From b090cf1444342b20a1cfdd3ea01c602d1988f121 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 1 Apr 2012 15:28:29 +0200 Subject: Use LDAP's authenticate binds with Postfix and Dovecot. --- fripost-docs.org | 176 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) diff --git a/fripost-docs.org b/fripost-docs.org index 686e39b..91c8943 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -256,6 +256,18 @@ This server should be referred to as the main `IMAP server'. We will have two or more mail gateways that will relay e-mail to the main server over secure connections. These are called `smarthosts'. +Credentials are managed by a LDAP server. For the users to be able to +authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will +use the so called "authenticate binds": services simply forward the login +information of the user to the LDAP server, that in turn hashes the password and +checks wheter it maches the stored copy; if it does, the LDAP server answers back +the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif . +This way, if the IMAP or SMTP server is compromised, the attacker will NOT have +access to all credentials. Of course the LDAP server should only be listening to +the machines hosting these services and ideally, should not be directly facing the +internet. + +[TODO: Find a suitable LDAP schema, and drop the MySQL database] The main server will also be responsible for keeping all users in an MySQL database that will be replicated using MySQL. @@ -263,8 +275,12 @@ database that will be replicated using MySQL. IMAP server = the main storage server +LDAP server = the server that stores users credentials and various other informations. + smarthost = the server receiving email from the internet (configured as MX) +outgoing SMTP = a SMTP server that can relay mails of authenticated users (via SASL). + *** Configuring an SSH tunnel between two hosts # Definitions: @@ -601,6 +617,52 @@ mysql -u root -p quit; +*** Configuring the LDAP server + +On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf' +(by default, but may completely igore it in the future), but the +`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online +tutorials are describing methods using `/etc/ldap/slapd.conf'. + +**** Install packages + +Here is a basic installation tutorial for Debian Squeeze: +http://www.rjsystems.nl/en/2100-d6-openldap-provider.php + +sudo apt-get install slapd ldap-utils + +If it does not prompt for your domain, admin password, etc., run +`dpkg-reconfigure -plow slapd'. + +We do not want to listen all the Internet: in `/etc/default/slapd', change +`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and +unix sockets, specify + +SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777" + +(This should be enough if the connection from the IMAP/SASL services are +wrapped into SSH or SSL tunnels.) + +We can check the configuration with + + ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" + +and modify a .ldif file with + + ldapmodify -Y EXTERNAL -H ldapi:/// -f "" + +**** Our schema + +[TODO: find something suitable to subsume the MySQL databases; we could find some +inspiration here: http://dhits.nl/download/qmail.new.schema] + +If the task is only to provide a secure way to authenticate, the "basic tree" of +http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough. + +After adding an user, we can check that the authentication works properly: + +ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W + *** Configuring the main IMAP server **** Install packages @@ -751,6 +813,47 @@ sudo /etc/init.d/dovecot restart **** Making sure the services are not started at boot [might not be needed] sudo update-rc.d -n dovecot stop 2 3 4 5 . sudo update-rc.d -n postfix stop 2 3 4 5 . + +**** Use LDAP authenticate binds. + +Instead of making a SQL query to fetch the (hashed) passwords, which implies to +expose all credentials to Dovecot, an other approach is to forward the login +information to our LDAP server, that will match it against the hashed copy contained +in its database. This way if your IMAP server is compromised, the attacker will not +have access to all the e-mails and user credentials. + +Documentation: +http://wiki2.dovecot.org/HowTo/DovecotOpenLdap +http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds + +Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf . +Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines: + +hosts = localhost # Or wherever is our LDAP server +auth_bind = yes +auth_bind_userdn = uid=%u,ou=accounts,dc=fripost,dc=org +ldap_version = 3 +base = ou=accounts,dc=fripost,dc=org +pass_filter = (&(objectClass=posixAccount)(uid=%u)) + +(And the TLS-related lines in case we are not using a tunnel.) The "base" is the root +of our tree structure, in our case dn="ou=accounts,dc=fripost,dc=org". + +We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}" +blocks, and uncomment + + passdb ldap { + args = /etc/dovecot/dovecot-ldap.conf + } +# and + userdb ldap { + args = /etc/dovecot/dovecot-ldap-userdb.conf + } + +Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf' +can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send +asynchronous request to the LDAP server. + *** Configuring a new smarthost to relay e-mail to the main IMAP server **** Overview @@ -774,6 +877,79 @@ emails through the tunnel. TODO: add the necessary configuration files *** Configuring the outgoing SMTP +We will offer a SMTP relay for authenticated users (via SASL). + +**** Install packages + +sudo apt-get install sasl2-bin libsasl2-modules-ldap + +(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to +test our installation.) + +**** Configure saslauthd + +Customize `/etc/default/saslauthd' as follows: + +START=yes +MECHANISMS=ldap +OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" + +(The socket has to be readable by postfix.) + +Now, in the `/etc/saslauthd.conf': + +ldap_servers: ldap://localhost +ldap_version: 3 +ldap_search_base: ou=accounts,dc=fripost,dc=org +ldap_scope: sub +ldap_filter: uid=%u +ldap_auth_method: bind + +After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the +authentication: testsaslauthd -u userid -p password. (The password cannot be +prompted, so you may want to create a dummy user.) + +**** Configure Postfix + +If everything goes through, it is now time to modify Postfix's main.cf: +(Documentation: http://www.postfix.org/SASL_README.htm) + +smtpd_sasl_authenticated_header = yes +smtpd_sasl_auth_enable = yes +smtpd_sasl_local_domain = +smtpd_sasl_exceptions_networks = $mynetworks +smtpd_sasl_security_options = noanonymous, noplaintext +smtpd_sasl_tls_security_options = noanonymous +broken_sasl_auth_clients = yes +smtpd_sasl_type = cyrus +smtpd_sasl_path = smtpd + +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:$config_directory/sasl_passwd +smtp_sasl_security_options = noanonymous, noplaintext +smtp_sasl_tls_security_options = noanonymous + +# `sasl_passwd' may be empty but Postfix complains if it doesn't exist + +And still in the main.cf, add a policy stating that authenticate users are +allowed to connect and send mail: + +smtpd_recipient_restrictions = + permit_mynetworks + permit_sasl_authenticated + [...] + +Finally, we can add the submission service to our master.cf, with customized policy: + +submission inet n - - - - smtpd + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING + +We can now restart Postfix: `/etc/init.d/postfix restart'. + + **** Anonymize the senders If RoudCube automatically anonymize the sender (by simply shortening the trace), it's not the case (by default) for SquirrelMail, or when clients -- cgit v1.2.3