Saturday, July 27, 2013

Mail Server using Postfix on CentOS 6.4 - 3



Part 5
§  Chapter 12 Postfix Authentication with SASL
§  Chapter 13 Postfix Authentication with TLS
Chapter 12  Postfix Authentication using SASL
1. Why use SASL Authentication?
§  Postfix uses the $mynetworks parameter to control who may send or relay mail through the mail server.
§  Mobile users want to use the mail server while away from base.
§  A mechanism is needed to authenticate them as trusted users so that they can send mail through the mail server.
§  SASL (Simple Authentication and Security Layer) provides a mechanism for authenticating users with a username and password.
§  The best-known implementation of SASL is the Cyrus SASL library.
2. SASL Layers
SASL consists of three layers: the authentication interface, the mechanism and the method.
2.1 Authentication interface
§  Client and server exchange data to process authentication.
§  This communication takes place in the authentication interface.
§  SASL leaves this to the specific communication protocol, such as SMTP, IMAP or LDAP.
Ex) # telnet ms1.chul.com 25
2.2 Mechanism (/etc/sasl2/smtpd.conf)
§  Mechanisms represent the second layer of SASL.
§  They determine the verification strategy used during authentication.
  anonymous: allows anonymous access; Postfix does not offer this.
  plaintext: requires the client to send a Base64-encoded string containing the username and password (PLAIN and LOGIN).
  shared secret: assumes client and server both share a secret and verifies it by challenge and response (CRAM-MD5 and DIGEST-MD5).
2.3 Method (/etc/sysconfig/saslauthd)
§  Methods are represented by libraries in Cyrus SASL.
§  They access data stores, which Cyrus SASL refers to not only as methods but also as authentication backends.
  rimap: remote IMAP; lets SASL verify credentials by logging in to an IMAP server
  ldap: queries an LDAP server to verify username and password
  kerberos: uses the popular Kerberos method and checks the Kerberos ticket
  getpwent/shadow: accesses your system's user password database
  pam: uses any PAM module to verify the authentication request
  sasldb: reads from (and can write to) Cyrus SASL's own database, sasldb2
  sql: uses SQL queries against SQL servers such as MySQL and PostgreSQL

2.4 Password verification service
  saslauthd: a standalone daemon; handles only plaintext mechanisms
  auxprop: auxiliary property plugins; a library used by the server offering authentication; handles plaintext and shared-secret mechanisms
  authdaemond: uses Courier's authdaemond as the password verifier; handles only plaintext mechanisms
Mechanisms supported by each password verification service:

  Password service   PLAIN   LOGIN   CRAM-MD5   DIGEST-MD5
  saslauthd          yes     yes     no         no
  auxprop            yes     yes     yes        yes
  authdaemond        yes     yes     no         no

2.5 Configuration for Mechanism and Password service (/etc/sasl2/smtpd.conf)
 a.  pwcheck_method: saslauthd
      mech_list: plain login
 b.  pwcheck_method: auxprop
      mech_list: plain login cram-md5 digest-md5
2.6 Saslauthd in /etc/sysconfig/saslauthd
a. # saslauthd -a shadow
b. # saslauthd -a rimap -O ms1.chul.com

3. To find which SASL implementations are compiled into Postfix
# postconf -a                    //SASL support in the SMTP server
# postconf -A                   //SASL support in the SMTP+LMTP client
4. Postfix Configuration in /etc/postfix/main.cf
# sasl authentication
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
5. Dovecot configuration
# vi /etc/dovecot/conf.d/10-master.conf
service auth {
  unix_listener auth-userdb {
  }

  # Postfix smtp-auth: socket Postfix reaches as smtpd_sasl_path = private/auth
  # (relative to the Postfix queue directory /var/spool/postfix)
  unix_listener /var/spool/postfix/private/auth {
    # 0666 works; the tighter form documented by Dovecot is
    # mode = 0660 with user = postfix and group = postfix
    mode = 0666
  }
}
# service postfix restart
# service dovecot restart
6. SASL Testing
a. Testing Cyrus SASL Authentication
# saslpasswd2 -c tland
# sasl2-sample-server -s rcmd -p 8000
In another console:
# sasl2-sample-client -s rcmd -p 8000 -m PLAIN 127.0.0.1
please enter an authentication id: tland
# saslauthd -a shadow ; ps -ef | grep sasl
# testsaslauthd -u linux -p linux1234
b. Testing SMTP AUTH
# perl -MMIME::Base64 -e 'print encode_base64("\000linux\000linux1234");'
AGxpbnV4AGxpbnV4MTIzNA==
# telnet server 25
ehlo localhost
auth plain AGxpbnV4AGxpbnV4MTIzNA==
235 2.7.0 Authentication successful
# tail -f /var/log/maillog
c. Testing using Wireshark
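As an added example (not from the original post), the following Python script builds and decodes the AUTH PLAIN token that the perl one-liner above produces, and counts failed SASL logins in constructed maillog lines of the kind `tail -f /var/log/maillog` shows during testing. The log lines, host names, IPs and queue id are made up; the regular expression follows the message format Postfix smtpd logs.

```python
import base64
import re
from collections import Counter


def auth_plain_credential(authcid, password, authzid=""):
    """Token sent after 'AUTH PLAIN' (RFC 4616): base64(authzid NUL authcid
    NUL password); the same value the page's perl one-liner computes."""
    raw = "\0".join([authzid, authcid, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token):
    """Recover (authzid, authcid, password) from a captured token. No key is
    needed, which is why Chapter 13 puts the exchange inside TLS."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)


# Constructed /var/log/maillog lines in Postfix smtpd's format (hosts, IPs and
# queue id are made up), standing in for the `tail -f /var/log/maillog` step.
SAMPLE_LOG = [
    "Jul 27 10:01:02 ms1 postfix/smtpd[2101]: warning: unknown[203.0.113.5]: "
    "SASL PLAIN authentication failed: authentication failure",
    "Jul 27 10:01:09 ms1 postfix/smtpd[2101]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Jul 27 10:02:30 ms1 postfix/smtpd[2104]: 5B2E1A3F0C: client=laptop.example"
    ".com[192.0.2.10], sasl_method=PLAIN, sasl_username=linux",
]
FAIL_RE = re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[([\d.]+)\]: "
                     r"SASL \w+ authentication failed")


def sasl_failures_by_client(log_lines):
    """Count failed SASL logins per client IP, the first thing to watch once
    AUTH is reachable from outside $mynetworks."""
    counts = Counter()
    for line in log_lines:
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


if __name__ == "__main__":
    token = auth_plain_credential("linux", "linux1234")   # page's test user
    print("AUTH PLAIN", token)                 # AGxpbnV4AGxpbnV4MTIzNA==
    print(decode_auth_plain(token))            # ('', 'linux', 'linux1234')
    print(dict(sasl_failures_by_client(SAMPLE_LOG)))   # {'203.0.113.5': 2}
```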

Chapter 13  Postfix Authentication using SSL/TLS
1. Why use TLS for Authentication?
a. SMTP AUTH using plaintext mechanisms is not really safe.
b. The credential string is merely encoded (Base64), not encrypted.
c. TLS encrypts the transmission of the encoded string.
2. Using TLS
a. Creating SSL certificate
# cd /etc/pki/tls/certs ; make server.key
# openssl rsa -in server.key -out server.key                //remove the passphrase
# make server.csr
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365    //self-signed certificate
b. Postfix configuration (/etc/postfix/main.cf)
i) Only TLS
smtpd_tls_key_file = /etc/pki/tls/certs/server.key
smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_security_level = may                               //replaces the older smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes                                        //offer SASL AUTH only after STARTTLS
ii) TLS with SASL
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no

c. TLS Testing on SMTP
# telnet server 25
STARTTLS
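Added example, not part of the original post: a Python check that the EHLO reply given before STARTTLS does not advertise AUTH, which is what `smtpd_tls_auth_only = yes` in the "Only TLS" configuration should enforce. The two EHLO replies are constructed, not captured; live_check() assumes the server is reachable on port 25 and that server.crt is passed as ca_file, since the certificate created above is self-signed.

```python
import smtplib
import ssl

# Constructed EHLO replies (not captured from the page's server) for the two
# main.cf variants above, as seen BEFORE STARTTLS: "Only TLS"
# (smtpd_tls_auth_only = yes) and "TLS with SASL" (smtpd_tls_auth_only = no).
EHLO_AUTH_ONLY_OVER_TLS = b"""250-ms1.chul.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 DSN"""
EHLO_AUTH_IN_CLEAR = b"""250-ms1.chul.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN"""


def ehlo_extensions(reply):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': 'PLAIN LOGIN'}."""
    exts = {}
    for line in reply.decode("ascii").splitlines()[1:]:  # skip greeting line
        keyword, _, params = line[4:].partition(" ")     # drop '250-' / '250 '
        exts[keyword.upper()] = params
    return exts


def check_auth_offer(cleartext_reply):
    """Return (starttls_offered, auth_in_clear, plaintext_mechs_in_clear).
    With smtpd_tls_auth_only = yes, AUTH must be absent until after STARTTLS,
    so a PLAIN/LOGIN password is never sent unencrypted."""
    exts = ehlo_extensions(cleartext_reply)
    mechs = exts.get("AUTH", "").split()
    return ("STARTTLS" in exts, "AUTH" in exts,
            sorted(m for m in mechs if m in ("PLAIN", "LOGIN")))


def live_check(host, port=25, ca_file=None):
    """Ask a real server whether AUTH is offered before and after STARTTLS.
    ca_file should be the self-signed server.crt so verification succeeds."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = s.has_extn("auth")
        s.starttls(context=ctx)
        s.ehlo()                      # extensions must be re-read after TLS
        return before, s.has_extn("auth")


if __name__ == "__main__":
    print(check_auth_offer(EHLO_AUTH_ONLY_OVER_TLS))  # (True, False, [])
    print(check_auth_offer(EHLO_AUTH_IN_CLEAR))  # (True, True, ['LOGIN', 'PLAIN'])
```

A correct "Only TLS" server returns (False, True) from live_check(): no AUTH in the clear, AUTH available once the session is encrypted.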
3. Dovecot configuration
# vi /etc/dovecot/conf.d/10-master.conf
#unix_listener auth-userdb {
#mode = 0600
#user = postfix
#group =  postfix
#}
# the imaps listener belongs inside the imap-login service
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
# vi /etc/dovecot/conf.d/10-ssl.conf
  ssl = yes
  # Dovecot 2.x setting names (ssl_cert_file / ssl_key_file were Dovecot 1.x);
  # the leading '<' tells Dovecot to read the value from the file
  ssl_cert = </etc/pki/tls/certs/server.crt
  ssl_key = </etc/pki/tls/certs/server.key
  ssl_cipher_list = ALL:!LOW:!SSLv2
# service dovecot restart
# service postfix restart
4. Client configuration for Dovecot support
a. Thunderbird:
Server settings: Port 993, Security settings -> SSL/TLS, Normal password
Outgoing server: STARTTLS, no authentication
b. Microsoft Outlook: Tools -> Change -> More Settings -> Advanced
§  IMAP: 993, SSL
§  SMTP: 25, TLS
# tail -f /var/log/maillog

5. Testing TLS on Dovecot and Wireshark
