Moya's Blog

16 Jul 2008 - 16:54 by MoyaTseng
Traditionally, everyone uses Cyrus-SASL2 to provide SMTP AUTH. That library is really far too bloated, though, and every extra feature means bolting yet another program onto it, which makes it painful to maintain.

After some investigation I confirmed that dovecot is a very good alternative. Better still, dovecot also handles imap and pop3, so installing dovecot alone covers everything: no more piling on a heap of miscellaneous programs as before, and no more being worn down by a tangle of configuration.

Added on 2008/07/18: a description of how to configure dovecot's imap/imaps and pop3/pop3s.

This article does not yet cover creating virtual accounts; that will have to wait for a later post.

The installation below uses FreeBSD 7 as the example. If you need to set this up on Linux or an earlier FreeBSD release, adapt it accordingly; the configuration is much the same everywhere and should not be hard to follow. Besides, dovecot ships with quite complete documentation, and I set this up by reading those docs directly.


Installation

dovecot

  1. cd /usr/ports/mail/dovecot
  2. make config
    [X] KQUEUE    kqueue(2) support
    [X] SSL       SSL support
    [X] IPV6      IPv6 support
    [X] POP3      POP3 support
    [X] LDA       LDA support
    [ ] GSSAPI    GSSAPI support
    [ ] VPOPMAIL  VPopMail support
    [ ] LDAP      OpenLDAP support
    [X] PGSQL     PostgreSQL support
    [ ] MYSQL     MySQL support
    [ ] SQLITE    SQLite support
    
  3. make install clean

Installing Postfix

  1. cd /usr/ports/mail/postfix
  2. make config
    [X] PCRE      Perl Compatible Regular Expressions
    [ ] SASL2     Cyrus SASLv2 (Simple Auth. and Sec. Layer)
    [X] DOVECOT   Dovecot SASL authentication method
    [ ] SASLKRB   If your SASL req. Kerberos select this option
    [ ] SASLKRB5  If your SASL req. Kerberos5 select this option
    [ ] SASLKMIT  If your SASL req. MIT Kerberos5 select this option
    [X] TLS       Enable SSL and TLS support
    [X] BDB       Berkeley DB (choose version with WITH_BDB_VER)
    [ ] MYSQL     MySQL maps (choose version with WITH_MYSQL_VER)
    [X] PGSQL     PostgreSQL maps (choose with DEFAULT_PGSQL_VER)
    [ ] OPENLDAP  OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)
    [X] CDB       CDB maps lookups
    [ ] NIS       NIS maps lookups
    [X] VDA       VDA (Virtual Delivery Agent)
    [ ] TEST      SMTP/LMTP test server and generator
    
  3. make install clean

Configuration

Dovecot

  1. Create the certificate and key files
    1. Edit /usr/local/share/dovecot/dovecot-openssl.cnf
      [ req ]
      default_bits = 1024
      encrypt_key = yes
      distinguished_name = req_dn
      x509_extensions = cert_type
      prompt = no
      
      [ req_dn ]
      # country (2 letter code)
      C=TW
      
      # State or Province Name (full name)
      ST=Taiwan
      
      # Locality Name (eg. city)
      L=Taipei
      
      # Organization (eg. company)
      O=D-Life
      
      # Organizational Unit Name (eg. section)
      OU=IMAP server
      
      # Common Name (*.example.com is also possible)
      CN=[hostname]
      
      # E-mail contact
      emailAddress=postmaster@[hostname]
      
      [ cert_type ]
      nsCertType = server
      
    2. Adjust the paths in the key-generation script (mkcert.sh)
      SSLDIR=/usr/local/etc/dovecot/
      OPENSSLCONFIG=/usr/local/share/dovecot/dovecot-openssl.cnf
      OPENSSL=/usr/local/bin/openssl
      
    3. Generate the keys
      /usr/local/share/dovecot/mkcert.sh
      
    4. Restrict read permissions on the directory and its files
      chmod og-rwx /usr/local/etc/dovecot/* /usr/local/etc/dovecot
      
  2. Configuration file: /usr/local/etc/dovecot.conf
    ## Dovecot configuration file
    
    base_dir=/var/run/dovecot
    listen=127.0.0.1
    disable_plaintext_auth = no
    mail_location = maildir:~/Maildir
    pop3_uidl_format=%08Xu%08Xv
    
    log_path = /var/log/dovecot/error.log
    info_log_path = /var/log/dovecot/info.log
    log_timestamp = "%b %d %H:%M:%S "
    #syslog_facility = mail
    
    auth default {
      mechanisms = PLAIN LOGIN
    
      auth_cache_size = 1024
      passdb pam {
        args = cache_key=%u%r%l session=yes dovecot
      }
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }
    
    # IMAP/POP3 related settings
    ssl_disable = no
    protocols = imap imaps pop3 pop3s
    
    ssl_cert_file = /usr/local/etc/dovecot/certs/dovecot.pem
    ssl_key_file = /usr/local/etc/dovecot/private/dovecot.pem
    

Postfix

  1. File: /usr/local/etc/postfix/main.cf
  2. Select the SASL implementation to use: dovecot
    smtpd_sasl_type = dovecot
    
  3. Set the unix socket through which Postfix talks to the dovecot authentication service
    # Can be an absolute path, or relative to $queue_directory
    smtpd_sasl_path = private/auth
    
  4. Enable SASL authentication
    # and the common settings to enable SASL:
    smtpd_sasl_auth_enable = yes
    
  5. In the recipient checks, allow clients that passed SASL authentication to send (relay) mail, and refuse relaying for clients that did not authenticate
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    
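The restriction list in step 5 is evaluated from left to right: the first entry that yields PERMIT or REJECT decides, and an entry that does not apply (DUNNO) hands over to the next one. That ordering is what stops the server from being an open relay while still letting local and authenticated clients send anywhere. The Python simulation below is an added example, not Postfix code and not part of the original post; the networks, domains and client addresses in it are constructed, and reject_unauth_destination is approximated with only mydestination and relay_domains (real Postfix also consults inet_interfaces and the virtual domain tables).

```python
"""Simulation of how Postfix walks the restriction list
    smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated, reject_unauth_destination
Added example; all networks, domains and clients are constructed."""
import ipaddress

# Constructed stand-ins for $mynetworks, $mydestination and $relay_domains.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]
MYDESTINATION = {"localhost", "mail.example.test"}
RELAY_DOMAINS = {"example.test"}


def permit_mynetworks(client):
    """PERMIT when the client IP falls inside $mynetworks."""
    ip = ipaddress.ip_address(client["ip"])
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def permit_sasl_authenticated(client):
    """PERMIT when the session carries a SASL login name."""
    return "PERMIT" if client.get("sasl_username") else "DUNNO"


def reject_unauth_destination(client):
    """REJECT unless the recipient domain is one we accept or relay for.
    Simplified: real Postfix also checks inet_interfaces and virtual domains."""
    domain = client["recipient"].rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return "DUNNO"
    return "REJECT"


# The list exactly as configured in main.cf above, in the same order.
RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination]


def evaluate(client, restrictions=RESTRICTIONS):
    """Return (verdict, name of the restriction that decided).
    Postfix stops at the first PERMIT/REJECT; if every entry returns
    DUNNO the list's implicit default, permit, applies."""
    for restriction in restrictions:
        verdict = restriction(client)
        if verdict != "DUNNO":
            return verdict, restriction.__name__
    return "PERMIT", "end-of-list"


def is_open_relay(restrictions=RESTRICTIONS):
    """True if an anonymous external client may relay to a foreign domain."""
    probe = {"ip": "203.0.113.5", "recipient": "someone@outside.test"}
    return evaluate(probe, restrictions)[0] == "PERMIT"


if __name__ == "__main__":
    scenarios = {
        "local client, any destination":
            {"ip": "127.0.0.1", "recipient": "x@outside.test"},
        "remote, unauthenticated, foreign domain":
            {"ip": "203.0.113.5", "recipient": "x@outside.test"},
        "remote, SASL-authenticated, foreign domain":
            {"ip": "203.0.113.5", "sasl_username": "moya",
             "recipient": "x@outside.test"},
        "remote, unauthenticated, inbound to our domain":
            {"ip": "203.0.113.5", "recipient": "x@mail.example.test"},
    }
    for label, client in scenarios.items():
        print(f"{label:50s} -> {evaluate(client)}")
    print("open relay with full list:", is_open_relay())
    print("open relay without reject_unauth_destination:",
          is_open_relay(RESTRICTIONS[:2]))
```

Running it shows the four cases behind the author's description: local and SASL-authenticated clients are permitted early in the list, inbound mail for our own domain falls through to the implicit permit, and an anonymous client trying to relay elsewhere is rejected. Removing reject_unauth_destination turns the last case into a permit, which is the open-relay configuration this restriction exists to prevent.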

Startup configuration

Dovecot

  1. Configuration file: /etc/rc.conf
    # Dovecot
    dovecot_enable="YES"
    
  2. Start the service
    /usr/local/etc/rc.d/dovecot start
    

Postfix

  1. Configuration file: /etc/rc.conf
    sendmail_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
    
    postfix_enable="YES"
    
  2. Start the service
    /usr/local/etc/rc.d/postfix start
    

Verification test

  1. Generate the credential string used for PLAIN authentication (replace username and password with a real account)
    perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'
    
  2. Verification procedure
    1. Connect to SMTP port 25
      telnet localhost 25
      Trying ::1...
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      220 cbs.ntu.edu.tw ESMTP Postfix
      
    2. Check whether the PLAIN AUTH mechanism is offered; a 250-AUTH PLAIN line means it is
      ehlo localhost
      250-localhost
      250-PIPELINING
      250-SIZE 10240000
      250-ETRN
      250-AUTH PLAIN LOGIN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      
    3. Enter the credential string. A 235 2.7.0 reply means success; a 535 5.7.8 reply means authentication failed. It is best to confirm both the success and the failure case.
      AUTH PLAIN [the string produced by the perl command above]
      
      1. Result on success
        235 2.7.0 Authentication successful 
        
      2. Result on failure
        535 5.7.8 Error: authentication failed:
        
    4. End the session
      quit
      221 2.0.0 Bye
      
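The perl one-liner in step 1 builds the SASL PLAIN initial response defined in RFC 4616 (authorization id, NUL, username, NUL, password, all base64-encoded; the author leaves the authorization id empty), and the telnet session then checks the advertised mechanisms and the 235/535 reply codes. The Python helper below is an added example, not part of the original post: it builds and decodes the same token, parses an EHLO reply into its capabilities, classifies the AUTH reply codes shown above, and flags the case where PLAIN/LOGIN is offered on a listener that does not advertise STARTTLS, since base64 is encoding rather than encryption and the password is otherwise readable by anyone on the path. All function names are mine, and the EHLO and reply lines embedded in it are constructed to mirror the transcript above.

```python
"""SASL PLAIN token helper plus checks on the SMTP AUTH dialogue.
Added example; the sample server lines are constructed."""
import base64

# Constructed copy of the EHLO reply shown in the transcript above.
EHLO_SAMPLE = [
    "250-localhost",
    "250-PIPELINING",
    "250-SIZE 10240000",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]


def sasl_plain(username, password, authzid=""):
    """Build the base64 AUTH PLAIN initial response (RFC 4616):
    authzid NUL authcid NUL password. Matches the perl one-liner
    when authzid is left empty."""
    for part in (authzid, username, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = "\0".join((authzid, username, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_sasl_plain(token):
    """Inverse of sasl_plain: split a token into (authzid, authcid, password).
    Decoding is trivial, which is why the token must only cross a TLS link."""
    fields = base64.b64decode(token).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError("malformed SASL PLAIN token")
    return tuple(fields)


def parse_ehlo(lines):
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}.
    The first 250 line carries the server's domain, not a capability."""
    caps = {}
    reply = [ln.strip() for ln in lines if ln.strip().startswith("250")]
    for line in reply[1:]:
        body = line[4:].strip()            # drop "250-" or "250 "
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def auth_mechanisms(caps):
    """Mechanisms listed on the AUTH capability line, if any."""
    return set(caps.get("AUTH", []))


def plaintext_auth_exposed(caps):
    """True when PLAIN or LOGIN is offered but STARTTLS is not: on a
    non-TLS port such as 25 the credentials would travel in the clear."""
    offers_plain = bool({"PLAIN", "LOGIN"} & auth_mechanisms(caps))
    return offers_plain and "STARTTLS" not in caps


def classify_auth_reply(line):
    """Map the reply to an AUTH command onto the outcomes in the test above."""
    code = line.strip().split(" ", 1)[0]
    return {"235": "success", "535": "failure", "334": "continue"}.get(code, "other")


if __name__ == "__main__":
    token = sasl_plain("moya", "secret")          # constructed credentials
    print("AUTH PLAIN", token, "->", decode_sasl_plain(token))
    caps = parse_ehlo(EHLO_SAMPLE)
    print("mechanisms:", sorted(auth_mechanisms(caps)))
    print("plaintext auth without STARTTLS:", plaintext_auth_exposed(caps))
    for reply in ("235 2.7.0 Authentication successful",
                  "535 5.7.8 Error: authentication failed:"):
        print(reply, "->", classify_auth_reply(reply))
```

The EHLO reply captured in the post offers PLAIN and LOGIN but no STARTTLS, so plaintext_auth_exposed returns True for it; that is consistent with the dovecot.conf setting disable_plaintext_auth = no above and is acceptable only because that configuration binds dovecot to 127.0.0.1 and the test is run from localhost. For a listener reachable from the network, the same check is what you would expect to return False.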


r2 – 18 Jul 2008 – 17:47:50 – Main.MoyaTseng