On Wed, 2003-08-27 at 12:09, Andreas Winkelmann wrote:
Tom Nielsen wrote:
8.2
In 8.2 Postfix and SASL are already installed. It is configured to use your shadow accounts. This means you could only use mechs such as plain or login. The big disadvantage is that the passwords are sent in cleartext over the line. Better is to switch to sasldb. It's all installed, but you have something to reconfigure.
First create a user account:
# saslpasswd2 -c username -u mailserver
I already have one. (I'm at home right now, but set one up for me while I was at work. I'm working at accessing my work info)
After -u should be a realm; to start, it is maybe best to leave it as "mailserver".
Check this with
# sasldblistusers2
Configure SASL:
Edit /usr/lib/sasl2/smtpd.conf :
pwcheck_method: auxprop
mech_list: DIGEST-MD5 CRAM-MD5
Will the above have any effect to those currently connected? I'm assuming a yes answer and that everyone that sends email must first submit a password, correct?
What does "currently connected" mean?
I can send and receive emails from home.
Have you got sasl configured yet?
Yes
Everyone who sends a mail gets an "AUTH..." header in the EHLO from your mailserver, and normally the client does an authentication, but whether a negative result rejects the client is decided by the smtpd_recipient_restriction in Postfix. The first line is permit_mynetworks: all clients in mynetworks come through without the right password.
I just set up mynetworks last night. Everything seems to work fine. I can send through home without a problem. My thought behind all this work is for security's sake. Have I gone too far?
But the next is permit_sasl_authenticated, which rejects any client which is not in mynetworks and is sending the wrong password.
Understand.
Configure Postfix:
Edit /etc/postfix/main.cf :
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mailserver
smtpd_sasl_security_options = noanonymous, noplaintext
Here's what I have currently:

readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = mailserver.neuro-logic.com
program_directory = /usr/lib/postfix
masquerade_domains =
mydestination = neuro-logic.com, localhost, localhost.$mydomain, $myhostname
defer_transports =
disable_dns_lookups = no
content_filter = vscan:
mailbox_command =
#mailbox_transport =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 51200000
message_size_limit = 10240000
delay_notice_recipient = Bob
bounce_notice_recipient =

Should I not worry about all this since I have mynetworks configured? Again, this is all so that non-company people can't send spam from my system.
Restart Postfix:
# rcpostfix restart
Test it with your client.
I hope this is all. If this is not working, send an output from "postconf -n" and the part from /var/log/mail.
-- Andreas
- - - - - - - - - - - - - - - - - -
Tom Nielsen
Neuro Logic Systems, Inc.
805.389.5435 x18
www.neuro-logic.com
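
An added example, not part of the original message or of Postfix: a simplified model of how the two smtpd_recipient_restrictions lists in this thread are evaluated (first decisive rule wins), showing who may relay under each. The mynetworks range, client addresses and example.org recipient are assumptions; neuro-logic.com comes from the mydestination line above.

```python
import ipaddress

# Assumptions (not from the thread): the mynetworks range and the sample clients.
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Subset of mydestination from the thread; real Postfix also consults
# relay_domains and virtual domains for the *_destination rules.
LOCAL_DOMAINS = {"neuro-logic.com", "localhost"}

CURRENT = ["permit_mynetworks", "reject_unauth_destination"]
PROPOSED = ["permit_mynetworks", "permit_sasl_authenticated",
            "permit_auth_destination", "reject"]


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Return 'permit' or 'reject' for one RCPT TO; first decisive rule wins."""
    in_mynetworks = any(ipaddress.ip_address(client_ip) in n for n in MYNETWORKS)
    local_rcpt = rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS
    for rule in restrictions:
        if rule == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "permit_auth_destination" and local_rcpt:
            return "permit"
        if rule == "reject_unauth_destination" and not local_rcpt:
            return "reject"
        if rule == "reject":
            return "reject"
    return "permit"  # no rule decided: the list falls through to permit


def relay_matrix(restrictions):
    """Outcome for each kind of sender discussed in the thread (constructed cases)."""
    cases = {
        "office client relaying out": ("192.168.1.20", False, "someone@example.org"),
        "outside, no auth, relaying out": ("203.0.113.9", False, "someone@example.org"),
        "outside, authenticated, relaying out": ("203.0.113.9", True, "someone@example.org"),
        "outside, no auth, mail for local user": ("203.0.113.9", False, "bob@neuro-logic.com"),
    }
    return {name: evaluate(restrictions, *args) for name, args in cases.items()}


if __name__ == "__main__":
    for label, rules in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label)
        for case, result in relay_matrix(rules).items():
            print(f"  {case:40s} {result}")
```

In this model both lists refuse relaying for unauthenticated outside clients; the only case that changes with the proposed list is an outside client that authenticates.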