
So I am trying to get my head around how this works in relation to how people can send credentials to authenticate via SMTP and send mail. With a typical default setup of postfix and dovecot (with something like http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL), am I right to understand that this will auth users against /etc/passwd or similar? As such, what is the process for users getting created, or is it just done through useradd/adduser? (This would mean that there is no immediate linking of username to email alias, and any forwarding of aliases to a mailbox location would have to somehow be linked to a username successfully.)

I also have the issue in that even though I set up a unix account, I am unable to make an SMTP connection to the server and authenticate successfully to send an email (tried via telnet). So what could be a possible limitation there? I know postfix has a concept of a trusted relay node (using the variable "mynetworks"), so the place I am sending from wouldn't need to be in there, right? (otherwise there could almost be no point in doing the auth because "mynetworks" provides you with full relay access).

Sorry if I haven't explained this well but the Postfix/Dovecot documentation is a tad tricky to read.

sebix
Peter
  • Blurry, very blurry. You mix at least two topics here. And you provide no details, do we have to watch our magic balls? – jirib Oct 15 '13 at 11:47
  • For postfix, you can use postconf -n to see your modifications of postfix configuration. 'mynetworks' is for relaying, not accepting incoming mails (inbound mail server) for your domain. Accepting mails is related to 'inet_interfaces' and 'mydestination'. Basically for postfix there are 5 main options - inet_interfaces, myorigin, relayhost, mydestination, mynetworks - which have to be taken care of. Also, if your users do not need shell (ssh access), do not create local users. Use virtual users in dovecot, so leaked password won't mean direct shell access on your server. – jirib Oct 15 '13 at 12:04

2 Answers

1

Okay, so in the dovecot.conf file, the following section is where your auth is setup to use Linux PAM, and the /etc/passwd file as the authentication source. If you want to use something else, it will require some configuration of PAM. Some of the modules in /etc/pam.d may help here:

  passdb pam {
  }
  userdb passwd {
  }

Adding users under the current configuration is indeed done via 'useradd' as normal. Your aliases can be configured in /etc/aliases (don't forget to run 'newaliases' after updating), or in /etc/postfix/virtual in the format 'user@virtualdomain.com'[tab]'localuser' (don't forget to run 'postmap /etc/postfix/virtual' after updating).

As regards inability to connect, I'm assuming you mean remotely. If you can't connect to port 25 locally, then postfix probably isn't running. If you can't connect remotely, postfix is probably only listening on the loopback interface. In this case, edit /etc/postfix/main.cf and change the 'inet_interfaces' directive to be 'inet_interfaces = all', then restart postfix. This will make it listen on all interfaces. For test purposes, flush your iptables filter rules also with '/sbin/iptables -F' as root.

Ruairí N.
  • You are correct in assuming I am connecting remotely and I will certainly check to see what interfaces postfix is listening on. Thanks for your comment, this is actually a great explanation. – Peter Oct 15 '13 at 11:57
  • Happy to help. Do let us know how you get on :) – Ruairí N. Oct 15 '13 at 11:58
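The answer above, together with jirib's comment on 'mynetworks', boils down to a handful of main.cf settings that decide whether a remote client can connect, whether it can authenticate, and whether it is trusted to relay without authenticating. The following script is an added example (not part of this answer or of Postfix) that audits a `postconf -n` style dump for those pitfalls. The configuration text is constructed to trigger every finding; in practice you would feed it the real output of `postconf -n`. Note that `postconf -n` only lists non-default values, so a missing `smtpd_relay_restrictions` on Postfix 2.10 or later usually means the safe default applies and the finding is a prompt to verify, not proof of an open relay.

```python
"""Audit a `postconf -n`-style dump of Postfix settings for the connect /
authenticate / relay pitfalls discussed in the thread.

Added example, not Postfix's own tooling. The sample below is constructed
so that every check fires; replace it with the output of `postconf -n`.
"""
import ipaddress
import re

# Constructed sample in `postconf -n` output format ("key = value").
SAMPLE_POSTCONF = """\
inet_interfaces = loopback-only
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, permit
"""


def parse_postconf(text):
    """Turn 'key = value' lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_postfix(conf):
    """Return (setting, finding) pairs for settings that explain a failed
    remote connection, a failed AUTH, or an overly trusting relay policy."""
    findings = []

    # 1. Remote clients cannot reach a loopback-only listener at all.
    if conf.get("inet_interfaces", "all") in ("loopback-only", "localhost", "127.0.0.1"):
        findings.append(("inet_interfaces",
                         "listens on loopback only; remote SMTP clients cannot connect"))

    # 2. Anything in mynetworks may relay without authenticating, so a
    #    catch-all range is an open relay. Hostnames and table lookups
    #    (e.g. hash:/etc/postfix/network_table) are not evaluated here.
    for net in split_list(conf.get("mynetworks", "")):
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue
        if network.prefixlen == 0:
            findings.append(("mynetworks",
                             f"{net} trusts every client as a relay (open relay)"))

    # 3. Without SASL enabled on smtpd, no client can authenticate, so the
    #    only way to relay is to be inside mynetworks.
    if conf.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append(("smtpd_sasl_auth_enable",
                         "SASL AUTH is off; remote users cannot authenticate to relay"))

    # 4. Relaying must be refused for non-local destinations unless the
    #    client is in mynetworks or authenticated. On Postfix >= 2.10 the
    #    default smtpd_relay_restrictions already does this and `postconf -n`
    #    omits defaults, so treat this finding as "verify", not "broken".
    relay = split_list(conf.get("smtpd_relay_restrictions", ""))
    rcpt = split_list(conf.get("smtpd_recipient_restrictions", ""))
    guards = {"reject_unauth_destination", "defer_unauth_destination"}
    if not guards & set(relay + rcpt):
        findings.append(("smtpd_recipient_restrictions",
                         "no reject_unauth_destination in relay/recipient "
                         "restrictions; verify with `postconf smtpd_relay_restrictions`"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_postfix(parse_postconf(SAMPLE_POSTCONF)):
        print(f"{setting}: {finding}")
```

Running it against the constructed sample prints all four findings; a sane server-side policy for the scenario in the question is `inet_interfaces = all`, `smtpd_sasl_auth_enable = yes`, a `mynetworks` limited to loopback and your own trusted hosts, and `permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination` in the relay restrictions, which is exactly what lets a remote user relay only after authenticating.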
0

You are correct. Authentication is provided through PAM (Pluggable Authentication Modules) which "looks" for users in /etc/passwd (/etc/shadow). You can create users via adduser as you say. If you want aliases you can use /etc/aliases and then run the "newaliases" command to make it work.

What is the configuration of your /etc/postfix/main.cf file? If you want you can post it, avoiding pasting the comments of the file. Note that "mynetworks" needs either an IP address or a network range allowed to connect.

Tomas