Ȼ/09

Top / Ȼ / 09

ǧڥƥˤĤưŪ

unix Ф˸¤餺ԥ塼̤ˡǧڡפȤȤߤԲķǤ.
ŪˡΰǤ륤󥿡ͥåȾѥɤɤΤ褦ˤȤꤹ뤫ѥɤȥ桼̾ʤɤξȹɤΤ褦˹ԤΤˤĤ͡ˡꡤ٤褦ˤʤäƤΤ¿.
Τ˽ؼԤˤϺ𤬤뤫ȻפºݤϤ󥫽Ȥޤʬʬ䤹.
ºݡޤˤϡunix ǤΥեȥ̾ϰʲοޤΤ褦ʹ¤򤷤ƤΤǡιޤƬˤưʲäɤФ狼.

authentication-structure_s.png

ǧڤΰŪʻȤ

SMTP Auth Ȥ

SMTP Auth ȤĤν

꼫ͳ MTA Ȥ SMTP Auth Ѥ뤳Ȥꤷ褦.
ơޤ postfix smtp auth ȤȤƤ cyrus-sasl2 Ǥ뤬ǽ餫饤󥹥ȡ뤵ƤΤϾŤ(2.3.1)С󥢥åפƤ(2.3.1_1 ˤʤϤ)
ĤΤ褦

 portsnap fetch; portsnap update

ports 򹹿ƤƤ顤

 portupgrade cyrus-sasl

ȤФ褤

ơޤϤΥ󥹥ȡĴ٤褦
/var/log/ports/security::cyrus-sasl2.log 󥹥ȡΥΤϤʤΤǤɤȡ

----------------------------------------------------------------------

Libraries have been installed in:

/usr/local/lib/sasl2

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

- add LIBDIR to the `LD_LIBRARY_PATH' environment variable

during execution

- add LIBDIR to the `LD_RUN_PATH' environment variable

during linking

- use the `-Wl,-rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

Ȥ饤֥˴ؤ뤤ĤεҤ󤫤ä塤

You can use sasldb2 for authentication, to add users use:

saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read

Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of

auxprop. If you want to authenticate your user by /etc/passwd,

PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and

set sasl_pwcheck_method to saslauthd after installing the

Cyrus-IMAPd 2.X port. You should also check the

/usr/local/lib/sasl2/*.conf files for the correct

pwcheck_method.

ȤåĤ롥
ϡ

  • smtp auth ĤʤС桼ѥɤ saslpasswd2 ޥɤɲä
  • port ϥѥɾȹȤ pwcheck_method (ѥեˤȹ)ǽ󶡤뤬¾ξȹˡȤФб port ⥤󥹥ȡ뤻.
  • cyrus sasl ե /usr/local/lib/sasl2/ ʲˤ(Ȥ)

ʤɤΤȤ񤤤Ƥ롥
ǤͻҤޤϤʤΤǡ򤵤Ĵ٤褦

ޤϰ켡󸻤ȤȤǡܲ http://www.postfix.org/ dzǧ
Documentation 򸫤ȡʤΤĤ.

Ūˤ http://www.postfix.org/SASL_README.html å뤳Ȥˤʤ.
warning.png ʤ web ϰ̸˽񤤤ƤΤ FreeBSD ξ /etc ϤΤޤޤ /usr/local/etc ɤؤ/usr/lib /usr/local/lib ɤؤ뤳Ȥˤʤ롥αդ褦

ȡޤϥȥȤơ

How Postfix uses SASL authentication

SMTP servers need to decide whether an SMTP client is authorized to send mail to remote destinations, or only to destinations that the server itself is responsible for. Usually, SMTP servers allow mail to remote destinations when the client's IP address is in the "same network" as the server's IP address.

SMTP clients outside the SMTP server's network need a different way to get "same network" privileges. To address this need, Postfix supports SASL authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client can authenticate to the Postfix SMTP server, and the Postfix SMTP client can authenticate to a remote SMTP server. Once a client is authenticated, a server can give it "same network" privileges.

Postfix does not implement SASL itself, but instead uses existing implementations as building blocks. This means that some SASL-related configuration files will belong to Postfix, while other configuration files belong to the specific SASL implementation that Postfix will use. This document covers both the Postfix and non-Postfix configuration.

You can read more about the following topics:

* Configuring SASL authentication in the Postfix SMTP server

* Configuring SASL authentication in the Postfix SMTP/LMTP client

* Building Postfix with SASL support

* Using Cyrus SASL version 1.5.x

* Credits

Ȥ롥Ȥꤢǽ

* Configuring SASL authentication in the Postfix SMTP server

ɤФ褵Ȥ狼롥
Ǥɤ߻Ϥ褦ȡ

Configuring SASL authentication in the Postfix SMTP server

As mentioned earlier, SASL is implemented separately from Postfix. For this reason, configuring SASL authentication in the Postfix SMTP server involves two different steps:

* Configuring the SASL implementation to offer a list of mechanisms that are suitable for SASL authentication and, depending on the SASL implementation used, configuring authentication backends that verify the remote SMTP client's authentication data against the system password file or some other database.

* Configuring the Postfix SMTP server to enable SASL authentication, and to authorize clients to relay mail or to control what envelope sender addresses the client may use.

Successful authentication in the Postfix SMTP server requires a functional SASL framework. Configuring SASL should therefore always be the first step.

Ȥꡤʳ(cyrus sasl postfix)꤬ɬפǡcyrus sasl ˤȸäƤ롥
ơܺ٤ʹܤϰʲ̤ꡥ

You can read more about the following topics:

* Which SASL Implementations are supported?

* Configuring Dovecot SASL

   o Postfix to Dovecot SASL communication

* Configuring Cyrus SASL

   o Cyrus SASL configuration file name

   o Cyrus SASL configuration file location

   o Postfix to Cyrus SASL communication

* Enabling SASL authentication and authorization in the Postfix SMTP server

   o Enabling SASL authentication in the Postfix SMTP server

   o Postfix SMTP Server policy - SASL mechanism properties

   o Enabling SASL authorization in the Postfix SMTP server

   o Additional SMTP Server SASL options

* Testing SASL authentication in the Postfix SMTP server

Cyrus SASL

餷Ф餯 Cyrus sasl Ȥʤ롥ɤ߿ʤ褦ޤϤɤʥեȥ saslѤ˻ȤΤȤȡ

Which SASL Implementations are supported?

Currently the Postfix SMTP server supports the Cyrus SASL and Dovecot SASL implementations.

Note

Before Postfix version 2.3, Postfix had support only for Cyrus SASL. Current Postfix versions have a plug-in architecture that can support multiple SASL implementations.

To find out what SASL implementations are compiled into Postfix, use the following commands:

% postconf -a (SASL support in the SMTP server)

% postconf -A (SASL support in the SMTP+LMTP client)

These commands are available only with Postfix version 2.3 and later.

Ȥ롥ºݤ postconf -a ȤƤߤ(ϥФäʤΤǤΤ߹ͤ)

cyrus

dovecot

ȽϤΤǡpostfix Ф cyrus-sasl dovecot-sasl ξбƤ뤳Ȥ狼롥
notes.png ǧƤ

ˡط cyrus-sasl ܤޤǤɤȡ

Configuring Cyrus SASL

The Cyrus SASL framework supports a wide variety of applications (POP, IMAP, SMTP, etc.). Different applications may require different configurations. As a consequence each application may have its own configuration file.

The first step configuring Cyrus SASL is to determine name and location of a configuration file that describes how the Postfix SMTP server will use the SASL framework.

Ȥäơcyrus sasl Ϥʥץꥱ󤫤Ȥ뤫顤ƥץꥱե뤬ɬפ顤ޤ postfix ե̾ȾꤷȸäƤ롥
ơξܺ٤ˤĤƤϰʲΤȤꡥ
ޤ̾ˤĤƤ

Cyrus SASL configuration file name

The name of the configuration file (default: smtpd.conf) is configurable. It is a concatenation from a value that the Postfix SMTP server sends to the Cyrus SASL library, and the suffix .conf, added by Cyrus SASL.

The value sent by Postfix is the name of the server component that will use Cyrus SASL. It defaults to smtpd and is configured with one of the following variables:

/etc/postfix/main.cf:

# Postfix 2.3 and later

smtpd_sasl_path = smtpd

# Postfix < 2.3

smtpd_sasl_application_name = smtpd

postfix ̾ϥǥեȤǤ smtpd.conf ȸäƤ롥
ܤ postfix С cyrus sasl 饤֥Τ̾פ .conf ȤĥҤĤΤǤꡤΡ̾פ /usr/local/etc/postfix/main.cf (⤷ϥǥեȤ)ꤵƤ롥
äѤɬפϤʤ餳ϥǥեȤΤޤޤǤ

ˤΥե smtpd.conf ֤ƤˤĤƤ

Cyrus SASL configuration file location

The location where Cyrus SASL searches for the named file depends on the Cyrus SASL version and the OS/distribution used.

You can read more about the following topics:

* Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.

* Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.

* Some Postfix distributions are modified and look for the Cyrus SASL configuration file in /etc/postfix/sasl/, /var/lib/sasl2/ etc. See the distribution-specific documentation to determine the expected location.

Note

Cyrus SASL searches /usr/lib/sasl2/ first. If it finds the specified configuration file there, it will not examine other locations.

ȡִĶˤäư㤦补ޤŪˤϤʤȤ¿ɡפȤä񤤤Ƥ롥
ˤĤƤ sasl2 󥹥ȡäȹ碌ơ
/usr/local/lib/sasl2
smtpd.conf ֤ȤȤ狼롥

/usr/local/lib/sasl2 Ƥߤȡsmtpd.conf Ȥե̵ΤǡʬǺʤȤʤȤ狼롥
notes.png äƤäݤǤ褱Сեִñˡ touch ޥɤȤΤ

 cd /usr/local/lib/sasl2
 touch smtpd.conf

ȤФ褤

ơιܤؿʤ⤦

Postfix to Cyrus SASL communication

As the Postfix SMTP server is linked with the Cyrus SASL library libsasl, communication between Postfix and Cyrus SASL takes place by calling functions in the SASL library.

The SASL library may use an external password verification service, or an internal plugin to connect to authentication backends and verify the SMTP client's authentication data against the system password file or other databases.

The following table shows typical combinations discussed in this document:

authentication backend password verification service / plugin

/etc/shadow saslauthd

PAM saslauthd

IMAP server saslauthd

sasldb sasldb

MySQL, PostgreSQL, SQLite sql

LDAP ldapdb

Note

Read the Cyrus SASL documentation for other backends it can use.

Ȥäơǧڥƥ sasl Ȥơ֥桼̾ȥѥɤξȹɤԤפˡˤĤबȤȤˤĤƽҤ٤Ƥ롥
ϰִñʡsasl ѤΥѥɳǼեäƻȤˡѤ롥
Ͼ sasldb ȤˡǤ(Υץ饰̾ sasldb )

ΤȤϺϴطʤ saslauthd ³Τǥåפơطʹܤɤ߿ʤ褦ȼιܤˤ椭롥

Cyrus SASL Plugins - auxiliary property plugins

Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's capabilities. Currently Cyrus SASL sources provide three authentication plugins.

Plugin Description

sasldb Accounts are stored stored in a Cyrus SASL Berkeley DB database

sql Accounts are stored in a SQL database

ldapdb Accounts are stored stored in an LDAP database

Important

These three plugins support shared-secret mechanisms i.e. CRAM-MD5, DIGEST-MD5 and NTLM. These mechanisms send credentials encrypted but their verification process requires the password to be available in plaintext. Consequently passwords cannot (!) be stored in encrypted form.

ɤ顤sasldb, sql, ldapdb 3ĤΥץ饰 auxprop ȤȤߤǤ«ͤƤ褦
warning.png Important ȤƤȤƤս񤭤񤤤ƤΤǤɤǤ

ơ줬Ȥ sasldb ץ饰³

The sasldb plugin

The sasldb auxprop plugin authenticates SASL clients against credentials that are stored in a Berkeley DB database. The database schema is specific to Cyrus SASL. The database is usually located at /etc/sasldb2.

Note

The sasldb2 file contains passwords in plaintext, and should have read+write access only to user postfix or a group that postfix is member of.

ξϽפ
notes.png ѥɳǼե뤬ɤʤäƤ뤫ǧƤ
Υեϴ˺Ƥäơ/usr/local/etc/sasldb2.db Ȥ֤̾Ƥ롥ǤΡֻȥѡߥåפ

 ls -lg /usr/local/etc/sasldb2.db

ȤƳǧ롥

-rw-r----- 1 cyrus mail 16384 11 29 21:59 /usr/local/etc/sasldb2.db

ʤɤȤʤꡤ

  • : cyrus
  • 롼: mail

ǡѡߥå

  • : ɤ߽񤭲
  • 롼: ɤ߲
  • ¾: ɤ߽Բ

ȤʤäƤ롥

/etc/group ե򸫤Ȥ狼뤬mail 롼פˤ postfix °ƤΤǡpostfix ϤΥեɤΤưˤϻپ㤬ʤȤ狼롥
ޤʳμԤϤΥեɤळȤǤѥϳʤȤ狼롥

notes.png Τ褦ʻȥѡߥåˤʤäƤʤϽƤȤޥɤ chown chmod ȤΤʤͤ web 򸡺ʤɤĴ٤褦

ơ sasl ѤΥѥɤˡ񤤤Ƥ롥

The saslpasswd2 command-line utility creates and maintains the database:

% saslpasswd2 -c -u example.com username

Password:

Again (for verification):

This command creates an account username@example.com.

Important

users must specify username@example.com as login name, not username.

Run the following command to reuse the Postfix mydomain parameter value as the login domain:

% saslpasswd2 -c -u `postconf -h mydomain` username

Password:

Again (for verification):

Note

Run saslpasswd2 without any options for further help on how to use the command.

̾ϥѥɤ realm mydomain ͡餳褦͡ȸäƤ롥
realm postfix ¦ǤϥǥեȤǤϥۥ̾ǤΤǡʸϤϾƤ롥

warning.png ᡼륵ФϥɥᥤΥ᡼򰷤Τ̾ǤΤǡϾʸϤΤ֤ۤ˶ᤤ
postfix ΥǥեͤϤ餯ְִäꤷƤ¾ΥޥǤ򤫤ʤפȤտޤΤǤ⤷Ϥʤ
ΤμȤǤϡƥޥǥ᡼򰷤Τ realm ϥۥ̾(ǥե)ˤƤȤˤ褦

notes.png ǥ桼ȥѥɤꤷƤ
ϥѥɤ realm ۥ̾ˤΤǡ㤨Х桼̾ testѥ password ꤹʤ

 saslpasswd2 -c -u `postconf -h myhostname` test

ȤФ褤ȤѥɤϤ׵ᤵΤǤǥѥɤ롥
warning.png mydomain ǤϤʤ myhostname ѤƤ뤳Ȥդ补

ʤߤ˥桼ϿޤäɤΤˡˤĤƤϤҤꡤ

The sasldblistusers2 command lists all existing users in the sasldb database:

% sasldblistusers2

username1@example.com: password1

username2@example.com: password2

Ƚ񤫤Ƥ롥
notes.png ® sasldblistusers2 ¹ԤƤߤ褦㤨

Ͽ桼̾@ۥ̾ userPassword

ȤϤФСϿƤ뤳ȤǧǤȤȤˤʤ.

ơƺä桼̾ȥѥɤǼեȤsasl ˻ؼɬפ롥
ΤεҤ³

Configure libsasl to use sasldb with the following instructions:

/etc/sasl2/smtpd.conf:

pwcheck_method: auxprop

auxprop_plugin: sasldb

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

Note

In the above example adjust mech_list to the mechanisms that are applicable for your environment.

notes.png ս񤭤ˤ⤢褦ˡǧڥᥫ˥ȤƻȤΤꥹȤ٤ʤΤǡNTLM (Ť Windows Ѥǧڤˡ)ϳơ/usr/local/lib/sasl2/smtpd.conf ˼Τ褦˽񤭤Ǥ

pwcheck_method: auxprop

auxprop_plugin: sasldb

mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

Ȥ cyrus sasl ˤĤƤϴطʤҤ³Τǡ cyrus sasl ¦Ͻλ
(ɡեҤȤĺä3Խ񤭹Ȥȡ桼ϿȤΤߤä)

Postfix smtp auth Ȥν

ˡpostfix ¦꤬ɬפweb ³ɤȡ

Enabling SASL authentication and authorization in the Postfix SMTP server

By default the Postfix SMTP server uses the Cyrus SASL implementation. If the Dovecot SASL implementation should be used, specify an smtpd_sasl_type value of dovecot instead of cyrus:

/etc/postfix/main.cf:

smtpd_sasl_type = dovecot

Additionally set the path where the Postfix SMTP server can find the Dovecot SASL socket:

/etc/postfix/main.cf:

smtpd_sasl_path = private/auth

Note

This example uses a pathname relative to the Postfix queue directory, so that it will work whether or not the Postfix SMTP server runs chrooted.

Ȥ뤬ϥǥեȤ cyrus sasl ȤΤǤϴطʤ

Enabling SASL authentication in the Postfix SMTP server

Regardless of the SASL implementation type, enabling SMTP authentication in the Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:

/etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes

After a "postfix reload", SMTP clients will see the additional capability AUTH in an SMTP session, followed by a list of authentication mechanisms the server supports:

% telnet server.example.com 25

...

220 server.example.com ESMTP Postfix

EHLO client.example.com

250-server.example.com

250-PIPELINING

250-SIZE 10240000

250-AUTH DIGEST-MD5 PLAIN CRAM-MD5

...

However not all clients recognize the AUTH capability as defined by the SASL authentication RFC. Some historical implementations expect the server to send an "=" as separator between the AUTH verb and the list of mechanisms that follows it.

The broken_sasl_auth_clients configuration option lets Postfix repeat the AUTH statement in a form that these broken clients understand:

/etc/postfix/main.cf:

broken_sasl_auth_clients = yes

Note

Enable this option for Outlook up to and including version 2003 and Outlook Express up to version 6. This option does not hurt other clients.

After "postfix reload", the Postfix SMTP server will propagate the AUTH capability twice - once for compliant and once for broken clients:

% telnet server.example.com 25

...

220 server.example.com ESMTP Postfix

EHLO client.example.com

250-server.example.com

250-PIPELINING

250-SIZE 10240000

250-AUTH DIGEST-MD5 PLAIN CRAM-MD5

250-AUTH=DIGEST-MD5 PLAIN CRAM-MD5

Ȥ롥
ˤȡsmtpd_sasl_auth_enable yes ˤǻȤ褦ˤʤ뤬˿ޥեȤΥ᡼顼Τޤޤ smtp auth 򤭤ȰʤΤ broken_sasl_auth_clients yes ˤƤɤȤȤ񤤤Ƥ롥
ơpostfix ɹߤƤ telnet 25 ͻҤȤȤ񤤤Ƥ롥

notes.png ǡޤϤ

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

postfix main.cf ˽񤭤Ǥ
θ塤postfix ɹߤ褦Ūˤ

 /usr/local/etc/rc.d/postfix reload

ȤФ褤
ΤƱͤ

 telnet localhost 25

Ȥ

 EHLO localhost

Ȥ

250-ۥ̾

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

Ȥʤꡤ250-AUTH ǻϤޤԤƤ뤳Ȥ狼롥
ǡpostfix smtp auth бˤʤäȤ狼롥

notes.png ⤷ޤäƤʤ褦ʤФޤǤκȤ򸫤ʤ

ˡƥΥݥꥷˤĤƤ롥

Postfix SMTP Server policy - SASL mechanism properties

The Postfix SMTP server supports policies that limit the SASL mechanisms that it makes available to clients, based on the properties of those mechanisms. The next two sections give examples of how these policies are used.

Property Description

noanonymous Don't use mechanisms that permit anonymous authentication.

noplaintext Don't use mechanisms that transmit unencrypted username and password information.

nodictionary Don't use mechanisms that are vulnerable to dictionary attacks.

forward_secrecy Require forward secrecy between sessions (breaking one session does not break earlier sessions).

mutual_auth Use only mechanisms that authenticate both the client and the server to each other.

Unencrypted SMTP session

The default policy is to allow any mechanism in the Postfix SMTP server except for those based on anonymous authentication:

/etc/postfix/main.cf:

# Specify a list of properties separated by comma or whitespace

smtpd_sasl_security_options = noanonymous

Important

Always set at least the noanonymous option. Otherwise, the Postfix SMTP server can give strangers the same authorization as a properly-authenticated client.

ǥեȤѤˤƤ⾯ʤȤ noanonymous ꤷƤȸäƤ롥
/usr/local/etc/postfix/main.cf.default 򸫤ƥǥեͤǧȳΤ

smtpd_sasl_security_options = noanonymous

Ƚ񤤤ƤΤǡȤꤢϲ⤷ʤǤ¤ϽƤ뤳Ȥˤʤ롥

TLS/SSL ȤΤƤˤĤƽ񤤤Ƥ롥

Encrypted SMTP session (TLS)

A separate parameter controls Postfix SASL mechanism policy during a TLS-encrypted SMTP session. The default is to copy the settings from the unencrypted session:

/etc/postfix/main.cf:

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

A more sophisticated policy allows plaintext mechanisms, but only over a TLS-encrypted connection:

/etc/postfix/main.cf:

smtpd_sasl_security_options = noanonymous, noplaintext

smtpd_sasl_tls_security_options = noanonymous

To offer SASL authentication only after a TLS-encrypted session has been established specify this:

/etc/postfix/main.cf:

smtpd_tls_auth_only = yes

ǥեȤǤ褱в⤷ʤƤɤ¾ˤСĤȤ㤬Ľ񤤤Ƥ롥
ޤϤǥեȤǤ褫

Enabling SASL authorization in the Postfix SMTP server

After the client has authenticated with SASL, the Postfix SMTP server decides what the remote SMTP client will be authorized for. Examples of possible SMTP clients authorizations are:

* Send a message to a remote recipient.

* Use a specific envelope sender in the MAIL FROM command.

These permissions are not enabled by default.

Ȥꡤ¾ؤΥ᡼žп̾ͳˤ뤫ɤˤĤ꤬ɬפʤȤ狼롥
ޤ

Mail relay authorization

The permit_sasl_authenticated restriction allows SASL-authenticated SMTP clients to send mail to remote destinations. Add it to the list of smtpd_recipient_restrictions as follows:

/etc/postfix/main.cf:

smtpd_recipient_restrictions =

...

permit_mynetworks

permit_sasl_authenticated

reject_unauth_destination

...

Ȥꡤsmtp auth ǧڤ줿桼Υ᡼¾ΥФ(ž, relay)ȤĤˤ permit_sasl_authenticated Ȥ1Ԥ postfix main.cf smtpd_recipient_restrictions ˴ޤȤȤ狼롥
notes.png ϵĤƤΤ̾λȤ顤­Ȥˤʤ롥
Ūˤϡǥեͤ main.cf.default main.cf ˥ԡƤ˽­ȤˤʤΤ

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Ȥ1(ԤʤˤƤ̵ۤ񤫤)񤭹ळȤˤʤ롥

ˡ

Envelope sender address authorization

By default an SMTP client may specify any envelope sender address in the MAIL FROM command. That is because the Postfix SMTP server only knows the remote SMTP client hostname and IP address, but not the user who controls the remote SMTP client.

This changes the moment an SMTP client uses SASL authentication. Now, the Postfix SMTP server knows who the sender is. Given a table of envelope sender addresses and SASL login names, the Postfix SMTP server can decide if the SASL authenticated client is allowed to use a particular envelope sender address:

/etc/postfix/main.cf:

smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

smtpd_recipient_restrictions =

...

reject_sender_login_mismatch

permit_sasl_authenticated

permit_mynetworks

reject_unauth_destination

...

The controlled_envelope_senders table specifies the binding between a sender envelope address and the SASL login names that own that address:

/etc/postfix/controlled_envelope_senders

# envelope sender owners (SASL login names)

john@example.com john@example.com

helpdesk@example.com john@example.com, mary@example.com

postmaster admin@example.com

@example.net barney, fred, john@example.com, mary@example.com

With this, the reject_sender_login_mismatch restriction above will reject the sender address in the MAIL FROM command if smtpd_sender_login_maps does not specify the SMTP client's login name as an owner of that address.

See also reject_authenticated_sender_login_mismatch and reject_unauthenticated_sender_login_mismatch for additional control over the SASL login name and the envelope sender.

Ȥ smtp auth Υ桼̾ȼºݤ˽Ф᡼κп̾פ뤫ɤå뤫ʤɤˤĤƽ񤤤Ƥ롥
ޤˤĤƤϺϤޤǸʤǤ褤Τǡϥåפ褦

ˡ٤ץ3ĤˤĤ롥

Additional SMTP Server SASL options

Postfix provides a wide range of SASL authentication configuration options. The next section lists a few that are discussed frequently. See postconf(5) for a complete list.

Default authentication domain

Postfix can append a domain name (or any other string) to a SASL login name that does not have a domain part, e.g. "john" instead of "john@example.com":

/etc/postfix/main.cf:

smtpd_sasl_local_domain = example.com

This is useful as a default setting and safety net for misconfigured clients, or during a migration to an authentication method/backend that requires an authentication REALM or domain name, before all SMTP clients are configured to send such information.

Hiding SASL authentication from clients or networks

Some clients insist on using SASL authentication if it is offered, even when they are not configured to send credentials - and therefore they will always fail and disconnect.

Postfix can hide the AUTH capability from these clients/networks:

/etc/postfix/main.cf:

smtpd_sasl_exceptions_networks = !192.0.2.171/32, 192.0.2.0/24

Adding the SASL login name to mail headers

To report SASL login names in Received: message headers (Postfix version 2.3 and later):

/etc/postfix/main.cf:

smtpd_sasl_authenticated_header = yes

Note

The SASL login names will be shared with the entire world.

notes.png ܤϤʤʤꤷƤ
postfix Ȥ sasl ѥɤ realm ΤΤꤹΤǡְ㤨ǧڤޤʤʤΤդ褦
Ūˤϡ

 smtpd_sasl_local_domain = qۤۤ.cl.math.sci.osaka-u.ac.jp

ȥۥ̾ꤹ뤳Ȥˤʤ롥

ϽλΤϤ
notes.png postfix ɹߤƤ

SMTP Auth ưǧ

Ѥ륳ޥ mmencode 򡤺Τ˥󥹥ȡ뤷Ƥ.
ŪˤϡĤΤ褦 portsnap ports 쥯򿷤ƤƤ顤
psearch & portinstall ǥ󥹥ȡ뤹Ȥ

ºݤ˼³Ƥߤ.

SMTP Auth ³ݤǧˡˤ⤤Ĥꡤͳ֤ȤǤ.
Υ󥹥ȡǤϾꤷ褦 loginǧ, plainǧڡDigest-MD5ǧ, CRAM-MD5ǧ Ȥ褦ˤʤäƤϤ.

ǡΤ plainǧڤ CRAM-MD5ǧڤƤߤ褦.
ʤߤˡplainǧڤϴñѤǤ뤬Ź沽ƤʤΤǡCRAM-MD5ǧڤϤεդȻפФ褤.

SMTP Auth  : Plain ǧڤξ

Plain ǧڤϤڤʥΤǡSMTP Auth ʸ "\0桼̾\0ѥ"*1 base64 ǥ󥳡ɤΤ򥵡ФϤȤñʻȤߤ.
warning.png base 64 ϰŹ沽ǤϤʤ(ԥ塼ǰΤˤʤ褦)ñʤѴ*2ʤΤǡƥݤʤ. Ĥޤꡤѥ base64 󥳡ɤ(Ҥ mmencode 򤫤)ͤ˶ꤷƤϤʤ.

notes.png
ơ³³ɬפʸäƤޤ.
Ūˤϡޥɥ饤

 printf '\0桼̾\0ѥ' | mmencode 

ȤФ褤.
桼̾ȥѥɤϤۤ SMTP Auth Ѥ saslpasswd2 ޥɤꤷΤǤ.

ȡ'\0桼̾\0ѥ' base64 󥳡ɤ줿ʸ󤬽ϤΤǡɤ¸Ƥ*3.
ʤߤˡ㤨 '\0test\0password' mmencode "AHRlc3QAcGFzc3dvcmQ=" Ȥʤ.

notes.png ȤϤĤΤ褦 telnet localhost 25 Ǽ MTA ³Ƥߤ.
ˤä褦 "EHLO localhost" ȤƱʤᡤ

250-ۥ̾

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

ʳ SMTP Auth Plain ǧڤƤߤ褦.
Ūˤϡ

AUTH PLAIN ۤbase64󥳡ɤƺäʸ

ϤФ褤. Plain ǧڤϤǺѤ.

235 2.7.0 Authentication successful

ʤɤ "success" ΰդå֤äƤСǧڤ̤äȤȤ OK Ǥ.
ȤƱͤ ^], quit ȴ褦.

ޤʤͤǫˤޤǤκȤ򿶤֤.

SMTP Auth  : CRAM-MD5 ǧڤξ

CRAM-MD5ǧڤ PlainǧڤȰäơѥɤʿʸʤǤ. plain ǧڤȰۤʤꡤͥåȥİƤޤȤ褦.
Ūˤϡ³ȥФŬʸäƤΤǡѥɤ򥭡ˤ hmac-md5 ǥϥå(줬ѥɤ򰵽, Ź沽Ȥ), 桼̾Ȥ碌 base64 󥳡ɤ֤ФƱͤ˺äϥåƱʤǧ OK Ȥˤʤ.

䤳¤ CRAM-MD5 ƥȤ뤿Υץ "userdb-test-cram-md5" ¸ߤΤǡ򥤥󥹥ȡ뤷ѤФ褤.
ΥץȤϸҤ courier-imap Υ󥹥ȡˤäƥ󥹥ȡ뤵ΤǡκȤ򤷤ƤäƤʤȤʤ.
warning.png Ȥ櫓ǡƤɤϡҤ courier-imap Υ󥹥ȡޤǥפ󥹥ȡ뤷äƤ뤳.

ʲκȤˤϥ󥽡뤬İʾ夢äʤΤǡX Ŭʸüߥ졼ĵưʤɡפƺȤ褦.
󥽡뤬1ĤѰդǤʤǤ⡤ޥǥԡ(å) and ڡ(楯å)ǽʾ礬¿ΤǡޥߤƤߤȤ褤.

ʹߡʬ䤹뤿 2Ĥʸüߥ졼Ѱդꤷγơüươ Shell-A, Shell-B Ȥäʤ褦.

notes.png ޤShell-A telnet localhost 25 ơEHLO localhost бƱ褦

250-ۥ̾

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

ޤǤ褦. Ƥ

auth cram-md5

Ϥ. ȡ

334 PG5hbmlrYW5vLXNlcnZlcj4=

ʤɤȽϤ֤äƤ.
PG5hbmlrYW5vLXNlcnZlcj4= Ф base64 äƤʸ*4ǤΤǡ桼Υѥɤ򥭡ˤ hmac-md5 ǥϥå׻ƥ桼̾Ȥ碌 base64 ֤Ф褤. ʸݤˤߤ뤬ʤΤȤϤʤΥޥɤȤФ褤.

Ūˤ Shell-B userdb-test-cram-md5 ¹ԤơʲΤ褦бФ褤.

Username? test (SMTP Auth ˻Ȥ)桼̾Ϥ

Password? password (SMTP Auth ˻Ȥ)ѥɤϤ

Send: AUTH CRAM-MD5 (or for imap, A AUTHENTICATE CRAM-MD5)

Paste the challenge here:

+ PG5hbmlrYW5vLXNlcnZlcj4= Shell-A ǥФäƤʸϤ

Send this response:

dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI= ֤٤ʸ󤬽Ϥ

ȤʤꡤǸ٤ʸƤ.

Ǥʸ(ξ dGVzdHVzZXIgY2NiNjc4YmZjZGY1YWRlMGUyYmE2MmM3ODA3OTA1NGI=)򤵤ä Shell-A ǤκȤ³ Ϥ.
ǧڤ̤ФΤ

235 2.7.0 Authentication successful

ʤɤ "success" ΰդå֤äƤСǧڤ̤äȤȤ OK Ǥ.
ȤƱͤ ^], quit ȴ褦.

ޤʤͤǫˤޤǤκȤ򿶤֤.

SMTP over TLS Ȥ

SMTP over TLS

notes.png TLS ѤˤĤƤϡΤޤ˸ȾѰդʤȤʤ.
ټ֤ʤΤǡweb server λ˺äȾ򤽤ΤޤޥԡƻȤ

 cd /usr/local/etc/postfix
 cp ../apache22/apache.key ./postfix.key
 cp ../apache22/apache.crt ./postfix.crt

ѡߥåˤⵤĤơ

 chmod 400 postfix.key
 chmod 400 postfix.crt

ȤƤ.

ơPostfix ϡܲȤΥɥ( http://www.postfix.org/TLS_README.html )ɤǼʬʤ˼򤹤뤳Ȥˤʤ.
Ф饤Ȥǧڤɤ뤫ʤ¿䤳Ƥ褯狼ʤȻפΤǡ񤤤Ƥޤ.
notes.png ϡ /usr/local/etc/postfix/main.cf

smtpd_tls_cert_file = /usr/local/etc/postfix/postfix.crt

smtpd_tls_key_file = /usr/local/etc/postfix/postfix.key

smtpd_tls_loglevel = 1

smtpd_tls_received_header = yes

smtpd_tls_security_level = may

smtp_tls_loglevel = 1

smtp_tls_security_level = may

smtp_tls_note_starttls_offer = yes

ʤɤȲäɤ.
ϷϩΰŹ沽Ǥ褤ȤʤΤǡǧڤޤǤȤͤϥɥȤ򤭤ɤ⤦.
warning.png Postfix ˡǯѤäᡤweb ǻȤǤ¿ϴ˸Ťޤ侩ǤʤΤαդ뤳.

Խä顤postfix ɹɤ

SMTP over TLS ưǧ

notes.png telnet localhost 25 dzǧƤߤ褦.
ޤǤƱͤ EHLO localhost ,

250-ۥ̾

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS б TLS/SSL ѤΤ

250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

ʤɤȤʤ.
Τ褦 "250-STARTTLS" ȤʬСȤꤢ TLS бư򤷤Ƥ뤳Ȥ狼.
ȤƱͤ ^], quit ȴ褦.

줬Фʤ褦ʤ鲿ΤǤޤǤκȤ򿶤֤.

notes.png
ơ SMTP ưåʥġƳ褦. ʹߤγǧȤڤˤʤ.
swaks (Swiss Army Knife SMTP) ȤФΤǤꡤޤǤ telnet localhost 25 ȤϢκȤưŪˤäƤʤΤǤ.

Ȥ櫓ǤĤΤ褦(psearch õ) swaks 򥤥󥹥ȡ뤷褦.

 portinstall mail/swaks

ȤФ褤. 󥹥ȡ˥ץ
swaks-install.png
Ф顤ʤȤ "MX lookup support" "TLS support" Ȥ ON ˤƤƤ饤󥹥ȡ뤷褦.
NTLM ϺϴطʤΤdzޤޤǤ褤.
ؿʤȡp5-Net-DNS Υ󥹥ȡ IPv6 ͭˤ뤫Ȥץʹ뤬ϳƤ
ˡp5-Net-SSLeay Υ󥹥ȡ˥ƥȤ򤹤뤫ɤʹ뤳Ȥ뤬 "n" Τޤޤǹʤ.

Ȥϥ󥹥ȡ뤬ΤޤȤ.
󥹥ȡκǸˡڤˤ

Try

`swaks --help'

to list the available options and

`swaks --support'

for a list of capabilities.

ȶƤΤǡФƤ
,ޤϤ餤ͤƤޤǤΥƥȤƸƤߤ褦.

notes.png ޤñ MTA ưƤ뤫γǧ򤷤褦.

 swaks --server localhost

Ȥȡƥȥ᡼ΰʹƤΤ, ʬΥ̾褦.

=== Trying localhost:25...

=== Connected to localhost.

<- 220 ۥ̾ ESMTP Postfix

-> EHLO ۥ̾Ƭʬ

<- 250-ۥ̾

<- 250-PIPELINING

<- 250-SIZE 10240000

<- 250-VRFY

<- 250-ETRN

<- 250-STARTTLS

<- 250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5

<- 250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5

<- 250-ENHANCEDSTATUSCODES

<- 250-8BITMIME

<- 250 DSN

-> MAIL FROM:<п@ۥ̾Ƭʬ>

<- 250 2.1.0 Ok

-> RCPT TO:<桼̾>

<- 250 2.1.5 Ok

-> DATA

<- 354 End data with <CR><LF>.<CR><LF>

-> Date: Tue, 30 Nov 2010 20:19:53 +0900

-> To: 桼̾

-> From: п@ۥ̾Ƭʬ

-> Subject: test Tue, 30 Nov 2010 20:19:53 +0900

-> X-Mailer: swaks v20100211.0 jetmore.org/john/code/swaks/

->

-> This is a test mailing

->

-> .

<- 250 2.0.0 Ok: queued as B8D822865

-> QUIT

<- 221 2.0.0 Bye

=== Connection closed with remote host.

MTA Ȥꤷơв򤭤ȽϤƤ.
ޤϥƥȥ᡼ºݤäϤʤΤǡȤΥۡǥ쥯ȥ Maildir/new ˥᡼뤬ϤƤϤǤ. ǧƤߤ褦.

ˡSMTP Auth plainǧڤƤߤ褦.
᡼뤬Ϥɬפ⤦ʤΤǡưǧΤߤǥ᡼ʤ褦ˤ褦.
ˤϼΤ褦ˤФ褤.

 swaks --auth PLAIN --server localhost --quit RCPT

Ⱥǽ(ºݤˤʤ)ƥȥ᡼ΰʹƤơθ SMTP Auth ǧڤɬפʥ桼̾ȥѥɤʹƤΤ褦.
ơθΤȤ

ά

-> AUTH PLAIN ѥɤbase64

<- 235 2.7.0 Authentication successful

ά

Ȥ褦 Auth plain Ǥ SMTP Auth ޤäȤȤǧǤ OK .

SMTP Auth CRAM-MD5 ǧڤƤߤ. ˤ

 swaks --auth CRAM-MD5 --server localhost --quit RCPT

ȤФ褤. ϤϾƱͤ.
ơθΤȤ

ά

-> AUTH CRAM-MD5

<- 334 PDI3NTg4NzIyNTMuNDY4OTgzOUBGcmVlQlNENy5jYXMuY21jLm9zYWthLXUuYWMuanA+

-> cGFvb24gMTgyODJmNzRhNjZhOWMwY2FjN2YzZTliNDQ2NzQ3Y2Y=

<- 235 2.7.0 Authentication successful

ά

Ȥ褦 Auth CRAM-MD5 Ǥ SMTP Auth ޤäȤȤǧǤ OK .

ơäȴο SMTP over TLS ƥȤ褦. ȤäƤ⤳ޤǤХƥȤϤ⤦ñǡ

 swaks -tls --server localhost

ȤФ褤. ǰΰ٤˥ƥȥ᡼ºݤȤƤ.
¹Ԥơswaks νϤ

ά

-> STARTTLS

<- 220 2.0.0 Ready to start TLS

=== TLS started w/ cipher DHE-RSA-AES256-SHA

ά

Ȥ褦 TLS Ȥä̵ưƤ褦ʤפ.
, Maildir/new ˼ºݤ˥᡼뤬ϤƤ뤫åΥ᡼Υإåʬ

(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))

ȤҤ뤳ȤǧƤ.

ǸˡSMTP Auth SMTP over TLS Ȥ߹碌Ƥߤ褦. SMTP Auth ǧڤϤʤǤ褤. ʤΤȤäƤäƤߤ褦.
Ūˤϡ㤨мΤ褦ˤФ褤(SMTP Auth ϼưŪǤ餦).

 swaks --auth -tls --server localhost --quit RCPT

ǽϤǫɤǤߤ褦.
warning.png νϤɤ starttls Ƥ SMTP AuthƤ , ĤޤꡤְŹ沽ϤƤѥɤꤹ׽֤ˤʤäƤ뤳Ȥܤ.
SMTP over TLS Ȥ߹碌ʤǧ(ѥɤΤ)ʿʸǤʤϤȤȤǤ.
դ˸Сover TLS ƤʤʤХͥåȥ𤷤 PlainǧڤȤȴʤȤȤˤʤ

courier-imap Υ󥹥ȡ

桼Ϥ᡼ MUA ϤΤ˹ȤƤ POP/IMAP ΥФˤĤƤϼ˼Ȥǰġ򺣻Ȥɬפ뤿ᡤǥ󥹥ȡ뤷Ƥޤ
IMAP ФȤ courier-imap ȤƤΤǤѤ롥
ʤcourier-imap 򥤥󥹥ȡ뤹Ȱ courier-pop ⥤󥹥ȡ뤵ΤǡPOP Ф򥤥󥹥ȡ뤷ȤȤ courier-imap 򤷤Ƥ褤.

notes.png ơĤΤ褦 ports 쥯󤫤饤󥹥ȡ뤷褦.
imap ФΥ󥹥ȡ courier-authlib(courier-imap ǧڴطȴФmeta ports) Υ󥹥ȡԤäƤ(ʤȼ¼Ū˻Ȥʤ).
ĤΤ褦

 portsnap fetch; portsnap update

ȤƤ顤psearch courier-authlib õƤ portinstall Ȥäƥ󥹥ȡ뤷褦
ޤ񤤤ƤޤС

 portinstall security/courier-authlib

ȤȤβɬפ¾Υġ˥󥹥ȡ뤵ΤǡФ餯ԤȤ.
Ūˤϡ

  • devel/sysconftool
  • security/courier-authlib-base
  • security/courier-authlib

󥹥ȡ뤵(ϸǥݤɬפˤʤ뤳ȤΤǡʬǺȤȤϥ⤷Ƥ)
ޤ courier-authlib Υ󥹥ȡʳǽФ륪ץ
courier-authlib-install.png
ǤϤȤꤢ "Userdb support" Ǥ. Ȥϥࡼ˿ʤ.

courier-imap Τ(psearch õƤ)

 portinstall mail/courier-imap

Ȥ courier-imap Τ򥤥󥹥ȡ뤹. ǽ˥ץ
courier-imap-install.png
Ф뤬¿ʬǥեȤ IPv6 ФƤ.
IPv6 ϻȤʤΤdzդƱͤ "Userdb support" 򤷤˿ʤ⤦.
Ф餯ԤäƤȥ󥹥ȡ뤬.

ơǰΰ٤ˤĤΤ褦˺󥤥󥹥ȡ뤵줿ʣΥեȤΥ /var/log/ports βõƤߤơåȴФȡ

(devel::sysconftool ä̵)
(security::courier-authlib-base.log )

Set WITH_AUTHPIPE_PROG to a program you want to use instead of

authProg for libauthpipe

configure: WARNING: -----------------------------------------------------

configure: WARNING: expect not found - will not be able to change passwds

configure: WARNING: in webmail

configure: WARNING: -----------------------------------------------------

Added group "courier".

Added user "courier".

----------------------------------------------------------------------

Libraries have been installed in:

/usr/local/lib/courier-authlib

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

- add LIBDIR to the `LD_LIBRARY_PATH' environment variable

during execution

- add LIBDIR to the `LD_RUN_PATH' environment variable

during linking

- use the `-Wl,-rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

===> SECURITY REPORT:

This port has installed the following files which may act as network

servers and may therefore pose a remote security risk to the system.

/usr/local/libexec/courier-authlib/authdaemond

This port has installed the following startup scripts which may cause

these network services to be started at boot time.

/usr/local/etc/rc.d/courier-authdaemond

If there are vulnerabilities in these programs there may be a security

risk to the system. FreeBSD makes no guarantee about the security of

ports included in the Ports Collection. Please type 'make deinstall'

to deinstall the port if this is a concern.

For more information, and contact details about the security

status of this software, see the following webpage:

http://www.Courier-MTA.org/authlib/

(security::courier-authlib.log )

configure: WARNING: -----------------------------------------------------

configure: WARNING: expect not found - will not be able to change passwds

configure: WARNING: in webmail

configure: WARNING: -----------------------------------------------------

----------------------------------------------------------------------

Libraries have been installed in:

/usr/local/lib/courier-authlib

If you ever happen to want to link against installed libraries

in a given directory, LIBDIR, you must either use libtool, and

specify the full pathname of the library, or use the `-LLIBDIR'

flag during linking and do at least one of the following:

- add LIBDIR to the `LD_LIBRARY_PATH' environment variable

during execution

- add LIBDIR to the `LD_RUN_PATH' environment variable

during linking

- use the `-Wl,-rpath -Wl,LIBDIR' linker flag

See any operating system documentation about shared libraries for

more information, such as the ld(1) and ld.so(8) manual pages.

----------------------------------------------------------------------

(mail::courier-imap.log )

In case you use authpam, you should put the following lines

in your /etc/pam.d/imap

auth required pam_unix.so try_first_pass

account required pam_unix.so try_first_pass

session required pam_permit.so

You will have to run /usr/local/share/courier-imap/mkimapdcert to create

a self-signed certificate if you want to use imapd-ssl.

And you will have to copy and edit the *.dist files to *

in /usr/local/etc/courier-imap.

===> SECURITY REPORT:

This port has installed the following files which may act as network

servers and may therefore pose a remote security risk to the system.

/usr/local/libexec/courier-imap/couriertcpd

/usr/local/bin/couriertls

This port has installed the following startup scripts which may cause

these network services to be started at boot time.

/usr/local/etc/rc.d/courier-imap-imapd

/usr/local/etc/rc.d/courier-imap-pop3d

/usr/local/etc/rc.d/courier-imap-pop3d-ssl

/usr/local/etc/rc.d/courier-imap-imapd-ssl

If there are vulnerabilities in these programs there may be a security

risk to the system. FreeBSD makes no guarantee about the security of

ports included in the Ports Collection. Please type 'make deinstall'

to deinstall the port if this is a concern.

For more information, and contact details about the security

status of this software, see the following webpage:

http://www.courier-mta.org/imap/

ȤåĤ.

courier-authlib ϢΥեƤäʤ.
courier-imap Υեˤ˴ؤʬΤǽפ(ܤϼҤ).

warning.png SMTP Auth 椫 courier-imap Υ󥹥ȡ١ȸƤƤϡΤȤ.

ݡ

ǡĴ٤פȻؼ줿ˤĤĴԤ𤻤.
Ƽ

  1. °(ز)
  2. ֹ
  3. ǯ
  4. ̾
  5. οΥݡ(θȤˤĤƵŤ)

񤯤Τ˺ʤ褦.

about Icons, ClipArts

Some icons in this page are downloadable at ICONFINDER.

The "note" icon notes.png designed by Marco Martin is distributed with the LGPL licence,
the "warning" icon warning.png designed by Alexandre Moore with the GPL licence
and the "triangle" icon JNorth_arrow-right-sm.png designed by Joseph North is distributed with the Creative Commons (Attribution-Noncommercial-Share Alike 3.0 Unported) licence.

Some clip arts used in this page are downloadable at Open Clip Art Library.
We deeply appreciate their superb works. With licence, they describe that "the actual clipart content on open clipart library is Public domain" in the web.


*1 \0 ϥ̥Х
*2 ʤߤˡbase64 󥳡ɤƥȤϡ"mmencode -u" Ǹ᤹ȤǤ.
*3 ʸüߥ졼˳ФƤޤгڤ
*4 "mmencode -u" ˤȼºݤʸ󤬤狼