Hi,
I figured out, by accident, that although I hoped I was using
/etc/postfix/sasl_passwd.db
as my authentication store, I wasn't. I'm using regular login
stuff, a la PAM. So anyone in my /etc/passwd file can send
authenticated email.
What I'd like to do is change that so you can only send authenticated
email if you're in /etc/postfix/sasl_passwd.db.
My email server is smail. So this:
[r...@smail ~]# more /etc/postfix/sasl_passwd
smail.arlut.utexas.edu user1:clearpass
followed by this:
postmap hash:/etc/postfix/sasl_passwd
should set up user1 to be authenticated by the password clearpass
when sending email through the host smail. Right?
The groovy part of /etc/postfix/main.cf:
#-------------------------------------------------------------------------------
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
cyrus_sasl_config_path = /usr/lib64/sasl2
smtp_sasl_type = cyrus
smtpd_sasl_type = cyrus
smtpd_sasl_local_domain = $myhostname
#-------------------------------------------------------------------------------
Now, is the stuff I need to change in the part above? Or is it in
saslauthd's smtpd.conf?
more /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
log_level: 5
mech_list: PLAIN LOGIN CRAM-MD5
What I'm really after: I want to control (in a way I understand)
which users get to send authenticated email.
I know how to disable passwords for users in /etc/passwd, /etc/shadow,
but I don't want root sending authenticated email. Yet I also don't want
to disable root's password. Is there something I don't know?
I thought I couldn't prevent root authentication for email and still
let root log in.
So, I thought /etc/postfix/sasl_passwd would be the ticket.
List the users there and that's that. Well, I find that I've
been testing using a user not in sasl_passwd. The tests have worked.
So I'm clearly going against /etc/passwd.
But I thought saslauthd did not support cram-md5 and digest-md5, and
I want to use md5 to encrypt the passwords. Or at least allow it.
Thus, I had to have PLAIN LOGIN in smtpd.conf. I surmise that
mech_list: PLAIN LOGIN is turning on logging in through /etc/passwd.
Clearly, I'm a noob.
j.
--
Jay Scott 512-835-3553 [email protected]
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div. S224
University of Texas at Austin
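
Added example (not part of the original post, and not Postfix or Cyrus SASL code): a Python check over constructed copies of the two files quoted above, reporting which settings govern verification of logins to smtpd. It relies on two documented behaviours: smtp_* parameters configure the Postfix SMTP client, and saslauthd verifies only plaintext mechanisms (PLAIN, LOGIN). The function names are hypothetical.

```python
# Constructed copies of the settings quoted in the post (not read from disk).
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_type = cyrus
"""
SMTPD_CONF = """\
pwcheck_method: saslauthd
log_level: 5
mech_list: PLAIN LOGIN CRAM-MD5
"""

def parse_main_cf(text):
    """main.cf: 'name = value'; a line starting with whitespace continues the value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] = (params[last] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            last = name.strip()
            params[last] = value.strip()
    return params

def parse_sasl_conf(text):
    """Cyrus SASL application config: 'option: value' per line."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(main_cf, sasl_conf):
    """Hypothetical helper: report what actually verifies logins to smtpd."""
    p, s = parse_main_cf(main_cf), parse_sasl_conf(sasl_conf)
    verifier = s.get("pwcheck_method")
    mechs = s.get("mech_list", "").split()
    return {
        # smtp_* (no "d") settings are used when Postfix logs in to another server.
        "client_side_only": sorted(k for k in p if k.startswith("smtp_sasl_")),
        "server_auth_enabled": p.get("smtpd_sasl_auth_enable") == "yes",
        "server_verifier": verifier,
        # saslauthd receives a plaintext password, so only PLAIN and LOGIN work with it.
        "unusable_mechs": [m for m in mechs if verifier == "saslauthd"
                           and m not in ("PLAIN", "LOGIN")],
    }

if __name__ == "__main__":
    for key, value in audit(MAIN_CF, SMTPD_CONF).items():
        print(f"{key}: {value}")
```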