Postfix Integrated Solution
<<< PreviousPostfix + OpenLDAP (Debian) 已完成 2004-9-28Next >>>

SASL SMTP認證

Postfix SASL SMTP認證配置

  1. pam_ldap

    debian:/etc/postfix# vi /etc/pam.d/smtp
#%PAM-1.0
auth required pam_ldap.so
account sufficient /lib/security/pam_ldap.so

  2. pam_ldap.conf

    Note

    redhat linux 中是/etc/ldap.conf

    host 127.0.0.1				
base ou=postfix,dc=example,dc=net
ldap_version 3
binddn cn=admin,dc=example,dc=net
bindpw chen
#rootbinddn cn=admin,dc=example,dc=net
scope sub
pam_filter objectclass=postfix

    Example 3. pam_ldap.conf

    debian:/etc# cat pam_ldap.conf
###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.28 2003/05/29 13:01:04 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
host 127.0.0.1

# The distinguished name of the search base.
base ou=postfix,dc=example,dc=net

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com
binddn cn=admin,dc=example,dc=net

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
bindpw chen

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=net
#rootbinddn cn=admin,dc=example,dc=net

# The port.
# Optional: default is 389.
#port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind timelimit
#bind_timelimit 30

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account
pam_filter objectclass=postfix

# The user ID attribute (defaults to uid)
#pam_login_attribute uid
#pam_login_attribute mail

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password crypt

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# For NDS now do:
#nss_map_attribute uniqueMember member

# configure --enable-mssfu-schema is no longer supported.
# For MSSFU now do:
#nss_map_objectclass posixAccount User
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# For authPassword support, now do:
#nss_map_attribute userPassword authPassword
#pam_password nds

# For IBM SecureWay support, do:
#nss_map_objectclass posixAccount aixAccount
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

  3. Note

    在Debian中沒有/etc/sysconfig/目錄,對應的是/etc/default/

    debian:~# find / -name saslauthd
/etc/default/saslauthd
/etc/init.d/saslauthd
/var/run/saslauthd

debian:/var/log# echo "START=yes" >> /etc/default/saslauthd
debian:/var/log# cat /etc/default/saslauthd
# This needs to be uncommented before saslauthd will be run automatically
# START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" for PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

MECHANISMS="pam"

START=yes

  4. smtpd.conf

    redhat linux:/usr/lib/sasl2/smtpd.conf (debian: /etc/postfix/sasl/smtpd.conf) 

    debian:/etc/postfix# cat sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain CRAM-MD5 DIGEST-MD5 GSSAPI
debian:/etc/postfix#
				
    debian:/etc/postfix# mkdir -p /var/spool/postfix/var/run/saslauthd
debian:/etc/postfix# chgrp sasl /var/spool/postfix/var/run/saslauthd/

    Cyrus SASL 配置選項 [1]

  5. 測試 saslauthd

    debian:/var/log# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -s smtp -r example.net -u chen -p chen
0: OK "Success."
debian:/var/log# saslauthd -O /etc/pam_ldap.conf -m /var/spool/postfix/var/run/saslauthd -a ldap

debian:~# saslpasswd2 -c -u mail.example.net -a smtpauth test

Notes

[1]

Cyrus SASL 配置選項

這個文檔包含了 Cyrus SASL 庫和捆綁的機制能使用到的選項的信息。大部分通常使用到的
選項同時也是經常被誤解的選項是 pwcheck_method 和 auxprop_plugin 。如果工作不正常
的話,請確保你正確的配置了他們。另外,mech_list選項能方便的限制某特定的應用程序
所能使用的機制。

選項 使用者 預設值

authdaemond_path SASL 庫 /dev/null
(描述:Courier-IMAP 的 authdaemond 的 Unix 套接字的路徑。僅當 pwcheck_method 設
置為 authdaemond 時可用。)

auto_transition SASL 庫 no
(描述:當設置為 'yes'或'noplain'時,同時使用一個 auxprop 插件時,當用戶成功的進
行了純文字檔案認證時自動的他們到其他機制。當設置為 'noplain' 時,僅非純文字檔案秘密將
被寫。注意,當前實現,不使用純文字檔案秘密的機制僅有 OTP 和 SRP)。

canon_user_plugin SASL 庫 INTERNAL
(描述:canon_user 插件使用的名字)

log_level SASL 庫 1 (SASL_LOG_ERR) 
(描述:日誌記錄登記的數字,參考 sasl.h 中的 SASL_LOG_* 瞭解值和描述)

mech_list SASL 庫 使用所有有效插件
(描述:空格分隔開的允許使用的機制的列表,比如:'plain otp'。用來在安裝的插件
中限製出一個可用機制的子集。)

plugin_list SASL 庫 無
(描述:插件列表的位置【不支持】)

pwcheck_method SASL 庫 auxprop
(描述:空格分隔開的用來效驗密碼的機制列表,值可能是 sasl_checkpass,auxprop,
saslauthd,pwcheck,authdaemond【如果編譯時添加了 --with-authdaemond 的話】 和
alwaystrue【如果編譯時添加了 --enable-alwaystrue 的話】)

saslauthd_path SASL 庫 系統相關(通常不需要更改)
(描述:saslauthd 運行的目錄,包括 "/mun" 命名管道)

auxprop_plugin 輔助屬性 (空) - 查詢所有插件
(描述:使用的輔助插件的插件名,你可以指定一個空格格開的插件名列表,這些插件將按
照順序被查詢。)

keytab GSSAPI /etc/krb5.keytab(系統相關)
(描述:keytab 檔案的位置)

ntlm_server NTLM (伺服器) (空) - 執行內部代理
(描述:認證將被代理的系統名【WinNT,Win2K,Samba等】)

ntlm_v2 NTLM (客戶端) no (發送 NTLMv1)
(描述:發送 NTLMv2 響應給伺服器)

opiekeys OTP (用於 OPIE) /etc/opiekeys
(描述:opiekeys 檔案位置)

otp_mda OTP (w/o OPIE) md5 
(描述:OTP 的消息摘要算法,用於 sasl_setpass,值有:'md4','md5','sha1')

reauth_timeout DIGEST-MD5 0
(描述:為加快再次認證而緩存認證信息的保留時間(單位:分鐘)。0 禁止緩存。)

srp_mda SRP sha1 
(描述:SRP 計算的消息摘要算法,值有:'md5','sha1','rmd160')

srvtab KERBEROS_V4 /etc/srvtab (系統相關)
(描述:srvtab 檔案的位置)

sasldb_path sasldb 插件 /etc/sasldb2 (系統相關)
(描述:sasldb 檔案的路徑)

sql_engine SQL 插件 mysql
(描述:使用的 SQL 資料庫引擎名,可能值為:'mysql','pgsql')


sql_hostnames SQL 插件 無 (引擎相關)
(描述:逗號分隔開的 SQL 伺服器列表,使用 主機地址[:連接埠] 的格式)

sql_user SQL 插件 無 (引擎相關)
(描述:資料庫伺服器的登陸用戶名)

sql_passwd SQL 插件 無 (引擎相關)
(描述:資料庫伺服器的登陸用戶密碼)


sql_database SQL 插件 無 (引擎相關)
(描述:包含輔助屬性的資料庫名)

sql_select SQL 插件 無
(描述:用來獲取屬性的 SELECT 語句。使用 SQL 插件時,這個選項時必須的。)

sql_insert SQL 插件 無
(描述:用來為新用戶創建屬性的 INSERT 語句。)

sql_update SQL 插件 無
(描述:用來修改屬性的 UPDATE 語句)

sql_usessl SQL 插件 no
(描述:當設置為'yes','on','1'或者'true'時,將使用安全連接連接資料庫伺服器)


SQL auxprop 選項的注意事項:
sql_insert 和 sql_update 選項是可選的而且僅在你希望允許 SASL 庫(比如:saslpasswd2)和插件(比如:OTP)向 SQL 伺服器寫入某些屬性信息時有用。如果使用了,這兩個語句都必須同時提供用來添加、更新、刪除屬性。注意:可寫的屬性表格列必須能夠接收 NULL 值。

由 sql_select,sql_insert 和 sql_update 選項提供的 SQL 語句能夠包含將用合適的值取代其值的參數。這些參數是:

%u 被獲取(或存儲)屬性的用戶的用戶名。
%p 被獲取(或存儲)的屬性的名字。在技術上,它可以是任何東西,不過 SASL認證將會
嘗試 userPassword 和 cmusaslsecretMECHNAME (MECHNAME 是 SASL 機制的
名字)。
%r 用戶屬於的領域。它可以是 kerberos 領域,正在運行 SASL 應用的計算機的正式域名
或者一個用戶名中 @ 之後的任何東西。(請參考領域文檔)
%v 要被存儲的屬性的值(僅用於 INSERT 或 UPDATE)。除依賴于屬性本身外,技術上它可
以是任何值,不過一般是 userPassword。

注意:不要為整個SQL語句加引號,不過每個單獨的 %u, %r 和 %v 參數必須被加引號。

例子:
sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'

下面將發送到資料庫伺服器的SQL語句表示將查詢用戶名為“bovik”,預設領域為機器
“madoka.surf.org.uk” 的用戶密碼:
SELECT userPassword FROM user_table WHERE username = 'bovik' and
realm = 'madoka.surf.org.uk';

sql_insert: INSERT INTO user_table (username, realm, %p) VALUES ('%u', '%r', '%v')


將為用戶名為“bovik”,領域為“madoka.surf.org.uk”,userPassword 為 “wert”
的用戶產生下面的 SQL 語句:
INSERT INTO user_table (username, realm, userPassword) VALUES
('bovik', 'madoka.surf.org.uk', 'wert');


注意,不一定所有的替代都要使用。比如,

SELECT password FROM auth WHERE username = '%u'

也是一個有效的 sql_select 值。
<<< PreviousHomeNext >>>
創建所需條目Up配置 Postfix