Jim Flanagan wrote:
Sandy Drobic wrote:
The usual way is to use an authentication daemon that is queried by all mailservices: SMTP/Imap/POP3/Webmail
The default for Cyrus is saslauthd, which in turn queries PAM by default. On the positive side, saslauthd is pretty easy to set up, and everything will work. The negative side is that saslauthd will only use cleartext mechanisms, so you should set up TLS/SSL encryption to prevent password snooping.
You can also use a sasldb to auth against; that would give you encrypted challenge/response mechanisms like CRAM-MD5. It is a bit more complicated to set up, since you need to take care of access rights to the sasldb yourself.
Though for 15-20 users I would just use saslauthd and deny them a login shell.
Another question is how many domains you expect to administer on your server and what other services you might want to offer.
Hi Sandy,
Saslauthd sounds OK to me. I did set up SSL on my last install, so I think I can do that again. I restricted access to only ssl connections at my router (that made squirrelmail easier to set up). I did not get TLS working on that install, I was not sure where to put the certs for
Okay. Do yourself a favor and use the same certificate for all services, so users only have to import and verify one certificate instead of several.
that, so used a different smtp server till now when out of the house, and did not enable smtpd_sasl_auth_enable to prevent unencrypted messages as a result. I would like to get that going this time around
You can encrypt unauthenticated mail delivery; it is completely independent of SMTP auth. For example, if I send a mail to the opensuse listserver the transmission will be TLS encrypted but not authenticated.
too, but can get to that later if required. One step at a time. I do have postfix set to relay (inside lan) messages thru my ISP smtp server. I don't believe that is encrypted.
There's not much use for encryption if you have to relay via your provider anyway.
So, for my 15-20 users, are you saying to use saslauthd with pam and deny them shell access? In this case could I set up the users in yast, but check the box that says disable user login? Is that all there is to it? You probably don't use yast for any of this.
Yes, that's the easiest way. Actually, I do use yast to set up users, though I don't use yast to configure the services.
OK, regarding users, I did set up two new users in yast, but when I click the disable login box, those users cannot access the mailbox in cyrus. If I un-check that box to allow them to log in, they can access their mailbox. So this is not yet what I want. I need to somehow limit their access to only email services, still unclear on how to do that. I have not edited the main.cf yet, more on that further down.
As to the number of domains, I'm only serving one at present. I guess it's conceivable that I could add a few more, say 1 to 4 more? Possibly. As
The real question here is if these domains will have independent mailboxes or if all domains point to the same user in the end:
Postfix domain classes:

mydestination:           user1@example.com  = user1@example.net   login name:  user1
virtual_mailbox_domains: user1@example.com != user1@example.net   login names: user1@example.com, user1@example.net

So the question should be considered now, before you have to migrate your setup to virtual_mailbox_domains if you need to have independent addresses in your domains.
Are you saying here that using the first method, mydestination, user1 will have access to both example.com AND example.net? So in this case I couldn't have a different individual, both with the same name of say user1, one at example.com and the other at example.net. I've never considered these two different setups you are describing, but understand this needs to be decided first.
to services, I didn't mention but my old install does offer squirrelmail on the one domain, and that works fine. I have it set to switch over to an ssl connection for the entire session. It is conceivable that I could offer web hosting for a few domains as well, but not a large number. I'm on a home internet service. I don't see adding ftp or anything else. I would use ssh for remote admin purposes, and have used scp too, but that would only be for me. That's all I can think of for now.
Okay, so we only need to consider Postfix/Cyrus/Squirrelmail/saslauthd.
A basic setup would look like this:
saslauthd is installed (and also the sasl libraries for the mechs) and configured to auth against pam. This is the default for saslauthd, so you should be able to use it out of the box:
saslauthd and PAM should already have these settings out of the box:

Saslauthd: /etc/sysconfig/saslauthd:
SASLAUTHD_AUTHMECH="pam"

PAM: /etc/pam.d/imap
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/pop
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/sieve
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session

/etc/pam.d/smtp
#%PAM-1.0
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
All the above is set up the same on my machine, just like you laid it out.
Postfix might need manual work:
Postfix: /etc/sasl2/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login
The above here is also set up the same. I have not edited the below to make these changes. I'll try adding permit_sasl_authenticated, as this looks like it may solve my user login issue. Will try that and revert.
/etc/postfix/main.cf:
# auth
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
# tls
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/server.crt
smtpd_tls_key_file = /etc/postfix/certs/server.key
smtpd_tls_security_level = may

Cyrus: /etc/cyrus.conf:
# activate tls/ssl encryption
SERVICES {
    imaps  cmd="imapd -s"  listen="imaps"  proto="tcp4"  prefork=0
    pop3s  cmd="pop3d -s"  listen="pop3s"  proto="tcp4"  prefork=0
}

/etc/imapd.conf:
# auth
sasl_pwcheck_method: saslauthd
sasl_security_options: noanonymous
sasl_mech_list: plain login
# tls
tls_cert_file: /var/lib/imap/ssl/server.crt
tls_key_file: /var/lib/imap/ssl/server.key
tls_ca_path: /usr/ssl/CA
A bit of advice: don't implement everything at once. Do it in small steps, so you can understand the changes and retrace if necessary.
As you can tell, I am taking this slowly, and one step at a time. I can't work on this every day, but will do more this weekend.
Thanks, Jim
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
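The one setting in the thread that actually keeps the saslauthd passwords off the wire is smtpd_tls_auth_only = yes: saslauthd only does PLAIN and LOGIN, so if Postfix advertises AUTH before STARTTLS the password crosses the network base64-encoded, not encrypted. As an added example (not code from either poster, and not a Postfix tool), here is a small POSIX shell script that reads a main.cf-style file and flags SMTP AUTH enabled without that protection. The function names pf_get and check_auth_tls and the two sample configuration files are mine; the sample files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): flag a Postfix main.cf that offers
# SMTP AUTH with cleartext mechanisms (PLAIN/LOGIN, all saslauthd can do)
# without forcing STARTTLS first.

# pf_get FILE KEY: print the effective value of KEY in a main.cf-style file.
# Handles comments, blank lines, "key = value" and indented continuation
# lines; a later setting overrides an earlier one, as postconf does.
pf_get() {
    awk -v key="$2" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }
        /^[ \t]/ {
            if (cur != "") {
                v = $0; gsub(/^[ \t]+|[ \t]+$/, "", v)
                vals[cur] = vals[cur] " " v
            }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            vals[k] = v; cur = k
        }
        END { v = vals[key]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    ' "$1"
}

# check_auth_tls FILE: return 0 if SMTP AUTH is either off or only offered
# inside TLS, 1 otherwise (with a one-line reason on stdout).
check_auth_tls() {
    f="$1"
    sasl=$(pf_get "$f" smtpd_sasl_auth_enable)
    tls=$(pf_get "$f" smtpd_tls_security_level)
    only=$(pf_get "$f" smtpd_tls_auth_only)

    # No AUTH at all: nothing to protect (the setup Jim had before).
    [ "$sasl" = "yes" ] || return 0

    # Empty smtpd_tls_security_level falls back to the legacy smtpd_use_tls.
    if [ -z "$tls" ] && [ "$(pf_get "$f" smtpd_use_tls)" = "yes" ]; then
        tls=may
    fi
    case "$tls" in
        may|encrypt) ;;
        *) echo "$f: SASL enabled but smtpd_tls_security_level='$tls' (no STARTTLS)"
           return 1 ;;
    esac
    if [ "$only" != "yes" ]; then
        echo "$f: SASL enabled but smtpd_tls_auth_only is not 'yes' (AUTH PLAIN/LOGIN offered in cleartext)"
        return 1
    fi
    return 0
}

# Constructed sample files (not real configs from the thread).
WEAK_CF=$(mktemp) && SAFE_CF=$(mktemp) || exit 1
trap 'rm -f "$WEAK_CF" "$SAFE_CF"' EXIT
cat > "$WEAK_CF" <<'EOF'
# AUTH is advertised before STARTTLS: the password goes over the wire in base64
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
EOF
cat > "$SAFE_CF" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination
EOF

check_auth_tls "$SAFE_CF" && echo "$SAFE_CF: ok"
check_auth_tls "$WEAK_CF" || echo "$WEAK_CF: fix before enabling smtpd_sasl_auth_enable"
```

Run it against a real file with check_auth_tls /etc/postfix/main.cf after sourcing the functions, or simply read the values with postconf -n on the box itself. Postfix's own belt-and-braces for the same risk is smtpd_sasl_security_options = noanonymous, noplaintext together with smtpd_sasl_tls_security_options = noanonymous, which refuses PLAIN/LOGIN unless the session is already encrypted even if smtpd_tls_auth_only is ever unset again.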