Howto: Pop-before-SMTP authentication with the vmail guide

Oopsz

Post by Oopsz » Sun Mar 21, 2004 4:59 am

So, you've followed this guide to the letter, and you've got a fully functional mail server. But you want people to be able to send mail without their IP address listed explicitly in your postfix main.cf? A solution to this is to use Pop-before-SMTP authentication. Any time someone checks their POP3/IMAP email, their IP address is authenticated for outgoing email for 5 minutes, after which it expires. Your SMTP server is secure against spammers, but still usable.

For this howto, we'll be using DRAC, and a utility called drac-add. It's assumed you're running postfix and courier-imap as described in the virtual mail howto.

1) Install DRAC.

$ emerge drac

Deceptively simple. ;)

2) Install drac-add:

First, download and decompress it.

$ wget http://venus.tripadelic.com/ebuilds/sources/drac-add.c.gz
$ gunzip drac-add.c.gz

Browse the source if you'd like. It's very straightforward. The default drac_update_host() variable should work fine for you; if you're updating a remote DRAC server, you probably know what you're doing and don't need this howto.

Once you have that file ready, we need to compile it.

$ gcc -o drac-add drac-add.c -L/usr/sbin/drac -ldrac -mcpu=i686 -march=i686 -Os -fomit-frame-pointer -fstack-protector -pipe
$ strip drac-add

If it compiles cleanly, copy the drac-add program to courier's authlib directory.

$ cp drac-add /usr/lib/courier-imap/authlib/

Now, we need to set up courier-imap to call drac-add, so that whenever anyone checks their email, the database will be updated properly.

First, the pop3 server.

$ nano -w /etc/courier/pop3d

Change the following line:

AUTHMODULES="authdaemon"

to

AUTHMODULES="authdaemon drac-add"

Then, IMAP.

$ nano -w /etc/courier/imapd

Change the following line:

AUTHMODULES="authdaemon"

to

AUTHMODULES="authdaemon drac-add"

Okay, now we just have to make postfix check the drac database when it wants to authenticate users. This requires a quick configuration tweak.

$ nano -w /etc/postfix/main.cf

Add these lines (or edit the existing lines, as appropriate):

smtpd_recipient_restrictions =
   permit_mynetworks,reject_non_fqdn_recipient,
   check_client_access btree:/var/lib/drac/drac,
   reject_unauth_destination

mynetworks = 127.0.0.0/8, your.ip.address, btree:/var/lib/drac/drac

REPLACE your.ip.address WITH YOUR PUBLIC NUMERIC IP ADDRESS!!

There, we're done! Let's get the servers up.

First, if you're running portsentry, stop it. It plays havoc with new daemons.

$ /etc/init.d/portsentry stop

Now, start up drac.

$ /etc/init.d/dracd start

Restart courier:

$ /etc/init.d/authdaemond restart

And reload postfix:

$ /etc/init.d/postfix reload

You're done! Rock out! Test that it works using your favourite mail client, and check that it's secure by using an open relay test. Once you're sure it's working, you can clean up:

$ rc-update add portmap default
$ rc-update add dracd default

And start up portsentry again, if you are so inclined. :)
Last edited by Oopsz on Thu Apr 08, 2004 7:46 pm, edited 2 times in total.
BobOki

Post by BobOki » Tue Mar 23, 2004 2:42 pm

Now if someone can make this for qmail, I would be rocking!
chrisyu

Post by chrisyu » Wed Apr 28, 2004 10:48 am

Yeah!

Worked well for me (postfix). :D
Thank you very much!

BTW
In my case /etc/courier is /etc/courier-imap. :)
Oopsz

Post by Oopsz » Thu Apr 29, 2004 1:19 am

Yay, someone used my guide! I feel all warm and fuzzy..
atac

Post by atac » Tue Sep 21, 2004 5:01 pm

Just what I needed! Thanks :D
lectrix

Post by lectrix » Tue Oct 26, 2004 5:20 pm

Hi!

This howto helped me some time ago - thanks for that.
In the meantime, after some major updates and different config changes, I noticed this in syslog:

Oct 26 19:09:52 igor drac-add: dracauth() Error "127.0.0.1: RPC: Program not registered " for user $REMOTEIP

where $REMOTEIP is some non-local IP.
This is repeated very often, each time dracd is called?

What does this mean?

rpcinfo -p says this:

   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    391002    2   tcp   1017  sgi_fam

/etc/postfix/main.cf contains

mynetworks = 62.99.149.26, 127.0.0.0/8, btree:/var/lib/drac/drac
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,
    check_client_access btree:/var/lib/drac/drac,
    reject_unauth_destination

/etc/courier-imap/pop3d contains

AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"

/etc/courier-imap/imapd contains

AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"

Thanks for helping...

Stefan.
ministry

Thanks a Bunch!

Post by ministry » Mon Dec 06, 2004 8:31 pm

Just wanted to thank you for your workaround solution.
I'd been messing with smtp-auth for like 4 days.
And everything seemed to be authenticating, but it wouldn't pass any outgoing smtp traffic!

I think it is really important that people who post howtos make sure they work.
And they should also specify what system the howto is for and update them every time a new version of any of the packages involved comes out.

I found that 80% of the stuff out there on postfix+cyrus-sasl+smtp-auth was not even close to complete and working.

In fact most of the guides I found on it that looked pretty good were in Japanese or German.

Anyway, Gentoo is great! And I'm sticking to my guns with regards to using it in the corporate environment.

Ministry
meulie

Post by meulie » Tue Jan 04, 2005 9:44 am

I just implemented this guide as well, and so far it seems to be working great! 8)
Greetz,
Evert Meulie
Oopsz

Post by Oopsz » Mon Mar 28, 2005 3:39 pm

The guy that was having trouble with weird syslog entries: try recompiling the drac-add utility, might be a stale link..

I'm sorry I can't support this howto much anymore, I switched to dbmail as my backend, and it has native support for pop-before-smtp by storing IPs and timestamps in an sql table, ridiculously easy to get postfix to auth from using "mysql:/".
sander85

Still working?

Post by sander85 » Thu Apr 21, 2005 12:58 pm

It worked great. Only, am I right that courier now uses courier-authlib?

Since an update to this newer version of courier, Drac won't work anymore.

Does anyone else have trouble with this too?
Oopsz

Post by Oopsz » Thu Apr 21, 2005 1:09 pm

I'm sorry if it doesn't work; as I said before I've switched my mailstore from postfix+courier-imap+maildirs to postfix+dbmail+mysql, so I can't support this howto anymore. :( It worked great for the better part of a year though.. not too shabby.
dschein

Post by dschein » Mon Jun 27, 2005 5:15 pm

I'm trying to implement this, but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files.... Any ideas?
hurricane

Post by hurricane » Mon Sep 26, 2005 5:17 am

dschein wrote: I'm trying to implement this, but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files.... Any ideas?
Same problem here...

Looking at the locations of courier's files, it seems that someone changed stuff for courier... And now??

Does anyone know what happened?
hurricane

Not working anymore!

Post by hurricane » Mon Sep 26, 2005 6:56 am

So AUTHMODULES does not work anymore, because now the modules are compiled straight into the daemon! (How fucking stupid! then why are they modules?? [No. Security is no excuse!])

But we're lucky, because now there exists a solution!
zomps

Post by zomps » Wed Nov 09, 2005 7:37 pm

The solution:
Change the drac-add.c line

from

if (getenv("AUTHUSER") && getenv("AUTHARGV0") && getenv("AUTHENTICATED")) {

to

if (getenv("AUTHENTICATED")) {

Add this line to the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d:

LOGINRUN="/usr/local/bin/drac-add"

and there's no more need to change the AUTHMODULES parameter.

net-libs/courier-authlib-0.57-r1
net-mail/courier-imap-4.0.4
TheCarNinja

Post by TheCarNinja » Tue Nov 15, 2005 4:05 am

Nice solution, everything compiles, but i have a problem.
After implementing everything (I don't have my IP addy in mynetworks because that would defeat the purpose) I still get relay access denied.

mail.log (relevant):

 >>> START Recipient address RESTRICTIONS <<<
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_mynetworks: cpe-24-90-103-234.nyc.res.rr.com 24.90.103.234
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: cpe-24-90-103-234.nyc.res.rr.com: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: 24.90.103.234: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks status=0
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: reject_unauth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_auth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: ctable_locate: leave existing entry key thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: NOQUEUE: reject: RCPT from cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied; from=<dummymail@<serverip>> to=<thecarninja@gmail.com> proto=ESMTP helo=<[10.0.0.5]>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination status=2
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: > cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied

An ls -l of /var/lib/drac/drac.db shows that the modified date is not when I tried logging in, so that means that either courier isn't calling drac-add or that it doesn't have proper permissions (which I'm sure it does, since I changed them, and there's no error message). I can't find any reference anywhere to drac-add being called other than the line I added into the courier files.
zomps

Post by zomps » Tue Nov 15, 2005 12:42 pm

Hmm, I saw drac-add messages in the /var/log/messages log file.
TheCarNinja

Post by TheCarNinja » Tue Nov 15, 2005 2:50 pm

zomps wrote: The solution: add this line to the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d

LOGINRUN="/usr/local/bin/drac-add"

This means that I add that line to the end of /etc/courier-imap/pop3d and imapd, right?
Also, /var/log/messages hasn't been modified recently at all. Nor is there any drac related activity in there.
TheCarNinja

Post by TheCarNinja » Wed Nov 16, 2005 5:50 pm

*bump*
zomps

Post by zomps » Wed Nov 16, 2005 7:07 pm

What happens when you call the drac-add command

TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" drac-add

and without parameters? Does any log entry appear, or does the time/size of /var/lib/drac/drac change?
poco

drac-add not called

Post by poco » Tue Dec 20, 2005 1:53 pm

Same problem here. I added the line "LOGINRUN="/usr/local/bin/drac-add"" to the /etc/courier-imap/pop3d file; I think it is the correct one, since I have lines like "source /etc/courier-imap/pop3d" in my /etc/init.d/courier-pop3d init script.

I added some syslog calls to see if drac-add is called when I'm logging into the server, but it isn't :'( I can call it by hand (for example with 'TCPREMOTEIP="192.168.0.7" AUTHENTICATED="plouf" drac-add') and syslog is notified (and the db file modified).

Any help would be welcome.
JackPo

Post by JackPo » Wed Jan 04, 2006 2:44 am

anyone have any idea how to fix this?

I have reached the same stage as the previous poster.. but can progress no further...
JackPo

Post by JackPo » Wed Jan 04, 2006 5:08 am

Never mind...

I think the route to go is now to use

pop-before-smtp

emerge pop-before-smtp.. and then follow the instructions from the QUICKSTART
poco

Post by poco » Wed Jan 04, 2006 3:08 pm

And if anyone is interested, I used the following regex for pop-before-smtp with postfix and courier-imap:

$pat = '^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]';

and I changed one variable:

$file_tail{'name'} = '/var/log/mail/current';

Thanks, JackPo, now it rox :)
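The mechanism the whole thread relies on (a successful POP3/IMAP login grants the client's IP address a time-limited right to relay, which then lapses) and the courier log pattern poco posted above, worked through as an added example. This is not code from the thread, from DRAC or from the pop-before-smtp project: it is a small Python model of a pop-before-smtp style log watcher. It takes poco's regex converted from Perl to Python syntax, keeps a table of IP address to time of last successful login, expires entries after a grace window (5 minutes, the figure the first post quotes; dracd and pop-before-smtp have their own defaults), and emits the `ip OK` lines a Postfix access map such as the one in the first post's `check_client_access` would be built from. The log lines are constructed here in metalog's `/var/log/mail/current` format and are not real traffic; the year argument is an assumption forced by metalog timestamps carrying no year.

```python
import re
from datetime import datetime, timedelta

# Pattern from poco's post, converted from Perl to Python syntax. Group 1 is the
# metalog timestamp, group 2 the client IPv4 address; "[:f]*" swallows the
# "::ffff:" prefix courier logs for IPv4-mapped IPv6 sockets. Only "LOGIN, user="
# lines match, so a "LOGIN FAILED" line never opens the relay.
LOGIN_RE = re.compile(
    r'^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] '
    r'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]'
)

# Constructed sample log in metalog format (not captured traffic). The third
# line is a failed login and the fifth a logout; neither should grant anything.
SAMPLE_LOG = """\
Oct 26 19:09:52 [imapd] LOGIN, user=alice@example.com, ip=[::ffff:203.0.113.7]
Oct 26 19:10:03 [pop3d-ssl] LOGIN, user=bob@example.com, ip=[198.51.100.42]
Oct 26 19:10:30 [imapd] LOGIN FAILED, user=mallory, ip=[::ffff:192.0.2.99]
Oct 26 19:11:15 [courierpop3login] LOGIN, user=carol@example.com, ip=[::ffff:203.0.113.8]
Oct 26 19:14:00 [imapd] LOGOUT, user=alice@example.com, ip=[::ffff:203.0.113.7], headers=0, body=0, rcvd=123, sent=456, time=248
"""


def parse_timestamp(stamp, year):
    """metalog stamps carry no year, so the caller supplies one (assumption)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


class PopBeforeSmtpTable:
    """IP address -> time of last successful POP3/IMAP login, with expiry."""

    def __init__(self, year, grace=timedelta(minutes=5)):
        self.year = year
        self.grace = grace
        self.last_seen = {}

    def observe(self, line):
        """Feed one log line; return the IP it authorised, or None."""
        m = LOGIN_RE.match(line)
        if not m:
            return None
        when = parse_timestamp(m.group(1), self.year)
        ip = m.group(2)
        # Keep the newest login, so an older line seen out of order cannot
        # shorten a window that a later login already extended.
        self.last_seen[ip] = max(when, self.last_seen.get(ip, when))
        return ip

    def allowed(self, ip, now):
        """Would check_client_access find this IP in the map right now?"""
        seen = self.last_seen.get(ip)
        return seen is not None and now - seen <= self.grace

    def expire(self, now):
        """Drop entries older than the grace window; return them, sorted."""
        stale = sorted(ip for ip, seen in self.last_seen.items()
                       if now - seen > self.grace)
        for ip in stale:
            del self.last_seen[ip]
        return stale

    def postfix_map(self):
        """Source text for a Postfix access map: one 'ip OK' per live entry."""
        return "".join(f"{ip} OK\n" for ip in sorted(self.last_seen))


def build_table(log_text, year, grace_minutes=5):
    """Replay a log into a fresh table; the caller then expires and dumps it."""
    table = PopBeforeSmtpTable(year, timedelta(minutes=grace_minutes))
    for line in log_text.splitlines():
        table.observe(line)
    return table


if __name__ == "__main__":
    table = build_table(SAMPLE_LOG, 2004)
    now = parse_timestamp("Oct 26 19:15:10", 2004)
    print("expired:", table.expire(now))
    print(table.postfix_map(), end="")
```

Run stand-alone it replays the constructed log, expires the two logins older than five minutes as of 19:15:10, and prints a one-line map for the remaining address; in a real deployment that text would be fed to postmap and consulted through `check_client_access` as in the first post's main.cf. Note what the table keys on: an address, not a user. Every host behind the same NAT as one authenticated client inherits the grant for the length of the window, which is why the scheme is only as strong as the window is short.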