Sandy Drobic wrote:
Jim Flanagan wrote:
John Andersen wrote:
On Tue, Apr 8, 2008 at 7:07 PM, Jim Flanagan wrote:
I'd like to have email users separate from local users. At present I only have one local user, but may have a few family members use this machine with their own logins at some point. I plan to have approx 10 to 20 email users, so this is no big install, just my home email server.
Looking at yast to set up the MTA, it offers to set postfix up to auth against an LDAP server and offers to set up that as a local LDAP. That sounds interesting, but I don't need anything else to use LDAP except postfix and imap. Is this the best way to accomplish what I want, or is using another method of authing my email users better, and what would that be?
I don't think you need ldap for Imap accounts with Cyrus. Just add the users via cyrus admin and let cyrus take care of it.
OK, as root I set a password for user cyrus, and now can log into cyradm. There was my one user mailbox there already. I created another user (mailbox), but don't see where to set a password for that user in cyradm.
I "think" I need to change the way cyrus authenticates, in etc/sysconfig, but am unsure exactly how to do this and which auth scheme to use. Can anyone give me some guidance with this?
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail.
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side for saslauthd you can set it up pretty easily, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against, that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
As to number of domains I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly.
As to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me.
That's all I can think of for now. Thanks for any assistance.
Jim
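Because saslauthd only handles cleartext mechanisms, as noted in the thread, SMTP AUTH should only be announced inside a TLS session. The following Python check is an added example, not part of the original messages: it reads Postfix main.cf text and flags configurations where smtpd_sasl_auth_enable is on but passwords could still cross the wire unencrypted. The two sample configs and the certificate paths are constructed; the check assumes the smtpd_tls_security_level parameter (not the older smtpd_use_tls) and does not expand `$variable` references.

```python
import re

# Constructed sample configs; the certificate paths are placeholders.
WEAK_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""
HARDENED_CF = """\
# AUTH is announced only after STARTTLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
    noanonymous
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/example-cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/example-key.pem
smtpd_tls_auth_only = yes
"""

def parse_main_cf(text):
    """main.cf syntax: '#' comment lines, leading whitespace continues
    the previous parameter, and the last assignment of a name wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and name:
            params[name] = (params[name] + " " + line.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
    return params

def audit_sasl_tls(text):
    """Return findings for SMTP AUTH that can run over an unencrypted session."""
    p = parse_main_cf(text)
    if p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        return []  # no AUTH offered, nothing to protect
    findings = []
    level = p.get("smtpd_tls_security_level", "").lower()
    if level not in ("may", "encrypt"):
        findings.append("no-tls: STARTTLS is not offered by smtpd")
    elif not p.get("smtpd_tls_cert_file"):
        findings.append("no-cert: TLS enabled but smtpd_tls_cert_file is unset")
    if level != "encrypt" and p.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("cleartext-auth: PLAIN/LOGIN accepted without TLS")
    return findings

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("hardened", HARDENED_CF)):
        print(label, audit_sasl_tls(cf) or "OK")
```

On a live system the same function can be fed the output of `postconf -n`, which prints the non-default parameters in the same `name = value` form.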