Mandriva Directory Server On Debian Etch - Page 3

8 SASL Configuration

Postfix will use SASL to authenticate users against the LDAP server.

mkdir -p /var/spool/postfix/var/run/saslauthd/

Adjust the default settings.

vi /etc/default/saslauthd

It should look like this:

START=yes
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

vi /etc/saslauthd.conf

It should look like this:

ldap_servers: ldap://127.0.0.1
ldap_search_base: ou=Users,dc=example,dc=com
ldap_filter: (&(objectClass=mailAccount)(mail=%u@%r)(mailenable=OK))

vi /etc/postfix/sasl/smtpd.conf

It should look like this:

pwcheck_method: saslauthd
mech_list: plain login

Add Postfix to the SASL group ...

adduser postfix sasl

... and restart SASL.

/etc/init.d/saslauthd restart

9 Postfix Configuration

9.1 Example Configuration

For this setup I chose the configuration without virtual domains - maybe I'll add the needed steps for a virtual domain setup in the near future. First, copy the example configuration files into the Postfix directory; they are the base for the following configuration.

cp /usr/share/doc/python-mmc-base/contrib/postfix/no-virtual-domain/* /etc/postfix/

9.2 Main Configuration

First adjust the main configuration file.

vi /etc/postfix/main.cf

Edit the file so that it fits your domain, and add some restrictions and the authentication settings. The content should look like this:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = yes
append_at_myorigin = yes
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
myhostname = server1.example.com
mydomain = example.com
alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com,example.com,localhost.localdomain,localhost
mail_destination_recipient_limit = 1
mailbox_command = /usr/lib/dovecot/deliver -d "$USER"@"$DOMAIN"
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
# Use Maildir
home_mailbox = Maildir/
# Wait until the RCPT TO command before evaluating restrictions
smtpd_delay_reject = yes
# Basics Restrictions
smtpd_helo_required = yes
strict_rfc821_envelopes = yes
# Requirements for the connecting server
smtpd_client_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_rbl_client bl.spamcop.net,
   reject_rbl_client dnsbl.njabl.org,
   reject_rbl_client cbl.abuseat.org,
   reject_rbl_client sbl-xbl.spamhaus.org,
   reject_rbl_client list.dsbl.org,
   permit
# Requirements for the HELO statement
smtpd_helo_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit
# Requirements for the sender address
smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_sender_domain,
   permit
# Requirement for the recipient address
smtpd_recipient_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unauth_destination,
   permit
# Enable SASL authentication for the smtpd daemon
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Fix for outlook
broken_sasl_auth_clients = yes
# Reject anonymous connections
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# SSL/TLS
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# Amavis
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
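
The main.cf above enables SASL with smtpd_tls_security_level = may and ends each restriction list with a bare permit, so after any edit it is worth checking that AUTH is not offered on unencrypted sessions and that reject_unauth_destination still precedes permit. The sh script below is an added example, not part of the original guide; its function names and finding codes are illustrative, and smtpd_tls_auth_only is a standard Postfix parameter that this page's configuration does not set.

```sh
# Added example (not from the original guide): static checks on main.cf text.
# postfix_param NAME: print NAME's effective value from main.cf text on stdin.
# Comment/blank lines are skipped, indented lines continue, last definition wins.
postfix_param() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name == want) val = val " " $0; next }
        {
            eq = index($0, "="); if (eq == 0) { name = ""; next }
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name == want) val = substr($0, eq + 1)
        }
        END { gsub(/[ \t]+/, " ", val); gsub(/^ | $/, "", val); print val }'
}

# audit_main_cf: read main.cf text on stdin, print space-separated finding codes.
audit_main_cf() {
    cfg=$(cat); findings=""
    sasl=$(printf '%s\n' "$cfg" | postfix_param smtpd_sasl_auth_enable)
    tls_only=$(printf '%s\n' "$cfg" | postfix_param smtpd_tls_auth_only)
    # AUTH is advertised before STARTTLS unless smtpd_tls_auth_only = yes.
    if [ "$sasl" = yes ] && [ "$tls_only" != yes ]; then findings=" AUTH_WITHOUT_TLS"; fi
    # Evaluated left to right: the relay check must precede a bare "permit".
    rcpt=$(printf '%s\n' "$cfg" | postfix_param smtpd_recipient_restrictions)
    relay=${rcpt:+OPEN}   # an unset list keeps Postfix's built-in default
    for r in $(printf '%s' "$rcpt" | tr ',' ' '); do
        case $r in
            reject|reject_unauth_destination|defer_unauth_destination) relay=""; break ;;
            permit) break ;;
        esac
    done
    if [ -n "$relay" ]; then findings="$findings RELAY_NOT_RESTRICTED"; fi
    echo "${findings# }"
}

# Constructed sample: the relevant lines of the main.cf shown above.
sample_main_cf() {
    cat <<'EOF'
smtpd_recipient_restrictions =
   permit_mynetworks,
   reject_unauth_destination,
   permit
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
EOF
}

sample_main_cf | audit_main_cf
```

Run against the sample it prints AUTH_WITHOUT_TLS; on the server, check the live file with audit_main_cf < /etc/postfix/main.cf.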

9.3 LDAP Aliases Configuration

Now you have to edit the aliases configuration.

vi /etc/postfix/ldap-aliases.cf

Edit the file so that it fits your domain. It should look like this:

server_host = 127.0.0.1
search_base = ou=Users,dc=example,dc=com
query_filter = (&(objectClass=mailAccount)(mailalias=%s)(mailenable=OK))
result_attribute = maildrop
version = 3

9.4 Master Configuration

The master configuration is the last part of the postfix configuration.

vi /etc/postfix/master.cf

Add the following lines:

# SMTPS
smtps inet n - - - - smtpd
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
# Dovecot
dovecot unix - n n - - pipe
   flags=DRhu user=dovecot:mail argv=/usr/lib/dovecot/deliver -d $recipient
# Mail to Amavis
amavis unix - - - - 10 smtp
   -o smtp_data_done_timeout=1200
   -o smtp_send_xforward_command=yes
   -o disable_dns_lookups=yes
   -o max_use=20
# Mail from Amavis
127.0.0.1:10025 inet n - - - - smtpd
   -o content_filter=
   -o local_recipient_maps=
   -o relay_recipient_maps=
   -o smtpd_restriction_classes=
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

Restart Postfix:

/etc/init.d/postfix restart

10 Dovecot

Dovecot will provide POP3 (SSL/TLS), IMAP (SSL/TLS) and quota support for the mail server.

10.1 Main Configuration

echo "" > /etc/dovecot/dovecot.conf
vi /etc/dovecot/dovecot.conf

The content should look like this:

protocols = imap imaps pop3 pop3s 
listen = 0.0.0.0
login_greeting = example.com mailserver ready. 
mail_location = maildir:~/Maildir
disable_plaintext_auth = no
ssl_cert_file = /etc/ssl/certs/mail.pem 
ssl_key_file = /etc/ssl/private/mail.key
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
# IMAP configuration
protocol imap {
    mail_plugins = quota imap_quota
}
# POP3 configuration
protocol pop3 {
    pop3_uidl_format = %08Xu%08Xv
    mail_plugins = quota
}
# LDA configuration
protocol lda {
    postmaster_address = postmaster
    auth_socket_path = /var/run/dovecot/auth-master
    mail_plugins = quota
}
# LDAP authentication
auth default {
    mechanisms = plain login
    passdb ldap {
        args = /etc/dovecot/dovecot-ldap.conf
    }
    userdb ldap {
        args = /etc/dovecot/dovecot-ldap.conf
    }
    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0660
            user = dovecot
            group = mail
        }
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
}

10.2 LDAP Configuration

echo "" > /etc/dovecot/dovecot-ldap.conf
vi /etc/dovecot/dovecot-ldap.conf

The content should look like this:

hosts = 127.0.0.1
auth_bind = yes
ldap_version = 3
base = dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home,uidNumber=uid,mailbox=mail,mailuserquota=quota=maildir:storage
user_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailAccount)(mail=%u)(mailenable=OK))
default_pass_scheme = CRYPT
user_global_gid = mail

10.3 Deliver

Next, adjust the permissions on Dovecot's deliver binary so that Dovecot uses the right uid and gid when it stores messages in the maildirs.

dpkg-statoverride --update --add root dovecot 4755 /usr/lib/dovecot/deliver

Afterwards restart Dovecot.

/etc/init.d/dovecot restart