Nothing like finding what appears to be a bug in your email system at 3am. When you are tired. Too tired to fix it now.
Here’s the problem: When vpopmail (the virtual domain mail management add-in for qmail) authenticates a user via POP3 or IMAP, it adds an entry to a database stating that the IP address the user is coming from is allowed to send mail through the server via SMTP. This all generally works fine, except when you are checking your email via POP3 with SSL.
Then, instead of the standard line like this:
68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091862544
You instead get something like this:
__ffff_68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091861372
As the second line doesn’t work, someone with an account on my mail server won’t be able to relay mail through my mail server.
So, I’m not completely sure what’s going on as of yet. I think maybe if I update vpopmail (qmailadmin needs it as well) things will get straightened out, but we’ll have to see.
Actually, I’m now starting to think that the problem could be with my config in general. It seems I overlooked something, and I currently have qmail doing POP3, and courier doing POP3-SSL. So, I may have overlooked something when I set my mail server up way back when, and this whole time I’ve been working around the problem without knowing it, simply by having just one of my accounts check via POP3 as opposed to POP3 with SSL.
Hmm… So yeah, if this is the case, I need to figure out how to have courier make the required changes to have POP before SMTP work with it, too.
I guess I didn’t do it right in the first place.
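As an added example (not code from the post, vpopmail or Courier), here is a Python sketch of the normalization the relay table needs: the `::ffff:` prefix is how a dual-stack daemon reports an IPv4 client as an IPv4-mapped IPv6 address (RFC 4291), and unless that is folded back to a dotted quad before the entry is written, a lookup keyed on the plain SMTP client address never matches. The two table lines are constructed after the ones quoted above; the underscore-mangled form, the line layout and the three-hour expiry are assumptions.

```python
import ipaddress
import re

# Constructed sample relay-table lines, in the style of the two quoted in the post.
GOOD_ENTRY = '68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091862544'
BAD_ENTRY = '__ffff_68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091861372'

# Assumed mangled form: '::ffff:' written with colons replaced by underscores.
_MANGLED = re.compile(r"^__ffff_(\d{1,3}(?:\.\d{1,3}){3})$")


def normalize_client_ip(raw):
    """Return canonical IPv4 text for an address a POP/IMAP daemon reported.

    Accepts a plain dotted quad, an IPv4-mapped IPv6 address ('::ffff:a.b.c.d')
    and the mangled '__ffff_a.b.c.d' form. Anything else (a real IPv6 client,
    garbage) is rejected rather than silently written into the relay table.
    """
    m = _MANGLED.match(raw)
    if m:
        raw = m.group(1)
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # fold ::ffff:a.b.c.d back to a.b.c.d
    if not isinstance(addr, ipaddress.IPv4Address):
        raise ValueError("not an IPv4 client address: %r" % raw)
    return str(addr)


def open_smtp_entry(raw_ip, when):
    """Build a relay-table line keyed by the normalized IPv4 address."""
    return '%s:allow,RELAYCLIENT="",RBLSMTPD="" %d' % (normalize_client_ip(raw_ip), when)


def parse_entry(line):
    """Split a table line into (key, env_settings, unix_timestamp)."""
    key, rest = line.split(":", 1)  # keys written by open_smtp_entry hold no ':'
    env, stamp = rest.rsplit(" ", 1)
    return key, env, int(stamp)


def may_relay(table, client_ip, now, ttl=3 * 3600):
    """True if the SMTP client has a fresh 'allow' entry under its exact key.

    The TTL is an assumption for this example: without expiry, one POP login
    would leave that IP authorized to relay indefinitely.
    """
    wanted = normalize_client_ip(client_ip)
    for line in table:
        key, _env, stamp = parse_entry(line)
        if key == wanted and 0 <= now - stamp <= ttl:
            return True
    return False
```

Writing entries through `open_smtp_entry` turns the `::ffff:` address into the working form; the mangled line stays in the table but never matches a client, which is exactly the relay failure described.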
Go the extra step and throw qmail out.
Postfix+SASL+SSL makes for a nice REAL smtp auth.
POP before SMTP is nice when you have to… but go for the real thing!
I actually do POP with SSL for myself (and IMAP, all via Courier), but the problem is that without a properly signed cert, or with a cert that doesn’t match the hostname of the mail server, the various people that I host mail for will get SSL errors. So, most of them don’t even use it.
I myself just deal with the errors.
Make your own CA, and provide a weblink for them to integrate your CA into their browser. IE does this VERY well.
Problem is, they don’t use IE nor Outlook Express. Firefox and Thunderbird will accept a privately signed cert, but if the name of the site on the cert and the name of the site they are connecting to is different, it’ll always prompt. I also don’t think it’s possible to have Courier (or any other IMAP server that I know of) serve up a different cert based on the hostname that the client machine initially attempts to access. Actually, I think you can only have one cert per IP anyway. So, that wouldn’t work either. :\