
How to configure SASL authentication on a postfix server

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains how to configure SASL authentication on a Postfix server. Many administrators have questions about this in day-to-day operation, so the steps below have been collected from various sources into a simple, practical procedure.

If the client and Postfix are not in the same network, the client must be authenticated and authorized through a SASL mechanism. Once authorized, the client has the same permissions as a client in the same network. Postfix does not implement SASL itself; it uses a third-party implementation as a module, so some of the SASL-related settings belong to Postfix and some belong to the third-party module.

To configure SASL authentication on the Postfix server:

SASL implementations can provide a range of authentication mechanisms and can be configured to select which of them to use.

Configure Postfix to enable SASL authentication and to authorize clients to send mail or to control the sender address on envelopes.

Postfix supports several SASL implementations through plug-ins, such as Cyrus SASL and Dovecot SASL. You can check which implementations are compiled into Postfix with the following commands:

    % postconf -a    (SASL support in the SMTP server)
    % postconf -A    (SASL support in the SMTP+LMTP client)

Configure Dovecot SASL:

     1 conf.d/10-master.conf:
     2     service auth {
     3       ...
     4       unix_listener /var/spool/postfix/private/auth {
     5         mode = 0660
     6         # Assuming the default Postfix user and group
     7         user = postfix
     8         group = postfix
     9       }
    10       ...
    11     }
    12
    13 conf.d/10-auth.conf
    14     auth_mechanisms = plain login

Line 4: Use a UNIX-domain socket

Lines 5-8: Allow only the postfix user and group to read and write the socket

Line 14: plain and login authentication mechanisms are provided

Cyrus SASL configuration:

The first step is to determine the name and location of the configuration file. The file name is the value that the Postfix SMTP server passes to the Cyrus SASL library, plus the .conf suffix. That value is the name of the component using Cyrus SASL. The default is smtpd, so the configuration file name defaults to smtpd.conf:

    /etc/postfix/main.cf:
        # Postfix 2.3 and later
        smtpd_sasl_path = smtpd

        # Postfix < 2.3
        smtpd_sasl_application_name = smtpd

Where Cyrus SASL searches for the configuration file depends on the Cyrus SASL version and on conventions of the Postfix distribution itself.

Postfix links against the Cyrus SASL library, libsasl, and communicates with Cyrus by calling that library. The SASL library can authenticate clients either through an external password verification service or through an internal plug-in connected to the authentication backend:

    authentication backend        password verification service / plugin
    /etc/shadow                   saslauthd
    PAM                           saslauthd
    IMAP server                   saslauthd
    sasldb                        sasldb
    MySQL, PostgreSQL, SQLite     sql
    LDAP                          ldapdb

saslauthd: postfix communicates with the saslauthd service via a unix-domain socket.

Enable SASL authentication in Postfix:

Postfix uses the Cyrus SASL implementation by default. It can be changed to Dovecot:

    /etc/postfix/main.cf:
        smtpd_sasl_type = dovecot

Specify the address of the UNIX-domain socket used to reach Dovecot:

    /etc/postfix/main.cf:
        smtpd_sasl_path = private/auth

If TCP socket communication is used, it can be configured as follows:

    /etc/postfix/main.cf:
        smtpd_sasl_path = inet:127.0.0.1:12345

Enable SASL authentication:

    /etc/postfix/main.cf:
        smtpd_sasl_auth_enable = yes

After SASL is enabled, Postfix tells the client in its reply to the EHLO command which authentication mechanisms are supported, but some older clients do not recognize the format of this announcement. In that case, you can configure Postfix to repeat the announcement in a compatible format that older clients recognize:

    /etc/postfix/main.cf:
        broken_sasl_auth_clients = yes

Postfix can apply restriction policies that allow or prohibit certain SASL mechanisms. The options are as follows:

    Property           Description
    noanonymous        Don't use mechanisms that permit anonymous authentication.
    noplaintext        Don't use mechanisms that transmit unencrypted username and password information.
    nodictionary       Don't use mechanisms that are vulnerable to dictionary attacks.
    forward_secrecy    Require forward secrecy between sessions (breaking one session does not break earlier sessions).
    mutual_auth        Use only mechanisms that authenticate both the client and the server to each other.

The default policy configuration is as follows:

    /etc/postfix/main.cf:
        # Specify a list of properties separated by comma or whitespace
        smtpd_sasl_security_options = noanonymous

Note: At a minimum, you should prohibit anonymous authentication.

TLS-encrypted sessions:

For TLS-encrypted sessions, Postfix applies a separate set of parameters to the SASL mechanisms. By default this set copies the configuration of non-TLS sessions:

    /etc/postfix/main.cf:
        smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

If you want to configure the two separately, you can do this:

    /etc/postfix/main.cf:
        smtpd_sasl_security_options = noanonymous, noplaintext
        smtpd_sasl_tls_security_options = noanonymous

Enable SASL authentication only after a TLS session is established:

    /etc/postfix/main.cf:
        smtpd_tls_auth_only = yes
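What the EHLO announcement looks like from the client side, as an added example that is not part of the original article: a parser that accepts both the standard AUTH line and the legacy AUTH= line that broken_sasl_auth_clients adds, and flags PLAIN or LOGIN being offered before TLS. The EHLO replies are constructed samples and the function names are illustrative.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # both send the password base64-encoded, not encrypted

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply; accepts 'AUTH mech...' and legacy 'AUTH=mech...'."""
    info = {"starttls": False, "mechs": set(), "legacy_form": False}
    for line in reply.splitlines():
        m = re.match(r"250[- ](.*)$", line.strip())
        if not m:
            continue
        keyword = m.group(1).strip().upper()
        if keyword == "STARTTLS":
            info["starttls"] = True
        elif keyword.startswith("AUTH="):
            info["legacy_form"] = True
            info["mechs"].update(keyword[5:].split())
        elif keyword.startswith("AUTH "):
            info["mechs"].update(keyword[5:].split())
    return info

def check(reply, tls_active):
    """Findings for one EHLO reply, given whether the session is already encrypted."""
    info = parse_ehlo(reply)
    findings = []
    exposed = sorted(info["mechs"] & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        findings.append("plaintext mechanisms offered without TLS: " + " ".join(exposed))
    if not info["mechs"] and tls_active:
        findings.append("no AUTH offered even after TLS")
    return findings

# Constructed EHLO replies (hostname and capability list are illustrative).
BEFORE_TLS_WEAK = """250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""
BEFORE_TLS_AUTH_ONLY = """250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
```

With smtpd_tls_auth_only = yes, the reply before STARTTLS should look like the second sample: no AUTH line at all until the session is encrypted.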

After the client is authenticated, Postfix determines what the client is authorized to do, such as sending mail to a foreign user or using a specific envelope sender as the MAIL FROM value. Neither is allowed by default.

Mail forwarding authorization:

    # With Postfix 2.10 and later, the mail relay policy is
    # preferably specified under smtpd_relay_restrictions.
    /etc/postfix/main.cf:
        smtpd_relay_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination

    # Older configurations combine relay control and spam control under
    # smtpd_recipient_restrictions. To use this example with Postfix ≥
    # 2.10 specify "smtpd_relay_restrictions=".
    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination
            ...other rules...

This concludes the walkthrough of how to configure SASL authentication on a Postfix server. Theory is best combined with practice, so try the configuration yourself.
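An added example (not from the original article or the Postfix project) that checks a main.cf text for the settings covered above: noanonymous, plaintext mechanisms on unencrypted sessions, and reject_unauth_destination in smtpd_relay_restrictions. The function names and both sample configurations are constructed for illustration; it goes slightly beyond the article by handling continuation lines and one level of $name expansion.

```python
import re

# Defaults: security options as in the article; yes/no parameters default to no.
DEFAULTS = {"smtpd_sasl_auth_enable": "no", "smtpd_tls_auth_only": "no",
            "smtpd_sasl_security_options": "noanonymous",
            "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options"}

def parse_main_cf(text):
    """Parse main.cf: skip '#' comments, join whitespace-led continuation lines."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def words(merged, name):
    """Split a parameter into words, expanding one level of $name references."""
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: merged.get(m.group(1), ""),
                   merged.get(name, ""))
    return set(re.split(r"[,\s]+", value)) - {""}

def audit(text):
    """Return findings for the SASL settings discussed in the article."""
    params = parse_main_cf(text)
    merged = {**DEFAULTS, **params}
    if merged["smtpd_sasl_auth_enable"] != "yes":
        return ["SASL authentication is not enabled"]
    issues = []
    for name in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options"):
        if "noanonymous" not in words(merged, name):
            issues.append(name + " permits anonymous mechanisms")
    if (merged["smtpd_tls_auth_only"] != "yes"
            and "noplaintext" not in words(merged, "smtpd_sasl_security_options")):
        issues.append("plaintext mechanisms may be offered without TLS")
    relay = words(merged, "smtpd_relay_restrictions")
    if relay and "reject_unauth_destination" not in relay:
        issues.append("smtpd_relay_restrictions lacks reject_unauth_destination")
    return issues

# Constructed samples (not from the article): a weak and a hardened main.cf.
WEAK = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options =\n"
HARDENED = ("smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\n"
            "smtpd_relay_restrictions = permit_mynetworks,\n"
            "    permit_sasl_authenticated\n    reject_unauth_destination\n")
```

The same functions can be fed the output of postconf -n, which prints the non-default settings in the same name = value form.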
