7.5 POP-before-SMTP

An older and more indirect scheme for roaming user authentication is POP-before-SMTP, first used in 1997. It's a very simple idea and has been implemented many times. Whenever a user successfully logs in using POP or IMAP to pick up mail, the server notes the IP address from which the user logged in. For the next hour or so, that IP address is allowed to use the mail gateway. It has the practical advantage of working with any POP or IMAP MUA, merely by telling users to check their mail before sending. For MUAs that support SMTP AUTH, which is now most of them, AUTH is better than POP-before-SMTP because it doesn't require the extra mail check, and it identifies sent mail with a particular user, not just an IP address. But for the benefit of users who never upgrade their MUA, it's worth keeping POP-before-SMTP around.

I wrote a homebrew POP-before-SMTP system with a daemon that updates the smtprules files, but I now prefer Bruce Guenther's relay-ctrl package (http://untroubled.org/relay-ctrl/), which has the advantage of not needing any patches to existing software and working reasonably well on clusters of multiple hosts running POP, IMAP, and SMTP servers.

POP-before-SMTP has three parts. The first part observes the POP and IMAP logins and notes the IP addresses. relay-ctrl uses the filesystem for its database, so if a user logs in from address 10.1.2.3, it creates a file /var/spool/relay-ctrl/allow/10.1.2.3. The second part checks the IP address on each incoming SMTP connection, and if the IP has a corresponding file in /var/spool/relay-ctrl/allow, it sets the environment to allow relay. The third cleans up stale entries by deleting files in /var/spool/relay-ctrl/allow that are older than the window of time allowed for POP-before-SMTP. The relay-ctrl documentation suggests 15 minutes, but I've used times as long as a day without trouble. To keep the relay database reasonably secure, make /var/spool/relay-ctrl owned by root with mode 0500 so that only root can chdir into it, but make /var/spool/relay-ctrl/allow mode 777 so that the unprivileged program that notes logins can write there.
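The three parts can be modelled in a few lines of shell. This is an added illustration, not relay-ctrl's own code: the function names are hypothetical, the addresses in any use of it are constructed, and the optional NOW argument is an assumption added so that the expiry logic can be exercised without waiting.

```shell
#!/bin/sh
# Model of an allow-directory relay database (illustration only; not relay-ctrl code).
# All function names here are hypothetical.

# Accept only dotted-quad text, so an address can never act as a path such as ../x.
valid_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Modification time in seconds since the epoch (GNU stat, then BSD stat).
mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }

# Part 1: after a successful POP/IMAP login, record the client address.
note_login() {      # note_login DIR IP
    valid_ip "$2" || return 2
    touch "$1/$2"   # a repeat login refreshes the timestamp
}

# Part 2: on each SMTP connection, allow relay only if the entry is fresh.
relay_allowed() {   # relay_allowed DIR IP EXPIRY_SECONDS [NOW]
    valid_ip "$2" || return 2
    [ -f "$1/$2" ] || return 1
    now=${4:-$(date +%s)}
    [ $(( now - $(mtime "$1/$2") )) -le "$3" ]
}

# Part 3: periodic cleanup of entries older than the window.
age_entries() {     # age_entries DIR EXPIRY_SECONDS [NOW]; prints the number removed
    now=${3:-$(date +%s)}; removed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ $(( now - $(mtime "$f") )) -gt "$2" ]; then
            rm -f "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}
```

Because the check in part 2 tests the file's age itself, a stale file that part 3 has not yet removed never grants relay.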

For clusters of multiple hosts, whenever a user is authenticated on one host, relay-ctrl sends notices to the other hosts about the IP that authenticated, using UDP packets.

To install relay-ctrl, download it from http://untroubled.org/relay-ctrl/. (This description is of Version 3.1.1.) Unpack it, adjust conf-cc, conf-ld, and conf-man if you need to so that they reflect your local commands for compiling and linking and the place to put the man files, then run make. Become super-user and run ./installer to install the various programs. The runtime configuration of the relay-ctrl package is almost entirely done through environment variables. I suggest creating a directory /etc/relay-ctrl so you can use envdir from the daemontools package to set the environment. (The name of each file in the directory is the name of a variable, and the contents of the file become the value of the variable.) Files and environment variables to create include:


RELAY_CTRL_DIR

The directory where the relay data goes, usually /var/spool/relay-ctrl/allow.


RELAY_CTRL_EXPIRY

The time in seconds to permit relay after a user is validated. Defaults to 900 (15 minutes), but I suggest 3600 (an hour).


RELAY_CTRL_RELAYCLIENT

The value to use for the RELAYCLIENT variable when a user is allowed to relay. Defaults to the null string, but if you're using the "fixme" trick to clean up headers on injected mail, make it @fixme, the same as the value in RELAYCLIENT lines in the smtprules file.


RELAY_CTRL_LOG_IPS

If defined, print log messages when an SMTP connection is authenticated for relay. The messages go to the same place as the log output from tcpserver and qmail-smtpd, typically the log files kept by multilog.


RELAY_CTRL_REMOTES

A comma-separated list of IP addresses to which UDP messages containing notices of IP addresses should be sent when a host is authenticated. Not needed if you're not using multiple hosts.


RELAY_CTRL_PORT

UDP port number to use for notifications. Defaults to 811, and there is no reason to change it unless something else on your network is using UDP port 811.


RELAY_CTRL_TIMEOUT

How many seconds to wait for each remote host to acknowledge a notification packet before retrying. Defaults to one second, and there is no reason to change it unless your mail hosts are very slow.


RELAY_CTRL_TRIES

How many times to retry each notification if it doesn't get an acknowledgement. Defaults to 5, and there is no reason to change it unless your network is extremely congested.
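A staging script for the layout described so far, as an added example rather than part of relay-ctrl or the original text. The function name setup_relay_ctrl and its ROOT prefix argument are assumptions, and any remote addresses passed to it are constructed; it writes one envdir file per variable and creates the spool directories with the modes given earlier.

```shell
#!/bin/sh
# Stage /etc/relay-ctrl and the spool directories under a prefix (illustration only;
# not part of relay-ctrl). setup_relay_ctrl and its arguments are hypothetical names.
# Usage: setup_relay_ctrl ROOT [REMOTES]   (an empty ROOT means the live system)
setup_relay_ctrl() {
    root=$1 remotes=${2:-}
    etc=$root/etc/relay-ctrl
    spool=$root/var/spool/relay-ctrl

    mkdir -p "$etc" "$spool/allow" || return 1

    # envdir: the file name is the variable name, the first line is its value.
    put() { printf '%s\n' "$2" > "$etc/$1"; }
    put RELAY_CTRL_DIR     /var/spool/relay-ctrl/allow
    put RELAY_CTRL_EXPIRY  3600   # one hour instead of the 900-second default
    # LOG_IPS only has to be defined; a zero-length file would make envdir
    # unset the variable, so give it some content.
    put RELAY_CTRL_LOG_IPS 1
    # The cluster setting is written only when peer addresses are given.
    if [ -n "$remotes" ]; then
        put RELAY_CTRL_REMOTES "$remotes"
    else
        rm -f "$etc/RELAY_CTRL_REMOTES"
    fi

    # Modes from the text: allow is 777 so the unprivileged login-noting
    # program can write there; the parent is 0500 so only its owner can enter.
    chmod 777 "$spool/allow" || return 1
    chmod 0500 "$spool" || return 1
    # Only root can hand the directory to root; skip this when staging as another user.
    if [ "$(id -u)" -eq 0 ]; then chown root "$spool"; fi
}
```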

7.5.1 Adding POP-before-SMTP to the POP Server

Chapter 13 describes the procedure for setting up the qmail POP server. Example 7-7 shows the modifications to handle POP-before-SMTP, in the script /etc/popd/run.

Example 7-7. The POP listening script with POP-before-SMTP
 1. #!/bin/sh
 2. limit datasize 2m
 3. exec                                         \
3a.   envdir /etc/relay-ctrl                     \
3b.   relay-ctrl-chdir                           \
 4.   tcpserver                                  \
 5.     -HRv -l pop.example.com                  \
 6.     -x /etc/popd/rules.cdb                   \
 7.     0 110                                    \
 8.   /var/qmail/bin/qmail-popup pop.example.com \
 9.   checkpassword                              \
9a.   relay-ctrl-allow                           \
9b.   relay-ctrl-send                            \
10.   /var/qmail/bin/qmail-pop3d Maildir 2>&1

Line 3a sets the environment from the files in /etc/relay-ctrl, and line 3b, which runs with root privileges, opens the allow directory so that later nonroot programs can modify it. Line 9a creates the allow/nn.nn.nn.nn file noting that the IP has authenticated, and line 9b sends UDP notifications to other local mail servers. (If you only have one server, leave out line 9b.) The rest of the script is unmodified from the version in Chapter 13.

7.5.2 Adding POP-Before-SMTP to the SMTP Server

The additions to the SMTP script in /var/qmail/supervise/qmail-smtpd/run are similar to the ones for the POP server, as shown in Example 7-8.

Example 7-8. The SMTP listening script, with POP-before-SMTP
 1. #!/bin/sh
 2. limit datasize 2m
 3. exec                                             \
3a.   envdir /etc/relay-ctrl                         \
3b.   relay-ctrl-chdir                               \
 4.   tcpserver -u000 -g000 -v -p -R                 \
 5.     -x/var/qmail/rules/smtprules.cdb 10.1.2.3 25 \
5a.   relay-ctrl-check                               \
 6.   /var/qmail/bin/qmail-smtpd 2>&1

Lines 3a and 3b set environment variables and open the allow directory, as before. Line 5a checks to see if allow/nn.nn.nn.nn exists and isn't too old (older than RELAY_CTRL_EXPIRY seconds), and if so sets RELAYCLIENT. It comes after tcpserver's address and port arguments because tcpserver runs it, ahead of qmail-smtpd, as the command for each connection.

If you want to provide both POP-before-SMTP and SMTP AUTH, install the SMTP AUTH patches as described earlier in this chapter, and then add in the POP-before-SMTP programs to the run script, as shown in Example 7-9.

Example 7-9. The SMTP listening script with POP-before-SMTP and SMTP AUTH
#!/bin/sh
limit datasize 2m
# relay-ctrl-check goes after tcpserver's address and port, in front of qmail-smtpd
exec                                             \
  envdir /etc/relay-ctrl                         \
  relay-ctrl-chdir                               \
  tcpserver -u000 -g000 -v -p -R                 \
    -x/var/qmail/rules/smtprules.cdb 10.1.2.3 25 \
  relay-ctrl-check                               \
  /var/qmail/bin/qmail-smtpd                     \
    mail.example.com                             \
    checkpassword                                \
    /bin/true 2>&1

7.5.3 Using POP-before-SMTP with ofmipd

If you use ofmipd to accept injected mail, it's a little harder to use POP-before-SMTP. The reason is that :deny rules prevent relay-ctrl-check from running at all for IP addresses that aren't on the local network. There's a straightforward workaround using the anti-spam program rblsmtpd, discussed in Chapter 9.

7.5.4 Other POP-before-SMTP Daemons

Every once in a while, you should delete expired files from the allow directory to avoid clutter. There's no great urgency, since relay-ctrl-check verifies that a file hasn't expired each time it uses one, so running the cleanup program once a day is plenty. If your system has a daily or daily.local script that's run as root once a day, add a line to the end that says:

envdir /etc/relay-ctrl relay-ctrl-age

If not, run that line directly from cron once a day.

Finally, if you have multiple mail servers, on each SMTP server you must run the UDP server that receives messages about IP addresses that have authenticated. The server does no validation at all of source addresses, so any host that can reach the port can get an address added to the allow directory; if possible you should adjust your router to discard all packets addressed to UDP port 811 (or whatever other port you use). Create directories /var/qmail/supervise/relay-ctrl/udp and /var/qmail/supervise/relay-ctrl/udp/log. The run file just starts the UDP listener as root, as in Example 7-10.

Example 7-10. The POP-before-SMTP UDP listener script
#!/bin/sh
exec                     \
  envdir /etc/relay-ctrl \
  relay-ctrl-udp 2>&1

IMAP Before SMTP

If you use the Courier IMAP server or the Courier POP server, relay-ctrl is designed to work with them as well, using the Courier authorization library interface. See the relay-ctrl README file for more details.




qmail
ISBN: 1565926285
Year: 2006
Pages: 152