Oopsz Guru
Joined: 08 Oct 2002 Posts: 340
Posted: Sun Mar 21, 2004 4:59 am Post subject: Howto: Pop-before-SMTP authentication with the vmail guide
So, you've followed this guide to the letter, and you've got a fully functional mail server. But you want people to be able to send mail without their IP address listed explicitly in your postfix main.cf? A solution to this is to use Pop-Before-SMTP authentication. Any time someone checks their pop3/imap email, their IP address is authenticated for outgoing email for 5 minutes, after which it expires. Your SMTP server is secure against spammers, but still usable.
For this howto, we'll be using DRAC, and a utility called drac-add. It's assumed you're running postfix and courier-imap as described in the virtual mail howto.
1) Install DRAC.
deceptively simple.
2) Install drac-add:
First, download and decompress it.
Code: |
$ wget http://venus.tripadelic.com/ebuilds/sources/drac-add.c.gz
$ gunzip drac-add.c.gz
|
Browse the source if you'd like. It's very straightforward. The default drac_update_host() variable should work fine for you; if you're updating a remote drac server, you probably know what you're doing and don't need this howto.
Once you have that file ready, we need to compile it.
Code: |
$ gcc -o drac-add drac-add.c -L/usr/sbin/drac -ldrac -mcpu=i686 -march=i686 -Os -fomit-frame-pointer -fstack-protector -pipe
$ strip drac-add
|
If it compiles cleanly, copy the drac-add program to courier's authlib directory.
Code: | $ cp drac-add /usr/lib/courier-imap/authlib/ |
Now, we need to set up courier-imap to call drac-add, so that whenever anyone checks their email, the database will be updated properly.
First, the pop3 server.
Code: | $ nano -w /etc/courier/pop3d |
Change the following line:
Code: | AUTHMODULES="authdaemon" |
TO
Code: | AUTHMODULES="authdaemon drac-add" |
Then, imap.
Code: | $ nano -w /etc/courier/imapd |
Change the following line:
Code: | AUTHMODULES="authdaemon" |
TO
Code: | AUTHMODULES="authdaemon drac-add" |
Okay, now we just have to make postfix check the drac database when it wants to authenticate users. This requires a quick configuration tweak.
Code: | $ nano -w /etc/postfix/main.cf |
Add these lines (or edit the existing lines, as appropriate):
Code: |
smtpd_recipient_restrictions =
    permit_mynetworks,reject_non_fqdn_recipient,
    check_client_access btree:/var/lib/drac/drac,
    reject_unauth_destination
mynetworks = 127.0.0.0/8, your.ip.address, btree:/var/lib/drac/drac
|
REPLACE your.ip.address WITH YOUR PUBLIC NUMERIC IP ADDRESS!!
There, we're done! Let's get the servers up.
First, if you're running portsentry, stop it. It plays havoc with new daemons.
Code: | $ /etc/init.d/portsentry stop |
Now, start up drac.
Code: | $ /etc/init.d/dracd start |
Restart courier:
Code: | $ /etc/init.d/authdaemond restart |
And reload postfix
Code: | $ /etc/init.d/postfix reload |
You're done! Rock out! Test that it works using your favourite mail client, and check that it's secure by using an open relay test. Once you're sure it's working, you can clean up:
Code: |
$ rc-update add portmap default
$ rc-update add dracd default
|
And start up portsentry again, if you are so inclined. _________________ Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
Last edited by Oopsz on Thu Apr 08, 2004 7:46 pm; edited 2 times in total
BobOki n00b
Joined: 23 Feb 2004 Posts: 67 Location: Svannah, Ga
Posted: Tue Mar 23, 2004 2:42 pm
Now if someone can make this for qmail, I would be rocking! _________________ We the willing lead by the unknowing have done so much for so long with so little, we are now capable of doing everything with nothing.
chrisyu Apprentice
Joined: 10 Apr 2003 Posts: 207 Location: China
Posted: Wed Apr 28, 2004 10:48 am
Yeah!
Worked well for me (postfix).
Thank you very much!
BTW, in my case /etc/courier is /etc/courier-imap.
atac Apprentice
Joined: 04 Jan 2003 Posts: 234 Location: haninge, swe
Posted: Tue Sep 21, 2004 5:01 pm
Just what I needed! Thanks _________________ 1 + 1 + 1 = 11
lectrix n00b
Joined: 03 Apr 2003 Posts: 17 Location: austria
Posted: Tue Oct 26, 2004 5:20 pm
Hi!
This howto helped me some time ago, thanks for that.
In the meantime, after some major updates and different config changes, I noticed this in syslog:
Code: |
Oct 26 19:09:52 igor drac-add: dracauth() Error "127.0.0.1: RPC: Program not registered " for user $REMOTEIP
|
where $REMOTEIP is some non-local IP.
This is repeated very often, each time dracd is called?
What does this mean?
rpcinfo -p says this:
Code: |
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
391002 2 tcp 1017 sgi_fam
|
/etc/postfix/main.cf contains
Code: |
mynetworks = 62.99.149.26, 127.0.0.0/8, btree:/var/lib/drac/drac
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,
check_client_access btree:/var/lib/drac/drac,
reject_unauth_destination
|
/etc/courier-imap/pop3d contains
Code: |
AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"
|
/etc/courier-imap/imapd contains
Code: |
AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"
|
Thanks for helping...
Stefan. _________________ huh, was that me?!
ministry n00b
Joined: 29 Sep 2004 Posts: 5
Posted: Mon Dec 06, 2004 8:31 pm Post subject: Thanks a Bunch!
Just wanted to thank you for your workaround solution.
I'd been messing with smtp-auth for like 4 days.
And everything seemed to be authenticating but it wouldn't pass any outgoing smtp traffic!
I think it is really important that people who post howtos make sure they work.
And should also specify what system the howto is for and update them every time a new version of any of the packages involved comes out.
I found that 80% of the stuff out there on postfix+cyrus-sasl+smtp-auth was not even close to complete and working.
In fact most of the guides I found on it that looked pretty good were in Japanese or German.
Anyway Gentoo is great! And I'm sticking to my guns with regards to using it in the corporate environment.
Ministry
meulie l33t
Joined: 17 Jun 2003 Posts: 845 Location: a Dutchman living in Norway
Posted: Tue Jan 04, 2005 9:44 am
I just implemented this guide as well, and so far it seems to be working great! _________________ Greetz,
Evert Meulie
Oopsz Guru
Joined: 08 Oct 2002 Posts: 340
Posted: Mon Mar 28, 2005 3:39 pm
The guy that was having trouble with weird syslog entries: try recompiling the drac-add utility, might be a stale link.
I'm sorry I can't support this howto much anymore. I switched to dbmail as my backend, and it has native support for pop-before-smtp by storing IPs and timestamps in an SQL table; ridiculously easy to get postfix to auth from using "mysql:/". _________________ Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
sander85 n00b
Joined: 21 Apr 2005 Posts: 1
Posted: Thu Apr 21, 2005 12:58 pm Post subject: Still working?
It worked great. Only, am I right that courier now uses courier-authlib?
Since an update to this newer version of courier, Drac won't work anymore.
Does anyone else also have trouble with this?
Oopsz Guru
Joined: 08 Oct 2002 Posts: 340
Posted: Thu Apr 21, 2005 1:09 pm
I'm sorry if it doesn't work; as I said before, I've switched my mailstore from postfix+courier-imap+maildirs to postfix+dbmail+mysql, so I can't support this howto anymore. It worked great for the better part of a year though... not too shabby. _________________ Pop-before-SMTP with the Gentoo Virtual Mailhosting Guide
dschein Tux's lil' helper
Joined: 10 Aug 2003 Posts: 121
Posted: Mon Jun 27, 2005 5:15 pm
I'm trying to implement this but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files... any ideas?
hurricane Tux's lil' helper
Joined: 15 Jul 2004 Posts: 107
Posted: Mon Sep 26, 2005 5:17 am
dschein wrote: | I'm trying to implement this but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files... any ideas? |
Same problem here...
Looking at the locations of courier's files, it seems that someone changed stuff for courier... And now??
Does anyone know what happened?
hurricane Tux's lil' helper
Joined: 15 Jul 2004 Posts: 107
Posted: Mon Sep 26, 2005 6:56 am Post subject: Not working anymore!
So AUTHMODULES does not work anymore, because now the modules are compiled straight into the daemon! (How fucking stupid! then why are they modules?? [No. Security is no excuse!])
But we're lucky, because now there exists a solution!
zomps n00b
Joined: 08 Dec 2004 Posts: 59
Posted: Wed Nov 09, 2005 7:37 pm
The solution:
Change the drac-add.c line
from
Code: | if (getenv("AUTHUSER") && getenv("AUTHARGV0") && getenv("AUTHENTICATED")) { |
to
Code: | if (getenv("AUTHENTICATED")) { |
Add this line at the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d:
Code: | LOGINRUN="/usr/local/bin/drac-add" |
and there is no more need to change the AUTHMODULES parameter.
net-libs/courier-authlib-0.57-r1
net-mail/courier-imap-4.0.4
TheCarNinja Tux's lil' helper
Joined: 16 Sep 2003 Posts: 124 Location: New York
Posted: Tue Nov 15, 2005 4:05 am
Nice solution, everything compiles, but I have a problem.
After implementing everything (I don't have my IP addy in mynetworks because that would defeat the purpose) I still get relay access denied.
mail.log (relevant):
Code: |
>>> START Recipient address RESTRICTIONS <<<
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_mynetworks: cpe-24-90-103-234.nyc.res.rr.com 24.90.103.234
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: cpe-24-90-103-234.nyc.res.rr.com: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: 24.90.103.234: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks status=0
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: reject_unauth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_auth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: ctable_locate: leave existing entry key thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: NOQUEUE: reject: RCPT from cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied; from=<dummymail@<serverip>> to=<thecarninja@gmail.com> proto=ESMTP helo=<[10.0.0.5]>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination status=2
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: > cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied
|
An ls -l of /var/lib/drac/drac.db shows that the modified date is not when I tried logging in, so that means that either courier isn't calling drac-add or that it doesn't have proper permissions (which I'm sure it does, since I changed them, and there is no error message). I can't find any reference anywhere to drac-add being called other than the line I added into the courier files. _________________ TheCarNinja
--
~Adopt an unanswered post today!~
Life is more fun sideways.
zomps n00b
Joined: 08 Dec 2004 Posts: 59
Posted: Tue Nov 15, 2005 12:42 pm
Hmm, I saw drac-add messages in the /var/log/messages log file.
TheCarNinja Tux's lil' helper
Joined: 16 Sep 2003 Posts: 124 Location: New York
Posted: Tue Nov 15, 2005 2:50 pm
zomps wrote: | The solution:
Add this line at the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d:
Code: | LOGINRUN="/usr/local/bin/drac-add" |
|
This means that I add that line to the end of /etc/courier-imap/pop3d and imapd, right?
Also, /var/log/messages hasn't been modified recently at all. Nor is there any drac related activity in there. _________________ TheCarNinja
--
~Adopt an unanswered post today!~
Life is more fun sideways.
zomps n00b
Joined: 08 Dec 2004 Posts: 59
Posted: Wed Nov 16, 2005 7:07 pm
What happens when you call the drac-add command as
Code: | TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" drac-add |
and without parameters? Does any log entry appear, or does the time/size of /var/lib/drac/drac change?
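A LOGINRUN-style hook written in Python, added here as an illustration of the environment contract that zomps's patch and manual test rely on; it is not zomps's drac-add patch, nor any courier or DRAC code. It assumes only what the posts above show: courier hands the hook the login name in AUTHENTICATED and the client address in TCPREMOTEIP. The store path and the "ip timestamp user" record format are made up for the example; drac-add itself sends the address to dracd over RPC rather than writing a file.

```python
import ipaddress
import os
import sys
import time

# Hypothetical store written by this hook (one "ip timestamp user" line per login).
# drac-add talks to dracd over RPC instead, so this path is an assumption of the example.
STORE_PATH = "/var/lib/pop-before-smtp/logins.txt"


class HookError(Exception):
    """Raised when the login environment is not one we should record."""


def parse_login_env(env):
    """Return (user, ip) from the variables courier's LOGINRUN hook receives.

    AUTHENTICATED is the login name courier sets after a successful
    authentication (the variable zomps's patched drac-add keys on);
    TCPREMOTEIP is the client address. Anything else is refused, not recorded.
    """
    user = env.get("AUTHENTICATED")
    if not user:
        raise HookError("AUTHENTICATED is empty or unset: not an authenticated login")
    raw_ip = env.get("TCPREMOTEIP", "")
    try:
        addr = ipaddress.ip_address(raw_ip)
    except ValueError:
        raise HookError(f"TCPREMOTEIP is not an IP address: {raw_ip!r}") from None
    # courier reports IPv4 clients as ::ffff:a.b.c.d when it listens on IPv6;
    # store the plain IPv4 form so it matches what postfix sees in smtpd.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return user, str(addr)


def format_record(user, ip, now):
    """One store line: address, epoch seconds of the login, user."""
    return f"{ip} {int(now)} {user}\n"


def record_login(env, store_path=STORE_PATH, now=None):
    """Validate the environment and append a record; return the line written.

    Returns None (without raising) when the environment is not a valid login,
    so a hook problem never turns into a mail-access failure for the user.
    store_path=None validates and formats only, without writing (dry run).
    """
    now = time.time() if now is None else now
    try:
        user, ip = parse_login_env(env)
    except HookError as err:
        print(f"drac-hook: refusing to record: {err}", file=sys.stderr)
        return None
    line = format_record(user, ip, now)
    if store_path is not None:
        with open(store_path, "a", encoding="ascii") as fh:
            fh.write(line)
    return line


if __name__ == "__main__":
    # Same shape as zomps's manual check:
    #   TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" python3 drac_hook.py
    record_login(os.environ)
    sys.exit(0)
```

Run it the way zomps suggested, `TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" python3 drac_hook.py`, and check that the store file grows; with the variables unset it logs a refusal and still exits 0. Before pointing LOGINRUN at it, read the comment above LOGINRUN in your own imapd and pop3d files: if your courier version expects that program to exec the real daemon afterwards, the hook must do so, which this example does not show.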
poco n00b
Joined: 06 Jan 2005 Posts: 11 Location: Nice, France
Posted: Tue Dec 20, 2005 1:53 pm Post subject: drac-add not called
Same problem here. I added the line LOGINRUN="/usr/local/bin/drac-add" to the /etc/courier-imap/pop3d file; I think it is the correct one since I have lines like "source /etc/courier-imap/pop3d" in my /etc/init.d/courier-pop3d init script.
I added some syslog logging to see if drac-add is called when I'm logging into the server, but it isn't :'( I can call it by hand (for example with 'TCPREMOTEIP="192.168.0.7" AUTHENTICATED="plouf" drac-add') and syslog is notified (and the db file modified).
Any help would be welcome.
JackPo n00b
Joined: 23 Jan 2004 Posts: 19
Posted: Wed Jan 04, 2006 2:44 am
Anyone have any idea how to fix this?
I have reached the same stage as the previous poster, but can progress no further...
JackPo n00b
Joined: 23 Jan 2004 Posts: 19
Posted: Wed Jan 04, 2006 5:08 am
Never mind...
I think the route to go is now to use pop-before-smtp:
emerge pop-before-smtp, and then follow the instructions from the QUICKSTART
poco n00b
Joined: 06 Jan 2005 Posts: 11 Location: Nice, France
Posted: Wed Jan 04, 2006 3:08 pm
And if anyone is interested, I used, for pop-before-smtp with postfix and courier-imap, the following regex:
Code: | $pat = '^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]'; |
and I changed one variable:
Code: | $file_tail{'name'} = '/var/log/mail/current'; |
Thanks, JackPo, now it rox
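An added example, in Python, of the whole mechanism this thread is about: the five-minute relay window Oopsz describes in the howto, fed by courier LOGIN lines matched with a port of the Perl pattern poco posted above. It is not code from DRAC, drac-add or the pop-before-smtp package; the RelayWindow class, the "<ip> OK" map lines and the sample log lines are constructed for the example, and the real tools keep their own file formats (DRAC's btree map is written by dracd, pop-before-smtp's by its Perl daemon).

```python
import re

# Python port of the Perl pattern poco posted for pop-before-smtp: a courier
# pop3d/imapd LOGIN line from a metalog-style log, with the client address as
# group 2 (the [:f]* skips the ::ffff: prefix of IPv4-mapped addresses).
LOGIN_RE = re.compile(
    r'^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] '
    r'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]'
)

GRACE_SECONDS = 5 * 60  # the five-minute window the howto describes


def extract_login_ip(line):
    """Return the client IPv4 address of a successful LOGIN line, else None."""
    m = LOGIN_RE.match(line)
    return m.group(2) if m else None


class RelayWindow:
    """Client IP -> time of its last POP/IMAP login.

    An address may relay through SMTP only while its entry is younger than
    the grace period; this is the decision the drac/pop-before-smtp map encodes.
    """

    def __init__(self, grace=GRACE_SECONDS):
        self.grace = grace
        self.seen = {}

    def record(self, ip, now):
        self.seen[ip] = now

    def expire(self, now):
        """Drop entries older than the grace period; return the dropped IPs."""
        stale = sorted(ip for ip, t in self.seen.items() if now - t > self.grace)
        for ip in stale:
            del self.seen[ip]
        return stale

    def may_relay(self, ip, now):
        """The check postfix effectively makes via check_client_access."""
        t = self.seen.get(ip)
        return t is not None and now - t <= self.grace

    def postfix_map_lines(self, now):
        """Fresh entries as 'postmap' input lines ("<ip> OK"); stale ones removed."""
        self.expire(now)
        return [f"{ip} OK" for ip in sorted(self.seen)]


def feed_log(window, lines, now):
    """Scan log lines (as the pop-before-smtp tail loop does) and record each
    successful login at time 'now'; return the IPs recorded, in order."""
    hits = []
    for line in lines:
        ip = extract_login_ip(line)
        if ip is not None:
            window.record(ip, now)
            hits.append(ip)
    return hits


# Constructed sample lines in the format poco's pattern expects (not from a real log).
SAMPLE_LOG = [
    "Nov 14 22:53:01 [pop3d] LOGIN, user=alice, ip=[::ffff:24.90.103.234]",
    "Nov 14 22:53:05 [imapd-ssl] LOGIN, user=bob, ip=[192.168.0.7]",
    "Nov 14 22:53:07 [pop3d] LOGIN FAILED, user=mallory, ip=[::ffff:203.0.113.9]",
    "Nov 14 22:53:09 [courierpop3login] LOGIN, user=carol, ip=[10.0.0.5]",
]


def demo():
    """Replay SAMPLE_LOG at t=1000 and report what the SMTP side would decide."""
    window = RelayWindow()
    logged_in = feed_log(window, SAMPLE_LOG, now=1000)
    return {
        "recorded": logged_in,
        "relay_at_299s": window.may_relay("24.90.103.234", 1000 + 299),
        "relay_at_301s": window.may_relay("24.90.103.234", 1000 + 301),
        "failed_login_relays": window.may_relay("203.0.113.9", 1000),
        "map_at_100s": window.postfix_map_lines(1100),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the replay makes visible. A failed login never opens the window, and a successful one closes again after exactly the grace period, which is why a client that only polls POP every ten minutes sees intermittent "Relay access denied" with this scheme. The window is also keyed on the address alone: every host behind the same NAT or proxy address can relay while one user's entry is fresh, which is the weakness that SMTP AUTH (the permit_sasl_authenticated seen in lectrix's config above) removes.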