Folks,
A while back I was looking for Cyrus+Postfix best practice. See:
http://msgs.SecurePoint.com/cgi-bin/get/postfix0012/336.html
I've made some progress and am basically soliciting feedback on my approach
thus far.
In a previous life, my setup used SASL to manage both Cyrus imapd logins
(mail checking) and postfix authenticated SMTP (mail sending). Both Cyrus and
Postfix were happy enough sharing /etc/sasldb and authenticating clients using
CRAM-MD5, and life was good.
First wrinkle. Enter the need to centralize authentication using LDAP. *ugh*
I can get Cyrus authenticating against LDAP using:
sasl_pwcheck_method: pam
and the appropriate additions to /etc/pam.d/imap, but I lose the ability to
authenticate CRAM-MD5 and instead have to use plaintext logins. To address
that, so that cleartext is never passed, I'll encrypt the entire IMAP protocol
(and see if I can handle the compute overhead for long-term use while I'm at
it). Using cyrus-2.0.11's imaps and OpenSSL I am now able to login to Cyrus
over an ssl-encrypted wire, so bye-bye plaintext:
Feb 19 22:24:39 mail2 imapd[28977]: login: somehost.some.org[###.###.##.##] dnickerson plaintext+TLS
**PROBLEM** how the heck can I use authenticated SMTP with postfix in a secure
manner now? As I understand it, I'd need to use SASL, which is regrettably
passing plaintext around and postfix ain't talking SSL yet.
Here's what I did. I put the following in imapd.conf:
sasl_auto_transition: yes
to populate /etc/sasldb directly from imapd logins. I used the following
owner/group and modes on sasldb:
[root@mail2 /etc]# ls -al sasldb
-rw-r--r-- 1 cyrus root 12700 Feb 20 01:14 sasldb
Next, to allow postfix to read this I had to take smtpd out of its chroot jail
in master.conf:
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
To get smtpd to read sasldb I would have thought I would need something like:
pwcheck_method:sasldb
or
sasl_pwcheck_method: sasldb
in a file called /usr/lib/sasl/smtpd.conf (which is correct by the way?)
Independent of which is the correct form, it seems to be unnecessary . . . even
without a smtpd.conf file smtpd seems happy to grok sasldb. Perhaps this is the
default?
This approach seems to work fine for SMTP-AUTH. As a side effect, I also seem
to have managed to get CRAM-MD5 working for imap logins . . . is this just a
side effect of building up a sasldb?
Feb 20 00:50:30 mail2 imapd[30023]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
Feb 20 00:50:30 mail2 imapd[30023]: login: somehost.some.org[###.###.##.##] dnickerson CRAM-MD5+TLS User logged in
Well, I'm certainly not going to complain ;-) Here's the smtpd log:
Feb 20 00:53:23 mail2 postfix/smtpd[30025]: 5BDC9EBC3B: client=somehost.some.org[###.###.##.##], sasl_method=CRAM-MD5, sasl_username=dnickerson
Sweet.
So I create a user, login once to imap with plaintext to populate sasldb with
the appropriate secret, then switch to CRAM-MD5 forever after for both IMAP and
SMTP-AUTH logins. And as an extra win, I've gone to the trouble of encrypting
IMAP traffic so our "road warriors" won't be showing our inbound mail to the
world.
I'd welcome comments on anything I've missed in terms of recommended
configuration, or security best-practice. I suppose the most glaring weakness
of the current scheme is the cleartext nature of outbound SMTP traffic. Since
postfix is not yet speaking ssl I'm not sure there's much to be done there
aside from using something like stunnel/ssh to set up a port redirection. Anyone
doing this?
Thanks in advance for any comments. . . I hope this is helpful to someone!
-Darren
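An added illustration (editor's example, not part of Darren's post or of Cyrus SASL itself) of why the scheme above works and what it depends on. CRAM-MD5 (RFC 2195) has the server send a challenge and the client return HMAC-MD5(secret, challenge); the server can only verify that if it holds the shared secret, which is exactly what `sasl_auto_transition` captures from the first plaintext+TLS login and writes into sasldb. The same property means whatever is in sasldb is enough to answer challenges, so its file mode matters: the `-rw-r--r--` shown above is group- and world-readable, and the small mode check at the end flags that. The in-memory `SASLDB` dict and its secret are constructed for the example; the real sasldb format is not reproduced here.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for /etc/sasldb: username -> shared secret.
# (Assumption: a real sasldb holds per-mechanism secret material rather than
# this literal string, but anything that can verify CRAM-MD5 can also answer it.)
SASLDB = {"dnickerson": "constructed-example-secret"}


def cram_md5_challenge(hostname, pid=None, now=None):
    """Server side: RFC 2195 challenge of the form '<pid.timestamp@hostname>'."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return "<%d.%d@%s>" % (pid, now, hostname)


def cram_md5_digest(secret, challenge):
    """Hex HMAC-MD5 of the challenge keyed with the shared secret (RFC 2195)."""
    return hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(username, secret, challenge):
    """Client side: 'username SP digest', the string sent back (base64 on the wire)."""
    return "%s %s" % (username, cram_md5_digest(secret, challenge))


def cram_md5_verify(response, challenge, lookup_secret):
    """Server side: recompute the digest from the stored secret and compare.

    Returns the authenticated username, or None on any failure. Note that the
    server must be able to produce the HMAC itself, i.e. it needs the secret,
    not a one-way hash of it; this is the whole reason sasldb has to be populated.
    """
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = cram_md5_digest(secret, challenge)
    return username if hmac.compare_digest(expected, digest) else None


def sasldb_mode_ok(mode):
    """True if no group/other permission bits are set (e.g. 0o600), False for 0o644."""
    return (mode & 0o077) == 0


def demo():
    """One full exchange against the constructed sasldb; returns the auth result."""
    challenge = cram_md5_challenge("mail2", pid=30025, now=982630403)
    response = cram_md5_response("dnickerson", SASLDB["dnickerson"], challenge)
    return cram_md5_verify(response, challenge, SASLDB.get)


if __name__ == "__main__":
    print("authenticated as:", demo())
    print("mode 644 acceptable for sasldb?", sasldb_mode_ok(0o644))
```

The RFC 2195 test vector (user `tim`, secret `tanstaaftanstaaf`) is a convenient way to confirm the digest routine matches what imapd and smtpd compute; it is the only part of the example not constructed.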