originally published on May 9, 2005 at newsforge.com
If you need a solution to control email relaying, a program called
Exact may be just what you need.
Exact stands for EXperimental Access Control Thing. It is a
POP-before-SMTP daemon that integrates with most email systems. Before
getting into the details of setup and configuration, it is worth
spending a little time discussing the somewhat esoteric problem it
solves.
Quick Mail Primer
Mail servers, more formally known as Mail Transfer Agents (MTAs), handle
receiving and transporting mail between servers. The protocol used for
sending mail is the Simple Mail Transfer Protocol (SMTP). Mail clients,
more formally known as Mail User Agents (MUAs), handle retrieving mail.
One of the most popular protocols used by clients to retrieve mail is
the Post Office Protocol (POP).
When SMTP and related mail protocols were created, no one imagined
how widespread the Internet would become. No one imagined how the
tiny holes in email protocols would be exploited to create the
scourge of spam that has become part of daily life.
One of those holes is something called an open relay, an email server
that accepts mail from any source and relays it to any destination.
Most mail servers have some mechanism to control who they will accept
mail from and where it can be relayed. However, most of those
mechanisms are based on IP address or domain name and not on user
authentication.
So, one problem a mail administrator faces is how to allow valid users
to relay mail to the world while preventing unwanted users from doing
the same. If your mail server is inside your firewall and all of your
users are also inside your firewall, this is not an issue. However, if
you have remote users that need to relay mail, it becomes more complicated.
Methods of Controlling Mail Relaying
To fix the authentication and relaying problem with SMTP, one solution,
generally called SMTP AUTH, adds authentication software, such
as the Simple Authentication and Security Layer (SASL).
Integrating SASL with your mail server software can be
difficult. It also requires configuration changes in the
email client to tell it to provide the ID and password when sending
mail. Some mail clients may not support this feature. Still, if
your clients support SMTP AUTH, it is the best long term solution.
Another solution is called POP-before-SMTP and that is what the Exact
program provides. The POP protocol already requires authentication and
it logs authentication requests in a log file (unless logging is turned
off). Exact reads the logs, determines the IP address of recent valid
logins and adds those addresses to a file. Then, the mail server can
read those addresses and allow SMTP relaying for those addresses for a
specified period of time. A valid POP login is required to add an IP
address to the file, hence POP-before-SMTP. Exact can also read logs
for another popular mail client protocol, the Internet Message Access
Protocol (IMAP).
How To Install Exact
Exact is distributed in source code form. Fortunately, installing it is
as simple as the standard configure/make/make install routine. For dbm
database support, which Postfix needs, add the --with-db
option to the configure step. The Exim mail server can read a plain text file
and does not require dbm support. Otherwise, there are no outside
dependencies.
From the README file, it supports these combinations of servers:
POP/IMAP servers:
- UW-IMAPD
- Cyrus
- Courier (IMAPD and POPD)
- Perdition
- Qpopper
- TeaPOP
- Cubic Circle's cucipop
and these MTAs:
It can be extended to support additional POP/IMAP servers by adding
parse rules to the exact-servers.conf file. My installation uses
the UW-IMAPD server (which also provides POP3) and Postfix on Red Hat
Enterprise Linux 3. Once installation is complete, there is one main
configuration file that controls how Exact operates called exact.conf.
I only had to make two changes to the exact.conf configuration file.
One was to tell it where to find the mail log:
maillog /var/log/maillog
The second change was to tell it which POP/IMAP server to use:
server uw-imap
Because the log format for each POP/IMAP server is slightly different, it
needs to know how to parse the log entries to extract the valid logins
and IP addresses. Another option you may want to adjust is the timeout
setting. Timeout determines how long you want Exact to keep an address
in the relay file. After that period of time, it is automatically
removed and a new POP login is required to add the address back to the
file. The default timeout is set to 30 minutes.
When Exact is started, it runs in the background as a service and
updates the relay file every minute.
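The mechanism just described (read the mail log, keep the client addresses of recent successful POP/IMAP logins, drop them after the timeout) is small enough to show end to end. The Python below is an added example and is not Exact's own code; it assumes UW-IMAP-style syslog lines ("Login user=... host=... [ip]" for success, "Login failure ..." for rejected logins) and a relay file with one address per line, and the log lines it parses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Regex modelled on UW-IMAP's syslog lines (an assumption about the format):
# a successful login is logged as "Login user=<name> host=<host> [<ip>]",
# while a failed one is logged as "Login failure user=..." and must not match.
LOGIN_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?:ipop3d|imapd)\[\d+\]: '
    r'Login user=(?P<user>\S+) host=\S+ \[(?P<ip>[0-9.]+)\]$'
)

# Constructed sample maillog lines (not taken from a real server).
SAMPLE_LOG = """\
May  9 10:00:05 mail ipop3d[2101]: Login user=alice host=dsl-1.example.net [192.0.2.10]
May  9 10:05:17 mail imapd[2108]: Login user=bob host=laptop.example.org [198.51.100.7]
May  9 10:20:33 mail ipop3d[2115]: Login failure user=alice host=unknown.example [203.0.113.9]
May  9 10:31:02 mail ipop3d[2120]: Login user=alice host=dsl-1.example.net [192.0.2.10]
May  9 10:40:00 mail imapd[2108]: Logout user=bob host=laptop.example.org [198.51.100.7]
""".splitlines()

# Fixed "current time" so the example is reproducible; syslog lines carry no
# year, so the caller supplies it.
EXAMPLE_NOW = datetime(2005, 5, 9, 10, 45, 0)


def parse_logins(lines, year):
    """Yield (timestamp, ip) for every successful POP/IMAP login in lines."""
    for line in lines:
        m = LOGIN_RE.match(line)
        if m is None:
            continue  # login failures, logouts and other daemons are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group('ip')


def relay_addresses(lines=SAMPLE_LOG, now=EXAMPLE_NOW, year=2005, timeout_minutes=30):
    """Return the sorted client IPs whose most recent successful login lies
    within timeout_minutes of now: the POP-before-SMTP relay window."""
    window = timedelta(minutes=timeout_minutes)
    latest = {}
    for ts, ip in parse_logins(lines, year):
        if ip not in latest or ts > latest[ip]:
            latest[ip] = ts  # only the newest login per address matters
    return sorted(ip for ip, ts in latest.items()
                  if timedelta(0) <= now - ts <= window)


def render_relay_file(lines=SAMPLE_LOG, now=EXAMPLE_NOW, year=2005, timeout_minutes=30):
    """Render the relay file as one address per line (the plain-text layout
    this example assumes; Exim reads such a list directly)."""
    return "".join(f"{ip}\n"
                   for ip in relay_addresses(lines, now, year, timeout_minutes))


if __name__ == "__main__":
    print(render_relay_file(), end="")
```

Run against the sample log at 10:45, only alice's address survives the 30-minute window: bob's last login was 39 minutes earlier and the failed login from 203.0.113.9 never qualified. Raising the timeout to 60 minutes brings bob's address back, which is the trade-off the timeout setting controls. One caveat worth keeping in mind: the relay decision is per address, so every host sharing that address (for example behind the same NAT gateway) can relay for the length of the window.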
Mail Server Configuration
Postfix needs to know where to read the valid addresses from
and that requires one change to the /etc/postfix/main.cf file. The
mynetworks setting is used to control relaying by IP address. In this case,
the setting looks like this:
mynetworks = 127.0.0.0/8, hash:/usr/local/var/state/exact/relay
See the Postfix documentation for more details.
I ran into one problem while testing Exact with Postfix. Exact is
supposed to be able to write dbm databases directly when compiled with
the correct option and setting the output format in the exact.conf file.
However, I was not able to get it to create a dbm file as output, only plain
text. Postfix comes with a program called postmap that creates
dbm files. Instead of debugging Exact, I took the lazy way out and
wrote a small script to take the text file output and create the dbm
file that Postfix needed.
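The author's script is not reproduced in the article, so the following is an added example of the same step, not the author's code. It assumes Exact's plain-text output holds one address per line, and it converts that into the source format postmap expects for a hash: table (address, whitespace, value; Postfix ignores the right-hand side of mynetworks entries, so "OK" is just a placeholder). The table path matches the main.cf setting above, so postmap writes relay.db beside it.

```python
import ipaddress
import os
import shutil
import subprocess

# Path from the main.cf example above; postmap will create RELAY_TABLE + ".db".
RELAY_TABLE = "/usr/local/var/state/exact/relay"


def to_postfix_table(relay_text):
    """Convert the plain-text relay file (assumed: one IP per line, '#' starts
    a comment) into postmap input. Anything that is not a well-formed IPv4 or
    IPv6 address is dropped rather than copied into the relay table, so a
    stray log fragment can never become a relay permission."""
    rows = []
    for raw in relay_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue
        rows.append(f"{ip}\tOK")
    return "\n".join(rows) + ("\n" if rows else "")


def rebuild_relay_db(src_path, table_path=RELAY_TABLE):
    """Write the postmap source to a temporary file, rename it into place so
    a reader never sees a half-written table, then run postmap to build
    table_path + '.db'. Returns True when postmap ran, False when it is not
    installed (the text table is still written in that case)."""
    with open(src_path) as f:
        table = to_postfix_table(f.read())
    tmp = table_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(table)
    os.replace(tmp, table_path)
    postmap = shutil.which("postmap")
    if postmap is None:
        return False
    subprocess.run([postmap, f"hash:{table_path}"], check=True)
    return True


if __name__ == "__main__":
    # Hypothetical layout: Exact writes relay.txt, Postfix reads relay.db.
    rebuild_relay_db(RELAY_TABLE + ".txt")
```

Because Exact rewrites its file every minute, this script is meant to run on the same schedule (from cron or from the same startup script). Note that Postfix opens a hash: table by its .db name, so the text file alone is not enough; until postmap has run, nothing is permitted to relay.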
Final Touches
Finally, I created a startup and shutdown script so that Exact would
start automatically when the system was restarted. I used one of the
existing system scripts as a template and made slight changes to it,
then created the necessary symlinks in the /etc/rc.d/rc3.d directory.
After running a series of tests, I confirmed that the addresses were
being correctly added/removed and that Postfix was honoring them.
In one sense, POP-before-SMTP is a hack, but it is an elegant one that
fills the authentication hole in SMTP. It handles users with dynamic
addresses because the address file gets updated every minute. This
allows your remote users to roam or change ISPs and still use the mail
server with no administrator intervention.

This work is licensed under a
Creative Commons Attribution-NonCommercial 2.5 License.