help: setting up dial-in mail server
g'day Debianers...

It's been a long day. I've been searching through the HOWTOs and on the Web. My brain is burnt. I need some help! :-)

I set up a Debian (slink) box as a mail/file server for a small local newspaper a few months ago. The same machine connects their Win95 LAN to the Net through a cable modem. Works great!

Today, I was asked to set up a special use account. They want to allow a few select users to be able to dial in from a Windows machine to get/send mail through a POP server and *nothing else*. The nothing else was emphasized. They don't want the users to be able to roam around the Linux box, the internal LAN or get out on to the Net directly. If the user somehow breaks out of the POP server, they want the connection to die immediately.

I already have a dial-in PPP account for a branch office of the paper. However, that account is allowed to do anything any local user can do. So obviously sharing the account is out.

I tried two different approaches today and ran into problems with each. I could use some advice and help on which is the better approach and some suggestions why it isn't working.

First, I tried setting up another PPP account, but couldn't figure out how to restrict it to only pop3, imap and smtp. I had it sort of working, however once the POP or IMAP server exited, the user is dumped into a regular shell. Definitely not good!

Second, I tried a regular shell account, however the user's .bash_profile contained:

    /bin/stty -echo -onlret
    exec /usr/sbin/ipop3d
    exit 0

(Probably don't need the last line, but it's there as a just in case.)

That worked better, but not perfectly. When we ran tests with Eudora Light, which is what they will be using, we had some problems. Apparently, Eudora barfs if it sees any newlines or echoed characters. This is the reason for the first line. This wasn't reliable though. Watching the output from the ipop3d, we saw newlines would sometimes get sent, choking Eudora. Try again: worked fine. Try again: sometimes it worked correctly, other times not.

When it did work, the Windows machine could receive mail just fine. However, it would hang when it tried to send mail with a telnet to mail.example.com port 25. Eventually, it would time out. Other than not reliably passing mail, the connection died as soon as the POP server died, so that much is good. :-/

I'm hoping someone has already gotten Eudora to talk to a Debian box. If not, some advice on what I'm doing wrong with either approach would be very welcome!

Thanks for the help!!

bob
--
bob billson email: [EMAIL PROTECTED] ham: kc2wz
beekeeper ...3 years
Linux! Because there is no place like $HOME.
(/60,000 head of livestock\)
CIA terrorist NSA bomb spy KGB drugs nuclear agent war GCHQ... Hi Echelon!
Re: help: setting up dial-in mail server
Also, I don't know if this is at all helpful, but the mail daemon, qpopper is made by Qualcomm, who of course make Eudora. So maybe compatibility might help there. I am not sure exactly what your setup could be, but I thought I'd let you know in case you didn't.

From: Bob Billson [EMAIL PROTECTED] To: debian-user@lists.debian.org Subject: help: setting up dial-in mail server Date: Thu, 8 Jul 1999 20:55:05 -0400
Re: help: setting up dial-in mail server
Why not just set their shell to /bin/false or some such. That prevents login access, and should prevent ftp access (you have to check - try man ftpd ). But it allows pop access, and imap access. Carl
Re: help: setting up dial-in mail server
I've just done something similar here at Ban-Koe. I just set up normal PPP access, then used ipfwadm to filter out all packets except those destined for the appropriate ports on the mail server. It appears to be working-- allows access to the mail server, and prevents any other types of use. I'd be happy to provide more specific information, if you decide to go this way. Marc -- Marc Mongeon [EMAIL PROTECTED] Unix Specialist Ban-Koe Systems 9100 W Bloomington Fwy Bloomington, MN 55431-2200 (612)888-0123, x417 | FAX: (612)888-3344 -- It's such a fine line between clever and stupid. -- David St. Hubbins and Nigel Tufnel of Spinal Tap

Bob Billson [EMAIL PROTECTED] 07/08 7:57 PM
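
A sketch of the kind of port filtering Marc describes, added here as an example; these are not his rules and not code from the thread. The `restrict_peer` helper, the `IPFWADM` variable and the sample addresses are assumptions, and the dial-in user is assumed to get a fixed address from pppd.

```shell
#!/bin/sh
# Added sketch: mail-only filtering for one dial-in PPP peer with ipfwadm
# (2.0-series kernels, as shipped with Debian slink).
# By default the commands are only printed for review; set
# IPFWADM=/sbin/ipfwadm in the environment to apply them.
IPFWADM=${IPFWADM:-echo ipfwadm}

is_ipv4() {
    # Accept dotted quads only, so nothing else can end up inside a rule.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

restrict_peer() {
    peer=$1      # address pppd assigns to the dial-in user (assumed fixed)
    server=$2    # address of the mail server, i.e. this box
    is_ipv4 "$peer" && is_ipv4 "$server" || {
        echo "usage: restrict_peer PEER_IP SERVER_IP" >&2
        return 1
    }
    # Rules are matched in order and -a appends, so an earlier, broader
    # accept rule already in the list would still win. List with -I -l first.

    # Input: allow TCP from the peer to SMTP, POP3 and IMAP on the server only.
    # No DNS is allowed, so the mail client must use the server's IP address.
    $IPFWADM -I -a accept -P tcp -S "$peer/32" -D "$server/32" 25 110 143
    # Input: everything else from the peer is dropped; -o logs the packet
    # when the kernel was built with firewall logging.
    $IPFWADM -I -a deny -S "$peer/32" -D 0.0.0.0/0 -o
    # Forward: never route the peer's packets on to the LAN or the Net.
    $IPFWADM -F -a deny -S "$peer/32" -D 0.0.0.0/0 -o
}
```

Running `restrict_peer 192.168.100.2 192.168.100.1` (constructed addresses) prints the three rules so they can be checked before they are applied.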
Re: help: setting up dial-in mail server
On 09-Jul-99 Carl Mummert wrote:
> Why not just set their shell to /bin/false or some such. That prevents login access, and should prevent ftp access (you have to check - try man ftpd ). But it allows pop access, and imap access.

Does setting the shell to /bin/false prevent ftp access? Anonymous and for users with accounts too? Seems I recall it does not prevent ftp for users with accounts on the system.

-- Andrew
Re: help: setting up dial-in mail server
On Fri, Jul 09, 1999 at 02:00:07AM -0400, Carl Mummert wrote:
> Why not just set their shell to /bin/false or some such.

Thanks. I'll give it a try.

bob
Re: help: setting up dial-in mail server
On Fri, 9 Jul 1999, Pollywog wrote:
> On 09-Jul-99 Carl Mummert wrote:
>> Why not just set their shell to /bin/false or some such. That prevents login access, and should prevent ftp access (you have to check - try man ftpd ). But it allows pop access, and imap access.
>
> Does setting the shell to /bin/false prevent ftp access? Anonymous and for users with accounts too? Seems I recall it does not prevent ftp for users with accounts on the system.

It depends on the ftp daemon. For example, Proftpd has a configuration option (quote from the manual):

    RequireValidShell
    Syntax: RequireValidShell on|off
    Default: RequireValidShell on
    Context: server config, VirtualHost, Anonymous, Global
    Compatibility: 0.99.0 and later

    The RequireValidShell directive configures the server, virtual host or anonymous login to allow or deny logins which do not have a shell binary listed in /etc/shells. By default, proftpd disallows logins if the user's default shell is not listed in /etc/shells. If /etc/shells cannot be found, all default shells are assumed to be valid.

So, by default or with RequireValidShell on in the proper section of the config file, users with a shell /bin/false would be denied login (unless /bin/false is in /etc/shells).

man 5 shells for more info on the /etc/shells file.
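
An added example, not part of the original message: a check of which accounts a daemon that enforces `/etc/shells` would refuse, following the rule in the manual text quoted above. The `shell_check` and `demo` functions and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: which accounts would an FTP daemon that enforces /etc/shells
# (ProFTPD with "RequireValidShell on") refuse? Rule as quoted in the thread:
# a login is denied when the account's shell is not listed in /etc/shells;
# if that file cannot be found, every shell counts as valid.

shell_check() {
    passwd=${1:-/etc/passwd}
    shells=${2:-/etc/shells}
    if [ ! -r "$shells" ]; then
        awk -F: '{ print $1, "allowed" }' "$passwd"   # no list: all valid
        return 0
    fi
    awk -F: '
        FILENAME == ARGV[1] {             # first file: the shells list
            sub(/#.*/, ""); gsub(/[ \t]/, "")   # drop comments and blanks
            if ($0 != "") valid[$0] = 1
            next
        }
        { print $1, (($7 in valid) ? "allowed" : "denied") }
    ' "$shells" "$passwd"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample data, not taken from the thread.
    printf '%s\n' 'bob:x:1000:1000::/home/bob:/bin/bash' \
                  'dialin1:x:1001:1001::/home/dialin1:/bin/false' > "$dir/passwd"
    printf '%s\n' '# /etc/shells' '/bin/sh' '/bin/bash' > "$dir/shells"
    shell_check "$dir/passwd" "$dir/shells"
    # Same accounts once /bin/false has been added to the shells list:
    # the restricted account is no longer refused.
    echo '/bin/false' >> "$dir/shells"
    shell_check "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}
```

Calling `shell_check` with no arguments checks the live `/etc/passwd` against `/etc/shells`; `demo` runs it on the constructed sample.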