Why this patch

I wanted authenticated SMTP submission without patching ofmipd(8) or qmail-smtpd(8). Reasons:

  1. To avoid patch conflicts with the TLS patch, so I can easily and safely keep up with the latest.
  2. To provide a more qmail-ish design for SMTP AUTH, so I can have improved security and new user-controlled features.

Already using one of the popular SMTP AUTH patches? acceptutils is different:

Without this patch

POP3 runs as the authenticated user, even if that happens to be root. SMTP AUTH runs as a hardcoded unprivileged user, needs checkpassword marked setuid-root in order to invoke it strangely, and is implemented by a patch to ofmipd or qmail-smtpd.

SMTP AUTH can be abused to dictionary-attack the root password. So can POP3, where guessing right gets you qmail-pop3d running as root!

If TLS is supported, it likely comes from linking directly with OpenSSL and running in your service’s address space with its privileges.

With this patch

POP3 runs as the authenticated user, who will never be root. SMTP AUTH works the same way, invokes checkpassword as intended, and does not require any changes to ofmipd or qmail-smtpd.

If someone manages to guess the root password, they won’t know they did: it looks exactly like any other failed checkpassword login.

Both POP3 and SMTP AUTH run green thanks to these new programs:

  • reup runs a program repeatedly until it succeeds.
  • authup offers SMTP or POP3 authentication and calls checkpassword.
  • checknotroot refuses to run as UID 0.
  • fixsmtpio filters SMTP I/O and exit status to suit authup.
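
The checknotroot idea as an added example (this is not acceptutils source code): a chain-loading wrapper that refuses UID 0 with the same exit status checkpassword uses for a rejected login, so a correct root password looks like any other failure. The name notroot_status, the exit statuses (borrowed from the checkpassword convention) and the extra effective-UID check are assumptions of this example.

```c
/* notroot.c: added illustration of the checknotroot idea.
 * Not taken from the acceptutils patch. */
#include <sys/types.h>
#include <unistd.h>

/* Exit statuses follow the checkpassword convention (assumed here):
 * 1 = credentials rejected, 2 = misuse, 111 = temporary error. */
enum { EXIT_REJECT = 1, EXIT_MISUSE = 2, EXIT_TEMPFAIL = 111 };

/* Decide what to do before exec'ing the next program in the chain.
 * Returns 0 to proceed, otherwise the status to exit with.
 * Checking the effective UID as well as the real UID is this
 * example's choice, to cover a setuid invocation. */
int notroot_status(uid_t ruid, uid_t euid, int argc)
{
    if (argc < 2)
        return EXIT_MISUSE;      /* no program given to chain-load */
    if (ruid == 0 || euid == 0)
        return EXIT_REJECT;      /* same status as a wrong password */
    return 0;
}

/* Usage: notroot prog [args...]
 * Meant to sit after checkpassword, which has already switched to the
 * authenticated user's UID before running us. */
int main(int argc, char **argv)
{
    int status = notroot_status(getuid(), geteuid(), argc);

    if (status != 0)
        _exit(status);           /* silent: no message reveals the reason */

    execvp(argv[1], argv + 1);   /* become the real service program */
    _exit(EXIT_TEMPFAIL);        /* only reached if exec failed */
}
```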

TLS is supported by running under ucspi-ssl, which links with OpenSSL and runs TLS as a separate unprivileged user via the UCSPI-TLS interface. authup and fixsmtpio rely on UCSPI-TLS to offer STARTTLS for message submission and incoming SMTP, respectively.

Security

Please consider carefully the risks and mitigations and decide for yourself whether acceptutils might safely improve your SMTP AUTH submission service.

Get this patch

(Generated with git diff netqmail-1.06 netqmail-1.06-acceptutils-20181108.)

This patch only adds new programs. You can merge it into your main qmail source tree if you feel the need, or (my recommendation) into a fresh, previously unpatched tree:

  1. Extract netqmail into qmail-acceptutils.
  2. Apply netqmail-1.06-acceptutils-20181108.patch there.
  3. Copy over conf-* from your main qmail source tree.

Then simply:

# make acceptutils
# cp reup authup checknotroot fixsmtpio /var/qmail/bin
# cp reup.8 authup.8 checknotroot.8 fixsmtpio.8 /var/qmail/man/man8

Then switch from your current setup and enjoy new user-controlled features.

Possible future directions

Here are some ideas for the future of acceptutils.

Improve this patch

If you see a simpler way to do it, I’d love to know.