Postfix – Configuring SASL authentication with MySQL

March 30, 2016 3:45

Hello everyone,

In this tutorial, we will learn how to configure SMTP authentication with SASL on a Postfix server.
SASL: Simple Authentication and Security Layer

Installing the packages:

apt-get install libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql

Next, add the postfix user to the sasl group:

adduser postfix sasl

Changing the permissions and creating the link:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
chown -R root:sasl /var/spool/postfix/var/run/saslauthd
chmod 710 /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd

Creating a startup script to recreate the link after a reboot:

nano /etc/init.d/monscript
#!/bin/sh

### BEGIN INIT INFO
# Provides:     monscript
# Required-Start:
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: chroot postfix sasl
# Description:       s
### END INIT INFO

ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Running the script at startup:

update-rc.d monscript defaults

Disabling the chroot:

nano /etc/postfix/master.cf
smtp      inet  n       -       n       -       -       smtpd

Configuring master.cf:

smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Configuring Postfix:

nano /etc/postfix/main.cf
# SASL support

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unauth_pipelining,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_invalid_hostname

smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

Configuring SASL:

nano /etc/default/saslauthd

START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

nano /etc/pam.d/smtp

auth required pam_mysql.so user=root passwd=mot_de_passe host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=root passwd=mot_de_passe host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

nano /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: CRAM-MD5 PLAIN LOGIN
auxprop_plugin: sql
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux


sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: postfix
sql_database: postfix
sql_passwd: monpass
sql_select: select password from mailbox where username = '%u@%r'

service saslauthd restart

Testing authentication:

testsaslauthd -u monadresse@mail.tld -p monmotdepasse -s smtp

Debugging:

saslfinger -c
saslfinger -s
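
A quick audit of the files created above, as an added example that is not part of the original tutorial: it checks that smtpd.conf hands password checks to saslauthd on the same socket path given to saslauthd -m, that the socket directory is mode 710, and that the two files holding a database password are not accessible to other users and do not use the MySQL root account. The function names, the ROOT prefix and the --audit switch are assumptions made for this example; stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Debian).
# ROOT is a hypothetical path prefix: "" on a live server, a temp dir in tests.

# Print the value of "key: value" from a Cyrus SASL config file.
sasl_conf_get() {  # $1=file $2=key
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print the -m directory from OPTIONS="..." in /etc/default/saslauthd.
saslauthd_mux_dir() {  # $1=file
    sed -n 's/^OPTIONS=.*-m[[:space:]]\{1,\}\([^[:space:]"]*\).*/\1/p' "$1" | head -n 1
}

# Succeed when "other" has no permission bits on the file (last octal digit 0).
not_world_accessible() {  # $1=file
    mode=$(stat -c %a "$1") || return 1
    [ "${mode#"${mode%?}"}" = "0" ]
}

# Print one finding per line; return 1 if there is at least one.
audit_sasl() {  # $1=ROOT
    root=$1 rc=0
    conf=$root/etc/postfix/sasl/smtpd.conf
    pam=$root/etc/pam.d/smtp
    dir=$(saslauthd_mux_dir "$root/etc/default/saslauthd")

    [ "$(sasl_conf_get "$conf" pwcheck_method)" = "saslauthd" ] ||
        { echo "smtpd.conf: pwcheck_method is not saslauthd"; rc=1; }
    [ "$(sasl_conf_get "$conf" saslauthd_path)" = "$dir/mux" ] ||
        { echo "smtpd.conf: saslauthd_path differs from saslauthd -m"; rc=1; }
    [ "$(stat -c %a "$root$dir" 2>/dev/null)" = "710" ] ||
        { echo "$dir: socket directory is not mode 710"; rc=1; }
    for f in "$conf" "$pam"; do
        not_world_accessible "$f" ||
            { echo "${f#"$root"}: holds a DB password, accessible to others"; rc=1; }
    done
    if grep -Eq '(^|[[:space:]])user=root([[:space:]]|$)' "$pam"; then
        echo "pam.d/smtp: pam_mysql connects as MySQL root"; rc=1
    fi
    return $rc
}

# Usage on the server, as root: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_sasl "${2:-}"; fi
```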

That's it for a quick SASL setup on Postfix.

See you soon!


This article was written by admin
