
[exim] Авторизация через dovecot (+cram-md5, digest-md5)

Захотел освежить в памяти настройку exim+dovecot и заодно сделать авторизацию по digest-md5 и cram-md5. Приведу лишь настройки exim, dovecot и дамп БД с тестовыми юзерами. Причём, если хотите использовать авторизацию cram-md5 через dovecot (если только digest-md5, то, похоже, не нужно), exim нужно пропатчить!

Для того, чтобы включить в exim возможность авторизации через dovecot и авторизовать через cram-md5, добавляем в /etc/make.conf следующее (привожу только те директивы, которые отвечают именно за авторизацию; остальные, например поддержку mysql, нужно добавить самостоятельно):

# /etc/make.conf fragment: build knobs applied only when the mail/exim port is built.
# Only the authentication-related knobs are listed; MySQL support etc. is added separately.
PORTSDIR?= /usr/ports
.if ${.CURDIR} == ${PORTSDIR}/mail/exim
# Authenticator back-ends compiled into exim: dovecot socket, plaintext, CRAM-MD5, LOGIN.
# The exim configuration further down on this page uses only "driver = dovecot"
# authenticators, so WITH_PWCHECK is not exercised by anything shown here.
WITH_AUTH_DOVECOT=YES
WITH_AUTH_PLAINTEXT=YES
WITH_AUTH_CRAM_MD5=YES
WITH_AUTH_LOGIN=YES
WITH_PWCHECK=YES
.endif

Хочу заметить, что dovecot от версии к версии меняет некоторые параметры! Поэтому будьте внимательны, если у вас версии различаются.

router2# pkg_info | grep dovecot
dovecot-1.2.4       Secure and compact IMAP and POP3 servers
router2# pkg_info | grep exim
exim-4.69_4         High performance MTA for Unix systems on the Internet

Конфиг dovecot.conf:

# dovecot.conf for Dovecot 1.2.x (the pkg_info output above shows dovecot-1.2.4).
# Option names differ between Dovecot 1.x and 2.x; check against your version.
base_dir = /var/run/dovecot/
protocols = imap imaps pop3 pop3s
listen = 10.0.3.132
# NOTE(review): plaintext mechanisms (PLAIN/LOGIN) stay allowed while ssl=no below,
# so IMAP/POP3 passwords cross the network unencrypted on the imap/pop3 ports.
# With "yes" Dovecot refuses plaintext mechanisms on non-SSL connections.
disable_plaintext_auth = no
log_path = /var/log/maillog
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
info_log_path = /var/log/maillog
mail_debug = no
# Keep "no" in production: "yes" writes the passwords being checked into the log.
auth_debug_passwords = no
ssl=no
# %h is the home returned by user_query in dovecot-sql.conf (/var/mail/exim/<maildir>).
mail_location = maildir:%h
mail_privileged_group = mail
dotlock_use_excl = yes
verbose_proctitle = yes
# Lowest uid/gid allowed to own mail; the `users` rows in the dump use uid 26 / gid 26.
first_valid_uid = 26
first_valid_gid = 6
maildir_copy_with_hardlinks = yes
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh  tb-extra-mailbox-sep
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
# The LDA ("deliver", invoked by exim's dovecot_delivery transport) resolves
# users through the master socket defined below.
protocol lda {
postmaster_address = postmaster@example.com
auth_socket_path = /var/run/dovecot/auth-master
}
auth_default_realm = router2.tld
# %Lu: lowercase the login name before the passdb/userdb lookups.
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth default {
# cram-md5/digest-md5 are challenge-response mechanisms: they need the stored
# password in plaintext or in the matching {CRAM-MD5}/{DIGEST-MD5} scheme (the dump's
# admin/root rows are {CRAM-MD5}). Note that exim on this page defines PLAIN, LOGIN
# and CRAM-MD5 authenticators only, so digest-md5 is reachable via IMAP/POP3 alone.
mechanisms = plain login cram-md5 digest-md5
passdb sql {
args = /usr/local/etc/dovecot-sql.conf
}
userdb passwd {
args = blocking=yes
}
userdb sql {
args = /usr/local/etc/dovecot-sql.conf
}
# NOTE(review): the auth process runs as root — presumably for the passwd userdb;
# confirm, otherwise a dedicated unprivileged user is the usual choice.
user = root
socket listen {
# Master socket (user lookups for the LDA): owner-only, owned by exim's mailnull.
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = mailnull
group = mail
}
# Client socket that exim's "driver = dovecot" authenticators connect to.
client {
path = /var/run/dovecot/auth-client
mode = 0660
user = mailnull
group = mail
}
}
}
dict {
}
plugin {
}

Конфиг dovecot-sql.conf:

router2# less dovecot-sql.conf
# dovecot-sql.conf: shared by "passdb sql" and "userdb sql" in dovecot.conf.
# NOTE(review): the DB credentials sit here in cleartext and are the same ones exim's
# mysql_servers uses; keep the file root-owned and unreadable to other users, and do
# not use the username as the password. Both queries below only SELECT from `users`,
# so a read-only MySQL grant is sufficient for this account.
driver = mysql
connect = host=localhost user=dovecot password=dovecot dbname=maildb
# Scheme applied to pw_encrypted values without a {SCHEME} prefix, e.g. the bare
# 32-hex-char value of user@domain.ru in the dump; the admin/root rows carry an
# explicit {CRAM-MD5} prefix. NOTE(review): confirm MD5 is the scheme your Dovecot
# version applies to a bare hex MD5 (some versions call that PLAIN-MD5).
default_pass_scheme = MD5
# Home becomes /var/mail/exim/<maildir>, matching mail_location = maildir:%h.
# %n/%d are substituted by Dovecot itself, which escapes them for SQL.
user_query = SELECT CONCAT('/var/mail/exim/',maildir) AS home, uid AS uid, gid AS gid FROM users WHERE address = '%n@%d'
# ok = 'Y' gates login here; exim's dovecot_user router does not check the same flag.
password_query = SELECT pw_encrypted AS password FROM users WHERE address = '%n@%d' AND ok = 'Y'

Конфиг exim:

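# Exim 4.69 main configuration, delegating authentication and delivery to dovecot.
# Review changes against the original listing:
#  - both domainlist MySQL lookups now wrap $domain in ${quote_mysql:...}. $domain
#    is taken verbatim from the client's RCPT TO, and the routers section already
#    quotes the same way, so the domainlists were the one place client-supplied
#    text reached a query unescaped;
#  - the trailing backslash after "log_selector = +all" is gone: a trailing
#    backslash continues the line, so "syslog_timestamp = no" was being read as
#    part of the log_selector value instead of as its own option.
primary_hostname = mail.router2.tld
# "hide" keeps the DB credentials out of "exim -bP" output for non-admin users.
# Same user/password as dovecot-sql.conf; every query here is a SELECT.
#hide mysql_servers = localhost/maildb/dovecot/dovecot
hide mysql_servers = localhost::(/tmp/mysql.sock)/maildb/dovecot/dovecot
# A domain is local when it has a row in `transport`; only the lookup's success
# matters, the returned `destination` value is not used elsewhere in this file.
domainlist local_domains = ${lookup mysql{SELECT `destination` \
FROM `transport` WHERE \
`domain`='${quote_mysql:$domain}' }}
# Identical query, so relay_to_domains is always the same set as local_domains.
domainlist relay_to_domains = ${lookup mysql{SELECT `destination` \
FROM `transport` WHERE \
`domain`='${quote_mysql:$domain}' }}
# NOTE(review): defined but never referenced in acl_check_rcpt below, so these
# ranges get no relay permission from this list.
hostlist   relay_from_hosts = localhost:127.0.0.0/8:192.168.0.0/16
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
daemon_smtp_ports = 25
qualify_domain = mail.router2.tld
qualify_recipient = mail.router2.tld
disable_ipv6 = true
# Exim runs as mailnull:mail, the owner/group dovecot gives its auth sockets.
exim_user = mailnull
exim_group = mail
never_users = root
rfc1413_query_timeout = 5s
host_lookup = *
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
log_selector = +all
syslog_timestamp = no
begin acl
acl_check_rcpt:
# Locally generated (non-SMTP) messages have no sending host: accept outright.
accept  hosts = :
deny    message       = Restricted characters in address
domains       = !+local_domains
local_parts   = ^[.] : ^.*[@%!/|]
deny    message       = Restricted characters in address
domains       = !+local_domains
local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
accept  local_parts   = postmaster
domains       = +local_domains
require verify        = sender
# NOTE(review): this accept fires for every local/relay domain before the
# "require verify = recipient" further down is reached, so mail to unknown local
# users is accepted at RCPT time and only bounced after the routers fail (a
# backscatter source); it also applies control = submission to inbound mail.
# Placing "require verify = recipient" above this accept closes that gap; left
# unchanged here because it alters which mail is accepted.
accept  domains       = +local_domains : +relay_to_domains
control       = submission
accept  authenticated = *
control       = submission
# Only non-local, unauthenticated recipients get this far, so this require always
# denies with "relay not permitted"; the two statements after it are unreachable.
require message = relay not permitted
domains = +local_domains : +relay_to_domains
require verify = recipient
accept
acl_check_data:
accept
begin routers
# Virtual mailboxes: the address (or a catch-all "@domain" row) exists in `users`.
# Client-supplied parts are quoted for MySQL. The ok flag is not checked here,
# unlike password_query in dovecot-sql.conf, so disabled accounts still receive mail.
dovecot_user:
driver = accept
transport = dovecot_delivery
condition = ${lookup mysql{SELECT `address` FROM \
`users` WHERE \
`address`='${quote_mysql:$local_part@$domain}' OR \
`address`='${quote_mysql:@$domain}'}{yes}{no}}
# Remote domains go out over SMTP; the host's own address 10.0.3.132, loopback and
# 0.0.0.0 are never used as delivery targets.
dnslookup:
driver = dnslookup
domains = !+local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 10.0.3.132/32
no_more
# /etc/aliases for local addresses not handled by dovecot_user.
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
user = mailnull
group = mail
file_transport = address_file
pipe_transport = address_pipe
# ~/.forward handling for system (passwd) users.
userforward:
driver = redirect
check_local_user
file = $home/.forward
no_verify
no_expn
check_ancestor
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
condition = ${if exists{$home/.forward} {yes} {no} }
begin transports
remote_smtp:
driver = smtp
# Hands the message to dovecot's LDA as mailnull (owner of the auth-master socket).
# The pipe transport splits the command into arguments before expansion and runs it
# without a shell, so $local_part@$domain is passed to deliver as a single argument.
dovecot_delivery:
driver = pipe
command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = mailnull
address_pipe:
driver = pipe
return_output
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
begin retry
*                      *           F,2h,15m; G,16h,1h,1.5; F,4d,6h
begin rewrite
begin authenticators
# All three defer to dovecot over the auth-client socket; dovecot must list the
# mechanism in "mechanisms" (it does for plain, login and cram-md5).
# NOTE(review): no DIGEST-MD5 authenticator is defined on the exim side, so SMTP
# clients cannot use it even though dovecot offers it. No tls_* options appear in
# this listing either, so PLAIN/LOGIN credentials are sent in the clear on port 25.
auth_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
auth_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1
auth_cram_md5:
driver = dovecot
public_name = CRAM-MD5
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1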

Если после отправки письма будет вылазить ошибка

Unable to authenticate at present: authentication socket read error or premature eof

значит нужно будет пропатчить авторизацию dovecot в exim’е. Исправленный файл dovecot.c можно взять по адресу http://vcs.exim.org/viewvc/exim/exim-src/src/auths/dovecot.c?r1=1.10&view=log — подходит начиная с версии 1.7, я брал 1.10. Как патчить: просто кладём скачанный файл взамен имеющегося exim-src/src/auths/dovecot.c и пересобираем exim.

Как создавать пароли:

– cram-md5

Тут просто: в комплекте с dovecot’ом идёт утилита dovecotpw. Для генерации просто запускаем её и дважды вводим пароль:

# dovecotpw
Enter new password: password
Retype new password: password
{CRAM-MD5}26b633ec8bf9dd526293c5897400bddeef9299fad

В БД нужно вставлять именно в таком виде — с фигурными скобками и названием схемы.

– digest-md5

Выполняем команду:

router2# echo -n "password" | md5
5f4dcc3b5aa765d61d8327deb882cf99

Вставляем полученный хеш в БД.

Привожу дамп БД maildb с тестовыми юзерами и доменами:

-- MySQL dump 10.11
--
-- Host: localhost    Database: maildb
-- ------------------------------------------------------
-- Server version       5.0.84
-- Review notes: this is the schema the dovecot-sql.conf queries and the exim
-- mysql lookups on this page run against; the rows are test data only.
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
--
-- Table structure for table `transport`
--
-- One row per domain exim treats as local/relay. `destination` is what the
-- domainlist lookups return, but only the lookup's success is used there.
DROP TABLE IF EXISTS `transport`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `transport` (
`id` int(10) unsigned NOT NULL auto_increment,
`domain` varchar(128) NOT NULL default '',
`destination` varchar(128) NOT NULL default '',
PRIMARY KEY  (`id`),
UNIQUE KEY `domain` (`domain`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `transport`
--
LOCK TABLES `transport` WRITE;
/*!40000 ALTER TABLE `transport` DISABLE KEYS */;
INSERT INTO `transport` VALUES (1,'router2.tld','virtual:'),(2,'mail.router2.tld','local:'),(3,'domain.ru','virtual:');
/*!40000 ALTER TABLE `transport` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `users`
--
-- NOTE(review): `pw_clear` holds the password in cleartext (the rows below carry
-- '12345' and '7TN4ogHs'); nothing on this page reads it, so it can be dropped or
-- left empty. `pw_encrypted` is what password_query returns: a {CRAM-MD5}-prefixed
-- hash, or a bare hex value interpreted through default_pass_scheme.
-- `ok` gates login in password_query; exim's dovecot_user router does not check it.
-- `uid`/`gid` default to 26/26; dovecot's first_valid_uid/first_valid_gid are 26/6.
DROP TABLE IF EXISTS `users`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL auto_increment,
`address` varchar(128) NOT NULL default '',
`pw_clear` varchar(32) NOT NULL default '',
`pw_encrypted` varchar(200) default NULL,
`name` varchar(128) NOT NULL default '',
`uid` int(11) unsigned NOT NULL default '26',
`gid` int(11) unsigned NOT NULL default '26',
`maildir` varchar(128) NOT NULL default '',
`quota` int(10) unsigned NOT NULL default '0',
`ok` enum('Y','N') NOT NULL default 'Y',
PRIMARY KEY  (`id`),
UNIQUE KEY `address` (`address`)
) ENGINE=MyISAM AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `users`
--
-- Test accounts: admin and root share one CRAM-MD5 hash (same password '12345'),
-- user@domain.ru has a bare MD5 value. Replace all of them before real use.
LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
INSERT INTO `users` VALUES (1,'admin@router2.tld','12345','{CRAM-MD5}365ea5b640cf5bc3d3c7ebeeb3194c4f46a2c30fd8a7b017b5cecb0c3501459c','Admin Admin',26,26,'router2.tld/admin@router2.tld/',0,'Y'),(2,'root@router2.tld','12345','{CRAM-MD5}365ea5b640cf5bc3d3c7ebeeb3194c4f46a2c30fd8a7b017b5cecb0c3501459c','',26,26,'router2.tld/root@router2.tld/',0,'Y'),(3,'user@domain.ru','7TN4ogHs','92f3f6276b2c024aa23c0203d9c40dff','',26,26,'domain.ru/user@domain.ru/',0,'Y');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
--
-- Table structure for table `virtual`
--
-- Alias map (address -> destination). NOTE(review): not referenced by any exim
-- router or dovecot query in the listings on this page.
DROP TABLE IF EXISTS `virtual`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `virtual` (
`id` int(10) unsigned NOT NULL auto_increment,
`address` varchar(128) NOT NULL default '',
`destination` text NOT NULL,
PRIMARY KEY  (`id`),
UNIQUE KEY `domain` (`address`)
) ENGINE=MyISAM AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
--
-- Dumping data for table `virtual`
--
LOCK TABLES `virtual` WRITE;
/*!40000 ALTER TABLE `virtual` DISABLE KEYS */;
INSERT INTO `virtual` VALUES (1,'admin.admin@router2.tld','admin@router2.tld');
/*!40000 ALTER TABLE `virtual` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
