An older and more indirect scheme for roaming user authentication is POP-before-SMTP, first used in 1997. It's a very simple idea and has been implemented many times. Whenever a user successfully logs in using POP or IMAP to pick up mail, the mail server notes the IP address the user logged in from. For the next hour or so, that IP address is allowed to use the mail gateway. It has the practical advantage of working with any POP or IMAP MUA, merely by telling users to check their mail before sending. For MUAs that support SMTP AUTH, which is now most of them, AUTH is better than POP-before-SMTP because it doesn't require the extra mail check, and it identifies sent mail with a particular user, not just an IP address. But for the benefit of users who never upgrade their MUA, it's worth keeping POP-before-SMTP around. I wrote a homebrew POP-before-SMTP system with a daemon that updates the smtprules files, but I now prefer Bruce Guenter's relay-ctrl package (http://untroubled.org/relay-ctrl/), which has the advantage of not needing any patches to existing software and of working reasonably well on clusters of multiple hosts running POP, IMAP, and SMTP servers.

POP-before-SMTP has three parts. The first part observes the POP and IMAP logins and notes the IP addresses. relay-ctrl uses the filesystem for its database, so if a user logs in from address 10.1.2.3, it creates a file /var/spool/relay-ctrl/allow/10.1.2.3. The second part checks the IP address on each incoming SMTP connection, and if the IP has a corresponding file in /var/spool/relay-ctrl/allow, it sets the environment to allow relaying. The third cleans up stale entries by deleting files in /var/spool/relay-ctrl/allow that are older than the window of time allowed for POP-before-SMTP. The relay-ctrl documentation suggests 15 minutes, but I've used times as long as a day without trouble.
To keep the relay database reasonably secure, make /var/spool/relay-ctrl owned by root with mode 0500 so that only root can chdir into it, but make /var/spool/relay-ctrl/allow mode 777 so that the unprivileged program that notes logins can write there. For clusters of multiple hosts, whenever a user is authenticated on one host, relay-ctrl sends notices to the other hosts about the IP that authenticated, using UDP packets.

To install relay-ctrl, download it from http://untroubled.org/relay-ctrl/. (This description is of Version 3.1.1.) Unpack it, adjust conf-cc, conf-ld, and conf-man if you need to reflect your local commands for compiling and linking and the place to put the man files, then run make. Become super-user and run ./installer to install the various programs.

The runtime configuration of the relay-ctrl package is almost entirely done through environment variables. I suggest creating a directory /etc/relay-ctrl so you can use envdir from the daemontools package to set the environment. (Each file in the directory is the name of a variable, and the contents of the file become the value of the variable.) Files and environment variables to create include:
7.5.1 Adding POP-before-SMTP to the POP Server

Chapter 13 describes the procedure for setting up the qmail POP server. Example 7-7 shows the modifications to handle POP-before-SMTP, in the script /etc/popd/run.

Example 7-7. The POP listening script with POP-before-SMTP

    1.  #!/bin/sh
    2.  limit datasize 2m
    3.  exec \
    3a.   envdir /etc/relay-ctrl \
    3b.   relay-ctrl-chdir \
    4.    tcpserver \
    5.      -HRv -l pop.example.com \
    6.      -x /etc/popd/rules.cdb \
    7.      0 110 \
    8.    /var/qmail/bin/qmail-popup pop.example.com \
    9.    checkpassword \
    9a.   relay-ctrl-allow \
    9b.   relay-ctrl-send \
    10.   /var/qmail/bin/qmail-pop3d Maildir 2>&1

Line 3a sets the environment from the files in /etc/relay-ctrl, and line 3b, which runs with root privileges, opens the allow directory so that the later nonroot programs can modify it. Line 9a creates the allow/nn.nn.nn.nn file noting that the IP has authenticated, and line 9b sends UDP notifications to the other local mail servers. (If you only have one server, leave out line 9b.) The rest of the script is unmodified from the version in Chapter 13.

7.5.2 Adding POP-before-SMTP to the SMTP Server

The additions to the SMTP script in /var/qmail/supervise/qmail-smtpd/run are similar to the ones for the POP server, as shown in Example 7-8.

Example 7-8. The SMTP listening script with POP-before-SMTP

    1.  #!/bin/sh
    2.  limit datasize 2m
    3.  exec \
    3a.   envdir /etc/relay-ctrl \
    3b.   relay-ctrl-chdir \
    4.    tcpserver -u000 -g000 -v -p -R \
    5.      -x/var/qmail/rules/smtprules.cdb 10.1.2.3 25 \
    5a.   relay-ctrl-check \
    6.    /var/qmail/bin/qmail-smtpd 2>&1

Lines 3a and 3b set environment variables and open the allow directory, as before. Line 5a checks whether allow/nn.nn.nn.nn exists and isn't too old (older than RELAY_CTRL_EXPIRY seconds), and if so sets RELAYCLIENT. It has to come after tcpserver's host and port arguments: tcpserver stops reading options at the first non-option argument and runs whatever follows the host and port, so relay-ctrl-check must be the first program in the chain that tcpserver starts.

If you want to provide both POP-before-SMTP and SMTP AUTH, install the SMTP AUTH patches as described earlier in this chapter, and then add the POP-before-SMTP programs to the run script, as shown in Example 7-9.

Example 7-9. The SMTP listening script with POP-before-SMTP and SMTP AUTH

    1.  #!/bin/sh
    2.  limit datasize 2m
    3.  exec \
    3a.   envdir /etc/relay-ctrl \
    3b.   relay-ctrl-chdir \
    4.    tcpserver -u000 -g000 -v -p -R \
    5.      -x/var/qmail/rules/smtprules.cdb 10.1.2.3 25 \
    5a.   relay-ctrl-check \
    6.    /var/qmail/bin/qmail-smtpd \
    6a.     mail.example.com \
    6b.     checkpassword \
    6c.     /bin/true 2>&1

7.5.3 Using POP-before-SMTP with ofmipd

If you use ofmipd to accept injected mail, it's a little harder to use POP-before-SMTP. The reason is that :deny rules prevent relay-ctrl-check from running at all for IP addresses that aren't on the local network. There's a straightforward workaround using the anti-spam program rblsmtpd, discussed in Chapter 9.

7.5.4 Other POP-before-SMTP Daemons

Every once in a while, you should delete expired files from the allow directory to avoid clutter. There's no great urgency, since relay-ctrl-check checks each time it uses a file that the file isn't expired, so running the cleanup program once a day is plenty. If your system has a daily or daily.local script that's run as root once a day, add a line to the end that says:

    envdir /etc/relay-ctrl relay-ctrl-age

If not, run that line directly from cron once a day.

Finally, if you have multiple mail servers, on each SMTP server you must run the UDP server that receives messages about IP addresses that have authenticated. The server does no validation at all of source addresses, so if possible you should adjust your router to discard packets arriving from outside your network that are addressed to UDP port 811 (or whatever other port you use). Create directories /var/qmail/supervise/relay-ctrl/udp and /var/qmail/supervise/relay-ctrl/udp/log. The run file just starts the UDP listener as root, as in Example 7-10.

Example 7-10. The POP-before-SMTP UDP listener script

    1.  #!/bin/sh
    2.  exec \
    3.    envdir /etc/relay-ctrl \
    4.    relay-ctrl-udp 2>&1
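The three parts of POP-before-SMTP described above (note the login, check the SMTP client, age out stale entries), as an added example written for this page rather than relay-ctrl's own code. It keeps the same design, a file per IP address whose mtime is the login time, but takes the allow directory and the client address as arguments instead of relying on relay-ctrl-chdir and tcpserver's TCPREMOTEIP; the function names and the optional `now` parameter (for testing without waiting) are this example's own.

```python
import os
import re
import time

DEFAULT_EXPIRY = 15 * 60  # the 15-minute window the relay-ctrl documentation suggests
# Only a dotted quad may name an entry, so a malformed address string
# can never become a path outside the allow directory.
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _entry(allow_dir, ip):
    if not _IPV4.match(ip):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    return os.path.join(allow_dir, ip)


def note_login(allow_dir, ip, now=None):
    """Part 1 (what relay-ctrl-allow does): after a successful POP/IMAP login,
    create or refresh allow/<ip>; the file's mtime records when it authenticated."""
    path = _entry(allow_dir, ip)
    with open(path, "a"):
        pass
    os.utime(path, None if now is None else (now, now))
    return path


def check_relay(allow_dir, ip, expiry=DEFAULT_EXPIRY, now=None):
    """Part 2 (what relay-ctrl-check does): for an SMTP connection from ip,
    return the variables to add to the environment, RELAYCLIENT only if a
    fresh entry exists. A bad address or a missing file means no relaying."""
    now = time.time() if now is None else now
    try:
        mtime = os.stat(_entry(allow_dir, ip)).st_mtime
    except (ValueError, FileNotFoundError):
        return {}
    return {"RELAYCLIENT": ""} if now - mtime <= expiry else {}


def expire_entries(allow_dir, expiry=DEFAULT_EXPIRY, now=None):
    """Part 3 (what relay-ctrl-age does): delete entries older than the
    window and return the addresses removed."""
    now = time.time() if now is None else now
    removed = []
    for name in os.listdir(allow_dir):
        path = os.path.join(allow_dir, name)
        if now - os.stat(path).st_mtime > expiry:
            os.remove(path)
            removed.append(name)
    return sorted(removed)
```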