Re: [suse-security] cyrus-SASL - need help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi!
As this is too complicated I give you a copy of all important config
settings.
Milan Milosevic wrote:
> Hello Andreas,
>
>
>> # saslauthd -da pam
>> Try it with testsaslauthd and check the output in the other window.
>> Show the complete messages.
>
>
> seenet-mtp:~ # saslauthd -da pam
> saslauthd[5273] :main : num_procs : 5
> saslauthd[5273] :main : mech_option: NULL
> saslauthd[5273] :main : run_path : /var/run/sasl2/
> saslauthd[5273] :main : auth_mech : pam
> saslauthd[5273] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
> saslauthd[5273] :detach_tty : master pid is: 0
> saslauthd[5273] :ipc_init : listening on socket: /var/run/sasl2//mux
> saslauthd[5273] :main : using process model
> saslauthd[5274] :get_accept_lock : acquired accept lock
> saslauthd[5273] :have_baby : forked child: 5274
> saslauthd[5273] :have_baby : forked child: 5275
> saslauthd[5273] :have_baby : forked child: 5276
> saslauthd[5273] :have_baby : forked child: 5277
> saslauthd[5274] :rel_accept_lock : released accept lock
> saslauthd[5275] :get_accept_lock : acquired accept lock
> saslauthd[5274] :do_auth : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
>
> I tried the same for saslauthd -da shadow (the method I used) and the
> result is:
>
> seenet-mtp:~ # saslauthd -da shadow
> saslauthd[5319] :main : num_procs : 5
> saslauthd[5319] :main : mech_option: NULL
> saslauthd[5319] :main : run_path : /var/run/sasl2/
> saslauthd[5319] :main : auth_mech : shadow
> saslauthd[5319] :ipc_init : using accept lock file: /var/run/sasl2//mux.accept
> saslauthd[5319] :detach_tty : master pid is: 0
> saslauthd[5319] :ipc_init : listening on socket: /var/run/sasl2//mux
> saslauthd[5319] :main : using process model
> saslauthd[5320] :get_accept_lock : acquired accept lock
> saslauthd[5319] :have_baby : forked child: 5320
> saslauthd[5319] :have_baby : forked child: 5321
> saslauthd[5319] :have_baby : forked child: 5322
> saslauthd[5319] :have_baby : forked child: 5323
> saslauthd[5320] :rel_accept_lock : released accept lock
> saslauthd[5321] :get_accept_lock : acquired accept lock
> saslauthd[5319] :handle_sigchld : child exited: 5320
Here are some configs helping to set up the stuff. To not get too
complicated, turn off the chroot environment in /etc/sysconfig/postfix
(later you may turn it on again if no error occurs, because this is mostly
the problem, and finding errors within the chroot is more complicated than
finding the error in your config).
Due to the complexity of this theme I can't give guarantee for
correctness or completeness of my settings!
This is how I did it with postfix + tls (protocols: pop3, imap, smtp,
tls: pop3s, smtps, imaps) + cyrus + sasl + smtp-auth + amavisd_new +
spamassassin (incl. with amavisd_new):
1)
Make a backup of your mailsetup!
2)
make sure you have the following required packages installed:
postfix, cyrus, cyrus sasl, amavisd_new, spamassassin, spamd, razor
agents, openssl, perl, perl modules needed (don't exactly know all of
them right now)
3)
Use your editor of choice and configure stuff:
less /etc/cyrus.conf
# standard standalone server implementation
START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"
  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}
# UNIX sockets start with a slash and are put into /var/lib/imap/socket
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=0
  imaps         cmd="imapd -s" listen="imaps" prefork=0
  pop3          cmd="pop3d" listen="pop3" prefork=0
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=0
  sieve         cmd="timsieved" listen="sieve" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/spool/postfix/public/lmtp" prefork=1
}
EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30
  # this is only necessary if using duplicate delivery suppression
  delprune      cmd="cyr_expire -E 3" at=0400
  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}
less /etc/postfix/main.cf
[...]
unknown_local_recipient_reject_code = 450
[...]
readme_directory = /usr/share/doc/packages/postfix/README_FILES
mail_spool_directory = /var/spool/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_maps = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = #put your FQDN here!
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = # put all your destinations here!
defer_transports =
disable_dns_lookups = no
relayhost =
content_filter = vscan:
mailbox_command =
mailbox_transport = lmtp:unix:public/lmtp
fallback_transport = cyrus
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/ssl/certs/cert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/cert.crt
smtpd_tls_key_file = /etc/postfix/ssl/certs/cert.key
smtpd_tls_capath = /etc/postfix/ssl/certs
smtpd_tls_received_header = yes
tls_daemon_random_source = dev:/dev/urandom
tls_random_source = dev:/dev/urandom
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_tls_ask_ccert = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_non_fqdn_recipient, permit_mynetworks,
    permit_sasl_authenticated, permit_tls_clientcerts,
    reject_unauth_destination
smtp_use_tls = yes
#SMTP-Auth for relaying
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = $smtp_sasl_security_options
broken_sasl_auth_clients = yes
#SMTP-Auth for relaying
alias_maps = hash:/etc/aliases
#setup your limits to your desire, this is what our users wanted ;)
mailbox_size_limit = 409600000
message_size_limit = 102400000
html_directory = /usr/share/doc/packages/postfix/html
virtual_alias_maps = hash:/etc/postfix/virtual
#Don't forget to make certificates for postfix!
less /etc/postfix/master.cf
[...]
smtp      inet  n       -       y       -       2       smtpd
  -o content_filter=smtp:[localhost]:10024
smtps     inet  n       -       y       -       2       smtpd
  -o smtpd_tls_wrappermode=yes -o content_filter=smtp:[localhost]:10024
  -o smtpd_sasl_auth_enable=yes
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      fifo  n       -       y       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#  -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       y       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
localhost:10025 inet n  -       y       -       -       smtpd
  -o content_filter=
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
vscan     unix  -       n       n       -       10      pipe
  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}
procmail  unix  -       n       n       -       -       pipe
  flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc ${sender} ${recipient}
/etc/amavisd.conf
Only the important settings are highlighted:
Section I:
#_Enter name for $mydomain, this is used for a lot 'o' config settings!!!_
Section III:
# log spam to see if false positives are found for later finding problems
$log_level = 2;
Section IV:
# prevent spam through notification of sender!
$warnvirussender = 0;
$warnspamsender = 0;
$warnbannedsender = 0;
$warnbadhsender = 0;
$warnvirusrecip = 1;
$warnbannedrecip = 0;
$warn_offsite = 0;
$virus_quarantine_to = undef;
$spam_quarantine_to = undef;
$remove_existing_x_scanned_headers = 1;
$remove_existing_spam_headers = 1;
under $banned_filename_re = [...] uncomment (or comment) the lines for
extensions you don't want (or want)!
Section V:
# save time and don't look up mail addresses
$localpart_is_case_sensitive = 0;
Section VI:
# DoS prevention: don't scan inside deeply nested recursive attachments
# like 42.zip
$MAXLEVELS = 14;
$MAXFILES = 1500;
Section VII:
# spam handling
$sa_local_tests_only = 1;
$sa_timeout = 30;
# limit size to 150kB per mail for spam scanning
$sa_mail_body_size_limit = 150*1024;
$sa_tag_level_deflt = 3.0;
$sa_tag2_level_deflt = 4.0;
$sa_kill_level_deflt = $sa_tag_level_deflt;
$sa_dsn_cutoff_level = 8;
$sa_spam_subject_tag = '***SPAM***'; # or whatever name you like!
$sa_spam_modifies_subj = 1;
4)
restart the daemons for the changes to take effect:
amavis, cyrus, postfix, spamd
5)
Send test-mail with spam, virus and normal one to test your setup!
For errors look in /var/log/mail* for messages (less /var/log/mail* |
grep EXPRESSION).
If there are no errors enjoy your setup!
Take care of new updates and restart them after updating!
Regards
Philippe
- --
This message is digitally signed and contains neither a seal nor a
handwritten signature!
Sending unsolicited advertising e-mail to private individuals violates
§1 UWG and §823 I BGB (ruling of the LG Berlin of 2 Aug 1998, case no.
16 O 201/98). Any commercial use of the transmitted personal data, and
any disclosure of it to third parties, is expressly prohibited!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: GnuPT 2.7.2
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQD1AwUBQ4B4q0Ng1DRVIGjBAQLAagcAkop+sw1zw8sR6nPbGgLoYGGq7r1w1V8G
z87ATahYwPqTFw6q3advPBLkAcxuiS53RcrbuD0gDLCVCi48rKO7Y7BD/iZ7lGrq
LFrzSRX4UVCOnzSq3PoPml4bJKt0KS0p4u29l0LKLxLXnMhjZY7NDw4Fx2s/aAPZ
qtzdugKXMbpat/QkltRunbgu0vEK8JuwIpWGh1x4T1Avvb9e9W5bAZUamVjY8aaW
LZSbNwSzzBnqfx2tgWxuhrr+l1bn7Kj7oim5FWRRWdva/XsS0kNZyQIf6NIrswiI
ucR1XQawRiQ=
=GDKj
-----END PGP SIGNATURE-----
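Added example, not part of Philippe's posting or of Postfix, Cyrus or SUSE: a small Python script covering the two things a reader of this thread most likely wants to check. First, it parses a main.cf like the one above (continuation lines included, which is exactly what the line-wrapped listing in the mail obscures) and audits the SMTP AUTH settings: with smtpd_sasl_auth_enable = yes, smtpd_sasl_security_options = noanonymous and no smtpd_tls_auth_only, as in the posted config, Postfix announces PLAIN/LOGIN on the unencrypted port 25 session, so a client can send its password before STARTTLS; the hardened variant shows the usual fix (smtpd_tls_auth_only = yes plus noplaintext, relaxed again for TLS sessions via smtpd_sasl_tls_security_options). Second, it extracts the "do_auth : auth failure" records from saslauthd -d output of the form Milan quoted and counts them per user, mechanism and reason. The main.cf snippets and the saslauthd log lines are constructed for this example.

```python
import re
from collections import Counter


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text, joining continuation lines
    (a line starting with whitespace continues the previous parameter)."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()      # continuation line
            continue
        if "=" not in raw:
            continue                                  # not a parameter line
        key, value = raw.split("=", 1)
        current = key.strip()
        params[current] = value.strip()               # later values win, as in postconf
    return params


def split_options(value):
    """Split a comma/space separated Postfix list (restrictions, options) into a set."""
    return set(value.replace(",", " ").split())


def audit_sasl(params):
    """Findings about SMTP AUTH password exposure; an empty list means none found."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings                               # AUTH is not offered at all
    # Postfix default for smtpd_sasl_security_options is "noanonymous".
    opts = split_options(params.get("smtpd_sasl_security_options", "noanonymous"))
    tls_only = params.get("smtpd_tls_auth_only", "no") == "yes"
    tls_on = (params.get("smtpd_use_tls", "no") == "yes"
              or params.get("smtpd_tls_security_level", "none") != "none")
    if "noanonymous" not in opts:
        findings.append("anonymous SASL mechanisms allowed: add noanonymous "
                        "to smtpd_sasl_security_options")
    if not tls_only and "noplaintext" not in opts:
        findings.append("PLAIN/LOGIN offered on unencrypted connections: set "
                        "smtpd_tls_auth_only = yes (or add noplaintext to "
                        "smtpd_sasl_security_options)")
    if tls_only and not tls_on:
        findings.append("smtpd_tls_auth_only = yes but TLS is not enabled: "
                        "AUTH will never be announced")
    return findings


# Constructed to mirror the posted main.cf: AUTH on, TLS on, but nothing
# stops a client from using PLAIN before STARTTLS.
WEAK_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    reject_non_fqdn_recipient, permit_mynetworks,
    permit_sasl_authenticated, permit_tls_clientcerts,
    reject_unauth_destination
"""

# Same server with plaintext mechanisms restricted to TLS sessions.
HARDENED_MAIN_CF = WEAK_MAIN_CF + """\
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
"""

# Matches the saslauthd -d failure record format quoted in the thread.
FAILURE_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\] :do_auth\s*: auth failure: "
    r"\[user=(?P<user>[^\]]*)\] \[service=(?P<service>[^\]]*)\] "
    r"\[realm=(?P<realm>[^\]]*)\] \[mech=(?P<mech>[^\]]*)\] "
    r"\[reason=(?P<reason>[^\]]*)\]"
)


def parse_saslauthd_failures(log_text):
    """Return one dict per 'auth failure' line; other debug lines are ignored."""
    return [m.groupdict() for m in map(FAILURE_RE.search, log_text.splitlines()) if m]


def failures_by_user(failures):
    """Count failures per (user, mech, reason), e.g. to spot password guessing."""
    return Counter((f["user"], f["mech"], f["reason"]) for f in failures)


# Constructed saslauthd -d output in the format quoted in the thread.
SAMPLE_SASLAUTHD_LOG = """\
saslauthd[5273] :main            : auth_mech        : pam
saslauthd[5274] :get_accept_lock : acquired accept lock
saslauthd[5274] :do_auth         : auth failure: [user=mmilan] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[5275] :do_auth         : auth failure: [user=mmilan] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[5276] :do_auth         : auth failure: [user=guest] [service=imap] [realm=] [mech=pam] [reason=Unknown]
"""

if __name__ == "__main__":
    for finding in audit_sasl(parse_main_cf(WEAK_MAIN_CF)):
        print("weak:", finding)
    print("hardened:", audit_sasl(parse_main_cf(HARDENED_MAIN_CF)) or "no findings")
    for (user, mech, reason), n in failures_by_user(
            parse_saslauthd_failures(SAMPLE_SASLAUTHD_LOG)).items():
        print(f"{n}x user={user} mech={mech} reason={reason}")
```

Run it against a real file with parse_main_cf(open("/etc/postfix/main.cf").read()); since the parser treats later assignments as overriding earlier ones, the same way postconf -n reports them, appending the hardened lines to an existing main.cf is enough to make the audit come back clean.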