
Re: postfix with SASL over PAM



Hi Jose,

> Postfix is not in a chroot jail, and (I forgot to mention this) the
> user postfix is in the shadow group.

I recommend running postfix chrooted and using pwcheck for
authentication.

Here is a quick guide to how I did it:

Make sure the following packages are installed...

postfix-tls sasl-bin libsasl-modules-plain libsasl2 libsasl-gssapi-mit
libsasl-digestmd5-des

I'm using pwcheck, so since we're running postfix chrooted we have to
link /var/spool/postfix/var/run/pwcheck to /var/run/pwcheck and of
course create it.

mkdir -p /var/spool/postfix/var/run/pwcheck
chown postfix:root /var/spool/postfix/var/run/pwcheck/
chmod 700  /var/spool/postfix/var/run/pwcheck/
ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck

Launch /usr/sbin/pwcheck - you may want to write a little start/stop
script for /etc/init.d/pwcheck (don't forget to include the symlink in
it!)

Use 'pwcheck_method: pwcheck' in /etc/postfix/sasl/smtpd.conf

In main.cf I have:

smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
smtpd_recipient_restrictions = reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_maps_rbl,
        reject_unauth_pipelining,
        check_relay_domains

That should be all...

-- 
Regards
Thomas Kramer
mailto:newsletter@tmkis.com
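
The directory, ownership, mode and symlink steps from the message above, written as a check that can be run after setup or from the init script. This is an added example, not part of the original message; it assumes GNU coreutils (stat -c, readlink -f), and the function name and its ROOT and OWNER parameters are hypothetical.

```shell
#!/bin/sh
# Added example: audit the chrooted pwcheck socket directory layout.
# Assumes GNU coreutils (stat -c, readlink -f).

# check_pwcheck_chroot [ROOT] [OWNER]
#   ROOT  - filesystem prefix, empty on the live system (hypothetical, for testing)
#   OWNER - expected owner of the socket directory, default "postfix"
# Prints one line per finding; returns 0 when the layout matches, 1 otherwise.
check_pwcheck_chroot() {
    root=${1:-}
    owner=${2:-postfix}
    dir="$root/var/spool/postfix/var/run/pwcheck"
    link="$root/var/run/pwcheck"
    rc=0

    # The socket directory must be a real directory inside the chroot
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "FAIL: $dir is not a real directory"
        return 1
    fi

    # Mode 700: only the owner may reach the pwcheck socket
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir has mode $mode, expected 700"
        rc=1
    fi

    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual, expected $owner"
        rc=1
    fi

    # /var/run/pwcheck must be a symlink resolving to the chroot directory
    if [ ! -L "$link" ]; then
        echo "FAIL: $link is not a symlink"
        rc=1
    elif [ "$(readlink -f "$link")" != "$(readlink -f "$dir")" ]; then
        echo "FAIL: $link points to $(readlink "$link"), not $dir"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: pwcheck socket directory layout matches"
    fi
    return "$rc"
}
```

On the mail host, call `check_pwcheck_chroot` with no arguments after sourcing the file; a non-zero return means one of the steps was missed or has drifted.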



