C: quit<br>
S: 221 Bye<br>
<br>
Now it's up to you to send mail to a remote user through the Postfix server. But behold, don't close your telnet program after the session. You'll need some of the information that was specific to your session in a few paragraphs from now.<br>
Why did relaying work for us?<br>
<br>
We were able to relay a message using Postfix, because Postfix knows the remote machine is part of a network (see: mynetworks) for which it permits relaying.<br>
<br>
Before we will configure smtp auth there's something that we have to take care of...<br>
Step 12: Deleting Mail that can't get delivered<br>
<br>
Remember that we've just sent a mail to howto@domain.com. Since the Postfix server in our HOWTO is not connected to the real world it will hardly be able to deliver the message. So what is Postfix doing with the mail at the moment? It's still trying, holding the mail in the queue...<br>
<br>
Time to learn something about a helper application that comes with Postfix which is used to remove mails from Postfix's mqueue: postsuper<br>
<br>
When you delete a mail it goes like this: postsuper -d MESSAGEID<br>
<br>
Every message has its unique ID, provided by Postfix when it accepts a message. This MESSAGEID was given to us when we did our telnet session. Have a look at the second-to-last message that Postfix gave us in the HOWTO before we quit the session.<br>
<br>
250 Ok: queued as 84BA64078A<br>
<br>
84BA64078A is our HOWTO's MESSAGEID.<br>
<br>
Look at your telnet program. What is your MESSAGEID?<br>
<br>
At the command prompt enter:<br>
<br>
[root@example.com]# postsuper -d MESSAGEID<br>
postsuper: MESSAGEID: removed<br>
postsuper: Deleted: 1 message<br>
[root@example.com]#<br>
<br>
We removed the undeliverable mail. Postfix should feel better now... ;-)<br>
Step 13: Preparing relay permissions for smtp auth testing<br>
<br>
Let's do it the XP way and define a test, then run it, before we do the configuration. Huh? Read on...<br>
<br>
Since our remote machine is part of the network defined in mynetworks it will be allowed to relay no matter whether we configured smtp auth correctly or not. This will not help us prove that our configuration for smtp auth works.<br>
<br>
In order to get valid results on whether relaying with smtp auth works the way we want it to, we'll have to ensure that we are not part of mynetworks. We do this by simply removing our subnet from the mynetworks parameter and only letting the IP range for localhost remain.<br>
<br>
[root@example.com]# vi /etc/postfix/main.cf<br>
<br>
We reduce mynetworks = 172.16.0.0/24, 127.0.0.0/8 to mynetworks = 127.0.0.0/8.<br>
<br>
It should look like this:<br>
<br>
mynetworks = 127.0.0.0/8<br>
<br>
In order to let the changes be known to Postfix we must restart it.<br>
<br>
[root@example.com]# postfix reload<br>
postfix/postfix-script: refreshing the Postfix mail system<br>
<br>
Let's prove that our test setup will not allow us to relay messages. We telnet from our remote machine. Keep in mind that relaying means sending a message through Postfix to a remote user. The value we provide with rcpt to: must not be a local user.<br>
<br>
This is the transcript from our session:<br>
<br>
S: 220 mail.example.com ESMTP Postfix<br>
C: EHLO example.com<br>
S: 250-mail.example.com<br>
S: 250-PIPELINING<br>
S: 250-SIZE 10240000<br>
S: 250-VRFY<br>
S: 250-ETRN<br>
S: 250-XVERP<br>
S: 250 8BITMIME<br>
C: mail from:&lt;test@example.com&gt;<br>
S: 250 Ok<br>
C: rcpt to:&lt;howto@domain.com&gt;<br>
S: 554 &lt;howto@domain.com&gt;: Recipient address rejected: Relay access denied<br>
C: quit<br>
S: 221 Bye<br>
<br>
Relay access denied. Just the way we want it at the moment. Postfix will not allow us to relay mails to remote users. Now that we've configured this we can go on and add SASL which will provide us with the functionality to relay even if we are not part of Postfix's network.<br>
Summary<br>
<br>
    * We gathered information to use for configuration.<br>
    * We configured Postfix to give us basic functionality.<br>
    * We added a user for testing purposes.<br>
    * Then we sent test messages from localhost to a local user,<br>
    * from a remote machine to a local user and<br>
    * from the remote machine to a remote user.<br>
    * We did this the hard way in order to exclude failures that could be introduced by more complex mail clients.<br>
    * We successfully deleted a non-deliverable message from Postfix without stopping it or manually deleting files from its mail queue.<br>
    * We prepared Postfix to reject relaying for our network in order to prove SASL to work correctly later on.<br>
    <br>
Howto smtp auth with Postfix(11)<br>
<br>
<br>
Smtp authentication for Mailclients<br>
<br>
This chapter deals with Authentication for mailclients that need to relay through your Postfix server.<br>
<br>
Keep in mind: there are several programs within Postfix that take care of correct mail delivery. In this chapter our focus will be on the smtpd daemon, which receives mail from clients before deciding what to do with it and passing it on to other programs.<br>
<br>
Note<br>
You can tell we are dealing with the smtpd, because most of our configuration settings will start with smtpd_....<br>
Step 1: Enable SASL support<br>
<br>
To enable SASL support in Postfix we must configure some settings in the main.cf.<br>
<br>
[root@example.com]# vi /etc/postfix/main.cf<br>
<br>
You will notice that there is no section in the main.cf that offers pre-installed settings. Therefore we will add a new section on our own.<br>
<br>
We add the following lines:<br>
<br>
# SASL SUPPORT FOR CLIENTS<br>
#<br>
# The following options set parameters needed by Postfix to enable<br>
# Cyrus-SASL support for authentication of mailclients.<br>
#<br>
Enable smtp auth<br>
<br>
The first thing we need to do is to tell Postfix to enable smtp auth. We do this by adding the following line:<br>
<br>
smtpd_sasl_auth_enable = yes<br>
Security options<br>
<br>
There's a really nice, but insecure fallback feature in smtp auth when authenticating. If one mechanism doesn't work it'll try another one. Insecure? The idea is nice, but look how it's done...<br>
<br>
It appears that clients try authentication methods in the order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that if you disable plaintext passwords, clients will log in anonymously, even when they should be able to use CRAM-MD5. So, if you disable PLAIN logins, disable ANONYMOUS logins too. Postfix treats ANONYMOUS login as no authentication.<br>
<br>
Since we want to use the plaintext mechanism in this HOWTO, but not anonymous, we'll simply set:<br>
<br>
smtpd_sasl_security_options = noanonymous<br>
<br>
This will keep Postfix from offering anonymous logins.<br>
Passing the realm<br>
<br>
When you use the sasldb method, Cyrus-SASL needs to know a value for a parameter called realm. It's about the same as a domain. In Cyrus-SASL this is used to authenticate users with the same username, but from different domains (e.g. joe@domain.com, joe@example.com).<br>
<br>
Since our users don't pass the realm when they authenticate, but Cyrus-SASL requires it in order to work properly we set a default value in Postfix. Postfix will append this when it hands over data for Cyrus-SASL to authenticate our relay-users.<br>
<br>
In our HOWTO we'll simply reuse a value that we've set when we did our first configuration:<br>
<br>
smtpd_sasl_local_domain = $myhostname<br>
<br>
sasldb users<br>
If you plan to use sasldb you might want to add this to your paper that holds the parameters that are specific to your setting.<br>
Supporting non-standard mailclients<br>
<br>
The broken_sasl_auth_clients parameter controls interoperability with SMTP clients that do not recognize that Postfix supports RFC 2554 (AUTH command). Examples of such clients are Microsoft Outlook Express version 4 and Microsoft Exchange version 5.0.<br>
<br>
Specify yes to have Postfix also advertise smtp auth in a non-standard way.<br>
<br>
broken_sasl_auth_clients = yes<br>
<br>
Now we have configured Postfix to enable SASL support, but one last step is still missing. We must tell Postfix that SASL authenticated clients are allowed to relay. So keep your editor on main.cf open...<br>
Enable relaying for smtp auth users<br>
<br>
There are a number of values that we can add to the following parameter. For the moment we stick with a minimum to keep our setup simple and under control.<br>
<br>
Search for relay_domains = and add the following line below:<br>
<br>
smtpd_recipient_restrictions =<br>
   permit_sasl_authenticated,<br>
   permit_mynetworks,<br>
   check_relay_domains<br>
Configuration overview<br>
<br>
When you are done with the configurations from above, you should have added the following lines:<br>
<br>
# SASL SUPPORT FOR CLIENTS<br>
#<br>
# The following options set parameters needed by Postfix to enable<br>
# Cyrus-SASL support for authentication of mailclients.<br>
#<br>
smtpd_sasl_auth_enable = yes<br>
smtpd_sasl_security_options = noanonymous<br>
smtpd_sasl_local_domain = $myhostname<br>
broken_sasl_auth_clients = yes<br>
...<br>
smtpd_recipient_restrictions =<br>
   permit_sasl_authenticated,<br>
   permit_mynetworks,<br>
   check_relay_domains<br>
<br>
If you have entered all of this, save the file. Now we will have to make Postfix reread its configuration.<br>
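The HOWTO's three RCPT TO outcomes (relay permitted while in mynetworks, "Relay access denied" after the subnet is removed, relay permitted again once the client is SASL authenticated) all come from Postfix walking smtpd_recipient_restrictions left to right. The following Python model is an added example, not Postfix code and not part of the HOWTO: it evaluates the restriction list the way the text describes, with the client address 172.16.0.10, the domain lists and the reply strings being constructed sample values, and check_relay_domains simplified to a recipient-domain check against $relay_domains (which by default includes $mydestination).<br>

```python
"""Model of the relay decision in this HOWTO (added example, not Postfix code):
walks smtpd_recipient_restrictions in order and returns the reply the client
would see at RCPT TO.  All addresses, networks and domains are constructed."""
import ipaddress

# Constructed configuration mirroring the HOWTO's main.cf values.
MYDESTINATION = {"example.com", "mail.example.com", "localhost"}
# check_relay_domains consults $relay_domains, which by default includes
# $mydestination; modelled here as that set (simplified: the real rule also
# looks at the client hostname).
RELAY_DOMAINS = set(MYDESTINATION)

# Default restriction list of the Postfix versions this HOWTO targets, and
# the list the HOWTO adds in "Enable relaying for smtp auth users".
DEFAULT_RESTRICTIONS = ["permit_mynetworks", "check_relay_domains"]
HOWTO_RESTRICTIONS = ["permit_sasl_authenticated", "permit_mynetworks", "check_relay_domains"]


def parse_mynetworks(value):
    """'172.16.0.0/24, 127.0.0.0/8' -> list of ip_network objects."""
    return [ipaddress.ip_network(n.strip()) for n in value.replace(",", " ").split()]


def client_in_mynetworks(client_ip, mynetworks):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in mynetworks)


def rcpt_decision(restrictions, client_ip, sasl_authenticated, recipient, mynetworks):
    """Evaluate the restriction list left to right; the first permit or reject wins."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "250 Ok"
        if rule == "permit_mynetworks" and client_in_mynetworks(client_ip, mynetworks):
            return "250 Ok"
        if rule == "check_relay_domains":
            if domain in RELAY_DOMAINS:
                return "250 Ok"          # local delivery, not relaying
            return "554 <%s>: Recipient address rejected: Relay access denied" % recipient
    return "250 Ok"  # Postfix's implicit default when no rule matched is permit


def howto_sessions():
    """Replay the HOWTO's test sessions; returns {session name: server reply}."""
    remote = "172.16.0.10"  # constructed address for the remote machine
    before = parse_mynetworks("172.16.0.0/24, 127.0.0.0/8")  # Step 11
    after = parse_mynetworks("127.0.0.0/8")                  # Step 13
    return {
        "step11_relay_in_mynetworks": rcpt_decision(DEFAULT_RESTRICTIONS, remote, False, "howto@domain.com", before),
        "step13_relay_denied": rcpt_decision(DEFAULT_RESTRICTIONS, remote, False, "howto@domain.com", after),
        "sasl_relay_permitted": rcpt_decision(HOWTO_RESTRICTIONS, remote, True, "howto@domain.com", after),
        "local_recipient_no_auth": rcpt_decision(HOWTO_RESTRICTIONS, remote, False, "test@example.com", after),
    }


if __name__ == "__main__":
    for name, reply in howto_sessions().items():
        print("%-28s S: %s" % (name, reply))
```

The order of the list matters: permit_sasl_authenticated is consulted before check_relay_domains, which is why an authenticated client from outside mynetworks is never reached by the relay check.<br>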
Step 2: Reload Postfix<br>
<br>
You can always stop and start Postfix, but this takes time which you may not have when you're online and you have lots of traffic. So we rather have Postfix reread its configuration by ordering it to reload. It will still not deliver or receive messages while it reloads, but the downtime will be shorter.<br>
<br>
[root@example.com]# postfix reload<br>
postfix/postfix-script: refreshing the Postfix mail system<br>
Step 3: Check for smtp auth support<br>
<br>
So, now that we have enabled SASL authentication in the configuration we need to verify that Postfix serves us the new feature. We check from a remote host and telnet to the Postfix server.<br>
<br>
S: 220 mail.example.com ESMTP Postfix<br>
C: EHLO example.com<br>
S: 250-mail.example.com<br>
S: 250-PIPELINING<br>
S: 250-SIZE 10240000<br>
S: 250-VRFY<br>
S: 250-ETRN<br>
S: 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI<br>
S: 250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI<br>
S: 250-XVERP<br>
S: 250 8BITMIME<br>
C: quit<br>
S: 221 Bye<br>
<br>
Notice the two new lines?<br>
<br>
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI<br>
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI<br>
<br>
These are the lines that Postfix issues when it offers the use of smtp auth and we can see two things from looking at them:<br>
Fallback feature<br>
<br>
First let us remember the insecure fallback feature:<br>
<br>
PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI is the order in which a mail client would try the mechanisms to authenticate. If SASL issued ANONYMOUS in between LOGIN and DIGEST-MD5 we'd be lost, or rather an open relay to every spammer in the world who knew this 'feature'.<br>
Broken clients<br>
<br>
Did you notice that there are two lines that only differ in an extra '=' in between AUTH and PLAIN? The AUTH=PLAIN statement is the one that broken clients need in order to recognize that they may use smtp auth.<br>
<br>
Note:<br>
If you don't see all the mechanisms as pointed out in this HOWTO it means that you didn't install or compile all the SASL mechanisms. Please make sure that you have at least the following as we are going to need them in the HOWTO.<br>
PLAIN<br>
LOGIN<br>
Step 4: Check if smtp auth works<br>
<br>
Before we start and configure a mail client to relay mail using smtp auth we do one more last check. If we pass this we know we're done with server-side smtp auth configuration. In this step we will telnet to the server and pass our username and password just to see if we pass the authentication.<br>
<br>
Since we use PLAIN as mechanism we will have to pass our credentials plaintext. But hold, the credentials must be Base64 encoded, when we issue them. This can easily be done on our server. The basic script looks like this:<br>
<br>
[root@example.com]# printf 'username<br>
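The following Python model is an added example, not code from the HOWTO, from Postfix or from Cyrus-SASL. It ties together the "Security options" and "Broken clients" passages above with this step: it computes the 250-AUTH line(s) the EHLO banner shows for a given smtpd_sasl_security_options value, encodes the credentials of a PLAIN client in the form the mechanism defines (RFC 4616: base64 of authzid, NUL, username, NUL, password), and checks them on the server side against a sasldb-style table keyed by user@realm, appending the default realm the way smtpd_sasl_local_domain is described to do. The mechanism order, the user "test", the password "testpass", the realm mail.example.com and the exact reply strings are constructed sample values.<br>

```python
"""Model of the SASL part of this HOWTO (added example, not Postfix or
Cyrus-SASL code).  Mechanism list, credentials, realm and reply strings are
constructed sample values; reply text only approximates Postfix's wording."""
import base64

# Mechanisms assumed installed, in the advertised order (constructed).
INSTALLED_MECHS = ["PLAIN", "LOGIN", "ANONYMOUS", "DIGEST-MD5", "CRAM-MD5", "GSSAPI"]
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sasldb-style table: key is user@realm, value is the password.
SASLDB = {"test@mail.example.com": "testpass"}
SMTPD_SASL_LOCAL_DOMAIN = "mail.example.com"  # stands in for $myhostname


def advertised_mechanisms(installed, security_options):
    """Apply smtpd_sasl_security_options: noanonymous drops ANONYMOUS,
    noplaintext drops PLAIN and LOGIN.  Order is preserved because clients
    try mechanisms in the advertised order (the fallback the HOWTO warns about)."""
    opts = set(security_options.replace(",", " ").split())
    mechs = []
    for m in installed:
        if m == "ANONYMOUS" and "noanonymous" in opts:
            continue
        if m in PLAINTEXT_MECHS and "noplaintext" in opts:
            continue
        mechs.append(m)
    return mechs


def ehlo_auth_lines(installed, security_options, broken_sasl_auth_clients):
    """The 250-AUTH line(s) a client sees after EHLO."""
    mechs = " ".join(advertised_mechanisms(installed, security_options))
    lines = ["250-AUTH " + mechs]
    if broken_sasl_auth_clients:
        lines.append("250-AUTH=" + mechs)  # non-standard form for old clients
    return lines


def plain_initial_response(username, password, authzid=""):
    """Client side: base64(authzid NUL authcid NUL password), RFC 4616."""
    raw = "%s\0%s\0%s" % (authzid, username, password)
    return base64.b64encode(raw.encode()).decode()


def verify_plain(initial_response, sasldb=SASLDB, default_realm=SMTPD_SASL_LOCAL_DOMAIN):
    """Server side: decode, append the default realm when the client sent none
    (what smtpd_sasl_local_domain does), then look the user up in sasldb."""
    try:
        parts = base64.b64decode(initial_response, validate=True).decode().split("\0")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "501 Syntax error in arguments"
    if len(parts) != 3:
        return "535 Error: authentication failed"
    _authzid, authcid, password = parts
    if "@" not in authcid:
        authcid = "%s@%s" % (authcid, default_realm)
    if sasldb.get(authcid) == password:
        return "235 Authentication successful"
    return "535 Error: authentication failed"


if __name__ == "__main__":
    for line in ehlo_auth_lines(INSTALLED_MECHS, "noanonymous", True):
        print("S:", line)
    # noplaintext alone would leave ANONYMOUS first in line: the trap the HOWTO describes.
    print("noplaintext only ->", advertised_mechanisms(INSTALLED_MECHS, "noplaintext"))
    token = plain_initial_response("test", "testpass")
    print("C: AUTH PLAIN", token)
    print("S:", verify_plain(token))
```

Running the block shows the two banner lines from Step 3, what the banner would look like with noplaintext but without noanonymous, and a PLAIN round trip that succeeds only when the realm-qualified user and password match the table.<br>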
<br>
Howto smtp auth with Postfix(12)<br>
<br>
<br>
Configuring SASL to use sasldb<br>
<br>
If you installed the RPMs you might not have been through this yet. By default Cyrus-SASL's configuration file needs to be put in 
