1. Start the SASL service
1.1 The startup script for the SASL service is /etc/init.d/saslauthd, but the service is not started by default;
1.2 Show the authentication mechanisms the installed saslauthd supports. The default MECH is pam, but no PAM service is configured for saslauthd out of the box:
[root@www ~]# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
1.3 The saslauthd configuration file is /etc/sysconfig/saslauthd, with this content:
SOCKETDIR=/var/run/saslauthd
MECH=shadow #change the mechanism to shadow: users are verified against /etc/shadow, and the lw user created earlier has a password set there
# DAEMONOPTS=--user saslauth #left commented out: the shadow mechanism needs root privileges to read /etc/shadow
FLAGS=
1.4 After the change, start the saslauthd service
[root@www ~]# service saslauthd start
Starting saslauthd: [ OK ]
Make sure it starts at boot (run `chkconfig saslauthd on` first if runlevels 2-5 show off):
[root@www ~]# chkconfig --list saslauthd
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
1.5 Use testsaslauthd to check that user authentication works through saslauthd
[root@www ~]# testsaslauthd -u lw -p lw
0: OK "Success."
1.6 Use postconf -a to check which SASL implementations this postfix build supports
[root@www ~]# postconf -a
cyrus #supported; this is the Cyrus SASL plug-in used in this guide
dovecot
2. The server side now supports SASL authentication, but Postfix still has to be configured to use it.
2.1 Before trying to understand the configuration below, it helps to first understand Postfix's client-based access control (the smtpd_*_restrictions lists):
See: http://blog.chinaunix.net/uid-30212356-id-5175898.html
2.2 Edit /etc/postfix/main.cf and add the following lines
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
smtpd_banner = Welcome to my $myhostname ESMTP!
Where:
broken_sasl_auth_clients = yes #also advertise the old, non-standard "AUTH=mechanisms" form for older clients (Outlook Express and similar) that do not follow RFC 2554; this is why the EHLO reply later shows two AUTH lines
smtpd_recipient_restrictions= #restrictions applied at RCPT TO, evaluated left to right; the first permit_* or reject_* rule that matches decides:
permit_mynetworks: accept (and relay for) clients whose address is in $mynetworks;
permit_sasl_authenticated: accept (and relay for) clients that passed SASL authentication;
reject_invalid_hostname: reject when the HELO/EHLO hostname has invalid syntax;
reject_non_fqdn_hostname: reject when the HELO/EHLO hostname is not a fully-qualified domain name;
reject_unknown_sender_domain: reject when the sender's domain has no DNS A or MX record;
reject_non_fqdn_sender: reject when the sender address is not in fully-qualified form;
reject_non_fqdn_recipient: reject when the recipient address is not in fully-qualified form;
reject_unknown_recipient_domain: reject when the recipient's domain has no DNS A or MX record;
reject_unauth_pipelining: reject clients that send SMTP commands ahead of time without being allowed to (typical of spam software);
reject_unauth_destination: reject mail whose destination is not one of this server's local or relay domains. This is the rule that prevents an open relay; it must come after permit_mynetworks and permit_sasl_authenticated, otherwise trusted and authenticated clients could not relay either, and if it were missing anyone could.
smtpd_sasl_auth_enable = yes #enable SASL authentication in the SMTP server;
smtpd_sasl_local_domain = $myhostname #the local SASL authentication realm (empty by default);
smtpd_sasl_security_options = noanonymous #SASL security options: do not allow anonymous authentication. Note that LOGIN and PLAIN only base64-encode the password, so without TLS anyone who can see the traffic can recover it;
smtpd_sasl_path = smtpd #the application name passed to the SASL library; with Cyrus SASL it selects the smtpd.conf file edited below (older Postfix releases called this parameter smtpd_sasl_application_name);
smtpd_banner = Welcome to my $myhostname ESMTP! #the greeting banner;
2.3 Edit the smtpd.conf file that the SASL2 library reads for the smtpd application (the file may not exist yet or may be empty; on x86_64 systems the directory is /usr/lib64/sasl2) and add:
[root@www postfix]# vim /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd #check passwords through the saslauthd daemon started above
mech_list: LOGIN PLAIN #offer the LOGIN and PLAIN mechanisms; Outlook uses LOGIN
To make the test meaningful, set mynetworks = 127.0.0.0/8 in main.cf. Postfix then relays unconditionally only for the local host itself; clients on the LAN must authenticate, and permit_sasl_authenticated lets authenticated users relay. This is the safer arrangement;
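The following is an added example, not part of the original page or of Postfix itself: a small model of how Postfix walks the smtpd_recipient_restrictions list above, left to right, stopping at the first permit_* or reject_* rule that matches. It plays through the two mynetworks settings discussed above (192.168.85.0/24 versus 127.0.0.0/8), an authenticated and an unauthenticated LAN client, and what happens if reject_unauth_destination is left out or placed before permit_sasl_authenticated. $mydestination, the set of "resolvable" domains (no real DNS is consulted) and the sample sessions are assumed or constructed for the example.

```python
"""Toy model of how Postfix walks smtpd_recipient_restrictions.

Added example, not Postfix source: the list is evaluated left to right and the
first permit_* or reject_* rule that matches decides the RCPT TO reply; if no
rule matches, the recipient is accepted. $mydestination, the resolvable domains
and the sample sessions are assumed/constructed for this example.
"""
import ipaddress
import re

# The restriction list from main.cf above, in the same order.
RESTRICTIONS = [
    "permit_mynetworks", "permit_sasl_authenticated",
    "reject_invalid_hostname", "reject_non_fqdn_hostname",
    "reject_unknown_sender_domain", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_unauth_pipelining", "reject_unauth_destination",
]

# Assumed for the example: domains this server accepts as local ($mydestination)
# and the domains our stand-in for DNS can resolve (constructed, no lookups).
MYDESTINATION = {"a.com", "mail.a.com"}
RESOLVABLE = MYDESTINATION | {"qq.com"}

LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def valid_hostname(name):
    return bool(HOSTNAME_RE.match(name))


def is_fqdn(name):
    return valid_hostname(name) and "." in name


def domain_of(address):
    return address.rpartition("@")[2].lower()


def in_mynetworks(client_ip, mynetworks):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate(session, mynetworks, restrictions=RESTRICTIONS):
    """Return (verdict, rule) for one RCPT TO; verdict is 'permit' or 'reject'."""
    helo, sender, rcpt = session["helo"], session["sender"], session["recipient"]
    fires = {
        "permit_mynetworks": lambda: in_mynetworks(session["client_ip"], mynetworks),
        "permit_sasl_authenticated": lambda: bool(session.get("sasl_user")),
        "reject_invalid_hostname": lambda: not valid_hostname(helo),
        "reject_non_fqdn_hostname": lambda: not is_fqdn(helo),
        # The null sender <> is exempt from the sender-domain checks.
        "reject_unknown_sender_domain": lambda: bool(sender) and domain_of(sender) not in RESOLVABLE,
        "reject_non_fqdn_sender": lambda: bool(sender) and not is_fqdn(domain_of(sender)),
        "reject_non_fqdn_recipient": lambda: not is_fqdn(domain_of(rcpt)),
        "reject_unknown_recipient_domain": lambda: domain_of(rcpt) not in RESOLVABLE,
        # Session flag constructed for the example: client pipelined before it was allowed to.
        "reject_unauth_pipelining": lambda: session.get("sent_commands_early", False),
        # The anti-open-relay rule: the destination must be one of our own domains.
        "reject_unauth_destination": lambda: domain_of(rcpt) not in MYDESTINATION,
    }
    for rule in restrictions:
        if fires[rule]():
            return ("permit" if rule.startswith("permit_") else "reject", rule)
    return ("permit", "end of list")


# Constructed sessions: a LAN host that has not authenticated, the same host after
# a successful AUTH LOGIN as lw, and the unauthenticated host writing to a local user.
LAN_UNAUTH = {"client_ip": "192.168.85.130", "helo": "mail.a.com",
              "sender": "lw@a.com", "recipient": "1099649040@qq.com"}
LAN_AUTH = dict(LAN_UNAUTH, sasl_user="lw")
LAN_LOCAL_RCPT = dict(LAN_UNAUTH, recipient="lw@a.com")

if __name__ == "__main__":
    print("mynetworks=192.168.85.0/24, unauth ->", evaluate(LAN_UNAUTH, ["192.168.85.0/24"]))
    print("mynetworks=127.0.0.0/8, unauth     ->", evaluate(LAN_UNAUTH, ["127.0.0.0/8"]))
    print("mynetworks=127.0.0.0/8, auth       ->", evaluate(LAN_AUTH, ["127.0.0.0/8"]))
    print("local recipient, unauth            ->", evaluate(LAN_LOCAL_RCPT, ["127.0.0.0/8"]))
    no_relay_check = [r for r in RESTRICTIONS if r != "reject_unauth_destination"]
    print("without reject_unauth_destination  ->", evaluate(LAN_UNAUTH, ["127.0.0.0/8"], no_relay_check))
```

With mynetworks = 192.168.85.0/24 the LAN host relays to qq.com without ever authenticating; with 127.0.0.0/8 the same host gets the "Relay access denied" of the transcript below until it authenticates, while mail for lw@a.com is still accepted because the list runs to its end. Dropping reject_unauth_destination turns the server into an open relay, and moving it in front of permit_sasl_authenticated locks authenticated users out of relaying.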
Reload postfix and restart saslauthd (the saslauthd init script's reload is a stop/start):
[root@www postfix]# service saslauthd reload
Stopping saslauthd: [ OK ]
Starting saslauthd: [ OK ]
[root@www postfix]# service postfix reload
Reloading postfix: [ OK ]
Test:
[root@www postfix]# telnet 192.168.85.128 25
Trying 192.168.85.128...
Connected to 192.168.85.128.
Escape character is '^]'.
220 Welcome to my mail.a.com ESMTP!
ehlo mail.a.com
250-mail.a.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN #an AUTH line here means SASL authentication is now offered
250-AUTH=LOGIN PLAIN #the second, non-standard form is added by broken_sasl_auth_clients = yes
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: lw@a.com
250 2.1.0 Ok
mail from:root@a.com
250 2.1.0 Ok
rcpt to:1099649040@qq.com
454 4.7.1 <1099649040@qq.com>: Relay access denied #not relayed: the client is neither in mynetworks nor authenticated, so reject_unauth_destination fires
rcpt to:lw@a.com #mail to local users is still accepted
250 2.1.5 Ok
To relay, the client must authenticate first. Using lw as the example:
[root@www postfix]# telnet 192.168.85.128 25
Trying 192.168.85.128...
Connected to 192.168.85.128.
Escape character is '^]'.
220 Welcome to my mail.a.com ESMTP!
auth login
334 VXNlcm5hbWU6
bHc=
334 UGFzc3dvcmQ6
bHc=
235 2.7.0 Authentication successful #user lw authenticated
mail from:lw@a.com
250 2.1.0 Ok
rcpt to:1099649040@qq.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
SASL test!
.
250 2.0.0 Ok: queued as 11C4964B7C
quit
221 2.0.0 Bye
Connection closed by foreign host.
Check the log: the mail was indeed relayed, it just could not be delivered because qq.com rejected the message content:
[root@www postfix]# tail /var/log/maillog
Aug 27 14:42:59 www postfix/qmgr[18871]: 11C4964B7C: from=<lw@a.com>, size=297, nrcpt=1 (queue active)
Aug 27 14:43:02 www postfix/smtp[18935]: 11C4964B7C: to=<1099649040@qq.com>, relay=mx3.qq.com[112.90.83.115]:25, delay=33, delays=31/0.05/0.42/1.6, dsn=5.0.0, status=bounced (host mx3.qq.com[112.90.83.115] said: 550 Mail content denied. (in reply to end of DATA command))
About the base64 encoding used by auth login:
[root@www ~]# echo -n "lw" | openssl base64 #-n suppresses the trailing newline that echo would otherwise add
bHc=
Without -n the newline is included in the encoding and the value changes:
[root@www ~]# echo "lw" | openssl base64
bHcK
[root@www postfix]# telnet 192.168.85.128 25
Trying 192.168.85.128...
Connected to 192.168.85.128.
Escape character is '^]'.
220 Welcome to my mail.a.com ESMTP!
auth login
334 VXNlcm5hbWU6
bHcK
334 UGFzc3dvcmQ6
bHcK
535 5.7.8 Error: authentication failed: authentication failure #the decoded username is "lw" plus a newline, which matches no account, so authentication fails
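The following is an added example, not from the original page: it reproduces the AUTH LOGIN dialogue above on both sides (the server's 334 prompts are just base64 of "Username:" and "Password:"), shows the equivalent single-line AUTH PLAIN form that mech_list also offers, and models the trailing-newline mistake (bHc= versus bHcK) that produced the 535 above. The lw/lw credentials are the page's test account; nothing here talks to a network, and the shell_echo helper is a stand-in for `echo` with and without -n.

```python
"""The base64 plumbing behind SMTP AUTH LOGIN and AUTH PLAIN.

Added example, not from the original page: builds the client lines, decodes
the server's 334 prompts, and shows why "echo lw | base64" (trailing newline)
fails where "echo -n lw | base64" works. Credentials lw/lw are the page's test
account; nothing here talks to a network.
"""
import base64


def b64(data):
    """base64 of a str (UTF-8) or bytes, as the text that goes on the wire."""
    if isinstance(data, str):
        data = data.encode()
    return base64.b64encode(data).decode("ascii")


def unb64(text):
    return base64.b64decode(text)


def auth_login_exchange(username, password):
    """The AUTH LOGIN dialogue: server prompts are base64 of 'Username:'/'Password:'."""
    return [
        ("C", "AUTH LOGIN"),
        ("S", "334 " + b64("Username:")),
        ("C", b64(username)),
        ("S", "334 " + b64("Password:")),
        ("C", b64(password)),
    ]


def auth_plain_line(username, password, authzid=""):
    """AUTH PLAIN packs authzid NUL authcid NUL password into one base64 blob (RFC 4616)."""
    return "AUTH PLAIN " + b64(f"{authzid}\0{username}\0{password}")


def decode_plain(blob):
    authzid, authcid, password = unb64(blob).split(b"\0", 2)
    return authzid, authcid, password


def server_side_check(username_b64, password_b64, expected_user, expected_password):
    """What the server compares after decoding: the exact bytes, newline included."""
    return (unb64(username_b64) == expected_user.encode()
            and unb64(password_b64) == expected_password.encode())


def shell_echo(text, n_flag):
    """Stand-in for `echo -n text` vs `echo text`: without -n a newline is appended."""
    return text if n_flag else text + "\n"


if __name__ == "__main__":
    for side, line in auth_login_exchange("lw", "lw"):
        print(side + ": " + line)
    print(auth_plain_line("lw", "lw"))
    good = b64(shell_echo("lw", n_flag=True))    # bHc=
    bad = b64(shell_echo("lw", n_flag=False))    # bHcK
    print(good, server_side_check(good, good, "lw", "lw"))
    print(bad, server_side_check(bad, bad, "lw", "lw"))
    # Anyone who captured the session can recover the password the same way,
    # which is why LOGIN/PLAIN should only be offered inside TLS:
    print(unb64("bHc="))
```

The base64 is an encoding, not encryption: the last line decodes the captured password with no key at all, which is the practical reason the noanonymous option in main.cf is not by itself enough to protect these credentials on the wire.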
Note: if your configuration is correct and authentication succeeds, but relaying still returns Relay access denied, your postfix version may be too old; try a newer release!