PPoossttffiixx SSAASSLL HHoowwttoo

-------------------------------------------------------------------------------

WARNING

People who go to the trouble of installing Postfix may expect Postfix to be
more secure than some other mailers. The Cyrus SASL library is a lot of code.
Enabling SASL authentication in the Postfix SMTP client or SMTP server makes
Postfix as secure as other mail systems that use the Cyrus SASL library.

ɤΤ褦 PPoossttffiixx  SSAASSLL ǧǧھȤ

Postfix SASL ݡ (RFC 2554)  Postfix SMTP ФФƥ⡼Ȥ SMTP
饤Ȥǧڤ뤿䡢⡼Ȥ SMTP ФФ Postfix SMTP
饤Ȥǧڤ뤿˻Ȥޤ

᡼ݡPostfix ϥ饤Ȥ󶡤桼̾ǧˡ
ɥ쥹᡼ե˵Ͽץ permit_sasl_authenticated
UCE ¤Ȥäƥ᡼륢Ĥޤ

饤ȤΥ桼̾ǧˡ¾ͤΤɬפϤʤᡢPostfix 
饤Ȥ SASL ǧھåإåˤϵϿ᡼ž
Ȥ SMTP ޥɤϤȤ⤢ޤ󡣤ξΤɬפϡ
 Postfix ᡼եǸĤǤ礦Ĥ Postfix
᡼إåǽˤʤä顢C ɤ񤭴 SASL 桼̾
ϿǤ褦ˤʤǤ礦

ΥɥȤϰʲ򥫥СƤޤ:

  * ݡȤƤ SASL С
  * SASL 饤֥ι
  * SASL ǧڥݡդ Postfix ι
  * Postfix SMTP Ф SASL ǧڤͭˤ
  * Postfix SMTP Ф SASL ǧڤƥȤ
  * SASL Υȥ֥륷塼ƥ
  * Postfix SMTP 饤Ȥ SASL ǧڤͭˤ
  * 쥸å

᡼ˡPostfix ϥơ֥뤫饵ФΥۥ̾Υɥᥤ
(ɥ쥹α¦ʬ) 򸡺桼̾ȥѥɤĤä顢Фؤ
ǧڤˤΥ桼̾ȥѥɤȤޤ

ݡȤƤ SSAASSLL С

Postfix+SASL 1.5.5  RedHat 6.1 (pwcheck_method  shadow ޤ sasldb 
)Solaris 2.7 (pwcheck_method  shadow ޤ sasldb )FreeBSD 3.4
(pwcheck_method  sasldb ) ưƤ褦ǤRedHat 6.1 ǤϡSASL
1.5.5 /etc/sasldb ؤν񤭹ߥ׵ᤷޤ SASL 
auto_transition å˴ط褦˸뤳ȤդƤCyrus
SASL ΥɥȤϡ"pwcheck_method"  "sasldb" Ȥˡͭ
ΤΤʤȤˤդƤSASL 1.5.x ꡼ΰʹߤ
СǤưǤ礦

Postfix+SASL 2.1.1  Mandrake Linux 8.1 (pwcheck_method  saslauthd ޤ
auxprop ) ưƤ褦Ǥ'auxprop' pwcheck_method  SASL 1.5.x 
'sasldb' method ֤ΤǤ뤳ȤդƤauto_transition
ǽȤOTP (one-time passwords) Τ褦˥ǡ١ secrets 򹹿
ɬפǧڥᥫ˥ȤΤǤСPostfix  /etc/sasldb2 ؤν񤭹
ɬפȤʤǤ礦

SSAASSLL 饤֥ι

Postfix ϰʲξ꤫Ǥ cyrus-sasl-1.5.5 ޤ cyrus-sasl-2.1.1 
Ȥư褦Ǥ:

    ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.

: ǥեȤΤ褦 Cyrus SASL 饤֥򥤥󥹥ȡ뤹ΤǤС
С 1.5.5 ФƤ /usr/lib/sasl -> /usr/local/lib/saslС
2.1.1 ФƤ /usr/lib/sasl2 -> /usr/local/lib/sasl2 Τ褦 symlink 
ĥɬפǤ礦

ˤȡMicrosoft Internet Explorer С 5 ɸ SASL LOGIN
ǧˡɬפȤޤǧˡͭˤˤϡ
``./configure --enable-login'' ꤷޤ

SSAASSLL ǧǧڥݡդ PPoossttffiixx ι

Postfix  SASL ǧڥݡդǥӥɤ뤿ˡCyrus SASL 󥯥롼
ե뤬 /usr/local/include ˡ Cyrus SASL 饤֥꤬ /usr/local/lib
ˤꤷޤ


륷ƥǤϡ뤳Ȥɬפ Makefile ޤ:

(for SASL version 1.5.5):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include" \
        AUXLIBS="-L/usr/local/lib -lsasl"

(for SASL version 2.1.1):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include/sasl" \
        AUXLIBS="-L/usr/local/lib -lsasl2"

On Solaris 2.x you need to specify run-time link information, otherwise
ld.so will not find the SASL shared library:

(for SASL version 1.5.5):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include" \
        AUXLIBS="-L/usr/local/lib -R/usr/local/lib -lsasl"

(for SASL version 2.1.1):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include/sasl" \
        AUXLIBS="-L/usr/local/lib -R/usr/local/lib -lsasl2"

PPoossttffiixx SSMMTTPP Ф SSAASSLL ǧǧڤͭͭˤ


SMTP Ф SASL ݡȤͭˤˤ:

    /etc/postfix/main.cf:
        smtpd_sasl_auth_enable = yes

In order to allow mail relaying by authenticated clients:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks permit_sasl_authenticated ...


In /usr/local/lib/sasl/smtpd.conf (SASL version 1.5.5) or
/usr/local/lib/sasl2/smtpd.conf (SASL version 2.1.1) you need to specify how
the server validates client passwords.

In order to authenticate against the UNIX password database, try:

(SASL version 1.5.5)

    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method: pwcheck

(SASL version 2.1.1)

    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method: pwcheck

The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or
/usr/local/lib/sasl2 (SASL version 2.1.1) that the SASL library uses can be
specified as follows:

    /etc/postfix/main.cf:
        smtpd_sasl_application_name = smtpd

The pwcheck daemon is contained in the cyrus-sasl source tarball.

IMPORTANT: the postfix process needs read+execute permission for the
/var/pwcheck directory, or authentication attempts will fail.

Alternately, for SASL version 1.5.26 and later (including 2.1.1), try:

(SASL version 1.5.26)

    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method: saslauthd

(SASL version 2.1.1)

    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method: saslauthd

The saslauthd daemon is also contained in the cyrus-sasl source tarball. It
can authenticate against PAM and various other sources, which makes it more
flexible than the pwcheck daemon. To use PAM, start saslauthd with "-a pam".

In order to authenticate against SASL's own password database, try:

(SASL version 1.5.5)

    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method:  sasldb

(SASL version 2.1.1)

    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method:  auxprop

This will use the SASL password file, which is maintained with the saslpasswd
or saslpasswd2 command (part of the Cyrus SASL software); the default is
/etc/sasldb for version 1.5.5, or /etc/sasldb2 for version 2.1.1. On some
poorly supported systems the saslpasswd command needs to be run multiple times
before it stops complaining. The Postfix SMTP server needs read access to the
sasldb file - you may have to play with group access permissions. With the OTP
authentication mechanism, the SMTP server also needs write access to
/etc/sasldb2 or /etc/sasldb (or to the back-end SQL database, if one is used).

IMPORTANT: all users must be able to authenticate with ALL authentication
mechanisms that Postfix advertises; otherwise, authentication may fail when
the negotiation picks a mechanism that the user cannot use. For example, if you
use saslauthd to authenticate against PAM (pluggable authentication modules),
only the PLAIN and LOGIN mechanisms are supported. The SASL library also
contains other mechanisms such as DIGEST-MD5, but those are provided by other
plug-ins, and because PAM is then the only authentication source available to
the SASL library, you may have to limit the list of mechanisms that Postfix
advertises. This is possible only with SASL version 2.1.1 and later:

    /usr/local/lib/sasl2/smtpd.conf:
        mech_list: plain login

For the same reason you may want to limit the list of plug-ins used for
authentication. With SASL version 1.5.5 your only choice is to delete the
corresponding libraries from /usr/local/lib/sasl. With SASL version 2.1.1:

    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method:  auxprop
        auxprop_plugin:  sql

IMPORTANT: to get sasldb running, make sure that you set the SASL domain
(realm) to a fully qualified domain name (FQDN).

EXAMPLE:

(SASL version 1.5.5)

    % saslpasswd -c -u `postconf -h myhostname` exampleuser

(SASL version 2.1.1)

    % saslpasswd2 -c -u `postconf -h myhostname` exampleuser

You can find out what SASL thinks the realm of the users in sasldb is by
using sasldblistusers (SASL version 1.5.5) or sasldblistusers2 (SASL version
2.1.1).

On the Postfix side, you can have only one realm per smtpd instance, and only
users belonging to that realm will be able to authenticate. The Postfix
variable smtpd_sasl_local_domain controls the realm used by smtpd:

    /etc/postfix/main.cf:
        smtpd_sasl_local_domain = $myhostname

Running software with SASL support in a chroot jail is an interesting
exercise. It is probably not worth the trouble.

Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects the SMTP server's reply to EHLO to be "250
AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients in
addition to conformant clients, set "broken_sasl_auth_clients = yes" in the
main.cf file.

PPoossttffiixx SSMMTTPP Ф SSAASSLL ǧǧڤƥȤ

¦ƥȤˤϡSMTP Ф³ȡΤ褦˲äǤ
褦ˤʤޤ饤ȤǼƤޤ

    220 server.host.tld ESMTP Postfix
    EHLO client.host.tld
    250-server.host.tld
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
    250 8BITMIME
    AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
    235 Authentication successful

The string dGVzdAB0ZXN0AHRlc3RwYXNz is username\0username\0password (where \0
is a null byte) encoded in base64; here the username is `test' and the
password is `testpass'.

To generate base64-encoded authentication information, you can use one of
the following commands:

    % printf 'username\0username\0password' | mmencode

    % perl -MMIME::Base64 -e \
        'print encode_base64("username\0username\0password");'

mmencode is part of the metamail software. MIME::Base64 is available from
http://www.cpan.org/.

When posting logs of SASL negotiations to public lists, please keep in mind
that username/password information is trivial to recover from the base64
data.
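The PLAIN encoding that the transcript above relies on, as an added example that is not part of the original document: it builds and decodes the username\0username\0password token, and shows how a posted negotiation log gives up the password. The transcript in the block is constructed from the document's own sample values.

```python
import base64

# Sample SMTP exchange constructed from the values shown in the document.
SAMPLE_TRANSCRIPT = """220 server.host.tld ESMTP Postfix
EHLO client.host.tld
250-server.host.tld
250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 Authentication successful
"""


def encode_plain(username, password, authzid=None):
    """Build the PLAIN initial response sent after 'AUTH PLAIN':
    authzid NUL authcid NUL password, base64 encoded.  The document's example
    repeats the username as the authorization id, which is the default here."""
    if authzid is None:
        authzid = username
    fields = (authzid, username, password)
    if any("\0" in f for f in fields):
        raise ValueError("a PLAIN field may not contain a NUL byte")
    return base64.b64encode("\0".join(fields).encode("utf-8")).decode("ascii")


def decode_plain(token):
    """Split a PLAIN response into (authzid, authcid, password); rejects
    tokens that are not valid base64 or do not carry exactly two NUL bytes."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must consist of three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


def credentials_in_transcript(text):
    """Recover every (username, password) pair from 'AUTH PLAIN <token>' lines.
    This is exactly what anyone reading a posted negotiation log can do."""
    found = []
    for line in text.splitlines():
        words = line.split()
        if len(words) == 3 and [w.upper() for w in words[:2]] == ["AUTH", "PLAIN"]:
            _authzid, user, password = decode_plain(words[2])
            found.append((user, password))
    return found
```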

SSAASSLL Υȥ֥륷塼ƥ

Cyrus SASL  "sample" Ȥ̾Υ֥ǥ쥯ȥ꤬ޤ
make ¹Ԥ桼 postfix (ޤ mail_owner ǥ쥯ƥ֤ꤷ)
 "su" ޤ:

    % su postfix

ƤǤäץ륵Фӥ饤Ȥ̡ΥߥʥǼ¹
ޤǤϤʤƤΤ򸫤Ĥ뤿˥Ф strace / ktrace /
truss ơƤץ륯饤Ȥǧڤ褦
ʤޤΥƥåפ򷫤֤ƤPostfix ΤϤθǤ

PPoossttffiixx SSMMTTPP 饤Ȥ SSAASSLL ǧǧڤͭͭˤ

饤¦ SASL ǧڤͭˤơۥޤΥ桼̾
桼̾ѥɾĥơ֥ꤷޤPostfix ϤޤФ
ۥ̾򸡺ޤ; ȥ꤬ĤʤȡΥɥᥤ̾ (̾
E᡼륢ɥ쥹α¦ʬǤ) 򸡺ޤ

    /etc/postfix/main.cf:
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

    /etc/postfix/sasl_passwd:
        foo.com             username:password
        bar.com             username

IMPORTANT: some SMTP servers support only PLAIN or LOGIN authentication. By
default, the Postfix SMTP client will not use authentication methods that
send plaintext passwords, and defers delivery with the following error
message: "Authentication failed: cannot SASL authenticate to server". To
enable plaintext authentication, specify, for example:

    /etc/postfix/main.cf:
        smtp_sasl_security_options =

The SASL client password file is opened before the SMTP server enters the
optional chroot jail, so you can keep the file in /etc/postfix.

IMPORTANT: some SMTP servers advertise authentication mechanisms that are
available on the client system but that do not actually work, or for which
the server does not hold suitable authentication information. To avoid such
mechanisms, the list of candidate mechanisms that the smtp(8) client will use
can be limited with the smtp_sasl_mechanism_filter parameter.

The Postfix SMTP client is compatible with SMTP servers that use the
non-standard "AUTH=stuff..." syntax in response to the EHLO command; this
requires no additional Postfix client configuration.
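An added illustration, not Postfix's own code, of the client-side behaviour described in this section: a parser for the sasl_passwd table, the hostname-then-domain lookup order, and a deliberately simplified model of smtp_sasl_security_options (only "noplaintext" is honoured) and smtp_sasl_mechanism_filter (treated as a plain list of allowed names, with the first surviving mechanism in the server's order chosen). The sample table is constructed from the document's example plus one per-host entry.

```python
# Constructed sample of the sasl_passwd table shown in the document, with one
# extra per-host entry to exercise the lookup order.
SASL_PASSWD = """
# comments and blank lines are ignored
mail.foo.com        alice:alicepw
foo.com             username:password
bar.com             username
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_sasl_passwd(text):
    """Parse the table into {lookup-key: (username, password or None)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        user, _sep, password = value.partition(":")
        table[key.lower()] = (user, password or None)
    return table


def lookup_credentials(table, server_hostname, destination_domain):
    """Lookup order described in the text: server hostname first, then the
    destination domain (the right-hand part of the recipient address)."""
    for key in (server_hostname.lower(), destination_domain.lower()):
        if key in table:
            return table[key]
    return None


def choose_mechanism(advertised, security_options="noplaintext", mechanism_filter=None):
    """Pick a mechanism from the server's 'AUTH ...' EHLO list.  Simplified
    model (assumption): only the 'noplaintext' security option is honoured,
    the filter is a plain list of allowed names, and the first surviving
    mechanism in the server's order wins.  None means the client would defer
    with 'cannot SASL authenticate to server'."""
    candidates = [m.upper() for m in advertised]
    if mechanism_filter is not None:
        allowed = {m.upper() for m in mechanism_filter}
        candidates = [m for m in candidates if m in allowed]
    if "noplaintext" in security_options.replace(",", " ").split():
        candidates = [m for m in candidates if m not in PLAINTEXT_MECHS]
    return candidates[0] if candidates else None
```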

Credits

  * The Postfix SASL support was originally implemented by Till Franke of
    SuSE Rhein/Main AG.
  * Wietse trimmed down the code to only the bare necessities.
  * Support for SASL version 2 was contributed by Jason Hoos.
  * Liviu Daia added smtpd_sasl_application_name, split
    reject_sender_login_mismatch into reject_authenticated_sender_login_mismatch
    and reject_unauthenticated_sender_login_mismatch, and updated the
    documentation.

