2005-08-05 00:02:40
>
> i am a bit confused. pls explain. i thought, i have to add this since
> many of the resources in the internet keep mentioning it.
> perhaps, i should go for this???
> smtpd_sasl_local_domain=
What value you provide with smtpd_sasl_local_domain or not depends on
the format of your usernames:
SASL understands the concept of REALMS; you can define different
contexts for the same user and allow or restrict the use of certain
features. In combination with a username the REALM shows up as the
domain part, e.g. mail.example.com.
Postfix supports this concept with limitations: It will only allow you
to provide one, identical REALM to all usernames that are transmitted to
SASL.
Now, if and what you send as REALM depends on the format of the
usernames in your "authentication backend" i.e. the source where you
store all usernames/passwords.
1. username (smtpd_sasl_local_domain = )
If your authentication backend doesn't have REALMS attached to
usernames, you configure Postfix not to append anything to the
username. If, for example, you had a user "yohiu" in passwd/shadow
and had smtpd_sasl_local_domain = shinyang.com.my, Postfix would
always append shinyang.com.my to usernames that got sent.
Authentication would fail because SASL would look for a user
yohiu@shinyang.com.my in passwd, which does not exist.
2. username@domain (smtpd_sasl_local_domain = foo.bar.baz )
If your authentication backend has stored usernames with a REALM, e.g.
yohiu@shinyang.com.my as username in, let's say, an LDAP tree, then you
have to configure Postfix to append the REALM (here: shinyang.com.my)
to every username that is sent to SASL.
And now for something completely different: SASL
There's two ways to access an LDAP server as an authentication backend
through SASL: "saslauthd -m LDAP -O /path/to/saslauthd.conf" and ldapdb.
saslauthd
This gives you plaintext mechs (PLAIN, LOGIN) only. LDAP configuration
to access and query the right tree for the right attributes has to be
written to a separate saslauthd.conf. By default SASL will look for it
in /usr/local/etc/saslauthd.conf (you might want to look this up. I
haven't had a coffee yet...).
ldapdb
ldapdb is an auxprop plugin - you need to use it in combination with
pwcheck_method: auxprop. ldapdb gets you plaintext _and_ shared-secret
mechanisms (CRAM-MD5, DIGEST-MD5) and it requires configuration in
Postfix, SASL and OpenLDAP.
This plugin comes within the contrib tree of OpenLDAP source and has
been contributed to the SASL sources. It has been scheduled to be part
of future SASL versions, but it's low priority. Writing no documentation
seems to be of higher priority ;)
I recommend you use saslauthd. If you use saslauthd you must be aware
that this daemon strips REALMS unless you configure it not to do so with
the command line option "-r". This option is available for
Cyrus-SASL 2.x newer than 2.1.19.
> >>smtpd_sasl_security_options = noanonymous
> >>broken_sasl_auth_clients = yes
> >>
> >>smtpd_recipient_restrictions = permit_sasl_authenticated,
> >>permit_mynetworks, reject_invalid_hostname
> >>
> >>file: /usr/lib/sasl2/smtpd.conf
> >>---------------------------------------
> >>pwcheck_method: saslauthd
> >Add:
> >
> >mech_list: PLAIN LOGIN
> i added this.
>
> >>file: /etc/pam.d/smtp.postfix
> >>--------------------------------------
> >>auth required pam_ldap.so
> >>account required pam_ldap.so
> >>session required pam_ldap.so
> >>
> >>file: /etc/saslauthd.conf (initially, i don't have this file in my Redhat
> >>AS 3, but, i created it)
> >>--------------------------------------------------------------------------------------------------
> >>ldap_server: ldap://192.168.1.1
> >>ldap_bind_dn: ou=**,cn=**,dc=**,dc=**
> >>ldap_bind_pw: 123
> >>ldap_filter: uid=%u,ou=**,cn=**,dc=**,dc=**
> >>ldap_auth_method: bind
> >>ldap_search_base: cn=**,dc=**,dc=**
> >>
> >>
> >>my problem is that, i can't get authenticated from the ldap. how
> >>should i do next? what should i troubleshoot? pls advise.....
> >>thanks.....
> >
> >Use testsaslauthd to test SASL in itself. Only when you can
> >authenticate successfully turn to Postfix.
> >
> i don't have testsaslauthd in my redhat linux as3. how should i get this out?
> this is my sasl packages. is it compatible?
> [root@mail local]# rpm -qa | egrep 'sasl'
> cyrus-sasl-gssapi-2.1.15-3
> cyrus-sasl-md5-2.1.15-3
> cyrus-sasl-2.1.15-3
> cyrus-sasl-plain-2.1.15-3
> cyrus-sasl-devel-2.1.15-3
I don't know the RPMs for redhat linux as3. As an alternative you can
search the RPMs for "server" and "client". Those are two sample apps
that come with SASL. IIRC they are in cyrus-sasl-devel, but RH has
renamed them to cyrus-sasl2-server and cyrus-sasl2-client.
They need some configuration, which you should be able to find in the
SASL docs.
> another question, where is my saslauthd.conf??? how come i can't find
> it? have i missed anything? pls advise...thanks???
saslauthd.conf has to be created. It's not there by default.
p@rick
--
SMTP AUTH howto:
<
SMTP AUTH debug utility:
<
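The following is an added worked example, not code from the mail above or from Postfix or Cyrus SASL. It models the two REALM situations the mail describes (bare usernames in passwd/shadow versus user@REALM usernames in LDAP), the effect of smtpd_sasl_local_domain, and the difference between an auxprop lookup and a saslauthd lookup with and without "-r". The backends, usernames and passwords are constructed in the script; the behaviour that a username already carrying a realm is left untouched is a simplifying assumption of the model, not something the mail states.

```python
import base64
import hmac

# Constructed sample backends for this example (not from the original mail).
# A passwd/shadow-style store holds bare usernames; an LDAP-style store holds
# usernames with the REALM attached, as in case 2 of the mail.
PASSWD_STYLE = {"yohiu": "pw-passwd"}
LDAP_STYLE = {"yohiu@shinyang.com.my": "pw-ldap"}


def encode_auth_plain(authcid, passwd, authzid=""):
    """Build the base64 initial response a client sends with AUTH PLAIN (RFC 4616)."""
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64):
    """Split an AUTH PLAIN response into (authzid, authcid, passwd); reject malformed input."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("AUTH PLAIN response is not valid base64") from exc
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("AUTH PLAIN response must be [authzid] NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)


def sasl_authid(authcid, smtpd_sasl_local_domain):
    """Model of the behaviour the mail describes: with smtpd_sasl_local_domain set,
    Postfix hands SASL 'user@REALM'; left empty, the bare username is passed.
    Assumption of this model: a username that already carries a realm is left alone."""
    if smtpd_sasl_local_domain and "@" not in authcid:
        return f"{authcid}@{smtpd_sasl_local_domain}"
    return authcid


def check_password(authid, passwd, backend, pwcheck_method="auxprop", saslauthd_keep_realm=False):
    """Model of the two lookup paths in the mail.
    auxprop:   SASL looks up the authid exactly as Postfix passed it.
    saslauthd: the daemon strips the REALM before the lookup unless run with -r."""
    if pwcheck_method == "saslauthd" and not saslauthd_keep_realm:
        lookup = authid.split("@", 1)[0]
    else:
        lookup = authid
    stored = backend.get(lookup)
    # Constant-time comparison so a wrong password and a missing user look alike.
    return stored is not None and hmac.compare_digest(stored.encode(), passwd.encode())


def authenticate(b64_response, smtpd_sasl_local_domain, backend,
                 pwcheck_method="auxprop", saslauthd_keep_realm=False):
    """Full path from AUTH PLAIN response to backend lookup.
    Returns (ok, authid_sent_to_sasl) so the caller can see what SASL actually looked up."""
    _, authcid, passwd = decode_auth_plain(b64_response)
    authid = sasl_authid(authcid, smtpd_sasl_local_domain)
    ok = check_password(authid, passwd, backend, pwcheck_method, saslauthd_keep_realm)
    return ok, authid


if __name__ == "__main__":
    resp = encode_auth_plain("yohiu", "pw-passwd")
    # Case 1 of the mail: passwd-style backend. Appending a REALM makes the auxprop lookup fail.
    print("passwd, no realm, auxprop      :", authenticate(resp, "", PASSWD_STYLE))
    print("passwd, realm appended, auxprop:", authenticate(resp, "shinyang.com.my", PASSWD_STYLE))
    # saslauthd strips the realm again by default, which is why it still works there.
    print("passwd, realm appended, saslauthd:", authenticate(resp, "shinyang.com.my", PASSWD_STYLE, "saslauthd"))
    # Case 2 of the mail: LDAP-style backend with user@REALM. saslauthd needs -r to keep the realm.
    resp2 = encode_auth_plain("yohiu", "pw-ldap")
    print("ldap, realm appended, saslauthd   :", authenticate(resp2, "shinyang.com.my", LDAP_STYLE, "saslauthd"))
    print("ldap, realm appended, saslauthd -r:", authenticate(resp2, "shinyang.com.my", LDAP_STYLE, "saslauthd", True))
```

Running the script prints the four outcomes the mail predicts: the passwd-style backend only works when no realm is appended (or when saslauthd strips it again), and the LDAP-style backend only works when the realm survives all the way to the lookup, which with saslauthd means running it with "-r".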