POP3 on single IP?

I’m trying to run POP3 and POP3-SSL on a single IP address. I’ve changed /etc/courier/pop3d.dist and /etc/courier/pop3d-ssl.dist to read:

ADDRESS=(my mail ip)
-and-
SSLADDRESS=(my mail ip)

and restarted the pop daemons but netstat is still saying:

0.0.0.0:110
0.0.0.0:995

Any ideas?

0.0.0.0 should be your main IP, I think. Have you tried it out?

I just tested this in Outlook. I put in a couple of different IP addresses from the server as the incoming mail server and they all connected. I had assumed 0.0.0.0 was a wildcard address to show it is listening on every available IP? This isn’t really important; I just only use the POP3 server on one IP address and it will stay that way. Seems to me the configuration files should change this, as I had changed another option in those files and it had worked.

Okay I think I found out what to change. I want to verify this with a known before changing anything.

In /service/pop3/run:


exec /usr/bin/softlimit -m 25600000 \
/usr/bin/tcpserver -v -R -c 200 0 110 \
/var/qmail/bin/qmail-popup $HOSTNAME \
$PASSPROG /var/qmail/bin/qmail-pop3d Maildir 2>&1

Change the 0 before 110 to my mail server IP address? And then I can do this for pop3-ssl and smtp as well?

:slight_smile:

Well I’m up late and decided to try this. And it worked! netstat is showing a single IP bound to pop3, pop3-ssl and smtp. Also when testing in Outlook I can no longer connect to just any IP on the system for incoming mail, only the specified hostname. Just need to be sure that all of the mail.domain.com DNS records are set up to one IP. :wink:
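Added example, not part of the original thread: a shell check that does what the poster did by eye with netstat, reporting any mail port still bound to a wildcard address. The port list, the function names and the sample listener lines (using the documentation address 192.0.2.10) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag mail ports that listen on a
# wildcard address. Input is `netstat -ltn` / `ss -ltn` style text on stdin.
MAIL_PORTS="25 110 143 465 587 993 995"   # assumed list of ports to check

# Print "port address" for each listener on a mail port bound to a wildcard.
wildcard_mail_listeners() {
    awk -v ports="$MAIL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /LISTEN/ {
            # The local address is the first field shaped like addr:port;
            # the peer column ends in ":*" and never matches.
            loc = ""
            for (f = 1; f <= NF; f++) if ($f ~ /:[0-9]+$/) { loc = $f; break }
            if (loc == "") next
            port = loc; sub(/^.*:/, "", port)
            addr = substr(loc, 1, length(loc) - length(port) - 1)
            wild = (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            if (wild && (port in want)) print port, addr
        }'
}

# Exit status 1 if any mail port is reachable on every interface.
audit_mail_binds() {
    found=$(wildcard_mail_listeners)
    if [ -z "$found" ]; then
        echo "mail ports are bound to specific addresses only"; return 0
    fi
    printf '%s\n' "$found" | while read -r port addr; do
        echo "port $port listens on all interfaces ($addr)"
    done
    return 1
}

# Constructed samples: all services on the wildcard, then POP3 and POP3-SSL
# bound to one address while SMTP still listens on 0 (all interfaces).
sample_before() { cat <<'EOF'
tcp        0      0 0.0.0.0:110        0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:995        0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:25         0.0.0.0:*       LISTEN
EOF
}
sample_after() { cat <<'EOF'
tcp        0      0 192.0.2.10:110     0.0.0.0:*       LISTEN
tcp        0      0 192.0.2.10:995     0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:25         0.0.0.0:*       LISTEN
tcp6       0      0 :::22              :::*            LISTEN
EOF
}
echo "before:"; sample_before | audit_mail_binds || true
echo "after:";  sample_after  | audit_mail_binds || true
```

On a live host, pipe `netstat -ltn` into `audit_mail_binds` instead of the samples.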

Do either of these have to be bound to the loopback interface? I haven’t been experiencing any mail server troubles but NodeWorx is saying that SMTP is stopped on the home page but shows as running on the MTA Settings page. Any thoughts?

Are there any reasons SMTP or POP3 should be on the loopback interface? I understand SMTP uses that for delivering mail between users on the same server but none of my clients use the SMTP server, just the SMTP of their ISP.

I tried to create SMTP to listen on both the hostname and localhost ONLY but this created a new service called smtp2 somehow, which I’ve now gotten rid of. I’m not sure if that is a possibility to keep or not.

I currently have POP3 and POP3-SSL listening on just the hostname IP but SMTP listening on 0, or all interfaces.

Any help appreciated. :slight_smile:

I’m going to assume that it’s not absolutely necessary that these services be bound to the loopback interface. Qmail seemed to be running fine when I had these all configured to a single IP on the ethernet interface only. Qmail was still doing its job delivering mail locally to the domains in control/virtualdomains.

Sorry, just trying to figure out how Qmail is working internally. Please correct me if I’m wrong here. And if anyone has a nice explanation of Qmail’s internal job and requirements, even just a link, that would be much appreciated! :slight_smile:

Well I found that link I was looking for about how all of the little qmail programs are working…

http://www.nrg4u.com/

“The big qmail picture” column. Hope this helps somebody else. :slight_smile:

I’ve also been running POP3/SMTP on a single external IP address for a couple of weeks now without any noticeable problems or any complaints. I’m waiting to hear back from some other forums about NOT running qmail on the loopback interface and what problems it may cause in the future. I’ll post again with any information I receive about that.

EDIT: More informative links:
http://cr.yp.to/qmail/pictures.html
http://www.thedjbway.org/qmail/qmailflow.html

So what is the actual advantage to doing this?

This would mean that if I host sites on 2 different IPs, the main IP and a secondary IP that both the mail.domains.com would point to the one main IP??

[quote=Justec;14197]So what is the actual advantage to doing this?

This would mean that if I host sites on 2 different IPs, the main IP and a secondary IP that both the mail.domains.com would point to the one main IP??[/quote]

Right. I have the hostname on a dedicated IP address. I use this for the mail server, ssh/sftp, and NodeWorx/SiteWorx. Mainly using it this way because I have an SSL certificate from Comodo set up for the hostname when using POP3-SSL, IMAP-SSL, SMTP-SSL and then of course NodeWorx/SiteWorx over an SSL connection (I’ve changed NodeWorx and SiteWorx redirects to follow to the hostname). I was also going to use it for FTP over SSL but am just using SFTP now instead.

But anyway, all on that one IP is just to avoid warnings and things like that when making the connections over SSL.

So then if my clients do want to use POP3-SSL they connect to the hostname address instead of the mail.domain.com address. They can still connect to mail.domain.com (which is set up to the hostname IP anyway); they just wouldn’t use SSL (they could but would receive the warning message saying this SSL certificate belongs to “hostname” and not “mail.domain.com”).

There’s also the reverse DNS error on all of the other IP addresses not matching the A record of my hostname, which could cause mail delivery troubles on some servers if the reverse DNS is a mismatch. But that all depends on how your DNS is set up as well.

Besides all that, I’m just a believer in the saying, “If it’s not going to be used then disable it.” So if I’m only using that one IP address for my mail server I feel like a bigger target if it’s open on 10 other IP addresses when it’s not needed there. It’s just a little obscurity, but I was having problems with dictionary attacks a while ago. The attacks were all happening on the IP addresses of the actual websites, which used to have an unused SMTP port open on those IPs (the DNS would show the mail server on a separate address). After binding the mail server to a single IP address I’ve noticed fewer attacks. They still happen of course, but less frequently. None of the websites that I host are on the same IP address as the mail server, giving me fewer open ports on those IP addresses.

It may not all make sense but works for me. :slight_smile: HTH.

http://www.oreilly.com/catalog/qmail/

The best book I’m currently reading. I’ll soon post a how-to in the Hacks / Tools / Tips / Tricks forum once I get my setup to the intended way. For the how’s and why’s of qmail I highly suggest the above book. It explains the complexities in simple context. And coming from being with Exim… I love qmail!

:wink:

EDIT: See http://www.interworx.com/forums/showthread.php?t=2497