corrupting mailboxes?
Pointers to RTFM encouraged as well as direct answers.
Thanks in advance,
Homer
------------------------------------------------------------------------
Homer Wilson Smith The Paths of Lovers Art Matrix - Lightlink
(607) 277-0959 KC2ITF Cross Internet Access, Ithaca NY
homer at lightlink.com In the Line of Duty http://www.lightlink dot com
Date: Wed, 26 Feb 2003 13:09:27 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Why?
With Linux, unlikely (NFS is, er, egregious, esp before 2.4.x).
Sendmail delivers all mail to one machine. One machihne delivers
mail locally which qpopper serves.
Anything wrong with that?
Quoting Homer Wilson Smith (homer at lightlink dot com):
> Running,
>
> Linux 2.0.38 or 2.4.x,
> sendmail 8.8.8 or 8.12.x
> procmail 3.22
> qpopper 4.0.2
>
> Is there any way to run qpopper on one machine and sendmail/procmail
> on multiple other machines, and allow sendmail/procmail to deliver mail to
> drives that popper can read without corrupting mailboxes?
>
> Pointers to RTFM encouraged as well as direct answers.
>
> Thanks in advance,
>
> Homer
>
> ------------------------------------------------------------------------
> Homer Wilson Smith The Paths of Lovers Art Matrix - Lightlink
> (607) 277-0959 KC2ITF Cross Internet Access, Ithaca NY
> homer at lightlink.com In the Line of Duty http://www.lightlink dot com
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
From: Chris Shenton <Chris.Shenton at hq.nasa dot gov>
Date: Wed, 26 Feb 2003 13:23:00 -0500
Homer Wilson Smith <homer at lightlink dot com> writes:
> Running,
>
> Linux 2.0.38 or 2.4.x,
> sendmail 8.8.8 or 8.12.x
> procmail 3.22
> qpopper 4.0.2
>
> Is there any way to run qpopper on one machine and sendmail/procmail
> on multiple other machines, and allow sendmail/procmail to deliver mail to
> drives that popper can read without corrupting mailboxes?
I think you're gonna get corruption over NFS unless you change the
mailbox format. NFS locking isn't terribly reliable and that's a big
concern when multiple processes on different machines are trying to
change the same mailbox file.
I was looking to do something like this because UNIX-style monolithic
mbox files are killing our sendmail/qpopper performance. I wanted to
switch to Maildir which I've used for an ISP with qmail+vpopmail --
one file per message, no contention, no NFS locking issues.
You can use "maildrop" (or recent procmail) as a local delivery agent
with sendmail. This works easily and doesn't upset any special
sendmail-dependent hacks you might have.
But I was not able to find stable Maildir-aware mods for qpopper,
though "The Little Prince" (on this list) had some which looked like
quality code. I was just too afraid to put them into production since
they didn't seem to be actively maintained.
What I ended up doing was replacing qpopper (version 2.53!) with
qmail's pop3d and a APOP authentication module which I found
elsewhere.
Seems like a fine combination in the lab but haven't put it into
production here yet.
(FWIW, I was doing this on FreeBS and Solaris/Sparc)
Date: Wed, 26 Feb 2003 10:35:24 -0800
From: Kenneth Porter <shiva at sewingwitch dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
--On Wednesday, February 26, 2003 12:43 PM -0500 Homer Wilson Smith
<homer at lightlink dot com> wrote:
> Is there any way to run qpopper on one machine and sendmail/procmail
> on multiple other machines, and allow sendmail/procmail to deliver mail to
> drives that popper can read without corrupting mailboxes?
That sounds backwards. Have all mail delivered to a hub, which then
delivers it to multiple machines running POP3 and IMAP services.
Perhaps you could post info explaining your motivation for wanting such a
beast?
Date: Wed, 26 Feb 2003 13:59:19 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Wed, 26 Feb 2003, Kenneth Porter wrote:
> That sounds backwards. Have all mail delivered to a hub, which then
> delivers it to multiple machines running POP3 and IMAP services.
>
> Perhaps you could post info explaining your motivation for wanting such a
> beast?
High Availability pop3 access springs to mind.
There are proabbly better ways though.
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
From: Chris Shenton <Chris.Shenton at hq.nasa dot gov>
Date: Wed, 26 Feb 2003 14:33:36 -0500
Alan Brown <alanb at digistar dot com> writes:
> High Availability pop3 access springs to mind.
>
> There are proabbly better ways though.
Not trying to start an MTA religious war but take a peek at the
architectural ideas in:
http://www.nrg4u.com/
http://www.lifewithqmail.org/ldap/
Date: 26 Feb 2003 13:35:16 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: using qpopper as secure front end "POP proxy" for MS Exchange
I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
to field requests from sales personnel running POP clients on the
Internet. The mail these folks need would be on a MS Exchange 5.5
server, inside on the LAN. I don't want to open ports on the firewall
directly into the Exchange server - rather, I want to add an extra layer
or buffer of security between Exchange and that big bad Net (and I'm not
confident it is a secure enough product anyway). So I'm wondering if
qpopper can fill the bill. I would need to have qpopper use my internal
Active Directory to authenticate users, and allow them to pick up their
POP mail from the Exchange server. Has anyone done a config like this,
or can anyone offer suggestions on using qpopper in this way?
Thanks much!
Scott Henderson
Date: 26 Feb 2003 13:58:35 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: BLUEHILL - using qpopper as secure front end "POP proxy" for MS
I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
to field requests from sales personnel running POP clients on the
Internet. The mail these folks need would be on a MS Exchange 5.5
server, inside on the LAN. I don't want to open ports on the firewall
directly into the Exchange server - rather, I want to add an extra layer
or buffer of security between Exchange and that big bad Net (and I'm not
confident it is a secure enough product anyway). So I'm wondering if
qpopper can fill the bill. I would need to have qpopper use my internal
Active Directory to authenticate users, and allow them to pick up their
POP mail from the Exchange server. Has anyone done a config like this,
or can anyone offer suggestions on using qpopper in this way?
Thanks much!
Scott Henderson
Date: Wed, 26 Feb 2003 12:38:35 -1000
From: Clifton Royston <cliftonr at lava dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Wed, Feb 26, 2003 at 01:35:16PM -0700, scott wrote:
> I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
> to field requests from sales personnel running POP clients on the
> Internet. The mail these folks need would be on a MS Exchange 5.5
> server, inside on the LAN. I don't want to open ports on the firewall
> directly into the Exchange server - rather, I want to add an extra layer
> or buffer of security between Exchange and that big bad Net (and I'm not
> confident it is a secure enough product anyway). So I'm wondering if
> qpopper can fill the bill. I would need to have qpopper use my internal
> Active Directory to authenticate users, and allow them to pick up their
> POP mail from the Exchange server. Has anyone done a config like this,
> or can anyone offer suggestions on using qpopper in this way?
Popper can deliver the mail to the user, but it is not a proxy; it
includes no features for getting the mail from Exchange to its own
server. You could do this with a program such as fetchmail, I suppose,
but I am not sure this combination really does what you want.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- cliftonr at lava dot net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
Date: Wed, 26 Feb 2003 14:51:12 -0800 (PST)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Wed, 26 Feb 2003, Chris Shenton wrote:
>
> But I was not able to find stable Maildir-aware mods for qpopper,
> though "The Little Prince" (on this list) had some which looked like
> quality code. I was just too afraid to put them into production since
> they didn't seem to be actively maintained.
>
my patch is actively maintained. see my page
(http://www.asteroid-b612.org/software#qpopper)
although, i'm not a Maildir expert..but i've gotten good feedback about
it so far.
if it gives you the willies, like chris said, use qmail-pop3d.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Date: 26 Feb 2003 15:50:44 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Wed, 2003-02-26 at 15:38, Clifton Royston wrote:
> On Wed, Feb 26, 2003 at 01:35:16PM -0700, scott wrote:
> > I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
> > to field requests from sales personnel running POP clients on the
> > Internet. The mail these folks need would be on a MS Exchange 5.5
> > server, inside on the LAN. I don't want to open ports on the firewall
> > directly into the Exchange server - rather, I want to add an extra layer
> > or buffer of security between Exchange and that big bad Net (and I'm not
> > confident it is a secure enough product anyway). So I'm wondering if
> > qpopper can fill the bill. I would need to have qpopper use my internal
> > Active Directory to authenticate users, and allow them to pick up their
> > POP mail from the Exchange server. Has anyone done a config like this,
> > or can anyone offer suggestions on using qpopper in this way?
>
> Popper can deliver the mail to the user, but it is not a proxy; it
> includes no features for getting the mail from Exchange to its own
> server. You could do this with a program such as fetchmail, I suppose,
> but I am not sure this combination really does what you want.
>
> -- Clifton
Well, actually, that sounds like it might just do what I want! But now
I'll have to find someone, who would know how to get a request from a
POP client, sent to qpopper, to launch fetchmail, to get the mail off
the Exchange server, that lived in the house that Jack built. Or
something like that. Now where would I find one of those???
Thanks for your help!
Scott
Date: 26 Feb 2003 16:43:42 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: BLUEHILL password thingy??????
Pardon my ignoramusnous, but why is it I get the following response,
whenever I send a post in to the qpopper list without the word BLUEHILL
in the subject line???
------------------
From: devnull at bluehill dot com
To: scotthenderson at qwest dot net
Subject: Returned mail: Re: using qpopper as secure front end "POP
proxy" for MS Exchange
Date: 26 Feb 2003 15:25:05 -0800
+-------------------------------------------------------------+
| This is a system generated message. |
| * Your message has NOT been delivered * |
+-------------------------------------------------------------+
| This mailbox is protected with an email password system, to |
| have your email delivered please resend the message and |
| include the string BLUEHILL in the subject. Thank You! |
+-------------------------------------------------------------+
Original Message:
From Qpopper-errors at lists.pensive dot org Wed Feb 26 15:15:46 2003
>Return-Path: <Qpopper-errors at lists.pensive dot org>
>Received: from turing.pensive.org (turing.pensive.org [66.27.56.122])
> by bluehill.com (8.9.3/(BHC/norelay)) with ESMTP id PAA04578;
> Wed, 26 Feb 2003 15:15:43 -0800
>Received: from mpls-qmqp-02.inet.qwest.net (63.231.195.113) by
> turing.pensive.org with SMTP
Date: Wed, 26 Feb 2003 18:50:24 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: BLUEHILL password thingy??????
On 26 Feb 2003, scott wrote:
> Pardon my ignoramusnous, but why is it I get the following response,
> whenever I send a post in to the qpopper list without the word BLUEHILL
> in the subject line???
Because some bozo subscribed to the list using a Tagged message delivery
agent (or other doorkeeper) without bothering to whitelist the list or
inspect his held queue (I assume that his setup is homebuilt and
doesn't bother with such things)
Would the list maintainers please remove whoever the bluehill.com person
is until they learn some list manners?
AB
Date: Wed, 26 Feb 2003 14:33:55 -1000
From: Clifton Royston <cliftonr at lava dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Wed, Feb 26, 2003 at 03:50:44PM -0700, scott wrote:
> On Wed, 2003-02-26 at 15:38, Clifton Royston wrote:
> > On Wed, Feb 26, 2003 at 01:35:16PM -0700, scott wrote:
> > > I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
> > > to field requests from sales personnel running POP clients on the
> > > Internet. The mail these folks need would be on a MS Exchange 5.5
> > > server, inside on the LAN. I don't want to open ports on the firewall
> > > directly into the Exchange server - rather, I want to add an extra layer
> > > or buffer of security between Exchange and that big bad Net (and I'm not
> > > confident it is a secure enough product anyway). So I'm wondering if
> > > qpopper can fill the bill. I would need to have qpopper use my internal
> > > Active Directory to authenticate users, and allow them to pick up their
> > > POP mail from the Exchange server. Has anyone done a config like this,
> > > or can anyone offer suggestions on using qpopper in this way?
> >
> > Popper can deliver the mail to the user, but it is not a proxy; it
> > includes no features for getting the mail from Exchange to its own
> > server. You could do this with a program such as fetchmail, I suppose,
> > but I am not sure this combination really does what you want.
> >
> > -- Clifton
>
> Well, actually, that sounds like it might just do what I want! But now
> I'll have to find someone, who would know how to get a request from a
> POP client, sent to qpopper, to launch fetchmail, to get the mail off
> the Exchange server, that lived in the house that Jack built. Or
> something like that. Now where would I find one of those???
That's just it - I don't think you will. Fetchmail would work OK if
you would want *all* POP mail for certain users to be fed to the
Qpopper server all the time. I don't think it will work to have it
fired off when qpopper is starting up and pull down the mail at that
moment. Qpopper needs to have the mail already waiting on the hard
disk for it once the user authenticates.
I think you need an actual proxy server for what you want to do, and
presumably one which does a lot of data checking against buffer
overflows, etc. if you want it to protect the security of the Exchange
server.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- cliftonr at lava dot net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
From: "Caram Bola" <Caram.Bola at comcast dot net>
Date: Wed, 26 Feb 2003 21:47:46 -0500
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
> On Wed, 26 Feb 2003, Chris Shenton wrote:
>
> >
> > But I was not able to find stable Maildir-aware mods for qpopper,
> > though "The Little Prince" (on this list) had some which looked like
> > quality code. I was just too afraid to put them into production
> > since they didn't seem to be actively maintained.
> >
>
> my patch is actively maintained. see my page
> (http://www.asteroid-b612.org/software#qpopper)
>
> although, i'm not a Maildir expert..but i've gotten good feedback
> about it so far.
>
> if it gives you the willies, like chris said, use qmail-pop3d.
>
> --Tony
> .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-
> ._.-. Anthony J. Biacco -
> ._.-.
>
>
(Somehow, I did not receive any prior messages from this thread.)
I have being using The Little Prince's patch without incident on a
production box (Maildir only, no MySQL).
Maybe I'm crazy, but I think not. I would recommend the patch
without reservation to anyone. (Remember, though, your milage may
vary.)
Thank you Tony!
Caram
Date: Thu, 27 Feb 2003 00:32:47 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
Quoting Alan Brown (alanb at digistar dot com):
> On Wed, 26 Feb 2003, Kenneth Porter wrote:
>
> > That sounds backwards. Have all mail delivered to a hub, which then
> > delivers it to multiple machines running POP3 and IMAP services.
> >
> > Perhaps you could post info explaining your motivation for wanting such a
> > beast?
>
> High Availability pop3 access springs to mind.
>
> There are probably better ways though.
So again, we have someone asking how to do what they think is the
solution rather than presenting the problem.
Can you have multiple deliverers and poppers over NFS?
Sure, write your own locking, rewrite mail.local and qpopper chunks,
deal with the fact that NFS performance is likely 5-10% the
performance of RAID for several times the cost.
Never quit, because only you can run it.
Nick Christensen has a lovely paper on what they did while
he was at Earthlink. (see http://www.jetcafe.org/npc/doc/mail_arch.html)
Sendmail, Inc (with Nick) also implemented this notion (version 2?)
several years ago. Big NFS servers, front end machines.
Locking is hard, much hacking was done.
I had some involvement in this too.
Useful when you have 1-2 million users. Will grow to more (especially
now that we have 15k RPM disks and cheap(ish) NVRAM disks).
Mostly not useful when you don't.
I can run 200,000 IMAP users on a single box and run HA or a cold
spare if I need. (HA has several instrinsic costs that make
it not an automatic "yes")
Date: Thu, 27 Feb 2003 05:34:28 -0800 (PST)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Thu, 27 Feb 2003, Chuck Yerkes wrote:
>
> Can you have multiple deliverers and poppers over NFS?
> Sure, write your own locking, rewrite mail.local and qpopper chunks,
> deal with the fact that NFS performance is likely 5-10% the
> performance of RAID for several times the cost.
>
> Never quit, because only you can run it.
>
just another reason to justify a raise. :-)
my boss always used to tell me..man, if you ever got hit by a bus, we'd be
dead. kinda makes you feel like one of those metal briefcases people
handcuff to their wrists.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Date: 27 Feb 2003 09:08:48 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Wed, 2003-02-26 at 17:33, Clifton Royston wrote:
> On Wed, Feb 26, 2003 at 03:50:44PM -0700, scott wrote:
> > On Wed, 2003-02-26 at 15:38, Clifton Royston wrote:
> > > On Wed, Feb 26, 2003 at 01:35:16PM -0700, scott wrote:
> > > > I'm looking for a Linux-based POP mail proxy to put in my company's DMZ
> > > > to field requests from sales personnel running POP clients on the
> > > > Internet. The mail these folks need would be on a MS Exchange 5.5
> > > > server, inside on the LAN. I don't want to open ports on the firewall
> > > > directly into the Exchange server - rather, I want to add an extra layer
> > > > or buffer of security between Exchange and that big bad Net (and I'm not
> > > > confident it is a secure enough product anyway). So I'm wondering if
> > > > qpopper can fill the bill. I would need to have qpopper use my internal
> > > > Active Directory to authenticate users, and allow them to pick up their
> > > > POP mail from the Exchange server. Has anyone done a config like this,
> > > > or can anyone offer suggestions on using qpopper in this way?
> > >
> > > Popper can deliver the mail to the user, but it is not a proxy; it
> > > includes no features for getting the mail from Exchange to its own
> > > server. You could do this with a program such as fetchmail, I suppose,
> > > but I am not sure this combination really does what you want.
> > >
> > > -- Clifton
> >
> > Well, actually, that sounds like it might just do what I want! But now
> > I'll have to find someone, who would know how to get a request from a
> > POP client, sent to qpopper, to launch fetchmail, to get the mail off
> > the Exchange server, that lived in the house that Jack built. Or
> > something like that. Now where would I find one of those???
>
> That's just it - I don't think you will. Fetchmail would work OK if
> you would want *all* POP mail for certain users to be fed to the
> Qpopper server all the time. I don't think it will work to have it
> fired off when qpopper is starting up and pull down the mail at that
> moment. Qpopper needs to have the mail already waiting on the hard
> disk for it once the user authenticates.
>
> I think you need an actual proxy server for what you want to do, and
> presumably one which does a lot of data checking against buffer
> overflows, etc. if you want it to protect the security of the Exchange
> server.
> -- Clifton
Well, OK, so I need an "actual proxy server". Pardon my OT request
here, but (before I head off into the sunset with my little dilemma...)
I don't know of any such beast. Can anyone name some POP/IMAP proxy
servers?
Thanks,
Scott
Date: Thu, 27 Feb 2003 12:41:50 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Indispensable admins (was Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS)
Not to be taken personally, my petit prince; this ramble is
general, not targetted.
Quoting The Little Prince (thelittleprince at asteroid-b612 dot org):
> On Thu, 27 Feb 2003, Chuck Yerkes wrote:
> > Can you have multiple deliverers and poppers over NFS?
> > Sure, write your own locking, rewrite mail.local and qpopper chunks,
> > deal with the fact that NFS performance is likely 5-10% the
> > performance of RAID for several times the cost.
> >
> > Never quit, because only you can run it.
>
> just another reason to justify a raise. :-)
>
> my boss always used to tell me..man, if you ever got hit by a bus, we'd be
> dead. kinda makes you feel like one of those metal briefcases people
> handcuff to their wrists.
Yeah, I had guys who'd wack something together (and used to be one
of those). But the "hit by a bus" can also be pronounced "take a vacation".
If you feel cool cause you can't take a week off without being paged,
then your business is weaker because of you and you are failing.
If you can't leave for 1 or 6 months, then you haven't build a
sustainable environment. It's about professionalism in many ways.
unfo, several bad products get put in place because cowboy
system admins make businesses wary and put them in danger.
Yes, there is certainly the "clues for the clueless" - being
innovative and bringing in good things and strengthening your
company. But it's sometimes hard to tell that from the feeling
you get because you've got a co-dependant company that you've rigged
to nee *you* just cause you do things differently.
I'll offer two examples. There are many machines running different
things. Admins keep windows open to all and watch top and watch for
them to crash. When there is a problem, they leap into action.
For problem after problem.
A System Admin Goofus and Galant, if you will:
1) You've setup Net-SNMP to fully monitor and even be reactive on
several of your systems. BigBrother/Sister or Nocol let you
and your cohorts be paged when certain traps are emitted.
Scripts will take and parse data and look for combinations of
things to trip alarms (all of the WAN is down, but so are your
WAN routers and UPSs - maybe the WAN is fine and the problem is
your routers).
The NetOps folks can monitor your machines with HP OpenView;
your new SAGE Level 2 SA can take a couple of the SNMP-triggered
scripts and modify them to make them a little smarter.
While you were skiing, with no cell coverage, a machine ate it.
SCSI board went bad. Alerts went off and a cold spare was brought
in. Worst case they had to kickstart/jumpstart a new boot
disk that made the new machine into the dead server. You learn
about it on Monday.
You go about getting a more CPUs for your database machine cause
the load on it has been increasing by about 10% a quarter and
you need to get some budget for it.
2) You've written something that listens on a port and can report
machine and application statuses. You've got scripts watching
machines, running mail, managing LDAP. It's great - they had
NOTHING before and were all just reacting to fires before you
came in.
All the scripts are written in Python. Why Python? Because
it's the only language you'll deign to use. Perl is crap. Java
is a pig. C is an old joke. Oh, nobody else knows Python and
you are the GoTo guy for all problems with this system.
You get raises; you get praise; the CTO needs you.
You take the afternoon to hit Fryes and pickup a new motherboard
cause you need to make that server a bit faster and want to get
it in my next week.
You impress your friends with how important you are - this
company DEPENDS on you - as you get paged through the evening;
coming back they ask what's up? "I just saved their asses...
Again!" you crow.
One is good, one is bad; both feel about the same.
Be careful, cause you're never the bad guy.
If a reasonable business truly really needs you, you're not doing
your job well enough. You should be valuable but not indispensable.
And remember, a boss once told me, NOBODY is indispensable.
It's worthy of periodic self examination to discern where your
work is on that spectrum.
Date: Thu, 27 Feb 2003 08:20:25 -1000
From: Clifton Royston <cliftonr at lava dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Thu, Feb 27, 2003 at 09:08:48AM -0700, scott wrote:
...
> > I think you need an actual proxy server for what you want to do, and
> > presumably one which does a lot of data checking against buffer
> > overflows, etc. if you want it to protect the security of the Exchange
> > server.
> > -- Clifton
>
> Well, OK, so I need an "actual proxy server". Pardon my OT request
> here, but (before I head off into the sunset with my little dilemma...)
> I don't know of any such beast. Can anyone name some POP/IMAP proxy
> servers?
IMAP, yes - Perdition seems to be pretty well respected.
POP, not offhand. Sorry.
You can readily use software that is not so much a proxy server as a
generic tunnel server, like Peter da Silva's plugdaemon, for instance.
That would just plug in and "plumb" a POP tunnel from the DMZ machine
through to your internal machine. However, this would not seem to me
to add any security; it will happily pass through buffer overflow
exploits and whatever is coming in on the input stream.
<http://www.taronga.com/plugdaemon/>
If you can't find something that actually understands the POP
protocol and does bounds-checking on commands and parameters you
probably haven't added any security over just punching a hole. Though
you might add a little flexibility in terms of being able to move
around your internal network later without affecting what's visible.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- cliftonr at lava dot net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
Date: Thu, 27 Feb 2003 10:25:29 -0800 (PST)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: Indispensable admins (was Re: QPOPPER SENDMAIL/PROCMAIL: AND
On Thu, 27 Feb 2003, Chuck Yerkes wrote:
> >
> > my boss always used to tell me..man, if you ever got hit by a bus, we'd be
> > dead. kinda makes you feel like one of those metal briefcases people
> > handcuff to their wrists.
>
> Yeah, I had guys who'd wack something together (and used to be one
> of those). But the "hit by a bus" can also be pronounced "take a vacation".
heh, yeah, take a vacation is a totally interchangeable phrase
i didn't mean to give to give the impression i LIKED being that
highly-dependable person.
personally, i hate being the lynch pin. pager every weekend, 2am
pages, blah blah. we all wear our many hats.
but, you know, it was a start-up. profits were slim, budget tight.
i work a lot better when there's a few admins around..don't feel so
needed.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Date: 27 Feb 2003 11:39:47 -0700
From: "scott" <scotthenderson at qwest dot net>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
On Thu, 2003-02-27 at 11:20, Clifton Royston wrote:
> On Thu, Feb 27, 2003 at 09:08:48AM -0700, scott wrote:
> ...
> > > I think you need an actual proxy server for what you want to do, and
> > > presumably one which does a lot of data checking against buffer
> > > overflows, etc. if you want it to protect the security of the Exchange
> > > server.
> > > -- Clifton
> >
> > Well, OK, so I need an "actual proxy server". Pardon my OT request
> > here, but (before I head off into the sunset with my little dilemma...)
> > I don't know of any such beast. Can anyone name some POP/IMAP proxy
> > servers?
>
> IMAP, yes - Perdition seems to be pretty well respected.
>
> POP, not offhand. Sorry.
>
> You can readily use software that is not so much a proxy server as a
> generic tunnel server, like Peter da Silva's plugdaemon, for instance.
> That would just plug in and "plumb" a POP tunnel from the DMZ machine
> through to your internal machine. However, this would not seem to me
> to add any security; it will happily pass through buffer overflow
> exploits and whatever is coming in on the input stream.
>
> <http://www.taronga.com/plugdaemon/>
>
> If you can't find something that actually understands the POP
> protocol and does bounds-checking on commands and parameters you
> probably haven't added any security over just punching a hole. Though
> you might add a little flexibility in terms of being able to move
> around your internal network later without affecting what's visible.
I THINK Perdition just pipes you through to your destination mail
server, though. Perhaps kind of like what you describe with
plugdaemon. No true proxying. But I want my clients to pick up their
mail from the proxy, and be UNABLE to directly attach to the true
backend mail server.
Thanks very much,
Scott
P.S. Doesn't the Specialist's hat bite? :)
Date: Thu, 27 Feb 2003 15:02:38 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: using qpopper as secure front end "POP proxy" for MS Exchange
5662853471906062 at lists.pensive dot org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <939925662853471906062 at lists.pensive dot org>
User-Agent: Mutt/1.4i
Sendmail, Inc has one that comes with their IMAP server.
It can do the initial auth (plain or via SSL), lookup
the username in LDAP and direct it to the appropriate
server.
First pass wasn't so long to write: Listen on port, pass data
in to server. Basic C (or even perl).
TIS had a proprietary one with Gauntlet, it's basically plug-gw
(TIS FWTK) with some mods. License is not acceptable for
redistrib freely.
google may show some things. Generally, I'm more of a fan of
making exchange go away. It's brutally expensive (far higher
than most managers believe and, for managers who brought it
in, higher than they're willing to share).
Qpopper isn't a proxy. It's not for exchange use.
Quoting scott (scotthenderson at qwest dot net):
> On Thu, 2003-02-27 at 11:20, Clifton Royston wrote:
> > On Thu, Feb 27, 2003 at 09:08:48AM -0700, scott wrote:
> > ...
> > > > I think you need an actual proxy server for what you want to do, and
> > > > presumably one which does a lot of data checking against buffer
> > > > overflows, etc. if you want it to protect the security of the Exchange
> > > > server.
> > > > -- Clifton
> > >
> > > Well, OK, so I need an "actual proxy server". Pardon my OT request
> > > here, but (before I head off into the sunset with my little dilemma...)
> > > I don't know of any such beast. Can anyone name some POP/IMAP proxy
> > > servers?
> >
> > IMAP, yes - Perdition seems to be pretty well respected.
> >
> > POP, not offhand. Sorry.
> >
> > You can readily use software that is not so much a proxy server as a
> > generic tunnel server, like Peter da Silva's plugdaemon, for instance.
> > That would just plug in and "plumb" a POP tunnel from the DMZ machine
> > through to your internal machine. However, this would not seem to me
> > to add any security; it will happily pass through buffer overflow
> > exploits and whatever is coming in on the input stream.
> >
> > <http://www.taronga.com/plugdaemon/>
> >
> > If you can't find something that actually understands the POP
> > protocol and does bounds-checking on commands and parameters you
> > probably haven't added any security over just punching a hole. Though
> > you might add a little flexibility in terms of being able to move
> > around your internal network later without affecting what's visible.
>
> I THINK Perdition just pipes you through to your destination mail
> server, though. Perhaps kind of like what you describe with
> plugdaemon. No true proxying. But I want my clients to pick up their
> mail from the proxy, and be UNABLE to directly attach to the true
> backend mail server.
>
> Thanks very much,
>
> Scott
>
> P.S. Doesn't the Specialist's hat bite? :)
>
From: "Bart" <bart-list at redhanky dot net>
Subject: Correct permissions?
Date: Thu, 27 Feb 2003 20:45:45 -0000
I receive the following error message when attempting to collect email:
-ERR [SYS/TEMP] Failed to create /var/mail/.bart.pop with uid 1000, gid 0.
Change permissions.
What should the correct permissions be?
Currently they're as follows:
-rwxrwxr-x 1 bart users 5753 Feb 27 20:09 Mailbox
Many thanks,
Bart
Date: Thu, 27 Feb 2003 16:56:32 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: Correct permissions?
The pop daemon must be able to write to the /var/mail DIRECTORY.
Oh, and with those permissions on your Mailbox (why it's named
Mailbox is beyond me) allows ANYone to read your mail and anyone
in group USER to write (change) your mail.
Quoting Bart (bart-list at redhanky dot net):
> I receive the following error message when attempting to collect email:
> -ERR [SYS/TEMP] Failed to create /var/mail/.bart.pop with uid 1000, gid 0.
> Change permissions.
>
> What should the correct permissions be?
>
> Currently they're as follows:
> -rwxrwxr-x 1 bart users 5753 Feb 27 20:09 Mailbox
>
> Many thanks,
> Bart
Date: Thu, 27 Feb 2003 11:58:45 -1000
From: Clifton Royston <cliftonr at lava dot net>
Subject: Re: Correct permissions?
On Thu, Feb 27, 2003 at 08:45:45PM -0000, Bart wrote:
> I receive the following error message when attempting to collect email:
> -ERR [SYS/TEMP] Failed to create /var/mail/.bart.pop with uid 1000, gid 0.
> Change permissions.
>
> What should the correct permissions be?
It's the directory permissions for /var/mail you need to look at.
(If the temp file should not be created there, you have a configuration
problem.)
> Currently they're as follows:
> -rwxrwxr-x 1 bart users 5753 Feb 27 20:09 Mailbox
That's in your home directory, not in /var/mail, I'd assume.
-- Clifton
--
Clifton Royston -- LavaNet Systems Architect -- cliftonr at lava dot net
"If you ride fast enough, the Specialist can't catch you."
"What's the Specialist?" Samantha says.
"The Specialist wears a hat," says the babysitter. "The hat makes noises."
She doesn't say anything else.
Kelly Link, _The Specialist's Hat_
Date: Fri, 28 Feb 2003 16:09:54 +0100
From: Bernt Guldbrandtsen <bg at genetics.agrsci dot dk>
Subject: Qpopper/SSL problem
Hi,
When trying to run qpopper with ssl support I keep running into a problem
that appears to be SSL-related.
We're running Qpopper 4.0.4 with OpenSSL 0.9.7a under AIX 4.3.3.0 compiled
with gcc-3.2.2.
In /etc/services I've got
spop3 995/tcp # SSL/POP3
In /etc/inetd.conf I've got
spop3 stream tcp nowait root /usr/local/etc/popper-4.0.4
popper-4.0.4 -s -f /usr/local/etc/qpopper.conf
/usr/local/etc/qpopper.conf contains
set tls-support = stls
set tls-server-cert-file = /etc/mail/certs/cert.pem
The certificate is self-signed
Hence, I think everything is set up according to the FAQ
(http://www.eudora.com/qpopper/faq.html#tls).
qpopper was configured with
./configure --with-openssl=/path/to/openssl --enable-log-login
When I run Netscape 7.02's mail client with "Use secure connection (SSL)"
checked the connection hangs and only terminates on clicking the "Stop"
button in the mail client. In the logfile I get the following entries:
Feb 28 15:47:52 node02 popper-4.0.4[45588]: (null) at hag-i001.agrsci.dk
(172.20.128.66): -ERR Unknown command: "^Àf^A^C^A".
Feb 28 15:47:57 node02 popper-4.0.4[45588]: (null) at hag-i001.agrsci.dk
(172.20.128.66): -ERR POP EOF or I/O Error
The latter entry clearly is the consequence of clicking the "Stop" button.
Using the same client as an ordinary pop-client (i.e. without ssl) on port
110 works fine. Pretty clearly this is an SSL-related problem but I cannot
figure out what it should be.
Any help would therefore be much appreciated.
Best regards,
Bernt Guldbrandtsen
Date: Fri, 28 Feb 2003 16:52:43 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Qpopper + SSL + Eudora
At 4:24 PM +0100 2/18/03, Remy Zandwijk wrote:
> Hi list.
>
> I installed Qpopper 4.0.4, running as standalone binary. SSL is enabled
> and is working correct when users use Outlook. However, when my users
> use Eudora (V5.1) and the have choosen to use STLS, it appears there is
> no mail in the spool for them. When disabling STLS, there is mail.
>
> The logfile reports 'possible probe for account...' and 'TLS shutdown error'.
>
> What causes this behaviour?
There is an incompatibility between the TLS/SSL libraries used in
Eudora and recent OpenSSL changes. Try using the latest Qpopper
4.0.5b version, and set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in your
Qpopper configuration file; for example, in the file add 'set
tls-options = 0x00000800'
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
Whenever people agree with me I always feel I must be wrong.
--Oscar Wilde
Date: Fri, 28 Feb 2003 18:21:40 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: using qpopper as secure front end "POP proxy" for MS
At 11:39 AM -0700 2/27/03, scott wrote:
> understands the POP protocol and does bounds-checking on commands
> and parameters
You could use fetchmail and Qpopper. Set up fetchmail to
periodically fetch mail for the target users from the Exchange server
and deposit the mail into a spool on the DMZ server. Tell it to not
delete the mail, just fetch new messages. Then users can connect in
and get at their mail. Downside: when they get back, all their mail
will still be there.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
The nice thing about standards is that there are so many of
them to choose from. --Andrew S. Tanenbaum
Date: Sun, 02 Mar 2003 18:57:26 +0200
From: Roman Gavrilov <romio at il.aduva dot com>
Subject: qpopper ssl/tls
Is it possible to run qpopper with ssl as non privileged user i.e root ?
--
-----------------------------------------------------------------------------
Roman Gavrilov
Aduva Inc., Web Development Services.
work +972-3-7534373 mobile +972-54-834668
romio at aduva.com, romio at netvision dot net dot il
Date: Sun, 2 Mar 2003 12:30:44 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: qpopper ssl/tls
Quoting Roman Gavrilov (romio at il.aduva dot com):
> Is it possible to run qpopper with ssl as non privileged user i.e root ?
qpopper needs to be able to read all the mail files.
Root does that.
Date: Sun, 2 Mar 2003 09:55:00 -0800 (PST)
From: Gregory Hicks <ghicks at cadence dot com>
Subject: Re: qpopper ssl/tls
> Date: Sun, 2 Mar 2003 12:30:44 -0500
> From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
> To: Subscribers of Qpopper <qpopper at lists.pensive dot org>
> Subject: Re: qpopper ssl/tls
>
> Quoting Roman Gavrilov (romio at il.aduva dot com):
> > Is it possible to run qpopper with ssl as non privileged user i.e
root ?
>
> qpopper needs to be able to read all the mail files.
> Root does that.
Good reason, but not the right one... (*I* think...)
qpopper doesn't real ALL the mail files, just one. qpopper needs to be
able to assume the identity of the user that wants to download the
mail. This "...assume the identity of..." is why root... Although
since the user has to provide their password, this might not be the
right reason...
My own thoughts, possibly wrong, but ...
Regards,
Gregory Hicks
---------------------------------------------------------------------
Never attribute to malice that which is adequately explained by
ignorance or stupidity.
Asking the wrong questions is the leading cause of wrong answers
"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
Date: Sun, 2 Mar 2003 13:31:12 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: qpopper ssl/tls
On Sun, 2 Mar 2003, Gregory Hicks wrote:
> Good reason, but not the right one... (*I* think...)
You're right, it isn't.
> qpopper doesn't real ALL the mail files, just one. qpopper needs to be
> able to assume the identity of the user that wants to download the
> mail.
Which is why Qpopper switches to the ID of that user and drops all
privileges after authentication. If it didn't, permissions in the mail
spool directories wouldn't be as critical as they are - root can do
anything.
The REAL reason qpopper has to run as root is that it binds to a port
(or ports) under 1024 - which requires root privileges, and must be able
to switch to the user ID logging in after authentication.
It might be possible to run as root, bind to the port, then drop
privileges and then switch to the login UserID later, but some systems
will prevent switching userids from low privilege accounts and this
would require an authentication interface (which is there in some
systems, but not all) instead of direct access to /etc/shadow.
When running out of inetd, Qpopper only runs as root long enough to
verify passwords... :-)
Date: Sun, 2 Mar 2003 20:07:06 -0500 (EST)
From: Homer Wilson Smith <homer at lightlink dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
> On Wed, 26 Feb 2003, Kenneth Porter wrote:
>
> > That sounds backwards. Have all mail delivered to a hub, which then
> > delivers it to multiple machines running POP3 and IMAP services.
> >
> > Perhaps you could post info explaining your motivation for wanting such a
> > beast?
Not sure who this was directed at but since I posted the original
request here is our situation.
sendmail and qpopper exist on same machine.
The machine is being flooded by spam etc driving load
high. This affects perceived responsiveness of popper.
I would like to spread the incoming mail load across many
incoming mail servers, and yet have all of it go to one pop server
since the demands of reading mail are insignificant compared to
the demands of dealing with incoming connections and filtering
the spam.
Maybe I got this backwards, maybe 100's of sendmail's driving my load
to 40 and a few poppers driving it to 1 or 2 is my mis configuration error
:)
POint is that most incoming e-mail is spam and cpu and connection
resources dealing with the spammers and their spam is many times what
is necessary to read the valid e-mail that is finally delivered to
quiet and well behaved mailboxes.
Homer
Date: Sun, 2 Mar 2003 20:10:59 -0500 (EST)
From: Homer Wilson Smith <homer at lightlink dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
> Why?
> With Linux, unlikely (NFS is, er, egregious, esp before 2.4.x).
>
> Sendmail delivers all mail to one machine. One machihne delivers
> mail locally which qpopper serves.
>
> Anything wrong with that?
Yes, the load engendered by sendmail is being overwhelmed by
spammers, the load engendered by popper is almost nothing. We want
the reading to be on one machine that is not under constant strain,
and also be able to put in more than one round robin sendmail machine,
as many as necessary to deal with the spam that all deliever valid
e-mail to the popper machine drives.
Homer
>
> Quoting Homer Wilson Smith (homer at lightlink dot com):
> > Running,
> >
> > Linux 2.0.38 or 2.4.x,
> > sendmail 8.8.8 or 8.12.x
> > procmail 3.22
> > qpopper 4.0.2
> >
> > Is there any way to run qpopper on one machine and sendmail/procmail
> > on multiple other machines, and allow sendmail/procmail to deliver mail to
> > drives that popper can read without corrupting mailboxes?
> >
> > Pointers to RTFM encouraged as well as direct answers.
> >
> > Thanks in advance,
> >
> > Homer
> >
> > ------------------------------------------------------------------------
> > Homer Wilson Smith The Paths of Lovers Art Matrix - Lightlink
> > (607) 277-0959 KC2ITF Cross Internet Access, Ithaca NY
> > homer at lightlink.com In the Line of Duty http://www.lightlink dot com
>
Date: Sun, 2 Mar 2003 20:12:29 -0500 (EST)
From: Homer Wilson Smith <homer at lightlink dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
> > That sounds backwards. Have all mail delivered to a hub, which then
> > delivers it to multiple machines running POP3 and IMAP services.
> >
> > Perhaps you could post info explaining your motivation for wanting such a
> > beast?
>
> High Availability pop3 access springs to mind.
>
> There are proabbly better ways though.
Well I am certainly open to suggestions.
The spam is causing war time conditions here. We haven't been
able to concentrate on filtering the spam because there is so
much coming in we can't even deal with the number of connections
hitting on the server.
Homer
Date: Sun, 02 Mar 2003 20:06:44 -0600
From: Len Conrad <LConrad at Go2France dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
> Well I am certainly open to suggestions.
>
> The spam is causing war time conditions here. We haven't been
>able to concentrate on filtering the spam because there is so
>much coming in we can't even deal with the number of connections
>hitting on the server.
My free project at IMGate.MEIway.com has saved the bacon for many
ISP's. It's not only for Imail or FreeBSD, it just started out that
way. It runs in front of Imail, sendmail, Lotus, Exchnage, etc because
it's a pure SMTP relay.
Putting an mailbox server as MX is simply asking for the kind DoS you are
experiencing.
Len
Date: Mon, 3 Mar 2003 04:06:00 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Sun, 2 Mar 2003, Homer Wilson Smith wrote:
> sendmail and qpopper exist on same machine.
>
> The machine is being flooded by spam etc driving load
> high. This affects perceived responsiveness of popper.
It's not your popper playing up, nor is it your sendmail, it's your spam
filtering.
> Maybe I got this backwards, maybe 100's of sendmail's driving my load
> to 40 and a few poppers driving it to 1 or 2 is my mis configuration error
> :)
Hint: Look at the MaxDaemonChildren and Throttle parameters in sendmail.cf
At a LA of 40, your machine is dead anyway. It should be refusing
inbound connections at around 6-12 and you should limit the number of
concurrent connections somewhat.
The mailserver I had handling 1-2 million messages/day was only a
k6/400. Tweaking sendmail makes a big difference.
AB
Date: Mon, 3 Mar 2003 04:20:58 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Sun, 2 Mar 2003, Len Conrad wrote:
> My free project at IMGate.MEIway.com has saved the bacon for many
> ISP's. It's not only for Imail or FreeBSD, it just started out that
> way. It runs in front of Imail, sendmail, Lotus, Exchnage, etc because
> it's a pure SMTP relay.
People may also want to check out www.messagewall.org
Date: Mon, 3 Mar 2003 13:16:37 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Mon, 3 Mar 2003, Steve Hillman wrote:
> At 04:06 AM 3/3/2003 -0500, you wrote:
> >The mailserver I had handling 1-2 million messages/day was only a
> >k6/400. Tweaking sendmail makes a big difference.
>
> Just curious - Sendmail and qpopper (or some other popper) on the one box,
> or just sendmail acting as an MX?
Both on the same box, with some level of spam filtering too - using
DNSBLs (light load) and Spam Assassin (tagging only).
I had to update from a 486 to handle body tagging. Spam Assassin is
/bin/sh based so was killing the machine.
Perl based filtering agents have the same (or worse) problem. The
startup load for a dozen parallel perl proceses can quickly kill a
ramstarved (< 256Mb) machine.
Memory is more important than CPU most of the time - if you start
hitting swap, you're only going to run as fast as your hard drives, even
if you have a 200GHz Itanium processor from5 years in the future.
AB
Date: Mon, 03 Mar 2003 14:23:53 -0800
From: Kenneth Porter <shiva at sewingwitch dot com>
Subject: sendmail vulnerability, DRAC
FYI, for the sendmail/DRAC users on the list:
<http://rhn.redhat.com/errata/RHSA-2003-073.html>
<http://www.cert.org/advisories/CA-2003-07.html>
I updated my Red Hat 7.2 servers but found that DRAC became inaccessible.
sendmail complained that it couldn't open the DRAC btree database. I'm
still investigating, but I've temporarily disabled DRAC by commenting it
out in sendmail.mc. I suspect that the Red Hat errata packages were
compiled with a different version of the DB library, but it's reading my
other DB's such as aliases and virtusertable fine.
Date: Mon, 3 Mar 2003 17:42:37 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
On Tue, 4 Mar 2003, Simon Byrnand wrote:
> >Both on the same box, with some level of spam filtering too - using
> >DNSBLs (light load) and Spam Assassin (tagging only).
Bah, I meant Spambouncer.
> Whether you use Spam Assassin for "tagging only" or sorting spam into other
> folders, the load is the same. It is the tests that determine if it is spam
> or not which take most of the CPU time.
Yes, and people tend to fail to take it into account.
> Umm, not sure what you mean by /bin/sh based - Spam Assassin is most
> definately Perl based.
See above.
> >Perl based filtering agents have the same (or worse) problem. The
> >startup load for a dozen parallel perl proceses can quickly kill a
> >ramstarved (< 256Mb) machine.
>
> Which is why Spam Assassin gives you the option of using the spamc/spamd
> client server pair.
If you can deal with the security risks. There has already been one
advisory about it. :-(
Messagewall is probably a better overall solution for filtering, it's a
SMTP proxy.
AB
Date: Tue, 04 Mar 2003 11:34:51 +1300
From: Simon Byrnand <simon at igrin.co dot nz>
Subject: Re: QPOPPER SENDMAIL/PROCMAIL: AND NFS
At 13:16 3/03/03 -0500, Alan Brown wrote:
This is a bit off topic, but....
>On Mon, 3 Mar 2003, Steve Hillman wrote:
>
> > At 04:06 AM 3/3/2003 -0500, you wrote:
> > >The mailserver I had handling 1-2 million messages/day was only a
> > >k6/400. Tweaking sendmail makes a big difference.
> >
> > Just curious - Sendmail and qpopper (or some other popper) on the one box,
> > or just sendmail acting as an MX?
>
>Both on the same box, with some level of spam filtering too - using
>DNSBLs (light load) and Spam Assassin (tagging only).
Whether you use Spam Assassin for "tagging only" or sorting spam into other
folders, the load is the same. It is the tests that determine if it is spam
or not which take most of the CPU time.
>I had to update from a 486 to handle body tagging. Spam Assassin is
>/bin/sh based so was killing the machine.
Umm, not sure what you mean by /bin/sh based - Spam Assassin is most
definately Perl based.
>Perl based filtering agents have the same (or worse) problem. The
>startup load for a dozen parallel perl proceses can quickly kill a
>ramstarved (< 256Mb) machine.
Which is why Spam Assassin gives you the option of using the spamc/spamd
client server pair.
One spamd daemon (a full perl copy of spamassassin) runs in the background
waiting for connections. It uses approximately 15MB of ram, and because its
running all the time, that is preloaded.
spamc is a very small C program that connects to spamd, and has a
neglibible startup time or memory footprint. Each spamc request causes
spamd to fork off a process to handle it, but because of copy on write VM
there is no startup overhead or memory overhead in forking that new spamd
child.
>Memory is more important than CPU most of the time - if you start
>hitting swap, you're only going to run as fast as your hard drives, even
>if you have a 200GHz Itanium processor from5 years in the future.
Indeed.
Regards,
Simon
Date: Tue, 04 Mar 2003 01:18:48 -0500
Subject: qpopper on tru64
From: <ldg at ulysium dot net>
Hi all,
I'd like to share some experiences that I have with qpopper on tru64 and ask
a couple of questions at the same time.
qpopper comes bundled with tru64 as the default pop server but even the
latest version of tru64 doesn't come with the latest qpopper.
So I've been working on compiling the latest qpopper and I have a few
details to report that may help others having the same problems and perhaps
clear up some questions about the effect of the "fixes".
I've tried compiling qpopper 4.0.4 on tru64 v5.1 and then on v5.1b, there is
an error that occurs on v5.1 when it needs /usr/include/netdb.h which
doesn't occur on v5.1b, so I assume there was some fix done about that, not
on qpopper but on tru64.
The error is on the definition of n_net which has some conflict on its type
when it is attempted at being redefined. that error happens on line 127 of
netdb.h on v5.1 from a prior definition a few lines before (line 122) where
a type of unsigned long is given to n_net but that type is already defined
somewhere else as unsigned int, but this doesn't happen on 5.1b because that
line 122 isn't there at all, so there is no conflict there.
In this case, my quick "fix" was simply to rem out that line 122 in netdb.h
to prevent that error from happening and the compilation goes further then.
Now here's a question, is this ok to rem out that line (or just remove it)?
Will it break something else?
I made that change in the library and didn't touch the source of qpopper
because that library is actually changed that way in the latest version of
tru64, so I assumed it would be ok and it would sort of be like an
"upgrade". Is that wrong?
When that error is removed that way, an other happens in popauth.c with the
definition of srandom:
popauth.c, line 130: In this declaration, the type of "srandom" is not
compatible with the type of a previous declaration
of "srandom" at line number 319 in file /usr/include/stdlib.h. (notcompat)
extern void srandom();
this happens on both tru64 v5.1 and v5.1b, and I changed the void into an
int to make it compatible, but this time I made the change in the qpopper
source of popauth.c
That's my other big question, is this change from void to int of srandom in
popauth.c ok to make? will it break anything?
This is what I had to do to make this work on both tru64 v5.1 and v5.1b for
qpopper to compile all the way. But I'm wondering if what I did caused a
possible bug, fixed it or is something so benign that it won't matter...
Now on an other note about that small change on the netdb.h header, this
particular error on that n_net variable happens in many packages, including
sendmail and since that change I mentioned above was actually made in tru64
v5.1b, I didn't think it would be a big risk and it may actually fix several
compilation problems in several packages in the process.
--
Didier Godefroy
mailto:dg at ulysium dot net
Date: Tue, 4 Mar 2003 15:52:49 -0800 (PST)
From: Chris Miller <ctodd at netgate dot net>
Subject: Mailbox corrupt by disk quota
Hello,
I've been having problems with qpopper corrupting mailboxes when a
user is at their disk quota. Here's the background;
* User has a disk quota in /var/mail where mail is spooled (by
sendmail/procmail).
* User is close to or at disk quota due to "leave mail on server" setting.
* User pops mailbox, mail gets copied to a tempdrop on a different
filesystem with no quota (.user.pop file).
* Mail gets delivered to spool directory (/var/mail) during pop session
since the mailbox and quota are empty.
* Qpopper fails to copy mail back in it's entirety to spool directory due
to a quota violation (i.e. old mail + new mail > quota).
* Mailbox gets written up to quota limit resulting in the first header
of message being corrupted. The first line is binary data the size of the
quota. For example, if the quota is 10MB the first line would be 10MB in
size. Delete the first line and the mailbox returns to the size of the
message just delivered in the box (a few hundred k bytes).
* Subsequent popper sessions result in the following error :
-ERR [SYS/PERM] Unable to process From lines (envelopes), change
recognition modes or check for corrupted mail drop.
The problem seems to stem from the fact that qpopper does not lock the
mail spool file during the entire popper process. A .lock file is created
in /var/mail while the spool is copied to the temp drop directory, then
removed while the .user.pop file is being processed during the session.
Procmail (used as the LDA) respects .lock files and would not be able to
deliver mail if the mailbox was locked during the entire popper session,
I've tested this.
I've looked through the list archives (not searchable :-( ) and do not see
any report of this exact problem. I did however find an indication that
per the RFC that locking the mailbox during the entire popper process is
allowed. Previous versions of Qpopper did not corrupt mailboxes, but did
leave the mail behind in the tempdrop directory. The release notes
indicated that Qpopper 4.0 is supposed to handle disk quotas more
gracefully but this doesn't appear to be the case in my situation.
I'm running BSD/OS 4.3 with user quota on /var, but not on /usr
(tempdrop) Here's the compile and runtime options.
compile :
# --sbindir=/usr/local/libexec --libexecdir=/usr/local/libexec
# --enable-keep-temp-drops
# --enable-temp-drop-dir=/usr/local/var/mailtmp
# --enable-log-facility=LOG_LOCAL1
# --enable-log-login
# --enable-specialauth
# --enable-uw-kludge
# --enable-debugging
inetd :
pop stream tcp nowait root /usr/local/libexec/popper popper
-s -c -C
Due to user requirements, I cannot force them to remove mail from server.
Is the above a known bug, or is there an option I can change to fix this?
Regards,
Chris
From: "redlineracerx" <redlineracerx at hotmail dot com>
Subject: qpopper on suse 8.1
Date: Tue, 4 Mar 2003 17:43:15 -0800
Hi all,
I am having a heck of a time getting qpopper to even start on suse 8.1..
can anyone offer some help. I have uncommented the lines in initd.conf
and reloaded. still does not start.
Thanks,
-paul
Date: Wed, 05 Mar 2003 13:34:02 -0500
From: Matt Garretson <mattg at assembly.state.ny dot us>
Subject: Re: Mailbox corrupt by disk quota
Chris Miller wrote:
> I've been having problems with qpopper corrupting mailboxes when a
> user is at their disk quota. Here's the background;
Yes, this happens to us on a weekly basis, too. I find that
the mailbox can be pretty much reconstructed using a combination
of the temp pop drop and part of the corrupted spool file. If
you want, i can supply the exact steps i use to do this. There's
a chance that a message or two might get lost in this process, but
i don't sweat it too much anymore. Though it would be nice if
the problem never came up in the first place.
-Matt
Date: Wed, 5 Mar 2003 10:51:00 -0800 (PST)
From: Chris Miller <ctodd at netgate dot net>
Subject: Re: Mailbox corrupt by disk quota
Matt,
what OS are you running? Yes, I have a process too, and this one
doesn't lose mail :-).
head -1 /var/mail/user | strings > /var/mail/user.tmp
wc -l /var/mail/user (subtract 1)
tail -(above value) >> /var/mail/user.tmp
cp /var/mail/user.tmp /var/mail/user
One thing that is strange is that the quota command does not show the size
of the corrupt mailbox, but what the good mailbox size was. This puzzles
me because qpopper is not suid so the user really was writing the data
when the failure occured. Anyone have any suggestions on fixing this? Glad
it's not just me.
Regards,
Chris
On Wed, 5 Mar 2003, Matt Garretson wrote:
> Chris Miller wrote:
> > I've been having problems with qpopper corrupting mailboxes when a
> > user is at their disk quota. Here's the background;
>
>
> Yes, this happens to us on a weekly basis, too. I find that
> the mailbox can be pretty much reconstructed using a combination
> of the temp pop drop and part of the corrupted spool file. If
> you want, i can supply the exact steps i use to do this. There's
> a chance that a message or two might get lost in this process, but
> i don't sweat it too much anymore. Though it would be nice if
> the problem never came up in the first place.
>
> -Matt
>
Date: Wed, 5 Mar 2003 14:20:20 -0500 (EST)
From: Vasilios Hoffman <vhoffman01 at wesleyan dot edu>
Subject: X-UIDL
Hi,
I'd like to upgrade from qpopper3.11 to qpopper4.0.4. The only real
problem I've encountered is that we've been running qpopper3.11 in
server mode, without it updating the X-UIDL headers on disk.
using qpopper4.0.4 in server mode with update-status-headers turned off,
we get the same functionality.
BUT the X-UIDL headers calculated by qpopper4.0.4 seem to be different, as
pop clients will download a second copy when you switch from qpopper3.11
to qpopper4.0.4.
Is there a known work-around for this? I've been playing on a test-box,
and if I use a pop client to check mail with popper3.11 not in server mode
such that it DOES write X-UIDL headers, than switch to a popper4.0.4 in
server mode, it's fine as it doesn't recalculate the already calculated
headers.
but this would mean finding a way to force X-UIDL calculation by
popper3.11 for all the mailspools right before the transition. huge pain
in the butt, if even plausible to do.
So any ideas? Is there a secret popper-3.11-uidl-compatability mode?
thanks,
-V
p.s. solaris 8, sparc, gcc, etc.
Last updated on 5 Mar 2003 by Pensive Mailing List Admin