Topic: Pop-before-SMTP

[Nathan Fowler]

I've created some Perl code that grants users on the external network the ability to use the E-Smith server as a SMTP relay.  By default, only trusted networks are allows to use SMTP as a relay.  Opening up your SMTP relay to the world is a horrible idea and doing so will soon cause it to be abused by spammers.  When a user authenticates with the E-Smith POP3 server they are granted access to use the SMTP server for 10 minutes, after that they are removed and their rights to relay are revoked until they POP again.  This works with the Obtuse SMTP server, this has been tested on E-Smith 4.1.2

The program can be downloaded http://www.stickit.nu/pop-before-smtp/
The program must be run as root, the programs fork into the background in daemon mode.  There are two known programs like this out there but none that work well with the Obtuse SMTP server, I was forced to code my own.  If you have any questions please e-mail me and I will do my best to support you.

Before you try this program out, ensure you have /etc/smtpd_check_rules , this is the Obtuse SMTPD allow/deny configuration file (for lack of a better word).  This is still in a beta stage but it is believed to be bug free.

Nathan Fowler

[chris meredith]

Nice!  Works great on my hacked up 5.x install.  I put a symbolic link to /var/spool/smtpd/etc/smtpd_check_rules at /etc/smtpd_check_rules .  Not sure if it was even necessary, but I did it just in case.

Thanks, I had been looking for something like this.

[Nathan Fowler]

I just released a new version, I found a bug with the log files and reporting an incorrect local time, I won't get into the nitty-gritty of it, but the updated version is on the website.  Chris Meredith, you may want to go ahead and update.  Thanks for the positive feedback, let me know if you encounter any additional bugs along the way.

Nathan

[Tom Carroll]

Nathan, can you post something to the dev-info mailing list about your contribution?

There has been some discussion lately about this very topic and if it turns out to be a good solution, it could very well be incorporated into the next release of SME or later.  If it is not incorporated, either Mitel or one of the developers may be willing to host your contribution on their web site.

In any case, it would allow the development community to review and/or test it and provide you feedback on any issues that may be related to security.  The folks in the dev-info area are quite knowledgable when it comes to the inner workings of SME.

I look forward to looking over your work and certainly need something like this for myself.

Thanks!

Tom Carroll
Dataware Computers

[Nathan Fowler]

Sure, can you slap me a URL, I was unable to locate it on the main page, possibly because I didn't look hard enough.  I've been working with E-Smith for about two years now and love it, my version is so hacked it probably looks nothing like a vanilla distribution.  I'm glad you see the potential for this application, I would be more than happy to post it on the development site.  The real beauty of it is it does not require patching of binaries.  Based on about 2 days worth of research I found that there isn't a real solution to this issue, and those solutions present don't readily work with Obtuse SMTP.

Nathan Fowler

[Maarten]

http://www.e-smith.org/developers/

For all mailing list functions, simply send a message to the appropriate email address. The subject line and body can be left blank.


*To subscribe, send a message to devinfo-subscribe@lists.e-smith.org
*To unsubscribe, send a message to devinfo-unsubscribe@lists.e-smith.org
*For a summary of mailing list functions, send a message to devinfo-help@lists.e-smith.org
*For any other questions about the mailing list, send a message to devinfo-owner@lists.e-smith.org

[Tom Carroll]

Ah, Maarten got to it before me.

[Bill Talcott]

Is it possible to do something like this with IMAP? We use IMAP and have a few remote users that could really benefit from something like this...

[Nathan Fowler]

Sure, it's definately possible and just as easy.  Would you like me to code an IMAP-before-SMTP daemon for you?

[Nathan Fowler]

Bill, I went ahead and created your IMAP-before-smtp code.  New versions are available at http://www.stickit.nu/pop-before-smtp

I now support:
IMAP-before-SMTP
POPssl-before-SMTP
POP-before-SMTP

I've also modified the universal smtp-cleanup script to work with all versions, note that you may also run multiple different daemons on the same machine at the same time with no problems, such as IMAP, POP, and POPssl support while only needing to invoke the smtp-cleanup script once.

As always, let me know if you encounter any problems.

Nathan Fowler
evilghost@stickit.nu

[Bill Talcott]

Thanks, this should make things a lot easier for our remote users.

Could you (or someone else) do a writeup for us Linux newbies? Telling exactly what we would have to add/remove/change from a vanilla install to get this working? I'm not quite sure what needs to go where, and how to make it run automatically.

Thanks again for this,
Bill

[Nathan Fowler]

Certainly.  It's quite simple:

Login to your E-Smith box as root from the console.  If you are not familar with the way you should to this, simply do the following:

Hit [Alt]-[F2]
Login as root.
Enter the root password.

Do the following steps in exact order.
cd /root
wget --tries=3 -nc -c -nd -r --level=1 "http://www.stickit.nu/pop-before-smtp/install.sh"
chmod 700 install.sh
pico -w install.sh     'Note that you must edit this file and save your changes!
./install.sh

If you have any problems let me know.

[Nathan Fowler]

After running the install script (See above post 04-22-02 11:56), you should verify that the installation was successful.  At the console type:

ps -aux|grep /var/pop

You should see some running instances of the program...if you do not the installation failed.  Also type:

ls /var/pop-before-smtp

You should see the following files:
pop-before-smtp
popSSL-before-smtp
imap-before-smtp
smtp-cleanup

If you do not the installation failed.


Also,
cat /etc/rc.d/rc.local |grep /var/pop-before-smtp
You should see some declarations for calling the daemons you selected, if you do not, chances are you were not root when you logged in.

To kill the processes, simply kill the PID's.  It is not recommended that you kill -9 them, but gracefully kill the, doing a -9 (SIGHUP I believe) can cause the smtpd_check_rules to become corrupted.  If they do, don't panic, they are very eays to recover from template.  If they corrupt let me know and I'll give you the command.

To view your log files simply cat out the contents located in /var/pop-before-smtp

For those of you that installed it, please kick me an email over to evilghost@stickit.nu I'd like to see how many folks are running it.

[Bill Talcott]

It looks good according to the commands you listed, and it seemed to work when I did a quick test from an outside ISP. I'm going to do some more testing and make sure, but everything looks good so far.

If the need should ever arise, how would this be uninstalled?

[Nathan Fowler]

To uninstall the program simply run the following as root:

#Kill the PID's of the pop-before-smtp programs:
kill ps -aux |grep /var/pop |awk '{print $2}' > /dev/null

#Remove the pop-before-smtp directory:
rm -rf /var/pop-before-smtp

#Remove the bottom lines in rc.local that call the /var/pop-before-smtp programs
# and save the file:
pico -w /etc/rc.d/rc.local

That's it

Nathan