Loading ...
Sorry, an error occurred while loading the content.

292434Re: Setting up secure submission for remote users

Expand Messages
  • Jeroen Geilman
    Apr 8, 2013
      On 04/08/2013 01:32 AM, LuKreme wrote:
      > I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've setup postfix 2.8.14 I want to also setup secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.
      >
      > I built postfix with:
      >
      > make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'
      >
      > Seems to work:
      > # postconf -a
      > cyrus
      > dovecot
      > # postconf -A
      > cyrus
      >
      > Also, the SASL Readme says:
      > Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
      > Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.
      >
      > (I am running 2.1.22_2)

      I would personally recommend using dovecot for SASL, especially if you
      don't need client SASL (from postfix to remote servers); dovecot is way,
      way easier to set up, and evolves quite nicely.

      It's also ridiculously easy to set up from scratch:

      http://www.postfix.org/SASL_README.html#server_dovecot


      > postconf -n
      > smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatter permit
      > smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
      > smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
      > smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks

      Submission should disable all of the above (in master.cf) except
      "smtpd_recipient_restrictions=permit_sasl_authenticated,reject".
      You can prefix that with any reject_ restrictions you wish to impose on
      your users, such as a proper sender- and/or recipient domain.
      The clue is that there should be no permit_ rules before /or/ after
      permit_sasl_authenticated, and the last rule should be an explicit "reject".

      --
      J.
    • Show all 12 messages in this topic