Letting Valid Users Relay Email
Have a problem controlling email relaying? Look at Exact, short for EXperimental Access Control Thing, as a solution for managing email relaying. It is a POP-before-SMTP daemon that integrates with most email systems. Let us spend a little time on the somewhat obscure problem it solves before getting into the details of setup and configuration.
Quick Mail Primer

Mail servers, more formally known as Mail Transfer Agents (MTAs), handle receiving and transporting mail between servers. The protocol used for sending mail is the Simple Mail Transfer Protocol (SMTP). Mail clients, more formally known as Mail User Agents (MUAs), handle retrieving mail. One of the most popular protocols used by clients to retrieve mail is the Post Office Protocol (POP). When SMTP and the related mail protocols were designed, no one imagined how pervasive the Internet would become, or how the small holes in the email protocols would be exploited to create the plague of spam that is now part of daily life. One of those holes is the open relay, an email server that accepts mail from any source and relays it to any destination. Most mail servers have some mechanism to control whom they will accept mail from and where it can be relayed. However, most of those mechanisms are based on IP address or domain name, not on user authentication. One problem a mail administrator therefore faces is how to allow exactly the right people to send mail to the world while preventing everyone else from doing the same. This is not an issue if your mail server is inside your firewall and all of your users are inside it too. But if you have remote users who need to relay mail, it becomes more complicated.
Methods of Controlling Mail Relaying

To fix the authentication and relaying problem with SMTP, one solution, generally called SMTP AUTH, adds authentication software such as the Simple Authentication and Security Layer (SASL). Integrating SASL with your mail server software can be complicated, and it also requires a configuration change in each email client so that it supplies a username and password when sending mail. Some mail clients may not support this feature. Still, if your clients support SMTP AUTH, it is the best long-term solution. Another solution is called POP-before-SMTP, and that is what the Exact program provides. The POP protocol already requires authentication, and the POP server logs each authentication request (unless logging is turned off). Exact reads those logs, determines the IP addresses of recent valid logins and adds them to a file. The mail server can then read that file and allow SMTP relaying from those addresses for a specified period of time. A valid POP login is required before an IP address is added to the file, hence POP-before-SMTP. Exact can also read the logs of another popular mail client protocol, the Internet Message Access Protocol (IMAP). Note what is actually being authorized: an IP address for a time window, not a user or a session. Anyone else who shares that address during the window, for example other hosts behind the same NAT gateway, can relay as well, which is one more reason SMTP AUTH is preferred where clients support it.
How to Install Exact

Exact is distributed in source code form. Fortunately, installing it is as simple as the standard configure/make/make install routine. For dbm database support, which Postfix needs, add the --with-db option to the configure step. The Exim mail server can read a plain text file and does not require dbm support. Otherwise, there are no outside dependencies.
From the README file, it supports these combinations of servers.

POP/IMAP servers:
- UW-IMAPD
- Cyrus
- Courier (IMAPD and POPD)
- Perdition
- Qpopper
- TeaPOP
- Cubic Circle's cucipop

MTAs:
- Exim
- Sendmail
- Postfix
It can be extended to support additional POP/IMAP servers by adding parse rules to the exact-servers.conf file. The example installation here uses the UW-IMAPD server (which also provides POP3) and Postfix on Red Hat Enterprise Linux 3. Once installation is complete, one main configuration file, exact.conf, controls how Exact operates. For this installation only two changes to exact.conf were needed. The first tells it where to find the mail log:

maillog /var/log/maillog

The second tells it which POP/IMAP server is in use:

server uw-imap

Since the log format of each POP/IMAP server is slightly different, Exact needs to know how to parse the log entries to extract the valid logins and their IP addresses. Another setting you may want to adjust is the timeout, which determines how long Exact keeps an address in the relay file. After that period the address is removed automatically, and a new POP login is required to add it back. The default timeout is 30 minutes.
When Exact is started, it runs in the background as a daemon and updates the relay file every minute.

Mail Server Configuration

Postfix needs to know where to read the valid addresses from, and that requires one change to the /etc/postfix/main.cf file. The mynetworks setting controls relaying by IP address. In this case the setting looks like this:

mynetworks = 127.0.0.0/8, hash:/usr/local/var/state/exact/relay

See the Postfix documentation for more details. Postfix also comes with a program called postmap that creates the dbm files it reads as hash: tables. Exact can write such dbm databases directly when it is compiled with the --with-db option and the output format is set in exact.conf, so make sure Exact is configured to produce a dbm file rather than plain text. Once it is running, you can confirm that a freshly authenticated address is present by querying the relay table with postmap -q, and watch the Postfix log for that client's next SMTP connection to see that relaying was permitted.
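The following is an added example, not Exact's own code, that ties together the mechanism described under Methods of Controlling Mail Relaying (scan the POP/IMAP log for successful logins, remember the client IP, expire it after the timeout) and the Postfix side above (the address list that mynetworks consults). The log format is modelled on UW-IMAP's ipop3d/imapd syslog lines, which is an assumption about that format; the sample log lines are constructed, and the function names, the static 127.0.0.0/8 network and the nominal "OK" value in the table are choices made for this example.

```python
"""POP-before-SMTP in miniature.

Added example, not Exact's own code: it scans POP/IMAP log lines for
successful logins, keeps each client IP for a timeout after its most recent
login (Exact's default is 30 minutes), and emits the text form of a Postfix
lookup table, which `postmap` would compile into the hash: file named in
mynetworks. The log format is modelled on UW-IMAP's ipop3d/imapd syslog lines
(an assumption about the format); the sample lines are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=30)  # Exact's default timeout

# Parse rule for UW-IMAP style "Login user=NAME host=HOST [IP]" lines (assumed
# format). A failed attempt is logged as "Login failed user=..." and so never
# matches: only successful logins earn relay rights.
UW_IMAP_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ (?:ipop3d|imapd)\[\d+\]: "
    r"(?:Login|Authenticated) user=(?P<user>\S+) host=\S* \[(?P<ip>[\d.]+)\]"
)

# Constructed sample of /var/log/maillog: alice logging in from two different
# addresses (a roaming user), one failed login, one IMAP login and an
# unrelated smtpd line that must be ignored.
SAMPLE_LOG = """\
Mar  3 09:00:01 mail ipop3d[2231]: Login user=alice host=dsl-10.example.net [192.0.2.10]
Mar  3 09:05:12 mail ipop3d[2240]: Login failed user=mallory auth=mallory host=[198.51.100.7]
Mar  3 09:10:44 mail imapd[2251]: Authenticated user=bob host=cafe.example.org [203.0.113.5]
Mar  3 09:20:00 mail postfix/smtpd[2300]: connect from unknown[203.0.113.9]
Mar  3 09:35:30 mail ipop3d[2310]: Login user=alice host=dsl-22.example.net [192.0.2.22]
"""

# Static part of Postfix's mynetworks; the dynamic part is the relay table.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def parse_logins(log_text, year):
    """Yield (timestamp, ip) for each successful login. Syslog omits the year,
    so the caller supplies it."""
    for line in log_text.splitlines():
        m = UW_IMAP_LOGIN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def relay_table(log_text, now, year, timeout=TIMEOUT):
    """Map each IP to its most recent login time, keeping only addresses whose
    last login falls within `timeout` of `now`. Older entries expire, which is
    what forces a fresh POP login before relaying again."""
    last_seen = {}
    for ts, ip in parse_logins(log_text, year):
        if ts > last_seen.get(ip, datetime.min):
            last_seen[ip] = ts
    return {ip: ts for ip, ts in last_seen.items()
            if timedelta(0) <= now - ts <= timeout}


def may_relay(client_ip, table):
    """The decision Postfix makes from mynetworks: the client is in a static
    network, or its address appears in the dynamic relay table."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in MYNETWORKS) or client_ip in table


def postfix_table_source(table):
    """Text input for `postmap`, one 'IP OK' line per address. The right-hand
    side is nominal: for mynetworks Postfix only checks that the key exists."""
    return "".join(f"{ip} OK\n" for ip in sorted(table, key=ipaddress.ip_address))


if __name__ == "__main__":
    now = datetime(2004, 3, 3, 9, 40)
    table = relay_table(SAMPLE_LOG, now, year=2004)
    print(postfix_table_source(table), end="")
    for ip in ("192.0.2.10", "192.0.2.22", "198.51.100.7", "127.0.0.1"):
        print(ip, "relay" if may_relay(ip, table) else "reject")
```

Run at 09:40, alice's 09:00 login from 192.0.2.10 has aged out while her 09:35 login from 192.0.2.22 is current, so only the newer address (plus bob's) may relay; the failed login and the bare smtpd connection never enter the table. A real daemon would rerun this scan every minute and rewrite the table, and the timeout is the only thing that revokes an address, which is why it should be kept short.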
Final Touches

Finally, to have Exact start automatically when the system boots, create a startup and shutdown script. One of the existing system init scripts can serve as a template with a few small changes, after which the necessary symlinks are created in the /etc/rc.d/rc3.d directory. Then run a series of tests to confirm that addresses are correctly added and removed and that Postfix honors them. In one sense, POP-before-SMTP is a hack, but it is an elegant one that fills the authentication hole in SMTP. It copes with users on dynamic addresses because the address file is updated every minute. This allows your remote users to roam or change ISPs and still use the mail server with no administrator intervention.