POP-before-SMTP Relay Configuration on FreeBSD Sendmail

By Weldon Whipple <weldon@whipple.org>


Important Note (1 Feb 2005)

Before following the instructions in this document (written in June 2004), check out the FreeBSD ports collection at: /usr/ports/mail/pop-before-smtp. It installs the same package I describe in this document. It is quite possible that the FreeBSD installation procedure might be as simple as:


# cd /usr/ports/mail/pop-before-smtp
# make
# make install

(I no longer use POP before SMTP to control relaying, so I haven't tried this recently.) --Weldon

1. Introduction

POP before SMTP relay is a method of allowing only certain mail users to relay e-mail through your sendmail server.

In this document, relaying is the case where a remote user sends e-mail to your mail server, asking it to relay the e-mail to some other remote user. Neither the sender's domain nor the recipient's domain (the part to the right of the "@" sign in the e-mail address) is in sendmail's /etc/mail/local-host-names file (class $=w).

Only users who have "popped" their mailbox--by authenticating to the server's POP or IMAP daemon--are allowed to relay.

These instructions do not consider the merits of POP before SMTP versus SMTP AUTH.  SMTP AUTH is considered by many to be far superior to POP before SMTP.

2. Download and Decompress pop-before-smtp

These instructions use the pop-before-smtp daemon that you can download from http://popbsmtp.sourceforge.net/. Visit that web site and download the current version of popbsmtp.

I downloaded version 1.33 of the code by visiting https://sourceforge.net/project/showfiles.php?group_id=5017 and clicking on the file pop-before-smtp-1.33.tar.gz

Place the file in a temporary directory.

I placed it in the directory ~/tmp. Be sure that you are logged in as root.

Then change to the temporary directory and decompress the file:


# cd /tmp
# tar xvzf pop-before-smtp-1.33.tar.gz

Pop-before-smtp Quickstart Guide

The pop-before-smtp distribution includes a file named ./pop-before-smtp-1.33/README.QUICKSTART. That file is the basis of the steps below.
  1. Install four perl modules from CPAN (Comprehensive Perl Archive Network), by issuing the following commands (still logged on as root):
    
    # perl -MCPAN -e 'install Time::HiRes'
    # perl -MCPAN -e 'install File::Tail'
    # perl -MCPAN -e 'install Date::Parse'
    # perl -MCPAN -e 'install Net::Netmask'
    
    Each of the above invokes perl with the CPAN module loaded (-MCPAN), passing it a command to install a perl module. The first time you use CPAN, perl will prompt you for information. I generally give the default answer to each prompt, except when prompted for my favorite CPAN sites. I specify three sites with the string "3 4 43".
  2. Edit and modify the file named pop-before-smtp-conf.pl.
    Change back to the temporary directory that holds the pop-before-smtp distribution and edit the file. On my server the file is at: /tmp/pop-before-smtp-1.33/pop-before-smtp-conf.pl

    Find the line that reads

    
    #$file_tail{'name'} = '/var/log/maillog';
    
    and remove the leading comment character (#).

    Find the following two lines:

    
    =cut #-------------------------- Sendmail SMTP -----------------------START-
    =cut #-------------------------- Sendmail SMTP -------------------------END-
    
    and comment them out by inserting a # at the very beginning of each line (before "=cut").

    The above two lines are at the beginning and end of the section of the configuration file that makes pop-before-smtp work with sendmail.
  3. Test the pop-before-smtp daemon
    A successful test requires that /var/log/maillog contains at least one line that records a user successfully authenticating to IMAP or POP. If no such line exists yet, have a client check her e-mail using POP or IMAP so that an entry is added to /var/log/maillog.

    Without changing directories from the previous step, issue the command:

    
    # ./pop-before-smtp --config=./pop-before-smtp-conf.pl --debug --nowrite --reprocess
    
    The command should display a list of IP addresses that have successfully popped their mail (as recorded in /var/log/maillog).

    Press Ctrl-c to end the test.

  4. Install the daemon script and support files:
    
    # cp pop-before-smtp.init /usr/local/etc/rc.d/pop-before-smtp
    # cp pop-before-smtp /usr/sbin/
    # cp pop-before-smtp-conf.pl /etc
    
    The first command (above) copies the init script to a different directory than README.QUICKSTART tells you to, because FreeBSD's initialization scripts are stored in /usr/local/etc/rc.d rather than /etc/rc.d/init.d.
  5. Start the pop-before-smtp daemon by issuing the command:
    
    # /usr/local/etc/rc.d/pop-before-smtp start

    Note that the path is slightly different from the path given in README.QUICKSTART.

    The daemon should create a pop authentication database file that lists the IP addresses of those who have popped their mailboxes (and can now relay through sendmail). Verify that the daemon created the file by issuing the command:

    
    ls -l /etc/mail/popauth*
    
    The command should list a file named /etc/mail/popauth.db.
  6. Configure sendmail to check the new popauth.db file. (See the following section, below.)

Modify sendmail.cf to Check the popauth.db

Note: On FreeBSD, the default sendmail.cf file at /etc/mail/sendmail.cf is identical to the file /etc/mail/freebsd.cf, generated from the file /etc/mail/freebsd.mc. Rather than edit freebsd.mc, copy freebsd.mc to another file and edit that mc file.

On my server--mail.whipple.org--I issued the following command: cd /etc/mail; make, which created an mc file named mail.whipple.org.mc. I make changes to the file mail.whipple.org.mc.

Add a K configuration command to your sendmail mc (macro configuration) file. The K configuration command makes sendmail aware of the /etc/mail/popauth.db file.
If your mc file doesn't already have a LOCAL_CONFIG section, add one. If it does, just add the following line to the existing LOCAL_CONFIG section:

LOCAL_CONFIG
Kpopauth hash -a<OK> /etc/mail/popauth

The 3rd edition of the "Bat" book (pp. 155, 155ff) says that LOCAL_CONFIG and LOCAL_RULESETS go at the very end of the mc file--after the MAILER lines. I used to place them before the MAILER lines ... and they still worked.

Add some rules to the LOCAL_RULESETS section of the mc file

These rules make sendmail check the /etc/mail/popauth.db file, selectively allowing relaying. Be careful to separate the left and right sides of each rule with a tab (by pressing the tab key within your editor):

Add the following lines to your mc file:


LOCAL_RULESETS
SLocal_check_rcpt
R$*     <tab>$: $(popauth $&{client_addr} $: <?> $)
R<?>    <tab>$@ NoPopAuth
R$*<OK> <tab>$# OK

Be sure to replace <tab> with actual tab characters! (Press the tab key in your editor.)
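
A quick way to catch that mistake before running make, as an added example that is not part of the original instructions: the function below flags rules after LOCAL_RULESETS that still contain the literal <tab> placeholder or have no tab at all. The name check_rule_tabs and the files good.mc and bad.mc are hypothetical; the sample files are constructed from the rules shown above.

```shell
#!/bin/sh
# Added example (not from the original page): flag rewrite rules in a
# sendmail mc file whose two sides are not separated by a real tab.

# check_rule_tabs FILE
# Prints "LINE: reason" for each bad R line after LOCAL_RULESETS.
# Returns 0 if every rule is tab-separated, 1 otherwise.
check_rule_tabs() {
    awk '
        /^LOCAL_RULESETS/ { in_rules = 1; next }
        # Rule lines start with R; skip m4 macro calls such as RELAY_DOMAIN(...)
        in_rules && /^R/ && !/^[A-Z_]+\(/ {
            if (index($0, "<tab>")) {
                print NR ": literal <tab> placeholder left in rule"; bad = 1
            } else if (index($0, "\t") == 0) {
                print NR ": no tab between left and right side"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_samples DIR: constructed mc fragments (hypothetical file names).
# good.mc uses real tabs; bad.mc keeps one placeholder and one space-only rule.
write_samples() {
    printf 'LOCAL_CONFIG\nKpopauth hash -a<OK> /etc/mail/popauth\nLOCAL_RULESETS\nSLocal_check_rcpt\n' > "$1/good.mc"
    cp "$1/good.mc" "$1/bad.mc"
    printf 'R$*\t$: $(popauth $&{client_addr} $: <?> $)\nR<?>\t$@ NoPopAuth\nR$*<OK>\t$# OK\n' >> "$1/good.mc"
    printf 'R$*\t$: $(popauth $&{client_addr} $: <?> $)\nR<?>    <tab>$@ NoPopAuth\nR$*<OK> $# OK\n' >> "$1/bad.mc"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in good.mc bad.mc; do
    if check_rule_tabs "$dir/$f"; then
        echo "$f: rules OK"
    else
        echo "$f: fix the lines listed above"
    fi
done
rm -rf "$dir"
```

Point check_rule_tabs at your own mc file before running make.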

Use make to generate a cf file from your mc file

Issue the following command (with /etc/mail as your current directory):

# make

Watch for error messages indicating that your mc file might contain typos that need to be corrected.

On my mail server, the above command reads the file mail.whipple.org.mc and generates a cf file named mail.whipple.org.cf.

Use make to install the new sendmail.cf file

Issue the following command (in the same directory as above):

# make install

On my mail server (running sendmail 8.12.10 on FreeBSD 4.9), the above command copies the file mail.whipple.org.cf to sendmail.cf.

Use make to restart the sendmail daemons

Issue the following command (in the /etc/mail directory):

# make restart

Both sendmail daemons should restart.

Verify the Installation

Configure a remote e-mail client to check its mailbox using IMAP or POP, then have the client check its mail. Without configuring an outgoing SMTP server (i.e., without configuring SMTP AUTH), the client should be able to send outgoing mail through the e-mail server to a recipient not serviced by the sendmail server just configured.

Check /var/log/maillog as you send and receive e-mail to make sure that POP before SMTP works as expected.