LDAP and whoson support for SolidPOP3d
Mariano Absatz
baby at baby.com.ar
Tue May 8 00:28:54 CEST 2001
Apparently, attachments don't make it through the list... I guess Jerzy
or someone else can make it available to the rest... otherwise I can
repost the sources one in each message within the body or send them in
private to anyone who asks me for them... suggestions?
On 7 May 2001, at 19:22, Mariano Absatz wrote:
> Hi,
>
> We have been using solidpop3d for a few months with a couple of
> modifications we had to do.
>
> We published them now so you are able to use them and, if you want to,
> incorporate them in future versions.
>
> Our mail server is ZMailer (see http://zmailer.org).
>
> First, we added support for LDAP authentication (since we have our users
> in an LDAP DIT).
>
> Second, we added support for POP before SMTP. For this, we are using a
> small contributed-to-zmailer protocol called "whoson".
>
> This protocol allows remote "login", "logout" and "verify" of IP
> addresses with username information to a small "on line users database"
> indexed by IP address with username and timestamp info in it.
>
> It can be used from, say, a radius server, to allow to associate smtp
> messages coming from an IP address with a radius user.
>
> In our case, as we only provide e-mail (and, in fact, we don't have
> trustable IP addresses), we use it to associate smtp messages coming from
> an IP address with a POP or IMAP user.
>
> Since, in the case of POP the user is not logged into the POP server while
> he/she is sending the mail, and rather, logs into POP, downloads, exits POP
> and THEN he/she connects to SMTP, we only use the "login" and our SMTP
> server verifies using a predefined timeout.
>
> That is, the SMTP does the following (simplified):
>
> - if the message is inbound, allow it.
> - if the message is outbound:
>   - verify the IP of the client in the whoson database
>   - if you don't find it, reject it.
>   - if you find it:
>     - if the time elapsed since the timestamp is greater
>       than your predefined timeout, reject it.
>     - else, allow the relaying and put the username in the
>       Received: header generated.
>
> For this to work, and taking into account that we could have relatively
> short timeouts and maybe long POP download times, we do a "whoson login"
> with the user authentication AND with the user's POP logout.
>
> So, in POP, we do this "whoson login" right after the authentication and
> right after the client sends the QUIT (obviously, having had a correct
> authentication :-)
>
>
> ======================================================================
>
> In order to implement this stuff, we modified four files, and added two
> more.
>
> Modified files:
>
> configure.in
> acconfig.h
> src/main.c
> src/Makefile.in
>
> new files:
>
> src/auth_ldap.h
> src/auth_ldap.c
>
> The new files, along with "diff -u"s of the modified versions (relative
> to the 0.15 tarball, no CVS) are attached.
>
> ======================================================================
>
> To enable the use of these options you have to use the following configure
> options:
>
> --enable-whoson=PATH
> compile server with whoson support where PATH is the PATH you have whoson
> installed (defaults to /usr/local/whoson)
>
> --enable-ldap=PATH
> compile server with ldap authentication support where PATH is the PATH
> you have LDAP installed (defaults to /usr/local/ldap)
>
> --with-ldapconfigfile
> define ldap config file (default is /etc/ldap.conf)
>
> --with-uidmaildir
> define owner of the maildir directory (default nobody). This is the Unix
> user which will read and write to the maildirs... it has to have
> read/write permissions on the maildirs.
>
> =======================================================================
>
> #
> # Example /etc/ldap.conf file
> #
> # You must at least define "base", "ldaphost", "filter" & "attr".
> #
> base ou=mailUsers,o=exampleOrganization
> ldaphost ldap.example.com
> ldapport 389
> binddn cn=ReadOnlyUser, o=exampleOrganization
> passwd secret
> filter (&(objectclass=mailUser)(uid=%s))
> passattr userPassword
> attr maildirFileName
> scope sub
>
> =======================================================================
>
> We added a -n option to solidpop3d to handle a base path from where
> maildirFileName is relative. You can use it from /etc/inetd with:
>
> pop-3 stream tcp nowait root /usr/sbin/tcpd \
> /usr/local/sbin/spop3d -n /maildir-base/%s -t maildir
>
> if in the maildirFileName attribute you have "/x/y/somebody", it will
> look for the maildir in /maildir-base/x/y/somebody.
>
> ==========================================================================
> Acknowledgements:
>
> This stuff wasn't made by me... I am only the "guy who better writes in
> English" :-)
>
> The author is Edgardo Szulsztein <edgardosz at yahoo.com>.
>
> The LDAP code was taken from the ZMailer LDAP code made (as stated in the
> source code) by:
>
> Lai Yiu Fai | Tel.: (852) 2358-6202
> Centre of Computing Services | Fax.: (852) 2358-0967
> & Telecommunications | E-mail: ccyflai at ust.hk
> |
> The Hong Kong University of | Clear Water Bay,
> Science & Technology | Kowloon, Hong Kong.
>
>
> --
> Mariano Absatz - El Baby
> mailto:baby at baby.com.ar
> http://www.baby.com.ar/
> PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
> |\ _
> _\\/'> Powered by Pegasus Mail
> /|__) http://www.pmail.com
> ) )\
> -----------------------------------------------------------
> Programming is an art form that fights back.
--
Mariano Absatz - El Baby
mailto:baby at baby.com.ar
http://www.baby.com.ar/
PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
|\ _
_\\/'> Powered by Pegasus Mail
/|__) http://www.pmail.com
) )\
-----------------------------------------------------------
Allow me to introduce my selves.
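The relay decision described in the quoted message (whoson "login" at POP authentication and QUIT, "verify" plus a timeout on the SMTP side), as an added illustration that is not code from the solidpop3d, whoson or ZMailer sources. The in-memory table stands in for the whoson daemon's database; the function names, sizes and timestamps are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for the whoson "on line users database":
 * one record per client IP with the user name and last login time. */
#define MAX_ENTRIES 64
struct whoson_entry { char ip[46]; char user[64]; time_t ts; };
static struct whoson_entry db[MAX_ENTRIES];
static int db_count = 0;

/* "whoson login": record or refresh the IP -> user mapping and its timestamp.
 * The POP server calls this after a good authentication and again at QUIT,
 * so a long download does not let the SMTP-side timeout expire. */
int whoson_login(const char *ip, const char *user, time_t now) {
    for (int i = 0; i < db_count; i++)
        if (strcmp(db[i].ip, ip) == 0) {
            snprintf(db[i].user, sizeof db[i].user, "%s", user);
            db[i].ts = now;
            return 0;
        }
    if (db_count == MAX_ENTRIES) return -1;      /* table full */
    snprintf(db[db_count].ip, sizeof db[db_count].ip, "%s", ip);
    snprintf(db[db_count].user, sizeof db[db_count].user, "%s", user);
    db[db_count].ts = now;
    db_count++;
    return 0;
}

/* "whoson verify": look up an IP; NULL if it never did a POP login. */
const struct whoson_entry *whoson_verify(const char *ip) {
    for (int i = 0; i < db_count; i++)
        if (strcmp(db[i].ip, ip) == 0) return &db[i];
    return NULL;
}

/* The SMTP server's (simplified) decision from the message. Returns 1 to
 * accept, 0 to reject. For an accepted outbound message the POP user name
 * is copied into `user` so it can go into the generated Received: header. */
int smtp_relay_decision(int inbound, const char *client_ip, time_t now,
                        time_t timeout, char *user, size_t userlen) {
    if (inbound) return 1;                       /* local delivery: allow */
    const struct whoson_entry *e = whoson_verify(client_ip);
    if (e == NULL) return 0;                     /* unknown IP: reject */
    if (now - e->ts > timeout) return 0;         /* POP login too old */
    snprintf(user, userlen, "%s", e->user);
    return 1;
}
```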