The DynDN.eS Blog

About DynDN.eS, eQmail, Gentoo & some other network stuff

eQmail password wrapper: qmail-pwrap

qmail-pwrap is a wrapper for eQmail/(net)qmail around checkpassword compatible tools. It allows several checkpassword tools to be tried one after another, and therefore several different authentication backends to be used side by side.

It is based on one of the quick and dirty hacks I did some years ago. After publishing eQmail I decided to turn it into a clean tool, ship it as an extension and publish it too. The advantages are:

  • authentication methods can be changed/added on the fly - without a restart
  • more than one authentication method can be used - after one is successful qmail-pwrap exits immediately
  • different user groups can use different authentication methods

  Update:  Current documentation and the download of the latest release are available at openqmail.org!

Download: qmail-pwrap (sha256sum)

qmail-pwrap will be discussed on the openqmail mailing list (closed!).

Install

Download the tarball and unpack it. I recommend putting  qmail-pwrap  into $QMAILHOME/bin/, but any other location is fine. Set the correct owner and permissions on the target:

$ chown qmaild:qmail /var/qmail/bin/qmail-pwrap
$ chmod 0755 /var/qmail/bin/qmail-pwrap

Edit your qmail-smtpd run file like:

exec /usr/bin/tcpserver \
     ... <tcpserver stuff> ... \
     /var/qmail/bin/qmail-smtpd /var/qmail/bin/qmail-pwrap 2>&1

Save the file and restart  qmail-smtpd  after you have done the configuration described in the next section.

Configuration

  Important:  The configuration has changed! The description below applies to versions prior to 0.3 only!

Edit qmail-pwrap in the section “user configuration” like:

...
#***** user configuration *******************************************************
# Define all checkpassword tools you want to use here, one per line (best
# practice is to start each line with a space). More lines can safely be
# inserted if needed.
CPW="
 /bin/cmd5checkpw
 /var/qmail/bin/qmail-chkpw
 /bin/checkpassword
" # End of list    **************************************************************
...

After the line  CPW="  (stands for CheckPassWord) insert the checkpassword tools, with full path, that you wish to use. One per line, and each line should start with a space. The line  " # End of list *  closes the configuration - do not edit this line. At least one tool has to be defined.

Important: Make sure each tool/method works on its own before using it through qmail-pwrap.

How it works

qmail-pwrap reads the authentication data from file descriptor 3 and saves it temporarily. Then it closes fd3. It provides the saved data on fd3 again and calls one of the configured checkpassword tools. Typically a checkpassword tool reads from fd3 and closes fd3 by itself.

qmail-pwrap checks the exit code of the checkpassword tool. On successful authentication it exits; otherwise it tries the next one. If all of them fail, authentication fails. The exit code of the checkpassword tool is always passed through.

qmail-pwrap logs through the system log.

The AUTH environment variable

If the environment variable  AUTH=0  is set, authentication is disabled: qmail-pwrap exits with code "0". The MTA may then act as an open relay (depending on other settings).  DANGEROUS! 

When using tcpserver, the AUTH variable can be set in your run file, like:

...
export AUTH=1
exec /usr/bin/tcpserver \
...

Anyway - I recommend doing it through qmail-pwrap. In its first lines of code the AUTH variable is set if it does not exist yet. The value can be changed and takes effect immediately:

...
# Check for environment variable  AUTH  and set it if necessary. Valid values are
# 0 - disable authentication
# 1 - enable authentication (default)
# Next line has no effect if $AUTH is set somewhere before invoking qmail-pwrap !
# (then $AUTH will be set here - with one of the described values above ... )
if [ -z "$AUTH" ] ; then export AUTH=1 ; fi
# check if auth is disabled (env var: AUTH=0)
if [ "$AUTH" -eq 0 ] ; then
  exec 3>&-   # close fd3
  exit "$AUTH" ; fi
...

On successful authentication qmail-pwrap re-sets AUTH to  AUTH=success . This can be used for further process decisions, e.g. whether to do DKIM verification or not.
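The try-each-tool loop from "How it works" together with the AUTH=success re-set above, as an added example that is not qmail-pwrap's own code. It assumes (the page does not say) that the fd3 data is spooled to a temporary file and that each tool is invoked with the wrapper's remaining arguments; the two fake checkpassword tools are constructed here so the loop can be exercised offline.

```shell
#!/bin/sh
# Added example, not qmail-pwrap's own code: the try-each-tool loop the text
# describes, plus two constructed fake checkpassword tools so it runs offline.
# Assumptions (not stated on the page): the fd 3 payload is spooled to a temp
# file, and every tool is invoked with the wrapper's remaining arguments.

# pwrap_run "TOOL ..." [SUBPROGRAM...]: read the checkpassword payload
# (user\0pass\0timestamp\0) from fd 3, hand it to each tool on a fresh fd 3,
# stop at the first success, and return the last tool's exit code otherwise.
pwrap_run() {
  tools=$1; shift
  tmp=$(mktemp) || return 111
  cat <&3 > "$tmp"            # save the payload; it contains NUL bytes
  rc=1
  for tool in $tools; do
    if "$tool" "$@" 3< "$tmp"; then   # tool reads and closes its own fd 3
      rc=0; export AUTH=success       # as the page says qmail-pwrap does
      break
    else
      rc=$?                           # pass-through of the tool's exit code
    fi
  done
  rm -f "$tmp"
  return "$rc"
}

# make_fake_tools DIR: constructed stand-ins for real checkpassword tools.
# "deny" rejects everyone; "accept_alice" only accepts alice / s3cret.
make_fake_tools() {
  cat > "$1/deny" <<'EOF'
#!/bin/sh
exec 3<&-
exit 1
EOF
  cat > "$1/accept_alice" <<'EOF'
#!/bin/sh
data=$(tr '\000' '\n' <&3)        # NUL-separated fields -> lines
exec 3<&-
user=$(printf '%s\n' "$data" | sed -n 1p)
pass=$(printf '%s\n' "$data" | sed -n 2p)
if [ "$user" = alice ] && [ "$pass" = s3cret ]; then
  [ $# -gt 0 ] && exec "$@"       # real tools exec the subprogram here
  exit 0
fi
exit 1
EOF
  chmod 0755 "$1/deny" "$1/accept_alice"
}
```

With the list "deny accept_alice" the first tool fails, the second succeeds, and the wrapper returns 0 with AUTH=success; with a wrong password both fail and the last exit code (1) is passed through.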