Jim Flanagan wrote:
Sandy Drobic wrote:
The usual way is to use an authentication daemon that is queried by all mail services: SMTP/IMAP/POP3/Webmail
The default for Cyrus is saslauthd, which again will query pam as default. On the positive side, saslauthd can be set up pretty easily, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against; that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for
Okay. Do yourself a favor and use the same certificate for all services, so users only have to import and verify one certificate instead of several.
that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around
You can encrypt unauthenticated mail delivery; it is completely independent of SMTP auth. For example, if I send a mail to the openSUSE list server the transmission will be TLS encrypted but not authenticated.
too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
There's not much use for encryption if you have to relay via your provider anyway.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
As to number of domains, I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end. Postfix domain classes:

mydestination:
user1@example.com = user1@example.net
loginname: user1

virtual_mailbox_domain:
user1@example.com != user1@example.net
loginname: user1@example.com
           user1@example.net

So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me. That's all I can think of for now.
Okay, so we only need to consider Postfix/Cyrus/Squirrelmail/saslauthd. A basic setup would look like this:

saslauthd is installed (and also the sasl libraries for the mechs) and configured to auth against pam. This is the default for saslauthd, so you should be able to use it out of the box. saslauthd and PAM should already have these settings out of the box:

Saslauthd:

/etc/sysconfig/saslauthd:
SASLAUTHD_AUTHMECH="pam"

PAM:

/etc/pam.d/imap
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/pop
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/sieve
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/smtp
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

Postfix might need manual work:

Postfix:

/etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

/etc/postfix/main.cf:
# auth
smtpd_recipient_restrictions = permit_sasl_authenticated
                               permit_mynetworks
                               reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
# tls
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/server.crt
smtpd_tls_key_file = /etc/postfix/certs/server.key
smtpd_tls_security_level = may

Cyrus:

/etc/cyrus.conf:
# activate tls/ssl encryption
SERVICES {
  imaps   cmd="imapd -s"  listen="imaps"  proto="tcp4" prefork=0
  pop3s   cmd="pop3d -s"  listen="pop3s"  proto="tcp4" prefork=0
}

/etc/imapd.conf:
# auth
sasl_pwcheck_method: saslauthd
sasl_security_options: noanonymous
sasl_mech_list: plain login
# tls
tls_cert_file: /var/lib/imap/ssl/server.crt
tls_key_file: /var/lib/imap/ssl/server.key
tls_ca_path: /usr/ssl/CA

A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.

--
Sandy

List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
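The point of smtpd_tls_auth_only = yes together with saslauthd's cleartext-only mechanisms (PLAIN/LOGIN) is that Postfix must never advertise AUTH on an unencrypted connection, and must advertise it once STARTTLS has completed. The script below checks exactly that against a live server by comparing the EHLO capability lists before and after STARTTLS. It is an added example written for this thread, not code from the thread or from Postfix; the hostname, the self-signed CA file argument and the constructed EHLO samples are assumptions for illustration.

```python
"""Check that an SMTP server only offers AUTH after STARTTLS.

Added example (not from the mailing-list thread). Exercises the
smtpd_tls_auth_only / smtpd_sasl_auth_enable settings discussed above.
"""
import smtplib
import ssl
import sys


def parse_ehlo(ehlo_body):
    """Turn the EHLO response body (what smtplib.SMTP.ehlo() returns as msg,
    decoded) into {KEYWORD: [params...]}. The first line is the server's
    hostname and carries no capability, so it is skipped."""
    caps = {}
    for line in ehlo_body.splitlines()[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def check_auth_policy(before_tls, after_tls):
    """Return a list of findings; an empty list means the server behaves as
    the configuration in the thread intends."""
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised on the plaintext connection "
                        "(smtpd_tls_security_level / cert settings not active)")
    if "AUTH" in before_tls:
        findings.append("AUTH advertised before STARTTLS: smtpd_tls_auth_only "
                        "is not in effect, PLAIN/LOGIN passwords could be sniffed")
    if "AUTH" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS: check "
                        "smtpd_sasl_auth_enable and /etc/sasl2/smtpd.conf")
    else:
        mechs = set(after_tls["AUTH"])
        if not mechs & {"PLAIN", "LOGIN"}:
            findings.append("neither PLAIN nor LOGIN offered; saslauthd can only "
                            "verify cleartext mechanisms, so auth will fail")
        if "ANONYMOUS" in mechs:
            findings.append("ANONYMOUS offered: smtpd_sasl_security_options "
                            "should contain noanonymous")
    return findings


def probe(host, port=25, cafile=None, timeout=10):
    """Connect to host:port, record EHLO capabilities before and after STARTTLS
    and evaluate them. cafile (assumed) points at the self-signed server cert
    or CA so that certificate verification succeeds."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, msg = smtp.ehlo()
        before = parse_ehlo(msg.decode(errors="replace"))
        if "STARTTLS" not in before:
            return check_auth_policy(before, {})
        smtp.starttls(context=ctx)
        _, msg = smtp.ehlo()          # capabilities must be re-read after TLS
        after = parse_ehlo(msg.decode(errors="replace"))
    return check_auth_policy(before, after)


# Constructed EHLO bodies (not captured from a real server) in the shape
# smtplib returns: hostname first, one capability per line.
GOOD_PLAINTEXT_EHLO = ("mail.example.com\nPIPELINING\nSIZE 10240000\n"
                       "STARTTLS\nENHANCEDSTATUSCODES\n8BITMIME\nDSN")
GOOD_TLS_EHLO = ("mail.example.com\nPIPELINING\nSIZE 10240000\n"
                 "AUTH PLAIN LOGIN\nENHANCEDSTATUSCODES\n8BITMIME\nDSN")
# What a server looks like when smtpd_tls_auth_only is missing:
LEAKY_PLAINTEXT_EHLO = ("mail.example.com\nPIPELINING\nSTARTTLS\n"
                        "AUTH PLAIN LOGIN\n8BITMIME")


if __name__ == "__main__":
    # usage: python check_smtp_auth.py mail.example.com [cafile]
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for finding in probe(host, cafile=ca) or ["OK: AUTH only offered after STARTTLS"]:
        print(finding)
```

Run it from a machine outside mynetworks as well as inside; permit_mynetworks means a LAN client never needs to authenticate, so only an outside connection exercises the saslauthd path. The same idea applies to Cyrus, where the imaps/pop3s services in cyrus.conf avoid the problem by never speaking plaintext at all.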