Complete Virtual Mail Server/SMTP Authentication/ja

Introduction
So far only localhost has been allowed to send mail. Unfortunately postfix cannot talk to courier-authlib directly; there is, however, an intermediary: cyrus-sasl. cyrus-sasl can obtain the authentication information in three ways: directly from the database, locally, or remotely. A setup using this approach looks like this:

courier-imap -> courier-authlib --\
                                   +--> database
postfix      -> cyrus-sasl -------/

With a little more complexity, cyrus-sasl can instead be made to talk through courier-authlib and leave the actual authentication to courier-authlib:

courier-imap --------------------\
                                  +-> courier-authlib -> database
postfix      -> cyrus-sasl ------/

Ideally the second option is the one used, as only a single authentication back-end, courier-authlib, is then involved. The cyrus-sasl plugin that talks to courier-authlib only works over a unix socket, however, so it cannot be used when courier-authlib is not running on the same host as cyrus-sasl. The first approach should therefore only be used when courier-authlib's socket is not reachable from the host running cyrus-sasl.

Installing cyrus-sasl
The required USE flag for cyrus-sasl must be enabled; without it, crypted passwords from the database cannot be used for authentication. cyrus-sasl with the correct USE flag should already have been pulled in while emerging postfix earlier.

Configuring postfix with cyrus-sasl
Postfix needs a few options to tell it to use SASL. These are not present in the default configuration file, so they have to be added.

With authdaemond
Postfix queries the socket created by authdaemond. The socket is protected by owner and group permissions, so the postfix user has to be granted access to it.

Next, cyrus-sasl needs to be told to authenticate via authdaemond:
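As an added example (the editor's own, not configuration from this wiki page or from the Postfix project), the following script places a weak main.cf fragment beside a corrected one and audits both for the SASL settings this section adds. The parameter names are real Postfix parameters; the chosen values, the smtpd.conf contents, the /etc/sasl2/smtpd.conf location and the authdaemond socket path are assumptions to be checked against the local installation.

```shell
#!/bin/sh
# Added example by the editor, not configuration from the wiki page or the
# Postfix project. Shows the main.cf settings for SMTP AUTH via cyrus-sasl
# beside a weak variant, plus a small audit that reports what is missing.
# Parameter names are real Postfix parameters; values, smtpd.conf contents and
# the authdaemond socket path are assumptions.

# Deliberately weak main.cf fragment (constructed sample): SASL is on, but the
# ANONYMOUS mechanism is not excluded and nothing rejects relaying to foreign
# destinations, so the server is an open relay.
WEAK_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated'

# Corrected fragment (constructed sample). permit_sasl_authenticated must come
# before reject_unauth_destination, or authenticated remote users are still
# refused relaying.
GOOD_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# cyrus-sasl side (assumed location /etc/sasl2/smtpd.conf): hand passwords to
# courier-authlib's authdaemond over its unix socket. The path is the usual
# Gentoo location but is an assumption here.
SMTPD_CONF='pwcheck_method: authdaemond
authdaemond_path: /var/lib/courier/authdaemon/socket
mech_list: PLAIN LOGIN'

# cf_get CONFIG NAME: value of the last "NAME = value" line in CONFIG
# (single-line values only; Postfix continuation lines are not handled).
cf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_sasl_cf CONFIG: print one finding per line; return 1 if any were found.
audit_sasl_cf() {
    rc=0
    if [ "$(cf_get "$1" smtpd_sasl_auth_enable)" != "yes" ]; then
        echo "smtpd_sasl_auth_enable is not yes: no client can authenticate"; rc=1
    fi
    case " $(cf_get "$1" smtpd_sasl_security_options) " in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous: ANONYMOUS would be offered"; rc=1 ;;
    esac
    restr=$(cf_get "$1" smtpd_recipient_restrictions)
    case "$restr" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination: open relay"; rc=1 ;;
    esac
    # permit_sasl_authenticated must appear in the part before reject_unauth_destination
    case "${restr%%reject_unauth_destination*}" in
        *permit_sasl_authenticated*) ;;
        *) echo "permit_sasl_authenticated missing or after reject_unauth_destination: authenticated users cannot relay"; rc=1 ;;
    esac
    return $rc
}

echo "== weak fragment =="
audit_sasl_cf "$WEAK_CF" || echo "-> fix these before exposing port 25"
echo "== corrected fragment =="
audit_sasl_cf "$GOOD_CF" && echo "-> no findings"
echo "== smtpd.conf for authdaemond =="
printf '%s\n' "$SMTPD_CONF"
```

Run it as-is to see the two audits; to check a live system, pass the output of `postconf -n` (which prints the non-default main.cf settings in the same "name = value" form) instead of the constructed fragments.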

Testing
To verify SASL support, connect with telnet and check the EHLO response for the AUTH statement:

The next test is to log in from a remote host and try to send a test message.

If perl with the base64 module is installed, it can be used to generate the base64 encoded data. Otherwise the conversion can be done with an online tool; as before, never paste production credentials into an untrusted site.
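As an added example of the test procedure above (the editor's own script, not part of the wiki page), the following shell functions produce the base64 blobs a client sends for AUTH PLAIN and AUTH LOGIN, which is the job the page gives to perl, check a captured EHLO response for the AUTH advertisement, and print the client side of a test session. The EHLO transcripts, hostnames and credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example by the editor, not from the wiki page. Builds the base64 blobs
# a client sends for AUTH PLAIN and AUTH LOGIN and checks an EHLO response for
# the AUTH advertisement. The EHLO transcripts, hostnames and credentials
# below are constructed placeholders.

# base64 without line wrapping (coreutils base64 wraps long output at 76 columns).
b64() { base64 | tr -d '\n'; }

# AUTH PLAIN (RFC 4616): one blob of base64("\0" authcid "\0" password); the
# empty first field is the authorization identity, which is not needed here.
auth_plain_token() { printf '\000%s\000%s' "$1" "$2" | b64; }

# AUTH LOGIN: the server prompts "334 VXNlcm5hbWU6" (Username:) and
# "334 UGFzc3dvcmQ6" (Password:); each reply is a bare base64 field.
auth_login_field() { printf '%s' "$1" | b64; }

# ehlo_advertises_auth: read an EHLO response on stdin and succeed if the
# server lists SASL AUTH, either as "250-AUTH PLAIN LOGIN" or in the
# "250-AUTH=PLAIN LOGIN" form Postfix adds for broken_sasl_auth_clients = yes.
ehlo_advertises_auth() { tr -d '\r' | grep -Eq '^250[- ]AUTH[ =]'; }

# smtp_auth_dialog USER PASS: client lines for a test session. Paste them into
# "openssl s_client -starttls smtp -connect host:25" rather than telnet:
# base64 is encoding, not encryption, so over plain telnet the password
# crosses the network in the clear.
smtp_auth_dialog() {
    printf 'EHLO client.example.com\n'
    printf 'AUTH PLAIN %s\n' "$(auth_plain_token "$1" "$2")"
    printf 'MAIL FROM:<%s>\n' "$1"
    printf 'RCPT TO:<postmaster@example.net>\nDATA\nSubject: sasl test\n\ntest\n.\nQUIT\n'
}

# Constructed sample EHLO responses: one with SASL enabled, one without.
EHLO_WITH_AUTH='250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'
EHLO_WITHOUT_AUTH='250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME'

printf '%s\n' "$EHLO_WITH_AUTH" | ehlo_advertises_auth && echo "sample 1: AUTH advertised"
printf '%s\n' "$EHLO_WITHOUT_AUTH" | ehlo_advertises_auth \
    || echo "sample 2: no AUTH (SASL off, or only offered after STARTTLS via smtpd_tls_auth_only)"
echo "== client side of a test session =="
smtp_auth_dialog user@example.net secret
```

If the AUTH line is missing over plain telnet but present after STARTTLS, that is `smtpd_tls_auth_only = yes` doing its job, not a SASL failure; test with `openssl s_client -starttls smtp` in that case.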

Wrapping it up
Once everything works as expected, debugging can be disabled (or the line removed entirely):

Optionally the setting that writes the login name into the message header can be disabled again. It is very handy for tracking down mailing issues reported by users, but it is also a potential security issue: as mentioned earlier, the user's login name ends up in the header of every message they send. On the other hand, if the login name is the local part of the e-mail address, or the e-mail address itself, it is already visible to every recipient, so little is lost. Some caution is advised, but it should not be a huge issue.