[opensuse] Postfix & authenticated relay
Hi,

I'm running Suse 10.3. I'm trying to set up Postfix to allow users to send mail from the Internet through my mailserver if they are authenticated. I have most things set up OK I think, except for one thing, but I don't know where to look for it. The fact is pam tries to authenticate the user via mysql, but in the query it omits the domain from the mail-address. Where can I configure this?

I installed pam_mysql from the buildservice, but this did complain about some dependencies. As far as I could see all was installed, so I forced pam-mysql to be installed. Maybe that is the problem?

In /etc/pam.d this is smtp:

#%PAM-1.0
auth required pam_mysql.so user=xxx passwd=yyy db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account required pam_permit.so

In the README in /usr/doc/packages/pam_mysql I read:

For instance, if you want to use it in conjunction with Postfix, the SASL configuration file "smtpd.conf", which is put in the Cyrus-SASL's plugin directory (or the location included in the SASL_PATH environment variable), would look like the following:

pwcheck_method: auxprop
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_database: sys
sql_user: someuser
sql_passwd: fubar
sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';

But I don't find that smtpd.conf.

I hope I made myself clear, so any suggestions? Thanks.

--
Kind regards,
Koenraad Lelong
R&D Manager
ACE electronics n.v.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, May 30, 2008 at 7:38 AM, Koenraad Lelong wrote:
Hi, I'm running Suse 10.3. I'm trying to set up Postfix to allow users to send mail from the Internet through my mailserver if they are authenticated. I have most things set up OK I think, except for one thing, but I don't know where to look for it. The fact is pam tries to authenticate the user via mysql, but in the query it omits the domain from the mail-address. Where can I configure this?
Relying on an email address (or any part thereof) is insecure. You want to rely on username and password, as these are the only things common clients pass anyway during the authentication process.
I installed pam_mysql from the buildservice, but this did complain about some dependencies. As far as I could see all was installed, so I forced pam-mysql to be installed. Maybe that is the problem?
In /etc/pam.d this is smtp:

#%PAM-1.0
auth required pam_mysql.so user=xxx passwd=yyy db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account required pam_permit.so
In the README in /usr/doc/packages/pam_mysql I read:
For instance, if you want to use it in conjunction with Postfix, the SASL configuration file "smtpd.conf", which is put in the Cyrus-SASL's plugin directory (or the location included in the SASL_PATH environment variable), would look like the following:
pwcheck_method: auxprop
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_database: sys
sql_user: someuser
sql_passwd: fubar
sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';
But I don't find that smtpd.conf.
I hope I made myself clear, so any suggestions? Thanks.
There is a great deal of evidence on the net that cram and digest do NOT work and so you should not advertise them, because clients may try to use them.

For situations where you want to allow remote users to relay through your box you have to set up secure smtp. Then login and authentication is done in a ssl tunnel and you only need plain and login methods.

I've not done this with sql, but we allow authenticated smtp connections to relay using regular accounts.

--
----------JSA---------
John Andersen wrote:
On Fri, May 30, 2008 at 7:38 AM, Koenraad Lelong wrote:
Hi, I'm running Suse 10.3. I'm trying to set up Postfix to allow users to send mail from the Internet through my mailserver if they are authenticated. I have most things set up OK I think, except for one thing, but I don't know where to look for it. The fact is pam tries to authenticate the user via mysql, but in the query it omits the domain from the mail-address. Where can I configure this?
Relying on an email address (or any part thereof) is insecure. You want to rely on username and password, as these are the only things common clients pass anyway during the authentication process.
...
There is a great deal of evidence on the net that cram and digest do NOT work and so you should not advertise them, because clients may try to use them.
For situations where you want to allow remote users to relay through your box you have to set up secure smtp. Then login and authentication is done in a ssl tunnel and you only need plain and login methods.
I've not done this with sql, but we allow authenticated smtp connections to relay using regular accounts.
I left some things out, to simplify, but maybe they do matter. The setup will use TLS and the e-mail-address/password combination. The query I mention should get the password based on the mail-address, but since the domain-name gets lost, there is no valid user.

(replying from home)
Koenraad Lelong.
On Sat, May 31, 2008 at 1:34 AM, Koenraad Lelong wrote:
I left some things out, to simplify, but maybe they do matter. The setup will use TLS and the e-mail-address/password combination. The query I mention should get the password based on the mail-address, but since the domain-name gets lost, there is no valid user.
Yes, I understood what you were trying to do Koenraad, it's just that it is not the normal way to do it, and most clients don't even pass the email address when authenticating. They pass a name and password pair. If the client is not supplying the domain portion of the email address for authentication there is no reliable way of getting it.

--
----------JSA---------
The Saturday 2008-05-31 at 09:03 -0700, John Andersen wrote:
Yes, I understood what you were trying to do Koenraad, it's just that it is not the normal way to do it, and most clients don't even pass the email address when authenticating.
They pass a name and password pair. If the client is not supplying the domain portion of the email address for authentication there is no reliable way of getting it.
Some mail servers I use require the email address to be used again as login name, usually with the '@' replaced with another char. It is not the email address, it is the login name, that "happens" to be the same.

--
Cheers,
Carlos E. R.
John Andersen wrote:
On Sat, May 31, 2008 at 1:34 AM, Koenraad Lelong wrote:
I left some things out, to simplify, but maybe they do matter. The setup will use TLS and the e-mail-address/password combination. The query I mention should get the password based on the mail-address, but since the domain-name gets lost, there is no valid user.
Yes, I understood what you were trying to do Koenraad, it's just that it is not the normal way to do it, and most clients don't even pass the email address when authenticating.
They pass a name and password pair. If the client is not supplying the domain portion of the email address for authentication there is no reliable way of getting it.
Actually, the name/password pair _is_ the e-mail-address and the e-mail-password; I don't want to manage two pieces of credentials. In the client (Thunderbird) I set the smtp-authentication to the e-mail-address and e-mail-password. But on the server only the "username" gets through; everything after that, including the @, is lost. In Thunderbird I set the username to "username@mydomain.be" and pam-mysql tries to verify "username".

I have this working fine on another server, but that's running Suse 10.1. I suspect pam-mysql, but I don't know how to fix this. Would it be possible to see what postfix sends to pam-mysql?

Regards,
Koenraad Lelong.
Koenraad Lelong wrote:
Hi, I'm running Suse 10.3. I'm trying to set up Postfix to allow users to send mail from the Internet through my mailserver if they are authenticated. I have most things set up OK I think, except for one thing, but I don't know where to look for it. The fact is pam tries to authenticate the user via mysql, but in the query it omits the domain from the mail-address. Where can I configure this?
I installed pam_mysql from the buildservice, but this did complain about some dependencies. As far as I could see all was installed, so I forced pam-mysql to be installed. Maybe that is the problem?
In /etc/pam.d this is smtp:

#%PAM-1.0
auth required pam_mysql.so user=xxx passwd=yyy db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account required pam_permit.so

In the README in /usr/doc/packages/pam_mysql I read:
For instance, if you want to use it in conjunction with Postfix, the SASL configuration file "smtpd.conf", which is put in the Cyrus-SASL's plugin directory (or the location included in the SASL_PATH environment variable), would look like the following:
pwcheck_method: auxprop
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_database: sys
sql_user: someuser
sql_passwd: fubar
sql_select: SELECT password FROM users WHERE name='%u' and domain='%r';
But I don't find that smtpd.conf.
I hope I made myself clear, so any suggestions? Thanks.
Answering my own question after a long search: start saslauthd with the -r switch. So in /etc/init.d/saslauthd the start-case becomes:

/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH -n $SASLAUTHD_THREADS -r > /dev/null 2>&1

-r means saslauthd will add the realm to the user, so the user becomes 'user@realm'. In this case the realm is the domain-name of the email-address.

--
Kind regards,
Koenraad Lelong
R&D Manager
ACE electronics n.v.
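The following is an added model of the lookup path the thread ends up with, not code from the thread, from Postfix, Cyrus SASL or pam_mysql. It assumes the behaviour the posts describe: the SASL layer hands saslauthd a login and a realm separately (so a client authid of "user@mydomain.be" reaches the PAM backend as "user" unless saslauthd runs with -r, which re-joins them as "user@realm"), and a mailbox table keyed by the full address, as in the pam_mysql config above. An in-memory SQLite table stands in for the MySQL table, a salted SHA-256 digest stands in for the crypt(3) hashes implied by crypt=1, and the fixed default realm "mydomain.be" is an assumption. Two practitioner caveats are built in: the username is bound as a query parameter rather than substituted into the SQL text the way the README's '%u' template does, and plaintext mechanisms are refused unless TLS is active, which is the "plain/login inside a TLS tunnel" setup John recommends (it also follows that cram-md5/digest-md5 cannot be served from a hashed password column, since those mechanisms need the cleartext secret on the server).

```python
"""Model of the saslauthd -> backend credential lookup discussed in the thread.

Constructed example: SQLite and a salted SHA-256 digest stand in for the MySQL
table and the crypt(3) hashes of the real setup.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

DEFAULT_REALM = "mydomain.be"  # assumed server realm, used when the authid has no '@'


def split_authid(authid: str, default_realm: str = DEFAULT_REALM) -> Tuple[str, str]:
    """Split the client's SASL authid into (login, realm) as the SASL layer
    passes them to saslauthd: 'user@dom' -> ('user', 'dom'); a bare login
    gets the server's default realm."""
    login, sep, realm = authid.partition("@")
    return login, (realm if sep else default_realm)


def backend_username(login: str, realm: str, append_realm: bool) -> str:
    """Name the PAM/SQL backend receives. append_realm=True models
    'saslauthd -r', which re-joins login and realm as login@realm."""
    return f"{login}@{realm}" if append_realm else login


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Stand-in for the hashed password column: 'salthex$sha256hex'."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    salt_hex, _, digest = stored.partition("$")
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def make_mailbox_db() -> sqlite3.Connection:
    """Constructed sample data: one virtual mailbox keyed by the full address."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mailbox (username TEXT PRIMARY KEY, domain TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO mailbox VALUES (?, ?, ?)",
        ("koen@mydomain.be", "mydomain.be", hash_password("correct horse")),
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, authid: str, password: str, *,
                 append_realm: bool, tls_active: bool) -> bool:
    """True only if the user exists under the name the backend sees and the
    password matches. PLAIN/LOGIN carry the password in the clear, so they
    are refused without TLS (the effect of Postfix smtpd_tls_auth_only=yes)."""
    if not tls_active:
        return False
    login, realm = split_authid(authid)
    name = backend_username(login, realm, append_realm)
    # Bound parameter: the client-supplied name never becomes part of the SQL text.
    row = conn.execute(
        "SELECT password FROM mailbox WHERE username = ?", (name,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = make_mailbox_db()
    for flag in (False, True):
        ok = authenticate(db, "koen@mydomain.be", "correct horse",
                          append_realm=flag, tls_active=True)
        print(f"saslauthd -r {'on ' if flag else 'off'}: login {'accepted' if ok else 'rejected'}")
```

Run as a script it prints the rejected/accepted pair the thread describes: the same client credentials fail until the realm is appended, because the table is keyed by the full address. Swapping the table for the real one and the digest for crypt(3) leaves the logic unchanged.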
On Wed, Jun 4, 2008 at 1:25 AM, Koenraad Lelong wrote:
Answering my own question after a long search :
start saslauthd with the -r switch. So in /etc/init.d/saslauthd the start-case becomes:

/sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH -n $SASLAUTHD_THREADS -r > /dev/null 2>&1
-r means saslauthd will add the realm to the user, so the user becomes 'user@realm'. In this case the realm is the domain-name of the email-address.
I'm glad you were able to figure it out. :)

Mike
participants (5)
- Carlos E. R.
- John Andersen
- Koenraad Lelong
- Koenraad Lelong
- Michael Mientus