Postfix mailbox (iv): Install Cyrus-SASL to enable SMTP authentication in Postfix


Note: in this setup Postfix performs SMTP authentication through Cyrus-SASL, which in turn asks Courier's authdaemond (via its local socket) to verify the account credentials.

Postfix's built-in restrictions and filtering capabilities are explained in the second part of this article.


First, install and configure Cyrus-SASL

1. Cyrus-SASL is already installed on the system by default:

[root@mail ~]# rpm -qa | grep cyrus-sasl
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-md5-2.1.23-13.el6_3.1.x86_64


2. Configure Cyrus-SASL

[root@mail ~]# vi /etc/sasl2/smtpd.conf
#pwcheck_method: saslauthd
#mech_list: plain login
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /usr/local/var/spool/authdaemon/socket
[root@mail ~]# chmod 755 /usr/local/var/spool/authdaemon

The chmod lets the unprivileged postfix user (which smtpd runs as) traverse the directory to reach the authdaemond socket; it also lets every other local user reach it, so on a shared host prefer adding the postfix user to the directory's group instead of opening the directory to everyone.

Note: on some systems the authdaemond socket is at /var/spool/authdaemon/socket.


3. Configure Postfix

[root@mail ~]# vi /etc/postfix/main.cf
# SMTP recipient restrictions
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_invalid_hostname
# SMTP sender restrictions
smtpd_sender_restrictions =
        permit_mynetworks,
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch
# SMTP sender login maps (which accounts may use which MAIL FROM addresses)
smtpd_sender_login_maps =
        mysql:/etc/postfix/mysql_virtual_sender_maps.cf,
        mysql:/etc/postfix/mysql_virtual_alias_maps.cf
# SMTP authentication
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
[root@mail ~]# service postfix restart

Note: the restrictions above are Postfix's built-in access controls, explained in detail in the second part. Two things to keep in mind: reject_sender_login_mismatch is the union of the authenticated and unauthenticated variants, so listing all three is redundant but harmless; and PLAIN and LOGIN transmit the password Base64-encoded, not encrypted, so anyone on the network path can read it. On a server reachable from the Internet, offer AUTH only inside TLS (smtpd_tls_auth_only = yes, after setting smtpd_tls_cert_file and smtpd_tls_key_file), which this article does not cover.


4. Test SMTP Authentication

Use MIME::Base64 to Base64-encode the email account and password:

[root@mail ~]# perl -e 'use MIME::Base64; print encode_base64("postmaster\@yourmail.com")'
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=
[root@mail ~]# perl -e 'use MIME::Base64; print encode_base64("extmail")'
ZXh0bWFpbA==

Testing locally requires the telnet client:

[root@mail ~]# yum install -y telnet
[root@mail ~]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.eplantstore.com ESMTP Postfix - by eplantstore.com
ehlo localhost                              # send the EHLO greeting
250-mail.eplantstore.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN                        # AUTH is advertised: Postfix SASL support is active
250-AUTH=PLAIN LOGIN                        # legacy form for old clients (broken_sasl_auth_clients = yes); Cyrus-SASL handles the mechanisms
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login                                  # start LOGIN authentication
334 VXNlcm5hbWU6                            # "Username:" in Base64
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=           # enter the Base64-encoded account
334 UGFzc3dvcmQ6                            # "Password:" in Base64
ZXh0bWFpbA==                                # enter the Base64-encoded password
235 2.7.0 Authentication successful         # authentication succeeded
quit
221 2.0.0 Bye
Connection closed by foreign host.


Conclusion: the exchange above shows that Postfix accepted the AUTH LOGIN command and verified the account through Cyrus-SASL.
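The dialog above is worth reproducing in code, both to script the test and to see exactly what a passive observer on the wire obtains. The following Python is an added example, not part of the original article and not code from Postfix or Cyrus-SASL: it builds the AUTH LOGIN and AUTH PLAIN client lines and recovers the account and password from a captured plaintext session. The transcript it parses is constructed from the session above; the account, password and host name are the article's test values, not real credentials.

```python
import base64
import re

# Constructed transcript modelled on the telnet session in the article;
# the Base64 values are the article's own test account and password.
SAMPLE_TRANSCRIPT = """\
220 mail.eplantstore.com ESMTP Postfix
ehlo localhost
250-mail.eplantstore.com
250-AUTH PLAIN LOGIN
250 DSN
auth login
334 VXNlcm5hbWU6
cG9zdG1hc3RlckB5b3VybWFpbC5jb20=
334 UGFzc3dvcmQ6
ZXh0bWFpbA==
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
"""


def b64(text):
    return base64.b64encode(text.encode()).decode()


def auth_login_lines(user, password):
    """The two lines a client types after 'AUTH LOGIN', answering the
    '334 VXNlcm5hbWU6' (Username:) and '334 UGFzc3dvcmQ6' (Password:) prompts."""
    return [b64(user), b64(password)]


def auth_plain_line(user, password, authzid=""):
    """AUTH PLAIN with an initial response: base64(authzid NUL authcid NUL password),
    the form most mail clients send when the server advertises PLAIN."""
    return "AUTH PLAIN " + b64(f"{authzid}\0{user}\0{password}")


def extract_credentials(transcript):
    """Recover (mechanism, user, password) from a captured plaintext SMTP session.
    Handles LOGIN (two challenges) and PLAIN (initial response or one challenge).
    Returns None unless the server answered 235 (authentication succeeded)."""
    lines = [l.strip() for l in transcript.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"(?i)^auth\s+(login|plain)(?:\s+(\S+))?$", line)
        if not m:
            continue
        mech, initial = m.group(1).upper(), m.group(2)
        rest = lines[i + 1:]
        if not any(l.startswith("235") for l in rest):
            return None
        # the client's answers are the lines that are not server replies
        answers = [l for l in rest if not l.startswith("334") and not l.startswith("235")]
        if mech == "PLAIN":
            if initial is None:
                if not answers:
                    return None
                initial = answers[0]
            parts = base64.b64decode(initial).split(b"\0")
            if len(parts) != 3:
                return None
            return mech, parts[1].decode(), parts[2].decode()
        if len(answers) < 2:
            return None
        user = base64.b64decode(answers[0]).decode()
        password = base64.b64decode(answers[1]).decode()
        return mech, user, password
    return None
```

Run against a real capture of port 25 traffic, extract_credentials gives the same answer as the console above, which is the practical reason to advertise AUTH only inside a TLS session.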



Second, Postfix's own mail filtering

1. Access tables

(1) Access table types

    • check_client_access maptype:mapname

Looks up the client host name (and its parent domains) and the client IP address (and shorter network prefixes), e.g.

192.168.1.100

10.188

    • check_helo_access maptype:mapname

Looks up the host name given in the HELO/EHLO command

    • check_recipient_access maptype:mapname

Looks up the recipient address; the key forms from access(5) are

user@domain

domain (by default this also matches subdomains)

user@

    • check_sender_access maptype:mapname

Looks up the sender address, with the same key forms

user@domain

domain

user@

(2) Actions

    • OK

Accept: the restriction returns PERMIT and the rest of the list is not consulted

    • REJECT

Reject with the default reply

    • REJECT message-text

Reject; message-text is returned to the client with the rejection and written to the log (the same applies to the actions below)

    • DUNNO

Stop searching this table and continue with the next restriction in the list

    • HOLD message-text

Accept the message but place it in the hold queue

    • DISCARD message-text

Postfix drops the message but tells the client it was accepted successfully

    • 4NN message-text

Return the given 4xx code and text to the client: a temporary rejection, the client should retry later

    • 5NN message-text

Return the given 5xx code and text to the client: a permanent rejection

(3) Example usage

Reference the access tables from main.cf:

[root@mail ~]# vi /etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/client_access
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_access

If a parameter appears twice in main.cf the last setting wins, so written like this these lines would replace the smtpd_sender_restrictions and smtpd_recipient_restrictions from part one. In practice, add the check_*_access entries to those existing lists, and keep reject_unauth_destination in smtpd_recipient_restrictions: without it the server relays for anyone, and Postfix refuses to start.

Create the access tables:

[root@mail ~]# vi /etc/postfix/client_access
10.188           REJECT
192.168.1.100    REJECT
[root@mail ~]# vi /etc/postfix/sender_access
user@example.com   REJECT
user@              REJECT
abc.example.com    REJECT

(The addresses and actions of the original sender_access entries did not survive extraction; the entries above show the three access(5) key forms, user@domain, user@ and domain, with REJECT as an assumed action.)

Convert them to indexed database format (rerun postmap every time an access table is edited, or the change has no effect):

[root@mail ~]# postmap /etc/postfix/client_access
[root@mail ~]# postmap /etc/postfix/sender_access


2. Built-in restrictions

    • permit_auth_destination

Permit when the recipient domain is one this server accepts mail for: $mydestination, $inet_interfaces/$proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains or $relay_domains; otherwise return DUNNO

    • permit_mynetworks

Permit when the client IP address lies within $mynetworks

    • reject_unauth_destination

The converse of permit_auth_destination: reject unless the recipient domain is in that set. This is what stops the server relaying for strangers, so it belongs in smtpd_recipient_restrictions after the permit_* entries for trusted clients

    • reject_invalid_hostname

Reject (501) when the host name in the HELO/EHLO command is syntactically invalid

    • reject_non_fqdn_hostname

Reject (504) when the HELO/EHLO host name is not a fully qualified domain name

    • reject_non_fqdn_recipient

Reject (504) when the domain part of the recipient address is not fully qualified

    • reject_non_fqdn_sender

Reject (504) when the domain part of the sender address is not fully qualified

    • reject_unauth_pipelining

Reject when the client sends SMTP commands ahead of time without having been allowed to pipeline; this catches bulk-mail software that does not wait for replies

    • reject_unknown_client

Reject when the client IP address has no PTR record, or the name it maps to does not resolve back to that address

    • reject_unknown_hostname

Reject when the HELO/EHLO host name has no A or MX record

    • reject_unknown_recipient_domain

Reject when the domain part of the recipient address has no valid A or MX record

    • reject_unknown_sender_domain

Reject when the domain part of the sender address has no valid A or MX record

(Newer Postfix releases call the HELO and client checks reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname and reject_unknown_client_hostname; the old names above still work.)
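To see how the access tables of section 1 and the restriction order of section 2 combine, here is an added Python model of the lookup and evaluation rules (example code written for this page, not Postfix's own implementation): it generates the access(5) lookup keys for a client and for an address, and walks a restriction list the way smtpd does, first non-DUNNO result wins, exhausted list permits. The tables, networks and domains are assumed values, and only the restrictions used in the article's main.cf are modelled.

```python
import ipaddress

# Constructed lookup tables standing in for hash:/etc/postfix/client_access and
# hash:/etc/postfix/sender_access. Keys use the access(5) forms: IP or network
# prefix, host/domain name, user@domain, domain, user@.
CLIENT_ACCESS = {"10.188": "REJECT", "192.168.1.100": "REJECT", "mx.partner.example": "OK"}
SENDER_ACCESS = {"spammer@": "REJECT", "abc.example.com": "REJECT", "boss@example.com": "DUNNO"}

# Assumed values for this example: the domains the server accepts mail for
# (mydestination, virtual_*_domains, relay_domains) and the trusted networks (mynetworks).
AUTH_DESTINATIONS = {"eplantstore.com", "example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]


def client_keys(ip, hostname):
    """Keys tried by check_client_access: the client host name and its parent domains,
    then the full IP and shorter dotted prefixes (net.work.addr, net.work, net)."""
    labels = hostname.split(".") if hostname not in ("", "unknown") else []
    keys = [".".join(labels[i:]) for i in range(len(labels))]
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(len(octets), 0, -1)]
    return keys


def address_keys(addr):
    """Keys tried by check_sender_access / check_recipient_access:
    user@domain, the domain and its parent domains, then user@."""
    user, _, domain = addr.partition("@")
    labels = domain.split(".")
    return [addr] + [".".join(labels[i:]) for i in range(len(labels))] + [user + "@"]


def lookup(table, keys):
    """First key present wins; an absent key behaves like DUNNO."""
    for k in keys:
        if k in table:
            return table[k]
    return "DUNNO"


def evaluate(restrictions, client_ip, client_host, sender, recipient, authenticated=False):
    """Walk a restriction list the way smtpd does: the first restriction that returns
    something other than DUNNO decides, and an exhausted list permits.
    Returns (result, name of the restriction that decided)."""
    rcpt_domain = recipient.partition("@")[2]
    for r in restrictions:
        if r == "permit_mynetworks":
            ip = ipaddress.ip_address(client_ip)
            result = "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"
        elif r == "permit_sasl_authenticated":
            result = "OK" if authenticated else "DUNNO"
        elif r == "permit_auth_destination":
            result = "OK" if rcpt_domain in AUTH_DESTINATIONS else "DUNNO"
        elif r == "reject_unauth_destination":
            result = "DUNNO" if rcpt_domain in AUTH_DESTINATIONS else "REJECT"
        elif r.startswith("check_client_access"):
            result = lookup(CLIENT_ACCESS, client_keys(client_ip, client_host))
        elif r.startswith("check_sender_access"):
            result = lookup(SENDER_ACCESS, address_keys(sender))
        else:
            raise ValueError("restriction not modelled here: " + r)
        if result != "DUNNO":
            return result, r
    return "OK", "end of list"


# The article's smtpd_recipient_restrictions reduced to the parts modelled above,
# and a variant without reject_unauth_destination (Postfix refuses to start with it,
# and the model shows why: an outsider relaying to a foreign domain is permitted).
ARTICLE_LIST = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination"]
OPEN_RELAY_LIST = ["permit_mynetworks", "permit_sasl_authenticated"]
```

The ordering check at the end of the test is the one that bites in practice: with permit_mynetworks listed before check_client_access, a REJECT entry for 192.168.1.100 in client_access is never consulted, because the permit decides first.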


3. RBL (real-time blacklist) lookups

    • reject_rbl_client rblprovider.domain

DNS blacklist lookup on the client IP address

    • reject_rhsbl_client rblprovider.domain

DNS blacklist lookup on the client host name

    • reject_rhsbl_sender rblprovider.domain

DNS blacklist lookup on the domain of the sender address


4. Content filtering

(1) Types

    • header_checks = /etc/postfix/header_checks

      Checks the primary message headers

    • body_checks = /etc/postfix/body_checks

      Checks the message body, one line at a time (including the lines of Base64-encoded attachments)

    • nested_header_checks

      Checks the headers of attached messages (message/rfc822 parts); defaults to $header_checks

    • mime_header_checks

      Checks the MIME headers (Content-Type, Content-Disposition and so on) of the message and its parts; defaults to $header_checks

(2) Actions

    • REJECT message-text

Reject the message

    • WARN message-text

Do not reject; log the message-text. Useful for testing a new pattern before enforcing it

    • IGNORE

Delete the matching line (a header, or one line of the body) and continue

    • HOLD message-text

Accept the message but place it in the hold queue

    • DISCARD message-text

Silently discard the message; the client is told it was accepted

(3) Examples

Use header_checks for simple virus filtering by attachment name (regexp tables match case-insensitively by default, so .EXE is caught as well as .exe):

/name="?.*\.(bat|scr|com|dll|exe|hta|pif|vbs)"?/ REJECT

Because mime_header_checks defaults to $header_checks, this pattern also applies to the Content-Type and Content-Disposition headers of every MIME part, which is where attachment names actually appear.

Use body_checks for content filtering:

/increase your sales by/ REJECT
/in compliance (with|of) strict/ REJECT
/lowest rates.*!/ REJECT
/[[:alpha:]]<!--.*-->[[:alpha:]]/ REJECT

The third pattern picks out any line that contains the words "lowest rates" followed by any text and an exclamation mark.

The last pattern checks for an HTML comment embedded in the middle of a word or sentence, a trick used to break up spam phrases. Note that the POSIX class must be written as [[:alpha:]], inside a bracket expression; a bare [:alpha:] is not a character class and will not match what you expect.

These built-in checks are crude, line-oriented pattern matches; for real spam and virus filtering it is best to use an external content filter such as SpamAssassin or DSPAM.
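To try header_checks and body_checks patterns without a running Postfix, here is an added Python evaluator for the regexp: table syntax (example code written for this page, not part of the article and not Postfix's own table code): it parses /pattern/flags ACTION text lines, honours the default case-insensitivity and the 'i' toggle, translates [[:alpha:]]-style POSIX classes for Python's re, and applies the first-matching-rule-per-line behaviour. The tables and the message lines it runs over are constructed for the example; the body patterns are the article's.

```python
import re

# Constructed tables in the regexp:/pcre: file syntax used by header_checks and
# body_checks, mirroring the article's patterns (with [[:alpha:]] written correctly).
HEADER_CHECKS = r"""
# attachment names with executable extensions
/name="?.*\.(bat|scr|com|dll|exe|hta|pif|vbs)"?/   REJECT Executable attachments are not accepted
/^Subject: .*free money/                            WARN
"""
BODY_CHECKS = r"""
/increase your sales by/                  REJECT
/in compliance (with|of) strict/          REJECT
/lowest rates.*!/                         REJECT
/[[:alpha:]]<!--.*-->[[:alpha:]]/         REJECT
"""

# Python's re has no POSIX classes; translate the common ones.
POSIX_CLASSES = {"[:alpha:]": "A-Za-z", "[:digit:]": "0-9",
                 "[:alnum:]": "A-Za-z0-9", "[:space:]": r"\s"}
DECISIVE = {"REJECT", "DISCARD", "HOLD"}
# optional '!' negation, /pattern/ with escaped slashes allowed, flags, ACTION, optional text
TABLE_LINE = re.compile(r"^(!?)/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)(?:\s+(.*))?$")


def parse_table(text):
    """Return [(negated, compiled regex, ACTION, message)] in file order.
    Matching is case-insensitive by default; the 'i' flag toggles that,
    as described in regexp_table(5)/pcre_table(5)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError("unparsable table line: " + line)
        negate, pattern, flags, action, message = m.groups()
        for posix, py in POSIX_CLASSES.items():
            pattern = pattern.replace(posix, py)
        reflags = 0 if "i" in flags else re.IGNORECASE
        rules.append((negate == "!", re.compile(pattern, reflags), action.upper(), message or ""))
    return rules


def scan(rules, lines):
    """Apply the table to every input line; as in Postfix, the first rule that
    matches a given line decides for that line. Returns [(action, message, line)]."""
    hits = []
    for line in lines:
        for negate, rx, action, message in rules:
            if bool(rx.search(line)) != negate:
                hits.append((action, message, line))
                break
    return hits


def verdict(hits):
    """WARN only logs and IGNORE only strips the matching line; the first REJECT,
    DISCARD, HOLD or numeric 4NN/5NN action decides the whole message."""
    for action, _, _ in hits:
        if action in DECISIVE or action[:1] in ("4", "5"):
            return action
    return "OK"


# Constructed message parts for a run.
SAMPLE_HEADERS = [
    "From: alice@example.org",
    "Subject: free money inside",
    'Content-Disposition: attachment; filename="Report.EXE"',
]
SAMPLE_BODY = [
    "Hi,",
    "Visit our site<!-- x -->today for the lowest rates ever!",
    "Regards, Alice",
]
```

A pattern written with WARN can be left in the table for a few days and promoted to REJECT once the log shows it hits only what was intended; the evaluator reproduces that distinction in verdict().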

[Figure: the SMTP dialog stage by stage (connect, HELO/EHLO, MAIL FROM, RCPT TO, DATA) with the Postfix restriction list applied at each stage.]

This article is from the "Moon Ching Xing Fei" blog; please keep this source when reproducing it: http://ywzhou.blog.51cto.com/2785388/1590342

