1
1. POP3 (IMAP) before SMTP
2
1. Are you sure you want this?
3
1. Problems with POP-before-SMTP
4
2. Advantages of POP-before-SMTP over SMTP AUTH
8
1. Example for postgresql, postfix
11
POP3 (IMAP) before SMTP
12
=======================
14
/sometimes also called SMTP-after-POP3 or SMTP-after-IMAP/
16
Are you sure you want this?
17
---------------------------
19
POP-before-SMTP is generally considered a kludge, originally invented to make
20
up for the lack of authentication in the original SMTP
21
[http://en.wikipedia.org/wiki/Smtp] specification for clients on dynamic IP
22
addresses.ESMTP [http://en.wikipedia.org/wiki/Extended_SMTP] resolved that
23
shortcoming long ago, and all modern mail clients and servers support it by
24
now. You should consider implementing ESMTP AUTH
25
[http://en.wikipedia.org/wiki/SMTP-AUTH] in your mail transport/submission
26
agent, and using it in your clients, rather than using POP-before-SMTP. See
27
also<PostfixAndDovecotSASL.txt>.
29
Problems with POP-before-SMTP
30
-----------------------------
32
* *Shared IP addresses* are in widespread use. You are opening your server not
33
only to your user, but to anyone else who might be sharing the same IP
34
address, other users, other computers in the same NAT. If you lose the
35
connection, the next one who is assigned your IP also inherits your relay
36
permit. This might include virus-infected spambot machines. Or consider a
37
public wireless hotspot or an Internet cafe: both types of establishments
38
are known to be frequented by spammers.
39
* *Not properly implemented* in all mail clients: it only works right if the
40
client checks for new mail immediately before attempting to send. And it can
41
be very unsafe if longer timeouts are used, such that the user has time to
43
* Probably others. <I> [RobMcGee.txt] (<Rob McGee> [RobMcGee.txt]) just
44
thought it was wrong to have a HOWTO page here without a warning about why
45
/not/ to. Know what you are doing. If you are setting up a new mail service
46
from scratch, by all means, do it right!
48
Advantages of POP-before-SMTP over SMTP AUTH
49
--------------------------------------------
51
* Likely to be relatively easier to implement in your mail submission agent.
52
What's easier is a matter of opinion, and it varies, of course, but probably
53
all MTA/MSA servers support some form of access lists without patching or
55
* Simple non-technical instructions for users: /"Remember to check for new
56
mail before you try to send mail."/
61
If you want to use pop-before-smtp.pl (from http://popbsmtp.sourceforge.net/)
62
together with Dovecot, you can use this regular expression to match successful
65
---%<-------------------------------------------------------------------------
66
$pat = '^(... .. ..:..:..) \S+ (?:pop3|imap)-login: Login: .+
67
\[(\d+\.\d+\.\d+\.\d+)\]';
68
---%<-------------------------------------------------------------------------
70
v1.0RC2 seems to need this format to work properly:
72
---%<-------------------------------------------------------------------------
73
$pat = '^dovecot: (... .. ..:..:..) \S+ (?:pop3|imap)-login: Login: \S+ \S+ \S+
74
lip=(\d+\.\d+\.\d+\.\d+)';
75
---%<-------------------------------------------------------------------------
77
Note: This only works with IPv4, anyone who wants to fix it for IPv6, please do
80
worked for me on Fedora: <drak at navel.gr>
82
---%<-------------------------------------------------------------------------
83
$pat = '(?:pop3|imap)-login: (... .. ..:..:..) Info: Login: \S+
84
\[(\d+\.\d+\.\d+\.\d+)\]';
85
---%<-------------------------------------------------------------------------
87
With v1.0 Alpha 4, the following pattern works:
89
---%<-------------------------------------------------------------------------
90
$pat = '^(... .. ..:..:..) \S+ (?:dovecot: )?(?:imap|pop3)-login: Login: \S+
91
\S+ rip=(\d+\.\d+\.\d+\.\d+)'
92
---%<-------------------------------------------------------------------------
94
This works with RHEL 4.3 (at least until IPv6 really catches):
96
---%<-------------------------------------------------------------------------
97
$pat = '(?:pop3|imap)-login: (... .. ..:..:..) Info: Login: \S+
98
\[::ffff:(\d+\.\d+\.\d+\.\d+)\]';
99
---%<-------------------------------------------------------------------------
104
There is a Dovecot plugin for DRAC [http://mail.cc.umanitoba.ca/drac/] at
105
http://www.dovecot.org/patches/drac.c. DRAC runs as a separate daemon,
106
maintaining a BerkeleyDB database of IPs that have successfully authenticated
107
via POP3 or IMAP, expiring them after 30 minutes. Installing it therefore
108
requires that both your POP3/IMAP server and your SMTP daemon
109
(Postfix/Sendmail/qmail) be set up to support it. DRAC is a small C program,
110
and accessing BerkeleyDB databases is efficient so it works pretty well.
112
The file drac.c has instructions on how to compile it in a comment at the top.
113
By following the instructions you will install a file drac.so in your dovecot
114
'lib/' directories for IMAP and/or POP3 loadable modules.
116
To turn on the new DRAC plugin in dovecot, you must set up these lines in your
117
dovecot.conf. There is a separate section for ''protocol imap'' and another
118
under ''protocol pop3''; make sure you enable both.
120
---%<-------------------------------------------------------------------------
121
# Support for dynamically loadable modules
122
mail_plugin_dir = /usr/lib/dovecot/imap
123
mail_plugins = drac # provide a list of all
124
plugins you want to load here
125
---%<-------------------------------------------------------------------------
127
Permissions note: the directory containing the drac.so file has to be readable
128
by ordinary users. Check your Dovecot error log for help.
130
To get DRAC working on your machine, download the main DRAC
131
[http://mail.cc.umanitoba.ca/drac/] daemon, edit the makefile as directed in
132
the instructions, and make and install it. You will also want to ensure that
133
you register the rpcs by executing rpcgen. See the Makefile for more details.
138
Advantage: you do not have a multi-megabyte Perl daemon reading your logs
140
Disadvantage: for each login you need the time and space to execute this script
142
1. tell your MTA to look up IPs authorized to relay in an SQL table
143
2. delete old IPs from the table regularly (cron job for example, or a
144
modification to the script below)
145
3. tell dovecot to update the SQL table upon successful login
147
Dovecot 1.0 (and probably 0.99) can update a SQL table with the script below.
149
/!\ *Note* that *you* must set up a script that deletes old IPs separately, and
150
*you* also must configure your MTA properly. The script *only* performs the
151
'update on successful login' step, which alone is insecure without expiring
152
older IPs!/Add your working examples to this section. This Wiki depends on your
155
---%<-------------------------------------------------------------------------
157
# This script created 2005-08-21 by Lorens Kockum
158
# Released into the Public Domain
160
# 2006-06-06 Matthias Andree
161
# - changed $* to "$@" for more robust argument quoting
162
# Action: when called by dovecot 1.0 as described below, updates an SQL table
163
# with logged-in IP and current time, and then executes the relevant process.
164
# Output: normally nothing
165
# dovecot.conf should be modified with these lines (where
166
# /usr/lib/dovecot/popbsmtp.sh represents this script):
168
# mail_executable = /usr/lib/dovecot/popbsmtp.sh /usr/lib/dovecot/pop3
171
# mail_executable = /usr/lib/dovecot/popbsmtp.sh /usr/lib/dovecot/imap
173
# The HOME= lines are necessary to find $HOME/.my.cnf containing login info,
174
# because mail_executable is executed as root, but without a home directory.
175
# Of course this script must not be writable by anyone else than root.
177
# drop out IPs from local networks that can relay anyway
178
IP=`echo $IP | grep -v '^192\.168\.'`
182
echo "replace into popbsmtp VALUES('$IP',now());" | mysql mail
185
) >> /var/log/dovecot3 2>&1
187
---%<-------------------------------------------------------------------------
189
Example for postgresql, postfix
190
-------------------------------
192
/usr/lib/dovecot/popbsmtp.sh
194
---%<-------------------------------------------------------------------------
199
/usr/bin/psql -U popbsmtp -d popbsmtp -c "begin;update auth set
200
accessed=now() where host=substring('$IP' from 8);commit;insert into auth(host,
201
accessed) values(substring('$IP' from 8),now());"
204
) >> /var/log/dovecot3 2>&1
206
---%<-------------------------------------------------------------------------
208
The substring call was necessary because $IP has '::ffff:' or something like
209
that in front of the IP address on my system.The update followed by an insert,
210
with the update in a transaction is necessary to replicate mysql's REPLACE INTO
211
functionality. The INSERT will produce an error if the IP already exists but it
212
doesn't matter as the UPDATE will have committed by then.
216
---%<-------------------------------------------------------------------------
217
smtpd_recipient_restrictions =
219
permit_sasl_authenticated
220
permit_tls_clientcerts
221
check_client_access pgsql:/etc/postfix/popbsmtp.cf
222
reject_unauth_destination
223
check_policy_service unix:private/policy
224
---%<-------------------------------------------------------------------------
226
/etc/postfix/popbsmtp.cf
228
---%<-------------------------------------------------------------------------
233
query = SELECT 'OK' as result FROM auth WHERE host = '%s'
234
---%<-------------------------------------------------------------------------
236
/etc/cron.hourly/popbsmtp_purge
238
---%<-------------------------------------------------------------------------
240
/usr/bin/psql -U popbsmtp -d popbsmtp -c "DELETE FROM auth WHERE (now() -
241
accessed)> '30 minutes'::interval"
242
---%<-------------------------------------------------------------------------
247
relay-ctrl [http://untroubled.org/relay-ctrl/] consists of a few small programs
248
designed to fit in qmail-like command chains. The most important:
250
* 'relay-ctrl-allow' runs after a successful POP/IMAP login, recording the
251
client IP and timestamp
252
* 'relay-ctrl-check' runs before the SMTP server, enabling relaying if the
253
client IP has authenticated recently
255
'relay-ctrl-allow' expects to find the client IP in the environment as
256
'$TCPREMOTEIP'. Dovecot provides it as '$IP', so you'll need this tiny
257
'dovecot-settcpremoteip' wrapper script:
259
---%<-------------------------------------------------------------------------
262
# Wrapper for relay-ctrl-allow that sets TCPREMOTEIP.
263
TCPREMOTEIP="${IP}"; export TCPREMOTEIP
265
---%<-------------------------------------------------------------------------
267
Edit 'dovecot.conf' and set 'mail_executable' appropriately, e.g., for IMAP
268
(this is one long line):
270
---%<-------------------------------------------------------------------------
271
mail_executable: /usr/local/bin/envdir /etc/relay-ctrl
272
/usr/local/bin/relay-ctrl-chdir /usr/local/bin/dovecot-settcpremoteip
273
/usr/local/bin/relay-ctrl-allow /usr/local/libexec/dovecot/imap
274
---%<-------------------------------------------------------------------------
276
Restart Dovecot. Verify that your IMAP client still works. Verify that
277
relay-ctrl has recorded your client IP. Hook 'relay-ctrl-check' into your SMTP
278
service, as documented in the relay-ctrl README, and you're done.
280
(This file was created from the wiki on 2008-06-20 04:42)