Postfix Virtual Hosting With LDAP Backend With Dovecot As IMAP/POP3 Server On Ubuntu Hardy Heron 8.04 TLS - Page 4

Step 5: Installing and configuring phamm:

Since we downloaded and extracted the phamm archive before, we can directly begin with the installation and configuration of the phamm interface.

Note: I hacked into the phamm configuration and .php script files to accomplish the following:

  • Maildrop to postmaster@example.tld rather than postmaster, which is a unix account
  • Maildrop for abuse to postmaster@example.tld rather than postmaster
  • %domain% for the welcome message, so that it reflects postmaster@domain.tld rather than postmaster
  • cc for the welcome message to postmaster@example.tld, to have an idea of the number of mailboxes created by the virtual mail domain admins. By default this maps to postmaster, so the mails would go to your unix account, or rather to root.

The other hacks just define other defaults:

  • Setting smtp auth to default
  • Setting the quota number for mail
  • Setting the default home directory for ftp
  • Setting the default quota for ftp

In any case I believe that these changes are an improvement rather than a customisation, so I will list them here before we go into the actual installation and configuration of phamm. Those who do not care about these features can skip ahead to the actual phamm configuration and installation.

My hacks:

The hacks are done on the extracted source, not on the installed copy (see the installation below).

First we will do the welcome message part.

cd /usr/src/phammphamm-0.5.12
vi config.inc.php

Change (starting line 94):

// Welcome message
define ('SEND_WELCOME',0);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'root@localhost';
$welcome_bcc = 'root@localhost';

To

// Welcome message
define ('SEND_WELCOME',1);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'postmaster@%domain%';
$welcome_bcc = 'postmaster@example.tld';

This will send the welcome email from postmaster@domain.tld (domain.tld being the virtual mail domain) and send a bcc to postmaster@example.tld, where example.tld represents the technical domain.

Next we will set the defaults for email and domain creation:

vi plugins/mail.xml

Change (line 288):

$entry["maildrop"] = "postmaster";

To

$entry["maildrop"] = "postmaster@".$domain_new;

And also (line 307) from:

$entry_abuse["maildrop"] = "postmaster";

To

$entry_abuse["maildrop"] = "postmaster@".$domain_new;

OK, these were my custom hacks, now let's go to the installation and configuration of phamm.

mkdir /yourwwwroot/phamm
cp -R * /yourwwwroot/phamm/.
chown -R www-data:www-data /yourwwwroot/phamm
cd /yourwwwroot/phamm
rm -R examples
rm -R doc
rm -R DTD
rm -R schema

This removes files that are not needed in the www directory.

Now we will configure phamm for actual use.

vi config.inc.php

Change the LDAP connection parameters to fit your actual configuration.

// *============================*
// *=== LDAP Server Settings ===*
// *============================*

// The server address (IP or FQDN)
define ('LDAP_HOST_NAME','127.0.0.1');

// The protocol version [2,3]
define ('LDAP_PROTOCOL_VERSION','3');

// The server port
define ('LDAP_PORT','389');

// The container
define ('SUFFIX','dc=example,dc=tld');

// The admin bind dn (could be rootdn)
define ('BINDDN','cn=admin,dc=example,dc=tld');

// The Phamm container
define ('LDAP_BASE','o=hosting,dc=example,dc=tld');

Enable the ftp plugin (line 172) by removing the //.

And on line 215 change CRYPT to MD5. Most other software that uses LDAP uses MD5 hashing, so it is a good thing to have phamm use MD5 as well. Keep in mind that the LDAP {MD5} scheme is an unsalted hash; if all the LDAP clients in your setup support {SSHA}, that is the better choice.

Since the transport maildrop: is hardcoded in phamm, we need to change it in order to use dovecot deliver.

vi plugins/mail.xml

Replace each entry with maildrop: by dovecot: (do not forget the colon). Normally the settings we added to postfix's main.cf earlier would be enough, but the LDAP transport lookup as used and implemented by phamm overrides them and selects maildrop.

This has to be done on line 62. It substitutes dovecot deliver for maildrop.

That's it for the configuration.

You can edit plugins/mail.xml to change the defaults for smtp and quota; modify them to your needs.

You can edit plugins/ftp.xml to change the defaults for the ftp (base) directory and quota; modify them to your needs.

OK we're almost there.

Now execute the following commands:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

Next browse to http://yourdomain.tld/phamm and log in with the account admin and your OpenLDAP password.

Add the email domain, next add a mailbox and you should be up and running.

Use the following command to see if there are any errors:

tail -f /var/log/mail.log

Hey, we're up and running.

Well, almost. One last thing to do, if everything works, is to add the ACL for phamm to OpenLDAP, so that domain admins can administer their domains and users can change their passwords and/or vacation messages and forwards.

vi /etc/ldap/slapd.conf

Comment out the following entries:

# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=example,dc=tld" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=tld" write
#        by dnattr=owner write

And add the following above (change it if your configuration differs from the assumptions):

# acl specific for phamm

#  Copyright (c) 2005 Alessandro De Zorzi, Mirko Grava
#                  <phamm@rhx.it> http://phamm.rhx.it/
#
#  Permission is granted to copy, distribute and/or modify this document
#  under the terms of the GNU Free Documentation License, Version 1.2
#  or any later version published by the Free Software Foundation;
#  A copy of the license in DOCS.LICENSE file.

# First of all
# acl for pdns
access to dn.regex="^(.+,)?cn=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

access to dn.regex="^(.+,)?dc=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

access to dn.exact="ou=dns,dc=example,dc=tld"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read

# now mail service
# account must edit his password, spam level, forward, vacation, his name
# postmaster with editAccounts=FALSE do the same thing for his domain
# postmaster with editAccounts=TRUE can add account/alias and edit also amavisBypassVirusChecks, quota and smtpAuth
# vadmin could do the same as postmaster with editAccounts=TRUE for some domains
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by * none

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=FTPQuotaMBytes,FTPStatus,FTPQuotaFiles,uid,otherPath
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous read
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=uidNumber,gidNumber,createMaildir,vdHome,mailbox,otherTransport
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/vd & [$1]" read

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by set="user/editAccounts & [FALSE]" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write

access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

access to dn.regex=".+,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self read

Restart slapd; if you don't get any errors, the ACL is in place.

/etc/init.d/slapd restart

To test the ACL you can log in to phamm using as uid/password the credentials of the virtual mail domain you created, e.g. example.tld / pwd.

If you can log in and add/change/delete mail accounts, the ACL is OK.
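To see what the ACL above actually grants before you restart slapd, here is a constructed Python model of its evaluation (added for this edit; it is not part of the tutorial or of phamm). It applies slapd's first-match rules to a subset of the clauses above, handling dn=, self, anonymous and dn.exact,expand= clauses, and leaves out the set= clauses, which depend on the bound entry's vd and editAccounts attributes. The domains a.tld and b.tld and the account joe are made up.

```python
import re

# Constructed, simplified model of the phamm slapd ACL above (not phamm code).
# set= clauses are omitted, so answers are for a postmaster with
# editAccounts=FALSE and no vadmin; by dn= is compared as an exact DN here.
SUFFIX = "dc=example,dc=tld"
ADMIN = "cn=admin," + SUFFIX
VD_ENTRY = r".+,vd=([^,]+),o=hosting," + SUFFIX + "$"
POSTMASTER = "cn=postmaster,vd=$1,o=hosting," + SUFFIX

# Each rule: (target DN regex, attrs or None for "all attributes", by-clauses).
# Order matters: slapd stops at the first <access to> whose target matches.
ACL = [
    (VD_ENTRY, {"userPassword", "sambaNTPassword", "sambaLMPassword"}, [
        ("dn", ADMIN, "write"), ("self", None, "write"),
        ("anonymous", None, "auth"), ("dn_expand", POSTMASTER, "write")]),
    (VD_ENTRY, {"amavisBypassVirusChecks", "quota", "smtpAuth", "accountActive"}, [
        ("dn", ADMIN, "write"), ("self", None, "read"),
        ("dn_expand", POSTMASTER, "read")]),
    (r"^(.+,)?vd=([^,]+),o=hosting," + SUFFIX + "$", None, [
        ("dn", ADMIN, "write"), ("self", None, "write"),
        ("dn_expand", POSTMASTER.replace("$1", "$2"), "write")]),
    (r".+,o=hosting," + SUFFIX + "$", None, [
        ("dn", ADMIN, "write"), ("self", None, "write"),
        ("anonymous", None, "auth")]),
]

def expand(template, match):
    """Substitute $1, $2, ... with the groups captured by the target regex."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)

def who_matches(kind, value, bind_dn, target_dn, match):
    if kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:                     # anonymous matches nothing else
        return False
    if kind == "self":
        return bind_dn.lower() == target_dn.lower()
    if kind == "dn":                        # literal DN, exact compare here
        return bind_dn.lower() == value.lower()
    if kind == "dn_expand":                 # dn.exact,expand= with $n filled in
        return bind_dn.lower() == expand(value, match).lower()
    raise ValueError("unknown by-clause kind: " + kind)

def access_level(bind_dn, target_dn, attr):
    """Access slapd grants bind_dn (None = anonymous) to attr of target_dn:
    first matching <access to> decides, first matching <by> in it wins."""
    for pattern, attrs, by_clauses in ACL:
        match = re.search(pattern, target_dn)
        if not match or (attrs is not None and attr not in attrs):
            continue
        for kind, value, level in by_clauses:
            if who_matches(kind, value, bind_dn, target_dn, match):
                return level
        return "none"                       # no <by> matched: denied
    return "none"                           # implicit "access to * by * none"

if __name__ == "__main__":
    pm_a = "cn=postmaster,vd=a.tld,o=hosting," + SUFFIX
    joe_a = "mail=joe@a.tld,vd=a.tld,o=hosting," + SUFFIX
    joe_b = "mail=joe@b.tld,vd=b.tld,o=hosting," + SUFFIX
    print(access_level(pm_a, joe_a, "userPassword"))  # write: own domain
    print(access_level(pm_a, joe_b, "userPassword"))  # none: other domain
    print(access_level(pm_a, joe_a, "quota"))         # read: postmaster only reads quota
```

The second call is the check that matters for a hosting setup: the postmaster of one virtual domain gets no access to the passwords of another domain's accounts, because the expanded postmaster DN does not match and no later by clause catches it.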


Comments

From: at: 2008-09-18 18:32:04

You can add as many virtual domains as you want. The virtual users belong to the virtual domains you add in the phamm interface.

Only the admin account can add domains. Virtual users are managed either by admin, or by the account created when you add a virtual domain. 

From: at: 2008-09-02 17:34:27

This was exactly what I was looking for, until I noticed this was set up for virtual users on a single domain and not multiple virtual domains. I don't think it was stated in the article?

From: at: 2008-11-25 21:31:30

The schema files are missing; some of them are available in the openldap config, some aren't.
I've been searching for some of them on google, some are still located in the cache. Is there someone with the full package or who has the files available somewhere?

From: Anonymous at: 2008-12-03 21:02:50

In the next screen choose organization from the scroll box.

Click create.

On the next screen choose o from the RDN drop down box.

Enter hosting in the first field box, scroll down and click create.

I do this, the first field being "o" required.

I enter hosting

click create,

and it returns

Error

The Rdn attribute () does not exist.

where, oh where, have I gone amiss?


From: dali at: 2011-05-29 05:46:10

I know that you may not need this info anymore, but let me post it for newbies that search for info:

you have to initialize your slapd with an LDIF that contains the initial domain, group or anything else:

like:

dn: dc=esprit,dc=tn
dc: esprit
objectClass: domain

dn: ou=People,dc=esprit,dc=tn
ou: People
objectClass: organizationalUnit

dn: ou=Groups,dc=esprit,dc=tn
ou: Groups
objectClass: organizationalUnit

# Engineering Department
dn: ou=Engineering,ou=People,dc=esprit,dc=tn
ou: Engineering
objectClass: organizationalUnit

# Admin Group
dn: cn=Admin,ou=Groups,dc=esprit,dc=tn
gidNumber: 502
memberUid: admin
cn: Admin
objectClass: posixGroup

# Admin User :
dn: uid=dali,ou=Engineering,ou=People,dc=esprit,dc=tn
sn: dali difallah
userPassword: BJsRlQT3MmAYL+HluuVVwkWX4UM96yXQ
objectClass: shadowAccount
objectClass: person
uid: dali
cn: dali difallah

# Admin User : admin
dn: uid=admin,ou=Engineering,ou=People,dc=esprit,dc=tn
sn: Admin User
userPassword: BJsRlQT3MmAYL+HluuVVwkWX4UM96yXQ
objectClass: shadowAccount
objectClass: person
uid: admin
cn: Administrator


you can refer to http://blog.javachap.com/index.php/installing-openldap-on-centos

that's not the same thing but it gives you a better idea

also, a common problem when using a real domain name (.com .net .fr .de ...): remember to disable name resolution to avoid:

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)

(comment out your /etc/resolv.conf entries)

From: claytondus at: 2008-12-02 21:04:44

Until this guide is updated for Ibex, users need to know that the slapd.conf file has been supplanted by the cn=config database in Ibex.  This guide from the Ubuntu Server Guide should help you get the schemata imported.

OpenLDAP Server for Ubuntu 8.10 (Intrepid Ibex)

The schemata must be converted to LDIF and then imported into the cn=config database before proceeding.

From: Julio del Aguila at: 2008-12-29 19:13:18

Take care with the symbol ); replace it with } on the line:

flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient)

replace to

flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

You can save hours with this replace.

Julio.

From: weec at: 2009-09-11 13:04:26

need transport block

open.rhx.it/doc/mailserver-howto/mailserver-howto.pdf

From: Julio del Aguila at: 2009-01-10 14:49:33

If you have problems with not receiving autoreplies, check the transport in this tutorial and change the line

.autoreply    :gnarwl

for

.autoreply    gnarwl:


It works for me.

From: Janusz at: 2009-04-15 21:37:46

Hi, this howto includes one mistake and some inaccuracies. Please take the following issues under consideration:

- it is:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient)

while it should be:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

- it is:

# the uid of your vmail user
user_global_uid = 1000

# the gid of your vmail group
user_global_gid = 1000

my dovecot doesn't recognize those options, but these work:

mail_uid = 1000
mail_gid = 1000

- in /etc/dovecot/dovecot-ldap.conf it is:

dn = cn=admin,dc=example,dc=tld
dnpass = secret

What is it for? It's not needed, in my opinion.

- you use Debian - once upon a time I also used Debian. The problem with it was that the postfix deb wasn't compiled with the vda extension - quota needs this to work. The howto is ok, but I would suggest also writing about the overall architecture.

- there is no saslauthd and this is great as the setup is much simpler, but one doesn't have to know that postfix can use dovecot-sasl or even that dovecot provides one. The most important thing which wasn't written is that phamm.org (or better - the phamm package) includes most of the examples provided here, so they are very good for reference. Regards.

From: willi at: 2009-06-28 00:06:31

sorry, i'd like to say beam me up scotty, I do not see the point, I think those lines are equal:

Hi, this howto includes one mistake and some inaccuraties. Please take under consideration the following issues: - it is:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient)

while it should be:

dovecot unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

From: Clayton Davis at: 2008-12-05 17:55:54

Dovecot requires you to replace "default_mail_env" with "mail_location" if you are using Dovecot > 1.0rc11.  This is applicable to the default version installed in Ibex (8.10).


From: willi at: 2009-06-28 00:22:42

Thank you for this howto - I am following your explanations on a CentOS 5 system. With modifications I have dovecot working and accepting it. Phamm is implemented on another system and connects to the mail server with OpenLDAP (I want to go further and move it to another server with Kerberos LDAP support, isolating mail.lan.dom for security reasons).

1.) I got stuck with gnarwl getting compile errors - will contact the developer for this!

BUT: I do have problems with postfix - accounts are verified against ldap - this is OK. BUT: I think postfix is not able to create the mailbox path. A postmap -q john.doe@lan.dom ldap:accounts retrieves lan.dom/john.doe which seems to be perfect. The maillog issues:

fatal: pipe_command: execvp /usr/local/bin/maildrop: No such file or directory

ps.: I'd built transport.db and virtual.db from empty files.

Thanks in advance. If I'm through with this I will write it down and send you the implementation log - if you like.

From: difallah at: 2011-05-29 13:25:29

to avoid:

root@mail:/etc/ssl/certs# tailf /var/log/dovecot.log 
dovecot: May 29 15:05:15 Error: pop3-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: child 15890 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15891 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15892 (login) returned error 89
dovecot: May 29 15:05:15 Error: child 15893 (login) returned error 89
dovecot: May 29 15:05:15 Error: pop3-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: imap-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line
dovecot: May 29 15:05:15 Error: imap-login: Can't load private key file 
/etc/ssl/certs/ssl-cert-snakeoil.pem: error:0906D06C:PEM 
routines:PEM_read_bio:no start line 

correct in /etc/dovecot/dovecot.conf: replace

ssl_key_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

by

ssl_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

and give the dovecot user read rights on /etc/ssl/private/ssl-cert-snakeoil.key by adding it to ssl-cert as a secondary group:

usermod -a -G ssl-cert dovecot

From: Aydin KOCAK at: 2009-04-07 12:59:52

If you didn't include samba.schema in slapd.conf you get the following error:

Output:

line 162 (access to dn.regex=".+,vd=([^,]+),o=hosting,dc=turkom,dc=com,dc=tr" attrs=userPassword,sambaNTPassword,sambaLMPassword        by dn="cn=admin,dc=turkom,dc=com,dc=tr" write        by self write        by anonymous auth        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=turkom,dc=com,dc=tr" write        by set="user/vd & [$1]" write)
/etc/ldap/slapd.conf: line 162: unknown attr "sambaNTPassword" in to clause

When you add samba.schema the problem is solved.

From: Anonymous at: 2008-11-21 01:07:50

In your PHAMM hack, you say to edit 'plugins/mail.xml'... WAY OFF... How about 'www-data/main.php'?

From: zauaus at: 2009-01-21 18:03:23

really sorry, but at the end of this guide this is my result:

postfix:

postfix/pickup[1373]: warning: maildrop/D4E1xxxxxx: queue file write error

postfix/trivial-rewrite[1460]: warning: dict_ldap_lookup: transport: Search base '' not found: 32: No such object

dovecot:

Error: auth(default): LDAP: ldap_result() failed: Can't contact LDAP server

Warning: Killed with signal 15

dovecot can't connect to the ldap server, postfix can't connect. Where is the content of the /etc/postfix/virtual file?

sorry man, really thanks for your work.

zauaus

From: at: 2009-08-24 06:55:15

Ny.

I modified main.xml in order to use dovecot according to this line "Replace each entry with maildrop: with dovecot: ......"

but postfix continues to use maildrop instead of postfix.

Any idea please??

From: Matthew Cho at: 2008-09-29 16:58:01

I always try to read the whole tutorial before attempting to try it out on my test server.

So, I cannot confirm, but is gnarwl spelled wrong at the top of this page?

apt-get install gnawl