mirror of https://github.com/vdukhovni/postfix synced 2025-08-31 06:05:37 +00:00

postfix-2.3-20051223

This commit is contained in:
Wietse Venema
2005-12-23 00:00:00 -05:00
committed by Viktor Dukhovni
parent 46ab025e8a
commit 51da02abb8
11 changed files with 226 additions and 173 deletions

View File

@@ -11657,6 +11657,9 @@ Apologies for any names omitted.
addresses with numeric domains instead of rejecting them as addresses with numeric domains instead of rejecting them as
invalid. Files: trivial-rewrite/resolve.c, util/vstring.c. invalid. Files: trivial-rewrite/resolve.c, util/vstring.c.
Bugfix: 20051219 "postconf -A" produced "postconf -a" output.
Andreas Winkelmann.
Open problems: Open problems:
"postsuper -r" no longer resets the message arrival time, "postsuper -r" no longer resets the message arrival time,
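Review bot: the added HISTORY entry ("Bugfix: 20051219 "postconf -A" produced "postconf -a" output. Andreas Winkelmann.") has no "Files:" line, unlike the neighbouring entries (compare "Files: trivial-rewrite/resolve.c, util/vstring.c." directly above), so HISTORY does not say where the fix landed; the postconf source change is not in the visible diff either, only its man page and HTML rendering. Add the "Files:" line naming the changed source file so the entry matches the file's convention.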

View File

@@ -7,7 +7,8 @@ WWAARRNNIINNGG
People who go to the trouble of installing Postfix may have the expectation People who go to the trouble of installing Postfix may have the expectation
that Postfix is more secure than some other mailers. The Cyrus SASL library is that Postfix is more secure than some other mailers. The Cyrus SASL library is
a lot of code. With this, Postfix becomes as secure as other mail systems that a lot of code. With this, Postfix becomes as secure as other mail systems that
use the Cyrus SASL library. use the Cyrus SASL library. Dovecot provides an alternative that may be worth
considering.
HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn
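Review bot: the appended sentence "Dovecot provides an alternative that may be worth considering." gives no reason, which matters because this is the security warning paragraph and the preceding sentence's concern is the amount of Cyrus code linked into Postfix. The rationale only appears later in the build section ("Dovecot uses its own daemon process for authentication ... there is no need to link extra libraries into Postfix"); state it here in one clause, e.g. that with Dovecot the authentication code runs in a separate daemon rather than inside the Postfix SMTP server process, so the reader knows what the alternative changes.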
@@ -27,7 +28,7 @@ search its SASL password table by the sender email address.
This document covers the following topics: This document covers the following topics:
* What SASL versions are supported * What SASL implementations are supported
* Building Postfix with Dovecot SASL support * Building Postfix with Dovecot SASL support
* Building the Cyrus SASL library * Building the Cyrus SASL library
* Building Postfix with Cyrus SASL support * Building Postfix with Cyrus SASL support
@@ -39,7 +40,7 @@ This document covers the following topics:
* Enabling SASL authentication in the Postfix SMTP client * Enabling SASL authentication in the Postfix SMTP client
* Credits * Credits
WWhhaatt SSAASSLL vveerrssiioonnss aarree ssuuppppoorrtteedd WWhhaatt SSAASSLL iimmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd
This document describes Postfix with the following SASL implementations: This document describes Postfix with the following SASL implementations:
@@ -56,19 +57,23 @@ Postfix, use the following commands:
% postconf -a (SASL support in the SMTP server) % postconf -a (SASL support in the SMTP server)
% postconf -A (SASL support in the SMTP+LMTP client) % postconf -A (SASL support in the SMTP+LMTP client)
Needless to say, these commands are not available in Postfix versions before Needless to say, these commands are not available in earlier Postfix versions.
2.3.
BBuuiillddiinngg PPoossttffiixx wwiitthh DDoovveeccoott SSAASSLL ssuuppppoorrtt BBuuiillddiinngg PPoossttffiixx wwiitthh DDoovveeccoott SSAASSLL ssuuppppoorrtt
Dovecot is available via http://www.dovecot.org/. It uses its own daemon Dovecot SASL support is available in Postfix 2.3 and later. The Dovecot source
process for authentication. Building Postfix with Dovecot SASL support is code is available via http://www.dovecot.org/. At the time of writing, only
relatively easy, because there is no need to link extra libraries into Postfix. server-side SASL support is available, so you can't use it to authenticate to
your network provider's server. Dovecot uses its own daemon process for
authentication. This keeps the Postfix build process simple, because there is
no need to link extra libraries into Postfix.
To generate the necessary Makefiles, execute the following in the Postfix top- To generate the necessary Makefiles, execute the following in the Postfix top-
level directory: level directory:
% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"' % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
After this, proceed with "make" as described in the INSTALL document.
Notes: Notes:
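Review bot: moving "After this, proceed with "make" as described in the INSTALL document." out of the Notes list to directly after the make makefiles command puts it before the note that still alters that command line ("If you also want support for LDAP or TLS, you will have to merge their CCARGS and AUXLIBS into the above command line"), so a reader following the text top to bottom is told to build before reading the notes that change the build. Either keep the "proceed with make" sentence after the Notes list, or move the LDAP/TLS merge note above the command. Separately, "only server-side SASL support is available, so you can't use it to authenticate to your network provider's server" is the reason the command sets only -DDEF_SASL_SERVER and no client default; saying so next to the command would stop readers from expecting the Dovecot build to also cover smtp_sasl_type.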
@@ -79,8 +84,6 @@ Notes:
* If you also want support for LDAP or TLS, you will have to merge their * If you also want support for LDAP or TLS, you will have to merge their
CCARGS and AUXLIBS into the above command line. CCARGS and AUXLIBS into the above command line.
* After this, proceed with "make" as described in the INSTALL document.
BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy
Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are
@@ -98,9 +101,8 @@ SASL LOGIN authentication method. To enable this authentication method, specify
BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt
To build Postfix with SASL authentication support, the following assumes that The following assumes that the Cyrus SASL include files are in /usr/local/
the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL include, and that the Cyrus SASL libraries are in /usr/local/lib.
libraries are in /usr/local/lib.
On some systems this generates the necessary Makefile definitions: On some systems this generates the necessary Makefile definitions:
@@ -154,11 +156,20 @@ and later):
Note: the SASL login names will be shared with the entire world. Note: the SASL login names will be shared with the entire world.
Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in
addition to conformant clients) use the following:
/etc/postfix/main.cf:
broken_sasl_auth_clients = yes
DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
On the Postfix side you need to specify the location of the Dovecot Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side
authentication daemon socket. We use a pathname relative to the Postfix queue you need to specify the location of the Dovecot authentication daemon socket.
directory, so that it will work whether or not Postfix runs chrooted: We use a pathname relative to the Postfix queue directory, so that it will work
whether or not Postfix runs chrooted:
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtpd_sasl_type = dovecot smtpd_sasl_type = dovecot
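Review bot: the broken_sasl_auth_clients paragraph moved into the server section now follows "Note: the SASL login names will be shared with the entire world." with nothing marking the change of topic, so "To accommodate such clients" reads as a continuation of the login-name note; a lead sentence or sub-heading in the file's style would separate the two. It would also help to say that the setting changes only the AUTH protocol syntax on the wire (the non-standard "250 AUTH=stuff" advertisement is offered alongside the conformant "250 AUTH stuff" form) and does not relax any credential check, since readers of a hardening document will otherwise wonder whether "broken" implies weaker authentication.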
@@ -179,8 +190,8 @@ that the Postfix queue is under /var/spool/postfix/.
} }
} }
See the Dovecot documentation for how to configure the Dovecot authentication See the Dovecot documentation for how to configure and operate the Dovecot
server. authentication server.
CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
@@ -314,21 +325,15 @@ authentication.
To run software chrooted with SASL support is an interesting exercise. It To run software chrooted with SASL support is an interesting exercise. It
probably is not worth the trouble. probably is not worth the trouble.
Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients in
addition to conformant clients, set "broken_sasl_auth_clients = yes" in the
main.cf file.
TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
To test the server side, connect to the SMTP server, and you should be able to To test the server side, connect to the SMTP server, and you should be able to
have a conversation as shown below. Information sent by the client is shown in have a conversation as shown below. Information sent by the client is shown in
bold font. bold font.
220 server.host.tld ESMTP Postfix 220 server.example.com ESMTP Postfix
EEHHLLOO cclliieenntt..hhoosstt..ttlldd EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
250-server.host.tld 250-server.example.com
250-PIPELINING 250-PIPELINING
250-SIZE 10240000 250-SIZE 10240000
250-ETRN 250-ETRN
@@ -352,9 +357,9 @@ of the following commands:
The mmencode command is part of the metamail software. MIME::Base64 is The mmencode command is part of the metamail software. MIME::Base64 is
available from http://www.cpan.org/. available from http://www.cpan.org/.
When posting logs of the SASL negotiations to public lists, please keep in mind Caution: when posting logs of the SASL negotiations to public lists, please
that username/password information is trivial to recover from the base64- keep in mind that username/password information is trivial to recover from the
encoded form. base64-encoded form.
TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss
@@ -381,6 +386,7 @@ that is specified with the relayhost parameter or with a transport(5) table.
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
/etc/postfix/sasl_passwd: /etc/postfix/sasl_passwd:
foo.com username:password foo.com username:password
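Review bot: the client example gains "smtp_sasl_type = cyrus" but leaves "foo.com" in the sasl_passwd sample, while the server transcript in this same change moves from host.tld names to server.example.com/client.example.com; use example.com here as well so that a copied entry cannot point at a real third-party domain. Since the file stores a cleartext "username:password" pair, the example should also say to keep /etc/postfix/sasl_passwd and the hash: database built from it readable by root only: the document cautions that base64 logs leak credentials, but says nothing about protecting the password map itself.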
@@ -442,6 +448,6 @@ CCrreeddiittss
reject_unauthenticated_sender_login_mismatch, and revised the docs. reject_unauthenticated_sender_login_mismatch, and revised the docs.
* Wietse made another iteration through the code to add plug-in support for * Wietse made another iteration through the code to add plug-in support for
multiple implementations. multiple implementations.
* The Dovecot plug-in was originally implemented by Timo Sirainen of * The Dovecot SMTP server plug-in was originally implemented by Timo Sirainen
Procontrol, Finland. of Procontrol, Finland.

View File

@@ -23,6 +23,7 @@
expectation that Postfix is more secure than some other mailers. expectation that Postfix is more secure than some other mailers.
The Cyrus SASL library is a lot of code. With this, Postfix becomes The Cyrus SASL library is a lot of code. With this, Postfix becomes
as secure as other mail systems that use the Cyrus SASL library. as secure as other mail systems that use the Cyrus SASL library.
Dovecot provides an alternative that may be worth considering.
</p> </p>
<h2><a name="intro">How Postfix uses SASL authentication information</a></h2> <h2><a name="intro">How Postfix uses SASL authentication information</a></h2>
@@ -47,7 +48,7 @@ sender email address. </p>
<ul> <ul>
<li><a href="#versions">What SASL versions are supported</a> <li><a href="#versions">What SASL implementations are supported</a>
<li><a href="#build_dovecot">Building Postfix with Dovecot SASL <li><a href="#build_dovecot">Building Postfix with Dovecot SASL
support</a></li> support</a></li>
@@ -78,7 +79,7 @@ Postfix SMTP client</a></li>
</ul> </ul>
<h2><a name="versions">What SASL versions are supported</a></h2> <h2><a name="versions">What SASL implementations are supported</a></h2>
<p> This document describes Postfix with the following SASL <p> This document describes Postfix with the following SASL
implementations: </p> implementations: </p>
@@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands:
</pre> </pre>
</blockquote> </blockquote>
<p> Needless to say, these commands are not available in Postfix <p> Needless to say, these commands are not available in earlier
versions before 2.3. </p> Postfix versions. </p>
<h2><a name="build_dovecot">Building Postfix with Dovecot SASL <h2><a name="build_dovecot">Building Postfix with Dovecot SASL
support</a></h2> support</a></h2>
<p> Dovecot is available via <a href="http://www.dovecot.org/">http://www.dovecot.org/</a>. It uses its <p> Dovecot SASL support is available in Postfix 2.3 and later. The
own daemon process for authentication. Building Postfix with Dovecot Dovecot source code is available via <a href="http://www.dovecot.org/">http://www.dovecot.org/</a>. At
SASL support is relatively easy, because there is no need to link the time
extra libraries into Postfix. </p> of writing, only server-side SASL support is available, so you can't
use it to authenticate to your network provider's server. Dovecot
uses its own daemon process for authentication. This keeps the
Postfix build process simple, because there is no need to link extra
libraries into Postfix. </p>
<p> To generate the necessary Makefiles, execute the following <p> To generate the necessary Makefiles, execute the following
in the Postfix top-level directory: </p> in the Postfix top-level directory: </p>
<blockquote>
<pre> <pre>
% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"' % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
</pre> </pre>
</blockquote>
<p> After this, proceed with "<tt>make</tt>" as described in the
<a href="INSTALL.html">INSTALL</a> document. </p>
<p> Notes: </p> <p> Notes: </p>
@@ -136,9 +146,6 @@ file. </p>
<li> <p> If you also want support for LDAP or TLS, you will have to merge <li> <p> If you also want support for LDAP or TLS, you will have to merge
their CCARGS and AUXLIBS into the above command line. </p> their CCARGS and AUXLIBS into the above command line. </p>
<li> <p> After this, proceed with "<tt>make</tt>" as described in the
<a href="INSTALL.html">INSTALL</a> document. </p>
</ul> </ul>
<h2><a name="build_sasl">Building the Cyrus SASL library</a></h2> <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
@@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''. </p>
<h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2> <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
<p> To build Postfix with SASL authentication support, the following <p> The following
assumes that the Cyrus SASL include files are in /usr/local/include, assumes that the Cyrus SASL include files are in /usr/local/include,
and that the Cyrus SASL libraries are in /usr/local/lib. </p> and that the Cyrus SASL libraries are in /usr/local/lib. </p>
@@ -250,10 +257,24 @@ SMTP server</a></h2>
<p> Note: the SASL login names will be shared with the entire world. <p> Note: the SASL login names will be shared with the entire world.
</p> </p>
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
stuff". To accommodate such clients (in addition to conformant
clients) use the following: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
<a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> = yes
</pre>
</blockquote>
<h2><a name="server_dovecot">Dovecot SASL configuration for the <h2><a name="server_dovecot">Dovecot SASL configuration for the
Postfix SMTP server</a></h2> Postfix SMTP server</a></h2>
<p> On the Postfix side you need to specify the location of the <p> Dovecot SASL support is available in Postfix 2.3 and later. On
the Postfix side you need to specify the location of the
Dovecot authentication daemon socket. We use a pathname relative Dovecot authentication daemon socket. We use a pathname relative
to the Postfix queue directory, so that it will work whether or not to the Postfix queue directory, so that it will work whether or not
Postfix runs chrooted: </p> Postfix runs chrooted: </p>
@@ -286,8 +307,8 @@ Postfix queue is under /var/spool/postfix/. </p>
</pre> </pre>
</blockquote> </blockquote>
<p> See the Dovecot documentation for how to configure the Dovecot <p> See the Dovecot documentation for how to configure and operate
authentication server. </p> the Dovecot authentication server. </p>
<h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
SMTP server</a></h2> SMTP server</a></h2>
@@ -489,13 +510,6 @@ directory. </p>
<p> To run software chrooted with SASL support is an interesting <p> To run software chrooted with SASL support is an interesting
exercise. It probably is not worth the trouble. </p> exercise. It probably is not worth the trouble. </p>
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
stuff". To accommodate such clients in addition to conformant
clients, set "<a href="postconf.5.html#broken_sasl_auth_clients">broken_sasl_auth_clients</a> = yes" in the main.cf file.
</p>
<h2><a name="server_test">Testing SASL authentication in the Postfix <h2><a name="server_test">Testing SASL authentication in the Postfix
SMTP server</a></h2> SMTP server</a></h2>
@@ -505,9 +519,9 @@ client is shown in bold font. </p>
<blockquote> <blockquote>
<pre> <pre>
220 server.host.tld ESMTP Postfix 220 server.example.com ESMTP Postfix
<b>EHLO client.host.tld</b> <b>EHLO client.example.com</b>
250-server.host.tld 250-server.example.com
250-PIPELINING 250-PIPELINING
250-SIZE 10240000 250-SIZE 10240000
250-ETRN 250-ETRN
@@ -542,7 +556,8 @@ you can use one of the following commands: </p>
<p> The mmencode command is part of the metamail software. <p> The mmencode command is part of the metamail software.
MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p> MIME::Base64 is available from <a href="http://www.cpan.org/">http://www.cpan.org/</a>. </p>
<p> When posting logs of the SASL negotiations to public lists, <p> Caution: when posting logs of the SASL negotiations to public
lists,
please keep in mind that username/password information is trivial please keep in mind that username/password information is trivial
to recover from the base64-encoded form. </p> to recover from the base64-encoded form. </p>
@@ -581,6 +596,7 @@ table. </p>
/etc/postfix/main.cf: /etc/postfix/main.cf:
<a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes <a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> = yes
<a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = hash:/etc/postfix/sasl_passwd <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> = hash:/etc/postfix/sasl_passwd
<a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> = cyrus
/etc/postfix/sasl_passwd: /etc/postfix/sasl_passwd:
foo.com username:password foo.com username:password
@@ -668,8 +684,8 @@ of SuSE Rhein/Main AG.
<li> Wietse made another iteration through the code to add <li> Wietse made another iteration through the code to add
plug-in support for multiple implementations. plug-in support for multiple implementations.
<li> The Dovecot plug-in was originally implemented by Timo Sirainen <li> The Dovecot SMTP server plug-in was originally implemented by
of Procontrol, Finland. Timo Sirainen of Procontrol, Finland.
</ul> </ul>

View File

@@ -31,9 +31,6 @@ POSTCONF(1) POSTCONF(1)
<b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> configuration parameter by specify- <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> configuration parameter by specify-
ing one of the names listed below. ing one of the names listed below.
This feature is available with Postfix 2.3 and
later.
<b>cyrus</b> This server plug-in is available when Post- <b>cyrus</b> This server plug-in is available when Post-
fix is built with Cyrus SASL support. fix is built with Cyrus SASL support.
@@ -41,18 +38,21 @@ POSTCONF(1) POSTCONF(1)
This server plug-in requires the Dovecot This server plug-in requires the Dovecot
authentication server. authentication server.
This feature is available with Postfix 2.3 and
later.
<b>-A</b> List the available SASL client plug-in types. The <b>-A</b> List the available SASL client plug-in types. The
SASL plug-in type is selected with the SASL plug-in type is selected with the
<b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b> or <b><a href="postconf.5.html#lmtp_sasl_type">lmtp_sasl_type</a></b> configuration <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b> or <b><a href="postconf.5.html#lmtp_sasl_type">lmtp_sasl_type</a></b> configuration
parameters by specifying one of the names listed parameters by specifying one of the names listed
below. below.
This feature is available with Postfix 2.3 and
later.
<b>cyrus</b> This client plug-in is available when Post- <b>cyrus</b> This client plug-in is available when Post-
fix is built with Cyrus SASL support. fix is built with Cyrus SASL support.
This feature is available with Postfix 2.3 and
later.
<b>-b</b> [<i>template</i><b>_</b><i>file</i>] <b>-b</b> [<i>template</i><b>_</b><i>file</i>]
Display the message text that appears at the begin- Display the message text that appears at the begin-
ning of delivery status notification (DSN) mes- ning of delivery status notification (DSN) mes-

View File

@@ -32,8 +32,6 @@ List the available SASL server plug-in types. The SASL
plug-in type is selected with the \fBsmtpd_sasl_type\fR plug-in type is selected with the \fBsmtpd_sasl_type\fR
configuration parameter by specifying one of the names configuration parameter by specifying one of the names
listed below. listed below.
This feature is available with Postfix 2.3 and later.
.RS .RS
.IP \fBcyrus\fR .IP \fBcyrus\fR
This server plug-in is available when Postfix is built with This server plug-in is available when Postfix is built with
@@ -42,18 +40,20 @@ Cyrus SASL support.
This server plug-in requires the Dovecot authentication This server plug-in requires the Dovecot authentication
server. server.
.RE .RE
.IP
This feature is available with Postfix 2.3 and later.
.IP \fB-A\fR .IP \fB-A\fR
List the available SASL client plug-in types. The SASL List the available SASL client plug-in types. The SASL
plug-in type is selected with the \fBsmtp_sasl_type\fR or plug-in type is selected with the \fBsmtp_sasl_type\fR or
\fBlmtp_sasl_type\fR configuration parameters by specifying \fBlmtp_sasl_type\fR configuration parameters by specifying
one of the names listed below. one of the names listed below.
This feature is available with Postfix 2.3 and later.
.RS .RS
.IP \fBcyrus\fR .IP \fBcyrus\fR
This client plug-in is available when Postfix is built with This client plug-in is available when Postfix is built with
Cyrus SASL support. Cyrus SASL support.
.RE .RE
.IP
This feature is available with Postfix 2.3 and later.
.IP "\fB-b\fR [\fItemplate_file\fR]" .IP "\fB-b\fR [\fItemplate_file\fR]"
Display the message text that appears at the beginning of Display the message text that appears at the beginning of
delivery status notification (DSN) messages, with $\fBname\fR delivery status notification (DSN) messages, with $\fBname\fR

View File

@@ -23,6 +23,7 @@
expectation that Postfix is more secure than some other mailers. expectation that Postfix is more secure than some other mailers.
The Cyrus SASL library is a lot of code. With this, Postfix becomes The Cyrus SASL library is a lot of code. With this, Postfix becomes
as secure as other mail systems that use the Cyrus SASL library. as secure as other mail systems that use the Cyrus SASL library.
Dovecot provides an alternative that may be worth considering.
</p> </p>
<h2><a name="intro">How Postfix uses SASL authentication information</a></h2> <h2><a name="intro">How Postfix uses SASL authentication information</a></h2>
@@ -47,7 +48,7 @@ sender email address. </p>
<ul> <ul>
<li><a href="#versions">What SASL versions are supported</a> <li><a href="#versions">What SASL implementations are supported</a>
<li><a href="#build_dovecot">Building Postfix with Dovecot SASL <li><a href="#build_dovecot">Building Postfix with Dovecot SASL
support</a></li> support</a></li>
@@ -78,7 +79,7 @@ Postfix SMTP client</a></li>
</ul> </ul>
<h2><a name="versions">What SASL versions are supported</a></h2> <h2><a name="versions">What SASL implementations are supported</a></h2>
<p> This document describes Postfix with the following SASL <p> This document describes Postfix with the following SASL
implementations: </p> implementations: </p>
@@ -106,23 +107,32 @@ implementations are built into Postfix, use the following commands:
</pre> </pre>
</blockquote> </blockquote>
<p> Needless to say, these commands are not available in Postfix <p> Needless to say, these commands are not available in earlier
versions before 2.3. </p> Postfix versions. </p>
<h2><a name="build_dovecot">Building Postfix with Dovecot SASL <h2><a name="build_dovecot">Building Postfix with Dovecot SASL
support</a></h2> support</a></h2>
<p> Dovecot is available via http://www.dovecot.org/. It uses its <p> Dovecot SASL support is available in Postfix 2.3 and later. The
own daemon process for authentication. Building Postfix with Dovecot Dovecot source code is available via http://www.dovecot.org/. At
SASL support is relatively easy, because there is no need to link the time
extra libraries into Postfix. </p> of writing, only server-side SASL support is available, so you can't
use it to authenticate to your network provider's server. Dovecot
uses its own daemon process for authentication. This keeps the
Postfix build process simple, because there is no need to link extra
libraries into Postfix. </p>
<p> To generate the necessary Makefiles, execute the following <p> To generate the necessary Makefiles, execute the following
in the Postfix top-level directory: </p> in the Postfix top-level directory: </p>
<blockquote>
<pre> <pre>
% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"' % make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER=\"dovecot\"'
</pre> </pre>
</blockquote>
<p> After this, proceed with "<tt>make</tt>" as described in the
INSTALL document. </p>
<p> Notes: </p> <p> Notes: </p>
@@ -136,9 +146,6 @@ file. </p>
<li> <p> If you also want support for LDAP or TLS, you will have to merge <li> <p> If you also want support for LDAP or TLS, you will have to merge
their CCARGS and AUXLIBS into the above command line. </p> their CCARGS and AUXLIBS into the above command line. </p>
<li> <p> After this, proceed with "<tt>make</tt>" as described in the
INSTALL document. </p>
</ul> </ul>
<h2><a name="build_sasl">Building the Cyrus SASL library</a></h2> <h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
@@ -163,7 +170,7 @@ authentication method, specify ``./configure --enable-login''. </p>
<h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2> <h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
<p> To build Postfix with SASL authentication support, the following <p> The following
assumes that the Cyrus SASL include files are in /usr/local/include, assumes that the Cyrus SASL include files are in /usr/local/include,
and that the Cyrus SASL libraries are in /usr/local/lib. </p> and that the Cyrus SASL libraries are in /usr/local/lib. </p>
@@ -250,10 +257,24 @@ SMTP server</a></h2>
<p> Note: the SASL login names will be shared with the entire world. <p> Note: the SASL login names will be shared with the entire world.
</p> </p>
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
stuff". To accommodate such clients (in addition to conformant
clients) use the following: </p>
<blockquote>
<pre>
/etc/postfix/main.cf:
broken_sasl_auth_clients = yes
</pre>
</blockquote>
<h2><a name="server_dovecot">Dovecot SASL configuration for the <h2><a name="server_dovecot">Dovecot SASL configuration for the
Postfix SMTP server</a></h2> Postfix SMTP server</a></h2>
<p> On the Postfix side you need to specify the location of the <p> Dovecot SASL support is available in Postfix 2.3 and later. On
the Postfix side you need to specify the location of the
Dovecot authentication daemon socket. We use a pathname relative Dovecot authentication daemon socket. We use a pathname relative
to the Postfix queue directory, so that it will work whether or not to the Postfix queue directory, so that it will work whether or not
Postfix runs chrooted: </p> Postfix runs chrooted: </p>
@@ -286,8 +307,8 @@ Postfix queue is under /var/spool/postfix/. </p>
</pre> </pre>
</blockquote> </blockquote>
<p> See the Dovecot documentation for how to configure the Dovecot <p> See the Dovecot documentation for how to configure and operate
authentication server. </p> the Dovecot authentication server. </p>
<h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix <h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
SMTP server</a></h2> SMTP server</a></h2>
@@ -489,13 +510,6 @@ directory. </p>
<p> To run software chrooted with SASL support is an interesting <p> To run software chrooted with SASL support is an interesting
exercise. It probably is not worth the trouble. </p> exercise. It probably is not worth the trouble. </p>
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
stuff". To accommodate such clients in addition to conformant
clients, set "broken_sasl_auth_clients = yes" in the main.cf file.
</p>
<h2><a name="server_test">Testing SASL authentication in the Postfix <h2><a name="server_test">Testing SASL authentication in the Postfix
SMTP server</a></h2> SMTP server</a></h2>
@@ -505,9 +519,9 @@ client is shown in bold font. </p>
<blockquote> <blockquote>
<pre> <pre>
220 server.host.tld ESMTP Postfix 220 server.example.com ESMTP Postfix
<b>EHLO client.host.tld</b> <b>EHLO client.example.com</b>
250-server.host.tld 250-server.example.com
250-PIPELINING 250-PIPELINING
250-SIZE 10240000 250-SIZE 10240000
250-ETRN 250-ETRN
@@ -542,7 +556,8 @@ you can use one of the following commands: </p>
<p> The mmencode command is part of the metamail software. <p> The mmencode command is part of the metamail software.
MIME::Base64 is available from http://www.cpan.org/. </p> MIME::Base64 is available from http://www.cpan.org/. </p>
<p> When posting logs of the SASL negotiations to public lists, <p> Caution: when posting logs of the SASL negotiations to public
lists,
please keep in mind that username/password information is trivial please keep in mind that username/password information is trivial
to recover from the base64-encoded form. </p> to recover from the base64-encoded form. </p>
@@ -581,6 +596,7 @@ table. </p>
/etc/postfix/main.cf: /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
/etc/postfix/sasl_passwd: /etc/postfix/sasl_passwd:
foo.com username:password foo.com username:password
@@ -668,8 +684,8 @@ reject_unauthenticated_sender_login_mismatch, and revised the docs.
<li> Wietse made another iteration through the code to add <li> Wietse made another iteration through the code to add
plug-in support for multiple implementations. plug-in support for multiple implementations.
<li> The Dovecot plug-in was originally implemented by Timo Sirainen <li> The Dovecot SMTP server plug-in was originally implemented by
of Procontrol, Finland. Timo Sirainen of Procontrol, Finland.
</ul> </ul>

View File

@@ -92,21 +92,6 @@
/* /*
* The fail template is for permanent failure. * The fail template is for permanent failure.
*/ */
static const char *def_bounce_failure_body[];
static const BOUNCE_TEMPLATE def_bounce_failure_template = {
0,
BOUNCE_TMPL_CLASS_FAILURE,
"[built-in]",
"us-ascii",
MAIL_ATTR_ENC_7BIT,
MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
"Undelivered Mail Returned to Sender",
"Postmaster Copy: Undelivered Mail",
def_bounce_failure_body,
&def_bounce_failure_template,
};
static const char *def_bounce_failure_body[] = { static const char *def_bounce_failure_body[] = {
"This is the $mail_name program at host $myhostname.", "This is the $mail_name program at host $myhostname.",
"", "",
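Review bot: the reordering that drops the forward declaration `static const char *def_bounce_failure_body[];` is the substantive fix here and deserves a comment or changelog line: that declaration is a tentative definition of an incomplete array type with internal linkage, which the C standard does not allow and some compilers reject, so the body arrays must be defined before the template structs that reference them. The remaining self-reference `&def_bounce_failure_template,` inside the struct's own initializer is fine, since the object's name is in scope from its declarator onward.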
@@ -122,24 +107,22 @@ static const char *def_bounce_failure_body[] = {
0, 0,
}; };
/* static const BOUNCE_TEMPLATE def_bounce_failure_template = {
* The delay template is for delayed mail notifications.
*/
static const char *def_bounce_delay_body[];
static const BOUNCE_TEMPLATE def_bounce_delay_template = {
0, 0,
BOUNCE_TMPL_CLASS_DELAY, BOUNCE_TMPL_CLASS_FAILURE,
"[built-in]", "[built-in]",
"us-ascii", "us-ascii",
MAIL_ATTR_ENC_7BIT, MAIL_ATTR_ENC_7BIT,
MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)", MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
"Delayed Mail (still being retried)", "Undelivered Mail Returned to Sender",
"Postmaster Warning: Delayed Mail", "Postmaster Copy: Undelivered Mail",
def_bounce_delay_body, def_bounce_failure_body,
&def_bounce_delay_template &def_bounce_failure_template,
}; };
/*
* The delay template is for delayed mail notifications.
*/
static const char *def_bounce_delay_body[] = { static const char *def_bounce_delay_body[] = {
"This is the $mail_name program at host $myhostname.", "This is the $mail_name program at host $myhostname.",
"", "",
@@ -160,11 +143,34 @@ static const char *def_bounce_delay_body[] = {
0, 0,
}; };
static const BOUNCE_TEMPLATE def_bounce_delay_template = {
0,
BOUNCE_TMPL_CLASS_DELAY,
"[built-in]",
"us-ascii",
MAIL_ATTR_ENC_7BIT,
MAIL_ADDR_MAIL_DAEMON " (Mail Delivery System)",
"Delayed Mail (still being retried)",
"Postmaster Warning: Delayed Mail",
def_bounce_delay_body,
&def_bounce_delay_template
};
/* /*
* The success template is for "delivered", "expanded" and "relayed" success * The success template is for "delivered", "expanded" and "relayed" success
* notifications. * notifications.
*/ */
static const char *def_bounce_success_body[]; static const char *def_bounce_success_body[] = {
"This is the $mail_name program at host $myhostname.",
"",
"Your message was successfully delivered to the destination(s)",
"listed below. If the message was delivered to mailbox you will",
"receive no further notifications. Otherwise you may still receive",
"notifications of mail delivery errors from other systems.",
"",
" The $mail_name program",
0,
};
static const BOUNCE_TEMPLATE def_bounce_success_template = { static const BOUNCE_TEMPLATE def_bounce_success_template = {
0, 0,
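Review bot: the moved delay template ends its initializer with `&def_bounce_delay_template` and no trailing comma, while the failure, success and verify templates all end with `&def_bounce_..._template,`; since the line is being relocated anyway, add the comma for consistency. Also in this hunk, the relocated success body line "If the message was delivered to mailbox you will" reads better as "delivered to a mailbox", a pre-existing wording nit that is cheap to fix while the text is moving.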
@@ -179,23 +185,18 @@ static const BOUNCE_TEMPLATE def_bounce_success_template = {
&def_bounce_success_template, &def_bounce_success_template,
}; };
static const char *def_bounce_success_body[] = {
"This is the $mail_name program at host $myhostname.",
"",
"Your message was successfully delivered to the destination(s)",
"listed below. If the message was delivered to mailbox you will",
"receive no further notifications. Otherwise you may still receive",
"notifications of mail delivery errors from other systems.",
"",
" The $mail_name program",
0,
};
/* /*
* The "verify" template is for verbose delivery (sendmail -v) and for * The "verify" template is for verbose delivery (sendmail -v) and for
* address verification (sendmail -bv). * address verification (sendmail -bv).
*/ */
static const char *def_bounce_verify_body[]; static const char *def_bounce_verify_body[] = {
"This is the $mail_name program at host $myhostname.",
"",
"Enclosed is the mail delivery report that you requested.",
"",
" The $mail_name program",
0,
};
static const BOUNCE_TEMPLATE def_bounce_verify_template = { static const BOUNCE_TEMPLATE def_bounce_verify_template = {
0, 0,
@@ -210,15 +211,6 @@ static const BOUNCE_TEMPLATE def_bounce_verify_template = {
&def_bounce_verify_template, &def_bounce_verify_template,
}; };
static const char *def_bounce_verify_body[] = {
"This is the $mail_name program at host $myhostname.",
"",
"Enclosed is the mail delivery report that you requested.",
"",
" The $mail_name program",
0,
};
/* /*
* SLMs. * SLMs.
*/ */

View File

@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20051222" #define MAIL_RELEASE_DATE "20051223"
#define MAIL_VERSION_NUMBER "2.3" #define MAIL_VERSION_NUMBER "2.3"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@@ -26,8 +26,6 @@
/* plug-in type is selected with the \fBsmtpd_sasl_type\fR /* plug-in type is selected with the \fBsmtpd_sasl_type\fR
/* configuration parameter by specifying one of the names /* configuration parameter by specifying one of the names
/* listed below. /* listed below.
/*
/* This feature is available with Postfix 2.3 and later.
/* .RS /* .RS
/* .IP \fBcyrus\fR /* .IP \fBcyrus\fR
/* This server plug-in is available when Postfix is built with /* This server plug-in is available when Postfix is built with
@@ -36,18 +34,20 @@
/* This server plug-in requires the Dovecot authentication /* This server plug-in requires the Dovecot authentication
/* server. /* server.
/* .RE /* .RE
/* .IP
/* This feature is available with Postfix 2.3 and later.
/* .IP \fB-A\fR /* .IP \fB-A\fR
/* List the available SASL client plug-in types. The SASL /* List the available SASL client plug-in types. The SASL
/* plug-in type is selected with the \fBsmtp_sasl_type\fR or /* plug-in type is selected with the \fBsmtp_sasl_type\fR or
/* \fBlmtp_sasl_type\fR configuration parameters by specifying /* \fBlmtp_sasl_type\fR configuration parameters by specifying
/* one of the names listed below. /* one of the names listed below.
/*
/* This feature is available with Postfix 2.3 and later.
/* .RS /* .RS
/* .IP \fBcyrus\fR /* .IP \fBcyrus\fR
/* This client plug-in is available when Postfix is built with /* This client plug-in is available when Postfix is built with
/* Cyrus SASL support. /* Cyrus SASL support.
/* .RE /* .RE
/* .IP
/* This feature is available with Postfix 2.3 and later.
/* .IP "\fB-b\fR [\fItemplate_file\fR]" /* .IP "\fB-b\fR [\fItemplate_file\fR]"
/* Display the message text that appears at the beginning of /* Display the message text that appears at the beginning of
/* delivery status notification (DSN) messages, with $\fBname\fR /* delivery status notification (DSN) messages, with $\fBname\fR
@@ -281,7 +281,7 @@
#define SHOW_LOCKS (1<<5) /* show mailbox lock methods */ #define SHOW_LOCKS (1<<5) /* show mailbox lock methods */
#define SHOW_EVAL (1<<6) /* expand right-hand sides */ #define SHOW_EVAL (1<<6) /* expand right-hand sides */
#define SHOW_SASL_SERV (1<<7) /* show server auth plugin types */ #define SHOW_SASL_SERV (1<<7) /* show server auth plugin types */
#define SHOW_SASL_CLNT (1<<7) /* show client auth plugin types */ #define SHOW_SASL_CLNT (1<<8) /* show client auth plugin types */
/* /*
* Lookup table for in-core parameter info. * Lookup table for in-core parameter info.
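Review bot: this one-character change is the actual bug fix in the commit: `SHOW_SASL_CLNT` was defined as `(1<<7)`, the same bit as `SHOW_SASL_SERV`, so testing for the client flag also matched the server flag and `-A` produced the `-a` listing; `(1<<8)` gives it its own bit. To prevent a repeat, consider a comment on this macro block stating that each `SHOW_*` value must be a distinct bit, or an enum with an explicit shift per entry.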

View File

@@ -36,7 +36,7 @@
/* For convenience the constant NAME_CODE_FLAG_NONE requests /* For convenience the constant NAME_CODE_FLAG_NONE requests
/* no special processing. /* no special processing.
/* /*
/* str_name_code() translates a number to its equivalend string. /* str_name_code() translates a number to its equivalent string.
/* DIAGNOSTICS /* DIAGNOSTICS
/* When the search fails, the result is the "name not found" code /* When the search fails, the result is the "name not found" code
/* or the null pointer, respectively. /* or the null pointer, respectively.

View File

@@ -11,6 +11,14 @@
/* This module implements the Dovecot SASL server-side authentication /* This module implements the Dovecot SASL server-side authentication
/* plug-in. /* plug-in.
/* /*
/* .IP server_type
/* The plug-in type that was specified to xsasl_server_init().
/* The argument is ignored, because the Dovecot plug-in
/* implements only one plug-in type.
/* .IP path_info
/* The location of the Dovecot authentication server's UNIX-domain
/* socket. Note: the Dovecot plug-in uses late binding, therefore
/* all connect operations are done with Postfix privileges.
/* DIAGNOSTICS /* DIAGNOSTICS
/* Fatal: out of memory. /* Fatal: out of memory.
/* /*
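Review bot: the new `path_info` text says connect operations run with Postfix privileges because of late binding, but stops short of the operational consequence: the Dovecot authentication socket must be readable and writable by the unprivileged Postfix user, otherwise the only symptom is the `SASL: Connect to %s failed` warning from xsasl_dovecot_server_connect(). One sentence pointing at the required socket ownership or mode would save readers a trip through the logs.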
@@ -68,6 +76,12 @@
#define AUTH_PROTOCOL_MAJOR_VERSION 1 #define AUTH_PROTOCOL_MAJOR_VERSION 1
#define AUTH_PROTOCOL_MINOR_VERSION 0 #define AUTH_PROTOCOL_MINOR_VERSION 0
/*
* Encorce read/write time limits, so that we can produce accurate
* diagnostics instead of getting killed by the watchdog timer.
*/
#define AUTH_TIMEOUT 10
/* /*
* Class variables. * Class variables.
*/ */
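Review bot: typo in the new comment: "Encorce read/write time limits" should be "Enforce read/write time limits". It would also help to note that `AUTH_TIMEOUT` (10 seconds) is reused as both the connect timeout and the stream read/write timeout in xsasl_dovecot_server_connect(), so anyone tuning one knows they are tuning both.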
@@ -108,6 +122,8 @@ static int xsasl_dovecot_server_next(XSASL_SERVER *, const char *, VSTRING *);
static const char *xsasl_dovecot_server_get_mechanism_list(XSASL_SERVER *); static const char *xsasl_dovecot_server_get_mechanism_list(XSASL_SERVER *);
static const char *xsasl_dovecot_server_get_username(XSASL_SERVER *); static const char *xsasl_dovecot_server_get_username(XSASL_SERVER *);
/* xsasl_dovecot_server_connect - initial auth server handshake */
static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp) static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
{ {
const char *myname = "xsasl_dovecot_server_connect"; const char *myname = "xsasl_dovecot_server_connect";
@@ -120,13 +136,15 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
if (msg_verbose) if (msg_verbose)
msg_info("%s: Connecting", myname); msg_info("%s: Connecting", myname);
if ((fd = unix_connect(xp->socket_path, BLOCKING, 0)) < 0) { if ((fd = unix_connect(xp->socket_path, BLOCKING, AUTH_TIMEOUT)) < 0) {
msg_warn("SASL: Connect to %s failed: %m", xp->socket_path); msg_warn("SASL: Connect to %s failed: %m", xp->socket_path);
return (-1); return (-1);
} }
sasl_stream = vstream_fdopen(fd, O_RDWR); sasl_stream = vstream_fdopen(fd, O_RDWR);
vstream_control(sasl_stream, VSTREAM_CTL_PATH, vstream_control(sasl_stream,
xp->socket_path, VSTREAM_CTL_END); VSTREAM_CTL_PATH, xp->socket_path,
VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT,
VSTREAM_CTL_END);
vstream_fprintf(sasl_stream, vstream_fprintf(sasl_stream,
"VERSION\t%u\t%u\n" "VERSION\t%u\t%u\n"
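Review bot: with `VSTREAM_CTL_TIMEOUT, AUTH_TIMEOUT` set on `sasl_stream`, a stalled authentication server now shows up as a read or write error on the stream instead of the watchdog killing the process, which is the intent stated in the `AUTH_TIMEOUT` comment; the handshake code that reads the reply after this `vstream_fprintf()` should therefore distinguish a timeout (the stream's timeout flag) from a malformed reply in its warning text, so an operator can tell a hung Dovecot from a protocol mismatch.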
@@ -192,6 +210,8 @@ static int xsasl_dovecot_server_connect(XSASL_DOVECOT_SERVER_IMPL *xp)
return (0); return (0);
} }
/* xsasl_dovecot_server_disconnect - dispose of server connection state */
static void xsasl_dovecot_server_disconnect(XSASL_DOVECOT_SERVER_IMPL *xp) static void xsasl_dovecot_server_disconnect(XSASL_DOVECOT_SERVER_IMPL *xp)
{ {
if (xp->sasl_stream) { if (xp->sasl_stream) {