[opensuse] Setting up new email server on 10.3
Hi all,
I'm getting around to setting up my email server on opensuse 10.3 to migrate from an older setup. It's a clean 10.3 install. I've used postfix-cyrus imap-amavis-spamassassin-sieve in the past and like that setup.
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
Many thanks,
Jim F
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Hi all,
I'm getting around to setting up my email server on opensuse 10.3 to migrate from an older setup. It's a clean 10.3 install. I've used postfix-cyrus imap-amavis-spamassassin-sieve in the past and like that setup.
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
Many thanks,
Jim F
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
-- ----------JSA---------
John Andersen wrote:
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Hi all,
I'm getting around to setting up my email server on opensuse 10.3 to migrate from an older setup. It's a clean 10.3 install. I've used postfix-cyrus imap-amavis-spamassassin-sieve in the past and like that setup.
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
Many thanks,
Jim F
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
OK, I see how that will take care of cyrus imap, but do I need to do anything different with postfix to have that accept emails from those cyrus users, or will it already know that?
Thanks,
Jim
John Andersen wrote:
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Hi all,
I'm getting around to setting up my email server on opensuse 10.3 to migrate from an older setup. It's a clean 10.3 install. I've used postfix-cyrus imap-amavis-spamassassin-sieve in the past and like that setup.
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
Many thanks,
Jim F
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
OK, as root I set a password for user cyrus, and now can log into cyradm. There was my one user mailbox there already. I created another user (mailbox), but don't see where to set a password for that user in cyradm.
I "think" I need to change the way cyrus authenticates, in /etc/sysconfig, but am unsure exactly how to do this and which auth scheme to use. Can anyone give me some guidance with this?
Many thanks,
Jim
Jim Flanagan wrote:
John Andersen wrote:
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
Hi all,
I'm getting around to setting up my email server on opensuse 10.3 to migrate from an older setup. It's a clean 10.3 install. I've used postfix-cyrus imap-amavis-spamassassin-sieve in the past and like that setup.
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
OK, as root I set a password for user cyrus, and now can log into cyradm. There was my one user mailbox there already. I created another user (mailbox), but don't see where to set a password for that user in cyradm.
I "think" I need to change the way cyrus authenticates, in /etc/sysconfig, but am unsure exactly how to do this and which auth scheme to use. Can anyone give me some guidance with this?
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side for saslauthd you can set it up pretty easy, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against, that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
-- Sandy List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
Sandy Drobic wrote:
Jim Flanagan wrote:
John Andersen wrote:
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan <linuxjim@jjfiii.com> wrote:
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
OK, as root I set a password for user cyrus, and now can log into cyradm. There was my one user mailbox there already. I created another user (mailbox), but don't see where to set a password for that user in cyradm.
I "think" I need to change the way cyrus authenticates, in /etc/sysconfig, but am unsure exactly how to do this and which auth scheme to use. Can anyone give me some guidance with this?
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side for saslauthd you can set it up pretty easy, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against, that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me. That's all I can think of for now.
Thanks for any assistance.
Jim
Jim Flanagan wrote:
Sandy Drobic wrote:
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side for saslauthd you can set it up pretty easy, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against, that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for
Okay. Do yourself a favor and use the same certificate for all services, so users only have to import and verify one certificate instead of several.
that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around
You can encrypt unauthenticated mail delivery, it is completely independent of smtp auth. For example, if I send a mail to the opensuse listserver the transmission will be TLS encrypted but not authenticated.
too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
There's not much use for encryption if you have to relay via your provider anyway.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end:
Postfix domain classes:
  mydestination:          user1@example.com = user1@example.net
                          loginname: user1
  virtual_mailbox_domain: user1@example.com != user1@example.net
                          loginname: user1@example.com user1@example.net
So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me. That's all I can think of for now.
Okay, so we only need to consider Postfix/Cyrus/Squirrelmail/saslauthd.
A basic setup would look like this:
saslauthd is installed (and also the sasl libraries for the mechs) and configured to auth against pam. This is the default for saslauthd, so you should be able to use it out of the box:
saslauthd and PAM should already have these settings out of the box:
Saslauthd: /etc/sysconfig/saslauthd:
  SASLAUTHD_AUTHMECH="pam"
PAM: /etc/pam.d/imap
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/pop
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/sieve
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/smtp
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
Postfix might need manual work:
Postfix: /etc/sasl2/smtpd.conf:
  pwcheck_method: saslauthd
  mech_list: plain login
/etc/postfix/main.cf:
  # auth
  smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_local_domain =
  smtpd_sasl_security_options = noanonymous
  # tls
  smtpd_tls_CApath = /etc/postfix/certs
  smtpd_tls_auth_only = yes
  smtpd_tls_cert_file = /etc/postfix/certs/server.crt
  smtpd_tls_key_file = /etc/postfix/certs/server.key
  smtpd_tls_security_level = may
Cyrus: /etc/cyrus.conf:
  # activate tls/ssl encryption
  SERVICES {
    imaps cmd="imapd -s" listen="imaps" proto="tcp4" prefork=0
    pop3s cmd="pop3d -s" listen="pop3s" proto="tcp4" prefork=0
  }
/etc/imapd.conf:
  # auth
  sasl_pwcheck_method: saslauthd
  sasl_security_options: noanonymous
  sasl_mech_list: plain login
  # tls
  tls_cert_file: /var/lib/imap/ssl/server.crt
  tls_key_file: /var/lib/imap/ssl/server.key
  tls_ca_path: /usr/ssl/CA
A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.
-- Sandy
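As an added check that is not part of the thread or of any openSUSE package: a small shell audit of the settings above. It reads a Postfix main.cf and a Cyrus imapd.conf and reports where the cleartext SASL mechanisms (plain, login) would be offered without TLS, where noanonymous is missing, and where reject_unauth_destination is absent from the recipient restrictions. The two main.cf fragments are constructed from the thread's own listing: the first carries only the auth section, the second adds the tls section. The parser assumes one `key = value` (Postfix) or `key: value` (Cyrus) per line, with no `$variable` expansion and no line continuation.

```shell
#!/bin/sh
# Audit the Postfix/Cyrus settings discussed in the thread. Cleartext SASL
# mechanisms (plain, login) are only acceptable when TLS is in place.
# All three files below are constructed for this example.

WEAK_MAIN_CF=$(mktemp); HARD_MAIN_CF=$(mktemp); IMAPD_CONF=$(mktemp)
trap 'rm -f "$WEAK_MAIN_CF" "$HARD_MAIN_CF" "$IMAPD_CONF"' EXIT

# Auth enabled, but no tls section yet.
cat >"$WEAK_MAIN_CF" <<'EOF'
# auth
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
EOF

# Same, plus the tls section: AUTH is only announced after STARTTLS.
cat >"$HARD_MAIN_CF" <<'EOF'
# auth
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
# tls
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/server.crt
smtpd_tls_key_file = /etc/postfix/certs/server.key
smtpd_tls_security_level = may
EOF

cat >"$IMAPD_CONF" <<'EOF'
# auth
sasl_pwcheck_method: saslauthd
sasl_security_options: noanonymous
sasl_mech_list: plain login
# tls
tls_cert_file: /var/lib/imap/ssl/server.crt
tls_key_file: /var/lib/imap/ssl/server.key
tls_ca_path: /usr/ssl/CA
EOF

# pf_get FILE KEY: value of a Postfix "key = value" line (last one wins).
pf_get() { awk -F' *= *' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }
# cy_get FILE KEY: value of a Cyrus "key: value" line.
cy_get() { awk -F': *' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# One finding per line; prints nothing when the file passes.
audit_postfix() {
    f=$1
    if [ "$(pf_get "$f" smtpd_sasl_auth_enable)" = yes ]; then
        [ "$(pf_get "$f" smtpd_tls_auth_only)" = yes ] ||
            echo "AUTH offered on unencrypted connections: set smtpd_tls_auth_only = yes"
        case $(pf_get "$f" smtpd_tls_security_level) in
            may|encrypt) ;;
            *) echo "no STARTTLS: set smtpd_tls_security_level = may" ;;
        esac
        [ -n "$(pf_get "$f" smtpd_tls_cert_file)" ] || echo "smtpd_tls_cert_file not set"
    fi
    case $(pf_get "$f" smtpd_sasl_security_options) in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous" ;;
    esac
    case $(pf_get "$f" smtpd_recipient_restrictions) in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)" ;;
    esac
}

audit_cyrus() {
    f=$1
    case $(cy_get "$f" sasl_mech_list) in
        *[Pp][Ll][Aa][Ii][Nn]*|*[Ll][Oo][Gg][Ii][Nn]*)
            [ -n "$(cy_get "$f" tls_cert_file)" ] ||
                echo "cleartext sasl_mech_list without tls_cert_file" ;;
    esac
    case $(cy_get "$f" sasl_security_options) in
        *noanonymous*) ;;
        *) echo "sasl_security_options lacks noanonymous" ;;
    esac
    [ "$(cy_get "$f" sasl_pwcheck_method)" = saslauthd ] ||
        echo "sasl_pwcheck_method is not saslauthd"
}

# finding_count AUDIT_FUNC FILE: number of findings, for scripting.
finding_count() { "$@" | awk 'END { print NR }'; }

for cf in "$WEAK_MAIN_CF" "$HARD_MAIN_CF"; do
    echo "== main.cf $cf: $(finding_count audit_postfix "$cf") finding(s)"
    audit_postfix "$cf"
done
echo "== imapd.conf: $(finding_count audit_cyrus "$IMAPD_CONF") finding(s)"
```

Run against the real files with `audit_postfix /etc/postfix/main.cf` and `audit_cyrus /etc/imapd.conf`; the auth-only fragment yields three findings, the version with the tls section and the imapd.conf yield none.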
Jim Flanagan wrote:
Sandy Drobic wrote:
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side for saslauthd you can set it up pretty easy, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against, that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for
Okay. Do yourself a favor and use the same certificate for all services, so users only have to import and verify one certificate instead of several.
that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around
You can encrypt unauthenticated mail delivery, it is completely independent of smtp auth. For example, if I send a mail to the opensuse listserver the transmission will be TLS encrypted but not authenticated.
too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
There's not much use for encryption if you have to relay via your provider anyway.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
OK, regarding users, I did set up two new users in yast, but when I click the disable login box, those users cannot access the mailbox in cyrus. If I un-check that box to allow them to log in, they can access their mailbox. So this is not yet what I want. I need to somehow limit their access to only email services, still unclear on how to do that. I have not edited the main.cf yet, more on that further down.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end:
Postfix domain classes:
  mydestination:          user1@example.com = user1@example.net
                          loginname: user1
  virtual_mailbox_domain: user1@example.com != user1@example.net
                          loginname: user1@example.com user1@example.net
So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
Are you saying here that using the first method, mydestination, user1 will have access to both example.com AND example.net? So in this case I couldn't have a different individual, both with the same name of say user1, one at example.com and the other at example.net. I've never considered these two different setups you are describing, but understand this needs to be decided first.
to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me. That's all I can think of for now.
Okay, so we only need to consider Postfix/Cyrus/Squirrelmail/saslauthd.
A basic setup would look like this:
saslauthd is installed (and also the sasl libraries for the mechs) and configured to auth against pam. This is the default for saslauthd, so you should be able to use it out of the box:
saslauthd and PAM should already have these settings out of the box:
Saslauthd: /etc/sysconfig/saslauthd:
  SASLAUTHD_AUTHMECH="pam"
PAM: /etc/pam.d/imap
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/pop
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/sieve
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
/etc/pam.d/smtp
  #%PAM-1.0
  auth     include common-auth
  account  include common-account
  password include common-password
  session  include common-session
All the above is set up the same on my machine, just like you laid it out.
Postfix might need manual work:
Postfix: /etc/sasl2/smtpd.conf:
  pwcheck_method: saslauthd
  mech_list: plain login
The above here is also set up the same. I have not edited the below to make these changes. I'll try adding permit_sasl_authenticated, as this looks like it may solve my user login issue. Will try that and revert.
/etc/postfix/main.cf:
  # auth
  smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_local_domain =
  smtpd_sasl_security_options = noanonymous
  # tls
  smtpd_tls_CApath = /etc/postfix/certs
  smtpd_tls_auth_only = yes
  smtpd_tls_cert_file = /etc/postfix/certs/server.crt
  smtpd_tls_key_file = /etc/postfix/certs/server.key
  smtpd_tls_security_level = may
Cyrus: /etc/cyrus.conf:
  # activate tls/ssl encryption
  SERVICES {
    imaps cmd="imapd -s" listen="imaps" proto="tcp4" prefork=0
    pop3s cmd="pop3d -s" listen="pop3s" proto="tcp4" prefork=0
  }
/etc/imapd.conf:
  # auth
  sasl_pwcheck_method: saslauthd
  sasl_security_options: noanonymous
  sasl_mech_list: plain login
  # tls
  tls_cert_file: /var/lib/imap/ssl/server.crt
  tls_key_file: /var/lib/imap/ssl/server.key
  tls_ca_path: /usr/ssl/CA
A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.
As you can tell, I am taking this slowly, and one step at a time. I can't work on this every day, but will do more this weekend.
Thanks,
Jim
On 04/12/2008 05:41 AM, Jim Flanagan wrote:
OK, regarding users, I did set up two new users in yast, but when I click the disable login box, those users cannot access the mailbox in cyrus. If I un-check that box to allow them to log in, they can access their mailbox. So this is not yet what I want. I need to somehow limit their access to only email services, still unclear on how to do that. I have not edited the main.cf yet, more on that further down.
Set their login to use /bin/false instead of /bin/bash
-- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
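An added check, not from the thread or from openSUSE, for the two ways of "disabling" a user that come up here. A non-login shell such as /bin/false or /sbin/nologin removes interactive access but leaves PAM authentication working, so saslauthd still accepts the user. A locked password (a leading `!` in the /etc/shadow hash, which is what YaST's disable-login checkbox produces) makes pam_unix refuse the user for every service, mail included. The passwd and shadow records below are constructed, and the checker assumes the standard colon-separated formats of those two files.

```shell
#!/bin/sh
# Classify accounts as mail-only (no shell, password usable), login-capable,
# or locked (PAM refuses them). Sample records are constructed for this example.
SAMPLE_PASSWD=$(mktemp); SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
jim:x:1000:100:Admin with shell:/home/jim:/bin/bash
alice:x:1001:100:Mail only:/home/alice:/bin/false
bob:x:1002:100:Mail only:/home/bob:/sbin/nologin
carol:x:1003:100:Disabled in yast:/home/carol:/bin/bash
EOF
cat >"$SAMPLE_SHADOW" <<'EOF'
jim:$6$constructedhash:14000:0:99999:7:::
alice:$6$constructedhash:14000:0:99999:7:::
bob:$6$constructedhash:14000:0:99999:7:::
carol:!$6$constructedhash:14000:0:99999:7:::
EOF

# shell_users PASSWD: users that can still get an interactive shell.
shell_users() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# locked_users SHADOW: users whose password field is locked (leading ! or *);
# pam_unix fails authentication for these, so saslauthd says "failure".
locked_users() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1"
}

# classify_user USER PASSWD SHADOW: prints mail-only | login | locked | unknown.
classify_user() {
    user=$1; passwd=$2; shadow=$3
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    [ -n "$shell" ] || { echo unknown; return 1; }
    case $hash in
        '!'*|'*'*) echo locked; return 0 ;;
    esac
    case $shell in
        /bin/false|/sbin/nologin) echo mail-only ;;
        *) echo login ;;
    esac
}

for u in jim alice bob carol; do
    echo "$u: $(classify_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW")"
done
```

On a live system the same functions take /etc/passwd and /etc/shadow (root needed for the latter). The mail-only state is reached with `usermod -s /bin/false USER` while leaving the password unlocked; the locked state is what the thread observed as "cannot access the mailbox".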
Jim Flanagan wrote:
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
OK, regarding users, I did set up two new users in yast, but when I click the disable login box, those users cannot access the mailbox in cyrus. If I un-check that box to allow them to log in, they can access their mailbox. So this is not yet what I want. I need to somehow limit their access to only email services, still unclear on how to do that. I have not edited the main.cf yet, more on that further down.
Set login shell to /bin/false, so they don't have a login shell, that's all.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end:
Postfix domain classes:
  mydestination:          user1@example.com = user1@example.net
                          loginname: user1
  virtual_mailbox_domain: user1@example.com != user1@example.net
                          loginname: user1@example.com user1@example.net
So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
Are you saying here that using the first method, mydestination, user1 will have access to both example.com AND example.net? So in this case I couldn't have a different individual, both with the same name of say user1, one at example.com and the other at example.net. I've never considered these two different setups you are describing, but understand this needs to be decided first.
Exactly. If you only have one main domain and several alias domains, then you can also set these additional domains as virtual_alias_domains, but the real question is if you have independent domains or not. If you do have independent domains or you think it is possible that some day you might need them, then you should probably set up your domain as virtual_mailbox_domain.
[sasl/pam setup]
All the above is set up the same on my machine, just like you laid it out.
Then you should be able to use testsaslauthd to check if a user is able to authenticate:
  testsaslauthd -u user -p password -s service
examples:
  testsaslauthd -u jim -p password -s smtp
  testsaslauthd -u jim -p password -s imap
If that works you can implement the sasl authentication in your services.
Postfix might need manual work:
Postfix: /etc/sasl2/smtpd.conf:
  pwcheck_method: saslauthd
  mech_list: plain login
The above here is also set up the same.
Okay.
I have not edited the below to make these changes. I'll try adding permit_sasl_authenticated, as this looks like it may solve my user login issue. Will try that and revert.
/etc/postfix/main.cf:
  # auth
  smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_local_domain =
  smtpd_sasl_security_options = noanonymous
Then you should be able to use authentication with Postfix:
  telnet postfix-server 25
  ehlo clientname
you should get something like this:
  250-japantest.homelinux.com
  250-PIPELINING
  250-SIZE 100000000
  250-ETRN
  250-AUTH LOGIN PLAIN
  250-AUTH=LOGIN PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
Important is the "250-AUTH LOGIN PLAIN" line of the capabilities.
A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.
As you can tell, I am taking this slowly, and one step at a time. I can't work on this every day, but will do more this weekend.
Very good. Do yourself another favor and make backups before you change the config files. (^-^) If you break something a simple diff will tell you what you changed.
-- Sandy
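The mydestination versus virtual_mailbox_domains distinction Sandy draws, as an added shell example (not from the thread or from Postfix itself): given a main.cf, `domain_class` reports which Postfix address class a domain is listed in, and `login_name` derives the name the mailbox store is keyed on, which is the local part for a mydestination domain and the full address for a virtual_mailbox_domains domain. A domain listed in more than one class is reported as ambiguous, since Postfix expects each domain in exactly one class. The main.cf is constructed; the parser assumes one `key = value` per line, space- or comma-separated lists, and no `$variable` expansion (so `$myhostname` in a real mydestination is not resolved).

```shell
#!/bin/sh
# Which Postfix address class a domain falls into, and what login name the
# mailbox store sees as a result. The main.cf below is constructed.
CLASS_CF=$(mktemp)
trap 'rm -f "$CLASS_CF"' EXIT
cat >"$CLASS_CF" <<'EOF'
# constructed: one local domain, one independent domain, one alias domain
myhostname = mail.example.org
mydestination = example.org localhost
virtual_mailbox_domains = example.com
virtual_alias_domains = example.net
EOF

# pf_get FILE KEY: value of a Postfix "key = value" line (last one wins).
pf_get() { awk -F' *= *' -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# in_list WORD LIST: is WORD one of the space/comma separated items of LIST?
in_list() {
    for w in $(printf '%s' "$2" | tr ',' ' '); do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# domain_class MAINCF DOMAIN: mydestination | virtual_mailbox | virtual_alias |
# none, or ambiguous when the domain is listed in more than one class.
domain_class() {
    n=0; cls=none
    in_list "$2" "$(pf_get "$1" mydestination)"           && { cls=mydestination;   n=$((n+1)); }
    in_list "$2" "$(pf_get "$1" virtual_mailbox_domains)" && { cls=virtual_mailbox; n=$((n+1)); }
    in_list "$2" "$(pf_get "$1" virtual_alias_domains)"   && { cls=virtual_alias;   n=$((n+1)); }
    [ "$n" -gt 1 ] && cls=ambiguous
    echo "$cls"
}

# login_name MAINCF ADDRESS: the key Postfix delivers to, per class.
login_name() {
    local_part=${2%@*}; domain=${2#*@}
    case $(domain_class "$1" "$domain") in
        mydestination)   echo "$local_part" ;;              # user1
        virtual_mailbox) echo "$2" ;;                       # user1@example.com
        virtual_alias)   echo "rewrite via virtual_alias_maps" ;;
        ambiguous)       echo "domain listed in two classes: fix main.cf" ;;
        *)               echo "not accepted for local delivery" ;;
    esac
}

for a in user1@example.org user1@example.com user1@example.net user1@other.test; do
    echo "$a -> $(domain_class "$CLASS_CF" "${a#*@}") -> $(login_name "$CLASS_CF" "$a")"
done
```

The consequence for Cyrus is the one Sandy states: under mydestination both user1@example.com and user1@example.net collapse to the login name user1, so two different people cannot share a local part across domains; under virtual_mailbox_domains they stay distinct.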
Sandy Drobic wrote:
Jim Flanagan wrote:
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
OK, regarding users, I did set up two new users in yast, but when I click the disable login box, those users cannot access the mailbox in cyrus. If I un-check that box to allow them to log in, they can access their mailbox. So this is not yet what I want. I need to somehow limit their access to only email services, still unclear on how to do that. I have not edited the main.cf yet, more on that further down.
Set login shell to /bin/false, so they don't have a login shell, that's all.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end:
Postfix domain classes:
  mydestination:          user1@example.com = user1@example.net
                          loginname: user1
  virtual_mailbox_domain: user1@example.com != user1@example.net
                          loginname: user1@example.com user1@example.net
So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
Are you saying here that using the first method, mydestination, user1 will have access to both example.com AND example.net? So in this case I couldn't have a different individual, both with the same name of say user1, one at example.com and the other at example.net. I've never considered these two different setups you are describing, but understand this needs to be decided first.
Exactly. If you only have one main domain and several alias domains, then you can also set these additional domains as virtual_alias_domains, but the real question is if you have independent domains or not. If you do have independent domains or you think it is possible that some day you might need them, then you should probably set up your domain as virtual_mailbox_domain.
[sasl/pam setup]
All the above is set up the same on my machine, just like you laid it out.
Then you should be able to use testsaslauthd to check if a user is able to authenticate:
  testsaslauthd -u user -p password -s service
examples:
  testsaslauthd -u jim -p password -s smtp
  testsaslauthd -u jim -p password -s imap
If that works you can implement the sasl authentication in your services.
Postfix might need manual work:
Postfix: /etc/sasl2/smtpd.conf:
  pwcheck_method: saslauthd
  mech_list: plain login
The above here is also set up the same.
Okay.
I have not edited the below to make these changes. I'll try adding permit_sasl_authenticated, as this looks like it may solve my user login issue. Will try that and revert.
/etc/postfix/main.cf:
  # auth
  smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_local_domain =
  smtpd_sasl_security_options = noanonymous
Then you should be able to use authentication with Postfix:
  telnet postfix-server 25
  ehlo clientname
you should get something like this:
  250-japantest.homelinux.com
  250-PIPELINING
  250-SIZE 100000000
  250-ETRN
  250-AUTH LOGIN PLAIN
  250-AUTH=LOGIN PLAIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN
Important is the "250-AUTH LOGIN PLAIN" line of the capabilities.
A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.
As you can tell, I am taking this slowly, and one step at a time. I can't work on this every day, but will do more this weekend.
Very good. Do yourself another favor and make backups before you change the config files. (^-^) If you break something a simple diff will tell you what you changed.
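The EHLO check above (and the "250-AUTH LOGIN PLAIN" line it looks for) can be automated. This is an added example, not code from the thread: parse_ehlo() parses a raw EHLO reply, sasl_status() reports whether AUTH is offered and whether STARTTLS protects it, and the hypothetical helper check_ehlo_server() runs the live exchange with smtplib. The sample replies are constructed to match the shape of the outputs posted in the thread.

```python
"""Check an SMTP server's EHLO reply for SASL AUTH and STARTTLS (added example)."""
import smtplib


def parse_ehlo(reply_text):
    """Turn the lines of a 250 EHLO reply into {KEYWORD: [params]}.

    Lines look like '250-AUTH LOGIN PLAIN' (more follow) or '250 DSN' (last line).
    The first 250 line carries the server's hostname and is kept under 'HOSTNAME'.
    Other lines (the 220 greeting, an echoed command) are ignored.
    """
    caps = {}
    first = True
    for raw in reply_text.splitlines():
        line = raw.strip()
        if not line.startswith("250"):
            continue
        body = line[4:].strip()          # drop the '250-' / '250 ' prefix
        if first:
            caps["HOSTNAME"] = [body.split()[0]] if body else []
            first = False
            continue
        if body.startswith("AUTH="):     # old-style duplicate some clients need; fold into AUTH
            body = "AUTH " + body[5:]
        parts = body.split()
        if not parts:
            continue
        key = parts[0].upper()
        caps.setdefault(key, [])
        for param in parts[1:]:
            if param.upper() not in caps[key]:
                caps[key].append(param.upper())
    return caps


def sasl_status(caps):
    """Summarise what the thread is testing for.

    Returns (auth_offered, mechanisms, starttls_offered, warnings).
    Note: with smtpd_tls_auth_only = yes Postfix advertises AUTH only after
    STARTTLS, so a missing AUTH line on a plain EHLO is not always a misconfiguration.
    """
    mechs = caps.get("AUTH", [])
    auth = bool(mechs)
    tls = "STARTTLS" in caps
    warnings = []
    if not auth:
        warnings.append("no AUTH capability: check smtpd_sasl_auth_enable = yes "
                        "and /etc/sasl2/smtpd.conf (or AUTH is only offered after STARTTLS)")
    elif not tls:
        warnings.append("PLAIN/LOGIN offered without STARTTLS: passwords cross the wire in the clear")
    return auth, mechs, tls, warnings


def check_ehlo_server(host, port=25, helo_name="clientname"):
    """Live version of the manual telnet/ehlo test (hypothetical helper, needs a server)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.ehlo(helo_name)
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %s" % (code, msg.decode(errors="replace")))
        # smtplib strips the '250-' prefixes; put them back so parse_ehlo() handles both forms
        text = "\n".join("250-" + l for l in msg.decode(errors="replace").splitlines())
        return sasl_status(parse_ehlo(text))


# Constructed sample replies, shaped like the ones posted in the thread
NO_AUTH_REPLY = """220 jimmee.local ESMTP Postfix
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

AUTH_NO_TLS_REPLY = """250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

AUTH_TLS_REPLY = """250-toro.mainphrame.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

if __name__ == "__main__":
    for name, reply in (("no auth", NO_AUTH_REPLY), ("auth, no tls", AUTH_NO_TLS_REPLY),
                        ("auth + tls", AUTH_TLS_REPLY)):
        print(name, "->", sasl_status(parse_ehlo(reply)))
```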
OK, I'm back, hope I haven't lost everyone's interest in this. I ran testsaslauthd as 3 users, each for smtp and imap, and all return "success". I faked a password and that returned "failure" so it looks like saslauthd is working correctly. However, running "telnet localhost 25" returns the following:
-----------------
jimmee:/home/jim # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jimmee.local ESMTP Postfix
-----------------
It just hangs at that point, nothing else happens until it says connection closed by foreign host. Not sure where to go now.
Regarding domains, as I said I am only using one for now, but I would like to set up virtual domains so that I can add one or more as the need arises. Can I do that in Yast? I see where to add them, but have not done so yet. Would I just add my one domain in there for now?
I have edited my main.cf file manually now, to add all the items you listed (except for the cert stuff, will get to that making sure all this works first). So I'm not sure working in Yast at this point will affect my main.cf?
Many thanks,
Jim F
The Sunday 2008-04-27 at 14:44 -0500, Jim Flanagan wrote:
However, running "telnet localhost 25" returns the following:
-----------------
jimmee:/home/jim # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jimmee.local ESMTP Postfix
-----------------
It just hangs at that point, nothing else happens until it says connection closed by foreign host. Not sure where to go now.
:-) Type "ehlo clientname" and you will see the answer.
Regarding domains, as I said I am only using one for now, but I would like to set up virtual domains so that I can add one or more as the need arises. Can I do that in Yast? I see where to add them, but have not done so yet. Would I just add my one domain in there for now?
I have edited my main.cf file manually now, to add all the items you listed (except for the cert stuff, will get to that making sure all this works first). So I'm not sure working in Yast at this point will affect my main.cf?
Many thanks,
Jim F
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Sunday 2008-04-27 at 14:44 -0500, Jim Flanagan wrote:
However, running "telnet localhost 25" returns the following:
-----------------
jimmee:/home/jim # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jimmee.local ESMTP Postfix
-----------------
It just hangs at that point, nothing else happens until it says connection closed by foreign host. Not sure where to go now.
:-)
Type "ehlo clientname" and you will see the answer.
Ah, so....and so it is
----------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
------------------------------
I don't see auth login plain here.
Jim F
Jim Flanagan wrote:
Carlos E. R. wrote:
The Sunday 2008-04-27 at 14:44 -0500, Jim Flanagan wrote:
However, running "telnet localhost 25" returns the following:
-----------------
jimmee:/home/jim # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jimmee.local ESMTP Postfix
-----------------
It just hangs at that point, nothing else happens until it says connection closed by foreign host. Not sure where to go now.
:-)
Type "ehlo clientname" and you will see the answer.
Ah, so....and so it is
----------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
------------------------------
I don't see auth login plain here.
Jim F
Just for drill, here's what I get -
lucy: /home/jjs (tty/dev/pts/4): bash: 1143 > telnet toro 25
Trying 192.168.111.2...
Connected to toro.
Escape character is '^]'.
220 toro.mainphrame.com ESMTP Postfix (2.5.1)
ehlo lucy
250-toro.mainphrame.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So it looks like you haven't yet set up your postfix config for auth.
Here's an overview of postfix setup that you might find useful -
http://enricozini.org/2006/etiopia/seventh-day-in-addis.html
There's also a lot of info on the postfix.org website, but if you're really serious, I'd recommend 'The Book of Postfix' from No Starch Press.
Joe
Joe Sloan wrote:
Jim Flanagan wrote:
Carlos E. R. wrote:
The Sunday 2008-04-27 at 14:44 -0500, Jim Flanagan wrote:
However, running "telnet localhost 25" returns the following:
-----------------
jimmee:/home/jim # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 jimmee.local ESMTP Postfix
-----------------
It just hangs at that point, nothing else happens until it says connection closed by foreign host. Not sure where to go now.
:-)
Type "ehlo clientname" and you will see the answer.
Ah, so....and so it is
----------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
------------------------------
I don't see auth login plain here.
Jim F
Just for drill, here's what I get -
lucy: /home/jjs (tty/dev/pts/4): bash: 1143 > telnet toro 25
Trying 192.168.111.2...
Connected to toro.
Escape character is '^]'.
220 toro.mainphrame.com ESMTP Postfix (2.5.1)
ehlo lucy
250-toro.mainphrame.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
So it looks like you haven't yet set up your postfix config for auth.
Here's an overview of postfix setup that you might find useful -
http://enricozini.org/2006/etiopia/seventh-day-in-addis.html
There's also a lot of info on the postfix.org website, but if you're really serious, I'd recommend 'The Book of Postfix' from No Starch Press.
Joe
OK, I forgot to enable smtpd_sasl_auth_enable = yes, I had it as no. Now running telnet localhost 25 I get,
------------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
-----------------
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
Jim F
The Sunday 2008-04-27 at 16:59 -0500, Jim Flanagan wrote:
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
I'm not sure that should work. It doesn't on my machine:
Apr 28 00:14:25 nimrodel postfix/smtpd[28923]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <cer@192.168.1.12>
and:
*** The message WAS NOT relayed to: <cer@192.168.1.12>: [127.0.0.1] said: 501 5.1.3 Failed, id=26204-09, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
This nondelivery report was generated by the program amavisd-new at host nimrodel.valinor. Our internal reference code for your message is 26204-09/LJ8yho7H+9+Z ***
Email works with names, not IP numbers. And for anything non local (meaning the same machine), you need a DNS with MX lines.
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Sunday 2008-04-27 at 16:59 -0500, Jim Flanagan wrote:
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
I'm not sure that should work. It doesn't on my machine:
Apr 28 00:14:25 nimrodel postfix/smtpd[28923]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <cer@192.168.1.12>
If you use an address literal it has to be enclosed in square brackets. A real domain name is preferred.
-- Sandy
List replies only please! Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
The Monday 2008-04-28 at 00:26 +0200, Sandy Drobic wrote:
I'm not sure that should work. It doesn't on my machine:
Apr 28 00:14:25 nimrodel postfix/smtpd[28923]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <cer@192.168.1.12>
If you use an address literal it has to be enclosed in square brackets. A real domain name is preferred.
Ah! It works. I learnt a new trick tonight :-)
-- Cheers, Carlos E. R.
Carlos E. R. wrote:
The Sunday 2008-04-27 at 16:59 -0500, Jim Flanagan wrote:
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
I'm not sure that should work. It doesn't on my machine:
Apr 28 00:14:25 nimrodel postfix/smtpd[28923]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <cer@192.168.1.12>
and:
*** The message WAS NOT relayed to: <cer@192.168.1.12>: [127.0.0.1] said: 501 5.1.3 Failed, id=26204-09, from MTA([127.0.0.1]:10025): 501 5.1.3 Bad recipient address syntax
This nondelivery report was generated by the program amavisd-new at host nimrodel.valinor. Our internal reference code for your message is 26204-09/LJ8yho7H+9+Z ***
Email works with names, not IP numbers. And for anything non local (meaning the same machine), you need a DNS with MX lines.
-- Cheers, Carlos E. R.
Ok, understood. I seem to remember testing my previous email server like this, but OK it doesn't work. How can I check this new install to make sure it is sending and receiving properly, before I put it on the firing line for my domain?
Jim F
Jim Flanagan wrote:
OK, I forgot to enable smtpd_sasl_auth_enable = yes, I had it as no.
Now running telnet localhost 25 I get,
------------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
-----------------
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
It depends on where your domain is. Please show "postconf -n".
-- Sandy
Sandy Drobic wrote:
Jim Flanagan wrote:
OK, I forgot to enable smtpd_sasl_auth_enable = yes, I had it as no.
Now running telnet localhost 25 I get,
------------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
-----------------
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
It depends on where your domain is. Please show "postconf -n".
OK, here it is...
Jim F
# postconf -n
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = jjfiii.com
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = jimmee.local
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost = smtpauth.earthlink.net
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_use_tls = no
strict_8bitmime = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
Jim Flanagan wrote:
Sandy Drobic wrote:
Jim Flanagan wrote:
OK, I forgot to enable smtpd_sasl_auth_enable = yes, I had it as no.
Now running telnet localhost 25 I get,
------------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
-----------------
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
It depends on where your domain is. Please show "postconf -n".
OK, here it is...
Jim F
# postconf -n
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = jjfiii.com
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = jimmee.local
So you should be able to use "username@jimmee.local" as address, provided that your local client can resolve jimmee.local.
So, now that you have smtp auth enabled and saslauthd is running, you should be able to authenticate against passwd. I assume that you have installed the cyrus sasl libraries, and /etc/sasl2/smtpd.conf contains the lines for saslauthd:
  pwcheck_method: saslauthd
  mech_list: plain login
If you need to check against the entire email address, then saslauthd has to be started with the option "-r".
-- Sandy
Sandy Drobic wrote:
Jim Flanagan wrote:
Sandy Drobic wrote:
Jim Flanagan wrote:
OK, I forgot to enable smtpd_sasl_auth_enable = yes, I had it as no.
Now running telnet localhost 25 I get,
------------------
220 jimmee.local ESMTP Postfix
ehlo clientname
250-jimmee.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
-----------------
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
It depends on where your domain is. Please show "postconf -n".
OK, here it is...
Jim F
# postconf -n
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains = jjfiii.com
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = $myhostname, localhost.$mydomain
myhostname = jimmee.local
So you should be able to use "username@jimmee.local" as address, provided that your local client can resolve jimmee.local.
So, now that you have smtp auth enabled and saslauthd is running, you should be able to authenticate against passwd. I assume that you have installed the cyrus sasl libraries, and /etc/sasl2/smtpd.conf contains the lines for saslauthd:
  pwcheck_method: saslauthd
  mech_list: plain login
If you need to check against the entire email address, then saslauthd has to be started with the option "-r".
OK, now that I got postfix working with saslauthd, part of my issue with sending was that I have my old and this new postfix install set up to relay smtp through my ISP's server. So I'm not getting a local delivery, but sent outside, and that fails as it cannot resolve [192.168.2.20]. I disabled that (temporarily) on both machines and can happily bounce emails back and forth from one to another now. :-)
So I guess my next steps are to set up my domain as a virtual domain (so I can add more domains later). And then set up the certs. You mentioned before to set up one cert to handle everything. In the past I had my hostname set up as mail.domain.com, and apache serving www.domain.com. I needed a cert for www.domain.com to handle my squirrelmail users. So would I need a separate cert for that? Or could I redirect squirrelmail users to mail.domain.com?
Also, where do the TLS certs go, or would that use the same cert??
Many thanks for the great help. We are getting somewhere now.
Jim F
Jim Flanagan wrote:
So I guess my next steps are to set up my domain as a virtual domain (so I can add more domains later). And then set up the certs. You mentioned before to set up one cert to handle everything. In the past I had my hostname set up as mail.domain.com, and apache serving www.domain.com. I needed a cert for www.domain.com to handle my squirrelmail users. So would I need a separate cert for that? Or could I redirect squirrelmail users to mail.domain.com?
Also, where do the TLS certs go, or would that use the same cert??
You need one cert for every hostname that you set up for ssl/tls. Of course, nothing hinders you to use "www.example.com" as your mx. (^-^)
-- Sandy
Sandy Drobic wrote:
Jim Flanagan wrote:
So I guess my next steps are to set up my domain as a virtual domain (so I can add more domains later). And then set up the certs. You mentioned before to set up one cert to handle everything. In the past I had my hostname set up as mail.domain.com, and apache serving www.domain.com. I needed a cert for www.domain.com to handle my squirrelmail users. So would I need a separate cert for that? Or could I redirect squirrelmail users to mail.domain.com?
Also, where do the TLS certs go, or would that use the same cert??
You need one cert for every hostname that you set up for ssl/tls. Of course, nothing hinders you to use "www.example.com" as your mx. (^-^)
Ok thanks. Will set those up. One last question for now. Can you tell me how to set up this domain as a virtual domain, so I can add more separate domains later?
Jim F
Jim Flanagan wrote:
Sandy Drobic wrote:
Jim Flanagan wrote:
So I guess my next steps are to set up my domain as a virtual domain (so I can add more domains later). And then set up the certs. You mentioned before to set up one cert to handle everything. In the past I had my hostname set up as mail.domain.com, and apache serving www.domain.com. I needed a cert for www.domain.com to handle my squirrelmail users. So would I need a separate cert for that? Or could I redirect squirrelmail users to mail.domain.com?
Also, where do the TLS certs go, or would that use the same cert??
You need one cert for every hostname that you set up for ssl/tls. Of course, nothing hinders you to use "www.example.com" as your mx. (^-^)
Ok thanks. Will set those up.
One last question for now. Can you tell me how to set up this domain as a virtual domain, so I can add more separate domains later?
You just have to adjust the settings that now deal with the local transport:
  # must NOT include the virtual_mailbox_domain:
  mydestination = localhost.$mydomain
  virtual_mailbox_domains = jimmee.local
  virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_addresses
  virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
If you have several domains you probably want to authenticate not only with your localpart as username but with the complete address, so you have to adjust saslauthd to use the complete address in /etc/sysconfig/saslauthd:
  #SASLAUTHD_AUTHMECH="pam"
  SASLAUTHD_AUTHMECH="pam -r"
local_domains are useful for purposes that require scripts or interaction with the system.
-- Sandy
Sandy Drobic wrote:
Jim Flanagan wrote:
Sandy Drobic wrote:
Jim Flanagan wrote:
So I guess my next steps are to set up my domain as a virtual domain (so I can add more domains later). And then set up the certs. You mentioned before to set up one cert to handle everything. In the past I had my hostname set up as mail.domain.com, and apache serving www.domain.com. I needed a cert for www.domain.com to handle my squirrelmail users. So would I need a separate cert for that? Or could I redirect squirrelmail users to mail.domain.com?
Also, where do the TLS certs go, or would that use the same cert??
You need one cert for every hostname that you set up for ssl/tls. Of course, nothing hinders you to use "www.example.com" as your mx. (^-^)
Ok thanks. Will set those up.
One last question for now. Can you tell me how to set up this domain as a virtual domain, so I can add more separate domains later?
You just have to adjust the settings that now deal with the local transport:
  # must NOT include the virtual_mailbox_domain:
  mydestination = localhost.$mydomain
  virtual_mailbox_domains = jimmee.local
  virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_addresses
  virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp
If you have several domains you probably want to authenticate not only with your localpart as username but with the complete address, so you have to adjust saslauthd to use the complete address in /etc/sysconfig/saslauthd:
  #SASLAUTHD_AUTHMECH="pam"
  SASLAUTHD_AUTHMECH="pam -r"
local_domains are useful for purposes that require scripts or interaction with the system.
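The domain-class distinction drawn earlier in the thread (user1@example.com and user1@example.net are one mailbox under mydestination but two under virtual_mailbox_domains), the rule that a domain must not sit in both classes, and the later suggestion to redirect mail for root with virtual_alias_maps, worked through in code. This is an added example, not code from the thread or from Postfix: a simplified model of the address-class lookup order that Postfix documents, with the class names taken from the thread and the per-address virtual_mailbox_maps check left out.

```python
"""Simplified model of Postfix address classes (added example, not Postfix code)."""


class PostfixRouting:
    """Decide which class an address falls in and what mailbox key it resolves to."""

    def __init__(self, mydestination, virtual_mailbox_domains=(),
                 virtual_alias_domains=(), virtual_alias_maps=None):
        self.mydestination = {d.lower() for d in mydestination}
        self.virtual_mailbox_domains = {d.lower() for d in virtual_mailbox_domains}
        self.virtual_alias_domains = {d.lower() for d in virtual_alias_domains}
        self.virtual_alias_maps = {k.lower(): v.lower()
                                   for k, v in (virtual_alias_maps or {}).items()}
        # Postfix warns about a domain listed in more than one class; the thread makes
        # the same point ("must NOT include the virtual_mailbox_domain"). Refuse it here.
        overlap = self.mydestination & self.virtual_mailbox_domains
        if overlap:
            raise ValueError("domain in both mydestination and virtual_mailbox_domains: %s"
                             % sorted(overlap))

    def _alias(self, addr):
        """One virtual_alias_maps lookup: exact address first, then an @domain catch-all."""
        local, _, domain = addr.rpartition("@")
        if addr in self.virtual_alias_maps:
            return self.virtual_alias_maps[addr]
        target = self.virtual_alias_maps.get("@" + domain)
        if target is None:
            return None
        # '@example.org -> @jimmee.local' keeps the localpart, like Postfix does
        return local + target if target.startswith("@") else target

    def resolve(self, address):
        """Return (class, mailbox_key) for an address after alias rewriting."""
        addr = address.lower()
        for _ in range(5):                      # bounded, like Postfix's alias expansion
            target = self._alias(addr)
            if target is None or target == addr:
                break
            addr = target
        local, _, domain = addr.rpartition("@")
        if domain in self.mydestination:
            return ("local", local)             # mailbox keyed by the localpart only
        if domain in self.virtual_mailbox_domains:
            return ("virtual_mailbox", addr)    # the full address is the mailbox name
        if domain in self.virtual_alias_domains:
            return ("reject", addr)             # alias domain but no alias entry: user unknown
        return ("relay_or_reject", addr)        # not ours; relay_domains decides, else reject


def same_user_under_mydestination():
    """Two domains in mydestination: user1@ either domain lands in the same local mailbox."""
    r = PostfixRouting(mydestination=["jimmee.local", "example.com", "example.net"])
    return r.resolve("user1@example.com") == r.resolve("user1@example.net")


def same_user_under_virtual_mailbox():
    """Two virtual_mailbox_domains: user1@ each domain is an independent mailbox."""
    r = PostfixRouting(mydestination=["localhost.jimmee.local"],
                       virtual_mailbox_domains=["example.com", "example.net"])
    return r.resolve("user1@example.com") == r.resolve("user1@example.net")


if __name__ == "__main__":
    print("same mailbox under mydestination:", same_user_under_mydestination())
    print("same mailbox under virtual_mailbox_domains:", same_user_under_virtual_mailbox())
    # Mail for root redirected to a real mailbox with virtual_alias_maps (constructed setup)
    r = PostfixRouting(["localhost"], ["jimmee.local"], ["example.org"],
                       {"root@jimmee.local": "jim@jimmee.local", "@example.org": "@jimmee.local"})
    print("root@jimmee.local ->", r.resolve("root@jimmee.local"))
    print("user1@example.org ->", r.resolve("user1@example.org"))
```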
I'm still not quite finished getting it right, and am not clear on a few points. I have postfix authing against saslauthd, setting up local users (with login to null), and cyrus imap working, I still am not sure how to set up virtual domains and users. I could really use a step by step guide with this, as I'm stuck on this point.
Also, what happens with local messages to root under this setup? Where would warning messages to root go if I'm using virtual domains?
Also, I have not done any certs yet, and am trying to minimize the number needed and keep them located in a central location. As I understand it I will need one cert for each incoming tls/ssl domain, meaning one for imapd. Another for smtpd. Another for squirrelmail on apache. Is this correct? And can they go in one directory, or should I use the default locations, for example /etc/ssl, and /var/lib/imap/ssl, etc.
Thanks for your great help and patience.
Jim F
Jim Flanagan wrote:
I'm still not quite finished getting it right, and am not clear on a few points.
I have postfix authing against saslauthd, setting up local users (with login to null), and cyrus imap working, I still am not sure how to set up virtual domains and users. I could really use a step by step guide with this, as I'm stuck on this point.
Hm, you should probably start with Cyrus and configure Cyrus to use the full address as mailbox. Then configure saslauthd to use the full address and Postfix to use the full address (not just the localpart). It also means that you can't use local users anymore, you probably want either a sasldb (few users and easy to set up but a bother to maintain) or mysql with webinterface (more users or frequent changes, but more difficult to set up). Though if you want to go that way, there are plenty of how-tos that describe how to set up webcyradm. That would probably be the best way for you. It would give you virtual domains and a webinterface for maintenance.
Also, what happens with local messages to root under this setup? Where would warning messages to root go if I'm using virtual domains?
You would use virtual_alias_maps and rewrite the recipient to an existing user.
Also, I have not done any certs yet, and am trying to minimize the number needed and keep them located in a central location. As I understand it I will need one cert for each incoming tls/ssl domain, meaning one for imapd. Another for smtpd. Another for squirrelmail on apache. Is this correct? And can they go in one directory, or should I use the default locations, for example /etc/ssl, and /var/lib/imap/ssl, etc.
All services have their own certificate. Though you could just reuse one certificate for all purposes, provided the users access the different services via the same hostname. If you have different hostnames (mail, imap, pop3, web...) then you need separate certs. Though you might get away with a wildcard cert or alternate names if you use a selfsigned certificate.
-- Sandy
Sandy Drobic wrote:
Jim Flanagan wrote:
I'm still not quite finished getting it right, and am not clear on a few points.
I have postfix authing against saslauthd, setting up local users (with login to null), and cyrus imap working, I still am not sure how to set up virtual domains and users. I could really use a step by step guide with this, as I'm stuck on this point.
Hm, you should probably start with Cyrus and configure Cyrus to use the full address as mailbox. Then configure saslauthd to use the full address and Postfix to use the full address (not just the localpart). It also means that you can't use local users anymore, you probably want either a sasldb (few users and easy to set up but a bother to maintain) or mysql with webinterface (more users or frequent changes, but more difficult to set up).
Though if you want to go that way, there are plenty of how-tos that describe how to set up webcyradm. That would probably be the best way for you. It would give you virtual domains and a webinterface for maintenance.
Ok, now I'm really confused. I thought that by using local users I would be able to get the ability to have separate domains. To be clear, for now, I only need one domain, but I was looking down the road in the event that I would need to add one or more domains later. I guess I could re-work this to use sasldb. I tried it in the past and seem to remember it was a pain to work with. But I really need to move off my 10.0 install soon, it's working great but I'm concerned about ongoing security issues. I had to shut down clam due to security issues already, with no suse updates coming. Webcyradm sounds interesting. Do you know if it sets up and configures the actual database? I have very little experience with sql databases.
Also, what happens with local messages to root under this setup? Where would warning messages to root go if I'm using virtual domains?
You would use virtual_alias_maps and rewrite the recipient to an existing user.
At this point, based on my using only one domain, would there be an advantage to setting this one domain up as a virtual domain, or just leaving it as the only domain? I guess the question should be: would it be feasible to set the system up for one virtual domain for now, and then change my user auth system to webcyradm later if I needed to add a second domain?
Also, I have not done any certs yet, and am trying to minimize the number needed and keep them in a central location. As I understand it, I will need one cert for each incoming TLS/SSL domain, meaning one for imapd, another for smtpd, another for squirrelmail on apache. Is this correct? And can they go in one directory, or should I use the default locations, for example /etc/ssl, /var/lib/imap/ssl, etc.?
All services have their own certificate. Though you could just reuse one certificate for all purposes, provided the users access the different services via the same hostname. If you have different hostnames (mail, imap, pop3, web...) then you need separate certs. Though you might get away with a wildcard cert or alternate names if you use a self-signed certificate.
This part understood. Many thanks, Jim F
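As an added example (not from the thread), here is what the pieces Sandy describes look like in Postfix and Cyrus: one virtual domain delivered to Cyrus over LMTP, mail to root rewritten via virtual_alias_maps to a real mailbox, SMTP AUTH through saslauthd, and one certificate reused for the service that answers on a single hostname. example.com, the user names and the certificate file names are placeholders, and the Cyrus LMTP socket path is assumed to be the openSUSE default.

```conf
# --- /etc/postfix/main.cf (relevant settings only; example.com is a placeholder) ---
myhostname = mail.example.com
# Only the machine's own names go here. Do not also list the virtual domain,
# or Postfix warns and local(8) delivery wins over the virtual path.
mydestination = $myhostname, localhost.$mydomain, localhost

# The domain whose mailboxes live in Cyrus; delivery goes over LMTP.
virtual_mailbox_domains = example.com
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp   # assumed openSUSE cyrus-imapd socket

# Recipient rewriting happens in cleanup(8), before any delivery: this is
# where local warning mail to root is redirected to a real mailbox.
virtual_alias_maps = hash:/etc/postfix/virtual

# SMTP AUTH via Cyrus SASL; /etc/sasl2/smtpd.conf carries "pwcheck_method: saslauthd".
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# One certificate for everything reached as mail.example.com (placeholder file names).
smtpd_tls_cert_file = /etc/ssl/servercerts/mail.example.com.crt
smtpd_tls_key_file = /etc/ssl/servercerts/mail.example.com.key
smtpd_tls_security_level = may      # Postfix 2.3+: offer STARTTLS, do not require it

# --- /etc/postfix/vmailbox (then: postmap /etc/postfix/vmailbox) ---
# Left side: address Postfix accepts. Right side is ignored by LMTP but must exist.
jim@example.com      jim@example.com
anne@example.com     anne@example.com

# --- /etc/postfix/virtual (then: postmap /etc/postfix/virtual) ---
# Cron/logwatch mail to root, and the role addresses, land in jim's Cyrus mailbox.
root                    jim@example.com
root@mail.example.com   jim@example.com
postmaster@example.com  jim@example.com
abuse@example.com       jim@example.com

# --- /etc/imapd.conf (Cyrus) ---
# Mailboxes are keyed by the full address, i.e. user/jim@example.com,
# which is why saslauthd and Postfix must see the full address too.
virtdomains: userid
defaultdomain: example.com
sasl_pwcheck_method: saslauthd
```

Run `postfix check` after editing and watch /var/log/mail for "do not list domain ... in BOTH mydestination and virtual_mailbox_domains", the usual sign that a domain has been declared on both sides.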
Jim Flanagan wrote:
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
Well, jimf@192.168.2.20 doesn't sound like a normal email address, but it should work if you have that set up as one of the "mydestination" names and you are using 192.168.2.20 as the mail server. What do the last few lines of /var/log/mail say about the matter? BTW, for mail to work as it should, DNS really needs to be fully working. Can you send to jimf@localhost successfully? Joe
Joe Sloan wrote:
Jim Flanagan wrote:
So, plain login is running now, but I still can't send a message to a user on this machine. I'm using the email address (from the same LAN) jim@192.168.2.20
Well, jimf@192.168.2.20 doesn't sound like a normal email address, but it should work if you have that set up as one of the "mydestination" names and you are using 192.168.2.20 as the mail server.
Bah, Sandy is right - you really should enclose the IP in brackets if you're going to do it that way. Joe
Participants (6): Carlos E. R., Jim Flanagan, Joe Morris, Joe Sloan, John Andersen, Sandy Drobic