Postfix + Auth + SSL + pop3s/imaps
norgaard at locolomo.org
Mon Feb 14 10:01:06 GMT 2005
BSD Mail wrote:
> I have a 5.3 Server. I'm planning to install Postfix.
> I'm planning to use the Maildir format.
> I'm going to generate my own SSL certificates for mail
> and use it for smpts/imaps/pop3s. But I'm not sure what
> to use for authentication. I need to have the mail
> users/password seperated from the system user/password.
> Because some users will only have mail accounts and they
> won't have any shell access.
You don't _need_ to separate them from the system password file, just
give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can
still authenticate to fetch mail. Secondly, if users should receive
mail, postfix must know about them. This is normally done by lookup in
the password file.
> I read about different auth mechanism and I know for sure that
> Plain Login is not what I want. I need DIGEST-MD5. I'm looking
> for something easier than SASL to configure. On my test server
> I tried to configure SASL and couldn't get DIGEST-MD5 to work.
> Any suggestion ?
SASL isn't difficult too if you use the system password file. Just set
mech_list: plain login
in /usr/local/lib/sasl2/smtpd.conf, remember to start saslauthd. Sasl
supports different schemes, I have only been able to make plain work,
maybe the others require use of sasldb.
> Someone mentioned that I shouldn't worry about the authentication
> if it's Plain or Login because I'm going to use SSL and that would
> encrypt both Login and the data channel. I'm not sure if this is
> 100% true. Any idea ?
First, your users don't have shell access, a compromise is a compromise
of their privacy not your system - ofcourse their privacy should be
protected, but it makes their account less interesting.
Using ssl/tls you are tunnelling clear text passwords through an
encrypted connection. This protects against sniffing.
> Last but not least, I'm going to add on top of all that a webmail.
> probably Openwebmail or squirrelmail. Which one of them
> would work better with all what I mentioned earlier:
I use squirrelmail, don't worry too much about that, squirrelmail
connects through imap, so you server must support imap. The web
interface must be setup with ssl also.
> I was checking one of squirrelmail password plugins and I read this sentence:
> "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user
> passwords in the "sasldb" database. This patch attempts to use this utility to
> perform password manipulations required by your squirrelmail users without any
> administrative interaction. Unfortunately, this scheme requires that the
> "saslpasswd" utility be run as the "cyrus" user - a horrible security problem
> since we have chosen to SUID a small script which will allow this to happen."
You will always have a security concern when letting some program mess
with passwords. Ofcourse this is particularly important if it messes
with system password file.
An alternative is to employ eg. a ldap server - same problem, but at
least you get things separated.
> I'm pretty confused about the authentication method to use. I'm trying to run
> everything as secure as possible. I configured Postfix to run chrooted.
> and I'm going to use SSL for sure. What auth should I choose for smtp ?
Ok, I have pretty much the setup you want, except that I use cyrus-imap
which does not use Maildir nor Mailbox. Postfix can be setup to use
saslauth, it can be configured only to accept authentication through
encrypted connection using ssl.
postfix supports the recommended use of start_tls to start an encrypted
connection on the default port 25 instead of smtps.
I am not clear on how cyrus-imap supports this, or it's my mail program.
The only reason not to use cyrus-imap is that you will have to
authenticate (again) if you read mail on the console, eg. using pine.
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
More information about the freebsd-questions