Re: newbie confused about authentication

2009-10-02 Thread Ivan Stepaniuk
Jay G. Scott wrote:
> What I'd like to do is change that so you can only send authenticated
> email if you're in /etc/postfix/sasl_passwd.db.

Don't forget to run postmap for that file.

> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

You probably want 'smtpd_sender_login_maps', not
'smtp_sasl_password_maps'; the latter is used when postfix connects to
another smtp server that requires authentication.

-- 
Iván Stepaniuk
Alba Fotónica S.L.
http://www.albafotonica.com
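As an added example (not from the thread or from Postfix itself), a small Python audit that reads a `postconf -n` dump and the Cyrus SASL smtpd.conf and flags the points raised above: `smtp_sasl_password_maps` is a client-side setting, `pwcheck_method: saslauthd` means the system password backend is consulted, and CRAM-MD5 cannot be verified through saslauthd. Treating `pwcheck_method: auxprop` with the sasldb plugin as the store-backed alternative is my assumption, not something the thread states.

```python
# Audit 'postconf -n' output and the Cyrus SASL smtpd.conf for the
# smtp_ (client) / smtpd_ (server) mix-up discussed in this thread.
# The two samples are constructed from the poster's settings.
POSTCONF_N = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
"""
SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5
"""

def parse_kv(text, sep):
    """Parse 'key = value' (postconf) or 'key: value' (SASL) lines."""
    out = {}
    for line in text.splitlines():
        if sep in line and not line.lstrip().startswith("#"):
            key, val = line.split(sep, 1)
            out[key.strip()] = val.strip()
    return out

def audit(postconf_text, smtpd_conf_text):
    """Return a list of (tag, message) findings."""
    pc = parse_kv(postconf_text, "=")
    sc = parse_kv(smtpd_conf_text, ":")
    backend = sc.get("pwcheck_method", "")
    mechs = sc.get("mech_list", "").upper().split()
    found = []
    # smtp_* applies when Postfix is the SMTP client; it never decides
    # who may AUTH to this host's smtpd.
    if pc.get("smtp_sasl_password_maps"):
        found.append(("client_side_maps", "smtp_sasl_password_maps holds "
                      "credentials Postfix presents to other servers, not smtpd users"))
    if backend == "saslauthd":
        found.append(("saslauthd_backend", "saslauthd verifies against its -a "
                      "mechanism (PAM/shadow/...), so system accounts can AUTH"))
    elif backend == "auxprop":  # assumed store-backed alternative (sasldb)
        found.append(("auxprop_backend", "auxprop checks only the %s store"
                      % sc.get("auxprop_plugin", "sasldb")))
    if backend == "saslauthd" and "CRAM-MD5" in mechs:
        found.append(("crammd5_needs_auxprop", "CRAM-MD5 needs the shared secret "
                      "from an auxprop store; saslauthd only verifies plaintext"))
    if any(m in ("PLAIN", "LOGIN") for m in mechs) and pc.get("smtpd_tls_auth_only") != "yes":
        found.append(("plaintext_without_tls", "PLAIN/LOGIN offered without "
                      "smtpd_tls_auth_only = yes"))
    return found
```

Run `audit(POSTCONF_N, SMTPD_CONF)` to see the three findings that apply to the configuration posted in this thread.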



RE: newbie confused about authentication

2009-09-30 Thread Jay G. Scott
postconf -n

broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = arlut.utexas.edu
myhostname = smail.arlut.utexas.edu
mynetworks = 10.3.0.0/16
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:/var/postfix/smtp_tls_session_cache
smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_enforce_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/public.pem
smtpd_tls_key_file = /etc/postfix/smail_private.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550


saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Sep 30 09:52:56 CDT 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.3
System: Red Hat Enterprise Linux Server release 5.3 (Tikanga)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x2acc6655f000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/public.pem
smtpd_tls_key_file = /etc/postfix/smail_private.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:/var/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s


-- listing of /usr/lib64/sasl2 --
total 3592
drwxr-xr-x  2 root root   4096 Aug 13 17:15 .
drwxr-xr-x 35 root root  20480 Aug  5 04:03 ..
-rwxr-xr-x  1 root root    890 Sep 29  2006 libanonymous.la
-rwxr-xr-x  1 root root  16168 Sep 29  2006 libanonymous.so
-rwxr-xr-x  1 root root  16168 Sep 29  2006 libanonymous.so.2
-rwxr-xr-x  1 root root  16168 Sep 29  2006 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    876 Sep 29  2006 libcrammd5.la
-rwxr-xr-x  1 root root  19296 Sep 29  2006 libcrammd5.so
-rwxr-xr-x  1 root root  19296 Sep 29  2006 libcrammd5.so.2
-rwxr-xr-x  1 root root  19296 Sep 29  2006 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    899 Sep 29  2006 libdigestmd5.la
-rwxr-xr-x  1 root root  48552 Sep 29  2006 libdigestmd5.so
-rwxr-xr-x  1 root root  48552 Sep 29  2006 libdigestmd5.so.2
-rwxr-xr-x  1 root root  48552 Sep 29  2006 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    939 Sep 29  2006 libgssapiv2.la
-rwxr-xr-x  1 root root  28416 Sep 29  2006 libgssapiv2.so
-rwxr-xr-x  1 root root  28416 Sep 29  2006 libgssapiv2.so.2
-rwxr-xr-x  1 root root  28416 Sep 29  2006 libgssapiv2.so.2.0.22
-rwxr-xr-x  1 root root    883 Sep 29  2006 libldapdb.la
-rwxr-xr-x  1 root root  18024 Sep 29  2006 libldapdb.so
-rwxr-xr-x  1 root root  18024 Sep 29  2006 libldapdb.so.2
-rwxr-xr-x  1 root root  18024 Sep 29  2006 libldapdb.so.2.0.22
-rwxr-xr-x  1 root root    862 Sep 29  2006 liblogin.la
-rwxr-xr-x  1 root root  16768 Sep 29  2006 liblogin.so
-rwxr-xr-x  1 root root  16768 Sep 29  2006 liblogin.so.2
-rwxr-xr-x  1 root root  16768 Sep 29  2006 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    864 Sep 29  2006 libntlm.la
-rwxr-xr-x  1 root root  32928 Sep 29  2006 libntlm.so
-rwxr-xr-x  1 root root  32928 Sep 29  2006 libntlm.so.2
-rwxr-xr-x  1 root root  32928 Sep 29  2006 libntlm.so.2.0.22
-rwxr-xr-x  1 root root    862 Sep 29  2006 libplain.la
-rwxr-xr-x  1 root root  16736 Sep 29  2006 libplain.so
-rwxr-xr-x  1 root root  16736 Sep 29  2006 libplain.so.2
-rwxr-xr-x  1 root root  16736 Sep 29  2006 libplain.so.2.0.22
-rwxr-xr-x  1 root root    936 Sep 29  2006 libsasldb.la
-rwxr-xr-x  1 root root 893176 Sep 29  2006 libsasldb.so
-rwxr-xr-x  1 root root 893176 Sep 29  2006 libsasldb.so.2
-rw

Re: newbie confused about authentication

2009-09-30 Thread Patrick Ben Koetter
Jay,

please run "postconf -n" and send that as well as output from the saslfinger
script.


p...@rick



-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



newbie confused about authentication

2009-09-29 Thread Jay G. Scott

hi,

I figured out, by accident, that although I hoped I was using
/etc/postfix/sasl_passwd.db
as my authentication store, I wasn't.  I'm using regular login
stuff, a la PAM.  So anyone in my /etc/passwd file can send
authenticated email.

What I'd like to do is change that so you can only send authenticated
email if you're in /etc/postfix/sasl_passwd.db.

My email server is smail.  So this:
[r...@smail ~]# more /etc/postfix/sasl_passwd
smail.arlut.utexas.edu  user1:clearpass

followed by this:
postmap hash:/etc/postfix/sasl_passwd

should set up user1 to be authenticated by the password clearpass
when sending email through the host smail.  Right?

The groovy part of /etc/postfix/main.cf:
#---

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions =
permit_sasl_authenticated, reject_unauth_destination

smtpd_client_restrictions = permit_sasl_authenticated, reject
smtpd_sasl_authenticated_header = yes

broken_sasl_auth_clients = yes

cyrus_sasl_config_path = /usr/lib64/sasl2

smtp_sasl_type = cyrus
smtpd_sasl_type = cyrus

smtpd_sasl_local_domain = $myhostname
#---

Now, is the stuff I need to change in the part above?  Or is it in
saslauthd's smtpd.conf?

more /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
log_level: 5
mech_list: PLAIN LOGIN CRAM-MD5

What I'm really after:  I want to control (in a way I understand)
which users get to send authenticated email.

I know how to disable passwords for users in /etc/passwd, /etc/shadow,
but I don't want root sending authenticated email.  Yet I also don't want
to disable root's password.  Is there something I don't know?
I thought I couldn't prevent root authentication for email and still
let root log in.

So, I thought /etc/postfix/sasl_passwd would be the ticket.
List the users there and that's that.  Well, I find that I've
been testing using a user not in sasl_passwd.  The tests have worked.
So I'm clearly going against /etc/passwd.

But I thought saslauthd did not support cram-md5 and digest-md5, and
I want to use md5 to encrypt the passwords.  Or at least allow it.
Thus, I had to have PLAIN LOGIN in smtpd.conf.  I surmise that
mech_list: PLAIN LOGIN is turning on logging in through /etc/passwd.

Clearly, I'm a noob.

j.

-- 
Jay Scott   512-835-3553   g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div.   S224
University of Texas at Austin