May 9, 2005

Allowing exactly the right people to send email

Author: Keith Winston

EXACT, the EXperimental Access Control Thing, is a POP-before-SMTP daemon that integrates with most email systems to control email relaying and thereby potentially reduce spamming. Here's how you can install and configure EXACT to keep spammers from taking advantage of your mail server.

According to its README file, EXACT supports these POP and IMAP servers:

  • Cyrus
  • Courier (IMAPD and POPD)
  • Perdition
  • Qpopper
  • TeaPOP
  • Cubic Circle's cucipop

and these MTAs:

  • Exim
  • Sendmail
  • Postfix

You can extend EXACT to support additional POP/IMAP servers by adding parse rules to the exact-servers.conf file. Once installation is complete, there is one main configuration file that controls how EXACT operates called exact.conf.

EXACT is distributed in source code form. You install it with the standard configure/make/make install routine. For dbm database support, which Postfix needs, add the --with-db option to the configure step. If you're using the Exim mail server, you don't need dbm support, because Exim can read a plain text file. There are no other outside dependencies.

My installation uses the UW-IMAPD server (which also provides POP3) and Postfix on Red Hat Enterprise Linux 3.

After a painless installation, I had to make only two changes to my exact.conf configuration file. One was to edit the exact.conf file and change the maillog option to tell it where to find the mail log:

maillog /var/log/maillog

The second change was to edit the server option to tell it which POP/IMAP server to use:

server uw-imap

A quick mail primer

Mail servers, more formally known as Message Transfer Agents (MTA), exchange email messages with each other using the Simple Mail Transfer Protocol (SMTP). Mail clients, more formally known as user agents, handle retrieving mail using either the Post Office Protocol (POP) or Internet Message Access Protocol (IMAP).

An email server that accepts mail from any source and relays it to any destination is called an open relay. Spammers can use open relays to send their messages. Most mail servers have some mechanism to control who they will accept mail from and where it can be relayed, but most of those mechanisms are based on IP address or domain name and not on user authentication, so one problem a mail administrator faces is how to allow valid users to relay mail while stopping unwanted users.

One solution is to employ authentication software, such as the Simple Authentication and Security Layer (SASL). However, integrating SASL with a mail server software can be difficult, and using it requires mail clients that also support SASL; not all do.

Another solution, and the one EXACT uses, is called POP-before-SMTP. The POP protocol (and IMAP too) requires that user agents retrieving mail authenticate to the POP/IMAP daemon before retrieving messages. The POP/IMAP daemon logs authentication requests in a log file (unless logging is turned off). EXACT reads the logs, determines the IP address of recent valid logins, and adds those addresses to a file. The mail server can then read those addresses and allow SMTP relaying for those addresses only for a specified period of time.

Because the log format for each POP/IMAP server is slightly different, EXACT needs to know how to parse the log entries to extract the valid logins and IP addresses. Another option you may want to adjust is the timeout setting, which determines how long you want EXACT to keep an address
in the relay file. After that period of time, it is automatically removed and a new POP login is required to add the address back to the file. The default timeout is set to 30 minutes.

EXACT runs in the background as a service and updates the relay file every minute.

Mail server configuration

Postfix needs to know where to read the valid addresses from, and that requires one change to the /etc/postfix/ file. Postfix's mynetworks setting controls relaying by IP address. I modified my setting to look like this:

mynetworks =, hash:/usr/local/var/state/exact/relay

See the Postfix documentation for more details.

I ran into one problem while testing EXACT with Postfix. EXACT is supposed to be able to write dbm databases directly when compiled and run with the correct options. However, I was not able get it to create a dbm file as output; it would only create a plain text file. But since Postfix comes with a program called postmap that creates dbm files, instead of debugging EXACT, I took the lazy way out and wrote a small script to take the text file output and use postmap to create the dbm file that Postfix needed.

Final touches

Finally, you should create a startup and shutdown script so that EXACT will start automatically when the system is restarted. I used the /etc/rc.d/init.d/postfix script as a template and made slight changes to it, saving it as /etc/rc.d/init.d/exact. (You can download it here.) The script handles startup, shutdown, and status checks like any other server process. Then, I created the necessary symlink in the /etc/rc.d/rc3.d directory with the ln command:

ln -s ../init.d/exact S81exact

To test whether EXACT was working properly, I retrieved mail with my POP mail client and confirmed that EXACT was adding and removing IP addresses correctly, and that Postfix was honoring them. During testing, I set the timeout option to five minutes and made sure my address was removed from the relay file after that time. When my IP address was in the relay file, I could relay mail through Postfix, and when it was not, I received the appropriate error.

In one sense, POP-before-SMTP is a hack, but it is an elegant one that fills the authentication hole in SMTP. It handles users with dynamic addresses because the relay file gets updated every minute. This allows your remote users to roam or change ISPs and still use the mail server with no administrator intervention.