Dovecot postfix ldap

From DWIKI
⧼monobook-jumptonavigation⧽⧼monobook-jumptosearch⧽

Project Goal

A mailserver handling virtual mail accounts in multiple domains.


Implementation

A mailserver running dovecot, postfix, ldap and squirrelmail, with virtual domains and users.

Global variables and paths used

Variables

Primary domain

example.com

Second domain

acme.com

Hostname

mail.example.com

Files and paths

/etc/passwd

(on debian 101 is already taken by postfix!)

vmail:*:101:101:vmail user:/vmail:/bin/sh

Mail storage

mkdir -p /vmail/domains/
chown vmail /vmail/domains/
chmod 700 /vmail/domains/

/etc/group

vmail:*:101:

/var/run/dovecot/

owned by root

LDAP

For the per user mail quota and aliases i added schema qmail.schema to slapd.conf, with some small alterations: http://dhits.nl/download/qmail.new.schema

dn's used

ldap root

o=ldap

ldap admin

dc=root,o=ldap

domain root

 o=users,dc=example,dc=com,o=ldap


slapd.conf

#this one is needed by qmail schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/qmail.new.schema

#users will be allowed to change password via squirrelmail
access to attrs=userPassword
       by self write
       by anonymous auth
       by * read

To allow users to maintain mail aliases via squirrelmail

access to attrs=mailAlternateAddress
       by self write
       by * read


access to attrs=entry
       by self write
       by * read
access to * by * read

Dovecot

dovecot-ldap.conf

ldap_version = 3
base = o=ldap
#http://wiki.dovecot.org/Variables
user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/vmail/domains/%d/%n/Maildir
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/vmail/domains/%d/%n/Maildir,mail=userdb_user
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
default_pass_scheme = SSHA

dovecot.conf

base_dir = /var/run/dovecot/
login_dir = /var/run/dovecot/login
#the protocols used
protocols = imap imaps pop3 managesieve
mail_uid = 101
mail_gid = 101
disable_plaintext_auth = no
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = maildir:/vmail/domains/%d/%n/Maildir
mail_privileged_group = mail
mail_debug = yes
verbose_proctitle = no
first_valid_uid = 101
last_valid_uid = 101
first_valid_gid = 101
last_valid_gid = 101
protocol imap {
   mail_plugins = quota imap_quota
   imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
   mail_plugins = quota
   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
 postmaster_address = postmaster@example.com
 plugins = quota
 mail_plugins = cmusieve quota
 sieve_global_path = /data/vmail/domains/.dovecot.sieve
 mail_plugin_dir = /usr/local/lib/dovecot/imap
 sendmail_path = /usr/local/sbin/sendmail
 log_path = /var/log/dovecot-deliver.log
 info_log_path = /var/log/dovecot-deliver.log
 rejection_reason = Your message to<%t> was automatically rejected:%n%r
}
protocol managesieve {
  sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
  sieve_storage = /data/vmail/domains/%d/%n/sieve
  login_executable = /usr/local/libexec/dovecot/managesieve-login
  mail_executable = /usr/local/libexec/dovecot/managesieve
}
#for users logging in without @domain.tld
auth_default_realm = example.com
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
 mechanisms = plain login
 socket listen {
 #it looks like the user 'vmail' is also the user postfix has to call deliver as
       master {
           path = /var/run/dovecot/auth-master
           mode = 0600
           user = vmail
       }
 # socket used by postfix smtp auth/sasl, in queue_directory 
       client {
           path = /var/spool/postfix/private/auth
           mode = 0660
           user = postfix
           group = postfix
       }
 } 
 passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
 }
 userdb prefetch {
 }
 userdb ldap {
     args = /usr/local/etc/dovecot-ldap.conf
 }
 user = vmail
}
dict {
 #quota = mysql:/usr/local/etc/dovecot-dict-quota.conf
}
plugin {
   quota = maildir:User quota
   quota_rule = *:storage=100M
   quota_rule2 = Trash:storage=10M
   
   quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
   quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90
   quota_warning3 = storage=80%% /usr/local/bin/quota-warning.sh 80    

sieve = /data/vmail/domains/%d/%n/.dovecot.sieve

}

quota-warning.sh

dovecot-nowarning.conf is same as dovecot.conf, without the quota_warning* lines

#!/bin/sh
PERCENT=$1
cat << EOF | /usr/local/libexec/dovecot/deliver -d $USER -c /usr/local/etc/dovecot-nowarning.conf
From: postmaster@domain.com 
Subject: quota warning
Your mailbox is now $PERCENT% full.
EOF

Postfix

main.cf

#generic postfix config skipped
disable_vrfy_command  = yes
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com

#milters
milter_connect_macros = b j _ {daemon_name} {if_name} {if_addr}
#first one is called first, assuming all these milters have been installed
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, unix:/var/run/milter-regex/sock, unix:/var/run/clamav/clmilter.sock, unix:/var/run/spamass-milter.sock
milter_default_action = accept
#probably not needed when ldap is running 
mydestination = $myhostname, acme.com, localhost.$mydomain, localhost.localdomain
virtual_mailbox_domains = example.com, acme.com
virtual_mailbox_base = /vmail
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-users.cf

dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#this makes sure alias gets rewritten even before passed to milter
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-aliases.cf
virtual_create_maildirsize = yes
#
#local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
local_recipient_maps = $alias_maps $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
#i'm behind a NAT :)
mynetworks_style = subnet
alias_maps = hash:/etc/aliases,ldap:/usr/local/etc/postfix/ldap-aliases.cf
#this is not needed
#home_mailbox = Maildir/
#don't think this will be used when all's well
mail_spool_directory = /var/mail
debug_peer_level = 1
message_size_limit = 5000000

ldap-users.cf

#maybe part of this is redundant, but at least clear
bind = no
version = 3
timeout = 20
debuglevel = 0
size_limit = 1
expansion_limit = 0
start_tls = no
tls_require_cert = no
server_host = ldap://localhost
scope = sub
search_base = o=ldap
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
 result_attribute = mail

ldap-aliases.cf

bind = no
version = 3
timeout = 20
size_limit = 1
expansion_limit = 1
start_tls = no
tls_require_cert = no
scope = sub
query_filter = mailAlternateAddress=%s
result_attribute = mail
server_host = ldap://localhost
search_base = o=ldap

master.cf

#the entire master.cf can be left as is, just add:
dovecot   unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Squirrelmail

See squirrelmail and dovecot


Tips & tricks

Disallow imap

Use authldap.schema, 'disableimap'


Notes

  • Check out authldap.schema!!!


Useful reading