Mail Server (iii)--centos6.5 installation configuration Dovecot and implement SASL authentication function

I. Installation Configuration Dovecot

1.dovecot Introduction

Dovecot is an open source IMAP and POP3 mail server that supports four protocols: POP3 (110/TCP), IMAP4 (143/TCP), pop3s, Imaps. Pop/imap is the protocol that MUA uses when it reads messages from the mail server. Where, with POP3 is downloaded from the mail server to save the message, IMAP4 is to leave the message on the server side directly to the mail management, operation.

2. Installing Dovecot

# yum Install Dovecot-y

3. Configure Dovecot

# vim/etc/dovecot.conf

Enable and modify the following parameters

protocols = IMAP POP3

4. Start the service and let it boot

# service Dovecot start# chkconfig dovecot on

Two. Enable CYRUS-SASL-based authentication for Postfix
1. Start the SASL service and let it boot

# VIM/ETC/SYSCONFIG/SASLAUTHD

Modify the SASL service configuration file to modify the SASL authentication mechanism to Shadow

Mech=shadow

Note: saslauthd-v: Displays the authentication mechanism supported by the current host SASLAUTHD service, the default is Pam

# service SASLAUTHD start# chkconfig SASLAUTHD on

2. Test whether user authentication can be achieved

# testsaslauthd-u username-p Password

3. Implement Postfix client-based access control
1), client-based access control overview
Postfix includes a variety of anti-spam mechanisms, including "clients" to send mail restrictions. Client identification mechanism can set a series of customer information criteria:
Smtpd_client_restrictions: Defining Client Connection Qualification
Smtpd_data_restrictions: Defines whether data is allowed to be sent (that is, the database phase)
Smtpd_helo_restrictions: Defines whether to allow the sending of Hello information (that is, the helo phase)
Smtpd_recipient_restrictions: Defines whether to allow messages to be sent to (that is, rcpt to stage)
Smtpd_sender_restrictions: Defines whether to allow outgoing mail (that is, the mail from stage)

Each of the above parameters is used to examine a specific stage in the SMTP session, which is the stage where the client provides the appropriate information, such as when a client initiates a connection request, Postfix can be based on the Smtpd_client_ defined in the configuration file The restrictions parameter to determine the access rights for this client IP. Accordingly, Smtpd_helo_restrictions is used to discriminate the client's access ability according to the user's helo information and so on.

If everything before the data command is accepted, the client can then start transmitting the message content. The message content usually consists of two parts, the first half is the title (header), it can be filtered by Header_check, the second part is the message body (body), which can be filtered by check_body. These two implementations are the message "content check".

The default configuration for Postfix is as follows:
Smtpd_client_restrictions =
Smtpd_data_restrictions =
Smtpd_end_of_data_restrictions =
Smtpd_etrn_restrictions =
Smtpd_helo_restrictions =
Smtpd_recipient_restrictions = Permit_mynetworks, reject_unauth_destination
Smtpd_sender_restrictions =
This limits the ability of the open relay (open relay) to be turned off for clients in the local network that are defined in the Mynetworks parameter to forward messages through Postfix, while others are not allowed.

Postfix has several built-in restrictions, such as the Permit_mynetworks and reject_unauth_destination above, but administrators can also use Access maps to customize restrictions. The conditions for customizing access tables are usually performed using Check_client_access, Check_helo_access, Check_sender_access, check_recipient_access, followed by the type: The Access table type and name in the mapname format. Check_sender_access and check_recipient_access are used to check the email address provided by the client, so the full email address can be used in the Access table, such as [email protected], or only the domain name can be used. such as magedu.com, can also only the user name of the part, such as [email protected].

2), implementation Example 1
Here to prohibit 172.16.100.200 this host by working on 172.16.100.1 on the Postfix service to send mail as an example demonstrates its implementation process. The Access table uses a hash format.

(1) First, edit the/etc/postfix/access file as the control file for the client check, and define the following line in it:
172.16.100.200 REJECT

(2) Convert this file to hash format

# postmap/etc/postfix/access

(3) configuration postfix Use this file to check the client
To edit the/etc/postfix/main.cf file, add the following parameters:
Smtpd_client_restrictions = check_client_access hash:/etc/postfix/access

(4) Let postfix reload the configuration file can be sent to control the effect of testing.

3), implementation Example 2
The implementation process is demonstrated here as an example of a ban on sending mail to the Microsoft.com domain through this server. The Access table uses a hash format.
(1) First, the establishment of the/etc/postfix/denydstdomains file (file name), in the definition of the following line:
Microsoft.com REJECT

(2) Convert this file to hash format

# Postmap/etc/postfix/denydstdomains

(3) configuration postfix Use this file to check the client
To edit the/etc/postfix/main.cf file, add the following parameters:
Smtpd_recipient_restrictions = Check_recipient_access hash:/etc/postfix/denydstdomains, Permit_mynetworks, reject_ Unauth_destination (order will have an effect on the result)

(4) Let postfix reload the configuration file can be sent to control the effect of testing.

4), check the table format description
The hash class checklist uses a format similar to the following:
Pattern action

In the Check table file, blank lines, only white space characters closest, and lines beginning with # are ignored. Rows preceded by whitespace characters followed by other non-whitespace characters are considered continuations of the previous row and are part of a row.

(1) About pattern
The pattern usually has two types of addresses: Mail address and host name/address.

The pattern format for the e-mail address is as follows:
[email protected] to match the specified email address;
Domain.tld is used to match all email addresses with this domain name as part of the domain name in the mail address;
[email protected] is used to match all email addresses as part of the user name in the email address;

The pattern format of the host name/address is as follows:
Domain.tld is used to match all hosts within the specified domain and its sub-domains;
. Domain.tld is used to match all hosts within the subdomain of the specified domain;
Net.work.addr.ess
Net.work.addr
Net.work
NET is used to match a specific IP address or all hosts within the network;
Network/mask CIDR format to match all hosts within a specified network;

(2) About action
To accept the action of a class:
OK to accept the e-mail address or host name/address of the pattern match;
An action that consists entirely of numbers implicitly indicates OK;

Reject the action of the Class (part):
4NN text
5NN text
Where the 4NN class represents a retry after a while, the 5NN class represents a critical error, the retry message is stopped, and 421 and 521 have special meanings for postfix, so try not to customize the two codes;
REJECT Optional Text ... Reject; text is optional information;
DEFER Optional Text ... Reject; text is optional information;

4. Enable CYRUS-SASL-based authentication for Postfix
Use the following command to verify that the postfix supports Cyrus-style SASL authentication, which is supported if your output is the following:
#/usr/local/postfix/sbin/postconf-a
Cyrus
Dovecot

# VIM/ETC/POSTFIX/MAIN.CF

Add the following content:
########################### #CYRUS-sasl############################
Broken_sasl_auth_clients = yes: Verify client identity through SASL
Smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_invalid_hostname,reject_non_ Fqdn_hostname,reject_unknown_sender_domain,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_ Recipient_domain,reject_unauth_pipelining,reject_unauth_destination
Smtpd_sasl_auth_enable = yes: Enable SASL authentication feature
Smtpd_sasl_local_domain = $myhostname
Smtpd_sasl_security_options = noanonymous: Anonymous user not supported
Smtpd_sasl_application_name = smtpd: Which application uses SASL functionality (obsolete after 2.3 version, instead of Smtpd_sasl_path = smtpd)
Smtpd_banner = Welcome to We $myhostname esmtp,warning:version not available!:telnet display information when connected

# vim/usr/lib/sasl2/smtpd.conf

Add the following content:
Pwcheck_method:saslauthd
Mech_list:plain LOGIN

Let postfix reload the configuration file

#/usr/sbin/postfix reload# telnet localhost 25Trying 127.0.0.1...Connected to Localhost.localdomain (127.0.0.1). Escape character is ' ^] '. Welcome to our mail.magedu.com esmtp,warning:version not Available!ehlo mail.magedu.com250-m Ail.magedu.com250-pipelining250-size 10240000250-vrfy250-etrn250-auth PLAIN login250-auth=plain LOGIN (make sure that your Output to resemble two lines) 250-enhancedstatuscodes250-8bitmime250 DSN

Mail Server (iii)--centos6.5 installation configuration Dovecot and implement SASL authentication function