Last updated: 2015-03-24
Introduction
Part I: Postfix configuration
The main.cf settings are as follows
# Note: the parameter name has a "d" (smtpd, not smtp)
smtpd_sasl_auth_enable = yes
# this is the default
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# The name of the Postfix SMTP server's local SASL authentication realm.
# Default: Null
smtpd_sasl_local_domain =
smtpd_sasl_type = dovecot
# relative to the Postfix queue directory, i.e. /var/spool/postfix/private/auth
# (main.cf does not allow trailing comments, so the note is on its own line)
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain
Postfix can append a domain name (or any other string) to a SASL login name that does not have a domain part,
e.g. "john" instead of "[email protected]":
Debian 6 package: dovecot-auth
# Postfix version >= 2.3 is required to use Dovecot SASL
Test:
postconf -a
cyrus
dovecot
Part II: Dovecot configuration
/etc/dovecot/dovecot.conf
auth default {
  mechanisms = plain login
  passdb pam {
  }
  userdb passwd {
  }
  # Not enabled by default on Debian 6
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
    # deliver and some other programs also need auth-master:
    #master {
    #  path = /var/run/dovecot/auth-master
    #  mode = 0600
    #}
  }
}
Mail header setting
Add the login name to the mail header
smtpd_sasl_authenticated_header (default: no)
smtpd_sasl_authenticated_header = yes
Matching the login name to the Return-Path
This feature stops other people from impersonating your own domain to send mail to your own users, but it does not protect against forged headers!!
smtpd_sender_restrictions
Applies in the context of a client "MAIL FROM:" command.
smtpd_sender_restrictions (default: empty) <== The default is to permit everything.
Restrictions are applied in the order as specified; the first restriction that matches wins.
smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, check_client_access hash:/etc/postfix/relay_ip, reject_sender_login_mismatch, permit_sasl_authenticated
reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps (default: empty) specifies an owner for the MAIL FROM address, but the client is not (SASL) logged in as that owner.
main.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-sender_login_maps.cf
proxy_read_maps = ... $smtpd_sender_login_maps
mysql-sender_login_maps.cf
user = ispconfig
password = ????
hosts = 127.0.0.1
port = 3306
dbname = dbispconfig
# ISPConfig keeps mailboxes in the mail_user table; the FROM clause must name that table
query = SELECT mail_user.email FROM mail_user WHERE mail_user.email='%s'
reject_sender_login_mismatch
It also has two more specific variants:
- reject_authenticated_sender_login_mismatch (enforces only case 2 below, for SASL-authenticated clients)
- reject_unauthenticated_sender_login_mismatch (enforces only case 1 below, for clients that are not logged in)
* Reject the request when
1. $smtpd_sender_login_maps specifies an owner for the MAIL FROM address
but the client is not (SASL) logged in as that MAIL FROM address owner;
2. the client is (SASL) logged in, but the client login name doesn't own the MAIL FROM address according to $smtpd_sender_login_maps
Usage
Method 1:
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_login_maps
# lookup table with the SASL login names that own sender (MAIL FROM) addresses.
# default: empty
The result of the table lookup must be either "not found" or a list of SASL login names separated by commas.
query = SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username='%s' AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.active=1
Method 2:
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
/etc/postfix/mysql/sender_login_maps.cf
user = vmail
password = ???????
hosts = 127.0.0.1
port = 3306
dbname = vmail
query = SELECT mailbox.username FROM mailbox WHERE mailbox.username='%s' AND mailbox.enablesmtp=1 AND mailbox.active=1
log:
553 5.7.1 <[email protected]>: Sender address rejected: not logged in
smtpd_reject_unlisted_recipient
# smtpd_reject_unlisted_recipient (default: yes)
smtpd_reject_unlisted_recipient = yes
# smtpd_reject_unlisted_sender (default: no)
smtpd_reject_unlisted_sender = yes
Cases in which smtpd_reject_unlisted_sender rejects the sender:
The sender domain matches $virtual_alias_domains but
the sender is not listed in $virtual_alias_maps.
The sender domain matches $virtual_mailbox_domains but
the sender is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps is not null.
The sender domain matches $relay_domains but the sender is not listed in $relay_recipient_maps, and $relay_recipient_maps is not null.
smtpd_sender_login_maps: optional lookup table with the SASL login names that own sender (MAIL FROM) addresses.
Search order:
user@domain
@domain
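To make the two rejection cases and the lookup order concrete, here is a small Python model of how reject_sender_login_mismatch consults smtpd_sender_login_maps. This is an added example, not Postfix code; the table contents, addresses and login names are constructed, and it assumes the client did not already match permit_mynetworks earlier in smtpd_sender_restrictions.

```python
# Added example (not from the original notes): models reject_sender_login_mismatch.
# Constructed stand-in for what the MySQL sender_login_maps query would return:
# key -> comma-separated list of SASL login names that own the sender address.
SENDER_LOGIN_MAP = {
    "alice@example.org": "alice@example.org",
    "sales@example.org": "alice@example.org, bob@example.org",
    "@lists.example.org": "listadmin@example.org",   # whole-domain owner entry
}

def lookup_owners(sender, table=SENDER_LOGIN_MAP):
    """Postfix search order: user@domain first, then @domain.
    Returns the list of owning login names, or None for 'not found'."""
    sender = sender.lower()
    keys = [sender]
    if "@" in sender:
        keys.append("@" + sender.split("@", 1)[1])
    for key in keys:
        if key in table:
            return [name.strip().lower() for name in table[key].split(",")]
    return None

def sender_login_mismatch(mail_from, sasl_login):
    """Return the reject text if reject_sender_login_mismatch would fire,
    otherwise None. sasl_login is None for a client that is not logged in."""
    owners = lookup_owners(mail_from)
    if sasl_login is None:
        # case 1: the address has an owner but nobody is logged in
        if owners is not None:
            return "Sender address rejected: not logged in"
        return None
    # case 2: logged in, but the login name is not an owner of MAIL FROM
    # (an address with no entry at all is also rejected for a logged-in client)
    if owners is None or sasl_login.lower() not in owners:
        return "Sender address rejected: not owned by user %s" % sasl_login
    return None

if __name__ == "__main__":
    print(sender_login_mismatch("alice@example.org", None))
    print(sender_login_mismatch("alice@example.org", "bob@example.org"))
```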
Advanced configuration
/etc/postfix/main.cf
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = datahunter.org
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
master.cf
# port 587
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_helo_restrictions=
  -o smtpd_sasl_authenticated_header=yes
  -o receive_override_options=no_header_body_checks,no_milters
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=
# port 465
#smtps inet n - n - - smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=
Notes:
[1]
Because main.cf has "receive_override_options = no_address_mappings" and header_checks,
master.cf needs the following setting
-o receive_override_options=no_header_body_checks,no_milters
[2]
If that port will also receive incoming mail, then it needs
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
Troubleshooting
<1> No "AUTH" after EHLO
After setting
smtpd_sasl_auth_enable = yes
telnet to port 25 and EHLO still do not show
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
remark:
250-AUTH=PLAIN LOGIN <-- (only present with "broken_sasl_auth_clients = yes")
The most likely cause is
smtpd_tls_auth_only = yes
<2> "No worthy mechs found"
Sep 9 15:50:27 vm postfix/smtp[20172]: warning: SASL authentication failure: No worthy mechs found
This same error message will also be logged when the libplain.so or liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
yum install cyrus-sasl-plain
<3> Windows client login fails
Without the "LOGIN" version, a lot of MS-based clients (windows live, outlook express) can no longer send mail using SMTP Auth.
The "AUTH" command is an ESMTP command (SMTP service extension) that is used to authenticate the client to the server.
AUTH can be combined with some other keywords as PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 to choose an authentication mechanism.
* Windows Live Mail needs "LOGIN"
AUTH PLAIN
The username and password are combined into one string and BASE64 encoded
AUTH LOGIN
The server asks for username and password by sending BASE64 encoded text (questions) to the client.
AUTH CRAM-MD5
combines a challenge-response mechanism for exchanging information with the cryptographic Message Digest 5 (MD5) algorithm to protect the important information.
* the server sends back a one-time BASE64 encoded "challenge" to the client
Dovecot settings
** Default: auth_mechanisms = plain
/etc/dovecot/dovecot.conf
auth_mechanisms = plain login
auth_verbose = yes
disable_plaintext_auth = no
Configuration (master.cf, test listener on port 2025)
2025 inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_security_level=none
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Test
telnet x.x.x.x 2025
ehlo myserver.net
Not seeing
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
# Cause:
smtpd_tls_auth_only = yes
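The EHLO check in the two troubleshooting sections and the AUTH PLAIN / AUTH LOGIN encodings described under <3> can be verified without guessing at base64 by hand. The helpers below are an added example, not code from the original notes or from Postfix/Dovecot; the EHLO reply and the credentials are constructed test values.

```python
# Added example (not from the original notes): inspect an EHLO reply for the
# AUTH advertisement and build/decode the AUTH PLAIN and AUTH LOGIN strings
# for checking your own submission listener.
import base64

# Constructed sample EHLO reply from a server with broken_sasl_auth_clients = yes
SAMPLE_EHLO = """250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN"""

def parse_ehlo_auth(ehlo_response):
    """Return (mechanisms, has_broken_client_form).
    '250-AUTH=...' is the non-standard line only sent when
    broken_sasl_auth_clients = yes. An empty mechanism list means AUTH is
    not offered, e.g. smtpd_tls_auth_only = yes on a non-TLS session."""
    mechs, broken_form = [], False
    for line in ehlo_response.splitlines():
        body = line[4:].strip() if line.startswith("250") else line.strip()
        if body.upper().startswith("AUTH="):
            broken_form = True
        elif body.upper().startswith("AUTH "):
            mechs = body.split()[1:]
    return mechs, broken_form

def auth_plain_initial_response(username, password, authzid=""):
    """AUTH PLAIN (RFC 4616): authzid NUL authcid NUL password, base64 as one string."""
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def decode_login_prompt(b64_prompt):
    """AUTH LOGIN: the server sends '334 <base64>' prompts; decode the question."""
    return base64.b64decode(b64_prompt).decode("utf-8")

def auth_login_reply(value):
    """AUTH LOGIN: the client answers each prompt with the base64 of the value."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    print(parse_ehlo_auth(SAMPLE_EHLO))
    print(auth_plain_initial_response("alice", "secret"))
    print(decode_login_prompt("VXNlcm5hbWU6"), decode_login_prompt("UGFzc3dvcmQ6"))
```

Both mechanisms only base64-encode the password, so the listener that offers them should be the TLS-protected one (smtpd_tls_auth_only = yes on port 25/587), which is exactly why the AUTH lines disappear on a plain-text telnet session.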