SYNOPSIS

       qmail-popup hostname subprogram


DESCRIPTION

       qmail-popup reads a POP username and password from the network.  It
       then runs subprogram.

       qmail-popup expects descriptor 0 to read from the network and
       descriptor 1 to write to the network.  It reads a username and password
       from descriptor 0 in POP's USER-PASS style or APOP style.  File
       descriptor 5 is used to provide additional logging.  It invokes
       subprogram, with the same descriptors 0 and 1; descriptor 2 writing to
       the network; and descriptor 3 reading the username, a 0 byte, the
       password, another 0 byte, an APOP timestamp derived from hostname, and
       a final 0 byte.  qmail-popup then waits for subprogram to finish.  It
       prints an error message if subprogram crashes or exits nonzero.

       qmail-popup has a 20-minute idle timeout.



AUTHENTICATION

       qmail-popup supports both username/password and APOP authentication.
       The latter is enabled once the environment variable POP3AUTH='apop'
       or POP3AUTH='+apop' is set.  In this case, you need to provide an
       APOP-capable PAM, e.g. qmail-authuser.

       qmail-popup should be used only within a secure network.  Otherwise an
       eavesdropper can steal passwords.  Even if you use APOP, an active
       attacker can still take over the connection and wreak havoc.
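
       The descriptor 3 record from DESCRIPTION and the two authentication
       styles above, seen from the subprogram's side.  This is an added
       example, not code from qmail-popup or qmail-authuser; the function
       names, the secrets table, the 512-byte cap and the assumption that in
       APOP mode the password field carries the RFC 1939 digest are its own.

```python
import hashlib
import hmac

MAX_RECORD = 512  # assumed size cap for the descriptor-3 record; not from this page


def parse_fd3(record: bytes):
    """Split 'user\\0password\\0timestamp\\0' into its three fields, strictly."""
    if len(record) > MAX_RECORD or not record.endswith(b"\0"):
        raise ValueError("oversized or unterminated record")
    fields = record[:-1].split(b"\0")
    if len(fields) != 3 or not fields[0]:
        raise ValueError("expected username, password, timestamp")
    return tuple(fields)


def authenticate(record: bytes, secrets: dict, apop: bool) -> bool:
    """Check one record against a {username: secret} table (hypothetical store)."""
    try:
        user, response, timestamp = parse_fd3(record)
    except ValueError:
        return False
    known = user in secrets
    # Unknown users are checked against a dummy secret so both paths do equal work.
    secret = secrets.get(user, b"\0dummy")
    if apop:
        # RFC 1939: response is lower-case hex MD5 of timestamp followed by secret.
        expected = hashlib.md5(timestamp + secret).hexdigest().encode()
    else:
        # USER-PASS: the field is the password itself.
        expected = secret
    return hmac.compare_digest(response, expected) and known


# Constructed sample values (not taken from a real session).
SAMPLE_TS = b"<1234.1700000000@pop.example.org>"
SAMPLE_SECRETS = {b"alice": b"correct horse"}

if __name__ == "__main__":
    digest = hashlib.md5(SAMPLE_TS + b"correct horse").hexdigest().encode()
    record = b"alice\0" + digest + b"\0" + SAMPLE_TS + b"\0"
    print(authenticate(record, SAMPLE_SECRETS, apop=True))   # True
    print(authenticate(record, SAMPLE_SECRETS, apop=False))  # False
```

       A real subprogram would read the record from descriptor 3 rather than
       build it, and would reject a timestamp it has seen before.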



STLS/POP3S SUPPORT

       qmail-popup can be configured to work over a TLS-encrypted connection.

       First, running qmail-popup and qmail-pop3d under sslserver, bound (in
       particular) to the POP3S port 995, provides mandatory TLS encryption.

       Second, if you provide the environment variable UCSPITLS='' together
       with sslserver, qmail-popup communicates with the sslserver program
       interface through a control socket, a reading pipe and a writing pipe,
       created dynamically during session start after announcing STLS to the
       client, thus allowing TLS encryption on request.  If UCSPITLS='!' is
       set, STLS is required; setting UCSPITLS='-' disables STLS.



LOGGING

       qmail-popup provides logging of accepted and rejected POP3 sessions
       using about the same format as qmail-smtpd.  The authentication
       mechanism is indicated as User if the userid/password method was used,
       and as Apop if APOP challenge/response was applicable.  The
       communication protocol may be either POP3, or POP3S for a STLS/POP3S
       secured connection.  The username provided for authentication is
       displayed after the sequence '?~'.  If qmail-popup is set up to require
       STLS by means of UCSPITLS='!', the log displays 'Any' as auth method
       and 'unknown' as username.

       The log is available on file descriptor 5.  In  order  to  display  the
       result use the redirection '5>&1'.

       qmail-popup is based on a program contributed by Russ Nelson.

SEE ALSO

       maildir(5), qmail-authuser(8), qmail-pop3d(8), qmail-log.
