Why these programs

I wanted mandatory TLS and AUTH for message submission without patching ofmipd(8), and opportunistic TLS for incoming deliveries without patching qmail-smtpd(8). Reasons:

  1. To avoid patch conflicts, so I can easily and safely keep up with the latest qmail-remote half of the TLS patch.
  2. To sow a more qmail-ish design, and reap new user-controlled features.

Already using one of the popular AUTH patches? acceptutils is different. Compare and contrast, noting that:

  • TLS is included
  • Message submission has been redesigned to cohere
  • Submission and incoming SMTP are distinct services
  • Neither of them runs weird privileged child processes
  • POP3 has been improved, too
  • These improvements come from new programs, not patches

Without these programs

TLS, if available, is provided by a patch that links OpenSSL directly into your SMTP and/or POP3 services, running in the same address space with the same privileges.

AUTH, if available, is provided by a patch that continues to run as a hardcoded unprivileged user but needs checkpassword to be marked setuid-root and invokes it strangely. The service can be abused to dictionary-attack the root password.

POP3 is provided by vanilla DJB qmail. It can also be abused to dictionary-attack the root password, and runs as the authenticated user even if that happens to be root. (Both fixed in notqmail 1.08.)

With these programs

TLS is provided by an external program (such as s6-ucspitlsd or sslserver) in its own address space. Such a program may be able to run its TLS engine in a further privilege-separated process. Relying on the UCSPI-TLS interface, acceptutils then offers TLS for incoming SMTP, message submission, and POP3 — via fixsmtpio, authup, and authup, respectively.

AUTH is provided by authup, a program derived from qmail-popup that extends its design to SMTP: it speaks just enough protocol to parse a username and password and invoke checkpassword normally (no setuid-root required). Thanks to checknotroot, a new program that refuses to run as UID 0, anyone who manages to guess the root password won’t know they did: it looks exactly like any other failed checkpassword login. Once authenticated, the service runs with the authenticated user’s privileges, which arguably improves security and unarguably enables new features. ofmipd and qmail-smtpd run unmodified because of fixsmtpio, a new program that filters their I/O and exit status to suit authup.

POP3 authentication is also provided by authup, a plug-in replacement for qmail-popup. Once authenticated, the qmail-pop3d service runs with the authenticated user’s privileges. Thanks to checknotroot, this will never be root.

Not included

If you’re relying on TLS and AUTH in qmail-remote, keep those patches. (Whether or not you stop patching qmail-smtpd and ofmipd, acceptutils will work with them.) Extending the acceptutils approach to qmail-remote will be a separate project.

Security

Please consider carefully the risks and mitigations and decide for yourself whether acceptutils might safely improve your incoming SMTP, message submission, and/or POP3 service.

Get these programs

(Generated with git diff netqmail-1.06 netqmail-1.06-acceptutils-20230511.)

acceptutils adds new programs and manual pages. It’s distributed as a patch, but that doesn’t mean it needs to be merged into your main qmail source tree. I recommend applying it to vanilla netqmail:

  1. Extract netqmail into qmail-acceptutils.
  2. Apply netqmail-1.06-acceptutils-20230511.patch there.
  3. Copy over conf-* from your main qmail source tree.

Then simply:

# make acceptutils
# make acceptutils-install

Then switch from your current setup and enjoy new user-controlled features.

Possible future directions

Here are some ideas for the future of acceptutils.

Improve these programs

If you see a simpler way to do it, I’d love to know.