Zimbra – Pop before smtp authentication howto

We had a client with 3000+ named users, and each of them were configured without authentication for smtp relaying, the qmail/vpopmail system they were migrating from had “pop before smtp” authentication. Well, we wanted to have as little disruption as possible for the migration so we needed to enable this same feature in Zimbra.

It is still planned to cutover the clients to SMTP Authentication, but this allows for a somewhat smoother transition.


1) Download and install Pop-before-smtp
– Changes in /etc/pop-before-smtp-conf.pl:
$dbfile = '/opt/zimbra/postfix/conf/pop-before-smtp';
$ENV{'PATH'} = '/opt/zimbra/postfix/sbin';
$logtime_pat = '(dddd-dd-dd d+:d+:d+)';

$pat = ‘[LOGTIME],d+ INFO [Pop3Server-d+\] [name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4};oip=(d+.d+.d+.d+);] pop – user [A-Za-z0-9._%-
]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4} authenticated, mechanism=login’;

$out_pat = ‘[LOGTIME],d+ INFO [Pop3Server-d+\] [name=[A-Z0-9._%+-]+@[A-Z0-9.-]+.[A-Z]{2,4};oip=(d+.d+.d+.d+);] pop – quit from client’;
(you can download my pop-before-smtp-conf.pl file at the bottom of the page)

2) Change /opt/zimbra/conf/log4j.properties.in:
from: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=INFO,LOGFILE
to: %%uncomment VAR:!zimbraLogToSyslog%%log4j.rootLogger=DEBUG,LOGFILE

3) add a line at the beginning of /opt/zimbra/conf/postfix_recipient_restrictions.cf
check_client_access hash:/opt/zimbra/postfix/conf/pop-before-smtp

Restart zimbra and start the pop-before-smtp daemon.

It would be nice if the INFO logging had the IP address of the authenticated user, rather than having to enable debug.

If you need help with this type of setup, our Linux and Zimbra experts are ready to help.

Update — You don’t need to set logging to debug. Use these rules in place of the ones in step 1:

$PID_pat = '^[LOGTIME],d+ INFO [Pop3[A-Za-z]+-(d+)] ';
$IP_pat = $PID_pat . '[ip=(d+.d+.d+.d+);] pop - connected';
$OK_pat = $PID_pat . '[name=[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4};] pop - user [A-Za-z0-9._%-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,4} authenticated, mechanism=[A-Za-z]+';

As mentioned below, the quotes may not allow you to cut and paste properly. Use the download link for the proper config file format.

Download Config file to work with DEBUG logging. 

Download Config file to work with INFO logging.