2025-01-22 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
This article explains how to install and configure Postfix SMTP authentication (SASL) under Linux. Most people have not worked through it in detail, so it is shared here for reference.
How Postfix+Dovecot+Sasl works
1. User A uses an MUA to connect to the smtpd server over SMTP. The server requires a user name and password first, and smtpd supports SASL authentication: it hands the credentials to the SASL library, which verifies them with the configured method (PAM, shadow/passwd and so on). On success the result is returned to smtpd, which then lets A log in and submit mail.
2. After accepting the message, the smtpd server checks whether the recipient is local or remote. If the recipient belongs to this domain, the MDA is invoked and the mail is delivered to the user's mailbox.
3. User B uses an MUA to connect to the Dovecot server over POP3 and must authenticate first. Dovecot has its own built-in SASL authentication and checks the user name and password against the configured authentication backend. After a successful login, Dovecot acts as the MRA: it reads the mail from the user's mailbox and hands it to the client for local viewing.
Postfix+SASL: authenticating users who send mail
Checking the configuration shows that with the basic setup, sending mail to the outside (relaying) is only possible from the IP range given in mynetworks. That is not workable in practice; the usual approach on the Internet is to allow relaying once the client has authenticated with an account. Postfix itself has no authentication function, so it relies on a third-party authentication component, SASL. SASL implementations that work well with Postfix are Dovecot SASL and Cyrus SASL, and the courier-authlib component is another option; each has its advantages and the choice depends on the situation. Whichever is chosen, the decisive security point is that only authenticated clients (and $mynetworks) may relay, and that reject_unauth_destination stays in the recipient restrictions so the server never becomes an open relay.
① Confirm that cyrus-sasl is installed
    [root@localhost ~]# rpm -qa | grep cyrus-sasl
    cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64
    cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
② Confirm that Postfix supports SASL authentication
    [root@localhost ~]# postconf -a        # cyrus and dovecot are supported by default
    cyrus
    dovecot
③ Add the following to the Postfix main configuration
    [root@localhost ~]# vim /etc/postfix/main.cf
    #CYRUS-SASL#
    broken_sasl_auth_clients = yes               # accept the non-standard AUTH syntax used by clients such as Outlook and Foxmail
    smtpd_sasl_auth_enable = yes                 # enable SASL authentication of SMTP clients
    smtpd_sasl_local_domain = $myhostname        # local authentication realm
    smtpd_sasl_security_options = noanonymous    # do not allow anonymous login
    smtpd_sasl_path = smtpd                      # name of the SASL application config (smtpd.conf)
    smtpd_banner = welcome to smtp.ywnds.com     # banner shown when a client connects (see the caveat below)
    smtpd_client_restrictions = permit_sasl_authenticated    # restrictions on client connections
    smtpd_sasl_authenticated_header = yes        # record the authenticated user name in the Received: header
    smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch    # sender rules
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unauth_destination    # recipient rules
Restrictions used above, and other commonly used ones:
    permit_mynetworks: allow clients in $mynetworks
    permit_sasl_authenticated: allow clients that have authenticated via SASL to send (relay) mail
    reject_unauth_destination: reject mail for destinations this server is not responsible for; it must come after the permit_ entries, otherwise authenticated clients cannot relay
    reject_invalid_hostname: the host name in the HELO command is syntactically invalid; returns 501
    reject_non_fqdn_hostname: the host name in the HELO command is not in FQDN form; returns 504
    reject_non_fqdn_recipient: the recipient address is not in FQDN form; returns 504
    reject_non_fqdn_sender: the sender address is not in FQDN form; returns 504
    reject_unauth_pipelining: reject clients that pipeline commands where the protocol does not allow it
    reject_unknown_client: reject when DNS has no PTR record for the client IP
    reject_unknown_hostname: reject when the host name in the HELO command has no A or MX record
    reject_unknown_recipient_domain: reject when the domain part of the recipient address has no valid A or MX record
    reject_unknown_sender_domain: reject when the domain part of the sender address has no valid A or MX record
Three caveats on the settings above. Postfix documents that smtpd_banner must begin with $myhostname, as the SMTP protocol requires, so use something like smtpd_banner = $myhostname ESMTP welcome instead of the free-text banner shown. Every restriction list ends with an implicit permit, so smtpd_client_restrictions = permit_sasl_authenticated on its own restricts nothing, and reject_sender_login_mismatch only has an effect once smtpd_sender_login_maps maps sender addresses to SASL login names. Finally, PLAIN and LOGIN only base64-encode the password, so in production enable TLS (smtpd_tls_security_level = may with a server certificate) and set smtpd_tls_auth_only = yes, so that AUTH is offered only on an encrypted connection.
④ Check which authentication mechanisms SASL supports
    [root@localhost ~]# saslauthd -v
    saslauthd 2.1.23
    authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
⑤ Enable SASL-based user authentication in Postfix
Two authentication methods are introduced here: saslauthd, which authenticates against the system's own accounts, and auxprop, which authenticates against a separate account database. The separate database is the more secure choice, since SMTP credentials are then not the same as the system's login passwords. Other backends, such as MySQL, are not covered here. Choose one of the two.
saslauthd:
    [root@localhost ~]# vim /usr/lib64/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN                       # login mechanisms offered to clients
auxprop:
    [root@localhost ~]# vim /usr/lib64/sasl2/smtpd.conf
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM    # login mechanisms offered to clients
⑥ SASL profile /etc/sysconfig/saslauthd
SASL is only an authentication framework; the actual verification is done by the selected mechanism, and pam is the default mechanism used by saslauthd. To authenticate against /etc/shadow instead, change MECH; no other configuration is needed.
saslauthd:
    [root@localhost ~]# vim /etc/sysconfig/saslauthd
    SOCKETDIR=/var/run/saslauthd
    #MECH=pam
    MECH=shadow
auxprop:
    [root@localhost ~]# vi /etc/sysconfig/saslauthd
    #MECH=
    FLAGS=sasldb
    [root@localhost ~]# saslpasswd2 -c -u 'ywnds.com' redis      # enter the password twice
    [root@localhost ~]# sasldblistusers2                          # list the users added
    [root@localhost ~]# saslpasswd2 -d redis@ywnds.com            # delete a user
    [root@localhost ~]# chown postfix:postfix /etc/sasldb2
    [root@localhost ~]# chmod 640 /etc/sasldb2                    # the database holds passwords, so restrict its permissions
With auxprop the SASL library inside smtpd reads /etc/sasldb2 directly, so the saslauthd daemon is not consulted for these logins. Users are stored as user@realm (here redis@ywnds.com); the client logs in with that full name, or with the bare user name when smtpd_sasl_local_domain is set to the same realm.
⑦ Restart the services
    [root@localhost ~]# /usr/sbin/postfix reload
    [root@localhost ~]# service saslauthd restart
    [root@localhost ~]# chkconfig saslauthd on
Test an account
    [root@localhost ~]# testsaslauthd -u hadoop -p hadoop
    0: OK "Success"
testsaslauthd only checks the saslauthd path with a system account; for the auxprop/sasldb setup, verify by actually authenticating over SMTP with a mail client.
Postfix internal mail filtering
In addition to the restriction directives used in the configuration above, administrators can use access tables (access maps) to define custom restrictions. An access-table condition is written as check_client_access, check_helo_access, check_sender_access or check_recipient_access followed by the table in type:mapname form. check_sender_access and check_recipient_access check the e-mail address supplied by the client, so the table key may be a complete address such as admin@magedu.com, only the domain such as magedu.com, or only the local part followed by @ such as marion@; Postfix tries the full address first, then the domain, then the user@ form, and the first key found decides the action.
Cases
1. Forbid host 172.16.100.66 from sending mail through the Postfix service running on 172.16.100.1. The access table uses the hash format.
    (1) Edit /etc/postfix/access as the control file for client checks and add the line:
        172.16.100.66 REJECT
    (2) Convert the file to hash format, which produces access.db:
        postmap /etc/postfix/access
    (3) Configure Postfix to use this file for client checks by adding to /etc/postfix/main.cf:
        smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
    (4) Reload the Postfix configuration and test that sending from that host is refused.
2. Forbid sending mail to the microsoft.com domain through this server. The access table again uses the hash format.
    (1) Create /etc/postfix/denydstdomains (any file name works) and add the line:
        microsoft.com REJECT
    (2) Convert the file to hash format:
        postmap /etc/postfix/denydstdomains
    (3) Configure Postfix to use this file for recipient checks by adding to /etc/postfix/main.cf:
        smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, permit_mynetworks, reject_unauth_destination
    (4) Reload the Postfix configuration and test that mail to that domain is refused.
Postfix reads the .db file, not the text file, so postmap must be re-run after every edit; a stale .db silently keeps the old rules.
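The following Python script is an added example, not part of the article, that simulates the key order Postfix uses when it consults an access table for check_client_access and check_recipient_access/check_sender_access, so an administrator can check offline what a table will match before running postmap. It goes slightly beyond the two cases above by also showing that a shorter IP prefix key blocks a whole network and that a domain key matches its subdomains (the default parent_domain_matches_subdomains behaviour). The model is a simplification: IPv6 prefix matching is not modelled, and the two tables embedded below are constructed copies of the page's cases.

```python
import ipaddress

# Added example: simulates the lookup-key order of Postfix access(5) tables.
# Assumed simplified model of the default behaviour (domain keys also match
# subdomains); IPv6 prefix matching is not modelled.


def _domain_and_parents(name: str) -> list:
    """'mail.microsoft.com' -> ['mail.microsoft.com', 'microsoft.com', 'com']"""
    labels = name.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def address_lookup_keys(address: str) -> list:
    """Keys tried, in order, for check_sender_access / check_recipient_access:
    full address, the domain and its parents, then localpart@."""
    local, sep, domain = address.lower().rpartition("@")
    if not sep:
        return [address.lower()]
    return [f"{local}@{domain}"] + _domain_and_parents(domain) + [f"{local}@"]


def client_lookup_keys(ip: str, hostname: str = None) -> list:
    """Keys tried, in order, for check_client_access: the client host name and its
    parent domains, the IP address, then shorter network prefixes
    (172.16.100.66, 172.16.100, 172.16, 172)."""
    keys = _domain_and_parents(hostname) if hostname else []
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    else:
        keys.append(str(addr))
    return keys


def parse_access_table(text: str) -> dict:
    """Parse the text form of an access table ('key action', '#' comments).
    postmap lowercases keys and smtpd lowercases lookups, so do the same."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"access table entry without an action: {line!r}")
        table[fields[0].lower()] = fields[1].strip()
    return table


def lookup(table: dict, keys: list) -> tuple:
    """First key present in the table wins, as with a hash: map. Returns
    (matched_key, action); (None, None) means no match, so the check_*_access
    restriction is skipped and the restriction list continues."""
    for key in keys:
        if key in table:
            return key, table[key]
    return None, None


# Constructed copies of the two tables from the cases above.
CLIENT_TABLE = """
# /etc/postfix/access  (case 1)
172.16.100.66   REJECT
"""

RECIPIENT_TABLE = """
# /etc/postfix/denydstdomains  (case 2)
microsoft.com   REJECT
"""


if __name__ == "__main__":
    clients = parse_access_table(CLIENT_TABLE)
    for ip in ("172.16.100.66", "172.16.100.67"):
        print(ip, client_lookup_keys(ip), "->", lookup(clients, client_lookup_keys(ip)))
    rcpts = parse_access_table(RECIPIENT_TABLE)
    for rcpt in ("bill@microsoft.com", "bill@mail.microsoft.com", "bill@notmicrosoft.com"):
        print(rcpt, "->", lookup(rcpts, address_lookup_keys(rcpt)))
    # A shorter prefix key rejects the whole network: '172.16.100 REJECT'.
    clients["172.16.100"] = "REJECT"
    print("172.16.100.67 with prefix key ->", lookup(clients, client_lookup_keys("172.16.100.67")))
```

Note that a domain key such as microsoft.com matches bill@mail.microsoft.com but not bill@notmicrosoft.com, because parent-domain matching works on label boundaries, and that a (None, None) result does not mean "permit": it only means the access check did not fire and the next restriction in the list is evaluated.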
That is all for "how to install Postfix email authentication configuration under Linux". Thank you for reading.
© 2024 shulou.com SLNews company. All rights reserved.