=========================================================================
	     README netqmail-1.06-smtpd SMTP-AUTH Extension
	http://www.gentei.org/~yuuji/software/qmail-smtpd-auth-ext/
=========================================================================


Description:
------------

This patch is a modified version of Erwin Hoffmann - Hoehn's
qmail-smtpd SMTP Authentication 0.51 (2010-02-08) patches.
It has been modified so that it applies to the source of
netqmail-1.06 + netqmail-1.06-tls-20110119.patch(*).

(*) http://inoa.net/qmail-tls/ - Qmail-TLS patch


Installation:
-------------

# tar zxpf netqmail-1.06.tar.gz
# cd netqmail-1.06
# cat <SomeWhere>/netqmail-1.06-tls-20110119.patch | patch -p2
# cat <SomeWhere>/qmail-smtpd-auth-ext-5.diff | patch -p1

And then, follow the instructions in the file netqmail-1.06-tls-20110119.patch
and README.auth.

Setup:
------
You should read the documentation of the TLS patch and README.auth.
Here is a digest.

* CERTS
# cd /var/qmail/control
# openssl req -new -x509 -nodes -out servercert.pem \
	-keyout servercert.pem -days 3650
# openssl ciphers > tlsclientciphers
# openssl ciphers > tlsserverciphers

* Invocation with daemontools
Here is a typical `run' script.
-----------------------------------------------
#!/bin/sh
exec env - \
PATH=/var/qmail/bin:$PATH \
AUTHTLS=1 \
envuidgid qmaild softlimit -d3000000 \
tcpserver -vR -p -c40 -U 0 submission qmail-smtpd cmd5apoppw /usr/bin/true 2>&1
-----------------------------------------------

The cmd5apoppw command is described in the section "cmd5*" below.
AUTHTLS=1 inhibits plain-text transport of the password; that is,
the client should activate TLS for auth-login.
If the administrator doesn't care about plain-text communication,
omit the AUTHTLS=1 line.  Note that if the system uses cmd5apoppw,
password leakage doesn't have a DIRECT impact on system security
because the mail password is independent of the system password.  Of course,
it is a breach of privacy and has an indirect impact on system security,
for example when a user always exchanges administrative information
in plain-text email.  That is a matter of literacy, not of the Internet
protocol.
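
The following script is an added example, not part of this patch or of
README.auth.  It audits daemontools `run' scripts like the one above and
flags those that start qmail-smtpd with an auth checker but without
AUTHTLS=1.  The function names, exit codes and sample file names are
hypothetical.

```shell
#!/bin/sh
# Added example, not part of the patch. Assumptions: only the checkers named
# in this README (cmd5apoppw, cmd5checkpw) are recognised, and AUTHTLS must be
# set to exactly 1 before the qmail-smtpd command line.

# audit_run_script FILE
# returns 0: AUTH with AUTHTLS=1, 1: AUTH without AUTHTLS=1, 2: no AUTH checker
audit_run_script() {
    awk -v f="$1" '
        /^[ \t]*#/ { next }    # ignore comment lines (e.g. a commented-out AUTHTLS=1)
        # Join backslash-continued physical lines into one logical line.
        { if (sub(/\\$/, " ")) { buf = buf $0; next } line = buf $0; buf = "" }
        line ~ /(^|[ \t;])AUTHTLS=1([ \t;]|$)/ { tls = 1 }
        line ~ /qmail-smtpd[ \t]+([^ \t]*\/)?cmd5(apoppw|checkpw)([ \t]|$)/ {
            auth = 1
            if (!tls) plain = 1    # AUTHTLS=1 set later in the file is too late
        }
        END {
            if (!auth) { print f ": no SMTP AUTH checker on qmail-smtpd"; exit 2 }
            if (plain) { print f ": AUTH offered WITHOUT AUTHTLS=1"; exit 1 }
            print f ": AUTH requires TLS (AUTHTLS=1)"
        }
    ' "$1"
}

# write_samples DIR: constructed input, the run script above with and
# without its AUTHTLS=1 line.
write_samples() {
    cat > "$1/run.tls" <<'EOF'
#!/bin/sh
exec env - \
PATH=/var/qmail/bin:$PATH \
AUTHTLS=1 \
envuidgid qmaild softlimit -d3000000 \
tcpserver -vR -p -c40 -U 0 submission qmail-smtpd cmd5apoppw /usr/bin/true 2>&1
EOF
    grep -v '^AUTHTLS=1' "$1/run.tls" > "$1/run.plain"
}

# Stand-alone use: audit the files given as arguments, else the samples.
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d) && write_samples "$d" && set -- "$d/run.tls" "$d/run.plain"
fi
for f in "$@"; do audit_run_script "$f" || true; done
if [ -n "${d:-}" ]; then rm -rf "$d"; fi
```

Run it with the paths of your own run scripts as arguments; with no
arguments it audits the two constructed samples.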


cmd5*:
------
You might want to use smtp-auth with qmail-smtpd.  For that, you also need
to install cmd5checkpw or cmd5apoppw(*2).

(*2) http://www.gentei.org/~yuuji/software/qmapop-smtp-auth/

We recommend using the cmd5apoppw program, with which users can manage
their mail passwords by themselves and can have a separate password for
each mail address extension.

* User mail password manipulation in the cmd5apoppw scheme
Each user's mail password should be stored in their own ~/.apop file.
The ~/.apop password file can be created with the `apoppasswd' command.
  % apoppasswd
    (New password twice)
If a user wants to use the mail extension `user-ext', its password can
be set as follows:
  % apoppasswd -e ext
The password file for `user-ext' is ~/.apop-ext.


-- 
HIROSE, Yuuji yuuji_at_yatex.org 2014-10-29
