Checkpassword software

From Qmailwiki
Jump to: navigation, search

Wiki Note: This page still needs review.

qmail-popup and qmail-pop3d are glued together by a program called checkpassword. It's run by qmail-popup, reads the username and password handed to the POP3 daemon, looks them up in /etc/passwd, verifies them, switches to the username/home directory, and runs pop3d. At least that's what the standard one does. Some alternatives are listed below.


  • Mark Delany has a clever way to test your checkpassword with a bit of command line re-direction.
For example, with username fred, password bloggs,
printf "%s\0%s\0%s\0" fred bloggs Y123456 | /bin/checkpassword id 3<&0
will execute /bin/id if the password is right.

If you haven't a printf then enter the data into a file with your favourite binary editor, such as emacs, and then it's simply:

/bin/checkpassword id 3<test.file

Or use perl:

perl -e 'printf "%s\0%s\0Y123456\0","fred","bloggs"' | ...

Or use qmail-popup and use the 'user' and 'pass' commands:

/var/qmail/bin/qmail-popup /bin/checkpassword id
  • Jedi/Sector One has a checklocalpwd.c that checks a configuration file in addition to the users mentioned in /etc/passwd.
  • Jos Backus has a mkpoppass/chkpoppass pair. It uses an alternate username/password file and is written in perl.
  • Bruce Guenter has a virtual domain mail manager package called vmailmgr. It's designed to manage multiple domains of mail addresses and mailboxes on a single host. Co-operates with qmail for mail delivery and program control. Has corresponding add/deluser and change-passwd commands, and CGI scripts. Knows about shadow and MD5-encrypted passwords. Uses CDBs for the virtual domain tables. Supports IMAP via an authentication module for Courier-IMAP.
  • Russell Nelson pop-subaddr patch allows multiple maildirs per POP3 user, all of them authenticated with the same password.
  • Petr Novotny wrote an alternative to Russell Nelson's Open-SMTP patch for checkpassword. His code is PAM module which calls external program to log $TCPREMOTEIP. It requires a PAM-enabled checkpassword or any POP3/IMAP system that uses PAM for authentication.
  • Bruce Guenter has yet another SMTP relay control package. It uses a setuid program called from checkpassword to avoid patching checkpassword. Strictly speaking, it's not a patch, but it's here so people can find it along with the others.
  • Inter7's vpopmail is a complete system for managing virtual domains that includes a checkpassword implementation. Works with backends of cdb, mysql, postgresql, ldap, and oracle. It integrates with qmailadmin, vqadmin, squirrelmail, bincimap, pureftp and the courier packages sqwebmail and courierimap.
    • Dynamic delivery - no need to have dozens of .qmail files all over the place. Just a single .qmail-default handles all the deliveries
    • Shadow password support - something that seemed to be lacking in the other programs
    • Only takes up 1 entry in /etc/passwd - everything runs under a single UID/GID
    • Decent documentation
    • Delivers direct to a Maildir for use with qmail-pop3d
  • Inter7 has a program for administration of virtual domains called QmailAdmin using the vchkpw program. It handles pop acccounts, aliases, forwards, autorepsonder and ezmlm mailing list.
  • Inter7 has a program for system administration of virtual domains called VqAdmin.
  • André Oppermann has patches to do user lookup (deliver and retrieval via qmail-pop3) using LDAP.
  • Pedro Melo has a patch to checkpassword-0.81 which uses a CDB file.
  • Chris Johnson wrote checkcdb, a version of checkpassword that authenticates users from a cdb database. It includes perl scripts to maintain the user database file.
  • Shinya Ohira fixed a security lapse in checkpw, which gets its password from a file in the user's home directory, and allows both POP and APOP authentication.
  • Magnus Bodin has a copy if that site happens to be unavailable.
  • David McNicol wrote qmail-authpop which uses Sam Varshavchik's's authlib. This library is used by his sqwebmail and courier-imap applications, linked-to from elsewhere in this document.
  • Matthias Andree has a patch to Dan's checkpassword that allows checkpasswd to use an arbitrary base directory for finding Maildirs.
  • Jesse Sweetland has added Postgres support to his checkpassword and qmail-getpw replacements. He calls the package sql-xpw. These differ from Takeshi's code because his is a patch to qmail and this code is not.
  • Ariel Kirsman has written a checkpassword which authenticates using an NT domain. It is derived from code taken from squid.
  • Andrew Richards has a checkpassword for Radius, written in C. It's based around Dan's checkpassword, and uses the Radius client library from FreeBSD, as well as MD5, since that's how Radius encodes its data.
  • Scott Gifford has notes for using checkpassword w/ Courier-IMAP.
  • Andrew Richards has a checkpassword that wraps around Courier-IMAP's authentication for use by qmail-pop3d.
  • Andreas Aardal Hanssen has a way to run multiple checkpasswords and authenticate against one, and if that fails, then the other. If none succeed, it returns failure.
  • David Phillips has a checkpassword which authenticates via a pop3 connection. While this may seem counter-productive, you can use it for smtp-auth where the smtp server does not have direct access to the user database.
  • Plácido Revilla wrote a checkpassword that authentifies against a PHPNuke users database. This allows administrators of these kind of portals to automatize the creation of pop3 accounts in their system.
  • Courierpasswd allows users to to check and change their passwords using Courier authentication modules. It can optionally read authentication tokens from stdin and send logging information to syslog or stderr.
  • Adam Aube's chkpass.pl authenticates using a Squid auth helper program.
  • Tino Reichardt has a qpasswd checkpassword.



Personal tools