
Re: [suse-security] cyrus-SASL - need help



Hi!

As this is getting too complicated, I'll give you a copy of all the
important config settings.

Milan Milosevic wrote:

> Hello Andreas,
>
>
>> # saslauthd -da pam
>> Try it with testsaslauthd and check the output in the other window.
>> Show the complete messages.
>
>
> seenet-mtp:~ # saslauthd -da pam
> saslauthd[5273] :main : num_procs : 5
> saslauthd[5273] :main : mech_option: NULL
> saslauthd[5273] :main : run_path : /var/run/sasl2/
> saslauthd[5273] :main : auth_mech : pam
> saslauthd[5273] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
> saslauthd[5273] :detach_tty : master pid is: 0
> saslauthd[5273] :ipc_init : listening on socket: /var/run/sasl2//mux
> saslauthd[5273] :main : using process model
> saslauthd[5274] :get_accept_lock : acquired accept lock
> saslauthd[5273] :have_baby : forked child: 5274
> saslauthd[5273] :have_baby : forked child: 5275
> saslauthd[5273] :have_baby : forked child: 5276
> saslauthd[5273] :have_baby : forked child: 5277
> saslauthd[5274] :rel_accept_lock : released accept lock
> saslauthd[5275] :get_accept_lock : acquired accept lock
> saslauthd[5274] :do_auth : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
>
> I tried the same for saslauthd -da shadow (the method I used) and the
> result is:
>
> seenet-mtp:~ # saslauthd -da shadow
> saslauthd[5319] :main : num_procs : 5
> saslauthd[5319] :main : mech_option: NULL
> saslauthd[5319] :main : run_path : /var/run/sasl2/
> saslauthd[5319] :main : auth_mech : shadow
> saslauthd[5319] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
> saslauthd[5319] :detach_tty : master pid is: 0
> saslauthd[5319] :ipc_init : listening on socket: /var/run/sasl2//mux
> saslauthd[5319] :main : using process model
> saslauthd[5320] :get_accept_lock : acquired accept lock
> saslauthd[5319] :have_baby : forked child: 5320
> saslauthd[5319] :have_baby : forked child: 5321
> saslauthd[5319] :have_baby : forked child: 5322
> saslauthd[5319] :have_baby : forked child: 5323
> saslauthd[5320] :rel_accept_lock : released accept lock
> saslauthd[5321] :get_accept_lock : acquired accept lock
> saslauthd[5319] :handle_sigchld : child exited: 5320

Here are some configs to help set things up. To keep it from getting
too complicated, turn off the chroot environment in
/etc/sysconfig/postfix (you can turn it back on later if no errors
occur, because this is mostly the problem, and finding errors within
the chroot is more complicated than finding the error in your config).

Due to the complexity of this topic I can't guarantee the correctness
or completeness of my settings!

This is how I did it with postfix + TLS (protocols: pop3, imap, smtp;
with TLS: pop3s, smtps, imaps) + cyrus + sasl + smtp-auth + amavisd_new +
spamassassin (incl. with amavisd_new):

1)

Make a backup of your mailsetup!

2)

Make sure you have the following required packages installed:

postfix, cyrus, cyrus-sasl, amavisd_new, spamassassin, spamd, razor
agents, openssl, perl, and the perl modules needed (I don't exactly know
all of them right now)

3)

Use your editor of choice and configure stuff:

less /etc/cyrus.conf

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

less /etc/postfix/main.cf

[...]
unknown_local_recipient_reject_code = 450
[...]
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/spool/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = # put your FQDN here!
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = # put all your destinations here!
defer_transports =
disable_dns_lookups = no
relayhost =
content_filter = vscan:
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
fallback_transport = cyrus
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/ssl/certs/cert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/certs/cert.key
smtpd_tls_capath = /etc/postfix/ssl/certs
smtpd_tls_received_header = yes
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_tls_ask_ccert = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_non_fqdn_recipient, permit_mynetworks,
    permit_sasl_authenticated, permit_tls_clientcerts,
    reject_unauth_destination
smtp_use_tls = yes
#SMTP-Auth for relaying
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = $smtp_sasl_security_options
broken_sasl_auth_clients = yes
#SMTP-Auth for relaying
alias_maps = hash:/etc/aliases
#setup your limits to your desire, this is what our users wanted ;)
mailbox_size_limit = 409600000
message_size_limit = 102400000
html_directory = /usr/share/doc/packages/postfix/html
virtual_alias_maps = hash:/etc/postfix/virtual

#Don't forget to make certificates for postfix!

less /etc/postfix/master.cf

[...]
smtp      inet  n       -       y       -       2       smtpd
  -o content_filter=smtp:[localhost]:10024
smtps     inet  n       -       y       -       2       smtpd
  -o smtpd_tls_wrappermode=yes -o content_filter=smtp:[localhost]:10024
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission     inet    n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       y       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
localhost:10025 inet    n       -       y       -       -       smtpd
  -o content_filter=
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan     unix  -       n       n       -       10       pipe
  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}

/etc/amavisd.conf

only the important settings are shown:

Section I:

# Enter the name for $mydomain, this is used for a lot of config settings!!!

Section III:
# log spam to see whether there are false positives, for tracking down problems later
$log_level = 2;

Section IV:
# prevent spam through notifications to the sender!
$warnvirussender = 0;
$warnspamsender = 0;
$warnbannedsender = 0;
$warnbadhsender = 0;
$warnvirusrecip = 1;
$warnbannedrecip = 0;
$warn_offsite = 0;
$virus_quarantine_to = undef;
$spam_quarantine_to = undef;
$remove_existing_x_scanned_headers = 1;
$remove_existing_spam_headers = 1;
under banned_filename_re = [...] uncomment (or comment out) the lines for
the extensions you don't want (or want)!

Section V:
# save time and don't look up mail addresses
$localpart_is_case_sensitive = 0;

Section VI:
# DoS prevention, don't scan inside multiply nested recursive attachments
# like 42.zip
$MAXLEVELS = 14;
$MAXFILES = 1500;

Section VII:
# spam handling
$sa_local_tests_only = 1;
$sa_timeout = 30;
# limit size to 150kB per mail for spam scanning
$sa_mail_body_size_limit = 150*1024;
$sa_tag_level_deflt = 3.0;
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = $sa_tag_level_deflt;
$sa_dsn_cutoff_level = 8;
$sa_spam_subject_tag = '***SPAM***'; # or whatever name you like!
$sa_spam_modifies_subj = 1;

4)

Restart the daemons for the changes to take effect:

amavis, cyrus, postfix, spamd

5)

Send test mails (a spam, a virus and a normal one) to test your setup!

For errors, look in /var/log/mail* for messages (less /var/log/mail* |
grep EXPRESSION).

If there are no errors enjoy your setup!

Keep an eye on new updates and restart the daemons after updating!

Regards

Philippe

--
This message is digitally signed and contains neither a seal nor a
handwritten signature!

Sending unsolicited advertising e-mail to private individuals violates
§1 UWG and §823 I BGB (ruling of the LG Berlin of 2 Aug 1998, case no.
16 O 201/98). Any commercial use of the personal data transmitted here,
or passing it on to third parties, is expressly prohibited!
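An added example, not part of Philippe's mail or of the Postfix/Cyrus projects: a small POSIX shell lint that applies three checks a practitioner would want to run against settings like the ones above before exposing the box. It checks that smtpd_recipient_restrictions still closes the relay, that SASL logins are not accepted in clear text on port 25 (the posted main.cf has smtpd_sasl_auth_enable = yes with only noanonymous and no smtpd_tls_auth_only), and that a chrooted smtpd (chroot column 'y' in master.cf) could actually reach the saslauthd socket (run_path /var/run/sasl2/ in the quoted log), which is the chroot problem the mail advises working around. The two sample configs are constructed to mirror the fragments in the mail; the hostname, the paths and the hardened variant are assumptions.

```shell
#!/bin/sh
# Added example, not from the original mail: offline lint for the
# Postfix settings discussed above. Sample configs are constructed to
# mirror the posted main.cf / master.cf; hostname and paths are assumed.

# Print the flattened value of main.cf parameter $1 (config on stdin).
# Postfix treats lines that start with whitespace as continuations.
pf_get() {
    awk -v key="$1" '
        /^[ \t]/ { if (found) val = val " " $0; next }
        found    { exit }
        /^[^#]/  { n = index($0, "="); if (!n) next
                   k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
                   if (k == key) { found = 1; val = substr($0, n + 1) } }
        END      { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val)
                   sub(/ $/, "", val); print val }'
}

# True when the space-separated list $2 contains the word $1.
has_token() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# Check 1: relay control. The relay only stays closed while
# reject_unauth_destination is in the recipient restrictions, and a
# bare "permit" in front of it would short-circuit that reject.
check_relay() {
    r=$(printf '%s\n' "$1" | pf_get smtpd_recipient_restrictions)
    if ! has_token reject_unauth_destination "$r"; then
        echo OPEN-RELAY-RISK; return 1
    fi
    if has_token permit "${r%%reject_unauth_destination*}"; then
        echo PERMIT-BEFORE-REJECT; return 1
    fi
    echo OK
}

# Check 2: credentials on port 25. With SASL enabled but neither
# smtpd_tls_auth_only = yes nor "noplaintext" in the security options,
# PLAIN/LOGIN passwords may be sent before STARTTLS, in the clear.
check_sasl_tls() {
    if [ "$(printf '%s\n' "$1" | pf_get smtpd_sasl_auth_enable)" != yes ]; then
        echo SASL-OFF; return 0
    fi
    opts=$(printf '%s\n' "$1" | pf_get smtpd_sasl_security_options)
    tls_only=$(printf '%s\n' "$1" | pf_get smtpd_tls_auth_only)
    if ! has_token noanonymous "$opts"; then
        echo ANONYMOUS-ALLOWED; return 1
    fi
    if [ "$tls_only" != yes ] && ! has_token noplaintext "$opts"; then
        echo PLAINTEXT-AUTH-ON-25; return 1
    fi
    echo OK
}

# Check 3: chroot vs. saslauthd. master.cf column 5 is the chroot flag.
# An smtpd chrooted into the queue directory cannot open a saslauthd
# mux socket outside it, e.g. the /var/run/sasl2/ run_path in the log.
check_chroot_sasl() {
    master=$1; run_path=$2; queue_dir=${3:-/var/spool/postfix}
    chrooted=$(printf '%s\n' "$master" |
        awk '$1 !~ /^#/ && $5 == "y" && $8 == "smtpd" { print $1 }' |
        paste -s -d , -)
    if [ -z "$chrooted" ]; then echo OK; return 0; fi
    case "$run_path" in
        "$queue_dir"/*) echo OK ;;
        *) echo "SASL-SOCKET-OUTSIDE-CHROOT:$chrooted"; return 1 ;;
    esac
}

# Run all checks on main.cf $1, master.cf $2, saslauthd run_path $3.
lint_all() {
    rc=0
    out=$(check_relay "$1") || rc=1;            echo "relay:  $out"
    out=$(check_sasl_tls "$1") || rc=1;         echo "sasl:   $out"
    out=$(check_chroot_sasl "$2" "$3") || rc=1; echo "chroot: $out"
    return $rc
}

# Constructed sample: the relevant lines of the posted main.cf.
SAMPLE_MAIN='myhostname = mail.example.invalid
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_non_fqdn_recipient, permit_mynetworks,
    permit_sasl_authenticated, permit_tls_clientcerts,
    reject_unauth_destination'
# Hardened variant (assumption): require STARTTLS before AUTH.
HARDENED_MAIN="$SAMPLE_MAIN
smtpd_tls_auth_only = yes"

# Constructed sample: the smtpd entries of the posted master.cf.
# columns: service type private unpriv chroot wakeup maxproc command
SAMPLE_MASTER='smtp      inet  n       -       y       -       2       smtpd
  -o content_filter=smtp:[localhost]:10024
smtps     inet  n       -       y       -       2       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       y       60      1       pickup
localhost:10025 inet    n       -       y       -       -       smtpd'
# The same with the chroot column switched off, as the mail suggests.
UNCHROOTED_MASTER=$(printf '%s\n' "$SAMPLE_MASTER" | awk '$5 == "y" { $5 = "n" } { print }')

echo "--- as posted"; lint_all "$SAMPLE_MAIN" "$SAMPLE_MASTER" /var/run/sasl2/ || true
echo "--- hardened";  lint_all "$HARDENED_MAIN" "$UNCHROOTED_MASTER" /var/run/sasl2/
```

Run it as is to see both reports; to lint a live box, pass `$(cat /etc/postfix/main.cf)`, `$(cat /etc/postfix/master.cf)` and the run_path from saslauthd's startup output to lint_all. The chroot check only covers the socket path; moving saslauthd's run directory under the queue directory is the usual alternative to turning the chroot off, but that is a separate configuration step not shown in the mail.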

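The log-grepping step from point 5, as an added example that is not from the mail: an awk summary of saslauthd failures over /var/log/mail*, keyed on the do_auth "auth failure: [user=...] [service=...]" message format visible in the quoted debug output, so repeated failures against one account stand out instead of being read line by line. The log lines are constructed in syslog style; host, users, address and timestamps are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mail: summarise saslauthd
# failures in /var/log/mail*. Log lines below are constructed in syslog
# style; host, users, address and timestamps are placeholders.
SAMPLE_MAILLOG='Nov 20 14:02:11 seenet-mtp saslauthd[5274]: do_auth         : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Nov 20 14:02:15 seenet-mtp saslauthd[5275]: do_auth         : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
Nov 20 14:02:19 seenet-mtp saslauthd[5274]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=Unknown]
Nov 20 14:02:20 seenet-mtp saslauthd[5276]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=Unknown]
Nov 20 14:02:21 seenet-mtp saslauthd[5277]: do_auth         : auth failure: [user=admin] [service=smtp] [realm=] [mech=pam] [reason=Unknown]
Nov 20 14:02:30 seenet-mtp postfix/smtpd[5301]: connect from unknown[192.0.2.10]
Nov 20 14:02:31 seenet-mtp postfix/smtpd[5301]: disconnect from unknown[192.0.2.10]'

# Count failures per user and service; prints "count user service",
# most frequent first. $1 is the log text (cat /var/log/mail* in practice).
sasl_failures() {
    printf '%s\n' "$1" | awk '
        # strip "[key=" and the closing "]" from one bracketed field
        function bare(f) { sub(/^\[[a-z]+=/, "", f); sub(/\]$/, "", f); return f }
        /saslauthd\[[0-9]+\]: .*auth failure:/ {
            u = s = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[user=/)    u = bare($i)
                if ($i ~ /^\[service=/) s = bare($i)
            }
            n[u " " s]++
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Users with at least $2 failures in log $1, comma separated (empty if none).
flag_bruteforce() {
    sasl_failures "$1" | awk -v t="$2" '$1 + 0 >= t + 0 { print $2 }' |
        sort -u | paste -s -d , -
}

echo "failures per user/service:"; sasl_failures "$SAMPLE_MAILLOG"
echo "users at or over 3 failures: $(flag_bruteforce "$SAMPLE_MAILLOG" 3)"
```

The threshold is a judgement call: the posted debug session produced one failure for a legitimate user, so a cut-off of one would only flag the admin's own testing, while a short burst of several failures on one account from a service that user never uses (smtp here) is worth a look.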
