Install.Authentication
If you can encode and decode base64 in your head, you may attempt authentication using just openssl, as described on the Install.Starttls page. For the rest of us, download swaks from http://jetmore.org/john/code/swaks/.
fetch http://jetmore.org/john/code/swaks/files/swaks-20130209.0/swaks
chmod 755 swaks
Substitute fetch with whatever command line URL fetching tool you use (curl, wget, etc).
./swaks -server mail.example.com -port 2500 \
-protocol esmtpsa -au good@example.com -ap good_pass
Do not alter the -au or -ap values; those are pre-defined examples. Swaks will make a secure (esmtpSa) connection to mail.example.com, attempt to authenticate (esmtpsA) as good@example.com, and then deliver a test message to whomever you specify.
The results should look like this:
=== Trying mail.example.com:2500...
=== Connected to mail.example.com.
<- 220 mail.example.com ESMTP qpsmtpd 0.92 ready; send us your mail, but not your spam.
-> EHLO mypc.example.com
<- 250-mail.example.com Hi mypc.example.com [192.nn.nn.nn]
<- 250-PIPELINING
<- 250-8BITMIME
<- 250 STARTTLS
-> STARTTLS
<- 220 Go ahead with TLS
=== TLS started with cipher TLSv1:AES256-SHA:256
=== TLS no local certificate set
=== TLS peer DN="/description=LadCSTKc6G1csX16/C=US/CN=mail.example.com/emailAddress=admin@example.com"
~> EHLO mypc.example.com
<~ 250-mail.example.com Hi mypc.example.com [192.nn.nn.nn]
<~ 250-PIPELINING
<~ 250-8BITMIME
<~ 250 AUTH PLAIN LOGIN CRAM-MD5
~> AUTH CRAM-MD5
<~ 334 PDczNDM1LjUxN2VkZGRkQGRvYXIucmZjLWhvbGRpbmdzLmNvbT4=
~> Z29vZEBleGFtcGxlLmNvbSBjNWNkMmExMmVmOTE5ZmQyYTQyMDZjMjAxYjgyNmViZg==
<~ 235 CRAM-MD5 authentication successful for good@example.com - auth_flat_file
~> MAIL FROM:<user@example.com>
<~ 250 <user@example.com>, sender OK - how exciting to get mail from you!
~> RCPT TO:<user@example.com>
<~ 250 <user@example.com>, recipient ok
~> DATA
<~ 354 go ahead
~> Date: Mon, 29 Apr 2013 13:53:42 -0700
~> To: user@example.com
~> From: user@example.com
~> Subject: test Mon, 29 Apr 2013 13:53:42 -0700
~> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/
~>
~> This is a test mailing
~>
~> .
<~ 250 Queued! 1367268829 qp 92789 <>
~> QUIT
<~ 221 mail.example.com closing connection. Have a wonderful day.
=== Connection closed with remote host.
If you got a similar result, then authentication is already working, via the auth_flat_file plugin, which you see mentioned in the line that says, "authentication successful." More than likely, you'll want to employ another means of authentication.
Most likely, you will want to disable the auth_flat_file and auth_deny plugins by commenting them out in config/plugins.
At the very least, you will need to change the usernames and passwords in config/flat_auth_pw.
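As an added illustration (not part of the original wiki page or of qpsmtpd's code), the following Python decodes the 334 challenge and the client's reply from the swaks transcript above and implements the check a server performs for CRAM-MD5. The user table and password in the demo are constructed; the check also shows that the server must hold the cleartext password to verify a reply.

```python
import base64
import hashlib
import hmac

# Challenge (334 line) and client reply copied from the swaks transcript above.
CHALLENGE_B64 = "PDczNDM1LjUxN2VkZGRkQGRvYXIucmZjLWhvbGRpbmdzLmNvbT4="
RESPONSE_B64 = "Z29vZEBleGFtcGxlLmNvbSBjNWNkMmExMmVmOTE5ZmQyYTQyMDZjMjAxYjgyNmViZg=="


def decode_challenge(challenge_b64):
    """Return the server's one-time challenge string."""
    return base64.b64decode(challenge_b64, validate=True).decode("ascii")


def decode_response(response_b64):
    """Split the client's reply into (username, hex HMAC-MD5 digest)."""
    text = base64.b64decode(response_b64, validate=True).decode("utf-8")
    user, _, digest = text.rpartition(" ")
    if not user or len(digest) != 32:
        raise ValueError("malformed CRAM-MD5 response")
    return user, digest.lower()


def cram_md5_response(user, password, challenge_b64):
    """Client side: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64, validate=True)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def verify(response_b64, challenge_b64, lookup_password):
    """Server side. lookup_password(user) returns the cleartext password or
    None; a hash of the password is not enough to recompute the HMAC."""
    user, digest = decode_response(response_b64)
    password = lookup_password(user)
    if password is None:
        return False
    expected = decode_response(cram_md5_response(user, password, challenge_b64))[1]
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    print(decode_challenge(CHALLENGE_B64))
    print(decode_response(RESPONSE_B64))
    # Constructed credentials, not taken from any real password file.
    users = {"alice@example.com": "constructed-secret"}
    reply = cram_md5_response("alice@example.com", "constructed-secret", CHALLENGE_B64)
    print(verify(reply, CHALLENGE_B64, users.get))
```

Because the digest is bound to the per-connection challenge, a captured reply does not verify against a different challenge.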
There is a selection of authentication plugins to choose from:
# ls plugins/auth/
auth_checkpassword auth_ldap_bind auth_vpopmaild
auth_cvm_unix_local auth_vpopmail authdeny
auth_flat_file auth_vpopmail_sql
Each of the plugins has instructions within, which can be read with perldoc (e.g. perldoc plugins/auth/auth_checkpassword). There is even more documentation in docs/authentication.pod, which can be read similarly: perldoc docs/authentication.pod. Since many of the readers of this HOWTO are likely to have a qmail based server with vpopmail, we're going to enable auth_vpopmaild.
Vpopmaild is a server application that comes with vpopmail. When enabled, it runs as a network service, allowing SMTP applications to connect and validate vpopmail credentials. The QP plugin uses that service.
mkdir -p /var/qmail/supervise/vpopmaild
cd /var/qmail/supervise/vpopmaild
cat >> run <<EORUN
#!/bin/sh
exec 1>/dev/null 2>&1
exec env - PATH="/usr/bin:/bin:/usr/local/bin" \
tcpserver -vHRD 127.0.0.1 89 /usr/local/vpopmail/bin/vpopmaild
EORUN
chmod 755 run
chmod +t ../vpopmaild
ln -s /var/qmail/supervise/vpopmaild /var/service/
The last command creates a symbolic link in the service directory, which should cause vpopmaild to immediately start up. You can confirm it's running with sockstat:
# sockstat | grep :89
root tcpserver 10975 3 tcp4 127.0.0.1:89 *:*
Or netstat:
# netstat -an | grep '.89' | grep LISTEN
tcp4 0 0 127.0.0.1.89 *.* LISTEN
cd ~smtpd/smtpd
sed -I .bak -E -e 's/#auth\/auth_vpopmaild/auth\/auth_vpopmaild/' config/plugins
Restart QP for your change to take effect.
./swaks -server mail.example.com -port 2500 -protocol esmtpsa
Attempt to authenticate using a valid vpopmail user, and it should just work.