23.8 Enabling POP Before SMTP

SMTP Authentication, or SMTP Auth (RFC 2554) is the preferred method of providing SMTP relay server security. SMTP Auth allows only authenticated users to send mail through the MTA. However, some legacy clients only provide support for POP before SMTP. If this is the case for your system, you may enable POP before SMTP as described below. If possible, however, encourage your users to upgrade their POP clients rather than using POP before SMTP. Once POP before SMTP is deployed at a site users will become dependent on clients which fail to follow Internet security standards, putting end users at greater risk of hacking and slowing your site with the unavoidable performance penalty because of the necessity of having to track and coordinate IP addresses of recent successful POP sessions.

The Messaging Server implementation of POP before SMTP is completely different from either SIMS or Netscape Messaging Server. POP before SMTP is supported by configuring a Messaging Multiplexor (MMP) to have both a POP and SMTP proxy. When an SMTP client connects to the SMTP proxy, the proxy will check an in-memory cache of recent POP authentications. If a POP authentication from the same client IP address is found, the SMTP proxy will inform the SMTP server that it should permit messages directed to both local and non-local recipients.

To Install the SMTP Proxy

For guidelines on using the SMTP proxy see Using the MMP SMTP Proxy in Sun Java Communications Suite 5 Deployment Planning Guide.

1. Install a Messaging Multiplexor (MMP).

   See the Sun Java Communications Suite 5 Installation Guide for instructions.

2. Enable the SMTP proxy on the MMP.

   Add the string:

   msg-svr-base/lib/SmtpProxyAService@25|587

   to the ServiceList option in the msg-svr-base/config/AService.cfg file. That option is one long line and can’t contain line breaks.

   ---

   Note –

   When the MMP is upgraded, four new files which correspond to the existing four configuration files for the MMP are created. The new files are:

   AService-def.cfg, ImapProxyAService-def.cfg, PopProxyAService-def.cfg, and SmtpProxyAService-def.cfg

   The four configuration files described in the documentation are not created or affected by the install process. When the MMP starts up, it will look for the normal configuration file (as currently documented). If it doesn’t find the normal configuration file, it will attempt to copy the respective *AService-def.cfg file to the corresponding *AService.cfg file name.

   ---

3. Set the PROXY_PASSWORD option in the SMTP channel option file tcp_local_option at each SMTP relay server.

   When the SMTP proxy connects to the SMTP server, it has to inform the SMTP server of the real client IP address and other connection information so that the SMTP server can correctly apply relay blocking and other security policy (including POP before SMTP authorization). This is a security sensitive operation and must be authenticated. The proxy password configured on both the MMP SMTP Proxy and the SMTP server assures that a third party cannot abuse the facility.

   Example: PROXY_PASSWORD=A_Password

4. Make sure the IP address that the MMP uses to connect to the SMTP server is not treated as “internal” by the INTERNAL_IP mapping table.

   See the 18.6 To Add SMTP Relaying of the Chapter 18, Mail Filtering and Access Control for information about the INTERNAL_IP mapping table.

5. Configure the SMTP proxy to Support POP before SMTP.

   1. Edit the msg-svr-base /config/SmtpProxyAService.cfg configuration file.

      The following SMTP proxy options operate identically to the same options for the IMAP and POP proxies (see Chapter 7, Configuring and Administering Multiplexor Services these options in the Encryption (SSL) Option section in the Encryption (SSL) Option in Sun Java System Messaging Server 6.3 Administration Reference.

      LdapURL, LogDir, LogLevel, BindDN, BindPass, Timeout, Banner, SSLEnable, SSLSecmodFile, SSLCertFile, SSLKeyFile, SSLKeyPasswdFile, SSLCipherSpecs, SSLCertNicknames, SSLCacheDir, SSLPorts, CertMapFile, CertmapDN, ConnLimits, TCPAccess

      Other MMP options not listed above (including the BacksidePort option) do not currently apply to the SMTP Proxy.

      Add the following five options:

      SmtpRelays is a space-separated list of SMTP relay server hostnames (with optional port) to use for round-robin relay. These relays must support the XPROXYEHLO extension. This option is mandatory with no default.

      Example: default:SmtpRelays manatee:485 gonzo mothra

      SmtpProxyPassword is a password used to authorize source channel changes on the SMTP relay servers. This option is mandatory with no default and must match the PROXY_PASSWORD option on the SMTP servers.

      Example: default:SmtpProxyPassword A_Password

      EhloKeywords option provides a list of EHLO extension keywords for the proxy to pass through to the client, in addition to the default set. The MMP will remove any unrecognized EHLO keywords from the EHLO list returned by an SMTP relay. EhloKeywords specifies additional EHLO keywords which should not be removed from the list. The default is empty, but the SMTP proxy will support the following keywords, so there is no need to list them in this option: 8BITMIME, PIPELINING, DSN, ENHANCEDSTATUSCODES, EXPN, HELP, XLOOP, ETRN, SIZE, STARTTLS, AUTH

      The following is an example that might be used by a site which uses the rarely used “TURN” extension:

      Example: default:EhloKeywords TURN

      PopBeforeSmtpKludgeChannel option is set to the name of an MTA channel to use for POP before SMTP authorized connections. The default is empty and the typical setting for users who want to enable POP before SMTP is tcp_intranet. This option is not required for optimizing SSL performance (see 23.5.4 How to Optimize SSL Performance Using the SMTP Proxy.

      Example: default:PopBeforeSmtpKludgeChannel tcp_intranet

      ClientLookup option defaults to no. If set to yes, a DNS reverse lookup on the client IP address will be performed unconditionally so the SMTP relay server doesn’t have to do that work This option may be set on a per hosted domain basis.

      Example: default:ClientLookup yes

   2. Set the PreAuth option and the AuthServiceTTL option in PopProxyAService.cfg configuration file. This option is not required for optimizing SSL performance. (See 23.5.4 How to Optimize SSL Performance Using the SMTP Proxy

      These options specify how long in seconds a user is authorized to submit mail after a POP authentication. The typical setting is 900 to 1800 (15-30 minutes).

      Example:

      default:PreAuth yes default:AuthServiceTTL 900

   3. You may optionally specify how many seconds the MMP will wait for an SMTP Relay to respond before trying the next one in the list.

      The default is 10 (seconds). If a connection to an SMTP Relay fails, the MMP will avoid trying that relay for a number of minutes equivalent to the failover time-out (so if the failover time-out is 10 seconds, and a relay fails, the MMP won’t try that relay again for 10 minutes).

      Example: default:FailoverTimeout 10