diff options
Diffstat (limited to 'man/qmail-popup.8')
-rw-r--r-- | man/qmail-popup.8 | 131 |
1 files changed, 131 insertions, 0 deletions
diff --git a/man/qmail-popup.8 b/man/qmail-popup.8 new file mode 100644 index 0000000..bc4aeef --- /dev/null +++ b/man/qmail-popup.8 @@ -0,0 +1,131 @@ +.TH s/qmail: qmail-popup 8 +.SH NAME +qmail-popup \- read a POP username and password +.SH SYNOPSIS +.B qmail-popup +.I hostname +.I subprogram +.SH DESCRIPTION +.B qmail-popup +reads a POP username and password from the network. +It then runs +.IR subprogram . + +.B qmail-popup +expects descriptor 0 to read from the network +and descriptor 1 to write to the network. +It reads a username and password from descriptor 0 +in POP's USER-PASS style or APOP style. +File descriptor 5 is used to provide additional logging. +It invokes +.IR subprogram , +with the same descriptors 0 and 1; +descriptor 2 writing to the network; +and descriptor 3 reading the username, a 0 byte, the password, +another 0 byte, +an APOP timestamp derived from +.IR hostname , +and a final 0 byte. +.B qmail-popup +then waits for +.I subprogram +to finish. +It prints an error message if +.I subprogram +crashes or exits nonzero. + +.B qmail-popup +has a 20-minute idle timeout. + +.SH "AUTHENTICATION" +.B qmail-popup +supports both username/password and APOP authentication. +This latter is invoked, once the +environment variable +.I POP3AUTH='apop' +or +.I POP3AUTH='+apop' +is set. +In this case, you need to provide a +APOP-capable PAM, eg. +.BR qmail-authuser . + +.B qmail-popup +should be used only within a secure network. +Otherwise an eavesdropper can steal passwords. +Even if you use APOP, +an active attacker can still take over the connection +and wreak havoc. + +.SH "STLS/POP3S SUPPORT" +.B qmail-popup +can be adviced to work on a TLS encrypted connection. + +At first, using +.B sslserver +and binding +.BR qmail-popup , +.B qmail-pop3d +on (in particular) the POP3S port +.I 995 +provides mandatory TLS encryption. + +Second, in case you provide +the environment variable +.I UCSPITLS='' +together with +.BR sslserver , +.B qmail-popup +communicates with the +.B sslserver +program interface through a control socket, +a reading and a writing pipe created dynamically +during the session start after announcing +.I STLS +to the client, thus allowing TLS encryption on request. +In case +.IR UCSPITLS='!' +is set, STLS is required; while setting +.IR UCSPITLS='-' +disables STLS. + +.SH "LOGGING" +.B qmail-popup +provides logging of accepted and rejected POP3 sessions +using about the same format as +.BR qmail-smtpd . +The authentication mechanism is indicated via +.I User +in case the userid/password method was used, and +.I Apop +if APOP challenge/response was applicable. +The communication protocol may be either +.I POP3 +or +.I POP3S +for of a STLS/POP3S secured connection. +The +.I username +provided for authentication is displayed after the +sequence +.IR '?~' . +In case +.B qmail-popup +is setup requiring STLS by means of +.IR UCSPITLS='!' , +the log displays 'Any' as auth method +and 'unknown' as username. + + +The log is available on file descriptor 5. +In order to display the result use the redirection '5>&1'. + +.B qmail-popup +is based on a program contributed by Russ Nelson. + +.SH "SEE ALSO" +maildir(5), +qmail-authuser(8), +qmail-pop3d(8), +qmail-log(8). + |