WIP: tweak settings

files/saslauthd-defaults

@@ -1,3 +1,62 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
 START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
 MECHANISMS="ldap"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

templates/main.cf.j2

@@ -89,11 +89,13 @@ virtual_mailbox_domains = {{ postfix.virtual_mailbox_domains|join(' ') }}
 # TODO: This is already enabled when using dovecot as transport
 smtpd_sasl_auth_enable = yes
 smtpd_sasl_security_options = noanonymous
+broken_sasl_auth_clients = yes
 
 # Restrictions
 smtpd_helo_required = yes
 strict_rfc821_envelopes = yes
 disable_vrfy_command = yes
+smtpd_delay_reject = yes
 
 smtpd_helo_restrictions = permit_mynetworks,
                           permit_sasl_authenticated,

templates/saslauthd.conf.j2

@@ -1,5 +1,5 @@
 {% if postfix.ldap.enable %}
-ldap_servers: {{ postfix.ldap.server.host }}
+ldap_servers: {{ postfix.ldap.server.host }}/
 ldap_version: 3
 ldap_search_base: {{ postfix.ldap.search_base }}
 ldap_scope: sub