Dovecot postfix ldap: Difference between revisions
m (→Dovecot) |
m (→dovecot.conf) |
(33 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
=Project Goal= | |||
A mailserver handling virtual mail accounts in multiple domains. | |||
=Implementation= | |||
A mailserver running dovecot, postfix, ldap and squirrelmail, with virtual domains and users. | |||
=Global variables and paths used= | |||
==Variables== | |||
===Primary domain=== | |||
example.com | |||
===Second domain=== | |||
acme.com | |||
===Hostname=== | |||
mail.example.com | |||
==Files and paths== | |||
===/etc/passwd=== | |||
(on debian 101 is already taken by postfix!) | |||
vmail:*:101:101:vmail user:/vmail:/bin/sh | |||
===Mail storage=== | |||
mkdir -p /vmail/domains/ | |||
chown vmail /vmail/domains/ | |||
chmod 700 /vmail/domains/ | |||
===/etc/group=== | |||
vmail:*:101: | |||
===/var/run/dovecot/=== | |||
owned by root | |||
=LDAP= | =LDAP= | ||
For the per | For the per user mail quota and aliases i added schema qmail.schema to slapd.conf, with some small alterations: | ||
http://dhits.nl/download/qmail.new.schema | http://dhits.nl/download/qmail.new.schema | ||
==dn's used== | |||
===ldap root=== | |||
o=ldap | |||
===ldap admin=== | |||
dc=root,o=ldap | |||
===domain root=== | |||
o=users,dc=example,dc=com,o=ldap | |||
==slapd.conf== | |||
#this one is needed by qmail schema | |||
include /usr/local/etc/openldap/schema/misc.schema | |||
include /usr/local/etc/openldap/schema/qmail.new.schema | include /usr/local/etc/openldap/schema/qmail.new.schema | ||
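Review bot: The vmail service account introduced at the top of this hunk (`vmail:*:101:101:vmail user:/vmail:/bin/sh`) gets an interactive login shell although nothing on the page needs one for it: deliver is exec'd by Postfix's pipe transport and quota-warning.sh by Dovecot. Use `vmail:*:101:101:vmail user:/vmail:/usr/sbin/nologin` (or `/bin/false`) so a compromised service uid cannot be turned into a shell; the `*` in the password field already blocks password logins. The uid note about Debian's postfix user is useful and should stay.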
Line 16: | Line 66: | ||
by * read | by * read | ||
access to attrs=entry | access to attrs=entry | ||
by self write | by self write | ||
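Review bot: The `by * read` clause that opens this hunk grants read on the attribute of the rule it closes to every authenticated directory user; the rest of the page shows that rule as `access to attrs=userPassword`, and if that is the case here, any mail user can dump everybody's SSHA password hashes for offline cracking. Change it to `by * none`, and because dovecot-ldap.conf in this revision shows no dn/dnpass (an anonymous bind, which under `by anonymous auth` cannot read the attribute either), give Dovecot a dedicated bind DN with its own `by dn.exact=<dovecot bind dn> read` clause, or switch it to auth_bind. The `access to attrs=entry` rule begins on the last two lines but its remaining clauses are outside the hunk.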
Line 24: | Line 74: | ||
=Dovecot= | =Dovecot= | ||
dovecot-ldap.conf | ==dovecot-ldap.conf== | ||
ldap_version = 3 | ldap_version = 3 | ||
base = o=ldap | base = o=ldap | ||
user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home= | #http://wiki.dovecot.org/Variables | ||
user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/vmail/domains/%d/%n/Maildir | |||
user_filter = (&(objectClass=inetOrgPerson)(mail=%u)) | user_filter = (&(objectClass=inetOrgPerson)(mail=%u)) | ||
pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home= | pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/vmail/domains/%d/%n/Maildir,mail=userdb_user | ||
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u)) | pass_filter = (&(objectClass=inetOrgPerson)(mail=%u)) | ||
default_pass_scheme = SSHA | default_pass_scheme = SSHA | ||
dovecot.conf | ==dovecot.conf== | ||
base_dir = /var/run/dovecot/ | base_dir = /var/run/dovecot/ | ||
login_dir = /var/run/dovecot/login | |||
#the protocols used | |||
protocols = imap imaps pop3 managesieve | protocols = imap imaps pop3 managesieve | ||
mail_uid = 101 | mail_uid = 101 | ||
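Review bot: The two new attribute maps read the same LDAP attribute in different units: `mailQuota=quota_rule=*:storage=%$` treats mailQuota as kilobytes (Dovecot's unit for storage=), while `mailQuota=userdb_quota_rule=*:bytes=%$` treats it as bytes. Since deliver gets its limit from the userdb lookup and IMAP logins get theirs from the prefetched passdb fields, the two paths will enforce limits that differ by roughly a factor of 1000; pick the unit the directory actually stores and use it in both, e.g. `mailQuota=quota_rule=*:bytes=%$`. Note also that no hosts/dn/dnpass are set, so this passdb binds anonymously and the slapd ACL must let anonymous read userPassword for it to work at all.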
Line 42: | Line 95: | ||
ssl_cert_file = /etc/ssl/certs/dovecot.pem | ssl_cert_file = /etc/ssl/certs/dovecot.pem | ||
ssl_key_file = /etc/ssl/private/dovecot.pem | ssl_key_file = /etc/ssl/private/dovecot.pem | ||
mail_location = maildir: | mail_location = maildir:/vmail/domains/%d/%n/Maildir | ||
mail_privileged_group = mail | mail_privileged_group = mail | ||
mail_debug = yes | mail_debug = yes | ||
Line 50: | Line 103: | ||
first_valid_gid = 101 | first_valid_gid = 101 | ||
last_valid_gid = 101 | last_valid_gid = 101 | ||
protocol imap { | protocol imap { | ||
mail_plugins = quota imap_quota | mail_plugins = quota imap_quota | ||
Line 64: | Line 118: | ||
plugins = quota | plugins = quota | ||
mail_plugins = cmusieve quota | mail_plugins = cmusieve quota | ||
sieve_global_path = /data/vmail/domains/.dovecot.sieve | sieve_global_path = /data/vmail/domains/.dovecot.sieve | ||
mail_plugin_dir = /usr/local/lib/dovecot/imap | mail_plugin_dir = /usr/local/lib/dovecot/imap | ||
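Review bot: `sieve_global_path = /data/vmail/domains/.dovecot.sieve` points into a different tree than the mail store: earlier in this revision `mail_location` and the LDAP home are `/vmail/domains/...`. Unless /vmail is a symlink to /data/vmail, the global script will never be found and the per-user sieve tree must be created and kept writable by vmail outside the mail store. Use one root, e.g. `sieve_global_path = /vmail/domains/.dovecot.sieve`, and do the same for the `sieve`/`sieve_storage` paths in the managesieve and plugin sections. The enclosing `protocol lda {` block starts and ends outside this hunk.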
Line 82: | Line 135: | ||
#for users logging in without @domain.tld | #for users logging in without @domain.tld | ||
auth_default_realm = example.com | auth_default_realm = example.com | ||
auth_verbose = no | auth_verbose = no | ||
auth_debug = no | auth_debug = no | ||
Line 90: | Line 142: | ||
mechanisms = plain login | mechanisms = plain login | ||
socket listen { | socket listen { | ||
#it looks like the user 'vmail' is also the user postfix has to call deliver as | |||
master { | master { | ||
path = /var/run/dovecot/auth-master | path = /var/run/dovecot/auth-master | ||
mode = | mode = 0600 | ||
user = vmail | user = vmail | ||
} | } | ||
# socket used by postfix smtp auth/sasl, in queue_directory | |||
client { | client { | ||
path = /var/spool/postfix/private/auth | path = /var/spool/postfix/private/auth | ||
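Review bot: The comment added above `master {` ("it looks like the user 'vmail' is also the user postfix has to call deliver as") reads as a guess and does not say why the socket is restricted, while this revision's master.cf already pins `user=vmail:vmail` for deliver. Suggest replacing it with `# auth-master socket: userdb lookups for deliver, which master.cf runs as vmail:vmail. It answers lookups for any user, hence mode 0600 and owned by vmail only.` so the `mode = 0600` / `user = vmail` lines below it are explained. The client socket's mode and owner lines fall outside this hunk, as does the start of the enclosing `auth default {` block.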
Line 105: | Line 159: | ||
args = /usr/local/etc/dovecot-ldap.conf | args = /usr/local/etc/dovecot-ldap.conf | ||
} | } | ||
userdb prefetch { | userdb prefetch { | ||
} | } | ||
Line 121: | Line 174: | ||
quota_rule = *:storage=100M | quota_rule = *:storage=100M | ||
quota_rule2 = Trash:storage=10M | quota_rule2 = Trash:storage=10M | ||
quota_warning = storage= | |||
quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95 | |||
quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90 | quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90 | ||
quota_warning3 = storage= | quota_warning3 = storage=80%% /usr/local/bin/quota-warning.sh 80 | ||
sieve = /data/vmail/domains/%d/%n/.dovecot.sieve | |||
} | } | ||
==quota-warning.sh== | |||
dovecot-nowarning.conf is same as dovecot.conf, without the quota_warning* lines | |||
#!/bin/sh | |||
PERCENT=$1 | |||
cat << EOF | /usr/local/libexec/dovecot/deliver -d $USER -c /usr/local/etc/dovecot-nowarning.conf | |||
From: postmaster@domain.com | |||
Subject: quota warning | |||
Your mailbox is now $PERCENT% full. | |||
EOF | |||
=Postfix= | =Postfix= | ||
==main.cf== | |||
#generic postfix config skipped | |||
disable_vrfy_command = yes | |||
mail_owner = postfix | |||
myhostname = mail.example.com | |||
mydomain = example.com | |||
#milters | |||
milter_connect_macros = b j _ {daemon_name} {if_name} {if_addr} | |||
#first one is called first, assuming all these milters have been installed | |||
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, unix:/var/run/milter-regex/sock, unix:/var/run/clamav/clmilter.sock, unix:/var/run/spamass-milter.sock | |||
milter_default_action = accept | |||
#probably not needed when ldap is running | |||
mydestination = $myhostname, acme.com, localhost.$mydomain, localhost.localdomain | |||
virtual_mailbox_domains = example.com, acme.com | |||
virtual_mailbox_base = /vmail | |||
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-users.cf | |||
dovecot_destination_concurrency_limit = 1 | |||
dovecot_destination_recipient_limit = 1 | |||
virtual_transport = dovecot | |||
#this makes sure alias gets rewritten even before passed to milter | |||
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-aliases.cf | |||
virtual_create_maildirsize = yes | |||
# | |||
#local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps | |||
local_recipient_maps = $alias_maps $virtual_mailbox_maps | |||
unknown_local_recipient_reject_code = 550 | |||
#i'm behind a NAT :) | |||
mynetworks_style = subnet | |||
alias_maps = hash:/etc/aliases,ldap:/usr/local/etc/postfix/ldap-aliases.cf | |||
#this is not needed | |||
#home_mailbox = Maildir/ | |||
#don't think this will be used when all's well | |||
mail_spool_directory = /var/mail | |||
debug_peer_level = 1 | |||
message_size_limit = 5000000 | |||
==ldap-users.cf== | |||
#maybe part of this is redundant, but at least clear | |||
bind = no | |||
version = 3 | |||
timeout = 20 | |||
debuglevel = 0 | |||
size_limit = 1 | |||
expansion_limit = 0 | |||
start_tls = no | |||
tls_require_cert = no | |||
server_host = ldap://localhost | |||
scope = sub | |||
search_base = o=ldap | |||
query_filter = (|(mail=%s)(mailAlternateAddress=%s)) | |||
result_attribute = mail | |||
==ldap-aliases.cf== | |||
bind = no | |||
version = 3 | |||
timeout = 20 | |||
size_limit = 1 | |||
expansion_limit = 1 | |||
start_tls = no | |||
tls_require_cert = no | |||
scope = sub | |||
query_filter = mailAlternateAddress=%s | |||
result_attribute = mail | |||
server_host = ldap://localhost | |||
search_base = o=ldap | |||
==master.cf== | |||
#the entire master.cf can be left as is, just add: | |||
dovecot unix - n n - - pipe | |||
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient} | |||
=Squirrelmail= | |||
See [[squirrelmail and dovecot]] | |||
=Tips & tricks= | |||
==Disallow imap== | |||
Use authldap.schema, 'disableimap' | |||
=Notes= | |||
*Check out authldap.schema!!! | |||
=Useful reading= | |||
*http://jamm.sourceforge.net/howto/html/implementation.html |
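Review bot: In the new main.cf, acme.com is listed in both `mydestination` and `virtual_mailbox_domains`; Postfix requires each domain in exactly one address class (it logs "do not list domain ... in BOTH mydestination and virtual_mailbox_domains") and, as far as I can tell, resolves mydestination first, so acme.com mail would go to local(8) instead of the dovecot transport. Drop it: `mydestination = $myhostname, localhost.$mydomain, localhost.localdomain`. Two smaller points in the same hunk: quota-warning.sh sends from `postmaster@domain.com` while everything else on the page uses example.com, and `deliver -d $USER` and `PERCENT=$1` should be quoted. `milter_default_action = accept` also fails open when the ClamAV or SpamAssassin milter is down; that may be intended, but it deserves a comment.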
Latest revision as of 17:35, 16 October 2011
Project Goal
A mailserver handling virtual mail accounts in multiple domains.
Implementation
A mailserver running dovecot, postfix, ldap and squirrelmail, with virtual domains and users.
Global variables and paths used
Variables
Primary domain
example.com
Second domain
acme.com
Hostname
mail.example.com
Files and paths
/etc/passwd
(On Debian, uid/gid 101 is already taken by postfix, so pick a free id and use that same number consistently in /etc/group and in the mail_uid/mail_gid and *_valid_uid/*_valid_gid settings in dovecot.conf.) Because vmail is a service account that never logs in, give it a non-interactive shell such as /usr/sbin/nologin instead of /bin/sh; the `*` in the password field already locks password logins.
vmail:*:101:101:vmail user:/vmail:/bin/sh
Mail storage
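# Create the virtual mailbox root. deliver runs as vmail:vmail (see master.cf),
# so set the group as well instead of leaving it as root; mode 700 keeps every
# other local account out of all users' mail. Per-domain/per-user directories
# are created below this by deliver itself.
mkdir -p /vmail/domains/
chown vmail:vmail /vmail/domains/
chmod 700 /vmail/domains/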
/etc/group
vmail:*:101:
/var/run/dovecot/
owned by root
LDAP
For the per-user mail quota and aliases I added qmail.schema to slapd.conf, with some small alterations: http://dhits.nl/download/qmail.new.schema (review the downloaded schema and keep the reviewed copy locally under /usr/local/etc/openldap/schema/, which is where slapd.conf includes it from).
dn's used
ldap root
o=ldap
ldap admin
dc=root,o=ldap
domain root
o=users,dc=example,dc=com,o=ldap
slapd.conf
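# misc.schema is needed by qmail.new.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/qmail.new.schema

# Users may change their own password (SquirrelMail change-password plugin);
# anonymous may only bind against it. Nobody else may read the hashes: the
# original "by * read" let every authenticated directory user pull all SSHA
# password hashes for offline cracking.
# NOTE(review): dovecot-ldap.conf on this page shows no dn/dnpass, i.e. an
# anonymous bind, which under this rule cannot read userPassword for the
# passdb lookup. Either give Dovecot its own bind DN and add a
# "by dn.exact=<dovecot bind dn> read" clause above "by * none", or switch
# Dovecot to auth_bind. Keep this rule before the "access to *" catch-all:
# slapd uses the first "access to" clause that matches.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none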
To allow users to maintain their own mail aliases via SquirrelMail (note that nothing in these rules restricts which addresses a user may claim as an alias):
# Self-service aliases: a user may edit their own mailAlternateAddress.
# NOTE(review): ldap-aliases.cf on this page makes mailAlternateAddress
# authoritative for Postfix's virtual_alias_maps, and nothing here constrains
# the value, so a user can add another user's address (or postmaster@) as an
# alias and have that mail rewritten to themselves; a second entry matching
# the same address also trips size_limit = 1 in the Postfix lookup. Consider
# slapo-unique / slapo-constraint over mail and mailAlternateAddress -- verify.
access to attrs=mailAlternateAddress
    by self write
    by * read
# Write on the "entry" pseudo-attribute is what the self-service modifies
# above are checked against; presumably it also lets a user delete their own
# entry -- confirm that is acceptable.
access to attrs=entry
    by self write
    by * read
# Everything else (mailQuota, aliases, ...) is world-readable; the bind = no
# lookups in the Postfix ldap-*.cf files rely on this anonymous read.
access to *
    by * read
Dovecot
dovecot-ldap.conf
ldap_version = 3
base = o=ldap
# No hosts/dn/dnpass given: Dovecot connects to the default (localhost) and
# binds anonymously, so the slapd ACL must let anonymous read every attribute
# named below, userPassword included -- or add dn/dnpass for a dedicated
# read-only bind account and grant only that account read on userPassword.
# Variable reference: http://wiki.dovecot.org/Variables
# userdb: %n = local part, %d = domain; mailQuota from the qmail schema becomes
# the per-user quota_rule; home is set to the Maildir itself.
user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/vmail/domains/%d/%n/Maildir
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# passdb: Dovecot verifies the hash from userPassword itself; the userdb_*
# fields are prefetched so "userdb prefetch" in dovecot.conf can skip a second
# lookup on login.
# NOTE(review): storage= is in kilobytes and bytes= in bytes, yet both read the
# same mailQuota value; deliver uses the userdb rule and IMAP logins the
# prefetched one, so the two enforce different limits -- confirm the unit the
# directory stores and use it in both places.
pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/vmail/domains/%d/%n/Maildir,mail=userdb_user
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# hashes stored without a {SCHEME} prefix are taken to be SSHA
default_pass_scheme = SSHA
dovecot.conf
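base_dir = /var/run/dovecot/
login_dir = /var/run/dovecot/login
# the protocols used; pop3 and managesieve have no dedicated TLS port here and
# rely on STARTTLS/STLS
protocols = imap imaps pop3 managesieve
# every virtual user is mapped onto the single vmail uid/gid
mail_uid = 101
mail_gid = 101
# Refuse PLAIN/LOGIN on unencrypted connections. With "no", anyone on the
# plain imap/pop3 ports could send their directory password in clear text.
# Dovecot still treats connections from localhost as secure, so a webmail
# (SquirrelMail) talking to IMAP on this box keeps working.
disable_plaintext_auth = yes
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = maildir:/vmail/domains/%d/%n/Maildir
# only matters for mbox locking in /var/mail; harmless with Maildir
mail_privileged_group = mail
# left on while setting up; it is chatty, turn it off once things work
mail_debug = yes
verbose_proctitle = no
# no uid/gid other than vmail may ever be used for mail access
first_valid_uid = 101
last_valid_uid = 101
first_valid_gid = 101
last_valid_gid = 101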
protocol imap {
  # quota enforcement plus the IMAP QUOTA extension so clients can show usage
  mail_plugins = quota imap_quota
  # compatibility shims for various clients; harmless for clients that do not need them
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  # quota enforcement for POP3 sessions as well
  mail_plugins = quota
  # compatibility shims for Outlook / Outlook Express / Netscape
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  # sender of bounces/rejections generated by deliver
  postmaster_address = postmaster@example.com
  plugins = quota
  # cmusieve runs the per-user sieve script, quota enforces mailQuota on delivery
  mail_plugins = cmusieve quota
  # NOTE(review): the sieve paths live under /data/vmail/domains while
  # mail_location and the LDAP home are /vmail/domains -- unless /vmail is a
  # symlink to /data/vmail the global script is never found, and the per-user
  # script tree sits outside the mail store and must exist, writable by vmail.
  sieve_global_path = /data/vmail/domains/.dovecot.sieve
  mail_plugin_dir = /usr/local/lib/dovecot/imap
  # used by deliver for mail it sends itself (rejections, sieve redirects);
  # this goes back through Postfix and therefore through the milters
  sendmail_path = /usr/local/sbin/sendmail
  log_path = /var/log/dovecot-deliver.log
  info_log_path = /var/log/dovecot-deliver.log
  # %t = recipient, %r = reason; presumably %r carries the text a user put in
  # a sieve "reject", so it is user-controlled
  rejection_reason = Your message to<%t> was automatically rejected:%n%r
}
protocol managesieve {
  # NOTE(review): these paths are under /data/vmail/domains while the mail
  # store (mail_location) is /vmail/domains; confirm /vmail -> /data/vmail or
  # align them. As written, scripts are stored outside the mail store in a
  # tree that must already exist and be writable by vmail.
  sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
  sieve_storage = /data/vmail/domains/%d/%n/sieve
  login_executable = /usr/local/libexec/dovecot/managesieve-login
  mail_executable = /usr/local/libexec/dovecot/managesieve
}
#for users logging in without @domain.tld
# a bare user name is taken to be user@example.com, so acme.com users must
# log in with their full address
auth_default_realm = example.com
# keep auth logging quiet in production; auth_debug_passwords = yes would
# write cleartext passwords into the log
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
  # PLAIN and LOGIN carry the password in clear; they are only safe over TLS
  # (see disable_plaintext_auth) or on the local SASL socket below
  mechanisms = plain login
  socket listen {
    # auth-master socket: userdb lookups for deliver, which master.cf runs as
    # vmail:vmail. It answers lookups for any user, hence mode 0600 and owned
    # by vmail only -- keep other local accounts away from it.
    master {
      path = /var/run/dovecot/auth-master
      mode = 0600
      user = vmail
    }
    # SASL socket for Postfix smtpd authentication; placed inside the Postfix
    # queue directory so a chrooted smtpd can still reach it (presumably why
    # it is not under base_dir)
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
  passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  # on login, reuse the userdb_* fields the passdb lookup already returned ...
  userdb prefetch {
  }
  # ... and do a real userdb query for deliver, which performs no passdb lookup
  userdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  # the auth process itself runs as vmail
  user = vmail
}
dict {
  # dictionary-backed quota was not used; the quota is kept in maildirsize
  #quota = mysql:/usr/local/etc/dovecot-dict-quota.conf
}
plugin {
  # quota is tracked in each Maildir's maildirsize file
  quota = maildir:User quota
  # default limit; the per-user mailQuota from LDAP overrides it
  quota_rule = *:storage=100M
  # NOTE(review): mailbox-specific rules are usually written relative
  # ("Trash:storage=+10M", extra room so users can delete mail when full);
  # confirm what this absolute 10M for Trash is meant to do.
  quota_rule2 = Trash:storage=10M
  # quota-warning.sh runs as the mail user and relies on USER being set in its
  # environment; it delivers with a config that has no quota_warning lines so
  # the warning cannot trigger itself
  quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
  quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90
  quota_warning3 = storage=80%% /usr/local/bin/quota-warning.sh 80
  # per-user sieve script read by deliver (same /data/vmail tree as managesieve)
  sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
}
quota-warning.sh
dovecot-nowarning.conf is the same as dovecot.conf without the quota_warning* lines; the script delivers with it so that the warning mail cannot itself trigger another quota warning.
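#!/bin/sh
# Called by Dovecot's quota_warning rules as the mail user: $1 is the
# percentage from the rule, USER is the mailbox owner Dovecot puts in the
# environment. Delivery uses dovecot-nowarning.conf (dovecot.conf minus the
# quota_warning* lines) so the warning cannot trigger another warning.
set -u
PERCENT="$1"
# accept only a plain number; anything else is a misconfigured rule
case "$PERCENT" in
    ''|*[!0-9]*) echo "quota-warning.sh: bad percentage '$PERCENT'" >&2; exit 1 ;;
esac
# deliver straight into the mailbox, bypassing Postfix and the milters;
# From uses this site's domain (was postmaster@domain.com, a foreign domain)
cat << EOF | /usr/local/libexec/dovecot/deliver -d "$USER" -c /usr/local/etc/dovecot-nowarning.conf
From: postmaster@example.com
Subject: quota warning

Your mailbox is now $PERCENT% full.
EOF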
Postfix
main.cf
#generic postfix config skipped
# VRFY would let anyone enumerate valid mailboxes out of the LDAP directory
disable_vrfy_command = yes
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
#milters
milter_connect_macros = b j _ {daemon_name} {if_name} {if_addr}
#first one is called first, assuming all these milters have been installed
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, unix:/var/run/milter-regex/sock, unix:/var/run/clamav/clmilter.sock, unix:/var/run/spamass-milter.sock
# NOTE(review): "accept" fails open -- if the ClamAV or SpamAssassin milter is
# down or times out, mail is accepted unscanned. The Postfix default, tempfail,
# defers the mail instead; decide which failure mode you want before going live.
milter_default_action = accept
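# Domains delivered by local(8) (/etc/aliases, system accounts). acme.com was
# removed from here: it is also listed in virtual_mailbox_domains, and Postfix
# requires a domain in only one of mydestination / virtual_mailbox_domains /
# virtual_alias_domains (it logs "do not list domain ... in BOTH ..."); as the
# mydestination match is checked first, acme.com mail would otherwise be
# resolved to local(8) instead of the dovecot transport.
mydestination = $myhostname, localhost.$mydomain, localhost.localdomain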
# domains whose mailboxes live in LDAP; none of these may also be in mydestination
virtual_mailbox_domains = example.com, acme.com
# not used once virtual_transport = dovecot is in effect; kept for virtual(8)
virtual_mailbox_base = /vmail
# recipient validation at SMTP time: mail or mailAlternateAddress must exist in LDAP
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-users.cf
# deliver handles exactly one recipient per invocation
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#this makes sure alias gets rewritten even before passed to milter
# NOTE(review): whoever can write mailAlternateAddress in LDAP (every user,
# for their own entry, under the slapd ACL on this page) decides where mail
# for that address is delivered.
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-aliases.cf
virtual_create_maildirsize = yes
#
#local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
# unix:passwd.byname left out, presumably on purpose: with it every /etc/passwd
# account would be a valid recipient
local_recipient_maps = $alias_maps $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
#i'm behind a NAT :)
# NOTE(review): "subnet" trusts every host on the interface's subnet, which is
# what permit_mynetworks (in the skipped restrictions, presumably) uses to
# allow relaying. On a shared LAN or cloud network that is an open relay for
# the neighbours; prefer an explicit "mynetworks = 127.0.0.0/8, <your lan>".
mynetworks_style = subnet
# aliases for local(8) delivery consult /etc/aliases and then LDAP
alias_maps = hash:/etc/aliases,ldap:/usr/local/etc/postfix/ldap-aliases.cf
#this is not needed
#home_mailbox = Maildir/
#don't think this will be used when all's well
mail_spool_directory = /var/mail
debug_peer_level = 1
# about 5 MB; larger messages are rejected at SMTP time
message_size_limit = 5000000
ldap-users.cf
#maybe part of this is redundant, but at least clear
# anonymous bind: the slapd ACL must allow anonymous read on mail and
# mailAlternateAddress (the "access to * by * read" catch-all does)
bind = no
version = 3
timeout = 20
debuglevel = 0
# a recipient should match exactly one entry; if more match, the server
# reports the size limit exceeded and Postfix treats the lookup as a
# temporary error (mail deferred), presumably -- see the alias ACL note
size_limit = 1
expansion_limit = 0
# plaintext LDAP is only acceptable because slapd is on loopback; if the
# directory ever moves off this host, set start_tls = yes and
# tls_require_cert = yes (and bind with a dedicated account)
start_tls = no
tls_require_cert = no
server_host = ldap://localhost
scope = sub
search_base = o=ldap
# %s is the full recipient address; Postfix applies RFC 2254 quoting to it
# before substitution, so the address cannot inject filter metacharacters
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
# the canonical mailbox address, whichever attribute matched
result_attribute = mail
ldap-aliases.cf
# anonymous bind, same ACL requirement as ldap-users.cf
bind = no
version = 3
timeout = 20
# an alias must resolve to exactly one mailbox; more than one result is a
# lookup error, so two entries claiming the same alias break mail for it
size_limit = 1
expansion_limit = 1
# loopback only; enable start_tls/tls_require_cert if slapd moves off-host
start_tls = no
tls_require_cert = no
scope = sub
# NOTE(review): this makes mailAlternateAddress authoritative for rewriting;
# the slapd ACL on this page lets users set it on their own entry without any
# restriction on the value. %s is RFC 2254-quoted by Postfix.
query_filter = mailAlternateAddress=%s
result_attribute = mail
server_host = ldap://localhost
search_base = o=ldap
master.cf
#the entire master.cf can be left as is, just add:
# The "dovecot" transport named by virtual_transport in main.cf. pipe(8)
# passes ${sender} and ${recipient} as separate argv words, not through a
# shell, so an address cannot inject shell syntax. Flags: D prepends
# Delivered-To, R prepends Return-Path, h and u lowercase the recipient's
# domain part and local part before deliver looks the user up in LDAP.
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
Squirrelmail
Tips & tricks
Disallow imap
Use authldap.schema, 'disableimap'
Notes
- Check out authldap.schema!!!