SMTP-AFTER-POPD(8)

SMTP-AFTER-POPD(8) Unix System Manager's Manual SMTP-AFTER-POPD(8)

NAME

smtp-after-popd -- an SMTP-after-POP daemon for systems running Postfix with vm-pop3d, ipop3d, or UW imapd

SYNOPSIS

nohup /usr/sbin/smtp-after-popd &

VERSION

Version 0.5, 08/28/2005

WHERE TO GET

Download from our web server

DESCRIPTION

Temporarily authorizes trusted outgoing SMTP mail transmissions from IP addresses which have authenticated to receive incoming mail via the ipop3d or vm-pop3d POP protocol daemons. In its default configuration, smtp-after-popd grants a two-minute window for outgoing mail delivery beginning when a valid POP login is detected.

smtp-after-popd recognizes valid POP login activity by parsing /var/log/maillog, by default, or another syslogd-produced log file containing records of POP daemon activity. This avoids the need for any special modifications to the POP daemons. smtp-after-popd "watches" the mail log file efficiently, keeping track of its current read position and yielding the CPU briefly between checks for new activity. When and only when it is determined that the set of IP addresses that should be permitted to send mail has changed, smtp-after-popd updates a Postfix hash and executes postmap to make Postfix aware of it. In active use for several years, smtp-after-popd has never taken up significant CPU time.

smtp-after-popd is typically launched at boot time, using the following syntax:

nohup /usr/local/sbin/smtp-after-popd &

As it is implemented as a simple Perl script, smtp-after-popd does not currently redirect its output or automatically run in the background. Use nohup to solve the first problem and & to solve the second.

CONFIGURATION REQUIREMENTS

Before smtp-after-popd can be used, it must be configured. Copy smtp-after-popd to /usr/local/sbin and edit the file with your preferred text editor. The necessary changes are explained there in comments.

Administrators wishing to use smtp-after-popd must also make a small modification to /etc/postfix/main.cf. The smtpd_recipient_restrictions block must include a check_client_access step that looks at the Postfix hash updated by smtp-after-popd. For example:

smtpd_recipient_restrictions = permit_mynetworks,reject_non_fqdn_recipient,
  check_client_access hash:$config_directory/authenticated_ips,
  reject_unauth_destination

This is ONLY AN EXAMPLE. Your recipient restrictions block may be more complex. I am not attempting to document what your overall best practice there should be. Just make sure check_client_access precedes any reject commands that it should override. You may have more than one check_client_access block in order to allow various fixed "trusted" IPs to send mail.

Upgrade note: WITH VERSION 0.5, you NO LONGER want the mynetworks option to reference anything done by smtp-after-popd, and you may need to restore it to its original setting, possibly found in the $defaultNetworks setting of your installed copy of smtp-after-popd version 0.4. New users of smtp-after-popd shouldn't need to worry about this.

BUGS

smtp-after-popd does not automatically redirect its output or go into the background; use nohup and & to handle this. There is a theoretical possibility that smtp-after-popd will read only part of a line from the mail log file, possibly resulting in a missed POP login; however, in tests to date, this does not actually appear to happen. A fix for this theoretical problem could be made by checking for the presence of a newline at the end of the data read and, if none, rolling back the seek pointer to the location of the last newline read.
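The newline check and seek rollback suggested above, combined with the two-minute window and the change-only update from DESCRIPTION, as an added example in Python (not smtp-after-popd's own Perl code). The log line format, sample lines, and the names LOGIN_RE, read_complete_lines and Tracker are assumptions constructed for illustration; a non-None result from poll() marks the moment the real daemon would rewrite its Postfix hash and run postmap.

```python
import os
import re
import tempfile

WINDOW = 120  # seconds; the two-minute default described on this page

# Hypothetical log format (constructed for this example, not the daemons' exact output).
# Anchored on the syslog prefix so text inside a user name cannot pose as a record.
LOGIN_RE = re.compile(
    rb"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ipop3d\[\d+\]: "
    rb"Login user=\S+ host=\S* ?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def read_complete_lines(fh, pos):
    """Read from pos; return (complete lines, new pos). A trailing fragment
    with no newline is left unread by rolling the position back."""
    fh.seek(pos)
    data = fh.read()
    end = data.rfind(b"\n") + 1          # 0 when no newline was read at all
    return data[:end].splitlines(), pos + end

class Tracker:
    def __init__(self):
        self.pos = 0
        self.expiry = {}                 # ip -> time the window closes

    def poll(self, fh, now):
        """Return the new set of allowed IPs if it changed, else None."""
        before = set(self.expiry)
        lines, self.pos = read_complete_lines(fh, self.pos)
        for line in lines:
            m = LOGIN_RE.match(line)
            if m:
                self.expiry[m.group(1).decode()] = now + WINDOW
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}
        after = set(self.expiry)
        return after if after != before else None

def demo():
    """Constructed log; returns what poll() reports at each step."""
    good = b"Aug 28 12:00:00 mx ipop3d[410]: Login user=alice host=c.example [192.0.2.10] nmsgs=0/0\n"
    fake = b"Aug 28 12:00:05 mx ipop3d[411]: Login failure user=Login user=a host=[203.0.113.9]\n"
    t, out = Tracker(), []
    with tempfile.TemporaryFile() as fh:
        for chunk, now in ((good[:40], 0), (good[40:] + fake, 1), (b"", 60), (b"", 121)):
            fh.seek(0, os.SEEK_END)
            fh.write(chunk)
            fh.flush()
            out.append(t.poll(fh, now))
    return out
```

In demo(), the first poll sees only a fragment of the login line and grants nothing; the second sees the completed line and authorizes one address, while the failed login carrying record-like text in its user field is ignored.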

smtp-after-popd should probably log its own activity.

CHANGES

Version 0.5 uses a Postfix hash instead of restarting Postfix. Version 0.5 also recognizes imapd log output beginning with Authenticated as well as just Auth.

Version 0.4 added more rigorous regular expressions to match the output of vm-pop3d and ipop3d more closely so that a clever login attempt cannot spoof the system. Thanks to Jorey Bump. Version 0.4 also added support for UW imapd, a trivial addition to the regexp list.

LICENSE

Copyright (c) 2003, 2004, 2005, Thomas Boutell and Boutell.Com, Inc. This software is released for free use under the terms of the GNU General Public License, version 2 or higher.

CONTACT INFORMATION

See the smtp-after-popd web page for the latest release. See our contact page to contact us.

THANKS

Thanks are due to the denizens of Nerdsholm, especially dawn and Rocco Caputo, and many others who have contributed encouragement and/or source code to this and other open software projects.


Copyright 1994-2014 Boutell.Com, Inc. All Rights Reserved.