While I like the idea of pop-before-smtp as a quick authentication mechanism, I disliked the lack of user authentication.
I.e. if pleb@bigcompany.com did a pop3 there was nothing preventing pleb sending an email as ceo@bigcompany.com.
It also doesn't help if pleb did a pop3/imap connection behind a big NAT and something decided to take advantage of the open relay.
Rather than complain about this I wrote a patch and a policy daemon.
I later realised that I just needed to create a sender access map (check_sender_access); however, being a policy daemon, it should be a little more portable.
Love to hear your feedback. Be nice on coding style - this is one of my first perl programs.
Supports:
Most pop/imap clients in pop-before-smtp-conf.pl
autodetermination of postfix $mydestination including parsing of variables.
use and caching of postfix postmaps in $mydestination
Doesn't support:
Cyrus + Perdition (pattern matching assumes that USER comes before IP in the log, which doesn't occur for these products).
Differentiating between sender domains. e.g. pleb@bigcompany.com does a pop connection and can still send through as pleb@charity.org (assuming the same mail server) - sorry, not enough detail in POP logs.
Databases other than berkDB for ipusername DB.
Tested:
Debian - postfix + dovecot 1.0.0 POP3 + IMAP
hash and mysql maps in $mydestination
Untested:
All other pop3/imap clients. I did fix their regexes to what I could find/assume is a username.
Match Many Patterns - code added - never run yet
Anonymous
mega patch to support combined userip databases
Logged In: YES
user_id=612034
Originator: YES
File Added: pop-before-smtp-policyd
pop-before-smtp policy daemon
sample dovecot-1.0.0 imap and pop log
File Added: mail.log
small opp - username should be before ip in contrib/pat-tester
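The sender check described in the first post, sketched as a Postfix policy delegation decision. This is an added example, not the submitted patch or daemon code. The map layout, the function names, the DUNNO fallback for non-local senders and the sample request are assumptions; Python is used here instead of the project's Perl.

```python
# Constructed sample data; names and layout are assumptions for this example.
LOCAL_DOMAINS = {"bigcompany.com", "charity.org"}   # stands in for $mydestination
IP_TO_USERS = {"192.0.2.10": {"pleb"}}              # client IP -> POP/IMAP logins seen

# One constructed Postfix policy delegation request (name=value lines, blank line ends it).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=ceo@bigcompany.com\n"
    "recipient=someone@example.org\n"
    "\n"
)


def parse_request(text):
    """Parse the attributes of one request, stopping at the terminating blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, ip_to_users=IP_TO_USERS, local_domains=LOCAL_DOMAINS):
    """Return the policy action for one request."""
    sender = attrs.get("sender", "").lower()
    local, _, domain = sender.rpartition("@")
    if domain not in local_domains:
        return "DUNNO"  # null or non-local sender: leave it to the other restrictions
    users = ip_to_users.get(attrs.get("client_address", ""), set())
    if not users:
        return "REJECT no POP/IMAP login recorded for this client address"
    # Logs may record the login as "pleb" or "pleb@bigcompany.com"; accept either form.
    if any(u.lower() in (local, sender) for u in users):
        return "DUNNO"
    return "REJECT sender address does not match the POP/IMAP login"


def respond(request_text):
    """Format the reply the way Postfix expects: action line plus an empty line."""
    return "action=" + decide(parse_request(request_text)) + "\n\n"


if __name__ == "__main__":
    print(respond(SAMPLE_REQUEST), end="")
```

Because only the local part is compared, pleb@charity.org is still accepted after a login as pleb, which is the sender-domain limitation listed under "Doesn't support".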