[tpop3d-discuss] setting up POP before relay
chris at ex-parrot.com
Wed, 9 Jan 2002 16:24:26 +0000
On Wed, Jan 09, 2002 at 08:32:36PM -0800, Ryan LeBlanc wrote:
> I am wondering if any of you could help me with setting up POP before SMTP
> relay. I have tpop3d working with Exim, and mysql, using vmail-sql.
> I just don't really know where to begin. So, any nudges in the right
> direction would be appreciated.
I take it that you have read the FAQ entry on this:
1. How can I do POP-before-SMTP relaying with tpop3d?
The game here is to have some table which your MTA consults to determine
whether a client may relay through this server. Successful POP connections
cause the connected host to be allowed to relay for a few minutes, so that
a client whose PC-based MUA retrieves mail and then sends other mail can be
allowed to do so without opening your server to all sorts of bad
There are two basic approaches:
- watch the system log for a tell-tale line, and use this to trigger
addition of an entry to a table;
- have the POP server set this up itself.
For the first approach, a suitable log line to use will (ignoring the date,
time, process name and PID generated by syslog) look like:
fork_child: chris(10.73.32.1): successfully authenticated with pam
A perl statement to parse this looks like

    ($user, $host, $method) =
        ($line =~ m/^fork_child:\ (?:\[\d+\])?   # PID prefix may be absent
                    ([^\s(]+)\(([0-9.]+)\):
                    \ successfully\ authenticated\ with\ ([^\s]+)$/x);

where $line contains the part of the syslog line corresponding to the
example shown above.
Bear in mind that this syslog-watching approach is only as secure as the
contents of your system log, by which I mean `not very':
$ logger -t 'tpop3d' -p mail.info \
'fork_child: billg(22.214.171.124) successfully authenticated with pam'
Of course, this may not be an issue if there are no shell users on your
POP3 server system, though you might want to think carefully about whether
any other process on your system could be tricked into writing a log line of
the above form.
The alternative is to have tpop3d trigger addition of a client to the
allowed-to-relay table. If you are happy to alter the C code, then the best
thing to do is to insert some code at the same place that the above log
line is generated to do whatever book-keeping you need. This is in the
function fork_child in main.c. Alternatively, you could write an auth-perl
or auth-other authenticator which did the dirty work for cases of successful
authentication. Of course, this means that you have to implement the
authentication yourself, too, which is slightly wasteful.
If there's enough demand, I may add configurable hooks for this sort of
``Do we really need two North Dakotas?
I mean, we already have South Dakota as an emergency spare.'' (Scott Adams)
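The log-watching approach described in the reply, as an added example that is not part of the original post or of tpop3d: a strict parser for the "successfully authenticated" line plus an expiring allowed-to-relay table. The syslog prefix layout, the five-minute window, and the sample log lines are assumptions constructed for the example.

```python
import re

# Message part of the tpop3d log line (after the syslog prefix). The FAQ's
# Perl regex expects an optional "[pid]" before the user name; it is optional
# here so both forms are accepted. Anchored at both ends so trailing junk or a
# missing ": " after the host is rejected.
AUTH_RE = re.compile(r'^fork_child: (?:\[\d+\])?([^\s(]+)\(([0-9.]+)\): '
                     r'successfully authenticated with (\S+)$')
# Assumed syslog prefix of a traditional syslogd: date, host, "tpop3d[pid]: ".
SYSLOG_RE = re.compile(r'^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ tpop3d\[\d+\]: (.*)$')

def parse_auth_line(line):
    """Return (user, host, method), or None unless the line is exactly a
    tpop3d 'successfully authenticated' record with a dotted-quad host."""
    m = SYSLOG_RE.match(line)
    if m:
        m = AUTH_RE.match(m.group(1))
    if not m:
        return None
    user, host, method = m.groups()
    octets = host.split('.')
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return user, host, method

class RelayTable:
    """host -> expiry time. The MTA would consult this (e.g. as a DB table)
    when deciding whether a connecting client may relay."""
    def __init__(self, window=5 * 60):  # assumed window: five minutes
        self.window = window
        self.entries = {}

    def feed(self, line, now):
        """Process one syslog line; True if a host was (re)admitted."""
        parsed = parse_auth_line(line)
        if parsed is None:
            return False
        self.entries[parsed[1]] = now + self.window
        return True

    def may_relay(self, host, now):
        expiry = self.entries.get(host)
        if expiry is not None and now < expiry:
            return True
        self.entries.pop(host, None)  # expired or unknown: drop it
        return False

# Constructed sample log (not real traffic); the third line mimics the
# logger(1) spoof from the post, which lacks the ': ' after the host.
SAMPLE_LOG = [
    "Jan  9 16:24:26 pophost tpop3d[2314]: fork_child: chris(10.73.32.1): successfully authenticated with pam",
    "Jan  9 16:25:01 pophost tpop3d[2315]: fork_child: [2315]alice(192.0.2.7): successfully authenticated with mysql",
    "Jan  9 16:25:30 pophost tpop3d[2316]: fork_child: billg(192.0.2.9) successfully authenticated with pam",
    "Jan  9 16:26:00 pophost sshd[99]: Accepted password for chris from 10.73.32.1 port 5000 ssh2",
]
```

A spoofed line that copies the format exactly would still be accepted, which is the post's point: strict parsing only filters malformed lines, it does not make the log trustworthy.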