POP before SMTP is a way of allowing hosts to relay through you for a set period of time. This is useful when you host domains for people who are not on the same local network as you, and need to send mail coming from these domains.
This assumes you use some kind of POP server on the same server as you use for SMTP. You'll want a piece of software that listens on your POP daemon's log file for any connections, and when it sees a valid connection, will add the IP address to a file. You configure your MTA to check this file as a list of allowed relay IP addresses.
One such piece of software is called exact , and it works great with Exim, provided you make a small modification to your exim startup script after following the installation instructions for exact.
For me, running debian, I had to edit /etc/init.d/exim , and just under the line that says
echo -n "Starting MTA: "
put something like
and just after the lines where it says
start-stop-daemon --stop --pidfile /var/run/exim/exim.pid \
--oknodo --retry 30 --exec $DAEMON
kill `cat /var/run/exact/exact.pid`
Note, I could never get it going properly on sendmail using the provided instructions.
For Cyrus 2.x under Debian, I had to change the logfile regex a bit:
- It used to read
match (login): \[([[0-9\.?)\] ([^?)
- Which is fine, except it matches on text like
- ..... login: [ip.ad.dr.ess? someusername ...
- Whereas, the cyrus 2.x logfiles (under Debian anyway, backported from unstable), look more like
- ..... login: some.host.name[ip.ad.dr.ess? someusername ...
The following like will naively match. It works for me :)
match (login): .*\[([[0-9\.?)\] ([^?)
If you have ipv6 enabled cyrus, it seems you need some extra magic in your regex to deal with this. 'normal' ipv4 addresses are reported as
Sep 16 09:22:49 hydrogen cyrus/pop3d[16212?: login: dsl33-66.world-net.co.nz \
:ffff:220.127.116.11? monkey__feet_net_nz plaintext
- The ::ffff: here screws things up - so I added :f to the inner regex above
- match (login): .*\f0-9\.?)\] ([^?)
This probably wont match on any real ipv6 addresses yet, but i'll cross that bridge when I get to it.
See also EximSmtpAuth for an alternative method of achieving the same end.