Hola lista, les escribo a ver si alguno de ustedes tiene la solución para mi problema, 1ro decirles que tengo un server de mail montado en debian etch, con postfix+Courier+usuarios virtuales en sql+squirrelmail, ahora aquí viene mi problema, resulta ser que los usuarios no se autentican para hacer SMTP y quiero que los usuarios para poder hacer SMTP se autentiquen en el server, a ver si alguno de la lista me puede ayudar, este es mi mail para me contacten igual por ahí si alguien tiene la solución para mi problema admin_dps@dps.cfg.sld.cu, bueno espero respuesta
Saludos
postfix+Courier+usuarios virtuales en sql+squirrelmail
Re: postfix+Courier+usuarios virtuales en sql+squirrelmail
bien amigos aquí esta la solución al problema. Les dejo además una config que uso en postfix.
Me trabaja Especial.
############################Inicio POSTFIX CONFIG##############################
#######SMTP authentication avec SASL (postfix et courier)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = dps.cfg.sld.cu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [herus.cfg.sld.cu]
mynetworks = 127.0.0.0/8,201.220.209.82/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
always_bcc = trazas@dps.cfg.sld.cu
##MYSQL
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 0
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_mailbox_base = /home/vmail
virtual_transport = virtual
###QUOTA
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Lo sentimos, pero su Buzón esta lleno, por favor libere algo de espacio de su buzón, e inténtelo de nuevo.
virtual_overquota_bounce = yes
#####REStriccion Salida Internacional
smtpd_restriction_classes =inter, nac
smtpd_recipient_restrictions = permit_auth_destination, check_sender_access hash:/etc/postfix/usuarios, reject, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
inter = check_recipient_access regexp:/etc/postfix/filtro_nac, permit
nac = check_recipient_access regexp:/etc/postfix/filtro_nac, reject
#smtpd_sender_restrictions = permit_auth_destination, check_sender_access hash:/etc/postfix/usuarios, reject
#smtpd_sender_restrictions =
# permit_mynetworks
# #reject_authenticated_sender_login_mismatch
# reject_unknown_sender_domain
# permit
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
#smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
# The settings for the SASL authentication using the autdaemon.
#smtpd_enforce_tls=yes
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject
#smtpd_recipient_restrictions =
# reject_unauth_destination
# permit_sasl_authenticated,
# reject_invalid_hostname,
# permit
############################Fin POSTFIX CONFIG##############################
############################Inicio Manual##############################
onfigure the SMTP authentication with SASL
Create a directory in the chrooted directory of postfix to enable access to the authdaemon app :
cd /var/spool/postfix
mkdir courier-authdaemon-socket
first check where is installed the socket of the authdaemon. Usually on debian systems it's installed into the /var/run/courier/authdaemon directory. Adapt the tutorial if it's different for you.
Modify your /etc/fstab file so you can mount the right directory in the right place to access to the authdaemon socket from the chrooted directory. Add this line into /etc/fstab :
/var/run/courier/authdaemon /var/spool/postfix/courier-authdaemon-socket none bind 0 0
Now let's mount the directory into the right place and test if it works :
mount /var/spool/postfix/courier-authdaemon-socket
chown -R postfix.postfix /var/spool/postfix/courier-authdaemon-socket
Now we need to configure postfix to authenticate the SMTP requests on the same way as for the IMAP requests.
Therefore we will ask to postfix to use authdaemon to authenticate. The authentication system for postfix is called SASL. Let's install it.
apt-get install sasl2-bin libsasl2-modules
Activate SASL in the postfix configuration file /etc/postfix/sasl/smtpd.conf (be sure the directory to the authdaemon socket is right in a chrooted perspective):
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path: /courier-authdaemon-socket/socket
log_level: 4
Append the following lines at the end the postfix configuration file /etc/postfix/main.cf :
#
# The settings for the SASL authentication using the autdaemon.
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_client_restrictions = permit_mynetworks
permit_sasl_authenticated
Step 5: Courier Imap and the rest
Configure courier-imap
Configuration is done into the file /etc/courier/imapd. We need to modify this line with the right directory :
MAILDIRPATH=/home/postfix/Maildir
The default configuration is ok for the rest.
Now let's reboot all your daemons in use to be sure every configuration is considered:
/etc/init.d/postfix restart && /etc/init.d/courier-imap restart && /etc/init.d/courier-authdaemon restart
Configure thunderbird
You can just try to add an account. The data you'll need is :
* IMAP server : your mail server IP
* SMTP server : same IP
* Username : greg@example.lan Cette adresse email est protégée contre les robots des spammeurs, vous devez activer Javascript pour la voir.
* Password : secret
* Use TLS/SSL : no
* Port : 143
Known errors
Note : if you get the following error in /var/log/mail.log :
postfix/trivial-rewrite[19109]: warning: do not list domain example.lan in BOTH mydestination and virtual_mailbox_domain
then it means you configured the "mydestination" variable in /etc/postfix/main.cf to the same domain name as your email server. Please remove "example.lan" from it and it should work now
Postfix configure anti spam with blacklist
Postfix is free and powerful MTA. You can easily configure Postfix to block spam. You need to add
following directives to /etc/postfix/main.cf file:
* disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
* smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
* smtpd_helo_required = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bot ignores HELO/EHLO command and you save yourself from spam. Following lines further restrictions on HELO command:
o smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, Reject email if remote hostname is not in fully-qualified domain form. Usually bots sending email don't have FQDN names.
o reject_invalid_hostname, Reject all bots sending email from computers connected via DSL/ADSL computers. They don't have valid internet hostname.
You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.
* smtpd_recipient_restrictions =
o reject_invalid_hostname, - Reject email if it not valid hostname
o reject_non_fqdn_hostname, - Reject email if it not valid FQDN
o reject_non_fqdn_sender, - Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example email send from xyz or abc is rejected.
o reject_non_fqdn_recipient, - Reject the request when the RCPT TO address is not in fully-qualified domain form
o reject_unknown_sender_domain, - Reject email, if sender domain does not exists
o reject_unknown_recipient_domain, Reject email, if recipient domain does not exists
o permit_mynetworks,
o reject_rbl_client list.dsbl.org, Configure spam black lists
o reject_rbl_client sbl.spamhaus.org,
o reject_rbl_client cbl.abuseat.org,
o reject_rbl_client dul.dnsbl.sorbs.net,
o permit
Open /etc/postfix/main.cf file :
vi /etc/postfix/main.cf
Set/modify configuration as follows
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Also force (last lines) Postfix to limit incoming or receiving email rate to avoid spam.
Save and close the file. Restart postfix:
/etc/init.d/postfix restart
Watch out maillog file. Now you should see lots of spam email blocked by above configuration directive:
tail -f /var/log/mail.log
Output:
Jan 9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]: 554 Service unavailable; Client host [81.183.12.81] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?81.183.12.81; from= to= proto=ESMTP helo=<183-12-230.ip.adsl.hu>
Jan 9 06:07:23 server postfix/smtpd[10308]: lost connection after RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan 9 06:07:23 server postfix/smtpd[10308]: disconnect from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection rate 1/60s for (smtp:81.183.12.81) at Jan 9 06:07:17
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection count 1 for (smtp:81.183.12.81) at Jan 9 06:07:17
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max cache size 1 at Jan 9 06:07:17
Jan 9 06:16:58 server postfix/smtpd[10358]: warning: 81.92.197.249: address not listed for hostname unassigned.or.unconfigured.reverse.nfsi-telecom.net
Jan 9 06:16:58 server postfix/smtpd[10358]: connect from unknown[81.92.197.249]
Jan 9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[81.92.197.249]: 550 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo=
Jan 9 06:17:00 server postfix/smtpd[10358]: disconnect from unknown[81.92.197.249]
############################Fin Manual##############################
Espero Poder ayudar a muchos con esto.
Me trabaja Especial.
############################Inicio POSTFIX CONFIG##############################
#######SMTP authentication avec SASL (postfix et courier)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = dps.cfg.sld.cu
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost = [herus.cfg.sld.cu]
mynetworks = 127.0.0.0/8,201.220.209.82/32
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
always_bcc = trazas@dps.cfg.sld.cu
##MYSQL
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 0
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:1001
virtual_mailbox_base = /home/vmail
virtual_transport = virtual
###QUOTA
virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Lo sentimos, pero su Buzón esta lleno, por favor libere algo de espacio de su buzón, e inténtelo de nuevo.
virtual_overquota_bounce = yes
#####REStriccion Salida Internacional
smtpd_restriction_classes =inter, nac
smtpd_recipient_restrictions = permit_auth_destination, check_sender_access hash:/etc/postfix/usuarios, reject, reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain reject_unauth_destination, check_policy_service inet:127.0.0.1:10023
inter = check_recipient_access regexp:/etc/postfix/filtro_nac, permit
nac = check_recipient_access regexp:/etc/postfix/filtro_nac, reject
#smtpd_sender_restrictions = permit_auth_destination, check_sender_access hash:/etc/postfix/usuarios, reject
#smtpd_sender_restrictions =
# permit_mynetworks
# #reject_authenticated_sender_login_mismatch
# reject_unknown_sender_domain
# permit
#smtpd_sasl_auth_enable = yes
#broken_sasl_auth_clients = yes
#smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
#smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain =
# The settings for the SASL authentication using the autdaemon.
#smtpd_enforce_tls=yes
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_client_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject
#smtpd_recipient_restrictions =
# reject_unauth_destination
# permit_sasl_authenticated,
# reject_invalid_hostname,
# permit
############################Fin POSTFIX CONFIG##############################
############################Inicio Manual##############################
onfigure the SMTP authentication with SASL
Create a directory in the chrooted directory of postfix to enable access to the authdaemon app :
cd /var/spool/postfix
mkdir courier-authdaemon-socket
first check where is installed the socket of the authdaemon. Usually on debian systems it's installed into the /var/run/courier/authdaemon directory. Adapt the tutorial if it's different for you.
Modify your /etc/fstab file so you can mount the right directory in the right place to access to the authdaemon socket from the chrooted directory. Add this line into /etc/fstab :
/var/run/courier/authdaemon /var/spool/postfix/courier-authdaemon-socket none bind 0 0
Now let's mount the directory into the right place and test if it works :
mount /var/spool/postfix/courier-authdaemon-socket
chown -R postfix.postfix /var/spool/postfix/courier-authdaemon-socket
Now we need to configure postfix to authenticate the SMTP requests on the same way as for the IMAP requests.
Therefore we will ask to postfix to use authdaemon to authenticate. The authentication system for postfix is called SASL. Let's install it.
apt-get install sasl2-bin libsasl2-modules
Activate SASL in the postfix configuration file /etc/postfix/sasl/smtpd.conf (be sure the directory to the authdaemon socket is right in a chrooted perspective):
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path: /courier-authdaemon-socket/socket
log_level: 4
Append the following lines at the end the postfix configuration file /etc/postfix/main.cf :
#
# The settings for the SASL authentication using the autdaemon.
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = no
smtpd_client_restrictions = permit_mynetworks
permit_sasl_authenticated
Step 5: Courier Imap and the rest
Configure courier-imap
Configuration is done into the file /etc/courier/imapd. We need to modify this line with the right directory :
MAILDIRPATH=/home/postfix/Maildir
The default configuration is ok for the rest.
Now let's reboot all your daemons in use to be sure every configuration is considered:
/etc/init.d/postfix restart && /etc/init.d/courier-imap restart && /etc/init.d/courier-authdaemon restart
Configure thunderbird
You can just try to add an account. The data you'll need is :
* IMAP server : your mail server IP
* SMTP server : same IP
* Username : greg@example.lan Cette adresse email est protégée contre les robots des spammeurs, vous devez activer Javascript pour la voir.
* Password : secret
* Use TLS/SSL : no
* Port : 143
Known errors
Note : if you get the following error in /var/log/mail.log :
postfix/trivial-rewrite[19109]: warning: do not list domain example.lan in BOTH mydestination and virtual_mailbox_domain
then it means you configured the "mydestination" variable in /etc/postfix/main.cf to the same domain name as your email server. Please remove "example.lan" from it and it should work now
Postfix configure anti spam with blacklist
Postfix is free and powerful MTA. You can easily configure Postfix to block spam. You need to add
following directives to /etc/postfix/main.cf file:
* disable_vrfy_command = yes : Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.
* smtpd_delay_reject = yes : It allows Postfix to log recipient address information when rejecting a client name/address or sender address, so that it is possible to find out whose mail is being rejected.
* smtpd_helo_required = yes : Require that a remote SMTP client introduces itself at the beginning of an SMTP session with the HELO or EHLO command. Many spam bot ignores HELO/EHLO command and you save yourself from spam. Following lines further restrictions on HELO command:
o smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, Reject email if remote hostname is not in fully-qualified domain form. Usually bots sending email don't have FQDN names.
o reject_invalid_hostname, Reject all bots sending email from computers connected via DSL/ADSL computers. They don't have valid internet hostname.
You can put the following access restrictions that the Postfix SMTP server applies in the context of the RCPT TO command.
* smtpd_recipient_restrictions =
o reject_invalid_hostname, - Reject email if it not valid hostname
o reject_non_fqdn_hostname, - Reject email if it not valid FQDN
o reject_non_fqdn_sender, - Reject the request when the MAIL FROM address is not in fully-qualified domain form. For example email send from xyz or abc is rejected.
o reject_non_fqdn_recipient, - Reject the request when the RCPT TO address is not in fully-qualified domain form
o reject_unknown_sender_domain, - Reject email, if sender domain does not exists
o reject_unknown_recipient_domain, Reject email, if recipient domain does not exists
o permit_mynetworks,
o reject_rbl_client list.dsbl.org, Configure spam black lists
o reject_rbl_client sbl.spamhaus.org,
o reject_rbl_client cbl.abuseat.org,
o reject_rbl_client dul.dnsbl.sorbs.net,
o permit
Open /etc/postfix/main.cf file :
vi /etc/postfix/main.cf
Set/modify configuration as follows
disable_vrfy_command = yes
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_hostname,
reject_invalid_hostname,
permit
smtpd_recipient_restrictions =
permit_sasl_authenticated,
reject_invalid_hostname,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
permit_mynetworks,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
permit
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
Also force (last lines) Postfix to limit incoming or receiving email rate to avoid spam.
Save and close the file. Restart postfix:
/etc/init.d/postfix restart
Watch out maillog file. Now you should see lots of spam email blocked by above configuration directive:
tail -f /var/log/mail.log
Output:
Jan 9 06:07:22 server postfix/smtpd[10308]: NOQUEUE: reject: RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]: 554 Service unavailable; Client host [81.183.12.81] blocked using dul.dnsbl.sorbs.net; Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?81.183.12.81; from= to= proto=ESMTP helo=<183-12-230.ip.adsl.hu>
Jan 9 06:07:23 server postfix/smtpd[10308]: lost connection after RCPT from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan 9 06:07:23 server postfix/smtpd[10308]: disconnect from 183-12-81.ip.adsl.hu[81.183.12.81]
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection rate 1/60s for (smtp:81.183.12.81) at Jan 9 06:07:17
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max connection count 1 for (smtp:81.183.12.81) at Jan 9 06:07:17
Jan 9 06:10:43 server postfix/anvil[10310]: statistics: max cache size 1 at Jan 9 06:07:17
Jan 9 06:16:58 server postfix/smtpd[10358]: warning: 81.92.197.249: address not listed for hostname unassigned.or.unconfigured.reverse.nfsi-telecom.net
Jan 9 06:16:58 server postfix/smtpd[10358]: connect from unknown[81.92.197.249]
Jan 9 06:17:00 server postfix/smtpd[10358]: NOQUEUE: reject: RCPT from unknown[81.92.197.249]: 550 : Recipient address rejected: User unknown in virtual alias table; from=<> to= proto=ESMTP helo=
Jan 9 06:17:00 server postfix/smtpd[10358]: disconnect from unknown[81.92.197.249]
############################Fin Manual##############################
Espero Poder ayudar a muchos con esto.