----- Original Message ----- 
From: "davila" <[EMAIL PROTECTED]>

> 2) I don't fully understand the concept of roaming users in vpopmail

Here is some text that I wrote so it could be distributed with
vpopmail-5.4.0 as "README.roamingusers" :

November 2003 : Michael Bowe <[EMAIL PROTECTED]>

Latest version available from :

With qmail, the typical way to control mail relaying is to put a list of
rules into a file called tcp.smtp. The tcprules program is then used to
compile this file into cdb database format with the output being stored
in a file called tcp.smtp.cdb. The tcpserver program is configured (using
the -x parameter) to read this file and thus know which SMTP clients are
permitted to relay mail.

This type of configuration works well if there is a known range of IP
addresses that are permitted to relay mail. eg the IP's on the qmail
server's local LAN. However if the qmail server needs to provide outbound
SMTP services for clients who may be connecting from any IP, you are going
to run into problems. What is needed is some way to automate the process
of granting users the ability to relay mail, without opening up access
to all and sundry on the Internet.

vpopmail includes a solution for this problem. The solution is known as
"roaming users" and is implemented with a technique known as
"POP-before-SMTP". Once a client has successfully authenticated via POP3,
vpopmail will add the client's IP to a list. vpopmail then merges this
list with the contents of the tcp.smtp file and runs the tcprules
program to compile a new version of the tcp.smtp.cdb file. Thus the client
can now relay mail.

In addition to storing the client's IP address, vpopmail will also store
the time of authentication. The postmaster uses a cronjob on the qmail
server to periodically (eg once per hour) run the clearopensmtp program.
This program scans through the list of roaming clients and removes any
entries that exceed the nominated age (eg 3 hours). This ensures that
the list of IPs does not grow out of bounds, and that the roaming IPs
are closed within a reasonable timeframe after being opened.

Configuration options for vpopmail that relate to roaming users :

  ./configure \
  --enable-roaming-users \              <- enable roaming users
  --enable-tcprules-prog=path \         <- defaults to
  --enable-tcpserver-file=path \        <- defaults to
  --enable-relay-clear-minutes=minutes  <- defaults to 180

Notes :

qmail servers are typically built with the tcp.smtp files being located in
the /etc directory. This is not usually suitable for vpopmail roaming
users, since the /etc directory will (should) not have write permissions
for the vpopmail user. Therefore it is not going to be possible for vpopmail
to write out updated versions of the tcp.smtp.cdb file. For use with roaming
users, it is recommended that the tcp.smtp files are stored in ~vpopmail/etc

If a POP user auths, and their IP already exists in the roaming IP list,
the timestamp for the entry is updated, but the tcprules program is not run.
There is no need to rebuild the tcp.smtp.cdb file as the IP address is
already permitted to relay. Rebuilding the file will only waste disk and CPU

If the vpopmail server is using the default cdb authentication backend,
then the list of roaming IPs will be stored in a file called
~vpopmail/etc/open-smtp. If the vpopmail server is using the MySQL backend,
the roaming IPs will be stored in a database table called relay. The SQL
backend will give better performance on a busy server. Either way though,
you should be cautious about enabling roaming user functionality on a very
busy server, as a large amount of disk and CPU will be used with the
rebuilding of the tcp.smtp.cdb file. If the server is busy enough you could
run into nasty file locking issues which will cause vpopmail password
authentication to intermittently fail. If you absolutely must have
POP-before-SMTP functionality on your busy server, then there are only two
possible solutions that I can think of  : 1) you could try putting the
tcp.smtp files onto a RAM disk, or 2) use vpopmail's MySQL auth backend,
plus use Matt Simerson's tcpserver patch that allows all of the tcp.smtp
files to be stored in MySQL

Over time POP-before-SMTP seems to slowly becoming a less favored way of
allowing roaming users to relay mail. SMTP-Auth appears to becoming the more
preferred option, as it scales much more easily on a busy server. However
for a small to medium sized server, POP-before-SMTP is still quite a
option. If you would like investigate the use of SMTP-Auth, take a look at
patch http://www.fehcom.de/qmail/smtpauth.html#PATCHES


Reply via email to