Rich Winkel wrote:
> Hi, I'm setting up a mail server with dovecot-1.0.13 and
> postfix-2.5.1 on FreeBSD 7.0. I'm a newbie to postfix, I almost
> have it running but have two questions:
> I'm using dovecot auth-client for sasl authentication. I want it to
> reject mail from anonymous logins, but this isn't working.
> "postconf -a" says "dovecot"
OK, that's correct.
> In main.cf I have:
> smtpd_sasl_path=/var/run/dovecot/auth-client
> smtpd_sasl_type=dovecot
> auth-client is rw by group postfix.
> The sasl_security options are the defaults from main.cf.default:
> lmtp_sasl_security_options = noplaintext, noanonymous
> smtp_sasl_security_options = noplaintext, noanonymous
The above two have no effect on dovecot (client side SASL not
implemented).
> smtpd_sasl_security_options = noanonymous
OK.
> I'm testing this in a local network, so I temporarily removed
> "permit_mynetworks" from smtpd_sender_restrictions and
> smtpd_recipient_restrictions, so that they read:
> smtpd_sender_restrictions = permit_sasl_authenticated
Each smtpd_*_restrictions section ends with an implied
"permit", so the above has no effect; all clients are
accepted. That's OK.
> smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination
OK, SASL authenticated clients are allowed to relay off-site,
anyone else can send mail to your local/virtual/relay domains.
> But it still accepts anonymous logins:
> postfix/smtpd[29015]: Anonymous TLS connection established
> and the delivery goes through.
Hold on a minute... Anonymous TLS connection does *not* imply
anonymous SASL authentication. Anonymous TLS is normal and
expected; it just says your client doesn't have its own
security certificate.
You'll need to show more evidence that dovecot is accepting an
anonymous login...
http://www.postfix.org/DEBUG_README.html#mail
If the recipient is in your own domain the message will still
be accepted from any client, authenticated or not. To only
accept mail from authenticated clients, you need
smtpd_recipient_restrictions =
permit_sasl_authenticated
reject
Of course this is only suitable for testing, or on a MSA such
as the submission port 587, since it won't accept mail from
anyone else.
> The other question I had was regarding where to specify the dovecot delivery
> agent to postfix. There seem to be two ways:
> in main.cf:
> mailbox_command=/usr/local/libexec/dovecot/deliver
> or in master.cf:
> dovecot unix - n n - - pipe
>   flags=DRhu user=root:mail argv=/usr/local/libexec/dovecot/deliver -d ${recipient}
> Could someone tell me the difference(s) ?
See the MAILDROP_README. The interface to postfix is the same
with both, so most of it applies directly to using any
alternate delivery agent.
http://www.postfix.org/MAILDROP_README.html
> Many thanks for any help!!!
> Rich
Enjoy!
--
Noel Jones
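The two points Noel makes about the restriction lists (the implied "permit" at the end of every smtpd_*_restrictions list, and why "permit_sasl_authenticated, reject_unauth_destination" still accepts unauthenticated mail for your own domains while "permit_sasl_authenticated, reject" does not), plus his remark that an "Anonymous TLS connection established" line is not evidence of an anonymous SASL login, as an added example that is not part of the thread. The evaluator below is a toy model written for this page, not Postfix's own code: it knows only the five restrictions that appear in the thread, and the log lines fed to it are constructed samples. The "sasl_method=..., sasl_username=..." fields it looks for are what Postfix appends to the "client=" log line for a SASL-authenticated session.

```shell
#!/bin/sh
# Toy model of a Postfix smtpd_*_restrictions list (added example, not
# Postfix's own logic). Restrictions are tried in order; the first one
# that matches decides, and the end of the list is an implied "permit".
#
# Usage: evaluate_restrictions LIST SASL MYNET AUTHDEST
#   LIST      the restriction list, comma and/or whitespace separated
#   SASL      yes|no  client passed SASL authentication
#   MYNET     yes|no  client address is in $mynetworks
#   AUTHDEST  yes|no  recipient is in a domain this server accepts mail for
#                     (local, virtual or relay domain)
# Prints "permit" or "reject".
evaluate_restrictions() {
    list=$1 sasl=$2 mynet=$3 authdest=$4
    # commas and whitespace both separate restrictions
    for r in $(printf '%s\n' "$list" | tr ',' ' '); do
        case $r in
            permit_mynetworks)
                if [ "$mynet" = yes ]; then echo permit; return 0; fi ;;
            permit_sasl_authenticated)
                if [ "$sasl" = yes ]; then echo permit; return 0; fi ;;
            reject_unauth_destination)
                if [ "$authdest" = no ]; then echo reject; return 0; fi ;;
            permit) echo permit; return 0 ;;
            reject) echo reject; return 0 ;;
            *) echo "unknown restriction: $r" >&2; return 2 ;;
        esac
    done
    echo permit    # fell off the end of the list: implied permit
}

# Does an smtpd log line show a SASL-authenticated session?
# Postfix records a SASL login on the "client=" line as
# "sasl_method=..., sasl_username=...". The "Anonymous TLS connection
# established" line only says the client presented no certificate, so
# it never counts as evidence of an anonymous SASL login.
sasl_login_in_log() {
    case $1 in
        *sasl_username=*) echo yes ;;
        *) echo no ;;
    esac
}

# Demonstration with the two lists from the thread (constructed scenarios).
LIST_A='permit_sasl_authenticated, reject_unauth_destination'
LIST_B='permit_sasl_authenticated, reject'
for scenario in 'no no yes' 'no no no' 'yes no no'; do
    set -- $scenario
    echo "sasl=$1 mynet=$2 authdest=$3:" \
        "[$LIST_A] -> $(evaluate_restrictions "$LIST_A" "$1" "$2" "$3")," \
        "[$LIST_B] -> $(evaluate_restrictions "$LIST_B" "$1" "$2" "$3")"
done

# Constructed log lines in Postfix's format, with documentation addresses.
TLS_LINE='Mar  1 10:00:00 mx postfix/smtpd[29015]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)'
SASL_LINE='Mar  1 10:00:01 mx postfix/smtpd[29015]: 1A2B3C4D5E: client=client.example[192.0.2.10], sasl_method=PLAIN, sasl_username=rich'
echo "TLS line shows SASL login:  $(sasl_login_in_log "$TLS_LINE")"
echo "SASL line shows SASL login: $(sasl_login_in_log "$SASL_LINE")"
```

The first scenario (unauthenticated client, recipient in your own domain) is the one Rich was testing: list A accepts it, which is correct relay behaviour and not an anonymous login, and only list B rejects it. To see whether a session really authenticated, grep the smtpd log for the "client=" line of that queue ID and check for sasl_username, as the DEBUG_README link above suggests.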