POP3,IMAP

courier 认证守护进程

其实SMTP SASL认证进程是可以与courier 认证守护进程使用同一个进程的.因为笔者使用了apt-get 方式安装所以不能实现这样功能.如果你兴趣,可以采用原码安装 [1]

配置 courier

debian:~# cd /etc/courier/
debian:/etc/courier#		
		

authdaemonrc

debian:/etc/courier# vi authdaemonrc

authmodulelist="authldap"
version="authdaemond.ldap"
		

authldaprc

debian:/etc/courier# cp authldaprc authldaprc.old
debian:/etc/courier# vi authldaprc

LDAP_SERVER             localhost
LDAP_PORT               389
LDAP_PROTOCOL_VERSION   3
LDAP_BASEDN             ou=postfix, dc=example, dc=net
LDAP_BINDDN             cn=admin,dc=example, dc=net
LDAP_BINDPW             chen
LDAP_GLOB_UID           postfix
LDAP_GLOB_GID           postfix
LDAP_HOMEDIR            homeDirectory
LDAP_MAILDIR            mailbox
LDAP_DEFAULTDELIVERY    defaultDelivery
LDAP_MAILDIRQUOTA       quota
LDAP_FULLNAME           cn
#LDAP_CLEARPW           clearPassword
LDAP_CRYPTPW            userPassword
LDAP_DEREF              never
LDAP_TLS                0
注:LDAP_TLS 与Postfix 没关系.它是OpenLDAP认证TLS.
		

重新启动 courier-authdaemon

debian:/etc/courier# /etc/init.d/courier-authdaemon start
Starting Courier authdaemon: done.
debian:/etc/courier#
		

配置 POP

debian:/etc/courier# vi pop3d
AUTHMODULES="authdaemon"
AUTHMODULES_ORIG="authdaemon"
DEBUG_LOGIN=3
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH_ORIG="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH_TLS=""
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
POP3DSTART=YES
MAILDIRPATH=Maildir
			

配置 IMAP


		

Notes

[1]
####sarge注意:由于系统中默认带有libsasl2,必须将其卸载:
apt-get --purge remove libsasl2
####
  mail:~# apt-get --purge remove libsasl2
  Reading Package Lists... Done
  Building Dependency Tree... Done
  The following packages will be REMOVED:
  apache2-common* at* exim* gnupg* libldap2* libsasl2* mailx* mutt* samba* samba-common* squid* squid-common* swat*
  0 upgraded, 0 newly installed, 13 to remove and 0 not upgraded.
  Need to get 0B of archives.
  After unpacking 40.8MB disk space will be freed.
  Do you want to continue? [Y/n] n
  Abort.
  mail:~# 
  #####################################
###ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
  #http://www.jonfullmer.com/smtpauth/
#sasl-authd
  ####
  mkdir -p /data/distfiles/src
  cd /data/distfiles
  wget -c ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.19.tar.gz
  tar xfz cyrus-sasl-2.1.19.tar.gz -C src
  cd src/cyrus-sasl-2.1.19
  ./configure --help
  ###
  --enable-sample compile sample code yes
  --enable-otp enable OTP authentication yes
  --enable-gssapi=<DIR> enable GSSAPI authentication yes
  --enable-plain enable PLAIN authentication yes
  --enable-anon enable ANONYMOUS authentication yes
  --enable-login enable unsupported LOGIN authentication no
  --enable-sql enable SQL auxprop [no]
  --with-dbpath=PATH set the DB path to use /etc/sasldb2
  --with-dblib=DBLIB set the DB library to use berkeley
  --with-bdb-libdir=DIR Berkeley DB lib files are in DIR
  --with-bdb-incdir=DIR Berkeley DB include files are in DIR
  --with-gdbm=PATH use gdbm from PATH
  --with-devrandom=PATH set the path to /dev/random /dev/random
  --with-pam=DIR use PAM (rooted in DIR) yes
  --with-saslauthd=DIR enable use of the saslauth daemon using state dir DIR
  --with-authdaemond=PATH enable use of authdaemon with default socket=PATH [no]
  --with-openssl=PATH use OpenSSL from PATH
  --with-mysql=PATH use MySQL from PATH
  --with-plugindir=DIR set the directory where plugins will
  be found /usr/lib/sasl2
  --with-rc4 use internal rc4 routines yes
  ###
#添加对authdaemon的支持
make clean
  ./configure --prefix=/usr --sysconfdir=/etc --infodir=/usr/share/info --mandir=/usr/share/man \
  --with-authdaemon=/data/modules/public/courier-imap/var/authdaemon/socket \
  --enable-login \
  --enable-plain \
  --with-pam \
  --enable-sample \
  --with-plugindir=/usr/lib/sasl2 \
  --with-saslauthd=/var/run/saslauthd \
  --disable-otp \
  --disable-sql \
  --disable-pwcheck \
  --disable-cram \
  --disable-digest \
  --disable-krb4 \
  --disable-gssapi \
  --disable-anon \
  --without-des \
  --without-openssl \
  --with-dblib=berkeley \
  --with-bdb-libdir=/usr/lib \
  --with-bdb-incdir=/usr/include
##补丁
cat >realmpatch <<MYGOD
  --- checkpw.c.org Sun Apr 4 16:24:55 2004
  +++ checkpw.c Sun Apr 4 16:26:32 2004
  @@ -572,6 +572,8 @@
  }
  
  /* Split out username/realm if necessary */
  + /* disable for e-mail address login for virtual domain user. */
  + /*
  if(strrchr(userid,'@') != NULL) {
  char *rtmp;
  
  @@ -583,6 +585,7 @@
  *rtmp = '\0';
  user_realm = rtmp + 1;
  }
  + */
  
  /*
  * build request of the form:
  MYGOD
cd lib
  patch -p0< ../realmpatch
  cd -
make && make install

############
  # telnet 127.0.0.1 25
  Trying 127.0.0.1...
  Connected to 127.0.0.1.
  Escape character is '^]'.
  220 bugfix.kingsoft.net ESMTP Postfix
  ehlo mail.163.com
  250-bugfix.kingsoft.net
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-AUTH LOGIN PLAIN #必须保证系统中sasl的lib和系统中sasl.h的一致性,也就是说,必须是同一源码同一编译参数生成的;
  250-AUTH=LOGIN PLAIN #这里支持的LOGIN PLAIN验证方式是由上面的configure --enable-login决定的。
  250 8BITMIME #还要注意上述enable的验证参数的顺序也是有要求的,如果某个验证方式编译错误,虽然能编译出so文件,但在
  quit #调用时只要一个出错,后面的方式将都失效。
  221 Bye
  Connection closed by foreign host.
  #####################################################
##注意/data/modules/public/courier-imap/var/authdaemon/目录得权限默认不允许其他用户访问
  chmod +x /data/modules/public/courier-imap/var/authdaemon/
  #2.1.18才支持--with-authdaemon参数
  #### 
  #使用 --with-authdaemon=/data/modules/public/courier-imap/var/authdaemon/socket 支持最大的好处是authdaemon在单一连接中
  #支持多种验证方式
  ###
#vi /usr/local/sbin/sasl-server
  #!/bin/sh
  prefix=/usr
  saslauthd_flags=${saslauthd_flags:-"-a pam"} # Flags to saslauthd program
  saslauthd_runpath="/var/run/saslauthd" # Working directory
  saslauthd_program="${prefix}/sbin/saslauthd" # Location of saslauthd
  name="saslauthd"
mkdir -p ${saslauthd_runpath}
pidfile="${saslauthd_runpath}/${name}.pid"
  flags="${saslauthd_flags} -m ${saslauthd_runpath}"
case $1 in
  start)
  ${saslauthd_program} ${saslauthd_flags} &
  if [ $? -ne 0 ]
  then
  echo "Error:start fail."
  fi
  ;;
  stop)
  kill `cat ${pidfile}`
  if [ $? -ne 0 ]
  then
  echo "Error:stop fail."
  fi 
  ;;
  restart)
  $0 stop 
  sleep 3 
  $0 start
  ;;
  *)
  echo "$0 <start|stop>"
  exit 1
  ;;
  esac
  exit 0
  ##end of sasl2-authd
chmod +x /usr/local/sbin/sasl-server
#system start up
  ln -s /usr/local/sbin/sasl-server /etc/init.d/
  #update-rc.d sasl-server start 98 2 3 4 5 . stop 10 0 1 6 .
#注意:使用authdaemond方式无需启动saslauthd,只需postfix中编译sasl2支持即可。
##

##SASL配置;
cat <<EOF> /usr/lib/sasl2/smtpd.conf
  pwcheck_method: authdaemond 
  authdaemond_path: /data/modules/public/courier-imap/var/authdaemon/socket
  mech_list: PLAIN LOGIN
  log_level: 3 
  #pwcheck_method: saslauthd
  #end
  EOF
#注意:使用authdaemond方式无需启动saslauthd,只需postfix中编译sasl2支持即可。
chmod +x /data/modules/public/courier-imap/var/authdaemon/ 

##################
  Jun 3 03:30:01 f5mail postfix/smtpd[1381]: warning: SASL authentication failure: cannot connect to Courier authdaemond: Permission denied
  ##################
  root->[email protected] % /var/log>ls -al /data/modules/public/courier-imap/var/authdaemon/socket
  srwxrwxrwx 1 root wheel 0 Jun 3 03:28 /data/modules/public/courier-imap/var/authdaemon/socket
  root->[email protected] % /var/log>ls -al /data/modules/public/courier-imap/var/authdaemon/ 
  total 6
  drwx------ 2 root wheel 512 Jun 3 03:28 . --------->>>>> 注意这个
  drwxr-xr-x 3 root wheel 512 Jun 2 22:50 ..
  -rw------- 1 root wheel 0 Jun 2 23:51 lock
  -rw-r--r-- 1 root wheel 5 Jun 3 03:28 pid
  srwxrwxrwx 1 root wheel 0 Jun 3 03:28 socket
  root->[email protected] % /var/log>chmod +x /data/modules/public/courier-imap/var/authdaemon/ 
  #############问题解决
#####################
  Jun 3 03:29:19 f5mail postfix/smtpd[1381]: sql_select option missing
  Jun 3 03:29:19 f5mail postfix/smtpd[1381]: auxpropfunc error no mechanism available 
  Jun 3 03:32:59 f5mail postfix/smtpd[1398]: sql_select option missing
  Jun 3 03:32:59 f5mail postfix/smtpd[1398]: auxpropfunc error no mechanism available 
########################这个提示不影响smtp auth 的发挥 #############