From 11a3b6218a47b1f69373e156cedab928417b51a9 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Thu, 8 Oct 2020 14:11:52 +0200
Subject: support only Dovecot-based SASL (drop Cyrus-based SASL)
---
 postfix/postfix.sh | 65 ++++++------------------------------------------------
 1 file changed, 7 insertions(+), 58 deletions(-)
(limited to 'postfix/postfix.sh')
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index a328986..f95f339 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -54,16 +54,6 @@ fi
 #else
 # exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
 #fi
-cyrus=
-if [ -x /usr/sbin/saslauthd ]; then
- if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
- cyrus=1
- else
- warn "Cyrus SASL too old - requires >= 2.1.1)."
- fi
-else
- warn "Cyrus SASL missing - (Debian package sasl2-bin)."
-fi
 dovecot=
 dovecot_deliver=
 if [ -x /usr/sbin/dovecot ]; then
@@ -82,24 +72,11 @@ if [ -f /etc/ssl/certs/postfix.pem ]; then
 else
 warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem."
 fi
-sasl_main_type=
-sasl_dovecot=
-sasl_cyrus=
-if [ -n "$sslcert" ]; then
- # FIXME: We really want to check for at least 2.1.1 but that's tricky...
- if [ -n "$cyrus" ]; then
- sasl_cyrus=1
- sasl_main_type=cyrus
- fi
- if [ -n "$dovecot" ]; then
- sasl_dovecot=1
- sasl_main_type=dovecot
- fi
- if [ -z "$sasl_main_type" ]; then
- warn "No SASL authentication - requires Cyrus SASL or Dovecot."
- fi
+sasl=
+if [ -n "$sslcert" ] && [ -n "$dovecot" ]; then
+ sasl=1
 else
- warn "No SASL authentication - requires TLS encryption."
+ warn "No SASL authentication - requires TLS encryption and Dovecot."
 fi
 amavis=
 default_amavis_maxproc=2
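Review bot: `sasl=1` is set once a certificate file and a Dovecot install were detected, but neither flag shows that Dovecot actually exports an auth listener to Postfix, so the script can configure SMTP AUTH against a socket that is not there. This is inferred: the Dovecot detection sits outside this hunk, and only `if [ -x /usr/sbin/dovecot ]` is visible as context in the previous one. A comment above the test would state the assumption, e.g. `# assumes Dovecot exports an auth listener at private/auth in the Postfix queue directory, usable only by postfix`. The merged `warn` also no longer tells the admin which of the two prerequisites is missing; naming the failing one would make the message actionable.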
@@ -284,36 +261,10 @@ $postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"
 if [ -n "$dovecot_deliver" ]; then
 $postconf -c "$tempdir" -e mailbox_command=/usr/lib/dovecot/deliver
 fi
-if [ -n "$sasl_cyrus" ]; then
- saslsubdir="sasl"
- mkdir -p "$tempdir/$saslsubdir"
- echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
- echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
- echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf"
- echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf"
- groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS"
- # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
- sed --in-place \
- -e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
- -e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
- -e "s/^#\(tlsmgr$sp\)/\1/" \
- "$tempdir/master.cf"
- addoroverwritewithindents $tempdir/master.cf '^tlsmgr\h' << EOF
-tlsmgr unix - - - 300 1 tlsmgr
-EOF
-fi
-case "$sasl_main_type" in
- '') ;;
- dovecot)
+if [ -n "$sasl" ]; then
 $postconf -c "$tempdir" -e smtpd_sasl_type=dovecot
 $postconf -c "$tempdir" -e smtpd_sasl_path=private/auth
- ;;
- cyrus)
- $postconf -c "$tempdir" -e smtpd_sasl_type=cyrus
- $postconf -c "$tempdir" -e smtpd_sasl_path=smtpd
- ;;
- *) exit1 "ERROR: Wrong SASL type \"$sasl_main_type\"!";;
-esac
+fi
 # Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com
 # See
 if [ -n "$sslcert" ]; then
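Review bot: The new `if [ -n "$sasl" ]` block sets only `smtpd_sasl_type` and `smtpd_sasl_path`, while the one visible place that switched authentication on, the `-o smtpd_sasl_auth_enable=yes` override in the removed master.cf `sed`, disappears with the Cyrus branch. Unless the script sets these outside this hunk, the Dovecot path should enable AUTH explicitly and keep credentials off cleartext sessions: `$postconf -c "$tempdir" -e smtpd_sasl_auth_enable=yes` and `$postconf -c "$tempdir" -e smtpd_tls_auth_only=yes`. The same removed `sed` also uncommented the `smtps`/`587` and `tlsmgr` entries, so a host that previously had both Cyrus and Dovecot installed may get a different master.cf after this change; it is worth confirming that this is intended. The block is top-level script code whose surroundings lie outside the hunk.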
@@ -485,9 +436,7 @@ fi
 # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
 # RBLs replaced with those recommended by http://www.antispews.org/
 # AMaViS tweaks as documented in amavisd-new package
-# AUTH-SMTP based on these:
-# http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
-# http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html
+# AUTH-SMTP based on this: http://www.postfix.org/SASL_README.html
 # Here's a convenient overview of different blackholes:
 # http://rbls.org/
-- 
cgit v1.2.3