I have written a few simple tools to allow POP before SMTP relay info to be stored in each user's LDAP entry, instead of in a database on the hard drive.
They are available for now at: http://nausicaa.interq.or.jp/qmail/

Please note that these tools work for me, but like the rest of qmail-ldap, your mileage may vary. This system has been in production for about 6 months at a large ISP that keeps the POP cluster separate from the SMTP cluster.

It consists of two tools:

* pop3-record, run by auth_pop.c

  When a user successfully authenticates via POP-3, auth_pop.c tries to run (by default) "/usr/local/bin/pop3-record". This version of the tool records the authenticating user's IP (from $TCPREMOTEHOST) and the current time (in seconds since the Unix epoch) in the user's LDAP entry.

* ldap-relay, run between tcpserver and qmail-smtpd

  Uses the incoming user's IP (from $TCPREMOTEIP) to do an LDAP query to find if the user has authenticated successfully via POP in the last 30 minutes. If so, sets RELAYCLIENT to allow the user to relay. If not, just calls qmail-smtpd as normal.

Example qmail-smtpd/run script:

#!/bin/sh
QMAILDUID=`/usr/xpg4/bin/id -u qmaild`
NOFILESGID=`/usr/xpg4/bin/id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
exec /usr/local/bin/softlimit -m 20000000 \
    /usr/local/bin/tcpserver -v -R -l 0 -x \
    /etc/qmail/access/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \
    /var/qmail/bin/qmail-smtpd /var/qmail/bin/auth_smtp \
    /usr/bin/true 2>&1

These two tools allow a dynamic relay environment to be used, and remove the need for local databases to store the users' auth information. There are both C and Perl versions of pop3-record, but only a C version of ldap-relay available at the URL above.

To store this information in LDAP, a small patch to the qmail.schema file is needed. It is also available at the URL above, but follows here for completeness.

Comments, etc. are appreciated. If these tools are useful for everyone, I hope they can be modified and included with qmail-ldap.
Ben

--- qmail/qmail.schema Thu Oct 4 18:53:28 2001 +++ qmail-gmo-1.2/qmail.schema Mon Feb 25 12:52:53 2002 @@ -90,6 +90,23 @@ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE ) +# schema for recording the last time a user successfully +# authenticated. Used to allow SMTP relaying if the lastAuthTime is +# after a certain time (say, 15 minutes before the current time). + +# Written 2001 August 23 by Ben Gertzfield <[EMAIL PROTECTED]> + +attributetype ( 1.3.6.1.4.1.7914.1.2.1.15 NAME 'lastAuthTime' + DESC 'Time (in seconds since the UNIX epoch, 00:00:00 1970-01-01 UTC) when a +user last authenticated themselves' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.7914.1.2.1.16 NAME 'lastAuthIP' + DESC 'Last known IP address a user successfully authenticated from' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) + # Object Class Definitions objectclass ( 1.3.6.1.4.1.7914.1.2.2.1 NAME 'qmailUser' @@ -99,5 +116,5 @@ mailAlternateAddress $ qmailUID $ qmailGID $ mailQuota $ mailHost $ mailForwardingAddress $ deliveryProgramPath $ qmailDotMode $ deliveryMode $ mailReplyText $ - accountStatus $ qmailAccountPurge ) ) + accountStatus $ qmailAccountPurge $ lastAuthTime $ lastAuthIP ) )

-- 
Brought to you by the letters G and J and the number 18.
"Whoa. I know Kung Fu."
Debian GNU/Linux maintainer of Gimp and Nethack -- http://www.debian.org/
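Review bot: in the first hunk (the two attributetype definitions), lastAuthIP is declared without SINGLE-VALUE while lastAuthTime is SINGLE-VALUE, so the pair can drift apart: if pop3-record ever adds a value instead of replacing it, a user who logs in from one address and later from another keeps both addresses while lastAuthTime reflects only the latest login, and an ldap-relay lookup on the older address finds a fresh timestamp and grants relaying to a host that did not just authenticate. Add SINGLE-VALUE to lastAuthIP and have pop3-record replace rather than add. Two smaller points on the same hunk: `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32}` is too short for a textual IPv6 address (up to 39 characters, 45 in the full IPv4-mapped form) and for a hostname, which matters because the post says pop3-record records $TCPREMOTEHOST (under tcpserver that is the reverse-DNS name, or unset when lookup fails) while ldap-relay matches on $TCPREMOTEIP, so both sides should store and compare TCPREMOTEIP. And lastAuthTime carries only `EQUALITY integerMatch`: a server-side (lastAuthTime>=N) filter needs an ORDERING rule (integerOrderingMatch), otherwise OpenLDAP evaluates the assertion as Undefined and it matches nothing; if the 30-minute comparison is done client-side after the lastAuthIP lookup that is fine, but then the header comment's "say, 15 minutes" should match the tool's 30-minute default or say the window is configurable.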
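Review bot: the second hunk puts lastAuthTime and lastAuthIP into qmailUser's MAY list, which is the right place (existing entries stay valid), but it also means the process that runs pop3-record must modify qmailUser entries on every POP login; give the bind DN it uses an ACL limited to writing those two attributes rather than write access to the entry, and keep ldap-relay's bind DN read-only. Since ldap-relay performs a (lastAuthIP=...) search on every incoming SMTP connection, also document that an equality index on lastAuthIP is required, or each connection turns into a full scan of the user base on the SMTP cluster.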
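As an added example that is not part of the post or the qmail-ldap tools, the relay decision ldap-relay is described as making, written in Python against a constructed in-memory stand-in for the LDAP search result (a real deployment would run an LDAP equality search on lastAuthIP). The attribute names follow the schema patch, the 30-minute window follows the post, and the uids, addresses and timestamps are made up.

```python
import os
import sys
import time

WINDOW_SECONDS = 30 * 60  # ldap-relay's window, as described in the post

# Constructed stand-in for the qmailUser entries an LDAP search returns; uids,
# addresses and timestamps are made up, attribute names follow the schema patch.
DIRECTORY = [
    {"uid": "alice", "lastAuthIP": "192.0.2.10", "lastAuthTime": "1014600000"},
    {"uid": "bob", "lastAuthIP": "192.0.2.10", "lastAuthTime": "1014598000"},
    {"uid": "carol", "lastAuthIP": "198.51.100.7", "lastAuthTime": "1014590000"},
    {"uid": "dave", "lastAuthIP": "203.0.113.4"},  # pop3-record never ran
]

def search_by_ip(directory, client_ip):
    """Stand-in for the LDAP equality search (lastAuthIP=<client ip>)."""
    return [e for e in directory if e.get("lastAuthIP") == client_ip]

def relay_allowed(entries, now, window=WINDOW_SECONDS):
    """True if some entry POP-authenticated from this address at most `window`
    seconds before `now`. A missing or malformed lastAuthTime never qualifies,
    and a timestamp in the future (clock skew between the POP and SMTP
    clusters) counts as stale rather than as a free pass."""
    for entry in entries:
        try:
            last_auth = int(entry["lastAuthTime"])
        except (KeyError, TypeError, ValueError):
            continue
        if 0 <= now - last_auth <= window:
            return True
    return False

def smtpd_environment(directory, client_ip, now, base_env=None):
    """Environment for qmail-smtpd: RELAYCLIENT is set (qmail-smtpd only checks
    that it exists) when the window test passes; otherwise the environment is
    passed through, so a RELAYCLIENT set by tcpserver -x from tcp.smtp.cdb
    still applies."""
    env = dict(os.environ if base_env is None else base_env)
    if relay_allowed(search_by_ip(directory, client_ip), now):
        env["RELAYCLIENT"] = ""
    return env

if __name__ == "__main__":
    # Between tcpserver and qmail-smtpd: decide, then exec the rest of the
    # command line (qmail-smtpd and its arguments) in that environment.
    env = smtpd_environment(DIRECTORY, os.environ.get("TCPREMOTEIP", ""), int(time.time()))
    os.execve(sys.argv[1], sys.argv[1:], env)
```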
