Is it ok if one disables da-popb4smtp?

zEitEr

Hello,

We do not use pop-auth-before-smtp. Is it ok if we completely disable da-popb4smtp? Won't it break something?
 
Who or what is using/calling popb4smtp then?
I presume Dovecot has its own kind of authentication. And normally Dovecot and Exim are running.

I just wonder because if it isn't used by anything, I can remove it too.
At my little private homeserver I use it, but that's in combination with Postfix.
 
Your exim.conf file has a reference to /etc/virtual/pophosts. What you need to do is edit the code wherever that appears so it's not called but the code isn't broken.

Or you can just put an empty file at /etc/virtual/pophosts.

Jeff
 
So if I understand it correctly, normally popb4smtp is indeed used by Exim.
And with your instructions it can be removed if necessary.

Thanks for the explanation!
 
Exim uses it under some circumstances to indicate that a sender is allowed to relay email through the server.

If you don't use it for that, then you can remove it.

Jeff
 
The pop-auth-before-smtp function (da-popb4smtp) is a bit dangerous in certain cases.
All our customers should use SMTP Authentication instead to send emails. That's because of the fact that most users in Russia are still behind NAT and the IP of their connection is not at all private.
 
@Jeff: Thank you.

@zEiTeR: Could you explain what is a bit dangerous about it? As most customers in the Netherlands are also behind NAT. I'm also running a mail server at home for private use with some friends, also using popb4smtp without any problems.
This in combination with Postfix.
 
Perhaps, not even dangerous, but risky. As soon as an IP is added into /etc/virtual/pophosts by da-popb4smtp everyone and anyone behind the NATed IP can send any message via the server (SMTP) without a need of additional authentication.
 
Yes, everyone in that company or local network etc. This is indeed a bit risky, but only if the local network clients cannot normally be seen as trustworthy. And only for the limited time the IP is present in the popb4smtp.db.
So that's indeed a little and limited risk.

However, I thought SMTP authentication was active on DA/Exim anyway as additional authentication. This is not the case then? I always thought Dovecot takes care of this.

Because we do have users which mail from home with domain email addresses belonging to domains on the server, so using the server as relay.

I'm getting confused now about popb4smtp and dovecot's functions in DA.
 
However, I thought SMTP authentication was active on DA/Exim anyway as additional authentication. This is not the case then? I always thought Dovecot takes care of this.

By default, as soon as your IP is added into /etc/virtual/pophosts, you won't need to pass additional authentication in order to be granted access to send outgoing emails with SMTP. As Jeff said, "a sender is allowed to relay email through the server" from then on.

But still no one but you can access your particular email box in order to read messages.
 
Correct, but you would still need additional authentication (username/pass) for reading the mails, was what I meant.
And this is still the case, so no worries about that part. I'm reassured again.
Thank you.
 
The point that zEitEr is making is that in countries (he uses Russia as an example) where ISPs give users a private IP# and then use one public IP# for many users (through NAT), then the use of that IP# for outgoing email authentication isn't just for one user or company for fifteen minutes, but perhaps for hundreds of users.

I don't really see it as a problem, since it would be only coincidentally that another user on that IP# would know which mailserver was open.

JEFF
 
where ISPs give users a private IP# and then use one public IP# for many users (through NAT),
So in that case the NAT is being done at the ISP. Then I misunderstood.
I thought he meant NAT was done at the user/company which gets 1 public IP from the ISP, like it's done in most countries.

I don't know if it's a problem. If the ISP doesn't spread the private IPs, there is a bigger chance in bigger cities that more users are using their mailcheck on the same external IP. Which makes the risk a bit bigger that the IP will reside longer in the popb4 database, which gives it more chance of being abused.

However, in that case I also don't see it as a big problem. And if that is leading to lots of spam, it's probably more a Russian ISP issue than a DA issue. I don't know many countries in which ISPs work that way by providing private IPs and doing NAT themselves.
 
Localnets (ISP) in my city do offer dedicated IPs, but a year ago or two it was very expensive. And some localnets had (or even have) one-two public IPs for 1000-2000 users.

I've never said it's a DA issue. You're free to keep it [da-popb4smtp] running. But since we do use obligatory SMTP auth for all our customers (it's the policy of our company), I was eager to know whether it is necessary to leave da-popb4smtp running any longer.

I don't know anything about your users, but some of ours didn't know about pop-before-smtp auth type (they did not read and did not want to read any FAQ or tips). They've been always asking us, why they couldn't send emails. Perhaps SMTP AUTH is more common for my country. As far as I know, all public FREE mail services in RUSSIA use SMTP AUTH.
 
Thank you. I understand your decision to remove da-popb4smtp.
We don't have that problem in our country so that's why I decided to keep running da-popb4smtp for the time being, because users need to be able to relay mail and we don't need to have them use smtp-auth all.
Maybe we will introduce that on servers which will be newly installed.

But your question about whether popb4 was necessary did bring up some questions for our use. And I did learn some interesting things again.

Thank you for explaining how it works with smtp auth in Russia. That's a good policy and it's interesting to know.
 
Little kick to the topic, I decided to disable the da-popb4smtp feature as well. I don't like the concept of it and it doesn't seem to be necessary. For future reference: the best way is to remove it from exim rather than disabling it completely, as it is being used for other things as well (example).

It's about this line in exim.conf:
Code:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts

Instead of commenting the whole line out, I just keep the definition empty:
Code:
hostlist relay_hosts =

Because relay_hosts is being used at several places in the config, resulting in an error for not being defined.
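
Added example, not part of the original thread and not DirectAdmin's own tooling: a shell check for the change described in the last post. It reports whether an exim.conf still builds relay_hosts from /etc/virtual/pophosts, defines it empty, or leaves it undefined while the list is still referenced as +relay_hosts (Exim's named-list syntax). The function name and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Classify how an exim.conf defines the relay_hosts hostlist.
# Prints one of: pophosts | empty | other | undefined-but-used | absent
relay_hosts_status() {
    conf=$1
    # Last active (uncommented) definition of the list, if any.
    def=$(grep -E '^[[:space:]]*hostlist[[:space:]]+relay_hosts[[:space:]]*=' "$conf" | tail -n 1)
    if [ -z "$def" ]; then
        # No definition: Exim fails if an uncommented line still uses the list.
        if grep -Ev '^[[:space:]]*#' "$conf" | grep -qF '+relay_hosts'; then
            echo undefined-but-used
        else
            echo absent
        fi
        return
    fi
    # Everything after the first '=', with surrounding whitespace trimmed.
    value=$(printf '%s\n' "$def" |
        sed -e 's/^[^=]*=//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case $value in
        '')         echo empty ;;     # list kept, pop-before-smtp relaying off
        *pophosts*) echo pophosts ;;  # IPs from pophosts may relay without SMTP AUTH
        *)          echo other ;;     # some other relay list: review by hand
    esac
}

# Constructed sample configs (not taken from a real server).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts' \
        'hosts = +relay_hosts' > "$d/default.conf"
    printf '%s\n' 'hostlist relay_hosts =' \
        'hosts = +relay_hosts' > "$d/emptied.conf"
    printf '%s\n' '#hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts' \
        'hosts = +relay_hosts' > "$d/commented.conf"
    for f in default emptied commented; do
        printf '%s: %s\n' "$f" "$(relay_hosts_status "$d/$f.conf")"
    done
    rm -rf "$d"
}
demo
```

On a real server the function would be pointed at the live exim.conf; a result of undefined-but-used corresponds to the error the post describes when the whole line is commented out.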
 