Igor Morgado Pereira wrote:
> 
> I want to know if qmail has some method to stop relay. I want only
> authorized POP3 users to be able to use the SMTP; how can I do that?
> I already have a running qmail + vpopmail + mysql.

From vpopmail FAQ:

4. How do I allow roaming users to use our smtp server without opening
   the machine up to everyone on the internet?

   Your startup script for the qmail smtp server must use the
   tcpserver -x file command similar to this startup line.

    env - PATH="/var/qmail/bin:/usr/local/bin" \
    tcpserver -H -R -x /path/to/vpopmail/etc/tcp.smtp.cdb \
    -c20 -u503 -g503 0 smtp \
    /var/qmail/bin/qmail-smtpd 2>&1 > /dev/null &

Here are our qmail /etc/passwd entries
alias:x:503:503::/var/qmail/alias:/bin/bash
qmaild:x:504:503::/var/qmail:/bin/bash
qmaill:x:505:503::/var/qmail:/bin/bash
qmailp:x:506:503::/var/qmail:/bin/bash
qmailq:x:507:504::/var/qmail:/bin/bash
qmailr:x:508:504::/var/qmail:/bin/bash
qmails:x:509:504::/var/qmail:/bin/bash

    Modify the -u503 and -g503 to match your system's alias user's
    user id and group id.

   Configure vpopmail with an additional option --enable-roaming-users=y

   Then edit the /path/to/vpopmail/etc/tcp.smtp file and put in lines
   for all static IPs that you will always want to allow relay access to.
   For example:

    127.0.0.:allow,RELAYCLIENT=""
    10.1.1.:allow,RELAYCLIENT=""

   The above lines will allow the localhost and all machines on the
   10.1.1 C class to relay through.

   You should always put in the 127.0.0 and the IP of the machine
   vpopmail is running on and any aliased IPs.

   Then run the following command
   /path/to/vpopmail/bin/clearopensmtp

   Then, every time someone pops in and authenticates, the following
   happens:

        1) vpopmail asks for an exclusive lock on the
           ~vpopmail/etc/open-smtp.lock file
        2) it will wait for the lock, once it gets it, it will continue
        3) it adds the pop user's IP into the ~vpopmail/etc/open-smtp
           file with a time stamp. If the IP already exists, it updates
           the timestamp.
        4) it runs tcprules to regenerate the /etc/tcp.smtp.cdb file
        5) releases lock and new IP becomes available to the next
           smtp invocation.

    At this point, the smtp server configured above will allow that
    IP to relay for 1 hour (default).

    You should set up cron to run the following:
        40 * * * * /home/vpopmail/bin/clearopensmtp
    clearopensmtp will ask for a lock, clear out any roaming IPs
    whose timestamps are over 1 hour old since last pop authentication,
    merge the two files as vpopmail does above, and run tcprules,
    thus closing off relay for those aged IPs.

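The lock, timestamp and expiry cycle the FAQ describes, as an added Python sketch (not vpopmail's own code). The 'ip<TAB>epoch' file format, the function names and the sample IPs are assumptions made for illustration; the output of build_rules is the text that would be handed to tcprules.

```python
import fcntl
import os
import time

RELAY_WINDOW = 3600  # FAQ default: relay stays open 1 hour after the last POP login

def load_entries(path):
    """Read the roaming-IP file; assumed format is one 'ip<TAB>epoch' per line."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return {ip: int(ts) for ip, ts in (line.split("\t") for line in fh if line.strip())}

def save_entries(path, entries):
    """Write to a temp file and rename, so a reader never sees a partial file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        for ip, ts in sorted(entries.items()):
            fh.write(f"{ip}\t{ts}\n")
    os.replace(tmp, path)

def record_pop_login(open_smtp, lock_path, ip, now=None):
    """Steps 1-3 and 5: wait for the lock, add the IP or refresh its timestamp."""
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # blocks until the exclusive lock is granted
        entries = load_entries(open_smtp)
        entries[ip] = int(time.time() if now is None else now)
        save_entries(open_smtp, entries)
    # closing the lock file releases the lock

def clear_expired(open_smtp, lock_path, now=None):
    """The cron job: drop IPs whose last POP login is over RELAY_WINDOW old."""
    now = int(time.time() if now is None else now)
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        kept = {ip: ts for ip, ts in load_entries(open_smtp).items()
                if now - ts <= RELAY_WINDOW}
        save_entries(open_smtp, kept)
    return kept

def build_rules(static_rules, entries):
    """Step 4 input: static tcp.smtp lines plus one allow line per roaming IP."""
    lines = [l.strip() for l in static_rules.splitlines() if l.strip()]
    lines += [f'{ip}:allow,RELAYCLIENT=""' for ip in sorted(entries)]
    return "\n".join(lines) + "\n"
```

Relay permission here is keyed on the source IP alone, so every host that shares an address with an authenticated POP user (for example behind the same NAT) can relay until the entry expires.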