I had no idea I'd be opening such a big can of worms when I posted my patch, though thankfully all of the feedback I've gotten has been polite, constructive and coherent even if it's been negative :)
As I see it, this patch may fill a need that still exists, but it probably needs a little more work before it hits prime time. First off, let's (re-)examine how Vpopmail handles things without my patch, looking at it from (yet) another direction:

Case #1: No auth-before-smtp (POP or IMAP, as opposed to SMTP AUTH) roaming users - tcpserver cdb is statically built.

Case #2: Roaming auth-before-smtp (POP or IMAP) is used for all IPs not statically configured in the tcpserver cdb (that is, all static addresses are configured to either allow relaying or deny the connection).

Case #3: Roaming auth-before-smtp (POP or IMAP) is used and some or all of the static IPs in tcpserver cdb are allowed to be overridden by pre-authenticating via a non-SMTP method.

Case #1 can occur in several different cases (--disable-roaming-users, --disable-rebuild-tcpserver-file, or just not using the dynamic tcpserver file). In any case, my patch is (mostly) irrelevant, as unless you're just not using the dynamic tcpserver file, the code to update the CDB is not even compiled in, and if that's the case you should reconfigure Vpopmail appropriately in any case.

Case #2 is where my patch is most useful: you have specific, statically authorized (or denied) relay IPs that you don't want to take the time to update the cdb for, but need to dynamically allow auth'd clients to relay (for whatever reason - I agree that SMTP AUTH is preferred, but some people still need to support auth-before-smtp for legacy reasons, and I'm not one of those people who feels that you should eliminate functionality just because you want to discourage its use, unless it's actually broken, violates some part of the official spec, or is actually dangerous. Yes, I know it's a bad idea, and if you want to deprecate it and mark it for elimination 6-12 months from now, that's OK too. But don't just yank it without warning).
Also, my patch is pretty much a requirement if you're using webmail, so that the webmail server doesn't keep getting updated in the CDB with every page access...

Case #3 is the difficult one - one which my patch doesn't adequately allow for at this time. There has been some discussion about how to dynamically allow for different tcpserver flags to be applied on authentication, rather than the default 'RELAYCLIENT="",RBLSMTPD=""', which I think is a good idea. Currently, if you have a static IP address range set to deny a connection, Vpopmail allows clients who have pre-authenticated via POP or IMAP to connect via SMTP for the auth timeout period. Combined with custom tcpserver flags, this can be used to allow connections without necessarily automatically enabling relaying from otherwise denied IPs. It also allows RBL bypassing on authenticated IP addresses that would otherwise still have to bypass the RBL (Note - I don't use rblsmtpd at this time, so I don't know how well it really works. If you want to school me, that's fine, but please either start a new thread or take it offlist - thanks). I believe that I can adjust my patch to do this, but it will take a little thought and mapping out the possibilities to do it both correctly and efficiently. I'll probably try and tackle it this week, but no guarantees.

Also, please note that this usage actually improves the standing of auth-before-smtp (if RELAYCLIENT isn't set automatically) by limiting SMTP traffic from non-approved IP addresses to known authorized users' IPs, while still requiring SMTP AUTH to relay mail (which eliminates the possibility of an IP address being "hijacked" after a legitimate user disconnects but before the open smtp entry expires).

So we now have the question: What is the best way to proceed?
I think that I would like to see the following changes made to the whole "roaming users" functionality in Vpopmail:

1) Document that the auth-before-smtp RELAYCLIENT="" functionality is deprecated, and schedule it for removal 6-12 months down the line.

2) Hijack the --enable-roaming-users config line to allow a different default set of tcpserver flags to be added. For now, the default would be '--enable-roaming-users="RELAYCLIENT=\"\",RBLSMTPD=\"\""', but once #1 is finalized the RELAYCLIENT part would be removed.

3) Allow the roaming tcpserver flags to be dynamically modified using either a configuration entry in a file (possibly a second comment in the tcp.smtp file like my STATICUPDATE tweak) or an environment variable (which could be passed via tcpserver to the POP/IMAP service, coming full circle :)).

4) Implement my localrelay functionality with 2 enhancements:
   a) Recognize the IP address of 0.0.0.0 or NULL and skip the CDB update altogether (I thought of this this morning and have already implemented it).
   b) Provide some sort of tcpserver flag (e.g., 'UPDATESTATIC=""') on various static tcp.smtp lines to indicate that if a match is found for that rule, DO update the cdb as the dynamic tcpserver flags will override the static ones (such as allowing in an otherwise denied range).

This will preserve the ability to run vpopmail in exactly the same manner as it currently is, but move in the direction of eliminating auth-before-smtp relaying as the default method AND improving the ability to use auth-before-smtp for other access control methods. Plus, it gives people options without requiring them to be set if they don't use them.

Thoughts?

Josh
--
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
- Layman's translation of the Laws of Thermodynamics
[EMAIL PROTECTED]
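The cdb-update policy proposed in the message above (skip clients reporting 0.0.0.0 or no address, leave statically configured IPs such as an office LAN or a webmail host alone, let a static rule carrying UPDATESTATIC="" opt back in, and write the roaming flags for every IP that only hits the default rule) as an added Python simulation. This is an editor's example, not Josh's patch and not vpopmail code: the tcp.smtp rule set, the addresses in it and the UPDATESTATIC flag name are constructed from the post, and the prefix-matching order imitates tcpserver's rule lookup (exact address, then shorter dotted prefixes, then the default ':' rule). The roaming flags default to the 'RELAYCLIENT="",RBLSMTPD=""' string quoted in the post.

```python
"""Simulate the 'update the cdb or not?' decision after a POP/IMAP login.

Constructed example (not vpopmail code): a static tcp.smtp in tcprules
syntax plus a decision function that mirrors the policy proposed in the post:
  - an IP of 0.0.0.0 / NULL never triggers a cdb rewrite
  - an IP matched by a specific static rule is left alone, unless that rule
    carries the hypothetical UPDATESTATIC="" flag
  - an IP that only matches the default ':' rule gets the roaming flags
"""
from typing import Dict, List, Optional, Tuple

# Constructed tcp.smtp contents in tcprules format: address:instruction,ENV="value",...
STATIC_TCP_SMTP = """\
# office LAN may relay without authenticating; never rewrite the cdb for it
192.168.1.:allow,RELAYCLIENT=""
# webmail host: logs in to POP/IMAP on every page load, so leave it static
10.0.0.5:allow,RELAYCLIENT=""
# denied block that a pre-authenticated user may still be let through
203.0.113.:deny,UPDATESTATIC=""
# default rule: everybody else may connect but not relay
:allow
"""

# Default roaming flags as quoted in the post (the dynamic entry's environment).
ROAMING_FLAGS = 'RELAYCLIENT="",RBLSMTPD=""'


def parse_tcp_smtp(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse tcprules-style lines into {address_prefix: (instruction, [env settings])}."""
    rules: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        parts = rest.split(",")
        rules[addr] = (parts[0], parts[1:])
    return rules


RULES = parse_tcp_smtp(STATIC_TCP_SMTP)


def match_static(rules: Dict[str, Tuple[str, List[str]]], ip: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (prefix, instruction, env) of the most specific rule matching ip.

    Mirrors tcpserver's lookup order: the full address first, then shorter
    dotted prefixes (1.2.3., 1.2., 1.), then the default rule whose address is empty.
    """
    octets = ip.split(".")
    candidates = [ip]
    candidates += [".".join(octets[:n]) + "." for n in range(len(octets) - 1, 0, -1)]
    candidates.append("")  # the ':' default line
    for cand in candidates:
        if cand in rules:
            instr, env = rules[cand]
            return cand, instr, env
    return None


def roaming_entry(ip: str, flags: str = ROAMING_FLAGS) -> str:
    """The dynamic line that would be added to the cdb for a roaming user."""
    return f"{ip}:allow,{flags}"


def decide_update(rules: Dict[str, Tuple[str, List[str]]], ip: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a successful POP/IMAP login from ip should rewrite the cdb.

    Returns (update, reason).  When update is True the entry to write is roaming_entry(ip).
    """
    if not ip or ip == "0.0.0.0":  # enhancement 4a from the post
        return False, "no usable client address (0.0.0.0/NULL): skip cdb update"
    m = match_static(rules, ip)
    if m is None or m[0] == "":
        return True, f"{ip} is not statically configured: add {roaming_entry(ip)}"
    prefix, instr, env = m
    if any(e.startswith("UPDATESTATIC=") for e in env):  # enhancement 4b (hypothetical flag)
        return True, f"static rule {prefix} ({instr}) carries UPDATESTATIC: dynamic entry overrides it"
    return False, f"static rule {prefix} ({instr}) matches: leave the cdb alone"


if __name__ == "__main__":
    for client in ["0.0.0.0", "10.0.0.5", "192.168.1.77", "203.0.113.9", "198.51.100.4"]:
        update, why = decide_update(RULES, client)
        print(f"{client:>14}  update={update!s:5}  {why}")
```

Run it directly to see one decision per constructed client address; the webmail host and the office LAN are never rewritten, the denied block is rewritten only because its rule opts in with UPDATESTATIC, and an address that only hits the default rule gets the roaming flags.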