[SOLVED] pop before smtp authentication

[nwilkens]

We are migrating from Qmail/Vpopmail to Zimbra. On the qmail side, we have pop before smtp authentication configured for relay access.

Is some form of pop before smtp available for Zimbra?

Thanks,
Nick

[nwilkens]

I was able to get this working. Zimbra team, maybe you should consider this as an option in the future..

1) Download and install Pop-before-smtp Home
- Changes in /etc/pop-before-smtp-conf.pl:
$dbfile = '/opt/zimbra/postfix/conf/pop-before-smtp';
$ENV{'PATH'} = '/opt/zimbra/postfix/sbin';
$logtime_pat = '(\d\d\d\d-\d\d-\d\d \d+:\d+:\d+)';

$pat = '[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- user [A-Za-z0-9._%-
]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=login';

$out_pat = '[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- quit from client';


(you can download my pop-before-smtp-conf.pl file http://www.mnxsolutions.com/scripts/...e-smtp-conf.pl )

2) Change /opt/zimbra/conf/log4j.properties.in:
from: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=INFO,LOGF ILE
to: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=DEBUG,LOG FILE

3) add a line at the beginning of /opt/zimbra/conf/postfix_recipient_restrictions.cf

check_client_access hash:/opt/zimbra/postfix/conf/pop-before-smtp


Restart zimbra and start he pop-before-smtp daemon.

It would be nice if the INFO logging had the IP address of the authenticated user, rather than having to enable debug.

nick - mnxsolutions.com

[nwilkens]

I tried posting this here, but it did go through. Anyhow, I created a posting on our blog with all the details here:.


Quick summary:
1) Download and install Pop-before-smtp
2) Change /opt/zimbra/conf/log4j.properties.in
3) add a line at the beginning of opt/zimbra/conf/postfix_recipient_restrictions.cf
4) Restart zimbra and start the pop-before-smtp daemon.

[mmorse]

Cool & welcome to the forums!
I see you've already met our watchdog fido: Forum Spam & Security Update
-Don't worry, he won't bite ya too hard anymore

[serivo]

I have created RPM for centos-5 with patches you proposed in pop-before-smtp-conf.pl. For me it was required to patch pop-before-smtp to make it use perl Date::Format and Date::Parse installed with zimbra-core, instead of installing it from CPAN.
These changes for /opt/zimbra/conf/log4j.properties.in and /opt/zimbra/conf/postfix_recipient_restrictions.cf are done by post install script of the RPM and they are reverted at uninstall of the rpm by preun script.
If anybody interested I can place this rpm, spec and patch somewhere for viewing/downloading.

--
Sergey.

[nwilkens]

I actually rewrote the pop-before-smtp configuration to support standard multi-line logging, no need to update the log4j properties.

Refer to the blog posting for the latest updated information: http://www.mnxsolutions.com/blog/lin...ion-howto.html

Use these rules in place of $pat and $out_pat in step 1:

$PID_pat = ‘^[LOGTIME],\d+\ INFO \[Pop3[A-Za-z]+-(\d+)\] ‘;
$IP_pat = $PID_pat . ‘\[ip=(\d+\.\d+\.\d+\.\d+);\] pop \- connected’;
$OK_pat = $PID_pat . ‘\[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};\] pop \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+’;
$FAIL_pat='sdfsdf';

[serivo]

How did you managed zimbra to write Pop3 authentication messages to /var/log/maillog?
Or have you changed it to be /opt/zimbra/log/mailbox.log and did not mentioned it here in your previous posts?
--
Sergey.

[nwilkens]

I left that part out on accident. The config files are available for download on the blog posting, and point to the mailbox.log file.

[simgar]

Due to out zimbra implementation being a migration from an existing server with hundreds of users all using pop-before-smtp, we were require to enable this tool as well. Everything from the mnxsolutions blog posting above worked fine except that the INFO multiline authentication patterns did not catch IMAP logins, so we changed them to the following and everything appears to be working correctly, both POP3 and IMAP:

$PID_pat = '^[LOGTIME],\d+\ INFO \[(?:Pop3|Imap)[A-Za-z]+-(\d+)\] ';
$IP_pat = $PID_pat . '[\S\s]+(?:\[|=)(\d+\.\d+\.\d+\.\d+)[\S\s]+ connected';
$OK_pat = $PID_pat . '[\S\s]+name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}[\S\s]+(?op|imap) \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';

[jaydorado]

Does the above pattern matching applicable for zimbra 6?