From owner-freebsd-questions@FreeBSD.ORG Mon Feb 14 10:01:06 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5AEBC16A4CF for ; Mon, 14 Feb 2005 10:01:06 +0000 (GMT) Received: from top.daemonsecurity.com (FW-182-254.go.retevision.es [62.174.254.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id C03AF43D5E for ; Mon, 14 Feb 2005 10:01:04 +0000 (GMT) (envelope-from norgaard@locolomo.org) Received: from [IPv6???1] (localhost.daemonsecurity.com [127.0.0.1]) by top.daemonsecurity.com (Postfix) with ESMTP id 449B1FD020; Mon, 14 Feb 2005 11:01:03 +0100 (CET) Message-ID: <421076D9.40908@locolomo.org> Date: Mon, 14 Feb 2005 11:00:57 +0100 From: Erik Norgaard User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20050127 X-Accept-Language: en, en-us, da, it, es MIME-Version: 1.0 To: BSD Mail References: <8be663db0502140056105c9196@mail.gmail.com> In-Reply-To: <8be663db0502140056105c9196@mail.gmail.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: FreeBSD-questions@freebsd.org Subject: Re: Postfix + Auth + SSL + pop3s/imaps X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Feb 2005 10:01:06 -0000 BSD Mail wrote: > I have a 5.3 Server. I'm planning to install Postfix. > I'm planning to use the Maildir format. > > I'm going to generate my own SSL certificates for mail > and use it for smpts/imaps/pop3s. But I'm not sure what > to use for authentication. I need to have the mail > users/password seperated from the system user/password. > Because some users will only have mail accounts and they > won't have any shell access. You don't _need_ to separate them from the system password file, just give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can still authenticate to fetch mail. Secondly, if users should receive mail, postfix must know about them. This is normally done by lookup in the password file. > I read about different auth mechanism and I know for sure that > Plain Login is not what I want. I need DIGEST-MD5. I'm looking > for something easier than SASL to configure. On my test server > I tried to configure SASL and couldn't get DIGEST-MD5 to work. > Any suggestion ? SASL isn't difficult too if you use the system password file. Just set pwcheck_method: saslauthd mech_list: plain login in /usr/local/lib/sasl2/smtpd.conf, remember to start saslauthd. Sasl supports different schemes, I have only been able to make plain work, maybe the others require use of sasldb. > Someone mentioned that I shouldn't worry about the authentication > if it's Plain or Login because I'm going to use SSL and that would > encrypt both Login and the data channel. I'm not sure if this is > 100% true. Any idea ? First, your users don't have shell access, a compromise is a compromise of their privacy not your system - ofcourse their privacy should be protected, but it makes their account less interesting. Using ssl/tls you are tunnelling clear text passwords through an encrypted connection. This protects against sniffing. > Last but not least, I'm going to add on top of all that a webmail. > probably Openwebmail or squirrelmail. Which one of them > would work better with all what I mentioned earlier: I use squirrelmail, don't worry too much about that, squirrelmail connects through imap, so you server must support imap. The web interface must be setup with ssl also. > I was checking one of squirrelmail password plugins and I read this sentence: > "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user > passwords in the "sasldb" database. This patch attempts to use this utility to > perform password manipulations required by your squirrelmail users without any > administrative interaction. Unfortunately, this scheme requires that the > "saslpasswd" utility be run as the "cyrus" user - a horrible security problem > since we have chosen to SUID a small script which will allow this to happen." You will always have a security concern when letting some program mess with passwords. Ofcourse this is particularly important if it messes with system password file. An alternative is to employ eg. a ldap server - same problem, but at least you get things separated. > I'm pretty confused about the authentication method to use. I'm trying to run > everything as secure as possible. I configured Postfix to run chrooted. > and I'm going to use SSL for sure. What auth should I choose for smtp ? Ok, I have pretty much the setup you want, except that I use cyrus-imap which does not use Maildir nor Mailbox. Postfix can be setup to use saslauth, it can be configured only to accept authentication through encrypted connection using ssl. postfix supports the recommended use of start_tls to start an encrypted connection on the default port 25 instead of smtps. I am not clear on how cyrus-imap supports this, or it's my mail program. The only reason not to use cyrus-imap is that you will have to authenticate (again) if you read mail on the console, eg. using pine. Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9 Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2