zini2001
21.02.05, 11:33
mit der anleitung von www.debianforum.de (http://www.debianforum.de/forum/viewtopic.php?t=18805&highlight=postfix+sasl)
hat es nach langen nächten geklappt!
jedoch versteh ich folgendes nicht:
die user authentifizierung eines mailclients am smtp-server ist doch dafür gedacht, das nur derjenige user mails verschicken kann der sich anmeldet, und sonst keiner. stichwort "OpenRelay"!!??
gebe ich die nutzerdaten, die in der sasldb2 stehen, in z.B. kmail(unter versand/ändern/server verlangt autorisierung)ein wird die zuverschickende mail versendet.
folgende meldung erhalte ich dann in der /var/log/mail.info:
Feb 21 11:47:54 server postfix/smtpd[13477]: connect from unknown[192.168.1.6]
Feb 21 11:47:54 server postfix/smtpd[13477]: 591675901F: client=unknown[192.168.1.6], sasl_method=PLAIN, sasl_username=user
Feb 21 11:47:54 server postfix/cleanup[13480]: 591675901F: message-id=<200502211148.24008.user@ewart.de>
Feb 21 11:47:54 server postfix/qmgr[13475]: 591675901F: from=<user@ewart.de>, size=511, nrcpt=1 (queue active)
Feb 21 11:47:54 server postfix/smtpd[13477]: disconnect from unknown[192.168.1.6]
Feb 21 11:47:55 server postfix/smtp[13481]: 591675901F: to=<user@web.de>, relay=mail.terralink.de[217.9.16.16], delay=1, status=sent (250 Ok: queued as 0B790B8F2)
Feb 21 11:47:55 server postfix/qmgr[13475]: 591675901F: removed
wunderbar!mails ist wech und kommt am ziel auch an.
geb ich stattdessen nix in den zeilen der autorisation für den smtpserver an, werden die mails genauso gut verschickt.
nur mit dem unterschied, das in der log datei nicht der hinweis auftaucht, das "sasl_method=PLAIN, sasl_username=" genutzt wurde.
Feb 21 11:47:22 server postfix/smtpd[13477]: connect from unknown[192.168.1.6]
Feb 21 11:47:22 server postfix/smtpd[13477]: 7F1E55901F: client=unknown[192.168.1.6]
Feb 21 11:47:22 server postfix/cleanup[13480]: 7F1E55901F: message-id=<200502211147.52147.user@ewart.de>
Feb 21 11:47:22 server postfix/qmgr[13475]: 7F1E55901F: from=<user@ewart.de>, size=513, nrcpt=1 (queue active)
Feb 21 11:47:22 server postfix/smtpd[13477]: disconnect from unknown[192.168.1.6]
Feb 21 11:47:23 server postfix/smtp[13481]: 7F1E55901F: to=<user@web.de>, relay=mail.terralink.de[217.9.16.16], delay=1, status=sent (250 Ok: queued as 2A830B912)
Feb 21 11:47:23 server postfix/qmgr[13475]: 7F1E55901F: removed
das system ist ein debian sarge von der c't server cd.
postfix-sasl-cyrus_imapd.
hier meine configs:
server:~# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
deamon_directory = /usr/lib/postfix
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server.zuhause.xx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server.zuhause.xx, localhost.zuhause.xx, , localhost
mynetworks = 127.0.0.0/8, 192.168.1.0/24
inet_interfaces = all
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
mailbox_size_limit = 0
recipient_delimiter = +
#RELAY_AUTH
relayhost = mail.terralink.de
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = no
#SASL_CLIENT_AUTH
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = hash:/etc/postfix/access
strict_rfc821_envelops = no
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain =
server:~# cat /etc/postfix/master.cf
#================================================= =========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# only used by postfix-tls
#tlsmgr fifo - - n 300 1 tlsmgr
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
#auxprop_plugin: sasldb
#allowplaintext: yes
mech_list: plain login
#log_level: 3
saslauthd_path: /var/run/saslauthd/mux
server:~# cat /etc/pam.d/smtp
@include common-password
@include common-auth
@include common-account
@include common-session
server:~# cat /etc/pam.d/common-auth
auth required pam_unix.so nullok_secure
server:~# cat /etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=8 md5
server:~# cat /etc/pam.d/common-session
session required pam_unix.so
server:~# cat /etc/pam.d/common-account
account required pam_unix.so
hat es nach langen nächten geklappt!
jedoch versteh ich folgendes nicht:
die user authentifizierung eines mailclients am smtp-server ist doch dafür gedacht, das nur derjenige user mails verschicken kann der sich anmeldet, und sonst keiner. stichwort "OpenRelay"!!??
gebe ich die nutzerdaten, die in der sasldb2 stehen, in z.B. kmail(unter versand/ändern/server verlangt autorisierung)ein wird die zuverschickende mail versendet.
folgende meldung erhalte ich dann in der /var/log/mail.info:
Feb 21 11:47:54 server postfix/smtpd[13477]: connect from unknown[192.168.1.6]
Feb 21 11:47:54 server postfix/smtpd[13477]: 591675901F: client=unknown[192.168.1.6], sasl_method=PLAIN, sasl_username=user
Feb 21 11:47:54 server postfix/cleanup[13480]: 591675901F: message-id=<200502211148.24008.user@ewart.de>
Feb 21 11:47:54 server postfix/qmgr[13475]: 591675901F: from=<user@ewart.de>, size=511, nrcpt=1 (queue active)
Feb 21 11:47:54 server postfix/smtpd[13477]: disconnect from unknown[192.168.1.6]
Feb 21 11:47:55 server postfix/smtp[13481]: 591675901F: to=<user@web.de>, relay=mail.terralink.de[217.9.16.16], delay=1, status=sent (250 Ok: queued as 0B790B8F2)
Feb 21 11:47:55 server postfix/qmgr[13475]: 591675901F: removed
wunderbar!mails ist wech und kommt am ziel auch an.
geb ich stattdessen nix in den zeilen der autorisation für den smtpserver an, werden die mails genauso gut verschickt.
nur mit dem unterschied, das in der log datei nicht der hinweis auftaucht, das "sasl_method=PLAIN, sasl_username=" genutzt wurde.
Feb 21 11:47:22 server postfix/smtpd[13477]: connect from unknown[192.168.1.6]
Feb 21 11:47:22 server postfix/smtpd[13477]: 7F1E55901F: client=unknown[192.168.1.6]
Feb 21 11:47:22 server postfix/cleanup[13480]: 7F1E55901F: message-id=<200502211147.52147.user@ewart.de>
Feb 21 11:47:22 server postfix/qmgr[13475]: 7F1E55901F: from=<user@ewart.de>, size=513, nrcpt=1 (queue active)
Feb 21 11:47:22 server postfix/smtpd[13477]: disconnect from unknown[192.168.1.6]
Feb 21 11:47:23 server postfix/smtp[13481]: 7F1E55901F: to=<user@web.de>, relay=mail.terralink.de[217.9.16.16], delay=1, status=sent (250 Ok: queued as 2A830B912)
Feb 21 11:47:23 server postfix/qmgr[13475]: 7F1E55901F: removed
das system ist ein debian sarge von der c't server cd.
postfix-sasl-cyrus_imapd.
hier meine configs:
server:~# cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
deamon_directory = /usr/lib/postfix
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server.zuhause.xx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server.zuhause.xx, localhost.zuhause.xx, , localhost
mynetworks = 127.0.0.0/8, 192.168.1.0/24
inet_interfaces = all
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
mailbox_size_limit = 0
recipient_delimiter = +
#RELAY_AUTH
relayhost = mail.terralink.de
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = no
#SASL_CLIENT_AUTH
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = hash:/etc/postfix/access
strict_rfc821_envelops = no
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_local_domain =
server:~# cat /etc/postfix/master.cf
#================================================= =========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
# only used by postfix-tls
#tlsmgr fifo - - n 300 1 tlsmgr
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
#auxprop_plugin: sasldb
#allowplaintext: yes
mech_list: plain login
#log_level: 3
saslauthd_path: /var/run/saslauthd/mux
server:~# cat /etc/pam.d/smtp
@include common-password
@include common-auth
@include common-account
@include common-session
server:~# cat /etc/pam.d/common-auth
auth required pam_unix.so nullok_secure
server:~# cat /etc/pam.d/common-password
password required pam_unix.so nullok obscure min=4 max=8 md5
server:~# cat /etc/pam.d/common-session
session required pam_unix.so
server:~# cat /etc/pam.d/common-account
account required pam_unix.so