From owner-freebsd-questions@FreeBSD.ORG Mon Feb 14 21:38:01 2005
Message-ID: <8be663db0502141337b874381@mail.gmail.com>
Date: Mon, 14 Feb 2005 13:37:59 -0800
From: BSD Mail
To: Erik Norgaard
cc: FreeBSD-questions@freebsd.org
Subject: Re: Postfix + Auth + SSL + pop3s/imaps
In-Reply-To: <421076D9.40908@locolomo.org>
References: <8be663db0502140056105c9196@mail.gmail.com> <421076D9.40908@locolomo.org>

On Mon, 14 Feb 2005 11:00:57 +0100, Erik Norgaard wrote:
> BSD Mail wrote:
> > I have a 5.3 Server. I'm planning to install Postfix.
> > I'm planning to use the Maildir format.
> >
> > I'm going to generate my own SSL certificates for mail
> > and use it for smtps/imaps/pop3s. But I'm not sure what
> > to use for authentication. I need to have the mail
> > users/password separated from the system user/password.
> > Because some users will only have mail accounts and they
> > won't have any shell access.
>
> You don't _need_ to separate them from the system password file, just
> give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can
> still authenticate to fetch mail. Secondly, if users should receive
> mail, postfix must know about them. This is normally done by lookup in
> the password file.

That's fine with me too. So with this method, would PAM be used for
authentication? Or would I still need SASL for smtp? If there is a way to
not use SASL at all I would like to know the available options that I
have. Because I'm going to use Dovecot for pop3s and imaps, I would
probably want to get rid of SASL, if it's possible, throughout the entire
mail suite and use an easier and still secure auth method.

> > I read about different auth mechanism and I know for sure that
> > Plain Login is not what I want. I need DIGEST-MD5. I'm looking
> > for something easier than SASL to configure. On my test server
> > I tried to configure SASL and couldn't get DIGEST-MD5 to work.
> > Any suggestion?
>
> SASL isn't difficult too if you use the system password file. Just set
>
> pwcheck_method: saslauthd
> mech_list: plain login
>
> in /usr/local/lib/sasl2/smtpd.conf, remember to start saslauthd. Sasl
> supports different schemes, I have only been able to make plain work,
> maybe the others require use of sasldb.
>
> > Someone mentioned that I shouldn't worry about the authentication
> > if it's Plain or Login because I'm going to use SSL and that would
> > encrypt both Login and the data channel. I'm not sure if this is
> > 100% true. Any idea?
>
> First, your users don't have shell access, a compromise is a compromise
> of their privacy not your system - of course their privacy should be
> protected, but it makes their account less interesting.
>
> Using ssl/tls you are tunnelling clear text passwords through an
> encrypted connection. This protects against sniffing.

So if SSL/TLS is tunneling clear text passwords and it's encrypting the
connection, then why would I need SASL in the first place? Shouldn't
adding users with a nologin shell / nonexistent home and enabling TLS
suffice? Or am I missing something here?

> > Last but not least, I'm going to add on top of all that a webmail,
> > probably Openwebmail or squirrelmail. Which one of them
> > would work better with all that I mentioned earlier:
>
> I use squirrelmail, don't worry too much about that, squirrelmail
> connects through imap, so your server must support imap. The web
> interface must be set up with ssl also.

I think I will go with Openwebmail; there is a patch to make it work with
Maildir and it also supports SSL login.

> > I was checking one of squirrelmail password plugins and I read this sentence:
> > "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user
> > passwords in the "sasldb" database. This patch attempts to use this utility to
> > perform password manipulations required by your squirrelmail users without any
> > administrative interaction. Unfortunately, this scheme requires that the
> > "saslpasswd" utility be run as the "cyrus" user - a horrible security problem
> > since we have chosen to SUID a small script which will allow this to happen."
>
> You will always have a security concern when letting some program mess
> with passwords. Of course this is particularly important if it messes
> with system password file.
>
> An alternative is to employ e.g. a ldap server - same problem, but at
> least you get things separated.
>
> > I'm pretty confused about the authentication method to use. I'm trying to run
> > everything as secure as possible. I configured Postfix to run chrooted,
> > and I'm going to use SSL for sure. What auth should I choose for smtp?
>
> Ok, I have pretty much the setup you want, except that I use cyrus-imap
> which does not use Maildir nor Mailbox. Postfix can be setup to use
> saslauth, it can be configured only to accept authentication through
> encrypted connection using ssl.
>
> postfix supports the recommended use of start_tls to start an encrypted
> connection on the default port 25 instead of smtps.

I thought if I want to use smtps I have to use port 465 instead of 25. I
want all outgoing email to use smtps. In this case, if all mail is sent
via smtps, would that work fine even if the second hop doesn't have smtps?
In other words, would a mail server that uses port 25 for send and
receive have a problem receiving mail from my server?

> I am not clear on how cyrus-imap supports this, or it's my mail program.
>
> The only reason not to use cyrus-imap is that you will have to
> authenticate (again) if you read mail on the console, e.g. using pine.

Is that behavior because of authentication / SSL? Or is it specific to
cyrus-imap?

> Cheers, Erik
> --
> Ph: +34.666334818 web: http://www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
> --

Regards,
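As an added example, not part of this thread and not either correspondent's own configuration: a Postfix plus Cyrus SASL setup for the arrangement Erik describes, namely saslauthd checking the system password file, PLAIN/LOGIN accepted only inside a TLS session, STARTTLS offered on port 25 and a separate smtps listener on 465. Parameter names are those of Postfix 2.3 and later (newer than this 2005 message), file locations are the FreeBSD port defaults, and the certificate paths are placeholders.

```conf
# /usr/local/etc/postfix/main.cf  (FreeBSD port path; Postfix >= 2.3 parameter names)
# Server side: offer STARTTLS on port 25 but do not require it, so MX hosts
# without TLS can still deliver to us. Certificate paths are placeholders.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example.crt
smtpd_tls_key_file  = /usr/local/etc/ssl/mail.example.key
smtpd_tls_loglevel  = 1

# SASL via Cyrus SASL + saslauthd, which checks the system password file through PAM;
# smtpd_sasl_path = smtpd selects /usr/local/lib/sasl2/smtpd.conf below.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Advertise AUTH only inside a TLS session: PLAIN/LOGIN never cross the wire in clear.
smtpd_tls_auth_only = yes
# Defence in depth: no plaintext mechanisms on an unencrypted channel,
# but allow them once TLS is up, since the channel itself is encrypted.
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Relay only for local networks and authenticated users.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Client side: opportunistic TLS when delivering to the next hop on port 25;
# falls back to clear text if that server offers no STARTTLS.
smtp_tls_security_level = may

# /usr/local/etc/postfix/master.cf  (excerpt; chroot column "y" matches a chrooted smtpd)
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
# Port 465 "smtps" for clients that only speak TLS-wrapped SMTP.
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

# /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

# /etc/rc.conf
# With a chrooted smtpd the saslauthd socket must live under the Postfix queue
# directory so the chrooted daemon can reach it.
saslauthd_enable="YES"
saslauthd_flags="-a pam -m /var/spool/postfix/var/run/saslauthd"
postfix_enable="YES"
```

With smtpd_tls_auth_only set, a client that issues AUTH before STARTTLS on port 25 is refused, which is the property that makes PLAIN/LOGIN over TLS acceptable in the first place.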