Last updated: 2016-09-30
Introduction
Postfix does not implement SASL itself, but instead uses existing implementations as building blocks.
This means that some SASL-related configuration files will belong to Postfix,
while other configuration files belong to the specific SASL implementation that Postfix will use.
The Postfix SMTP server is linked against the Cyrus SASL library (libsasl).
Checking
# List the SASL server implementations this Postfix build supports
postconf -a
cyrus dovecot
Install & Postfix Setting
# Install
yum install cyrus-sasl cyrus-sasl-plain
# The Cyrus SASL configuration file name is a concatenation of the value that the
# Postfix SMTP server sends to the Cyrus SASL library (smtpd_sasl_path) and the suffix .conf
/etc/postfix/main.cf
smtpd_sasl_type = cyrus
# The name of the configuration file. Default: smtpd  <= /etc/sasl2/smtpd.conf
smtpd_sasl_path = smtpd
# pwcheck_method selects the password verification service: "saslauthd" makes the
# Cyrus SASL library contact the saslauthd daemon, "auxprop" uses an auxprop plugin
# such as sasldb (the sasldb variant is shown here; the saslauthd setup follows below)
/etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
Allow AUTH only after TLS has been established
/etc/postfix/main.cf
# Default: no
smtpd_tls_auth_only = yes
saslauthd
# Version
saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
# Basic Test
# -a authmech (pam, shadow, sasldb ...)
saslauthd -a shadow
testsaslauthd -u tim -p xxxx
# Success:
0: OK "Success."
# Failure:
0: NO "authentication failed"
killall saslauthd
Service
To use PAM, start saslauthd with "-a pam".
vi /etc/sysconfig/saslauthd
MECH=pam
systemctl start saslauthd
systemctl enable saslauthd
P.S.
Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when using saslauthd!
It can only handle these two mechanisms, and authentication will fail if clients are allowed to choose other mechanisms.
Options
-c # Enable caching of authentication credentials
-s kbyte # size of the hash table
-t sec # expiration time of the authentication cache
-n threads # default: 5
-m path # Directory for the named socket, which is created as path/mux (default: /var/run/saslauthd)
-r # Combine the realm with the login (with an '@' sign in between).
# e.g. login: "foo" realm: "bar" will get passed as login: "foo@bar".
example (the socket is placed under the Postfix queue directory so a chrooted smtpd can reach it):
OPTIONS="-t 3600 -s 500 -m /var/spool/postfix/var/run/saslauthd -r"
pluginviewer
On CentOS 7, installing cyrus-sasl.i686 also provides pluginviewer.
It lists loadable SASL plugins and their properties.
OPTIONS
- -a List auxprop plugins.
- -s List server authentication (SASL) plugins.
e.g.
pluginviewer -a
Installed auxprop mechanisms are: sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
 supports store: yes
Postfix and the sasldb plugin
Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's capabilities.
# Configure Postfix to use sasldb
/etc/sasl2/smtpd.conf
# Whitespace separated list: 'auxprop', 'saslauthd', 'pwcheck', 'authdaemond'
pwcheck_method: auxprop
auxprop_plugin: sasldb
# Whitespace separated list of mechanisms to allow
mech_list: PLAIN LOGIN
# Path to the sasldb file
sasldb_path: /etc/sasldb/sasldb2-189
When this config file contains an error, the log shows the following:
Jun 1 15:32:02 vm postfix-189/smtpd[28677]: warning: SASL per-process initialization failed: generic failure
Jun 1 15:32:02 vm postfix-189/smtpd[28677]: fatal: SASL per-process initialization failed
Jun 1 15:32:03 vm postfix-189/master[28673]: warning: process /usr/libexec/postfix/smtpd pid 28677 exit status 1
Jun 1 15:32:03 vm postfix-189/master[28673]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
service postfix restart
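Added example, not from the original page: a small POSIX shell linter for /etc/sasl2/smtpd.conf that checks the two pitfalls described on this page before Postfix is restarted, the P.S. rule that saslauthd handles only PLAIN and LOGIN, and the auxprop/sasldb settings whose mistakes produce the "SASL per-process initialization failed" log above. The function names and the sample config values are my own.

```shell
#!/bin/sh
# sasl_conf_get KEY FILE: print the value of a "key: value" line, skipping
# comment lines (only the first match is printed).
sasl_conf_get() {
    sed -e 's/^[[:space:]]*#.*//' "$2" |
        awk -F':' -v k="$1" '$1 == k { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# sasl_conf_check FILE: return 0 if the smtpd.conf looks sane, 1 otherwise,
# printing one line per problem found.
sasl_conf_check() {
    conf="$1"; rc=0
    method=$(sasl_conf_get pwcheck_method "$conf")
    mechs=$(sasl_conf_get mech_list "$conf")
    plugin=$(sasl_conf_get auxprop_plugin "$conf")
    db=$(sasl_conf_get sasldb_path "$conf"); db=${db:-/etc/sasldb2}
    case "$method" in
        saslauthd)
            # saslauthd can only verify PLAIN and LOGIN; anything else fails at AUTH time
            for m in $mechs; do
                case "$m" in
                    PLAIN|LOGIN) ;;
                    *) echo "$conf: mech_list contains $m, but saslauthd only handles PLAIN LOGIN"; rc=1 ;;
                esac
            done ;;
        auxprop)
            [ -n "$plugin" ] || { echo "$conf: pwcheck_method auxprop needs auxprop_plugin (e.g. sasldb)"; rc=1; }
            # the database must exist and be readable (run as root; smtpd itself reads it as the postfix user)
            if [ "$plugin" = sasldb ] && [ ! -r "$db" ]; then
                echo "$conf: sasldb file $db is missing or not readable"; rc=1
            fi ;;
        *) echo "$conf: unknown or missing pwcheck_method '$method'"; rc=1 ;;
    esac
    [ -n "$mechs" ] || { echo "$conf: mech_list is empty; set it to PLAIN LOGIN"; rc=1; }
    return $rc
}

# Demo on a constructed config (values made up for this example).
demo=$(mktemp)
printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5\n' > "$demo"
sasl_conf_check "$demo" || echo "fix $demo before running: service postfix restart"
rm -f "$demo"
```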
# Berkeley DB database location
/etc/sasldb2
# DB Permission
chgrp postfix /etc/sasldb2
chmod g=r /etc/sasldb2   # default permission is -rw-r-----
# Create User
saslpasswd2 -c username
- -c # Creates an entry for the user if the user doesn't already exist.
- -d # Deletes the entry for the user.
- -u domain # use domain for user domain (realm).
- -f file # use file for sasldb (Default: /etc/sasldb2)
# List User
sasldblistusers2
xxx@xxx: userPassword
OR
# -f sasldb use given file as sasldb
sasldblistusers2 -f /etc/sasldb2
testsaslauthd
usage:
testsaslauthd [ -u username ] [ -p password ] [ -r realm ] [ -s servicename ] [ -f socket ] [ -R repeatnum ]
example:
testsaslauthd -u testuser -p password
If the result is:
connect() : No such file or directory 0:
then point it at the socket Postfix uses (the -m path given above):
testsaslauthd -u testuser -p password -f /var/spool/postfix/var/run/saslauthd/mux
Another way is to bind-mount that directory onto the default socket location:
mount --bind /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd/
0: NO "authentication failed"
DOC
http://asyd.net/docs/cyrus-options.html