2008/9/12 Brian Evans - Postfix List <[EMAIL PROTECTED]>:
> David Ballano wrote:
>> Hello people,
>>
>> I'm new here, and I have a lot of questions for you, thanks in advance :)
>>
>>
>> I'm configuring a postfix 2.3 server in a debian etch, it's my first
>> time so I would like to do a simple configuration.
>>
>> I've been reading the documentation of postfix.org, believe me.
>>
>> That is what I've done
>>
>> 1- Installed Postfix
>>
>> that's my main.cf file (I'm following the Postfix virtual MAILBOX
>> example: separate domains, non-UNIX accounts conf from postfix.org, so
>> I added some things)
>>
>>
> Next time, please show 'postconf -n'.  Your eyes can play tricks on you
> vs. what Postfix sees.
That's my postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $mydomain, orion.ballano.net, localhost.ballano.net, localhost
mydomain = ballano.net
myhostname = orion.ballano.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP (Microsoft Exchange)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains = $mydomain
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:5000

>> smtpd_sasl_path = smtpd
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_local_domain = $myhostname
>> broken_sasl_auth_clients = yes
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, check_relay_domains
>>
>>
> This is totally wrong.. you need to have reject_unauth_destination after
> permit_sasl_authenticated.

ok I modified

>> myhostname = orion.ballano.net
>> alias_maps = hash:/etc/aliases
>> alias_database = hash:/etc/aliases
>> myorigin = /etc/mailname
>> mydestination = ballano.net, orion.ballano.net, localhost.ballano.net, 
>> localhost
>> relayhost =
>> mynetworks = 127.0.0.0/8
>> mailbox_size_limit = 0
>> recipient_delimiter = +
>> inet_interfaces = all
>>
>> virtual_mailbox_domains = ballano.net
>>
> Do *not* list a domain in virtual_(mailbox|alias)_domains AND mydestination.
> Doing so will cause issues and postfix will complain and possibly hand
> off to the wrong delivery agent.

I put mydomain variable instead, I think that is ok, isn't it?

>> virtual_mailbox_base = /var/mail/vhosts
>> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>>
>> virtual_minimun_uid = 100
>> virtual_uid_maps = static:5000
>> virtual_gid_maps = static:5000
>>
>>
>> My questions are, how can I secure the access to the smtp? I've been
>> reading about sasl2 so I installed sasl2 and the saslauth daemon, (is in
>> the same packet I think ??)
>>
>> saslauth is running
>> ps wax | grep saslauthd
>> 19707 ?        Ss     0:00 /usr/sbin/saslauthd -a pam -c -n 5
>> 19708 ?        S      0:00 /usr/sbin/saslauthd -a pam -c -n 5
>> 19709 ?        S      0:00 /usr/sbin/saslauthd -a pam -c -n 5
>> 19710 ?        S      0:00 /usr/sbin/saslauthd -a pam -c -n 5
>>
>> auth with pam?? I don't want to create UNIX users.
>>
>> "/usr/local/lib/sasl2/smtpd.conf"
>> pwcheck_method: auxprop
>> auxprop_plugin: sasldb
>> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>>
>> I also created a sasldb2 database but I don't know how to paste the
>> whole thing...
>>
>> I want to authenticate my client with a secure layer, you know I don't
>> want to send the pass and user in plain text, and the problem is that
>> I'm not sure if this is the correct way to do it.
>>
>>
>
> Experiment with setting: smtpd_tls_security_level = may and
> smtpd_tls_auth_only = yes.
> This forces clients to use TLS in order to AUTH and TLS is like OpenSSL
> for a connection.
> Make sure to read http://www.postfix.org/SASL_README.html#server_cyrus
> and the documentation for Cyrus SASL.
>

For now, I think all the configuration is the same as the docs. I added a
user to the sasldb with the command saslpasswd2,

sasldblistusers2
[EMAIL PROTECTED]: userPassword

cat /etc/postfix/vmailbox
[EMAIL PROTECTED]       ballano.net/david/

cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

I don't know what to put in mech_list for sasl to auth secured, that
is what I saw on the Internet, probably wrong...

And the last thing is the saslauth daemon, which I imagine is the most
important for sasl because it does the authentication, but if I do a ps
ps -ef | grep saslauth
root     11840  7526  0 17:19 pts/0    00:00:00 grep saslauth
root     19707     1  0 06:23 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -n 5
root     19708 19707  0 06:23 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -n 5
root     19709 19707  0 06:23 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -n 5

pam ? this could not be ok, I want to auth with sasldb, ...



> If this is a private submission port, you can set
> smtpd_tls_security_level = encrypt, but this should NOT be on the smtp
> port of an MX.
>
> Brian
>

Thanks for all the help guys,
David.
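
The checks Brian asks for, run over the `postconf -n` output in this message after expanding `$name` references. This is an added example, not part of the original thread; the function names are hypothetical, and parameters missing from the `postconf -n` output are treated as unset rather than resolved to Postfix's built-in defaults.

```python
import re

# Lines copied from the postconf -n output above (only what the checks read)
POSTCONF_N = """\
mydestination = $mydomain, orion.ballano.net, localhost.ballano.net, localhost
mydomain = ballano.net
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
virtual_mailbox_domains = $mydomain
"""

def parse(text):
    """Parse 'name = value'; a line without 'name =' continues the previous one."""
    params, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            last, params[m.group(1)] = m.group(1), m.group(2).strip()
        elif last and line.strip():
            params[last] += " " + line.strip()
    return params

def expand(value, params, depth=0):
    """Resolve $name and ${name}; unknown names become empty (assumption)."""
    if depth > 10:
        return value
    sub = lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1)
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", sub, value)

def items(value):
    return {v.lower() for v in re.split(r"[,\s]+", value) if v}

def audit(params):
    get = lambda k: expand(params.get(k, ""), params)
    local = items(get("mydestination"))
    virtual = items(get("virtual_mailbox_domains")) | items(get("virtual_alias_domains"))
    findings = [f"{d}: in mydestination and a virtual domain class" for d in sorted(local & virtual)]
    if "reject_unauth_destination" not in items(get("smtpd_recipient_restrictions")):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    if get("smtpd_sasl_auth_enable") == "yes" and get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH offered without TLS: smtpd_tls_auth_only is not yes")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(POSTCONF_N))))
```

Comparing the expanded values matters because a domain written as `$mydomain` in one parameter and as a literal in another names the same address class twice.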
