Important notice: time has shown that SMTP direct authentication has become quite commonplace, making SMTP After POP authentication obsolete. So I have decided not to develop the SAPD project further. This site, with its documentation and source code, will remain available to the public. However, I will not support SAPD anymore. As SAPD is a daemon that can be modified to fit other purposes, feel free to get the code and derive other projects from it. Please note that SAPD is licensed under the GPL.
SAPD - A SIMPLE E-MAIL SECURITY DAEMON
Copyleft 2002-2003 Milton Maldonado Junior
Introduction
This is the homepage for the SAPD project, a GPL'd security daemon designed to work as a companion for Sendmail.
For those who don't know or don't remember, the protocol used to receive e-mail is called POP3 and is assigned to TCP port 110. The protocol used to send e-mail is called SMTP and is assigned to TCP port 25. From here on, we will always refer to them as the POP3 protocol and the SMTP protocol.
The protocol used to send e-mail, SMTP, has a severe flaw: it doesn't require passwords. Because of this, the e-mail server is vulnerable to all kinds of abuse via the Internet, like SPAM relaying and origination of e-mail with the sender's address forged.
SAPD is a daemon designed to protect a Sendmail server against such abuses by requiring that the user fetch (read) his e-mail before he can start sending. As fetching e-mail requires a username and password, this gives us a good authentication method that prevents misuse of the SMTP protocol.
This kind of authentication is called SMTP-After-POP3, because it allows sending e-mail (SMTP) only after fetching e-mail (POP3). Hence the name SAPD, which stands for "SMTP After POP3 Daemon".
The highlights of SAPD are:
Open relay blockage: by default, the Sendmail shipped with most (if not all) distros acts as an open relay, and it is necessary to change the settings every time you reinstall a Linux distro.
Easy SMTP after POP authentication: although Sendmail can enforce this policy on its own, this setup is a bit complicated (it requires 3rd party software and special options for compilation), and this becomes a problem if you often install new versions of your preferred distro (or of Sendmail itself).
No more e-mail spoofing: under pure SMTP after POP authentication, the user is not prevented from impersonating someone else's e-mail address. SAPD goes beyond this point, forcing the user to send e-mail using ONLY authorized e-mail addresses as the sender's.
No more received junk mail lost in the server: spammers don't just rely on lists, they usually try to guess a recipient's address based upon a given domain. E.g., for the domain mydomain.com, it's very common for spammers to try recipients like webmaster@mydomain.com, admin@mydomain.com, joe@mydomain.com, etc. In addition to this, many e-mail addresses in these lists are deprecated. Without SAPD, such a message will make Sendmail try to reply, after some hours, that the user is unknown. SAPD cuts the problem off at its beginning, closing the connection BEFORE the incoming message can even be received, saving time and bandwidth.
Please see the documentation to learn more about SAPD.
In addition, you can check our FAQ for some important information.
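The three checks described above (POP3 login before relaying, authorized sender addresses only, unknown local recipients refused before the message body) can be modelled as follows. This is an added example, not SAPD's own code; the class and function names, the sample addresses and the 30-minute authorization window are assumptions made for illustration.

```python
import time

# Constructed sample data; all names and the 30-minute window are assumptions.
AUTH_WINDOW = 30 * 60  # seconds a POP3 login keeps a client IP authorized
LOCAL_DOMAIN = "mydomain.com"
AUTHORIZED_SENDERS = {"joe": {"joe@mydomain.com", "sales@mydomain.com"}}
LOCAL_RECIPIENTS = {"joe@mydomain.com", "sales@mydomain.com"}


class SmtpAfterPop:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # client IP -> (user, time of last POP3 login)

    def pop3_login_ok(self, ip, user):
        """Record a successful POP3 login (username and password accepted)."""
        self.sessions[ip] = (user, self.clock())

    def _user_for(self, ip):
        entry = self.sessions.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if self.clock() - seen > AUTH_WINDOW:
            del self.sessions[ip]  # stale login: the user must fetch mail again
            return None
        return user

    def check_mail_from(self, ip, sender):
        """MAIL FROM: a logged-in user may only use his own addresses."""
        user = self._user_for(ip)
        if user is None:
            return "unauthenticated"  # may still deliver to local users
        if sender.lower() not in AUTHORIZED_SENDERS.get(user, set()):
            return "reject: sender not authorized"
        return "authenticated"

    def check_rcpt_to(self, mail_from_state, recipient):
        """RCPT TO: decided before DATA, so no message body is ever received."""
        if mail_from_state.startswith("reject"):
            return mail_from_state
        rcpt = recipient.lower()
        if rcpt.endswith("@" + LOCAL_DOMAIN):
            # Guessed or dead local address: close now, no bounce hours later.
            return "accept" if rcpt in LOCAL_RECIPIENTS else "close: unknown recipient"
        # A non-local recipient means relaying: POP3-authenticated clients only.
        return "accept" if mail_from_state == "authenticated" else "close: relay denied"
```

Because the authorization is keyed on the client IP address, every host that shares that address (for example behind NAT) inherits it until the window expires.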
System requirements
SAPD has been tested with a Linux 2.4 kernel (IPTABLES enabled) running Sendmail and GNU-POP3D, but it will likely compile and run on other UNIX-like systems. I don't know much about other MTAs (like QMail, or VPOP3D) or whether SAPD would be useful for them. Anyway, SAPD was written specifically for Sendmail. I would be grateful for your feedback on building and running SAPD on other OSs, and on its adequacy for use with other MTAs.
2003-06-01: Users have reported problems with VPOP3D; however, I currently don't have an available test platform to address this issue.
SAPD History
2002-04-07: First release, version 1.2
Disclaimer
Well, you've already seen this before. No warranties of any kind are given by the author. SAPD is an original work licensed under GPL.
SAPD is a brand new project and it's in a very, very crude stage. Neither command line options nor config files are supported: every option has to be defined at build time. I hope I will be able to address these issues soon.