-rw-r--r--fripost-docs.org76
1 files changed, 53 insertions, 23 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index ec340fd..2656cf8 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1461,7 +1461,7 @@ speaks to the master).
[...]
START=yes
MECHANISMS=ldap
- OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
+ OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
[...]
(Note: The socket has to be readable by postfix.)
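Review bot: The new `-O /etc/saslauthd.conf` option points saslauthd at a file that, judging by the next hunk, holds `ldap_bind_pw` in clear text, yet the text says nothing about who may read that file. A sentence next to the OPTIONS line such as `(Note: /etc/saslauthd.conf contains the LDAP bind password; make it readable only by root, e.g. mode 0600.)` would keep the credential from being readable by every local account. The configuration stanza this hunk edits starts before the hunk.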
@@ -1471,7 +1471,7 @@ speaks to the master).
ldap_servers: ldap://127.0.0.1:3890/
ldap_version: 3
ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
- ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
+ ldap_bind_pw: xxxxxx
ldap_auth_method: bind
ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
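Review bot: Replacing the literal bind password with `xxxxxx` does not remove it from the repository: the previous revision of the `ldap_bind_pw` line is still in the history, so the password of the `cn=SASLauth,ou=services,...` account should be treated as exposed and changed in the directory, and the new value must not be written back into this document. It would also help the reader to mark the placeholder explicitly, e.g. `ldap_bind_pw: xxxxxx   # placeholder, set the real password in the deployed file only`.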
@@ -1493,18 +1493,14 @@ If everything goes through, it is now time to modify Postfix's main.cf:
[...]
smtpd_sasl_authenticated_header = yes
smtpd_sasl_auth_enable = yes
- smtpd_sasl_local_domain =
+ smtpd_sasl_local_domain = fripost.org
+ # TODO:add sasl exceptions for our other clients
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
- smtp_sasl_auth_enable = yes
- smtp_sasl_password_maps = hash:$config_directory/sasl_passwd
- # Note: `sasl_passwd' may be empty but Postfix complains if it doesn't exist
- smtp_sasl_security_options = noanonymous, noplaintext
- smtp_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated
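Review bot: With `smtpd_sasl_auth_enable = yes` in main.cf, AUTH is offered by every smtpd instance, including the port 25 `smtp` service added in the next hunk, while the submission entry there already carries `-o smtpd_sasl_auth_enable=yes`. If authentication is only meant for submission, setting `smtpd_sasl_auth_enable = no` here and keeping the per-service override confines the authentication surface to port 587; if AUTH on port 25 is intended (the test section does exercise it), a sentence saying so would save the reader from guessing. The interplay of `noplaintext` in `smtpd_sasl_security_options` with the TLS variant that only keeps `noanonymous` is what restricts PLAIN/LOGIN to encrypted sessions and deserves a short comment, e.g. `# plaintext mechanisms are only offered after STARTTLS`.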
@@ -1515,11 +1511,11 @@ If everything goes through, it is now time to modify Postfix's main.cf:
Finally, we can add the submission service to our master.cf, with customized policy:
:: /etc/postfix/master.cf
- [...]
+
+ smtp inet n - - - - smtpd
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
[...]
@@ -1529,20 +1525,54 @@ is enough actually.)
**** Test it
-(desactivate smtpd_sasl_exceptions_networks for localhost first)
-
-openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
-
-echo -ne '\000user@fripost.org\000user' | openssl base64
-
-EHLO localhost
-AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
-
-mail from:<user@fripost.org>
-rcpt to:<me@guilhem.org>
-
-
+[Note: if you test it from localhost, you have to uset smtpd_sasl_exceptions_networks
+first.]
+
+First, we ensured that encrypted conections are required.
+
+ :: telnet localhost 25
+ [...]
+ 250-VRFY
+ 250-ETRN
+ 250-STARTTLS
+ 250-ENHANCEDSTATUSCODES
+ 250-8BITMIME
+ 250 DSN
+
+What the user type is here emphasized and prefixed with a `*'
+
+ :: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
+ [...]
+ Verify return code: 0 (ok)
+ ---
+ 250 DSN
+ * EHLO localhost
+ [...]
+ 250-VRFY
+ 250-ETRN
+ 250-AUTH LOGIN PLAIN
+ 250-AUTH=LOGIN PLAIN
+ 250-ENHANCEDSTATUSCODES
+ 250-8BITMIME
+ 250 DSN
+ * AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
+ 235 2.7.0 Authentication successful
+ * mail from:<user@fripost.org>
+ 250 2.1.0 Ok
+ * rcpt to:<user@fripost.org>
+ 250 2.1.5 Ok
+ * DATA
+ 354 End data with <CR><LF>.<CR><LF>
+ * Subject: test
+ * \o/
+ * .
+ 250 2.0.0 Ok: queued as 3D7767B4BD
+
+Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's,
+credentials, in our case login "user@fripost.org" and password "user", which
+can be obtained by the command
+ echo -ne '\000user@fripost.org\000user' | openssl base64
**** Anonymize the senders
If RoudCube automatically anonymize the sender (by simply shortening the