http://qmail.jms1.net/vpopmaild.shtml

Running vpopmaild under daemontools

As of the time I write this (late March 2006), the latest development version of vpopmail (version 5.4.15) comes with a program called vpopmaild, which provides a way for authorized clients to perform most of the tasks you can do with the vpopmail command line tools, without having to ssh into the server and run them by hand.

The most basic capability of vpopmaild is to verify whether or not a given email address and password are correct. This is done with the login command, which is required before any other commands are accepted. Basically, if the login command succeeds, the address and password are valid. If not, then they are not valid.

One of my plans, now that vpopmaild is available, is to give qmail-smtpd the ability to support the AUTH command by sending a login command to vpopmaild. Of course, before this can be done, we need to have vpopmaild running as a service. The README.vpopmaild file which comes with the vpopmail-5.4.15 source code (local copy) is a bit thin on explaining how to set up a vpopmaild service, so this web page will give a better example.

There is one real difference between my script and a "generic" script. A "generic" script, following the directions from the README.vpopmaild file, sets up a service listening on IP address "0", meaning every interface on the server. This is a MAJOR security hole: allowing clients to connect across the network lets anybody with a packet sniffer watch every byte which goes across the wire, including passwords. My script sets up a service which only listens on 127.0.0.1, which on most systems is the "localhost" interface, so the packets never physically leave the machine and therefore cannot be "sniffed" by other machines.


Setting up the service

Before setting up the service, you may wish to look at the patches I have written for vpopmail. One is a major enhancement, the other fixes a bug which will prevent users whose passwords contain spaces from being able to authenticate.

I have written a simple "run" script for a vpopmaild service. This is the actual script which is running the service on my own server. Note that the commands below assume that your daemontools services are physically running in the /var/service directory (which is where they are on my server). If you keep your services somewhere else, or want to set up your own service directory somewhere, that works as well; just make sure that the physical location is not under /service, or you will not be able to reliably stop the service when needed.

As root...

# mkdir -m 1755 /var/service/vpopmaild
  (or wherever you keep your services)
# cd /var/service/vpopmaild
# mkdir -m 755 log
# wget http://qmail.jms1.net/scripts/service-vpopmaild-run
# mv service-vpopmaild-run run
# chmod 755 run
# cd log
# wget http://qmail.jms1.net/scripts/service-any-log-run
# mv service-any-log-run run
# chmod 755 run
# ln -s /var/service/vpopmaild /service/

Wait a few seconds...

# svstat /service/vpopmaild
/service/vpopmaild: up (pid 22457) 7 seconds
/service/vpopmaild/log: up (pid 22460) 7 seconds

2012-07-19 I changed the service-vpopmaild-run script so that it runs the service as the vpopmail user instead of root, and it listens on port 8900 instead of port 89 (because only root can listen on a low-numbered port like that). The directions below use port 8900; if you are using some other port number, please adjust accordingly.


Using the service

Once the service is running, you can test it by telnetting to localhost port 8900. This is a sample of what it looks like:

$ telnet 127.0.0.1 8900
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK
login userid@domain.xyz p@ssw3rd
+OK+
vpopmail_dir /home/vpopmail
domain_dir /home/vpopmail/domains/domain.xyz
uid 89
gid 89
name userid
comment userid
quota NOQUOTA
user_dir /home/vpopmail/domains/domain.xyz/userid
encrypted_password $1$ZXWVRRi9$X.ZdqlNURS32jD4YdkFkq0
clear_text_password
no_password_change 0
no_pop 0
no_webmail 0
no_imap 0
bounce_mail 0
no_relay 0
no_dialup 0
user_flag_0 0
user_flag_1 0
user_flag_2 0
user_flag_3 0
no_smtp 0
domain_admin_privileges 0
override_domain_limits 0
no_spamassassin 0
delete_spam 0
system_admin_privileges 0
.
quit
+OK
Connection closed by foreign host.

As you can see, when you successfully log into the service, it shows you pretty much everything about the account you are logged into. A few things are worth mentioning here...
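The login/quit exchange shown above, scripted as an added example (this is not code from this page or from vpopmail): it connects to vpopmaild on the loopback port, parses the "+OK+" reply into the per-user flags an SMTP AUTH front end would check, and drops the password fields before returning anything a caller might log. The host and port follow the directions above; treating any reply that does not start with "+OK" as a failed login is an assumption, since the page does not show the error text.

```python
import socket

VPOPMAILD_HOST = "127.0.0.1"  # loopback only: the protocol is plain text
VPOPMAILD_PORT = 8900

# Fields vpopmaild echoes back on login that must never reach a log file
SENSITIVE_KEYS = {"encrypted_password", "clear_text_password"}

def parse_login_reply(lines):
    """Parse the reply to a 'login' command, given as a list of lines.

    A successful login answers '+OK+', then 'key value' lines, then a
    lone '.'. Any reply whose first line does not start with '+OK' is
    treated as a failed login (assumption: the exact error text is not
    on the page). Password fields are dropped so attrs can be logged.
    """
    if not lines or not lines[0].startswith("+OK"):
        return False, {}
    attrs = {}
    if lines[0] == "+OK+":
        for line in lines[1:]:
            if line == ".":
                break
            key, _, value = line.partition(" ")
            if key not in SENSITIVE_KEYS:
                attrs[key] = value
    return True, attrs

def account_may_auth_smtp(attrs):
    """Per-user vpopmail flags an SMTP AUTH front end should honour."""
    return attrs.get("no_smtp", "0") == "0" and attrs.get("no_relay", "0") == "0"

def vpopmaild_login(address, password, host=VPOPMAILD_HOST, port=VPOPMAILD_PORT):
    """Run the login/quit exchange shown above against a live vpopmaild."""
    with socket.create_connection((host, port), timeout=10) as sock:
        f = sock.makefile("rw", encoding="latin-1", newline="\n")
        if not f.readline().startswith("+OK"):  # banner
            return False, {}
        f.write(f"login {address} {password}\n")
        f.flush()
        lines = [f.readline().rstrip("\r\n")]
        while lines[0] == "+OK+" and lines[-1] != ".":
            line = f.readline()
            if not line:  # connection dropped before the '.' terminator
                break
            lines.append(line.rstrip("\r\n"))
        f.write("quit\n")
        f.flush()
        return parse_login_reply(lines)
```

vpopmaild_login() needs the service from this page running; parse_login_reply() can be exercised on a captured session by itself.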