Gentoo Forums
Howto: Pop-before-SMTP authentication with the vmail guide
Oopsz
Guru
Joined: 08 Oct 2002
Posts: 340

PostPosted: Sun Mar 21, 2004 4:59 am    Post subject: Howto: Pop-before-SMTP authentication with the vmail guide

So, you've followed this guide to the letter, and you've got a fully functional mail server. But you want people to be able to send mail without their IP address listed explicitly in your postfix main.cf? A solution to this is to use Pop-Before-SMTP authentication. Any time someone checks their pop3/imap email, their IP address is authenticated for outgoing email for 5 minutes, after which it expires. Your SMTP server is secure against spammers, but still usable.

For this howto, we'll be using DRAC, and a utility called drac-add. It's assumed you're running postfix and courier-imap as described in the virtual mail howto.

1) Install DRAC.
Code:
$ emerge drac


deceptively simple. ;)

2) Install drac-add:

First, download and decompress it.

Code:
$ wget http://venus.tripadelic.com/ebuilds/sources/drac-add.c.gz
$ gunzip drac-add.c.gz


Browse the source if you'd like. It's very straightforward. The default drac_update_host() variable should work fine for you. If you're updating a remote drac server, you probably know what you're doing and don't need this howto.

Once you have that file ready, we need to compile it.

Code:
$ gcc -o drac-add drac-add.c -L/usr/sbin/drac -ldrac -mcpu=i686 -march=i686 -Os -fomit-frame-pointer -fstack-protector -pipe
$ strip drac-add


If it compiles cleanly, copy the drac-add program to courier's authlib directory.

Code:
$ cp drac-add /usr/lib/courier-imap/authlib/


Now, we need to set up courier-imap to call drac-add, so that whenever anyone checks their email, the database will be updated properly.

First, the pop3 server.
Code:
$ nano -w /etc/courier/pop3d


Change the following line:
Code:
AUTHMODULES="authdaemon"

TO
Code:
AUTHMODULES="authdaemon drac-add"


Then, imap.
Code:
$ nano -w /etc/courier/imapd

Change the following line:
Code:
AUTHMODULES="authdaemon"

TO
Code:
AUTHMODULES="authdaemon drac-add"


Okay, now we just have to make postfix check the drac database when it wants to authenticate users. This requires a quick configuration tweak.

Code:
$ nano -w /etc/postfix/main.cf


Add these lines (or edit the existing lines, as appropriate)
Code:
smtpd_recipient_restrictions =
   permit_mynetworks,reject_non_fqdn_recipient,
   check_client_access btree:/var/lib/drac/drac,
   reject_unauth_destination

mynetworks = 127.0.0.0/8, your.ip.address, btree:/var/lib/drac/drac


REPLACE your.ip.address WITH YOUR PUBLIC NUMERIC IP ADDRESS!!

There, we're done! Let's get the servers up.

First, if you're running portsentry, stop it. It plays havoc with new daemons.

Code:
$ /etc/init.d/portsentry stop


Now, start up drac.

Code:
$ /etc/init.d/dracd start


Restart courier:

Code:
$ /etc/init.d/authdaemond restart


And reload postfix

Code:
$ /etc/init.d/postfix reload


You're done! Rock out! Test that it works using your favourite mail client, and check that it's secure by using an open relay test. Once you're sure it's working, you can clean up:

Code:
$ rc-update add portmap default
$ rc-update add dracd default


And start up portsentry again, if you are so inclined. :)
_________________
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide


Last edited by Oopsz on Thu Apr 08, 2004 7:46 pm; edited 2 times in total
BobOki
n00b
Joined: 23 Feb 2004
Posts: 67
Location: Svannah, Ga

PostPosted: Tue Mar 23, 2004 2:42 pm

Now if someone can make this for qmail, I would be rocking!
_________________
We the willing lead by the unknowing have done so much for so long with so little, we are now capable of doing everything with nothing.
chrisyu
Apprentice
Joined: 10 Apr 2003
Posts: 207
Location: China

PostPosted: Wed Apr 28, 2004 10:48 am

Yeah!

Worked well for me (postfix). :D
Thank you very much!

BTW
In my case /etc/courier is /etc/courier-imap. :)
Oopsz
Guru
Joined: 08 Oct 2002
Posts: 340

PostPosted: Thu Apr 29, 2004 1:19 am

Yay, someone used my guide! I feel all warm and fuzzy..
_________________
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
atac
Apprentice
Joined: 04 Jan 2003
Posts: 234
Location: haninge, swe

PostPosted: Tue Sep 21, 2004 5:01 pm

Just what I needed! Thanks :D
_________________
1 + 1 + 1 = 11
lectrix
n00b
Joined: 03 Apr 2003
Posts: 17
Location: austria

PostPosted: Tue Oct 26, 2004 5:20 pm

Hi!

This howto helped me some time ago - thanks for that.
In the meantime, after some major updates and different config changes, I noticed this in syslog:

Code:

Oct 26 19:09:52 igor drac-add: dracauth() Error "127.0.0.1: RPC: Program not registered " for user $REMOTEIP

where $REMOTEIP is some non-local IP.
This is repeated very often, each time dracd is called?

What does this mean?

rpcinfo -p says this:
Code:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    391002    2   tcp   1017  sgi_fam


/etc/postfix/main.cf contains
Code:

mynetworks = 62.99.149.26, 127.0.0.0/8, btree:/var/lib/drac/drac
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,
    check_client_access btree:/var/lib/drac/drac,
    reject_unauth_destination


/etc/courier-imap/pop3d contains
Code:

AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"


/etc/courier-imap/imapd contains
Code:

AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"


Thanks for helping...

Stefan.
_________________
huh, was that me?!
ministry
n00b
Joined: 29 Sep 2004
Posts: 5

PostPosted: Mon Dec 06, 2004 8:31 pm    Post subject: Thanks a Bunch!

Just wanted to thank you for your workaround solution.
I'd been messing with smtp-auth for like 4 days.
And everything seemed to be authenticating but it wouldn't pass any outgoing smtp traffic!

I think it is really important that people who post howtos make sure they work.
And should also specify what system the howto is for and update them every time a new version of any of the packages involved comes out.

I found that 80% of the stuff out there on postfix+cyrus-sasl+smtp-auth was not even close to complete and working.

In fact most of the guides I found on it that looked pretty good were in Japanese or German.

Anyway, Gentoo is great, and I'm sticking to my guns with regards to using it in the corporate environment.

Ministry
meulie
l33t
Joined: 17 Jun 2003
Posts: 845
Location: a Dutchman living in Norway

PostPosted: Tue Jan 04, 2005 9:44 am

I just implemented this guide as well, and so far it seems to be working great! 8)
_________________
Greetz,
Evert Meulie
Oopsz
Guru
Joined: 08 Oct 2002
Posts: 340

PostPosted: Mon Mar 28, 2005 3:39 pm

The guy that was having trouble with weird syslog entries: try recompiling the drac-add utility, might be a stale link..

I'm sorry I can't support this howto much anymore, I switched to dbmail as my backend, and it has native support for pop-before-smtp by storing IPs and timestamps in an sql table, ridiculously easy to get postfix to auth from using "mysql:/".
_________________
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
sander85
n00b
Joined: 21 Apr 2005
Posts: 1

PostPosted: Thu Apr 21, 2005 12:58 pm    Post subject: Still working?

It worked great. Only, am I right that courier now uses courier-authlib?

Since an update to this newer version of courier, Drac won't work anymore.

Does anyone else also have trouble with this?
Oopsz
Guru
Joined: 08 Oct 2002
Posts: 340

PostPosted: Thu Apr 21, 2005 1:09 pm

I'm sorry if it doesn't work; as I said before I've switched my mailstore from postfix+courier-imap+maildirs to postfix+dbmail+mysql, so I can't support this howto anymore. :( It worked great for the better part of a year though.. not too shabby.
_________________
Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
dschein
Tux's lil' helper
Joined: 10 Aug 2003
Posts: 121

PostPosted: Mon Jun 27, 2005 5:15 pm

I'm trying to implement this but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files... any ideas?
hurricane
Tux's lil' helper
Joined: 15 Jul 2004
Posts: 107

PostPosted: Mon Sep 26, 2005 5:17 am

dschein wrote:
I'm trying to implement this but I dont seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files....any ideas?


Same problem here...

Looking at the locations of courier's files, it seems that someone changed stuff for courier... And now??

Does anyone know what happened?
hurricane
Tux's lil' helper
Joined: 15 Jul 2004
Posts: 107

PostPosted: Mon Sep 26, 2005 6:56 am    Post subject: Not working anymore!

So AUTHMODULES does not work anymore, because now the modules are compiled straight into the daemon! (How fucking stupid! then why are they modules?? [No. Security is no excuse!])

But we're lucky, because now there exists a solution!
zomps
n00b
Joined: 08 Dec 2004
Posts: 59

PostPosted: Wed Nov 09, 2005 7:37 pm

The solution:
change drac-add.c line

from
Code:
if (getenv("AUTHUSER") && getenv("AUTHARGV0") && getenv("AUTHENTICATED")) {

to
Code:
if (getenv("AUTHENTICATED")) {


Add this line to the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d
Code:
LOGINRUN="/usr/local/bin/drac-add"

and there's no more need to change the AUTHMODULES parameter

net-libs/courier-authlib-0.57-r1
net-mail/courier-imap-4.0.4
TheCarNinja
Tux's lil' helper
Joined: 16 Sep 2003
Posts: 124
Location: New York

PostPosted: Tue Nov 15, 2005 4:05 am

Nice solution, everything compiles, but i have a problem.
After implementing everything (I don't have my IP addy in mynetworks because that would defeat the purpose) I still get relay access denied.

mail.log (relevant)
Code:

 >>> START Recipient address RESTRICTIONS <<<
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_mynetworks: cpe-24-90-103-234.nyc.res.rr.com 24.90.103.234
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: cpe-24-90-103-234.nyc.res.rr.com: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: 24.90.103.234: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks status=0
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: reject_unauth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_auth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: ctable_locate: leave existing entry key thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: NOQUEUE: reject: RCPT from cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied; from=<dummymail@<serverip>> to=<thecarninja@gmail.com> proto=ESMTP helo=<[10.0.0.5]>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination status=2
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: > cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied


An ls -l of /var/lib/drac/drac.db shows that the modified date is not when I tried logging in, so that means that either courier isn't calling drac-add or that it doesn't have proper permissions (which I'm sure it does, since I changed them, and there is no error message). I can't find any reference anywhere to drac-add being called other than the line I added into the courier files.
_________________
TheCarNinja
--
~Adopt an unanswered post today!~
Life is more fun sideways.
zomps
n00b
Joined: 08 Dec 2004
Posts: 59

PostPosted: Tue Nov 15, 2005 12:42 pm

Hmm, I saw drac-add messages in the /var/log/messages log file.
TheCarNinja
Tux's lil' helper
Joined: 16 Sep 2003
Posts: 124
Location: New York

PostPosted: Tue Nov 15, 2005 2:50 pm

zomps wrote:
The solution:
add line end to /etc/courier-imap/imapd and /etc/courier-imap/pop3d
Code:
LOGINRUN="/usr/local/bin/drac-add"



This means that i add that line to the end of /etc/courier-imap/pop3d and imapd right?
Also, /var/log/messages hasn't been modified recently at all. Nor is there any drac related activity in there.
_________________
TheCarNinja
--
~Adopt an unanswered post today!~
Life is more fun sideways.
TheCarNinja
Tux's lil' helper
Joined: 16 Sep 2003
Posts: 124
Location: New York

PostPosted: Wed Nov 16, 2005 5:50 pm

*bump*
_________________
TheCarNinja
--
~Adopt an unanswered post today!~
Life is more fun sideways.
zomps
n00b
Joined: 08 Dec 2004
Posts: 59

PostPosted: Wed Nov 16, 2005 7:07 pm

What happens when you call the drac-add command
Code:
TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" drac-add

and without parameters? Does any log appear, or does the /var/lib/drac/drac time/size change?
poco
n00b
Joined: 06 Jan 2005
Posts: 11
Location: Nice, France

PostPosted: Tue Dec 20, 2005 1:53 pm    Post subject: drac-add not called

Same problem here. I added the line "LOGINRUN="/usr/local/bin/drac-add"" to the /etc/courier-imap/pop3d file; I think it is the correct one, since I have lines like "source /etc/courier-imap/pop3d" in my /etc/init.d/courier-pop3d init script.

I added some syslog to see if drac-add is called when I'm logging into the server, but it isn't :'( I can call it by hand (for example with 'TCPREMOTEIP="192.168.0.7" AUTHENTICATED="plouf" drac-add') and syslog is notified (and the db file modified).

Any help would be welcome.
JackPo
n00b
Joined: 23 Jan 2004
Posts: 19

PostPosted: Wed Jan 04, 2006 2:44 am

anyone have any idea how to fix this?

I have reached the same stage as the previous poster.. but can progress no further...
JackPo
n00b
Joined: 23 Jan 2004
Posts: 19

PostPosted: Wed Jan 04, 2006 5:08 am

Never mind...

I think the route to go is now to use

pop-before-smtp

emerge pop-before-smtp, and then follow the instructions from the QUICKSTART
poco
n00b
Joined: 06 Jan 2005
Posts: 11
Location: Nice, France

PostPosted: Wed Jan 04, 2006 3:08 pm

And if anyone is interested, I used, for pop-before-smtp with postfix and courier-imap, the following regex:
Code:
$pat = '^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]';

and I changed one variable
Code:
$file_tail{'name'} = '/var/log/mail/current';


Thanks, JackPo, now it rox :)
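An added example, not code from any post in this thread, that ties the mechanism in the original howto (a client IP is relay-authorised for a few minutes after a successful POP3/IMAP login, then expires) to the courier log pattern poco posted above. It ports that Perl regex to Python unchanged, replays constructed metalog-style lines (the format of /var/log/mail/current on a metalog system; none of them come from a real server), keeps an in-memory table of authorised addresses with the howto's 5-minute window, and renders the entries that are still live as Postfix access-map text. The year argument to parse_login, the RelayTable class, the stamp() helper and the "OK" map value are assumptions of this example, not behaviour of dracd or of pop-before-smtp's own code.

```python
import re
from datetime import datetime, timedelta

# Port of the pattern from poco's post (Perl and Python regex syntax agree here).
# Group 1: the syslog/metalog timestamp; group 2: the IPv4 address, with any
# "::ffff:" IPv6-mapped prefix skipped by the [:f]* run.
LOGIN_RE = re.compile(
    r'^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] '
    r'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]'
)

# Window from the original howto: 5 minutes after the last successful login.
DEFAULT_WINDOW = timedelta(minutes=5)

# Constructed sample lines in metalog's "Mon DD HH:MM:SS [program] message"
# layout; they are made up for this example, not taken from a real server.
SAMPLE_LOG = """\
Dec 20 13:53:01 [pop3d] LOGIN, user=alice@example.org, ip=[::ffff:192.0.2.10]
Dec 20 13:53:07 [imapd-ssl] LOGIN, user=bob@example.org, ip=[198.51.100.7]
Dec 20 13:53:09 [pop3d] LOGOUT, user=alice@example.org, ip=[::ffff:192.0.2.10], top=0, retr=0
Dec 20 13:53:12 [imapd] LOGIN FAILED, user=mallory, ip=[::ffff:203.0.113.5]
Dec 20 13:55:40 [imapd] LOGIN, user=alice@example.org, ip=[::ffff:192.0.2.10]
"""


def stamp(text):
    """Build a datetime from 'YYYY-MM-DD HH:MM:SS' (helper for this example only)."""
    return datetime.fromisoformat(text)


def parse_login(line, year):
    """Return (ip, login_time) for a successful courier LOGIN line, else None.

    The log timestamp carries no year, so the caller supplies one (an
    assumption of this example).
    """
    m = LOGIN_RE.match(line)
    if m is None:
        return None  # LOGOUT, LOGIN FAILED and unrelated lines never authorise
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return m.group(2), when


class RelayTable:
    """In-memory stand-in for the dracd / pop-before-smtp database: ip -> expiry."""

    def __init__(self, window=DEFAULT_WINDOW):
        self.window = window
        self._expires = {}

    def authorize(self, ip, when):
        """Record a successful login; each login restarts the window for that address."""
        self._expires[ip] = when + self.window

    def is_permitted(self, ip, now):
        """True if the address logged in less than one window ago as of `now`."""
        exp = self._expires.get(ip)
        return exp is not None and now < exp

    def expire(self, now):
        """Drop entries whose window has closed; returns the addresses removed."""
        gone = sorted(ip for ip, exp in self._expires.items() if exp <= now)
        for ip in gone:
            del self._expires[ip]
        return gone

    def to_postfix_map(self, now):
        """Text for a Postfix access map (postmap input): one 'ip<TAB>OK' per live entry."""
        self.expire(now)
        return "".join(f"{ip}\tOK\n" for ip in sorted(self._expires))


def feed(table, log_text, year):
    """Replay log lines into the table; returns the addresses authorised, in order."""
    seen = []
    for line in log_text.splitlines():
        hit = parse_login(line, year)
        if hit is not None:
            ip, when = hit
            table.authorize(ip, when)
            seen.append(ip)
    return seen


if __name__ == "__main__":
    table = RelayTable()
    print("authorised:", feed(table, SAMPLE_LOG, 2005))
    now = stamp("2005-12-20 13:58:08")
    print("expired at", now, "->", table.expire(now))
    print(table.to_postfix_map(now), end="")
```

Two things the replay makes visible that the thread only implies: a LOGIN FAILED line never matches, so a wrong password does not open the relay, and the table is keyed by client address alone, so every host behind the same NAT gateway as a legitimate user may relay for those five minutes. That is the structural limit of pop-before-SMTP in any implementation, and it is why SMTP AUTH (permit_sasl_authenticated, already present in lectrix's main.cf above) is the better long-term answer: it authorises the session rather than the address.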
All times are GMT