- 1. edit config.h to set the following parameters:
- QMAILDIR - the root directory of your qmail installation, e.g.
/var/qmail
- QMAIL_SMTPD_NOAUTH - the new name of qmail-smtpd. See step 8.
- SSL_HACK_PASS - the ssl-hack password file (read "Providing secure pop3 with sslwrap")
- DBHOST - the database server address
- DBNAME - the database name
- DBUSER - the username used for connecting to the database
- DBPASS - the password used for connecting to the database
- EXP_TIME - how long (in seconds) we should allow a client to send mail
using us after s/he last authenticated through pop3
- ALRM_TIME - how often (still in seconds) we should check for expired
IPs. It is better to leave this to its default value of 60 seconds if you
set an integer number of minutes for EXP_TIME.
- SYSLOG_FIFO - the fifo where syslogd will send us authentication data.
See below for further details.
- CHECK_DAEMON_IPOP3D - uncomment this line if you are running wu's ipop3d
at your site
- CHECK_DAEMON_VCHKPW - uncomment this line if you are using vpopmail
- CHECK_DAEMON_HACKED_QMAILPOP3D - uncomment this if you are using the
patched version of qmail-popup and qmail-pop3d that I provide with
this package
- CONFIGURED - this check is here to make sure you read config.h. You
have to uncomment this line in order for compilation to work.
Note: you can tell pop3-authd to look for messages from all the 3
currently supported pop3 daemons at the same time.
- 2. auth-relay needs libpq for its postgres binding, so you must have postgres
or at least libpq installed on the machine. If you don't, get it at
http://www.postgresql.org; it's great software. If you do (or AFTER you do)
and you installed it somewhere other than /usr/local/pgsql, edit
auth-wrap/Makefile and pop3-authd/Makefile and set the include and libs
directories of the postgres installation to where they are on your system.
A common case is Linux RedHat systems with a default Postgres installation.
RedHat installs headers in /usr/include/pgsql and libs in /usr/lib, so change
PGSQL_INCS and PGSQL_LIBS to the respective directories.
- 3. type make. It should work. If it doesn't and you're sure it should (i.e.
you've set up everything right so far), mail me with the problem and I'll
try to fix it. If you can fix it yourself and mail me the solution too I'd
be even happier.
- 4. create a database with the name you specified in config.h (default
"pop3authd"). Connect to it and run the pop3authd.sql script. Example:
psql -d pop3authd -U postgres -f pop3authd.sql
- 5. create the fifo you specified in the config.h file using mkfifo. Example:
mkfifo -m 600 /var/pop3-auth/fifo
Here I assume that the directory /var/pop3-auth already exists; mkfifo doesn't
automatically create directories.
- 6. instruct syslogd to send pop3 authentication messages to the fifo you've
just created. For this you need to know the facility and priority with which
your pop3 daemon logs the authentication messages. The facility defaults to
mail, so the line you should add to your /etc/syslog.conf is:
mail.* |/var/pop3-auth/fifo
You can leave your old mail.* line untouched; syslogd will still deliver
messages there. You can also pass any other messages to that fifo, but make
sure the authentication messages are among them, otherwise it won't
work.
- 7. copy the executable pop3-authd somewhere. Run it; it should say
"starting" in the logs and go into the background. If it doesn't crash, make
it run at startup. If it dies, make sure it can read the fifo (the command
given as an example above creates the fifo mode 600, so it can only read it
if it runs as root). If it can read it and it still dies, send a bug report
including any messages it wrote in the logs. If it core dumps it would also
help if you could compile it in debug mode (edit its Makefile, comment the
CFLAGS and LDFLAGS which are marked "production" and uncomment those marked
"debug", do "make clean" and then "make"), run it and attach the resulting
core to the bug report.
- 8. rename your current qmail-smtpd file into qmail-smtpd.noauth or whatever
you specified in config.h for QMAIL_SMTPD_NOAUTH. Copy the executable auth-wrap
in the bin/ directory of your qmail root and rename it qmail-smtpd.
- 8b. alternatively, you could simply copy the original qmail-smtpd to
qmail-smtpd.noauth and leave it untouched. Then make a tcpserver bind to an
arbitrary port and run auth-wrap:
tcpserver -x /etc/tcp.smtp.cdb -v -u 0 -g 0 0 10101 \
/var/qmail/bin/auth-wrap 2>&1 | /var/qmail/bin/splogger smtpd 3 &
(or whatever suits your system). This way you can test delivery using port 10101
(in this example) while still having a working mail delivery system. When you're
sure it works, just rename auth-wrap to qmail-smtpd and kill the tcpserver
started above.
- 9. you're done, test things. Again, if something goes wrong, send a bug
report and I'll try to fix it.
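
A pre-flight check for steps 5 and 6, added here as an example and not part of the package: it confirms that the fifo really is a fifo with mode 600 and lists which syslog.conf selectors pipe into it. The script name check-pop3-auth.sh is hypothetical, and the paths in the usage line are the example values used above.

```shell
#!/bin/sh
# Added example, not part of the package. Paths in the usage line are the
# README's example values; use the ones from your config.h and syslog setup.

# check_fifo PATH: succeed only if PATH is a fifo with mode 600 (step 5).
check_fifo() {
    fifo=$1
    if [ ! -p "$fifo" ]; then
        echo "FAIL: $fifo is missing or is not a fifo" >&2
        return 1
    fi
    # ls -ld instead of stat(1), whose options differ between systems.
    mode=$(ls -ld "$fifo" | cut -c1-10)
    if [ "$mode" != "prw-------" ]; then
        echo "FAIL: $fifo is $mode, expected prw------- (mkfifo -m 600)" >&2
        return 1
    fi
}

# syslog_selectors CONF PATH: print the selector of every uncommented line in
# CONF whose action is "|PATH" (step 6); fail if there is none.
syslog_selectors() {
    awk -v want="|$2" '
        /^[ \t]*#/ { next }                      # skip comments
        NF >= 2 && $NF == want { print $1; n++ } # selector <space> |fifo
        END { exit n ? 0 : 1 }
    ' "$1"
}

# Usage: sh check-pop3-auth.sh /var/pop3-auth/fifo /etc/syslog.conf
if [ "$#" -eq 2 ]; then
    check_fifo "$1" || exit 1
    if sel=$(syslog_selectors "$2" "$1"); then
        echo "OK: $1 is fed by: $sel"
    else
        echo "FAIL: no line in $2 pipes to $1" >&2
        exit 1
    fi
fi
```

Run it as the user pop3-authd will run as, after restarting syslogd so that the new syslog.conf line is in effect.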