author: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-01 15:28:29 +0200
committer: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-01 15:32:45 +0200
commit: b090cf1444342b20a1cfdd3ea01c602d1988f121 (patch)
tree: e14b92cb6a8f7e6cba0d32fa3db5aef12cff745f
parent: 29639331a22c90c8dd1f57fb3d724cd4fd499fea (diff)
Use LDAP's authenticate binds with Postfix and Dovecot.
-rw-r--r--fripost-docs.org176
1 files changed, 176 insertions, 0 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 686e39b..91c8943 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -256,6 +256,18 @@ This server should be referred to as the main `IMAP server'. We will have two or
more mail gateways that will relay e-mail to the main server over secure
connections. These are called `smarthosts'.
+Credentials are managed by a LDAP server. For the users to be able to
+authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will
+use the so called "authenticate binds": services simply forward the login
+information of the user to the LDAP server, that in turn hashes the password and
+checks wheter it maches the stored copy; if it does, the LDAP server answers back
+the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif .
+This way, if the IMAP or SMTP server is compromised, the attacker will NOT have
+access to all credentials. Of course the LDAP server should only be listening to
+the machines hosting these services and ideally, should not be directly facing the
+internet.
+
+[TODO: Find a suitable LDAP schema, and drop the MySQL database]
The main server will also be responsible for keeping all users in an MySQL
database that will be replicated using MySQL.
@@ -263,8 +275,12 @@ database that will be replicated using MySQL.
IMAP server = the main storage server
+LDAP server = the server that stores users credentials and various other informations.
+
smarthost = the server receiving email from the internet (configured as MX)
+outgoing SMTP = a SMTP server that can relay mails of authenticated users (via SASL).
+
*** Configuring an SSH tunnel between two hosts
# Definitions:
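Review bot: Style only in this hunk: "users credentials" → "users' credentials", "various other informations" → "various other information", and "a SMTP server" → "an SMTP server". Since both new glossary entries follow existing ones without a blank line, the trailing "+" blank lines should be placed consistently (either after every definition or after none).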
@@ -601,6 +617,52 @@ mysql -u root -p
quit;
+*** Configuring the LDAP server
+
+On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf'
+(by default, but may completely igore it in the future), but the
+`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online
+tutorials are describing methods using `/etc/ldap/slapd.conf'.
+
+**** Install packages
+
+Here is a basic installation tutorial for Debian Squeeze:
+http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
+
+sudo apt-get install slapd ldap-utils
+
+If it does not prompt for your domain, admin password, etc., run
+`dpkg-reconfigure -plow slapd'.
+
+We do not want to listen all the Internet: in `/etc/default/slapd', change
+`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and
+unix sockets, specify
+
+SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"
+
+(This should be enough if the connection from the IMAP/SASL services are
+wrapped into SSH or SSL tunnels.)
+
+We can check the configuration with
+
+ ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
+
+and modify a .ldif file with
+
+ ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
+
+**** Our schema
+
+[TODO: find something suitable to subsume the MySQL databases; we could find some
+inspiration here: http://dhits.nl/download/qmail.new.schema]
+
+If the task is only to provide a secure way to authenticate, the "basic tree" of
+http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough.
+
+After adding an user, we can check that the authentication works properly:
+
+ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W
+
*** Configuring the main IMAP server
**** Install packages
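Review bot: The bind test `ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W` uses `ou=account`, while the Dovecot and saslauthd configuration added later in this patch use `ou=accounts`; one of the two is wrong and the bind will fail with invalid credentials. Also worth a one-line comment on `x-mod=0777` in SLAPD_SERVICES: it makes the ldapi socket connectable by every local user, which is acceptable here only because EXTERNAL authentication still maps to the peer's uid and the access rules decide what that identity may read. Typos: "igore" → "ignore", "listen all the Internet" → "listen on all interfaces", "connection from the IMAP/SASL services are" → "connections ... are".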
@@ -751,6 +813,47 @@ sudo /etc/init.d/dovecot restart
**** Making sure the services are not started at boot [might not be needed]
sudo update-rc.d -n dovecot stop 2 3 4 5 .
sudo update-rc.d -n postfix stop 2 3 4 5 .
+
+**** Use LDAP authenticate binds.
+
+Instead of making a SQL query to fetch the (hashed) passwords, which implies to
+expose all credentials to Dovecot, an other approach is to forward the login
+information to our LDAP server, that will match it against the hashed copy contained
+in its database. This way if your IMAP server is compromised, the attacker will not
+have access to all the e-mails and user credentials.
+
+Documentation:
+http://wiki2.dovecot.org/HowTo/DovecotOpenLdap
+http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
+
+Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
+Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
+
+hosts = localhost # Or wherever is our LDAP server
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=accounts,dc=fripost,dc=org
+ldap_version = 3
+base = ou=accounts,dc=fripost,dc=org
+pass_filter = (&(objectClass=posixAccount)(uid=%u))
+
+(And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
+of our tree structure, in our case dn="ou=accounts,dc=fripost,dc=org".
+
+We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}"
+blocks, and uncomment
+
+ passdb ldap {
+ args = /etc/dovecot/dovecot-ldap.conf
+ }
+# and
+ userdb ldap {
+ args = /etc/dovecot/dovecot-ldap-userdb.conf
+ }
+
+Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf'
+can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send
+asynchronous request to the LDAP server.
+
*** Configuring a new smarthost to relay e-mail to the main IMAP server
**** Overview
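Review bot: The dovecot.conf step says to comment out the "passwd sql {...}" block, but the Dovecot block is `passdb sql {...}`; as written a reader will look for a setting that does not exist. A second gap: with `auth_bind = yes` the passdb no longer needs a bind DN, but the `userdb ldap` lookup does not run under the user's bind; it uses the dn/dnpass from the same file (or an anonymous bind), so the text should state which identity performs that search and that slapd's access rules must let it read the posixAccount attributes. Since the symlinked userdb file may therefore carry a dnpass, the `chmod 600` advice is right and deserves that justification. Typos: "squeleton" → "skeleton", "Copy this file in /etc/dovecot" → "to /etc/dovecot", "asynchronous request" → "asynchronous requests".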
@@ -774,6 +877,79 @@ emails through the tunnel.
TODO: add the necessary configuration files
*** Configuring the outgoing SMTP
+We will offer a SMTP relay for authenticated users (via SASL).
+
+**** Install packages
+
+sudo apt-get install sasl2-bin libsasl2-modules-ldap
+
+(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
+test our installation.)
+
+**** Configure saslauthd
+
+Customize `/etc/default/saslauthd' as follows:
+
+START=yes
+MECHANISMS=ldap
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
+
+(The socket has to be readable by postfix.)
+
+Now, in the `/etc/saslauthd.conf':
+
+ldap_servers: ldap://localhost
+ldap_version: 3
+ldap_search_base: ou=accounts,dc=fripost,dc=org
+ldap_scope: sub
+ldap_filter: uid=%u
+ldap_auth_method: bind
+
+After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
+authentication: testsaslauthd -u userid -p password. (The password cannot be
+prompted, so you may want to create a dummy user.)
+
+**** Configure Postfix
+
+If everything goes through, it is now time to modify Postfix's main.cf:
+(Documentation: http://www.postfix.org/SASL_README.htm)
+
+smtpd_sasl_authenticated_header = yes
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_local_domain =
+smtpd_sasl_exceptions_networks = $mynetworks
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+broken_sasl_auth_clients = yes
+smtpd_sasl_type = cyrus
+smtpd_sasl_path = smtpd
+
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:$config_directory/sasl_passwd
+smtp_sasl_security_options = noanonymous, noplaintext
+smtp_sasl_tls_security_options = noanonymous
+
+# `sasl_passwd' may be empty but Postfix complains if it doesn't exist
+
+And still in the main.cf, add a policy stating that authenticate users are
+allowed to connect and send mail:
+
+smtpd_recipient_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ [...]
+
+Finally, we can add the submission service to our master.cf, with customized policy:
+
+submission inet n - - - - smtpd
+ -o smtpd_tls_security_level=encrypt
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+ -o milter_macro_daemon_name=ORIGINATING
+
+We can now restart Postfix: `/etc/init.d/postfix restart'.
+
+
**** Anonymize the senders
If RoudCube automatically anonymize the sender (by simply shortening the
trace), it's not the case (by default) for SquirrelMail, or when clients
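Review bot: `smtpd_sasl_path = smtpd` makes Postfix read /etc/postfix/sasl/smtpd.conf, which this hunk never creates; it needs at least `pwcheck_method: saslauthd` and `mech_list: plain login`, otherwise saslauthd is never consulted. On Debian the saslauthd socket directory is group `sasl`, so the chrooted smtpd also needs `adduser postfix sasl` to reach the socket placed under /var/spool/postfix. The `smtp_sasl_*` block (smtp_sasl_auth_enable, smtp_sasl_password_maps, ...) configures Postfix as an SMTP *client* authenticating to an upstream relay and has nothing to do with accepting SASL from users; drop it and the empty `sasl_passwd` unless this host relays through an authenticated upstream. Passing the password with `testsaslauthd -p password` leaves it in the shell history and process list, which is a further reason for the dummy user the text already suggests. Typos: "Scrictly" → "Strictly", "authenticate users are allowed" → "authenticated users are allowed", "a SMTP relay" → "an SMTP relay".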