[EXIM] Using pop-before-relay authorization with Exim

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Doug S
Date:  
À: exim-users
Sujet: [EXIM] Using pop-before-relay authorization with Exim

I offered this information last week, and I've gotten some feedback.
I've also cleaned up the scripts some, fixed a runaway "tail" and a
parsing error on days < 10, so it's just about ready for prime time.

The components:

(1) a script (popwatch) that watches /var/adm/log to collect a list of
IP's and hosts that people pop from. This script will probably need
tailoring if you use something other than UW IMAP4.1/final and the POP3
server that comes with it. You may also have to modify your POP3 server
to put out IP's and/or host names (I use the IP's as filenames, but
exim wants the hostnames to put in the lookup file).

Since I have my local hosts permitted in a sender-net-accept-relay
entry, I exclude them here (the exclude pattern is at the top of the
script, set this to something meaningless like XYZZY if you want to
force all through this procedure).

(2) a script (popauth) that watches for files created by popwatch and
regenerates a popauth file that's referred to in exim's config file.

(3) a script (popclean) that cleans up old authorizations. Every five
minutes it wakes up and removes authorizations over 30 minutes old.

All three of the above scripts are launched at boot time and run
continuously. I use a batch file that's run as "exim" from rc.local:

/usr/local/etc/popwatch &
/usr/local/etc/popauth &
/usr/local/etc/popclean &

(4) a script (poproll) that's run right after the syslogs are rotated.
It kills and restarts popwatch so it goes after the new log, and it
rotates the popwatch log. This runs as root, just like the syslog
rotate does.

None of these are terribly portable - I didn't write it with that in
mind, but they're all fairly simple as perl scripts go.

(5) You need to put this in the exim config script:

sender_host_accept_relay = "127.0.0.1:\
lsearch;/usr/local/exim/popauth"

The "popauth" file is the one created by the script in (2) above.

Finally, you have to get all the permissions stuff done right. Since
my syslog isn't world-readable, I use ACL's (access control lists)
to give the exim group ability to read the syslogs. You may want to
handle this a different way.

There's a file at http://cc.ysu.edu/~doug/exim-pop.tar.Z that has
the 4 scripts above and a copy of this note in it.

--
Doug S. (doug@???) (http://cc.ysu.edu/~doug/)

If you get hung up on what you did wrong, you're never gonna get anywhere.
        -- Kenneth Copeland


--
*** Exim information can be found at http://www.exim.org/ ***