Courier Mail Server

Hi there. I am running Courier 0.35.0 and am trying to set up a whitelist
system for e-mail addresses. The natural solution for this would seem to be
maildrop and .mailfilters/rcptfilter.

The basic code for the filter goes like this:

import SENDER
if ( lookup($SENDER,"whitelist","") )
    EXITCODE = 0
else
{
    echo "Not authorized to send."
    EXITCODE = 92
}

This allows me to maintain the whitelist in a text file without having to
modify the filter code. The problem is that (I think) the lookup function
fails and gives me a "511-maildrop: Unable to open whitelist."

I have read the relevant documentation. whitelist does exist in
$HOME/.mailfilters/.lists, and all files in the .mailfilters tree are
chmodded 600 with the .lists subdir chmodded 700.

What did I miss?

----
L.J. -- "One stands alone ..."

Your smtp server is trying to do a DNS & Ident lookup on the incomming
connection...
Check your TCPDOPTS in the <courierbase>/etc/esmtpd file and add
the -nodnslookup & -noidentlookup flags.
Here's mine.

<snip>
##NAME: TCPDOPTS:1
#
# TCPDOPTS can contain other couriertcpd options, such as
# -nodnslookup and -noidentlookup.
#

TCPDOPTS="-stderrlogger=/usr/courier/sbin/logger -nodnslookup -noidentlookup
"
</snip>



----- Original Message -----
From: James.Duanmu
To: courier-users
Sent: Thursday, August 02, 2001 6:19 AM
Subject: [courier-users] What's up with my esmtp?


I got two ips for my server: 127.0.0.1 and 192.9.198.4(LAN Address)

when I telnet 192.9.198.4 25from the sever ip(192.9.198.4) or telnet
127.0.0.1 from the server, exerything is ok, but when I telnet 192.9.198.4
25 from another computer 192.9.198.5(LAN Address), the "220 linux esmtp"
response apprears so slow that my email client always think that connection
time out.

Another Strange thing: When I connect 192.9.198.4 25 from 192.9.198.5, it
stuck, then I quit the telnet program, but in ps of server, still exist
process: couriertcp ....., the tcp connection still exist when the client is
aborted. So What'up?

Restarting the email server can not solve the problem, but after I reboot
the server(power off and power on) the first 1-3 connections from outside
computer is OK, and after that, all colapse.

For other daemons, pop3, imap are all OK.

Any idea?

Thanks for any input!

James.DM

Albert Yang writes: 

> Hey Sam, 
> 
> I get this in the logs, consequently I can't log in.  I don't know 
> what directory the permission is wrong on. 
> 
> Aug  1 09:10:33 macrohard pop3d: chdir: Permission denied 
> 
> That's all that the logs show, anywhere else I can look to see what 
> permissions is wrong on what directory?

The directory would be either the home directory or the maildir directory 
for this account.  Either the permissions are wrong, or the userid doesn't 
match the one in the authentication record. 

-- 
Sam

Bill Michell writes: 

>> Sure.  Encrypt/decrypt with GnuPG by yourself, then upload the end result 
>> as a binary attachment.  The recipient can download the attachment, and 
>> decrypt it with GnuPG by himself.   
>> 
> I don't know GnuPG but I do know PGP. The chain of trust model allows you 
> to create a long-lived, secure, pass-phrased key on a system you trust, 
> then use it to sign short-lived, less secure keys, with restricted 
> validity (e.g. they can't be used to sign other keys) and without a pass 
> phrase, that can be used in less secure environments. Then, even if your 
> key is compromised, it can be easily revoked and can't be used for too 
> much in the mean time either.

Good idea.  You can even have a weekly (daily?) cron job run GnuPG to create 
a new keypair, sign it, give it the right headers, and mail it to the 
sqwebmail account.  Then, all you have to do each time you receive it is to 
import the keypair, and delete the old keypair. 


-- 
Sam

Hi Sam Varshavchik!

>Yes.  This is why when you use pw2userdb+makeuserdb, userdb.dat gets=20
>searched instead of the passwd file, since authuserdb is listed first.=20

Applies that to pop3d also?=20
Yesterday I had this funny situation:

One username existed as a real mailaccount an by accident was set up as
a virtual account using mysql. So this user had two maildirs, one in the
default location ~/Maildir, the other somewhere else
(/virtual/user/mail) for example.
esmtpd auth was handled by pam but for pop3 the same account was read
out from mysql. that was quit easy to recognize, because of the two
maildirs.=20

I did not follow this issue because it is not a senseful setup and I
have to get it running first before having some mjore experiments...
(see other threat about not accepting mails for local users from
outside)...





Have a nice thread,
Peter

Frederic Corne writes: 

> Hi, 
> 
> Our platforms and others servers use OpenLdap 2.0.11. 
> 
> We wish to use Courier as our Imap server . But it seems that courier 
> requires OpenLdap 1.2.x  
> 
> Is there any workaround ?

Courier-IMAP will compile against openldap 2.0.7.  Apparently there are some 
API changes it 2.0.11 that I haven't yet gotten around to. 


-- 
Sam

Svetozar Mihailov - Dynacord Bulgaria Ltd writes: 

> Hello all,
> I use Redhat 7.0, sendmail + imap. I already have very large mail database ( over 1 GB ). It is possible to convert existing mails to Maildir format?

Yes, it's possible.  You will find a bunch of conversion scripts from mbox 
to maildir on http://www.qmail.org 

 


-- 
Sam

Peter Holm writes: 

> Hi Sam Varshavchik! 
> 
>>This is all documented in the courier(8) man page. 
> 
> Yes, I have read this, that=B4s why I asked. 
> As I understand the docs there can be either an file or an directory
> called "esmtpacceptmailfor" - I did not found anything about a directo=
ry
> called "esmtpacceptmailfor.dir".

It's actually documented in the makeacceptmailfor(8) man page, there's a=
 
reference to it from courier(8). 


-- 
Sam

KK writes: 


> 1. Can't I configure courier-imap to allow email
> clients to allow creation of new folders at the root
> level (by root, i mean at the same level as INBOX)? If
> yes, then how?

No.  See http://www.inter7.com/courierimap/FAQ.html#namespace 

> 2. How do I create new virtual email ids using java
> servlets/perl script dynamically, via internet? i mean

Creating mail accounts is not a part of the IMAP protocol.  IMAP defines the 
protocol to access existing mail accounts only.  You'll have to write your 
own custom, site-specific, code. 

-- 
Sam

Olivier Roset writes: 

> Hi. 
> 
> How to configure a default mailbox for unknow users of my domain ?  
> 
> Example :  If somebody send a mail to toto@... and toto is not a valid user
> , how can I receive the mail in a default mailbox ?? 
> 
> How to create and configure this default mailbox ?

It depends on how the domain was configured - by aliasing it to a local 
mailbox, or by setting it up in hosteddomains. 

See either the makealiases(8) or the makehosteddomains(8) man page. 

-- 
Sam

Jeroen Massar writes: 

> Sam Varshavchik wrote on Wednesday, 01 August 2001 13:51: 
> 
>> A PTR query for the in-addr.arpa zone is no different than a 
>> PTR query for 
>> the ip6.int zone.  It's just a PTR query.  It makes no difference 
>> whatsoever.  I fail to see why even bind8 would croak on a 
>> PTR query for the 
>> ip6.int zone. 
> 
> Indeed.... but... the fact is that ip6.int is quite broken and really
> doesn't serve the reverses
> for the IPv4 mapped addresses (::ffff), at least not at this moment and
> I don't see any ISP filling it in either.

And how different is that from non-resolving IP addresses in in-addr.arpa? 

Not every IPv4 address is to be found in in-addr.arpa either. 

So, what's the problem? 

-- 
Sam

On Thu, 2 Aug 2001, Ivailo Chipev wrote:

> my goal is to use authmysql with courier-imap. when running
> ./configure --with-authmysql i get the following error:
>
> --with-authmysql specified but no mysqlclient.so

Make sure /usr/local/bin is in your path.  The authlib/configure script
contains a mistake (methinks) in that after testing for the mysql_config
script, the script calls for the cflags and libs like this:
        MYSQL_CFLAGS="`$MYSQL_CONFIG --cflags`"
        MYSQL_LIBS="`mysql_config --libs`"
$MYSQL_CONFIG is set by AC_PATH_PROGS, but it'll fail on the libs if
mysql_config isn't in your path.

Otherwise, fix the configure.in script so that both use $MYSQL_CONFIG, and
run configure again (that *should* regen the configure script).

I also notice that the configure script isn't very consistent, using
_SAVE_LIBS in some places and saveLIBS in others.  Is there a particular
style that's adhered to in Courier's code, m4 and otherwise?

-- 
If I had a dollar for every brain that you don't have,
	I'd have one dollar. - Squidward to SpongeBob

Brian Grossman writes: 

> 
> In the case where there's a line like
> 	TCPDOPTS="-stderrlogger=/usr/local/bin/courier-logger"
> in etc/courierd, courierctl.start misparses.  The sed that is supposed
> to turn that into "export TCPDOPTS" turns it into
> 	export TCPDOPTS="-stderrlogger 
> 
> To fix, change in share/courierctl.start, the part that says
> 	... | /bin/sed 's/\(.*\)=.*/export \1/;$a\
> to
> 	... | /bin/sed 's/\([^=]*\)=.*/export \1/;$a\

Actually I was thinking of replacing this slop. 

Can everyone verify that their bourne, bash, or korn shell uses "set -a" to 
automatically export all variables to the environment? 


-- 
Sam

Hi Sam Varshavchik!

>No.  Authentication required means exactly that: authentication is =
required.=20
>This option is intended to be used for port 587 only.=20

Maybe there is a misunderstanding:=20

Local users can send mail to any other server outside, that works.
Local users can also send to other local users on the same machine.
All users, that I have set up on that machine must authenticate before
they are allowed to send mail. (AUTH_REQUIRED=3D1).

BUT if some mailserver outside tries to connect to deliver mail that is
addressed to one of the local users, it gets rejectet with an 535-Error.
This mail server should be able to deliver to that local machine without
authentication - this is the expected behaviour.

I did not understand your comment about port 587.

How can I configure courier to accept mail for local users without
authentication?

Thanks!





Have a nice thread,
Peter

Hi.

Following the recent thread regarding fixing up the received dates on
messages transfered from another server via IMAP, I eventually came up with
this:

------------------
#!/bin/bash
for FILE in $1*; do
       DATE=`cat $FILE | reformail -x Received: -uReceived: |cut -d ';' -f2
| cut -b2-`
       if [ "$DATE" = "" ]; then
               echo Using Date: header
               DATE=`cat $FILE | reformail -x Date: -uDate:`
       fi
       echo Setting $FILE to $DATE
       touch -d"$DATE" $FILE
done
------------------

Basically, it uses reformail (great tool Sam) to extract the date and time
from the first Received: header.
If that header is not found then it uses the date: header instead (useful
for fixing messages in the Sent Items folder).
touch has no trouble at all handling the various date formats which include
time zone information :)

I don't know if it will need to fix the file name as well. Does anything,
e.g. webmail use this?

By the way, I still don't know how to forward incoming mail to an external
email addres using .mailfilter.
Any ideas?

-- 
Tim Hosking
"I thought I had a great idea today, but it never really took off. In fact,
it didn't even get on the runway. I guess you could say it exploded in the
hangar." -- Calvin and Hobbes

<html><div style='background-color:'><DIV>
<DIV><FONT face=Arial size=2>Hi, </FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I've got an error running courier mailing lists on freebsd 4.3 stable.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I setup the lists fine (I've done it on other boxes and I actually&nbsp;wrote a script that does it perfectly, so I'm pretty sure it's not in the setup) but when trying to subscribe I get my confirmation letter with a blank </FONT><FONT face=Arial size=2>"Copy of the original subscription request received:" section.&nbsp; </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>No biggie I thought.&nbsp; Then I try to reply to it, adding the "yes" to the beginning of the subject and I receive the following reply:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>"This is a delivery status notification from ~MAILSERVER,<BR>running the Courier mail server, version 0.35.0.<BR><BR>The original message was received on Thu, 02 Aug 2001 12:55:36 -0600<BR>from&nbsp;~NAME (~NAME~ [~IP~])<BR><BR>---------------------------------------------------------------------------<BR><BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; UNDELIVERABLE MAIL<BR><BR>Your message to the following recipients cannot be delivered:<BR><BR>&lt;<A href="mailto:test-subconfirm-CAAOKAINADLCIJBOFBLIEPOBOLKECBGM@...; Invalid confirmation.<BR><BR>---------------------------------------------------------------------------<BR><BR>If your message was also sent to additional recipients, their delivery<BR>status is not included in this report.&nbsp; You may or may not receive<BR>other delivery status notifications for additional recipients.<BR><BR>The original message follows as a separate attachment.<BR><BR>"</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I checked the mailing list "commands" directory and it had the following:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>file-&gt; sub.CAAOKAINADLCIJBOFBLIEPOBOLKECBGM</FONT></DIV>
<DIV><FONT face=Arial size=2>contents-&gt;</FONT></DIV>
<DIV><FONT face=Arial size=2>"<A href="mailto:sir0n@...: "Courier Mailing List Manager" &lt;<A href="mailto:test-owner@...: <A href="mailto:test-subconfirm-CAAOKAINADLCIJBOFBLIEPOBOLKECBGM@...: <A href="mailto:sir0n@...: Mailing list confirmation request.<BR>Mime-Version: 1.0<BR>Content-Type: text/plain; charset=iso-8859-1<BR>Content-Transfer-Encoding: 8bit</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>==========================================================================</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; STOP!</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>==========================================================================</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>You MUST read the following instructions in its entirety, before replying<BR>to this message!</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Hello, this is the Courier mailing list manager.&nbsp; I manage the mailing<BR>list &lt;<A href="mailto:test@...>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I received the following subscription request.&nbsp; In order to make sure that<BR>this request really came from you, you must confirm your subscription<BR>request as follows.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>* Reply to this confirmation request.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>* Before sending the reply, go to the subject of your reply message and add<BR>&nbsp; the word "yes" to the beginning of the subject.&nbsp; You MUST add the word "yes"<BR>&nbsp; to the subject of your reply message in order for the confirmation request<BR>&nbsp; to go through.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>Copy of the original subscription request received:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>====<BR>"</FONT></DIV>
<DIV><FONT face=Arial size=2>Log contents:</FONT></DIV>
<DIV><FONT face=Arial size=2>"Aug&nbsp; 2 12:55:35 axion courieresmtpd: started,ip=[~MY SERVERS IP~]<BR>Aug&nbsp; 2 12:55:36 axion courierd: newmsg,id=0020D26D.3B69A227.0000E502<BR>Aug&nbsp; 2 12:55:36 axion courierd: started,id=0020D26D.3B69A227.0000E502,from=&lt;<A href="mailto:sir0n@... href="mailto:test@...; 2 12:55:36 axion courierd: Waiting.&nbsp; shutdown time=none, wakeup time=none, queuedelivering=1, inprogress=1<BR>Aug&nbsp; 2 12:55:36 axion courierlocal: id=0020D26D.3B69A227.0000E502,from=&lt;<A href="mailto:sir0n@... href="mailto:test-subconfirm-CAAOKAINADLCIJBOFBLIEPOBOLKECBGM@...;: Invalid confirmation.<BR>Aug&nbsp; 2 12:55:36 axion courierlocal: id=0020D26D.3B69A227.0000E502,from=&lt;<A href="mailto:sir0n@... href="mailto:test-subconfirm-CAAOKAINADLCIJBOFBLIEPOBOLKECBGM@...>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>I've checked most permissions out and everything is perfect.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>So, I'm lost for ideas, please HELP!!&nbsp; Thanks in advance!!</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=Arial size=2>-Scott</FONT><BR><BR></DIV></DIV></div><br clear=all><hr>Get your FREE download of MSN Explorer at <a href='http://go.msn.com/bql/hmtag_itl_EN.asp'>http://explorer.msn.com</a><br></html>

Hi i'm a newbie to IMAP and had troubles installing courier-imap last =
night. But after doing some investigation, i was able to get it =
installed. I'm having problems however configuring it. I'm not sure =
where to find the  docs for configuring it. Are there any docs on the =
web that someone can point me to?=20

I'm using it with qmail. I've installed qmail-smtpd qmail-pop3d =
successfully and want to use courier-imap with sqwebmail as a webmail. =
Do i need anything else to make this work? Any docs that you may think =
useful will be greatly appreciated.

thanks

-anoop

>Sam Varshavchik writes:
>
>>alan milligan writes:
>>
>>>Hi,
>>>
>>>I've been looking at this over the last day or so and immediately have
>>>come upon the problem of encrypted private keys and the --no-tty option
>>>being passed via mimegpg.
>>>
>>>As an aside, just how does one decrypt a gpg private key so that no pass
>>>phrase is required?
>>
>>Don't use a passphrase.  It's a documented option.
>>
>>>More importantly, to do this in a server style environment just does not
>>>make sense!!!
>>
>>So tell us what does make sense, then.
>>
>>Perhaps you think it's a much better idea to send the passphrase, in
>>cleartext, over the network?
>>
>>>If I am a Courier user am I supposed to meekly place my decrypted private
>>>key upon a server to which anyone with root access can then effectively
>>>masquerade as myself (and not just as my Unix user)??????
>>
>>That same someone, with root access, can trivially install a trojaned
>>version of GnuPG that covertly records your passphrase, instead.
>>
>>There's a very nice looking T-shirt available for sale from Thinkgeek.  It
>>carries a logo: "Bow before me, for I am root."
>>
>>>Requiring any form of private key to be stored on the server seems to me
>>>to compromise the entire asynchronous encryption model.
>>
>>How does storing a private key on a reasonably hack-proof server is more
>>secure than transmitting your private key, or a passphrase, in cleartext
>>over the network?
>>
>>>Ideally, the encryption/decryption should be done using private key
>>>information stored upon the client machine.  Dose anyone have any
>>>thoughts about implementing this?
>>
>>Sure.  Encrypt/decrypt with GnuPG by yourself, then upload the end result
>>as a binary attachment.  The recipient can download the attachment, and
>>decrypt it with GnuPG by himself.
>>
This IS indeed the only safe solution.  The entire asynchronous encryption 
model relies upon keeping your private key secure.  I do not believe that 
placing your private key with your Courier Mail provider is a good idea for 
most people!!!!

This is indeed a similar situation to a few years ago when the NSA wanted 
everyone to register their private key with them.  If you choose to directly 
use the encryption layer with Courier you ARE potentially exposing yourself 
to similarly serious security problems.

Firstly, there is the issue of someone else being able to decrypt and read 
your emails.  But worse, they could use your private key to sign documents 
etc etc etc.  If someone is clever enough to install Courier, they can 
surely brute force your pass-phrase (who really followed the sages in choice 
of appropriate pass phrase...).

For public key encryption to work, you MUST stringently control access to 
your private key.  This means that encryption/decryption must take place on 
the client where the private key resides!  Thus I suggest encryption 
functionality within Courier is laudible but misguiged.

For PC platforms, there is NetWare Associates PGPTool suite which is a well 
integrated OpenPGP client.  Using Courier IMAP/POP to download encrypted 
mail in conjunction with this local tool is probably a good solution (I will 
hopefully test this with Courier-encrypted messages next week).  I haven't 
discovered a good GUI counterpart for Unix yet.  Both PGP and GnuPG are 
command-line interfaces.  I don't suppose anyone is up to writing a Netscape 
plug-in???




>I don't know GnuPG but I do know PGP. The chain of trust model allows you 
>to
>create a long-lived, secure, pass-phrased key on a system you trust, then
>use it to sign short-lived, less secure keys, with restricted validity 
>(e.g.
>they can't be used to sign other keys) and without a pass phrase, that can
>be used in less secure environments. Then, even if your key is compromised,
>it can be easily revoked and can't be used for too much in the mean time
>either.

The chain of trust model is part of OpenPGP and is supported by GnuPG.  
However, it is not recommended for use so you can regularly recycle your 
public key.  This is cumbersome because all old documents can only be 
decrypted to the public key they were encrypted to.  Reviewing your mail 
archive would quickly become a nightmare!

Cheers, Alan

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp