May 22, 2020 Roberto Puzzanghera
qmailAdmin is a free software package that provides a web interface for managing a qmail system with virtual domains. It provides administration functions for adding and deleting users, aliases, forwards, mailing lists and autoresponders.
cracklib in order to check the password strength. This should prevent domain administrators from creating unsafe accounts such as "test 123456".
qmailadmin to have authentication failures logged. This makes it possible to ban malicious IPs via fail2ban. It is required to create the log file /var/log/qma-auth.log initially and assign write privileges to
ezmlm-idx-7 (thanks to J.D. Trolinger for the advice).
.qmail files are modified
Cracklib is a library of functions providing a password complexity check against a word list.
cracklib compares the chosen password with the words contained in a database and, if it is similar to one of the words stored there, it outputs a negative response.
qmailadmin we have to set up
cracklib and then apply the patch. This patch upgrades the one of Inter7, which enforced
qmailadmin only in the case of user change but not when creating the user or simply when the user navigates the "change password" page.
It's likely that you have the cracklib package and word list available in your Linux distribution repository. In this case proceed to the next step. If not, go ahead as follows in the normal way:
    wget https://ftp.osuosl.org/pub/blfs/conglomeration/cracklib/cracklib-2.9.7.tar.bz2
    tar xjf cracklib-2.9.7.tar.bz2
    cd cracklib-2.9.7
    ./configure --with-default-dict=/usr/share/cracklib/pw_dict
    make
    make install

    # Create the dictionary folder (the same as used in the configure command)
    mkdir /usr/share/cracklib
    cd /usr/share/cracklib
    # download the words list
    wget https://ftp.osuosl.org/pub/blfs/conglomeration/cracklib/cracklib-words-2.9.7.bz2
    bunzip2 cracklib-words-2.9.7.bz2
    # format and pack the dictionary into pw_dict.* files
    cracklib-format cracklib-words-2.9.7 | cracklib-packer pw_dict
Now check that the cracklib-words database has been created:
    ls
    cracklib-words-2.9.7  pw_dict.hwm  pw_dict.pwd  pw_dict.pwi
The database is made up of those three pw_dict.* compiled files. You can always enrich the database by adding lines to the plain-text file and using a combination of
cracklib-packer as shown above. Take also note of where the database has been installed because we'll have to pass its path to
Let's do some tests to see how
    # cracklib-check
    roberto
    roberto: it is based on a dictionary word
    123456
    123456: it is too simplistic/systematic
    roberto928
    roberto928: it is based on a dictionary word
    robe99
    robe99: it is based on a dictionary word
    99robe
    99robe: it is based on a dictionary word
    robe@99
    robe@99: it is based on a dictionary word
    Qwerty123
    Qwerty123: it is based on a dictionary word
    Qwerty!123
    Qwerty!123: it is based on a dictionary word
    Rob&02f
    Rob&02f: OK
    Rob&rto
    Rob&rto: OK
    ^C
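A batch version of the manual session above, as an added example (not part of the original page or of the qmailadmin patch): it feeds a list of passwords that must be refused to cracklib-check and prints any that come back OK, so it can be rerun after the dictionary is enriched. The function names and the CRACKLIB_CHECK variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page or of the qmailadmin patch.
# cracklib-check reads one candidate per line on stdin and prints
# "<candidate>: <verdict>" for each, as in the session above.

# Checker command; overridable so the parser can be exercised without
# cracklib installed (the variable name is an assumption of this example).
CRACKLIB_CHECK=${CRACKLIB_CHECK:-cracklib-check}

# Read checker output on stdin, print every candidate whose verdict is "OK".
# Matching on the ": OK" suffix rather than splitting at the first ": "
# keeps candidates that themselves contain ": " intact.
accepted_from_transcript() {
    while IFS= read -r line; do
        case $line in
            *": OK") printf '%s\n' "${line%: OK}" ;;
        esac
    done
}

# check_must_reject FILE: FILE lists passwords the policy must refuse.
# Returns 0 if all are refused, 1 if any is accepted (printed on stdout),
# 2 if the checker is not available.
check_must_reject() {
    command -v "$CRACKLIB_CHECK" >/dev/null 2>&1 || {
        echo "$CRACKLIB_CHECK not found" >&2
        return 2
    }
    accepted=$("$CRACKLIB_CHECK" < "$1" | accepted_from_transcript)
    [ -z "$accepted" ] && return 0
    printf '%s\n' "$accepted"
    return 1
}

# Demo on lines copied from the session above (no cracklib needed).
accepted_from_transcript <<'EOF'
roberto: it is based on a dictionary word
123456: it is too simplistic/systematic
Qwerty!123: it is based on a dictionary word
Rob&02f: OK
Rob&rto: OK
EOF
```

Run against the page's own session, the demo lists Rob&02f and Rob&rto; the second is a name with one character substituted, so a dictionary pass is a minimum bar rather than a measure of strength.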
cracklib as a standalone patch you have to run a combination of aclocal/automake/autoconf in order to rebuild the configure file. My combined patch already has the configure file rebuilt.
    cd /usr/local/src
    wget https://notes.sagredo.eu/files/qmail/tar/qmailadmin-1.2.16.tar.gz
    wget https://notes.sagredo.eu/files/qmail/patches/qmailadmin/roberto-qmailadmin/roberto-qmailadmin-1.2.16_20200522.patch

    # create the authentication log and make it writable by the apache group
    touch /var/log/qma-auth.log
    chgrp apache /var/log/qma-auth.log
    chmod g+w /var/log/qma-auth.log

    tar xzf qmailadmin-1.2.16.tar.gz
    cd qmailadmin-1.2.16
    patch -p1 < ../roberto-qmailadmin-1.2.16_20200522.patch
    chown -R root:root .

    # --enable-cracklib takes the dictionary path built earlier (without the .pwd/.pwi/.hwm suffix)
    ./configure \
      --enable-htmldir=/usr/local/www/htdocs/qmail \
      --enable-cgibindir=/usr/local/www/htdocs/qmail/cgi-bin \
      --enable-cgipath=/cgi-bin/qmailadmin \
      --enable-imagedir=/usr/local/www/htdocs/qmail/qmailadmin/files \
      --enable-imageurl=/files \
      --enable-htmllibdir=/usr/local/www/htdocs/qmail/qmailadmin \
      --enable-qmaildir=/var/qmail \
      --enable-domain-autofill \
      --enable-vpopuser=vpopmail \
      --enable-vpopgroup=vchkpw \
      --enable-autoresponder-path=/usr/local/bin \
      --enable-ezmlmdir=/usr/local/bin/ezmlm \
      --enable-modify-quota \
      --disable-ezmlm-mysql \
      --disable-trivial-password \
      --enable-cracklib=/usr/share/cracklib/pw_dict
Before compiling you may want to save the qmail logo png files into the "images" folder of your source directory. Then compile and install as usual:
    make
    make install-strip
    <VirtualHost *:443>
        ServerName yourdomain.net
        DocumentRoot /usr/local/www/htdocs/qmail
        ScriptAlias /cgi-bin/ "/usr/local/www/htdocs/qmail/cgi-bin/"
        ErrorLog "/usr/local/www/logs/qmailadmin_error.log"
        CustomLog "/usr/local/www/logs/qmailadmin_access.log" common

        <Directory "/usr/local/www/htdocs/qmail">
            Require all granted
            AllowOverride None
        </Directory>

        <Directory "/usr/local/www/htdocs/qmail/cgi-bin">
            AllowOverride None
            Options ExecCGI
            Require all granted
        </Directory>

        Alias /files/ "/usr/local/www/htdocs/qmail/qmailadmin/files/"
        <Directory "/usr/local/www/htdocs/qmail/qmailadmin/files">
            Require all granted
        </Directory>
    </VirtualHost>
Now browse to https://yourdomain.net/cgi-bin/qmailadmin and log in as postmaster.
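A post-install check for the authentication log that fail2ban will read, as an added example (not part of the original page or of the patch). The function name check_auth_log is made up here; the path and the apache group in the usage line are the ones from the touch/chgrp/chmod commands above.

```shell
#!/bin/sh
# Added example, not part of the original page: verify the log file created
# with touch/chgrp/chmod above before pointing fail2ban at it.

# check_auth_log FILE GROUP
# Succeeds only if FILE is a regular file (not a symlink), belongs to GROUP,
# is group-writable so the web server group can append to it, and is not
# world-writable (otherwise any local account could add entries that
# fail2ban then acts on).
check_auth_log() {
    file=$1 group=$2
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: missing, or not a regular file" >&2
        return 1
    fi
    # Field 1 of `ls -ld` is the mode string, field 4 the group.
    set -- $(ls -ld "$file")
    perms=$1 grp=$4
    if [ "$grp" != "$group" ]; then
        echo "$file: group is $grp, expected $group" >&2
        return 1
    fi
    case $perms in
        ?????w*) ;;   # 6th character: group write bit
        *) echo "$file: not writable by group $group" >&2; return 1 ;;
    esac
    case $perms in
        ????????w*) echo "$file: world-writable" >&2; return 1 ;;   # 9th character
    esac
    return 0
}

# Usage on the server described above:
#   check_auth_log /var/log/qma-auth.log apache
```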