Working with POP Before SMTP

From CobaltFAQs

Jump to: navigation, search

The Cobalt RAQ 550 uses the poprelayd daemon to authorize users to relay mail through the server after validating themselves by checking their mail via POP3 or IMAP. The default relay window is 30 minutes; as long as the user's mail client is set to check their mail more frequently than every 30 minutes, they will perpetually be able to send mail through the server.

The poprelayd daemon is located at /usr/local/sbin/poprelayd and is initiated via a startup script in /etc/rc.d/rc.init


The poprelayd Help File

Usage: poprelayd [-p] [-a <ip>] [-r <ip>] [-d] [-f]
 -p          Displays a list of trusted IP addresses and their life in seconds.
 -a <ip>     Adds the specified IP address to the trusted pool.
 -r <ip>     Removes the specified IP address from the trusted pool.
 -f          Removes all members of the trusted pool.
poprelayd is used to enable temporary SMTP relaying trusts by monitoring POP and IMAP usage
in the mail logfile, /var/log/maillog.
Every time a POP occurs, the client IP address will be added to the relay trust for 30 
minutes.  Every time an IMAP session is started, that client will be added to the relay trust
for the same amount of time.  IMAP sessions that last longer than 30 minutes will need to be  
restarted prior to sending mail.

Contents of the Relaying IP Database

To see what IP addresses are in the POP authentication database, do:

su -
makemap hash -u /etc/mail/popip.db

or use the built-in switch:

 /usr/local/sbin/poprelayd -p

Note that the second column is slightly different between the two commands. In the first, you get a column of IPs and a column of Unix timestamps (seconds since the epoch). The time is when the IP will become invalid if it does not authenticate before then. To find the current timestamp for comparison, just do

date +%s

That will give you something to compare the db entries to and see when they will be expiring.

The second command gives you columns of IP addresses and the number of seconds remaining on their authorization period.

Deleting All Relaying IP Database Entries

To remove all existing entries in popip.db file, thereby dropping all poprelayd-granted relaying privileges, do:

su -
cd /etc/mail
mv popip.db popip.db.orig
touch popip
makemap hash popip.db < popip

At that point, if there are no POP clients active, nobody can relay mail through the server, unless they are connecting from an IP or domain name that's allowed with a RELAY directive in /etc/mail/access

Changing Daemon Parameters

You can change the amount of time the relay is open for all authenticated users, as well as how often the mail log is checked for new IPs. The shorter the delay between checks, the more quickly a user can send mail through the server after authenticating. Shorter check intervals increase CPU usage and disk access.

Edit /usr/local/sbin/poprelayd using your favorite editor and change the parameters $timeout_minutes and $log_wait_interval to meet your needs. For example:

 $timeout_minutes =  30;   # Minutes an entry lasts.
 $log_wait_interval = 5;   # Number of seconds between checks

Using POP-Authenticated Relaying with a "Front End" SMTP Server

If you use a front end SMTP server (i.e., users send mail through one server and check their mail on another server), you can still use poprelayd to allow access to the SMTP server for POP users by copying the popip.db file from the POP3 server to the SMTP server.

Use the following cron script, set to run every minute, on the SMTP server to pull popip.db from the POP server. The poprelayd daemon will see the popip.db and use it accordingly, even if you do not have POP-authenticated relaying enabled in the user interface.

 cd /home/users/admin
 wget -nv 2>&1
 chmod 0655 popip.db
 cp popip.db /etc/mail
 rm popip.db
Personal tools