Mailing List Archive

pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 3 Jun 2017, at 12:31, Amitai Schleier wrote:

> I intend to factor all the SMTP AUTH behavior out to a new "ofmipup"
> program, at the end of which I suspect my ofmipd will be identical (or
> very nearly so) to DJB's original, and my three desired config options
> will work like so:
>
> 1. As root, "ofmipup checkpassword ofmipd"
> 2. As root, "ofmipup -u qmaild checkpassword ofmipd"
> 3. As qmaild, "ofmipd"
>
> stunnel has been fine for me, so I plan to avoid learning anything
> about TLS while solving this problem. ;-)

Progress: the above program is now called "authup", I'm nearly finished
with a redesigned approach to SMTP AUTH for qmail, and I've succeeded at
not needing to think much about TLS yet.

acceptutils, once released, will add a handful of small new programs
that fit together nicely with vanilla qmail/netqmail/mess822.

It _may_ offer improved security -- if I've done a good job, I believe
so -- and will definitely offer improved functionality. Teaser: it makes
both ofmipd and pymsgauth useful in new ways.

I'd love to get review and feedback on
https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
might be interested to try it out.

Thanks,

- Amitai
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 28 Apr 2018, at 13:45, Amitai Schleier wrote:

> I'm nearly finished with a redesigned approach to SMTP AUTH for qmail,
> and I've succeeded at not needing to think much about TLS yet.
>
> acceptutils, once released, will add a handful of small new programs
> that fit together nicely with vanilla qmail/netqmail/mess822.
>
> It _may_ offer improved security -- if I've done a good job, I believe
> so -- and will definitely offer improved functionality. Teaser: it
> makes both ofmipd and pymsgauth useful in new ways.
>
> I'd love to get review and feedback on
> https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
> might be interested to try it out.

With my code, vanilla ofmipd (or qmail-smtpd) injects into the queue
with the privileges of the authenticated user. Inspect this message's
headers for something like these:

Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19 -0000
Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000

(I'm UID 1000 on my server.)

As a result, I'm pretty sure you'll be reading this message without my
having seen or manually replied to a qsecretary challenge. Even though
I'm not sending from an MUA directly on the server, pymsgauth will have
handled qsecretary for me.

I'd love to hear comments on my approach :-)

- Amitai
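
The header check described in the message above, as an added example (not part of the original post and not acceptutils code): it finds the ofmipd trace line and reports which account ran qmail-queue for that hop. The "from network", "by alias" and "for bounce" forms are stock qmail-queue trace lines not quoted in this thread, and both sample header blocks are constructed.

```python
import re

# Trace lines prepended by stock qmail-queue; the thread quotes the "by uid" form.
QMAIL = re.compile(r"Received: \(qmail (\d+) invoked "
                   r"(?:by uid (\d+)|(from network|by alias|for bounce))\)")
OFMIPD = re.compile(r"Received: \(ofmipd ")

def unfold(raw):
    """Join folded header continuation lines, then split into header lines."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()

def submission_origin(raw):
    """Report who ran qmail-queue for the ofmipd hop.

    int  -> uid of an ordinary user account
    str  -> one of qmail's own accounts (e.g. "from network" means qmaild)
    None -> no ofmipd line, or no qmail-queue line directly above it
    """
    lines = unfold(raw)
    for i, line in enumerate(lines):
        if OFMIPD.match(line) and i > 0:
            m = QMAIL.match(lines[i - 1])
            if m is None:
                return None
            return int(m.group(2)) if m.group(2) else m.group(3)
    return None

# Constructed sample: the two lines quoted in the message, one of them folded,
# beneath a made-up later hop.
AS_USER = (
    "Received: (qmail 4242 invoked from network); 7 May 2018 14:32:25 -0000\n"
    "Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19\n"
    " -0000\n"
    "Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000\n"
    "Subject: constructed example\n"
)
# Constructed sample: the same hop when qmail-queue runs as qmaild instead.
AS_DAEMON = (
    "Received: (qmail 25831 invoked from network); 7 May 2018 14:32:19 -0000\n"
    "Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000\n"
)

if __name__ == "__main__":
    for name, sample in (("AS_USER", AS_USER), ("AS_DAEMON", AS_DAEMON)):
        print(name, "->", submission_origin(sample))
```
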
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
That looks appealing.

I am using a compiled qmail installation other than netqmail. I will give
it a try and review the patch.

Well done on the great effort.

On Mon, May 7, 2018 at 4:47 PM, Amitai Schleier <schmonz@schmonz.com> wrote:

> On 28 Apr 2018, at 13:45, Amitai Schleier wrote:
>
>> I'm nearly finished with a redesigned approach to SMTP AUTH for qmail, and
>> I've succeeded at not needing to think much about TLS yet.
>>
>> acceptutils, once released, will add a handful of small new programs that
>> fit together nicely with vanilla qmail/netqmail/mess822.
>>
>> It _may_ offer improved security -- if I've done a good job, I believe so
>> -- and will definitely offer improved functionality. Teaser: it makes both
>> ofmipd and pymsgauth useful in new ways.
>>
>> I'd love to get review and feedback on
>> https://schmonz.com/qmail/acceptutils/, and/or to hear from folks who
>> might be interested to try it out.
>
> With my code, vanilla ofmipd (or qmail-smtpd) injects into the queue with
> the privileges of the authenticated user. Inspect this message's headers
> for something like these:
>
> Received: (qmail 25831 invoked by uid 1000); 7 May 2018 14:32:19 -0000
> Received: (ofmipd 127.0.0.1); 7 May 2018 14:31:57 -0000
>
> (I'm UID 1000 on my server.)
>
> As a result, I'm pretty sure you'll be reading this message without my
> having seen or manually replied to a qsecretary challenge. Even though I'm
> not sending from an MUA directly on the server, pymsgauth will have handled
> qsecretary for me.
>
> I'd love to hear comments on my approach :-)
>
> - Amitai
>



--
Shepherd Nhongo

Do not Queue mail with SENDMAIL, send mail with QMAIL

Botswana # +267 744 760 40
Zimbabwe # +263 772 688 072
Re: pre-announce: acceptutils patch (was Re: filtering ofmipd-submitted messages)
On 7 May 2018, at 15:50, Shepherd Nhongo wrote:

> That looks appealing.
>
> I am using a compiled qmail installation other than netqmail. I will
> give it a try and review the patch.
>
> Well done on the great effort.

Thank you for the feedback! It means a lot. I've been working on this
for about a year, on and off, and it'll be very satisfying when I can
finally ship it.

I'm hoping to get the patch released in the next few weeks. It'll be
announced here.

- Amitai
Re: pre-announce: acceptutils patch
acceptutils is my redesigned implementation of SMTP AUTH for qmail. I've
been running it in production for many months now, with no problems that
I can recall.

In that time, I've covered fixsmtpio (the trickiest of the four
acceptutils programs) pretty well with automated tests. And just now
I've test-driven the last feature: loading configuration from
control/fixsmtpio.

I can finally say with confidence that acceptutils will ship this week.
If you're so inclined, now's a great time to give me feedback of any
kind on <URL:https://schmonz.com/qmail/acceptutils>: the documentation,
the design, the config file format (find "these rules" in page and click
to expand), or anything else.

Thanks,

- Amitai

[This message is brought to you by acceptutils and pymsgauth with the
pymsgauth-filter3 patch]