Ȼ/09


ǧڥƥˤĤưŪ

unix Ф˸¤餺ԥ塼̤ˡǧڡפȤȤߤԲķǤ.
ŪˡΰǤ륤󥿡ͥåȾѥɤɤΤ褦ˤȤꤹ뤫ѥɤȥ桼̾ʤɤξȹɤΤ褦˹ԤΤˤĤ͡ˡꡤ٤褦ˤʤäƤΤ¿.
Τ˽ؼԤˤϺ𤬤뤫ȻפºݤϤ󥫽Ȥޤʬʬ䤹.
ºݡޤˤϡunix ǤΥեȥ̾ϰʲοޤΤ褦ʹ¤򤷤ƤΤǡιޤƬˤưʲäɤФ狼.

authentication-structure_ss.png

ǧڤΰŪʻȤ

󤫤³

SMTP Auth (postfix)

ơSMTP Auth Ȥʤȥޥ˥奢ˤä˵ҤʤȤ򤭤Ĵ٤ƤԤʤ.
SMTP Auth ˴ؤƤϤޤޤѹĤǤ褦ʤΤǡȤϤޤܲ http://www.postfix.org/ dzǧ
Ūˤ http://www.postfix.org/SASL_README.html å뤳Ȥˤʤ. ȡޤϼΤ褦˽񤤤ƤȤͤˤʤ.

 Enabling SASL authentication in the Postfix SMTP server
 
 In order to enable SASL support in the Postfix SMTP server:
 
   /etc/postfix/main.cf:
       smtpd_sasl_auth_enable = yes
 
 In order to allow mail relaying by authenticated remote SMTP clients:
 
   /etc/postfix/main.cf:
       smtpd_recipient_restrictions = 
           permit_mynetworks 
           permit_sasl_authenticated 
           reject_unauth_destination
 
 To report SASL login names in Received: message headers (Postfix version 2.3 and later):
 
   /etc/postfix/main.cf:
       smtpd_sasl_authenticated_header = yes
 
 Note: the SASL login names will be shared with the entire world.
 
 Older Microsoft SMTP client software implements a non-standard version 
 of the AUTH protocol syntax, and expects that the SMTP server replies to 
 EHLO with "250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". 
 To accommodate such clients (in addition to conformant clients) use the following:
 
   /etc/postfix/main.cf:
       broken_sasl_auth_clients = yes

ޤϤλؼˤä main.cf 褦. ʸ/etc/postfix FreeBSD Ǥ /usr/local/etc/postfix ѹƤΤǾѴʤɤ⤦. ޤ"smtp" "smtpd" (Ǹ "d" ĤƤ)ȤǤϰ̣äƤΤǡץߥ򤷤ƤʤտҤ褦. Ǥ 4ĤεҤä뤳Ȥˤʤ. main.cf κǸ˸ǤƵҤƤʤϤ.

˾嵭ɤ߿ʤȡ

 Cyrus SASL configuration for the Postfix SMTP server

ǻϤޤʬΤǤޤɤޤʤȤʤ. ɤǤɤʬʤʬ¿齤ս񤤤Ƥȡmain.cf ˤȤꤢʲĤεҤäƤФ褤.

 smtpd_sasl_path = smtpd
 smtpd_sasl_local_domain = $myhostname

ɤФʤɤ. ȤΤ⡤SMTP auth ˻Ȥѥɤκǫ˽񤤤ƤΤ.
Ūˤϡ

 saslpasswd2 -c -u `postconf -h myhostname` exampleuser

Ȥ衤Ƚ񤤤Ƥ(Ǹ "exampleuser" ȤΤϥ桼֤̾ɤ٤)*1.

SMTP Auth ưǧ

桼Ͽ(SMTP Auth Ѥ)

SMTP Auth Ԥݡ桼ȥѥɤξȹɤǡ˴ŤƹԤˤ褬ʣ.
äʣꤷƤʤ*2ΤǻȤΤϥǥեȤ pwcheck_method ΤߡĤޤꡤSMTP Auth Ѥ SASL ѤΥ桼/ѥɽѤ뤳Ȥˤʤ.

ȤȤϡSMTP Auth ȤˡѼԤϿɬפȤȤǤ.
Ūˤϡˤ褦 saslpasswd2 ޥɤȤȤˤʤ.

ʤߤˡ桼(SMTP Auth Ѥ)ѥɤϿ줿γǧϡ

 sasldblistusers2

Ȥ

 username@hostname: userPassword

ʤɤȤɽФΤdzǧǤ.

½

桼 SMTP Auth ѤϿ褦.
ޤȻ˺ܤäƤåˤ SMTP Auth ˻Ȥ "桼ȥѥɤξȹˡ" ˤ /etc/passwd, PAM, LDAP ʤɤȽ񤫤Ƥ.
ϲĴ٤Ƥߤ.

ºݤ˼³Ƥߤ.

SMTP Auth ³ݤǧˡˤ⤤Ĥꡤͳ֤ȤǤ.
Υ󥹥ȡǤääʤ NTLMǧڡloginǧ, plainǧڡGSSAPIǧ, Digest-MD5ǧ, CRAM-MD5ǧڤȤ褦ˤʤäƤ

ǡΤδñѤǤ뤬Ź沽ʥ plainǧڤȡȻȤʤ֤ CRAM-MD5ǧڤƤߤ褦.

ˡѤ륳ޥɤǤ mmencode Ȥƥ󥹥ȡ뤷Ƥ.
Ūˤϡports 쥯򿷤ƤƤ顤

 portinstall mmencode

ȤФ褤.

SMTP Auth  : Plain ǧڤξ

Plain ǧڤϤڤʥΤǡSMTP Auth ʸ "\0桼̾\0ѥ"*3 base64 ǥ󥳡ɤΤ򥵡ФϤȤñʻȤߤ.
ʤߤˡbase 64 ϰŹ沽ǤϤʤ(ԥ塼ǰΤˤʤ褦)ñʤѴ*4ʤΤǡƥݤʤȤդɬפ.
Ĥޤꡤѥ base64 󥳡ɤ(Ҥ mmencode 򤫤)ͤ˶ꤷƤϤʤ.

ơ³³ɬפʸäƤޤ.
Ūˤϡޥɥ饤

 printf '\0000username\0000password' | mmencode

ȤФ褤*5.
桼̾ȥѥɤϤۤ SMTP Auth Ѥ saslpasswd2 ޥɤꤷΤǤ.

ȡ'\0桼̾\0ѥ' base64 󥳡ɤ줿ʸ󤬽Ϥ*6Τǡɤ¸Ƥ*7.

ȤϤĤΤ褦 telnet localhost 25 Ǽ MTA ³Ƥߤ.
ĤΤ褦 "EHLO localhost" ȤƱʤȡΤ褦 SMTP AUTH ǤȤɽߤDZʤϤ*8.

 250-(hostname)
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

ʳ SMTP Auth Plain ǧڤƤߤ褦.
Ūˤϡ

 AUTH PLAIN ۤbase64󥳡ɤƺäʸ

ϤФ褤. Plain ǧڤϤǺѤ.

 235 2.0.0 Authentication successful

ʤɤ "success" ΰդå֤äƤСǧڤ̤äȤȤ OK Ǥ.
ޤʤͤǫˤޤǤκȤ򿶤֤.

½

ޤǽ񤤤Ƥ뤳Ȥ¹Ԥ褦.

SMTP Auth  : CRAM-MD5 ǧڤξ

CRAM-MD5ǧڤ PlainǧڤȰäơѥɤʿʸʤǤ. plain ǧڤȰۤʤꡤͥåȥİƤޤȤ褦.
Ūˤϡ³ȥФŬʸäƤΤǡѥɤ򥭡ˤ hmac-md5 ǥϥå(줬ѥɤ򰵽, Ź沽Ȥ), 桼̾Ȥ碌 base64 󥳡ɤ֤ФƱͤ˺äϥåƱʤǧ OK Ȥˤʤ.

䤳¤ CRAM-MD5 ƥȤ뤿Υץ "userdb-test-cram-md5" ( imap 󥹥ȡκݤ)󥹥ȡ뤵ΤǡѤФ褤.
äơκȤϸҤ courier-imap 򥤥󥹥ȡ뤷˹Ԥʤ.
courier-imap ϤʤäƤƤ褤.

ʲκȤˤϥ󥽡뤬İʾ夢äʤΤǡX Ŭʸüߥ졼ĵưƤԤ.
ʬ䤹뤿ˡ줫ơΥߥ졼ưĤΥơ Shell-A, Shell-B Ȥƽ񤤤Ƥ.

ޤShell-A telnet localhost 25 Ʊ褦

 250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

ȤȤޤǤ. Ƥ

 auth cram-md5

Ϥ. ȡ

 334 PG5hbmlrYW5vLXNlcnZlcj4=

ʤɤȽϤ֤äƤ.
PG5hbmlrYW5vLXNlcnZlcj4= Ф base64 äƤʸ*9ǤΤǡ桼Υѥɤ򥭡ˤ hmac-md5 ǥϥå׻ƥ桼̾Ȥ碌 base64 ֤Ф褤. ʸݤˤߤ뤬ʤΤȤϤʤΥޥɤȤФ褤.

Ūˤ Shell-B userdb-test-cram-md5 ¹ԤơʲΤ褦бФ褤.

 Username? testuser  (SMTP Auth ˻Ȥ)桼̾Ϥ
 Password?  password  (SMTP Auth ˻Ȥ)ѥɤϤ
 Send: AUTH CRAM-MD5 (or for imap, A AUTHENTICATE CRAM-MD5)
 Paste the challenge here:
 + PG5hbmlrYW5vLXNlcnZlcj4=  Shell-A ǥФäƤʸϤ.
 Send this response:
 dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI=

ȡΤ褦˺Ǹ٤ʸƤ.

Ǥʸ(ξ dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI=)
򤵤ä Shell-A ǤκȤ³ Ϥ.
ǧڤ̤ФΤ

 235 2.0.0 Authentication successful

ʤɤȤޤ.
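The two mechanisms exercised above (PLAIN with `mmencode`, CRAM-MD5 with `userdb-test-cram-md5`) as a worked example in Python. This is added code, not part of the original page or of Cyrus SASL / Courier; the credentials `testuser` / `password` and the sample challenge `PG5hbmlrYW5vLXNlcnZlcj4=` are the placeholder values the page shows, and the function names are my own. It also shows the server side of CRAM-MD5 (recompute and compare in constant time), which the page only describes in words.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials, matching the placeholder pair the page
# feeds to saslpasswd2 / userdb-test-cram-md5 (hypothetical values).
USERNAME = "testuser"
PASSWORD = "password"
# Sample challenge exactly as the page's "334 ..." line shows it.
SAMPLE_CHALLENGE = "PG5hbmlrYW5vLXNlcnZlcj4="


def plain_token(username: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password).

    This is what `printf '\\0000user\\0000pass' | mmencode` produces. It is
    only an encoding, not encryption: anyone on the wire can decode it.
    """
    raw = authzid.encode() + b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_plain_token(token: str) -> tuple:
    """Reverse of plain_token (what `mmencode -u` shows): (authzid, authcid, password)."""
    authzid, authcid, passwd = base64.b64decode(token).split(b"\0", 2)
    return authzid.decode(), authcid.decode(), passwd.decode()


def decode_challenge(challenge_b64: str) -> str:
    """Show the server's CRAM-MD5 challenge in clear (the page does this with `mmencode -u`)."""
    return base64.b64decode(challenge_b64).decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195).

    The base64 challenge is decoded, HMAC-MD5'd with the password as the key,
    and "username <hex digest>" is sent back base64-encoded. The password
    itself never crosses the wire.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode("ascii")


def parse_cram_response(response_b64: str) -> tuple:
    """Split a client response into (username, hex digest); ValueError if malformed."""
    username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest is not 32 lowercase hex characters")
    return username, digest


def verify_cram_md5(stored_password: str, challenge_b64: str, response_b64: str) -> tuple:
    """Server side: recompute the digest from the stored secret and compare.

    Returns (ok, username). hmac.compare_digest avoids a timing side channel,
    and a malformed response yields (False, "") instead of an exception.
    """
    try:
        username, client_digest = parse_cram_response(response_b64)
    except (ValueError, UnicodeDecodeError):
        return False, ""
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest), username


if __name__ == "__main__":
    print("AUTH PLAIN token :", plain_token(USERNAME, PASSWORD))
    print("challenge in clear:", decode_challenge(SAMPLE_CHALLENGE))
    resp = cram_md5_response(USERNAME, PASSWORD, SAMPLE_CHALLENGE)
    print("CRAM-MD5 response:", resp)
    print("server verifies  :", verify_cram_md5(PASSWORD, SAMPLE_CHALLENGE, resp))
```

Note the asymmetry this makes visible: PLAIN leaks the password to anyone who can read the connection, while CRAM-MD5 leaks only a one-time digest, but CRAM-MD5 obliges the server to keep a secret from which HMAC-MD5 can be recomputed (which is why `sasldb2` and `userdbpw -hmac-md5` store the password or its HMAC-MD5 state rather than a one-way hash).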

SMTP over TLS ưǧ

SMTP over TLS

TLS ѤˤĤƤϡΤޤ˸ȾѰդʤȤʤ.
web server λ˺äȾ /etc/ssl (Ū̾ľ)ưƻȤ褷*10äƤ褤.

ϸȾ򿷤ä*11 /usr/local/etc/postfix ֤Ȥˤ褦. ƥե̾㤨() postfix.key, () postfix.crt ȤƤ.

Υե뤬¾οͤɤƤޤȺΤǡä夹

 chmod 400 postfix.key
 chmod 400 postfix.crt

ȤƤ.

ơPostfix ϡܲȤΥɥ(http://www.postfix.org/TLS_README.html)ɤǼʬʤ˼򤹤뤳Ȥˤʤ.
Ф饤Ȥǧڤɤ뤫ʤ¿䤳Ƥ褯狼ʤȻפΤǡ񤤤Ƥޤ.
Ȥꤢ /usr/local/etc/postfix/main.cf

 smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.crt
 smtpd_tls_key_file = /usr/local/etc/postfix/postfix.key
 smtpd_tls_received_header = yes
 smtpd_tls_security_level = may
 
 smtp_tls_security_level = may
 smtp_tls_note_starttls = yes

ʤɤȲäɤ*12. ϷϩΰŹ沽Ǥ褤ȤʤΤǡǧڤޤǤȤͤϥɥȤ򤭤ɤ⤦.

Խä顤postfix öߤƤƵư.

 /usr/local/etc/rc.d/postfix stop
 /usr/local/etc/rc.d/postfix start

Ƶư˲顼ٹ𤬽ФƤʤդƤ.

SMTP over TLS ưǧ

ޤäƤ褦äƤ telnet localhost 25 dzǧƤߤ.
ޤǤƱͤ( EHLO localhost )

 250-(hostname)
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS
 250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

ʤɤȤʤ( quit Ϥȴ).
ɤߤ "250-STARTTLS" ȤʬꡤȤꤢ TLS бư򤷤Ƥ뤳Ȥ狼.
줬Фʤ褦ʤ鲿ΤǤޤǤκȤ򿶤֤.

ơTLS ưγǧ SMTP ưåʥġƳ褦.
swaks (Swiss Army Knife SMTP) ȤФΤǤꡤޤǤ telnet localhost 25 ȤϢκȤưŪˤäƤʤΤǤ.

Ȥ櫓Ǥޤ ports쥯 portsnap ǿƤ swaks 򥤥󥹥ȡ뤷褦.

 portinstall swaks

ȤФ褤. 󥹥ȡ˥ץ
swaks-install_s.png
Ф顤ʤȤ "MX lookup support" "TLS support" Ȥ ON ˤƤƤ饤󥹥ȡ뤷褦(NTLM ϤμȤǤϴطʤ). Ȥϥࡼ˥󥹥ȡǤϤ. 󥹥ȡ뤬äǰΰ٤ rehash Ƥ.

, swaks λȤ swaks --help Ȥȥޥ˥奢뤬ɤΤǤߤƤ餦ȤơޤϤ餤ͤƤޤǤΥƥȤƸƤߤ褦.

ޤñ MTA ưƤ뤫γǧ.

 swaks --server localhost

Ȥȡƥȥ᡼ΰʹƤΤ, ʬΥ̾褦.

 === Trying localhost:25...
 === Connected to localhost.
 <-  220 ̾ ESMTP Postfix
  -> EHLO ̾
 <-  250-̾
 <-  250-PIPELINING
 <-  250-SIZE 10240000
 <-  250-VRFY
 <-  250-ETRN
 <-  250-STARTTLS
 <-  250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 <-  250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 <-  250-ENHANCEDSTATUSCODES
 <-  250-8BITMIME
 <-  250 DSN
  -> MAIL FROM:<пͥɥ쥹>
 <-  250 2.1.0 Ok
  -> RCPT TO:<>
 <-  250 2.1.5 Ok
  -> DATA
 <-  354 End data with <CR><LF>.<CR><LF>
  -> Date: 
  -> To: 
  -> From: п
  -> Subject: test 
  -> X-Mailer: swaks v20061116.0 jetmore.org/john/code/#swaks
  ->
  -> This is a test mailing
  ->
  -> .
 <-  250 2.0.0 Ok: queued as D6E7C11430
  -> QUIT
 <-  221 2.0.0 Bye

MTA Ȥꤷơв򤭤ȽϤƤ. ޤϥƥȥ᡼ºݤäϤʤΤǡȤΥۡǥ쥯ȥ Maildir/new ˥᡼뤬ϤƤϤǤ. ǧƤߤ褦.

ˡSMTP Auth plainǧڤƤߤ褦. ᡼뤬Ϥɬפ⤦ʤΤǡưǧΤߤǥ᡼ʤ褦ˤ褦. ˤϼΤ褦ˤФ褤.

 swaks --auth PLAIN --server localhost --quit RCPT

Ⱥǽ(ºݤˤʤ)ƥȥ᡼ΰʹƤơθ SMTP Auth ǧڤɬפʥ桼̾ȥѥɤʹƤΤ褦. θ塤Ϥ褯ơΤ SMTP Auth PlainǧڤޤäƤ뤳Ȥǧ褦.

SMTP Auth CRAM-MD5 ǧڤƤߤ. ˤ

 swaks --auth CRAM-MD5 --server localhost --quit RCPT

ȤФ褤. ϤäΤƱǤ.

ơäȴο SMTP over TLS ƥȤ褦. ȤäƤ⤳ޤǤХƥȤϤ⤦ñǡ

 swaks -tls --server localhost

ȤФ褤. ǰΰ٤˥ƥȥ᡼ºݤȤƤ.
¹Ԥơswaks νϤɤ꤬ʤ OK . , Maildir/new ˼ºݤ˥᡼뤬ϤƤ뤫åƤ.

ǸˡSMTP Auth SMTP over TLS Ȥ߹碌Ƥߤ褦. SMTP Auth ǧڤϤʤǤ褤. ʤΤȤäƤäƤߤ褦.
Ūˤ㤨мΤ褦ˤФ褤(SMTP Auth ϼưŪǤ餦).

 swaks --auth -tls --server localhost --quit RCPT

ǽϤǫɤǤߤ褦. starttls Ƥ SMTP AuthƤ , ĤޤꡤְŹ沽Ƥѥɤꤹ׽֤ˤʤäƤ뤳Ȥդߤ.
SMTP over TLS Ȥ߹碌ʤǧ(ѥɤΤ)ʿʸǤʤϤȤȤǤ*13.

½

SMTP over TLS/SSL ˤϾ嵭 StartTLS ¾ˤ⤦ҤȤ SMTPS ȸƤФΤꡤ꼡ǤϤưȤǤ.
ǤϡSMTPS ȤϲStartTLS ٤Ƥ/ϲĴ٤.
;Ϥ褦ä鲿긵 MUA starttls б褦ꤷưǧƤߤ.

IMAP/POP ФΥ󥹥ȡ롤

ơ桼Ϥ᡼ MUA ϤΤ˹ȤƤ POP/IMAP ΥФˤĤƤ⿨褦.
ޤȤƤ POP桼ˤȤäƤФؤôΤ˾ȥ١ǤϤʤʤѤʤ IMAPޤ˸.
ǤϡŪʤȤͤ IMAP ФˤĤƳؽƤߤ褦. ʤߤˡPOP Ф IMAP Ф٤ñʤΤǡIMAP ФPOP ФˤĤƤϺʤ.

ơIMAP ФȤƤ courier-imap ȤƤΤǼȤǤ⤳Ѥ褦.
ʤcourier-imap 򥤥󥹥ȡ뤹Ȱ courier-pop ⥤󥹥ȡ뤵ΤǡPOP Ф򥤥󥹥ȡ뤷ȤȤ courier-imap 򤷤Ƥ褤.

courier-imap Υ󥹥ȡ

ơĤΤ褦 ports 쥯󤫤饤󥹥ȡ뤷褦.
imap ФΥ󥹥ȡ courier-authlib(courier-imap ǧڴطȴФmeta ports) Υ󥹥ȡԤäƤ*14.
ĤΤ褦

 portinstall courier-authlib

Ȥ. ǽ˽Ф륪ץ̤Ǥ
courierauth-install.png
Τ褦˾ʤȤ userdb Ǥ. Ȥϥࡼ˿ʤ.

 portinstall courier-imap

Ȥ courier-imap Τ򥤥󥹥ȡ뤹. ǽ˥ץ
courierimap-install.png
Ф뤬¿ʬǥեȤ OpenSSL IPv6 ФƤ. äʤΤǡΤޤ OK Ǥ褤.

Ф餯ԤäƤ(Ĥ¾ɬפʥեȥ򥤥󥹥ȡ뤷Ƥ)󥹥ȡ뤬.
ǤϤꤤĤåФ뤬Ͼʤǡ¼ŪˤϼΤΤǤ.

 In case you use authpam, you should put the following lines
 in your /etc/pam.d/imap
 auth    required    pam_unix.so         try_first_pass
 account required    pam_unix.so         try_first_pass
 session required    pam_permit.so
 
 You will have to run /usr/local/share/courier-imap/mkimapdcert to create
 a self-signed certificate if you want to use imapd-ssl.
 And you will have to copy and edit the *.dist files to *
 in /usr/local/etc/courier-imap.

ϡIMAP ǧˡȤ¾ˡǤ PAM ȤФȤȤȡIMAP over TLS/SSL Ȥݤμǧھκ񤤤Ƥ.
빽פʥåʤΤǡɤФʤ褦ˤ褦.

courier-imap

ơ󥹥ȡ뤬Ѥ /usr/local/etc/authlib ǧڴط꤬/usr/local/etc/courier-imap imap/pop طե֤.

ޤǧڴط褦.
ǧڵΤΤˤĤƤ /usr/local/etc/authlib եѰդƱĤȤʤΤ userdb ǤʤΤפʾ֤Ǥ. ʤΤǤΥǥ쥯ȥǤ뤳ȤϤʤ.

ˡover TLS/SSL ǻȤǧھ(courier-imap Ϥפ).
˺äȾȤϰ㤦ǽΤΤʤΤǡ˺ʤȤʤ.

ˡϴñǡ/usr/local/etc/courier-imap ˥ץȤƤƤ imapd.cnf.dist pop3d.cnf.dist 򥳥ԡ imapd.cnf pop3d.cnf ȤեꡤߤŬԽ.
줫顤

 cd /usr/local/share/courier-imap/
 mkimapdcert
 mkpop3dcert

Ȥȡ/usr/local/share/courier-imap/ imapd.pem, pop3d.pem Ȥǧھ񤬤Ǥ.
ե̾äѹפʤΤǡǾκϤ.

ˡIMAP ΤԤ. /usr/local/etc/courier-imap ǡimapd ȤեԽ*15.
Ūˤϡ

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"

IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN AUTH=LOGIN"

󥫽(̤Թޤ֤Ƥ뤬ơ 1ԤĤʤΤ)Ф褤.
ơǥեͤѤäʬ򸫤в򤷤Ϥ狼. ʤߤܤκǸ AUTH=LOGIN (Ŭ) MS кǤ.

ȡPOP ФȤʤСȤꤢƱͤ pop3d Ȥե2ս

 POP3AUTH="CRAM-MD5 CRAM-SHA1"
 POP3AUTH_TLS="LOGIN PLAIN"

ȽƤФ褤.
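The point of splitting `IMAP_CAPABILITY` from `IMAP_CAPABILITY_TLS` (and `POP3AUTH` from `POP3AUTH_TLS`) is that PLAIN and LOGIN are only advertised once the session is encrypted. The Postfix EHLO output shown earlier still lists PLAIN and LOGIN next to STARTTLS, i.e. before encryption. The check below, an added example that is not part of the page or of Postfix/Courier, parses both banner formats (the sample banners are copied from the page) and reports plaintext mechanisms offered on an unencrypted connection; the function names are my own.

```python
import re

# Mechanisms that carry the password in clear (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Sample banners, taken from the page's telnet/swaks sessions.
POSTFIX_EHLO = """250-(hostname)
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

COURIER_GREETING = ("* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE "
                    "THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA "
                    "AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE "
                    "ACL ACL2=UNION STARTTLS] Courier-IMAP ready.")


def smtp_capabilities(ehlo_text: str) -> tuple:
    """Return (mechanisms, starttls) from an EHLO reply.

    Both '250-AUTH mech...' and the non-standard '250-AUTH=mech...' form
    that broken_sasl_auth_clients=yes adds are accepted.
    """
    mechs, starttls = set(), False
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ](.*)$", line.strip())
        if not m:
            continue
        body = m.group(1)
        if body.upper() == "STARTTLS":
            starttls = True
        elif body.upper().startswith("AUTH"):
            rest = body[4:].lstrip("= ")
            mechs.update(tok.upper() for tok in rest.split())
    return mechs, starttls


def imap_capabilities(greeting: str) -> tuple:
    """Return (mechanisms, starttls) from a Courier/IMAP '[CAPABILITY ...]' greeting."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", greeting)
    if not m:
        return set(), False
    tokens = m.group(1).split()
    mechs = {t[5:].upper() for t in tokens if t.upper().startswith("AUTH=")}
    return mechs, "STARTTLS" in (t.upper() for t in tokens)


def plaintext_before_tls(mechs: set, starttls: bool) -> list:
    """Plaintext mechanisms a client could use without ever encrypting.

    Without STARTTLS on offer every mechanism runs in clear, so the whole
    plaintext set is reported; with STARTTLS offered, anything in the
    pre-TLS list is still usable unencrypted by a careless or downgraded client.
    """
    return sorted(mechs & PLAINTEXT_MECHS)


def audit_smtp(ehlo_text: str) -> list:
    return plaintext_before_tls(*smtp_capabilities(ehlo_text))


def audit_imap(greeting: str) -> list:
    return plaintext_before_tls(*imap_capabilities(greeting))


if __name__ == "__main__":
    print("Postfix, pre-TLS plaintext mechs:", audit_smtp(POSTFIX_EHLO))
    print("Courier, pre-TLS plaintext mechs:", audit_imap(COURIER_GREETING))
```

With the page's Courier settings the IMAP greeting is clean, while the Postfix banner still reports PLAIN and LOGIN. Postfix has its own switch for the same behaviour, `smtpd_tls_auth_only = yes` (a real Postfix parameter, not mentioned on the page), which hides the AUTH capability until after STARTTLS.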

ơȤ IMAP ФεưǤ뤬ϥҥȤʤ.
ʤΤǡcourier-imap 󥹥ȡΥåƤɤȡǸ

 This port has installed the following startup scripts which may cause
 these network services to be started at boot time.
 /usr/local/etc/rc.d/courier-imap-pop3d-ssl.sh
 /usr/local/etc/rc.d/courier-imap-imapd-ssl.sh
 /usr/local/etc/rc.d/courier-imap-imapd.sh
 /usr/local/etc/rc.d/courier-imap-pop3d.sh

ȤΤǡºݤϤΥץȤưԤΤȤȤϤ狼.
ǰΰ٤ /usr/local/etc/rc.d ǥ쥯ȥƤߤȡϳΤˤꡤġ¾ courier-authdaemond Ȥե⤢, ƱͤôȤ¬Ǥ.

ǤΥեΤIMAP Фεư˴Ϣʥץ "courier-authdaemond", "courier-imap-imapd.sh", "courier-imap-imapd-ssl.sh" 3ĤľɤǤߤ褦.
ȡ㤨 courier-imap-imapd.sh ˤ

 # Define these courier_imap_imapd_* variables in one of these files:
 #       /etc/rc.conf
 #       /etc/rc.conf.local
 #       /etc/rc.conf.d/courier_imap_imapd
 #
 # DO NOT CHANGE THESE DEFAULT VALUES HERE
 
 courier_imap_imapd_enable=${courier_imap_imapd_enable-"NO"}

Ƚ񤤤Ƥꡤɤ /etc/rc.conf courier_imap_imapd_enable Ƥ򵭽ҤɤȤȤ¬Ǥ.
Ʊͤ¾ĤΥץȥեˤ⵭Ҥꡤ礹 /etc/rc.conf

 # for IMAP
 courier_authdaemond_enable="YES"
 courier_imap_imapd_enable="YES"
 courier_imap_imapd_ssl_enable="YES"

ʤɤȽ񤭹ΤɤȤȤ¬Ǥ. Ǥ񤭹ߡǰΰ٤˥֡ȤƤ*16.

IMAP ѤΥ桼Ͽ

userdb ǥѥɾȹԤ褦˥󥹥ȡ뤷Τ, IMAP Ѥ˥桼ϿƤʤȤʤ.
Ūˤϼν֤ǺȤԤФ褤.

  1. ޤΥǥ쥯ȥ /usr/local/etc/userdb .
       cd /usr/local/etc
       mkdir userdb
       chmod 700 ./userdb
    ʤɤȤФ褤.
  2. (ѥɰʳ)桼Ͽ
    • /etc/passwd ˡ
      ˥ƥΥ桼Ǥ⤢ʤдñǤ.
      pw2userdb ޥɤѤ
       cd /usr/local/etc/userdb/
       pw2userdb | grep username >> ./users
      ȤФ褤.
    • ˡ.
      userdb ޥɤľܤꤹˡ. 礤.
       userdb "john@example.com" set home=/home/vmail \
       mail=/home/vmail/Maildir-john-example uid=UUU gid=GGG
      ʤɤȤˡ.
  3. ѥɤꤹ.
     cd /usr/local/etc/userdb
     userdbpw -hmac-md5 | userdb users/username set hmac-md5pw
    ȤФ褤. hmac-md5 ȤΤ CRAM-MD5 Ѥ.
    ޤäƤ뤫ɤusers եɤdzǧƤ.
  4. ɲáѹսͭˤ.
     makeuserdb
    ȤФ褤.

ǤϤǾμˤä IMAP ѤΥ桼ϿƤ.

courier-imap ưǧ

SMTP Auth λƱͤˡ2Ĥʸüߥ졼ѰդưǧԤ.

ưǧǤ⤿ĤƤ courier-imap Ф³ڤäƤޤΤǡ;͵Ƥ.
ΤνˤƤ. Ūˤϡ/usr/local/etc/courier-imap/imapd ե

 IMAP_IDLE_TIMEOUT=60

Ȥʬ60ȿʤǡפȤ̣ʤΤǡ 60 Ŭ䤷ƤФ褤.
㤨 180 餤ˤʤ.

ʤΥեԽ courier-imap ФöƺưʤȤʤΤǤƤ.
Ūˤ

 /usr/local/etc/rc.d/courier-imap-imapd.sh stop
 /usr/local/etc/rc.d/courier-imap-imapd.sh start

ȤƤФ褤.

ơǤ SMTP Auth λƱ褦ˤäƤߤ.
Shell-A ǡtelnet localhost 143 Ȥ

 Connected to localhost.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2005 Double Precision, Inc.  See COPYING for distribution information.

ʤɤȸäƤ. ǡ

 a authenticate cram-md5

Ϥ

 + PG5hbmlrYS1pbWFwQHNlcnZlcj4=

ʤɤȥФʸƤ.

ʸ PG5hbmlrYS1pbWFwQHNlcnZlcj4= ФơۤɤƱͤ Shell-B userdb-test-cram-md5 ޥɤȤäʸ.
㤨мΤ褦ˤʤ.

 Username? testuser  IMAP ѤϿ桼̾
 Password? password  IMAP ѤϿѥ
 Send: AUTH CRAM-MD5 (or for imap, A AUTHENTICATE CRAM-MD5)
 Paste the challenge here:
 + PG5hbmlrYS1pbWFwQHNlcnZlcj4=  ʸ
 Send this response:
 dGVzdHVzZXIgYjlkMDA5MzQ4YmVjMzlkNzcwMWU4MWRiZWE3NmZhN2M=

κǸʸ dGVzdHVzZXIgYjlkMDA5MzQ4YmVjMzlkNzcwMWU4MWRiZWE3NmZhN2M= IMAP Ф˽Ф٤ֻˤʤΤǡ Shell-A ǤκȤ³ĥդȤ.

 a OK LOGIN Ok.

ȤʤСIMAP Фǧڤ̤äȤȤˤʤꡤưǧǤȤˤʤ*17.

ʤPOP ФΩ夲ʤƱͤ˥ƥȤǽǤ.
κݤ

 telnet localhost 110
 (Фα)
 capa
 (Фα)
 auth cram-md5
 (ФʸäƤ)
 (бʸѰդơ)
 ʸĥդ

Ȥήˤʤ.

½

ޤǤκȤԤ.
ޤ;͵Ŭ MUA IMAP Ф³Ƥߤ褦.
;͵СIMAP over TLS/SSL ǥФ³Ƥߤ褦.

ݡ

ǡĴ٤פȻؼ줿ˤĤĴԤ𤻤.
ޤޤǤμ½Ԥ𤻤.


*1 פϥꤻȤȤʤƤдְ㤨;Ϥ͡ȤȤ
*2 ܤμȻˤ "You can use sasldb2 ..." ǻϤޤåʬɤʬ
*3 \0 ϥ̥Х
*4 ʤߤˡbase64 󥳡ɤƥȤϡ"mmencode -u" Ǹ᤹ȤǤ.
*5 \0000 ȤʤäƤȤ \0 Ǥ褤Τѥɤ1ʸܤäꤹȤޤʤΤǡǰΰ٤ˤƤ.
*6 㤨 '\0test\0password' mmencode "AHRlc3QAcGFzc3dvcmQ=" Ȥʸ󤬽Ϥ.
*7 ʸüߥ졼˳ФƤޤгڤ
*8 250-AUTH ǻϤޤۤƱԤФƤΤ Microsoft MUA кǤ.
*9 "mmencode -u" ˤȼºݤʸ󤬤狼
*10 ξϤ apache ľʤȤʤ
*11 ϼ07 SSL ιܤ˽񤤤Ƥ
*12 Postfix ˡǶѤäᡤweb ǻȤǤ¿ϴ˸Ťޤ侩ǤʤΤαդ뤳.
*13 դ˸Сover TLS ƤʤʤХͥåȥ𤷤 PlainǧڤȤȴʤȤȤˤʤ
*14 ʤȼ¼Ū˻Ȥʤ.
*15 ⤷ imapd Ȥե뤬ʤСimapd.dist ץʤΤǤ򥳥ԡƺ.
*16 Ѥ˥ڡ줿ꤷʤ褦
*17 Ǥ ^] ȤƤ quit Ȥȴ