SUMMARY: BlackBox Mail Server-> WEB Interface for user PW,Fwd setting ?

From: Tim Chipman <Chipman_at_EcopiaBio.com>
Date: Fri Apr 20 2001 - 11:16:22 EDT
Hi all,

This is a SUMMARY regarding this posting I made to the list a few weeks
ago (approx). Alas, I can't even find my copy of the original query so I
paraphrase it below; nor can I find the three replies I received from
kind folks (sorry for not giving credit where due as a consequence).

----------------------------------------------------------
Original question was (more-or-less):

Given a "blackbox mail server" on which users have local accounts but no
shell access (i.e., shell is set to /bin/false for all accounts except
admin, root) - is there a straightforward way to permit end-users to
change their own passwords, and set up / configure mail
forwarding/vacation message settings - ideally through a nice WWW-type
interface. The box is running Solaris 8 (10/00, 12/00 jumbo patch); POP
server from Sun and Postfix for SMTP.
----------------------------------------------------------

Suggested solutions were:

(1) specify the shell in the file, /etc/passwd, for all "users" as
/bin/passwd instead of /bin/false. This permits them to telnet onto the
"blackbox". Once they authenticate successfully (standard login), they
are then prompted for old password, new password, confirm new password.
If this is done successfully they are kicked off the server and their
password has been changed.

(2) two folks suggested I investigate "webmin" (http://www.webmin.com),
a web-based management package which is modular / configurable.  Alas, I
had previously investigated this and determined its focus is to provide
"admin level access" (full access to high level admin functions) rather
than "user level access" (ie, authenticate the user and then let them do
something like set their own password). Without building a new module
from scratch for use in webmin, I don't think I could use it to achieve
my goals.

Since I asked the question, I've done a bit more digging and found a 3rd
alternative which may be of interest to people - hence I mention it
here.

For quite some time, there has been a daemon available from qualcomm for
use from the Eudora mail client called "Poppass.d" - it listens on port
106 for a connection and interactively allows you to authenticate, then
specify a new password. This thing has evolved with time and despite
obvious "security issues" (cleartext password transmission - no worse
than POP3 though - IMHO), "Somewhat less insecure" versions exist. In
particular:

http://www.usg.edu/oiit/support/build/poppasswd.html , which seems to
have been tweaked by the systems people at the University of Georgia
such that

-it works on Solaris 2.X (unlike most prior versions of poppassd that I
mucked about with)
-flags passed to poppassd via command line allow constraint of which
GROUPS it will even think about allowing member-users to change their
passwords via this tool
-it works with TCP Wrappers, permitting further control of who can
attack your server via this port :-)

So: The other reason poppassd is of interest is that Jerry Workman of
Mountain Software (http://www.newwave.net/~jerry/poppass.html) has made
freely available a perl CGI appropriate for use with a web server to
provide a web-interface onto the PopPass daemon. Like all good perl CGIs
it appears to be very easy to customize (i.e., brand it with a logo, etc.
etc.), which is an added bonus :-)

Finally: For the really security conscious out there, I can envision a
solution where

-poppassd runs listening to port 106, protected by TCP wrappers to ONLY
accept connections from ITSELF
-this machine is also running an SSL-only web server (Apache ModSSL
would be my choice) which has the poppass CGI available at a known URL.
For the truly paranoid, run the SSL server on an atypical port and
require server-issued SSL certs for all your clients to even get access
:-) Bingo - you now have a pretty secure GUI / web interface way for
users to change their passwords on the blackbox mail server.

(I'm quite sure I'm not going to go this far in paranoia - I may even
leave port 106 open to the workgroup subnet where windoze users run
Eudora, which is by coincidence the mail client of choice here - since
this is a convenient option too, allowing them to change their password
from within their mail client).

Alas, this does nothing to address the query of user-web-gui for
vacation messages / forwarding - but it is a bit of a start.  And - to
be honest - I am **amazed** that there isn't anything else out there for
Solaris, given the abundance of such things for
"linux-based-server-appliances" like e-smith or Cobalt-RAQ. Sigh. I
guess it just isn't considered a "solaris kind of thing" ?

Anyhow. That is the summary. I hope it is of slight use / interest to
anyone else who may be out there (now or in the future?) seeking to
achieve similar things. And, of course, if anyone *does* find a better
way to do this - or to address the issue of web-vacation-forwarding
interface :-) -- Please let me know.


Thanks,

Tim Chipman
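As an added illustration of what the poppassd approach above involves (this is example code written for this archive page, not Tim's setup, the University of Georgia poppassd, or Jerry Workman's perl CGI), the block below drives the poppassd dialogue from the client side the way a web CGI would, against a constructed in-process mock of the daemon. It assumes the dialogue shape of the Qualcomm password-change protocol as commonly described: USER, PASS, NEWPASS, QUIT commands and 200/300/500 reply codes; the reply texts, the mock user table, the minimum-length rule and the loopback-only check (a stand-in for the "TCP wrappers: accept connections only from itself" rule) are all constructed here. The client refuses CR/LF in its inputs, which is the check a CGI sitting in front of a line-oriented protocol needs before forwarding form fields.

```python
import socket
import threading

# Constructed mock credential store; a real poppassd consults the system password database.
MOCK_USERS = {"alice": "old-secret"}


def _handle(conn, addr, users):
    """Server side of the (assumed) poppassd dialogue for one connection; constructed mock."""
    rf = conn.makefile("rb")

    def say(line):
        conn.sendall((line + "\r\n").encode("ascii"))

    # Stand-in for the TCP wrappers rule that only the machine itself may reach port 106.
    if addr[0] != "127.0.0.1":
        say("500 connections accepted from the local host only")
        return
    say("200 poppassd (constructed mock) hello, who are you?")
    user, authed = None, False
    while True:
        raw = rf.readline()
        if not raw:
            return
        verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
        verb = verb.lower()
        if verb == "user":
            user = arg
            say("300 please send your password now")
        elif verb == "pass":
            if user in users and users[user] == arg:
                authed = True
                say("200 your password has been verified")
            else:
                say("500 old password is incorrect")
                return  # drop the connection after a failed login
        elif verb == "newpass":
            if not authed:
                say("500 authenticate first")
            elif len(arg) < 8:  # constructed server-side policy check
                say("500 new password is too short")
            else:
                users[user] = arg
                say("200 password changed, thank-you")
        elif verb == "quit":
            say("200 bye")
            return
        else:
            say("500 unknown command")


def start_mock_poppassd(users):
    """Start the mock on an ephemeral loopback port; returns (port, stop_callable)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                _handle(conn, addr, users)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def change_password(user, old_pw, new_pw, host="127.0.0.1", port=106, timeout=5.0):
    """Client side of the dialogue, as a web CGI would run it. Returns (changed, last_reply)."""
    # A CGI forwards form fields into a line protocol: reject line breaks before they become commands.
    if any(ch in "\r\n" for ch in user + old_pw + new_pw):
        raise ValueError("CR/LF not allowed in user name or passwords")
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")

        def reply():
            return rf.readline().decode("ascii", "replace").rstrip("\r\n")

        def send(cmd):
            s.sendall((cmd + "\r\n").encode("ascii"))
            return reply()

        greeting = reply()
        if not greeting.startswith("2"):
            return False, greeting
        # Expected success class per step: 3xx after USER, 2xx after PASS and NEWPASS.
        line = greeting
        for cmd, want in (("user " + user, "3"), ("pass " + old_pw, "2"), ("newpass " + new_pw, "2")):
            line = send(cmd)
            if not line.startswith(want):
                try:
                    send("quit")
                except OSError:
                    pass  # server may already have dropped the connection
                return False, line
        send("quit")
        return True, line


if __name__ == "__main__":
    port, stop = start_mock_poppassd(dict(MOCK_USERS))
    print(change_password("alice", "old-secret", "much-longer-secret", port=port))
    stop()
```

Note that everything the client sends, old and new password included, travels in the clear on the socket, which is exactly why the design above keeps port 106 reachable only from the host itself and puts the SSL-only web server in front of the CGI.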
Received on Fri Apr 20 16:16:22 2001
