191 lines
6.2 KiB
Plaintext
191 lines
6.2 KiB
Plaintext
## - Configure a postfix server to act as relay host for
|
|
## - AUTENTiCATED clients
|
|
## -
|
|
## - see also Postfix SASL Howto:
|
|
## - http://www.postfix.org/SASL_README.html
|
|
## - http://www.synology-wiki.de/index.php/Mail-Relay_mit_Postfix
|
|
## -
|
|
|
|
|
|
## - Todo:
|
|
## - 1.) Configuring SASL authentication in the Postfix SMTP server
|
|
## - - Configuring Cyrus SASL - using accounts are stored in a Cyrus SASL
|
|
## - Berkeley DB database
|
|
## - 2.) Configuring SASL authentication in the Postfix SMTP/LMTP client
|
|
|
|
## - ------------------------------------------------------------- - ##
|
|
## - 1. Configuring SASL authentication at the Postfix SMTP server - ##
|
|
## - ------------------------------------------------------------- - ##
|
|
|
|
## -----------------------------
|
|
## - Create the sasldb2 Database
|
|
## -
|
|
## - To create and maintain the database, we will user the
|
|
## - command-line utility "saslpasswd2". So, we have to install
|
|
## - the packages sasl2-bin
|
|
## -
|
|
apt-get install sasl2-bin
|
|
|
|
|
|
## - The sasldb auxprop plugin authenticates SASL clients against credentials
|
|
## - that are stored in a Berkeley DB database. The database schema is specific
|
|
## - to Cyrus SASL. The database is usually located at /etc/sasldb2
|
|
## -
|
|
## - !!!!
|
|
## - NOTE: in chrooted postfix, thats if chroot in master.cf is not set (have
|
|
## - "-") or is set to yes (have "y"), the database "sasdb2" ist
|
|
## - searched in the chrooted path. In debian it is file
|
|
## - /var/spool/postfix/etc/sasldb2
|
|
## - !!!!
|
|
## -
|
|
|
|
|
|
## - Create a new account
|
|
## -
|
|
## - Note:
|
|
## - 1.) usernames of accounts are of the Form:
|
|
## - <username>@<domain> and NOT <username>
|
|
## -
|
|
## - 2.) The database-file defaults to "/etc/sasldb2". But on chrooted
|
|
## - postfix (as we have), the database file must placed to
|
|
## - /var/spool/postfix/etc/sasldb2 - on default debian postfix
|
|
## - install. So use flag "-f"
|
|
## -
|
|
saslpasswd2 -c -u b.mx.oopen.de <username> -f /var/spool/postfix/etc/sasldb2
|
|
|
|
## - Check with command-line utility "sasldblistusers2"
|
|
## -
|
|
sasldblistusers2 -f /var/spool/postfix/etc/sasldb2
|
|
|
|
|
|
## ------------------------------------------------
|
|
## - Configure and Enable Cyrus SASL authentication
|
|
|
|
|
|
## - in /etc/postfix/main.cf set:
|
|
## -
|
|
## - smtpd_sasl_type = cyrus
|
|
## -
|
|
## - # Define the name of the configuration file. Cyrus SASL add's the
|
|
## - # suffix ".conf". The location where Cyrus SASL searches for the named
|
|
## - # file depends on the Cyrus SASL version and the OS/distribution used.
|
|
## - # For debian it is: /etc/postfix/sasl/
|
|
## - smtpd_sasl_path = smtpd
|
|
## -
|
|
## - # enable SASL authentication
|
|
## - smtpd_sasl_auth_enable = yes
|
|
## -
|
|
## - # Disallow methods that allow anonymous authentication.
|
|
## - smtpd_sasl_security_options = noanonymous
|
|
## - smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
|
|
## -
|
|
## - # Do not accept SASL authentication over unencrypted connections
|
|
## - smtpd_tls_auth_only = yes
|
|
## -
|
|
vim /etc/postfix/main.cf
|
|
|
|
## - create /etc/postfix/sasl/smtpd.conf
|
|
## -
|
|
## - pwcheck_method: auxprop
|
|
## - auxprop_plugin: sasldb
|
|
## - mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
|
|
## -
|
|
## - Take care only to use provided login mechanisms
|
|
## - # saslpluginviewer -x AUXPROP_MECHS
|
|
## -
|
|
vim /etc/postfix/sasl/smtpd.conf
|
|
|
|
|
|
## - To allow (dynamic) ip-adresses to relay, even if they ar blacklistet
|
|
## - you can use permit_sasl_authenticated in postfix smtpd_relay_restrictions
|
|
## - BEFOR checking against blacklists
|
|
## -
|
|
## - in /etc/postfix/main.cf set:
|
|
## -
|
|
## - smtpd_recipient_restrictions =
|
|
## - ...
|
|
## - # permit trusted network mynetwork
|
|
## - permit_mynetworks,
|
|
## - # sasl authenticated user (we work as relayhost for some office networks)
|
|
## - permit_sasl_authenticated,
|
|
## - # dont' accept misconfigured Mail
|
|
## - reject_non_fqdn_recipient,
|
|
## - reject_unknown_sender_domain,
|
|
## - reject_unknown_recipient_domain,
|
|
## - reject_unlisted_recipient,
|
|
## - # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
|
|
## - permit_dnswl_client dnswl.oopen.de,
|
|
## - #reject_rbl_client zen.spamhaus.org,
|
|
## - reject_rbl_client ix.dnsbl.manitu.net,
|
|
## - reject_rbl_client bl.spamcop.net,
|
|
## - reject_rbl_client dnsbl.njabl.org,
|
|
## - # Policyd-Weight
|
|
## - ...
|
|
## -
|
|
vim /etc/postfix/main.cf
|
|
|
|
|
|
## - --------------------------------------------------------------- - ##
|
|
## - Configuring SASL authentication in the Postfix SMTP/LMTP client - ##
|
|
## - --------------------------------------------------------------- - ##
|
|
|
|
|
|
## - Notice: you have to install Pluggable Authentication Modules for SASL
|
|
## - for debian: install package libsasl2-modules
|
|
## -
|
|
apt-get install libsasl2-modules
|
|
|
|
|
|
## - Edit file /etc/postfix/main.cf and set:
|
|
## -
|
|
## - # Enable SASL authentication
|
|
## - smtp_sasl_auth_enable = yes
|
|
## -
|
|
## - # Forwarding to the ip-adress of host b.mx.oopen.de
|
|
## - relayhost = [b.mx.oopen.de]
|
|
## -
|
|
## - # File including login data
|
|
## - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
|
|
## -
|
|
## - # Force using a (TLS) security connection
|
|
## - # obsulete - use smtp_tls_security_level instead
|
|
## - #smtp_use_tls = yes
|
|
## - #smtp_tls_enforce_peername = no
|
|
## - smtp_tls_security_level = encrypt
|
|
## -
|
|
## - # Disallow methods that allow anonymous authentication.
|
|
## - smtp_sasl_security_options = noanonymous
|
|
## -
|
|
vim /etc/postfix/main.cf
|
|
|
|
|
|
## - Enter SASL account data into file /etc/postfix/sasl_passwd
|
|
## -
|
|
## - <relayhost> <username>:<password>
|
|
## -
|
|
## - Note: if relayhost is configured as above, username is of the form
|
|
## - <username>@<domain>
|
|
## -
|
|
vim /etc/postfix/sasl_passwd
|
|
|
|
## - Important
|
|
## -
|
|
## - Keep the SASL client password file in /etc/postfix, and make the file
|
|
## - read+write only for root to protect the username/password combinations against
|
|
## - other users. The Postfix SMTP client will still be able to read the SASL
|
|
## - client passwords. It opens the file as user root before it drops privileges,
|
|
## - and before entering an optional chroot jail.
|
|
## -
|
|
chown root:root /etc/postfix/sasl_passwd
|
|
chmod 600 /etc/postfix/sasl_passwd
|
|
|
|
## - Create databasefile of /etc/postfix/sasl_passwd
|
|
## -
|
|
postmap /etc/postfix/sasl_passwd
|
|
|
|
|
|
## - Reload postfix
|
|
## -
|
|
/etc/init.d/postfix reload
|
|
|