26 Mar 2008

Zimbra – Pop before smtp authentication howto 


We had a client with 3000+ named users, each configured without authentication for SMTP relaying; the qmail/vpopmail system they were migrating from used “pop before smtp” authentication. We wanted as little disruption as possible during the migration, so we needed to enable the same feature in Zimbra.

The plan is still to cut the clients over to SMTP authentication, but this allows for a somewhat smoother transition.


1) Download and install Pop-before-smtp
- Changes in /etc/pop-before-smtp-conf.pl:
$dbfile = '/opt/zimbra/postfix/conf/pop-before-smtp';
$ENV{'PATH'} = '/opt/zimbra/postfix/sbin';
$logtime_pat = '(\d\d\d\d-\d\d-\d\d \d+:\d+:\d+)';

$pat = '[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=login';

$out_pat = '[LOGTIME],\d+\ INFO \[Pop3Server-\d+\\] \[name=[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4};oip=(\d+\.\d+\.\d+\.\d+);\] pop \- quit from client';
(you can download my pop-before-smtp-conf.pl file at the bottom of the page)

2) Change /opt/zimbra/conf/log4j.properties.in:
from: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=INFO,LOGFILE
to: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=DEBUG,LOGFILE

3) Add a line at the beginning of /opt/zimbra/conf/postfix_recipient_restrictions.cf:
check_client_access hash:/opt/zimbra/postfix/conf/pop-before-smtp

Restart zimbra and start the pop-before-smtp daemon.

It would be nice if the INFO logging had the IP address of the authenticated user, rather than having to enable debug.

If you need help with this type of setup, our Linux and Zimbra experts are ready to help.

Update — You don’t need to set logging to debug. Use these rules in place of the ones in step 1:

$PID_pat = '^[LOGTIME],\d+\ INFO \[Pop3[A-Za-z]+-(\d+)\] ';
$IP_pat = $PID_pat . '\[ip=(\d+\.\d+\.\d+\.\d+);\] pop \- connected';
$OK_pat = $PID_pat . '\[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};\] pop \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';

As mentioned below, the quotes may not allow you to cut and paste properly. Use the download link for the proper config file format.

Download Config file to work with DEBUG logging. 

Download Config file to work with INFO logging.
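
To check the INFO-level patterns before pointing the daemon at a live log, the following Perl script (an added example, not the author's or pop-before-smtp's own code) runs them over constructed log lines whose shape is inferred from the patterns, and approximates the connect/authenticate correlation by thread id. The sample addresses and IPs, and every variable name other than the four pattern variables, are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of pop-before-smtp: dry-run the INFO-level patterns.
# The thread-id correlation below only approximates what the daemon does.
use strict;
use warnings;

my $logtime_pat = '(\d\d\d\d-\d\d-\d\d \d+:\d+:\d+)';
my $PID_pat = '^[LOGTIME],\d+\ INFO \[Pop3[A-Za-z]+-(\d+)\] ';
my $IP_pat  = $PID_pat . '\[ip=(\d+\.\d+\.\d+\.\d+);\] pop \- connected';
my $OK_pat  = $PID_pat . '\[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4};\] pop \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';

# [LOGTIME] is a placeholder for $logtime_pat; left as-is it would be read
# as a regex character class, so expand it before compiling.
s/\[LOGTIME\]/$logtime_pat/ for ($IP_pat, $OK_pat);
my ($ip_re, $ok_re) = (qr/$IP_pat/, qr/$OK_pat/);

# Constructed sample lines (shape inferred from the patterns, not real logs).
my @sample = (
    '2008-03-26 10:15:01,123 INFO [Pop3Server-12] [ip=192.0.2.10;] pop - connected',
    '2008-03-26 10:15:02,456 INFO [Pop3Server-12] [name=alice@example.com;] pop - user alice@example.com authenticated, mechanism=login',
    '2008-03-26 10:16:00,001 INFO [Pop3Server-13] [ip=198.51.100.7;] pop - connected',
    '2008-03-26 10:16:01,250 INFO [Pop3Server-13] [name=bob+lists@example.com;] pop - user bob+lists@example.com authenticated, mechanism=login',
    '2008-03-26 10:17:00,500 INFO [Pop3Server-14] [ip=203.0.113.5;] pop - connected',
);
# Pipe a real log in on STDIN to test it; on a terminal, use the sample.
my @lines = -t STDIN ? @sample : <STDIN>;

my (%ip_for_thread, %authorized, $missed);
for my $line (@lines) {
    chomp $line;
    if ($line =~ $ip_re) {             # $1 time, $2 thread id, $3 client IP
        $ip_for_thread{$2} = $3;       # remember which IP is on this thread
    }
    elsif ($line =~ $ok_re) {          # $1 time, $2 thread id
        my ($time, $thread) = ($1, $2);
        my $ip = delete $ip_for_thread{$thread};
        $authorized{$ip} = $time if defined $ip;   # only after a real login
    }
    elsif ($line =~ /authenticated/) {
        $missed++;                     # a login line that OK_pat did not cover
    }
}
print "$_ would be allowed to relay (authenticated $authorized{$_})\n"
    for sort keys %authorized;
printf "%d 'authenticated' line(s) did not match OK_pat\n", $missed // 0;
```

Piping a real log into the script on standard input replaces the sample. A non-zero count on the last line means some successful logins are not being matched, so those clients would never reach the relay database.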

4 Responses to “Zimbra – Pop before smtp authentication howto”

  1. KR says:

    Great post, but it appears your single quotes were turned into “smart quotes” which might cause some people some problems if they cut-and-paste your instructions.

  2. Jason says:

    Thanks for this article. After some tweaking of the INFO expressions, I came up with these in order to catch both IMAP and POP authentications:

    $PID_pat = '^[LOGTIME],\d+\ INFO \[(?:Pop3|Imap)[A-Za-z]+-(\d+)\] ';
    $IP_pat = $PID_pat . '[\S\s]+(?:\[|=)(\d+\.\d+\.\d+\.\d+)[\S\s]+ connected';
    $OK_pat = $PID_pat . '[\S\s]+name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}[\S\s]+(?:pop|imap) \- user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';

  3. cmontero says:

    I have tried this, but the file /opt/zimbra/postfix/conf/pop-before-smtp.db does not have any data.

    Maybe some file permissions need to be modified? I’m using Zimbra version 5.0.9.

    Thanks

  4. marnellej says:

    Tried this on Release 7.1.1_GA_3196.UBUNTU10_64 UBUNTU10_64 FOSS edition, but can’t seem to get it to work. Do you have an updated conf.pl that I can try?
