s/qmail:

NAME

qmail-popup - read a POP username and password

SYNOPSIS

qmail-popup hostname subprogram

DESCRIPTION

qmail-popup reads a POP username and password from the network. It then runs subprogram.

qmail-popup expects descriptor 0 to read from the network and descriptor 1 to write to the network. It reads a username and password from descriptor 0 in POP’s USER-PASS style or APOP style. File descriptor 5 is used to provide additional logging. It invokes subprogram, with the same descriptors 0 and 1; descriptor 2 writing to the network; and descriptor 3 reading the username, a 0 byte, the password, another 0 byte, an APOP timestamp derived from hostname, and a final 0 byte. qmail-popup then waits for subprogram to finish. It prints an error message if subprogram crashes or exits nonzero.
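The descriptor 3 layout described above can be parsed defensively as follows. This is an added example, not code from s/qmail: the names read_auth, parse_auth and struct pop_auth are hypothetical, the 512-byte cap is an assumption borrowed from the checkpassword interface, and the sample credentials are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AUTH_MAX 512 /* assumed cap, borrowed from the checkpassword interface */

struct pop_auth {
    const char *user;
    const char *pass;  /* password (USER-PASS) or client response (APOP) */
    const char *stamp; /* APOP timestamp derived from hostname */
};

/* Read fd to EOF; buf must hold AUTH_MAX + 1 bytes. Returns length, -1 on error or oversize. */
ssize_t read_auth(int fd, char *buf)
{
    size_t n = 0;
    while (n <= AUTH_MAX) {
        ssize_t r = read(fd, buf + n, AUTH_MAX + 1 - n);
        if (r < 0) return -1;
        if (r == 0) return (ssize_t)n;
        n += (size_t)r;
    }
    return -1; /* more than AUTH_MAX bytes: reject instead of truncating */
}

/* Split buf[0..len) into three NUL-terminated fields. Returns 0, or -1 if malformed. */
int parse_auth(const char *buf, size_t len, struct pop_auth *out)
{
    const char *field[3];
    size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        const char *end = memchr(buf + pos, '\0', len - pos);
        if (end == NULL) return -1; /* field lacks its terminating 0 byte */
        field[i] = buf + pos;
        pos = (size_t)(end - buf) + 1;
    }
    if (field[0][0] == '\0') return -1; /* empty username */
    out->user = field[0]; out->pass = field[1]; out->stamp = field[2];
    return 0;
}

int main(void)
{
    /* Constructed sample, not captured traffic; sizeof includes the final 0 byte. */
    static const char sample[] = "alice\0s3cret\0<1234.5678@mail.example>";
    struct pop_auth a;
    if (parse_auth(sample, sizeof sample, &a) != 0) return 2;
    printf("user=%s stamp=%s\n", a.user, a.stamp);
    return 0;
}
```

In a real subprogram, read_auth would be called on descriptor 3, and the buffer would be zeroed once the credentials have been checked.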

qmail-popup has a 20-minute idle timeout.

AUTHENTICATION

qmail-popup supports both username/password and APOP authentication. The latter is enabled once the environment variable POP3AUTH=’apop’ or POP3AUTH=’+apop’ is set. In this case, you need to provide an APOP-capable PAM, e.g. qmail-authuser.

qmail-popup should be used only within a secure network. Otherwise an eavesdropper can steal passwords. Even if you use APOP, an active attacker can still take over the connection and wreak havoc.

STLS/POP3S SUPPORT

qmail-popup can be instructed to work on a TLS-encrypted connection.

First, running qmail-popup and qmail-pop3d under sslserver, bound (in particular) to the POP3S port 995, provides mandatory TLS encryption.

Second, if you provide the environment variable UCSPITLS=’’ together with sslserver, qmail-popup announces STLS to the client and communicates with the sslserver program interface through a control socket, a reading pipe and a writing pipe, which are created dynamically during session start. This allows TLS encryption on request. If UCSPITLS=’!’ is set, STLS is required; setting UCSPITLS=’-’ disables STLS.

LOGGING

qmail-popup provides logging of accepted and rejected POP3 sessions using about the same format as qmail-smtpd. The authentication mechanism is indicated as User if the userid/password method was used, and as Apop if APOP challenge/response was applicable. The communication protocol may be either POP3 or, in case of an STLS/POP3S secured connection, POP3S. The username provided for authentication is displayed after the sequence ’?~’. If qmail-popup is set up to require STLS by means of UCSPITLS=’!’, the log displays ’Any’ as auth method and ’unknown’ as username.

The log is available on file descriptor 5. In order to display the result, use the redirection ’5>&1’.

qmail-popup is based on a program contributed by Russ Nelson.

SEE ALSO

maildir(5), qmail-authuser(8), qmail-pop3d(8), qmail-log(8).