Berkeley CSUA MOTD:Entry 31168
2004/7/5-6 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:31168 Activity:nil
05/07   A while ago I was having a lot of trouble getting Postfix to use
        SASL2 auth for sending mail on FreeBSD.  This link (including the
        errata at the bottom!) shows how to do it painlessly:
        http://ezine.daemonnews.org/200306/postfix-sasl.html  -John
Cache (4594 bytes)
ezine.daemonnews.org/200306/postfix-sasl.html
In today's internet there is a lot of spam and forged mail, and plenty of people who make use of it. It is important to be secure: secure your users, and secure the rest of the community from your users as well. It is better to be secure than sorry when an accident happens; you may not know that your users send spam until you land on a blacklist. I hope I don't have to explain why identification, authentication and authorization have to be implemented. In this article I will show you how to force users to authenticate before sending mail through Postfix.

Postfix installation

To install postfix-current, go to /usr/ports/mail/postfix. You should get a "Postfix configuration options" screen; if you need any other options, mark them with "X" by pressing space. If your system is 5.0-RELEASE, remember there is no Perl installed by default. The installation will take a while, so sit back and relax, but don't go away: before the installation of cyrus-sasl the system will prompt you to set "Additional SASL options". If the build process finished without any problems, type make install. The installation script will add the postfix user and group. All configuration files are in /usr/local/etc/postfix:

tahoe# ln -s /usr/local/etc/postfix /etc/postfix

To make aliases work correctly, link /etc/aliases to /usr/local/etc/postfix/aliases:

tahoe# ln -s /usr/local/etc/postfix/aliases /etc/aliases

Change the aliases as appropriate for your site and type newaliases. Set myhostname and myorigin equal to the output of the hostname command, and mail_spool_directory = /var/mail (that is the default). Remember that your configuration may need different options.

Check the config

Send a test mail to yourself to check that everything is OK before we start the SASL configuration. Now connect to port 25 on your machine and see if ESMTP is working:
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME

If you see similar output, it's okay. Then edit saslauthd's rc.d startup script and change the sasl_saslauthd_flags variable from "-a pam" to "-a getpwent". The correct line will now look like:

sasl_saslauthd_flags="-a getpwent"

Stop and start saslauthd again. In master.cf, change the smtp line to look like:

smtp inet n n n - - smtpd

Yes, we don't chroot smtpd: a chrooted smtpd cannot reach saslauthd's socket, which lives outside the Postfix queue directory. Note that the master.cf columns are service, type, private, unpriv, chroot, wakeup, maxproc and command; only the chroot column has to be n for this, and leaving unpriv as "-" keeps smtpd running as the unprivileged mail owner rather than as root.

Test Postfix with SASL

Before testing SASL authentication we have to encode our credentials with Base64. Reload the new Postfix configuration and telnet again to port 25:

250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
AUTH PLAIN Z3JlZ29yeQBncmVnb3J5AHRlc3Q=
235 Authentication successful
quit
221 Bye
Connection closed by foreign host.

Not so fast: all of the credentials are sent in cleartext, which means they can be sniffed off the wire (Base64 is an encoding, not encryption). You need a certificate: either you get it from a Certificate Authority, whom you have to pay, or you create it yourself. I will not describe how to become a Certificate Authority.

TLS configuration

OpenSSL is installed by default, so these are the steps you have to take to put TLS to work:

tahoe# mkdir /usr/local/etc/postfix/ssl
tahoe# chmod 700 /usr/local/etc/postfix/ssl

Because /etc/postfix is a symlink to /usr/local/etc/postfix I will use the shorter names here. With the certificate and key (the .pem files) in that directory, add to main.cf:

smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Save the file, reload Postfix and enjoy SASL authentication over TLS. Two practical notes: smtpd_tls_loglevel = 3 is a debugging level that hex-dumps the TLS negotiation, so lower it once things work; and Postfix still offers AUTH on sessions that have not issued STARTTLS unless you set smtpd_tls_auth_only = yes, so set it if cleartext logins are never acceptable.

No one can relay through your Postfix unless you allow it. The problem arises when a spammer obtains a list of valid usernames and aliases on your server. For example, he may know there are accounts for root and the user gregory. It is enough for him to telnet to your Postfix, issue helo instead of ehlo and forge mail from gregory to root (delivery to a local user is not relaying, so no authentication is demanded). And root might be disappointed with gregory, especially when he is a BOFH.
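The AUTH PLAIN token and the EHLO replies above, worked through in code. This is an added example, not code from the article or from Postfix: it builds and decodes the RFC 4616 token (the one shown, Z3JlZ29yeQBncmVnb3J5AHRlc3Q=, decodes to the article's test credentials, which is exactly what a sniffer gets), parses a 250 EHLO reply into its capabilities, and flags a server that advertises PLAIN or LOGIN before STARTTLS. The greeting host name mail.example is assumed, and the EHLO reply in the block is constructed from the lines shown above.

```python
"""Build, decode and sanity-check SMTP AUTH PLAIN exchanges (RFC 4616).

Added example for the Postfix/SASL walkthrough; not the article's code.
The EHLO reply below is constructed from the lines the article shows, with
an assumed greeting host name "mail.example".
"""
from __future__ import annotations

import base64
import re


def auth_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """Encode credentials as the AUTH PLAIN initial response:
    base64(authzid NUL authcid NUL password)."""
    for part in (authzid, authcid, password):
        if "\x00" in part:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\x00{authcid}\x00{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> tuple[str, str, str]:
    """Recover (authzid, authcid, password) from a sniffed AUTH PLAIN token.
    Base64 is an encoding, not encryption: anyone on the wire can do this."""
    raw = base64.b64decode(token, validate=True)
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        raise ValueError("AUTH PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, password = (f.decode("utf-8") for f in fields)
    return authzid, authcid, password


def parse_ehlo(response: str) -> dict[str, list[str]]:
    """Parse a multi-line 250 EHLO reply into {keyword: [params]}.
    Continuation lines are '250-KEYWORD params'; the last line is '250 KEYWORD'.
    The first line carries the server's host name and is not a capability."""
    caps: dict[str, list[str]] = {}
    lines = response.strip().splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^250([- ])(\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        sep, keyword, params = m.groups()
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("'250 ' must appear on, and only on, the last line")
        if i == 0:
            continue
        # Postfix also emits the legacy "AUTH=mech ..." form for old clients.
        if keyword.startswith("AUTH="):
            params = keyword[5:] + (" " + params if params else "")
            keyword = "AUTH="
        caps[keyword] = params.split() if params else []
    return caps


def audit_cleartext_ehlo(response: str) -> list[str]:
    """Findings for an EHLO reply received on a plain TCP session, before STARTTLS."""
    caps = parse_ehlo(response)
    findings = []
    mechs = set(caps.get("AUTH", [])) | set(caps.get("AUTH=", []))
    weak = mechs & {"PLAIN", "LOGIN"}
    if weak:
        findings.append(
            "AUTH %s offered before STARTTLS: credentials would cross the wire in "
            "cleartext (Postfix: smtpd_tls_auth_only = yes)" % " ".join(sorted(weak)))
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: the session cannot be upgraded to TLS")
    return findings


def client_may_authenticate(caps: dict[str, list[str]], tls_active: bool) -> bool:
    """Client-side rule: send PLAIN/LOGIN only once TLS is established."""
    offers = set(caps.get("AUTH", [])) | set(caps.get("AUTH=", []))
    return tls_active and bool(offers & {"PLAIN", "LOGIN"})


# Constructed from the article's second EHLO reply; host name assumed.
EHLO_WITH_CLEARTEXT_AUTH = """\
250-mail.example
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
"""

if __name__ == "__main__":
    print("sniffed token decodes to:", decode_auth_plain("Z3JlZ29yeQBncmVnb3J5AHRlc3Q="))
    for finding in audit_cleartext_ehlo(EHLO_WITH_CLEARTEXT_AUTH):
        print("finding:", finding)
```

Run it and the first line printed is the article's username and password in the clear, which is the whole argument for the TLS section that follows; the audit then reports both that PLAIN/LOGIN are offered on the cleartext session and that this reply carries no STARTTLS at all.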
To stop that, edit main.cf and add:

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch
smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login_maps

/usr/local/etc/postfix/sender_login_maps is a hash map listing valid usernames and aliases. If my login is gregory and I have an alias GCzaplinski, I put both values into the map. It might look like this:

gregory        gregory
GCzaplinski    gregory

The first column is the sender address, the second column is the username you are logged in as via SASL. Run postmap on the file after every change so that the .db file Postfix actually reads is rebuilt. With this in place, mail claiming to be from gregory is rejected unless the client is logged in as gregory, and a client logged in as gregory cannot use a sender address the map assigns to someone else. Remember to consult the manual or the howto on UCE controls.

I hope someone will find this article useful and that the hints given here will save you time.

After the publication, several questions were asked, and I also came up with some useful conclusions.
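What reject_sender_login_mismatch does with that map, as an added example rather than Postfix's own code: it parses the text form of the sender_login_maps file (the two lines above, plus a comment), looks the MAIL FROM address up by full address and then by local part (that lookup order, the lower-casing, and the comma-separated multi-owner value syntax are this example's assumptions), and returns the decision the restriction list permit_mynetworks, reject_sender_login_mismatch reaches. The client address 203.0.113.7 and the 127.0.0.0/8 mynetworks value are assumed.

```python
"""Simulate smtpd_sender_restrictions = permit_mynetworks,
reject_sender_login_mismatch against a sender_login_maps source file.

Added example; not the article's code and not Postfix source.  Lookup order
(full address, then local part), lower-casing of keys and logins, and the
multi-owner value syntax are this example's own assumptions.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed from the two map lines the article shows, plus a comment line.
SENDER_LOGIN_MAPS = """\
# sender (MAIL FROM) key   SASL login(s) that own it
gregory                    gregory
GCzaplinski                gregory
"""

# Assumed value of mynetworks for the demonstration.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def load_sender_login_map(text: str) -> dict[str, set[str]]:
    """Parse the text form of a hash: table (the file you run postmap on)."""
    table: dict[str, set[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'key value'")
        key, value = parts
        owners = {owner.lower() for owner in re.split(r"[,\s]+", value) if owner}
        table[key.lower()] = owners
    return table


def lookup_owners(table: dict[str, set[str]], sender: str) -> set[str]:
    """Who owns a MAIL FROM address: full address first, then the local part."""
    sender = sender.strip("<>").lower()
    if sender in table:
        return table[sender]
    local_part = sender.split("@", 1)[0]
    return table.get(local_part, set())


def decide(table: dict[str, set[str]], client_ip: str, mynetworks,
           sasl_login: str | None, sender: str) -> tuple[str, str]:
    """Return (action, reason) for permit_mynetworks, reject_sender_login_mismatch.
    Reaching the end of the restriction list permits, as in Postfix."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in mynetworks):
        return "permit", "permit_mynetworks"
    owners = lookup_owners(table, sender)
    login = sasl_login.lower() if sasl_login else None
    if owners and login not in owners:
        # Address has an owner, but the client is not logged in as that owner.
        who = f"user {login}" if login else "an unauthenticated client"
        return "reject", (f"Sender address rejected: {sender} is owned by "
                          f"{', '.join(sorted(owners))}, not {who}")
    if login and not owners:
        # Client is logged in, but the map does not give it this address.
        return "reject", f"Sender address rejected: {sender} is not owned by user {login}"
    return "permit", "end of smtpd_sender_restrictions"


if __name__ == "__main__":
    table = load_sender_login_map(SENDER_LOGIN_MAPS)
    cases = [
        ("203.0.113.7", None, "gregory@mail.example"),       # the forging spammer
        ("203.0.113.7", "gregory", "GCzaplinski@mail.example"),  # alias, same owner
        ("203.0.113.7", "gregory", "root@mail.example"),     # gregory posing as root
        ("127.0.0.1", None, "gregory@mail.example"),         # local client, trusted
    ]
    for ip, login, sender in cases:
        action, reason = decide(table, ip, MYNETWORKS, login, sender)
        print(f"{ip:12} login={login!s:8} MAIL FROM:<{sender}> -> {action}: {reason}")
```

The first case is the scenario from the article: no SASL login, MAIL FROM gregory, rejected because the map says gregory owns that address. Note that an unknown sender with no login still passes, since the map says nothing about it; adding such addresses to the map is what turns the restriction into a real spoofing control for your users.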