HOWTO: Adding POP3 to Postfix with akpop3d on FreeBSD 4.x

Glenn Sidman
email address
Created: January 30, 2004




1.0 About This HOWTO

This HOWTO covers installing a POP3 server, specifically akpop3d, on FreeBSD with the Postfix MTA. POP3 (Post Office Protocol version 3) allows users to connect to a mailserver, authenticate with a plain text password, and retrieve mail. Before users can retrieve mail from your mail server with clients such as Outlook Express, Eudora Light, or Mozilla, you will need to install a POP3 (or IMAP) server. Before doing so, you should be aware that while SMTP carries some security risk, POP3 is completely security-challenged. POP3 without SSL sends passwords in plain text, where they can be easily captured (something to keep in mind if you are trying to access your root mail account via POP3!). POP3 communications can be encrypted with SSL (Secure Sockets Layer); however, this HOWTO does not go into the details of SSL.

Though not covered in this HOWTO, another protocol that can be used to retrieve mail is IMAP (Interactive Mail Access Protocol). While IMAP provides additional features, it does introduce new security issues. This HOWTO will focus on a simple, and hopefully secure, implementation of POP3 with akpop3d. Small and simple normally equates to fewer bugs and more security.

The following versions were used for this HOWTO:


2.0 Installing akpop3d

Installing akpop3d from the Ports collection is very simple. As always, be sure you are using the latest Port. I recommend using CVSup to update your Ports collection prior to installing. If you are new to CVSup and the Ports collection, you can refer to the FreeBSD handbook or my HOWTO: Installing CVSup and the Ports Collection. Alternatively, you can download the precompiled package (akpop3d-0.7.4.tgz) and install it with "pkg_add akpop3d-0.7.4.tgz".

Issue the following to locate akpop3d in the Ports collection.

cd /usr/ports
make search name=akpop3d

The output of "make search" should return the following path: /usr/ports/mail/akpop3d. Now let's change to that directory and install:

cd /usr/ports/mail/akpop3d
make install


3.0 Configuring And Running akpop3d

There is no real configuration for akpop3d, which is fortunate, as there is basically no documentation other than a brief man page (Newbie Note: access the manual page with the following command: man akpop3d). The only option we will use here is '-d', which puts akpop3d in the background. You may want to investigate other options such as '-s' for SSL and '-l' to listen on specific interfaces. Use the '-l' option if you have multiple interfaces, one connected to your internal network and one connected to the Internet, and you only want to use POP3 within your internal network.

To start akpop3d manually issue:

/usr/local/bin/akpop3d -d (You must use the full path. The 'd' puts it in the background.)

You can verify a happy POP3 daemon by any of the following:

netstat -an (look for a listening TCP 110 port)
ps aux | grep akpop3d (there should only be one instance.)
telnet localhost 110 (Should reply with +OK. Use quit to get out)

I do not know a good way to initialize akpop3d on boot for FreeBSD. It will start when called by /etc/inetd.conf, but will not accept connections (actually it seems to create too many connections). I have successfully scripted it to start from /usr/local/etc/rc.d, but it hangs on shutdown. The last practical option, other than Cron, is to start it from /etc/rc.local. The /etc/rc.local file is antiquated and not created by default on FreeBSD later than 3.1, though you may have one. The following will add our startup command in either case.

echo "/usr/local/bin/akpop3d -d" >> /etc/rc.local

That is it. You should now be able to connect via a remote mail client from your internal network. If you do not intend on being accessible from the Internet, be sure to block TCP port 110 (as well as TCP port 995 if you enable SSL). Also, take a look at the '-l' option in the man page.
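
The "netstat -an" check above can also tell you whether POP3 is reachable on every interface or only on the address you chose with '-l'. The script below is an added example, not part of the original HOWTO or of akpop3d; it assumes the FreeBSD netstat layout (local address in the fourth column, port after the last dot), and the function names and sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the HOWTO). Function names are hypothetical.
# Assumes FreeBSD-style `netstat -an` output: local address in column 4,
# port after the last dot, "*" meaning every interface.

# Print "<scope> <address> <port>" for each listening POP3 (110) or
# POP3-over-SSL (995) socket found in netstat output read from stdin.
pop3_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, part, /\./)
            port = part[n]
            if (port != "110" && port != "995") next
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "*") ? "wildcard" : "bound"
            print scope, addr, port
        }'
}

# Succeed only if no POP3 listener is on the wildcard address, i.e. the
# daemon is bound to specific addresses rather than every interface.
pop3_internal_only() {
    ! pop3_listeners | grep -q '^wildcard '
}

# Constructed sample: akpop3d started with plain "-d" (all interfaces).
SAMPLE_EXPOSED='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.50.1042      ESTABLISHED'

# Constructed sample: POP3 bound to one internal address only.
SAMPLE_INTERNAL='Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.10.110       *.*                    LISTEN
tcp4       0      0  192.168.1.10.995       *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN'

for sample in "$SAMPLE_EXPOSED" "$SAMPLE_INTERNAL"; do
    printf '%s\n' "$sample" | pop3_listeners
    if printf '%s\n' "$sample" | pop3_internal_only; then
        echo "OK: POP3 is bound to specific addresses only"
    else
        echo "WARNING: POP3 is listening on every interface"
    fi
done
```

On the mail server itself, feed it live data with "netstat -an | pop3_listeners". A "wildcard" line means the port is open on every interface, so it must be covered by a firewall rule if the server is not meant to offer POP3 to the Internet.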

4.0 POP3 Client Connections

At this point you can set up your favorite POP3 mail client (Outlook, Mozilla, Eudora, Kmail, etc.) to connect to your new POP3 enabled mail server. The specifics of each client vary, but the minimum information we need to configure is:

  1. Mailserver Address: (The domain name or IP address of your POP3 mail server)
  2. Username and Password: (Your real Unix username and password.)

Note that akpop3d uses real Unix (FreeBSD) accounts. This is not a virtual POP3 server. Also remember that POP3 without SSL passes passwords over the network in plain text. If you are unable to retrieve mail, I would first make sure that you are able to connect to your server's TCP port 110, which is easily done by using Telnet from your client machine.

telnet [your_mailserver] 110 (Ex. telnet mail.mydomain 110)

If you receive "+OK", then you are connected and can exit by issuing "quit". Double check your POP3 client's settings. If your connection attempt times out, you will need to ensure akpop3d is running and listening on the same interface you are trying to connect to. Try "netstat -an" and look for TCP 110. Also, ensure that you are not being blocked by a firewall. While we are on the subject, you can also log in and check for messages via Telnet as shown below. I have indented the server responses. You will need to type anything that is not indented. (Note: You will be typing blind if you are using a Windows telnet session.)

telnet [your_mailserver] 110
   +OK
user [your_username]
   +OK
pass [your_password]
   +OK
list
   1 4794
   2 27898
   3 ... and so on.


5.0 Beyond POP3--Sending Mail

By now you are hopefully able to retrieve mail via POP3. Now, provided that our client machine is on the same network as our mail server and we have not changed the Postfix default settings, we can also relay mail via SMTP through our mail server to users on other mail servers. In other words, any machine on our local network is trusted to relay mail through our mailserver to any other mail server on the Internet. This is the default behavior of Postfix--to trust all machines within our own network. Connections from outside of our network are NOT trusted and will NOT be permitted to relay mail. No mail server should ever relay mail from an untrusted client or server without some form of authentication. Without this protection, our mailserver can be used to send email anonymously from anyone to anyone--SPAM.

If you only intend to use your POP3 connection from within your own network, you are done. If, however, you would like to provide external users, or yourself while on the road, with the ability to send (relay) mail, you must provide some form of authentication before Postfix will relay these messages. The two most popular methods are pop-before-smtp and SASL (Simple Authentication and Security Layer). If you are interested in either of these, you can check out the documentation at www.postfix.org. Also, you can refer to my HOWTO: Adding SASL to Postfix.


6.0 Additional Resources

The Home of Postfix:
www.postfix.org

The Home of akpop3d:
www.synflood.at/akpop3d/



Please feel free to contact me with comments, corrections, or additions.

Glenn Sidman
email address