Re: [vchkpw] roaming user for imap

2003-01-15 Thread Lars Gustafson
I had the same problem, as lots of people have according to this list.
The solution, or let's say workaround, I came up with is pretty ugly,
but hey! It works.

First, I got the relay-ctrl package from www.qmail.org somewhere and
installed it by reading the docs shipped with it. Made the needed
changes to imap.rc/imap-ssl.rc (see docs).

What needs to be modified is qmail's rc script, making
tcpserver use the envdir binary (from the daemontools package; if you
don't use daemontools, download and compile it, then snip the binary from
the compiled source tree and put it in some reasonable path).
Made the changes to your qmail start script (see the docs).

Restart qmail and courier. Now you will have a relay that allows roaming
users to relay until whatever you set the RELAY_CTRL_EXPIRY variable
to; the default is 900 seconds, I think.

Next, the tricky part... I made up a simple shell script looking like
this. I guess it could be possible to add the IP addresses the script gets
into an SQL or cdb database. Anyway, this does the job.


---

#!/bin/sh
#
# relay-ctrl-imap-tweek
#
# This script should be invoked from within root's crontab
# instead of the relay-ctrl-age binary shipped with the
# relay-ctrl package.
#

# Where do we find the conf files for relay-ctrl?
RLCDIR=/etc/relay-ctrl

# Enable _ONE_ of these
#PORT=143 # IMAP
PORT=993  # IMAPS

# Check what addresses are configured for relaying.
# To end up in this list the client needs to perform an
# authenticated login on the imap server.
for RELAY in `ls $RLCDIR/allow`; do

    # First we need to find out what established connections we
    # actually have.
    # Let's sort them, and make sure we only get a single entry
    # from each one; no matter how many connections we have from
    # a single host, we just want it once.
    NETS=`netstat --protocol=inet -n 2>/dev/null \
        | grep ":$PORT" | grep "$RELAY" \
        | grep ESTABLISHED \
        | awk '{print $5}' \
        | awk -F: '{print $1}' \
        | sort \
        | uniq`

    if [ "$RELAY" = "$NETS" ]; then
        # _IF_ we have an established connection on
        # the right port, AND the address is configured
        # to allow relaying, THEN we touch the file
        # in $RLCDIR/allow/, to increase the time the
        # client should be allowed to use our SMTP.
        touch "/var/qmail/relay-ctrl/allow/$NETS"

        # It might be handy to set some sane ownership
        # and permissions on the file, making it possible
        # for the imap daemon to overwrite them, if the
        # same IP connects again with another client.
        # Masquerading firewalls come to mind here...
        chown vpopmail.vchkpw "/var/qmail/relay-ctrl/allow/$NETS"
        chmod 666 "/var/qmail/relay-ctrl/allow/$NETS"
    fi

done

# Since this script is run every minute, it updates the
# allowed relay hosts just as often, so we can safely set
# the value of $RLCDIR/RELAY_CTRL_EXPIRY to 300
# (seconds, 5 minutes). This will make it possible for
# the client host to send mails for 5 more minutes.
# You should not set this value to anything less,
# because some SMTP servers try to perform auth/ident
# lookups of the sender (which most firewalls, as well
# as mail servers, reject nowadays anyway).
# Anyhow, I have been running this for about 5 months now,
# and there is no known problem with these settings, as long
# as relay-ctrl is set up OK.

# Update the allowed relay hosts.
/usr/local/bin/envdir \
    "$RLCDIR/conf" \
    /usr/local/bin/relay-ctrl-age

#EOF
---







On Wed, 2003-01-15 at 00:29, Bill Shupp wrote:
> On Tuesday, January 14, 2003, at 03:25  PM, Andrew Kohlsmith wrote:
>
> > That's a good point -- In my particular case authdaemon is not
> > updating the tcp.smtp.cdb file at all though.
>
> authdaemon does NOT pass the IP to vpopmail.  That's why you can't use
> it if you want roaming IMAP users.
>
> Bill
 
-- 
i3 micro technology ab
Lars Gustafson
System Administrator
phone: +46(0)850638856
mobile:+46(0)708472037
[EMAIL PROTECTED]
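
Added example, not part of the original posts or of the relay-ctrl package: the selection step of the cron script above, written so that an allowed address is refreshed only on an exact match against a peer with an ESTABLISHED connection to the local IMAP port. The function names, the PORT value and the sample netstat lines and addresses are constructed for illustration; only IPv4 `addr:port` columns are handled.

```shell
#!/bin/sh
# Added example: exact-match selection of relay entries to refresh.
# PORT, the function names and all sample data are assumptions.

PORT=993

# Read `netstat -n` style lines on stdin and print, once each, every
# remote IPv4 address that has an ESTABLISHED connection whose LOCAL
# port is $PORT (outbound connections to a remote $PORT do not count).
established_imap_peers() {
    awk -v port="$PORT" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($4, l, ":")      # local  addr:port
            m = split($5, r, ":")      # remote addr:port
            if (n == 2 && m == 2 && l[2] == port) print r[1]
        }' | sort -u
}

# refresh_candidates "ip1 ip2 ..." < netstat-output
# Print the allowed addresses that still have a live IMAP session.
refresh_candidates() {
    peers=$(established_imap_peers)
    for ip in $1; do
        # -x whole line, -F fixed string: 198.51.100.1 must not
        # match a session that belongs to 198.51.100.10.
        if printf '%s\n' "$peers" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Constructed sample data (documentation address ranges).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address    Foreign Address      State
tcp   0   0 192.0.2.1:993    198.51.100.10:51234  ESTABLISHED
tcp   0   0 192.0.2.1:993    198.51.100.10:51240  ESTABLISHED
tcp   0   0 192.0.2.1:993    203.0.113.7:40022    TIME_WAIT
tcp   0   0 192.0.2.1:44110  203.0.113.99:993     ESTABLISHED
tcp   0   0 192.0.2.1:25     198.51.100.1:39930   ESTABLISHED'
SAMPLE_ALLOW='198.51.100.1 198.51.100.10 203.0.113.7 203.0.113.99'

demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | refresh_candidates "$SAMPLE_ALLOW"
}

demo    # prints 198.51.100.10
```
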





Re: [vchkpw] roaming user for imap

2003-01-14 Thread Ken Jones
On Tuesday 14 January 2003 01:51 pm, dkwok wrote:
> I am sorry the question may be off topic.
>
> I am running vpopmail and courier-imap, roaming with vpopmail works fine
> but for user using imap roaming does not work. I have searched any
> relevant info on this topic but it is rather scarce. Would anyone point
> me to the right direction?
>
> Many thanks in advance.
>
> David Kwok

Here is a slice of code I put in authlib/preauthvchkpw.c.

It handles both courier imap and courier pop3 users.
vpopmail has to be installed with roaming users first.

Not sure if this is in the latest courier releases.

Ken Jones

preauthvchkpw.c: 

    if ( strcmp("webmail", (char *)service) == 0 &&
         vpw->pw_gid & NO_WEBMAIL ) {
        return(-1);

    } else if ( strcmp("pop3", (char *)service) == 0 ) {
        if ( vpw->pw_gid & NO_POP ) {
            return(-1);
        } else {
#ifdef POP_AUTH_OPEN_RELAY
            /* open the relay to pop users */
            open_smtp_relay();
#endif
        }
    } else if ( strcmp("imap", (char *)service) == 0 ) {
        if ( vpw->pw_gid & NO_IMAP ) {
            return(-1);
        } else {
#ifdef POP_AUTH_OPEN_RELAY
            /* open the relay to imap users */
            open_smtp_relay();
#endif
        }
    }





RE: [vchkpw] roaming user for imap

2003-01-14 Thread domi

Hi !!

I've seen this topic come up over and over again so
I finally decided to contribute to the thread...

I think the problem most likely has to do with IMAP
clients using persistent connections. When they first
log in successfully, vpopmail updates the tcp.smtp.cdb file
and the user has open relay for one hour or whatever
it is for timeout. But since the IMAP client uses a
persistent connection, a new login procedure never takes
place and the old RELAYCLIENT flag times out.

Maybe this is not the case in David's problem but
I want to give a hint anyway...
I know there is a solution for this problem but I do not
remember the web address.

=d0Mi=

 
> I am sorry the question may be off topic.
>
> I am running vpopmail and courier-imap, roaming with vpopmail works fine
> but for user using imap roaming does not work. I have searched any
> relevant info on this topic but it is rather scarce. Would anyone point
> me to the right direction?
>
> Many thanks in advance.
>
> David Kwok






Re: [vchkpw] roaming user for imap

2003-01-14 Thread Andrew Kohlsmith
> I think the problem most likely has to do with IMAP
> clients using persistent connections. When they first
> log in successfully, vpopmail updates the tcp.smtp.cdb file
> and the user has open relay for one hour or whatever
> it is for timeout. But since the IMAP client uses a
> persistent connection, a new login procedure never takes
> place and the old RELAYCLIENT flag times out.

That's a good point -- In my particular case authdaemon is not updating the 
tcp.smtp.cdb file at all though.

> Maybe this is not the case in David's problem but
> I want to give a hint anyway...
> I know there is a solution for this problem but I do not
> remember the web address.

A solution could be to revalidate the IP on any IMAP access, instead of just 
the initial login.

Regards,
Andrew




Re: [vchkpw] roaming user for imap

2003-01-14 Thread Bill Shupp
On Tuesday, January 14, 2003, at 03:25  PM, Andrew Kohlsmith wrote:


> That's a good point -- In my particular case authdaemon is not
> updating the tcp.smtp.cdb file at all though.

authdaemon does NOT pass the IP to vpopmail.  That's why you can't use 
it if you want roaming IMAP users.

Bill