From 18962fafec9c71b36b55e9c7d7d1fc2b7e9e94b8 Mon Sep 17 00:00:00 2001 From: Christoph Date: Tue, 1 May 2018 15:11:47 +0200 Subject: [PATCH] SASL Auth: force ssl/tls connections. --- install_postfix_advanced.sh | 38 ++++++++++++++++++++++++++++++++++--- install_postfix_base.sh | 13 +++++++------ install_update_dovecot.sh | 6 +++++- 3 files changed, 47 insertions(+), 10 deletions(-) diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index 6597710..fc4f5fb 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh @@ -833,15 +833,31 @@ if $IS_RELAY_HOST ; then cat <> /etc/postfix/main.cf #======= SASL Authentification ============ + +# Enable SASL authentication smtpd_sasl_auth_enable = $SASL_AUTH_ENABLED + +# Only offer SMTP AUTH when talking over an encrypted connection +smtpd_tls_auth_only = yes + smtpd_sasl_type = cyrus smtpd_sasl_path = smtpd +# Disallow methods that allow anonymous authentication. smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options -smtpd_sasl_authenticated_header = yes -broken_sasl_auth_clients = yes +# Report the SASL authenticated user name in the smtpd(8) Received message header. +smtpd_sasl_authenticated_header = yes + +# Enable interoperability with remote SMTP clients that implement an obsolete version +# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook +# Express version 4 and MicroSoft Exchange version 5.0. +# +# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support +# in a non-standard way. +# +broken_sasl_auth_clients = yes ## - Optional lookup table with the SASL login names that own ## - sender (MAIL FROM) addresses. 
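Review bot: `smtpd_tls_auth_only = yes` only withholds AUTH on unencrypted sessions; it does not enable TLS, and nothing in this hunk (nor in the other two hunks that add the same line, the `else` branch of this file and install_postfix_base.sh) sets `smtpd_tls_security_level` or a certificate. If the generated main.cf leaves smtpd TLS off, AUTH is no longer advertised at all and submission breaks silently instead of being forced onto TLS. A comment above the new line would make that dependency explicit: `# Requires smtpd TLS to be enabled (smtpd_tls_security_level = may or encrypt); verify with: postconf -n smtpd_tls_security_level`. The seven-line manpage quote added above `broken_sasl_auth_clients` is repeated verbatim in the `else` branch; a one-line reference to postconf(5) would keep the heredoc readable. The heredoc this hunk edits begins before and ends after the hunk.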
@@ -868,6 +884,10 @@ else ## - smtpd_sasl_auth_enable = no +## - Only offer SMTP AUTH when talking over an encrypted connection +## - +smtpd_tls_auth_only = yes + ## - The SASL plug-in type that the Postfix SMTP server should use for authentication. ## - The available types are listed with the "postconf -a" command. ## - @@ -882,8 +902,20 @@ smtpd_sasl_type = dovecot ## - smtpd_sasl_path = private/dovecot-auth +# Disallow methods that allow anonymous authentication. smtpd_sasl_security_options = noanonymous -smtpd_sasl_authenticated_header = yes +smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options + +# Report the SASL authenticated user name in the smtpd(8) Received message header. +smtpd_sasl_authenticated_header = no + +# Enable interoperability with remote SMTP clients that implement an obsolete version +# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook +# Express version 4 and MicroSoft Exchange version 5.0. +# +# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support +# in a non-standard way. +# broken_sasl_auth_clients = yes diff --git a/install_postfix_base.sh b/install_postfix_base.sh index 7009c32..b87a02b 100755 --- a/install_postfix_base.sh +++ b/install_postfix_base.sh 
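Review bot: The comment added above `smtpd_sasl_authenticated_header = no` in the second hunk says the SASL user name is reported in the Received: header, but the value turns that off, while the relay-host branch earlier in this file keeps `yes` under the identical comment. If the difference is intended, the comment should state what the line does and why, e.g. `# Do not expose the SASL login name in Received: headers for submission clients (relay-host branch keeps it for traceability)`; if not, the two branches should agree, since that header is what lets an operator attribute abuse to an authenticated account. The `smtpd_tls_auth_only = yes` added in the first hunk sits next to context that still has `smtpd_sasl_auth_enable = no`, so it has no effect while SASL stays disabled there; a short comment saying it is pre-set for when SASL is switched on would avoid confusion. Both hunks edit a heredoc whose start and end lie outside them.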
@@ -602,20 +602,21 @@ if $SASL_AUTH ; then # Enable SASL authentication smtp_sasl_auth_enable = yes +# Only offer SMTP AUTH when talking over an encrypted connection +smtpd_tls_auth_only = yes + # Forwarding to the ip-adress of host b.mx.oopen.de relayhost = [${RELAY_HOST}] # File including login data smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -# Force using a (TLS) security connection -# obsulete - use smtp_tls_security_level instead -#smtp_use_tls = yes -#smtp_tls_enforce_peername = no -smtp_tls_security_level = encrypt - # Disallow methods that allow anonymous authentication. smtp_sasl_security_options = noanonymous +smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options + +# Report the SASL authenticated user name in the smtpd(8) Received message header. +smtpd_sasl_authenticated_header = no diff --git a/install_update_dovecot.sh b/install_update_dovecot.sh index a5e12a4..3d86449 100755 --- a/install_update_dovecot.sh +++ b/install_update_dovecot.sh @@ -2015,6 +2015,8 @@ EOF ## - /etc/postfix/main.cf ## - ## - add/uncomment: + ## - + ## - smtpd_tls_auth_only ## - ## - smtpd_sasl_type = dovecot ## - smtpd_sasl_path = private/dovecot-auth @@ -2030,7 +2032,9 @@ EOF _failed=false echononl "\tAdjust /etc/postfix/main.cf" - perl -i.$backup_date -n -p -e "s#^(\s*)(smtpd_sasl_auth_enable\ *=.*)#smtpd_sasl_auth_enable = no#" \ + perl -i.$backup_date -n -p -e "s#^(\s*)(smtpd_tls_auth_only\ *=.*)#smtpd_tls_auth_only = yes#" \ + /etc/postfix/main.cf || _failed=true + perl -i -n -p -e "s#^(\s*)(smtpd_sasl_auth_enable\ *=.*)#smtpd_sasl_auth_enable = no#" \ /etc/postfix/main.cf || _failed=true perl -i -n -p -e "s#^(\s*)(smtpd_sasl_type\ *=.*)#smtpd_sasl_type = dovecot#" \ /etc/postfix/main.cf || _failed=true
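Review bot: Removing `smtp_tls_security_level = encrypt` drops the only setting in this block that forces TLS on the client connection to `relayhost`; the lines added in its place (`smtpd_tls_auth_only`, `smtpd_sasl_tls_security_options`, `smtpd_sasl_authenticated_header`) are smtpd(8) server parameters and do not govern the outbound smtp(8) session, so the credentials from `smtp_sasl_password_maps` could now be sent over an unencrypted link, the opposite of what the commit subject says. Keep the removed line and make plaintext mechanisms conditional on TLS: `smtp_tls_security_level = encrypt`, `smtp_sasl_security_options = noplaintext, noanonymous`, `smtp_sasl_tls_security_options = noanonymous`. In the last install_update_dovecot.sh hunk the new perl substitution only rewrites an existing `smtpd_tls_auth_only` line and exits 0 when the key is absent, so `_failed` stays false and the setting is silently not applied even though the comment above says "add/uncomment"; `postconf -e 'smtpd_tls_auth_only = yes' || _failed=true` adds or replaces it. The `if $SASL_AUTH` heredoc and the dovecot adjustment block both continue outside their hunks.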