=head1 NAME

checkvpw - check passwords for virtual and non-virtual users

=head1 SYNOPSIS

B<checkvpw> B<subprogram> [B<arguments...>]

=head1 DESCRIPTION

This program is a drop-in replacement for the standard checkpassword,

written by D. J. Bernstein (djb@pobox.com).

In the absence of virtual hosting (determined by the use of

F</var/qmail/control/virtualdomainss> and IP aliases),

it behaves identically to checkpassword.

When virtual hosting is used, it permits logins from a unique set of

users for each of the aliases.

F<checkvpw> must be run from either the F<tcp-env> program

(part of the F<qmail>

package) or from a suitable substitute, such as F<tcpserver>

(part of the F<ucspi-tcp> package).

These packages are used to determine to

which address a remote host is connecting.

F<checkvpw> must also be passed the checkpassword-compatible

authentication data on file descriptor three.

This can be accomplished by running it from a tool such as

F<qmail-popup>.

F<checkvpw> accepts a command line in the following format:

	checkvpw [subprogram] [arguments...]

If the authentication information is valid, the subprogram is run,

otherwise F<checkvpw> returns an error to the program that invokes it.

If the user name contains the character C<@>, the host name

reported by F<tcp-env> is replaced by the string following the

C<@>, and the user name is replaced by the string preceding the

C<@>.

If the local host name reported by F<tcp-env> matches one of those

in F</var/qmail/control/virtualdomains>, F<checkvpw> prepends the

I<prepend> string associated with the host name to the given user

name.

Wildcards in F<virtualdomains> are permitted and are handled in the

same way F<qmail> handles them (see L<qmail-send>).

For example, if the line C<.bar.com:bar> appears in the virtual hosts

file, it matches C<one.two.bar.com> but not C<bar.com>.

If the user name resulting from the above step appears in the system

password file (typically F</etc/passwd>), the user is treated as a

local user and authenticated with the information from that file.

If this authentication succeeds, the mail directory is set to the

subdirectory named on the command line.

If the user name does not appear in the system password file and is of

the form C<name-ext> where C<name> does appear in the password

file, the user is treated as a "virtual" user and authenticated with the

information from a file named F<passwd> in the user's home directory.

If this authentication succeeds, the mail directory is set to the

subdirectory F<users/ext/> in the user's home directory, where

C<ext> is from the above step.

F<checkvpw> also does some rewriting on the arguments of the

subprogram.

Any argument matching the string "C<maildir>" (ignoring case) is

replaced with the full path of the mail directory, as determined by the

steps above.

This program may be invoked in combination with F<qmail-popup> and

F<qmail-pop3d> from inetd by placing the following line in the

F</etc/inetd.conf> configuration file (all one line):

	pop-3 stream tcp nowait root /var/qmail/bin/tcp-env tcp-env -R /var/qmail/bin/qmail-popup <hostname> /usr/bin/checkvpw /var/qmail/bin/qmail-pop3d Maildir/

=head1 RETURN VALUE

0 if the user is successfully authenticated, nonzero if any error

occurred.  Exit code 1 indicates that a bad password was given, 2

indicates that the program was used incorrectly, and 111 indicates

a temporary failure.

=head1 ENVIRONMENT

F<checkvpw> requires that C<TCPLOCALHOST> be set to the host name of

the local address of the connection.

=head1 SEE ALSO

vdeliver(1)

=head1 AUTHOR

Bruce Guenter <F<bruceg@em.ca>>.