Date: Tue, 15 Feb 2005 02:26:50 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: BSD Mail <bsdmail@gmail.com> Cc: FreeBSD-questions@freebsd.org Subject: Re: Postfix + Auth + SSL + pop3s/imaps Message-ID: <42114FDA.9040701@locolomo.org> In-Reply-To: <8be663db0502141337b874381@mail.gmail.com> References: <8be663db0502140056105c9196@mail.gmail.com> <421076D9.40908@locolomo.org> <8be663db0502141337b874381@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
BSD Mail wrote: > On Mon, 14 Feb 2005 11:00:57 +0100, Erik Norgaard <norgaard@locolomo.org> wrote: >>You don't _need_ to separate them from the system password file, just >>give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can >>still authenticate to fetch mail. Secondly, if users should receive >>mail, postfix must know about them. This is normally done by lookup in >>the password file. > > That's fine with me too. So with this method is PAM would be used for > authentication ? Or I would still need SASL for smtp ? I use saslauthd only. > If there is a way to not use SASL at all I would like to know the > available options that I have. Because I'm going to use Dovecot > for pop3s and imaps, I would probably want to get rid of SASL > if it's possible throughtout the entire mail suite if possible and > use an easier and still secure as an auth method. well, don't ask me :-) as I wrote, I use sasl and it works for me. But, many servers, including postfix, comes with ldap support so instead of using sasl or the password file a lookup in the ldap directory is done. Before you make your choice, you really need to decide if users will have a unix account or not (regardless if they can login) and then decide which mail servers (imap/pop) to run based on which supports that setup. All, AFAIK, support the unix account. > So if SSL/TLS is tunneling clear text passwords and it's encrypting the > connection then why would I need SASL in the first place ? Shouldn't adding > user with nologin shell / nonexistent home and enabling TLS would suffice ? > or I'm I missing something here? The point of using sasl to separate privileges. The server that requires users to authenticate can run unprivileged and request saslauthd to authenticate. Otherwise the server must run as root in order to access the master passwd file and authenticate. Running your server with root privileges may be required anyway if mail is stored as maildir/mailbox files, whereas cyrus-imap maintains it's own privilege control. One of the cool features of cyrus-imap is that you can share folders among users. This is neat instead of mailinglist if you for example have a support@ address. > I think I will go with Openwebmail there is a patch to make it work > with Maildir and also it does support SSL login. You will gain freedom if your webmail issues an imap connection, since you are going to support imap anyway. This means that you can move your webmail service independently of the mail server - be it openwebmail or squirrelmail. > I thought if I want to use smtps I have to use port 465 instead of 25. > I want all outgoing email to use smtps. In this case if all mail is > sent via smpts would that work fine even if the second hop doesn't > have smtps ? In other words, would a mail server that uses port > 25 for send and receive have a problem receiving mail from my server ? smtps on port 465 is depreciated. The way it works is that the client connects to port 25 and issues a "START_TLS" command. Then the server and client will exchange keys and an encrypted session is initiated. Same thing for imaps. The only difference from smtps is that both encrypted and unencrypted connections goes on the same port, and the point is to avoid saturation of the port interval 1-1023. The only exception is https which is considered to be so wide spread that it will remain on port 443. The cool thing is that you can configure postfix such that when the client requests which commands are available, "authenticate" is only available if an encrypted connection has been established. >>The only reason not to use cyrus-imap is that you will have to >>authenticate (again) if you read mail on the console, eg. using pine. > > Is that behavior because of authentication / SSL ? Or it is specific > to cyrus-imap ? This is because the mail client opens an imap connection, where as if it used Mailbox it would just read from a file. So, it is not cyrus nor ssl. My solution is that normally I don't use a text based client anyway. For vital accounts such as root, I dump mail into a file also, so I have access to that important mail if everything else just doesn't work. Cheers, Erik -- Ph: +34.666334818 web: http://www.locolomo.org S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9 Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42114FDA.9040701>