The configuration file (cgipaf.conf) contains one directive per line. The directive names are case insensitive, the values are case sensitive. Everything after a hash ( # ) is ignored. Empty lines and whitespaces are also ignored. If a directive appears more than ones the last one is used. Sections are grouped between <section_name> ... </section_name>, the section names are like the directive names case insensitive.
The configuration file has three sections "global", "passwd" and "mailcfg".
The directives that don't belong to a section are global. Global directives
apply to all sections unless they're overwritten in the sections.
The "passwd" section is used by passwd.cgi, viewmailcfg.cgi and mailcfg.cgi
use the "mailcfg" section.
The following parameters control cgipaf features and configuration. If a option is not specified or invalid the default built-in messages are used.
Syntax: syslog on|off
Default: on
Context: global, <passwd>, <mailcfg>
enable syslog messages
all the authentication events are logged with LOG_AUTHPRIV facility, other events are logged with the LOG_USER facility
Syntax: loglevel number
Default: 6
Context: global, <passwd>, <mailcfg>
set the syslog level, messages of a higher significance will be reported as well.
e.g. if loglevel is set to 1 (LOG_ALERT) messages with loglevel 0 (LOG_EMERG) are also reported.
| 0 | LOG_EMERG | system is unusable |
| 1 | LOG_ALERT | action must be taken immediately |
| 2 | LOG_CRIT | critical conditions |
| 3 | LOG_ERR | error conditions |
| 4 | LOG_WARNING | warning conditions |
| 5 | LOG_NOTICE | normal, but significant, condition |
| 6 | LOG_INFO | informational message |
| 7 | LOG_DEBUG | debug-level message |
Syntax: pam_service pam service name
Default: passwd
Context: global, <passwd>, <mailcfg>
Set the pam service name, if not set "passwd" is used. The passwd pam service ( /etc/pam.d/passwd ) usually doesn't have an entry for user authentication, therefor /etc/pam.d/other has to have a line auth set to pam_unix.so.
auth required pam_unix.so
account required pam_unix.so
If you don't like this for security reason etc, you can set the pam_service directive to "cgipaf" and create the file /etc/pam.d/cgipaf that looks like this
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so md5
Syntax: document_root path
Default: not set
Context: global, <passwd>, <mailcfg>
location of the custom html message files
Syntax: login_document filename OR
login_document Redirect location
Default: "error reading data please contact the
webmaster\n"
Context: <passwd>, <mailcfg>
if the program is executed without parameters this message is displayed
The user forgot to type his loginname.
The user try to logon as root or the user's uid isn't between min_uid & max_uid.
The password is incorrect or the user doesn't exists
can't read new password
The new passwords doesn't match
Password Unchanged
the password length is below min_length
the password length is above max_length
The user has exceeded the max_invalid tries
The user has enabled mail forwarding, but didn't supply a forward to mail address
The forward to email address is invalid
The password or mail configuration is updated successfully
see msg_success
see msg_success
mailcfg.cgi is unable to read to username, this is probably an error in mailcfg_document.
mailcfg.cgi is unable to read forward, this is probably an error in mailcfg_document.
mailcfg.cgi is unable to read keep_msg, this is probably an error in mailcfg_document.
mailcfg.cgi is unable to read autoreply, this is probably an error in mailcfg_document.
The user has enabled autoreply, but didn't supply a autoreply message.
mailcfg.cgi can't update the mail configuration without cookies.
mailcfg.cgi can't update the mail configuration because the cookie is too old.
(view)mailcfg.cgi can't work without an accessdb
cracklib error
run_mailcfg failed.
run_viewmailcfg failed.
pam error
The new password contains an illegal word.
minimum user id, if a uid is bellow min_uid access will be denied. You can't set min_uid lower then 10.
maximum user id, if the uid is higher than max_uid access will be denied. If max_uid isn't set there is no maximum.
minimum password length
maximum password length
accessdb path, if not set no access database is used. If not set Users can try to change their password as many times they like. (view)mailcfg.cgi don't work without an accessdb.
enable cracklib test, the new password is tested with cracklib. if the password is invalid error_cracklib is displayed.
you have to set the cracklib_dictpath directive to your cracklib dictpath otherwise cracklib is disabled.
CGIpaf support cracklib password testing in the PAM configuration, if cracklib is enabled in your PAM configuration and you should set cracklib to off.
Set the cracklib_dictpath, the cracklib_dictpath should be set to the dictionary filename without the extension ( .pwi ), not the directory path.
Enable support for Linuxconf virtual email domains passwords
This directive is only available if you've compiled CGIpaf without
PAM support and isn't supported on *BSD systems.
Set the password file location. This directive is only available if you've compiled CGIpaf without PAM support and isn't supported on *BSD systems.
Set the shadow file location. This directive is only available if you've compiled CGIpaf without PAM support and isn't supported on *BSD systems.
Specify a list of words that are illegal to use as a part of a new password
Set the PAM_CHANGE_EXPIRED_AUTHTOK flag.
This directive is obsolete and will be removed in the next Releases of CGIpaf
maximum invalid tries, if not set the default value (3) will be used.
time in seconds that a user will be locked out if the max_invalid tries has been exceeded.
mailcfg.cgi uses the path_to_sendmail in ~/.procmailrc, if your mailer is on another location location than "/usr/lib/sendmail" you've to set the sendmail directive.
A "X-loop: user@domainname" header is added to the forwarded or the replied mail to avoid mail looping. With the domain directive you can set the domainname in the "X-loop" header. If domain is not set mailcfg.cgi will use hostname.nisadomainname, if your server isn't part of a NIS domain it'll use the domain in /etc/resolv.conf.
CGIpaf creates a state file ( $HOME/.cgipaf_state ) in the user's home directory.
This file contains the user's current mail configuration state. This file is used by
run_before_mailcfg, run_after_mailcfg and run_mailcfg.
By default viewmailcfg.cgi doesn't use this file ( mainly for compatibility reasons ),
but reads the user's .procmailrc to determine the user mail configuration.
If you set "use_statefile" to "yes" viewmailcfg.cgi will read the state file instead
of the user's .procmailrc to get the user's current mail configuration.
If your user's uses their own .procmailrc to distribute their mailinglists into separated
mailboxes you must set "use_statefile" to "yes". The user's original .procmailrc
could confuse CGIpaf.
runs a script is a password / mail configuration is successfully updated. Example:
run_success "/usr/sbin/smbpasswd -U %{name} > /dev/null 2>&1" "%{password}\n%{password}\n"
Will update the SAMBA password file.
run a script is a user is locked.
run a script before the mail configuration. mailcfg.cgi will
execute the "run_before_mailcfg" script if the mail configuration state
goes from not active ( no mail forwarding and no autoreply ) to active.
This can be used to copy the user's .procmailrc to a backup file.
run a script after the mail configuration. mailcfg.cgi will
execute the "run_after_mailcfg" script if the mail configuration state
goes from active ( mail forwarding or autoreply enabled ) to non-active.
This script can be used to restore the user's .procmailrc to his original
state
define a mail configuration script, if not set the built-in procmail
configuration updater is used
if set, use_statefile is enabled.
enables or disables mailcfg.cgi internal HTTP POST parameters checking
you can only disable mailcfg_check if
run_mailcfg is defined.
if disabled mailcfg.cgi will run run_mailcfg after the authentication without testing the HTTP POST variables. This is something you must do within your run_mailcfg script.
if mailcfg_check is disabled:
defines a view mail configuration script.
if not set the mailcfg_document is used
after a successful login.
set the SCRIPT_FILENAME environment variable to the real scriptname.
unset the SCRIPT_FILENAME environment variable.
cookie life time in seconds.
Path to the mail configuration document
Unable to delete .forward
Unable to delete .forward
Unable to open ~/vacations.txt
Unable to update ~/.procmailrc
Set the Acl order.
Specify a list of users that are allowed to use CGIpaf see Access Control List
Specify a list of users that are denied to use CGIpaf see acl
Specify a list of groups that are allowed to use CGIpaf see acl
Specify a list of groups that are denied to use CGIpaf see acl
For each document you can as use a plain html file with a few PHP extensions (see bellow) or a redirect. In a redirect, file or run_success and run_locked you can use the following variables:
| Variable name | Description |
| name | loginname |
| min_length | minimum password length |
| max_length | maximum password length |
| max_invalid | maximum invalid tries |
| invalid_timeout | time in seconds that a user will be locked out if the max_invalid tries has been exceeded. |
| invalid_wait | a locked user will have to wait invalid_wait seconds |
| forward_to | the email where the mails will forward to |
| forward | if mail forwarding is enabled $forward is set to "yes". if mail forwarding is disabled $forward is "no" |
| not_forward | not_forward is the reverse of forward, so if $forward is "yes" $not_forward is "no" |
| keep_msg | $keep_msg is set to "yes" if the use want to keep his forwarded mails, set to "no" otherwise |
| not_keep_msg | the reverse of $keep_msg |
| autoreply | is "yes" if the use has enabled autoreply |
| not_autoreply | reverse of $autoreply |
| autoreply_msg | the autoreply message |
| cookietimeout | cookie lifetime is seconds |
| cracklib_error | cracklib error message |
| bad_password | The new password contains a illegal word, is set to cracklib_error if there is cracklib error |
| pam_error | pam error message |
| password | the user's new password, is only set at run_success |
| mailcfg_exitcode | exitcode of the run_mailcfg script |
| viewmailcfg_exitcode | exitcode of the run_viewmailcfg script |
| homedir | the user's home directory |
| domain | the domainname, only set by mailcfg.cgi |
| user_maildomain | The user maildomain ( only available if vmail support is enabled |
| message | A string with the default message |
| post_string | A string with the original HTTP POST |
| _POST[] | An associative array of variables with the original HTTP POST |
example:
msg_success redirect /pwchanged.php?name="%{name}"
Will redirect to /pwchanged.php?name="loginname" after a user has succeed to change his password.
If you don't use a redirect you can use plain html files with two PHP extensions "include" and "echo". The same variables as by a redirect are available.
<? echo $name; include "bottom.php" ?>
Will print the user's name and include bottom.php. Please note that the PHP implementation is very limited. include("bottom.php") won't work for example.
The first argument is the script name, the second argument is send to stdout. The second argument is usually used to pass the new password to a script.
<passwd>
...
run_success "/usr/sbin/smbpasswd -U %{name} > /dev/null 2>&1" "%{password}\n%{password}\n"
...
</passwd>
Executes a script to update the SAMBA password file after the system password is updated.
<mailcfg>
...
mailcfg_check off
run_viewmailcfg /etc/cgipaf/scripts/mailcfg.pl "%{poststring}"
run_mailcfg "/etc/cgipaf/scripts/mailcfg.pl update %{domain}" "%{poststring}"
...
</mailcfg>
Emulates a cgi environment for the mail configuration.
The original http post is send back to stdout.
mailcfg.cgi doesn't evaluate the httpd parameters since
mailcfg_check is disabled. This way CGIpaf
only handles the authentication.
With the Access Control list you can allow or deny users or groups.
The AclOrder directive control the default access state and the order in which the acl is processed.
A star (*) in the user or group list means any user or group other wildcards are not supported.
AclOrder Deny,Allow
DenyUsers *
AllowUsers foo
Access to user "foo" will be allowed and all others will be denied.
AclOrder Allow,Deny
AllowUsers foo
Give the same result as above.
AclOrder Allow,Deny
Will denied access to all, because the default state is set to deny.