* Terry L. Inzauro <tinza...@ha-solutions.net>:
> What is the recommended and most scalable method for implementing SMTP Auth
> against OpenLDAP that currently manages all IMAP accounts?
Cyrus SASL ldapdb plugin:

The ldapdb auxprop plugin provides access to credentials stored in an OpenLDAP LDAP server. It is the only plugin that implements proxy authorization. Proxy authorization in this context means: The ldapdb plugin must SASL authenticate with the OpenLDAP server. The server then decides if the ldapdb plugin should be authorized to read the authenticating user's password. Once the ldapdb plugin has gone through proxy authorization it may proceed and authenticate the submitted credentials.

In a nutshell: Configuring ldapdb means authentication and authorization must be configured twice - once in the Postfix SMTP server smtpd to authenticate and authorize mail clients and once in the OpenLDAP slapd server to authenticate and authorize the ldapdb plugin.

This example configures libsasl to use the ldapdb plugin and the plugin to connect to an OpenLDAP server:

/etc/sasl2/smtpd.conf:

    pwcheck_method: auxprop
    auxprop_plugin: ldapdb
    mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
    ldapdb_uri: ldap://localhost
    ldapdb_id: proxyuser
    ldapdb_pw: password
    ldapdb_mech: DIGEST-MD5

Important: Set appropriate permissions if smtpd.conf contains a password.

auxprop_plugin
    Set ldapdb to enable the plugin.

ldapdb_uri
    Specify either ldapi:// for a UNIX domain socket, ldap:// for an unencrypted TCP socket or ldaps:// to use an encrypted TCP connection.

ldapdb_id
    Sets the login name for the ldapdb plugin (proxy authorization).

ldapdb_pw
    Sets the password (in cleartext) for the ldapdb plugin (proxy authorization).

ldapdb_mech
    Specify the mechanism ldapdb should use when it authenticates with the OpenLDAP slapd server.
    Note: It must be a mechanism supported by the OpenLDAP slapd server.

ldapdb_rc (optional)
    Specifies the path to a file containing individual configuration options for the ldapdb LDAP client (libldap). This allows specifying a TLS client certificate, which in turn can be used for the SASL EXTERNAL mechanism.
    Note: This mechanism provides authentication over an encrypted transport layer, which is recommended if the plugin must connect to an OpenLDAP server on a remote machine.

ldapdb_starttls (optional)
    Specify either "try" or "demand" for a TLS policy. If the option is "try" the plugin will attempt to establish a TLS encrypted connection and will fall back to an unencrypted connection if TLS fails. If it is "demand" and a TLS encrypted connection fails, no subsequent attempts will be made and the connection fails completely.

When the ldapdb plugin connects to the OpenLDAP server and successfully authenticates, the server must decide if the plugin user should be authorized to read other users' passwords. The following configuration gives an example of authorization configuration in the OpenLDAP slapd server:

/etc/openldap/slapd.conf:

    authz-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=example,dc=com??sub?cn=$1
    authz-policy to

The "authz-regexp" option serves authentication of the ldapdb user. It maps its login name (SASL identity) to a DN in the LDAP directory tree where slapd can look up the password.

The "authz-policy" option defines the authentication policy. In this case it grants authentication privileges "to" the ldapdb plugin.

The last configuration step is to tell the OpenLDAP slapd server where ldapdb may search for usernames matching the one given by the mail client. An additional attribute added to the ldapdb user object (here: authzTo because the authz-policy is "to") configures the scope within which the ldapdb login name "proxyuser" may search:

    dn: cn=proxyuser,dc=example,dc=com
    changetype: modify
    add: authzTo
    authzTo: dn.regex:uniqueIdentifier=(.*),ou=people,dc=example,dc=com

Use the ldapmodify or ldapadd command to add the additional attribute.

HTH,

p...@rick

--
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
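The slapd side of the setup described in the post (the authz-regexp mapping, authz-policy "to", and the authzTo attribute on the proxy user) as an added, stand-alone simulation. This is example code written for this page, not part of the list post and not OpenLDAP's own code. It evaluates the same three rules against a constructed in-memory directory instead of a live slapd, uses Python's re module where slapd uses POSIX regular expressions, and anchors every match with fullmatch (an assumption about slapd's matching semantics; check slapd.conf(5) for your version). The mail user "terry" and the entry "cn=admin" are made up for the demonstration.

```python
import re

# Constructed in-memory stand-in for the directory; not a real slapd.
DIRECTORY = {
    "cn=proxyuser,dc=example,dc=com": {
        "cn": ["proxyuser"],
        # the attribute the post adds with ldapmodify
        "authzTo": ["dn.regex:uniqueIdentifier=(.*),ou=people,dc=example,dc=com"],
    },
    "uniqueIdentifier=terry,ou=people,dc=example,dc=com": {  # made-up mail user
        "uniqueIdentifier": ["terry"],
    },
    "cn=admin,dc=example,dc=com": {  # outside ou=people; must not be proxied to
        "cn": ["admin"],
    },
}

# The two slapd.conf lines from the post, held as data
AUTHZ_REGEXP = [(r"uid=(.*),cn=.*,cn=auth", "ldap:///dc=example,dc=com??sub?cn=$1")]
AUTHZ_POLICY = "to"


def map_sasl_identity(sasl_dn):
    """authz-regexp: rewrite the SASL identity (uid=...,cn=...,cn=auth) into the
    replacement string, substituting $1, $2, ... with the capture groups.
    Returns None when no rule matches."""
    for pattern, replacement in AUTHZ_REGEXP:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
        if m:
            for i, group in enumerate(m.groups(), start=1):
                replacement = replacement.replace(f"${i}", group)
            return replacement
    return None


def in_scope(dn, base, scope):
    """LDAP search scope test for a DN written without spaces after commas."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)  # sub


def search_uri(uri):
    """Resolve an ldap:///base?attrs?scope?filter URI against DIRECTORY.
    Only simple attr=value filters are understood; that is all the post needs."""
    m = re.fullmatch(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)", uri)
    if not m:
        return []
    base, _attrs, scope, filt = m.groups()
    fm = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^)]*)\)?", filt)
    if not fm:
        return []
    attr, value = fm.groups()
    return [
        dn
        for dn, entry in DIRECTORY.items()
        if in_scope(dn, base, scope or "base")
        and any(v.lower() == value.lower() for v in entry.get(attr, []))
    ]


def may_proxy(sasl_dn, target_dn):
    """Decide, as slapd with 'authz-policy to' would, whether the identity that
    just SASL-authenticated may act as target_dn. Returns (allowed, reason)."""
    uri = map_sasl_identity(sasl_dn)
    if uri is None:
        return False, "no authz-regexp matched the SASL identity"
    # An LDAP URI is searched and must yield exactly one entry; a plain DN is used as-is.
    hits = search_uri(uri) if uri.startswith("ldap:///") else [uri]
    if len(hits) != 1:
        return False, f"identity mapping yielded {len(hits)} entries, need exactly 1"
    bind_dn = hits[0]
    if AUTHZ_POLICY != "to":
        return False, f"authz-policy {AUTHZ_POLICY!r} does not consult authzTo"
    for rule in DIRECTORY[bind_dn].get("authzTo", []):
        kind, _, value = rule.partition(":")
        if kind == "dn.regex" and re.fullmatch(value, target_dn, re.IGNORECASE):
            return True, f"{bind_dn} authzTo {rule}"
        if kind in ("dn", "dn.exact") and value.lower() == target_dn.lower():
            return True, f"{bind_dn} authzTo {rule}"
    return False, f"{bind_dn} has no authzTo rule covering {target_dn}"


if __name__ == "__main__":
    me = "uid=proxyuser,cn=DIGEST-MD5,cn=auth"  # DIGEST-MD5 identity, no realm
    for target in ("uniqueIdentifier=terry,ou=people,dc=example,dc=com",
                   "cn=admin,dc=example,dc=com"):
        print(target, may_proxy(me, target))
    # With a SASL realm the greedy (.*) also swallows ',cn=<realm>':
    print(map_sasl_identity("uid=proxyuser,cn=example.com,cn=DIGEST-MD5,cn=auth"))
```

Run it with `python3` and the first target is allowed while `cn=admin` is refused, which is exactly the boundary the authzTo value draws. The last line shows a caveat worth knowing before copying the post's regex: when slapd is configured with a SASL realm, the identity it builds is `uid=proxyuser,cn=<realm>,cn=DIGEST-MD5,cn=auth`, and `uid=(.*),cn=.*,cn=auth` then captures `proxyuser,cn=<realm>` as $1, so the mapping search finds nothing and proxy authorization fails. A pattern such as `uid=([^,]*),cn=.*,cn=auth` captures only the login name in both cases.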