1

Topic: POP Before SMTP Possible

We have a support nightmare. 2000+ users and they are not set up using smtp-auth.

Is there a way to get pop before smtp working on iredmail?

I have the pop-before-smtp.pl running, it is creating the pop-before-smtp.db but I cannot get postfix to honor both pop-before-smtp and smtp auth.

Thanks,

Jerry

2

Re: POP Before SMTP Possible

There are some add-ons on the Postfix web site; search for 'pop-before-smtp' on this page:
http://www.postfix.com/addon.html

And does this tutorial help:
http://www.arschkrebs.de/postfix/postfi … p_en.shtml

3

Re: POP Before SMTP Possible

ZhangHuangbin wrote:

There are some add-ons on the Postfix web site; search for 'pop-before-smtp' on this page:
http://www.postfix.com/addon.html

And does this tutorial help:
http://www.arschkrebs.de/postfix/postfi … p_en.shtml

Thank you for the quick response,

I have followed the tutorials and have everything functioning, for example:
postmap -q 67.223.87.254 hash:/etc/postfix/pop-before-smtp returns OK.

Yet the server responds
553 Sender address rejected: not logged in.

Is there an additional step to using mysql - vmail tables with smtp-auth?

4

Re: POP Before SMTP Possible

JerryAllen wrote:

Is there an additional step to using mysql - vmail tables with smtp-auth?

Maybe you can hack pop-before-smtp.pl to query virtual users from MySQL, but I'm not familiar with the Perl programming language and haven't tested this before. Sorry.

5

Re: POP Before SMTP Possible

After reading some tutorials, I think you can implement it like this:

  • Track the user's last login IP via Dovecot, which provides POP3/IMAP services in iRedMail. A tutorial is available for iRedMail; it's able to update the user's last login IP address, date, and mail protocol (pop3/imap) in a plain text file, SQL or LDAP.

  • Let Postfix query the user's last login IP from the vmail.mailbox table.

  • Additionally: If you want to define a timeout period, you can compare the current date with the last login date.

With these steps, it seems you don't need an additional pop-before-smtp program.

6

Re: POP Before SMTP Possible

ZhangHuangbin wrote:
JerryAllen wrote:

Is there an additional step to using mysql - vmail tables with smtp-auth?

Maybe you can hack pop-before-smtp.pl to query virtual users from MySQL, but I'm not familiar with the Perl programming language and haven't tested this before. Sorry.

smtpd_sender_login_maps is where smtpauth all occurs?

I am drowning.

Jerry

7

Re: POP Before SMTP Possible

smtpd_sender_login_maps, smtpd_sender_restrictions

8

Re: POP Before SMTP Possible

ZhangHuangbin wrote:

smtpd_sender_login_maps, smtpd_sender_restrictions


If you disable mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpauth and pop before smtp work.

What are we missing without mysql:/etc/postfix/mysql_sender_login_maps.cf?

Jerry

9

Re: POP Before SMTP Possible

Reference: http://www.postfix.org/postconf.5.html# … login_maps

10

Re: POP Before SMTP Possible

JerryAllen wrote:
ZhangHuangbin wrote:

smtpd_sender_login_maps, smtpd_sender_restrictions


If you disable mysql:/etc/postfix/mysql_sender_login_maps.cf

smtpauth and pop before smtp work.

What are we missing without mysql:/etc/postfix/mysql_sender_login_maps.cf?

Jerry

The real issue is around
reject_sender_login_mismatch (http://www.postfix.org/uce.html#reject_ … n_mismatch)
The way I read it and the way it works for me at least is, if you have both set, you in effect enforce smtpauth

Problem solved for the most part.

Thank you for your responses.

Jerry

11

Re: POP Before SMTP Possible

Would you mind sharing the details of how you solved this issue?

12 (edited by JerryAllen 2010-01-13 15:36:19)

Re: POP Before SMTP Possible

ZhangHuangbin wrote:

Would you mind sharing the details of how you solved this issue?

My understanding of this is as follows:

In the link above
quote
reject_sender_login_mismatch
    Reject the request when $smtpd_sender_owner_maps specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that MAIL FROM address owner; or when the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps.
/quote

This refers to smtpd_sender_owner_maps, the way I read this is if I am not SASL logged in postfix will refuse the mail when smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf is defined.

I first had a consultant look at it; he disabled smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf. Then I read some more, and if both are set I believe you enforce smtpauth with the sending email address being required to match the auth address 100%.

In addition, if you have a user that is johndoe@domain.com and they try to send email from their office using your isp mail server and their sender email address is johndoe@work-domain.com, if reject_sender_login_mismatch is set, the mail will not be accepted.

In a very strict environment this is acceptable, in the real user non-corporate world it is too strict.

Jerry

13

Re: POP Before SMTP Possible

You can try to replace 'reject_sender_login_mismatch' by 'reject_unauthenticated_sender_login_mismatch'.

14 (edited by JerryAllen 2010-01-13 15:40:15)

Re: POP Before SMTP Possible

I think that since it is not sasl or smtpauth the result will be denied sending mail for pop-auth users.
ref. http://www.postfix.org/uce.html#reject_ … n_mismatch
I may try it when the system slows down or on a test system later.

Thank you very much for the discussions here.

Jerry

15

Re: POP Before SMTP Possible

If you use pop-before-smtp, you don't need 'reject_xxx_sender_login_mismatch'. My mistake, sorry.
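The behaviour of the three restrictions discussed in posts 10 to 15, as an added example that is not part of the original thread and not Postfix code. It is a simplified Python model of the documented semantics only (no restriction ordering, no access maps); `LOGIN_MAPS` is a constructed stand-in for the `smtpd_sender_login_maps` lookup, and `Session` and `verdicts` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Session:
    mail_from: str
    sasl_login: Optional[str] = None  # None: no SMTP AUTH, e.g. a pop-before-smtp client

# Constructed stand-in for smtpd_sender_login_maps: sender address -> owning logins.
LOGIN_MAPS: Dict[str, Set[str]] = {"johndoe@domain.com": {"johndoe@domain.com"}}

def owners(sender: str, maps: Dict[str, Set[str]]) -> Set[str]:
    return maps.get(sender.lower(), set())

def unauthenticated_mismatch(s: Session, maps) -> bool:
    """reject_unauthenticated_sender_login_mismatch: the sender address has
    an owner, but the client did not log in with SASL."""
    return s.sasl_login is None and bool(owners(s.mail_from, maps))

def authenticated_mismatch(s: Session, maps) -> bool:
    """reject_authenticated_sender_login_mismatch: the client logged in with
    SASL, but that login does not own the sender address."""
    return s.sasl_login is not None and s.sasl_login not in owners(s.mail_from, maps)

def verdicts(s: Session, maps=LOGIN_MAPS) -> Dict[str, str]:
    unauth = unauthenticated_mismatch(s, maps)
    auth = authenticated_mismatch(s, maps)
    text = lambda hit: "REJECT" if hit else "pass"
    return {
        # reject_sender_login_mismatch is the union of the two narrower checks.
        "reject_sender_login_mismatch": text(unauth or auth),
        "reject_unauthenticated_sender_login_mismatch": text(unauth),
        "reject_authenticated_sender_login_mismatch": text(auth),
    }

if __name__ == "__main__":
    cases = {
        "pop-before-smtp client, own address": Session("johndoe@domain.com"),
        "SASL login, own address": Session("johndoe@domain.com", "johndoe@domain.com"),
        "SASL login, work address": Session("johndoe@work-domain.com", "johndoe@domain.com"),
    }
    for label, session in cases.items():
        print(label, verdicts(session))
```

In this model only `reject_authenticated_sender_login_mismatch` lets a pop-before-smtp client through while still checking address ownership for clients that do use SMTP AUTH. Pop-before-smtp authorizes an IP address rather than a login, so no restriction can tie such a client's MAIL FROM to an account.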

16

Re: POP Before SMTP Possible

Hi,

I'm trying to implement pop-before-smtp on our server. I've followed the procedure mentioned here, but got stuck on the pop-before-smtp $pat pattern. The dovecot log format is like this:

2011.05.13-14:54:58, test@xyz.com, 180.234.47.11, pop3
2011.05.13-14:57:26, test@xyz.com, 180.234.47.12, pop3
2011.05.13-14:57:54, www@somedomain.com, 66.22.22.124, imap
2011.05.13-14:57:55, www@somedomain.com, 66.22.22.124, imap
2011.05.13-15:03:08, www@somedomain.com, 66.22.22.124, pop3

The pop-before-smtp script by default offers the following patterns for Dovecot, but they're not working for me.

Code:
# For Dovecot POP3/IMAP when using syslog.
$pat = '^[LOGTIME] \S+ (?:dovecot: )?(?:imap|pop3)-login: ' .
    'Login: .*? (?:\[|rip=)[:f]*(\d+\.\d+\.\d+\.\d+)[],]';
$out_pat = '^[LOGTIME] \S+ (?:dovecot: )?(?:imap|pop3)-login: ' .
    'Disconnected.*? (?:\[|rip=)[:f]*(\d+\.\d+\.\d+\.\d+)[],]';

# For Dovecot POP3/IMAP when it does its own logging.
$logtime_pat = '(\d\d\d\d-\d+-\d+ \d+:\d+:\d+)';
$pat = '^dovecot: [LOGTIME] Info: (?:imap|pop3)-login: ' .
    'Login: .+? rip=[:f]*(\d+\.\d+\.\d+\.\d+),';
$out_pat = '^dovecot: [LOGTIME] Info: (?:imap|pop3)-login: ' .
    'Disconnected.*? rip=[:f]*(\d+\.\d+\.\d+\.\d+),';

# For older Dovecot POP3/IMAP when it does its own logging.
$pat = '^(?:imap|pop3)-login: [LOGTIME] Info: ' .
    'Login: \S+ \[[:f]*(\d+\.\d+\.\d+\.\d+)\]';
$out_pat = '^(?:imap|pop3)-login: [LOGTIME] Info: ' .
    'Disconnected.*? \[[:f]*(\d+\.\d+\.\d+\.\d+)\]';

Pop-before-smtp needs to read the IP from the log by regex.

Thanks for your help in advance.

17 (edited by saif 2011-05-16 21:18:01)

Re: POP Before SMTP Possible

I've got it working with this regex format:

$pat = '^(\d\d\d\d-\d+-\d+ \d+:\d+:\d+) (?:imap|pop3)-login: Info: ' .
    'Login: .*? (?:\[|rip=)[:f]*(\d+\.\d+\.\d+\.\d+)[],]';

I've enabled pop before smtp to read dovecot's own log file located in /var/log/dovecot.log. Enable the logging feature in dovecot before enabling pop-before-smtp.
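A strict parser for the last-login tracking format shown in post 16, combined with the timeout comparison suggested in post 5, as an added example that is not part of the original posts and not pop-before-smtp's own code. It is written in Python rather than Perl; the 30-minute grace window and the names `parse` and `allowed_ips` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Whole-line, anchored match: timestamp, user, IPv4 address, protocol.
LINE = re.compile(
    r"^(\d{4}\.\d\d\.\d\d-\d\d:\d\d:\d\d), (\S+), "
    r"(\d{1,3}(?:\.\d{1,3}){3}), (pop3|imap)$"
)
GRACE = timedelta(minutes=30)  # assumed window, not a value from the thread

# Lines copied from post 16, plus one constructed malformed line (999.1.1.1).
SAMPLE = """\
2011.05.13-14:54:58, test@xyz.com, 180.234.47.11, pop3
2011.05.13-14:57:26, test@xyz.com, 180.234.47.12, pop3
2011.05.13-14:57:54, www@somedomain.com, 66.22.22.124, imap
2011.05.13-15:03:08, www@somedomain.com, 66.22.22.124, pop3
2011.05.13-15:04:00, x@xyz.com, 999.1.1.1, pop3
""".splitlines()

def parse(line):
    """Return (timestamp, user, ip, protocol), or None for anything malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, user, ip, proto = m.groups()
    if any(int(octet) > 255 for octet in ip.split(".")):
        return None
    try:
        when = datetime.strptime(ts, "%Y.%m.%d-%H:%M:%S")
    except ValueError:  # e.g. month 13
        return None
    return when, user, ip, proto

def allowed_ips(lines, now, grace=GRACE):
    """Map each IP whose latest login is within the grace window to its user."""
    latest = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        when, user, ip, _ = rec
        if ip not in latest or when > latest[ip][0]:
            latest[ip] = (when, user)
    # Timestamps in the future are ignored instead of being trusted.
    return {ip: user for ip, (when, user) in latest.items()
            if timedelta(0) <= now - when <= grace}

if __name__ == "__main__":
    print(allowed_ips(SAMPLE, datetime(2011, 5, 13, 15, 26, 0)))
```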

18

Re: POP Before SMTP Possible

Hi Zhang,

I've enabled popb4smtp as JerryAllen did. It's holding the IP in the database. I've disabled "smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf" and removed "reject_sender_login_mismatch". I'm getting this error:


May 17 09:07:25 mail postfix/smtpd[6371]: connect from unknown[117.58.246.10]
May 17 09:07:27 mail postfix/smtpd[6371]: NOQUEUE: reject: RCPT from unknown[117.58.246.10]: 554 5.7.1 <unknown[117.58.246.10]>: Client host rejected: Access denied; from=<test@example.com> to=<test@test.com> proto=ESMTP helo=<[10.110.1.11]>

Is this because the IP 117.58.246.10 doesn't have a DNS record? How can I send email from this type of IP, which doesn't have a DNS entry? Another thing is that I can connect to port 587 from the email client to send email but can't connect to port 25.

Thank you for the nice co-operation.