Showing posts from December, 2006

Authenticating web applications against vpopmail + qmail

We run qmail + vpopmail + spamassassin for email. It is relatively nice; however, the spamassassin config uses qmail-scanner and has a global configuration for multiple domains. Sooo... I wanted to build a web-based app where users could manage a whitelist of email addresses to go into the global config.

The first challenge: I don't want to have to add new accounts for everybody who wants access to the whitelist, so I'd better reuse what security info is available.

Turns out that you can get lots of useful information about a domain in vpopmail by running this command:

/home/vpopmail/bin/vuserinfo -a postmaster@yourdomain.com

This will pull out the postmaster password and a bunch of other useful things.  For now at least, the password is all we need.

Now, choose your technology to write your web app, but use something that can execute local commands. In this case, we have ColdFusion running on Red Hat Enterprise Linux, so we can use the <cfexecute> tag to run the above command, c…
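A sketch of the login check this approach leads to, added here as an example and not code from the original post (which uses ColdFusion's <cfexecute>). It is written in Python, the function names are hypothetical, and it assumes vuserinfo's -p option prints only the crypted password; the address is validated before it reaches the command line and the process is started without a shell.

```python
import hmac
import re
import subprocess

try:  # crypt(3) wrapper; the module was removed from the stdlib in Python 3.13
    from crypt import crypt as crypt3
except ImportError:
    crypt3 = None

VUSERINFO = "/home/vpopmail/bin/vuserinfo"  # path used in the post
# Allow-list: no leading "-" (option injection), no spaces or shell metacharacters.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9_][A-Za-z0-9._+-]{0,63}@[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def vuserinfo_argv(address):
    """Return the argument vector, or raise ValueError for an unsafe address."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("address rejected")
    # Assumption: "-p" limits output to the crypted password ("-a" dumps everything).
    # A list argv is passed straight to exec, so no shell ever parses the address.
    return [VUSERINFO, "-p", address]


def fetch_hash(address, run=subprocess.run):
    """Return the stored crypt hash, or None when the lookup fails."""
    proc = run(vuserinfo_argv(address), capture_output=True, text=True, timeout=5)
    out = proc.stdout.strip()
    if proc.returncode != 0 or not out or "\n" in out:
        return None
    return out


def check_login(address, password, run=subprocess.run, hasher=crypt3):
    """True only if the password matches vpopmail's stored hash; fails closed."""
    try:
        stored = fetch_hash(address, run)
    except (ValueError, OSError, subprocess.TimeoutExpired):
        return False
    if stored is None or hasher is None:
        return False
    candidate = hasher(password, stored)  # the stored hash carries its own salt
    # Constant-time comparison, so timing does not reveal how much matched.
    return candidate is not None and hmac.compare_digest(
        candidate.encode(), stored.encode())
```

The run and hasher parameters exist so the check can be exercised without a vpopmail install; in production the defaults call the real binary and crypt(3).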