From bc9de55c7fc6c92fa89d557473f6cf98f31f8ee9 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 27 Apr 2004 12:59:07 +0000
Subject: Implement working AUTH-SMTP.

---
 postfix/TODO       |  1 -
 postfix/postfix.sh | 25 ++++++++++++++++++-------
 2 files changed, 18 insertions(+), 8 deletions(-)

(limited to 'postfix')

diff --git a/postfix/TODO b/postfix/TODO
index c817f69..08b6e2d 100644
--- a/postfix/TODO
+++ b/postfix/TODO
@@ -1,2 +1 @@
  * Always replace master.cf lines (currently they are only added if not alreeady exist - later improvements are ignored)
- * Implement AUTH-SMTP as described here: http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index c5a5546..9cfd653 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -1,9 +1,9 @@
 #!/bin/bash
 #
 # /etc/local-COMMON/postfix/postfix.sh
-# Copyright 2002-2003 Jonas Smedegaard
+# Copyright 2002-2004 Jonas Smedegaard
 #
-# $Id: postfix.sh,v 1.24 2004-02-03 22:16:17 jonas Exp $
+# $Id: postfix.sh,v 1.25 2004-04-27 12:59:07 jonas Exp $
 #
 # Auto-tweak plain installed postfix Debian package
 #
@@ -24,6 +24,11 @@ pf2=
 if $postconf -d mail_version | grep -q '= 2'; then
   pf2=1
 fi
+# FIXME: We really want to check for at least 2.1.1 but that's tricky...
+sasl2=
+if saslauthd -v | grep -q '^saslauthd 2.1'; then
+  sasl2=1
+fi
 
 #function getlinesfromfile() {
 #  param="$1"
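Review bot: The `saslauthd -v | grep -q '^saslauthd 2.1'` probe at the new `sasl2=` lines runs the binary unguarded, so on a host without saslauthd installed the script emits a command-not-found error and then silently leaves `sasl2` empty, which later skips the whole SASL/TLS block with no indication why; a `command -v saslauthd >/dev/null 2>&1 &&` guard in front of the pipeline, or a message in the skipped path, would make that outcome visible. The pattern is also a prefix match and accepts 2.10 and later as well as 2.1.x, which the FIXME only partly states; `# FIXME: prefix match, also accepts 2.10+; want >= 2.1.1` keeps the limitation next to the test. The TODO and version-header hunks on this line need no review.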
@@ -86,11 +91,13 @@ fi
 
 # TLS breaks postfix if no SASL modules available (and doesn't make sense either)
 # (change the test if using some other modules and avoid the plain ones)
-if [ -f /usr/lib/postfix/tlsmgr -a -f /usr/lib/sasl2/libplain.so -a -f /etc/ssl/certs/postfix.pem ]; then
+if [ -n "$sasl2" -a -f /etc/ssl/certs/postfix.pem ]; then
   mkdir -p $confdir/sasl
-  echo 'pwcheck_method: pam' >$confdir/sasl/smtpd.conf
+  echo 'mech_list: plain login' >$confdir/sasl/smtpd.conf
+  echo 'minimum_layer: 0' >>$confdir/sasl/smtpd.conf
+  echo 'pwcheck_method: saslauthd' >>$confdir/sasl/smtpd.conf
   echo 'auto_transition: false' >>$confdir/sasl/smtpd.conf
-  groups postfix | grep -q shadow || adduser postfix shadow
+  groups postfix | grep -q sasl || adduser postfix sasl
   # Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
   cp -a $confdir/master.cf $confdir/master.cf.old
   cat $confdir/master.cf.old | sed \
@@ -107,11 +114,12 @@ if [ -f /usr/lib/postfix/tlsmgr -a -f /usr/lib/sasl2/libplain.so -a -f /etc/ssl/
   $postconf -e 'smtpd_tls_loglevel = 1'
   $postconf -e 'smtpd_use_tls = yes'
   $postconf -e 'smtpd_tls_session_cache_database = sdbm:/var/spool/postfix/smtpd_scache'
+  $postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
   $postconf -e 'tls_random_exchange_name = /var/spool/postfix/prng_exch'
   $postconf -e 'smtpd_tls_auth_only = yes'
-  $postconf -e 'smtpd_sasl_auth_enable = no'
+  $postconf -e 'smtpd_sasl_auth_enable = no' # SASL is enabled explicitly with TLS transport
   $postconf -e 'smtpd_sasl_security_options = noanonymous'
-  $postconf -e 'smtpd_sasl_local_domain = $myhostname'
+  $postconf -e 'smtpd_sasl_local_domain = '
   $postconf -e 'smtpd_tls_received_header = yes'
   $postconf -e 'broken_sasl_auth_clients = yes'
   $postconf -e 'tls_random_source = dev:/dev/urandom'
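Review bot: The new condition `if [ -n "$sasl2" -a -f /etc/ssl/certs/postfix.pem ]; then` drops the `-f /usr/lib/postfix/tlsmgr` check while the body still turns on `smtpd_use_tls = yes` in the following hunk, so a postfix build without the TLS daemon now gets TLS enabled whenever saslauthd and a certificate are present; keeping `-f /usr/lib/postfix/tlsmgr -a` in the test, or a comment stating why it is no longer needed, would close that gap. The two comment lines above the `if` still describe the removed libplain.so test and should be reworded to match the saslauthd check. The `mech_list: plain login` / `minimum_layer: 0` pair means credentials are unprotected at the SASL layer and relies entirely on `smtpd_tls_auth_only = yes` from the next hunk; a comment beside the echo lines such as `# plain/login only: smtpd_tls_auth_only keeps AUTH inside the TLS session` records that coupling. The if-block continues past the end of this hunk.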
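Review bot: `smtpd_sasl_local_domain = ` is changed to the empty string with no explanation, and the old `$myhostname` value looks like a natural thing for a later maintainer to restore; presumably the empty realm is needed so saslauthd receives the bare system user name rather than user@host, and a comment like `# empty realm: saslauthd/PAM expects bare system usernames` next to that line would pin the reason. The inline comment added to `smtpd_sasl_auth_enable = no` points at SASL being enabled on the TLS transport, which is configured outside this hunk; naming the master.cf entry that does it would help readers locate it.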
@@ -174,6 +182,9 @@ fi
 
 # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
 # RBLs replaced with those recommended by http://www.antispews.org/
 # AMaViS tweaks as documented in amavisd-new package
+# AUTH-SMTP based on these:
+# http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
+# http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html
 # Here's a convenient overview of different blackholes:
 # http://rbls.org/
-- 
cgit v1.2.3