nuxx.net
Making, baking, and (un-)breaking things in Southeast Michigan.


Nothing like finding what appears to be a bug in your email system at 3am. When you are tired. Too tired to fix it now.

Here’s the problem: When vpopmail (the virtual domain mail management add-in for qmail) authenticates a user via POP3 or IMAP, it adds an entry to a database stating that the IP address the user is coming from is allowed to send mail through the server via SMTP. This all generally works fine, except when you are checking your email via POP3 with SSL.

Then, instead of the standard line like this:

68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091862544

You instead get something like this:

__ffff_68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091861372

As the second line doesn’t work, someone with an account on my mail server won’t be able to relay mail through my mail server.
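The POP-before-SMTP lookup described above, written out as an added example; this is not code from the post, nor from vpopmail, qmail or Courier. It takes the two sample entries as constructed input. The `__ffff_` prefix has the shape of the IPv4-mapped IPv6 address `::ffff:68.60.89.18` with every `:` replaced by `_` (the `:` being the separator between address and rule in these entries); that is my reading of the line, not something the post confirms. The 30-minute expiry window, the entry format regex and all function names are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the two lines quoted in the post:
# one entry written after a plain POP3 login, one written after a POP3-SSL
# login where the client address was recorded in the __ffff_ form.
SAMPLE_ENTRIES = """\
68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091862544
__ffff_68.60.89.18:allow,RELAYCLIENT="",RBLSMTPD="" 1091861372
"""

# Assumption: an entry older than this many seconds no longer grants relay,
# standing in for the periodic expiry a POP-before-SMTP setup depends on.
RELAY_WINDOW_SECONDS = 30 * 60

# address ':' rule [whitespace unix-timestamp]
ENTRY_RE = re.compile(r'^(?P<addr>[^:]+):(?P<rule>\S+)(?:\s+(?P<ts>\d+))?$')


@dataclass(frozen=True)
class RelayEntry:
    raw_addr: str   # the key exactly as it appears in the entry
    addr: str       # normalised address used for matching
    rule: str
    timestamp: int


def normalize_addr(raw: str) -> str:
    """Recover a canonical address from the key as written.

    '__ffff_68.60.89.18' is '::ffff:68.60.89.18' with ':' -> '_'; undo that,
    then collapse an IPv4-mapped IPv6 address to its plain IPv4 form so it
    can match the dotted quad an SMTP session from the same client presents.
    Keys that are not full addresses (e.g. a prefix like '192.168.') are
    returned unchanged.
    """
    candidate = raw.replace('_', ':') if '_' in raw else raw
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return raw
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_entries(text: str) -> List[RelayEntry]:
    """Parse open-smtp style lines into RelayEntry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f'unparseable entry: {line!r}')
        entries.append(RelayEntry(raw_addr=m.group('addr'),
                                  addr=normalize_addr(m.group('addr')),
                                  rule=m.group('rule'),
                                  timestamp=int(m.group('ts') or 0)))
    return entries


def raw_match(client_ip: str, entries: List[RelayEntry]) -> bool:
    """The literal lookup: is the client address equal to a key as written?

    This is the comparison that fails for the __ffff_ entry, because the SMTP
    client shows up as a dotted quad that never equals '__ffff_68.60.89.18'.
    """
    return any(e.raw_addr == client_ip for e in entries)


def may_relay(client_ip: str, entries: List[RelayEntry], now: int,
              window: int = RELAY_WINDOW_SECONDS) -> bool:
    """Relay decision after normalising keys and expiring stale entries."""
    client = str(ipaddress.ip_address(client_ip))
    return any(e.addr == client
               and e.rule.startswith('allow')
               and 0 <= now - e.timestamp <= window
               for e in entries)


if __name__ == '__main__':
    entries = parse_entries(SAMPLE_ENTRIES)
    for e in entries:
        print(f'{e.raw_addr:25} -> {e.addr}')
    # The SSL-login entry on its own: literal match fails, normalised match works.
    print('raw match:', raw_match('68.60.89.18', entries[1:]))
    print('normalised match:', may_relay('68.60.89.18', entries[1:], now=1091861372 + 60))
```

Running it shows the two behaviours side by side: the literal key comparison rejects the client that logged in over POP3-SSL, while the normalised comparison accepts it until the window expires. The same normalisation is what a fix in the writing side would need to do before the entry is stored.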

So, I’m not completely sure what’s going on as of yet. I think maybe if I update vpopmail (qmailadmin needs it as well) things will get straightened out, but we’ll have to see.

Actually, I’m now starting to think that the problem could be with my config in general. It seems I overlooked something, and I currently have qmail doing POP3, and courier doing POP3-SSL. So, I may have overlooked something when I set my mail server up way back when, and this whole time I’ve been working around the problem without knowing it, simply by having just one of my accounts check via POP3 as opposed to POP3 with SSL.

Hmm… So yeah, if this is the case, I need to figure out how to have courier make the required changes to have POP before SMTP work with it, too.

I guess I didn’t do it right in the first place.

4 Responses

  1. evarlast August 9, 2004

    go the extra step and throw qmail out.

    Postfix+SASL+SSL makes for a nice REAL smtp auth.

    POP before SMTP is nice when you have to… but go for the real thing!

    1. c0nsumer August 9, 2004

      I actually do POP with SSL for myself (and IMAP, all via Courier), but the problem is that without a properly signed cert, or with a cert that doesn’t match the hostname of the mail server, the various people that I host mail for will get SSL errors. So, most of them don’t even use it.

      I myself just deal with the errors.

      1. evarlast August 10, 2004

        Make your own CA, and provide a weblink for them to integrate your CA into their browser. IE does this VERY well.

        1. c0nsumer August 10, 2004

          Problem is, they don’t use IE nor Outlook Express. Firefox and Thunderbird will accept a privately signed cert, but if the name of the site on the cert and the name of the site they are connecting to are different, it’ll always prompt. I also don’t think it’s possible to have Courier (or any other IMAP server that I know of) serve up a different cert based on the hostname that the client machine initially attempts to access. Actually, I think you can only have one cert per IP anyway. So, that wouldn’t work either. :\
