the djb way

qmail


poppin' with qmail: checkpassword and qmail-pop3d


Link: http://cr.yp.to/checkpwd.html
Version: checkpassword-0.90 (2000.12.22, gamma)
Download: checkpassword-0.90.tar.gz
MD5 (checkpassword-0.90.tar.gz) = e75842e908f96571ae56c3da499ba1fc
Build type: djb classic (make setup check)
errno patch: checkpassword-0.90.errno.patch

Swell. We've got qmail delivering mail to maildir mailboxes named ~/MAILDIR.POP/ in users' accounts on our server. Now, how are users actually supposed to retrieve and read their mail, using their favorite Mutt, Pine, Sylpheed, or (ick!) Doubtlook email software?

As usual with qmail, your choices are abundant. Bernstein provides a POP3 server with the qmail distribution itself, named qmail-pop3d. All we need to use it is to:

Bernstein's password authenticator is available in a separate package called checkpassword. So, grab, patch and build the checkpassword package in the usual make setup check way. A single binary, checkpassword, will be installed in /bin.

Then, make the local service directories:

# mkdir -p /var/svc.d/qmail-pop3d/log

Create the daemontools run script for /var/svc.d/qmail-pop3d/run:


#!/bin/sh
# qmail-pop3d/run
CONLIMIT=31
POPHOST="pop3.example.org"
POPDIR="./MAILDIR.POP/"

exec 2>&1
echo "*** Starting qmail-pop3d..."
echo "*** >> configured for maildir: ${POPDIR}"
exec env -i PATH="/var/qmail/bin:$PATH" \
  softlimit -m 3000000 \
    tcpserver -v -HR  \
    -c ${CONLIMIT} \
    -x /etc/tcprules/pop3.cdb \
    0 110 \
      qmail-popup ${POPHOST} \
        /bin/checkpassword qmail-pop3d ${POPDIR}

### that's all, folks!

Make the script executable, chmod 755. The $POPHOST variable should be set to the fully-qualified hostname of the server that you want to appear in the banner generated by qmail-popup. Often this will simply be the value in control/me. The $POPDIR variable should be set to the common name for the Maildir-type mailbox, relative to each user's home directory, where qmail-pop3d will serve mail from. The rest of the script is familiar daemontools/ucspi-tcp territory.

Set up the usual multilogger in /var/svc.d/qmail-pop3d/log/run:


#!/bin/sh
# qmail-pop3d/log/run
exec setuidgid multilog multilog t /var/multilog/qmail-pop3d

Make the script executable, chmod 755. Then prepare the log directory in /var/multilog:

# mkdir -p /var/multilog/qmail-pop3d
# chown multilog /var/multilog/qmail-pop3d

Now determine the tcpserver rules you want to control access to this POP3 service, and install them in /etc/tcprules/pop3.rules:


# pop3.rules
127.:allow
10.0.:allow
:deny

In this example, connections will only be allowed from hosts on the local network, in this case 10.0.0.0/16. All other connections are explicitly denied. (The standard POP3 protocol transmits passwords over the network in the clear. If you are setting up a server for clients outside the local network, a more secure authentication and/or mail retrieval solution may be preferred. See the secure socket solutions section for the setup of an SSL-enabled qmail-pop3sd service.)

Compile the rules:

# (cd /etc/tcprules; make pop3.cdb)
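
Before linking the service, it is worth confirming which clients the rules really admit. The sh sketch below is an added example, not part of the original page or of ucspi-tcp: it emulates the address lookup tcpserver performs under -HR (exact IP, then shorter prefixes ending in a dot, then the empty address) against the rules source text. The function names and the two faulty rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): emulate how tcpserver picks a
# rule for a client IP when run with -HR, i.e. no TCPREMOTEHOST/TCPREMOTEINFO.
# It reads the rules *source* text; function names are this example's own.

# lookup RULESFILE ADDRESS: print the instructions of the rule whose address
# part equals ADDRESS exactly; exit status 1 if there is no such rule.
lookup() {
  awk -v key="$2" '
    /^#/ || !index($0, ":") { next }          # skip comments and blank lines
    { i = index($0, ":") }                    # address ends at the first colon
    substr($0, 1, i - 1) == key { print substr($0, i + 1); found = 1; exit }
    END { exit !found }' "$1"
}

# tcprule_decision RULESFILE IP: print "allow" or "deny" for that client.
tcprule_decision() {
  rules=$1 key=$2 try=$2
  while :; do
    if instr=$(lookup "$rules" "$try"); then
      echo "${instr%%,*}"                     # drop any ,VAR="value" settings
      return 0
    fi
    [ -z "$try" ] && break                    # the empty address was the last try
    case $key in
      *.*) key=${key%.*}; try="$key." ;;      # 10.0.3.7 -> 10.0.3. -> 10.0. -> 10.
      *)   try="" ;;                          # then the catch-all empty address
    esac
  done
  echo allow                                  # no rule at all: tcpserver accepts
}

# Constructed samples: the pop3.rules shown above, the same file with the
# trailing dot of "10.0." left off, and the same file without the final :deny.
page_rules() { printf '%s\n' '# pop3.rules' '127.:allow' '10.0.:allow' ':deny'; }
typo_rules() { printf '%s\n' '127.:allow' '10.0:allow' ':deny'; }
open_rules() { printf '%s\n' '127.:allow' '10.0.:allow'; }

tmp=$(mktemp -d) || exit 1
page_rules > "$tmp/page"; typo_rules > "$tmp/typo"; open_rules > "$tmp/open"
for ip in 127.0.0.1 10.0.3.7 10.1.0.5 192.0.2.10; do
  printf '%-12s page=%s typo=%s open=%s\n' "$ip" \
    "$(tcprule_decision "$tmp/page" "$ip")" \
    "$(tcprule_decision "$tmp/typo" "$ip")" \
    "$(tcprule_decision "$tmp/open" "$ip")"
done
rm -rf "$tmp"
```

The "typo" column shows that 10.0 without its trailing dot never matches a real client address, and the "open" column shows that dropping the final :deny leaves the POP3 port open to everyone. On the server itself, ucspi-tcp's tcprulescheck answers the same question from the compiled pop3.cdb, taking the client address from $TCPREMOTEIP.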

The big moment:

# ln -s /var/svc.d/qmail-pop3d /service/qmail-pop3d

The qmail-pop3d service is linked into /service, and daemontools svscan starts it up automatically within five seconds.

Now you're poppin'!


Copyright © 2002, 2003, 2004 Wayne Marshall.
All rights reserved.

Last edit 2004.10.04, wcm.