Hideki A. Ikeda (HidekiAI) [池田英紀] ["Tony" Ikeda] –  BLog

Tag: imap

Postfix + Dovecot – (Cyrus + Courier)

by HidekiAI on Jan.03, 2009, under Technology Opinions

When setting up Postfix authentication, if you are doing a fresh install and/or do not have Cyrus SASL working, my recommendation is to use Dovecot instead.

If, on the other hand, you've been persistent and have Cyrus/SASL working, leave it alone: you've probably got one of the few systems that are rare but functional, and you don't want to break or disturb what isn't broken.

Setting up Courier (IMAP and POP3) authentication through MySQL was trivial for the PLAIN password scheme.  The only hard part, I'd imagine, is writing your own authmysqlrc in your /etc/courier/authlib folder to query the username/password/uid/gid correctly.  But if you know your way around SQL queries, sooner or later you'll get it right (if you need help, e-mail me and I'll help you out; if I don't respond, it's most likely because my SASL is broken and I cannot get authenticated to send mail *grin* what an irony; just kidding).

It used to be that you would guard your mailbox from prying eyes because back then e-mails were more authentic, sort of like receiving a hand-written letter from somebody important.  Today you receive e-mails for just about anything, to the point where they aren't so genuine anymore...  Or there is so much SPAM in your INBOX that you'd rather delete all the mail than read it.  In any case, you want to protect your server so that at least you're not responsible for participating in this SPAM (make sure to run SMTP relay testers), or can at least say that you've done all you can to avoid issues.

In any case, the whole point of that story is that you want to make sure your outgoing mail is authenticated (password protected) as well as incoming.  With Postfix + Courier, you can make the assumption that if you logged on with POP3 and have been authenticated, you are most likely the same person, so SMTP should not require a password in the same session.  Similarly, you can argue the same point for an IMAP session.

This is where SASL comes into play.  Just because Carnegie Mellon University was the origin of the SASL RFC and they are the ones who maintain Cyrus, it doesn't mean it's the best.  To me, Dovecot is better than Cyrus for one simple reason: Dovecot has documentation and wiki pages...  A damned good wiki, I might add...  It's so good that I've been able to get SASL-based authentication for Postfix working in less than a day!

With Dovecot, mine is (currently) authenticating in the following order:

  1. PAM: I have PAM look up both LDAP and password, in that order of look-up priority.
  2. MySQL: this is so that other accounts that may be on LDAP but use PLAIN can be authenticated from the Postfix database, and/or other users who do not have an LDAP account but have virtual mail accounts.

As mentioned, because I'm using PAM to authenticate, I don't need Dovecot to integrate with LDAP.  Whenever you can have PAM do the authentication, let it do so rather than adding another link.  By the way, PAM can only do plaintext auth, so do make sure you get SSL working.

Meaning, if you have PAM linked to your LDAP server, for example for SSH and session login, you've got it functional and you have a centralized location (single point of authentication) for all your domain accounts.  Now, if you enable LDAP in Dovecot, that's another piece of configuration you'd have to debug (or alter if the server gets moved to another hostname).

Let PAM be your middle layer between all your services and LDAP (and shadow); the beauty of it all (and it's common sense) is that once you get PAM working, the rest just fits in.  If something goes wrong with your LDAP server, you only have to deal with PAM.  The converse, of course, is that if PAM breaks, everything breaks.  But I prefer to take that chance, for management of Linux services can be a nightmare compared to Microsoft services (if you've installed both Active Directory and OpenLDAP, you'd know which is easier/quicker to set up, and what I mean).

I've learned a lot from Cyrus, but I wish I hadn't been so stubborn about it and had given in to Dovecot earlier.  I wouldn't have been able to form my own opinion about how difficult it is to set up Cyrus (but if you Google for Cyrus, I'd imagine you'd find quite a few who complain about it), but if you have found this BLog and are in the midst of, or about to start, setting up SASL authentication for Postfix, try Dovecot first, because you should be spending your time on something more productive...

Postfix + Courier + SquirrelMail:configtest.php

by HidekiAI on Dec.09, 2008, under Technology Opinions

Ever get the following error when you run SquirrelMail’s configtest.php?

Warning: fsockopen() [function.fsockopen]: SSL operation failed with code 1.
 OpenSSL Error messages: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
 version number in /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

Warning: fsockopen() [function.fsockopen]: Failed to enable crypto in
 /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

Warning: fsockopen() [function.fsockopen]: unable to connect to
 tls://imap.yourdomain.com:143 (Unknown error) in
 /var/www/webmail/htdocs/squirrelmail/src/configtest.php on line 396

    ERROR: Error connecting to IMAP server "imap.yourdomain.com:143".Server error: (0)

If you do get this error, take a look at the "use_imap_tls" variable in your config.php; most likely it is set to true.  It's because you're telling it to use TLS (tls://) on port 143 (IMAP) rather than 993 (IMAPS).
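To see the mismatch for yourself (and why OpenSSL reports "wrong version number"), here is an added probe that is not part of the post or of SquirrelMail: it reads whatever the server sends before the client speaks, and classifies the port as a plaintext IMAP listener (which greets first) or a silent implicit-TLS listener. The hostname and the probe_imap/classify_greeting helpers are assumptions of this example.

```python
import socket
import ssl

def classify_greeting(first_bytes):
    """Classify what an IMAP port sent before the client said anything.
    A plaintext listener (143) greets first with '* OK ...'; an implicit-TLS
    listener (993) stays silent until it sees a ClientHello.  If a client
    wraps a plaintext socket in TLS, OpenSSL parses that greeting as a TLS
    record header: byte 0 is the record type and bytes 1-2 the version, so
    '* O' becomes type 0x2a, version 0x204f, hence 'wrong version number'."""
    if first_bytes.startswith(b"* OK"):
        caps = b""
        if b"[CAPABILITY " in first_bytes:
            caps = first_bytes.split(b"[CAPABILITY ", 1)[1].split(b"]", 1)[0]
        return {"listener": "plaintext-imap",
                "starttls": b"STARTTLS" in caps.split(),
                "seen_as_tls_version": "0x%02x%02x" % (first_bytes[1], first_bytes[2])}
    if first_bytes == b"":
        return {"listener": "silent (implicit TLS?)", "starttls": False,
                "seen_as_tls_version": None}
    return {"listener": "unknown", "starttls": False, "seen_as_tls_version": None}

def probe_imap(host, port, timeout=3.0):
    """Connect, wait briefly for a greeting, and report which port style this is.
    Hypothetical helper; host is a placeholder, not a real server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
        result = classify_greeting(data)
        if result["listener"].startswith("silent"):
            # A silent port is probably IMAPS: confirm with a real handshake.
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result = classify_greeting(tls.recv(1024))
                result["listener"] = "implicit-tls-imap"
        return result

if __name__ == "__main__":
    for port in (143, 993):
        print(port, probe_imap("imap.yourdomain.com", port))
```

If port 143 reports "starttls": True, the server supports upgrading the plaintext connection; tls:// on 143 still fails because the client tries to handshake before the greeting has been consumed.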

Testing Postfix + Courier (authlib and imap) + MySQL

by HidekiAI on Dec.07, 2008, under Technology Opinions

My quick journal on testing the Postfix MTA for the "user" experience...  This is not a how-to, nor is it about what to install.  It is for testing and verifying once all the software services have been installed.

POP Test

First, we test POP3.  In most cases, when users set up their mail client, they like to use plain-text login rather than TLS and/or SSL, which I'd assume is because Outlook Express defaults this way...

hidekiai@kusari ~ $ telnet pop.yourdomain.com 110
Trying xxx.yyy.zzz.xxx...
Connected to pop.yourdomain.com
Escape character is '^]'.
+OK Hello there.
USER yourusername
+OK Password required.
PASS yourSuperSecretPassword
+OK logged in.
LIST
+OK POP3 clients that break here, they violate STD53.
1 9109
2 3636
-- snip --
.
RETR 1
+OK 9109 octets follow.

-- snip --
.
QUIT
+OK Bye-bye.
Connection closed by foreign host.

That pretty much verifies that you have a PLAIN LOGIN connection functional.  This will at least keep your users happy until you get the TLS and/or SSL connection functional.

The commands for plain login are:

  • USER <username>
  • PASS <password>
  • LIST
  • RETR <message_index_number>
  • DELE <message_index_number>
  • QUIT

These commands should be case-insensitive, but for the sake of clarity the example shows them in upper case.

Things to note:

  • If you are using MySQL for authentication, while testing, edit /etc/courier/authlib/authdaemonrc and set DEBUG_LOGIN=2 so that you can verify that password verification is working.
  • The MYSQL_USER_TABLE (in /etc/courier/authlib/authmysqlrc) can be a dynamically generated table if you want, but there is a limit on the length of the SELECT statement.  I've had issues where my SELECT statement would get cut off due to long query statements, so when joining multiple tables, try to use a single character for the table alias (i.e. ... JOIN myOtherTable AS t1 ...) so that the query fits within the fixed length.
  • The UID and GID are very important for accessing the Maildir (or .maildir), especially when migrating from one server to another, since the UID and GID will change.  The annoyance, of course, is that there are multiple (at least two) config files you'd need to alter.  Because of this, I've decided to have my table carry columns for GID and UID for flexibility.
  • Pay attention to your log files.  The -v in your /etc/postfix/master.cf will come in very handy, so use it.

IMAP Test

Now that you've verified that POP3 works, it's time to verify IMAP4 so that we can use SquirrelMail, or in case the user wants to connect via IMAP using Outlook or Thunderbird (I like IMAP better than POP because it leaves folder management on the server side, meaning you never have to keep your saved e-mail local on your hard drive).

hidekiai@kusari ~ $ telnet imap.yourdomain.name imap
Trying xxx.yyy.zzz.xxx
Connected to imap.yourdomain.name.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT 
THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 
IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 
Double Precision, Inc.  See COPYING for distribution information.
. LOGIN yourUserName yourSuperSecretPassword
. OK LOGIN Ok.
. LIST "" "*"
* LIST (\HasNoChildren) "." "INBOX.Trash"
* LIST (\Marked \HasChildren) "." "INBOX"
* LIST (\HasNoChildren) "." "INBOX.Drafts"
* LIST (\HasNoChildren) "." "INBOX.Sent Items"
* LIST (\HasNoChildren) "." "INBOX.Sent"
. OK LIST completed
. SELECT "INBOX"
* FLAGS (\Draft \Answered \Flagged \Deleted \Seen \Recent)
* OK [PERMANENTFLAGS (\* \Draft \Answered \Flagged \Deleted \Seen)] Limited
* 182 EXISTS
* 4 RECENT
* OK [UIDVALIDITY xxxxx] Ok
* OK [MYRIGHTS "acdilrsw"] ACL
. OK [READ-WRITE] Ok
. FETCH 1 BODY
* 1 FETCH (BODY ("text" "plain" ("charset" "us-ascii") NIL NIL "7bit" 7340 237))
. OK FETCH completed.
. FETCH 1 ALL
* 1 FETCH (FLAGS (\Seen) INTERNALDATE "27-Nov-2008 15:09:59 -0600" RFC822.SIZE 9109
ENVELOPE ("Thu, 27 Nov 2008 13:09:34 -0800" -- snip --))
. OK FETCH completed.
. LOGOUT
* BYE Courier-IMAP server shutting down
. OK LOGOUT completed
Connection closed by foreign host.

NOTES:

  • Don't forget to use the ". " (period + space) before the commands (i.e. ". LOGIN username password").  Some MTAs use "?" rather than ".".
  • Again, similar to the POP3 test, this method is for PLAIN LOGIN.  TLS is another story, and you'll need to use the "openssl s_client" method to test.

Once you get these two working (assuming you've got your smtpd side already working), you've got the basics of letting your users retrieve e-mail from Postfix.  By the way, did you notice that rather than using port #143, I used "imap" in the telnet command?  You can substitute any of the ports defined in your /etc/services file.

Commands for IMAP testing (plain text) are:

  • . LOGIN <username> <password>
  • . LIST “<folder>” “<folder>”
  • . SELECT “<foldername>”
  • . FETCH <message_index_number> BODY
  • . FETCH <message_index_number> ALL
  • . LOGOUT
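The two manual telnet sessions above, scripted so they can be re-run after every config change (an added example, not code from the post): pop3_check walks USER/PASS/LIST/QUIT and fails on the first -ERR, and imap_cmd shows what the ". " prefix really is, a client-chosen tag that the server echoes back on the final line of each reply. LineConn is an assumed helper; wrap a live socket with LineConn(socket.create_connection((host, port))), where host/port are whatever your /etc/services and DNS say.

```python
class LineConn:
    """CRLF line-oriented wrapper over a connected socket (assumed helper)."""
    def __init__(self, sock):
        self.f = sock.makefile("rwb")
    def send(self, line):
        self.f.write(line.encode() + b"\r\n")
        self.f.flush()
    def recv(self):
        return self.f.readline().decode(errors="replace").rstrip("\r\n")

def pop3_check(conn, user, password):
    """Replay the manual session; returns the LIST sizes or raises on -ERR."""
    if not conn.recv().startswith("+OK"):
        raise RuntimeError("no +OK greeting: is this really a POP3 port?")
    for cmd in (f"USER {user}", f"PASS {password}", "LIST"):
        conn.send(cmd)
        reply = conn.recv()
        if not reply.startswith("+OK"):
            raise RuntimeError(f"{cmd.split()[0]} rejected: {reply}")
    sizes = []
    while (line := conn.recv()) != ".":   # multi-line LIST ends with a lone "."
        sizes.append(int(line.split()[1]))
    conn.send("QUIT")
    conn.recv()
    return sizes

def imap_cmd(conn, command, tag="."):
    """Send one tagged command; collect untagged '* ...' lines until the tag returns."""
    conn.send(f"{tag} {command}")
    untagged = []
    while True:
        line = conn.recv()
        if line.startswith(tag + " "):
            if line.split()[1] != "OK":          # NO or BAD
                raise RuntimeError(f"{command.split()[0]} failed: {line}")
            return untagged
        untagged.append(line)

def imap_check(conn, user, password):
    """LOGIN, LIST, SELECT INBOX, LOGOUT; returns (folder names, EXISTS count)."""
    if not conn.recv().startswith("* OK"):
        raise RuntimeError("no '* OK' greeting: is this really an IMAP port?")
    imap_cmd(conn, f"LOGIN {user} {password}")
    folders = [l.split('"')[-2] for l in imap_cmd(conn, 'LIST "" "*"')]
    exists = next(int(l.split()[1]) for l in imap_cmd(conn, 'SELECT "INBOX"')
                  if l.endswith(" EXISTS"))
    imap_cmd(conn, "LOGOUT")
    return folders, exists
```

Both checks send the password in the clear, exactly as the telnet sessions do, so run them only against the plaintext ports you are deliberately testing and then re-test over TLS.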

SMTP Send
Next comes the test to verify that your users can reply/send e-mails.
