Date: Mon, 14 Feb 2005 13:37:59 -0800
From: BSD Mail <bsdmail@gmail.com>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: FreeBSD-questions@freebsd.org
Subject: Re: Postfix + Auth + SSL + pop3s/imaps
Message-ID: <8be663db0502141337b874381@mail.gmail.com>
In-Reply-To: <421076D9.40908@locolomo.org>
References: <8be663db0502140056105c9196@mail.gmail.com> <421076D9.40908@locolomo.org>
On Mon, 14 Feb 2005 11:00:57 +0100, Erik Norgaard <norgaard@locolomo.org> wrote:
> BSD Mail wrote:
> > I have a 5.3 Server. I'm planning to install Postfix.
> > I'm planning to use the Maildir format.
> >
> > I'm going to generate my own SSL certificates for mail
> > and use it for smtps/imaps/pop3s. But I'm not sure what
> > to use for authentication. I need to have the mail
> > users/password separated from the system user/password.
> > Because some users will only have mail accounts and they
> > won't have any shell access.
>
> You don't _need_ to separate them from the system password file, just
> give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can
> still authenticate to fetch mail. Secondly, if users should receive
> mail, postfix must know about them. This is normally done by lookup in
> the password file.

That's fine with me too. So with this method, would PAM be used for
authentication? Or would I still need SASL for smtp? If there is a way to
not use SASL at all I would like to know the available options that I
have. Because I'm going to use Dovecot for pop3s and imaps, I would
probably want to get rid of SASL, if possible, throughout the entire mail
suite and use an easier but still secure auth method.

> > I read about different auth mechanisms and I know for sure that
> > Plain Login is not what I want. I need DIGEST-MD5. I'm looking
> > for something easier than SASL to configure. On my test server
> > I tried to configure SASL and couldn't get DIGEST-MD5 to work.
> > Any suggestion?
>
> SASL isn't difficult either if you use the system password file. Just set
>
> pwcheck_method: saslauthd
> mech_list: plain login
>
> in /usr/local/lib/sasl2/smtpd.conf, remember to start saslauthd. Sasl
> supports different schemes, I have only been able to make plain work,
> maybe the others require use of sasldb.
>
> > Someone mentioned that I shouldn't worry about the authentication
> > if it's Plain or Login because I'm going to use SSL and that would
> > encrypt both Login and the data channel. I'm not sure if this is
> > 100% true. Any idea?
>
> First, your users don't have shell access, a compromise is a compromise
> of their privacy not your system - of course their privacy should be
> protected, but it makes their account less interesting.
>
> Using ssl/tls you are tunnelling clear text passwords through an
> encrypted connection. This protects against sniffing.

So if SSL/TLS is tunneling clear text passwords and it's encrypting the
connection, then why would I need SASL in the first place? Shouldn't
adding users with a nologin shell / nonexistent home and enabling TLS
suffice? Or am I missing something here?

> > Last but not least, I'm going to add on top of all that a webmail,
> > probably Openwebmail or squirrelmail. Which one of them
> > would work better with all that I mentioned earlier?
>
> I use squirrelmail, don't worry too much about that, squirrelmail
> connects through imap, so your server must support imap. The web
> interface must be set up with ssl also.

I think I will go with Openwebmail; there is a patch to make it work with
Maildir and it also supports SSL login.

> > I was checking one of the squirrelmail password plugins and I read this sentence:
> > "Cyrus SASL includes a shell utility called "saslpasswd" for manipulating user
> > passwords in the "sasldb" database. This patch attempts to use this utility to
> > perform password manipulations required by your squirrelmail users without any
> > administrative interaction. Unfortunately, this scheme requires that the
> > "saslpasswd" utility be run as the "cyrus" user - a horrible security problem
> > since we have chosen to SUID a small script which will allow this to happen."
>
> You will always have a security concern when letting some program mess
> with passwords. Of course this is particularly important if it messes
> with the system password file.
>
> An alternative is to employ eg. an ldap server - same problem, but at
> least you get things separated.
>
> > I'm pretty confused about the authentication method to use. I'm trying to run
> > everything as secure as possible. I configured Postfix to run chrooted,
> > and I'm going to use SSL for sure. What auth should I choose for smtp?
>
> Ok, I have pretty much the setup you want, except that I use cyrus-imap
> which does not use Maildir nor Mailbox. Postfix can be set up to use
> saslauth, it can be configured only to accept authentication through
> an encrypted connection using ssl.
>
> postfix supports the recommended use of start_tls to start an encrypted
> connection on the default port 25 instead of smtps.

I thought if I want to use smtps I have to use port 465 instead of 25. I
want all outgoing email to use smtps. In this case, if all mail is sent
via smtps, would that work fine even if the second hop doesn't have smtps?
In other words, would a mail server that uses port 25 for send and
receive have a problem receiving mail from my server?

> I am not clear on how cyrus-imap supports this, or it's my mail program.
>
> The only reason not to use cyrus-imap is that you will have to
> authenticate (again) if you read mail on the console, eg. using pine.

Is that behavior because of authentication / SSL? Or is it specific to
cyrus-imap?

> Cheers, Erik
> --
> Ph: +34.666334818 web: http://www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

--
Regards,
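The configuration below is an added illustration, not something posted in this thread by either participant. It ties together the three points the exchange circles around: Erik's smtpd.conf snippet, his remark that Postfix "can be configured only to accept authentication through an encrypted connection", and the poster's question about port 465 versus port 25 for the next hop. Postfix parameter names are real; the file locations under /usr/local/etc/postfix and the certificate paths are assumptions for a FreeBSD port install, and smtpd_use_tls / smtp_use_tls are the Postfix 2.2-era spellings (Postfix 2.3 and later use smtpd_tls_security_level / smtp_tls_security_level = may for the same effect).

```conf
# /usr/local/lib/sasl2/smtpd.conf  (Cyrus SASL, as in Erik's reply)
# saslauthd checks PLAIN/LOGIN credentials against the system password file,
# so mail-only users are ordinary accounts with /usr/sbin/nologin and /nonexistent.
pwcheck_method: saslauthd
mech_list: plain login

# /usr/local/etc/postfix/main.cf  (path assumed)
# Offer STARTTLS on port 25 with your own certificate (paths assumed).
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/mail.pem
smtpd_tls_key_file  = /usr/local/etc/postfix/certs/mail.key

# Turn on SASL AUTH and refuse the ANONYMOUS mechanism.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous

# This is the setting that makes PLAIN/LOGIN acceptable: AUTH is neither
# advertised nor accepted until the client has issued STARTTLS, so the
# cleartext password only ever travels inside the encrypted session.
smtpd_tls_auth_only = yes

# Authenticated users may relay anywhere; unauthenticated peers only to local domains.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Outbound side: Postfix delivers to other MTAs on port 25 regardless of how
# your own clients submitted the mail. With this set it tries STARTTLS
# opportunistically and falls back to cleartext when the next hop has no TLS,
# so a port-25-only remote server still receives your mail.
smtp_use_tls = yes

# /usr/local/etc/postfix/master.cf  (path assumed)
# Optional smtps listener on port 465 for clients that cannot do STARTTLS.
# smtpd_tls_wrapper_mode makes the whole connection TLS from the first byte,
# so the smtpd_tls_auth_only requirement above is satisfied implicitly.
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrapper_mode=yes
  -o smtpd_sasl_auth_enable=yes
```

A quick way to confirm the auth-only behaviour after reloading: connect to port 25 and send EHLO; the 250 response should not list AUTH until after a successful STARTTLS. If AUTH PLAIN or AUTH LOGIN shows up on the cleartext EHLO, smtpd_tls_auth_only has not taken effect and passwords are exposed to anyone who can sniff the path.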