On Thu, 26 Feb 2004 22:37:21 -0600
"David Phillips" <david at acz.org> wrote:

> Josh Truwtin writes:
> > Thanks for the suggestion, now I have pop-ssl running - works pretty
> > good, except that it doesn't gel well with relay-ctrl which I use
> > for - you guessed it - relay control.  :)
> 
> Ah, in that case use sslserver.  It will work correctly for qmail-pop3d and
> qmail-smtpd (it supports the same tcprules database as tcpserver).

I found this: http://multivac.cwru.edu/#quickies (check the 4th link in the Quick Hacks section).  My run file now looks like:

#!/bin/sh
# qmail-pop3sd/run
# daemontools run script for qmail pop3s service
# ** ucspi-ssl: ssl enabled **
# ===
CONLIMIT=31
POPDIR="Maildir"
POPHOST="trutwins.homeip.net"

# relay-ctrl expects tcpserver, to get around this,
# set env var and use perl script uspci-proto-hack
# http://multivac.cwru.edu/#quickies
# see /etc/relay-ctrl/NEWPROTO

exec 2>&1
echo "*** Starting qmail-pop3sd (ssl)..."
echo "*** >> configured for maildir: ${POPDIR}"
exec /usr/local/bin/softlimit -m 5000000 \
    /usr/local/bin/envdir /service/qmail-pop3sd/env \
    /usr/local/bin/envdir /etc/relay-ctrl \
    /usr/local/bin/relay-ctrl-chdir \
    /usr/local/bin/sslserver -v -R -H -l 0  \
    -c ${CONLIMIT} \
    -x /etc/tcp.pop3s.cdb \
    0 995 \
      /var/qmail/bin/qmail-popup ${POPHOST} \
      /usr/local/bin/checkvpw \
      /usr/local/bin/uspci-proto-hack \
      /usr/local/bin/relay-ctrl-allow \
      /var/qmail/bin/qmail-pop3d ${POPDIR} 2>&1

Seems to work pretty well.

> > Does Binc support multiple authentication methods like Courier?  I
> > first have courier authenticate against authvmailmgr, then authmysql
> > for the few users I don't have under vmailmgr.
> 
> It supports the checkpassword interface, which is the interface that
> qmail-pop3d uses.  I don't know if there is a MySQL checkpassword program,
> but it wouldn't be very difficult to write one.  Check qmail.org.

The nice thing with Courier, and I hope Binc as well, is that you can have it attempt authentication in multiple ways, first MySQL, then LDAP, then /etc/passwd, etc.  If it cannot authenticate in any of the three methods it finally rejects the authentication.  That's my only concern with Binc for migrating.  

Josh

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
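
The ordered fallback discussed in the thread, sketched against the checkpassword input format (login, password and timestamp, each NUL-terminated, at most 512 bytes on descriptor 3). This is an added example, not code from the thread, Binc or Courier. The backends are constructed in-memory tables standing in for MySQL/LDAP/passwd lookups, and returning 111 when a backend was unreachable and no other accepted the login is a design assumption.

```python
import hmac

# Exit codes defined by the checkpassword interface.
EXIT_OK, EXIT_REJECT, EXIT_MISUSE, EXIT_TEMPFAIL = 0, 1, 2, 111
MAX_INPUT = 512  # the interface allows at most 512 bytes on descriptor 3


def parse_checkpassword(data: bytes):
    """Split b'login\\0password\\0timestamp\\0' into its three fields."""
    if len(data) > MAX_INPUT:
        raise ValueError("input longer than 512 bytes")
    parts = data.split(b"\0")
    # Three NUL-terminated fields yield at least four pieces.
    if len(parts) < 4 or not parts[0]:
        raise ValueError("malformed checkpassword input")
    return parts[0], parts[1], parts[2]


def table_backend(table):
    """Constructed stand-in for a real lookup; raises OSError if unreachable."""
    def check(login, password):
        stored = table.get(login)
        if stored is None:
            return False
        # Constant-time comparison; a real backend would compare hashes.
        return hmac.compare_digest(stored, password)
    return check


def authenticate(data: bytes, backends) -> int:
    """Try each backend in order and return a checkpassword exit code."""
    try:
        login, password, _timestamp = parse_checkpassword(data)
    except ValueError:
        return EXIT_MISUSE
    tempfail = False
    for check in backends:
        try:
            if check(login, password):
                return EXIT_OK
        except OSError:
            tempfail = True  # backend unavailable: keep trying the others
    # Assumption: report a temporary error rather than "bad password"
    # when a backend that might have known the user could not be asked.
    return EXIT_TEMPFAIL if tempfail else EXIT_REJECT
```

A real checkpassword program would read the input from descriptor 3 and, on success, set up the user's environment and run the program named on its command line (qmail-pop3d in the run file above).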