postfix使用sasl进行smtp验证

DEBIAN服务器上安装了postfix,为了防止垃圾邮件,安装了sasl进行smtp验证。原来好像是使用authdaemon进行认证的,现在使用了debian testing升级了以后,出现了问题。
pop3没有问题,IMAP也没有问题,但是不能smtp,提示认证失败。

Dec 26 20:08:16 debian postfix/smtpd[2696]: warning: unknown[210.77.68.211]: SASL LOGIN authentication failed: authentication failure
Dec 26 20:08:21 debian postfix/smtpd[2696]: warning: unknown[210.77.68.211]: SASL LOGIN authentication failed: authentication failure

为了搞定这个问题,又彻底检查了一遍postfix的各个配置参数,google了无数站点,最终在这个站点找到了解决方法。
我最初的安装方案应该是采用了这个站点的方法,但后来我也修改了不少地方。

现在将我这次的修改记录一下:

1. 修改/etc/postfix/sasl/smtpd.conf文件,内容如下:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5

其中,log_level可以自己调整,若出现问题,可以调大,最大为7,然后到/var/log/mail.warn、/var/log/syslog、/var/log/auth.log等文件中查找相关信息。
2. 调整/etc/init.d/saslauthd文件,加入一个参数:

DAEMON_ARGS=” -r

这个参数本来的值是空的,我就是在这个地方给卡死了两天。
3. 调整saslauthd运行目录,令其可以运行在chroot环境下,因为在DEBIAN里,postfix是运行在chroot里的。

Move saslauthd’s socket dir inside Postfix’s chroot and create a link to keep everybody happy:

# mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Add the postfix user to the sasl group:

# adduser postfix sasl

4. 修改/etc/init.d/postfix文件,主要是修改FILES文件定义:

FILES=”etc/localtime etc/services etc/resolv.conf etc/hosts \
etc/nsswitch.conf etc/nss_mdns.config etc/postfix/sasl/smtpd.conf etc/sasldb2″

然后重新启动服务:

# /etc/init.d/postfix restart
# /etc/init.d/saslauthd start

这个网站的FAQ里提供的内容:

Q.: Can Postfix query the MySQL db directly?
A.: No.

Q.: Why do you use libpam-mysql? saslauthd natively supports SQL.
A.: Because saslauthd only supports unencrypted password if you use a sql db as an authentication backend. That’s the reason for interfacing saslauthd with PAM. PAM, in turn, can use just anything.

Q.: My friend told me that /etc/postfix/sasl/smtpd.conf should contain

“pwcheck_method: pam”

A.: That was true for SASL < 2.x. Now you have to use saslauthd. Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as “user@domain”, not “user”. If you are in trouble check /var/log/auth.log .

Q.: Why did you move saslauthd’s socket to

/var/spool/postfix/var/run/saslauthd

?

A.: Because the smtp service runs chroot’ed.

Q.: Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable?
A.: Because Postfix needs to access that file from inside the chroot. The init.d script copies the latest copy of that file inside the chroot at every restart.

Q.: How does the authentication chain work?
A.: Postfix connects to saslauthd via socket, which in turn asks PAM to authenticate the user which in turn queries the relevant MySQL table.

Q.: Are there any alternatives to libpam-mysql?
A.: Perhaps it’s possible to use authdaemon from the Courier package.

Q.: Why do you use 127.0.0.1 instead of localhost?
A.: In order to use a TCP socket instead of a unix socket. This way we don’t have to put MySQL’s unix socket inside Postfix’s chroot.

致谢:(Thanks to)
1. Luca Gibelli, http://www.nervous.it/txt/Postfix-SMTP-AUTH-4-DUMMIES.html
2. http://postfix.wiki.xs4all.nl/index.php


已发布

分类

来自

标签:

评论

《“postfix使用sasl进行smtp验证”》 有 1 条评论

  1. 转移邮件服务器:postfix…

    原邮件服务器硬盘损害,已经无法工作,需要转移到新服务器上。
    原来的服务器是debian etch,新服务器是ubuntu feisty。
    首先安装:
    sudo aptitude install postfix postfix-mysql courier-authdaemon courier-authlib-my…

发表回复

您的电子邮箱地址不会被公开。 必填项已用*标注