Postfix + Auth + SSL + pop3s/imaps

Erik Norgaard norgaard at locolomo.org
Mon Feb 14 10:01:06 GMT 2005


BSD Mail wrote:
> I have a 5.3 Server. I'm planning to install Postfix.
> I'm planning to use the Maildir format. 
> 
> I'm going to generate my own SSL certificates for mail
> and use it for smtps/imaps/pop3s. But I'm not sure what
> to use for authentication. I need to have the mail 
> users/password separated from the system user/password. 
> Because some users will only have mail accounts and they 
> won't have any shell access. 

You don't _need_ to separate them from the system password file, just 
give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can 
still authenticate to fetch mail. Secondly, if users should receive 
mail, postfix must know about them. This is normally done by lookup in 
the password file.

> I read about different auth mechanism and I know for sure that 
> Plain Login is not what I want. I need DIGEST-MD5. I'm looking 
> for something easier than SASL to configure. On my test server
> I tried to configure SASL and couldn't get DIGEST-MD5 to work.
> Any suggestion ?

SASL isn't difficult either if you use the system password file. Just set

pwcheck_method: saslauthd
mech_list: plain login

in /usr/local/lib/sasl2/smtpd.conf, and remember to start saslauthd. SASL 
supports different schemes; I have only been able to make plain work, 
maybe the others require use of sasldb.

> Someone mentioned that I shouldn't worry about the authentication
> if it's Plain or Login because I'm going to use SSL and that would 
> encrypt both Login and the data channel. I'm not sure if this is 
> 100% true. Any idea ?

First, your users don't have shell access, a compromise is a compromise 
of their privacy not your system - of course their privacy should be 
protected, but it makes their account less interesting.

Using ssl/tls you are tunnelling clear text passwords through an 
encrypted connection. This protects against sniffing.

> Last but not least, I'm going to add on top of all that a webmail.
> probably Openwebmail or squirrelmail. Which one of them 
> would work better with all what I mentioned earlier:

I use squirrelmail, don't worry too much about that, squirrelmail 
connects through imap, so your server must support imap. The web 
interface must be set up with ssl also.

> I was checking one of squirrelmail password plugins and I read this sentence:
> "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user 
> passwords in the "sasldb" database. This patch attempts to use this utility to 
> perform password manipulations required by your squirrelmail users without any 
> administrative interaction. Unfortunately, this scheme requires that the 
> "saslpasswd" utility be run as the "cyrus" user - a horrible security problem 
> since we have chosen to SUID a small script which will allow this to happen."

You will always have a security concern when letting some program mess 
with passwords. Of course this is particularly important if it messes 
with the system password file.

An alternative is to employ e.g. an LDAP server - same problem, but at 
least you get things separated.

> I'm pretty confused about the authentication method to use. I'm trying to run 
> everything as secure as possible. I configured Postfix to run chrooted. 
> and I'm going to use SSL for sure. What auth should I choose for smtp ?

Ok, I have pretty much the setup you want, except that I use cyrus-imap 
which does not use Maildir nor Mailbox. Postfix can be set up to use 
saslauth, it can be configured only to accept authentication through 
an encrypted connection using ssl.

Postfix supports the recommended use of start_tls to start an encrypted 
connection on the default port 25 instead of smtps.

I am not clear on how cyrus-imap supports this, or it's my mail program.

The only reason not to use cyrus-imap is that you will have to 
authenticate (again) if you read mail on the console, eg. using pine.

Cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
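
Added example, not part of the original message: a small Python audit that reads a Postfix main.cf and the Cyrus SASL smtpd.conf discussed above and reports when the cleartext mechanisms (plain, login) can be used outside TLS. The Postfix parameter names (smtpd_sasl_auth_enable, smtpd_use_tls, smtpd_tls_security_level, smtpd_tls_auth_only) do not appear in the message and the sample configs are constructed.

```python
PLAINTEXT_MECHS = {"plain", "login"}   # send the password itself over the wire

def parse_main_cf(text):
    """Postfix main.cf: 'name = value'; a line starting with whitespace
    continues the previous one; '#' lines are comments; last value wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def parse_sasl_conf(text):
    """Cyrus SASL application config (e.g. smtpd.conf): 'key: value' lines."""
    lines = (l for l in text.splitlines() if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in (l.split(":", 1) for l in lines)}

def audit(main_cf, sasl_conf):
    """Return findings about cleartext SMTP AUTH exposure."""
    p, s = parse_main_cf(main_cf), parse_sasl_conf(sasl_conf)
    if p.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        return []                      # SMTP AUTH is off, nothing to expose
    tls_on = (p.get("smtpd_tls_security_level", "").lower() in ("may", "encrypt")
              or p.get("smtpd_use_tls", "no").lower() == "yes")
    auth_only = p.get("smtpd_tls_auth_only", "no").lower() == "yes"
    weak = sorted(PLAINTEXT_MECHS & set(s.get("mech_list", "").lower().split()))
    findings = []
    if weak and not auth_only:
        findings.append("cleartext mechanisms (" + ", ".join(weak) +
                        ") can be used before STARTTLS: set smtpd_tls_auth_only = yes")
    if auth_only and not tls_on:
        findings.append("smtpd_tls_auth_only = yes but TLS is not enabled: AUTH is never offered")
    return findings

# Constructed sample configs; SASL_CONF mirrors the two lines quoted in the message.
SASL_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
WEAK_MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_use_tls = yes\n"
HARDENED_MAIN_CF = WEAK_MAIN_CF + "smtpd_tls_auth_only = yes\n"

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit(cf, SASL_CONF) or "ok")
```

The audit covers main.cf only; a dedicated smtps listener defined in master.cf is outside its scope.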

