Exim tpop3d ssl – inny pop3

Jednym z ciekawszych deamonów pop3 jest tpop3d, umożliwoa on uzyskanie połączeń ssl bez dodatkowego porogramu stunnel.

Instalacja jak zwykle jest prosta.

Pierwszym krokiem jest ściągnięcie i rozpakowanie źródeł:

wget http://mirror.lihnidos.org/GNU/savannah/tpop3d/tpop3d-1.5.5.tar.gz

Teraz kolej na Configure

./configure –prefix=/usr –sysconfdir=/etc –localstatedir=/var –disable-auth-pam –enable-auth-passwd –enable-shadow-passwords –enable-mbox-bsd –disable-dotfile-locking –enable-tls –with-openssl-root=/usr/local/openssl

następni standardowo make && make install

Konfiguracja daemona jest prosta, poniżej przykład: plik tpop3d.conf w katalogu /etc

#
# tpop3d.conf.sample:
# Sample configuration file for tpop3d.
#
# $Id$
#

#
# Global options
#

# listen-address: address[:port][(domain)|/regex/][;tls-options] …
# most basic syntax; listen on every interface on default port:
#listen-address: 0.0.0.0
# or perhaps you want to enable SSL using
# the certificate /usr/local/etc/tpop3d-cert:
#listen-address: 0.0.0.0;tls=stls,/usr/local/etc/tpop3d-cert
listen-address: 0.0.0.0;tls=stls,/etc/exim/cert/exim.crt,/etc/exim/cert/exim.key
0.0.0.0;tls=immediate,/etc/exim/cert/exim.crt,/etc/exim/cert/exim.key
# max-children: number
# maximum number of connections to serve at any given time. [default: 100]
#max-children: 100

# append-domain: (yes|true)
# Fall back onto authenticating with username@domain if required, where
# domain is the domain name associated with the address on which the
# connection was received. [default: no]
#append-domain: true

# strip-domain: (yes|true)
# Fall back onto authenticating with username only if username@domain is
# supplied and fails to authenticate. [default: no]
#strip-domain: true

# domain-separators: string
# Specifies which characters can be used to separate local_parts from
# domains in POP3 usernames. [default: @%!:]
#domain-separators: @

# apop-only: (yes|true)
# Disconnect any client which sends a USER command. [default: no]
#apop-only: true

# timeout-seconds: number
# Number of seconds for which a connection may be idle before it is closed.
# The RFC requires 600. [default: 30]
timeout-seconds: 600

# log-facility: facility
# The `facility’ as which tpop3d emits system log messages.
#log-facility: mail

# log-level: level
# The `level’ at which tpop3d logs system log messages.
#log-level: debug

# log-stderr: (yes|true)
# Send log messages to standard error as well as the system log.
#log-stderr: true

# no-detach: (yes|true)
# Do not detach from controlling terminal.
#no-detach: true

# mailbox: [mailbox-driver:]path-spec …
# Selects the location, and optionally the type, of the mailbox to use when
# a user is authenticated.
mailbox: bsd:/var/mail/$(user)

# mailspool-index: path-spec
# Selects the location of metadata cache files for BSD mailspools
# tpop3d needs to be able to create files in your mailspool path for this;
# alternatively change the path specified. [default: no index]
#mailspool-index: $(name).tpop3d-index

# maildir-exclusive-lock: (yes|true)
# Indicates that tpop3d should attempt to lock maildirs for exclusive access.
# [default: no]
#maildir-exclusive-lock: true

# maildir-recursion: (yes|true)
# Tells tpop3d to recurse into IMAP folders when searching for messages.
# [default: no]
#maildir-recursion: true

# maildir-ignore-folders: foldername
# Specifies IMAP Folders that should be excluded when recursing into IMAP
# folders. (separated by spaces or tabs, supports regex, may be emtpy)
# [default: Trash Sent]
#maildir-ignore-folders: Trash Sent Draft Spam

# maildir-evaluate-filename: (yes|true)
# If enabled, tpop3d tries to extract modification time and message size out
# of message filenames instead of doing a stat() on the file.
# [default: no]
#maildir-evaluate-filename: true

# maildir-size-string: string
# Tells tpop3d where to find the message size in the filename.
# [default: ,S=]
#maildir-size-string: ,S=

# tcp-wrappers-name: name
# Selects the `daemon name’ used by tpop3d with TCP Wrappers. [default: tpop3d]
#tcp-wrappers-name: tpop3d

# drac-server: hostname
# Gives the name of a server to which tpop3d should send DRAC notifications.
#drac-server: localhost

# whoson-enable: (yes|true)
# Enable notification of successful logins to a WHOSON server as defined in
# /etc/whoson.conf. [default: no]
#whoson-enable: true

# tls-no-bug-workarounds: (yes|true)
# Disable workarounds for various bugs in client TLS implementations
#tls-no-bug-workarounds: true

#
# Authentication options
#

# permit-empty-password: (yes|true)
# Users may log in with an empty password. [default: no]
#permit-empty-password: true

# onlogin-child-wait: (yes|true)
# If the authenticator offers an `onlogin’ action, the user’s mailbox won’t
# be opened until after the onlogin action completes. See man page for info.
#onlogin-child-wait: true

# log-bad-passwords: (yes|true)
# If switched on, wrong passwords will be recorded in the logs. This is an
# invasion of privacy, but may help in debugging problems.
#log-bad-passwords: true

# authcache-enable: (yes|true)
# If switched on, tpop3d will cache the results of successful authentications.
# This feature is experimental, and is only likely to be useful for very busy
# sites. [default: no]
#authcache-enable: true

# authcache-entry-lifetime: number
# How long a successful authentication is cached for, in seconds. To be useful,
# this must be much longer than the interval between POP3 logins. [default:
# 3600 (1 hour)]
#authcache-entry-lifetime: 3600

# authcache-use-client-host: (yes|true)
# If you have authenticators which use the $(clienthost) substitution variable
# (so that authentication depends on the IP address from which a client
# connects) you must switch this on, since otherwise tpop3d may use for a new
# connection a cached authentication result for a client who connected from
# a different address. [default: no]
#authcache-use-client-host: true

#
# PAM authentication options
#

# auth-pam-enable: (yes|true)
# Enable authentication using Pluggable Authentication Modules.
#auth-pam-enable: yes

# auth-pam-facility: facility
# Sets the PAM facility name used by tpop3d. [default: tpop3d]
#auth-pam-facility: tpop3d

# auth-pam-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
# [default: gid of authenticated user]
#auth-pam-mail-group: mail

# auth-pam-mail-user: (user-name | uid)
# Names a local user whose credentials are used for users without local
# accounts.
#auth-pam-mail-user: mailnull

#
# Password authentication options
#

# auth-passwd-enable: (yes|true)
# Enable authentication using /etc/passwd.
auth-passwd-enable: true

# auth-passwd-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
auth-passwd-mail-group: mailmta

#
# MySQL authentication options
#

# auth-mysql-enable: (yes | true)
# Enable MySQL authentication.
#auth-mysql-enable: true

# auth-mysql-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
# [default: group of user associated with virtual domain]
#auth-mysql-mail-group: mail

# auth-mysql-hostname: hostname [[hostname] hostname] ..
# Host on which to connect to MySQL. Tried in order until a working host is
# found. [default: localhost]
#auth-mysql-hostname: localhost

# auth-mysql-database: database
# MySQL database to use for authentication.
#auth-mysql-database: mail

# auth-mysql-username: username
# MySQL username used to access the database.
#auth-mysql-username: mail

# auth-mysql-password: password
# Password of MySQL user.
#auth-mysql-password: s3cr3t

# auth-mysql-pass-query: substitution string
# Query template to use for USER/PASS authentication. Must return mailpath,
# password, userid, mailspool type; uses substitution variables as described
# in the man page.
#auth-mysql-pass-query: SELECT mailpath, password, userid, spooltype FROM …

# auth-mysql-apop-query: substitution string
# Query template to use for APOP authentication. See auth-mysql-pass-query.

# auth-mysql-onlogin-query: substitution string
# Query template to use for POP-before-SMTP operation. See man page.

#
# Postgres authentication options
#

# auth-pgsql-enable: (yes | true)
# Enable Postgres authentication.
#auth-pgsql-enable: true

# These options are analogous to their MySQL counterparts.
#auth-pgsql-username:
#auth-pgsql-password:
#auth-pgsql-database:
#auth-pgsql-hostname:
#auth-pgsql-pass-query:
#auth-pgsql-apop-query:
#auth-pgsql-onlogin-query:
#auth-pgsql-mail-group:

#
# LDAP authentication options
#

# Please read the man page for thorough details of these.

# auth-ldap-enable: (yes | true)
# Enable LDAP authentication.
#auth-ldap-enable: true

# auth-ldap-url: LDAP URL
# LDAP URL indicating server against which to make authentication requests.
#auth-ldap-url:

# auth-ldap-searchdn: LDAP server username
# DN to use when binding to LDAP server to search for a user.
#auth-ldap-searchdn:

# auth-ldap-password: LDAP server password
# Password of search user.
#auth-ldap-password:

# auth-ldap-filter: substitution string
# Filter template to use when searching for a user’s account.
#auth-ldap-filter:

# auth-ldap-scope: (subtree|base|onelevel)
# Scope of LDAP searches. If not specified, the default is `sub-tree’.
#auth-ldap-scope:

# auth-ldap-mailbox: [mailbox-driver:]path-spec …
# User mailbox location, as described above.

# auth-ldap-mailbox-attr: attribute name
# auth-ldap-mboxtype-attr: attribute name
# LDAP attributes which contains the name of a user’s mailbox, and its type.

# auth-ldap-mail-user: (user-name | uid)
# auth-ldap-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place

# auth-ldap-mail-user-attr: attribute name
# auth-ldap-mail-group-attr: attribute name

#
# Flat file authentication options
#

# auth-flatfile-enable: (yes | true)
# Enable flat file authentication.
#auth-flatfile-enable: yes

# auth-flatfile-passwd-file: substitution string
# Specify the file in which tpop3d will search for a user’s password. Use
# substitution variables to make this domain-dependent. See man page for more
# details.
#auth-flatfile-passwd-file: /usr/local/etc/tpop3d/passwd

# auth-flatfile-mail-user: (user-name | uid)
# auth-flatfile-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place.

#
# External program (`other’) authentication options
#

# auth-other-enable: (yes | true)
# Enable external program authentication.
#auth-other-enable: true

# auth-other-program: path
# Program to use for external authentication.
#auth-other-program: /usr/local/sbin/..

# auth-other-user: (user-name | uid)
# auth-other-group: (group-name | gid)
# The user and group under which to run the authentication program.

# auth-other-timeout: time
# The timeout in seconds for authentication. [default: 0.75]
#auth-other-timeout: 0.75

#
# Perl authentication options
#

# auth-perl-enable: (yes | true)
# Enable authentication via an embedded perl interpreter.
#auth-perl-enable: true

# auth-perl-start: perl code
# Specify a line of perl code to be executed at startup.
#auth-perl-start: do '/usr/local/etc/tpop3d/tpop3d.pl’

# auth-perl-finish: perl code
# Specify a line of perl code to be executed when the authentication driver
# is shut down.
#auth-perl-finish:

# auth-perl-apop: subroutine name
# Specify the name of a perl subroutine which will be called when
# a request for APOP authentication is received.
#auth-perl-apop:

# auth-perl-pass: subroutine name
# Specify the name of a perl subroutine which will be called when
# a request for USER/PASS authentication is received.
#auth-perl-pass:

# auth-perl-onlogin: subroutine name
# Specify the name of a perl subroutine which will be called after
# a successful login for POP-before-SMTP operation.
#auth-perl-onlogin:

#
# GDBM authentication options
#

# auth-gdbm-enable: (yes | true)
# Enable authentication via GNU dbm files.
#auth-gdbm-enable: true

# auth-gdbm-passwd-file: string
# Specify the dbm file in whichtpop3d will search for a user’s password.
#auth-gdbm-passwd-file: /var/lib/gdbm/…

# auth-gdbm-persistent: (yes | true)
# Tell tpop3d to use persistent filehandles.
#auth-gdbm-enable: true

# auth-gdbm-mail-user: (user-name | uid)
# auth-gdbm-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place.

Jak widać w konfiguracjai mamy bardzo wiele możliwości, deamon współpracuje z PAm, MySql itd. W pierwszych liniach konfluguracji jest definioanie adresów na których nasłuchuje tpop3d po ssl i certyfikaty, celowo wykożystano tutaj certyfikaty exim’a. Teraz należy wyłaczyc standardowy daemon pop3d w inetd.conf oraz dodać dokonfiguracji exima w sekcji „MAIN CONFIGURATION” linie wskazującą na jakich portach bedzie nasłuchiwal Exim.

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

Zapytacie napewno dlaczego port 465, a dlatego ze TPSA wyłaczyła port 25 do komunikacji smtp ze względu na spam, nie wyslecie poczty mając neostrade i skonfigurowane konto w Outlooku czy innym programem pocztowym.

W stunnel zostawiamy tylko tunelowanie dla IMAP.

uruchomienie daemona sprowadza sie do dopisanie linie w skrypcie uruchamiającym usługi zwiazane z pocztą

/usr/sbin/tpop3d

Korzystając z serwisu zgadzasz się na korzystanie z plików cookie. Więcej informacji

Aby zapewnić Tobie najwyższy poziom realizacji usługi, opcje ciasteczek na tej stronie są ustawione na "zezwalaj na pliki cookies". Kontynuując przeglądanie strony bez zmiany ustawień lub klikając przycisk "Akceptuję" zgadzasz się na ich wykorzystanie.

Zamknij