CHKUSER 2.0.8 - Running instructions Chkuser may run using the most of security, following very strictly the sacurity model used By Dan Berstein. To achieve this goal, chkuser may switch between differents UID/GID, for differente purposes. However this is incompatible with TLS patches (like toaster-0.6-1), as these patches want to run under a unique UID/GID. Luckily, qmail is enought robust to let us run this way. To achieve both these goals, chkuser uses a #define (CHKUSER_ENABLE_UIDGID) that indicates if UID/GID switching is wanted, and running instructions must adapt to this way. Instead, when this define is not used, another way of running must be used. (Just for precision, even if the CHKUSER_ENABLE_UIDGID define is used, chkuser may be run without switching UID/GID). Running with UID/GID switch =========================== If you want the most security when using chkuser, and you have enabled CHKUSER_ENABLE_UIDGID within chkuser_settings.h (it's enabled by default), use these instructions. Description. qmail-smtpd-chkusr must be installed (by default in /var/qmail/bin) with setuid (user qmaild) and setgid (group qnofiles), and executed by tcpserver with -u vpopmail-user and -g vchkpw-group parameters. qmail-smtpd-chkusr starts running with the original qmail-smtpd uid and gid, switching to needed uid and gid only for vpopmail checks on user existance, turning back to the starting uid and gid. Instructions. You have to set SUID (set-user-ID-on-execution) and SGID (set-group-ID-on-execution) bits on qmail-smtpd-chkusr: chown qmaild qmail-smtpd chgrp nofiles qmail-smtpd chmod 6555 qmail-smtpd and the result you see should be like (different size and date, of course): -r-sr-sr-x 1 qmaild nofiles 57056 Feb 14 18:18 qmail-smtpd-chkusr Integrate qmail-smtpd in your start files: As example, a real start command for qmail-smtpd-chkusr may be #!/bin/sh -e # # Using splogger to send the log through syslog. exec env - PATH="/var/qmail/bin:/usr/local/bin" \ tcpserver -t 5 -v -p -x \ -u -g -l 0 smtp \ qmail-smtpd-chkusr splogger smtpd & where = vpopmail uid = vchkpw gid = your host.domain (!) = your tcp.permission.to.relay cdb NOTE: if you are using more system users for your domains, the execution uid (which I indicated as vpopmail) should be set to root. Running with fixed UID/GID ========================== You may use these instructions if you've not defined CHKUSER_ENABLE_UIDGID, or if you want to run qmail-smtpd as unique user, despite of CHKUSER_ENABLE_UIDGID define. qmail-smtpd is well safe and robust, and there is no risk running it directly as vpopmail user, unless you use untrusted software layered down. Description. qmail-smtpd must be installed normally (-r-xr-xr-x) and executed by tcpserver with -u vpopmail-user and -g vchkpw-group parameters. Instructions. Integrate qmail-smtpd-chkusr in your start files: As example, a real start command for qmail-smtpd-chkusr may be #!/bin/sh -e # # Using splogger to send the log through syslog. exec env - PATH="/var/qmail/bin:/usr/local/bin" \ tcpserver -t 5 -v -p -x \ -u -g -l 0 smtp \ qmail-smtpd-chkusr splogger smtpd & where = vpopmail uid = vchkpw gid = your host.domain (!) = your tcp.permission.to.relay cdb NOTE: if you are using more system users for your domains, the execution user (which I indicated as vpopmail) should be set to root.