<br>
This HOWTO will help you to enable Postfix to provide smtp auth using Cyrus-SASL. Read about the benefits of using smtp auth and how smtp auth is processed before you find out which steps you have to take to deploy your specific smtp auth solution.<br>
<br>
Howto smtp auth with Postfix(2)<br>
<br>
<br>
<br>
<br>
Benefits of using smtp auth<br>
Authentication for Mailclients<br>
Mobile Users<br>
<br>
   1. Using smtp auth we can make it possible for clients, colleagues, and ourselves to relay messages from everywhere in the world using only one (our) smtp server.<br>
   2. When we are mobile, we don't have to deal with the hassle of finding an smtp server that permits us to relay.<br>
   3. Once set up, we do not have to give extra support to others to reconfigure their mailclients properly.<br>
   4. We can make use of scripts and daemons that run on our server and provide services that we need e.g. server-side virus scanning. <br>
<br>
Corporate Network<br>
<br>
Imagine all users are allowed to send messages to users in the local network, but only a few should be permitted to send messages to remote users. If you check by IP, the "forbidden users" simply have to use a machine with a valid IP. This is where smtp auth can also help you, as it checks for users and not for IPs. You then only provide smtp auth accounts for those who may relay outbound messages and configure Postfix to reject other senders.<br>
Authentication for Mailservers (e.g. Dial-Up smtp, Corporate Networks)<br>
<br>
   1. We can enable our smtp server to authenticate itself with other smtp servers.<br>
   2. We might use this when our ISP requires us to authenticate our (dial-up) smtp server or even connect several (dial-up) company locations to each other in order to provide safe and explicit messaging.<br>
   3. Finally we can add an extra layer of security to encrypted communication (TLS). <br>
<br>
You want that? Understand the process of smtp auth first, before you install and configure. It will save lots of time when you need to track down a malfunction. You will know where things go wrong and be able to concentrate on that only.<br>
<br>
Howto smtp auth with Postfix(3)<br>
<br>
<br>
<br>
<br>
How smtp auth is processed<br>
Authentication for Mailclients<br>
<br>
   1. A Mailclient, configured to use smtp auth, connects to its smtp server.<br>
   2. The smtp server responds and offers one or more mechanisms for authentication.<br>
   3. The Mailclient chooses a mechanism and submits data for authentication.<br>
   4. The Mailclient's data is verified by the authentication service.<br>
   5. The authentication service submits the result (valid user/invalid user) of the verification to the smtp server.<br>
   6. If the Mailclient is a valid user, the smtp server will receive message data; otherwise it will end the connection. <br>
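<br>
Step 2 above is the server's EHLO reply. The following check is an added example, not part of the original HOWTO: it reads such a reply and reports what the offered mechanisms mean for the credentials sent in step 3. The function names and the sample replies are constructed for illustration.<br>

```python
import re

# Mechanisms whose password is only base64-encoded on the wire.
CLEARTEXT = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return (AUTH mechanisms, STARTTLS offered?) from an EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        m = re.match(r"250[- ](.+)$", line.strip())
        if not m:
            continue
        keyword = m.group(1).strip().upper()
        if keyword == "STARTTLS":
            starttls = True
        elif re.match(r"AUTH[ =]", keyword):
            # "AUTH PLAIN LOGIN" is the standard form; "AUTH=PLAIN LOGIN" is a
            # legacy form some servers add for older clients.
            mechs.update(t for t in re.split(r"[ =]+", keyword)[1:] if t)
    return mechs, starttls

def audit_ehlo(reply, tls_active=False):
    """List findings for one EHLO reply; tls_active says whether the reply
    was received inside an already negotiated TLS session."""
    mechs, starttls = parse_ehlo(reply)
    findings = []
    if "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS offered: anyone can authenticate and relay")
    exposed = "/".join(sorted(mechs & CLEARTEXT))
    if exposed and not tls_active:
        if starttls:
            findings.append(exposed + " offered before STARTTLS: passwords may be sent unencrypted")
        else:
            findings.append(exposed + " offered and no STARTTLS: passwords are always sent unencrypted")
    return findings

# Constructed sample replies (not captured from a real server).
SAMPLE_NO_TLS = """250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250 8BITMIME"""
SAMPLE_AFTER_TLS = """250-mail.example.com
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for finding in audit_ehlo(SAMPLE_NO_TLS):
        print(finding)
```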
<br>
Authentication for Mailservers<br>
<br>
   1. A local smtp server wants to relay messages to a remote smtp server. It connects to the remote server.<br>
   2. The remote smtp server responds and offers smtp auth (one or more mechanisms for authentication) to the local server.<br>
   3. The local smtp server looks up preconfigured information that gives the username and password for the remote server.<br>
   4. It submits the given data for authentication.<br>
   5. The transmitted data is verified by the remote authentication service. It then submits the result (valid user/invalid user) of the verification to the remote smtp server.<br>
   6. If the local smtp server is a valid user, the remote smtp server will allow the messages to be relayed; otherwise it will end the connection. <br>
<br>
Now that we have split Authentication for Mailclients from Authentication for Mailservers, find out next what you will need to install and configure to get each of them running. No less important, you should read and understand the job of Cyrus-SASL in smtp auth and which methods and mechanisms of that software suit your needs best.<br>
<br>
Howto smtp auth with Postfix(4)<br>
<br>
<br>
<br>
<br>
What do you need to offer smtp auth in Postfix?<br>
Authentication for Mailclients<br>
<br>
You want Postfix to authenticate incoming connections from Mailclients?<br>
You have to go through the following steps:<br>
<br>
   1. install Cyrus-SASL<br>
   2. configure Cyrus-SASL<br>
   3. configure Postfix source-code with Cyrus-SASL support<br>
   4. build Postfix<br>
   5. (re)install Postfix<br>
   6. configure Postfix to use the SASL smtpd features <br>
<br>
Mechanism Plain and/or Login<br>
<br>
If you want Postfix to authenticate incoming connections from Mailclients and offer the mechanism PLAIN and/or LOGIN, we strongly recommend that you also add the use of TLS to your solution.<br>
You have to go through the following steps:<br>
<br>
   1. install Cyrus-SASL<br>
   2. configure Cyrus-SASL<br>
   3. patch Postfix source-code to add TLS support<br>
   4. configure Postfix source-code with Cyrus-SASL and TLS support<br>
   5. (re)install Postfix<br>
   6. configure Postfix to use the SASL smtpd features<br>
   7. configure Postfix to use TLS smtpd features <br>
<br>
Authentication for Mailservers<br>
<br>
You want Postfix to authenticate itself to other Mailservers?<br>
You have to go through the following steps:<br>
<br>
   1. install Cyrus-SASL<br>
   2. configure Cyrus-SASL<br>
   3. configure Postfix source-code with Cyrus-SASL support<br>
   4. build Postfix<br>
   5. (re)install Postfix<br>
   6. configure Postfix to use the SASL smtp features <br>
<br>
Mechanism Plain and/or Login<br>
<br>
If the other Mailserver only offers the mechanism PLAIN to Postfix, but also offers TLS, we strongly recommend that you also add the use of TLS to your solution.<br>
You have to go through the following steps:<br>
<br>
   1. install Cyrus-SASL<br>
   2. configure Cyrus-SASL<br>
   3. patch Postfix source code to add TLS support<br>
   4. configure Postfix source-code with Cyrus-SASL and TLS support<br>
   5. (re)install Postfix<br>
   6. configure Postfix to use the SASL smtpd features<br>
   7. configure Postfix to use TLS smtpd features <br>
   <br>
Howto smtp auth with Postfix(5)<br>
<br>
<br>
<br>
<br>
Authentication service or what is Cyrus-SASL?<br>
<br>
Cyrus-SASL is software that provides different methods and mechanisms of authentication. It is often used in conjunction with the Cyrus IMAP Server and is provided as standalone software. The concept of SASL, the Simple Authentication and Security Layer, is written down in RFC 2222.<br>
<br>
This HOWTO will focus on the Cyrus-SASL version only.<br>
Methods to provide the authentication service<br>
<br>
Cyrus-SASL may use various methods to connect to a source that holds user and password data. By nature Cyrus-SASL can connect to PAM and sasldb. However, there are situations where this approach falls short:<br>
Permissions<br>
<br>
Authenticating via PAM from passwd/shadow requires root privileges. Any daemon (here: Postfix) that uses SASL and is not run as root will therefore not be permitted to query passwd/shadow. Some systems solve this by adding the SASL user to a special group that is permitted to read from passwd/shadow. Is that good? Well, consider running Postfix chrooted and having to copy your passwd/shadow files to the jail. Huh? Yes, you'd have to do that, and that would make the idea of running a chrooted Postfix to keep malicious users away from your valuable passwords useless. You'd be at the start again... read on, as there is a solution to this!<br>
user:pass sources<br>
<br>
There are situations where you don't want to use PAM or sasldb, because you want to have all the mail users separated from the machine's users, or have them on a different machine, or you run a central auth service for single sign-on, and so on...<br>
<br>
For both scenarios you may configure SASL to use a daemon that will run as root and can connect to various backends, e.g. an LDAP or SQL database.<br>
<br>
Note:<br>
Cyrus-SASL daemons don't support LDAP and e.g. MySQL from source. However there are patches available on the net that will give you those functionalities. You will have to patch Cyrus-SASL, recompile and install it, before these functionalities will be available to SASL.<br>
<br>
You may use different methods to provide authentication service with Cyrus-SASL.<br>
Daemons<br>
<br>
Cyrus-SASL comes with two daemons that may run on your mailserver: pwcheck and saslauthd. Basically they are pretty much the same. The newer daemon saslauthd (since Cyrus-SASL 1.5.27) is said to be based on the code of the former pwcheck. Anyway saslauthd goes beyond the functionality of pwcheck and pwcheck will be dropped in the future. So we will have a look at the newer daemon in this HOWTO.<br>
<br>
LDAP and SQL authentication<br>
If you want to authenticate your mailusers against an LDAP or SQL server you might want to go for the pwcheck daemon. There might be more patches available for this at the moment.<br>
Which method can you use in Postfix?<br>
<br>
You can use all of them, but note: If you use PAM, saslauthd or pwcheck you only have the mechanisms PLAIN and LOGIN at your command.<br>
Mechanisms for Authentication<br>
<br>
Cyrus-SASL offers various mechanisms to clients that seek authentication.<br>
ANONYMOUS<br>
<br>
Authentication data is transmitted plaintext. Anyone can authenticate to the system. This mechanism is of no use in our context as it would result in making our smtp server an open relay!<br>
PLAIN<br>
<br>
If you use PLAIN, data is transmitted in plaintext. The mechanism is simple and it works well, but it poses a security risk if used without an encrypted communication layer!<br>
<br>
Used without encryption, anyone can read the authentication data as it is transmitted in plaintext. Anyone running a sniffer (e.g. snort, tcpdump) could read the secrets.<br>
<br>
The solution is to use the TLS-Patch (Transport Layer Security, formerly: SSL) as provided by Lutz Jänicke to Postfix. We believe this to be mandatory when using mechanism PLAIN and will also provide information on how to install and configure TLS-Support in this HOWTO.<br>
LOGIN<br>
<br>
Authentication data is transmitted in plaintext. LOGIN poses the same security risk as described in PLAIN. The same solution applies if you want to get rid of the problem.<br>
<br>
The LOGIN mechanism exists in parallel with PLAIN, simply because there are Mailclients (e.g. Outlook Express, Outlook) that do not implement the RFC standard when seeking authentication. Cyrus-SASL supports LOGIN, but the makers of Cyrus-SASL offer users no support for it.<br>
DIGEST-MD5<br>
<br>
RFC 2831<br>
<br>
You can use this mechanism without TLS.<br>
CRAM-MD5<br>
<br>
"It is conjectured that use of the CRAM authentication mechanism provides origin identification and replay protection for a session. Accordingly, a server that implements both a cleartext password command and this authentication type should not allow both methods of access for a given user." (from: RFC 2195, 4 Security Considerations)<br>
<br>
You can use this mechanism without TLS.<br>
GSSAPI (MIT Kerberos 5 or Heimdal Kerberos 5)<br>
<br>
You can use this mechanism without TLS.<br>
KERBEROS_V4<br>
<br>
You can use this mechanism without TLS.<br>
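<br>
What the PLAIN and CRAM-MD5 sections above mean on the wire, as an added example that is not part of the original HOWTO: the PLAIN payload decodes straight back to the password, while the CRAM-MD5 payload carries only a keyed digest of the challenge issued for that session. The function names are illustrative; the user, secret and challenge are the example values from RFC 2195.<br>

```python
import base64
import hashlib
import hmac

# Example values from RFC 2195, section 2.
USER, SECRET = "tim", "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"

def plain_response(user, password, authzid=""):
    """AUTH PLAIN payload: base64(authzid NUL user NUL password)."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def decode_plain(payload):
    """What anyone who can read the session recovers: (user, password)."""
    _authzid, user, password = base64.b64decode(payload).decode().split("\0")
    return user, password

def cram_md5_response(user, password, challenge):
    """RFC 2195: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def decode_cram_md5(payload):
    """What a reader of the session sees: the user name and a digest only."""
    user, digest = base64.b64decode(payload).decode().rsplit(" ", 1)
    return user, digest

def verify_cram_md5(payload, password, challenge):
    """Server side: recompute the response for the challenge of this session."""
    user, _digest = decode_cram_md5(payload)
    expected = cram_md5_response(user, password, challenge)
    return hmac.compare_digest(payload, expected)

if __name__ == "__main__":
    print("PLAIN reveals   :", decode_plain(plain_response(USER, SECRET)))
    response = cram_md5_response(USER, SECRET, CHALLENGE)
    print("CRAM-MD5 reveals:", decode_cram_md5(response))
    # A response recorded in one session fails against the next challenge.
    print("replayed        :", verify_cram_md5(response, SECRET, "<1.2@mail.example.com>"))
```

The server can only recompute the digest if it holds the shared secret itself, whereas PAM, saslauthd and pwcheck can only check a password that is handed to them; hence the restriction to PLAIN and LOGIN noted above for those methods.<br>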
Concerns about Cyrus-SASL's SASL implementation<br>
<br>
The SASL concept as described in the RFC is a good idea. Yet at the moment Cyrus-SASL lacks sufficient documentation and does not provide meaningful error messages.<br>
<br>
Therefore it becomes a black box to those who lack the programming skills to simply take a look at the code and understand what's going on or going wrong. Environments with high security standards consider these issues disqualifying criteria for the use of software.<br>
<br>
As for the documentation, this HOWTO aims to provide you with the knowledge needed to install, configure and run Cyrus-SASL in combination with Postfix.<br>
<br>
Note<br>
The Cryptix SASL Library is the second SASL library known at the moment. It runs with JAVA, but isn't supported by Postfix.<br>
While writing this HOWTO cabalSASL has become the next competitor to Cyrus-SASL. Read more at the official cabalSASL Homepage.<br>
<br>
Howto smtp auth with Postfix(6)<br>
<br>
<br>
<br>
<br>
Building RPMS from SOURCE or SRPMS<br>
<br>
If you haven't done so before: It is easy to build or rebuild RPMS from SRPMS. Let's get a quick overview how we build RPMS in our HOWTO.<br>
Build as non-root user<br>
<br>
We never build RPMS as root. So we log into our machine as a regular user. Then we create a mirror image of the main RPM directory structure in our HOMEDIR and tell RPM to use these directories instead of the original ones.<br>
Step1: Create RPM directories<br>
<br>
RPM needs a certain directory structure to build RPMS from SOURCE or from SRPMS. When we build them as a non-root user, we cannot use the default location because only root is allowed to write to those directories. So we create the same directory structure in our regular user's $HOME directory:<br>
<br>
[user@example.com]# mkdir $HOME/rpm $HOME/rpm/SOURCES $HOME/rpm/SPECS $HOME/rpm/BUILD $HOME/rpm/SRPMS $HOME/rpm/RPMS $HOME/rpm/RPMS/i386<br>
<br>
When we are done with this, the directory tree of the new rpm directory in our $HOME directory should look like this:<br>
<br>
rpm<br>
|-- BUILD<br>
|-- RPMS<br>
|   `-- i386<br>
|-- SOURCES<br>
|-- SPECS<br>
`-- SRPMS<br>
<br>
Step2: Set environment variables<br>
<br>
Now we need to tell the RPM-Manager that the non-root user wants this location to build RPMS instead of the default location.<br>
<br>
[user@example.com]# echo "%_topdir $HOME/rpm" &gt;&gt; $HOME/.rpmmacros<br>
<br>
Note:<br>
You will have to set the environment every time you log in and out as the user who builds the RPMS.<br>
If you want to dig deeper into building RPMS you can find excellent information in the Maximum RPM HOWTO at rpm.org.<br>
<br>
That's it, you are ready to build RPMS.<br>
<br>
Howto smtp auth with Postfix(7)<br>
<br>
<br>
<br>
<br>
Cyrus-SASL Installation from SRPMS provided by Tuomo Soini<br>
<br>
Tuomo Soini currently provides RPMs for Cyrus-SASL and for Postfix. He constructed the RPMs so that they fit together well, which means that when you install both of his RPMs you will be halfway to a nicely working version of Cyrus-SASL and Postfix.<br>
<br>
Tuomo's RPMs are SOURCE RPMs. This means that they have to be compiled before we can install them. But before we do this, we'll have to download them.<br>
Step 1: Download the SRPMS<br>
