# Howto: Pop-before-SMTP authentication with the vmail guide

## Oopsz

So, you've followed this guide to the letter, and you've got a fully functional mail server.  But you want people to be able to send mail without their IP address listed explicitly in your postfix main.cf?  A solution to this is to use Pop-Before-SMTP authentication.  Any time someone checks their pop3/imap email, their IP address is authenticated for outgoing email for 5 minutes, after which it expires.  Your SMTP server is secure against spammers, but still usable.

For this howto, we'll be using DRAC, and a utility called drac-add.  It's assumed you're running postfix and courier-imap as described in the virtual mail howto.

1)  Install DRAC.

```
$ emerge drac
```

deceptively simple.   :Wink: 

2) Install drac-add:

First, download and decompress it.

```
$ wget http://venus.tripadelic.com/ebuilds/sources/drac-add.c.gz

$ gunzip drac-add.c.gz
```

Browse the source if you'd like.  It's very straightforward.  The default drac_update_host() variable should work fine for you; if you're updating a remote drac server, you probably know what you're doing and don't need this howto.

Once you have that file ready, we need to compile it.

```
$ gcc -o drac-add drac-add.c -L/usr/sbin/drac -ldrac -mcpu=i686 -march=i686 -Os -fomit-frame-pointer -fstack-protector -pipe

$ strip drac-add
```

If it compiles cleanly, copy the drac-add program to courier's authlib directory.

```
$ cp drac-add /usr/lib/courier-imap/authlib/
```

Now, we need to set up courier-imap to call drac-add, so that whenever anyone checks their email, the database will be updated properly.

First, the pop3 server.

```
$ nano -w /etc/courier/pop3d
```

Change the following line:

```
AUTHMODULES="authdaemon"
```

TO

```
AUTHMODULES="authdaemon drac-add"
```

Then, imap.

```
$ nano -w /etc/courier/imapd
```

Change the following line:

```
AUTHMODULES="authdaemon"
```

TO

```
AUTHMODULES="authdaemon drac-add"
```

Okay, now we just have to make postfix check the drac database when it wants to authenticate users.  This requires a quick configuration tweak.

```
$ nano -w /etc/postfix/main.cf
```

Add these lines (or edit the existing lines, as appropriate)

```
smtpd_recipient_restrictions =
   permit_mynetworks,reject_non_fqdn_recipient,
   check_client_access btree:/var/lib/drac/drac,
   reject_unauth_destination

mynetworks = 127.0.0.0/8, your.ip.address, btree:/var/lib/drac/drac
```

REPLACE your.ip.address WITH YOUR PUBLIC NUMERIC IP ADDRESS!!

There, we're done!  Let's get the servers up.

First, if you're running portsentry, stop it.  It plays havoc with new daemons.

```
$ /etc/init.d/portsentry stop
```

Now, start up drac.

```
$ /etc/init.d/dracd start
```

Restart courier:

```
$ /etc/init.d/authdaemond restart
```

And reload postfix

```
$ /etc/init.d/postfix reload
```

You're done!  Rock out!  Test that it works using your favourite mail client, and check that it's secure by using an open relay test.  Once you're sure it's working, you can clean up:

```
$ rc-update add portmap default

$ rc-update add dracd default
```

And start up portsentry again, if you are so inclined.   :Smile: 

----------

## BobOki

Now if someone can make this for qmail, I would be rocking!

----------

## chrisyu

Yeah!

Worked well for me (postfix).  :Very Happy: 

Thank you very much!

BTW

In my case /etc/courier is /etc/courier-imap.   :Smile: 

----------

## Oopsz

Yay, someone used my guide!  I feel all warm and fuzzy..

----------

## atac

just what i needed! thanks  :Very Happy: 

----------

## lectrix

hi!

this howto helped me some time ago - thanks for that.

in the meantime, after some major updates and different config changes, i noticed this in syslog:

```
Oct 26 19:09:52 igor drac-add: dracauth() Error "127.0.0.1: RPC: Program not registered " for user $REMOTEIP
```

where $REMOTEIP is some non-local IP.

This is repeated very often, each time dracd is called?

what does this mean?

rpcinfo -p says this:

```
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    391002    2   tcp   1017  sgi_fam
```

/etc/postfix/main.cf contains

```
mynetworks = 62.99.149.26, 127.0.0.0/8, btree:/var/lib/drac/drac

smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_recipient,
    check_client_access btree:/var/lib/drac/drac,
    reject_unauth_destination
```

/etc/courier-imap/pop3d contains

```
AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"
```

/etc/courier-imap/imapd contains

```
AUTHMODULES="authdaemon drac-add"
AUTHMODULES_ORIG="authdaemon"
```

thanks for helping...

stefan.

----------

## ministry

Just wanted to thank you for your work around solution.

I'd been messing with smtp-auth for like 4 days.

And everything seemed to be authenticating but it wouldn't pass any outgoing smtp traffic!

I think it is really important that people who post howtos make sure they work.

And should also specify what system the howto is for and update them every time a new version of any of the packages involved comes out.

I found that 80% of the stuff out there on postfix+cyrus-sasl+smtp-auth was not even close to complete and working.

In fact most of the guides I found on it that looked pretty good were in Japanese or German.

Anyway gentoo is great! and I'm sticking to my guns with regards to using it in the corporate environment.

Ministry

----------

## meulie

I just implemented this guide as well, and so far it seems to be working great!    :Cool: 

----------

## Oopsz

The guy that was having trouble with weird syslog entries: try recompiling the drac-add utility, might be a stale link..

I'm sorry I can't support this howto much anymore, I switched to dbmail as my backend, and it has native support for pop-before-smtp by storing IPs and timestamps in an sql table, ridiculously easy to get postfix to auth from using "mysql:/".

----------

## sander85

It worked great. Only, am I right that courier now uses courier-authlib?

Since an update to this newer version of courier, Drac won't work anymore.

Does someone else also have troubles with this?

----------

## Oopsz

I'm sorry if it doesn't work; as I said before I've switched my mailstore from postfix+courier-imap+maildirs to postfix+dbmail+mysql, so I can't support this howto anymore.   :Sad:   It worked great for the better part of a year though..  not too shabby.

----------

## dschein

I'm trying to implement this but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files.... any ideas?

----------

## hurricane

 *dschein wrote:*   

> I'm trying to implement this but I don't seem to have an AUTHMODULES entry in my imapd-ssl file, or any of the other courier config files.... any ideas?

 

Same problem here...

Looking at the locations of courier's files, it seems that someone changed stuff for courier... And now??

Does anyone know what happened?

----------

## hurricane

So AUTHMODULES does not work anymore, because now the modules are compiled straight into the daemon! (How fucking stupid! then why are they modules?? [No. Security is no excuse!])

But we're lucky, because now there exists a solution!

----------

## zomps

The solution:

Change the drac-add.c line

from

```
if (getenv("AUTHUSER") && getenv("AUTHARGV0") && getenv("AUTHENTICATED")) {
```

to

```
if (getenv("AUTHENTICATED")) {
```

Add this line to the end of /etc/courier-imap/imapd and /etc/courier-imap/pop3d:

```
LOGINRUN="/usr/local/bin/drac-add"
```

and there is no more need to change the AUTHMODULES parameter.

net-libs/courier-authlib-0.57-r1

net-mail/courier-imap-4.0.4

----------

## TheCarNinja

Nice solution, everything compiles, but I have a problem. 

After implementing everything (I don't have my IP address in mynetworks because that would defeat the purpose) I still get relay access denied.

mail.log (relevant)

```
 >>> START Recipient address RESTRICTIONS <<<
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_mynetworks: cpe-24-90-103-234.nyc.res.rr.com 24.90.103.234
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? <serverip>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? 127.0.0.1
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostname: cpe-24-90-103-234.nyc.res.rr.com ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_hostaddr: 24.90.103.234 ~? btree:/var/lib/drac/drac(0,100)
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: cpe-24-90-103-234.nyc.res.rr.com: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: match_list_match: 24.90.103.234: no match
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=permit_mynetworks status=0
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: reject_unauth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: permit_auth_destination: thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: ctable_locate: leave existing entry key thecarninja@gmail.com
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: NOQUEUE: reject: RCPT from cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied; from=<dummymail@<serverip>> to=<thecarninja@gmail.com> proto=ESMTP helo=<[10.0.0.5]>
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: generic_checks: name=reject_unauth_destination status=2
Nov 14 22:53:13 Diehard postfix/smtpd[15539]: > cpe-24-90-103-234.nyc.res.rr.com[24.90.103.234]: 554 <thecarninja@gmail.com>: Relay access denied
```

An ls -l of /var/lib/drac/drac.db shows that the modified date is not when I tried logging in, so that means that either courier isn't calling drac-add or that it doesn't have proper permissions (which I'm sure it does, since I changed them, and there is no error message). I can't find any reference anywhere to drac-add being called other than the line I added into the courier files.

----------

## zomps

Hmm, I saw drac-add messages in the /var/log/messages log file.

----------

## TheCarNinja

 *zomps wrote:*   

> The solution:
> 
> add line end to /etc/courier-imap/imapd and /etc/courier-imap/pop3d
> 
> ```
> ...

 

This means that I add that line to the end of /etc/courier-imap/pop3d and imapd, right?

Also, /var/log/messages hasn't been modified recently at all. Nor is there any drac related activity in there.

----------

## TheCarNinja

*bump*

----------

## zomps

What happens when you call the drac-add command

```
TCPREMOTEIP="127.0.0.1" AUTHENTICATED="username" drac-add
```

and without parameters? Does any log appear, or does the time/size of /var/lib/drac/drac change?

----------

## poco

Same problem here, I added the line "LOGINRUN="/usr/local/bin/drac-add"" to the /etc/courier-imap/pop3d file, I think it is the correct one since I have lines like "source /etc/courier-imap/pop3d" in my /etc/init.d/courier-pop3d init script.

I added some syslog to see if drac-add is called when I'm logging into the server, but it isn't :'( I can call it by hand (for example with 'TCPREMOTEIP="192.168.0.7" AUTHENTICATED="plouf" drac-add') and syslog is notified (and the db file modified).

Any help would be welcome.

----------

## JackPo

anyone have any idea how to fix this?

I have reached the same stage as the previous poster.. but can progress no further...

----------

## JackPo

Never mind...

I think the route to go is now to use 

pop-before-smtp

emerge pop-before-smtp, and then follow the instructions from the QUICKSTART.

----------

## poco

And if anyone is interested, I used, for pop-before-smtp with postfix and courier-imap, the following regex:

```
$pat = '^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]';
```

and I changed one variable:

```
$file_tail{'name'} = '/var/log/mail/current';
```

Thanks, JackPo, now it rox  :Smile: 

----------
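The mechanism the howto describes (a successful POP/IMAP login whitelists the client IP for SMTP relay for 5 minutes) and poco's courier log regex above, put together in a small Python model. This is an added example, not code from the thread, DRAC or the pop-before-smtp package: an in-memory dict stands in for the DRAC btree database, the clock is injected so the expiry edge case can be exercised, and the log lines are constructed in the metalog-style format the regex expects.

```python
import re
import time

# poco's Perl regex ported to Python. The [:f]* skips the "::ffff:" prefix that
# courier logs for IPv4-mapped IPv6 client addresses.
LOGIN_RE = re.compile(
    r'^(... .. ..:..:..) \[(?:courier)?(?:pop3|imap)(?:login|d|d-ssl)\] '
    r'LOGIN, user=\S+, ip=\[[:f]*(\d+\.\d+\.\d+\.\d+)\]'
)

GRACE_SECONDS = 5 * 60  # the 5-minute window the howto states


class PopBeforeSmtp:
    """Stand-in for the DRAC database: client IP -> time of last POP/IMAP login."""

    def __init__(self):
        self._seen = {}

    def record_login(self, log_line, now=None):
        """Parse one mail log line; on a successful LOGIN record the client IP.
        Returns the IP that was recorded, or None if the line was not a login."""
        m = LOGIN_RE.match(log_line)
        if not m:
            return None            # "LOGIN FAILED", other daemons, etc. are ignored
        ip = m.group(2)
        self._seen[ip] = time.time() if now is None else now
        return ip

    def may_relay(self, client_ip, now=None):
        """The decision postfix's btree lookup effectively makes: relay only
        if this IP logged in within the grace window. Expired entries are
        dropped, mirroring dracd's periodic expiry."""
        now = time.time() if now is None else now
        last = self._seen.get(client_ip)
        if last is None:
            return False
        if now - last > GRACE_SECONDS:
            del self._seen[client_ip]
            return False
        return True


if __name__ == "__main__":
    # Constructed sample lines (metalog format, as in /var/log/mail/current).
    pbs, t0 = PopBeforeSmtp(), 1000.0
    pbs.record_login("Nov 14 22:53:13 [pop3d] LOGIN, user=alice, ip=[::ffff:198.51.100.7]", t0)
    pbs.record_login("Nov 14 22:53:20 [imapd-ssl] LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.9]", t0)
    print(pbs.may_relay("198.51.100.7", t0 + 60), pbs.may_relay("203.0.113.9", t0 + 60))
```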

