
popbsmtpd-users
[EnGarde] Re: pop-before-smtp daemon
Awesome!! I too am really looking forward to this, so I can finally become
a secure open relay. My users access my mail server from EVERYWHERE so
it's impossible (it was) for me to allow usage of SMTP at all. So my
clients had to use this squirrelmail to send via sendmail. Now, they can
enjoy SMTP after they initially used the POP. And I am assuming here, but
I am 90% sure that POP-BEFORE-SMTP will also mean IMAP is acceptable?
Also, Ryan or someone, please enlighten me again on how to become an open
relay... Thanks!
>
> Awesome!! I am really looking forward to this as it would solve a lot
> of problems.
>
> Please keep me informed (eg. add me to the mailing list if you can). I
> will even post a link on my website if you want :)
>
> Hopefully someone will take it upon themselves to write an rpm for
> Engarde so it can be installed easily :)
>
> Yours,
>
> Leon Letto
>
> -----Original Message-----
> From: Marcus Redivo
> Sent: Thursday, August 08, 2002 9:39 PM
> To: Engarde-Users
> Subject: [EnGarde] pop-before-smtp daemon
>
>
>
> Hello Ryan and list,
>
> I have written a pop-before-smtp daemon in C, which I am testing now
> before I make it publicly available for download. I would like to get
> comments on the architecture I have chosen from those more knowledgeable
> than me.
>
> So far, it works like a charm, and uses very few resources. If no-one
> points out a problem, it is almost ready to post for download. What
> remains is a security audit; buffer overflows, dealing with malicious
> input, etc. This was kept in mind while writing the code, but another
> look after the fact is always good.
>
> Background (I know, I know, most of you don't need it...):
>
> Mail servers are usually configured to deny relaying mail unless it
> originates on the local network, or is destined for a local user. When a
> user travels, they are no longer on the local network, so the server
> refuses to relay their mail. Basic SMTP has no
> identification/authorization capabilities that the mail server can
> trust, so the user is out of luck.
>
> However, when the user _retrieves_ mail via POP, that is an
> authentication we can trust. All we need to do is capture the user's
> current IP address, and then permit relaying from that IP address for a
> limited length of time; problem solved. The program I wrote does just
> that.
>
> Here's how it works:
>
> As a source of login information, I have added a new destination pipe to
> my syslog-ng configuration. My program listens on this pipe, and
> responds to logins by writing entries to a hash DB checked by Postfix.
> It also wakes up when the oldest entry reaches its expiry time, and
> deletes the entry from the hash DB. This repeats indefinitely.
>
> Here is the syslog-ng additional configuration:
>
> ---syslog-ng.conf---
> destination spop3 { pipe("/var/log/spop3.log"); };
> filter f_spop3 { match("stunnel"); };
> log { source(src); filter(f_spop3); destination(spop3); };
> ---syslog-ng.conf---
>
> I created the pipe with mkfifo, mode "prw-------". The entries that
> appear on it are of the form
>
> ---/var/log/spop3.log---
> Aug 6 14:10:11 spruce stunnel[27983]: spop3 connected from
> 192.168.1.14:3228
> Aug 6 14:10:12 spruce stunnel[27983]: Connection closed: 136 bytes sent
> to SSL, 36 bytes sent to socket
> ---/var/log/spop3.log---
>
> I ignore all lines except the ones containing "spop3 connected from",
> and extract the IP address and timestamp from them.
>
> All the rest is just programming. My questions:
>
> -- If my daemon stops for any reason, what happens to the data that
> syslog-ng writes to the pipe? Can this cause syslog to block, or
> otherwise hang the system?
>
> -- Would it be better to use a unix-stream (mode "srw-------")? I can't
> even find out how to create one of these in the file system, let alone
> compare tradeoffs with what mkfifo creates.
>
> (Note: while I have a long history of (non-MS) programming, I have only
> recently become exposed to UNIX. Too bad it took so long...)
>
> All comments/pointers are welcome, as are expressions of interest in
> using it. (You may want to respond off-list, to keep traffic down.)
>
> Thanks in advance,
> Marcus Redivo
>
> The Binary Tool Foundry
> http://www.binarytool.com
>
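The pipe-reader logic Marcus describes (ignore every line except "spop3 connected from", pull out the IP address and timestamp, keep the address authorized for a limited time, drop it when the oldest entry expires) as an added example. This is not Marcus's C daemon and not any project's code: it is a Python sketch of the same state machine. Assumptions not in the post: a 30-minute relay window, the calendar year supplied by the caller (syslog timestamps carry none), the Postfix map text form `ip<TAB>OK` that `postmap` would compile into the hash DB, and the sample log lines, which are constructed after the two lines quoted in the post plus two deliberately malformed ones.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Only the login line matters; everything else on the pipe is ignored.
#   "Aug  6 14:10:11 spruce stunnel[27983]: spop3 connected from 192.168.1.14:3228"
# The pattern anchors both ends so trailing garbage cannot ride along into the map.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\S+ stunnel\[\d+\]: spop3 connected from "
    r"(?P<ip>[0-9.]{7,15}):\d{1,5}\s*$"
)


def parse_login(line, year):
    """Return (ip, timestamp) for an 'spop3 connected from' line, else None.

    The year is an assumption supplied by the caller because the syslog
    timestamp format has none. The address is re-parsed by ipaddress so that
    something like 999.1.1.1, which the regex alone accepts, is rejected.
    """
    m = LOGIN_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group("ip")))
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    except ValueError:  # bad octet or impossible date
        return None
    return ip, ts


class RelayTable:
    """Authorized client addresses with expiry; stands in for the hash DB Postfix reads."""

    def __init__(self, ttl=timedelta(minutes=30)):  # 30 min is an assumed window
        self.ttl = ttl
        self._expires = {}  # ip -> expiry datetime

    def record(self, ip, ts):
        # A new login extends the window; it never shortens an existing one.
        new_expiry = ts + self.ttl
        if new_expiry > self._expires.get(ip, datetime.min):
            self._expires[ip] = new_expiry

    def next_expiry(self):
        """When the daemon should next wake up (None if the table is empty)."""
        return min(self._expires.values(), default=None)

    def expire(self, now):
        """Drop every entry whose window has closed; return the addresses removed."""
        gone = sorted(ip for ip, exp in self._expires.items() if exp <= now)
        for ip in gone:
            del self._expires[ip]
        return gone

    def active(self):
        return sorted(self._expires)

    def postfix_access_lines(self):
        # Text form of the access map; `postmap hash:/path` compiles this into the DB.
        return [f"{ip}\tOK" for ip in self.active()]


def feed(table, lines, year):
    """Run a batch of pipe lines through the daemon logic; return the IPs recorded in order."""
    recorded = []
    for line in lines:
        parsed = parse_login(line, year)
        if parsed is None:
            continue
        ip, ts = parsed
        table.record(ip, ts)
        recorded.append(ip)
    return recorded


# Constructed sample input: the two lines from the post, one more login, and two
# malformed lines (out-of-range octet; junk appended after the port).
SAMPLE_LINES = [
    "Aug  6 14:10:11 spruce stunnel[27983]: spop3 connected from 192.168.1.14:3228",
    "Aug  6 14:10:12 spruce stunnel[27983]: Connection closed: 136 bytes sent to SSL, 36 bytes sent to socket",
    "Aug  6 14:25:40 spruce stunnel[28011]: spop3 connected from 10.0.0.7:51002",
    "Aug  6 14:26:00 spruce stunnel[28012]: spop3 connected from 999.1.1.1:1",
    "Aug  6 14:26:01 spruce stunnel[28013]: spop3 connected from 10.0.0.7:51003; OK",
]

if __name__ == "__main__":
    table = RelayTable()
    feed(table, SAMPLE_LINES, 2002)
    print("\n".join(table.postfix_access_lines()))
    # Simulate the wake-up at the oldest expiry and show what gets dropped.
    print("expired:", table.expire(table.next_expiry()))
    print("\n".join(table.postfix_access_lines()))
```

The parser treats the pipe as a plain iterable of lines, so the same logic serves whether the daemon ends up reading a FIFO or a socket; the point of validating the address with `ipaddress` and anchoring the regex at both ends is that nothing from the log line other than a well-formed dotted quad ever reaches the map Postfix trusts, which is the "dealing with malicious input" item on the post's audit list.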
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.6 on 2005-11-05 00:15:03 PST