Posted: Thu Oct 21, 2004 11:12 am Post subject: Autenticazione SASL + TLS + Postfix
Cari amici, vi scrivo dopo aver passato giorni di disperazione nella configurazione di quanto in oggetto.
Nonostante tutto sono riuscito ad installare e configurare postfix con tls in modo tale che solo i client che hanno tls attivo possano inviare mail.
Il mio problema è ora quello di configurare postfix in modo tale che oltre all'obbligo d'usare TLS il client sia anche obbligato ad utilizzare utente e password.
Tutta la configurazione utilizza MySQL per gestire gli utenti virtuali e soprattutto non uso saslauthd.
Vi posto i miei file di configurazione.
Qualcuno può aiutarmi?
main.cf
### MAIN.CF
# ===================================== GLOBAL CONFIGURATION SECTION ==================================================
# NOTE(review): in main.cf a comment must start in column 0; any line that
# starts with whitespace is read as a continuation of the previous parameter.
home_mailbox = Maildir/
inet_interfaces = all
# Trusted networks. Only permit_mynetworks uses this list, and that
# restriction is not in the active lists below, so the LAN gets no relay
# privilege from it (clients there must authenticate too).
mynetworks = 192.168.0.0/24, 127.0.0.0/8
recipient_delimiter = +
mydestination = $myhostname, $transport_maps
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
# local_transport = local
# mailbox_transport = smtp
myhostname = cabubbi
mydomain = andrealaipec.com
# mydomain = ciccio.com
myorigin = $mydomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
# NOTE(review): the two lines following debugger_command must begin with
# whitespace to be read as continuations; the forum may have stripped it.
debugger_command = \
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin \
xxgdb $daemon_directory/$process_name $process_id & sleep 5 \
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = no
# ================ VIRTUAL DOMAIN MANAGEMENT ON MYSQL =================================================================
virtual_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
# virtual_minimum_uid = 1000
# virtual_transport = virtual
# virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
# virtual_mailbox_base = /home/vmail
# virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
# virtual_mailbox_limit = 51200000
# virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
# virtual_gid_maps = static:1004
# virtual_minimum_uid = 1004
# virtual_uid_maps = static:1004
# virtual_transport = virtual
# Additional for quota support
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = Attenzione, l'utente ha superato la propria quota disco, riprova piu' tardi.
#virtual_overquota_bounce = yes
#If you want to use MySQL also to store your Backup MX domains add this as well
#relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
# =============================== TLS AUTHENTICATION SERVER ============================================================
# SASL on the receiving side (smtpd). The credentials themselves are checked
# by the Cyrus SASL library as configured in the smtpd.conf posted below,
# not by Postfix.
smtpd_sasl_auth_enable = yes
# NOTE(review): smtpd_sasl2_auth_enable is not a stock Postfix parameter as
# far as I know (it appears in some vendor-patched builds); check the log /
# `postconf -n` for "unused parameter" warnings and drop it if unknown.
smtpd_sasl2_auth_enable = yes
# noanonymous alone still allows the cleartext PLAIN/LOGIN mechanisms; they
# are acceptable here only because smtpd_tls_auth_only below keeps AUTH off
# the unencrypted channel.
smtpd_sasl_security_options = noanonymous
# Empty realm: this influences the %r expansion in the sql query of
# smtpd.conf — see the note there.
smtpd_sasl_local_domain =
# smtpd_sasl_local_domain = $myhostname
# smtpd_sasl_application_name = smtpd
# Needed so that reject_unauth_destination in smtpd_client_restrictions
# below is evaluated at RCPT TO, when the recipient is known.
smtpd_delay_reject = yes
# NOTE(review): smtpd_sasl_password_maps is not a Postfix parameter as far as
# I know — the server side gets its password source from smtpd.conf — so this
# line is most likely ignored. The client-side one is smtp_sasl_password_maps.
smtpd_sasl_password_maps = mysql:/etc/postfix/mysql-password.cf
# smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# Relay policy: authenticated clients may relay anywhere, everybody else only
# to destinations this host accepts mail for. That is what an MX needs:
# unauthenticated remote MTAs must still be able to deliver to the local
# domains, so "AUTH required for everybody" cannot be expressed here without
# losing inbound mail. A separate submission service in master.cf is the
# usual place for an authenticated-only port.
# NOTE(review): check_relay_domains is a deprecated restriction and is
# redundant next to reject_unauth_destination; consider removing it.
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains, reject_unauth_destination
# permit_sasl_authenticated,
# permit_mynetworks,
# reject_non_fqdn_hostname,
# reject_non_fqdn_sender,
# reject_non_fqdn_recipient,
# reject_unauth_destination,
# reject_unauth_pipelining,
# reject_invalid_hostname,
# Client-level list; it repeats the relay check (this only works here
# because smtpd_delay_reject = yes above).
smtpd_client_restrictions = permit_sasl_authenticated, reject_unauth_destination
# permit_mynetworks,
# reject_unauth_destination,
# reject_rbl_client opm.blitzed.org,
# reject_rbl_client list.dsbl.org,
# reject_rbl_client bl.spamcop.net,
# reject_rbl_client sbl-xbl.spamhaus.org
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
# Every client, including remote MTAs delivering inbound mail, must issue
# STARTTLS; senders without TLS support are rejected (this is the "only TLS
# clients can send" behaviour described in the post). Deliberate here, but a
# real trade-off against receiving mail from the Internet at large.
smtpd_enforce_tls = yes
smtpd_use_tls = yes
# AUTH is advertised only inside a TLS session, so PLAIN/LOGIN credentials
# never travel in clear text.
smtpd_tls_auth_only = yes
# NOTE(review): the private key file must be readable by root only.
# newreq.pem is normally the request file produced by OpenSSL's CA.pl — make
# sure it actually contains the private key, or point smtpd_tls_key_file at
# the key file itself.
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
# smtpd_tls_per_site =
smtpd_tls_scert_verifydepth = 5
# Level 3 logs the whole TLS negotiation including hex dumps; fine while
# debugging, lower it (0 or 1) once the setup works.
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# =============================== TLS AUTHENTICATION CLIENT ============================================================
# NOTE(review): this section configures Postfix as an SMTP *client* (outbound
# delivery to other servers). Nothing here affects whether users must
# authenticate to this server, which is the question being asked.
# Server-side setting despite its place in this section: advertises AUTH in
# the non-standard "AUTH=" form that old Microsoft clients expect.
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = yes
# NOTE(review): smtp_sasl2_auth_enable, smtp_use_sasl, smtp_enforce_sasl,
# smtp_recipient_restrictions, smtp_client_restrictions, smtp_tls_auth_only
# and smtp_tls_received_header are not Postfix parameters as far as I know
# (access restrictions exist only for the smtpd server side); these lines
# are ignored and can be removed.
smtp_sasl2_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_sasl = yes
smtp_enforce_sasl = yes
smtp_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, reject
smtp_client_restrictions = permit_sasl_authenticated, reject
# smtp_sasl_security_options = noplaintext
# smtp_sasl_application_name = smtp
# Credentials this host presents to *remote* servers when delivering mail.
# NOTE(review): it points at the same MySQL map used on the server side;
# verify that the query returns "user:password" entries keyed by the remote
# host or domain, and not the local accounts' passwords.
smtp_sasl_password_maps = mysql:/etc/postfix/mysql-password.cf
# NOTE(review): smtp_sasl_tls_verified_security_options only exists in newer
# Postfix releases; on an older build it is an unused parameter.
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_tls_security_options = $smtp_sasl_security_options
# Forces TLS for ALL outbound delivery: mail to any destination that does not
# offer STARTTLS is deferred and eventually bounced. This is normally limited
# to specific sites via smtp_tls_per_site instead.
smtp_enforce_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtp_tls_auth_only = yes
# Client certificate/key presented to remote servers (same files as above;
# the same key-file remark applies).
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_key_file = /etc/postfix/newreq.pem
smtp_tls_CAfile = /etc/postfix/cacert.pem
# smtp_tls_per_site =
smtp_tls_scert_verifydepth = 5
# Same remark as for smtpd_tls_loglevel: 3 is a debugging level.
smtp_tls_loglevel = 3
smtp_tls_received_header = yes
smtp_tls_session_cache_timeout = 3600s
master.cf
#
# Postfix master process configuration file. Each logical line
# describes how a Postfix daemon program should be run.
#
# A logical line starts with non-whitespace, non-comment text.
# Empty lines and whitespace-only lines are ignored, as are comment
# lines whose first non-whitespace character is a `#'.
# A line that starts with whitespace continues a logical line.
#
# The fields that make up each line are described below. A "-" field
# value requests that a default value be used for that field.
#
# Service: any name that is valid for the specified transport type
# (the next field). With INET transports, a service is specified as
# host:port. The host part (and colon) may be omitted. Either host
# or port may be given in symbolic form or in numeric form. Examples
# for the SMTP server: localhost:smtp receives mail via the loopback
# interface only; 10025 receives mail on port 10025.
#
# Transport type: "inet" for Internet sockets, "unix" for UNIX-domain
# sockets, "fifo" for named pipes.
#
# Private: whether or not access is restricted to the mail system.
# Default is private service. Internet (inet) sockets can't be private.
#
# Unprivileged: whether the service runs with root privileges or as
# the owner of the Postfix system (the owner name is controlled by the
# mail_owner configuration variable in the main.cf file). Only the
# pipe, virtual and local delivery daemons require privileges.
#
# Chroot: whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
# The proxymap server can run chrooted, but doing so defeats most of
# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
# Wakeup time: automatically wake up the named service after the
# specified number of seconds. A ? at the end of the wakeup time
# field requests that wake up events be sent only to services that
# are actually being used. Specify 0 for no wakeup. Presently, only
# the pickup, queue manager and flush daemons need a wakeup timer.
#
# Max procs: the maximum number of processes that may execute this
# service simultaneously. Default is to use a globally configurable
# limit (the default_process_limit configuration parameter in main.cf).
# Specify 0 for no process count limit.
#
# Command + args: the command to be executed. The command name is
# relative to the Postfix program directory (pathname is controlled by
# the daemon_directory configuration variable). Adding one or more
# -v options turns on verbose logging for that service; adding a -D
# option enables symbolic debugging (see the debugger_command variable
# in the main.cf configuration file). See individual command man pages
# for specific command-line options, if any.
#
# General main.cf options can be overridden for specific services.
# To override one or more main.cf options, specify them as arguments
# below, preceding each option by "-o". There must be no whitespace
# in the option itself (separate multiple values for an option by
# commas).
#
# In order to use the "uucp" message tranport below, set up entries
# in the transport table.
#
# In order to use the "cyrus" message transport below, configure it
# in main.cf as the mailbox_transport.
#
# SPECIFY ONLY PROGRAMS THAT ARE WRITTEN TO RUN AS POSTFIX DAEMONS.
# ALL DAEMONS SPECIFIED HERE MUST SPEAK A POSTFIX-INTERNAL PROTOCOL.
#
# DO NOT SHARE THE POSTFIX QUEUE BETWEEN MULTIPLE POSTFIX INSTANCES.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
# Public port 25. NOTE(review): "-v" makes smtpd log the complete SMTP
# dialogue; keep it only while debugging and remove it afterwards — it is
# very noisy and the logged dialogue presumably includes the AUTH exchange.
# The "-o" line below must start with whitespace to count as a continuation
# of this entry (the forum may have stripped the indentation).
smtp inet n - n - - smtpd -v
-o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_wrappermode=no
# A dedicated submission service is the usual place to require AUTH for
# every client: enable one of the templates below and add
# "-o smtpd_client_restrictions=permit_sasl_authenticated,reject", so that
# port 25 above can keep accepting unauthenticated inbound mail.
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
# NOTE(review): tlsmgr is disabled here. The TLS-enabled Postfix builds use
# it for the TLS session cache and the PRNG seeding configured in main.cf;
# check the TLS README of this build if TLS sessions fail to negotiate.
#tlsmgr fifo - - n 300 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
# The "flags=..." lines of the pipe transports below are continuation
# lines as well and must be indented in the real file.
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus unix - n n - - pipe
user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
smtpd.conf
# Cyrus SASL configuration for the Postfix smtpd service.
# With the sql auxprop plugin the SASL library fetches the stored password
# and performs the comparison itself, so the "clear" column has to hold
# cleartext passwords. Restrict the MySQL account below to SELECT on that
# table only, and keep this file readable only by root and the Postfix
# user, since it contains sql_passwd.
pwcheck_method: auxprop
auxprop_plugin: sql
# Cleartext mechanisms only. Acceptable solely because main.cf sets
# smtpd_tls_auth_only = yes, so they are offered only inside a TLS session.
mech_list: PLAIN LOGIN
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_passwd: *****
sql_database: postfix
# NOTE(review): "sql_statment" is misspelled and is ignored by the plugin;
# the recognised keyword is sql_select (sql_statement on older Cyrus SASL
# releases). It duplicates the next line, so it can simply be dropped.
sql_statment: SELECT clear FROM postfix_smtp WHERE email = '%u@%r'
# %u is the authentication id and %r the realm. main.cf leaves
# smtpd_sasl_local_domain empty, so confirm (e.g. in the MySQL query log)
# which value actually reaches %r — presumably whatever the client sends.
sql_select: SELECT clear FROM postfix_smtp WHERE email = '%u@%r'
# Unencrypted connection to MySQL; fine only while the database stays on
# localhost.
sql_usessl: no
Grazie in anticipo per le risposte.