Old but basically still valid
Changes to GNU pop3d 0.9.8
(including some changes not related to virtual domains e.g. POP-before-SMTP)
Based on my own needs I have made a patch for GNU-pop3d vers. 0.9.8
I also listened to some of the requests on the GNU pop3d mailing list.
The patch may be applied also if you don’t need the virtual domain stuff.
Basically I took the virtual patch by Jeremy Reed, made it more general and added my own GNU pop3d changes:
- allowing virtual domain users to be real users too with mailboxes elsewhere
- adding APOP support for virtual domain users
- adding a default domain that is stripped when it is used for the real domain, e.g. "[email protected]" -> "userid"
- added logging of non-zero error codes of commands
- added the UIDL command, providing a unique-id for each message
- corrected the computation of message size
- cleaned the code a little, especially freeing allocated memory
- j6: added " from <IP address>" to the log message "Incoming connection opened"
- j7: added the new message "Authenticated IP <IP address>" to the maillog for POP-before-SMTP support
- j8: removed (commented out) the maillog message "Authenticated IP <IP address>";
  added " from <IP address>" to the log message "User %s logged in with mailbox %s", so that the POP-before-SMTP utility by Bennett Todd can be used without modification
The search for a user's mailbox is performed in this order:
- search MAILSPOOLHOME (e.g. /home/user/Mail/mailbox)
- search _MAILDIR (e.g. /var/mail/user)
- search VIRTUAL_MAILDIR (e.g. /var/spool/virtual/domain/user)
- give up and use /dev/null
Patching GNU pop3d
Instead of everybody applying the patches themselves, I have done it.
- Download the patched source gnu-pop3d-0.9.11.tar.gz
- Create the config.h file by
./configure
or
./configure --enable-ip-based-virtual
(see also another configure call below)
- If needed/wanted, define MAILSPOOLHOME (e.g. "/Mail/mailbox") and/or DEFAULT_DOMAIN in config.h
- Compile by executing make
The technical changes
- the format of the virtual domain password file has been made equal to the standard /etc/passwd file format
username:password:user id:(group id):(user name):mailbox directory:(shell)
allowing it to be checked by the pwck command e.g.
pwck -r /etc/virtual/domain.com/passwd
The fields enclosed in parentheses are not used. The mailbox directory should be '.' if not used.
- APOP support was disabled in the 0.9.8 distribution. It is re-enabled, except for the test that an APOP user should not be allowed to use the USER command to log in. That test is not logical, as users may use different mail programs to check their mail, and some of these may not support APOP
- the original virtual patch uses encrypted passwords in the passwd file. In order to support APOP from the same file, the passwords are now stored unencrypted
- the unique-id of a message is computed as an MD5 digest of the initial "From "-line and all the header lines, removing the need for the optional Message-ID: field
- the line buffer length has been increased from 80 to 160 characters to avoid reading a line with two fgets calls in most cases. People using proportional fonts may easily exceed 80 characters per line
- added “UIDL” to the capabilities shown by the CAPA command
- added the message "Authenticated IP a.b.c.d" to the maillog, as well as the IP address to "Incoming connection opened", for POP-before-SMTP support
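The unique-id computation described above, as an added Python illustration (not code from the GNU pop3d patch): the digest covers the "From " line and the header lines only, so the body and the presence of a Message-ID: field play no part. The mbox text is constructed; the exact byte handling (each line with its newline, stopping at the first empty line) is an assumption.

```python
import hashlib

# Constructed two-message mbox; the second message carries no Message-ID:.
SAMPLE_MBOX = (
    "From alice@example.org Mon Dec 10 01:55:00 2001\n"
    "From: alice@example.org\nTo: abc@kvt.dk\n"
    "Message-ID: <1@example.org>\nSubject: first\n\nbody one\n"
    "From bob@example.org Mon Dec 10 02:52:00 2001\n"
    "From: bob@example.org\nTo: abc@kvt.dk\nSubject: second\n\nbody two\n"
)

def split_mbox(text):
    """Split mbox text into messages at lines beginning with 'From '."""
    msgs, cur = [], []
    for line in text.splitlines(keepends=True):
        if line.startswith("From ") and cur:
            msgs.append("".join(cur))
            cur = []
        cur.append(line)
    if cur:
        msgs.append("".join(cur))
    return msgs

def uidl(message):
    """MD5 over the 'From ' line and every header line, up to the blank line.

    Assumption: each line is hashed with its newline and hashing stops at the
    first empty line, so the body never influences the id.
    """
    h = hashlib.md5()
    for line in message.splitlines(keepends=True):
        if line in ("\n", "\r\n"):
            break
        h.update(line.encode("utf-8", "surrogateescape"))
    return h.hexdigest()

def uidls(text):
    """Unique ids for every message in an mbox, in mailbox order."""
    return [uidl(m) for m in split_mbox(text)]
```

Two copies of the same message (identical "From " line and headers) get the same UIDL, which a client may treat as one message.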
Implementing virtual domains in Postfix and GNU pop3d
The reasons for not using the standard Postfix virtual domains are twofold:
1) this implementation focuses on virtual domains with each its own administrator
2) the following limitations (quoted from the Postfix documentation, my emphasis):
This agent was originally based on the Postfix local delivery agent. Modifications mainly consisted of removing code that either was not applicable or that was not safe in this context: aliases, ~user/.forward files, delivery to “|command” or to /file/name
The following shows one way of implementing a virtual domain, kvt.dk, in Postfix and GNU pop3d.
A real user kvt_dk has been defined on the system. The home directory of this user contains some data for the virtual domain kvt.dk.
Two users are defined at kvt.dk: [email protected] (virtual user only) and [email protected] (the real user kvt_dk at the mail server).
The implementation is based upon Red Hat Linux 7.0.
GNU pop3d
Jeremy Reed's original description of the virtual patch
The virtual patch assumes the following file structures:
/etc/virtual/<domain>/passwd
for the definition of users, passwords and mailbox directory
In this example create the directory /etc/virtual/kvt.dk
The default mailbox for a virtual user is
/var/spool/virtual/<domain>/<user>
In this example create the directory /var/spool/virtual/kvt.dk
At my server the mail is stored in the user's home directory /home/<usr>/Mail/mailbox, requiring the definition of MAILSPOOLHOME in config.h.
I also have only one IP address and want my main domain "jth.net" to be automatically stripped from mail requests to GNU pop3d.
I generated the config.h file by the command
./configure --enable-64bit --enable-maildir --enable-default-domain=jth.net --enable-language=DA
Before compiling GNU pop3d I made sure the following constants were defined in config.h:
#define MAILSPOOLHOME "/Mail/mailbox"
#define USE_VIRTUAL 1
#define DEFAULT_DOMAIN "jth.net"
/etc/virtual/kvt.dk/passwd
Create this file with the following contents
kvt:kvtpasswd:601:100:kvtname:/home/kvt_dk/:
abc:abcpasswd:601:100:abcname:.:
601 is the user id of the kvt_dk user. 100 is the group id (group mail at my server). The '.' home directory for abc is just to make pwck happy.
Mail for [email protected] is delivered to /home/kvt_dk/Mail/mailbox (see below).
Mail for [email protected] is delivered to /var/spool/virtual/kvt.dk/abc
If you trust the kvt_dk user, then create the passwd file in the home directory of the user kvt_dk and link it into the /etc/virtual/kvt.dk directory:
ln -s /home/kvt_dk/passwd /etc/virtual/kvt.dk/passwd
Note that there might be a security risk here, because GNU pop3d will execute with any user id specified in the passwd file. Whether this is a real threat remains to be analyzed.
The owner and permissions on the files and directories should be kvt_dk.mail and 700, e.g.
chmod 700 /etc/virtual/kvt.dk /etc/virtual/kvt.dk/passwd /var/spool/virtual/kvt.dk
chown kvt_dk.100 /etc/virtual/kvt.dk /etc/virtual/kvt.dk/passwd /var/spool/virtual/kvt.dk
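Since pop3d takes its user id from this file, a check of the passwd file before it is linked into /etc/virtual is worth having. This is an added example, not part of the patch or the page's own tooling: it validates the seven-field format pwck expects and additionally flags entries whose uid is 0 or differs from the domain owner's uid (601 here). The sample file is constructed.

```python
import os

# Constructed sample in the page's format:
# username:password:uid:(gid):(name):mailbox directory:(shell)
SAMPLE_PASSWD = """kvt:kvtpasswd:601:100:kvtname:/home/kvt_dk/:
abc:abcpasswd:601:100:abcname:.:
evil:x:0:0:root:.:
bad:x:601:100:short
"""

def check_virtual_passwd(text, owner_uid):
    """Return a list of (line number, problem) for a virtual passwd file.

    Beyond the field check pwck does, flag any entry whose uid is 0 or is not
    the domain owner's uid, because pop3d switches to the uid named here.
    """
    problems, seen = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        f = raw.split(":")
        if len(f) != 7:
            problems.append((n, "expected 7 fields, got %d" % len(f)))
            continue
        user, pw, uid, gid, _name, mbox, _shell = f
        if user in seen:
            problems.append((n, "duplicate user %s" % user))
        seen.add(user)
        if not pw:
            problems.append((n, "empty password for %s" % user))
        if not uid.isdigit() or not gid.isdigit():
            problems.append((n, "uid/gid not numeric for %s" % user))
            continue
        if int(uid) == 0:
            problems.append((n, "uid 0 for %s: pop3d would run as root" % user))
        elif int(uid) != owner_uid:
            problems.append((n, "uid %s for %s is not the owner uid %d"
                             % (uid, user, owner_uid)))
        if mbox != "." and not os.path.isabs(mbox):
            problems.append((n, "mailbox dir for %s must be '.' or absolute" % user))
    return problems
```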
Postfix
This implementation may be more complex than others, but it allows a different administrator for each virtual domain, keeping everything in the home directory of the domain administrator.
/etc/postfix/main.cf
recipient_delimiter = +
home_mailbox = Mail/mailbox
allow_mail_to_commands = forward
allow_mail_to_files = forward
/home/kvt_dk
-rw-r--r-- 1 kvt_dk mail 12 Dec 10 02:52 .forward
-rw-r--r-- 1 kvt_dk mail 25 Dec 10 01:55 .forward+abc--kvt.dk
-rw-r--r-- 1 kvt_dk mail 20 Dec 10 02:53 .forward+kvt--kvt.dk
/home/kvt_dk/.forward
|"exit 67"
Bounce any message not for [email protected] or [email protected]
/home/kvt_dk/.forward+abc--kvt.dk
|/usr/local/bin/virtual
Deliver all mail for [email protected] to the virtual domain mailbox for abc, changing the Delivered-To: header line to the correct one.
/home/kvt_dk/.forward+kvt--kvt.dk
/home/kvt_dk/Mail/mailbox
Deliver all mail for [email protected] to the mailbox of kvt_dk
/etc/postfix/virtual
kvt.dk anything
[email protected] postmaster
[email protected] jth
The real users postmaster and jth must receive all mail for the postmaster and webmaster of the virtual domain.
/etc/postfix/virtual_regexp
/^(.+)@(.+\.)?(kvt\.dk)$/ kvt_dk+$1--$2$3
This expression will cause Postfix to deliver any mail with addresses [email protected] and [email protected] to the real user kvt_dk, keeping the original envelope recipient as an extension to the new recipient address.
/usr/local/bin/virtual
awk -F: -f /usr/local/bin/virtual.awk
# J. Thomsen 2002-04-11 Postfix utility
# /usr/local/bin/virtual.awk
#
# Used by Postfix for delivering mail to a GNU-pop3d virtual domain
# mailbox.
#
# Postfix will use this utility for delivering a message to the local
# mailbox rewriting the Delivered-To header line to the original recipient
# address.
# 2002-04-11 Fix 'From ' lines in msg body and add empty line to msgs to ensure the separation of messages
#
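The whole path from envelope recipient to .forward file, and the three operations the virtual.awk header comments describe (rewrite Delivered-To:, quote body "From " lines, end with an empty line), as an added Python illustration that is not the author's awk script. Assumptions: Postfix tries .forward+<extension> before .forward, the original recipient is recovered by turning "--" in the extension back into "@", and the Delivered-To: value Postfix adds has the form shown in the constructed message.

```python
import re

# Map line from /etc/postfix/virtual_regexp on this page, in Python syntax.
VIRTUAL_REGEXP = re.compile(r"^(.+)@(.+\.)?(kvt\.dk)$")
# Constructed stand-in for the three .forward files in /home/kvt_dk.
FORWARD_FILES = {
    ".forward": '|"exit 67"',
    ".forward+abc--kvt.dk": "|/usr/local/bin/virtual",
    ".forward+kvt--kvt.dk": "/home/kvt_dk/Mail/mailbox",
}
# Constructed message as the .forward command would receive it; the form of
# the Delivered-To: value is an assumption.
MSG = ("Delivered-To: kvt_dk+abc--kvt.dk@mail.example.invalid\n"
       "From: alice@example.org\nTo: abc@kvt.dk\nSubject: hi\n\n"
       "hello\nFrom here a body line starts with From\n")

def rewrite(recipient):
    """user@[sub.]kvt.dk -> kvt_dk+user--[sub.]kvt.dk, else None."""
    m = VIRTUAL_REGEXP.match(recipient)
    if not m:
        return None
    return "kvt_dk+%s--%s%s" % (m.group(1), m.group(2) or "", m.group(3))

def forward_file(local):
    """Postfix tries .forward+<extension> first and falls back to .forward."""
    name = ".forward+" + local.partition("+")[2]
    if name not in FORWARD_FILES:
        name = ".forward"
    return name, FORWARD_FILES[name]

def virtual_record(local, message):
    """Delivered-To: set to the original recipient (assumed: '--' -> '@'),
    body 'From ' lines quoted, record ended with an empty line."""
    original = local.partition("+")[2].replace("--", "@", 1)
    head, _, body = message.partition("\n\n")
    head = re.sub(r"(?m)^Delivered-To:.*$", "Delivered-To: " + original, head)
    body = re.sub(r"(?m)^From ", ">From ", body)
    return head + "\n\n" + body.rstrip("\n") + "\n\n"

def deliver(recipient, message):
    """Return (action, mbox record or None) for one envelope recipient."""
    local = rewrite(recipient)
    if local is None:
        return "not a kvt.dk address", None
    _, target = forward_file(local)
    if target == '|"exit 67"':
        return "bounce", None  # exit 67 is EX_NOUSER: unknown user
    if not target.startswith("|"):
        return "mailbox " + target, message
    return "virtual " + target[1:], virtual_record(local, message)
```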