This page shows the differences between two versions of the page.
lpi2:postfix-sasl [2017/04/02 19:42]
lpi2:postfix-sasl [2022/05/20 20:43] (current)

====== User authentication for postfix ======
Prerequisites: [[postfix]] [[sasl]]

Using [[postfix-tls|SSL]] is recommended.

===== Required packages =====
  * ''postfix'' (SuSE)
  * ''postfix sasl2-bin'' (Debian from 4.0)
  * ''cyrus-sasl cyrus-sasl-plain'' (CentOS from 7)

===== postfix - saslauthd =====
''/etc/postfix/main.cf'':
<file>
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
broken_sasl_auth_clients = yes
</file>

''/etc/postfix/sasl/smtpd.conf'' on Debian (from 3.1)

''/etc/sasl2/smtpd.conf'' on openSuSE (from 11.4) and CentOS (from 4):

<file>
pwcheck_method: saslauthd
mech_list: plain login
</file>

__Attention__: problem with the Postfix chroot. A chrooted ''smtpd'' cannot reach the ''saslauthd'' socket outside the chroot.
Possible solutions: take Postfix ''smtpd'' out of the chroot, or place the ''saslauthd'' socket inside the chroot.

==== Configuration without Postfix chroot ====
Take the Postfix ''smtpd'' service out of the chroot environment. On CentOS and openSuSE (11.1) this is already the default.

''/etc/postfix/master.cf'':
<file>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
</file>

=== Testing saslauthd ===
<code>
testsaslauthd -s login -u username -p password
</code>

==== Configuration with Postfix chroot ====
Postfix ''smtpd'' runs inside the chroot environment. On Debian (4.0) this is the default.

''/etc/postfix/master.cf'':
<file>
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
</file>

=== Debian ===
''/etc/default/saslauthd'' (Debian 4.0):
<file>
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
</file>

<code>
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
rm -r /var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd restart
/etc/init.d/postfix restart
</code>

== SuSE 12.1 ==
<code>
mkdir -p /var/spool/postfix/var/run/
mv /var/run/sasl2 /var/spool/postfix/var/run/
ln -s /var/spool/postfix/var/run/sasl2 /var/run/sasl2
</code>

Not required, but may improve security:
<code>
groupadd sasl
groupmod -A postfix sasl
chgrp sasl /var/spool/postfix/var/run/sasl2
chmod 750 /var/spool/postfix/var/run/sasl2
</code>

<code>
/etc/init.d/saslauthd restart
/etc/init.d/postfix restart
</code>

=== Testing SASL ===
== Debian ==
<code>
testsaslauthd -u username -p password -f /var/spool/postfix/var/run/saslauthd/mux
</code>
== openSuSE 12.1 ==
<code>
testsaslauthd -u username -p password -s login -f /var/spool/postfix/var/run/sasl2/mux
</code>

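Whether ''smtpd'' is chrooted decides where it looks for the ''saslauthd'' socket, which is the point of the two ''master.cf'' variants and of the socket-relocation steps above. The following Python helper is an added example (not code from this wiki page or from Postfix): it parses a ''master.cf'' service line, honouring the ''-'' default of the chroot column, and returns the host-side path where the ''mux'' socket must exist before ''smtpd'' is restarted. The mux paths and the queue directory ''/var/spool/postfix'' are the ones used on this page; the function names are chosen here.

```python
import os
import posixpath

# Column order of a master.cf service line, as documented in master(5).
MASTER_CF_FIELDS = ("service", "type", "private", "unpriv", "chroot",
                    "wakeup", "maxproc")


def parse_master_cf_line(line, default_chroot=True):
    """Split one master.cf service line into a dict with a 'chrooted' flag.
    '-' in the chroot column means 'use the default'.  For the releases this
    page targets (Postfix < 3.0) that default is 'y'; Postfix 3.0 changed it
    to 'n', so pass default_chroot=False for a Postfix >= 3.0 master.cf.
    """
    fields = line.split()
    if len(fields) < 8 or fields[0].startswith("#"):
        raise ValueError("not a master.cf service line: %r" % line)
    entry = dict(zip(MASTER_CF_FIELDS, fields[:7]))
    entry["command"] = " ".join(fields[7:])
    chroot = entry["chroot"]
    if chroot == "-":
        entry["chrooted"] = default_chroot
    elif chroot in ("y", "n"):
        entry["chrooted"] = chroot == "y"
    else:
        raise ValueError("bad chroot column %r in %r" % (chroot, line))
    return entry


def saslauthd_mux_host_path(master_cf_line, mux_path="/var/run/saslauthd/mux",
                            queue_directory="/var/spool/postfix",
                            default_chroot=True):
    """Host-side path where smtpd will actually open the saslauthd socket.
    mux_path is the socket as smtpd sees it (Debian path from this page;
    openSuSE uses /var/run/sasl2/mux).  A chrooted smtpd resolves it relative
    to queue_directory, which is why the page moves the socket directory
    under /var/spool/postfix and symlinks the old location to it.
    """
    entry = parse_master_cf_line(master_cf_line, default_chroot)
    if not entry["chrooted"]:
        return mux_path
    return posixpath.join(queue_directory, mux_path.lstrip("/"))


def check_mux_socket(master_cf_line, **kwargs):
    """Pre-restart sanity check: (exists?, path) for the socket smtpd needs."""
    path = saslauthd_mux_host_path(master_cf_line, **kwargs)
    return os.path.exists(path), path
```

Run ''check_mux_socket'' with the ''smtp'' line from your own ''master.cf'' after placing the socket; a ''False'' result means ''smtpd'' will fail SASL authentication after the restart.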

===== postfix - auxprop =====
==== Required packages ====
''libsasl2-modules''
==== Relay server ====
''/etc/postfix/main.cf'':
<file>
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
broken_sasl_auth_clients = yes
</file>

''/etc/postfix/sasl/smtpd.conf'' on Debian (from 3.1)

''/usr/lib/sasl2/smtpd.conf'' on SuSE and CentOS (from 4):

<file>
pwcheck_method: auxprop
mech_list: plain login cram-md5 digest-md5
auxprop_plugin: sasldb
</file>

<code>
adduser postfix sasl
saslpasswd2 -c -u $(postconf -h myhostname) kimba
</code>

==== Relay client ====
''/etc/postfix/main.cf'':
<file>
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/relay-passwd
</file>

''/etc/postfix/sasl/relay-passwd'':
<file>
# postmap hash:/etc/postfix/sasl/relay-passwd
notebook12.linuxhotel.de kimba:uqu3Phoo
</file>

<code>
postmap hash:/etc/postfix/sasl/relay-passwd
</code>

===== Testing =====
=== Required packages ===
Debian:
''swaks'', ''libmime-perl'' or ''metamail''

=== swaks ===
<code>
swaks -f from@example.com -t to@example.com -s localhost -a -au nutzer14 -ap test -apt
</code>

=== netcat / telnet ===
Generate the encoded password:
<code>
perl -MMIME::Base64 -e 'print encode_base64("iw\0iw\0passwort")'
</code>
or:
<code>
echo -en "iw\0iw\0passwort" | mimencode
</code>

Test the authentication:
<code>
netcat -v localhost 25
220 notebook12.linuxhotel.de ESMTP Postfix (Debian/GNU)
EHLO localhost
250-localhost
250-AUTH LOGIN PLAIN
AUTH PLAIN aXcAaXcAdGVzdA==
235 Authentication successful
</code>

===== Enforcing encryption =====
''/etc/postfix/main.cf'':
<file>
smtpd_tls_auth_only = yes
</file>

With this setting ''smtpd'' announces and accepts AUTH only after STARTTLS, so credentials are never sent over an unencrypted connection.
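The ''netcat'' session above sends the credentials as a base64 string, which is encoding, not encryption: anyone who captures the session can decode it (the token in that session decodes to ''iw'', ''iw'', ''test''). The Python helpers below are an added example, not part of this wiki page: they build and decode a PLAIN initial response the way the perl/mimencode one-liners do, and check an EHLO reply for AUTH being advertised before STARTTLS, which ''smtpd_tls_auth_only = yes'' prevents. The EHLO samples are constructed here (one mirrors the page's session, the other a server with TLS-only AUTH), and the function names are chosen here.

```python
import base64

def plain_initial_response(authcid, password, authzid=""):
    """Build the AUTH PLAIN initial response (RFC 4616):
    base64(authzid NUL authcid NUL password), the same string the page's
    perl/mimencode one-liners produce."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL cannot appear inside a PLAIN field")
    raw = "%s\0%s\0%s" % (authzid, authcid, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_plain_initial_response(token):
    """Split a captured AUTH PLAIN token into (authzid, authcid, password).
    Useful when reviewing a pcap or a debug log of a plaintext session."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("a PLAIN response carries exactly three fields")
    return tuple(p.decode("utf-8") for p in parts)


def ehlo_capabilities(reply_lines):
    """Parse the server side of an EHLO reply into {KEYWORD: [params]}.
    The first 250 line carries the server's own name and is skipped."""
    caps = {}
    for line in reply_lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def auth_offered_in_clear(reply_lines):
    """True if AUTH is advertised on a session that has not done STARTTLS.
    With smtpd_tls_auth_only = yes this must be False before STARTTLS."""
    return "AUTH" in ehlo_capabilities(reply_lines)


# Constructed samples: an EHLO reply like the one in the page's session, and
# what a server with smtpd_tls_auth_only = yes answers before STARTTLS.
PLAINTEXT_EHLO = ["250-localhost", "250-AUTH LOGIN PLAIN", "250 8BITMIME"]
TLS_ONLY_EHLO = ["250-notebook12.linuxhotel.de", "250-STARTTLS", "250 8BITMIME"]
```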

===== Documentation =====
==== Debian ====
  * ''/usr/share/doc/sasl2-bin/README.Debian''