> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] cyradm.org] On Behalf Of Mikko Toivola
> Sent: Tuesday, December 12, 2006 12:19 AM
> To: [email protected]
> Subject: Re: [Web-cyradm] help with SASL auth from SMTP clients please
>
> I've configured such a system myself; it's no biggie really, since
> you already have set up SASL & stuff. You don't have to set up any
> "duplicate" systems, just configure your Postfix to allow relaying
> if the user is authenticated, that's basically it. My Postfix is also set
> up to listen on the SMTP/SSL TCP port (465), since my ISP is blocking
> port-25 connections to anywhere else than their own mail server (found
> that out after hours of debugging). TLS works on port 25, so it's
> possible to use that also; port 465 is strictly SSL. Blocking port-25
> access seems to be quite common nowadays (due to viruses & spam), so
> I've told everyone to just use port 465 and SSL (oh, and that's the only
> secure SMTP Apple Mail understands). I can post the critical parts of my
> Postfix configs later on, now I'm in a bit of a hurry. The net is also
> full of tutorials for this, just google for "postfix sasl
> authentication", it's not that uncommon a setup.
>
> Mikko
>
>
> On 11.12.2006, at 23:17, Carlos Hernandez wrote:
>
> > I need to be able to:
> >
> > I have closed my postfix down so we're not an open relay, I've tested
> > this thoroughly.
> > As well as serving the current users (IMAP or POP3), where they
> > send out their messages through their own ISP's SMTP servers,
> > I want to be able to allow any of my users to configure their email
> > client, Outlook, whatever, to send directly through my SMTP server,
> > using their own password, hopefully using TLS.
> >
> > Makes sense?
> > Carlos
> >
Read this: http://postfix.state-of-mind.de/patrick.koetter/smtpauth/index.html

Below are some notes for a SuSE SASL configuration; you'll have to adjust them to your system:

*************************************************************
Cyrus SASL Configuration:

MEMORY LEAK DEALING:

a) # vi /etc/init.d/saslauthd : (add this line)
   FLAGS="-n0 -s 2048 -t 3600 -c"
   (add $FLAGS to the following line so it looks like this)
   # /sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH $FLAGS > /dev/null 2>&1

   # vi /etc/sysconfig/saslauthd : (add this line)
   FLAGS="-n0 -s 2048 -t 3600 -c"
   run: # SuSEconfig

b) insserv /etc/init.d/saslauthd

c) /etc/init.d/saslauthd start

END OF MEMORY LEAK DEALING

Make sure you have the following lines in your config (add them):

# vi /etc/imapd.conf:
#
# admins: cyrus
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /etc/ssl/certs/cert.pem
tls_key_file: /etc/ssl/certs/cert.pem
tls_ca_file: /etc/ssl/certs/cert.pem
tls_ca_path: /etc/ssl/certs
-------
# vi /etc/imapd-local.conf:
admins: cyrus
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
#
# if you want TLS, you have to generate certificates and keys
#
tls_cert_file: /etc/ssl/certs/cert.pem
tls_key_file: /etc/ssl/certs/cert.pem
tls_ca_file: /etc/ssl/certs/cert.pem
tls_ca_path: /etc/ssl/certs
------------------
******************************************************************
Create Certificates:

It is, however, important to note that the common name listed in the certificate must be the same as the hostname the client connects to, or the client will either warn about or reject the certificate.
# openssl req -new -x509 -newkey rsa:2048 -sha256 -extensions v3_ca -nodes -days 999 -out cert.pem
Generating a 2048 bit RSA private key
..++++++
....++++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
-------------
# ls
.  ..  cert.pem  privkey.pem
# cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
# mv -f privkey.pem /etc/ssl/certs/skey.pem
# chown cyrus:mail /etc/ssl/certs/cert.pem /etc/ssl/certs/skey.pem
# chmod 600 /etc/ssl/certs/cert.pem /etc/ssl/certs/skey.pem   # Your key should be protected (both copies contain it)

Configuration file for the Cyrus master process.
It defines the startup procedures, services and events to be spawned by process »master«:

# vi /etc/cyrus.conf:
SERVICES {
  # add or remove based on preferences
  imap        cmd="imapd" listen="192.168.40.10:imap" prefork=0
  imaplocal   cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
  imaps       cmd="imapd -s" listen="192.168.40.10:imaps" prefork=0
  imapslocal  cmd="imapd -s -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
  pop3        cmd="pop3d" listen="pop3" prefork=0
  pop3s       cmd="pop3d -s" listen="pop3s" prefork=0
  sieve       cmd="timsieved" listen="192.168.40.10:sieve" prefork=0
  sievelocal  cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0
}
-------------------

To add the Cyrus user to the sasldb use the command:
saslpasswd2 -c cyrus
Password: (enter your password)
Again (for verification): (enter your password)

To use the »cyradm« CLI please take care that the tool does not recognize standard CLI options like -u and similar. Please follow the syntax as described in the man page »cyradm(1)«, like the following example:

# insserv cyrus
# /etc/init.d/cyrus start
# /etc/init.d/saslauthd restart
bond:~ # cyradm --user cyrus --server localhost --auth plain
Password:        # This is the SASL2 password
IMAP Password:   # This is the IMAP password that you need to enter in the table »accountusers«
localhost>
***********************************************************
> > > > Jan Scholten wrote:
> >> hi Carlos..
> >>
> >> Debugging SASL is a pain ;-)
> >>
> >> I don't really get what you want to do; if you have your setup
> >> running I assume your clients can get
> >> and send mail from/to your server. (Hope you aren't an open relay)
> >>
> >> So what for do you need a separate instance? What do you want to
> >> achieve?
> >>
> >> Jan
> >>
> >>
> >>
> >>
> >>> Hi all:
> >>> I have had WebCyradm working for a few months now, excellent work
> >>> from the devs.
> >>> I am stuck though in one little spot:
> >>> I need to make SASL authentication work, so any valid SMTP client
> >>> can forward through my server.
> >>> Would you recommend setting up a second instance of postfix-cyradm
> >>> to do that, in the same box, on a different TCP port?
> >>> Would you be able to give me some help / hints if I paste my
> >>> config files here? I tried the telnet localhost 25 test, and I am
> >>> not sure I'm pasting the right password for one of my valid email
> >>> accounts, because it says it got the user name, not the password.
> >>> I'm lost here. Thanks,
> >>> Carlos H.
> >>>
> >>
> >>
> >>
> >
> > _______________________________________________
> > This mailing list is hosted and supported
> > by bit-heads GmbH | http://www.bit-heads.ch
> >
> > _______________________________________________
> > Web-cyradm mailing list
> > [email protected]
> > http://www.web-cyradm.org/mailman/listinfo/web-cyradm
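For the imapd.conf notes above, here is an added example (not config from the thread, and not a file shipped by web-cyradm or Cyrus) that puts the posted "allowplaintext: yes" setting beside the hardened form. The hostname mail.example.org and the /etc/ssl/private path are assumptions.

```conf
# /etc/imapd.conf -- added example, not the original poster's file.
# mail.example.org and /etc/ssl/private/... are assumed names.

admins: cyrus
allowanonymouslogin: no
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN

# Weak (as posted): PLAIN and LOGIN are accepted on the cleartext port 143,
# so a client that never issues STARTTLS sends the password in the clear.
#allowplaintext: yes

# Hardened: PLAIN and LOGIN are offered and accepted only once the session
# is encrypted (after STARTTLS on 143, or on the imaps/pop3s services that
# run imapd -s / pop3d -s). sasl_mech_list stays the same.
allowplaintext: no

# The posted setup concatenates key and certificate into cert.pem and also
# names that file as tls_ca_file, so any copy of the "CA bundle" carries the
# private key. Keep the key in its own file, readable only by the cyrus user.
tls_cert_file: /etc/ssl/certs/mail.example.org.pem
tls_key_file: /etc/ssl/private/mail.example.org.key
tls_ca_file: /etc/ssl/certs/mail.example.org.pem
tls_ca_path: /etc/ssl/certs
```

With allowplaintext set to no, a client that connects to port 143 without STARTTLS will not see PLAIN or LOGIN in the CAPABILITY response at all, which is the quickest way to verify the setting took effect.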
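On the "telnet localhost 25" test mentioned in the thread: when an SMTP server answers AUTH LOGIN with "334 VXNlcm5hbWU6", that is only the base64 of "Username:", and the next prompt "334 UGFzc3dvcmQ6" is "Password:"; the client has to answer each with a base64 value, and for AUTH PLAIN the whole credential goes on one line. The script below is an added example written for this page (it is not code from the thread, from web-cyradm, Cyrus or Postfix): it produces the exact lines to paste for PLAIN and LOGIN, decodes the server's challenges, classifies the reply codes, and inspects an EHLO banner for PLAIN/LOGIN being offered on a still-cleartext session, which is what "allowplaintext: yes" without STARTTLS looks like on the wire. All user names, passwords and server lines are constructed sample data.

```python
# Added example for the thread above; not code from the original posts or
# from web-cyradm/Cyrus/Postfix. Builds SASL PLAIN and LOGIN strings for a
# manual SMTP/IMAP AUTH test, decodes server challenges, and checks an EHLO
# reply for plaintext mechanisms offered before STARTTLS.
# All user names, passwords and server lines here are constructed sample data.
import base64
import re


def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password), one line."""
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def login_responses(username, password):
    """LOGIN: the client answers two challenges, each with one base64 value."""
    return [base64.b64encode(username.encode()).decode("ascii"),
            base64.b64encode(password.encode()).decode("ascii")]


def sasl_decode(token):
    """Reverse of the encoders above, e.g. to inspect a captured AUTH line."""
    return base64.b64decode(token)


def decode_challenge(line):
    """Turn an SMTP '334 <b64>' or IMAP '+ <b64>' continuation into text.
    '334 VXNlcm5hbWU6' is the server asking for 'Username:', not an error."""
    m = re.match(r"^(?:334|\+)\s+(\S+)\s*$", line)
    if not m:
        raise ValueError("not a SASL continuation line: %r" % line)
    return base64.b64decode(m.group(1)).decode("utf-8", "replace")


def smtp_auth_lines(user, password, mech="PLAIN"):
    """Client lines to type into a manual 'telnet host 25' session after EHLO."""
    if mech == "PLAIN":
        return ["AUTH PLAIN " + plain_initial_response(user, password)]
    if mech == "LOGIN":
        return ["AUTH LOGIN"] + login_responses(user, password)
    raise ValueError("unsupported mechanism: %s" % mech)


def classify_reply(line):
    """Map the SMTP reply codes seen during AUTH (RFC 4954) to a verdict."""
    return {
        "334": "challenge",
        "235": "authenticated",
        "535": "auth-failed",
        "538": "encryption-required",
        "503": "bad-sequence",
        "504": "mech-not-supported",
    }.get(line[:3], "other")


def ehlo_risk(ehlo_lines, tls_active=False):
    """Parse a multi-line EHLO reply. Reports the AUTH mechanisms offered,
    whether STARTTLS is offered, and whether PLAIN/LOGIN are offered while
    the session is still cleartext (what allowplaintext: yes permits)."""
    mechs, starttls = set(), False
    for line in ehlo_lines:
        m = re.match(r"^250[- ](.*)$", line)
        if not m:
            continue
        words = m.group(1).split()
        if not words:
            continue
        key = words[0].upper()
        if key == "STARTTLS":
            starttls = True
        elif key == "AUTH" or key.startswith("AUTH="):
            # "AUTH=PLAIN LOGIN" is the legacy form Postfix emits for old clients
            first = [key[5:]] if key.startswith("AUTH=") else []
            mechs.update(w.upper() for w in first + words[1:])
    mechs.discard("")
    plaintext = bool(mechs & {"PLAIN", "LOGIN"})
    return {"mechs": sorted(mechs), "starttls": starttls,
            "plaintext_without_tls": plaintext and not tls_active}


if __name__ == "__main__":
    # Constructed sample session: what the client sends, what it should expect.
    for line in smtp_auth_lines("carlos", "secret", "LOGIN"):
        print("C:", line)
    for chal in ("334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6"):
        print("S:", chal, "->", decode_challenge(chal))
    banner = ["250-mail.example.org", "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
    print(ehlo_risk(banner))
```

To test a real server, send EHLO, then STARTTLS (or connect to 465 with openssl s_client), then the lines from smtp_auth_lines(); a 235 reply means the saslauthd path works, a 535 means the credentials were rejected by saslauthd, and a 538 means the server is correctly refusing PLAIN/LOGIN before encryption.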
