From 9bcc691d9105b8a382f11498a22598caf06b31a5 Mon Sep 17 00:00:00 2001
From: Morre
Date: Sun, 5 Jul 2020 19:04:03 +0200
Subject: [PATCH] WIP: tweak settings

---
 files/saslauthd-defaults | 59 +++++++++++++++++++++++++++++++++++++
 templates/main.cf.j2 | 2 ++
 templates/saslauthd.conf.j2 | 2 +-
 3 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/files/saslauthd-defaults b/files/saslauthd-defaults
index 62259cc..1e2d371 100644
--- a/files/saslauthd-defaults
+++ b/files/saslauthd-defaults
@@ -1,3 +1,62 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
 START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam -- use PAM
+# rimap -- use a remote IMAP server
+# shadow -- use the local shadow password file
+# sasldb -- use the local sasldb database file
+# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
 MECHANISMS="ldap"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
diff --git a/templates/main.cf.j2 b/templates/main.cf.j2
index 210f52f..795b088 100644
--- a/templates/main.cf.j2
+++ b/templates/main.cf.j2
@@ -89,11 +89,13 @@ virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
 # TODO: This is already enabled when using dovecot as transport
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
+broken_sasl_auth_clients = yes
 
 # Restrictions
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
 disable_vrfy_command = yes
+smtpd_delay_reject = yes
 smtpd_helo_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
diff --git a/templates/saslauthd.conf.j2 b/templates/saslauthd.conf.j2
index 6983faf..961babc 100644
--- a/templates/saslauthd.conf.j2
+++ b/templates/saslauthd.conf.j2
@@ -1,5 +1,5 @@
 {% if postfix.ldap.enable %}
-ldap_servers: {{ postfix.ldap.server.host }}
+ldap_servers: {{ postfix.ldap.server.host }}/
 ldap_version: 3
 ldap_search_base: {{ postfix.ldap.search_base }}
 ldap_scope: sub
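Review bot: The new `# Other options` comment block explains why `-m` is mandatory but says nothing about `-c`, which the context line `OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"` also passes: `-c` enables saslauthd's credential cache, so with `MECHANISMS="ldap"` a password that was verified once keeps being accepted from the cache, regardless of a later password change or lockout in LDAP, until the entry times out (`-t`). Now that the file carries the full Debian template text, a one-line note next to `OPTIONS` would stop the next maintainer from reading `-c` as just another package default, e.g. `# -c caches verified credentials; LDAP password changes/lockouts only take effect after the cache timeout (-t)`. The added `THREADS=5` and `MECH_OPTIONS=""` lines restate the package defaults and need no change.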
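Review bot: `broken_sasl_auth_clients = yes` makes smtpd advertise AUTH a second time in the obsolete `AUTH=` form for legacy clients, and the context line `smtpd_sasl_security_options = noanonymous` does not exclude `plaintext`, so whether those clients can be offered AUTH on an unencrypted session depends on `smtpd_tls_auth_only` being set elsewhere in the template, which this hunk does not show. If it is not set, add `smtpd_tls_auth_only = yes` next to the new line (or use `smtpd_sasl_security_options = noanonymous, noplaintext` together with `smtpd_sasl_tls_security_options = noanonymous`) so the widened advertisement never covers a cleartext connection. `smtpd_delay_reject = yes` restates the Postfix default; if the line is meant as documentation, a short comment saying so keeps it from being read as a deliberate deviation.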
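Review bot: The trailing `/` appended to `ldap_servers` only yields a valid value if `postfix.ldap.server.host` already carries a scheme, because saslauthd expects this setting to be a space-separated list of LDAP URIs (`ldap://host` or `ldaps://host`); a bare hostname becomes `host/`, which is not one. If the variable is a bare host, build the URI in the template instead, e.g. `ldap_servers: ldap://{{ postfix.ldap.server.host }}/`, and document the expected form of the variable next to it. Whichever form is used, the bind credentials and the user passwords saslauthd sends to the LDAP server cross the network in the clear unless the URI is `ldaps://` or `ldap_start_tls: yes` is set, so the template should make that choice explicit rather than leaving it to the variable's value. The `{% if postfix.ldap.enable %}` block continues past the end of the hunk.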