On 04/08/2013 01:32 AM, LuKreme wrote:
> I've long used pop-before-smtp to allow authenticated users a short window in
> which to send mail, but now that I've set up postfix 2.8.14 I want to also set up
> secure submission on port 587 with ssl and something like Kerberos 5 or MD5
> challenge/response (or, frankly, even password) over SSL.
>
> I built postfix with:
>
> make -f Makefile.init makefiles \
>     'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' \
>     'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'
>
> Seems to work:
> # postconf -a
> cyrus
> dovecot
> # postconf -A
> cyrus
>
> Also, the SASL Readme says:
> Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
> Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.
>
> (I am running 2.1.22_2)

I would personally recommend using dovecot for SASL, especially if you don't need client SASL (from postfix to remote servers); dovecot is way, way easier to set up, and evolves quite nicely.

It's also ridiculously easy to set up from scratch:

http://www.postfix.org/SASL_README.html#server_dovecot


> postconf -n
> smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce,
>     check_sender_access hash:$config_directory/backscatter, permit
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname, permit
> smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient,
>     reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks,
>     check_client_access hash:$config_directory/pbs, permit_sasl_authenticated,
>     reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender,
>     reject_unknown_reverse_client_hostname,
>     warn_if_reject reject_unknown_client_hostname,
>     check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit
>     check_sender_access pcre:$config_directory/sender_access.pcre,
>     check_client_access pcre:$config_directory/check_client_fqdn.pcre,
>     check_recipient_access pcre:$config_directory/recipient_checks.pcre,
>     check_client_access hash:$config_directory/access,
>     reject_rbl_client zen.spamhaus.org, permit
> smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs,
>     permit_sasl_authenticated, permit_mynetworks

Submission should disable all of the above (in master.cf) except "smtpd_recipient_restrictions=permit_sasl_authenticated,reject". You can prefix that with any reject_ restrictions you wish to impose on your users, such as a proper sender and/or recipient domain. The clue is that there should be no permit_ rules before /or/ after permit_sasl_authenticated, and the last rule should be an explicit "reject".

--
J.
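As an added illustration of the advice in J.'s reply (this is example code written for this page, not code from the thread, from LuKreme's configuration, or from the Postfix project): a small Python checker that applies the rule "no permit_ rules before or after permit_sasl_authenticated, and an explicit reject last" to a restriction list. It runs the check against the quoted port-25 smtpd_recipient_restrictions, which violate the rule as a submission policy (permit_mynetworks sits before permit_sasl_authenticated and the list ends in permit), and against a constructed master.cf submission entry that follows the reply. The master.cf entry is an assumption built from standard Postfix parameter names; the service fields and the choice of overrides are illustrative, not the poster's.

```python
"""Added example (not part of the thread): check an smtpd restriction list
against the submission rule stated in the reply above, namely no permit_*
rule before or after permit_sasl_authenticated and an explicit 'reject' last.
The master.cf entry below is constructed for illustration."""
import re

# Constructed submission entry for master.cf (an assumption, not the poster's).
# The -o overrides empty every restriction list inherited from main.cf and
# replace the recipient list with the two-entry policy from the reply.
MASTER_CF_SUBMISSION = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_data_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
"""

# The poster's port-25 smtpd_recipient_restrictions as quoted in the thread
# (archive line wrapping removed, nothing else changed).
MAIN_CF_RECIPIENT_RESTRICTIONS = (
    "reject_non_fqdn_sender, reject_non_fqdn_recipient, "
    "reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, "
    "check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, "
    "reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, "
    "reject_unknown_reverse_client_hostname, warn_if_reject "
    "reject_unknown_client_hostname, check_client_access "
    "cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access "
    "pcre:$config_directory/sender_access.pcre, check_client_access "
    "pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access "
    "pcre:$config_directory/recipient_checks.pcre, check_client_access "
    "hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit"
)

# Restrictions that take a following argument (a lookup table, a DNSBL
# domain, a policy server); the argument must stay attached to its keyword.
TABLE_RESTRICTIONS = {
    "check_client_access", "check_helo_access", "check_sender_access",
    "check_recipient_access", "check_policy_service", "reject_rbl_client",
    "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_recipient",
    "reject_rhsbl_helo", "permit_dnswl_client",
}


def _take(words, i):
    """Return (restriction, next_index) for the restriction starting at words[i]."""
    w = words[i]
    if w == "warn_if_reject" and i + 1 < len(words):
        inner, j = _take(words, i + 1)          # modifier wraps the next restriction
        return w + " " + inner, j
    if w in TABLE_RESTRICTIONS and i + 1 < len(words):
        return w + " " + words[i + 1], i + 2    # keyword plus its table/argument
    return w, i + 1


def tokenize_restrictions(value):
    """Split a Postfix restriction list into individual restrictions.
    Postfix accepts commas and/or whitespace as separators, which is why the
    quoted list still parses despite a missing comma in the middle."""
    words = [w for w in re.split(r"[,\s]+", value.strip()) if w]
    tokens, i = [], 0
    while i < len(words):
        token, i = _take(words, i)
        tokens.append(token)
    return tokens


def check_submission_policy(value):
    """Apply the reply's rule to a submission restriction list and return a
    list of findings (an empty list means the list follows the rule)."""
    tokens = tokenize_restrictions(value)
    findings = []
    if not tokens:
        return ["restriction list is empty"]
    if "permit_sasl_authenticated" not in tokens:
        findings.append("permit_sasl_authenticated is missing")
    for t in tokens:
        keyword = t.split()[0]
        if keyword.startswith("permit") and t != "permit_sasl_authenticated":
            findings.append(f"{t!r} permits clients that did not authenticate")
    if tokens[-1] != "reject":
        findings.append(f"last rule is {tokens[-1]!r}, should be an explicit 'reject'")
    # check_*_access tables are not flagged here because their verdict depends
    # on the table contents; on a submission service they deserve a review too.
    return findings


def master_cf_overrides(entry):
    """Collect the '-o name=value' overrides of one master.cf service entry."""
    overrides = {}
    for line in entry.splitlines():
        m = re.match(r"\s+-o\s+([A-Za-z0-9_]+)=(.*)$", line)
        if m:
            overrides[m.group(1)] = m.group(2).strip()
    return overrides


if __name__ == "__main__":
    print("port 25 list:", check_submission_policy(MAIN_CF_RECIPIENT_RESTRICTIONS) or "ok")
    sub = master_cf_overrides(MASTER_CF_SUBMISSION)
    print("submission list:", check_submission_policy(sub["smtpd_recipient_restrictions"]) or "ok")
```

Run as a script it reports three findings for the port-25 list (permit_mynetworks, the trailing permit, and the missing final reject) and "ok" for the submission override. The check is deliberately narrow: it encodes only the ordering rule from the reply, so a check_*_access table that returns OK for unauthenticated clients (the pop-before-smtp table, for instance) has to be reviewed by hand.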
