Postfix + Auth + SSL + pop3s/imaps

BSD Mail bsdmail at
Mon Feb 14 21:38:01 GMT 2005

On Mon, 14 Feb 2005 11:00:57 +0100, Erik Norgaard <norgaard at> wrote:
> BSD Mail wrote:
> > I have a 5.3 Server. I'm planning to install Postfix.
> > I'm planning to use the Maildir format.
> >
> > I'm going to generate my own SSL certificates for mail
> > and use it for smtps/imaps/pop3s. But I'm not sure what
> > to use for authentication. I need to have the mail
> > users/password separated from the system user/password.
> > Because some users will only have mail accounts and they
> > won't have any shell access.
> You don't _need_ to separate them from the system password file, just
> give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can
> still authenticate to fetch mail. Secondly, if users should receive
> mail, postfix must know about them. This is normally done by lookup in
> the password file.

That's fine with me too. So with this method, would PAM be used for
authentication? Or would I still need SASL for smtp?
If there is a way to not use SASL at all I would like to know the
available options that I have. Because I'm going to use Dovecot
for pop3s and imaps, I would probably want to get rid of SASL
throughout the entire mail suite if possible and
use an easier and still secure auth method.

> > I read about different auth mechanism and I know for sure that
> > Plain Login is not what I want. I need DIGEST-MD5. I'm looking
> > for something easier than SASL to configure. On my test server
> > I tried to configure SASL and couldn't get DIGEST-MD5 to work.
> > Any suggestion ?
> SASL isn't difficult either if you use the system password file. Just set
> pwcheck_method: saslauthd
> mech_list: plain login
> in /usr/local/lib/sasl2/smtpd.conf, and remember to start saslauthd. SASL
> supports different schemes; I have only been able to make plain work,
> maybe the others require use of sasldb.
> > Someone mentioned that I shouldn't worry about the authentication
> > if it's Plain or Login because I'm going to use SSL and that would
> > encrypt both Login and the data channel. I'm not sure if this is
> > 100% true. Any idea ?
> First, your users don't have shell access, so a compromise is a compromise
> of their privacy, not your system - of course their privacy should be
> protected, but it makes their account less interesting.
> Using ssl/tls you are tunnelling clear text passwords through an
> encrypted connection. This protects against sniffing.

So if SSL/TLS is tunneling clear text passwords and it's encrypting the
connection, then why would I need SASL in the first place? Shouldn't adding
a user with nologin shell / nonexistent home and enabling TLS suffice?
Or am I missing something here?

> > Last but not least, I'm going to add on top of all that a webmail.
> > probably Openwebmail or squirrelmail. Which one of them
> > would work better with all what I mentioned earlier:
> I use squirrelmail; don't worry too much about that, squirrelmail
> connects through imap, so your server must support imap. The web
> interface must be set up with ssl also.

I think I will go with Openwebmail; there is a patch to make it work
with Maildir and it also supports SSL login.

> > I was checking one of squirrelmail password plugins and I read this sentence:
> > "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user
> > passwords in the "sasldb" database. This patch attempts to use this utility to
> > perform password manipulations required by your squirrelmail users without any
> > administrative interaction. Unfortunately, this scheme requires that the
> > "saslpasswd" utility be run as the "cyrus" user - a horrible security problem
> > since we have chosen to SUID a small script which will allow this to happen."
> You will always have a security concern when letting some program mess
> with passwords. Of course this is particularly important if it messes
> with the system password file.
> An alternative is to employ eg. a ldap server - same problem, but at
> least you get things separated.
> > I'm pretty confused about the authentication method to use. I'm trying to run
> > everything as secure as possible. I configured Postfix to run chrooted.
> > and I'm going to use SSL for sure. What auth should I choose for smtp ?
> Ok, I have pretty much the setup you want, except that I use cyrus-imap
> which does not use Maildir nor Mailbox. Postfix can be setup to use
> saslauth, it can be configured only to accept authentication through
> encrypted connection using ssl.
> postfix supports the recommended use of start_tls to start an encrypted
> connection on the default port 25 instead of smtps.

I thought if I want to use smtps I have to use port 465 instead of 25.
I want all outgoing email to use smtps. In this case if all mail is
sent via smtps, would that work fine even if the second hop doesn't
have smtps ? In other words, would a mail server that uses port
25 for send and receive have a problem receiving mail from my server ?

> I am not clear on how cyrus-imap supports this, or it's my mail program.
> The only reason not to use cyrus-imap is that you will have to
> authenticate (again) if you read mail on the console, eg. using pine.

Is that behavior because of authentication / SSL? Or is it specific
to cyrus-imap?

> Cheers, Erik
> --
> Ph: +34.666334818                           web:
> S/MIME Certificate:
> Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
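For reference, an added configuration example (not taken from Erik's or the original poster's setup) of the combination Erik describes: Cyrus SASL checking passwords through saslauthd, with Postfix announcing AUTH only once the session is encrypted. File paths and certificate names are assumptions; smtpd_use_tls is the 2005-era parameter, replaced by smtpd_tls_security_level = may in Postfix 2.3 and later.

```ini
# /usr/local/lib/sasl2/smtpd.conf  (Cyrus SASL, path as used in the thread)
# saslauthd verifies user name and password against the system password
# file (via PAM); a /usr/sbin/nologin shell does not prevent this lookup.
pwcheck_method: saslauthd
mech_list: plain login

# /usr/local/etc/postfix/main.cf  (assumed path; excerpt only)
# Postfix does not allow comments after a value, so every comment is on
# its own line.
#
# Weak variant: SASL enabled, TLS optional, and PLAIN/LOGIN offered on
# port 25 before STARTTLS, so a password can cross the wire in clear text.
#   smtpd_sasl_auth_enable = yes
#   smtpd_use_tls = yes
#   smtpd_tls_auth_only = no
#
# Corrected variant: AUTH is announced only after STARTTLS, and the
# plaintext mechanisms are refused on an unencrypted session even if a
# client tries to use them anyway.
smtpd_sasl_auth_enable = yes
# Postfix 2.3 and later: smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
# Assumed certificate and key file names for the self-generated certificate.
smtpd_tls_cert_file = /usr/local/etc/ssl/mail-cert.pem
smtpd_tls_key_file = /usr/local/etc/ssl/mail-key.pem
# On a cleartext session: no anonymous and no plaintext-password mechanisms.
smtpd_sasl_security_options = noanonymous, noplaintext
# After STARTTLS: PLAIN and LOGIN are acceptable because the channel is encrypted.
smtpd_sasl_tls_security_options = noanonymous
# Relay only for local networks and for clients that authenticated.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

To check the effect, connect to port 25 and send EHLO: the 250 response must not list AUTH until after STARTTLS has been issued.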


More information about the freebsd-questions mailing list