diff --git a/postfix/HISTORY b/postfix/HISTORY index 1f6fbf838..b18936090 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -11657,6 +11657,9 @@ Apologies for any names omitted. addresses with numeric domains instead of rejecting them as invalid. Files: trivial-rewrite/resolve.c, util/vstring.c. + Bugfix: 20051219 "postconf -A" produced "postconf -a" output. + Andreas Winkelmann. + Open problems: "postsuper -r" no longer resets the message arrival time, diff --git a/postfix/README_FILES/SASL_README b/postfix/README_FILES/SASL_README index 12ca1c6b3..21f0f0de6 100644 --- a/postfix/README_FILES/SASL_README +++ b/postfix/README_FILES/SASL_README @@ -7,7 +7,8 @@ WWAARRNNIINNGG People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library is a lot of code. With this, Postfix becomes as secure as other mail systems that -use the Cyrus SASL library. +use the Cyrus SASL library. Dovecot provides an alternative that may be worth +considering. HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn @@ -27,7 +28,7 @@ search its SASL password table by the sender email address. This document covers the following topics: - * What SASL versions are supported + * What SASL implementations are supported * Building Postfix with Dovecot SASL support * Building the Cyrus SASL library * Building Postfix with Cyrus SASL support @@ -39,7 +40,7 @@ This document covers the following topics: * Enabling SASL authentication in the Postfix SMTP client * Credits -WWhhaatt SSAASSLL vveerrssiioonnss aarree ssuuppppoorrtteedd +WWhhaatt SSAASSLL iimmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd This document describes Postfix with the following SASL implementations: 
@@ -56,19 +57,23 @@ Postfix, use the following commands: % postconf -a (SASL support in the SMTP server) % postconf -A (SASL support in the SMTP+LMTP client) -Needless to say, these commands are not available in Postfix versions before -2.3. +Needless to say, these commands are not available in earlier Postfix versions. BBuuiillddiinngg PPoossttffiixx wwiitthh DDoovveeccoott SSAASSLL ssuuppppoorrtt -Dovecot is available via http://www.dovecot.org/. It uses its own daemon -process for authentication. Building Postfix with Dovecot SASL support is -relatively easy, because there is no need to link extra libraries into Postfix. +Dovecot SASL support is available in Postfix 2.3 and later. The Dovecot source +code is available via http://www.dovecot.org/. At the time of writing, only +server-side SASL support is available, so you can't use it to authenticate to +your network provider's server. Dovecot uses its own daemon process for +authentication. This keeps the Postfix build process simple, because there is +no need to link extra libraries into Postfix. To generate the necessary Makefiles, execute the following in the Postfix top- level directory: -% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"' + % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"' + +After this, proceed with "make" as described in the INSTALL document. Notes: @@ -79,8 +84,6 @@ Notes: * If you also want support for LDAP or TLS, you will have to merge their CCARGS and AUXLIBS into the above command line. - * After this, proceed with "make" as described in the INSTALL document. - BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are 
@@ -98,9 +101,8 @@ SASL LOGIN authentication method. To enable this authentication method, specify BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt -To build Postfix with SASL authentication support, the following assumes that -the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL -libraries are in /usr/local/lib. +The following assumes that the Cyrus SASL include files are in /usr/local/ +include, and that the Cyrus SASL libraries are in /usr/local/lib. On some systems this generates the necessary Makefile definitions: @@ -154,11 +156,20 @@ and later): Note: the SASL login names will be shared with the entire world. +Older Microsoft SMTP client software implements a non-standard version of the +AUTH protocol syntax, and expects that the SMTP server replies to EHLO with +"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in +addition to conformant clients) use the following: + + /etc/postfix/main.cf: + broken_sasl_auth_clients = yes + DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr -On the Postfix side you need to specify the location of the Dovecot -authentication daemon socket. We use a pathname relative to the Postfix queue -directory, so that it will work whether or not Postfix runs chrooted: +Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side +you need to specify the location of the Dovecot authentication daemon socket. +We use a pathname relative to the Postfix queue directory, so that it will work +whether or not Postfix runs chrooted: /etc/postfix/main.cf: smtpd_sasl_type = dovecot 
@@ -172,15 +183,15 @@ that the Postfix queue is under /var/spool/postfix/. auth default { .. socket listen { - client { - path = /var/spool/postfix/private/auth - mode = 0666 - } + client { + path = /var/spool/postfix/private/auth + mode = 0666 + } } } -See the Dovecot documentation for how to configure the Dovecot authentication -server. +See the Dovecot documentation for how to configure and operate the Dovecot +authentication server. CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr @@ -314,21 +325,15 @@ authentication. To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble. -Older Microsoft SMTP client software implements a non-standard version of the -AUTH protocol syntax, and expects that the SMTP server replies to EHLO with -"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients in -addition to conformant clients, set "broken_sasl_auth_clients = yes" in the -main.cf file. - TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr To test the server side, connect to the SMTP server, and you should be able to have a conversation as shown below. Information sent by the client is shown in bold font. - 220 server.host.tld ESMTP Postfix - EEHHLLOO cclliieenntt..hhoosstt..ttlldd - 250-server.host.tld + 220 server.example.com ESMTP Postfix + EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm + 250-server.example.com 250-PIPELINING 250-SIZE 10240000 250-ETRN 
@@ -352,9 +357,9 @@ of the following commands: The mmencode command is part of the metamail software. MIME::Base64 is available from http://www.cpan.org/. -When posting logs of the SASL negotiations to public lists, please keep in mind -that username/password information is trivial to recover from the base64- -encoded form. +Caution: when posting logs of the SASL negotiations to public lists, please +keep in mind that username/password information is trivial to recover from the +base64-encoded form. TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss @@ -381,6 +386,7 @@ that is specified with the relayhost parameter or with a transport(5) table. /etc/postfix/main.cf: smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_type = cyrus /etc/postfix/sasl_passwd: foo.com username:password @@ -442,6 +448,6 @@ CCrreeddiittss reject_unauthenticated_sender_login_mismatch, and revised the docs. * Wietse made another iteration through the code to add plug-in support for multiple implementations. - * The Dovecot plug-in was originally implemented by Timo Sirainen of - Procontrol, Finland. + * The Dovecot SMTP server plug-in was originally implemented by Timo Sirainen + of Procontrol, Finland. diff --git a/postfix/html/SASL_README.html b/postfix/html/SASL_README.html index 98b848f45..fb2cf5325 100644 --- a/postfix/html/SASL_README.html +++ b/postfix/html/SASL_README.html @@ -23,6 +23,7 @@ expectation that Postfix is more secure than some other mailers. The Cyrus SASL library is a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. +Dovecot provides an alternative that may be worth considering.

How Postfix uses SASL authentication information

@@ -47,7 +48,7 @@ sender email address.

-

What SASL versions are supported

+

What SASL implementations are supported

This document describes Postfix with the following SASL implementations:

@@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands: -

Needless to say, these commands are not available in Postfix -versions before 2.3.

+

Needless to say, these commands are not available in earlier +Postfix versions.

Building Postfix with Dovecot SASL support

-

Dovecot is available via http://www.dovecot.org/. It uses its -own daemon process for authentication. Building Postfix with Dovecot -SASL support is relatively easy, because there is no need to link -extra libraries into Postfix.

+

Dovecot SASL support is available in Postfix 2.3 and later. The +Dovecot source code is available via http://www.dovecot.org/. At +the time +of writing, only server-side SASL support is available, so you can't +use it to authenticate to your network provider's server. Dovecot +uses its own daemon process for authentication. This keeps the +Postfix build process simple, because there is no need to link extra +libraries into Postfix.

To generate the necessary Makefiles, execute the following in the Postfix top-level directory:

+
 % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
 
+
+ +

After this, proceed with "make" as described in the +INSTALL document.

Notes:

@@ -136,9 +146,6 @@ file.

  • If you also want support for LDAP or TLS, you will have to merge their CCARGS and AUXLIBS into the above command line.

    -
  • After this, proceed with "make" as described in the -INSTALL document.

    -

    Building the Cyrus SASL library

    @@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''.

    Building Postfix with Cyrus SASL support

    -

    To build Postfix with SASL authentication support, the following +

    The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

    @@ -250,10 +257,24 @@ SMTP server

    Note: the SASL login names will be shared with the entire world.

    +

    Older Microsoft SMTP client software implements a non-standard +version of the AUTH protocol syntax, and expects that the SMTP +server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH +stuff". To accommodate such clients (in addition to conformant +clients) use the following:

    + +
    +
    +/etc/postfix/main.cf:
    +    broken_sasl_auth_clients = yes
    +
    +
    +

    Dovecot SASL configuration for the Postfix SMTP server

    -

    On the Postfix side you need to specify the location of the +

    Dovecot SASL support is available in Postfix 2.3 and later. On +the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not Postfix runs chrooted:

    @@ -277,17 +298,17 @@ Postfix queue is under /var/spool/postfix/.

    auth default { .. socket listen { - client { - path = /var/spool/postfix/private/auth - mode = 0666 - } + client { + path = /var/spool/postfix/private/auth + mode = 0666 + } } } -

    See the Dovecot documentation for how to configure the Dovecot -authentication server.

    +

    See the Dovecot documentation for how to configure and operate +the Dovecot authentication server.

    Cyrus SASL configuration for the Postfix SMTP server

    @@ -489,13 +510,6 @@ directory.

    To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

    -

    Older Microsoft SMTP client software implements a non-standard -version of the AUTH protocol syntax, and expects that the SMTP -server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH -stuff". To accommodate such clients in addition to conformant -clients, set "broken_sasl_auth_clients = yes" in the main.cf file. -

    -

    Testing SASL authentication in the Postfix SMTP server

    @@ -505,9 +519,9 @@ client is shown in bold font.

    -220 server.host.tld ESMTP Postfix
    -EHLO client.host.tld
    -250-server.host.tld
    +220 server.example.com ESMTP Postfix
    +EHLO client.example.com
    +250-server.example.com
     250-PIPELINING
     250-SIZE 10240000
     250-ETRN
    @@ -542,7 +556,8 @@ you can use one of the following commands: 

    The mmencode command is part of the metamail software. MIME::Base64 is available from http://www.cpan.org/.

    -

    When posting logs of the SASL negotiations to public lists, +

    Caution: when posting logs of the SASL negotiations to public +lists, please keep in mind that username/password information is trivial to recover from the base64-encoded form.

    @@ -581,6 +596,7 @@ table.

    /etc/postfix/main.cf: smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_type = cyrus /etc/postfix/sasl_passwd: foo.com username:password @@ -668,8 +684,8 @@ of SuSE Rhein/Main AG.
  • Wietse made another iteration through the code to add plug-in support for multiple implementations. -
  • The Dovecot plug-in was originally implemented by Timo Sirainen -of Procontrol, Finland. +
  • The Dovecot SMTP server plug-in was originally implemented by +Timo Sirainen of Procontrol, Finland. diff --git a/postfix/html/postconf.1.html b/postfix/html/postconf.1.html index 48139eb90..f8046d421 100644 --- a/postfix/html/postconf.1.html +++ b/postfix/html/postconf.1.html @@ -31,28 +31,28 @@ POSTCONF(1) POSTCONF(1) smtpd_sasl_type configuration parameter by specify- ing one of the names listed below. - This feature is available with Postfix 2.3 and - later. - - cyrus This server plug-in is available when Post- + cyrus This server plug-in is available when Post- fix is built with Cyrus SASL support. dovecot - This server plug-in requires the Dovecot + This server plug-in requires the Dovecot authentication server. + This feature is available with Postfix 2.3 and + later. + -A List the available SASL client plug-in types. The SASL plug-in type is selected with the smtp_sasl_type or lmtp_sasl_type configuration parameters by specifying one of the names listed below. - This feature is available with Postfix 2.3 and - later. - - cyrus This client plug-in is available when Post- + cyrus This client plug-in is available when Post- fix is built with Cyrus SASL support. + This feature is available with Postfix 2.3 and + later. + -b [template_file] Display the message text that appears at the begin- ning of delivery status notification (DSN) mes- diff --git a/postfix/man/man1/postconf.1 b/postfix/man/man1/postconf.1 index 06d43b7f7..f53403163 100644 --- a/postfix/man/man1/postconf.1 +++ b/postfix/man/man1/postconf.1 @@ -32,8 +32,6 @@ List the available SASL server plug-in types. The SASL plug-in type is selected with the \fBsmtpd_sasl_type\fR configuration parameter by specifying one of the names listed below. - -This feature is available with Postfix 2.3 and later. .RS .IP \fBcyrus\fR This server plug-in is available when Postfix is built with 
@@ -42,18 +40,20 @@ Cyrus SASL support. This server plug-in requires the Dovecot authentication server. .RE +.IP +This feature is available with Postfix 2.3 and later. .IP \fB-A\fR List the available SASL client plug-in types. The SASL plug-in type is selected with the \fBsmtp_sasl_type\fR or \fBlmtp_sasl_type\fR configuration parameters by specifying one of the names listed below. - -This feature is available with Postfix 2.3 and later. .RS .IP \fBcyrus\fR This client plug-in is available when Postfix is built with Cyrus SASL support. .RE +.IP +This feature is available with Postfix 2.3 and later. .IP "\fB-b\fR [\fItemplate_file\fR]" Display the message text that appears at the beginning of delivery status notification (DSN) messages, with $\fBname\fR diff --git a/postfix/proto/SASL_README.html b/postfix/proto/SASL_README.html index a651a1ac8..591b61b0b 100644 --- a/postfix/proto/SASL_README.html +++ b/postfix/proto/SASL_README.html @@ -23,6 +23,7 @@ expectation that Postfix is more secure than some other mailers. The Cyrus SASL library is a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. +Dovecot provides an alternative that may be worth considering.

    How Postfix uses SASL authentication information

    @@ -47,7 +48,7 @@ sender email address.

    -

    What SASL versions are supported

    +

    What SASL implementations are supported

    This document describes Postfix with the following SASL implementations:

    @@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands:
  • -

    Needless to say, these commands are not available in Postfix -versions before 2.3.

    +

    Needless to say, these commands are not available in earlier +Postfix versions.

    Building Postfix with Dovecot SASL support

    -

    Dovecot is available via http://www.dovecot.org/. It uses its -own daemon process for authentication. Building Postfix with Dovecot -SASL support is relatively easy, because there is no need to link -extra libraries into Postfix.

    +

    Dovecot SASL support is available in Postfix 2.3 and later. The +Dovecot source code is available via http://www.dovecot.org/. At +the time +of writing, only server-side SASL support is available, so you can't +use it to authenticate to your network provider's server. Dovecot +uses its own daemon process for authentication. This keeps the +Postfix build process simple, because there is no need to link extra +libraries into Postfix.

    To generate the necessary Makefiles, execute the following in the Postfix top-level directory:

    +
     % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
     
    +
    + +

    After this, proceed with "make" as described in the +INSTALL document.

    Notes:

    @@ -136,9 +146,6 @@ file.

  • If you also want support for LDAP or TLS, you will have to merge their CCARGS and AUXLIBS into the above command line.

    -
  • After this, proceed with "make" as described in the -INSTALL document.

    -

    Building the Cyrus SASL library

    @@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''.

    Building Postfix with Cyrus SASL support

    -

    To build Postfix with SASL authentication support, the following +

    The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

    @@ -250,10 +257,24 @@ SMTP server

    Note: the SASL login names will be shared with the entire world.

    +

    Older Microsoft SMTP client software implements a non-standard +version of the AUTH protocol syntax, and expects that the SMTP +server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH +stuff". To accommodate such clients (in addition to conformant +clients) use the following:

    + +
    +
    +/etc/postfix/main.cf:
    +    broken_sasl_auth_clients = yes
    +
    +
    +

    Dovecot SASL configuration for the Postfix SMTP server

    -

    On the Postfix side you need to specify the location of the +

    Dovecot SASL support is available in Postfix 2.3 and later. On +the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not Postfix runs chrooted:

    @@ -277,17 +298,17 @@ Postfix queue is under /var/spool/postfix/.

    auth default { .. socket listen { - client { - path = /var/spool/postfix/private/auth - mode = 0666 - } + client { + path = /var/spool/postfix/private/auth + mode = 0666 + } } } -

    See the Dovecot documentation for how to configure the Dovecot -authentication server.

    +

    See the Dovecot documentation for how to configure and operate +the Dovecot authentication server.

    Cyrus SASL configuration for the Postfix SMTP server

    @@ -489,13 +510,6 @@ directory.

    To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

    -

    Older Microsoft SMTP client software implements a non-standard -version of the AUTH protocol syntax, and expects that the SMTP -server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH -stuff". To accommodate such clients in addition to conformant -clients, set "broken_sasl_auth_clients = yes" in the main.cf file. -

    -

    Testing SASL authentication in the Postfix SMTP server

    @@ -505,9 +519,9 @@ client is shown in bold font.

    -220 server.host.tld ESMTP Postfix
    -EHLO client.host.tld
    -250-server.host.tld
    +220 server.example.com ESMTP Postfix
    +EHLO client.example.com
    +250-server.example.com
     250-PIPELINING
     250-SIZE 10240000
     250-ETRN
    @@ -542,7 +556,8 @@ you can use one of the following commands: 

    The mmencode command is part of the metamail software. MIME::Base64 is available from http://www.cpan.org/.

    -

    When posting logs of the SASL negotiations to public lists, +

    Caution: when posting logs of the SASL negotiations to public +lists, please keep in mind that username/password information is trivial to recover from the base64-encoded form.

    @@ -581,6 +596,7 @@ table.

    /etc/postfix/main.cf: smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd + smtp_sasl_type = cyrus /etc/postfix/sasl_passwd: foo.com username:password @@ -668,8 +684,8 @@ reject_unauthenticated_sender_login_mismatch, and revised the docs.
  • Wietse made another iteration through the code to add plug-in support for multiple implementations. -
  • The Dovecot plug-in was originally implemented by Timo Sirainen -of Procontrol, Finland. +
  • The Dovecot SMTP server plug-in was originally implemented by +Timo Sirainen of Procontrol, Finland. diff --git a/postfix/src/bounce/bounce_templates.c b/postfix/src/bounce/bounce_templates.c index 18b0bb34c..381763429 100644 --- a/postfix/src/bounce/bounce_templates.c +++ b/postfix/src/bounce/bounce_templates.c @@ -92,21 +92,6 @@ /* * The fail template is for permanent failure. */ -static const char *def_bounce_failure_body[]; - -static const BOUNCE_TEMPLATE def_bounce_failure_template = { - 0, - BOUNCE_TMPL_CLASS_FAILURE, - "[built-in]", - "us-ascii", - MAIL_ATTR_ENC_7BIT, - MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)", - "Undelivered Mail Returned to Sender", - "Postmaster Copy: Undelivered Mail", - def_bounce_failure_body, - &def_bounce_failure_template, -}; - static const char *def_bounce_failure_body[] = { "This is the $mail_name program at host $myhostname.", "", @@ -122,24 +107,22 @@ static const char *def_bounce_failure_body[] = { 0, }; - /* - * The delay template is for delayed mail notifications. - */ -static const char *def_bounce_delay_body[]; - -static const BOUNCE_TEMPLATE def_bounce_delay_template = { +static const BOUNCE_TEMPLATE def_bounce_failure_template = { 0, - BOUNCE_TMPL_CLASS_DELAY, + BOUNCE_TMPL_CLASS_FAILURE, "[built-in]", "us-ascii", MAIL_ATTR_ENC_7BIT, MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)", - "Delayed Mail (still being retried)", - "Postmaster Warning: Delayed Mail", - def_bounce_delay_body, - &def_bounce_delay_template + "Undelivered Mail Returned to Sender", + "Postmaster Copy: Undelivered Mail", + def_bounce_failure_body, + &def_bounce_failure_template, }; + /* + * The delay template is for delayed mail notifications. + */ static const char *def_bounce_delay_body[] = { "This is the $mail_name program at host $myhostname.", "", 
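Review bot: The reordered templates in bounce_templates.c carry no comment saying why each body array must now come before the BOUNCE_TEMPLATE that points at it, so a later edit could bring back the size-less forward declarations (`static const char *def_bounce_failure_body[];`) that this commit removes. A line such as `/* Define each body before its template; a static array cannot be forward-declared with an incomplete type. */` above the first body would record that. The same applies to the delay, success and verify templates in the following hunks. As a small consistency point, the delay template's initializer ends with `&def_bounce_delay_template` without the trailing comma that the other three use.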
@@ -160,11 +143,34 @@ static const char *def_bounce_delay_body[] = { 0, }; +static const BOUNCE_TEMPLATE def_bounce_delay_template = { + 0, + BOUNCE_TMPL_CLASS_DELAY, + "[built-in]", + "us-ascii", + MAIL_ATTR_ENC_7BIT, + MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)", + "Delayed Mail (still being retried)", + "Postmaster Warning: Delayed Mail", + def_bounce_delay_body, + &def_bounce_delay_template +}; + /* * The success template is for "delivered", "expanded" and "relayed" success * notifications. */ -static const char *def_bounce_success_body[]; +static const char *def_bounce_success_body[] = { + "This is the $mail_name program at host $myhostname.", + "", + "Your message was successfully delivered to the destination(s)", + "listed below. If the message was delivered to mailbox you will", + "receive no further notifications. Otherwise you may still receive", + "notifications of mail delivery errors from other systems.", + "", + " The $mail_name program", + 0, +}; static const BOUNCE_TEMPLATE def_bounce_success_template = { 0, 
@@ -179,23 +185,18 @@ static const BOUNCE_TEMPLATE def_bounce_success_template = { &def_bounce_success_template, }; -static const char *def_bounce_success_body[] = { - "This is the $mail_name program at host $myhostname.", - "", - "Your message was successfully delivered to the destination(s)", - "listed below. If the message was delivered to mailbox you will", - "receive no further notifications. Otherwise you may still receive", - "notifications of mail delivery errors from other systems.", - "", - " The $mail_name program", - 0, -}; - /* * The "verify" template is for verbose delivery (sendmail -v) and for * address verification (sendmail -bv). */ -static const char *def_bounce_verify_body[]; +static const char *def_bounce_verify_body[] = { + "This is the $mail_name program at host $myhostname.", + "", + "Enclosed is the mail delivery report that you requested.", + "", + " The $mail_name program", + 0, +}; static const BOUNCE_TEMPLATE def_bounce_verify_template = { 0, @@ -210,15 +211,6 @@ static const BOUNCE_TEMPLATE def_bounce_verify_template = { &def_bounce_verify_template, }; -static const char *def_bounce_verify_body[] = { - "This is the $mail_name program at host $myhostname.", - "", - "Enclosed is the mail delivery report that you requested.", - "", - " The $mail_name program", - 0, -}; - /* * SLMs. */ diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index ede017197..361b4bff1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20051222" +#define MAIL_RELEASE_DATE "20051223" #define MAIL_VERSION_NUMBER "2.3" #ifdef SNAPSHOT diff --git a/postfix/src/postconf/postconf.c b/postfix/src/postconf/postconf.c index ad1c2a726..8d4a3621e 100644 --- a/postfix/src/postconf/postconf.c +++ b/postfix/src/postconf/postconf.c 
@@ -26,8 +26,6 @@ /* plug-in type is selected with the \fBsmtpd_sasl_type\fR /* configuration parameter by specifying one of the names /* listed below. -/* -/* This feature is available with Postfix 2.3 and later. /* .RS /* .IP \fBcyrus\fR /* This server plug-in is available when Postfix is built with @@ -36,18 +34,20 @@ /* This server plug-in requires the Dovecot authentication /* server. /* .RE +/* .IP +/* This feature is available with Postfix 2.3 and later. /* .IP \fB-A\fR /* List the available SASL client plug-in types. The SASL /* plug-in type is selected with the \fBsmtp_sasl_type\fR or /* \fBlmtp_sasl_type\fR configuration parameters by specifying /* one of the names listed below. -/* -/* This feature is available with Postfix 2.3 and later. /* .RS /* .IP \fBcyrus\fR /* This client plug-in is available when Postfix is built with /* Cyrus SASL support. /* .RE +/* .IP +/* This feature is available with Postfix 2.3 and later. /* .IP "\fB-b\fR [\fItemplate_file\fR]" /* Display the message text that appears at the beginning of /* delivery status notification (DSN) messages, with $\fBname\fR @@ -281,7 +281,7 @@ #define SHOW_LOCKS (1<<5) /* show mailbox lock methods */ #define SHOW_EVAL (1<<6) /* expand right-hand sides */ #define SHOW_SASL_SERV (1<<7) /* show server auth plugin types */ -#define SHOW_SASL_CLNT (1<<7) /* show client auth plugin types */ +#define SHOW_SASL_CLNT (1<<8) /* show client auth plugin types */ /* * Lookup table for in-core parameter info. diff --git a/postfix/src/util/name_code.c b/postfix/src/util/name_code.c index cf32cc6e9..dce373bbb 100644 --- a/postfix/src/util/name_code.c +++ b/postfix/src/util/name_code.c 
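Review bot: The SHOW_SASL_SERV / SHOW_SASL_CLNT collision at the end of the postconf.c flag list was possible because each mask is a hand-written shift with nothing tying the values together, and the corrected `(1<<8)` is just as unguarded. A short comment above the list, for example `/* Each SHOW_* flag must be a distinct bit; check for duplicates when adding one. */`, would make the next addition harder to get wrong. The list begins above the hunk, so the lower bits could not be checked here for a second duplicate.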
@@ -36,7 +36,7 @@ /* For convenience the constant NAME_CODE_FLAG_NONE requests /* no special processing. /* -/* str_name_code() translates a number to its equivalend string. +/* str_name_code() translates a number to its equivalent string. /* DIAGNOSTICS /* When the search fails, the result is the "name not found" code /* or the null pointer, respectively. diff --git a/postfix/src/xsasl/xsasl_dovecot_server.c b/postfix/src/xsasl/xsasl_dovecot_server.c index af2f0cedb..75b02a00c 100644 --- a/postfix/src/xsasl/xsasl_dovecot_server.c +++ b/postfix/src/xsasl/xsasl_dovecot_server.c @@ -11,6 +11,14 @@ /* This module implements the Dovecot SASL server-side authentication /* plug-in. /* +/* .IP server_type +/* The plug-in type that was specified to xsasl_server_init(). +/* The argument is ignored, because the Dovecot plug-in +/* implements only one plug-in type. +/* .IP path_info +/* The location of the Dovecot authentication server's UNIX-domain +/* socket. Note: the Dovecot plug-in uses late binding, therefore +/* all connect operations are done with Postfix privileges. /* DIAGNOSTICS /* Fatal: out of memory. /* @@ -68,6 +76,12 @@ #define AUTH_PROTOCOL_MAJOR_VERSION 1 #define AUTH_PROTOCOL_MINOR_VERSION 0 + /* + * Encorce read/write time limits, so that we can produce accurate + * diagnostics instead of getting killed by the watchdog timer. + */ +#define AUTH_TIMEOUT 10 + /* * Class variables. */ @@ -108,6 +122,8 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *, const char *, VSTRING *); static const char *xsasl_dovecot_server_get_mechanism_list(XSASL_SERVER *); static const char *xsasl_dovecot_server_get_username(XSASL_SERVER *); +/* xsasl_dovecot_server_connect - initial auth server handshake */ + static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) { const char *myname = "xsasl_dovecot_server_connect"; 
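Review bot: The new path_info paragraph in the xsasl_dovecot_server.c header says that connects happen with Postfix privileges, but it stops short of what an operator needs to know: the Dovecot socket has to be reachable by the unprivileged Postfix user. The SASL_README example in this same commit uses `mode = 0666`, which opens the authentication socket to every local account. I would add a sentence such as `/* The socket must therefore be accessible to the unprivileged Postfix user; prefer restricting it to that user or group over making it world-accessible.` and adjust the README example to match.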
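Review bot: The comment introducing AUTH_TIMEOUT misspells "Enforce" as "Encorce" and gives no unit for the value 10. Suggest `* Enforce read/write time limits (in seconds), so that we can produce accurate` for the first comment line. The unit is presumably seconds, since the value is later passed to unix_connect() and VSTREAM_CTL_TIMEOUT, but that should be confirmed. Whether 10 stays below the watchdog limit the comment refers to cannot be seen from this hunk.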
@@ -120,13 +136,15 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) if (msg_verbose) msg_info("%s: Connecting", myname); - if ((fd = unix_connect(xp->socket_path, BLOCKING, 0)) < 0) { + if ((fd = unix_connect(xp->socket_path, BLOCKING, AUTH_TIMEOUT)) < 0) { msg_warn("SASL: Connect to %s failed: %m", xp->socket_path); return (-1); } sasl_stream = vstream_fdopen(fd, O_RDWR); - vstream_control(sasl_stream, VSTREAM_CTL_PATH, - xp->socket_path, VSTREAM_CTL_END); + vstream_control(sasl_stream, + VSTREAM_CTL_PATH, xp->socket_path, + VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT, + VSTREAM_CTL_END); vstream_fprintf(sasl_stream, "VERSION\t%u\t%u\n" @@ -192,6 +210,8 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) return (0); } +/* xsasl_dovecot_server_disconnect - dispose of server connection state */ + static void xsasl_dovecot_server_disconnect(XSASL_DOVECOT_SERVER_IMPL *xp) { if (xp->sasl_stream) {
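Review bot: Nothing in this hunk tells a timeout apart from a closed connection once `VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT` is in effect, although the AUTH_TIMEOUT comment gives accurate diagnostics as the reason for the limit. The handshake read loop of xsasl_dovecot_server_connect() lies outside the hunk, so this may already be handled. If it is not, a check such as `if (vstream_ftimeout(sasl_stream)) msg_warn("SASL: timeout while talking to %s", xp->socket_path);` on the read-failure path would make the log say which of the two happened. The return value of vstream_fdopen() is also used unchecked, which looks consistent with the "Fatal: out of memory" diagnostic in the file header but is worth confirming.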