Postfix and Dovecot SASL
Desde la versión 2.3, Postfix permite usar SMTP AUTH a traves de Dovecot SASL
insertado en las series tipo Dovecot 1.0. Si estas usando un postfix obtenido
de un binario (como un .rpm o un .deb), tu puedes chequear si Postfix fue
compilado con soporte para Dovecot SASL ejecutando el comando:
postconf -a
Una vez que hayas verificado que tu instalación de Postfix soporta Dovecot
SASL, es muy sencillo de configurar:
Ejemplo de dovecot.conf:
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
# Assuming the default Postfix $queue_directory setting
path = /var/spool/postfix/private/auth
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
}
}
Ejemplo de Postfix main.cf:
smtpd_sasl_type = dovecot
# Can be an absolute path, or relative to $queue_directory
smtpd_sasl_path = private/auth
# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
A continuación le hago un copy y paste al txt que tengo (en inglés) que también
te puede ayudar, porque los attachments se los come el servidor.
Dovecot SASL configuration for the Postfix SMTP server
Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side
you need to specify the location of the Dovecot authentication daemon socket.
We use a pathname relative to the Postfix queue directory, so that it will work
whether or not the Postfix SMTP server runs chrooted:
/etc/postfix/main.cf:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
On the Dovecot side you also need to specify the Dovecot authentication daemon
socket. In this case we specify an absolute pathname. In the example we assume
that the Postfix queue is under /var/spool/postfix/.
/some/where/dovecot.conf:
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
See the Dovecot documentation for how to configure and operate the Dovecot
authentication server.
Cyrus SASL configuration for the Postfix SMTP server
You need to configure how the Cyrus SASL library should authenticate a remote
SMTP client's username and password. These settings must be stored in a
separate configuration file.
The name of the configuration file (default: smtpd.conf) will be constructed
from a value that the Postfix SMTP server sends to the Cyrus SASL library,
which adds the suffix .conf. The value is configured using one of the following
variables:
/etc/postfix/main.cf:
# Postfix 2.3 and later
smtpd_sasl_path = smtpd
# Postfix < 2.3
smtpd_sasl_application_name = smtpd
Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/ (Cyrus
SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL version 2.1.x).
Note: some Postfix distributions are modified and look for the smtpd.conf file
in /etc/postfix/sasl.
Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
*
To authenticate against the UNIX password database, use:
(Cyrus SASL version 1.5.x)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: pwcheck
IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck
and waits for authentication requests. The Postfix SMTP server must have
read+execute permission to this directory or authentication attempts will fail.
The pwcheck daemon is contained in the cyrus-sasl source tarball.
(Cyrus SASL version 1.5.26)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: saslauthd
(Cyrus SASL version 2.1.x)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
The saslauthd daemon is also contained in the cyrus-sasl source tarball.
It is more flexible than the pwcheck daemon, in that it can authenticate
against PAM and various other sources. To use PAM, start saslauthd with "-a
pam".
IMPORTANT: saslauthd usually establishes a UNIX domain socket in
/var/run/saslauthd and waits for authentication requests. The Postfix SMTP
server must have read+execute permission to this directory or authentication
attempts will fail.
Note: The directory where saslauthd puts the socket is configurable. See
the command-line option "-m /path/to/socket" in the saslauthd --help listing.
*
To authenticate against Cyrus SASL's own password database:
(Cyrus SASL version 1.5.x)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: sasldb
(Cyrus SASL version 2.1.x)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
This will use the Cyrus SASL password file (default: /etc/sasldb in
version 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained with the
saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On some
poorly-supported systems the saslpasswd command needs to be run multiple times
before it stops complaining. The Postfix SMTP server needs read access to the
sasldb file - you may have to play games with group access permissions. With
the OTP authentication mechanism, the Postfix SMTP server also needs WRITE
access to /etc/sasldb2 or /etc/sasldb (or the back end SQL database, if used).
IMPORTANT: To get sasldb running, make sure that you set the SASL domain
(realm) to a fully qualified domain name.
EXAMPLE:
(Cyrus SASL version 1.5.x)
% saslpasswd -c -u `postconf -h myhostname` exampleuser
(Cyrus SASL version 2.1.x)
% saslpasswd2 -c -u `postconf -h myhostname` exampleuser
You can find out SASL's idea about the realms of the users in sasldb with
sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL
version 2.1.x).
On the Postfix side, you can have only one realm per smtpd(8) instance,
and only the users belonging to that realm would be able to authenticate. The
Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd(8):
/etc/postfix/main.cf:
smtpd_sasl_local_domain = $myhostname
IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd
can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus
SASL library doesn't know this, and will happily advertise other authentication
mechanisms that the SASL library implements, such as DIGEST-MD5. As a result,
if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while
pwcheck or saslauthd are used, authentication will fail. Thus you may need to
limit the list of mechanisms advertised by the Postfix SMTP server.
*
With older Cyrus SASL versions you remove the corresponding library files
from the SASL plug-in directory (and again whenever the system is updated).
*
With Cyrus SASL version 2.1.x or later the mech_list variable can specify
a list of authentication mechanisms that Cyrus SASL may offer:
/usr/local/lib/sasl2/smtpd.conf:
mech_list: plain login
For the same reasons you might want to limit the list of plugins used for
authentication.
*
With Cyrus SASL version 1.5.x your only choice is to delete the
corresponding library files from the SASL plug-in directory.
*
With SASL version 2.1.x:
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sql
To run software chrooted with SASL support is an interesting exercise. It
probably is not worth the trouble.
Testing SASL authentication in the Postfix SMTP server
To test the server side, connect (for example, with telnet) to the Postfix SMTP
server port and you should be able to have a conversation as shown below.
Information sent by the client (that is, you) is shown in bold font.
$ telnet server.example.com 25
. . .
220 server.example.com ESMTP Postfix
EHLO client.example.com
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
AUTH PLAIN AHRlc3QAdGVzdHBhc3M=
235 Authentication successful
Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded form of
\0username\0password (the \0 is a null byte). The example above is for a user
named `test' with password `testpass'.
In order to generate base64 encoded authentication information you can use one
of the following commands:
% printf '\0username\0password' | mmencode
% perl -MMIME::Base64 -e \
'print encode_base64("\0username\0password");'
The mmencode command is part of the metamail software. MIME::Base64 is
available from http://www.cpan.org/.
Caution: when posting logs of the SASL negotiations to public lists, please
keep in mind that username/password information is trivial to recover from the
base64-encoded form.
Trouble shooting the SASL internals
In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make
there, then create a symbolic link from sample.conf to smtpd.conf in your Cyrus
SASL library directory /usr/local/lib/sasl2. "su" to the user postfix (or
whatever your mail_owner directive is set to):
% su postfix
then run the resulting sample Cyrus SASL server and client in separate
terminals. The sample applications send log messages to the syslog facility
auth. Check the log to fix the problem or run strace / ktrace / truss on the
server to see what makes it unhappy. Repeat the previous step until you can
successfully authenticate with the sample Cyrus SASL client. Only then get back
to Postfix.
Enabling SASL authentication in the Postfix SMTP client
Turn on client-side SASL authentication, and specify a table with per-host or
per-destination username and password information. The Postfix SMTP client
first searches the table for an entry with the remote SMTP server hostname; if
no entry is found, then the Postfix SMTP client searches the table for an entry
with the next-hop destination. Usually, that is the right-hand part of an email
address, but it can also be the information that is specified with the
relayhost parameter or with a transport(5) table.
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
relayhost = [mail.myisp.net]
# Alternative form:
# relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
Notes:
*
The "submission" destination port tells Postfix to send mail via TCP
network port 587, which is normally reserved for email clients. The default is
to send mail to the "smtp" destination port (TCP port 25), which is used for
receiving mail across the internet. If you use an explicit destination port in
main.cf, then you must use the same form also in the smtp_sasl_password_maps
file.
*
Postfix does not deliver mail via TCP port 465 (the obsolete
"wrappermode" protocol). See TLS_README for a solution that uses the "stunnel"
command.
*
The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
records for the enclosed name. If you use this form in main.cf, then you must
use the same form also in the smtp_sasl_password_maps file.
*
The Postfix SMTP client opens the SASL client password file before
entering the optional chroot jail, so you can keep the file in /etc/postfix and
set permissions read / write only for root to keep the username:password
combinations away from other system users.
*
Specify dbm instead of hash if your system uses dbm files instead of db
files. To find out what lookup tables Postfix supports, use the command
"postconf -m".
*
Execute the command "postmap /etc/postfix/sasl_passwd" whenever you
change the sasl_passwd table.
Workarounds:
*
Some remote SMTP servers support PLAIN or LOGIN authentication only. By
default, the Postfix SMTP client does not use authentication methods that send
plaintext passwords, and defers delivery with the following error message:
"Authentication failed: cannot SASL authenticate to server". To enable
plaintext authentication specify, for example:
/etc/postfix/main.cf:
smtp_sasl_security_options = noanonymous
*
Some remote SMTP servers announce authentication mechanisms that don't
actually work. It is possible via the smtp_sasl_mechanism_filter parameter to
restrict the list of server mechanisms that the Postfix SMTP client will take
into consideration:
/etc/postfix/main.cf:
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
In the above example, the Postfix SMTP client will decline to use
mechanisms that require special infrastructure such as Kerberos or TLS.
*
The Postfix SMTP client is backwards compatible with SMTP servers that
use the non-standard "AUTH=method..." syntax in response to the EHLO command;
there is no Postfix client configuration needed to work around it.
Supporting multiple ISP accounts in the Postfix SMTP client
Postfix version 2.3 supports multiple ISP accounts. This can be useful when one
person uses the same machine for work and for personal use, or when people with
different ISP accounts share the same Postfix server. To make this possible,
Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In
the example below, Postfix will search the SASL password file by sender before
it searches that same file by destination. Likewise, Postfix will search the
per-sender relayhost file, and use the default relayhost only as a final resort.
/etc/postfix/main.cf:
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = [mail.myisp.net]
# Alternative form:
# relayhost = [mail.myisp.net]:submission
/etc/postfix/sasl_passwd:
# Per-sender authentication; see also /etc/postfix/sender_relay.
[EMAIL PROTECTED] username2:password2
[EMAIL PROTECTED] username2:password2
# Login information for the default relayhost.
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
/etc/postfix/sender_relay:
# Per-sender provider; see also /etc/postfix/sasl_passwd.
[EMAIL PROTECTED] [mail.example.com]:submission
[EMAIL PROTECTED] [mail.example.net]
Notes:
*
If you are creative, then you can try to combine the two tables into one
single MySQL database, and configure different Postfix queries to extract the
appropriate information.
*
Specify dbm instead of hash if your system uses dbm files instead of db
files. To find out what lookup tables Postfix supports, use the command
"postconf -m".
*
Execute the command "postmap /etc/postfix/sasl_passwd" whenever you
change the sasl_passwd table.
*
Execute the command "postmap /etc/postfix/sender_relay" whenever you
change the sender_relay table.
-----Mensaje original-----
De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] En nombre de Julio Capote
(Informático Emp. Gráfica de VC)
Enviado el: Tuesday, October 21, 2008 2:21 PM
Para: [email protected]
Asunto: [linux-l] alguin tiene algun How To para postfix+dovecot
Hola Listeros... alguno tiene algun manual o How To que sirva para
implementar un server de correo con postfix+dovecot+sasl para pop3 e imap
Saludos cordiales
Lic. Julio Capote Peralta
Informático
Empresa Gráfica de VC
Telf.: 292564 e.mail: [EMAIL PROTECTED]
_______________________________________________
Cancelar suscripción
https://listas.softwarelibre.cu/mailman/listinfo/linux-l
Buscar en el archivo
http://listas.softwarelibre.cu/buscar/linux-l
__________ Información de ESET NOD32 Antivirus, versión de la base de firmas de
virus 3543 (20081021) __________
ESET NOD32 Antivirus ha comprobado este mensaje.
http://www.eset.com
Mensaje de correo electronico - esta correcto
Mensaje de correo electronico - esta correcto
__________ Información de ESET NOD32 Antivirus, versión de la base de firmas de
virus 3544 (20081021) __________
ESET NOD32 Antivirus ha comprobado este mensaje.
http://www.eset.com
Mensaje de correo electronico - esta correcto
Mensaje de correo electronico - esta correcto
_______________________________________________
Cancelar suscripción
https://listas.softwarelibre.cu/mailman/listinfo/linux-l
Buscar en el archivo
http://listas.softwarelibre.cu/buscar/linux-l
