From baby at baby.com.ar Tue May 8 00:22:54 2001
From: baby at baby.com.ar (Mariano Absatz)
Date: Tue Dec 20 11:33:47 2005
Subject: LDAP and whoson support for SolidPOP3d
Message-ID: <3AF6F60E.21989.C16EA71@localhost>

Hi,

We have been using solidpop3d for a few months with a couple of
modifications we had to do.

We published them now so you are able to use it and, if you want to,
incorporate them in future versions.

Our mail server is ZMailer (see http://zmailer.org).

First, we added support for LDAP authentication (since we have our users
in an LDAP DIT).

Second, we added support for POP before SMTP. For this, we are using a
small contributed-to-zmailer protocol called "whoson".

This protocol allows remote "login", "logout" and "verify" of IP
addresses with username information to a small "on line users database"
indexed by IP address with username and timestamp info in it.

It can be used from, say, a radius server, to allow to associate smtp
messages coming from an IP address with a radius user.

In our case, as we only provide e-mail (and, in fact, we don't have
trustable IP addresses), we use it to associate smtp messages coming from
an IP address with a POP or IMAP user.

Since, in the case of POP the user is not logged into the POP server while
he/she is sending the mail, and rather, logs to POP, downloads, exits POP
and THEN he/she connects to SMTP, we only use the "login" and our SMTP
server verifies using a predefined timeout.

That is, the SMTP does the following (simplified):

  - if the message is inbound, allow it.
  - if the message is outbound:
    - verify the IP of the client in the whoson database
    - if you don't find it, reject it.
    - if you find it:
      - if the time elapsed since the timestamp is greater
        than your predefined timeout, reject it.
      - else, allow the relaying and put the username in the
        Received: header generated.

For this to work, and taking into account that we could have relatively
short timeouts and maybe long POP download times, we do a "whoson login"
with the user authentication AND with the user's POP logout.

So, in POP, we do this "whoson login" right after the authentication and
right after the client sends the QUIT (obviously, having had a correct
authentication :-)

======================================================================

In order to implement this stuff, we modified four files, and added two
more.

Modified files:

  configure.in
  acconfig.h
  src/main.c
  src/Makefile.in

new files:

  src/auth_ldap.h
  src/auth_ldap.c

The new files, along with "diff -u"s of the modified versions (relative
to the 0.15 tarball, no CVS) are attached.

======================================================================

To enable the use of these options you have to use the following configure
options:

  --enable-whoson=PATH
    compile server with whoson support where PATH is the PATH you have
    whoson installed (defaults to /usr/local/whoson)

  --enable-ldap=PATH
    compile server with ldap authentication support where PATH is the PATH
    you have LDAP installed (defaults to /usr/local/ldap)

  --with-ldapconfigfile
    define ldap config file (default is /etc/ldap.conf)

  --with-uidmaildir
    define owner of the maildir directory (default nobody). This is the
    Unix user which will read and write to the maildirs... it has to have
    read/write permissions on the maildirs.

=======================================================================

#
# Example /etc/ldap.conf file
#
# You must at least define "base", "ldaphost", "filter" & "attr".
#
base      ou=mailUsers,o=exampleOrganization
ldaphost  ldap.example.com
ldapport  389
binddn    cn=ReadOnlyUser, o=exampleOrganization
passwd    secret
filter    (&(objectclass=mailUser)(uid=%s))
passattr  userPassword
attr      maildirFileName
scope     sub

=======================================================================

We added a -n option to solidpop3d to handle a base path from where
maildirFileName is relative. You can use it from /etc/inetd with:

  pop-3 stream tcp nowait root /usr/sbin/tcpd \
      /usr/local/sbin/spop3d -n /maildir-base/%s -t maildir

if in the maildirFileName attribute you have "/x/y/somebody", it will
look for the maildir in /maildir-base/x/y/somebody.

==========================================================================
Acknowledgements:

This stuff wasn't made by me... I am only the "guy who better writes in
English" :-)

The author is Edgardo Szulsztein.

The LDAP code was taken from the ZMailer LDAP code made (as stated in the
source code) by:

  Lai Yiu Fai                   | Tel.: (852) 2358-6202
  Centre of Computing Services  | Fax.: (852) 2358-0967
  & Telecommunications          | E-mail: ccyflai@ust.hk
                                |
  The Hong Kong University of   | Clear Water Bay,
  Science & Technology          | Kowloon, Hong Kong.

--
Mariano Absatz - El Baby
mailto:baby@baby.com.ar
http://www.baby.com.ar/
PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
  |\  _
 _\\/'>   Powered by Pegasus Mail
 /|__)    http://www.pmail.com
  ) )\
-----------------------------------------------------------
Programming is an art form that fights back.

From baby at baby.com.ar Tue May 8 00:28:54 2001
From: baby at baby.com.ar (Mariano Absatz)
Date: Tue Dec 20 11:33:47 2005
Subject: LDAP and whoson support for SolidPOP3d
In-Reply-To: <3AF6F60E.21989.C16EA71@localhost>
Message-ID: <3AF6F776.28641.C1C68EB@localhost>

Apparently, attachments don't make it through the list... I guess Jerzy
or someone else can make it available to the rest...
otherwise I can repost the sources one in each message within the body
or send them in private to anyone who asks me for... suggestions?

On 7 May 2001, at 19:22, Mariano Absatz wrote:

> Hi,
>
> We have been using solidpop3d for a few months with a couple of
> modifications we had to do.
>
> We published them now so you are able to use it and, if you want to,
> incorporate them in future versions.
>
> Our mail server is ZMailer (see http://zmailer.org).
>
> First, we added support for LDAP authentication (since we have our users
> in an LDAP DIT).
>
> Second, we added support for POP before SMTP. For this, we are using a
> small contributed-to-zmailer protocol called "whoson".
>
> This protocol allows remote "login", "logout" and "verify" of IP
> addresses with username information to a small "on line users database"
> indexed by IP address with username and timestamp info in it.
>
> It can be used from, say, a radius server, to allow to associate smtp
> messages coming from an IP address with a radius user.
>
> In our case, as we only provide e-mail (and, in fact, we don't have
> trustable IP addresses), we use it to associate smtp messages coming from
> an IP address with a POP or IMAP user.
>
> Since, in the case of POP the user is not logged into the POP server while
> he/she is sending the mail, and rather, logs to POP, downloads, exits POP
> and THEN he/she connects to SMTP, we only use the "login" and our SMTP
> server verifies using a predefined timeout.
>
> That is, the SMTP does the following (simplified):
>
>   - if the message is inbound, allow it.
>   - if the message is outbound:
>     - verify the IP of the client in the whoson database
>     - if you don't find it, reject it.
>     - if you find it:
>       - if the time elapsed since the timestamp is greater
>         than your predefined timeout, reject it.
>       - else, allow the relaying and put the username in the
>         Received: header generated.
>
> For this to work, and taking into account that we could have relatively
> short timeouts and maybe long POP download times, we do a "whoson login"
> with the user authentication AND with the user's POP logout.
>
> So, in POP, we do this "whoson login" right after the authentication and
> right after the client sends the QUIT (obviously, having had a correct
> authentication :-)
>
>
> ======================================================================
>
> In order to implement this stuff, we modified four files, and added two
> more.
>
> Modified files:
>
>   configure.in
>   acconfig.h
>   src/main.c
>   src/Makefile.in
>
> new files:
>
>   src/auth_ldap.h
>   src/auth_ldap.c
>
> The new files, along with "diff -u"s of the modified versions (relative
> to the 0.15 tarball, no CVS) are attached.
>
> ======================================================================
>
> To enable the use of these options you have to use the following configure
> options:
>
>   --enable-whoson=PATH
>     compile server with whoson support where PATH is the PATH you have
>     whoson installed (defaults to /usr/local/whoson)
>
>   --enable-ldap=PATH
>     compile server with ldap authentication support where PATH is the PATH
>     you have LDAP installed (defaults to /usr/local/ldap)
>
>   --with-ldapconfigfile
>     define ldap config file (default is /etc/ldap.conf)
>
>   --with-uidmaildir
>     define owner of the maildir directory (default nobody). This is the
>     Unix user which will read and write to the maildirs... it has to have
>     read/write permissions on the maildirs.
>
> =======================================================================
>
> #
> # Example /etc/ldap.conf file
> #
> # You must at least define "base", "ldaphost", "filter" & "attr".
> #
> base      ou=mailUsers,o=exampleOrganization
> ldaphost  ldap.example.com
> ldapport  389
> binddn    cn=ReadOnlyUser, o=exampleOrganization
> passwd    secret
> filter    (&(objectclass=mailUser)(uid=%s))
> passattr  userPassword
> attr      maildirFileName
> scope     sub
>
> =======================================================================
>
> We added a -n option to solidpop3d to handle a base path from where
> maildirFileName is relative. You can use it from /etc/inetd with:
>
>   pop-3 stream tcp nowait root /usr/sbin/tcpd \
>       /usr/local/sbin/spop3d -n /maildir-base/%s -t maildir
>
> if in the maildirFileName attribute you have "/x/y/somebody", it will
> look for the maildir in /maildir-base/x/y/somebody.
>
> ==========================================================================
> Acknowledgements:
>
> This stuff wasn't made by me... I am only the "guy who better writes in
> English" :-)
>
> The author is Edgardo Szulsztein.
>
> The LDAP code was taken from the ZMailer LDAP code made (as stated in the
> source code) by:
>
>   Lai Yiu Fai                   | Tel.: (852) 2358-6202
>   Centre of Computing Services  | Fax.: (852) 2358-0967
>   & Telecommunications          | E-mail: ccyflai@ust.hk
>                                 |
>   The Hong Kong University of   | Clear Water Bay,
>   Science & Technology          | Kowloon, Hong Kong.
>
>
> --
> Mariano Absatz - El Baby
> mailto:baby@baby.com.ar
> http://www.baby.com.ar/
> PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
>   |\  _
>  _\\/'>   Powered by Pegasus Mail
>  /|__)    http://www.pmail.com
>   ) )\
> -----------------------------------------------------------
> Programming is an art form that fights back.
>
>

--
Mariano Absatz - El Baby
mailto:baby@baby.com.ar
http://www.baby.com.ar/
PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
  |\  _
 _\\/'>   Powered by Pegasus Mail
 /|__)    http://www.pmail.com
  ) )\
-----------------------------------------------------------
Allow me to introduce my selves.
From help at visp.net Tue May 8 01:56:19 2001
From: help at visp.net (VISP Systems Administration)
Date: Tue Dec 20 11:33:47 2005
Subject: LDAP and whoson support for SolidPOP3d
In-Reply-To: <3AF6F776.28641.C1C68EB@localhost>
References: <3AF6F60E.21989.C16EA71@localhost>
Message-ID: <5.1.0.14.0.20010507165232.03030118@visp.net>

I ran into one issue running popb4smtp. Anyone out there conquered this
yet?

Running sendmail-8.11 and I ran into the issue with it massively crapping
when the /etc/mail/access file gets too big. I'm running (or rather.. was
running) popb4smtp where it just basically tails the messages and steals
the ips from successful POP connections from spop3d.

The problem, with the large database, sendmail starts rejecting everything
and acts as if it's ignoring the access database. A rebuild (makemap) seems
to stunt the errors for a few seconds, and then it starts again. A sendmail
restart will usually stunt the Relaying denied errors for about a minute.

Anyone have suggestions?

btw: my access database grew to about 8500 lines in 1 day. sendmail seems
to die at about 5000 lines.

Apologies beforehand, I know this is not a sendmail list, but I know a lot
of us are running sendmail and spop3d. The combo of sendmail, spop3d, and
popb4smtp seems to be very powerful, it'd just be nice if it worked
better! =)

At 07:28 PM 5/7/2001 -0300, you wrote:
>Apparently, attachments don't make it through the list... I guess Jerzy
>or someone else can make it available to the rest... otherwise I can
>repost the sources one in each message within the body or send them in
>private to anyone who asks me for... suggestions?
>
>On 7 May 2001, at 19:22, Mariano Absatz wrote:
>
> > Hi,
> >
> > We have been using solidpop3d for a few months with a couple of
> > modifications we had to do.
> >
> > We published them now so you are able to use it and, if you want to,
> > incorporate them in future versions.
> >
> > Our mail server is ZMailer (see http://zmailer.org).
> >
> > First, we added support for LDAP authentication (since we have our users
> > in an LDAP DIT).
> >
> > Second, we added support for POP before SMTP. For this, we are using a
> > small contributed-to-zmailer protocol called "whoson".
> >
> > This protocol allows remote "login", "logout" and "verify" of IP
> > addresses with username information to a small "on line users database"
> > indexed by IP address with username and timestamp info in it.
> >
> > It can be used from, say, a radius server, to allow to associate smtp
> > messages coming from an IP address with a radius user.
> >
> > In our case, as we only provide e-mail (and, in fact, we don't have
> > trustable IP addresses), we use it to associate smtp messages coming from
> > an IP address with a POP or IMAP user.
> >
> > Since, in the case of POP the user is not logged into the POP server while
> > he/she is sending the mail, and rather, logs to POP, downloads, exits POP
> > and THEN he/she connects to SMTP, we only use the "login" and our SMTP
> > server verifies using a predefined timeout.
> >
> > That is, the SMTP does the following (simplified):
> >
> >   - if the message is inbound, allow it.
> >   - if the message is outbound:
> >     - verify the IP of the client in the whoson database
> >     - if you don't find it, reject it.
> >     - if you find it:
> >       - if the time elapsed since the timestamp is greater
> >         than your predefined timeout, reject it.
> >       - else, allow the relaying and put the username in the
> >         Received: header generated.
> >
> > For this to work, and taking into account that we could have relatively
> > short timeouts and maybe long POP download times, we do a "whoson login"
> > with the user authentication AND with the user's POP logout.
> >
> > So, in POP, we do this "whoson login" right after the authentication and
> > right after the client sends the QUIT (obviously, having had a correct
> > authentication :-)
> >
> >
> > ======================================================================
> >
> > In order to implement this stuff, we modified four files, and added two
> > more.
> >
> > Modified files:
> >
> >   configure.in
> >   acconfig.h
> >   src/main.c
> >   src/Makefile.in
> >
> > new files:
> >
> >   src/auth_ldap.h
> >   src/auth_ldap.c
> >
> > The new files, along with "diff -u"s of the modified versions (relative
> > to the 0.15 tarball, no CVS) are attached.
> >
> > ======================================================================
> >
> > To enable the use of these options you have to use the following configure
> > options:
> >
> >   --enable-whoson=PATH
> >     compile server with whoson support where PATH is the PATH you have
> >     whoson installed (defaults to /usr/local/whoson)
> >
> >   --enable-ldap=PATH
> >     compile server with ldap authentication support where PATH is the PATH
> >     you have LDAP installed (defaults to /usr/local/ldap)
> >
> >   --with-ldapconfigfile
> >     define ldap config file (default is /etc/ldap.conf)
> >
> >   --with-uidmaildir
> >     define owner of the maildir directory (default nobody). This is the
> >     Unix user which will read and write to the maildirs... it has to have
> >     read/write permissions on the maildirs.
> >
> > =======================================================================
> >
> > #
> > # Example /etc/ldap.conf file
> > #
> > # You must at least define "base", "ldaphost", "filter" & "attr".
> > #
> > base      ou=mailUsers,o=exampleOrganization
> > ldaphost  ldap.example.com
> > ldapport  389
> > binddn    cn=ReadOnlyUser, o=exampleOrganization
> > passwd    secret
> > filter    (&(objectclass=mailUser)(uid=%s))
> > passattr  userPassword
> > attr      maildirFileName
> > scope     sub
> >
> > =======================================================================
> >
> > We added a -n option to solidpop3d to handle a base path from where
> > maildirFileName is relative. You can use it from /etc/inetd with:
> >
> >   pop-3 stream tcp nowait root /usr/sbin/tcpd \
> >       /usr/local/sbin/spop3d -n /maildir-base/%s -t maildir
> >
> > if in the maildirFileName attribute you have "/x/y/somebody", it will
> > look for the maildir in /maildir-base/x/y/somebody.
> >
> > ==========================================================================
> > Acknowledgements:
> >
> > This stuff wasn't made by me... I am only the "guy who better writes in
> > English" :-)
> >
> > The author is Edgardo Szulsztein.
> >
> > The LDAP code was taken from the ZMailer LDAP code made (as stated in the
> > source code) by:
> >
> >   Lai Yiu Fai                   | Tel.: (852) 2358-6202
> >   Centre of Computing Services  | Fax.: (852) 2358-0967
> >   & Telecommunications          | E-mail: ccyflai@ust.hk
> >                                 |
> >   The Hong Kong University of   | Clear Water Bay,
> >   Science & Technology          | Kowloon, Hong Kong.
> >
> >
> > --
> > Mariano Absatz - El Baby
> > mailto:baby@baby.com.ar
> > http://www.baby.com.ar/
> > PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
> >   |\  _
> >  _\\/'>   Powered by Pegasus Mail
> >  /|__)    http://www.pmail.com
> >   ) )\
> > -----------------------------------------------------------
> > Programming is an art form that fights back.
> >
> >
>
>--
>Mariano Absatz - El Baby
>mailto:baby@baby.com.ar
>http://www.baby.com.ar/
>PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
>  |\  _
> _\\/'>   Powered by Pegasus Mail
> /|__)    http://www.pmail.com
>  ) )\
>-----------------------------------------------------------
>Allow me to introduce my selves.
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: solidpop3d-list-unsubscribe@lists.pld.org.pl
>For additional commands, e-mail: solidpop3d-list-help@lists.pld.org.pl

----------------------------------
Visp Systems Administration
Voice: 541-476-5352 ext. 4
Support Board: http://support.visp.net/bb

From Piotr.Sulecki at ios.krakow.pl Wed May 30 14:54:46 2001
From: Piotr.Sulecki at ios.krakow.pl (Piotr Sulecki)
Date: Tue Dec 20 11:33:47 2005
Subject: SolidPOP3D breaks RFC1939
Message-ID: <3B14ED96.9AAA82BC@ios.krakow.pl>

Ave!

I have tried SolidPOP3d yesterday and it looks good and stable. However,
I was browsing RFC1939 today and found at least two points where
SolidPOP3d breaks it.

First, SolidPOP3d allows setting the inactivity timeout to any value, and
one example mentions setting it to 5 seconds. RFC1939 specifies that if
an optional inactivity timeout is present, it must be of at least 10
minutes duration.

Second, mailbox lock handling is different than the one specified in
RFC1939: it says clearly that the mailbox should be exclusively locked
since the successful authorization throughout the whole transaction and
update state and only released when the update is finished and the
connection broken.

Both of these issues are rather minor and should be easy to fix.

Regards,
Piotr Sulecki, Institute of Metal Cutting, Cracow, Poland.