
LDAP and whoson support for SolidPOP3d



Hi,

We have been using solidpop3d for a few months with a couple of 
modifications we had to do.

We have published them now so you are able to use them and, if you want to, 
incorporate them in future versions.

Our mail server is ZMailer (see http://zmailer.org).

First, we added support for LDAP authentication (since we have our users 
in an LDAP DIT).

Second, we added support for POP before SMTP. For this, we are using a 
small contributed-to-zmailer protocol called "whoson".

This protocol allows remote "login", "logout" and "verify" of IP 
addresses with username information to a small "on line users database" 
indexed by IP address with username and timestamp info in it.

It can be used from, say, a RADIUS server, to allow associating SMTP 
messages coming from an IP address with a RADIUS user.

In our case, as we only provide e-mail (and, in fact, we don't have 
trustable IP addresses), we use it to associate SMTP messages coming from 
an IP address with a POP or IMAP user.

Since, in the case of POP, the user is not logged into the POP server while 
he/she is sending the mail, but rather logs in to POP, downloads, exits POP 
and THEN he/she connects to SMTP, we only use the "login" and our SMTP 
server verifies using a predefined timeout.

That is, the SMTP server does the following (simplified): 

-if the message is inbound, allow it.
-if the message is outbound:
    -verify the IP of the client in the whoson database
        -if you don't find it, reject it.
        -if you find it:
            -if the time elapsed since the timestamp is greater
                than your predefined timeout, reject it.
            -else, allow the relaying and put the username in the
               Received: header generated.

For this to work, and taking into account that we could have relatively 
short timeouts and maybe long POP download times, we do a "whoson login" 
with the user authentication AND with the user's POP logout.

So, in POP, we do this "whoson login" right after the authentication and 
right after the client sends the QUIT (obviously, having had a correct 
authentication :-)


======================================================================

In order to implement this stuff, we modified four files, and added two 
more.

Modified files:

configure.in
acconfig.h
src/main.c
src/Makefile.in

new files:

src/auth_ldap.h
src/auth_ldap.c

The new files, along with "diff -u"s of the modified versions (relative 
to the 0.15 tarball, no CVS) are attached.

======================================================================

To enable the use of these options you have to use the following configure 
options:

  --enable-whoson=PATH     
compile server with whoson support where PATH is the PATH you have whoson 
installed (defaults to /usr/local/whoson)  

  --enable-ldap=PATH       
compile server with ldap authentication support where PATH is the PATH 
you have LDAP installed (defaults to /usr/local/ldap)  

  --with-ldapconfigfile   
define ldap config file (default is /etc/ldap.conf) 

  --with-uidmaildir   
define owner of the maildir directory (default nobody). This is the Unix 
user which will read and write to the maildirs... it has to have 
read/write permissions on the maildirs.

=======================================================================

# 
# Example /etc/ldap.conf file
# 
# You must at least define "base", "ldaphost", "filter" & "attr". 
# 
base            ou=mailUsers,o=exampleOrganization
ldaphost        ldap.example.com
ldapport        389 
binddn          cn=ReadOnlyUser, o=exampleOrganization
passwd          secret
filter          (&(objectclass=mailUser)(uid=%s)) 
passattr        userPassword 
attr            maildirFileName
scope           sub 

=======================================================================

We added a -n option to solidpop3d to handle a base path from where 
maildirFileName is relative. You can use it from /etc/inetd with:

pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd \
           /usr/local/sbin/spop3d -n /maildir-base/%s -t maildir 

if in the maildirFileName attribute you have "/x/y/somebody", it will 
look for the maildir in /maildir-base/x/y/somebody.

==========================================================================
Acknowledgements:

This stuff wasn't made by me... I am only the "guy who better writes in 
English" :-)

The author is Edgardo Szulsztein <edgardosz@yahoo.com>.

The LDAP code was taken from the ZMailer LDAP code made (as stated in the 
source code) by:

Lai Yiu Fai                       |  Tel.:       (852) 2358-6202 
Centre of Computing Services      |  Fax.:       (852) 2358-0967 
 & Telecommunications             |  E-mail:     ccyflai@ust.hk 
                                  | 
The Hong Kong University of       |  Clear Water Bay, 
Science & Technology              |  Kowloon, Hong Kong. 


--
Mariano Absatz - El Baby
mailto:baby@baby.com.ar
http://www.baby.com.ar/
    PGP KEYS: http://www.baby.com.ar/datos/personales.html#claves_pgp
  |\  _
  _\\/'>     Powered by Pegasus Mail
 /|__)       http://www.pmail.com
  ) )\
-----------------------------------------------------------
Programming is an art form that fights back. 

configure.in.DIFF

acconfig.h.DIFF

Makefile.in.DIFF

main.c.DIFF

auth_ldap.h

auth_ldap.c
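The POP-before-SMTP flow described in the message above, as an added example that is not part of the original post, the solidpop3d patch, ZMailer or the whoson distribution: the whoson daemon and its wire protocol are replaced by an in-memory table keyed by client IP (username plus timestamp, which is what the post says the database holds), and the SMTP side is reduced to the decision function the post outlines. The names WhosonDB, relay_decision, the 600-second timeout, the Received: header shape and the sample traffic are this example's own assumptions.

```python
"""Simulation of POP-before-SMTP with a whoson-style IP table.

Added example: WhosonDB stands in for the whoson daemon ("login",
"logout", "verify" keyed by IP), relay_decision mirrors the SMTP
server's check, demo() replays the scenario from the post (login,
long download, QUIT, then SMTP).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Entry:
    username: str
    timestamp: float  # time of the most recent "whoson login" for this IP


class WhosonDB:
    """In-memory stand-in for the whoson 'on line users database'."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Entry] = {}

    def login(self, ip: str, username: str, now: float) -> None:
        # The POP server calls this right after a successful
        # authentication and again right after QUIT, so a long
        # download does not leave a stale timestamp behind.
        self._by_ip[ip] = Entry(username, now)

    def logout(self, ip: str) -> None:
        self._by_ip.pop(ip, None)

    def verify(self, ip: str) -> Optional[Entry]:
        return self._by_ip.get(ip)


def relay_decision(db: WhosonDB, client_ip: str, inbound: bool,
                   now: float, timeout: float) -> Tuple[bool, Optional[str]]:
    """The SMTP side of the post's flow.

    Returns (allow, username). Inbound mail is always accepted.
    Outbound mail is relayed only if the client IP has a whoson entry
    no older than `timeout` seconds; the username is returned so the
    caller can put it in the Received: header it generates.
    """
    if inbound:
        return True, None
    entry = db.verify(client_ip)
    if entry is None:
        return False, None
    if now - entry.timestamp > timeout:
        return False, None
    return True, entry.username


def received_header(client_ip: str, username: str, helo: str = "client") -> str:
    # Header layout is this example's own; the post only says the
    # username is put into the generated Received: header.
    return (f"Received: from {helo} ([{client_ip}]) "
            f"(authenticated as {username} via POP-before-SMTP)")


def demo() -> List[Tuple[bool, Optional[str]]]:
    """Constructed scenario; addresses are RFC 5737 documentation ranges."""
    db = WhosonDB()
    timeout = 600.0           # seconds an entry stays valid for relaying
    ip = "192.0.2.10"         # the POP/SMTP client
    results = []

    # t=0: POP authentication succeeds -> first whoson login
    db.login(ip, "somebody", now=0.0)
    # t=900: the download outlived the timeout, so an SMTP session now
    # would be rejected if only the post-authentication login existed
    results.append(relay_decision(db, ip, inbound=False, now=900.0, timeout=timeout))
    # QUIT -> second whoson login refreshes the timestamp
    db.login(ip, "somebody", now=900.0)
    results.append(relay_decision(db, ip, inbound=False, now=960.0, timeout=timeout))
    # an address never seen by POP cannot relay, but inbound mail still flows
    results.append(relay_decision(db, "198.51.100.7", inbound=False, now=960.0, timeout=timeout))
    results.append(relay_decision(db, "198.51.100.7", inbound=True, now=960.0, timeout=timeout))
    return results


if __name__ == "__main__":
    for allow, user in demo():
        print("relay" if allow else "reject", user or "")
    print(received_header("192.0.2.10", "somebody"))
```

Running `demo()` shows why the post does the second "whoson login" at QUIT: the first SMTP attempt at t=900 is rejected because 900 seconds have elapsed since the login-time timestamp, while the attempt after the refresh succeeds. The usual caveat applies to any POP-before-SMTP scheme, not to this patch in particular: the table is keyed by address only, so anything else sharing that address (NAT, a shared proxy) can relay for the length of the timeout, which is why the timeout is kept short.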
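The LDAP configuration and the -n maildir template from the message above, as an added example that is not the posted patch's code: it parses the /etc/ldap.conf fragment shown in the post (embedded verbatim so it runs offline), checks the four keys the post says are mandatory, substitutes the login name into the configured filter, and resolves the maildir path from a "-n /maildir-base/%s" template the way the post describes. The function names, the RFC 4515 escaping of the login name and the check that the resolved maildir stays under the base directory are this example's own additions; the post does not say how the patch performs the %s substitution or joins the paths, so treat these two checks as the precautions a reviewer would ask for rather than as a description of the patch.

```python
"""Parse the post's ldap.conf, build the search filter, resolve the maildir.

Added example, not from solidpop3d or the posted auth_ldap.c.
"""
import posixpath
from typing import Dict

# Copy of the example config from the post (constructed input).
LDAP_CONF = """\
#
# Example /etc/ldap.conf file
#
# You must at least define "base", "ldaphost", "filter" & "attr".
#
base            ou=mailUsers,o=exampleOrganization
ldaphost        ldap.example.com
ldapport        389
binddn          cn=ReadOnlyUser, o=exampleOrganization
passwd          secret
filter          (&(objectclass=mailUser)(uid=%s))
passattr        userPassword
attr            maildirFileName
scope           sub
"""

REQUIRED = ("base", "ldaphost", "filter", "attr")  # per the post's comment


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Key, whitespace, value per line; lines starting with '#' are comments.

    Only a leading '#' starts a comment, so DNs or passwords containing
    '#' survive intact. Later keys override earlier ones.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    missing = [k for k in REQUIRED if not conf.get(k)]
    if missing:
        raise ValueError("ldap.conf is missing: " + ", ".join(missing))
    return conf


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login name cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_filter(conf: Dict[str, str], username: str) -> str:
    """Substitute the single %s in the configured filter with the escaped name."""
    template = conf["filter"]
    if template.count("%s") != 1:
        raise ValueError("filter must contain exactly one %s")
    return template.replace("%s", escape_filter_value(username))


def resolve_maildir(template: str, attr_value: str) -> str:
    """Apply the -n template to the maildirFileName attribute value.

    As in the post: '-n /maildir-base/%s' with '/x/y/somebody' gives
    /maildir-base/x/y/somebody. The attribute's leading '/' is dropped
    so the halves join as described. Added precaution: a value that
    normalises to something outside the base prefix is refused.
    """
    prefix, sep, suffix = template.partition("%s")
    if not sep:
        raise ValueError("-n template must contain %s")
    base = posixpath.normpath(prefix) if prefix else "."
    joined = posixpath.normpath(prefix + attr_value.lstrip("/") + suffix)
    base_with_sep = base if base.endswith("/") else base + "/"
    if not joined.startswith(base_with_sep):
        raise ValueError("maildir path %r escapes %r" % (joined, base))
    return joined


if __name__ == "__main__":
    conf = parse_ldap_conf(LDAP_CONF)
    print(build_filter(conf, "somebody"))
    print(resolve_maildir("/maildir-base/%s", "/x/y/somebody"))
```

Two points a practitioner would check when deploying this configuration: the file holds the bind password in clear text ("passwd secret"), so it must be readable only by the user the POP daemon runs as, and the directory value written into maildirFileName is trusted by the server to select a mailbox, which is why the example refuses values that climb out of the base.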