I developed this solution under the following environment:
I am currently using this solution under the following environment:
At this time, I cannot vouch for whether this solution will work under any other environments, including differing version numbers of the listed programs. If you find success using different modules or versions, please let me know (you can find my obfuscated e-mail address below).
I used the following process to install the initial development environment. If you have naver before set up a mail server, you can use this as a walk-through if you wish to duplicate my (functional) environment. However, if you're a seasoned professional and you don't need to read the babbling utterance of a then-amateur, please skip ahead to the popAuth3 installation procedure.
As my first-ever Linux installation, I did my best to install it as a simple server. I used MS-DOS 6's FDISK utility to wipe the partition tables before dropping in Disk 1 of the Red Hat Enigma ISO distribution and rebooting. Using the installation GUI was simple, but I'll admit that I ended up installing far more than was necessary. Even today, I hope to fully rebuild this machine but I'm left with the problem that it's a production box now. I haven't decided on the best technique to replace the machine without losing mail (nor have I spent much time thinking about it). It's a toss-up against the logic of, "if it ain't broke, don't fix it." The fact is, the mail server is doing everything it needs to do, just fine.
I believe postfix was near version 1.1.10 when I first encountered it. Installation was relatively painless following the accompanying documentation. I accepted the defaults in all cases. Obviously, I have upgraded postfix -- and my entire network, for that matter -- several times since then. Fortunately, upgrades have been painless thanks to the care taken by the postfix documentation authors. For comprehensive installation instructions, I recommend you read the INSTALL file that comes with the postfix source.
It is worth noting that I have moved the entire collection of postfix regexp/pcre
and related .db files into a sub-directory called /etc/postfix/data/
.
At the very least, you need this directory for popAuth3's main RBL cache file
-- particularly if you would like to use the accompanying HTML report tools.
So that you can move this file anywhere you like, I have created related variables
in the popAuth3 source that enable you to specify where your data files are
stored, separate from the remaining postfix configuration files.
You must note that this configuration dictates using smtpd_delay_reject
= no
in /etc/postfix/main.cf
. In other words, reject immediately instead
of waiting for postfix's smtpd_recipient_restrictions
, as is so
common amongst postfix users. In some years of watching for it, I have found
that there aren't enough "broken SMTP clients out there" to truly
necessitate this delay. By following my technique, popAuth3 is able to perform
its duties sooner in the SMTP sequence, thus heading off the "tons of
garbage" that would otherwise be sent to syslog. I haven't yet established
whether smtpd_delay_reject = no
is mandatory for popAuth3 to work
in all cases, but I very highly recommend using it instead of smtpd_delay_reject
= yes
.
vm-pop3d was at version 1.1.6 when I first found it and it hasn't changed since. I don't know whether development has stopped on it (the development version 1.1.7 has been in development for at least a couple years), but frankly that doesn't matter. vm-pop3d does everything I needed it to for this scenario. As is typical for me, I accepted the defaults during configuration and installed it verbatim per the recommendations in the included INSTALL text file.
Note that you MUST alter the vm-pop3d source (and recompile) in order for it to work with either popauth or my version, popAuth3! This is because vm-pop3d normally splits user authentication logging across two lines, and popauth only receives those lines FIFO -- one at a time. Check my source code listing for details.
I originally followed Stephen
McHenry's instructions to the 'T' and installed his version of popauth
(based on Harlann
Stenn's popauth2) into /usr/local/sbin/
. My version,
popAuth3, requires a different installation procedure because it deals with
more files and requires very specific output from your MTA to perform its services.
The updated installation procedure is as follows (copied and adapted from Stephen
McHenry's installation procedure):
mkdir /var/spool/popauth/
mkdir /var/spool/popauth/authenticated/
mkdir /var/spool/popauth/fishers/
mkdir /etc/postfix/data/
/var/adm/
(create this directory
if it does not exist, which was the case with me):mkdir /var/adm/
mkfifo /var/adm/popauth.fifo
chmod 0600 /var/adm/popauth.fifo
/etc/syslog.conf
to copy mail log messages to the new
popauth.fifo
FIFO:vim /etc/syslog.conf
Look for:mail.* /var/log/maillog
Add IMMEDIATELY ABOVE this line:mail.info |/var/adm/popauth.fifo
yum install selinux-policy-targeted-sources selinux-policy-strict-sources
yum install policycoreutils
vim /etc/selinux/targeted/src/policy/domains/program/syslogd.te
allow syslogd_t var_t:fifo_file { read
write };
allow syslogd_t var_t:fifo_file ioctl;
cd /etc/selinux/targeted/src/policy
make load
service syslog restart
kill -s SIGHUP `cat /var/run/syslogd.pid`
/etc/postfix/data/
but this example
uses /etc/postfix/
because it is more common):touch /etc/postfix/data/popauth_checks
postmap /etc/postfix/data/popauth_checks
# Look
for a POP authentication.
You will have to become familiar with regular
expressions (regexp) -- if you aren't already -- in order to make this
change. If you need help with this, please submit the following
to me (e-mail address is below), unaltered, and someone will try to help
(time permitting).
Please do not expect a very fast answer, and understand that a solution
may require altering the source of your POP daemon -- particularly if the
necessary authentication data is reported across multiple lines.
/var/log/maillog
when your users authenticate a POP session. Note that, if your POP
daemon does not log the user's name, domain, IP address, and authentication
result on a single line, you will have to either use a different POP
daemon, or alter its source. /usr/local/sbin/
(or anywhere
you see appropriate).vim /etc/rc.local
/usr/local/sbin/popauth &
/usr/local/sbin/popauth &
/etc/postfix/main.cf
to enable your POP-authenticated
users to relay mail. See the full version of main.cf
that I use below for a complete reference of this configuration that does
not put "everything" into smtp_recipient_restrictions. popauth_checks = hash:/etc/postfix/popauth_checks
check_client_access $popauth_checks
554 Service unavailable;
Client host [123.123.123.123] blocked using some.rbl.tld; Some RBL
authority lookup or explaination;
554 <RDNS-lookup-name[123.123.123.123]>:
Client host rejected: Your IP address has been blacklisted by some.rbl.tld.
Visit their website or write <postmaster> to argue. Some RBL
authority lookup or explaination;
smtpd_restriction_classes = sender_checks
sender_checks = check_client_access hash:/etc/postfix/sender_checks,
reject
freemail_checks = hash:/etc/postfix/freemail_checks
check_sender_access $freemail_checks
/etc/postfix/freemail_checks
and /etc/postfix/sender_checks
to include a list of the free e-mail providers whom you wish to validate
RDNS lookups against:554 <fake@freemail-provider.tld>:
Sender address rejected: Access denied; from=<fake@freemail-provider.tld>
proto=SMTP helo=<usually-fake>
recipient_checks = pcre:/etc/postfix/recipient_checks
check_recipient_access $recipient_checks
554 <info@domain1.tld>:
Recipient address rejected: Access denied; from=<fake@somedomain.tld>
to=<info@domain1.tld> proto=SMTP helo=<usually-fake>
helo_checks = hash:/etc/postfix/helo_checks
check_helo_access $helo_checks
554 <123.123.123.123>:
Helo command rejected: Your machine is not part of this network. Forgery
is not tolerated here.; proto=SMTP helo=<123.123.123.123>
soft_bounce = no
unknown_local_recipient_reject_code = 550
user_database = hash:/etc/postfix/data/vmailbox
virtual_mailbox_maps = $user_database
local_recipient_maps = $user_database
550 <fake@domain1.tld>:
User unknown in local recipient table; from=<> to=<fake@domain1.tld>
proto=ESMTP helo=<usually-fake>
554 <local.part@domain1.tld>:
Relay access denied; from=<user@domain1.tld> to=<local.part@domain1.tld>
proto=SMTP helo=<usually-fake>
/etc/logrotate.d/
. If your
system does not use logrotate, you should come up with an appropriate mechanism
to rotate the popauth.log log file because it will grow endlessly. If unchecked,
it will fill up your HDD./var/www/vhosts/com-domain1-tld/admin/
folder). For example, if using Apache, set up a .htaccess
file in the same folder that you copy these files (if you don't understand
this file, please refer to the Apache
documentation):AuthType Basic
AuthName "Mail Server Administration"
AuthUserFile /etc/www/auth/com-domain1-mail/passwd
Require valid-user
mkdir /etc/www/
mkdir /etc/www/auth/
mkdir /etc/www/auth/com-domain1-mail/
htpasswd -bc /etc/www/auth/com-domain1-mail/passwd MailAdmin myP@ssword1234
/var/www/vhosts/com-domain1-tld/css/
).
Alternatively, you can copy the *.css files into the same directory
as the *.pl files as long as you update the *.pl source to output
the correct path to the *.css files./etc/postfix/data/
directory world-writable
so you can edit the rbl_cache file from a web browser:chmod o+w /etc/postfix/data
chmod o+w /etc/postfix/data/rbl_cache
/etc/postfix/data/rbl_cache
by double-checking the path variables in the source (if you
closely follow the installation procedure listed above, and
leave these variables unchanged when you first install popAuth3,
there should be no need for this double-check).poplog
any time you want to sit and watch popAuth3 do its work -- or catch bugs).
Copy poplog to the same directory to which you copied popAuth3 (e.g.: /usr/local/sbin/
)
and make it executable:chmod ug+x /usr/local/sbin/poplog
The version of RH Linux I installed automatically used ipchains by default, but it also installed iptables anyway. Because iptables is generally the preferred of the two firewalls today, I switched from ipchains to iptables and programmed popAuth3 to match. If you are a die-hard ipchains user, you will have to alter the popAuth3 source to work with your configuration. A firewall that can be updated dynamically via script is necessary for popAuth3 to function unless you edit the source and disable the automatic null-routing facility. Of course, if you don't want the automatic null-routing, then you should consider the simpler popauth and not my version.
I have written a few report scripts for popAuth3 that are designed to help you monitor what is going on with your mail server. If you prefer to fire-and-forget, then you don't need these reports and you won't need to put an HTTP daemon on your mail server. Red Hat Linux 7.2 came with an earlier httpd version 1.3-something. I have since upgraded to version 2 for no better reason than to gain the experience of upgrading more Linux modules. You are welcome to use any HTTP daemon you like, or none at all. Apache is not necessary to run popAuth3, unless you want to use the HTML reports.
Contributing Authors: William Kimball