Talk:Complete Virtual Mail Server/SMTP Authentication

From Gentoo Wiki
Note
This is a Talk page - please see the documentation about using talk pages. Add newer comments below older ones, sign comments using four tildes (~~~~), and indent successive comments with colons (:). Add new sections at the bottom of the page, under a heading (== ==). Please remember to mark sections as "open for discussion" using {{talk|open}}, so they will show up in the list of open discussions.

Todo

Talk status
This discussion is still ongoing.

Several things can be considered todo for this section: a section to add postgres authentication directly to cyrus-sasl or dovecot-sasl, which can be extra interesting when dovecot imap is used instead of cyrus sasl.

— The preceding unsigned comment was added by Oliver (talkcontribs) 29 November 2011‎

Postfix 2.10

Talk status
This discussion is still ongoing.

Since Postfix 2.10 (http://www.postfix.org/announcements/postfix-2.10.0.html), smtpd_relay_restrictions and smtpd_recipient_restrictions have been separated. The config should be something like this:

  • smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
  • smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

— The preceding unsigned comment was added by Zaratan (talkcontribs) 19 July 2013

*******
I got errors with the above. A better relay_restrictions is:

disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_client_access hash:/usr/local/etc/postfix/broken_helo_clients,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_invalid_helo_hostname

smtpd_client_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_client_access hash:/usr/local/etc/postfix/broken_helo_clients,
        reject_unknown_client_hostname

smtpd_sender_restrictions =
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain

smtpd_relay_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks

smtpd_data_restrictions = reject_unauth_pipelining

— The preceding unsigned comment was added by Wamarine (talkcontribs) 30 August 2013
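The two comments above turn on one question: which restriction list actually decides relaying, and does it contain reject_unauth_destination before any permit that an unauthenticated client could satisfy. The following is an added example (not code from the wiki page or from Postfix) that parses a main.cf fragment, honouring Postfix continuation lines, and reports the relay-control mistakes a reviewer would look for. The sample fragments are constructed here; the fallback to smtpd_recipient_restrictions when smtpd_relay_restrictions is absent mirrors pre-2.10 semantics and is an assumption about the server version being checked.

```python
"""Sanity-check Postfix smtpd_*_restrictions for relay-control mistakes.

Added example, not part of the wiki page or of Postfix itself.
"""
import re

# Constructed sample: the Postfix 2.10 layout from the first comment.
SAMPLE_OK = """
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks
"""

# Constructed sample: continuation-line style as in the second comment.
SAMPLE_CONTINUATION = """
smtpd_relay_restrictions =
        permit_sasl_authenticated
        permit_mynetworks,
        reject_unauth_destination
smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
"""

# Constructed sample: no relay list at all and no reject in the recipient
# list. On a pre-2.10 server this is an open relay.
SAMPLE_OPEN_RELAY = """
smtpd_recipient_restrictions =
        permit_sasl_authenticated
        permit_mynetworks
"""

RELAY_DENIALS = {"reject_unauth_destination", "defer_unauth_destination"}


def _tokens(fragment):
    # Postfix separates list items by commas and/or whitespace.
    return [t for t in re.split(r"[,\s]+", fragment.strip()) if t]


def parse_main_cf(text):
    """Return {parameter: [item, ...]}.

    A line that begins with whitespace continues the previous parameter,
    which is how Postfix reads multi-line restriction lists.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += _tokens(raw)
        else:
            key, _, value = raw.partition("=")
            current = key.strip()
            params[current] = _tokens(value)
    return params


def relay_findings(params):
    """Return human-readable findings; an empty list means nothing found."""
    relay = params.get("smtpd_relay_restrictions")
    if relay is not None:
        name, deciding = "smtpd_relay_restrictions", relay
    else:
        # Assumption: pre-2.10 semantics, where the recipient list decides.
        name, deciding = "smtpd_recipient_restrictions", params.get(
            "smtpd_recipient_restrictions", [])
    findings = []
    present = RELAY_DENIALS & set(deciding)
    if not present:
        findings.append(f"{name} has no reject_unauth_destination: open relay")
        return findings
    reject_idx = min(deciding.index(r) for r in present)
    for permit in ("permit_sasl_authenticated", "permit_mynetworks"):
        if permit in deciding and deciding.index(permit) > reject_idx:
            findings.append(
                f"{permit} follows the reject in {name}: it never permits relaying")
    return findings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK),
                          ("continuation", SAMPLE_CONTINUATION),
                          ("open relay", SAMPLE_OPEN_RELAY)):
        print(label, relay_findings(parse_main_cf(sample)) or "no findings")
```

Run against a real main.cf, the parser only looks at the two relay-related lists; the other lists in the second comment (helo, client, sender) are parsed but not judged, since their order affects spam filtering rather than who may relay.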

Using PAM pgsql

Talk status
This discussion is still ongoing.

I had difficulties authenticating smtp connections using this setup.

From: Postfix SASL Howto [1]:

The sql auxprop plugin is a generic SQL plugin. It provides access to credentials stored in a MySQL, PostgreSQL or SQLite database. This plugin requires that SASL client passwords are stored as plaintext.
If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, see section "Using saslauthd with PAM", and configure PAM to look up the encrypted passwords with, for example, the pam_mysql module. You will not be able to use any of the methods that require access to plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-MD5.

To get the pam_pgsql setup working the following is required:

root # emerge --ask sys-auth/pam-pgsql

FILE /etc/sasl2/smtpd.conf: Use saslauthd for authentication
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5

FILE /etc/pam.d/smtp: When using the SMTP PAM service, use the pgsql module
auth        required    pam_pgsql.so
account     required    pam_pgsql.so

FILE /etc/security/pam_pgsql.conf: pam-pgsql setup
connect = dbname=postfix user=postfix password=$password
auth_query = SELECT password FROM mailbox WHERE local_part = %u
pw_type = crypt

Lemmerk (talk) 08:30, 13 February 2014 (UTC)
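The quoted Postfix SASL Howto text explains why the smtpd.conf in the comment above is inconsistent with its own password store: saslauthd only ever receives a username and password pair to verify, so it cannot serve a shared-secret challenge such as DIGEST-MD5, and with pw_type = crypt there is no plaintext for any other backend to use either. The following is an added example (not code from the wiki page, Cyrus SASL or Postfix) that reads a Cyrus SASL smtpd.conf and lists the mech_list entries that saslauthd cannot verify. The sample configurations are constructed here; the rule that saslauthd serves only PLAIN and LOGIN is taken from Cyrus SASL's documented behaviour.

```python
"""Flag SASL mechanisms that saslauthd cannot verify.

Added example, not part of the wiki page, Cyrus SASL or Postfix.
"""

# Constructed sample: the smtpd.conf as posted above.
SAMPLE_AS_POSTED = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5
"""

# Constructed sample: the same file with only mechanisms saslauthd can serve.
SAMPLE_FIXED = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
"""

# saslauthd checks a (username, password) pair against PAM or another
# backend; it never holds a secret it could use to answer a challenge,
# so only the plaintext mechanisms can be verified through it.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}


def parse_sasl_conf(text):
    """Parse 'key: value' lines into a dict; keys are lower-cased."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def unusable_mechanisms(conf):
    """Return mech_list entries that cannot authenticate anyone via saslauthd.

    Returns an empty list when pwcheck_method is not saslauthd, because the
    other pwcheck methods (auxprop plugins) may hold plaintext passwords and
    the rule does not apply to them.
    """
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return []
    mechs = conf.get("mech_list", "").upper().split()
    return [m for m in mechs if m not in SASLAUTHD_MECHS]


if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED)):
        print(label, unusable_mechanisms(parse_sasl_conf(sample)) or "all usable")
```

Offering DIGEST-MD5 in this setup is not merely useless: a client that picks it will fail authentication and may never fall back to PLAIN, which is a likely cause of the "difficulties authenticating" described in the comment.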

cyrus-sasl fail

Talk status
This discussion is still ongoing.

I cannot get even cyrus-sasl to compile.

Calculating dependencies... done! [ebuild R ] dev-libs/cyrus-sasl-2.1.26-r9 USE="authdaemond*"

>>> Failed to execute postinst for dev-libs/cyrus-sasl-2.1.26-r9
>>> Jobs: 1 of 1 complete                           Load avg: 1.09, 0.38, 0.22
* Messages for package dev-libs/cyrus-sasl-2.1.26-r9:
* FAILED postinst: 1
* ERROR: dev-libs/cyrus-sasl-2.1.26-r9::gentoo failed (postinst phase):
*   Failed to generate sasldb2
# less /var/tmp/portage/dev-libs/cyrus-sasl-2.1.26-r9/temp/build.log
/var/tmp/portage/dev-libs/cyrus-sasl-2.1.26-r9/temp/build.log: No such file or directory

Will file a bug report. See https://bugs.gentoo.org/show_bug.cgi?id=192753#c10

Rico666 (talk) 09:25, 25 June 2015 (UTC)

Using cyrus-sasl with courier-authlib

Talk status
This discussion is still ongoing.
courier-imap ------------\
                          -> courier-authlib -> database
postfix -> cyrus-sasl ---/

I had to compile cyrus-sasl without database support (USE= -mysql -berkdb -postgres) to get the authentication working. I hope this helps somebody.

— The preceding unsigned comment was added by Vice (talkcontribs) 21 August 2015