SMTP authentication for Qmail
Why SMTP authentication?
Almost all SMTP servers refuse to relay mail for arbitrary clients; this is a
defense against spam. A user who switches between several IP providers
(typically a dial-up user of "free Internet" access) and needs an SMTP server
for sending mail can:
- either set a different SMTP server in the mail client configuration every
time the dial-up number changes,
- or set one SMTP server with SMTP authentication (the more comfortable
solution).
Administrator's troubles with SMTP AUTH
It seems that SMTP authentication is the best solution for users and for
administrators too (users stop asking to have relay permitted). I use the SMTP
authentication patch for Qmail from www.nimh.org (http://www.nimh.org/dl/qmail-smtpd.c).
It works fine (thanks to the author), but I discovered some problems:
- The Netscape mail client tries to authenticate whenever it finds that the SMTP
server supports SMTP AUTH (from the EHLO dialog) and asks the user for a
password. The client uses the same login as for POP; nothing else can be
configured. The MS clients Outlook and Outlook Express are different: everything
can be set (whether to use authentication, whether to use the same login and
password as for POP or different ones, ...).
Problems of Netscape mail client users after SMTP authentication was
implemented:
- the user must enter one more password. The user must enter the password even
when SMTP authentication is not necessary (the computer is in a domain from
which SMTP relay is permitted, e.g. our LAN).
- if the user uses a different (e.g. remote) POP server and our SMTP server
with different login names, he cannot send mail at all once SMTP
authentication is implemented on our SMTP server.
- Netscape SMTP servers support SMTP authentication. It seems to me that, just
like the Netscape client, a Netscape server tries to authenticate whenever it
finds that the receiving SMTP server supports SMTP AUTH. Because the server
knows no password and uses a blank login (or something else, e.g. "root"),
our server ends the SMTP connection. Probably not only Netscape servers know
SMTP authentication today.
Problems with Netscape servers (and other SMTP servers which support SMTP
authentication when sending):
- they try to authenticate every time. Because the authentication fails, our
server ends the SMTP session. Because an SMTP session was started at all, the
Netscape server does not try our other MX server and leaves the message in its
queue. After a few days the server sends the message back as undelivered.
- the administrators of these servers are not able to change their server's
behavior (or they do not know about this problem). And our users do not
receive their mail.
Solution
I use the SMTP authentication patch for Qmail from www.nimh.org
(http://www.nimh.org/dl/qmail-smtpd.c)
with minor changes:
- The server hides its SMTP AUTH support (in the EHLO reply) when relay is
permitted for the remote computer (this solves the problem with Netscape
clients on the LAN: the clients do not try to authenticate and do not ask the
user for a password).
- When SMTP AUTH fails, the server does not terminate the connection; it only
waits 2 seconds and then does not permit relay for messages in that session
(this solves the problem with Netscape servers).
- The server writes a syslog record about each authentication attempt.
Modified qmail-smtpd.c
qmail-smtpd.c for Qmail 1.03
Installation
- install Qmail 1.03
- replace the file qmail-smtpd.c with the modified version, compile Qmail and
install it again (make setup check)
- install and test checkpassword.
- modify the qmail-smtpd startup. In case of
- inetd: use something like
"smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env
/var/qmail/bin/qmail-smtpd /bin/checkpassword /bin/true"
- xinetd:
###############################
#/etc/xinetd.d/qmail-smtp
###############################
service smtp
{
    socket_type = stream
    wait        = no
    user        = qmaild
    server      = /var/qmail/bin/tcp-env
    server_args = -R /var/qmail/bin/qmail-smtpd server.com /bin/checkpassword /bin/true
    nice        = 10
}
(thanks cameron (at) omigos (dot) ca)
- test:
- From a computer which does not have relay permitted, try
- telnet server 25
- EHLO
- 250 AUTH=LOGIN should be in the answer
- From a computer which has relay permitted (e.g. on the LAN), repeat the
EHLO: the AUTH line should be absent, because the modified server hides it
- From a computer which does not have relay permitted, try to send mail from a
client with SMTP authentication enabled (Netscape always authenticates; MS
Outlook needs the setting)
- look at syslog:
- Jun 22 08:43:42 servername qsmtpd: auth ok for login: login
- OK
- Jun 21 16:38:24 servername qsmtpd: auth fail for login: login - bad password
- no record: the client did not use authentication
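The telnet test above stops at EHLO. To drive the AUTH LOGIN exchange by hand you need the login and password as base64, which is easy to get wrong at a terminal. The program below is an added example, not code from the page or from the nimh.org patch: it checks an EHLO reply for an advertised AUTH line (both the "250-AUTH=LOGIN" form the page expects and the RFC 4954 "250-AUTH LOGIN" form) and prints the exact lines to type after EHLO. The EHLO replies and the login/password in it are constructed sample values, not output captured from any server.

```c
/* Added example, not code from the page or from the nimh.org patch: the
 * client half of the SMTP AUTH LOGIN exchange, so the telnet test above can
 * continue past EHLO.  After "AUTH LOGIN" the server answers with two 334
 * prompts (base64 of "Username:" and "Password:"); the client replies with
 * the base64 login and password and expects "235" on success or "535" on
 * failure (RFC 4954).  The EHLO replies and credentials below are constructed
 * sample values. */
#include <stdio.h>
#include <string.h>

/* Base64-encode n bytes of src into dst (dst needs 4*((n+2)/3)+1 bytes). */
static char *b64enc(const unsigned char *src, size_t n, char *dst)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t i = 0, o = 0;
    while (i < n) {
        size_t rem = n - i;                    /* bytes left in this 3-byte group */
        unsigned v = (unsigned)src[i] << 16;
        if (rem > 1) v |= (unsigned)src[i + 1] << 8;
        if (rem > 2) v |= src[i + 2];
        dst[o++] = tbl[(v >> 18) & 63];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = rem > 1 ? tbl[(v >> 6) & 63] : '=';
        dst[o++] = rem > 2 ? tbl[v & 63] : '=';
        i += 3;
    }
    dst[o] = '\0';
    return dst;
}

/* String wrapper; returns a static buffer (inputs longer than 256 bytes are cut). */
const char *b64str(const char *s)
{
    static char buf[4 * ((256 + 2) / 3) + 1];
    size_t n = strlen(s);
    if (n > 256) n = 256;
    return b64enc((const unsigned char *)s, n, buf);
}

/* 1 if any line of an EHLO reply advertises AUTH ("250-AUTH=LOGIN" or
 * "250-AUTH LOGIN PLAIN" style), 0 otherwise.  The page's modified server
 * omits this line for hosts that are already allowed to relay. */
int ehlo_advertises_auth(const char *reply)
{
    const char *p = reply;
    while (p && *p) {
        if ((strncmp(p, "250-AUTH", 8) == 0 || strncmp(p, "250 AUTH", 8) == 0)
            && (p[8] == ' ' || p[8] == '=' || p[8] == '\r' || p[8] == '\n' || p[8] == '\0'))
            return 1;
        p = strchr(p, '\n');      /* advance to the next reply line */
        if (p) p++;
    }
    return 0;
}

/* Constructed EHLO replies: one as seen from a host that must authenticate,
 * one as seen from a LAN host for which the modified server hides AUTH. */
const char ehlo_needs_auth[] =
    "250-servername\r\n250-AUTH=LOGIN\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME\r\n";
const char ehlo_relay_ok[] =
    "250-servername\r\n250 8BITMIME\r\n";

/* Print the lines to type into the telnet session after EHLO, with the
 * expected server replies in the comments. */
void print_auth_login_script(const char *login, const char *password, FILE *out)
{
    fprintf(out, "AUTH LOGIN\n");             /* server: 334 VXNlcm5hbWU6  ("Username:") */
    fprintf(out, "%s\n", b64str(login));      /* server: 334 UGFzc3dvcmQ6  ("Password:") */
    fprintf(out, "%s\n", b64str(password));   /* server: 235 on success, 535 on failure */
}

int main(void)
{
    printf("AUTH advertised to remote host: %d, to relay-permitted host: %d\n",
           ehlo_advertises_auth(ehlo_needs_auth), ehlo_advertises_auth(ehlo_relay_ok));
    print_auth_login_script("login", "secret", stdout);   /* sample credentials */
    return 0;
}
```

Paste the three printed lines into the telnet session after EHLO; the "auth ok" or "auth fail" syslog record described above should follow. Note that AUTH LOGIN only base64-encodes the password, so on a connection without TLS it is readable to anyone on the path.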
Known problems
- the modified qmail-smtpd.c tests (for security reasons) whether the login
contains only alphanumeric characters; any other character is replaced with
"X" before the login is checked, which breaks authentication for such logins.
If your login names contain other characters ("-" etc.) or you are using
vpopmail (whose logins contain "@"), modify or comment out this part of the
source code:
/* vhor */
/* replace every non-alphanumeric character of the login with 'X' */
for (i = 0; i < strlen(smtpauthlogin); i++) {
    if (!isalnum(smtpauthlogin[i])) {
        smtpauthlogin[i] = 'X';
    }
}
(thanks to Jonas Pasche jonas (at) domke (dot) de for the warning).
- if authentication does not work, check the permissions of your
password-checking program:
- /bin/checkpassword: owner root.nofiles, permissions 4110 (executable only
by owner and group, setuid bit)
- vchkpw must be setuid and setgid, owner vpopmail.vchkpw
(thanks to Joan Valduvieco joan (at) laigu (dot) net)
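The "replace with X" filter in the first known problem above changes the login before it is verified, so hyphenated or vpopmail-style logins can never authenticate. The program below is an added example, not code from the page or from the nimh.org patch, showing a stricter alternative: the login is rejected outright unless every byte is on an allowlist, and a separately escaped copy is produced for the syslog line so that control characters in a failed login cannot forge extra log records. The allowlist characters and the 128-byte limit are assumptions, not values taken from the patch; the page's own filter is reproduced as page_sanitize() for comparison.

```c
/* Added example, not code from the page or from the nimh.org patch: a
 * stricter alternative to the "replace with X" login filter above.  The
 * page's filter rewrites the login before it is checked, so "john-doe" is
 * verified as "johnXdoe" and can never authenticate.  Here the login is
 * rejected unless every byte is on an allowlist, and a separate escaped copy
 * is made for the syslog line.  The allowlist and the 128-byte limit are
 * assumptions, not values from the patch. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LOGIN_MAX 128   /* assumed upper bound for a login name */

/* The page's filter, as a copy-returning function for comparison.
 * isalnum() is given an unsigned char: passing a negative char is undefined. */
const char *page_sanitize(const char *login)
{
    static char buf[LOGIN_MAX + 1];
    size_t i, n = strlen(login);
    if (n > LOGIN_MAX) n = LOGIN_MAX;
    for (i = 0; i < n; i++)
        buf[i] = isalnum((unsigned char)login[i]) ? login[i] : 'X';
    buf[i] = '\0';
    return buf;
}

/* Allowlist: alphanumerics plus the characters hyphenated names and
 * vpopmail-style logins (user@domain) need.  Returns 1 if the login may be
 * handed to checkpassword unchanged, 0 if it must be refused. */
int login_is_safe(const char *login)
{
    size_t i, n = strlen(login);
    if (n == 0 || n > LOGIN_MAX)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)login[i];
        if (!isalnum(c) && strchr("@._-", c) == NULL)
            return 0;
    }
    return 1;
}

/* Copy for the syslog record: printable ASCII passes, anything else becomes
 * \xNN, so a newline or ESC in a rejected login cannot forge a log line. */
const char *login_for_syslog(const char *login)
{
    static char buf[LOGIN_MAX * 4 + 1];
    size_t o = 0, i;
    for (i = 0; login[i] && o + 4 < sizeof buf; i++) {
        unsigned char c = (unsigned char)login[i];
        if (c >= 0x20 && c < 0x7f && c != '\\')
            buf[o++] = (char)c;
        else
            o += (size_t)sprintf(buf + o, "\\x%02x", c);
    }
    buf[o] = '\0';
    return buf;
}

int main(void)
{
    /* constructed sample logins: plain, hyphenated, vpopmail-style, hostile */
    const char *samples[] = { "john", "john-doe", "john@example.com", "john\ndoe" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("login %-20s page filter: %-20s allowlist: %s\n",
               login_for_syslog(samples[i]), page_sanitize(samples[i]),
               login_is_safe(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

With this split the name passed to checkpassword is the one the user typed, and the syslog record stays one line whatever the client sends.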
Comments welcome.
2004-06-08 Vladimír Horák