| Version: | 1.41 |
|---|---|
| Author: | Doug Winter |
| Contact: | doug@pigeonhold.com |
| Date: | 2004-03-27 |
| Web site: | http://www.britishsteal.com/dist/exact/ |
EXACT is a program that implements "POP Before SMTP Relay Authentication".
It will work as is with these POP/IMAP servers:
and these MTAs:
It doesn't support qmail as-is, because qmail is rather unique. See below for some other software that might help though.
All patches to improve compatibility, and regex stanzas for other POP/IMAP servers gratefully received.
EXACT stands for EXperimental Access Control Thing. With apologies to Philip Hazel. As you may have guessed, marketing is not my strong suit.
POP Before SMTP Relay Authentication is commonly used on systems that provide both IMAP or POP services and SMTP services. If you have users who move from system to system, and access their mail over IMAP or POP, it is a fair bet that they will also want to send mail via your IMAP server.
If your users are using Windows they probably don't have a locally installed mail relay, so they have to use someone elses. Also, some (broken) sites refuse email from dialup systems on the grounds that the email might be spam.
Generally you should send mail through your network providers local SMTP servers. However, sometimes it's not obvious what those servers are (at least to your users), and sometimes these servers provide poor service and so you wish to avoid them.
Therefore, you would like to provide an SMTP relay for those users only. SMTP Authentication is an option, however not all clients provide it and, more irritatingly, on PAM-based systems authenticating against the shadow file is impossible for non root processes. Well, I couldn't get it to work anyway.
So a simple hack is often used - to selectively allow SMTP relaying for IP addresses that have recently authenticated against a local IMAP or POP server.
When started, the program watches a log file for lines written by a POP or IMAP server that indicate a successful login. Generally this is a file written by syslog, by default /var/log/mail.log. On your system it may be different.
You have two options for the output format of EXACT:
The venerable 'db' or 'dbm' format. If the Berkeley Database libraries (libdb) are available on your system, then run configure with --with-db. Exact will then output dbm files instead of a text format relay file. This is compatible with Exim and Postfix.
If you haven't got these libraries they are probably packaged by your distro. To compile from source, download them from Sleepycat.
To write in text format even though you configured with --with-db, see the authtype parameter in exact.conf.
Alternatively you can write the database out in text format, with one ip address per line.
Your MTA can then be configured to read this file, to determine hosts that are allowed to relay.
The current production version of EXACT is 1.41. This is available here:
http://adju.st/dist/exact/exact-1.41.tar.gz
There is also a mailing list for announcements. I suggest you join this for bug fix and security information.
DRAC performs the same task, using patched IMAP and POP servers. I didn't like this approach and haven't tried it, however YMMV.
popbsmtp uses the same technique as EXACT, and is written in Perl.
There are also some perl scripts from some other guy called Doug available, that work with exim pretty easily (although they do require tweaking) - I've not tried them with any other MTA.
For qmail, smtp-poplock works well.
The exact-servers.conf file contains the necessary configuration for all the servers I've tried, or that users have provided configurations for.
To select the server that you wish to use, just change the 'server' parameter in the exact.conf file to match one of the stanzas in exact-servers.conf. This is done automatically by the configure script, when you use the --with-server option.
If your POP/IMAP server isn't listed in exact-servers.conf, you can add your own configuration easily if you have some experience of regular expressions. The REs used are in Extended POSIX Regular Expression Syntax.
The order parameter can be either 'username,address' or 'address,username' and this specifies the order of the parenthesised expressions for those terms that will be extracted. For historical reasons (supporting the weird UW-IMAP logging output in fact), these are in fact the SECOND and THIRD parenthesised expressions respectively. The FIRST bracketed expression is dropped on the floor.
See the examples in the exact-servers.conf file, hopefully it'll make sense.
This is very simple to implement in Exim.
For text-format output, add a line like:
host_accept_relay = 127.0.0.1:net-lsearch;/var/state/exact/relay
For db-format output, add a line like:
host_accept_relay = 127.0.0.1:net-dbmnz;/var/state/exact/relay
where /var/state/exact/relay is the location of the relay file written by exact.
You should be aware that when using exim, exact should be started first - if exim cannot find the state file when it starts then it will exit.
Here's a tip from Johan Vansant describing how to make EXACT work with Sendmail:
In order to have sendmail check an extra file you need to expand the rules. Here is what I added to the 'mc' file, this can be added to the 'cf' file directly if you leave out the 'LOCAL_CONFIG' and 'LOCAL_RULESETS' lines:
LOCAL_CONFIG
#POP Auth
F{POPAuth} /var/state/exact/relay
SLocal_check_rcpt
R<$+ @ $=w > $@ OK # if it is to domain delivered by us
R$+ $: $(dequote "" $&{client_addr} $) $| $1 # get address
R$={POPAuth}$* $| $* $@ OK # OK if from a POP-authed address
ROK $@ OK
R$* $#error $@ 5.5.0 $: "550 Relaying denied: authenticate with POP first"
Thanks Johan :)
In main.cf have a line like:
mynetworks = 127.0.0.0/8, hash:/var/state/exact/relay
You must use db format output for postfix to work. Apparently postfix requires this file to be owned by root. I suggest therefore that once Exact is running you should:
# chmod 660 /var/state/exact/relay # chgrp root:mail /var/state/exact/relay
I suggest you put this in your init scripts.
If you are reading the text version of this file, you might have noticed some odd syntax. This file is written in reStructuredText. This can be converted to HTML (and other things) using docutils.
Copyright 2003 Doug Winter <doug@pigeonhold.com>
Many thanks to the following for their help in providing fixes, patches & suggestions:
- Mike Whitaker
- William Armitage
- Jon R Luini
- Jorey Bump
- Jeremy Zawodny
- Johan Vansant
- Blair Harrison
- Mikhail Goussev
- Ward Willats
EXACT is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
EXACT is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with EXACT; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA