Benutzer-Werkzeuge

Webseiten-Werkzeuge


users:werner:mailserver

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

users:werner:mailserver [2006-02-06 1750] (aktuell)
Zeile 1: Zeile 1:
 +====== Setting up postfix+ldap+courier+squirrelmail ======
  
 +===== Preparations =====
 +
 +First of all, my believe that to successfully manage a system, you must use rpm to distribute software - compiling and installing from source may work at the beginning, and in small scale, but you quickly get bogged down and the system becomes unmanageable.
 +
 +At this document i will guide you how to install postfix+ldap+courier+squirrelmail on a RedHat 7.3 system. I will provide additional detaild for doing the same on RH 9, since the sasl configuration will be different due to version used in each distro. And TRUST ME, if you are using 7.3 distro, DO NOT try to include your own, updated openldap or sasl packages - this will give you such a headache, that after 2 days of work you will say that it is not worth it - these libs are deeply embedded into redhat's base, you have to recompile half the distro to use them successfully. 
 +
 +To build my postfix package, i get the src.rpm from http://postfix.wl0.org/, and rebuild it's spec file to include ''ldap=1'', ''sasl=1'', ''tls=1'', ''pcre=1''. To do that, you will need to install the src.rpm, cd into ///usr/src/redhat/SOURCE//,
 +<code bash>
 +export POSTFIX_LDAP=1
 +export POSTFIX_SASL=1
 +export POSTFIX_TLS=1
 +export POSTFIX_PCRE=1
 +</code>
 +then run ''sh make-postfix.spec''.
 +you also need to install //libtool// and //gcc-c++// before building the package (''rpm -ba SPECS/postfix.spec'').
 +
 +To build my CourierImap packages, get the tar.gz from http://www.courier-mta.org/download.php. To build the rpm from the tar gz, some magic is needed, since //you need to build it as a non-root user//. i usually choose a non-root user, ''chown $1 -R /usr/src/redhat'', and then ''rpm -ta filename''
 +
 +All these packages are available here : TODO !!! FIXME
 +
 +===== Installation =====
 +
 +Now, install the //openldap-servers//, //openldap-clients// and //nss_ldap// packages from your RedHat distro.
 +
 +==== OpenLDAP ====
 +
 +Your server configuration starts with setting up your LDAP server with initial schema. Copy the authldap.schema and qmail.schema files to /etc/openldap/schema. Now edit your /etc/openldap/slapd.conf to include the following lines (sample full file is also available) :
 +<code bash>
 +# Postfix / Qmail
 +include         /etc/openldap/schema/qmail.schema
 +# courier IMAP
 +include         /etc/openldap/schema/authldap.schema
 +
 +# default permissions on the database
 +access to dn="" by * read
 +access to *
 +       by self write
 +       by users read
 +       by anonymous read
 +
 +access to attr=userpassword,clearpassword,ldappassword
 +        by self write
 +        by anonymous auth
 +        by * none
 +
 +# You may want to enable debuggind while setting up the server. 
 +# The messages are .info level, so change the default syslog settings to see them       
 +# loglevel 4
 +
 +suffix         "dc=example,dc=com"
 +rootdn         "cn=Manager,dc=example,dc=com"
 +rootpw         alex
 +
 +index cn eq
 +#faster mail queries I hope
 +index mail eq
 +index givenname eq
 +index uid eq
 +#address book lookups
 +index sn eq
 +#squirrelmail LDAP plug-in uses this
 +index objectClass eq
 +</code>
 +
 +Start the ldap server.
 +
 +Create an initial schema ldif file, ''ldap-initial.ldif'' :
 +<code bash>
 +# example, com
 +dn: dc=example, dc=com
 +objectClass: top
 +objectClass: organization
 +o: my company
 +description: top level of directory
 +
 +# mailaccounts, example, com
 +dn: ou=mailaccounts, dc=example, dc=com
 +objectClass: top
 +objectClass: organizationalunit
 +ou: mailaccounts
 +description: people with mailaccounts at my company.
 +</code>
 +Add it's contents to the server :
 +<code bash>
 +ldapadd -D "cn=manager,dc=example,dc=com" -w alex -x -f ldap-initial.ldif
 +</code>
 +the output should be :
 +<code bash>
 +adding new entry "dc=example, dc=com"
 +
 +adding new entry "ou=mailaccounts, dc=example, dc=com"
 +</code>
 +Create a user template file, ''user_template.ldif'':
 +<code bash>
 +dn: uid=UID,ou=mailaccounts,dc=example,dc=com
 +uid: UID
 +cn:  UID
 +uidNumber: 1001
 +gidNumber: 1001
 +mail: UID@example.com
 +mailHost: mail.example.com
 +homeDirectory: /var/imap/example.com/UID
 +mailMessageStore: /var/imap/example.com/UID/Maildir
 +mailbox: UID/Maildir/
 +objectClass: qmailuser
 +objectClass: couriermailaccount
 +accountStatus: active
 +</code>
 +Create preprocessing script for user creation, process_user :
 +<code perl>
 +#!/usr/bin/perl
 +($userid)=@ARGV;
 +while ($line=<STDIN>){ $line =~s/UID/$userid/; print $line;}
 +chmod +x process_user
 +</code>
 +this script will read input from STDIN, and replace UID with the first parameter given to it.
 +
 +Let's add a test user:
 +<code bash>
 +cat user_template.ldif  | ./process_user test | ldapadd -D "cn=Manager,dc=example,dc=com" -w alex -x
 +</code>
 +the output should be :
 +<code bash>
 +adding new entry "uid=test,ou=mailaccounts,dc=example,dc=com"
 +</code>
 +Set the password for the user:
 +<code bash>
 +ldappasswd -D "cn=Manager,dc=example,dc=com" -w alex -s testpass -x uid=test,ou=mailaccounts,dc=example,dc=com
 +</code>
 +The output should be :
 +<code bash>
 +Result: Success (0)
 +</code>
 +Now, install postfix and courier rpms you have compiled :
 +
 +==== Postfix ====
 +
 +''rpm -i postfix-2.0.6-3.pcre.sasl1.tls.rh73.i386.rpm /mnt/atlas/misc/postfix/courier-imap-ldap-1.7.1-1.7.3.i386.rpm /mnt/atlas/misc/postfix/courier-imap-1.7.1-1.7.3.i386.rpm''
 +
 +Let's see if the default config we got is different from postfix default :
 +<code ini>
 +# postconf  -n
 +alias_database = hash:/etc/postfix/aliases
 +alias_maps = hash:/etc/postfix/aliases
 +command_directory = /usr/sbin
 +config_directory = /etc/postfix
 +daemon_directory = /usr/libexec/postfix
 +debug_peer_level = 2
 +mail_owner = postfix
 +mailq_path = /usr/bin/mailq.postfix
 +manpage_directory = /usr/share/man
 +newaliases_path = /usr/bin/newaliases.postfix
 +queue_directory = /var/spool/postfix
 +readme_directory = /etc/postfix/README_FILES
 +sample_directory = /etc/postfix/samples
 +sendmail_path = /usr/sbin/sendmail.postfix
 +setgid_group = postdrop
 +unknown_local_recipient_reject_code = 450
 +</code>
 +we see that some stuff is customised to redhat's distro, but the only thing that is important is that unknown_local_recipient_reject_code is set to 450 - after we get everything working, we will need to comment out this setting - the default is 550.
 +
 +Now, we are going to configure postfix to deliver to virtual mailboxes using ldap. The delivery will be done to maildirs, under the user vmail.
 +
 +Create user vmail:
 +<code bash>
 +useradd vmail -d /var/lib/courier
 +</code>
 +Create the store directory, and the domain directory :
 +<code bash>
 +mkdir /var/imap/example.com -p
 +chown vmail:vmail /var/imap/example.com -R
 +</code>
 +set postfix to deliver under user vmail, and set it to query ldap for local deliveries
 +<code bash>
 +postconf -e myhostname=mail.example.com mydomain=example.com default_privs=vmail
 +</code>
 +add by hand to ''/etc/postfix/main.cf'':
 +<code ini>
 +virtual_mailbox_base = /var/imap/example.com
 +virtual_mailbox_maps = ldap:ldapsource
 +virtual_gid_maps = static:<UID OF VMAIL USER>
 +virtual_uid_maps = static:<GID OF VMAIL USER>
 +virtual_minimum_uid = 500
 +virtual_mailbox_domains = example.com
 +virtual_result_attribute = mailbox
 +virtual_maildir_extended = yes
 +
 +ldapsource_timeout = 10
 +ldapsource_server_host = localhost
 +ldapsource_search_base = ou=mailaccounts,dc=example,dc=com
 +ldapsource_server_port = 389
 +ldapsource_domain = example.com
 +ldapsource_query_filter = (&(mail=%s)(accountstatus=active))
 +ldapsource_result_attribute = mailbox
 +ldapsource_bind = no
 +</code>
 +Start postfix, and try to send an email to the ''test@example.com'' user :
 +<code bash>
 +echo test | sendmail test@example.com
 +</code>
 +check the ''/var/log/maillog'' for errors.
 +
 +If you get ldap-related errors, set loglevel to 4 in ''/etc/openldap/slapd.conf'', change - to
 +<code bash>
 +#*.info;mail.none;authpriv.none;cron.none               /var/log/messages
 +*.*;mail.none;authpriv.none;cron.none               /var/log/messages
 +</code>
 +and restart syslog, and look at ''/var/log/messages'' for ldap errors
 +
 +==== Courier-IMAP ====
 +
 +Let's configure courier for pop3 and imap access now :
 +
 +Install the ''courier'' and ''courier-ldap'' rpms.
 +
 +edit ''/usr/lib/courier-imap/etc/authdaemonrc''
 +<code ini>
 +authmodulelist="authldap"
 +</code>
 +enter this to  ''/usr/lib/courier-imap/etc/authldaprc'' - delete all the rest
 +<code bash>
 +LDAP_SERVER             localhost
 +LDAP_PORT               389
 +LDAP_BASEDN             ou=mailaccounts,dc=example,dc=com
 +LDAP_AUTHBIND           1
 +LDAP_TIMEOUT            5
 +LDAP_MAIL               mail
 +LDAP_DOMAIN             example.com
 +LDAP_GLOB_GID           vmail
 +LDAP_GLOB_UID           vmail
 +LDAP_HOMEDIR            homeDirectory
 +LDAP_MAILDIR            mailDir
 +LDAP_FULLNAME           cn
 +LDAP_DEREF              never
 +LDAP_TLS                0
 +</code>
 +start courier, and telnet to port 110. type "user test", "pass testpass" - this should produce no error.
 +
 +=== Setting up SMTP authentication: ===
 +
 +Because on redhat 7.3 the ''sasl'' version is 1.5, and it doesn't support ''authdaemon'' which is available at version 2.0, we will have to setup a less secure configuration - meaning, to un-chroot the smtp daemon.
 +<code bash>
 +vi /etc/postfix/master.cf :
 +</code>
 +on the line of 
 +<code bash>
 +smtp    inet
 +</code>
 +set chroot to "n"
 +
 +activate sasl authentication for postfix in ''/etc/postfix/main.cf'':
 +<code ini>
 +smtpd_sasl_auth_enable = yes
 +smtpd_sasl_security_options = noanonymous
 +</code>
 +the default relaying blocking is:
 +<code ini>
 +smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
 +</code>
 +this will only allow users from mynetworks to send mail outside the domains postfix is aware of. my config is as follows :
 +<code ini>
 +smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
 + check_recipient_access hash:/etc/postfix/protect-accounts, reject_unauth_destination
 +</code>
 +I permit also sasl authenticated users. I also protect my mailinglist accounts inside my mail server (for example, all@example.com), so people not on my network, or authenticated with sasl, will not be able to send mail to the protected address. The protect-accounts should look like this:
 +<code bash>
 +all@example.com     REJECT
 +another_address@example.com     REJECT
 +</code>
 +If you do not need this functionality, you can remove ''check_recipient_access hash:/etc/postfix/protect-accounts''
 +
 +=== let's configure sasl ===
 +
 +Now, let's configure sasl, so it would do the authentication:
 +
 +configure your ''/etc/ldap.conf'':
 +<code bash>
 +host 127.0.0.1
 +base dc=example,dc=com
 +</code>
 +create a file ''/usr/lib/sasl/smtpd.conf'', containing :
 +<code bash>
 +pwcheck_method: PAM
 +</code>
 +create a file ''/etc/pam.d/smtp'' :
 +<code bash>
 +#%PAM-1.0
 +auth       required     /lib/security/pam_ldap.so
 +account    required     /lib/security/pam_ldap.so
 +</code>
 +
 +===== Miscellaneous =====
 +
 +to delete an account, use 
 +<code bash>
 +ldapdelete -D "cn=Manager,dc=example,dc=com" -w alex -x uid=testuser,ou=mailaccounts,dc=example,dc=com
 +</code>
users/werner/mailserver.txt · Zuletzt geändert: 2006-02-06 1750 (Externe Bearbeitung)