Postfix + Auth + SSL + pop3s/imaps
Erik Norgaard
norgaard at locolomo.org
Tue Feb 15 01:26:57 GMT 2005
BSD Mail wrote:
> On Mon, 14 Feb 2005 11:00:57 +0100, Erik Norgaard <norgaard at locolomo.org> wrote:
>>You don't _need_ to separate them from the system password file, just
>>give them shell /usr/sbin/nologin, set homedir to /nonexistent, they can
>>still authenticate to fetch mail. Secondly, if users should receive
>>mail, postfix must know about them. This is normally done by lookup in
>>the password file.
>
> That's fine with me too. So with this method, would PAM be used for
> authentication? Or would I still need SASL for smtp?
I use saslauthd only.
> If there is a way to not use SASL at all I would like to know the
> available options that I have. Because I'm going to use Dovecot
> for pop3s and imaps, I would probably want to get rid of SASL
> if it's possible throughout the entire mail suite, and
> use an easier and still secure auth method.
well, don't ask me :-) as I wrote, I use sasl and it works for me. But
many servers, including postfix, come with ldap support, so instead of
using sasl or the password file a lookup in the ldap directory is done.
Before you make your choice, you really need to decide if users will
have a unix account or not (regardless if they can login) and then
decide which mail servers (imap/pop) to run based on which supports that
setup. All, AFAIK, support the unix account.
> So if SSL/TLS is tunneling clear text passwords and it's encrypting the
> connection then why would I need SASL in the first place? Shouldn't adding
> a user with nologin shell / nonexistent home and enabling TLS suffice?
> Or am I missing something here?
The point of using sasl is to separate privileges. The server that requires
users to authenticate can run unprivileged and request saslauthd to
authenticate. Otherwise the server must run as root in order to access
the master passwd file and authenticate.
Running your server with root privileges may be required anyway if mail
is stored as maildir/mailbox files, whereas cyrus-imap maintains its
own privilege control.
One of the cool features of cyrus-imap is that you can share folders
among users. This is neat instead of mailinglist if you for example have
a support@ address.
> I think I will go with Openwebmail there is a patch to make it work
> with Maildir and also it does support SSL login.
You will gain freedom if your webmail issues an imap connection, since
you are going to support imap anyway. This means that you can move your
webmail service independently of the mail server - be it openwebmail or
squirrelmail.
> I thought if I want to use smtps I have to use port 465 instead of 25.
> I want all outgoing email to use smtps. In this case, if all mail is
> sent via smtps, would that work fine even if the second hop doesn't
> have smtps? In other words, would a mail server that uses port
> 25 for send and receive have a problem receiving mail from my server?
smtps on port 465 is deprecated. The way it works is that the client
connects to port 25 and issues a "START_TLS" command. Then the server
and client will exchange keys and an encrypted session is initiated.
Same thing for imaps.
The only difference from smtps is that both encrypted and unencrypted
connections go on the same port, and the point is to avoid saturation
of the port interval 1-1023. The only exception is https, which is
considered to be so widespread that it will remain on port 443.
The cool thing is that you can configure postfix such that when the
client requests which commands are available, "authenticate" is only
available if an encrypted connection has been established.
>>The only reason not to use cyrus-imap is that you will have to
>>authenticate (again) if you read mail on the console, eg. using pine.
>
> Is that behavior because of authentication / SSL ? Or it is specific
> to cyrus-imap ?
This is because the mail client opens an imap connection, whereas if it
used Mailbox it would just read from a file. So, it is not cyrus nor ssl.
My solution is that normally I don't use a text based client anyway. For
vital accounts such as root, I dump mail into a file also, so I have
access to that important mail if everything else just doesn't work.
Cheers, Erik
--
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
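The Postfix behaviour described above (AUTH advertised only once the session is encrypted; the main.cf parameter for that is smtpd_tls_auth_only = yes) is something you can verify from the client side rather than trust. The script below is an added example and is not code from the original message or from Postfix. It parses constructed EHLO replies (hostname and sizes are made up) modelled on what a server returns before and after STARTTLS, flags a server that still offers AUTH on the cleartext session, and has a probe() that performs the same two EHLOs against a live server with smtplib.

```python
"""Check that an SMTP server advertises AUTH only after STARTTLS.

Added example for this thread; not code from the original message.
Offline mode audits constructed EHLO replies; probe() talks to a real server.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies, modelled on what Postfix returns before and
# after STARTTLS when smtpd_tls_auth_only = yes is set. The hostname and
# sizes are made up for the example.
EHLO_PLAIN_STRICT = (
    b"250-mail.example.net\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n"
    b"250-ENHANCEDSTATUSCODES\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_PLAIN_WEAK = (          # AUTH offered on the cleartext session
    b"250-mail.example.net\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-STARTTLS\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250 8BITMIME\r\n"
)
EHLO_AFTER_TLS = (
    b"250-mail.example.net\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10240000\r\n"
    b"250-AUTH PLAIN LOGIN\r\n"
    b"250-AUTH=PLAIN LOGIN\r\n"   # legacy spelling some servers add for old clients
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> set[str]:
    """Return the ESMTP keywords in a multi-line 250 reply.

    Line 1 is the server's own name and is skipped; every further line is
    '250-KEYWORD [params]' or, for the last one, '250 KEYWORD [params]'.
    'AUTH=PLAIN' (the pre-standard spelling) is normalised to AUTH.
    """
    keywords: set[str] = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue          # tolerate junk; a 5xx here means no ESMTP at all
        body = line[4:].strip()
        if body:
            keywords.add(body.split()[0].split("=")[0].upper())
    return keywords


def audit(before_tls: set[str], after_tls: set[str]) -> list[str]:
    """Compare the two feature sets against the policy from the thread.

    Returns a list of findings; an empty list means STARTTLS is offered and
    AUTH appears only on the encrypted session.
    """
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("no STARTTLS offered: logins could only ever be cleartext")
    if "AUTH" in before_tls:
        findings.append("AUTH advertised before STARTTLS: a client may send the password in clear")
    if "STARTTLS" in before_tls and "AUTH" not in after_tls:
        findings.append("AUTH missing after STARTTLS: submission over TLS will fail")
    return findings


def audit_samples() -> dict[str, list[str]]:
    """Run audit() over the constructed replies above (offline)."""
    return {
        "strict": audit(parse_ehlo(EHLO_PLAIN_STRICT), parse_ehlo(EHLO_AFTER_TLS)),
        "weak": audit(parse_ehlo(EHLO_PLAIN_WEAK), parse_ehlo(EHLO_AFTER_TLS)),
    }


def probe(host: str, port: int = 25, timeout: float = 10.0) -> list[str]:
    """Live check: EHLO, note features, STARTTLS, EHLO again, audit.

    smtplib lower-cases esmtp_features keys, so they are upper-cased here to
    match parse_ehlo(). The default SSL context verifies the server cert;
    a name mismatch raises, which is itself worth knowing about.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = {k.upper() for k in smtp.esmtp_features}
        after: set[str] = set()
        if "starttls" in smtp.esmtp_features:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()                      # features must be re-read after TLS
            after = {k.upper() for k in smtp.esmtp_features}
    return audit(before, after)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        result = probe(sys.argv[1], port)
        print("\n".join(result) or "OK: AUTH only after STARTTLS")
    else:
        for name, result in audit_samples().items():
            print(name, result or ["OK"])
```

Run it with no arguments to see the two constructed cases, or as `python3 check_auth_tls.py mail.example.net 25` (hypothetical host and file name) to probe a real server; the second EHLO after STARTTLS is not optional, since the server is allowed to advertise a different feature set on the encrypted session and that is exactly the difference being checked.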
More information about the freebsd-questions mailing list