-rw-r--r-- | fripost-docs.org | 76 |
1 files changed, 53 insertions, 23 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index ec340fd..2656cf8 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -1461,7 +1461,7 @@ speaks to the master).
 [...]
 START=yes
 MECHANISMS=ldap
- OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
+ OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
 [...]
 (Note: The socket has to be readable by postfix.)
@@ -1471,7 +1471,7 @@ speaks to the master).
 ldap_servers: ldap://127.0.0.1:3890/
 ldap_version: 3
 ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
- ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
+ ldap_bind_pw: xxxxxx
 ldap_auth_method: bind
 ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
@@ -1493,18 +1493,14 @@ If everything goes through, it is now time to modify Postfix's main.cf:
 [...]
 smtpd_sasl_authenticated_header = yes
 smtpd_sasl_auth_enable = yes
- smtpd_sasl_local_domain =
+ smtpd_sasl_local_domain = fripost.org
+ # TODO:add sasl exceptions for our other clients
 smtpd_sasl_exceptions_networks = $mynetworks
 smtpd_sasl_security_options = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients = yes
 smtpd_sasl_type = cyrus
 smtpd_sasl_path = smtpd
- smtp_sasl_auth_enable = yes
- smtp_sasl_password_maps = hash:$config_directory/sasl_passwd
- # Note: `sasl_passwd' may be empty but Postfix complains if it doesn't exist
- smtp_sasl_security_options = noanonymous, noplaintext
- smtp_sasl_tls_security_options = noanonymous
 smtpd_recipient_restrictions =
 permit_mynetworks
 permit_sasl_authenticated
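Review bot: Replacing the value of `ldap_bind_pw` with `xxxxxx` in the second hunk redacts the working copy only; the previous value stays recoverable from the repository history, so the bind password of `cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org` should be treated as exposed and rotated on the directory server rather than merely removed from the page. The first hunk now points saslauthd at `/etc/saslauthd.conf`, which is where that bind password lives after this change, so the docs should state the ownership and mode that file needs; something like `(Note: /etc/saslauthd.conf holds the LDAP bind password, so it must be readable only by root and the saslauthd user, e.g. mode 0600.)` next to the existing socket note would do. The account saslauthd runs as is not visible in the hunk, so the exact owner should be confirmed before writing it down.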
@@ -1515,11 +1511,11 @@ If everything goes through, it is now time to modify Postfix's main.cf: Finally, we can add the submission service to our master.cf, with customized policy: :: /etc/postfix/master.cf - [...] + + smtp inet n - - - - smtpd submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes - -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING [...] 
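Review bot: Dropping `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` from the submission service means port 587 no longer rejects unauthenticated clients at the client-restriction stage; access is then decided by main.cf's `smtpd_recipient_restrictions`, whose visible prefix is `permit_mynetworks permit_sasl_authenticated`, so unauthenticated hosts inside $mynetworks are still admitted on the submission port (the rest of that list is outside the hunk). If the intent is that submission only ever serves authenticated users, keeping the override, `-o smtpd_client_restrictions=permit_sasl_authenticated,reject`, or a one-line comment explaining why it was removed, is advisable. The new `smtp inet n - - - - smtpd` line inherits `smtpd_sasl_auth_enable = yes` from main.cf, so AUTH is also offered on port 25 (the test transcript in the later hunk shows exactly that); a short comment saying this is intended would stop a reader from reading it as an oversight.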
@@ -1529,20 +1525,54 @@ is enough actually.)
 **** Test it
-(desactivate smtpd_sasl_exceptions_networks for localhost first)
-
-openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
-
-echo -ne '\000user@fripost.org\000user' | openssl base64
-
-EHLO localhost
-AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
-
-mail from:<user@fripost.org>
-rcpt to:<me@guilhem.org>
-
-
+[Note: if you test it from localhost, you have to uset smtpd_sasl_exceptions_networks
+first.]
+
+First, we ensured that encrypted conections are required.
+
+ :: telnet localhost 25
+ [...]
+ 250-VRFY
+ 250-ETRN
+ 250-STARTTLS
+ 250-ENHANCEDSTATUSCODES
+ 250-8BITMIME
+ 250 DSN
+
+What the user type is here emphasized and prefixed with a `*'
+
+ :: openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/
+ [...]
+ Verify return code: 0 (ok)
+ ---
+ 250 DSN
+ * EHLO localhost
+ [...]
+ 250-VRFY
+ 250-ETRN
+ 250-AUTH LOGIN PLAIN
+ 250-AUTH=LOGIN PLAIN
+ 250-ENHANCEDSTATUSCODES
+ 250-8BITMIME
+ 250 DSN
+ * AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==
+ 235 2.7.0 Authentication successful
+ * mail from:<user@fripost.org>
+ 250 2.1.0 Ok
+ * rcpt to:<user@fripost.org>
+ 250 2.1.5 Ok
+ * DATA
+ 354 End data with <CR><LF>.<CR><LF>
+ * Subject: test
+ * \o/
+ * .
+ 250 2.0.0 Ok: queued as 3D7767B4BD
+
+Where "AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==" is a base-64 encoding of the user's,
+credentials, in our case login "user@fripost.org" and password "user", which
+can be obtained by the command
+ echo -ne '\000user@fripost.org\000user' | openssl base64
 **** Anonymize the senders
 If RoudCube automatically anonymize the sender (by simply shortening the |
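Review bot: The `echo -ne '\000user@fripost.org\000user' | openssl base64` line at the end of the hunk relies on a bash-style echo; under a POSIX `sh` such as dash, `echo` does not accept `-ne` and prints it literally, so a reader following the runbook on such a shell gets the wrong string. `printf '\000%s\000%s' 'user@fripost.org' 'user' | openssl base64` yields the same `AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg==` on any shell. The bracketed note at the top only says to unset `smtpd_sasl_exceptions_networks` before testing; it should also say to restore it afterwards, since leaving it unset changes which hosts are offered AUTH in production. Two typos in the added prose, `uset` for `unset` and `conections` for `connections`, are worth fixing in the same pass.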