Ȼ/09


Authentication systems in general

Authentication is indispensable not just on unix servers but on computers in general.
In particular, the Internet services that concern us here can handle passwords in many different ways, and there are many ways of checking a user name against a password; most software lets you choose among them.
Beginners are easily confused by this, but in practice the structure is simpler than it looks.
On unix, at least, the software involved is layered as in the figure below, so keep that figure in mind while reading the rest of this page.

[Figure: authentication-structure_s.png]

Typical uses of authentication

Using SMTP Auth

SMTP Auth (postfix, cyrus sasl2)

꼫ͳ MTA Ȥ SMTP Auth Ѥ뤳Ȥꤷ褦.
ơޤ postfix 򥤥󥹥ȡ뤷ȤΥˤ smtp auth ˴ؤåƥå.
ʬƷǤȡ

You can use sasldb2 for authentication, to add users use:


saslpasswd2 -c username


If you want to enable SMTP AUTH with the system Sendmail, read

Sendmail.README


NOTE: This port has been compiled with a default pwcheck_method of

auxprop. If you want to authenticate your user by /etc/passwd,

PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and

set sasl_pwcheck_method to saslauthd after installing the

Cyrus-IMAPd 2.X port. You should also check the

/usr/local/lib/sasl2/*.conf files for the correct

pwcheck_method.

ȤʤäƤꡤȤϽ񤤤Ƥʤ.

  • smtp auth ĤʤС桼ѥɤ saslpasswd2 ޥɤɲä
  • port ϥѥɾȹȤ pwcheck_method (ѥեˤȹ)ǽ󶡤뤬¾ξȹˡȤФб port ⥤󥹥ȡ뤻

ȤȤ鷺ˤ狼ΤߤǤ*1.

That is not enough to know how to use it, so let us look a little more carefully.
The primary source is the Postfix site itself, http://www.postfix.org/; its Documentation page has what we need, namely http://www.postfix.org/SASL_README.html.
The first relevant passage there reads:

 Enabling SASL authentication in the Postfix SMTP server

 In order to enable SASL support in the Postfix SMTP server:

 /etc/postfix/main.cf:
     smtpd_sasl_auth_enable = yes

 In order to allow mail relaying by authenticated remote SMTP clients:

 /etc/postfix/main.cf:
     smtpd_recipient_restrictions =
         permit_mynetworks
         permit_sasl_authenticated
         reject_unauth_destination

 To report SASL login names in Received: message headers (Postfix version 2.3 and later):

 /etc/postfix/main.cf:
     smtpd_sasl_authenticated_header = yes

 Note: the SASL login names will be shared with the entire world.

 Older Microsoft SMTP client software implements a non-standard version of the AUTH protocol syntax, and expects that the SMTP server replies to EHLO with "250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". To accommodate such clients (in addition to conformant clients) use the following:

 /etc/postfix/main.cf:
     broken_sasl_auth_clients = yes

Reading this, it is clear enough that the postfix configuration file main.cf is what has to be edited. Roughly, it says four things:

  • to use SASL at all, set smtpd_sasl_auth_enable;
  • to let authenticated remote clients relay mail through you, add permit_sasl_authenticated to the recipient restrictions (before reject_unauth_destination: restrictions are evaluated in order);
  • to record the SASL login name in the Received: headers of each message, set smtpd_sasl_authenticated_header;
  • to accommodate old Microsoft mail clients with their non-standard AUTH syntax, set broken_sasl_auth_clients.

None of these causes trouble for the exercise, so follow them as they are. Note, though, what the documentation says about the third item: the login name ends up in the headers of every message sent through the server, visible to every recipient. That is acceptable here, but on a real server decide deliberately whether you want that.

Note: so, following these instructions, configure main.cf; concretely, add the four settings above. Putting them together at the end of main.cf is fine.
The path /etc/postfix in the documentation is /usr/local/etc/postfix on FreeBSD (the port installs there), so translate accordingly.
Warning: "smtp" and "smtpd" (with a trailing "d") mean different things: smtpd_* parameters apply to the server that receives mail, smtp_* to the client that delivers it. If you type the lines rather than copy-and-paste them, watch for this.

Reading further in the same document, the part starting with "Cyrus SASL configuration for the Postfix SMTP server" also applies to us.
What exactly applies depends on the versions, postfix (2.5.5,1) and cyrus sasl (2.1.22_2) here; the relevant parts, excerpted, are as follows.

First:

 Cyrus SASL configuration for the Postfix SMTP server

 You need to configure how the Cyrus SASL library should authenticate a remote SMTP client's username and password. These settings must be stored in a separate configuration file.

 The name of the configuration file (default: smtpd.conf) will be constructed from a value that the Postfix SMTP server sends to the Cyrus SASL library, which adds the suffix .conf. The value is configured using one of the following variables:

 /etc/postfix/main.cf:
     smtpd_sasl_path = smtpd

 Cyrus SASL searches for the configuration file in /usr/local/lib/sasl2/.

 Note: some Postfix distributions are modified and look for the smtpd.conf file in /etc/postfix/sasl.

 Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.

So the cyrus sasl2 configuration file is /usr/local/lib/sasl2/smtpd.conf, and to make postfix use it one line has to be added to the postfix configuration file.
Note: following the instructions above, add that line (smtpd_sasl_path = smtpd) to main.cf.

The document then goes on to the password checking methods.

 * To authenticate against the UNIX password database, use: ... This is for checking against the system password file; we are not doing that, so it is omitted here.

 * To authenticate against Cyrus SASL's own password database: This is the one we use. It reads:

 /usr/local/lib/sasl2/smtpd.conf:
     pwcheck_method: auxprop
     auxprop_plugin: sasldb
     mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Note: so edit smtpd.conf accordingly (you will most likely be creating it from scratch).
Warning: these values appear to be the defaults, so things may work even without smtpd.conf, but create it explicitly so that later work has something definite to build on.

Continuing:

 This will use the Cyrus SASL password file (default: /etc/sasldb2), which is maintained with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On some poorly-supported systems the saslpasswd command needs to be run multiple times before it stops complaining. The Postfix SMTP server needs read access to the sasldb file - you may have to play games with group access permissions. With the OTP authentication mechanism, the Postfix SMTP server also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back end SQL database, if used).

 IMPORTANT: To get sasldb running, make sure that you set the SASL domain (realm) to a fully qualified domain name.

 EXAMPLE:

 % saslpasswd2 -c -u `postconf -h myhostname` exampleuser

 You can find out SASL's idea about the realms of the users in sasldb with sasldblistusers2.

In other words, when registering a user's password the realm (think of it as the domain within which the password is valid) must be given explicitly, and it must match what Postfix will use.

Note: following this, register the user name and password for smtp auth (replace "exampleuser" at the end with the user name). Remember the point about read access: the sasldb file is written by root, and the Postfix SMTP server, which runs unprivileged, must be able to read it. If authentication fails later, check that file's group and mode before anything else.

Note: once registered, check with the sasldblistusers2 command. If it prints

 registered-username@hostname userPassword

the user is registered.

Further on:

 On the Postfix side, you can have only one realm per smtpd(8) instance, and only the users belonging to that realm would be able to authenticate. The Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd(8):

 /etc/postfix/main.cf:
     smtpd_sasl_local_domain = $myhostname

So Postfix, too, has to be told the realm, and it must be the same one given to saslpasswd2 -u above.
Note: following the instructions above, add this line to main.cf.
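Put together, the Postfix and Cyrus SASL settings accumulated so far look like this. This is an added example assembling the lines quoted above with the FreeBSD paths; it is not a file from the original page, and the comments are the editor's.

```conf
# /usr/local/etc/postfix/main.cf  (the FreeBSD port's location; /etc/postfix elsewhere)
# Postfix only recognises "#" at the start of a line, so keep comments on their own lines.
smtpd_sasl_auth_enable = yes
# must match the Cyrus SASL file name /usr/local/lib/sasl2/smtpd.conf (minus .conf)
smtpd_sasl_path = smtpd
# the realm; must equal the -u argument given to saslpasswd2 when registering users
smtpd_sasl_local_domain = $myhostname
# puts the login name into every Received: header, visible to all recipients
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
# restrictions are evaluated in order: local nets, then authenticated users, then reject
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# /usr/local/lib/sasl2/smtpd.conf  (Cyrus SASL; a new file)
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
```

Register a user with the saslpasswd2 line from the documentation above, confirm with sasldblistusers2 that it carries the same realm as $myhostname, check that the sasldb file is readable by the user Postfix's smtpd runs as, and restart postfix.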

There is also this warning:

 IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL library implements, such as DIGEST-MD5. As a result, if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck or saslauthd are used, authentication will fail. Thus you may need to limit the list of mechanisms advertised by the Postfix SMTP server.

 * With Cyrus SASL version 2.1.x or later the mech_list variable can specify a list of authentication mechanisms that Cyrus SASL may offer:

 /usr/local/lib/sasl2/smtpd.conf:
     mech_list: plain login

 For the same reasons you might want to limit the list of plugins used for authentication.

 /usr/local/lib/sasl2/smtpd.conf:
     pwcheck_method: auxprop
     auxprop_plugin: sql

This is about which ways of transmitting the password are compatible with which way of checking it: a challenge-response mechanism such as CRAM-MD5 or DIGEST-MD5 can only be verified when the server holds the password itself (sasldb does; saslauthd, which merely gets a yes/no answer from PAM or /etc/passwd, does not), so the advertised mechanisms must be restricted to what the back end can verify. With auxprop/sasldb as configured above it does not apply to us.

And finally:

 To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

The point is clear enough; it would be a nuisance, so we ignore it for now.
Warning: FreeBSD has jail, which can be thought of as a stronger form of chroot. If you do not know what chroot and jail are, look them up.

Checking that SMTP Auth works

Install the mmencode command first; it is used below.
As usual, refresh the ports collection and then portinstall:

 portsnap fetch
 portsnap update
 portinstall mmencode

Now let us try the procedure for real.

There are several authentication mechanisms available for an SMTP Auth session, and the client is free to choose among them.
With the configuration above, LOGIN, PLAIN, DIGEST-MD5 and CRAM-MD5 should be on offer.
(Apparently NTLM, GSSAPI and others can be made available as well.)

Of these, let us try PLAIN and CRAM-MD5.
PLAIN is simple and convenient but sends the password without any protection; think of CRAM-MD5 as the opposite.

SMTP Auth check: PLAIN authentication

PLAIN is the simplest mechanism: the client hands the server the string "\0username\0password"*2, base64-encoded, as the argument of the SMTP AUTH command. (The leading \0 is an empty authorization identity; the second \0 separates the user name from the password.)
Warning: base64 is not encryption; it is merely a transformation*3 that makes arbitrary bytes convenient for computers to handle, and it adds no security whatsoever. In other words, never show anyone the base64 encoding of your password (the output of the mmencode command below): it is your password.

Note: before connecting, prepare the string you will need. On the command line,

 printf '\0000username\0000password' | mmencode

does it*4.
The user name and password are the ones registered for SMTP Auth with saslpasswd2 earlier.

This prints '\0username\0password' encoded in base64; keep it somewhere*5.
For example, '\0test\0password' through mmencode gives "AHRlc3QAcGFzc3dvcmQ=".

Note: now connect to your MTA as usual with telnet localhost 25.
Send "EHLO localhost" as before; the reply should now show that SMTP AUTH is available, like this (the two almost identical lines starting with 250-AUTH are there for the Microsoft clients mentioned above):

 250-hostname
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

Now try PLAIN authentication. Type

 AUTH PLAIN <the base64 string produced above>

and that is all there is to PLAIN. If the server answers with a "success" message such as

 235 2.7.0 Authentication successful

the authentication went through. Leave the session as before with ^] and quit.

If it does not work, go back over the steps so far carefully.

SMTP Auth check: CRAM-MD5 authentication

CRAM-MD5 differs from PLAIN in that the password itself never crosses the wire, so unlike PLAIN it survives an eavesdropper on the network.
Concretely: on connecting, the server sends an arbitrary string (the challenge); the client computes an hmac-md5 of that string keyed with the password, joins the result to the user name, base64-encodes it and sends it back; the server does the same computation with the password it has stored, and if the two digests agree the authentication succeeds. Note what this implies: the digest is not an encrypted password, and the server must hold the password (or an hmac-md5 state derived from it) in a form it can recompute from, which is why sasldb rather than the one-way hashed /etc/passwd is used here. A fresh challenge each time is what prevents a captured response from being replayed.

Doing this by hand is tedious, but a script for testing CRAM-MD5 exists, "userdb-test-cram-md5"; install it and use it.
The script is installed with courier-imap, described later, so that installation has to be done first.
Warning: so, before reading on, jump ahead to the courier-imap installation and do it. Configuring courier-imap is not needed yet.

Two or more consoles make the following work easier, so arrange two terminal emulators under X or similar.
Even with a single console, copy (select) and paste (middle click) with the mouse usually works, so try that.

From here on, assume two terminal emulators, called Shell-A and Shell-B.

Note: first, in Shell-A, telnet localhost 25 and send EHLO localhost, reaching the same reply as before:

 250-hostname
 250-PIPELINING
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

Then type

 auth cram-md5

The server replies with something like

 334 PG5hbmlrYW5vLXNlcnZlcj4=

PG5hbmlrYW5vLXNlcnZlcj4= is the challenge the server sent, base64-encoded*6; compute the hmac-md5 of it keyed with the user's password, join the user name, base64-encode and send it back. That sounds laborious in prose, but the command below does it all.

Concretely, in Shell-B run userdb-test-cram-md5 and answer as follows:

 Username? testuser                  <- the user name (the one used for SMTP Auth)
 Password? password                  <- the password (the one used for SMTP Auth)
 Send: AUTH CRAM-MD5 (or for imap, A AUTHENTICATE CRAM-MD5)
 Paste the challenge here:
 + PG5hbmlrYW5vLXNlcnZlcj4=           <- the string the server sent in Shell-A
 Send this response:
 dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI=   <- the string to send back

and the last line is the response to send.

Type that string (here dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI=) into the session in Shell-A.
If the authentication goes through,

 235 2.7.0 Authentication successful

or a similar "success" message comes back, and you are done. Leave the session as before with ^] and quit.

If it does not work, go back over the steps so far carefully.

Using SMTP over TLS

SMTP over TLS

To use TLS you need a key and a certificate.
You could move the key and certificate created for the web server out of /etc/ssl (the exact names differ) and reuse them*7.

Here, instead, we create a new pair (the same procedure as for the web server; see the TLS/SSL section there) and put it in /usr/local/etc/postfix, naming the files postfix.key (the key) and postfix.crt (the certificate).
The key must not be readable by anyone else, so restrict it with chmod right after creating it.
Note: do the following.

 cd /usr/local/etc/postfix
 openssl genrsa -out postfix.key 1024
 openssl req -new -x509 -days 365 -key postfix.key -out postfix.crt

Answer the subsequent questions as before.
Then

 chmod 400 postfix.key
 chmod 400 postfix.crt

(The certificate is public and does not need protecting, but the key must be readable by root only; Postfix loads it during start-up while still root, so the root-only mode is exactly what its documentation asks for.) A 1024-bit RSA key was normal when this page was written; anything you set up now should use at least 2048 bits (openssl genrsa -out postfix.key 2048).

Postfix itself is configured by reading the project's documentation, http://www.postfix.org/TLS_README.html, and making your own decisions.
Server-side and client-side settings, and the question of whether to authenticate the peer, make it somewhat confusing, so here is a working configuration.
Note: add to /usr/local/etc/postfix/main.cf:

 smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.crt
 smtpd_tls_key_file = /usr/local/etc/postfix/postfix.key
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_security_level = may

 smtp_tls_loglevel = 1
 smtp_tls_security_level = may
 smtp_tls_note_starttls_offer = yes

This only encrypts the connection (security level may: TLS is offered and used when the other side supports it, otherwise the session stays in the clear); anyone who wants to go as far as authenticating the peer should read the documentation properly.
Warning: not only for Postfix, much of the configuration found on the web is outdated and no longer recommended because of changes in recent years, so be careful what you copy.
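The same TLS section of main.cf, with the gap that "may" leaves open closed. This is an added example, not the page's configuration: the smtpd_tls_auth_only and smtpd_sasl_*_security_options lines are standard Postfix parameters that do not appear on the original page, and the comments are the editor's.

```conf
# /usr/local/etc/postfix/main.cf, TLS and SASL policy
smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.crt
smtpd_tls_key_file = /usr/local/etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# "may": offer STARTTLS, but still serve clients that never ask for it
smtpd_tls_security_level = may

# With "may" alone a client can still send AUTH PLAIN on the unencrypted session.
# Do not advertise AUTH at all until TLS is up ...
smtpd_tls_auth_only = yes
# ... and, as a second line of defence, refuse plaintext mechanisms outside TLS
smtpd_sasl_security_options = noanonymous, noplaintext
# inside TLS, PLAIN and LOGIN are acceptable (the default would inherit the line above)
smtpd_sasl_tls_security_options = noanonymous

# outbound (client) side unchanged
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
```

With these lines in place a plain telnet localhost 25 session no longer shows any 250-AUTH line after EHLO, and the plaintext swaks tests later on this page must be run with -tls added; that is the intended effect, since a password that is only ever sent after STARTTLS is the whole point of combining the two.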

After editing, stop postfix and start it again.

 /usr/local/etc/rc.d/postfix stop
 /usr/local/etc/rc.d/postfix start

Watch for errors or warnings at restart (and in the mail log).

Checking that SMTP over TLS works

Note: check with telnet localhost 25.
EHLO localhost as before gives

 250-hostname
 250-SIZE 10240000
 250-VRFY
 250-ETRN
 250-STARTTLS                 <- this shows TLS/SSL is supported
 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN

If "250-STARTTLS" is in the list, the server is at least offering TLS.
Leave the session as before with ^] and quit.

If the line is missing, something is wrong; go back over the steps so far.

Note: now let us bring in a handy tool for checking SMTP behaviour; it makes the remaining checks much easier.
It is swaks (Swiss Army Knife SMTP), which automates the telnet localhost 25 sequences we have been typing by hand.

Install it as usual:

 portinstall swaks

An options screen (swaks-install.png) appears during installation; turn on at least "MX lookup support" and "TLS support" before proceeding.
NTLM is not needed here and can stay off.
Later on, the dependency p5-Net-SSLeay may ask whether to run its tests during installation; leave it at "n" and continue.
Then wait for the installation to finish.

swaks --help prints its manual; read it, but first let us redo the tests so far with it.

Note: first simply check that the MTA is running:

 swaks --server localhost

It asks for the address to send the test mail to; answer with your own account name.

The exchange is printed with both directions marked (-> sent, <- received):

 === Trying localhost:25...
 === Connected to localhost.
 <- 220 hostname ESMTP Postfix
 -> EHLO freebsd7
 <- 250-hostname
 <- 250-PIPELINING
 <- 250-SIZE 10240000
 <- 250-VRFY
 <- 250-ETRN
 <- 250-STARTTLS
 <- 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 <- 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
 <- 250-ENHANCEDSTATUSCODES
 <- 250-8BITMIME
 <- 250 DSN
 -> MAIL FROM:<sender>
 <- 250 2.1.0 Ok
 -> RCPT TO:<username>
 <- 250 2.1.5 Ok
 -> DATA
 <- 354 End data with <CR><LF>.<CR><LF>
 -> Date: Tue, 16 Dec 2008 20:17:54 +0900
 -> To: username
 -> From: sender
 -> Subject: test Tue, 16 Dec 2008 20:17:54 +0900
 -> X-Mailer: swaks v20061116.0 jetmore.org/john/code/#swaks
 ->
 -> This is a test mailing
 ->
 -> .
 <- 250 2.0.0 Ok: queued as B56D41D19C
 -> QUIT
 <- 221 2.0.0 Bye
 === Connection closed with remote host.

swaks talks to the MTA and prints the whole exchange clearly.
Since a test mail was actually sent, it should have arrived in Maildir/new under your home directory; check that it did.

Next, try SMTP Auth with PLAIN.
The mail no longer needs to arrive, so let us only check the authentication without sending mail. For that:

 swaks --auth PLAIN --server localhost --quit RCPT

It first asks for the (not actually sent) test mail's recipient, then for the user name and password needed for SMTP Auth; answer them.
Then, further down in the output,

 (omitted)
 -> AUTH PLAIN <base64 of the credentials>
 <- 235 2.7.0 Authentication successful
 (omitted)

confirms that SMTP Auth with PLAIN worked.

Next, SMTP Auth with CRAM-MD5:

 swaks --auth CRAM-MD5 --server localhost --quit RCPT

The questions are the same as above. Further down in the output,

 (omitted)
 -> AUTH CRAM-MD5
 <- 334 PDI3NTg4NzIyNTMuNDY4OTgzOUBGcmVlQlNENy5jYXMuY21jLm9zYWthLXUuYWMuanA+
 -> cGFvb24gMTgyODJmNzRhNjZhOWMwY2FjN2YzZTliNDQ2NzQ3Y2Y=
 <- 235 2.7.0 Authentication successful
 (omitted)

confirms that SMTP Auth with CRAM-MD5 worked. (swaks did the challenge-response computation for you; the challenge, and therefore the response, differ on every run.)

Now the main event, SMTP over TLS. By this point the test is easy:

 swaks -tls --server localhost

Let it actually send the test mail this time.
Run it, and if the swaks output contains

 (omitted)
 -> STARTTLS
 <- 220 2.0.0 Ready to start TLS
 === TLS started w/ cipher DHE-RSA-AES256-SHA
 (omitted)

the TLS-protected exchange is working.
Also check that the mail actually arrived in Maildir/new, and that its headers contain

 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

which is what smtpd_tls_received_header = yes records.

Finally, combine SMTP Auth with SMTP over TLS. Any of the SMTP Auth mechanisms will do; this time do not specify one, for example (swaks picks the mechanism itself):

 swaks --auth -tls --server localhost --quit RCPT

Read the output carefully.
Warning: notice the order: STARTTLS first, then SMTP Auth, that is, "send the password over the encrypted channel".
Combined with SMTP over TLS, the authentication (the password exchange) is no longer in the clear either.
Conversely, without TLS, PLAIN authentication is an open book to anyone sniffing the network. Note also that with smtpd_tls_security_level = may the decision is the client's: a client that does not ask for STARTTLS can still send AUTH PLAIN in the clear, and the server as configured above will accept it.

Note: if you have time left, configure your own MUA for starttls and check that it works.

Using IMAP/POP

Users read their mail with an MUA, which needs a POP or IMAP server, so let us look at those too.
POP is no longer the mainstream choice for users; IMAP, which keeps the mail on the server, is now more common.
So here we study an IMAP server, as the typical case. A POP server is simpler than an IMAP server, so once you can build the latter the former is no problem.

courier-imap is the IMAP server used here, so use it in your own setup as well.
Installing courier-imap also installs courier-pop, so choose courier-imap even if what you want is a POP server.

Installing courier-imap

Note: install from the ports collection as usual.
Before the imap server itself, install courier-authlib (the meta port carrying the authentication part of courier-imap; without it the server is unusable in practice).
As usual:

 portsnap fetch
 portsnap update
 portinstall courier-authlib

Other tools it needs are installed along with it, so this takes a while.
On the options screen shown at the start of the courier-authlib installation (courierauth-install.png), "Userdb support" is all we need; leave the rest at the defaults.

 portinstall courier-imap

installs courier-imap itself. An options screen (courierimap-install.png) appears first, probably with IPv6 selected by default.
We do not use IPv6, so turn it off; select "Userdb support" as before and continue.
After a while the installation finishes.

Now, as usual, look for the logs of the software just installed under /var/log/ports and pull out the messages; you find

(from security::courier-authlib-base.log)

 configure: WARNING: -----------------------------------------------------
 configure: WARNING: expect not found - will not be able to change passwds
 configure: WARNING: in webmail
 configure: WARNING: -----------------------------------------------------
 Added group "courier".
 Added user "courier".
 This port has installed the following files which may act as network
 servers and may therefore pose a remote security risk to the system.
 /usr/local/libexec/courier-authlib/authdaemond

 This port has installed the following startup scripts which may cause
 these network services to be started at boot time.
 /usr/local/etc/rc.d/courier-authdaemond

 If there are vulnerabilities in these programs there may be a security
 risk to the system. FreeBSD makes no guarantee about the security of
 ports included in the Ports Collection. Please type 'make deinstall'
 to deinstall the port if this is a concern.

 For more information, and contact details about the security
 status of this software, see the following webpage:
 http://www.Courier-MTA.org/authlib/

(from mail::courier-imap.log)

 In case you use authpam, you should put the following lines
 in your /etc/pam.d/imap
 auth required pam_unix.so try_first_pass
 account required pam_unix.so try_first_pass
 session required pam_permit.so

 You will have to run /usr/local/share/courier-imap/mkimapdcert to create
 a self-signed certificate if you want to use imapd-ssl.
 And you will have to copy and edit the *.dist files to *
 in /usr/local/etc/courier-imap.
 This port has installed the following files which may act as network
 servers and may therefore pose a remote security risk to the system.
 /usr/local/libexec/courier-imap/couriertcpd
 /usr/local/bin/couriertls

 This port has installed the following startup scripts which may cause
 these network services to be started at boot time.
 /usr/local/etc/rc.d/courier-imap-imapd
 /usr/local/etc/rc.d/courier-imap-pop3d
 /usr/local/etc/rc.d/courier-imap-pop3d-ssl
 /usr/local/etc/rc.d/courier-imap-imapd-ssl

 If there are vulnerabilities in these programs there may be a security
 risk to the system. FreeBSD makes no guarantee about the security of
 ports included in the Ports Collection. Please type 'make deinstall'
 to deinstall the port if this is a concern.

 For more information, and contact details about the security
 status of this software, see the following webpage:
 http://www.courier-mta.org/imap/

The first message (the warning about expect) can be ignored.
The configuration part of the second is important; details follow.

Warning: if you came here from the middle of the SMTP Auth section just to install courier-imap, go back there now.

Configuring courier-imap

After installation, the authentication configuration is in /usr/local/etc/authlib and the imap/pop configuration files are in /usr/local/etc/courier-imap.

Start with authentication.
Files for the authentication mechanism itself are provided in /usr/local/etc/authlib, but since we use userdb they can be left as they are.

Note: next, create the certificate used for IMAP/POP over TLS/SSL (courier-imap needs its own).
It must be in a different format from the key and certificate made earlier (a single .pem file holding both), so make a new one (conversion would also be possible).
This is easy: in /usr/local/etc/courier-imap, copy the samples imapd.cnf.dist and pop3d.cnf.dist to imapd.cnf and pop3d.cnf, and edit the part under [ req_dn ] to suit your server.
Concretely:

 cd /usr/local/etc/courier-imap
 cp imapd.cnf.dist imapd.cnf
 cp pop3d.cnf.dist pop3d.cnf
 chmod u+w *.cnf
 emacs imapd.cnf
 emacs pop3d.cnf

Then

 cd /usr/local/share/courier-imap/
 ./mkimapdcert
 ./mkpop3dcert

creates the certificates imapd.pem and pop3d.pem in /usr/local/share/courier-imap/.
The file names need no change, so the certificates are done. (If you need to regenerate one, remove the old .pem first; the scripts do not overwrite an existing file.)

Next, configure IMAP itself.
Warning: as usual, back up the file first.
Edit the file imapd in /usr/local/etc/courier-imap and adjust the entries "IMAP_CAPABILITY" and "IMAP_CAPABILITY_TLS" to the authentication we use.
Concretely:

 IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"

 IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN AUTH=LOGIN"

(each is a single line, even if it wraps on screen).
Compare with the default values to see what changed: the plaintext mechanisms PLAIN and LOGIN are advertised only on a TLS-protected session, while the challenge-response mechanisms are available on both. The trailing AUTH=LOGIN is a (rough) concession to MS clients.

If you also use the POP server, make the corresponding two changes in the file pop3d (back it up before editing):

 POP3AUTH="CRAM-MD5 CRAM-SHA1"

 POP3AUTH_TLS="LOGIN PLAIN"

Now to start the IMAP server, about which there is surprisingly little information anywhere.
The courier-imap install message quoted above ends with

 This port has installed the following startup scripts which may cause
 (omitted)

so evidently these scripts are what starts it.
Looking in /usr/local/etc/rc.d confirms they are there, and there is also a courier-authdaemond, presumably related in the same way.

So read the three scripts relevant to starting the IMAP server, "courier-authdaemond", "courier-imap-imapd" and "courier-imap-imapd-ssl", directly.
courier-imap-imapd, for example, says

 # Define these courier_imap_imapd_* variables in one of these files:
 # /etc/rc.conf
 # /etc/rc.conf.local
 # /etc/rc.conf.d/courier_imap_imapd
 #
 # DO NOT CHANGE THESE DEFAULT VALUES HERE

 courier_imap_imapd_enable=${courier_imap_imapd_enable-"NO"}

so apparently an entry courier_imap_imapd_enable has to be written in /etc/rc.conf.
The other two scripts say the same about their own variables, so all together /etc/rc.conf gets

 # for IMAP
 courier_authdaemond_enable="YES"
 courier_imap_imapd_enable="YES"
 courier_imap_imapd_ssl_enable="YES"

Note: write these in and, to be safe, reboot. (A reboot is not strictly necessary: running the three rc.d scripts with start does the same, and is how you will restart the daemons after configuration changes anyway.)
Then confirm with lsof or similar that imapd is running, for example

 lsof -i4 | grep -i imap

and look at the output. On FreeBSD, sockstat -4l | grep imap from the base system does the same without installing lsof.

If imapd is not running, go over the configuration again.

Registering users for IMAP

Since we installed with userdb as the password back end, users have to be registered in it for IMAP.
Note: concretely, work through the following steps.
For details see http://www.courier-mta.org/FAQ.html and the like.

  1. Create the configuration directory /usr/local/etc/userdb:
       cd /usr/local/etc
       mkdir userdb
       chmod 700 ./userdb
  2. Register the user's information (everything except the password). Two ways:
     • From /etc/passwd. Easy if the user already exists on the system; this is what we do.
       Using the pw2userdb command:
        cd /usr/local/etc/userdb/
        pw2userdb | grep '^username[[:space:]]' >> ./users
       (the user name is the first field of each line pw2userdb prints, so anchor the pattern; a bare grep username would also match any other user whose name contains it).
     • By hand, specifying the entry directly with the userdb command; not used here:
        userdb "john@example.com" set home=/home/vmail \
          mail=/home/vmail/Maildir-john-example uid=UUU gid=GGG
  3. Set the password:
       cd /usr/local/etc/userdb
       userdbpw -hmac-md5 | userdb users/username set hmac-md5pw
     The -hmac-md5 is for CRAM-MD5: rather than the password itself, the precomputed hmac-md5 state the server needs to answer a CRAM-MD5 challenge is stored. Read the users file to confirm it worked.
  4. Activate the additions and changes:
       makeuserdb

The IMAP user is now registered.

Warning: these steps are fairly easy to get wrong, and tedious.
When actually running courier-imap, install courierpasswd from ports and use that instead.

Checking that courier-imap works

As with SMTP Auth, use two terminal emulators for the check.

courier-imap drops the connection if you dawdle during the check, so give yourself some slack.
Note: to prepare for that, in /usr/local/etc/courier-imap/imapd the line

 IMAP_IDLE_TIMEOUT=60

means "disconnect after 60 seconds without a response"; raise the 60 somewhat, to 180 say.

After editing the configuration file, courier-imap has to be stopped and started again:

 /usr/local/etc/rc.d/courier-imap-imapd stop
 /usr/local/etc/rc.d/courier-imap-imapd start

Note: now test as with SMTP Auth.
In Shell-A, telnet localhost 143 gives

 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.

(AUTH=PLAIN is absent, as configured: this is not a TLS session). Type

 a authenticate cram-md5

and the server sends a challenge such as

 + PG5hbmlrYS1pbWFwQHNlcnZlcj4=

For this string, PG5hbmlrYS1pbWFwQHNlcnZlcj4=, build the response in Shell-B with the userdb-test-cram-md5 command as before, for example:

 Username? testuser                   <- the user name registered for IMAP
 Password? password                   <- the password registered for IMAP
 Send: AUTH CRAM-MD5 (or for imap, A AUTHENTICATE CRAM-MD5)
 Paste the challenge here:
 + PG5hbmlrYS1pbWFwQHNlcnZlcj4=        <- paste the challenge
 Send this response:
 dGVzdHVzZXIgYjlkMDA5MzQ4YmVjMzlkNzcwMWU4MWRiZWE3NmZhN2M=   <- the result

The final string, dGVzdHVzZXIgYjlkMDA5MzQ4YmVjMzlkNzcwMWU4MWRiZWE3NmZhN2M=, is the reply to send to the IMAP server, so paste it into the session in Shell-A.
If you get

 a OK LOGIN Ok.

the IMAP server accepted the authentication and the check is complete*8.

If you also started the POP server, it can be tested the same way:

 telnet localhost 110

gives

 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 +OK Hello there.

Type

 capa

and the server answers

 SASL CRAM-MD5 CRAM-SHA
 STLS
 TOP
 USER
 LOGIN-DELAY 10
 PIPELINING
 UIDL
 IMPLEMENTATION Courier Mail Server
 .

Type

 auth cram-md5

and the server sends a challenge such as

 + PG5hbmlrYS1pbWFwQHNlcnZlcj4=

Paste the string produced by userdb-test-cram-md5, and

 +OK logged in.

shows the authentication went through.
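Client and server halves of the two mechanisms exercised on this page, for readers who want to see what userdb-test-cram-md5 and swaks compute. This is added example code, not from the original page nor from the Cyrus SASL or Courier projects; the challenge is the sample value shown in the SMTP CRAM-MD5 section above (it decodes to <nanikano-server>) and the user table is a constructed stand-in for sasldb2 or userdb. It serves the SMTP PLAIN and CRAM-MD5 checks as well as the IMAP and POP3 CRAM-MD5 checks, which differ only in how the command lines are framed.

```python
import base64
import hashlib
import hmac


def sasl_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN credential: base64("authzid" NUL "authcid" NUL "password").

    The empty authzid is what the page's printf '\\0000user\\0000pass' produces.
    base64 is an encoding, not encryption: whoever sees the token has the password.
    """
    raw = b"\0".join(s.encode() for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_challenge(challenge_b64: str) -> str:
    """What the server's 334 / "+" line contains (the page's "mmencode -u")."""
    return base64.b64decode(challenge_b64).decode("ascii")


def cram_md5_digest(password: str, challenge_b64: str) -> str:
    """HMAC-MD5 of the decoded challenge keyed with the password, as 32 hex digits."""
    challenge = base64.b64decode(challenge_b64)
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): base64("user SP hexdigest").

    Only the keyed digest crosses the wire; the password itself never does.
    """
    line = f"{username} {cram_md5_digest(password, challenge_b64)}"
    return base64.b64encode(line.encode()).decode("ascii")


def cram_md5_verify(lookup_password, challenge_b64: str, response_b64: str) -> bool:
    """Server side: recompute the digest from the stored secret and compare.

    lookup_password(user) returns the stored password or None. The server needs
    the password (or an HMAC-MD5 state derived from it, which is what
    userdbpw -hmac-md5 stores); a one-way hash as in /etc/passwd is not enough,
    and that is why sasldb / userdb are used on this page.
    """
    try:
        user, sent = base64.b64decode(response_b64, validate=True).decode("ascii").split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False
    password = lookup_password(user)
    if password is None:
        return False
    expected = cram_md5_digest(password, challenge_b64)
    # constant-time compare: an early-exit == would leak how many bytes matched
    return hmac.compare_digest(expected, sent)


def client_lines(protocol: str, username: str, password: str, challenge_b64: str = None) -> list:
    """The lines the client sends, for the three servers on this page.

    SMTP and POP3 use "AUTH <mech>"; IMAP prefixes a tag and says AUTHENTICATE.
    Without a challenge the mechanism is PLAIN, otherwise CRAM-MD5.
    """
    if challenge_b64 is None:
        token = sasl_plain_token(username, password)
        if protocol == "smtp":          # Postfix accepts the credential on the AUTH line
            return [f"AUTH PLAIN {token}"]
        if protocol == "imap":
            return ["a AUTHENTICATE PLAIN", token]   # token goes after the server's "+"
        return ["AUTH PLAIN", token]
    response = cram_md5_response(username, password, challenge_b64)
    first = "a AUTHENTICATE CRAM-MD5" if protocol == "imap" else "AUTH CRAM-MD5"
    return [first, response]            # response goes after the server's 334 / "+" line


# Constructed sample data: the challenge shown on this page, and a user table
# standing in for sasldb2 (Postfix) or userdb (Courier).
CHALLENGE = "PG5hbmlrYW5vLXNlcnZlcj4="
USERS = {"testuser": "password"}

if __name__ == "__main__":
    print(sasl_plain_token("test", "password"))          # the page's AHRlc3QAcGFzc3dvcmQ=
    resp = cram_md5_response("testuser", "password", CHALLENGE)
    print(decode_challenge(CHALLENGE), resp)
    print("verified:", cram_md5_verify(USERS.get, CHALLENGE, resp))
    print("replayed against a new challenge:",
          cram_md5_verify(USERS.get, base64.b64encode(b"<other>").decode(), resp))
```

The last line is the property that makes CRAM-MD5 worth the trouble: a response captured from one session is useless against the next challenge, whereas a captured PLAIN token is the password.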

Note: if you have time, connect to the IMAP server with an MUA of your choice.
With more time still, connect to it with IMAP over TLS/SSL.

Report

Report what you found out about the items you were told to look up.
Also report what you did.
Do not forget to write

  1. department
  2. student number
  3. year
  4. name
  5. this week's report (the emphasis is on reporting what you did)

about Icons

Some icons in this page are downloadable at ICONFINDER.
The "note" icon designed by Marco Martin is distributed with the LGPL licence
and the "warning" icon designed by Alexandre Moore with the GPL licence.


*1 For what it is worth, the saslpasswd2 manual page reveals that there is also a sasldblistusers2 command; that is about all.
*2 \0 is the NUL byte.
*3 base64-encoded text is turned back into the original with "mmencode -u".
*4 Where it says \0000, a plain \0 would also work, but if the user name or password happened to start with a digit that digit would be swallowed into the octal escape, so the full form is used to be safe.
*5 Easiest is to leave it displayed in a terminal emulator.
*6 "mmencode -u" shows the actual string.
*7 In that case the apache configuration probably has to be fixed as well.
*8 Leave as before with ^] and quit.