How I "hacked" a centralized SMTP-AUTH server for

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
superbock
Forum User
Posts: 9
Joined: Sun Feb 06, 2005 10:32 pm


Hi!

This was something I've been wanting to do for a long time, and I finally got some free time to work it out. What follows is not a very detailed how-to with CLI instructions, just a view on the problem and general steps for the solution. Other solutions would be possible; this is what I came up with in a short time, and it's more of a "hack" than a "clean" solution.

Scenario and problem:

I have some Plesk Linux servers, and clients like to use the SMTP service on them. This is fine, but it requires that these boxes have SMTP open to the world. I do not want them open to the world for two reasons:

1. I have two MX frontends (gamera-like) to pre-filter all e-mail. These frontends do qmail-scanner, clamav, spamassassin, greylisting and tarpitting. They work wonderfully. I don't want any other box doing this kind of work.

2. Even when you have the domain's MX records pointing just to these frontends (as I do), you'll get e-mail delivered directly from the Internet to the Plesk boxes anyway, surely spam/virus.

So, SMTP for clients was all that was keeping me from closing port 25 on the firewall for the Plesk boxes (with exceptions for the MX frontends, of course).

When thinking of centralized SMTP, the main question is "how the **** do I auth the clients this way?". Oh, and forget about POP-before-SMTP.

Well, Plesk software itself gives the solution.

1. The base installation here is a Fedora box with gamera. You will NOT need to patch qmail to make this work!! Mine is also patched to support greylisting and tarpitting, using gamera's src rpm, but that's me.

2. On top of this, we need three things from a binary compatible Plesk box:

/var/qmail/bin/smtp_auth
/var/qmail/bin/true
/var/qmail/bin/cmd5checkpw

Just copy these files over, and be sure to maintain modes (scp -p ...).

3. Now create /etc/psa/psa.conf. Yes, those binaries will need to find that file, probably to know qmail's base dir. Just copy over a standard one.

4. Now create the user popuser, just as it exists on Plesk (you can copy & paste its lines from passwd, group and shadow).

5. Edit /service/smtpd/run:

[...]
fixcrio $rbl qmail-smtpd your.hostname \
/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

At this point, qmail-smtpd is ready to auth you, against...:

Every Plesk box has a /var/qmail/users/poppasswd. This file maps mailboxes to their crypted passwords and their maildir locations.

All you need is to concatenate EVERY poppasswd on EVERY box, and place it on this machine's /var/qmail/users/poppasswd.

For this to happen, some sort of synchronization mechanism is needed.

Quick and dirty, I did something like this:

1. Install dnotify on plesk boxes and in the central smtp-auth server. Dnotify allows you to call a script/command immediately when a filesystem change occurs inside a directory.

(There are other tools/ways to do this, and I will use one of them in the future, as this setup is not perfect: I can't specify the specific file to dnotify.)

2. Create an "incoming users" directory on the central server, let's say /var/qmail/users.incoming/.

3. On each Plesk box, set up Dnotify to detect changes on /var/qmail/users/. When a change occurs, scp poppasswd (compression is recommended) to the central server's incoming users directory. Make sure to use a different destination file for every box.

4. Set up Dnotify on the central server, so that it knows right away when a new poppasswd is received. When detected, cat /var/qmail/users.incoming/* > /var/qmail/users/poppasswd

You'll need to create the scripts Dnotify calls. Also, Dnotify should be set up via inittab, to ensure permanent execution. Here's a sample:

DS:2345:respawn:/usr/local/bin/dnotify -Bs /etc/qmail/users.incoming -e /etc/scripts/pwchange
DT:S016:wait:/usr/bin/killall dnotify

Please note that dnotify, or a similar tool, is not a strict requirement. However, it does allow me two things: instant change detection, and file sync ONLY when changes occur.
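As an added example (not part of the original post, and not Plesk's or gamera's code), here is what the pwchange-style merge script from step 4 could look like. It assumes each incoming file is one box's poppasswd with colon-separated "mailbox:cryptedpw:maildir" lines, as the post describes; it drops blank/malformed lines and duplicate mailboxes, writes to a temp file with owner-only permissions, and renames it into place so qmail-smtpd never reads a half-written file with a plain `cat ... >`.

```shell
#!/bin/sh
# Added example: merge per-box poppasswd copies into one file (not from the post).
# Assumed line format: mailbox:cryptedpw:maildir (colon-separated, as described).
set -eu

# merge_poppasswd INCOMING_DIR DEST_FILE
# Prints the number of merged lines. The first box listing a mailbox wins;
# later duplicates are dropped. Production use would also chown the result
# to whatever user smtp_auth/cmd5checkpw run as (popuser on Plesk).
merge_poppasswd() {
    incoming="$1"; dest="$2"
    tmp="$(mktemp "$(dirname "$dest")/.poppasswd.XXXXXX")"
    cat "$incoming"/* 2>/dev/null \
      | grep -v '^[[:space:]]*$' \
      | awk -F: 'NF >= 3 && $1 != "" && $2 != "" && !seen[$1]++' \
      > "$tmp"
    chmod 600 "$tmp"           # crypted passwords must not be world-readable
    mv -f "$tmp" "$dest"       # rename is atomic: readers see old or new, never partial
    wc -l < "$dest" | tr -d ' '
}

# Stand-alone demo with constructed sample data (hashes are placeholders,
# not real crypt output). Returns the merged line count (3 here).
demo_merge() {
    work="$(mktemp -d)"; mkdir "$work/incoming"
    printf '%s\n' \
      'alice@example.com:$1$PLACEHOLDER1$xxx:/var/qmail/mailnames/example.com/alice/' \
      'bob@example.com:$1$PLACEHOLDER2$xxx:/var/qmail/mailnames/example.com/bob/' \
      > "$work/incoming/plesk1.poppasswd"
    printf '%s\n' '' \
      'carol@example.org:$1$PLACEHOLDER3$xxx:/var/qmail/mailnames/example.org/carol/' \
      'alice@example.com:$1$STALE$xxx:/var/qmail/mailnames/example.com/alice/' \
      'not a poppasswd line' \
      > "$work/incoming/plesk2.poppasswd"
    merge_poppasswd "$work/incoming" "$work/poppasswd"
}
```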

With this properly set up, you'll always have a to-the-second updated poppasswd on the central server that works for ALL domains on your Plesk boxes. Now just tell your customers to start using SMTP-AUTH on smtp.domain, with every smtp.domain pointing to this box's IP.

While not clean and perfect, so far it's working fine for me. However, this has not been tested under stress situations (yet). Hell, tomorrow I might find this sucks anyway :p

Have fun,
Rodrigo