

Allowing exactly the right people to send email

By Keith Winston on May 09, 2005 (8:00:00 AM)


EXACT, the EXperimental Access Control Thing, is a POP-before-SMTP daemon that integrates with most email systems to control email relaying and thereby potentially reduce spamming. Here's how you can install and configure EXACT to keep spammers from taking advantage of your mail server.

According to its README file, EXACT supports these POP and IMAP servers:

  • Cyrus
  • Courier (IMAPD and POPD)
  • Perdition
  • Qpopper
  • TeaPOP
  • Cubic Circle's cucipop
and these MTAs:
  • Exim
  • Sendmail
  • Postfix

You can extend EXACT to support additional POP/IMAP servers by adding parse rules to the exact-servers.conf file. Once installation is complete, a single main configuration file, exact.conf, controls how EXACT operates.

EXACT is distributed in source code form. You install it with the standard configure/make/make install routine. For dbm database support, which Postfix needs, add the --with-db option to the configure step. If you're using the Exim mail server, you don't need dbm support, because Exim can read a plain text file. There are no other outside dependencies.

My installation uses the UW-IMAPD server (which also provides POP3) and Postfix on Red Hat Enterprise Linux 3.

After a painless installation, I had to make only two changes to exact.conf. The first was the maillog option, which tells EXACT where to find the mail log:

maillog /var/log/maillog

The second change was to edit the server option to tell it which POP/IMAP server to use:

server uw-imap

A quick mail primer

Mail servers, more formally known as Message Transfer Agents (MTA), exchange email messages with each other using the Simple Mail Transfer Protocol (SMTP). Mail clients, more formally known as user agents, handle retrieving mail using either the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP).

An email server that accepts mail from any source and relays it to any destination is called an open relay. Spammers can use open relays to send their messages. Most mail servers have some mechanism to control whom they will accept mail from and where it can be relayed, but most of those mechanisms are based on IP address or domain name rather than on user authentication. One problem a mail administrator faces, then, is how to allow valid users to relay mail while stopping everyone else.

One solution is to employ authentication software, such as the Simple Authentication and Security Layer (SASL). However, integrating SASL with mail server software can be difficult, and using it requires mail clients that also support SASL; not all do.

Another solution, and the one EXACT uses, is called POP-before-SMTP. The POP protocol (and IMAP too) requires that user agents retrieving mail authenticate to the POP/IMAP daemon before retrieving messages. The POP/IMAP daemon logs authentication requests in a log file (unless logging is turned off). EXACT reads the logs, determines the IP address of recent valid logins, and adds those addresses to a file. The mail server can then read those addresses and allow SMTP relaying for those addresses only for a specified period of time.

Because the log format for each POP/IMAP server is slightly different, EXACT needs to know how to parse the log entries to extract the valid logins and IP addresses. Another option you may want to adjust is the timeout setting, which determines how long you want EXACT to keep an address in the relay file. After that period of time, it is automatically removed and a new POP login is required to add the address back to the file. The default timeout is set to 30 minutes.

EXACT runs in the background as a service and updates the relay file every minute.
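The cycle described above, as an added illustration rather than EXACT's own code: scan the POP/IMAP log for successful logins, keep each address for the timeout window, drop it afterwards, and emit the plain-text table that the postmap step in the Postfix section below compiles. The log lines are constructed, and the UW-IMAP "Login user=... host=... [ip]" wording is an assumption to verify against your own maillog.

```python
import re
from typing import Dict, Iterable, List

TIMEOUT = 30 * 60  # EXACT's default window: 30 minutes, in seconds

# Constructed sample log, not a capture. The "Login user=... host=... [ip]" shape
# follows the UW-IMAP/ipop3d syslog style, but treat the exact wording as an
# assumption and verify it against your own /var/log/maillog before relying on it.
SAMPLE_LOG = [
    "May  9 08:00:01 mail ipop3d[2001]: Login user=alice host=dsl1.example.net [192.0.2.10] nmsgs=2/2",
    "May  9 08:00:05 mail imapd[2002]: Login failure user=bob host=unknown [198.51.100.7]",
    "May  9 08:00:09 mail imapd[2003]: Authenticated user=carol host=roam.example.org [203.0.113.25]",
    "May  9 08:00:12 mail postfix/smtpd[2004]: connect from unknown[198.51.100.7]",
]

# Match only successful POP/IMAP logins. A "Login failure" line or an smtpd line
# must never open the relay for an address, so the pattern is deliberately narrow.
LOGIN_RE = re.compile(
    r"(?:ipop3d|imapd)\[\d+\]: (?:Login|Authenticated) user=\S+ host=\S+ "
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"
)


def record_logins(table: Dict[str, int], lines: Iterable[str], now: int,
                  timeout: int = TIMEOUT) -> Dict[str, int]:
    """Set the expiry for every address that logged in; a later login extends it."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            table[m.group(1)] = now + timeout
    return table


def prune(table: Dict[str, int], now: int) -> Dict[str, int]:
    """Drop addresses whose window has closed; only a fresh login re-adds them."""
    return {ip: exp for ip, exp in table.items() if exp > now}


def allowed_ips(table: Dict[str, int], now: int) -> List[str]:
    """Addresses Postfix should currently accept relaying from."""
    return sorted(prune(table, now))


def postfix_table_text(table: Dict[str, int], now: int) -> str:
    """Plain-text source of the hash: map that postmap compiles. Postfix looks the
    client IP up as a key in a mynetworks table, so the "OK" value is a placeholder."""
    return "".join(f"{ip}\tOK\n" for ip in allowed_ips(table, now))
```

Run once a minute against the new log lines, the output of postfix_table_text is what a postmap wrapper would turn into the dbm file Postfix reads.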

Mail server configuration

Postfix needs to know where to read the valid addresses from, and that requires one change to the /etc/postfix/ file. Postfix's mynetworks setting controls relaying by IP address. I modified my setting to look like this:

mynetworks =, hash:/usr/local/var/state/exact/relay

See the Postfix documentation for more details.

I ran into one problem while testing EXACT with Postfix. EXACT is supposed to be able to write dbm databases directly when compiled and run with the correct options. However, I was not able to get it to create a dbm file as output; it would only create a plain text file. But since Postfix comes with a program called postmap that creates dbm files, instead of debugging EXACT, I took the lazy way out and wrote a small script to take the text file output and use postmap to create the dbm file that Postfix needed.

Final touches

Finally, you should create a startup and shutdown script so that EXACT will start automatically when the system is restarted. I used the /etc/rc.d/init.d/postfix script as a template and made slight changes to it, saving it as /etc/rc.d/init.d/exact. (You can download it here.) The script handles startup, shutdown, and status checks like any other server process. Then, I created the necessary symlink in the /etc/rc.d/rc3.d directory with the ln command:
ln -s ../init.d/exact S81exact

To test whether EXACT was working properly, I retrieved mail with my POP mail client and confirmed that EXACT was adding and removing IP addresses correctly, and that Postfix was honoring them. During testing, I set the timeout option to five minutes and made sure my address was removed from the relay file after that time. When my IP address was in the relay file, I could relay mail through Postfix, and when it was not, I received the appropriate error.

In one sense, POP-before-SMTP is a hack, but it is an elegant one that fills the authentication hole in SMTP. It handles users with dynamic addresses because the relay file gets updated every minute. This allows your remote users to roam or change ISPs and still use the mail server with no administrator intervention.



Comments on Allowing exactly the right people to send email



Posted by: Anonymous Coward on May 09, 2005 05:50 PM
Any mail client made in the last 8 years supports SMTP-Auth. I would recommend using that instead of POP-before-SMTP. POP before can be annoying if it times out while writing an email and is a hack from a decade ago.

Please use proper password based authentication instead and preferably with TLS or SSL (which again anything but a copy of Eudora from '95 should support).



Posted by: Anonymous Coward on May 09, 2005 06:33 PM
SMTP-Auth is ok. The only problem I've had with it is that only the PLAIN authentication scheme can work with existing Unix accounts, since the others require an unencrypted password on the server to verify against. And of course with plain authentication, you really need to use TLS or SSL.

For some reason, my office had standardized on a retarded mail client that wouldn't do TLS. I told them it was no longer supported. Apparently, using a different mail client completely broke my manager's brain. I've never heard so much complaining in all my life.



Posted by: Anonymous Coward on May 11, 2005 03:19 AM
If you're worried about plaintext passwords, POP before SMTP doesn't help you one bit.

Really though, if you're setting up an SMTP server and not also setting up AUTH support you should be shot.


What the heck? Use SMTP Auth

Posted by: Riskable on May 09, 2005 08:46 PM
Just want to point out that POP-before-SMTP was invented over a decade ago. EXACT makes it a bit simpler (and compatible with newer email servers), but the real solution is to use SMTP Auth (preferably with TLS).

Setting up SMTP Auth the first time can be confusing and difficult, but it is not beyond the skill level of an intermediate Linux user. Use Postfix and the difficulty level drops significantly (honestly, why use sendmail these days when Postfix is so much better?).

Tip: You can use a purchased SSL cert with Postfix and Cyrus if you convert your .crt and .key to unencrypted .pem format.


Quit the ./configure&&make&&make i

Posted by: JelleB on May 09, 2005 10:22 PM
And yet comes along the next article that completely ignores the fact that most (if not all) Linux distros use a package manager to install software.
Use your package manager to install software, and nothing else! That will keep you from having to reinstall because of all the cruft you have accumulated with this 'nice' ./configure&&make&&make install nonsense.

That method is to be used as a last resort (for instance when you have to use a system that does not have a proper package management system); you will have to remove or update it yourself == lots of extra work.

So the new mantra is: "apt-get update && apt-get upgrade".

And most systems have a better method to keep the linkfarm in /etc/init.d in proper shape: chkconfig on Red Hat, update-rc.d on Debian. Better use these too.


OK, but what about...

Posted by: Anonymous Coward on May 10, 2005 12:59 AM
OK. Your solution is adequate for an ISP that wants to allow its roaming users access to the SMTP servers but restrict all others. And in that respect the article is OK.

So, here is a different scenario. I want ALL of my internal corporate users to be able to send email to each other internally. But, I want to prevent certain users from sending or receiving internet emails. How-to-do?

With Microsoft Exchange or Novell GroupWise, this functionality is five clicks away.


Re:OK, but what about...

Posted by: SarsSmarz on May 10, 2005 06:40 AM
aack! You sound like the evil people at work! (not implying anything, evil or otherwise about your perfectly noble intentions)


Just use "pop-before-smtp" (the perl script)

Posted by: Anonymous Coward on May 10, 2005 05:39 AM
If you're going the route of a pop-before-smtp daemon, use the pop-before-smtp perl script that has been around for ages. It's already packaged for most Linux distributions, so it makes installation easier. Also, the perl nature of the project is a perfect fit for something as simple as scanning a log file and updating a DB file with IPs.

