Mandriva Directory Server On Debian Etch - Page 3

Labels: Posted by EdGe on Monday, February 18, 2008 at 10:49 PM

8 SASL Configuration

Postfix will use SASL to authenticate users against the LDAP server.

mkdir -p /var/spool/postfix/var/run/saslauthd/

Adjust the default settings.

vi /etc/default/saslauthd

It should look like this:

START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

vi /etc/saslauthd.conf

It should look like this:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))

vi /etc/postfix/sasl/smtpd.conf

It should look like this:

pwcheck_method: saslauthd

mech_list: plain login

Add Postfix to the SASL group ...

adduser postfix sasl

... and restart SASL.

/etc/init.d/saslauthd restart

9 Postfix Configuration

9.1 Example Configuration

For this setup I chose the configuration without virtual domains - maybe I'll add the needed steps for a virtual domain setup in the near future. First copy the example configuration file into the postfix directory. It's the base for the following configuration.

cp /usr/share/doc/python-mmc-base/contrib/postfix/no-virtual-domain/* /etc/postfix/

9.2 Main Configuration

First adjust the main configuration file.

vi /etc/postfix/main.cf

Edit the file that it fits to your domain and additionally add some restrictions and the authentication settings - the content should look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = yes
append_at_myorigin = yes

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
mydomain = example.com
alias_maps = ldap:/etc/postfix/ldap-aliases.cf,  hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com,example.com,localhost.localdomain,localhost
mail_destination_recipient_limit = 1
mailbox_command = /usr/lib/dovecot/deliver -d "$USER"@"$DOMAIN"
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Use Maildir
home_mailbox = Maildir/

# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes

# Basics Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes

# Requirements for the connecting server
smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_rbl_client bl.spamcop.net,
  reject_rbl_client dnsbl.njabl.org,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client sbl-xbl.spamhaus.org,
  reject_rbl_client list.dsbl.org,
  permit

# Requirements for the HELO statement
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_hostname,
  reject_invalid_hostname,
  permit

# Requirements for the sender address
smtpd_sender_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit

# Requirement for the recipient address
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  permit

# Enable SASL authentication for the smtpd daemon
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Fix for outlook
broken_sasl_auth_clients = yes

# Reject anonymous connections
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =

# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache

# Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings

9.3 LDAP Aliases Configuration

Now you have to edit the aliases configuration.

vi /etc/postfix/ldap-aliases.cf

Edit the file that it fits to your domain - it should look like this:

server_host = 127.0.0.1
search_base = ou=Users,dc=example,dc=com
query_filter = (&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))
result_attribute = maildrop
version = 3

9.4 Master Configuration

The master configuration is the last part of the postfix configuration.

vi /etc/postfix/master.cf

Add the following lines:

# SMTPS
smtps inet n - - - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes

# Dovecot
dovecot unix - n n - - pipe
flags=DRhu user=dovecot:mail argv=/usr/lib/dovecot/deliver -d $recipient

# Mail to Amavis
amavis unix - - - - 10 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

# Mail from Amavis
127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Restart Postfix:

/etc/init.d/postfix restart

10 Dovecot

Dovecot will provide POP3- (SSL/TLS), IMAP- (SSL/TLS) and quota-support to the mailserver.

10.1 Main Configuration

echo "" > /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

The content should look like this:

protocols = imap imaps pop3 pop3s
listen = 0.0.0.0
login_greeting = example.com mailserver ready.
mail_location = maildir:~/Maildir
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/certs/mail.pem
ssl_key_file = /etc/ssl/private/mail.key
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log

# IMAP configuration
protocol imap {
  mail_plugins = quota imap_quota
}

# POP3 configuration
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  mail_plugins = quota
}
         
# LDA configuration
protocol lda {
  postmaster_address = postmaster
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = quota
}
                                     
# LDAP authentication

auth default {
  mechanisms = plain login

  passdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
  }
 
  userdb ldap {
      args = /etc/dovecot/dovecot-ldap.conf
  }
 
  socket listen {
      master {
          path = /var/run/dovecot/auth-master
          mode = 0660
          user = dovecot
          group = mail
      }

      client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
      }
  }
}

10.2 LDAP Configuration

echo "" > /etc/dovecot/dovecot-ldap.conf
vi /etc/dovecot/dovecot-ldap.conf

The content should look like this:

hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail

10.3 Deliver

Next adjust the rights for the dovecot deliver - so dovecot will use the right uid and gid when it stores messages in the maildirs.

dpkg-statoverride --update --add root dovecot 4755 /usr/lib/dovecot/deliver

Afterwards restart Dovecot.

/etc/init.d/dovecot restart