My reason for wanting to change to encrypted passwords is that if someone
managed to get into my MySQL database they'd be able to read the
passwords to my email and COULD try to use that information to break into
more things.
I gave it a try in phpmyadmin to modify an existing row in the MySQL
database - I cut the plaintext out of the plaintext-password field,
pasted it into the encrypted-password field and set the function to
"ENCRYPT" from the dropdown list.
The account was still able to log in to Courier-IMAP and it's only got
an encrypted password.
Having been successful with one, I proceeded to do the same for the rest
of the addresses with passwords set (5 in total) - I've set Courier to
require a password when you try to log in, so I have set up a LOT of
"virtual"/"alias" addresses in the database which receive mail and dump
it in the same location as the "primary" address.
And when I check the database table, I see encrypted passwords only. :)
Bernd Wurst wrote:
> Hi.
>
> On Friday, 15 February 2008, Gordon Messmer wrote:
>
>> Having the plain text password allows you to use the CRAM-*
>> authentication methods, which may offer additional security. In any
>> case, it allows for more flexible authentication options, and I wouldn't
>> be too quick to give that up.
>>
>
> Let me hook in here. CRAM would be able to offer with an intermediate hash
> value computed when the user sets his password. I don't know the backgrounds
> here, but when reading about SASL v1.5, they talk about such things.
>
> Would this behaviour be possible to achieve with courier? Is it planned?
>
>
>
>>> a) What function does the authmysql module use to encrypt the password
>>> that the client provides?
>>>
>> I don't think that it does. As far as I know, you need to use the
>> system's crypt() function.
>>
>
> I don't know which types of hashing are supported, but I use salted-MD5 as
> unix shadow-passwords use.
> They can be created by several programming languages but not by MySQL itself.
>
>
>
>>> b) Is it just a matter of using something like phpmyadmin to dump the
>>> clear passwords in to the encrypted password fields via the function in
>>> answer a)?
>>>
>> No.
>>
>
> But it can be done by a script (python, perl, PHP, ...) that iterates over all
> accounts and transforms passwords.
>
> cu, Bernd
>
>
> _______________________________________________
> courier-users mailing list
> courier-users@...
> Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
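Bernd's suggestion of a script that walks the account table and replaces each clear password with a salted-MD5 crypt() hash, as an added example that is neither from this thread nor from Courier's own tools. It assumes a table with `clear` and `crypt` columns and uses a constructed in-memory SQLite table as a stand-in for the MySQL one; `md5_crypt` is the standard `$1$` algorithm, and `check` shows what authmysql effectively does with the stored hash.

```python
import hashlib
import secrets
import sqlite3

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Salted MD5 in the crypt(3) '$1$' format that Unix shadow files use."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw), 0, -16):               # fold in the alternate sum
        ctx.update(alt[:min(16, i)])
    for bit in reversed(bin(len(pw))[2:]):         # one byte per bit of the length, LSB first
        ctx.update(b"\0" if bit == "1" else pw[:1])
    final = ctx.digest()
    for i in range(1000):                          # fixed 1000-round stretching
        r = hashlib.md5(pw if i & 1 else final)
        if i % 3: r.update(salt)
        if i % 7: r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        out += "".join(chr(ITOA64[(v >> (6 * k)) & 0x3F]) for k in range(4))
    out += "".join(chr(ITOA64[(final[11] >> (6 * k)) & 0x3F]) for k in range(2))
    return "$1$" + salt.decode() + "$" + out

def check(stored: str, candidate: str) -> bool:
    """What authmysql effectively does: crypt the candidate with the stored salt, compare."""
    return secrets.compare_digest(md5_crypt(candidate, stored.split("$")[2]), stored)

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the MySQL table that authmysql reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE passwd (id INTEGER PRIMARY KEY, clear TEXT, crypt TEXT)")
    conn.executemany("INSERT INTO passwd (clear) VALUES (?)", [("correct horse",), ("hunter2",)])
    return conn

def migrate(conn: sqlite3.Connection) -> int:
    """Hash each clear password with a fresh random salt, then blank the clear column."""
    n = 0
    for uid, clear in conn.execute("SELECT id, clear FROM passwd WHERE clear IS NOT NULL").fetchall():
        salt = "".join(chr(ITOA64[b & 0x3F]) for b in secrets.token_bytes(8))
        conn.execute("UPDATE passwd SET crypt = ?, clear = NULL WHERE id = ?", (md5_crypt(clear, salt), uid))
        n += 1
    conn.commit()
    return n
```

MySQL's ENCRYPT(), the function offered in the phpMyAdmin dropdown, passes the value to the system crypt() with a two-character salt, which gives traditional DES crypt and silently keeps only the first eight characters of the password; the `$1$` form has no such limit.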