292434Re: Setting up secure submission for remote users
- Apr 8, 2013On 04/08/2013 01:32 AM, LuKreme wrote:
> I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've setup postfix 2.8.14 I want to also setup secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.I would personally recommend using dovecot for SASL, especially if you
> I built postfix with:
> make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'
> Seems to work:
> # postconf -a
> # postconf -A
> Also, the SASL Readme says:
> Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
> Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.
> (I am running 2.1.22_2)
don't need client SASL (from postfix to remote servers); dovecot is way,
way easier to set up, and evolves quite nicely.
It's also ridiculously easy to set up from scratch:
> postconf -nSubmission should disable all of the above (in master.cf) except
> smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatter permit
> smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
> smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
> smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks
You can prefix that with any reject_ restrictions you wish to impose on
your users, such as a proper sender- and/or recipient domain.
The clue is that there should be no permit_ rules before /or/ after
permit_sasl_authenticated, and the last rule should be an explicit "reject".
- << Previous post in topic Next post in topic >>