Welcome!

This is the home of popAuth3, an enhanced POP-before-SMTP utility that also strengthens your mail server against abuse. This is a development site that contains the very latest version of this source code! This project is both protected and open under the terms of the GNU GPL. I have created this web site to field feedback on my adaptation of this project in order to further strengthen mail servers against the abuses we face today. At all times, keep in mind that popAuth3 is only one piece of a complete solution! In addition to installing popAuth3, it is still up to you to properly configure your MTA and install and maintain separate anti-virus and anti-spam software.

If you are looking for a quick-and-easy POP-before-SMTP solution (only) which can be easily plugged into postfix (and not the version here which vastly exceeds the scope of the original popauther program), then please consider Stephen McHenry's popauth solution instead! The implementation of popAuth3 here is not guaranteed to be ready for large-scale production use. If your machine blows up and you think it was because of this project, don't come to me with complaints (or a lawsuit). Instead, tell me what you did differently than the procedures and recommendations listed here so we can all avoid duplicating your mistake(s). You have been warned.

That said, I have been running progressive versions of this code for over four years without catastrophe. In good faith, you should find that it does what it claims to do, and well. If you release this code in a production environment, please keep me posted on the results (see my obfuscated e-mail address in the page address, below), good or bad.

What is popAuth3?

In summary, popAuth3 is a derivative of popauther -- a simple POP-before-SMTP utility adapted by William R. Thomas from a concept by John Levine -- and an extension of your MTA for a stronger anti-UCE stance. popAuth3 is a complete rewrite of Harlann Stenn's adaptation of William R. Thomas' popauther source and it does MUCH more than just POP-before-SMTP relay authentication. In essence, popauther's core is a log-watching utility that triggers actions based on events identified in the real-time maillog facility. From this vantage point, popauther takes action based on any activity exposed in the maillog, which could originate from disparate sources (SMTP, POP3, IMAP, etc.).

Note: Due to the highly modular nature of the popAuth3 source, there is no reason to assume it will function only with the postfix MTA and vm-pop3d POP3 daemon. It is a simple matter of updating regular expressions in the popAuth3 source code to match popAuth3's functionality to any mail server configuration, as long as events generated by your MTA/POP3/IMAP/etc. programs can be uniquely identified and tracked at one source (e.g.: the maillog file). You should also ensure that the "deliverables" out of popAuth3 (such as the list of IP addresses that are authorized for relaying, if used) match the data-file format and location that your MTA expects. Have fun experimenting, and please share your regular expressions and testimonials! Be sure to include the names and versions of the MTA/POP3/IMAP programs that your regular expressions match.

What does popAuth3 do for you?

The original purpose of popauth was simply to enable remote users (by IP address) to relay mail through your SMTP server following a valid POP authorization. popAuth3 does much more and can be easily configured to disable the POP-before-SMTP trigger, leaving only its tracking and automated null-routing features in effect. Frankly, I agree with others, including William R. Thomas, that TLS/SASL and SMTP AUTH are better solutions than POP-before-SMTP; I admit that I don't personally use the POP-before-SMTP feature. However, read on to see why I still use popAuth3 on my mail gateway server and keep this project updated!

popAuth3's extensions in this version enable it to automatically and temporarily null-route IP addresses based on offensive behavioral patterns. It is important to note that popauth is not a content filter. It does not scan for, or reject, UCE that your system has already permitted. popAuth3 blocks identified abusers at the connection level, before any data is transmitted from them to you (including the SMTP envelope). It is imperative that you understand that this code does not block human traffic -- not even humans who mistype e-mail addresses -- unless you specifically tell it to do so! This code is rate sensitive, so unless a user tries to resend their bad traffic repeatedly and very rapidly, your users will not be trapped! You, the administrator, control the rate limits, so you decide what is "offensive" or characteristic of the abusers you want to block! popAuth3 strengthens your MTA against abuse.

Examples of how popAuth3 works

Simple, Local RBL Cache

  1. This example assumes your MTA subscribes to one or more RBL providers (which is not mandatory for popAuth3's other features).
  2. A spammer connects to your server, and one of your RBL providers rejects the connection attempt.
  3. popAuth3 notes this rejection and records the IP Address into its own cache. Note that entries in this cache expire automatically based on preferences you specify; this cache does not grow without bound.
  4. Every time that same spammer attempts to connect, popAuth3 heads off the connection attempt before your RBL provider list is consulted (in reality, your MTA heads off the connection when it performs a lookup against popAuth3's lookup table).
  5. When the rate of connection attempts from this spammer reaches your threshold limits (either in total connection attempt count, or frequency over time), that spammer's IP address is null-routed (via iptables) for a term you also specify -- a different term depending on which threshold was tripped.

Connection, Envelope, and Header Forgery Black-Listing

  1. Your MTA may or may not subscribe to RBL providers, but you do have filters set up that prevent spammers from forging connection/envelope/header data.
  2. Any time your MTA rejects messages or connections from abusers who attempt to forge their helo/sender/recipient/etc data, popAuth3 notes this rejection and records the IP Address into its own cache.
  3. Every time that same abuser attempts to connect, popAuth3 heads off the connection attempt before your RBL provider list is consulted (in reality, your MTA heads off the connection when it performs a lookup against popAuth3's lookup table).
  4. When the rate of connection attempts from this abuser reaches your threshold limits (either in total connection attempt count, or frequency over time), that abuser's IP address is null-routed (via iptables) for a term you also specify -- a different term depending on which threshold was tripped.

Protection Against Dictionary Attacks

  1. Your MTA bounces messages that are being sent to fictional addresses on your machine.
  2. popAuth3 notes the bounces, where they came from, and the nature of them (e.g.: unknown local part).
  3. If the same IP Address attempts to bounce many different bad e-mail addresses off of you, popAuth3 tracks the number and frequency of attempts. Based on your settings, it decides whether this person is attempting to guess local e-mail addresses in a dictionary or otherwise scripted fashion. Note that regular users who simply mistype an e-mail address will not be black-listed by this mechanism because it requires many different address attempts in a short time span (based on preferences you specify).
  4. When these attempts reach your thresholds of tolerance, the process results in a null-route as in the other examples.
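The three scenarios above (local RBL cache, forgery black-listing, and dictionary-attack detection) share one mechanism: watch the maillog for rejections, record the offending IP in a cache that expires on its own, and null-route the IP once a count or rate threshold trips. The following is an added example that models that mechanism; it is not popAuth3's own source. The log lines are constructed in a Postfix-like style with a "t=<epoch>" prefix standing in for the syslog timestamp, the regular expressions and the Policy thresholds are assumptions you would adjust to your own MTA, and instead of invoking iptables the tracker returns the decision it would act on.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed maillog patterns (Postfix-like); tune these to your own MTA's output.
TS_RE = re.compile(r"^t=(?P<ts>\d+) ")
PATTERNS = [
    ("rbl", re.compile(r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 554 .*blocked using")),
    ("forgery", re.compile(r"reject: (?:RCPT|MAIL|HELO) from \S+\[(?P<ip>[\d.]+)\]: 5\d\d "
                           r".*?(?:Helo command rejected|Sender address rejected)")),
    ("unknown_user", re.compile(r"reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: "
                                r"Recipient address rejected: User unknown")),
]

# Constructed sample log: a repeat RBL offender, a recipient-guessing host, and a
# single HELO rejection from a host that should only be cached, never null-routed.
SAMPLE_LOG = [
    f"t={t} postfix/smtpd[101]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 554 5.7.1 "
    f"Service unavailable; Client host [203.0.113.7] blocked using rbl.example.net"
    for t in (1000, 1005, 1010, 1015, 1020)
] + [
    f"t={t} postfix/smtpd[102]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.9]: 550 5.1.1 "
    f"<{u}@example.com>: Recipient address rejected: User unknown in local recipient table"
    for t, u in ((2000, "aaron"), (2010, "abby"), (2020, "abe"), (2030, "adam"))
] + [
    "t=3000 postfix/smtpd[103]: NOQUEUE: reject: RCPT from unknown[192.0.2.5]: 504 5.5.2 "
    "<x>: Helo command rejected: need fully-qualified hostname",
]


@dataclass
class Policy:
    cache_ttl: int = 3600     # seconds an offending IP stays in the local cache
    max_total: int = 10       # total-count threshold within cache_ttl
    rate_n: int = 5           # rate threshold: rate_n events ...
    rate_window: int = 60     # ... inside rate_window seconds
    dict_distinct: int = 4    # distinct unknown recipients inside rate_window
    term_total: int = 86400   # null-route term when the total threshold trips
    term_rate: int = 3600     # null-route term when a rate threshold trips


class AbuseTracker:
    def __init__(self, policy=None):
        self.p = policy or Policy()
        self.events = defaultdict(deque)   # ip -> deque of (ts, kind, rcpt)
        self.cache = {}                    # ip -> expiry; the table the MTA would consult
        self.routed = {}                   # ip -> (expiry, reason); currently null-routed

    def lookup(self, ip, ts):
        """What the MTA's lookup against the cache would answer at time ts."""
        exp = self.cache.get(ip)
        return exp is not None and ts < exp

    def _expire(self, ts):
        for table in (self.cache, self.routed):
            for ip in [ip for ip, v in table.items() if (v[0] if isinstance(v, tuple) else v) <= ts]:
                del table[ip]

    def _route(self, ip, ts, term, reason):
        # A real deployment would insert a DROP rule for ip here and remove it at expiry.
        self.routed[ip] = (ts + term, reason)
        return {"ip": ip, "reason": reason, "term": term, "until": ts + term}

    def feed(self, line):
        """Consume one maillog line; return a null-route decision or None."""
        ts_m = TS_RE.match(line)
        if not ts_m:
            return None
        ts = int(ts_m.group("ts"))
        self._expire(ts)
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                break
        else:
            return None
        ip, rcpt = m.group("ip"), m.groupdict().get("rcpt")
        if ip in self.routed:
            return None                    # already firewalled; nothing more to decide
        self.cache[ip] = ts + self.p.cache_ttl
        q = self.events[ip]
        q.append((ts, kind, rcpt))
        while q and q[0][0] < ts - self.p.cache_ttl:
            q.popleft()                    # only events inside the cache lifetime count
        recent = [e for e in q if e[0] >= ts - self.p.rate_window]
        distinct = {e[2] for e in recent if e[1] == "unknown_user"}
        if len(q) >= self.p.max_total:
            return self._route(ip, ts, self.p.term_total, "total")
        if len(distinct) >= self.p.dict_distinct:
            return self._route(ip, ts, self.p.term_rate, "dictionary")
        if len(recent) >= self.p.rate_n:
            return self._route(ip, ts, self.p.term_rate, "rate")
        return None


def run(lines, policy=None):
    """Replay log lines through a tracker; return (decisions, tracker)."""
    tr = AbuseTracker(policy)
    decisions = [d for d in (tr.feed(l) for l in lines) if d]
    return decisions, tr


if __name__ == "__main__":
    for d in run(SAMPLE_LOG)[0]:
        print(d)
```

The ordering of the checks encodes the page's point about human traffic: a single mistyped address or bad HELO (192.0.2.5 above) lands in the cache and is refused cheaply on its next attempt, but it is never null-routed, because the count and rate thresholds require repeated, rapid attempts, and the dictionary rule additionally requires many different recipient addresses within the window.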

Contributing Authors: William Kimball
Problems with this page can be reported via e-mail to: <popauth3 at kimballstuff dot com>
Last modified: $Date: 2006-01-13T12:30:12+07:00$