[tpop3d-discuss] setting up POP before relay

Chris Lightfoot chris at ex-parrot.com
Wed, 9 Jan 2002 16:24:26 +0000

On Wed, Jan 09, 2002 at 08:32:36PM -0800, Ryan LeBlanc wrote:
> Hi,
> I am wondering if any of you could help me with setting up POP before SMTP
> relay.  I have tpop3d working with Exim, and mysql, using vmail-sql.
> I just don't really know where to begin.  So, any nudges in the right
> direction would be appreciated.

I take it that you have read the FAQ entry on this:

1. How can I do POP-before-SMTP relaying with tpop3d?

   The game here is to have some table which your MTA consults to determine
   whether a client may relay through this server. Successful POP connections
   cause the connected host to be allowed to relay for a few minutes, so that
   a client whose PC-based MUA retrieves mail and then sends other mail can be
   allowed to do so without opening your server to all sorts of bad
   spam-related abuse.
   There are two basic approaches:
        - watch the system log for a tell-tale line, and use this to trigger
          addition of an entry to a table;
        - have the POP server set this up itself.
   For the first approach, a suitable log line to use will (ignoring the date,
   time, process name and PID generated by syslog) look like: 
       fork_child: [6]chris( successfully authenticated with pam
   A perl statement to parse this looks like
       $user, $host, $method) =
           ($line =~ m/^fork_child:\ \[\d+\]([^\s(]+)\(([0-9.]+)\):
                           \ successfully\ authenticated\ with\ ([^\s]+)$/x);
   where $line contains the part of the syslog line corresponding to the
   example shown above.
   Bear in mind that this syslog-watching approach is only as secure as the
   contents of your system log, by which I mean `not very':
   $ logger -t 'tpop3d[1234]' -p mail.info \
       'fork_child: [42]billg( successfully authenticated with pam' 
   Of course, this may not be an issue if there are no shell users on your
   POP3 server system, though you might want to think carefully about whether
   any other process on your system could be tricked into writing a log line of
   the above form.

   The alternative is to have tpop3d trigger addition of a client to the
   allowed-to-relay table. If you are happy to alter the C code, then the best
   thing to do is to insert some code at the same place that the above log
   line is generated to do whatever book-keeping you need. This is in the
   function fork_child in main.c. Alternatively, you could write an auth-perl
   or auth-other authenticator which did the dirty work for cases of successful
   authentication. Of course, this means that you have to implement the
   authentication yourself, too, which is slightly wasteful.

   If there's enough demand, I may add configurable hooks for this sort of

 ``Do we really need two North Dakotas?
   I mean, we already have South Dakota as an emergency spare.'' (Scott Adams)