1. First, enable Cyrus SASL-based authentication for Postfix.
In /etc/sysconfig/saslauthd, change
MECH=pam
to
MECH=shadow
Start saslauthd:
# service saslauthd start
Verify that a system account's password can be used to authenticate:
# testsaslauthd -u user -p passwd
If authentication succeeds, the output is: 0: OK "Success."
If authentication fails, the output is: 0: NO "authentication failed". In that case there are two likely causes:
one is a wrong option in the configuration file, so check the configuration file again;
the other is SELinux blocking saslauthd from reading /etc/shadow. Either set SELinux to permissive mode
or run setsebool -P allow_saslauthd_read_shadow 1 to lift that restriction.
2. Use the following command to verify that Postfix supports Cyrus-style SASL authentication; it is supported if the output contains cyrus:
# postconf -a
cyrus
dovecot
If cyrus is not in the output, the likely cause is that Postfix was compiled without Cyrus SASL, or the SASL library path is wrong (on 64-bit systems the library path is /usr/lib64/sasl2).
3. # vim /etc/postfix/main.cf
Add the following content:
########################### cyrus-sasl ############################
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_application_name = smtpd
smtpd_sasl_path = smtpd
smtpd_banner = Welcome to our $myhostname esmtp,warning:version not available!
Note: in newer versions the smtpd.conf file lives in the /etc/sasl2/ directory.
# vim /etc/sasl2/smtpd.conf
Add the following content:
pwcheck_method: saslauthd
mech_list: plain login
Have Postfix reload its configuration:
# /usr/sbin/postfix reload
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Welcome to our mail.fei.com esmtp,warning:version not available!
EHLO mail.fei.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN (make sure your output contains these two lines; they show that SASL support is really active)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN (log in using password authentication)
334 VXNlcm5hbWU6
ZmVp (the base64-encoded user name; base64 is an encoding, not encryption)
334 UGFzc3dvcmQ6
OTEwMzIz (the base64-encoded password)
235 2.7.0 Authentication successful
MAIL FROM:[email protected]
250 2.1.0 Ok
RCPT TO:[email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
This is a test mail.
.
250 2.0.0 Ok: queued as 7b0ea1a0b42
The test shows that the message is sent normally.
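The AUTH LOGIN exchange in the telnet session above, replayed as an added example (not code from the original post): a minimal server-side state machine for SMTP AUTH LOGIN, a client that drives it, and a function that decodes a captured transcript. The credential store CREDENTIALS is constructed here to stand in for the saslauthd check against /etc/shadow; the user name and password are the ones whose base64 forms appear in the session above. It shows why the two 334 challenges decode to "Username:" and "Password:", and that anyone who captures the session on the wire recovers the password, since base64 is reversible.

```python
import base64

# Constructed stand-in for saslauthd's lookup against /etc/shadow (pwcheck_method: saslauthd).
CREDENTIALS = {"fei": "910323"}


def b64(text: str) -> str:
    """base64-encode a string as the AUTH LOGIN exchange does (encoding only, no secrecy)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(text: str) -> str:
    """Decode one AUTH LOGIN line; raises ValueError on bad padding or non-base64 characters."""
    return base64.b64decode(text.encode("ascii"), validate=True).decode("utf-8")


class AuthLoginServer:
    """Server side of SMTP AUTH LOGIN: challenge for the user name, then the password,
    then answer 235 (success) or 535 (failure), as Postfix does on port 25."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.state = "idle"
        self.username = None

    def handle(self, line: str) -> str:
        if self.state == "idle":
            if line.strip().upper() != "AUTH LOGIN":
                return "500 5.5.2 Error: command not recognized"
            self.state = "want_user"
            return "334 " + b64("Username:")
        try:
            value = unb64(line.strip())
        except (ValueError, UnicodeDecodeError):
            self.state = "idle"
            return "501 5.5.2 Cannot decode response"
        if self.state == "want_user":
            self.username = value
            self.state = "want_pass"
            return "334 " + b64("Password:")
        # want_pass: compare against the credential store and reset for the next attempt
        self.state = "idle"
        if self.credentials.get(self.username) == value:
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Error: authentication failed"


def auth_login(server: AuthLoginServer, username: str, password: str):
    """Client side: send AUTH LOGIN, then the base64 user name and password.
    Returns the transcript as (sent, reply) pairs."""
    transcript = []
    for sent in ("AUTH LOGIN", b64(username), b64(password)):
        transcript.append((sent, server.handle(sent)))
    return transcript


def recover_credentials(transcript):
    """What a passive observer of an unencrypted session learns: decode the two client
    responses that follow the Username:/Password: challenges."""
    user = unb64(transcript[1][0])
    password = unb64(transcript[2][0])
    return user, password


if __name__ == "__main__":
    for sent, reply in auth_login(AuthLoginServer(CREDENTIALS), "fei", "910323"):
        print("C:", sent)
        print("S:", reply)
```

Because the password is recoverable from the transcript, a deployment that offers PLAIN and LOGIN should only do so over TLS; in Postfix that is the purpose of smtpd_tls_auth_only = yes together with a configured certificate.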
II. Implementing Postfix client-based access control
1. Overview of client-based access control
Postfix includes a variety of anti-spam mechanisms, among them restrictions on the "clients" that send mail. The client identification mechanism can apply a series of criteria to the information a client supplies:
smtpd_client_restrictions
smtpd_data_restrictions
smtpd_helo_restrictions
smtpd_recipient_restrictions
smtpd_sender_restrictions
Each of these parameters examines a specific stage of the SMTP session, namely the stage at which the client supplies the corresponding information. For example, when a client opens a connection, Postfix uses the smtpd_client_restrictions parameter defined in the configuration file to decide the access rights of that client IP address. Likewise, smtpd_helo_restrictions decides the client's access according to the HELO information it sends, and so on.
If everything before the DATA command is accepted, the client can then start transmitting the message content. The message content usually consists of two parts: the first is the header, which can be filtered with header_checks, and the second is the message body, which can be filtered with body_checks. Together these two implement message "content checking".
The default /etc/postfix/main.cf configuration for Postfix is as follows:
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_end_of_data_restrictions =
smtpd_etrn_restrictions =
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_sender_restrictions =
This closes the open relay: only clients in the local networks defined by the mynetworks parameter may relay messages through Postfix, and everyone else is refused.
Postfix has several built-in restrictions, such as the permit_mynetworks and reject_unauth_destination above, but administrators can also use access maps to define custom restrictions. A custom access-table condition is usually written as check_client_access, check_helo_access, check_sender_access or check_recipient_access, followed by the access table's type and name in the form type:mapname. check_sender_access and check_recipient_access check the e-mail address supplied by the client, so the access table may contain a full e-mail address such as [email protected], only the domain name such as magedu.com, or only the user-name part such as [email protected].
Access table: /etc/postfix/access
2. Implementation example 1
This example prohibits the host 192.168.10.11 from sending mail through the Postfix service running on 192.168.10.1, and demonstrates the implementation process. The access table uses the hash format.
(1) First, edit the /etc/postfix/access file as the control file for the client check, and define the following line in it:
192.168.10.11 REJECT
(2) Convert this file to hash format:
# postmap /etc/postfix/access
(3) Configure Postfix to use this file to check clients.
Edit the /etc/postfix/main.cf file and add the following parameter:
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
(4) Have Postfix reload its configuration and test the effect of the sending control; you can see that the client is refused when it tries to send mail.
3. Implementation example 2
This example bans sending mail to the microsoft.com domain through this server, and demonstrates the implementation process. The access table uses the hash format.
(1) First, create the file /etc/postfix/denydstdomains (the file name is arbitrary) and define the following line in it:
microsoft.com REJECT
(2) Convert this file to hash format:
# postmap /etc/postfix/denydstdomains
(3) Configure Postfix to use this file to check recipients.
Edit the /etc/postfix/main.cf file and add the following parameter:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/denydstdomains, permit_mynetworks, reject_unauth_destination
(4) Have Postfix reload its configuration and test the effect of the sending control; you can see that sending is indeed refused when the recipient is in the microsoft.com domain.
4. Description of the check table format
A hash-type check table uses a format similar to the following:
pattern action
In the check table file, blank lines, lines containing only whitespace, and lines beginning with # are ignored. A line that begins with whitespace followed by other non-whitespace characters is treated as a continuation of the previous line and forms part of that logical line.
(1) About pattern
The pattern is usually one of two kinds of address: an e-mail address, or a host name/address.
The pattern formats for e-mail addresses are as follows:
[email protected] matches the specified e-mail address;
domain.tld matches all e-mail addresses whose domain part is this domain name;
[email protected] matches all e-mail addresses whose user-name part is this user name;
The pattern formats for host names/addresses are as follows:
domain.tld matches all hosts within the specified domain and its sub-domains;
.domain.tld matches all hosts within the sub-domains of the specified domain;
net.work.addr.ess
net.work.addr
net.work
net match a specific IP address, or all hosts within the network given by the prefix;
network/mask, in CIDR format, matches all hosts within the specified network;
(2) About action
Accept-class actions:
OK accepts the e-mail address or host name/address matched by the pattern;
an action that consists entirely of digits implicitly means OK;
Reject-class actions (in part):
4NN text
5NN text
where the 4NN class means the client should retry after a while, and the 5NN class means a critical error, so retrying the message stops; 421 and 521 have special meanings for Postfix, so avoid using these two codes in custom actions;
REJECT optional text ... rejects; the text is optional information;
DEFER optional text ... rejects; the text is optional information;
This article is from the "No Flying World" blog, please be sure to keep this source http://hf1208.blog.51cto.com/8957433/1728832
Linux (CentOS) postfix server SASL authentication and CYRUS-SASL-based access control