Postfix Virtual Hosting With LDAP Backend With Dovecot As IMAP/POP3 Server On Ubuntu Hardy Heron 8.04 TLS 

I've been running with a MySQL backend for virtual hosting for some time, but when I discovered Phamm and the added FTP feature (amongst others) I decided to switch to LDAP as backend for Postfix with virtual hosting.

In view of the fact that the installation and configuration guide of Phamm is lacking some basic information it took me quite some time (including crying, swearing, getting depressed, ...) to put it all together and get it working. Long live google to find hints or explanations for problems and configuration issues. Piecing it all together wasn't simple so I would like to share how I configured it and got it all working toghether (as I like), but I think that it will benefit other users as well.

Software to be used in this how to:

Postfix (logical), Postfix-ldap, Dovecot IMAP / POP3, Openldap, Apache2, php5-ldap, phpldapadmin and gnarwl.

Note: this how to also uses dovecot deliver as maildrop agent and dovecot sasl for smtp sasl authentication. For one: postfix maildrop doesn't support ldap and I didn'd want to use courier (maildrop, authdaemon and sasl) if dovecot coud do the trick and also provide sieve support.

Assumtions:

This how to assumes the following configurations, if your installtion differs from this, than replace the entries below with your actual configuration.

Mail delivery (mailboxes) path:

/home/vmail/domains

User vmail:

UID:1000, GID:1000

User postfix:

UID: 108, GID:108

Openldap base dn:

dc=example,dc=tld

Openldap admin account:

cn=admin,dc=example,dc=tld

Phamm search dn:

o=hosting,dc=example,dc=tld

 

Step 1: Install and configure an ubuntu server

I recommend following one of the guides below for this (I do not need to rewrite or reinvent what others did bether than me):

The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server)

or my favourite:

The Perfect SpamSnake - Ubuntu 8.04 LTS

In both cases, skip the installtion of the courier packages.

So let's get started:

 

Step 2: Install postfix-ldap, php5-ldap, and openldap

apt-get install postfix-ldap php5-ldap slapd

When prompted provide a password for the openldap admin.

Install phpldapadmin for LDAP manipulation, we need to configure out ldap tree.

apt-get install phpldapadmin

Execute the above command after that you have installed openldap, then your openldap configuration will be taken into account eg base dn: dc=excample,dc=tld

Next we import the phamm schema's for openldap:

cd /etc/ldap/schema

wget  http://open.rhx.it/phamm/schema/ISPEnv2.schema

wget http://open.rhx.it/phamm/schema/amavis.schema

wget http://open.rhx.it/phamm/schema/dnsdomain2.schema

wget http://open.rhx.it/phamm/schema/pureftpd.schema

wget http://open.rhx.it/phamm/schema/radius.schema

wget http://open.rhx.it/phamm/schema/samba.schema

Now we download and extract phamm since we also need the phamm.schema

cd /usr/src

wget http://open.rhx.it/phamm/phamm-0.5.12.tar.gz

tar xvzf phamm0.5.12.tar.gz

Allwas look for new version before download!

cd /etc/ldap/schema

cp /usr/src/phamm0.5.12/schema/phamm.schema .

Next we edit the slapd.conf to include the schema's needed for phamm:

vi /etc/ldap/slapd.conf

Insert the following info the slapd.conf (after the last line that says include /etc/ldap/schema/..)

include         /etc/ldap/schema/phamm.schema
include         /etc/ldap/schema/ISPEnv2.schema
include         /etc/ldap/schema/amavis.schema
include         /etc/ldap/schema/pureftpd.schema

These only for mail and ftp account. Add the other schem's if you would like to use them, but the integration of these services is not covered in this tutorial.

Next we restart openldap in order to load the new schemas:

/etc/init.d/slapd restart

Next login to phpldapadmin and create and organisation named hosting.

Click on dc=example,dc=tld.

Click on 'Create new child entry'.

Choose 'Default'.

In the next screen choose organization from the scroll box.

Click create.

On the next sceen chose o from the RDN drop down box.

Enter hosting in the first field boxn scroll down and click create.

This concludes the first part of this how to.

Share this page:

19 Comment(s)

Add comment

Comments

From: at: 2008-09-18 18:32:04

You can add as many virtual domains as you want. The virtual users belong to the virtual domains you add in the phamm interface.

Only the admin account can add domains. Virtual users are managed either by admin, or by the account created when you add a virtual domain. 

From: at: 2008-09-02 17:34:27

This was exactly what I was looking for, until I notice this was set up for virtual users on a single domain and not multiple virtual domains. I don't think it stated in the article?

From: at: 2008-11-25 21:31:30

The schema files are missing, some of them are available in the openldap config, some don't.
I've been searching for some of them on google, some are still located in the catch. Is there someone with the full package or has the files available some where?

From: Anonymous at: 2008-12-03 21:02:50

In the next screen choose organization from the scroll box.

Click create.

On the next sceen chose o from the RDN drop down box.

Enter hosting in the first field boxn scroll down and click create.

 I do this, the first field being "o" required.

I enter hosting

click create,

and it returns

Error

The Rdn attribute () does not exist.

where, oh where, have I gone amiss?

 

From: dali at: 2011-05-29 05:46:10

I know that you may not need this info anymore , but let me post it for newbies that search for info :

you have to initialize you slapd with an ldif that contiains intitial domain , group or anything else : 

 like :

dn: dc=esprit,dc=tn
dc: esprit
objectClass: domain

dn: ou=People,dc=esprit,dc=tn
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=esprit,dc=tn
ou: Groups
objectClass: organizationalUnit

# Engineering Department
dn: ou=Engineering,ou=People,dc=esprit,dc=tn
ou: Engineering
objectClass: organizationalUnit

# Admin Group
dn: cn=Admin,ou=Groups,dc=esprit,dc=tn
gidNumber: 502
memberUid: admin
memberUid: admin
cn: Admin
objectClass: posixGroup

# Admin User :
dn: uid=dali,ou=Engineering,ou=People,dc=esprit,dc=tn
sn: dali difallah
userPassword: BJsRlQT3MmAYL+HluuVVwkWX4UM96yXQ
objectClass: shadowAccount
objectClass: person
uid: dali
cn: dali difallah

# Admin User : admin
dn: uid=admin,ou=Engineering,ou=People,dc=esprit,dc=tn
sn: Admin User
userPassword: BJsRlQT3MmAYL+HluuVVwkWX4UM96yXQ
objectClass: shadowAccount
objectClass: person
uid: admin
cn: Administrator

 

you can refer to http://blog.javachap.com/index.php/installing-openldap-on-centos

 thats not the same thing but it give you better idea

also , a cummon problem , when using a used domain name : .com .net .fr .de .net .   ...... remember to disable name resolution to avoid : SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

 (comment your /etc/resolv.conf entries)

From: claytondus at: 2008-12-02 21:04:44

Until this guide is updated for Ibex, users need to know that the slapd.conf file has been supplanted by the cn=config database in Ibex.  This guide from the Ubuntu Server Guide should help you get the schemata imported.

OpenLDAP Server for Ubuntu 8.10 (Intrepid Ibex)

 The schemata must be converted to LDIF and then imported into the cn=config database before proceeding.

 

From: Julio del Aguila at: 2008-12-29 19:13:18

Take care with simbol ) replace it with } on the line:

flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient)

replace to

flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

You can save hours with this replace.

Julio.

From: weec at: 2009-09-11 13:04:26

need transport block

 open.rhx.it/doc/mailserver-howto/mailserver-howto.pdf

From: Julio del Aguila at: 2009-01-10 14:49:33

If you have some problems with not receiver autoreply check transport in this tutorial and change the line

.autoreply    :gnarwl

for

.autoreply    gnarwl:

 

It works for me.

From: Janusz at: 2009-04-15 21:37:46

Hi, this howto includes one mistake and some inaccuraties. Please take under consideration the following issues: - it is:

 dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient)

while it should be:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

- it is:

# the uid of your vmail user user_global_uid = 1000

# the guid of your vmail group user_global_gid = 1000

mine dovecot doesn't recognize those options, but those work:

mail_uid = 1000 mail_gid = 1000

- in /etc/dovecot/dovecot-ldap.conf it is:

dn = cn=admin,dc=example,dc=tld dnpass = secret

what for is it for? its not needed, in my opinion.

- you use Debian - once upon a time I've also used Debian. The problem with it was that postfix deb wasn't compiled with vda extension - quota need this to work. The howto is ok, but I would suggest writing also overall architecture

- there is no saslauthd and this is great as the setup is much more simple, but one don't have to know that postfix can use dovecot-sasl or even that dovecot provides one. The most important thing which wasn't written is that the phamm.org (or better - phamm package) includes most of examples provided here, so they are very good for reference. Regards.

From: willi at: 2009-06-28 00:06:31

sorry i'd like to say beam me up scotty I do not see the point I think those lines are equal: Hi, this howto includes one mistake and some inaccuraties. Please take under consideration the following issues: - it is:  dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient) while it should be: dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -----------------------

From: Clayton Davis at: 2008-12-05 17:55:54

Dovecot requires you to replace "default_mail_env" with "mail_location" if you are using Dovecot > 1.0rc11.  This is applicable to the default version installed in Ibex (8.10).

 

From: willi at: 2009-06-28 00:22:42

Thank you for this howto - I do follow your explanations on an CentOS 5 System: With modifications I have dovecot working and accepting it. Phamm is implemented on another system and connects to the Mailserver with Openldap (I do want to go further moving it to another Server with Kerberos Ldap support isolating mail.lan.dom for security reasons) 1.) I got stuck with gnarwl getting compile errors - will contact the developer for this! BUT: I do have problems with postfix - accounts are verified against ldap - this is OK BUT: I think postfix is not able to create the mailbox path a postmap -q john.doe@lan.dom ldap:accounts retreats lan.dom/john.doe which seems to be perfect the maillog issues: fatal: pipe_command: execvp /usr/local/bin/maildrop: No such file or directory++ ps.: I'd built transport.db and virtual.db from empty files tks in advance IF - I'm through with this I will write it down and send you the implementation log - if you like

From: difallah at: 2011-05-29 13:25:29

to avoid :

root@mail:/etc/ssl/certs# tailf /var/log/dovecot.log 
dovecot: May 29 15:05:15 Error: pop3-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: child 15890 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15891 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15892 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15893 (login) returned error 89
dovecot: May 29 15:05:15 Error: pop3-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: imap-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: imap-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line 

correct in /etc/dovecot/dovecot.conf : Replace

ssl_key_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

By ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

 and allow user devocot read right for .  /etc/ssl/private/ssl-cert-snakeoil.key by adding him to ssl-cert  as secondary group  :

usermod -a -G ssl-cert dovecot

From: Aydin KOCAK at: 2009-04-07 12:59:52

If you didn't insert samba.scheme in slapd.conf you gave the following error :

-------------------------------Output----------------------------------------------------------

line 162 (access to dn.regex=".+,vd=([^,]+),o=hosting,dc=turkom,dc=com,dc=tr" attrs=userPassword,sambaNTPassword,sambaLMPassword        by dn="cn=admin,dc=turkom,dc=com,dc=tr" write        by self write        by anonymous auth        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=turkom,dc=com,dc=tr" write        by set="user/vd & [$1]" write)
/etc/ldap/slapd.conf: line 162: unknown attr "sambaNTPassword" in to clause

-------------------------------------------------------------------------------------------------

when you add to samba.scheme problem can be solved.


 

From: Anonymous at: 2008-11-21 01:07:50

In your PHAMM hack, you say to edit 'plugins/mail.xml'... WAY OFF... How about 'www-data/main.php'?

From: zauaus at: 2009-01-21 18:03:23

really sorry, but at the end of this guide this my result:

postfix: 

postfix/pickup[1373]: warning: maildrop/D4E1xxxxxx: queue file write error

 postfix/trivial-rewrite[1460]: warning: dict_ldap_lookup: transport: Search base '' not found: 32: No such object

dovecot:

Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server

 Warning: Killed with signal 15

 dovecot can't connect to ldap server, postfix can't connect. where is content of /etc/postfix/virtual file?

 

sorry man, really thanks for your work.

zauaus 

 

 

From: at: 2009-08-24 06:55:15

Ny.

I modified main.xml in order to use dovecot accordingly to this line " Replace each entry with maildrop: with dovecot: ......"

but postfix continue to use maildrop instead of postfix.

Any idea please??

From: Matthew Cho at: 2008-09-29 16:58:01

i always try to read the whole tutorial before attempting to try it out on my test server.

So, I cannot confirm, but is gnarwl spelled wrong at the top of this page?

apt-get install gnawl