SASL SMTP认证

Postfix SASL SMTP认证配置

  1. pam_ldap

    debian:/etc/postfix# vi /etc/pam.d/smtp
    #%PAM-1.0
    auth required pam_ldap.so
    account sufficient /lib/security/pam_ldap.so
    			

  2. pam_ldap.conf

    Note

    redhat linux 中是/etc/ldap.conf

    host 127.0.0.1				
    base ou=postfix,dc=example,dc=net
    ldap_version 3
    binddn cn=admin,dc=example,dc=net
    bindpw chen
    #rootbinddn cn=admin,dc=example,dc=net
    scope sub
    pam_filter objectclass=postfix
    				

    Example 3. pam_ldap.conf

    debian:/etc# cat pam_ldap.conf
    ###DEBCONF###
    # the configuration of this file will be done by debconf as long as the
    # first line of the file says '###DEBCONF###'
    #
    # you should use dpkg-reconfigure to configure this file
    #
    # @(#)$Id: ldap.conf,v 1.28 2003/05/29 13:01:04 lukeh Exp $
    #
    # This is the configuration file for the LDAP nameservice
    # switch library and the LDAP PAM module.
    #
    # PADL Software
    # http://www.padl.com
    #
    
    # Your LDAP server. Must be resolvable without using LDAP.
    # Multiple hosts may be specified, each separated by a
    # space. How long nss_ldap takes to failover depends on
    # whether your LDAP client library supports configurable
    # network or connect timeouts (see bind_timelimit).
    host 127.0.0.1
    
    # The distinguished name of the search base.
    base ou=postfix,dc=example,dc=net
    
    # Another way to specify your LDAP server is to provide an
    # uri with the server name. This allows to use
    # Unix Domain Sockets to connect to a local LDAP Server.
    #uri ldap://127.0.0.1/
    #uri ldaps://127.0.0.1/
    #uri ldapi://%2fvar%2frun%2fldapi_sock/
    # Note: %2f encodes the '/' used as directory separator
    
    # The LDAP version to use (defaults to 3
    # if supported by client library)
    ldap_version 3
    
    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=proxyuser,dc=padl,dc=com
    binddn cn=admin,dc=example,dc=net
    
    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret
    bindpw chen
    
    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    #rootbinddn cn=manager,dc=example,dc=net
    #rootbinddn cn=admin,dc=example,dc=net
    
    # The port.
    # Optional: default is 389.
    #port 389
    
    # The search scope.
    scope sub
    #scope one
    #scope base
    
    # Search timelimit
    #timelimit 30
    
    # Bind timelimit
    #bind_timelimit 30
    
    # Idle timelimit; client will close connections
    # (nss_ldap only) if the server has not been contacted
    # for the number of seconds specified below.
    #idle_timelimit 3600
    
    # Filter to AND with uid=%s
    #pam_filter objectclass=account
    pam_filter objectclass=postfix
    
    # The user ID attribute (defaults to uid)
    #pam_login_attribute uid
    #pam_login_attribute mail
    
    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    #pam_lookup_policy yes
    
    # Check the 'host' attribute for access control
    # Default is no; if set to yes, and user has no
    # value for the host attribute, and pam_ldap is
    # configured for account management (authorization)
    # then the user will not be allowed to login.
    #pam_check_host_attr yes
    
    # Check the 'authorizedService' attribute for access
    # control
    # Default is no; if set to yes, and the user has no
    # value for the authorizedService attribute, and
    # pam_ldap is configured for account management
    # (authorization) then the user will not be allowed
    # to login.
    #pam_check_service_attr yes
    
    # Group to enforce membership of
    #pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com
    
    # Group member attribute
    #pam_member_attribute uniquemember
    
    # Specify a minium or maximum UID number allowed
    #pam_min_uid 0
    #pam_max_uid 0
    
    # Template login attribute, default template user
    # (can be overriden by value of former attribute
    # in user's entry)
    #pam_login_attribute userPrincipalName
    #pam_template_login_attribute uid
    #pam_template_login nobody
    
    # HEADS UP: the pam_crypt, pam_nds_passwd,
    # and pam_ad_passwd options are no
    # longer supported.
    
    # Do not hash the password at all; presume
    # the directory server will do it, if
    # necessary. This is the default.
    pam_password crypt
    
    # Hash password locally; required for University of
    # Michigan LDAP server, and works with Netscape
    # Directory Server if you're using the UNIX-Crypt
    # hash mechanism and not using the NT Synchronization
    # service.
    #pam_password crypt
    
    # Remove old password first, then update in
    # cleartext. Necessary for use with Novell
    # Directory Services (NDS)
    #pam_password nds
    
    # Update Active Directory password, by
    # creating Unicode password and updating
    # unicodePwd attribute.
    #pam_password ad
    
    # Use the OpenLDAP password change
    # extended operation to update the password.
    #pam_password exop
    
    # Redirect users to a URL or somesuch on password
    # changes.
    #pam_password_prohibit_message Please visit http://internal to change your password.
    
    # RFC2307bis naming contexts
    # Syntax:
    # nss_base_XXX          base?scope?filter
    # where scope is {base,one,sub}
    # and filter is a filter to be &'d with the
    # default filter.
    # You can omit the suffix eg:
    # nss_base_passwd       ou=People,
    # to append the default base DN but this
    # may incur a small performance impact.
    #nss_base_passwd        ou=People,dc=padl,dc=com?one
    #nss_base_shadow        ou=People,dc=padl,dc=com?one
    #nss_base_group         ou=Group,dc=padl,dc=com?one
    #nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
    #nss_base_services      ou=Services,dc=padl,dc=com?one
    #nss_base_networks      ou=Networks,dc=padl,dc=com?one
    #nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
    #nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
    #nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
    #nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
    #nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
    #nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
    #nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one
    
    # attribute/objectclass mapping
    # Syntax:
    #nss_map_attribute      rfc2307attribute        mapped_attribute
    #nss_map_objectclass    rfc2307objectclass      mapped_objectclass
    
    # configure --enable-nds is no longer supported.
    # For NDS now do:
    #nss_map_attribute uniqueMember member
    
    # configure --enable-mssfu-schema is no longer supported.
    # For MSSFU now do:
    #nss_map_objectclass posixAccount User
    #nss_map_attribute uid msSFUName
    #nss_map_attribute uniqueMember posixMember
    #nss_map_attribute userPassword msSFUPassword
    #nss_map_attribute homeDirectory msSFUHomeDirectory
    #nss_map_objectclass posixGroup Group
    #pam_login_attribute msSFUName
    #pam_filter objectclass=User
    #pam_password ad
    
    # configure --enable-authpassword is no longer supported
    # For authPassword support, now do:
    #nss_map_attribute userPassword authPassword
    #pam_password nds
    
    # For IBM SecureWay support, do:
    #nss_map_objectclass posixAccount aixAccount
    #nss_map_attribute uid userName
    #nss_map_attribute gidNumber gid
    #nss_map_attribute uidNumber uid
    #nss_map_attribute userPassword passwordChar
    #nss_map_objectclass posixGroup aixAccessGroup
    #nss_map_attribute cn groupName
    #nss_map_attribute uniqueMember member
    #pam_login_attribute userName
    #pam_filter objectclass=aixAccount
    #pam_password clear
    
    # Netscape SDK LDAPS
    #ssl on
    
    # Netscape SDK SSL options
    #sslpath /etc/ssl/certs/cert7.db
    
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    #ssl start_tls
    #ssl on
    
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    # Default is "no"
    #tls_checkpeer yes
    
    # CA certificates for server certificate verification
    # At least one of these are required if tls_checkpeer is "yes"
    #tls_cacertfile /etc/ssl/ca.cert
    #tls_cacertdir /etc/ssl/certs
    
    # Seed the PRNG if /dev/urandom is not provided
    #tls_randfile /var/run/egd-pool
    
    # SSL cipher suite
    # See man ciphers for syntax
    #tls_ciphers TLSv1
    
    # Client certificate and key
    # Use these, if your server requires client authentication.
    #tls_cert
    #tls_key
    					
  3. Note

    在Debian中没有/etc/sysconfig/目录,对应的是/etc/default/

    debian:~# find / -name saslauthd
    /etc/default/saslauthd
    /etc/init.d/saslauthd
    /var/run/saslauthd
    
    debian:/var/log# echo "START=yes" >> /etc/default/saslauthd
    debian:/var/log# cat /etc/default/saslauthd
    # This needs to be uncommented before saslauthd will be run automatically
    # START=yes
    
    # You must specify the authentication mechanisms you wish to use.
    # This defaults to "pam" for PAM support, but may also include
    # "shadow" or "sasldb", like this:
    # MECHANISMS="pam shadow"
    
    MECHANISMS="pam"
    
    START=yes
    				
  4. smtpd.conf

    redhat linux:/usr/lib/sasl2/smtpd.conf (debian: /etc/postfix/sasl/smtpd.conf)

    debian:/etc/postfix# cat sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: login plain CRAM-MD5 DIGEST-MD5 GSSAPI
    debian:/etc/postfix#
    				
    debian:/etc/postfix# mkdir -p /var/spool/postfix/var/run/saslauthd
    debian:/etc/postfix# chgrp sasl /var/spool/postfix/var/run/saslauthd/
    				

    Cyrus SASL 配置选项 [1]

  5. 测试 saslauthd

    debian:/var/log# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -s smtp -r example.net -u chen -p chen
    0: OK "Success."
    debian:/var/log# saslauthd -O /etc/pam_ldap.conf -m /var/spool/postfix/var/run/saslauthd -a ldap
    
    debian:~# saslpasswd2 -c -u mail.example.net -a smtpauth test
    			

Notes

[1]

Cyrus SASL 配置选项

这个文档包含了 Cyrus SASL 库和捆绑的机制能使用到的选项的信息。大部分通常使用到的
选项同时也是经常被误解的选项是 pwcheck_method 和 auxprop_plugin 。如果工作不正常
的话,请确保你正确的配置了他们。另外,mech_list选项能方便的限制某特定的应用程序
所能使用的机制。

选项 使用者 缺省值

authdaemond_path SASL 库 /dev/null
(描述:Courier-IMAP 的 authdaemond 的 Unix 套接字的路径。仅当 pwcheck_method 设
置为 authdaemond 时可用。)

auto_transition SASL 库 no
(描述:当设置为 'yes'或'noplain'时,同时使用一个 auxprop 插件时,当用户成功的进
行了纯文本认证时自动的他们到其他机制。当设置为 'noplain' 时,仅非纯文本秘密将
被写。注意,当前实现,不使用纯文本秘密的机制仅有 OTP 和 SRP)。

canon_user_plugin SASL 库 INTERNAL
(描述:canon_user 插件使用的名字)

log_level SASL 库 1 (SASL_LOG_ERR) 
(描述:日志记录登记的数字,参考 sasl.h 中的 SASL_LOG_* 了解值和描述)

mech_list SASL 库 使用所有有效插件
(描述:空格分隔开的允许使用的机制的列表,比如:'plain otp'。用来在安装的插件
中限制出一个可用机制的子集。)

plugin_list SASL 库 无
(描述:插件列表的位置【不支持】)

pwcheck_method SASL 库 auxprop
(描述:空格分隔开的用来效验密码的机制列表,值可能是 sasl_checkpass,auxprop,
saslauthd,pwcheck,authdaemond【如果编译时添加了 --with-authdaemond 的话】 和
alwaystrue【如果编译时添加了 --enable-alwaystrue 的话】)

saslauthd_path SASL 库 系统相关(通常不需要更改)
(描述:saslauthd 运行的目录,包括 "/mun" 命名管道)

auxprop_plugin 辅助属性 (空) - 查询所有插件
(描述:使用的辅助插件的插件名,你可以指定一个空格格开的插件名列表,这些插件将按
照顺序被查询。)

keytab GSSAPI /etc/krb5.keytab(系统相关)
(描述:keytab 文件的位置)

ntlm_server NTLM (服务器) (空) - 执行内部代理
(描述:认证将被代理的系统名【WinNT,Win2K,Samba等】)

ntlm_v2 NTLM (客户端) no (发送 NTLMv1)
(描述:发送 NTLMv2 响应给服务器)

opiekeys OTP (用于 OPIE) /etc/opiekeys
(描述:opiekeys 文件位置)

otp_mda OTP (w/o OPIE) md5 
(描述:OTP 的消息摘要算法,用于 sasl_setpass,值有:'md4','md5','sha1')

reauth_timeout DIGEST-MD5 0
(描述:为加快再次认证而缓存认证信息的保留时间(单位:分钟)。0 禁止缓存。)

srp_mda SRP sha1 
(描述:SRP 计算的消息摘要算法,值有:'md5','sha1','rmd160')

srvtab KERBEROS_V4 /etc/srvtab (系统相关)
(描述:srvtab 文件的位置)

sasldb_path sasldb 插件 /etc/sasldb2 (系统相关)
(描述:sasldb 文件的路径)

sql_engine SQL 插件 mysql
(描述:使用的 SQL 数据库引擎名,可能值为:'mysql','pgsql')


sql_hostnames SQL 插件 无 (引擎相关)
(描述:逗号分隔开的 SQL 服务器列表,使用 主机地址[:端口] 的格式)

sql_user SQL 插件 无 (引擎相关)
(描述:数据库服务器的登陆用户名)

sql_passwd SQL 插件 无 (引擎相关)
(描述:数据库服务器的登陆用户密码)


sql_database SQL 插件 无 (引擎相关)
(描述:包含辅助属性的数据库名)

sql_select SQL 插件 无
(描述:用来获取属性的 SELECT 语句。使用 SQL 插件时,这个选项时必须的。)

sql_insert SQL 插件 无
(描述:用来为新用户创建属性的 INSERT 语句。)

sql_update SQL 插件 无
(描述:用来修改属性的 UPDATE 语句)

sql_usessl SQL 插件 no
(描述:当设置为'yes','on','1'或者'true'时,将使用安全连接连接数据库服务器)


SQL auxprop 选项的注意事项:
sql_insert 和 sql_update 选项是可选的而且仅在你希望允许 SASL 库(比如:saslpasswd2)和插件(比如:OTP)向 SQL 服务器写入某些属性信息时有用。如果使用了,这两个语句都必须同时提供用来添加、更新、删除属性。注意:可写的属性表格列必须能够接收 NULL 值。

由 sql_select,sql_insert 和 sql_update 选项提供的 SQL 语句能够包含将用合适的值取代其值的参数。这些参数是:

%u 被获取(或存储)属性的用户的用户名。
%p 被获取(或存储)的属性的名字。在技术上,它可以是任何东西,不过 SASL认证将会
尝试 userPassword 和 cmusaslsecretMECHNAME (MECHNAME 是 SASL 机制的
名字)。
%r 用户属于的领域。它可以是 kerberos 领域,正在运行 SASL 应用的计算机的正式域名
或者一个用户名中 @ 之后的任何东西。(请参考领域文档)
%v 要被存储的属性的值(仅用于 INSERT 或 UPDATE)。除依赖于属性本身外,技术上它可
以是任何值,不过一般是 userPassword。

注意:不要为整个SQL语句加引号,不过每个单独的 %u, %r 和 %v 参数必须被加引号。

例子:
sql_select: SELECT %p FROM user_table WHERE username = '%u' and realm = '%r'

下面将发送到数据库服务器的SQL语句表示将查询用户名为“bovik”,缺省领域为机器
“madoka.surf.org.uk” 的用户密码:
SELECT userPassword FROM user_table WHERE username = 'bovik' and
realm = 'madoka.surf.org.uk';

sql_insert: INSERT INTO user_table (username, realm, %p) VALUES ('%u', '%r', '%v')


将为用户名为“bovik”,领域为“madoka.surf.org.uk”,userPassword 为 “wert”
的用户产生下面的 SQL 语句:
INSERT INTO user_table (username, realm, userPassword) VALUES
('bovik', 'madoka.surf.org.uk', 'wert');


注意,不一定所有的替代都要使用。比如,

SELECT password FROM auth WHERE username = '%u'

也是一个有效的 sql_select 值。