Dovecot postfix ldap: Difference between revisions

mNo edit summary
 
(31 intermediate revisions by the same user not shown)
Line 1: Line 1:
=Project Goal=
A mailserver handling virtual mail accounts in multiple domains.
=Implementation=
A mailserver running dovecot, postfix, ldap and squirrelmail, with virtual domains and users.
=Global variables and paths used=
=Global variables and paths used=
==Variables==
===Primary domain===
example.com


==Primary domain==
===Second domain===
  example.com
  acme.com


==Mail storage==
===Hostname===
  /vmail
  mail.example.com


==/etc/passwd==
==Files and paths==
===/etc/passwd===
(on debian 101 is already taken by postfix!)
  vmail:*:101:101:vmail user:/vmail:/bin/sh
  vmail:*:101:101:vmail user:/vmail:/bin/sh


==/etc/group==
===Mail storage===
mkdir -p /vmail/domains/
chown vmail /vmail/domains/
chmod 700 /vmail/domains/
 
===/etc/group===
  vmail:*:101:
  vmail:*:101:


===/var/run/dovecot/===
owned by root


=LDAP=
=LDAP=
For the per use mail quota and aliases i added schema qmail.schema to slapd.conf, with some small alterations:
For the per user mail quota and aliases i added schema qmail.schema to slapd.conf, with some small alterations:
http://dhits.nl/download/qmail.new.schema
http://dhits.nl/download/qmail.new.schema
==dn's used==
===ldap root===
o=ldap
===ldap admin===
dc=root,o=ldap
===domain root===
  o=users,dc=example,dc=com,o=ldap


==slapd.conf==
==slapd.conf==
#this one is needed by qmail schema
include        /usr/local/etc/openldap/schema/misc.schema
  include        /usr/local/etc/openldap/schema/qmail.new.schema
  include        /usr/local/etc/openldap/schema/qmail.new.schema
   
   
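Review bot: The vmail service account in the /etc/passwd entry keeps an interactive shell, `vmail:*:101:101:vmail user:/vmail:/bin/sh`; nothing on the page needs one (master.cf execs deliver directly through pipe(8), and quota-warning.sh carries its own shebang), so `/usr/sbin/nologin` or `/bin/false` (whichever the OS provides) is the safer default for a mail-owner account. The `*` password field already blocks password logins; a non-login shell also closes the su / key-based path to that uid. The same entry is repeated unchanged in the old and new side of this hunk, so this is a pre-existing choice rather than something the revision introduces.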
Line 32: Line 66:
         by * read
         by * read


???
 
  access to attrs=entry
  access to attrs=entry
         by self write
         by self write
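Review bot: The `by * read` that opens this hunk closes an `access to` rule whose head lies outside the hunk; the rendered revision below shows it is the userPassword rule, so once `by anonymous auth` has matched anonymous binds, every authenticated DN can read every user's SSHA hash, which is an offline-cracking exposure. That breadth appears to exist only because dovecot-ldap.conf (the `Line 43: Line 77:` hunk) reads `userPassword=password` through pass_attrs and shows no bind dn; a dedicated Dovecot bind identity with `by dn.exact="<dovecot bind dn>" read` followed by `by * none`, or `auth_bind = yes` in dovecot-ldap.conf so the hash is never read at all, would close it. The removed `???` line suggests this rule was still being worked out when the revision was made.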
Line 43: Line 77:
  ldap_version = 3
  ldap_version = 3
  base = o=ldap
  base = o=ldap
  user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/data/vmail/domains/%d/%n/Maildir
#http://wiki.dovecot.org/Variables
  user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/vmail/domains/%d/%n/Maildir
  user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
  user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
  pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/data/vmail/domains/%d/%n/Maildir,mail=userdb_user
  pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/vmail/domains/%d/%n/Maildir,mail=userdb_user
  pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
  pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
  default_pass_scheme = SSHA
  default_pass_scheme = SSHA
Line 51: Line 86:
==dovecot.conf==
==dovecot.conf==
  base_dir = /var/run/dovecot/
  base_dir = /var/run/dovecot/
login_dir = /var/run/dovecot/login
#the protocols used
  protocols = imap imaps pop3 managesieve
  protocols = imap imaps pop3 managesieve
  mail_uid = 101
  mail_uid = 101
Line 58: Line 95:
  ssl_cert_file = /etc/ssl/certs/dovecot.pem
  ssl_cert_file = /etc/ssl/certs/dovecot.pem
  ssl_key_file = /etc/ssl/private/dovecot.pem
  ssl_key_file = /etc/ssl/private/dovecot.pem
  mail_location = maildir:/data/vmail/domains/%d/%n/Maildir
  mail_location = maildir:/vmail/domains/%d/%n/Maildir
  mail_privileged_group = mail
  mail_privileged_group = mail
  mail_debug = yes
  mail_debug = yes
Line 66: Line 103:
  first_valid_gid = 101
  first_valid_gid = 101
  last_valid_gid = 101
  last_valid_gid = 101
  protocol imap {
  protocol imap {
     mail_plugins = quota imap_quota
     mail_plugins = quota imap_quota
Line 80: Line 118:
   plugins = quota
   plugins = quota
   mail_plugins = cmusieve quota
   mail_plugins = cmusieve quota
   sieve_global_path = /data/vmail/domains/.dovecot.sieve
   sieve_global_path = /data/vmail/domains/.dovecot.sieve
   mail_plugin_dir = /usr/local/lib/dovecot/imap
   mail_plugin_dir = /usr/local/lib/dovecot/imap
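Review bot: `sieve_global_path` still points at `/data/vmail/domains/.dovecot.sieve` while this revision moves mail_location, user_attrs and pass_attrs from /data/vmail to /vmail; the same leftover appears on the `sieve = /data/vmail/...` lines of the `Line 137: Line 174:` hunk and in the managesieve block of the rendered revision. Unless the sieve tree deliberately lives elsewhere, `sieve_global_path = /vmail/domains/.dovecot.sieve` is what the rest of the page implies — the setup step only creates /vmail/domains/. The `protocol lda` block this line sits in begins outside the hunk.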
Line 98: Line 135:
  #for users logging in without @domain.tld
  #for users logging in without @domain.tld
  auth_default_realm = example.com
  auth_default_realm = example.com
  auth_verbose = no
  auth_verbose = no
  auth_debug = no
  auth_debug = no
Line 106: Line 142:
   mechanisms = plain login
   mechanisms = plain login
   socket listen {
   socket listen {
  #it looks like the user 'vmail' is also the user postfix has to call deliver as
         master {
         master {
             path = /var/run/dovecot/auth-master
             path = /var/run/dovecot/auth-master
             mode = 0666
             mode = 0600
             user = vmail
             user = vmail
         }
         }
  # socket used by postfix smtp auth/sasl, in queue_directory
         client {
         client {
             path = /var/spool/postfix/private/auth
             path = /var/spool/postfix/private/auth
Line 121: Line 159:
     args = /usr/local/etc/dovecot-ldap.conf
     args = /usr/local/etc/dovecot-ldap.conf
   }
   }
   userdb prefetch {
   userdb prefetch {
   }
   }
Line 137: Line 174:
     quota_rule = *:storage=100M
     quota_rule = *:storage=100M
     quota_rule2 = Trash:storage=10M
     quota_rule2 = Trash:storage=10M
     quota_warning = storage=80%% /usr/local/bin/quota-warning.sh 80
   
     quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
     quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90
     quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90
     quota_warning3 = storage=95%% /usr/local/bin/quota-warning.sh 95
     quota_warning3 = storage=80%% /usr/local/bin/quota-warning.sh 80   
    sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
  }
  }
==quota-warning.sh==
dovecot-nowarning.conf is same as dovecot.conf, without the quota_warning* lines
#!/bin/sh
PERCENT=$1
cat << EOF | /usr/local/libexec/dovecot/deliver -d $USER -c /usr/local/etc/dovecot-nowarning.conf
From: postmaster@domain.com
Subject: quota warning
Your mailbox is now $PERCENT% full.
EOF


=Postfix=
=Postfix=
==main.cf==
==main.cf==
#generic postfix config skipped
disable_vrfy_command  = yes
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com
#milters
milter_connect_macros = b j _ {daemon_name} {if_name} {if_addr}
#first one is called first, assuming all these milters have been installed
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, unix:/var/run/milter-regex/sock, unix:/var/run/clamav/clmilter.sock, unix:/var/run/spamass-milter.sock
milter_default_action = accept
#probably not needed when ldap is running
mydestination = $myhostname, acme.com, localhost.$mydomain, localhost.localdomain
virtual_mailbox_domains = example.com, acme.com
virtual_mailbox_base = /vmail
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-users.cf
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#this makes sure alias gets rewritten even before passed to milter
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-aliases.cf
virtual_create_maildirsize = yes
#
#local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
local_recipient_maps = $alias_maps $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
#i'm behind a NAT :)
mynetworks_style = subnet
alias_maps = hash:/etc/aliases,ldap:/usr/local/etc/postfix/ldap-aliases.cf
#this is not needed
#home_mailbox = Maildir/
#don't think this will be used when all's well
mail_spool_directory = /var/mail
debug_peer_level = 1
message_size_limit = 5000000
==ldap-users.cf==
#maybe part of this is redundant, but at least clear
bind = no
version = 3
timeout = 20
debuglevel = 0
size_limit = 1
expansion_limit = 0
start_tls = no
tls_require_cert = no
server_host = ldap://localhost
scope = sub
search_base = o=ldap
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
  result_attribute = mail
==ldap-aliases.cf==
bind = no
version = 3
timeout = 20
size_limit = 1
expansion_limit = 1
start_tls = no
tls_require_cert = no
scope = sub
query_filter = mailAlternateAddress=%s
result_attribute = mail
server_host = ldap://localhost
search_base = o=ldap
==master.cf==
#the entire master.cf can be left as is, just add:
dovecot  unix  -      n      n      -      -      pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}
=Squirrelmail=
See [[squirrelmail and dovecot]]
=Tips & tricks=
==Disallow imap==
Use authldap.schema, 'disableimap'
=Notes=
*Check out authldap.schema!!!
=Useful reading=
*http://jamm.sourceforge.net/howto/html/implementation.html
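Review bot: In main.cf, `acme.com` is listed in both `mydestination` and `virtual_mailbox_domains`; the local domain class (mydestination) takes precedence, so acme.com mail would be handed to local(8) instead of the `dovecot` virtual transport, and Postfix warns about a domain listed in both. The author's own comment calls that entry "probably not needed", so `mydestination = $myhostname, localhost.$mydomain, localhost.localdomain` looks like the intent. Two smaller points in the same hunk: `milter_default_action = accept` is fail-open (an unreachable ClamAV or spamass milter lets mail through unscanned, whereas the default `tempfail` defers it), and quota-warning.sh should quote the expansion, `-d "$USER"`, so the username is passed as a single argument.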

Latest revision as of 17:35, 16 October 2011

Project Goal

A mailserver handling virtual mail accounts in multiple domains.


Implementation

A mailserver running dovecot, postfix, ldap and squirrelmail, with virtual domains and users.

Global variables and paths used

Variables

Primary domain

example.com

Second domain

acme.com

Hostname

mail.example.com

Files and paths

/etc/passwd

(on Debian, uid 101 is already taken by postfix!)

vmail:*:101:101:vmail user:/vmail:/bin/sh

Mail storage

# Per-domain maildir root: mail_location in dovecot.conf and virtual_mailbox_base
# in main.cf both point under /vmail.
mkdir -p /vmail/domains/
# Owner is the vmail account (uid 101 in /etc/passwd above); the group is left as
# created, which the 700 below makes irrelevant.
chown vmail /vmail/domains/
# Only vmail may enter the tree; every Dovecot mail process runs as uid 101
# (first/last_valid_uid in dovecot.conf) and deliver is run as vmail from master.cf.
chmod 700 /vmail/domains/

/etc/group

vmail:*:101:

/var/run/dovecot/

owned by root

LDAP

For the per-user mail quota and aliases I added the qmail.schema to slapd.conf, with some small alterations: http://dhits.nl/download/qmail.new.schema

dn's used

ldap root

o=ldap

ldap admin

dc=root,o=ldap

domain root

 o=users,dc=example,dc=com,o=ldap


slapd.conf

#this one is needed by qmail schema
include         /usr/local/etc/openldap/schema/misc.schema
# Modified qmail schema (link above) supplying mailQuota and mailAlternateAddress.
include         /usr/local/etc/openldap/schema/qmail.new.schema

#users will be allowed to change password via squirrelmail
# Clauses are evaluated in order and the first matching "by" wins.
access to attrs=userPassword
       by self write
       # anonymous binds may only authenticate against the hash, not read it
       by anonymous auth
       # NOTE(review): this grants every *authenticated* DN read access to every user's
       # SSHA hash (offline-cracking exposure). It seems to exist because the passdb in
       # dovecot-ldap.conf below reads userPassword and shows no bind dn — confirm.
       # A dedicated Dovecot bind DN granted read here, followed by "by * none", or
       # auth_bind = yes on the Dovecot side, would avoid exposing hashes at all.
       by * read

To allow users to maintain mail aliases via squirrelmail:

# Self-service aliases: a user may edit the mailAlternateAddress values on their own
# entry; Postfix reads them anonymously (ldap-users.cf / ldap-aliases.cf use bind = no).
access to attrs=mailAlternateAddress
       by self write
       by * read


# NOTE(review): "entry" is the pseudo-attribute guarding the entry itself. self write
# here is presumably what lets the two self-service rules above succeed, but it may
# also permit a user to delete their own entry — verify against slapd.access(5).
access to attrs=entry
       by self write
       by * read
# Catch-all: everything not matched above is world-readable, which is what the
# anonymous Postfix lookups rely on.
access to * by * read

Dovecot

dovecot-ldap.conf

# Shared by passdb ldap and userdb ldap in dovecot.conf (both pass this file as args).
# NOTE(review): no dn / dnpass appear here, so the lookups presumably run as an anonymous
# bind — confirm; the slapd.conf ACL above only lets authenticated DNs read userPassword.
ldap_version = 3
base = o=ldap
#http://wiki.dovecot.org/Variables
# userdb lookup: mailQuota becomes the quota_rule, and the "=home=..." entry (leading "=")
# is a fixed value rather than an LDAP attribute. The purpose of the leading "%n,%Dd"
# fields is not clear from this page — verify against the Dovecot version in use.
user_attrs = %n,%Dd=user,mailQuota=quota_rule=*:storage=%$,=home=/vmail/domains/%d/%n/Maildir
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# passdb lookup: the stored hash is fetched (userPassword=password) and verified locally
# against default_pass_scheme, so the bind identity must be able to read userPassword.
# The userdb_* fields feed the "userdb prefetch" in dovecot.conf so a successful login
# needs no second LDAP query. auth_bind = yes would verify by binding as the user instead
# and remove the need to read hashes at all.
pass_attrs = mail=user,userPassword=password,mailQuota=userdb_quota_rule=*:bytes=%$,=userdb_home=/vmail/domains/%d/%n/Maildir,mail=userdb_user
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
# Scheme assumed for userPassword values that carry no {SCHEME} prefix.
default_pass_scheme = SSHA

dovecot.conf

# Runtime directory (owned by root, see "Files and paths" above); the auth-master socket lives here.
base_dir = /var/run/dovecot/
login_dir = /var/run/dovecot/login
#the protocols used
# imap and pop3 are listed without their TLS-only variants (only imaps is); see disable_plaintext_auth.
protocols = imap imaps pop3 managesieve
# The vmail uid/gid from /etc/passwd and /etc/group above; all mailboxes are owned by it.
mail_uid = 101
mail_gid = 101
# NOTE(review): "no" allows PLAIN/LOGIN (the only mechanisms enabled below) on non-TLS
# connections, so with plain imap and pop3 listed above, passwords can cross the network
# in clear. "yes" restricts plaintext auth to TLS-protected and local connections — confirm
# that "no" is intended.
disable_plaintext_auth = no
# TLS enabled with the certificate and key below.
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
# Per-user Maildir under the tree created by "Mail storage" above; %d = domain, %n = local part.
mail_location = maildir:/vmail/domains/%d/%n/Maildir
mail_privileged_group = mail
# Verbose mail-process logging; presumably left over from setup — noisy in production.
mail_debug = yes
verbose_proctitle = no
# Pin every mail process to the single vmail uid/gid; any other uid/gid is refused.
first_valid_uid = 101
last_valid_uid = 101
first_valid_gid = 101
last_valid_gid = 101
protocol imap {
   mail_plugins = quota imap_quota
   imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
   mail_plugins = quota
   pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
# Settings for deliver (invoked from the "dovecot" pipe service in master.cf).
protocol lda {
 postmaster_address = postmaster@example.com
 plugins = quota
 mail_plugins = cmusieve quota
 # NOTE(review): still under /data/vmail while mail_location above uses /vmail — confirm
 # the sieve tree really lives elsewhere; the setup step only creates /vmail/domains/.
 sieve_global_path = /data/vmail/domains/.dovecot.sieve
 mail_plugin_dir = /usr/local/lib/dovecot/imap
 sendmail_path = /usr/local/sbin/sendmail
 log_path = /var/log/dovecot-deliver.log
 info_log_path = /var/log/dovecot-deliver.log
 rejection_reason = Your message to<%t> was automatically rejected:%n%r
}
protocol managesieve {
  # NOTE(review): same /data/vmail vs /vmail inconsistency as sieve_global_path above.
  sieve = /data/vmail/domains/%d/%n/.dovecot.sieve
  sieve_storage = /data/vmail/domains/%d/%n/sieve
  login_executable = /usr/local/libexec/dovecot/managesieve-login
  mail_executable = /usr/local/libexec/dovecot/managesieve
}
#for users logging in without @domain.tld
auth_default_realm = example.com
auth_verbose = no
auth_debug = no
# Keep at "no": "yes" writes submitted passwords to the log.
auth_debug_passwords = no
auth default {
 # Both mechanisms carry the password in clear inside the connection; see disable_plaintext_auth.
 mechanisms = plain login
 socket listen {
 #it looks like the user 'vmail' is also the user postfix has to call deliver as
 # Master socket answers userdb lookups; 0600 + user = vmail means only processes
 # running as vmail (deliver via master.cf) can query it.
       master {
           path = /var/run/dovecot/auth-master
           mode = 0600
           user = vmail
       }
 # Client socket used by postfix smtpd for SASL auth; placed inside the postfix
 # queue directory and restricted to the postfix user/group.
       client {
           path = /var/spool/postfix/private/auth
           mode = 0660
           user = postfix
           group = postfix
       }
 } 
 passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
 }
 # Reuses the userdb_* fields returned by pass_attrs in dovecot-ldap.conf, so a login
 # needs only one LDAP query; userdb ldap below serves lookups that never pass through
 # passdb (presumably deliver's lookup via the master socket).
 userdb prefetch {
 }
 userdb ldap {
     args = /usr/local/etc/dovecot-ldap.conf
 }
 # The auth process itself runs as vmail.
 user = vmail
}
dict {
 #quota = mysql:/usr/local/etc/dovecot-dict-quota.conf
}
plugin {
   quota = maildir:User quota
   # Defaults; per-user values come from mailQuota via dovecot-ldap.conf.
   quota_rule = *:storage=100M
   quota_rule2 = Trash:storage=10M
   
   # Highest threshold first: Dovecot executes only the first warning whose limit
   # is crossed. The script receives the percentage as its argument (see quota-warning.sh).
   quota_warning = storage=95%% /usr/local/bin/quota-warning.sh 95
   quota_warning2 = storage=90%% /usr/local/bin/quota-warning.sh 90
   quota_warning3 = storage=80%% /usr/local/bin/quota-warning.sh 80    

# Per-user sieve script for cmusieve in the lda. NOTE(review): /data/vmail again, see above.
sieve = /data/vmail/domains/%d/%n/.dovecot.sieve

}

quota-warning.sh

dovecot-nowarning.conf is the same as dovecot.conf, without the quota_warning* lines.

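#!/bin/sh
# Quota warning hook, run by the quota_warning* lines in dovecot.conf's plugin {}
# block. $1 is the percentage configured on the line that fired. $USER is not set
# here — presumably Dovecot exports the mailbox owner in the environment; verify.
# Delivery goes through an alternate config without quota_warning* lines,
# presumably so that delivering this mail cannot fire another warning.
# NOTE(review): the From: domain (domain.com) does not match postmaster_address
# (postmaster@example.com) in dovecot.conf — confirm which is intended.
PERCENT="${1:-}"
# Quote $USER so a username is always passed to -d as exactly one argument.
cat << EOF | /usr/local/libexec/dovecot/deliver -d "$USER" -c /usr/local/etc/dovecot-nowarning.conf
From: postmaster@domain.com 
Subject: quota warning
Your mailbox is now $PERCENT% full.
EOF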

Postfix

main.cf

#generic postfix config skipped
# VRFY refused, so the SMTP dialogue cannot be used to enumerate valid addresses.
disable_vrfy_command  = yes
mail_owner = postfix
myhostname = mail.example.com
mydomain = example.com

#milters
milter_connect_macros = b j _ {daemon_name} {if_name} {if_addr}
#first one is called first, assuming all these milters have been installed
smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock, unix:/var/run/milter-regex/sock, unix:/var/run/clamav/clmilter.sock, unix:/var/run/spamass-milter.sock
# NOTE(review): fail-open — if any milter above (greylist, regex, clamav, spamass) is
# unreachable the message is accepted unscanned. Postfix's default, tempfail, defers
# it instead; confirm that accepting unscanned mail is intended.
milter_default_action = accept
#probably not needed when ldap is running
# NOTE(review): acme.com is also in virtual_mailbox_domains below. mydestination (the
# local domain class) takes precedence, so acme.com mail would go to local(8) instead of
# the dovecot virtual transport, and Postfix warns about a domain listed in both.
# Presumably only $myhostname and the localhost entries belong here — confirm.
mydestination = $myhostname, acme.com, localhost.$mydomain, localhost.localdomain
# Domains whose mailboxes live in LDAP / under /vmail and are delivered via virtual_transport.
virtual_mailbox_domains = example.com, acme.com
virtual_mailbox_base = /vmail
# Recipient must exist in LDAP (ldap-users.cf); smtpd uses this to reject unknown recipients.
virtual_mailbox_maps = ldap:/usr/local/etc/postfix/ldap-users.cf

# One recipient per deliver run; "dovecot" is the pipe service added to master.cf below.
dovecot_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
virtual_transport = dovecot
#this makes sure alias gets rewritten even before passed to milter
virtual_alias_maps = ldap:/usr/local/etc/postfix/ldap-aliases.cf
virtual_create_maildirsize = yes
#
#local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
# The commented variant above included unix:passwd.byname; without it, system
# accounts are not recognised as local recipients.
local_recipient_maps = $alias_maps $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
#i'm behind a NAT :)
# Every host on the subnet(s) of this machine's interfaces is trusted as a relay client.
mynetworks_style = subnet
alias_maps = hash:/etc/aliases,ldap:/usr/local/etc/postfix/ldap-aliases.cf
#this is not needed
#home_mailbox = Maildir/
#don't think this will be used when all's well
mail_spool_directory = /var/mail
debug_peer_level = 1
# Roughly 5 MB per message.
message_size_limit = 5000000

ldap-users.cf

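#maybe part of this is redundant, but at least clear
# virtual_mailbox_maps lookup (main.cf): given a recipient address, return the
# mail attribute of the matching entry. bind = no is an anonymous bind, which
# the "access to * by * read" rule in slapd.conf allows.
bind = no
version = 3
timeout = 20
debuglevel = 0
# At most one entry may match; presumably so that ambiguous matches fail loudly
# rather than picking one silently — verify against ldap_table(5).
size_limit = 1
expansion_limit = 0
# Plain ldap:// to localhost without STARTTLS — acceptable only while slapd
# stays on the same host.
start_tls = no
tls_require_cert = no
server_host = ldap://localhost
scope = sub
search_base = o=ldap
# %s is the full recipient address; Postfix applies RFC 2254 quoting before substitution.
# Aliases (mailAlternateAddress) validate as mailboxes here too; ldap-aliases.cf rewrites them.
query_filter = (|(mail=%s)(mailAlternateAddress=%s))
# Must start in column 0: Postfix treats a line beginning with whitespace as a
# continuation of the previous line, which would have folded this into query_filter.
result_attribute = mail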

ldap-aliases.cf

# alias_maps / virtual_alias_maps lookup (main.cf): map an alias to the mail
# attribute of the entry that lists it as mailAlternateAddress. Anonymous bind,
# same as ldap-users.cf.
bind = no
version = 3
timeout = 20
# One matching entry, expanded to one result address.
size_limit = 1
expansion_limit = 1
# Plain ldap:// to localhost without STARTTLS; see server_host below.
start_tls = no
tls_require_cert = no
scope = sub
query_filter = mailAlternateAddress=%s
result_attribute = mail
server_host = ldap://localhost
search_base = o=ldap

master.cf

#the entire master.cf can be left as is, just add:
# The "dovecot" transport named by virtual_transport in main.cf: each message is
# handed to Dovecot's deliver through pipe(8). Columns: service type private
# unpriv chroot wakeup maxproc command. The indented line is a continuation of
# this one and must keep its leading whitespace. user=vmail:vmail runs deliver as
# the account that owns /vmail/domains and may read the 0600 auth-master socket;
# flags DRhu are pipe(8) options (Delivered-To / Return-Path headers and
# lowercase folding of the address) — check pipe(8) for the exact meaning.
dovecot   unix  -       n       n       -       -       pipe
 flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/deliver -f ${sender} -d ${recipient}

Squirrelmail

See squirrelmail and dovecot


Tips & tricks

Disallow imap

Use authldap.schema, 'disableimap'


Notes

  • Check out authldap.schema!!!


Useful reading