help: setting up dial-in mail server

1999-07-09 Thread Bob Billson
g'day Debianers... It's been a long day.  I've been searching through the
HOWTOs and on the Web.  My brain is burnt.  I need some help! :-)

I set up a Debian (slink) box as a mail/file server for a small local
newspaper a few months ago.  The same machine connects their Win95 LAN to the
Net through a cable modem.  Works great!

Today, I was asked to set up a special use account.  They want to allow a few
select users to be able to dial in from a Windows machine to get/send mail
through a POP server and *nothing else*.  The nothing else was emphasized.
They don't want the users to be able to roam around the Linux box, the
internal LAN or get out on to the Net directly.  If the user somehow breaks
out of the POP server, they want the connection to die immediately.

I already have a dial-in PPP account for a branch office of the paper.
However, that account is allowed to do anything any local user can do.  So
obviously sharing the account is out.  I tried two different approaches
today and ran into problems with each.  I could use some advice and help on
which is the better approach and some suggestions why it isn't working.

First, I tried setting up another PPP account, but couldn't figure out how to
restrict it to only pop3, imap and smtp.  I had it sort of working, however
once the POP or IMAP server exited, the user is dumped into a regular shell.
Definitely not good!

Second, I tried a regular shell account, however the user's .bash_profile
contained:

/bin/stty -echo -onlret
exec /usr/sbin/ipop3d
exit 0

(Probably don't need the last line, but it's there as a just in case.)
That worked better, but not perfectly.  When we ran tests with Eudora Light,
which is what they will be using, we had some problems.  Apparently, Eudora
barfs if it sees any newlines or echoed characters.  This is the reason for the
first line.  This wasn't reliable though.  Watching the output from the ipop3d,
we saw newlines would sometimes get sent, choking Eudora.  Try again worked
fine.  Try again sometimes it worked correctly other times not.

When it did work, the Windows machine could receive mail just fine.  However,
it would hang when it tried to send mail with a telnet to mail.example.com
port 25.  Eventually, it would time out.  Other than not reliably passing
mail, the connection died as soon as the POP server died, so that much is
good. :-/

I'm hoping someone has already gotten Eudora to talk to a Debian box.  If
not, some advice on what I'm doing wrong with either approach would be very
welcome!  Thanks for the help!!

 bob
-- 
bob billson   email: [EMAIL PROTECTED]   ham: kc2wz
   (\/)
  {|||8-   beekeeper ...3 years   -8|||} Linux!  Because there is
   (/60,000 head of livestock\)  no place like $HOME.
CIA terrorist NSA bomb spy KGB drugs nuclear agent war GCHQ... Hi Echelon!


Re: help: setting up dial-in mail server

1999-07-09 Thread Dan
Also, I don't know if this is at all helpful, but the mail daemon, qpopper 
is made by Qualcomm, who of course make Eudora. So maybe compatibility might 
help there. I am not sure exactly what your setup could be, but I thought 
I'd let you know in case you didn't.



From: Bob Billson [EMAIL PROTECTED]
To: debian-user@lists.debian.org
Subject: help: setting up dial-in mail server
Date: Thu, 8 Jul 1999 20:55:05 -0400



Re: help: setting up dial-in mail server

1999-07-09 Thread Carl Mummert


Why not just set their shell to /bin/false or some such.

That prevents login access, and should prevent ftp access
(you have to check - try man ftpd ).  But it allows pop
access, and imap access.


Carl


Re: help: setting up dial-in mail server

1999-07-09 Thread Marc Mongeon
I've just done something similar here at Ban-Koe.  I just set up normal
PPP access, then used ipfwadm to filter out all packets except those
destined for the appropriate ports on the mail server.  It appears to be
working-- allows access to the mail server, and prevents any other
types of use.  I'd be happy to provide more specific information, if you
decide to go this way.

Marc

--
Marc Mongeon [EMAIL PROTECTED]
Unix Specialist
Ban-Koe Systems
9100 W Bloomington Fwy
Bloomington, MN 55431-2200
(612)888-0123, x417 | FAX: (612)888-3344
--
It's such a fine line between clever and stupid.
   -- David St. Hubbins and Nigel Tufnel of Spinal Tap





Re: help: setting up dial-in mail server

1999-07-09 Thread Pollywog

On 09-Jul-99 Carl Mummert wrote:
> Why not just set their shell to /bin/false or some such.
>
> That prevents login access, and should prevent ftp access
> (you have to check - try man ftpd ).  But it allows pop
> access, and imap access.

Does setting the shell to /bin/false prevent ftp access?
Anonymous and for users with accounts too?  Seems I recall it does not prevent
ftp for users with accounts on the system.

--
Andrew


Re: help: setting up dial-in mail server

1999-07-09 Thread Bob Billson
On Fri, Jul 09, 1999 at 02:00:07AM -0400, Carl Mummert wrote:
> Why not just set their shell to /bin/false or some such.

Thanks.  I'll give it a try.

 bob


Re: help: setting up dial-in mail server

1999-07-09 Thread Brad
On Fri, 9 Jul 1999, Pollywog wrote:

> On 09-Jul-99 Carl Mummert wrote:
> >
> > Why not just set their shell to /bin/false or some such.
> >
> > That prevents login access, and should prevent ftp access
> > (you have to check - try man ftpd ).  But it allows pop
> > access, and imap access.
>
> Does setting the shell to /bin/false prevent ftp access? Anonymous and
> for users with accounts too?  Seems I recall it does not prevent ftp
> for users with accounts on the system.

It depends on the ftp daemon. For example, Proftpd has a configuration
option (quote from the manual):
  RequireValidShell

  Syntax: RequireValidShell on|off
  Default: RequireValidShell on
  Context: server config, VirtualHost, Anonymous, Global
  Compatibility: 0.99.0 and later

  The RequireValidShell directive configures the server, virtual host
  or anonymous login to allow or deny logins which do not have a shell
  binary listed in /etc/shells. By default, proftpd disallows logins if
  the user's default shell is not listed in /etc/shells. If /etc/shells
  cannot be found, all default shells are assumed to be valid.

So, by default or with RequireValidShell on in the proper section of the
config file, users with a shell /bin/false would be denied login (unless
/bin/false is in /etc/shells). man 5 shells for more info on the
/etc/shells file.
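
Added example (not part of the thread and not ProFTPD code): a shell function that reports, for every account in a passwd(5) file, whether its login shell is listed in a shells(5) file, which is the test the quoted RequireValidShell text describes. The function names, the account names and the temporary files are hypothetical, constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. File formats follow passwd(5) and shells(5).

# shell_gate_report PASSWD SHELLS
# Prints "user shell listed|unlisted" for every account in PASSWD.
# "unlisted" accounts fail a RequireValidShell-style check.
# Returns 2 when either file is unreadable, so the result is never guessed.
shell_gate_report() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    awk -F: -v shells="$2" '
        BEGIN {
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line)          # drop comments
                gsub(/[ \t\r]/, "", line)     # drop stray whitespace
                if (line != "") valid[line] = 1
            }
            close(shells)
        }
        /^#/ || NF < 7 { next }               # skip comments and short lines
        {
            sh = ($7 == "") ? "/bin/sh" : $7  # empty shell field means /bin/sh
            print $1, sh, ((sh in valid) ? "listed" : "unlisted")
        }
    ' "$1"
}

# mail_only_ok USER PASSWD SHELLS
# Succeeds only when USER has shell /bin/false and that shell is unlisted.
mail_only_ok() {
    shell_gate_report "$2" "$3" | grep -Fqx "$1 /bin/false unlisted"
}

# Constructed sample data (hypothetical accounts), written to a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'branch:x:1001:1001:Branch office:/home/branch:/bin/bash' \
        'mailonly:x:1002:1002:Dial-in mail:/home/mailonly:/bin/false' \
        > "$d/passwd"
    printf '%s\n' '# /etc/shells: valid login shells' '/bin/sh' '/bin/bash' \
        > "$d/shells"
    shell_gate_report "$d/passwd" "$d/shells"
    mail_only_ok mailonly "$d/passwd" "$d/shells" && echo "mailonly: denied by shell check"
    rm -rf "$d"
}
demo
```

If /bin/false is later added to the shells file, mail_only_ok starts failing for the same account, which is the "unless /bin/false is in /etc/shells" case above.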