postfixadmin-tracker Mailing List for PostfixAdmin (Page 40)
Brought to you by:
christian_boltz,
gingerdog
From: SourceForge.net <no...@so...> - 2009-03-08 21:17:27
|
Patches item #2567466, was opened at 2009-02-05 08:53 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2567466&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) >Status: Closed >Resolution: Accepted Priority: 5 Private: No Submitted By: Fabio Bonelli (fabiobon) Assigned to: Nobody/Anonymous (nobody) Summary: Create alias even if there is a mailbox with that name Initial Comment: Hi, we want this in order to support keep&forward for a real mailbox, creating an alias for a mailbox that already exists. Patch against r562. ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-03-08 21:17 Message: See changeset 572. There were two typos - one missing } and an unnecessary , in some SQL. ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-03-08 21:12 Message: Hi, in the process of merging... ---------------------------------------------------------------------- Comment By: Fabio Bonelli (fabiobon) Date: 2009-02-05 12:48 Message: I reindented just the SQL queries I modified, to improve the readability. Additionally, I should mention that I didn't test it with PostgreSQL. ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-05 12:18 Message: Hi, I think you've re-indented (beautification?) some of the code; although I'm happy in principle to merge it, I'd need to test it..... can someone else let me know if the code works?
---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2567466&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-03-08 21:12:46
|
Patches item #2567466, was opened at 2009-02-05 08:53 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2567466&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: Fabio Bonelli (fabiobon) Assigned to: Nobody/Anonymous (nobody) Summary: Create alias even if there is a mailbox with that name Initial Comment: Hi, we want this in order to support keep&forward for a real mailbox, creating an alias for a mailbox that already exists. Patch against r562. ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-03-08 21:12 Message: Hi, in the process of merging... ---------------------------------------------------------------------- Comment By: Fabio Bonelli (fabiobon) Date: 2009-02-05 12:48 Message: I reindented just the SQL queries I modified, to improve the readability. Additionally, I should mention that I didn't test it with PostgreSQL. ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-05 12:18 Message: Hi, I think you've re-indented (beautification?) some of the code; although I'm happy in principle to merge it, I'd need to test it..... can someone else let me know if the code works? ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2567466&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-03-08 19:50:37
|
Patches item #2607332, was opened at 2009-02-16 23:43 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-03-08 19:50 Message: Hi, Any chance of an updated patch then? ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-25 22:17 Message: Unfortunately "works for me" doesn't mean it is good - at least from my POV. But maybe I'm too strict ;-) The patch looks much better than the previous one, but I still have some things that should be improved: a) tempfile for the password Basically a good idea, but please switch to the tmpfile() PHP function - in comparison to tempnam() it has some advantages: - no need to specify the path - might be relevant on systems with open_basedir, where /tmp is outside the allowed path. (In this case $TMPDIR has to be set as environment variable, but this is easier to do (via apache config) than a hardcoded path.) - the tempfile is automatically deleted After re-reading the code and some PHP documentation, I think that proc_open (allows two-way communication with external processes) might be the best solution. You can even catch STDERR on a separate pipe to check for error messages. See http://www.php.net/manual/en/function.proc-open.php for description and an example. (With proc_open, no tempfile will be needed.) b) error checking The only error checking you do is not to use the pipe to dovecotpw if it can't be opened. 
If opening the pipe works, you blindly read the encrypted password from the temp file (or whatever the file contains ;-) Please check that the output looks like an encrypted password - shouldn't be too hard since it has to contain "{$method}" at the beginning. Untested: if ( !preg_match('/^\{' . preg_quote($method, '/') . '\}/', $password) ) { die("can't encrypt password with dovecotpw"); } I don't really like the die() method, but the pacrypt function doesn't offer a better way to error out currently :-( Additionally the calling functions expect pacrypt to "always work" - which was not a real problem up to now because it used only PHP-internal functions. c) if (strstr($CONF['encrypt'], 'dovecot:')) -> Please ensure that the $CONF parameter _begins_ with "dovecot:" - for example by using preg_match("/^dovecot:/", $CONF['encrypt']) Besides that, I like the idea of using "method:detail" - @GingerDog: This might also be an option for authlib / $CONF['authlib_default_flavour']. d) check/validate what becomes $method Even if $method comes from $CONF['encrypt'], it may still contain an invalid value (like "dovecot:foobar") or evil characters ("dovecot:md5';rm -rf /"). There are several ways how this can be secured. I'll start with the best one. - check against an array of allowed password encryption methods. This is the most secure method, but has the disadvantage that it needs a code modification in case dovecot starts to support a new encryption method - check $method against a regular expression. preg_match("/^[a-zA-Z0-9-]+$/", $method) should do if I get the dovecot documentation right. - at least use escapeshellarg($method) if you really don't want to validate $method e) path to dovecotpw I'm quite sure "dovecotpw must be in $PATH" will cause some problems - for example the openSUSE package has dovecotpw in /usr/sbin - and therefore not in the webserver's $PATH. The only solution for this is a $CONF['dovecotpw'] = "/path/to/dovecotpw" parameter.
(If this is not set or empty, you can still default to just "dovecotpw".) Maybe it can be included in $CONF['encrypt'] - something like "dovecot:MD5:/usr/sbin/dovecotpw" would work. However, things will become complicated when we add another 5 parameters to this string *g* BTW: Feel free to include the needed config.inc.php changes in your patch. The comment should mention the most common CRYPT-METHODs for dovecot. ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-25 16:07 Message: Absolutely, it works for me. Please make sure you add # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) or something more descriptive to config.inc.php though - the patch only modifies the functions file. Greetings, Christian ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-24 20:33 Message: Christian - are you happy with this now? Can it be merged? ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 08:24 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 06:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 22:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. 
You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 01:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
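Review bot: In the added line `$password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw");` the value of $pw is interpolated into a shell command without quoting, so shell metacharacters in a password are interpreted by the shell and a password containing a space is cut short at the first word. Quote it with escapeshellarg($pw) at minimum. Passing the password through -p also places it on the command line, where it shows in the process list while dovecotpw runs; handing it to the process over a pipe avoids that.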
From: SourceForge.net <no...@so...> - 2009-03-04 12:12:44
|
Bugs item #2661366, was opened at 2009-03-04 15:12 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2661366&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Pavel Volkovitskiy (olfway) Assigned to: Nobody/Anonymous (nobody) Summary: add parameter to disable alias magic Initial Comment: not everyone needs to have alias for every mailbox, so there should be a way to disable automagically alias creating ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2661366&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-03-03 09:35:33
|
Feature Requests item #2332595, was opened at 2008-11-23 15:15 Message generated for change (Comment added) made by olfway You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937967&aid=2332595&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface Improvements (example) Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: Christian Boltz (christian_boltz) Assigned to: Nobody/Anonymous (nobody) Summary: add "show password" link for mailboxes Initial Comment: SVN r482 introduced showing passwords in edit-mailbox.php - but in a quite broken way because it relied on a browser extension to change the stars in the password field to readable text. r482 was therefore reverted. We should add this feature in a way that works for everybody. (Needless to say that this is only useful for non-encrypted passwords ;-) Some snippets and ideas from the mailing list: add a "show password" link (with a $CONF setting to enable it, default should be disabled) which displays the password somewhere (using flash_info or an alert() fed with an AJAX request) This would have some advantages: - it works in every browser and does not depend on special browser extensions - it only transfers the password on request - which reduces the risk (and number) of passwords in browser cache etc. a lot - it would easily allow to mail a notification to the user, which might be required by some people/companies for privacy or policy reasons > (So far, Postfixadmin is AJAX free, perhaps it should stay this way?) I don't want to do "big" things with AJAX.
But I don't see a problem in using something like alert($password_fetched_by_AJAX_request>) The fallback could be that the "show password" link uses flash_info for this - with the disadvantage of causing a page reload (and possibly lose changes). ---------------------------------------------------------------------- Comment By: Pavel Volkovitskiy (olfway) Date: 2009-03-03 12:35 Message: why would you open edit-mailbox if you don't want to change name/password? so user should be notified if someone open it mailbox in edit mode if you care about security you should use https to avoid passwords sniffing also i'm not sure that you can copy password from js alert box the real issue was only missing check if password stored in clear text or not also, you can't always change password for user b/c then you will have to change settings on every users pc/gadget ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937967&aid=2332595&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-27 20:03:39
|
Bugs item #2646447, was opened at 2009-02-27 23:03 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2646447&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Pavel Volkovitskiy (olfway) Assigned to: Nobody/Anonymous (nobody) Summary: show admin's password too Initial Comment: if $CONF['show_password'] == "YES" then show admin's password too PS: there is extension for FF "Unhide Passwords" so passwords will be in "****" form until you clicked on password field ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2646447&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-26 23:03:09
|
Bugs item #2613791, was opened at 2009-02-18 20:56 Message generated for change (Settings changed) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Closed Resolution: Fixed Priority: 5 Private: No Submitted By: Reiner Keller (reiner030) Assigned to: Nobody/Anonymous (nobody) Summary: Creating new backup MX domain uses default values Initial Comment: when a new domain is created the values $CONF['aliases'], $CONF['mailboxes'] and $CONF['maxquota'] were used even when I write other values in the fields. When editing the domain, changes take effect. ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-27 00:02 Message: If I got the commit message right, the initially reported problem should be fixed in SVN r569. However, some testing showed that this bug covers more files: - edit-domain.php resets the values to -1 - list-virtual hides the "create alias" / "create mailbox" links I fixed these two files (SVN r571). I hope that now all related bugs are fixed - in case I overlooked something, please reopen this tracker item. ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-24 21:28 Message: Hi, Thanks - yes... this only happens if you ask the domain to be a backupmx. See forum thread - https://sourceforge.net/forum/forum.php?thread_id=2897067&forum_id=676076 ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-18 21:34 Message: What version is this against? 2.3beta? svn? 2.2.1?
---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-26 23:02:46
|
Bugs item #2613791, was opened at 2009-02-18 20:56 Message generated for change (Comment added) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: Reiner Keller (reiner030) Assigned to: Nobody/Anonymous (nobody) >Summary: Creating new backup MX domain uses default values Initial Comment: when a new domain is created the values $CONF['aliases'], $CONF['mailboxes'] and $CONF['maxquota'] were used even when I write other values in the fields. When editing the domain, changes take effect. ---------------------------------------------------------------------- >Comment By: Christian Boltz (christian_boltz) Date: 2009-02-27 00:02 Message: If I got the commit message right, the initially reported problem should be fixed in SVN r569. However, some testing showed that this bug covers more files: - edit-domain.php resets the values to -1 - list-virtual hides the "create alias" / "create mailbox" links I fixed these two files (SVN r571). I hope that now all related bugs are fixed - in case I overlooked something, please reopen this tracker item. ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-24 21:28 Message: Hi, Thanks - yes... this only happens if you ask the domain to be a backupmx. See forum thread - https://sourceforge.net/forum/forum.php?thread_id=2897067&forum_id=676076 ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-18 21:34 Message: What version is this against? 2.3beta? svn? 2.2.1?
---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-26 22:37:20
|
Bugs item #2641660, was opened at 2009-02-26 14:12 Message generated for change (Settings changed) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface (example) Group: v 2.3 Status: Closed Resolution: Fixed Priority: 5 Private: No Submitted By: Dystopian (dystopian) Assigned to: Nobody/Anonymous (nobody) Summary: Incorrect encoding in broadcast message "subject" and "from" Initial Comment: If PHP setting mbstring.internal_encoding is not set to "UTF-8" (it is commented by default), broadcast message "subject" and "from" will be broken if they are not in English. Universal solution is in broadcast-message.php: place mb_internal_encoding("UTF-8"); before $b_name = mb_encode_mimeheader( $_POST['name'], 'UTF-8'); $b_subject = mb_encode_mimeheader( $_POST['subject'], 'UTF-8'); ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-26 23:36 Message: Fixed in SVN r570. Thanks for your bugreport! ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-26 22:37:02
|
Bugs item #2641660, was opened at 2009-02-26 14:12 Message generated for change (Comment added) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface (example) Group: v 2.3 >Status: Closed >Resolution: Fixed Priority: 5 Private: No Submitted By: Dystopian (dystopian) Assigned to: Nobody/Anonymous (nobody) Summary: Incorrect encoding in broadcast message "subject" and "from" Initial Comment: If PHP setting mbstring.internal_encoding is not set to "UTF-8" (it is commented by default), broadcast message "subject" and "from" will be broken if they are not in English. Universal solution is in broadcast-message.php: place mb_internal_encoding("UTF-8"); before $b_name = mb_encode_mimeheader( $_POST['name'], 'UTF-8'); $b_subject = mb_encode_mimeheader( $_POST['subject'], 'UTF-8'); ---------------------------------------------------------------------- >Comment By: Christian Boltz (christian_boltz) Date: 2009-02-26 23:36 Message: Fixed in SVN r570. Thanks for your bugreport! ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-26 13:12:58
|
Bugs item #2641660, was opened at 2009-02-26 16:12 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Interface (example) Group: v 2.3 Status: Open Resolution: None Priority: 5 Private: No Submitted By: Dystopian (dystopian) Assigned to: Nobody/Anonymous (nobody) Summary: Incorrect encoding in broadcast message "subject" and "from" Initial Comment: If PHP setting mbstring.internal_encoding is not set to "UTF-8" (it is commented by default), broadcast message "subject" and "from" will be broken if they are not in English. Universal solution is in broadcast-message.php: place mb_internal_encoding("UTF-8"); before $b_name = mb_encode_mimeheader( $_POST['name'], 'UTF-8'); $b_subject = mb_encode_mimeheader( $_POST['subject'], 'UTF-8'); ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2641660&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-25 23:32:36
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: Christian Boltz (christian_boltz) Date: 2009-02-25 23:17 Message: Unfortunately "works for me" doesn't mean it is good - at least from my POV. But maybe I'm too strict ;-) The patch looks much better than the previous one, but I still have some things that should be improved: a) tempfile for the password Basically a good idea, but please switch to the tmpfile() PHP function - in comparison to tempnam() it has some advantages: - no need to specify the path - might be relevant on systems with open_basedir, where /tmp is outside the allowed path. (In this case $TMPDIR has to be set as environment variable, but this is easier to do (via apache config) than a hardcoded path.) - the tempfile is automatically deleted After re-reading the code and some PHP documentation, I think that proc_open (allows two-way communication with external processes) might be the best solution. You can even catch STDERR on a separate pipe to check for error messages. See http://www.php.net/manual/en/function.proc-open.php for description and an example. (With proc_open, no tempfile will be needed.) b) error checking The only error checking you do is not to use the pipe to dovecotpw if it can't be opened. If opening the pipe works, you blindly read the encrypted password from the temp file (or whatever the file contains ;-) Please check that the output looks like an encrypted password - shouldn't be too hard since it has to contain "{$method}" at the beginning. 
Untested: if ( !preg_match('/^\{' . preg_quote($method, '/') . '\}/', $password) ) { die("can't encrypt password with dovecotpw"); } I don't really like the die() method, but the pacrypt function doesn't offer a better way to error out currently :-( Additionally the calling functions expect pacrypt to "always work" - which was not a real problem up to now because it used only PHP-internal functions. c) if (strstr($CONF['encrypt'], 'dovecot:')) -> Please ensure that the $CONF parameter _begins_ with "dovecot:" - for example by using preg_match("/^dovecot:/", $CONF['encrypt']) Besides that, I like the idea of using "method:detail" - @GingerDog: This might also be an option for authlib / $CONF['authlib_default_flavour']. d) check/validate what becomes $method Even if $method comes from $CONF['encrypt'], it may still contain an invalid value (like "dovecot:foobar") or evil characters ("dovecot:md5';rm -rf /"). There are several ways how this can be secured. I'll start with the best one. - check against an array of allowed password encryption methods. This is the most secure method, but has the disadvantage that it needs a code modification in case dovecot starts to support a new encryption method - check $method against a regular expression. preg_match("/^[a-zA-Z0-9-]+$/", $method) should do if I get the dovecot documentation right. - at least use escapeshellarg($method) if you really don't want to validate $method e) path to dovecotpw I'm quite sure "dovecotpw must be in $PATH" will cause some problems - for example the openSUSE package has dovecotpw in /usr/sbin - and therefore not in the webserver's $PATH. The only solution for this is a $CONF['dovecotpw'] = "/path/to/dovecotpw" parameter. (If this is not set or empty, you can still default to just "dovecotpw".) Maybe it can be included in $CONF['encrypt'] - something like "dovecot:MD5:/usr/sbin/dovecotpw" would work.
However, things will become complicated when we add another 5 parameters to this string *g* BTW: Feel free to include the needed config.inc.php changes in your patch. The comment should mention the most common CRYPT-METHODs for dovecot. ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-25 17:07 Message: Absolutely, it works for me. Please make sure you add # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) or something more descriptive to config.inc.php though - the patch only modifies the functions file. Greetings, Christian ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-24 21:33 Message: Christian - are you happy with this now? Can it be merged? ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 09:24 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 07:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. 
You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
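The review points a) to e) from the comments above, combined into one sketch. This is an added example, not PostfixAdmin's code or the submitted patch: the function names, the scheme allow-list and the `$binary` parameter are hypothetical, and it assumes that dovecotpw, when run without `-p`, reads the password and its confirmation as two lines on stdin.

```php
<?php
// Added example, not PostfixAdmin code. Function names and the allow-list are hypothetical.

// Constructed allow-list of schemes accepted after the "dovecot:" prefix;
// adjust it to what the installed dovecotpw supports.
const DOVECOT_SCHEMES = ['CRAM-MD5', 'SSHA', 'MD5-CRYPT'];

/**
 * Extract the scheme from an encrypt setting such as "dovecot:CRAM-MD5".
 * Returns null unless the value begins with "dovecot:" and names an allowed scheme.
 */
function dovecot_scheme_from_config($encrypt)
{
    // Anchored at both ends (\z, not $, so a trailing newline is not tolerated).
    if (!preg_match('/^dovecot:([A-Za-z0-9-]+)\z/', $encrypt, $m)) {
        return null;
    }
    $scheme = strtoupper($m[1]);
    return in_array($scheme, DOVECOT_SCHEMES, true) ? $scheme : null;
}

/**
 * Hash $pw with dovecotpw without putting the password on the command line.
 * $binary plays the role of the $CONF['dovecotpw'] path suggested in the review.
 * Throws RuntimeException if the tool is missing, fails, or prints unexpected output.
 */
function dovecotpw_hash($pw, $scheme, $binary = 'dovecotpw')
{
    if (!in_array($scheme, DOVECOT_SCHEMES, true)) {
        throw new InvalidArgumentException('unsupported scheme');
    }
    // The password travels as one line on stdin, so it cannot contain line breaks or NUL.
    if ($pw === '' || preg_match('/[\r\n\0]/', $pw)) {
        throw new InvalidArgumentException('password is empty or contains control characters');
    }

    // Only the binary path and the validated scheme reach the shell, both quoted.
    $cmd  = escapeshellarg($binary) . ' -s ' . escapeshellarg($scheme);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $binary);
    }

    // Assumption: without -p, dovecotpw asks for the password twice and reads both from stdin.
    // @ hides the broken-pipe notice when the process has already exited (binary not found).
    @fwrite($pipes[0], $pw . "\n" . $pw . "\n");
    fclose($pipes[0]);
    $out = trim(stream_get_contents($pipes[1]));
    $err = trim(stream_get_contents($pipes[2]));
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);

    // Accept the result only if the tool exited cleanly and the output carries the scheme tag.
    $tag = '{' . $scheme . '}';
    if ($status !== 0 || strncmp($out, $tag, strlen($tag)) !== 0) {
        throw new RuntimeException("dovecotpw failed (exit $status): $err");
    }
    return substr($out, strlen($tag)); // stored without the tag, as in the submitted patch
}

// Constructed settings; the last two are the invalid values quoted in the review comment.
$settings = ['dovecot:CRAM-MD5', 'xdovecot:CRAM-MD5', 'dovecot:foobar', "dovecot:md5';rm -rf /"];
foreach ($settings as $setting) {
    $scheme = dovecot_scheme_from_config($setting);
    printf("%-24s => %s\n", $setting, $scheme === null ? 'rejected' : $scheme);
}

try {
    echo dovecotpw_hash('constructed-sample-pw', 'CRAM-MD5'), "\n";
} catch (RuntimeException $e) {
    // Reached when dovecotpw is not installed or not in the web server's PATH.
    echo 'error: ', $e->getMessage(), "\n";
}
```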
From: SourceForge.net <no...@so...> - 2009-02-25 16:07:41
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by trendypack You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: cmuelle8 (trendypack) Date: 2009-02-25 17:07 Message: Absolutely, it works for me. Please make sure you add # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) or something more descriptive to config.inc.php though - the patch only modifies the functions file. Greetings, Christian ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-24 21:33 Message: Christian - are you happy with this now? Can it be merged? ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 09:24 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 07:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. 
You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
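Review bot: $pw is interpolated unquoted into the shell_exec() command string in the added cram-md5 branch, so any shell metacharacter in a user's password is interpreted by the shell; at minimum wrap it in escapeshellarg(), and better, keep the password off the command line entirely (a -p argument is visible in the process list while dovecotpw runs) by feeding it over a pipe. The return value is also used unchecked: shell_exec() yields no usable output when dovecotpw is missing or fails, and trim(str_replace('{CRAM-MD5}', '', $password)) then produces an empty string that would be stored as the password hash, so the branch should confirm that the output starts with {CRAM-MD5} before stripping it and fail otherwise.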
From: SourceForge.net <no...@so...> - 2009-02-24 20:33:52
|
Patches item #2607332, was opened at 2009-02-16 23:43 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-02-24 20:33 Message: Christian - are you happy with this now? Can it be merged? ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 08:24 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 06:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 22:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) 
As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 01:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-24 20:29:01
|
Bugs item #2613791, was opened at 2009-02-18 19:56 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Reiner Keller (reiner030) Assigned to: Nobody/Anonymous (nobody) Summary: Creating new domain uses default values Initial Comment: when a new domain is created the values $CONF['aliases'], $CONF['mailboxes'] and $CONF['maxquota'] were used even when I write other values in the fields. When editing the domain changes take effect. ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-02-24 20:28 Message: Hi, Thanks - yes... this only happens if you ask the domain to be a backupmx. See forum thread - https://sourceforge.net/forum/forum.php?thread_id=2897067&forum_id=676076 ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-18 20:34 Message: What version is this against? 2.3beta? svn? 2.2.1? ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-19 11:04:12
|
Bugs item #2605817, was opened at 2009-02-16 15:50 Message generated for change (Comment added) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2605817&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Vacation Group: None >Status: Pending Resolution: None Priority: 5 Private: No Submitted By: Henrique Bueno (henriquebueno) Assigned to: Nobody/Anonymous (nobody) Summary: problem to send auto-reply - function do_mail Initial Comment: the var $orig_to sometimes was wrong value, ex: $orig_to= KF5X00$E00913775B96D4FF419472648EEE6670@multidominios instead of $orig_to=lop...@te... Solution: do_mail ($orig_to, $orig_from, $row[0], $row[1]); alter to do_mail ($email, $orig_from, $row[0], $row[1]); on line 163 ---------------------------------------------------------------------- >Comment By: Christian Boltz (christian_boltz) Date: 2009-02-19 12:04 Message: I grepped the current SVN version for do_mail and found nothing. Searching in older versions brings up the old MySQL-only vacation.pl, which had a function named do_mail. Henrique, you are most probably using an old version. Please upgrade to the latest version of Postfixadmin (2.3 beta or SVN) and test again. Does this fix your problem? ---------------------------------------------------------------------- Comment By: GingerDog (gingerdog) Date: 2009-02-18 21:35 Message: Hi, Which file is this in reference to? ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2605817&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 20:41:21
|
Bugs item #2046389, was opened at 2008-08-11 12:40 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2046389&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 4 Private: No Submitted By: Christian Boltz (christian_boltz) Assigned to: Nobody/Anonymous (nobody) Summary: encode_header() does not break overlong header lines Initial Comment: SVN r442 (history: encode_header() is mostly from r1 and was changed slightly in r21) encode_header() in functions.inc.php needs some fixes: - it does not add linebreaks in overlong headers, but "just" inserts end-of-encoding markers - it ends the encoding in the middle of a word if it hits the length limit, so just adding \n\t won't work Oh, and the function is not really easy to understand, rewriting it from scratch in a simpler way might be an option. See also http://php.net/mb-encode-mimeheader - the comments include some functions that do something like encode_header. (Using PHP's mb_encode_header is not an option - it adds linebreaks in the middle of a word.) ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-02-18 20:41 Message: I think we should use e.g. Pear::Mail or Zend_Mail - this would solve this problem, and also allow us to remove the raw SMTP stuff too... Only problem is another dependency... ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2046389&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 20:35:40
|
Bugs item #2605817, was opened at 2009-02-16 14:50 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2605817&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Vacation Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Henrique Bueno (henriquebueno) Assigned to: Nobody/Anonymous (nobody) Summary: problem to send auto-reply - function do_mail Initial Comment: the var $orig_to sometimes was wrong value, ex: $orig_to= KF5X00$E00913775B96D4FF419472648EEE6670@multidominios instead of $orig_to=lop...@te... Solution: do_mail ($orig_to, $orig_from, $row[0], $row[1]); alter to do_mail ($email, $orig_from, $row[0], $row[1]); on line 163 ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-02-18 20:35 Message: Hi, Which file is this in reference to? ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2605817&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 20:34:04
|
Bugs item #2613791, was opened at 2009-02-18 19:56 Message generated for change (Comment added) made by gingerdog You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Reiner Keller (reiner030) Assigned to: Nobody/Anonymous (nobody) Summary: Creating new domain uses default values Initial Comment: when a new domain is created the values $CONF['aliases'], $CONF['mailboxes'] and $CONF['maxquota'] were used even when I write other values in the fields. When editing the domain changes take effect. ---------------------------------------------------------------------- >Comment By: GingerDog (gingerdog) Date: 2009-02-18 20:34 Message: What version is this against? 2.3beta? svn? 2.2.1? ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 19:56:49
|
Bugs item #2613791, was opened at 2009-02-18 20:56 Message generated for change (Tracker Item Submitted) made by Item Submitter You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: None Status: Open Resolution: None Priority: 5 Private: No Submitted By: Reiner Keller (reiner030) Assigned to: Nobody/Anonymous (nobody) Summary: Creating new domain uses default values Initial Comment: when a new domain is created the values $CONF['aliases'], $CONF['mailboxes'] and $CONF['maxquota'] were used even when I write other values in the fields. When editing the domain changes take effect. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937964&aid=2613791&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 08:24:19
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by trendypack You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: cmuelle8 (trendypack) Date: 2009-02-18 09:24 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 07:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. 
For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 06:58:51
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Settings changed) made by trendypack You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) >Summary: add dovecotpw encrypt support option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-18 07:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. 
For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-18 06:58:15
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by trendypack You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add CRAM-MD5 encrypt option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: cmuelle8 (trendypack) Date: 2009-02-18 07:58 Message: alright, here's a revised patch.. hopefully this will do - as this is not the default in config.inc.php anyway, a note along the other encrypt methods will probably do: # dovecot:CRYPT-METHOD => use dovecotpw -s 'CRYPT-METHOD' (needs to be in PATH) best wishes, cmuelle8 (Christian Müller) File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. 
For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
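Review bot: In the added `cram-md5` branch, `$pw` is interpolated unescaped into the `shell_exec()` command string, so any shell metacharacters in a password are interpreted by the shell; pass it as `escapeshellarg($pw)` at minimum. The `-p $pw` form also puts the cleartext password into dovecotpw's argument list, where it is readable in the process list while the command runs. The return value is never checked: `shell_exec()` returns NULL when an error occurs or the command produces no output, and `trim(str_replace(...))` then yields an empty `$password`, so the branch should verify that the output starts with `{CRAM-MD5}` and that a non-empty hash remains, and fail otherwise. The new `'cram-md5'` value for `$CONF['encrypt']` also needs a comment in config.inc.php next to the other encrypt options.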
From: SourceForge.net <no...@so...> - 2009-02-17 23:12:03
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by christian_boltz You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add CRAM-MD5 encrypt option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: Christian Boltz (christian_boltz) Date: 2009-02-17 23:54 Message: Thanks for your patch! However, I see some problems with it: a) the password should be quoted/escaped/whatever before using it in the command line. You'll understand what I mean when somebody uses "topsecret ; rm -rf /" as his password *g* Hint: use escapeshellarg($pw) b) I don't really like that an external program is called with the password as parameter (which will be visible for a short time in the process list). c) no error checking (what happens if dovecotpw is not installed or not in $PATH?) As you can see: things aren't that easy once you start calling external programs ;-) Unfortunately dovecotpw isn't easy to "emulate" in PHP, so calling dovecotpw might be the easiest option, even with the described disadvantages. For some information about "emulating" dovecotpw, see http://markmail.org/message/ug4mfvulgsajg3wk#query:dovecotpw%20php+page:1+mid:snbusk5sempgouyb+state:results http://www.scconsult.com/bill/crampass.pl http://www.dovecot.org/list/dovecot/2007-March/020889.html ---------------------------------------------------------------------- Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |
From: SourceForge.net <no...@so...> - 2009-02-17 01:02:33
|
Patches item #2607332, was opened at 2009-02-17 00:43 Message generated for change (Comment added) made by trendypack You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Core Group: SVN (please specify revision!) Status: Open Resolution: None Priority: 5 Private: No Submitted By: cmuelle8 (trendypack) Assigned to: Nobody/Anonymous (nobody) Summary: add CRAM-MD5 encrypt option for dovecot users Initial Comment: Hi, please apply the following patch to functions.inc.php. Background: I don't want to store the pws plain. Auth mechanisms supported in dovecot: plain login cram-md5 digest-md5 (crypt-md5 is not supported as an auth mechanism, look at http://wiki.dovecot.org/Authentication/Mechanisms and ). I'm aware that using PLAIN or LOGIN over SSL is a viable option (in this case dovecot does PLAIN to MD5-CRYPT and compares). However, in a non-ssl scenario PLAIN and LOGIN are a bad option and disabled by default in dovecot. Using CRAM-MD5 or DIGEST-MD5 is possible, but then the passwords have to be in CRAM-MD5 format as well (since dovecot can't do CRAM-MD5 to MD5-CRYPT, obviously). The patch below makes this an option for dovecot users. A hint in config.inc.php will probably also be needed (along the comment lines for the other authentication methods). Greetings, cmuelle8 --- functions.inc.php.orig 2009-02-17 00:06:37.000000000 +0100 +++ functions.inc.php.cram-md5 2009-02-17 00:00:23.000000000 +0100 
@@ -1126,6 +1126,11 @@ $password = md5($pw); } + if ($CONF['encrypt'] == 'cram-md5') { + $password = shell_exec("dovecotpw -s CRAM-MD5 -p $pw"); + $password = trim(str_replace('{CRAM-MD5}', '', $password)); + } + if ($CONF['encrypt'] == 'system') { if (ereg ("\$1\$", $pw_db)) { $split_salt = preg_split ('/\$/', $pw_db); ---------------------------------------------------------------------- >Comment By: cmuelle8 (trendypack) Date: 2009-02-17 02:02 Message: File Added: postfixadmin.functions.patch ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=937966&aid=2607332&group_id=191583 |