
SASL user restriction

  • Gaby vanhegan
    Message 1 of 6, Jun 4, 2006
      Hi,

      I have SASL working and authenticating in postfix, and over SSL and TLS quite happily.  I have had to go down the getpwent() route for user authentication, which effectively means that every account with a password in /etc/passwd can authenticate and send mail.  I don't really want to use sasldb or an SQL backend, if avoidable.

      How can I limit this in postfix to a subset of these users?  Can I do this:

      smtpd_client_restrictions = hash:/etc/postfix/relay_users, ...

      And then have a list of user names in /etc/postfix/relay_users that are allowed to relay?  Can I limit the sasl authentication to only allow users who are in a given group?

      On my previous qmail setup, there was a poppasswd file that had username/passwords that were allowed to relay, and this was checked using checkpasswd, an external program.  I suspect that I can use this with saslauthd, which would restrict the usernames more effectively, as well as provide CRAM-MD5 authentication, but the documentation for cyrus-sasl seems non-existent.

      I feel like I'm stumbling around in the dark here.  Can anybody help?

      Gaby

      --
      Junkets for bunterish lickspittles since 1998!


    • Andreas Winkelmann
      Message 2 of 6, Jun 4, 2006
        Am Sunday 04 June 2006 17:14 schrieb Gaby vanhegan:

        > I have SASL working and authenticating in postfix, and over SSL and
        > TLS quite happily. I have had to go down the getpwent() route for
        > user authentication, which effectively means that every account with
        > a password in /etc/passwd can authenticate and send mail. I don't
        > really want to use sasldb or an SQL backend, if avoidable.
        >
        > How can I limit this in postfix to a subset of these users? Can I do
        > this:
        >
        > smtpd_client_restrictions = hash:/etc/postfix/relay_users, ...
        >
        > And then have a list of user names in /etc/postfix/relay_users that
        > are allowed to relay? Can I limit the sasl authentication to only
        > allow users who are in a given group?
        >
        > On my previous qmail setup, there was a poppasswd file that had
        > username/passwords that were allowed to relay, and this was checked
        > using checkpasswd, an external program. I suspect that I can use
        > this with saslauthd, which would restrict the usernames more
        > effectively, as well as provide CRAM-MD5 authentication, but the
        > documentation for cyrus-sasl seems non-existent.
        >
        > I feel like I'm stumbling around in the dark here. Can anybody help?

        http://www.postfix.org/RESTRICTION_CLASS_README.html#external

        --
        Andreas
      • Gaby vanhegan
        Message 3 of 6, Jun 4, 2006

          On 4 Jun 2006, at 16:29, Andreas Winkelmann wrote:

          > Am Sunday 04 June 2006 17:14 schrieb Gaby vanhegan:
          >
          > > I have SASL working and authenticating in postfix, and over SSL and
          > > TLS quite happily.  I have had to go down the getpwent() route for
          > > user authentication, which effectively means that every account with
          > > a password in /etc/passwd can authenticate and send mail.  I don't
          > > really want to use sasldb or an SQL backend, if avoidable.
          > >
          > > How can I limit this in postfix to a subset of these users?


          This is indeed one way round it.  I was thinking of something that was more tied in with the SASL layer.  One idea was to put all the users with SMTP-AUTH access into one group, and have SASL only permit those accounts.  This restriction class still means that somebody could spoof the FROM address in the SMTP conversation.  I really need something with a password, so something in SASL or the auth layer would be better.

          Is using auxprop in some way going to help at all, in cyrus-sasl?

          Gaby

          --

          Junkets for bunterish lickspittles since 1998!



        • Andreas Winkelmann
          Message 4 of 6, Jun 4, 2006
            Am Sunday 04 June 2006 17:50 schrieb Gaby vanhegan:

            > >> I have SASL working and authenticating in postfix, and over SSL and
            > >> TLS quite happily. I have had to go down the getpwent() route for
            > >> user authentication, which effectively means that every account with
            > >> a password in /etc/passwd can authenticate and send mail. I don't
            > >> really want to use sasldb or an SQL backend, if avoidable.
            > >>
            > >> How can I limit this in postfix to a subset of these users?
            > >
            > > http://www.postfix.org/RESTRICTION_CLASS_README.html#external
            >
            > This is indeed one way round it. I was thinking of something that
            > was more tied in with the SASL layer. One idea was to put all
            > the users with SMTP-AUTH access into one group, and have SASL only
            > permit those accounts. This restriction class still means that
            > somebody could spoof the FROM address in the SMTP conversation. I
            > really need something with a password, so something in SASL or the
            > auth layer would be better.

            http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
            http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch

            > Is using auxprop in some way going to help at all, in cyrus-sasl?

            --
            Andreas
          • Gaby vanhegan
            Message 5 of 6, Jun 4, 2006

              On 4 Jun 2006, at 17:52, Andreas Winkelmann wrote:

              > Am Sunday 04 June 2006 17:50 schrieb Gaby vanhegan:
              >
              > > This is indeed one way round it.  I was thinking of something that
              > > was more tied in with the SASL layer.  One idea was to put all
              > > the users with SMTP-AUTH access into one group, and have SASL only
              > > permit those accounts.  This restriction class still means that
              > > somebody could spoof the FROM address in the SMTP conversation.  I
              > > really need something with a password, so something in SASL or the
              > > auth layer would be better.


              For example, I have two accounts on the system, userx and usery.  I only want usery to be able to send mail through this server using SMTP-AUTH, from domain.com:

              /etc/postfix/main.cf:
              myhostname=mailhost.com
              ...
              smtpd_sender_login_maps=hash:/etc/postfix/relay_users
              smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

              /etc/postfix/relay_users:
              @... usery

              This setup prevents userx from relaying mail through this machine, whilst usery can send mail, provided it's from <something>@....  Is this correct?  Another account on that machine (such as userz) would be unable to relay mail as well?

              Gaby

              --

              Junkets for bunterish lickspittles since 1998!



            • Gaby vanhegan
              Message 6 of 6, Jun 5, 2006

                On 4 Jun 2006, at 19:39, Gaby vanhegan wrote:

                > For example, I have two accounts on the system, userx and usery.  I only want usery to be able to send mail through this server using SMTP-AUTH, from domain.com:
                >
                > /etc/postfix/main.cf:
                > myhostname=mailhost.com
                > ...
                > smtpd_sender_login_maps=hash:/etc/postfix/relay_users
                > smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
                >
                > /etc/postfix/relay_users:
                > @... usery
                >
                > This setup prevents userx from relaying mail through this machine, whilst usery can send mail, provided it's from <something>@....  Is this correct?  Another account on that machine (such as userz) would be unable to relay mail as well?

                This seems to work fine for the moment but is not totally ideal.  I'd like to prevent unlisted users from even logging in with SMTP-AUTH, not just having their sending access restricted.  Is there a way to make the setup above restrict access at the AUTH stage rather than the MAIL FROM stage?

                Gaby

                --

                Junkets for bunterish lickspittles since 1998!


