|SMTP-AFTER-POPD(8)||Unix System Manager's Manual||SMTP-AFTER-POPD(8)|
smtp-after-popd -- an SMTP-after-POP daemon for systems running Postfix with vm-pop3d, ipop3d, or UW imapd
nohup /usr/sbin/smtp-after-popd &
Version 0.5, 08/28/2005
WHERE TO GET
Temporarily authorizes trusted outgoing SMTP mail transmissions from IP addresses which have authenticated to receive incoming mail via the ipop3d or vm-pop3d POP protocol daemons. In its default configuration, smtp-after-popd grants a two-minute window for outgoing mail delivery beginning when a valid POP login is detected.
smtp-after-popd recognizes valid POP login activity by parsing
/var/log/maillog, by default, or another syslogd-produced
log file containing records of POP daemon activity. This avoids
the need for any special modifications to the POP daemons.
smtp-after-popd "watches" the mail log file efficiently, keeping
track of its current read position and yielding the CPU briefly
between checks for new activity. When and only when it is determined
that the set of IP addresses that should be permitted to send mail
has changed, smtp-after-popd updates a Postfix hash and executes
postmap to make Postfix aware of it. In active use for
several years, smtp-after-popd has never taken up significant CPU time.
smtp-after-popd is typically launched at boot time, using the following syntax:
nohup /usr/local/sbin/smtp-after-popd &
As it is implemented as a simple Perl script, smtp-after-popd does not
currently redirect its output or automatically run in the background.
Use nohup to solve the first problem and & to solve the second.
Before smtp-after-popd can be used, it must be configured. Copy smtp-after-popd to /usr/local/sbin and edit the file with your preferred text editor. The necessary changes are explained there in comments.
Administrators wishing to use smtp-after-popd must also make a
small modification to /etc/postfix/main.cf. The
smtpd_recipient_restrictions block must include a
check_client_access step that looks at the Postfix hash
updated by smtp-after-popd. For example:
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, check_client_access hash:$config_directory/authenticated_ips, reject_unauth_destination
This is ONLY AN EXAMPLE. Your recipient restrictions block may be more complex. I am not attempting to document what your overall best practice there should be. Just make sure check_client_access precedes any
reject commands that it should override. You may have more than one
check_client_access block in order to allow various fixed "trusted" IPs to send mail.
Upgrade note: WITH VERSION 0.5, you NO LONGER want the
option to reference anything done by smtp-after-popd, and you may need to
restore it to its original setting, possibly found in the
$defaultNetworks setting of your installed copy of
smtp-after-popd version 0.4. New users of smtp-after-popd shouldn't need
to worry about this.
smtp-after-popd does not automatically redirect its output or
go into the background; use nohup and &
to handle this. There is a theoretical possibility that
smtp-after-popd will read only part of a line from the mail log
file, possibly resulting in a missed POP login; however, in tests
to date, this does not actually appear to happen. A fix for this
theoretical problem could be made by checking for the presence of
a newline at the end of the data read and, if none, rolling back the
seek pointer to the location of the last newline read.
smtp-after-popd should probably log its own activity.
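The partial-line fix described above, sketched in Python as an added example (not smtp-after-popd's own Perl code): the read offset advances only past the last newline, so a half-written record is re-read on the next pass, and logins are matched with a pattern anchored on the daemon tag and message start. The log line shape, LOGIN_RE and the function names are assumptions made for this illustration; real vm-pop3d, ipop3d and imapd output varies by version.

```python
import io
import re

# Assumed record shape (constructed). The match is anchored on the syslog
# prefix, daemon tag and message start, so text elsewhere in a line cannot match.
LOGIN_RE = re.compile(
    r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ (?:ipop3d|imapd)\[\d+\]: "
    r"(?:Login|Auth|Authenticated) user=\S+ host=\S+ "
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"
)

def read_complete_lines(fh, pos):
    """Read from byte offset pos; return (complete_lines, new_pos)."""
    fh.seek(pos)
    data = fh.read()
    end = data.rfind(b"\n") + 1  # 0 when no newline was read at all
    # Bytes after the last newline are a half-written record: leave them
    # unread by moving the offset only as far as that newline.
    lines = data[:end].decode("utf-8", "replace").splitlines()
    return lines, pos + end

def authenticated_ips(lines):
    """Return client IPs from lines that record a successful login."""
    return [m.group(1) for m in map(LOGIN_RE.match, lines) if m]

def demo():
    """Feed constructed log data in two writes; the first stops mid-line."""
    chunks = [
        b"Aug 28 10:15:01 mail ipop3d[2211]: Login user=alice "
        b"host=c1.example.net [192.0.2.10] nmsgs=3/3\n"
        b"Aug 28 10:15:02 mail imapd[2212]: Authenticated user=bob host=c2.exam",
        b"ple.net [198.51.100.7]\n"
        b"Aug 28 10:15:03 mail ipop3d[2213]: Login failed user=carol "
        b"host=c3.example.net [203.0.113.9]\n",
    ]
    log, pos, seen = io.BytesIO(), 0, []
    for chunk in chunks:
        log.seek(0, io.SEEK_END)
        log.write(chunk)
        lines, pos = read_complete_lines(log, pos)
        seen.append(authenticated_ips(lines))
    return seen

if __name__ == "__main__":
    print(demo())
```

The same offset handling works on a real log file opened in binary mode, where byte offsets and seek positions agree.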
Version 0.5 uses a Postfix hash instead of restarting Postfix. Version 0.5 also recognizes imapd log output beginning with Authenticated as well as just Auth.
Version 0.4 added more rigorous regular expressions to match the output of vm-pop3d and ipop3d more closely so that a clever login attempt cannot spoof the system. Thanks to Jorey Bump. Version 0.4 also added support for UW imapd, a trivial addition to the regexp list.
Thanks are due to the denizens of Nerdsholm, especially dawn and Rocco Caputo, and many others who have contributed encouragement and/or source code to this and other open software projects.