David Ballano wrote:
> Hello people,
>
> I'm new here, and I have a lot of questions for you, thanks in advance :)
>
>
> I'm configuring a postfix 2.3 server in a debian etch, it's my first
> time so I would like to do a simple configuration.
>
> I've been reading the documentation of postfix.org, believe me.
>
> That is what I've done
>
> 1- Installed Postfix
>
> that's my main.cf file (I'm following the Postfix virtual MAILBOX
> example: separate domains, non-UNIX accounts conf from postfix.org, so
> I added some things)
>
>

Next time, please show 'postconf -n'. Your eyes can play tricks on you vs. what Postfix sees.

> smtpd_sasl_path = smtpd
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, check_relay_domains
>
>

This is totally wrong.. you need to have reject_unauth_destination after permit_sasl_authenticated.

> myhostname = orion.ballano.net
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = ballano.net, orion.ballano.net, localhost.ballano.net,
> localhost
> relayhost =
> mynetworks = 127.0.0.0/8
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
>
> virtual_mailbox_domains = ballano.net
>

Do *not* list a domain in virtual_(mailbox|alias)_domains AND mydestination. Doing so will cause issues and postfix will complain and possibly hand off to the wrong delivery agent.

> virtual_mailbox_base = /var/mail/vhosts
> virtual_mailbox_maps = hash:/etc/postfix/vmailbox
>
> virtual_minimun_uid = 100
> virtual_uid_maps = static:5000
> virtual_gid_maps = static:5000
>
>
> My questions are, how can I secure the access to the smtp? I've been
> reading about sasl2 so I Installed sasl2 and saslauth daemon, (is in
> the same packet I think ??)
>
> saslauth is running
> ps wax | grep saslauthd
> 19707 ?  Ss  0:00 /usr/sbin/saslauthd -a pam -c -n 5
> 19708 ?  S   0:00 /usr/sbin/saslauthd -a pam -c -n 5
> 19709 ?  S   0:00 /usr/sbin/saslauthd -a pam -c -n 5
> 19710 ?  S   0:00 /usr/sbin/saslauthd -a pam -c -n 5
>
> auth with pam?? I don't want to create UNIX users.
>
> "/usr/local/lib/sasl2/smtpd.conf"
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>
> I also create a sasldb2 database but I don't know how to paste the
> whole thing...
>
> I want to authenticate my client with a secure layer, you know I don't
> want to send the pass and user in plain text. and the problem is that
> I'm not sure if this is the correct way to do it.
>
>

Experiment with setting: smtpd_tls_security_level = may and smtpd_tls_auth_only = yes. This forces clients to use TLS in order to AUTH and TLS is like OpenSSL for a connection.

Make sure to read http://www.postfix.org/SASL_README.html#server_cyrus and the documentation for Cyrus SASL.

If this is a private submission port, you can set smtpd_tls_security_level = encrypt, but this should NOT be on the smtp port of an MX.

Brian
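
The three problems pointed out in this reply can be checked mechanically against `postconf -n` output. The following is an added example, not part of the original thread and not a Postfix tool: `SAMPLE` is constructed from the settings quoted above, and the helper names (`parse`, `items`, `lint`) are hypothetical. It assumes literal list values and does not expand `$variables` or look inside lookup tables.

```python
import re

# Constructed sample: settings quoted in the thread, in `postconf -n` form.
SAMPLE = """\
mydestination = ballano.net, orion.ballano.net, localhost.ballano.net, localhost
virtual_mailbox_domains = ballano.net
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
"""

def parse(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    conf, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            conf[key] += " " + line.strip()
        elif "=" in line:
            key, _, val = line.partition("=")
            key = key.strip()
            conf[key] = val.strip()
    return conf

def items(conf, name):
    """Split a comma- or whitespace-separated list value."""
    return [v for v in re.split(r"[,\s]+", conf.get(name, "")) if v]

def lint(text):
    """Return warnings for the three issues raised in the reply."""
    conf, findings = parse(text), []
    rcpt = items(conf, "smtpd_recipient_restrictions")
    if "permit_sasl_authenticated" in rcpt:
        after = rcpt[rcpt.index("permit_sasl_authenticated") + 1:]
        if "reject_unauth_destination" not in after:
            findings.append("no reject_unauth_destination after permit_sasl_authenticated")
    local = set(items(conf, "mydestination"))
    for name in ("virtual_mailbox_domains", "virtual_alias_domains"):
        for dom in sorted(local & set(items(conf, name))):
            findings.append(f"{dom} is in both mydestination and {name}")
    if conf.get("smtpd_sasl_auth_enable") == "yes" and conf.get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH is offered without TLS (smtpd_tls_auth_only is not yes)")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("WARN:", finding)
```

On a live server, the input would be the text printed by `postconf -n` rather than the constructed sample.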