
qmail AUTH_CDB patch

The AUTH_CDB patch allows qmail-smtpd to validate AUTH commands by reading a .cdb file, as opposed to running an external checkpassword program (like vpopmail's vchkpw). There are several advantages to doing it this way:

There is a disadvantage to doing it this way as well: you have to create the .cdb file, and you need to update it every time a mailbox is added or deleted, or somebody changes their password.

I have written a script called "mkauth" which reads the system and vpopmail password databases and either writes out a text file which can then be converted into the .cdb file, or writes out the .cdb file directly.

Of course the problem becomes knowing when to run it, which is why I created the onchange patch for vpopmail, so that any time vpopmail makes a change, it runs an external script which can be used to do pretty much anything you need to do, including running the script to rebuild the .cdb file.

The problem there is that when vpopmail runs the script, the script runs as whatever userid was running the vpopmail command, and if that user is not root, it won't have write access to the .cdb file we need to update. This is why I always set up a qmail-updater service, which listens for incoming data on a named pipe, and runs a certain command whenever data is received.

The idea is that any userid is able to send data to the pipe, but the service itself is running as root and only runs the exact script it's been programmed with. If this script happens to rebuild the .cdb files used for AUTH and validrcptto.cdb purposes, then the problem is solved, in a secure manner.

This page is not here to explain the vpopmail onchange patch or how a qmail-updater service works; I already have pages for that. This page will cover the specifics of working with the AUTH_CDB patch itself.


At the current time, the AUTH_CDB patch is only available as part of my combined qmail patch. This is because I wrote it as part of the combined patch, and it relies on code which is part of the earlier AUTH patch in order to do much of its work. At some point in the future I may have a go at building a stand-alone patch for djb's source code and for netqmail, but the truth is I don't really have the time to mess with it.

The AUTH_CDB code, which I was testing at the time, was accidentally released on 2006-03-08, with version "6c5" of the combined patch. Several people started using it, and nobody reported any problems (other than things like "How does it work?" and "How do I configure it?"), so I'm pretty sure it works.

I later updated the code on 2007-09-12, with version 7.02 of the combined patch. I changed the file format: in addition to a user's encrypted password, the .cdb file can now also contain one or more environment variable definitions, which are added to the environment whenever that particular user logs in. A sample entry with an environment variable attached looks like this: $1$gTMo92Qd$GleoTVwVOW2p3EKe4czdtE,DATABYTES="0"


This section walks through a sample process of creating and using an auth.cdb file. You will note that we actually create the file using a different name, and then rename it into place. This is to avoid the possibility that qmail-smtpd will try to read the file while it's in the process of being built, or before it has the correct ownership and permissions.

# cd /var/qmail
# mkauth
(Not necessary, I'm including it here so you can see what the output looks like.)
$1$gTMo92Qd$GleoTVwVOW2p3EKe4czdtE
$1$yAtNxu9/$fGYT/9dHhtx2AA/cHc2VUp
$1$VAl0sfPn$72JVombnjkHi6CdQmA1ZAm
$1$UhWq.z67$R7Yakpq/60rDNZBUg1mIKp
$1$PF1YFb4Y$LBkHT6kmBh1mf3DyYjK3mX
$1$E4E0fVUL$Hhnw1I3DfSRNxEXzWW9El8
$1$pYO0zym7$XKxV9eITSx8PByn1ZcNgLp
$1$5YNzuueW$IriOVyuAzQIcn1tYxT9R24
$1$FdSz1A7w$X.jNvcNW6rEIzcQq/EOAvk
# mkauth > auth.txt
# cdbmake-12 work.cdb work.tmp < auth.txt
# chown root:nofiles work.cdb
# chmod 0640 work.cdb
# mv work.cdb auth.cdb
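As an added example (not code from this page, from mkauth, or from the patch), the following Python builds an auth.cdb image in the same on-disk format that cdbmake-12 writes, looks a user up the way any cdb reader does, and splits a 7.02-format value into the crypted password and its environment definitions. The usernames are made up, and the assumption that definitions are comma separated and written NAME="value" is taken from the single sample entry shown above.

```python
import struct

def cdb_hash(key: bytes) -> int:
    h = 5381                                  # djb hash: h = ((h << 5) + h) ^ c, mod 2**32
    for c in key:
        h = (((h << 5) + h) ^ c) & 0xffffffff
    return h

def cdb_build(entries) -> bytes:              # (key, value) byte pairs -> cdb file contents
    records, tables, pos = bytearray(), [[] for _ in range(256)], 2048
    for k, v in entries:
        h = cdb_hash(k)
        tables[h & 255].append((h, pos))      # table chosen by the low byte of the hash
        records += struct.pack("<II", len(k), len(v)) + k + v
        pos += 8 + len(k) + len(v)
    header, tail = bytearray(), bytearray()
    for t in tables:
        tlen = 2 * len(t)                     # cdbmake keeps every table half empty
        header += struct.pack("<II", pos, tlen)
        slots = [(0, 0)] * tlen
        for h, p in t:                        # linear probing from slot h >> 8
            i = (h >> 8) % tlen
            while slots[i][1]:
                i = (i + 1) % tlen
            slots[i] = (h, p)
        tail += b"".join(struct.pack("<II", h, p) for h, p in slots)
        pos += 8 * tlen
    return bytes(header + records + tail)

def cdb_lookup(blob: bytes, key: bytes):      # value stored under key, or None
    h = cdb_hash(key)
    tpos, tlen = struct.unpack_from("<II", blob, 8 * (h & 255))
    for n in range(tlen):                     # same probe order as cdb_build
        hh, p = struct.unpack_from("<II", blob, tpos + 8 * (((h >> 8) + n) % tlen))
        if p == 0:
            return None                       # empty slot: the key is not present
        if hh == h:
            klen, dlen = struct.unpack_from("<II", blob, p)
            if blob[p + 8:p + 8 + klen] == key:
                return blob[p + 8 + klen:p + 8 + klen + dlen]
    return None

def parse_auth_entry(value: bytes):           # 7.02 format: crypted pw, then env definitions
    pw, *defs = value.decode().split(",")     # assumed: comma separated, written NAME="value"
    return pw, {d.partition("=")[0]: d.partition("=")[2].strip('"') for d in defs}

# Constructed sample: the usernames are made up, the crypted hashes are from the page.
SAMPLE = [(b"alice@example.com", b'$1$gTMo92Qd$GleoTVwVOW2p3EKe4czdtE,DATABYTES="0"'),
          (b"bob@example.com", b"$1$yAtNxu9/$fGYT/9dHhtx2AA/cHc2VUp")]
```

The bytes returned by cdb_build still go through the steps above: write them to work.cdb, set the ownership and mode, and only then mv the file into place as auth.cdb.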