Jednym z ciekawszych deamonów pop3 jest tpop3d, umożliwoa on uzyskanie połączeń ssl bez dodatkowego porogramu stunnel.

Instalacja jak zwykle jest prosta.

Pierwszym krokiem jest ściągnięcie i rozpakowanie źródeł:

wget http://mirror.lihnidos.org/GNU/savannah/tpop3d/tpop3d-1.5.5.tar.gz

Teraz kolej na Configure

./configure –prefix=/usr –sysconfdir=/etc –localstatedir=/var –disable-auth-pam –enable-auth-passwd –enable-shadow-passwords –enable-mbox-bsd –disable-dotfile-locking –enable-tls –with-openssl-root=/usr/local/openssl

następni standardowo make && make install

Konfiguracja daemona jest prosta, poniżej przykład: plik tpop3d.conf w katalogu /etc

#
# tpop3d.conf.sample:
# Sample configuration file for tpop3d.
#
# $Id$
#

#
# Global options
#

# listen-address: address[:port][(domain)|/regex/][;tls-options] …
# most basic syntax; listen on every interface on default port:
#listen-address: 0.0.0.0
# or perhaps you want to enable SSL using
# the certificate /usr/local/etc/tpop3d-cert:
#listen-address: 0.0.0.0;tls=stls,/usr/local/etc/tpop3d-cert
listen-address: 0.0.0.0;tls=stls,/etc/exim/cert/exim.crt,/etc/exim/cert/exim.key
0.0.0.0;tls=immediate,/etc/exim/cert/exim.crt,/etc/exim/cert/exim.key
# max-children: number
# maximum number of connections to serve at any given time. [default: 100]
#max-children: 100

# append-domain: (yes|true)
# Fall back onto authenticating with username@domain if required, where
# domain is the domain name associated with the address on which the
# connection was received. [default: no]
#append-domain: true

# strip-domain: (yes|true)
# Fall back onto authenticating with username only if username@domain is
# supplied and fails to authenticate. [default: no]
#strip-domain: true

# domain-separators: string
# Specifies which characters can be used to separate local_parts from
# domains in POP3 usernames. [default: @%!:]
#domain-separators: @

# apop-only: (yes|true)
# Disconnect any client which sends a USER command. [default: no]
#apop-only: true

# timeout-seconds: number
# Number of seconds for which a connection may be idle before it is closed.
# The RFC requires 600. [default: 30]
timeout-seconds: 600

# log-facility: facility
# The `facility’ as which tpop3d emits system log messages.
#log-facility: mail

# log-level: level
# The `level’ at which tpop3d logs system log messages.
#log-level: debug

# log-stderr: (yes|true)
# Send log messages to standard error as well as the system log.
#log-stderr: true

# no-detach: (yes|true)
# Do not detach from controlling terminal.
#no-detach: true

# mailbox: [mailbox-driver:]path-spec …
# Selects the location, and optionally the type, of the mailbox to use when
# a user is authenticated.
mailbox: bsd:/var/mail/$(user)

# mailspool-index: path-spec
# Selects the location of metadata cache files for BSD mailspools
# tpop3d needs to be able to create files in your mailspool path for this;
# alternatively change the path specified. [default: no index]
#mailspool-index: $(name).tpop3d-index

# maildir-exclusive-lock: (yes|true)
# Indicates that tpop3d should attempt to lock maildirs for exclusive access.
# [default: no]
#maildir-exclusive-lock: true

# maildir-recursion: (yes|true)
# Tells tpop3d to recurse into IMAP folders when searching for messages.
# [default: no]
#maildir-recursion: true

# maildir-ignore-folders: foldername
# Specifies IMAP Folders that should be excluded when recursing into IMAP
# folders. (separated by spaces or tabs, supports regex, may be emtpy)
# [default: Trash Sent]
#maildir-ignore-folders: Trash Sent Draft Spam

# maildir-evaluate-filename: (yes|true)
# If enabled, tpop3d tries to extract modification time and message size out
# of message filenames instead of doing a stat() on the file.
# [default: no]
#maildir-evaluate-filename: true

# maildir-size-string: string
# Tells tpop3d where to find the message size in the filename.
# [default: ,S=]
#maildir-size-string: ,S=

# tcp-wrappers-name: name
# Selects the `daemon name’ used by tpop3d with TCP Wrappers. [default: tpop3d]
#tcp-wrappers-name: tpop3d

# drac-server: hostname
# Gives the name of a server to which tpop3d should send DRAC notifications.
#drac-server: localhost

# whoson-enable: (yes|true)
# Enable notification of successful logins to a WHOSON server as defined in
# /etc/whoson.conf. [default: no]
#whoson-enable: true

# tls-no-bug-workarounds: (yes|true)
# Disable workarounds for various bugs in client TLS implementations
#tls-no-bug-workarounds: true

#
# Authentication options
#

# permit-empty-password: (yes|true)
# Users may log in with an empty password. [default: no]
#permit-empty-password: true

# onlogin-child-wait: (yes|true)
# If the authenticator offers an `onlogin’ action, the user’s mailbox won’t
# be opened until after the onlogin action completes. See man page for info.
#onlogin-child-wait: true

# log-bad-passwords: (yes|true)
# If switched on, wrong passwords will be recorded in the logs. This is an
# invasion of privacy, but may help in debugging problems.
#log-bad-passwords: true

# authcache-enable: (yes|true)
# If switched on, tpop3d will cache the results of successful authentications.
# This feature is experimental, and is only likely to be useful for very busy
# sites. [default: no]
#authcache-enable: true

# authcache-entry-lifetime: number
# How long a successful authentication is cached for, in seconds. To be useful,
# this must be much longer than the interval between POP3 logins. [default:
# 3600 (1 hour)]
#authcache-entry-lifetime: 3600

# authcache-use-client-host: (yes|true)
# If you have authenticators which use the $(clienthost) substitution variable
# (so that authentication depends on the IP address from which a client
# connects) you must switch this on, since otherwise tpop3d may use for a new
# connection a cached authentication result for a client who connected from
# a different address. [default: no]
#authcache-use-client-host: true

#
# PAM authentication options
#

# auth-pam-enable: (yes|true)
# Enable authentication using Pluggable Authentication Modules.
#auth-pam-enable: yes

# auth-pam-facility: facility
# Sets the PAM facility name used by tpop3d. [default: tpop3d]
#auth-pam-facility: tpop3d

# auth-pam-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
# [default: gid of authenticated user]
#auth-pam-mail-group: mail

# auth-pam-mail-user: (user-name | uid)
# Names a local user whose credentials are used for users without local
# accounts.
#auth-pam-mail-user: mailnull

#
# Password authentication options
#

# auth-passwd-enable: (yes|true)
# Enable authentication using /etc/passwd.
auth-passwd-enable: true

# auth-passwd-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
auth-passwd-mail-group: mailmta

#
# MySQL authentication options
#

# auth-mysql-enable: (yes | true)
# Enable MySQL authentication.
#auth-mysql-enable: true

# auth-mysql-mail-group: (group-name | gid)
# The group name or gid under which access to the mailspool will take place.
# [default: group of user associated with virtual domain]
#auth-mysql-mail-group: mail

# auth-mysql-hostname: hostname [[hostname] hostname] ..
# Host on which to connect to MySQL. Tried in order until a working host is
# found. [default: localhost]
#auth-mysql-hostname: localhost

# auth-mysql-database: database
# MySQL database to use for authentication.
#auth-mysql-database: mail

# auth-mysql-username: username
# MySQL username used to access the database.
#auth-mysql-username: mail

# auth-mysql-password: password
# Password of MySQL user.
#auth-mysql-password: s3cr3t

# auth-mysql-pass-query: substitution string
# Query template to use for USER/PASS authentication. Must return mailpath,
# password, userid, mailspool type; uses substitution variables as described
# in the man page.
#auth-mysql-pass-query: SELECT mailpath, password, userid, spooltype FROM …

# auth-mysql-apop-query: substitution string
# Query template to use for APOP authentication. See auth-mysql-pass-query.

# auth-mysql-onlogin-query: substitution string
# Query template to use for POP-before-SMTP operation. See man page.

#
# Postgres authentication options
#

# auth-pgsql-enable: (yes | true)
# Enable Postgres authentication.
#auth-pgsql-enable: true

# These options are analogous to their MySQL counterparts.
#auth-pgsql-username:
#auth-pgsql-password:
#auth-pgsql-database:
#auth-pgsql-hostname:
#auth-pgsql-pass-query:
#auth-pgsql-apop-query:
#auth-pgsql-onlogin-query:
#auth-pgsql-mail-group:

#
# LDAP authentication options
#

# Please read the man page for thorough details of these.

# auth-ldap-enable: (yes | true)
# Enable LDAP authentication.
#auth-ldap-enable: true

# auth-ldap-url: LDAP URL
# LDAP URL indicating server against which to make authentication requests.
#auth-ldap-url:

# auth-ldap-searchdn: LDAP server username
# DN to use when binding to LDAP server to search for a user.
#auth-ldap-searchdn:

# auth-ldap-password: LDAP server password
# Password of search user.
#auth-ldap-password:

# auth-ldap-filter: substitution string
# Filter template to use when searching for a user’s account.
#auth-ldap-filter:

# auth-ldap-scope: (subtree|base|onelevel)
# Scope of LDAP searches. If not specified, the default is `sub-tree’.
#auth-ldap-scope:

# auth-ldap-mailbox: [mailbox-driver:]path-spec …
# User mailbox location, as described above.

# auth-ldap-mailbox-attr: attribute name
# auth-ldap-mboxtype-attr: attribute name
# LDAP attributes which contains the name of a user’s mailbox, and its type.

# auth-ldap-mail-user: (user-name | uid)
# auth-ldap-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place

# auth-ldap-mail-user-attr: attribute name
# auth-ldap-mail-group-attr: attribute name

#
# Flat file authentication options
#

# auth-flatfile-enable: (yes | true)
# Enable flat file authentication.
#auth-flatfile-enable: yes

# auth-flatfile-passwd-file: substitution string
# Specify the file in which tpop3d will search for a user’s password. Use
# substitution variables to make this domain-dependent. See man page for more
# details.
#auth-flatfile-passwd-file: /usr/local/etc/tpop3d/passwd

# auth-flatfile-mail-user: (user-name | uid)
# auth-flatfile-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place.

#
# External program (`other’) authentication options
#

# auth-other-enable: (yes | true)
# Enable external program authentication.
#auth-other-enable: true

# auth-other-program: path
# Program to use for external authentication.
#auth-other-program: /usr/local/sbin/..

# auth-other-user: (user-name | uid)
# auth-other-group: (group-name | gid)
# The user and group under which to run the authentication program.

# auth-other-timeout: time
# The timeout in seconds for authentication. [default: 0.75]
#auth-other-timeout: 0.75

#
# Perl authentication options
#

# auth-perl-enable: (yes | true)
# Enable authentication via an embedded perl interpreter.
#auth-perl-enable: true

# auth-perl-start: perl code
# Specify a line of perl code to be executed at startup.
#auth-perl-start: do '/usr/local/etc/tpop3d/tpop3d.pl’

# auth-perl-finish: perl code
# Specify a line of perl code to be executed when the authentication driver
# is shut down.
#auth-perl-finish:

# auth-perl-apop: subroutine name
# Specify the name of a perl subroutine which will be called when
# a request for APOP authentication is received.
#auth-perl-apop:

# auth-perl-pass: subroutine name
# Specify the name of a perl subroutine which will be called when
# a request for USER/PASS authentication is received.
#auth-perl-pass:

# auth-perl-onlogin: subroutine name
# Specify the name of a perl subroutine which will be called after
# a successful login for POP-before-SMTP operation.
#auth-perl-onlogin:

#
# GDBM authentication options
#

# auth-gdbm-enable: (yes | true)
# Enable authentication via GNU dbm files.
#auth-gdbm-enable: true

# auth-gdbm-passwd-file: string
# Specify the dbm file in whichtpop3d will search for a user’s password.
#auth-gdbm-passwd-file: /var/lib/gdbm/…

# auth-gdbm-persistent: (yes | true)
# Tell tpop3d to use persistent filehandles.
#auth-gdbm-enable: true

# auth-gdbm-mail-user: (user-name | uid)
# auth-gdbm-mail-group: (group-name | gid)
# User and group under which access to the mailbox will take place.

Jak widać w konfiguracjai mamy bardzo wiele możliwości, deamon współpracuje z PAm, MySql itd. W pierwszych liniach konfluguracji jest definioanie adresów na których nasłuchuje tpop3d po ssl i certyfikaty, celowo wykożystano tutaj certyfikaty exim’a. Teraz należy wyłaczyc standardowy daemon pop3d w inetd.conf oraz dodać dokonfiguracji exima w sekcji „MAIN CONFIGURATION” linie wskazującą na jakich portach bedzie nasłuchiwal Exim.

daemon_smtp_ports = 25 : 465
tls_on_connect_ports = 465

Zapytacie napewno dlaczego port 465, a dlatego ze TPSA wyłaczyła port 25 do komunikacji smtp ze względu na spam, nie wyslecie poczty mając neostrade i skonfigurowane konto w Outlooku czy innym programem pocztowym.

W stunnel zostawiamy tylko tunelowanie dla IMAP.

uruchomienie daemona sprowadza sie do dopisanie linie w skrypcie uruchamiającym usługi zwiazane z pocztą

/usr/sbin/tpop3d