February 15, 2021 Roberto Puzzanghera 35 comments
Those who are still using the vpopmail auth driver should consider a migration to another backend, as on January 4, 2021 dovecot-2.3.13 was released and the vpopmail auth driver removed (more info here).
I'll show below how to support domain aliases with the sql driver. You can find how to set up the driver on this page. A short reference to the vconvert program is presented toward the bottom of this page, in case one is planning to switch to sql.
If you browse the comments below you'll find some other nice solutions to replace the
- Tyler Simkin posted his auth.lua file
- Laurent Bercot posted a solution based on passwd-file driver
- Pablo Murillo improved the sql password_query to work with one table for each domain
- erdgeist showed how to convert cdb accounts to postgres
As some commenters have already pointed out, switching to dovecot's sql auth can be painful if one has domain aliases. I will show below how to make dovecot aware of the aliasdomains, so that a user who tries to log in with a domain alias can pass the authentication.
The idea is to save the alias/domain pairs in a new "aliasdomains" MySQL table and modify the sql query in order to select the user's domain from this table in case the domain is an alias or from the vpopmail table otherwise. For example:
MariaDB [vpopmail]> SELECT * FROM aliasdomains;
+----------------------+----------------------+
| alias                | domain               |
+----------------------+----------------------+
| alias.net            | domain.net           |
+----------------------+----------------------+
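The lookup described above, as an added example that is not the author's own password_query or patch: the login domain is replaced by the real domain when it appears in aliasdomains and is used unchanged otherwise, so no real_domain/real_domain row is needed. An in-memory SQLite database stands in for MySQL; the vpopmail column names (pw_name, pw_domain, pw_passwd), the sample account and the helper names are assumptions.

```python
import sqlite3

# Constructed sample data; SQLite stands in for MySQL/MariaDB.
# Column names pw_name/pw_domain/pw_passwd are assumed for this sketch.
SCHEMA = """
CREATE TABLE vpopmail (pw_name TEXT, pw_domain TEXT, pw_passwd TEXT,
                       PRIMARY KEY (pw_name, pw_domain));
CREATE TABLE aliasdomains (alias TEXT PRIMARY KEY, domain TEXT NOT NULL);
INSERT INTO vpopmail VALUES ('bob', 'domain.net', '$1$constructed$hash');
INSERT INTO aliasdomains VALUES ('alias.net', 'domain.net');
"""

# If the login domain is an alias, take the real domain from aliasdomains;
# otherwise fall back to the login domain itself.
LOOKUP = """
SELECT v.pw_name || '@' || v.pw_domain AS user, v.pw_passwd AS password
FROM vpopmail AS v
WHERE v.pw_name = :n
  AND v.pw_domain = COALESCE(
        (SELECT a.domain FROM aliasdomains AS a WHERE a.alias = :d), :d)
"""

def open_db():
    """Create the in-memory database with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def lookup(db, login):
    """Return (canonical_user, password_hash), or None if no account matches."""
    name, sep, domain = login.rpartition("@")
    if not sep or not name or not domain:
        return None  # reject logins without a user part or a domain part
    # Bound parameters: the login string never becomes part of the SQL text.
    return db.execute(LOOKUP, {"n": name.lower(), "d": domain.lower()}).fetchone()

if __name__ == "__main__":
    db = open_db()
    for login in ("bob@domain.net", "bob@alias.net", "bob@other.net", "eve@alias.net"):
        print(login, "->", lookup(db, login))
```

The alias login resolves to the canonical bob@domain.net account, while an unknown domain or an unknown user under the alias returns no row and therefore fails authentication.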
vpopmail patch will transparently do the sql stuff when creating/deleting the alias in the usual way by means of the
NB: if you are testing this solution, I would be glad if you give me a feedback by means of a comment below, so that I can speed up its introduction in the installation guide.
- February 15, 2021
- fix in the configure file. An autoreconf is needed as I modified the configure.in and Makefile.am files
- February 10, 2021
- a C program vsavealiasdomains can now save all the existing domain aliases to MySQL. It can be useful in case of migrations to the dovecot's sql auth driver.
- Feb 5, 2021
- The patch has been improved: the sql-aliasdomains stuff is now done by means of the vpopmail's C programs and functions.
- Feb 3, 2021
- new patch and script released. Just configure --enable-sql-aliasdomains (default) and forget. The dbtable will be created the first time you will create an
- Jan 18, 2021
- now everything is inside a vpopmail patch. The aliasdomain sql records will be created/deleted transparently when using vaddaliasdomain/vdeldomain in the usual way, provided that you have created the aliasdomains dbtable
- Jan 17, 2021
- I modified the dovecot's sql query so that a pair real_domain/real_domain is not needed anymore in the dbtable
- Jan 13, 2021
- added support for sql aliasdomains
January 29, 2021 Roberto Puzzanghera 65 comments
- Download my dovecot's config files
- January 29, 2021
- auth-sql.conf.ext now uses the userdb's prefetch driver in order to perform one single query when doing the auth
- dovecot-sql.conf.ext has been modified to allow authentication both with real and alias domains, provided that you patched vpopmail accordingly. More info in this page.
- the iterate_query in the sql driver now extracts the "user" field (was "username") as required by the docs.
- Info: http://www.dovecot.org/
- Documentation: http://wiki2.dovecot.org
- Mail Server overview: http://wiki2.dovecot.org/MailServerOverview
- Download: http://www.dovecot.org/releases/2.3/
- Version: dovecot-2.3.13
Dovecot is an open source IMAP and POP3 email server for Linux/UNIX-like systems, written with security primarily in mind. Dovecot is an excellent choice for both small and large installations. It's fast, simple to set up, requires no special administration and it uses very little memory.
December 4, 2020 Roberto Puzzanghera 289 comments
The complete changelog and patch info are inside the README.PATCH file.
received.c: some adjustments to compile with gcc-10 (diff here)
-dk-filter: corrected a bug where dk-filter was using DKIMDOMAIN unconditionally. Now it uses DKIMDOMAIN only if _SENDER is null (tx Manvendra Bhangui).
-added a fix for CVE-2005-2513 (tx C)
-qmail-smtpd.c: added rcptcount = 0; in smtp_rset function to prevent the maxrcpto error if control/maxrcpt limit has been exceeded in multiple messages sent sequentially rather than in a single mail (tx Alexandre Fonceca)
-qmail-remote-logging patch added (more info here)
-DKIM patch updated to v. 1.28
* outgoing messages from null sender ("<>") will be signed as well with the domain in env variable DKIMDOMAIN
* declaring NODK env variable disables old domainkeys signature, while defining NODKIM disables DKIM.
-qmail-tls patch updated to v. 20200107
* working client cert authentication with TLSv1.3
-BUG qmail-smtpd.c: now TLS is defined before chkuser.h call, to avoid errors on closing the db connection (tx ChangHo.Na)
- a couple of adjustments to chkuser (tx Luca Franceschini, more info here)
* BUG - since any other definition of starting_string ends up as "DOMAIN", if starting_string is otherwise defined, chkuser will be turned off.
* CHKUSER_ENABLE_ALIAS_DEFAULT, CHKUSER_VAUTH_OPEN_CALL and CHKUSER_DISABLE_VARIABLE are now defined in chkuser_settings.h
* Now CHKUSER_DISABLE_VARIABLE, CHKUSER_SENDER_NOCHECK_VARIABLE, CHKUSER_SENDER_FORMAT_NOCHECK, CHKUSER_RCPT_FORMAT_NOCHECK and CHKUSER_RCPT_MX_NOCHECK can be defined at runtime level as well.
- qmail-channels patch added
more info here http://www.thesmbexchange.com/eng/qmail-channels_patch.html
- improved verbosity of die_read function in qmail-smtpd.c (qmail-smtpd: read failure). More info here
November 18, 2020 Roberto Puzzanghera 25 comments
- Info: http://spamassassin.apache.org/
- Docs: http://spamassassin.apache.org/full/3.4.x/doc/
- Latest version: 3.4.4
- Download: http://spamassassin.apache.org/downloads.cgi
SpamAssassin is a mature, widely-deployed open source project that serves as a mail filter to identify Spam. SpamAssassin uses a variety of mechanisms including header and text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases. SpamAssassin runs on a server, and filters spam before it reaches your mailbox.
- Nov 18 2020
- solved some privilege problems with the reports of the RC's markasjunk plugin, which is going to write inside the log dir and read the razor's identity file.
- moved all log files into /var/log/spamassassin (apache group now has +w priv). spamdctl and logrotate scripts modified accordingly
- Jul 15 2020
Spamcop configuration (thanks to Gabriel Torres for the hint).
October 30, 2020 Roberto Puzzanghera 0 comments
- More info here
The clamav-unofficial-sigs script provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, urlhaus, etc. The script will also generate and install cron, logrotate, and man files.
October 24, 2020 Roberto Puzzanghera 0 comments
- OpenBoard home page
- Download the patch
- Github discussion
- Willy Sudiarto's SlackBuild (for Slackware users)
These days I'm forced again to give lessons remotely. My school asked me to refer to Google Meet for the videoconferences and one thing I disliked was the Jam interactive whiteboard, which is completely inadequate for scientific subjects. On the other hand OpenBoard, my favourite board tool that I successfully use with Zoom, seemed not to be recognized as an application to be shared, because it runs fullscreen.
After some googling I found a patch from this guy (a big thank you for his work!) which forces OpenBoard to run in a window, but at the cost of passing a variable at compilation time. I modified the logic of that patch so that a user can set how OpenBoard will run just by modifying a configuration option. The "run in a window" feature is disabled by default, so it will not bother those teachers who are already familiar with the interface, but it can be easily switched on by advanced users.
September 1, 2020 Roberto Puzzanghera 62 comments
- Author: Inter7
- Version: 1.2.16
- Download the sources from http://sourceforge.net/projects/qmailadmin/files/
- Combined patch v. 20200902
qmailAdmin is a free software package that provides a web interface for managing a qmail system with virtual domains. It provides admin for adding/deleting users, Aliases, Forwards, Mailing lists and Autoresponders.
Combined patch details
- qmailadmin-skin, a patch that I created during covid-19 spare time, provides a new responsive skin to the control panel. It modifies everything under the html dir and many .c files in order to adjust the html embedded into the source files. Added a stylesheet style.css in the images folder and a couple of png files for the qmail logo.
- patch to call cracklib in order to check for the password strength. This should avoid unsafe accounts created by domain administrators such as "test 123456".
- A patch (thanks to Tony, original author unknown) which gets qmailadmin to have authentication failures logged. This makes it possible to ban malicious IPs via fail2ban. It is required to create the log file /var/log/qma-auth.log initially and assign write privileges to
- ezmlm-idx 7 compatibility patch (author unknown), which restores the compatibility with ezmlm-idx-7 (thanks to J.D. Trolinger for the advice).
- a fix to the catchall account (thanks to Luca Franceschini).
- another fix to autorespond.c to correct the way .qmail files are modified
- mod_user.html: cleaned the html as it was printing unneeded strings
- mod_user.html: added the "value" attribute to the name/gecos input tag
- Makefile.in: added a line to install the css, as already done for Makefile.am
(tx Pablo Murillo)
- mod_user.html: removed the "required" attribute on password field, to allow modifications in case of no password change
August 4, 2020 Roberto Puzzanghera 50 comments
- Info: https://github.com/qmail/simscan/releases
- John Simpson's simscan page (patch and a lot of info)
- Download (local copy)
- Combined patch used
- Version: simscan-1.4.1
- Old 1.4.0 repo: http://sourceforge.net/projects/simscan/files/
Simscan is a simple program that enables the qmail smtpd service to reject viruses, spam, and block attachments during the SMTP conversation so the processing load on the email system is kept to a minimum.
Combined patch details
Version 1.4.1 is a fork of the original simscan by Inter7. The sources have been polished and modernized a bit and contain a number of bug fixes and patches, including almost all the patches by jms (the only missing one is the "debug" patch which we will apply below) and the bug fix by Gustavo Castro that I had in my previous bundle of patches. Therefore the new patch simply adds the following:
- the jms "debug" patch, to improve the debugging of simscan on
- a bug fix by Bob Greco where a received message with multiple 'local' recipients executes spamc as null user and not as the user extracted from the first local recipient.
July 16, 2020 Roberto Puzzanghera 24 comments
UPDATE as of Jul 15:
markasjunk plugin has now info about the
- Official repository: http://plugins.roundcube.net/
My enabled plugins are (at the moment):
- password, which is already included in the plugins folder
- managesieve, which writes sieve scripts to filter the incoming mails (reject, move to specific folders etc.). Note that in order to use it you must have Dovecot managesieve enabled.
- SpamAssassin-User-Prefs-SQL, which writes the spamassassin user preferences in the DB. The user will be allowed to create a black/white list, to adjust the required_score and so on.
- markasjunk. You can add the sender's email address to the blacklist, or run a command such as sa_learn. Requires sauprefs.
- rcguard. This plugin logs failed login attempts and requires users to go through a reCAPTCHA verification process when the number of failed attempts goes too high.
- Context Menu. Adds context menus to the message list, folder list and address book. Menu includes the abilities mark messages as read/unread, delete, reply and forward.
- autologon. Autologin from external Site e.g. (CMS, Portal ...)
- logout_redirect. Modified version to only redirect to the homepage (depending on the domain part of the default identity)
- newmail_notifier. Can notify of new mail by focusing the browser window and changing the favicon, playing a sound and displaying a desktop notification (using the webkitNotifications feature).
- carddav. CardDav client. You can sync your addressbook against a CardDav server like nextcloud or SoGO.
- enigma adds support for viewing and sending of signed and encrypted messages in PGP (RFC 2440) and PGP/MIME (RFC 3156) format