Zimbra – Pop before smtp authentication howto
We had a client with 3000+ named users, and each of them were configured without authentication for smtp relaying, the qmail/vpopmail system they were migrating from had “pop before smtp” authentication. Well, we wanted to have as little disruption as possible for the migration so we needed to enable this same feature in Zimbra.
It is still planned to cutover the clients to SMTP Authentication, but this allows for a somewhat smoother transition.
1) Download and install Pop-before-smtp
- Changes in /etc/pop-before-smtp-conf.pl:
$dbfile = '/opt/zimbra/postfix/conf/pop-before-smtp';
$ENV{'PATH'} = '/opt/zimbra/postfix/sbin';
$logtime_pat = '(\d\d\d\d-\d\d-\d\d \d+:\d+:\d+)';
$pat = ‘[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- user [A-Za-z0-9._%-
]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=login’;
$out_pat = ‘[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- quit from client’;
(you can download my pop-before-smtp-conf.pl file at the bottom of the page)
2) Change /opt/zimbra/conf/log4j.properties.in:
from: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=INFO,LOGFILE
to: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=DEBUG,LOGFILE
3) add a line at the beginning of /opt/zimbra/conf/postfix_recipient_restrictions.cf
check_client_access hash:/opt/zimbra/postfix/conf/pop-before-smtp
Restart zimbra and start the pop-before-smtp daemon.
It would be nice if the INFO logging had the IP address of the authenticated user, rather than having to enable debug.
If you need help with this type of setup, our Linux and Zimbra experts are ready to help.
Update — You don’t need to set logging to debug. Use these rules in place of the ones in step 1:
$PID_pat = '^[LOGTIME],\d+\ INFO \[Pop3[A-Za-z]+-(\d+)\] ';
$IP_pat = $PID_pat . '\[ip=(\d+\.\d+\.\d+\.\d+);\] pop \- connected';
$OK_pat = $PID_pat . '\[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};\] pop \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';
As mentioned below, the quotes may not allow you to cut and paste properly. Use the download link for the proper config file format.
Great post, but it appears your single quotes were turned into “smart quotes” which might cause some people some problems if they cut-and-paste your instructions.
thanks for this article. after some tweaking of the INFO expressions, I came up with these in order to catch both IMAP and POP authentications:
$PID_pat = ‘^[LOGTIME],\d+\ INFO \[(?:Pop3|Imap)[A-Za-z]+-(\d+)\] ‘;
$IP_pat = $PID_pat . ‘[\S\s]+(?:\[|=)(\d+\.\d+\.\d+\.\d+)[\S\s]+ connected’;
$OK_pat = $PID_pat . ‘[\S\s]+name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}[\S\s]+(?:pop|imap) \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+’;
I have tried this, but the file /opt/zimbra/postfix/conf/pop-before-smtp.db does not have any data..
maybe some file permissions need to be modified? i’m using zimbra version 5.0.9
Thanks