SASL SMTP認證

Postfix SASL SMTP認證配置

  1. pam_ldap

    debian:/etc/postfix# vi /etc/pam.d/smtp
    #%PAM-1.0
    auth required pam_ldap.so
    account sufficient /lib/security/pam_ldap.so
    			

  2. pam_ldap.conf

    Note

    redhat linux 中是/etc/ldap.conf

    host 127.0.0.1				
    base ou=postfix,dc=example,dc=net
    ldap_version 3
    binddn cn=admin,dc=example,dc=net
    bindpw chen
    #rootbinddn cn=admin,dc=example,dc=net
    scope sub
    pam_filter objectclass=postfix
    				

    Example 3. pam_ldap.conf

    debian:/etc# cat pam_ldap.conf
    ###DEBCONF###
    # the configuration of this file will be done by debconf as long as the
    # first line of the file says '###DEBCONF###'
    #
    # you should use dpkg-reconfigure to configure this file
    #
    # @(#)$Id: ldap.conf,v 1.28 2003/05/29 13:01:04 lukeh Exp $
    #
    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    #
    # PADL Software
    # http://www.padl.com
    #
    
    # Your LDAP server. Must be resolvable without using LDAP.
    # Multiple hosts may be specified, each separated by a
    # space. How long nss_ldap takes to failover depends on
    # whether your LDAP client library supports configurable
    # network or connect timeouts (see bind_timelimit).
    host 127.0.0.1
    
    # The distinguished name of the search base.
    base ou=postfix,dc=example,dc=net
    
    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    #uri ldap://127.0.0.1/
    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    
    # The LDAP version to use (defaults to 3
    # if supported by client library)
    ldap_version 3
    
    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=padl,dc=com
    binddn cn=admin,dc=example,dc=net
    
    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret
    bindpw chen
    
    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    #rootbinddn cn=manager,dc=example,dc=net
    #rootbinddn cn=admin,dc=example,dc=net
    
    # The port.
    # Optional: default is 389.
    #port 389
    
    # The search scope.
    scope sub
    #scope one
    #scope base
    
    # Search timelimit
    #timelimit 30
    
    # Bind timelimit
    #bind_timelimit 30
    
    # Idle timelimit; client will close connections
    # (nss_ldap only) if the server has not been contacted
    # for the number of seconds specified below.
    #idle_timelimit 3600
    
    # Filter to AND with uid=%s
    #pam_filter objectclass=account
    pam_filter objectclass=postfix
    
    # The user ID attribute (defaults to uid)
    #pam_login_attribute uid
    #pam_login_attribute mail
    
    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes
    
    # Check the 'host' attribute for access control
    # Default is no; if set to yes, and user has no
    # value for the host attribute, and pam_ldap is
    # configured for account management (authorization)
    # then the user will not be allowed to login.
    #pam_check_host_attr yes
    
    # Check the 'authorizedService' attribute for access
    # control
    # Default is no; if set to yes, and the user has no
    # value for the authorizedService attribute, and
    # pam_ldap is configured for account management
    # (authorization) then the user will not be allowed
    # to login.
    #pam_check_service_attr yes
    
    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
    
    # Group member attribute
    #pam_member_attribute uniquemember
    
    # Specify a minium or maximum UID number allowed
    #pam_min_uid 0
    #pam_max_uid 0
    
    # Template login attribute, default template user
    # (can be overriden by value of former attribute
    # in user's entry)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody
    
    # HEADS UP: the pam_crypt, pam_nds_passwd,
    # and pam_ad_passwd options are no
    # longer supported.
    
    # Do not hash the password at all; presume
    # the directory server will do it, if
    # necessary. This is the default.
    pam_password crypt
    
    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    #pam_password crypt
    
    # Remove old password first, then update in
    # cleartext. Necessary for use with Novell
    # Directory Services (NDS)
    #pam_password nds
    
    # Update Active Directory password, by
    # creating Unicode password and updating
    # unicodePwd attribute.
    #pam_password ad
    
    # Use the OpenLDAP password change
    # extended operation to update the password.
    #pam_password exop
    
    # Redirect users to a URL or somesuch on password
    # changes.
    #pam_password_prohibit_message Please visit http://internal to change your password.
    
    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX          base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd       ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    #nss_base_passwd        ou=People,dc=padl,dc=com?one
    #nss_base_shadow        ou=People,dc=padl,dc=com?one
    #nss_base_group         ou=Group,dc=padl,dc=com?one
    #nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
    #nss_base_services      ou=Services,dc=padl,dc=com?one
    #nss_base_networks      ou=Networks,dc=padl,dc=com?one
    #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
    #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
    #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
    #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
    #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
    #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
    #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
    
    # attribute/objectclass mapping
    # Syntax:
    #nss_map_attribute      rfc2307attribute        mapped_attribute
    #nss_map_objectclass    rfc2307objectclass      mapped_objectclass
    
    # configure --enable-nds is no longer supported.
    # For NDS now do:
    #nss_map_attribute uniqueMember member
    
    # configure --enable-mssfu-schema is no longer supported.
    # For MSSFU now do:
    #nss_map_objectclass posixAccount User
    #nss_map_attribute uid msSFUName
    #nss_map_attribute uniqueMember posixMember
    #nss_map_attribute userPassword msSFUPassword
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_objectclass posixGroup Group
    #pam_login_attribute msSFUName
    #pam_filter objectclass=User
    #pam_password ad
    
    # configure --enable-authpassword is no longer supported
    # For authPassword support, now do:
    #nss_map_attribute userPassword authPassword
    #pam_password nds
    
    # For IBM SecureWay support, do:
    #nss_map_objectclass posixAccount aixAccount
    #nss_map_attribute uid userName
    #nss_map_attribute gidNumber gid
    #nss_map_attribute uidNumber uid
    #nss_map_attribute userPassword passwordChar
    #nss_map_objectclass posixGroup aixAccessGroup
    #nss_map_attribute cn groupName
    #nss_map_attribute uniqueMember member
    #pam_login_attribute userName
    #pam_filter objectclass=aixAccount
    #pam_password clear
    
    # Netscape SDK LDAPS
    #ssl on
    
    # Netscape SDK SSL options
    #sslpath /etc/ssl/certs/cert7.db
    
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on
    
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is "no"
    #tls_checkpeer yes
    
    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    #tls_cacertfile /etc/ssl/ca.cert
    #tls_cacertdir /etc/ssl/certs
    
    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool
    
    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1
    
    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key
    					
  3. Note

    在Debian中沒有/etc/sysconfig/目錄,對應的是/etc/default/

    debian:~# find / -name saslauthd
    /etc/default/saslauthd
    /etc/init.d/saslauthd
    /var/run/saslauthd
    
    debian:/var/log# echo "START=yes" >> /etc/default/saslauthd
    debian:/var/log# cat /etc/default/saslauthd
    # This needs to be uncommented before saslauthd will be run automatically
    # START=yes
    
    # You must specify the authentication mechanisms you wish to use.
    # This defaults to "pam" for PAM support, but may also include
    # "shadow" or "sasldb", like this:
    # MECHANISMS="pam shadow"
    
    MECHANISMS="pam"
    
    START=yes
    				
  4. smtpd.conf

    redhat linux:/usr/lib/sasl2/smtpd.conf (debian: /etc/postfix/sasl/smtpd.conf)

    debian:/etc/postfix# cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: login plain CRAM-MD5 DIGEST-MD5 GSSAPI
    debian:/etc/postfix#
    				
    debian:/etc/postfix# mkdir -p /var/spool/postfix/var/run/saslauthd
    debian:/etc/postfix# chgrp sasl /var/spool/postfix/var/run/saslauthd/
    				

    Cyrus SASL 配置選項 [1]

  5. 測試 saslauthd

    debian:/var/log# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -s smtp -r example.net -u chen -p chen
    0: OK "Success."
    debian:/var/log# saslauthd -O /etc/pam_ldap.conf -m /var/spool/postfix/var/run/saslauthd -a ldap
    
    debian:~# saslpasswd2 -c -u mail.example.net -a smtpauth test
    			

Notes

[1]

Cyrus SASL 配置選項

這個文檔包含了 Cyrus SASL 庫和捆綁的機制能使用到的選項的信息。大部分通常使用到的
選項同時也是經常被誤解的選項是 pwcheck_method 和 auxprop_plugin 。如果工作不正常
的話,請確保你正確的配置了他們。另外,mech_list選項能方便的限制某特定的應用程序
所能使用的機制。

選項 使用者 預設值

authdaemond_path SASL 庫 /dev/null
(描述:Courier-IMAP 的 authdaemond 的 Unix 套接字的路徑。僅當 pwcheck_method 設
置為 authdaemond 時可用。)

auto_transition SASL 庫 no
(描述:當設置為 'yes'或'noplain'時,同時使用一個 auxprop 插件時,當用戶成功的進
行了純文字檔案認證時自動的他們到其他機制。當設置為 'noplain' 時,僅非純文字檔案秘密將
被寫。注意,當前實現,不使用純文字檔案秘密的機制僅有 OTP 和 SRP)。

canon_user_plugin SASL 庫 INTERNAL
(描述:canon_user 插件使用的名字)

log_level SASL 庫 1 (SASL_LOG_ERR) 
(描述:日誌記錄登記的數字,參考 sasl.h 中的 SASL_LOG_* 瞭解值和描述)

mech_list SASL 庫 使用所有有效插件
(描述:空格分隔開的允許使用的機制的列表,比如:'plain otp'。用來在安裝的插件
中限製出一個可用機制的子集。)

plugin_list SASL 庫 無
(描述:插件列表的位置【不支持】)

pwcheck_method SASL 庫 auxprop
(描述:空格分隔開的用來效驗密碼的機制列表,值可能是 sasl_checkpass,auxprop,
saslauthd,pwcheck,authdaemond【如果編譯時添加了 --with-authdaemond 的話】 和
alwaystrue【如果編譯時添加了 --enable-alwaystrue 的話】)

saslauthd_path SASL 庫 系統相關(通常不需要更改)
(描述:saslauthd 運行的目錄,包括 "/mun" 命名管道)

auxprop_plugin 輔助屬性 (空) - 查詢所有插件
(描述:使用的輔助插件的插件名,你可以指定一個空格格開的插件名列表,這些插件將按
照順序被查詢。)

keytab GSSAPI /etc/krb5.keytab(系統相關)
(描述:keytab 檔案的位置)

ntlm_server NTLM (伺服器) (空) - 執行內部代理
(描述:認證將被代理的系統名【WinNT,Win2K,Samba等】)

ntlm_v2 NTLM (客戶端) no (發送 NTLMv1)
(描述:發送 NTLMv2 響應給伺服器)

opiekeys OTP (用於 OPIE) /etc/opiekeys
(描述:opiekeys 檔案位置)

otp_mda OTP (w/o OPIE) md5 
(描述:OTP 的消息摘要算法,用於 sasl_setpass,值有:'md4','md5','sha1')

reauth_timeout DIGEST-MD5 0
(描述:為加快再次認證而緩存認證信息的保留時間(單位:分鐘)。0 禁止緩存。)

srp_mda SRP sha1 
(描述:SRP 計算的消息摘要算法,值有:'md5','sha1','rmd160')

srvtab KERBEROS_V4 /etc/srvtab (系統相關)
(描述:srvtab 檔案的位置)

sasldb_path sasldb 插件 /etc/sasldb2 (系統相關)
(描述:sasldb 檔案的路徑)

sql_engine SQL 插件 mysql
(描述:使用的 SQL 資料庫引擎名,可能值為:'mysql','pgsql')


sql_hostnames SQL 插件 無 (引擎相關)
(描述:逗號分隔開的 SQL 伺服器列表,使用 主機地址[:連接埠] 的格式)

sql_user SQL 插件 無 (引擎相關)
(描述:資料庫伺服器的登陸用戶名)

sql_passwd SQL 插件 無 (引擎相關)
(描述:資料庫伺服器的登陸用戶密碼)


sql_database SQL 插件 無 (引擎相關)
(描述:包含輔助屬性的資料庫名)

sql_select SQL 插件 無
(描述:用來獲取屬性的 SELECT 語句。使用 SQL 插件時,這個選項時必須的。)

sql_insert SQL 插件 無
(描述:用來為新用戶創建屬性的 INSERT 語句。)

sql_update SQL 插件 無
(描述:用來修改屬性的 UPDATE 語句)

sql_usessl SQL 插件 no
(描述:當設置為'yes','on','1'或者'true'時,將使用安全連接連接資料庫伺服器)


SQL auxprop 選項的注意事項:
sql_insert 和 sql_update 選項是可選的而且僅在你希望允許 SASL 庫(比如:saslpasswd2)和插件(比如:OTP)向 SQL 伺服器寫入某些屬性信息時有用。如果使用了,這兩個語句都必須同時提供用來添加、更新、刪除屬性。注意:可寫的屬性表格列必須能夠接收 NULL 值。

由 sql_select,sql_insert 和 sql_update 選項提供的 SQL 語句能夠包含將用合適的值取代其值的參數。這些參數是:

%u 被獲取(或存儲)屬性的用戶的用戶名。
%p 被獲取(或存儲)的屬性的名字。在技術上,它可以是任何東西,不過 SASL認證將會
嘗試 userPassword 和 cmusaslsecretMECHNAME (MECHNAME 是 SASL 機制的
名字)。
%r 用戶屬於的領域。它可以是 kerberos 領域,正在運行 SASL 應用的計算機的正式域名
或者一個用戶名中 @ 之後的任何東西。(請參考領域文檔)
%v 要被存儲的屬性的值(僅用於 INSERT 或 UPDATE)。除依賴于屬性本身外,技術上它可
以是任何值,不過一般是 userPassword。

注意:不要為整個SQL語句加引號,不過每個單獨的 %u, %r 和 %v 參數必須被加引號。

例子:
sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'

下面將發送到資料庫伺服器的SQL語句表示將查詢用戶名為“bovik”,預設領域為機器
“madoka.surf.org.uk” 的用戶密碼:
SELECT userPassword FROM user_table WHERE username = 'bovik' and
realm = 'madoka.surf.org.uk';

sql_insert: INSERT INTO user_table (username, realm, %p) VALUES ('%u', '%r', '%v')


將為用戶名為“bovik”,領域為“madoka.surf.org.uk”,userPassword 為 “wert”
的用戶產生下面的 SQL 語句:
INSERT INTO user_table (username, realm, userPassword) VALUES
('bovik', 'madoka.surf.org.uk', 'wert');


注意,不一定所有的替代都要使用。比如,

SELECT password FROM auth WHERE username = '%u'

也是一個有效的 sql_select 值。