Postfix Integrated Solution
<<< Previous	Postfix + OpenLDAP (Debian) 已完成 2004-9-28	Next >>>

Postfix Integrated Solution

Postfix + OpenLDAP (Debian) 已完成 2004-9-28

POP3,IMAP

courier 认证守护进程

其实SMTP SASL认证进程是可以与courier 认证守护进程使用同一个进程的．因为笔者使用了apt-get 方式安装所以不能实现这样功能．如果你兴趣，可以采用原码安装 [1]

配置　courier

debian:~# cd /etc/courier/
debian:/etc/courier#

authdaemonrc

debian:/etc/courier# vi authdaemonrc

authmodulelist="authldap"
version="authdaemond.ldap"

authldaprc

debian:/etc/courier# cp authldaprc authldaprc.old
debian:/etc/courier# vi authldaprc

LDAP_SERVER             localhost
LDAP_PORT               389
LDAP_PROTOCOL_VERSION   3
LDAP_BASEDN             ou=postfix, dc=example, dc=net
LDAP_BINDDN             cn=admin,dc=example, dc=net
LDAP_BINDPW             chen
LDAP_GLOB_UID           postfix
LDAP_GLOB_GID           postfix
LDAP_HOMEDIR            homeDirectory
LDAP_MAILDIR            mailbox
LDAP_DEFAULTDELIVERY    defaultDelivery
LDAP_MAILDIRQUOTA       quota
LDAP_FULLNAME           cn
#LDAP_CLEARPW           clearPassword
LDAP_CRYPTPW            userPassword
LDAP_DEREF              never
LDAP_TLS                0
注:LDAP_TLS 与Postfix 没关系.它是OpenLDAP认证TLS.

重新启动 courier-authdaemon

debian:/etc/courier# /etc/init.d/courier-authdaemon start
Starting Courier authdaemon: done.
debian:/etc/courier#

配置 POP

debian:/etc/courier# vi pop3d
AUTHMODULES="authdaemon"
AUTHMODULES_ORIG="authdaemon"
DEBUG_LOGIN=3
POP3AUTH="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH_ORIG="LOGIN CRAM-MD5 CRAM-SHA1"
POP3AUTH_TLS=""
POP3AUTH_TLS_ORIG="LOGIN PLAIN"
PORT=110
ADDRESS=0
TCPDOPTS="-nodnslookup -noidentlookup"
POP3DSTART=YES
MAILDIRPATH=Maildir

配置 IMAP

####sarge注意：由于系统中默认带有libsasl2，必须将其卸载： apt-get --purge remove libsasl2 #### mail:~# apt-get --purge remove libsasl2 Reading Package Lists... Done Building Dependency Tree... Done The following packages will be REMOVED: apache2-common* at* exim* gnupg* libldap2* libsasl2* mailx* mutt* samba* samba-common* squid* squid-common* swat* 0 upgraded, 0 newly installed, 13 to remove and 0 not upgraded. Need to get 0B of archives. After unpacking 40.8MB disk space will be freed. Do you want to continue? [Y/n] n Abort. mail:~# ##################################### ###ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ #http://www.jonfullmer.com/smtpauth/ #sasl-authd #### mkdir -p /data/distfiles/src cd /data/distfiles wget -c ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.19.tar.gz tar xfz cyrus-sasl-2.1.19.tar.gz -C src cd src/cyrus-sasl-2.1.19 ./configure --help ### --enable-sample compile sample code yes --enable-otp enable OTP authentication yes --enable-gssapi=<DIR> enable GSSAPI authentication yes --enable-plain enable PLAIN authentication yes --enable-anon enable ANONYMOUS authentication yes --enable-login enable unsupported LOGIN authentication no --enable-sql enable SQL auxprop [no] --with-dbpath=PATH set the DB path to use /etc/sasldb2 --with-dblib=DBLIB set the DB library to use berkeley --with-bdb-libdir=DIR Berkeley DB lib files are in DIR --with-bdb-incdir=DIR Berkeley DB include files are in DIR --with-gdbm=PATH use gdbm from PATH --with-devrandom=PATH set the path to /dev/random /dev/random --with-pam=DIR use PAM (rooted in DIR) yes --with-saslauthd=DIR enable use of the saslauth daemon using state dir DIR --with-authdaemond=PATH enable use of authdaemon with default socket=PATH [no] --with-openssl=PATH use OpenSSL from PATH --with-mysql=PATH use MySQL from PATH --with-plugindir=DIR set the directory where plugins will be found /usr/lib/sasl2 --with-rc4 use internal rc4 routines yes ### #添加对authdaemon的支持 make clean ./configure --prefix=/usr --sysconfdir=/etc --infodir=/usr/share/info --mandir=/usr/share/man \ --with-authdaemon=/data/modules/public/courier-imap/var/authdaemon/socket \ --enable-login \ --enable-plain \ --with-pam \ --enable-sample \ --with-plugindir=/usr/lib/sasl2 \ --with-saslauthd=/var/run/saslauthd \ --disable-otp \ --disable-sql \ --disable-pwcheck \ --disable-cram \ --disable-digest \ --disable-krb4 \ --disable-gssapi \ --disable-anon \ --without-des \ --without-openssl \ --with-dblib=berkeley \ --with-bdb-libdir=/usr/lib \ --with-bdb-incdir=/usr/include ##补丁 cat >realmpatch <<MYGOD --- checkpw.c.org Sun Apr 4 16:24:55 2004 +++ checkpw.c Sun Apr 4 16:26:32 2004 @@ -572,6 +572,8 @@ } /* Split out username/realm if necessary */ + /* disable for e-mail address login for virtual domain user. */ + /* if(strrchr(userid,'@') != NULL) { char *rtmp; @@ -583,6 +585,7 @@ *rtmp = '\0'; user_realm = rtmp + 1; } + */ /* * build request of the form: MYGOD cd lib patch -p0< ../realmpatch cd - make && make install ############ # telnet 127.0.0.1 25 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 bugfix.kingsoft.net ESMTP Postfix ehlo mail.163.com 250-bugfix.kingsoft.net 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH LOGIN PLAIN #必须保证系统中sasl的lib和系统中sasl.h的一致性，也就是说，必须是同一源码同一编译参数生成的； 250-AUTH=LOGIN PLAIN #这里支持的LOGIN PLAIN验证方式是由上面的configure --enable-login决定的。 250 8BITMIME #还要注意上述enable的验证参数的顺序也是有要求的，如果某个验证方式编译错误，虽然能编译出so文件，但在 quit #调用时只要一个出错，后面的方式将都失效。 221 Bye Connection closed by foreign host. ##################################################### ##注意/data/modules/public/courier-imap/var/authdaemon/目录得权限默认不允许其他用户访问 chmod +x /data/modules/public/courier-imap/var/authdaemon/ #2.1.18才支持--with-authdaemon参数 #### #使用 --with-authdaemon=/data/modules/public/courier-imap/var/authdaemon/socket 支持最大的好处是authdaemon在单一连接中 #支持多种验证方式 ### #vi /usr/local/sbin/sasl-server #!/bin/sh prefix=/usr saslauthd_flags=${saslauthd_flags:-"-a pam"} # Flags to saslauthd program saslauthd_runpath="/var/run/saslauthd" # Working directory saslauthd_program="${prefix}/sbin/saslauthd" # Location of saslauthd name="saslauthd" mkdir -p ${saslauthd_runpath} pidfile="${saslauthd_runpath}/${name}.pid" flags="${saslauthd_flags} -m ${saslauthd_runpath}" case $1 in start) ${saslauthd_program} ${saslauthd_flags} & if [ $? -ne 0 ] then echo "Error:start fail." fi ;; stop) kill `cat ${pidfile}` if [ $? -ne 0 ] then echo "Error:stop fail." fi ;; restart) $0 stop sleep 3 $0 start ;; *) echo "$0 <start|stop>" exit 1 ;; esac exit 0 ##end of sasl2-authd chmod +x /usr/local/sbin/sasl-server #system start up ln -s /usr/local/sbin/sasl-server /etc/init.d/ #update-rc.d sasl-server start 98 2 3 4 5 . stop 10 0 1 6 . #注意：使用authdaemond方式无需启动saslauthd,只需postfix中编译sasl2支持即可。 ## ##SASL配置; cat <<EOF> /usr/lib/sasl2/smtpd.conf pwcheck_method: authdaemond authdaemond_path: /data/modules/public/courier-imap/var/authdaemon/socket mech_list: PLAIN LOGIN log_level: 3 #pwcheck_method: saslauthd #end EOF #注意：使用authdaemond方式无需启动saslauthd,只需postfix中编译sasl2支持即可。 chmod +x /data/modules/public/courier-imap/var/authdaemon/ ################## Jun 3 03:30:01 f5mail postfix/smtpd[1381]: warning: SASL authentication failure: cannot connect to Courier authdaemond: Permission denied ################## root->root@f5mail.oss4e.net % /var/log>ls -al /data/modules/public/courier-imap/var/authdaemon/socket srwxrwxrwx 1 root wheel 0 Jun 3 03:28 /data/modules/public/courier-imap/var/authdaemon/socket root->root@f5mail.oss4e.net % /var/log>ls -al /data/modules/public/courier-imap/var/authdaemon/ total 6 drwx------ 2 root wheel 512 Jun 3 03:28 . --------->>>>> 注意这个 drwxr-xr-x 3 root wheel 512 Jun 2 22:50 .. -rw------- 1 root wheel 0 Jun 2 23:51 lock -rw-r--r-- 1 root wheel 5 Jun 3 03:28 pid srwxrwxrwx 1 root wheel 0 Jun 3 03:28 socket root->root@f5mail.oss4e.net % /var/log>chmod +x /data/modules/public/courier-imap/var/authdaemon/ #############问题解决 ##################### Jun 3 03:29:19 f5mail postfix/smtpd[1381]: sql_select option missing Jun 3 03:29:19 f5mail postfix/smtpd[1381]: auxpropfunc error no mechanism available Jun 3 03:32:59 f5mail postfix/smtpd[1398]: sql_select option missing Jun 3 03:32:59 f5mail postfix/smtpd[1398]: auxpropfunc error no mechanism available ########################这个提示不影响smtp auth 的发挥 #############

<<< Previous	Home	Next >>>
配置 Postfix	Up	amavis (anti-virus, anti-spam)

POP3,IMAP

courier 认证守护进程

配置 POP

配置 IMAP

Notes