authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-04-13 21:47:58 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-04-13 21:48:04 +0200
commitf9127856478b1d5fd216bb4578a746258e9537cf (patch)
tree4a31d301c01789b728336cd6f9f82f6608791951
parent96cdf431400f5d60646ba10df8751252e75fce73 (diff)
LDAP: fine-tuning the schema
-rw-r--r--fripost-docs.org437
1 files changed, 259 insertions, 178 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 91c2122..f6198ee 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -2,16 +2,16 @@
#+TITLE: Systems documentation
#+AUTHOR: Fripost -- the Free E-mail Association
#+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association
-#+KEYWORDS:
+#+KEYWORDS:
#+LANGUAGE: en
#+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t
#+OPTIONS: TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc
#+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js
#+EXPORT_SELECT_TAGS: export
#+EXPORT_EXCLUDE_TAGS: noexport
-#+LINK_UP:
-#+LINK_HOME:
-#+XSLT:
+#+LINK_UP:
+#+LINK_HOME:
+#+XSLT:
#+DRAWERS: HIDDEN STATE PROPERTIES CONTENT
#+STARTUP: indent
@@ -86,7 +86,7 @@ sudo aptitude install harden-clients
# something else, use the EDITOR environment variable.
sudo update-alternatives --config editor
-
+
** Configure sudo
# If you disabled root account during installation, the default account is
@@ -106,18 +106,18 @@ Make sure your private key is in ~/.ssh/authorized_keys2
# Add relevant users here
AllowUsers xx yy zz
-
+
# Change these settings
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
-
+
sudo /etc/init.d/ssh restart
-
+
# Without closing the current connection, try to connect to the server,
# verifying that you can still connect.
-** Forward root email
+** Forward root email
:: /etc/aliases
@@ -186,7 +186,7 @@ sudo aptitude install logcheck syslog-summary
Unattended-Upgrade "1";
}
};
-
+
Aptitude
{
UI
@@ -347,7 +347,7 @@ ORIGIN_PORT="1917"
sudo aptitude install openbsd-inetd
:: /etc/inetd.conf
-
+
127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com
sudo service openbsd-inetd restart
@@ -365,15 +365,15 @@ telnet localhost $ORIGIN_PORT
**** Overview
We will use four tables `alias', `domain', `log' and `mailbox'.
-
+
***** mysql> show tables;
+----------------+
| Tables_in_mail |
+----------------+
-| alias |
-| domain |
-| log |
-| mailbox |
+| alias |
+| domain |
+| log |
+| mailbox |
+----------------+
4 rows in set (0.00 sec)
@@ -381,12 +381,12 @@ We will use four tables `alias', `domain', `log' and `mailbox'.
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
-| address | varchar(255) | NO | PRI | | |
-| goto | text | NO | | NULL | |
-| domain | varchar(255) | NO | | | |
-| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
-| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
-| active | tinyint(4) | NO | | 1 | |
+| address | varchar(255) | NO | PRI | | |
+| goto | text | NO | | NULL | |
+| domain | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
6 rows in set (0.00 sec)
@@ -394,11 +394,11 @@ We will use four tables `alias', `domain', `log' and `mailbox'.
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
-| domain | varchar(255) | NO | PRI | | |
-| description | varchar(255) | NO | | | |
-| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
-| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
-| active | tinyint(4) | NO | | 1 | |
+| domain | varchar(255) | NO | PRI | | |
+| description | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
5 rows in set (0.00 sec)
@@ -406,10 +406,10 @@ We will use four tables `alias', `domain', `log' and `mailbox'.
+-------+-------------+------+-----+-------------------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------+-------------+------+-----+-------------------+----------------+
-| id | int(11) | NO | PRI | NULL | auto_increment |
-| user | varchar(20) | NO | | | |
-| event | text | NO | | NULL | |
-| date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| id | int(11) | NO | PRI | NULL | auto_increment |
+| user | varchar(20) | NO | | | |
+| event | text | NO | | NULL | |
+| date | timestamp | NO | | CURRENT_TIMESTAMP | |
+-------+-------------+------+-----+-------------------+----------------+
4 rows in set (0.00 sec)
@@ -417,14 +417,14 @@ We will use four tables `alias', `domain', `log' and `mailbox'.
+-------------+--------------+------+-----+---------------------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------------+--------------+------+-----+---------------------+-------+
-| username | varchar(255) | NO | PRI | | |
-| password | varchar(255) | NO | | | |
-| name | varchar(255) | NO | | | |
-| maildir | varchar(255) | NO | | | |
-| domain | varchar(255) | NO | | | |
-| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
-| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
-| active | tinyint(4) | NO | | 1 | |
+| username | varchar(255) | NO | PRI | | |
+| password | varchar(255) | NO | | | |
+| name | varchar(255) | NO | | | |
+| maildir | varchar(255) | NO | | | |
+| domain | varchar(255) | NO | | | |
+| create_date | datetime | NO | | 0000-00-00 00:00:00 | |
+| change_date | timestamp | NO | | CURRENT_TIMESTAMP | |
+| active | tinyint(4) | NO | | 1 | |
+-------------+--------------+------+-----+---------------------+-------+
8 rows in set (0.00 sec)
@@ -503,10 +503,10 @@ mysql -u root -p
for each row begin set new.create_date = current_timestamp; end$$
CREATE TRIGGER domain_set_created_on_insert before insert on domain
for each row begin set new.create_date = current_timestamp; end$$
- CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox
+ CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox
for each row begin set new.create_date = current_timestamp; end$$
DELIMITER ;
-
+
# Create mail user
CREATE USER 'mail'@'localhost' IDENTIFIED BY '<password>';
@@ -541,9 +541,9 @@ mysql -u root -p
GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>';
FLUSH PRIVILEGES;
-
+
***** Configure the slave
-****** Set up an SSH tunnel
+****** Set up an SSH tunnel
We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]].
@@ -573,7 +573,7 @@ mysql -u root -p
# Create a new temporary directory.
# NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage.
-
+
TMP_DIR=/var/lib/mysql/tmp
sudo mkdir $TMP_DIR
sudo chown mysql:mysql $TMP_DIR
@@ -594,9 +594,9 @@ mysql -u root -p
CREATE DATABASE mail;
quit;
-
+
mysql -u root -p --database=mail < mydump.sql
-
+
# [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]]
# NOTE: fill in these values using output from SHOW MASTER STATUS; above
# NOTE: filling this in my.cnf is deprecated
@@ -633,7 +633,7 @@ rewritten/compressed in a couple of months. /Guilhem, 2012-04-03.]
Here is a basic installation tutorial for Debian Squeeze:
http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
-sudo apt-get install slapd ldap-utils
+sudo apt-get install slapd ldap-utils
If it does not prompt for your domain, admin password, etc., run
`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:
@@ -650,16 +650,16 @@ Allow LDAPv2 protocol? No
We do not want to listen all the Internet: in `/etc/default/slapd', change
`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
-unix sockets, specify
+UNIX sockets, specify
SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"
-(This should be enough if the connection from the IMAP/SASL services are
+(This should be enough if the connection from the IMAP/SMTP services are
wrapped into SSH or SSL/TLS tunnels.)
We can check the configuration with
- ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
+ ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
and modify a .ldif file with
@@ -670,6 +670,37 @@ and modify a .ldif file with
We base our schema on qmail's (http://dhits.nl/download/qmail.new.schema) and
Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
+ dc=mail, dc=fripost, dc=org
+ |- ou=mailboxes
+ | |- mail=user1@fripost.org
+ | | mail: user1@fripost.org
+ | | maildir: user1/
+ | | mailLocalAddress: user1-alias@fripost.org
+ | | isActive: TRUE
+ | |
+ | `- mail=user2@fripost.org
+ |
+ |- ou=domains
+ | |- dc=fripost.org
+ | | dc: fripost.org
+ | | isActive: TRUE
+ | |
+ | `- dc=example.org
+ | dc: example.org
+ | owner: mail=user1@fripost.org, ou=mailboxes, dc=mail, dc=fripost, dc=org
+ | mailLocalAddress: user1@example.org
+ | isActive: TRUE
+ |
+ |- ou=managers
+ | |- cn=admin1
+ | | cn: admin1
+ | | userPassword: xxxxxx
+ | `- cn=admin2
+ |
+ `- ou=services
+ `- cn=SMTP
+ cn: SMTP
+ userPassword: xxxxxx
:: /etc/ldap/local/mail.fripost.org.ldif
@@ -692,13 +723,13 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
SUP top STRUCTURAL
DESC 'Virtual Domains'
MUST ( dc $ isActive )
- MAY ( description ) )
+ MAY ( owner $ mailLocalAddress $ description ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox'
SUP top STRUCTURAL
DESC 'Virtual Mailboxes'
- MUST ( mail $ userPassword $ dc $ maildir $ isActive )
+ MUST ( mail $ userPassword $ maildir $ isActive )
MAY ( mailLocalAddress $ gn $ sn $ quota ) )
-
+
Note: For the meaning of the sequences of digits above, grep the output of
`ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"'
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
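Review bot: Dropping `dc` from the MUST list of `virtualMailbox` (it is in no MAY list either, so a mailbox entry can no longer carry the attribute at all) leaves two authentication filters further down still requiring it: the Dovecot `pass_filter` in hunk `@@ -1185,7 +1266,7 @@` and the saslauthd `ldap_filter` in hunk `@@ -1254,7 +1335,7 @@` both contain `(dc=%d)`, so they can never match a mailbox entry and every bind through them would fail. The populate LDIF in hunk `@@ -836,75 +883,90 @@` also removes `dc: fripost.org` from the mailbox entry, which is consistent with the new schema but confirms those filter terms are now dead. Unless `%u` there expands to the local part only, `mail=%u` already pins the domain, so `(&(objectClass=virtualMailbox)(mail=%u)(isActive=TRUE))` should be sufficient in both places. The `olcObjectclasses` definitions begin before this hunk.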
@@ -712,16 +743,20 @@ We can now add it to the schema list:
`/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.)
-Note: Aliases have been inlined in the `virtualMailbox', and the column `alias.domain'
-of the MySQL schema has been dropped. If we want to let users manage their aliases (for
-the domains they manage), a possible solution is to add these managed virtual domains as
-childrens of their owner. A suitable ACL would then define the rights properly:
+Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'),
+you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the
+following:
+
+ include /etc/ldap/schema/core.schema
+ include /etc/ldap/schema/cosine.schema
+ include /etc/ldap/schema/nis.schema
+ include /etc/ldap/schema/misc.schema
+
+and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'.
+It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html)
+and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
+[TODO: that's just ugly. Find a better way.]
- olcAccess: to dn.regex="dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress
- by self write
- by dn.expand="mail=$1,o=mailboxes,dc=mail,dc=fripost,dc=org" write
- by dn="cn=admin,dc=fripost,dc=org" write
- by * read
***** Add custom indexes
@@ -731,7 +766,6 @@ be looking for e.g., the `mail' attribute.
:: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: objectClass eq
- olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
@@ -742,31 +776,34 @@ be looking for e.g., the `mail' attribute.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcDbIndex
- olcDbIndex: objectClass eq
+ olcDbIndex: objectClass eq
-
add: olcDbIndex
- olcDbIndex: objectClass pres,eq
+ olcDbIndex: objectClass pres,eq
-
delete: olcDbIndex
- olcDbIndex: dc eq
+ olcDbIndex: dc eq
-
add: olcDbIndex
- olcDbIndex: dc eq,sub
+ olcDbIndex: dc eq,sub
+ -
+ add: olcDbIndex
+ olcDbIndex: mail eq,sub
-
add: olcDbIndex
- olcDbIndex: mail eq,sub
+ olcDbIndex: mailLocalAddress eq
ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-index.ldif
:: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
- olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
- olcDbIndex: objectClass pres,eq
+ olcDbIndex: objectClass pres,eq
olcDbIndex: dc eq,sub
- olcDbIndex: mail eq,sub
+ olcDbIndex: mail eq,sub
+ olcDbIndex: mailLocalAddress eq
***** Restrict the access
@@ -789,45 +826,55 @@ first.
add: olcAccess
olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword
by self write
- by dn="cn=admin,dc=fripost,dc=org" write
+ by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
by anonymous auth
- by * none
-
add: olcAccess
- olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn
+ olcAccess: {1}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn
by self write
- by dn="cn=admin,dc=fripost,dc=org" write
- by * none
+ by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
+ -
+ add: olcAccess
+ olcAccess: {2}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress
+ by dnattr=owner write
+ by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
+ by * break
+ -
+ add: olcAccess
+ olcAccess: {3}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org"
+ by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read
+ by * break
+ -
+ add: olcAccess
+ olcAccess: {4}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org"
+ by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read
+ by * break
-
add: olcAccess
- olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org"
- by dn="cn=admin,dc=fripost,dc=org" write
- by * read
+ olcAccess: {5}to dn.subtree="dc=mail,dc=fripost,dc=org"
+ by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
+ by self read
+ by * search
ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldif
:: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
- olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn="cn=admin,dc=fripost,dc=org" write by anonymous auth by * none
- olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn="cn=admin,dc=fripost,dc=org" write by * none
- olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read
- olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
- olcAccess: {4}to dn.base="" by * read
- olcAccess: {5}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
+ olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write by anonymous auth
+ olcAccess: {1}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
+ olcAccess: {2}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress by dnattr=owner write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write
+ olcAccess: {3}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read by * break
+ olcAccess: {4}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read by * break
+ olcAccess: {5}to dn.subtree="dc=mail,dc=fripost,dc=org" by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write by * search
+ olcAccess: {6}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
+ olcAccess: {7}to dn.base="" by * read
+ olcAccess: {8}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
[...]
-[TODO: The proper way to define admin rights would be to make a group "Admin".]
-
-Note: Attributes and entries here are world-readable (beside `userPassword' and names).
-An other solution, more restrictive, would be to bind Postfix and Dovecots requests
-to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e.g.,
-
- olcAccess: to dn.children="dc=mail,dc=fripost,dc=org"
- by dn="cn=admin,dc=fripost,dc=org" write
- by dn="cn=mta,dc=mail,dc=fripost,dc=org" read
- by self read
- by * none
+Note: Users are here able to manage their aliases themselves. Before inserting, we should
+ensure that aliases are fully qualified with the domain they own! Otherwise it'd be easy
+to steal aliases and probably even spy on other users...
**** Create the base tree
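Review bot: The ACL LDIF and the `ldapsearch` output shown right after it disagree: rule `{2}` is written with `by * break`, but the output line for `{2}` stops at `by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write`, and rule `{5}` is written with `by self read`, which is likewise absent from its output line. If the output is what slapd actually holds, the implicit trailing `by * none` on `{2}` means the `cn=SMTP` service never falls through to `{3}` for `mailLocalAddress` on domain entries, so the alias lookup that targets `virtualDomain` entries in `ldap_virtual_alias_maps.cf` cannot match, and without `by self read` the self-check described under "Check the ACL" would return nothing. One of the two should be corrected to agree with the other; I would re-run the `ldapsearch` after the `ldapmodify` and paste the actual result. Independently, `by * search` on `{5}` grants anonymous clients search access to every attribute under `dc=mail` not already settled by an earlier rule; if only Postfix and Dovecot need that, narrowing `*` to their bind DNs would reduce what an unauthenticated client can probe.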
@@ -836,75 +883,90 @@ to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e
dn: dc=mail,dc=fripost,dc=org
objectClass: domain
dc: mail
-
- dn: o=mailboxes,dc=mail,dc=fripost,dc=org
- objectClass: organization
- o: mailboxes
+
+ dn: ou=mailboxes,dc=mail,dc=fripost,dc=org
+ objectClass: organizationalUnit
+ ou: mailboxes
description: Virtual mailboxes
-
- dn: o=domains,dc=mail,dc=fripost,dc=org
- objectClass: organization
- o: domains
+
+ dn: ou=domains,dc=mail,dc=fripost,dc=org
+ objectClass: organizationalUnit
+ ou: domains
description: Virtual domains
+ dn: ou=managers,dc=mail,dc=fripost,dc=org
+ objectClass: organizationalUnit
+ ou: managers
+ description: Postmasters
+
+ dn: ou=services,dc=mail,dc=fripost,dc=org
+ objectClass: organizationalUnit
+ ou: services
+ description: E-mail services
+
ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/local/mail.fripost.org-base.ldif
To delete a leaf or a sub-tree:
- ldapdelete -D cn=admin,dc=fripost,dc=org 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W
+ ldapdelete -D cn=admin,dc=fripost,dc=org 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W
**** Populate the tree
:: /tmp/populate.ldif
-
- dn: dc=fripost.org,o=domains,dc=mail,dc=fripost,dc=org
- objectClass: top
- objectClass: virtualDomain
- dc: fripost.org
- isActive: TRUE
-
- dn: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
+ dn: cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org
+ cn: SMTP
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ userPassword: {SSHA}xxxxxxx
+
+ dn: cn=admin1,ou=managers,dc=mail,dc=fripost,dc=org
+ cn: admin1
+ objectClass: simpleSecurityObject
+ objectClass: organizationalRole
+ userPassword: {SSHA}xxxxxxx
+
+ dn: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org
+ mail: user@fripost.org
objectClass: top
objectClass: inetLocalMailRecipient
objectClass: virtualMailbox
- mail: user@fripost.org
gn: First Name
sn: Last Name
- userPassword: {SSHA}epZKWD1SiSe/dwL0to+jjnwFzxVUbFvg
- dc: fripost.org
+ userPassword: {SSHA}xxxxxxx
maildir: fripost.org/user/
isActive: TRUE
mailLocalAddress: user-alias@fripost.org
+
+ dn: dc=fripost.org,ou=domains,dc=mail,dc=fripost,dc=org
+ objectClass: top
+ objectClass: virtualDomain
+ dc: fripost.org
+ isActive: TRUE
+
+ dn: dc=example.org,ou=domains,dc=mail,dc=fripost,dc=org
+ objectClass: top
+ objectClass: inetLocalMailRecipient
+ objectClass: virtualDomain
+ dc: example.org
+ isActive: TRUE
+ owner: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org
mailLocalAddress: user@example.org
+ mailLocalAddress: user-alias@example.org
ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
-input, so there's no need to write on disk. The password here is a the S-SHA1 hash
-of "hackme", created with `slappasswd -s "{SSHA}"'.
-
-Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'),
-you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the
-following:
-
- include /etc/ldap/schema/core.schema
- include /etc/ldap/schema/cosine.schema
- include /etc/ldap/schema/nis.schema
- include /etc/ldap/schema/misc.schema
-
-and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'.
-It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html)
-and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
-[TODO: that's just ugly. Find a better way.]
+input, so there's no need to write on disk. The salted SHA-1 can be created with
+e.g., `slappasswd -h "{SSHA}"'.
**** Check the SASL binds (authentication)
-ldapwhoami -xD "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -W
+ldapwhoami -xD "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -W
should return the whole dn:
-"mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org"
+"mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org"
**** Check the ACL
@@ -913,41 +975,53 @@ should return the whole dn:
`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should
- ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W
+ ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W
+
+and
+
+ ldapsearch -xLLL -D "cn=admin1,ou=managers,dc=mail,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W
***** Anonymous user
-`ldapsearch -xLLL' should not return the user's name, or the (hashed) password.
+`ldapsearch -xLLL -b "ou=mailboxes,dc=mail,dc=fripost,dc=org"' should not return anything.
***** Self
-ldapsearch -xLLL -D "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -b 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W
+ldapsearch -xLLL -D "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W
should return all the information for this very user, but not e.g., the password of the other users.
-The user should be able to change his/her password:
+The user should be able to change his/her password, and aliases in his/her own domain:
:: /tmp/usermod.ldif
- dn: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
+ dn: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org
changetype: modify
replace: userPassword
userPassword: hop
-ldapmodify -D "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
+ dn: dc=example.org,ou=domains,dc=mail,dc=fripost,dc=org
+ changetype: modify
+ add: mailLocalAddress
+ mailLocalAddress: user-alias2@example.org
+
+ldapmodify -D "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
[Note: If the task is merely to change the password, there is also `ldappasswd'.]
+Note: This not a safe way to let the user choose his/her aliases! Nothing prevents
+from having "mailLocalAddress: admin@fripost.org" for example!
+
We now ensure that the leaf has been updated:
- :: slapcat -s "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org"
+ :: slapcat -s "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org"
[...]
userPassword:: aG9w
entryCSN: 20120404215647.957317Z#000000#000#000000
- modifiersName: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
+ modifiersName: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org
modifyTimestamp: 20120404215647Z
@@ -981,22 +1055,22 @@ sudo aptitude install dovecot-imapd
protocol lda {
# Address to use when sending rejection mails.
postmaster_address = postmaster@fripost.org
-
+
# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
hostname = imap.fripost.org
-
+
# Support for dynamically loadable plugins. mail_plugins is a space separated
# list of plugins to load.
#mail_plugins =
#mail_plugin_dir = /usr/lib/dovecot/modules/lda
-
+
# Binary to use for sending mails.
sendmail_path = /usr/lib/sendmail
-
+
# UNIX socket path to master authentication server to find users.
auth_socket_path = /var/run/dovecot/auth-master
-
+
# Enabling Sieve plugin for server-side mail filtering
mail_plugins = cmusieve
}
@@ -1018,7 +1092,7 @@ sudo aptitude install dovecot-imapd
dovecot unix - n n - - pipe
flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n
-
+
:: /etc/postfix/main.cf
@@ -1039,8 +1113,10 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
server_host = ldap://localhost/
version = 3
- search_base = o=domains,dc=mail,dc=fripost,dc=org
- bind = no
+ search_base = ou=domains,dc=mail,dc=fripost,dc=org
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org
+ bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
result_attribute = dc
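Review bot: With `bind = yes` this map file now carries the `cn=SMTP` service password in `bind_pw`, but unlike the Dovecot LDAP file, which the text later says to `chmod 600`, nothing here says to restrict its permissions, and a file created by hand under `/etc/postfix/` is typically world-readable. The same applies to `ldap_virtual_mailbox_maps.cf` and `ldap_virtual_alias_maps.cf` in the next hunk (`@@ -1053,25 +1129,30 @@`). As far as I recall the lookups are performed by the unprivileged Postfix daemons, so the files must remain readable by the `postfix` user; I would add a line after the map definitions such as `sudo chown root:postfix /etc/postfix/ldap_*.cf && sudo chmod 640 /etc/postfix/ldap_*.cf`, keeping the real password out of the documentation as is already done with `xxxxxx`.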
@@ -1053,25 +1129,30 @@ Test it:
server_host = ldap://localhost/
version = 3
- search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
- bind = no
+ search_base = ou=mailboxes,dc=mail,dc=fripost,dc=org
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org
+ bind_pw = xxxxxx
query_filter = (&(ObjectClass=virtualMailbox)(mail=%s)(isActive=TRUE))
result_attribute = maildir
-Test it:
- postmap -q user@fripost.org ldap:/etc/ldap/local/ldap_virtual_mailbox_maps.cf
+Test it:
+ postmap -q user@fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
:: /etc/postfix/ldap_virtual_alias_maps.cf
server_host = ldap://localhost/
version = 3
- search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
- bind = no
- query_filter = (&(ObjectClass=virtualMailbox)(mailLocalAddress=%s)(isActive=TRUE))
+ search_base = dc=mail,dc=fripost,dc=org
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org
+ bind_pw = xxxxxx
+ query_filter = (&(|(ObjectClass=virtualMailbox)(ObjectClass=virtualDomain))(mailLocalAddress=%s)(isActive=TRUE))
result_attribute = mail
+ special_result_attribute = owner
-Test it:
+Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
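Review bot: The new alias `query_filter` checks `isActive=TRUE` only on the entry that matches `mailLocalAddress`; when that entry is a `virtualDomain`, the address is then resolved through `special_result_attribute = owner` by fetching the owner DN, and as far as I recall that follow-up is a base-scope lookup to which `query_filter` is not applied, so an active domain keeps resolving aliases to an owner mailbox whose own `isActive` is FALSE. Whether such mail is finally rejected then depends on the rewritten address being looked up again in `ldap_virtual_mailbox_maps.cf` (which does filter on `isActive`); worth confirming with `postmap -q` after flipping the owner's flag. Either way a sentence in the text would help, e.g. `Note: deactivating a mailbox does not deactivate the domain aliases owned by it; deactivate (or re-own) the domain entry as well.`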
@@ -1175,8 +1256,8 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
hosts = localhost # Or wherever is our LDAP server
ldap_version = 3
auth_bind = yes
- auth_bind_userdn = mail=%u,o=mailboxes,dc=mail,dc=fripost,dc=org
- base = o=mailboxes,dc=mail,dc=fripost,dc=org
+ auth_bind_userdn = mail=%u,ou=mailboxes,dc=mail,dc=fripost,dc=org
+ base = ou=mailboxes,dc=mail,dc=fripost,dc=org
deref = never
scope = subtree
user_attrs = maildir=home=/home/mail/virtual/%$
@@ -1185,7 +1266,7 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))
(And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
-of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org".
+of our tree structure, in our case dn="ou=mailboxes,dc=mail,dc=fripost,dc=org".
[Note: the `user_attrs' and `user_filter' are only relevant if the result of the query is
used in the `dovecot.conf', for instance with mail_location = maildir:~. Otherwise, the
@@ -1215,7 +1296,7 @@ This is to avoid having a single poin of failure and to separate concerns. The
IMAP server then only needs to deal with authenticated clients and the
smarthosts.
-**** Prerequisites
+**** Prerequisites
Before this can work we must make sure that:
- the MySQL replication is working
@@ -1254,7 +1335,7 @@ test our installation.)
ldap_servers: ldap://localhost
ldap_version: 3
ldap_auth_method: bind
- ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org
+ ldap_search_base: ou=mailboxes,dc=mail,dc=fripost,dc=org
ldap_scope: sub
ldap_filter: (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))
@@ -1300,7 +1381,7 @@ Finally, we can add the submission service to our master.cf, with customized pol
submission inet n - - - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-
+
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
[...]
@@ -1329,7 +1410,7 @@ to track the sender.
(SquirrelMail authenticated user username)
by webmail.fripost.org with HTTP;
Thu, 22 Mar 2012 16:27:56 +0100
-
+
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id 2D1098243D
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET)
@@ -1344,7 +1425,7 @@ to track the sender.
for <recipient@example.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET)
Received: (nullmailer pid 5057 invoked by uid 0);
Thu, 22 Mar 2012 15:36:34 -0000
-
+
Received: from localhost (smtp.fripost.org [127.0.0.1])
by fripost.org (Postfix) with ESMTP id DBAFE816BB
for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET)
@@ -1477,7 +1558,7 @@ sudo apt-get install roundcube
# timezone
$rcmail_config['timezone'] = 'CET';
-
+
# compose html formatted messages by default
$rcmail_config['htmleditor'] = TRUE;
@@ -1494,26 +1575,26 @@ sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png
Before this
-: <roundcube:object name="preloader" images="
+: <roundcube:object name="preloader" images="
-in
+in
:: /usr/share/roundcube/skins/default/templates/login.html
<div style="margin: 20px;"/>
<div style="max-width: 45em; margin: 0px auto; border: dotted 3px red; padding:1em;">
-
+
<h3>Important message</h3>
-
+
<p align="left"><strong>Mon Feb 13 12:55:30 CET 2012</strong> </p>
<p>
Lorem ipsum dolor sit amet, consectetur adipiscing
elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra
arcu, sit amet pellentesque dui enim vitae ipsum.</p>
-
+
<p>J. Random Hacker</p>
-
+
</div>
*** ikiwiki
@@ -1583,17 +1664,17 @@ mv hooks/post-update.sample hooks/post-update
:: /etc/apache2/sites-available/default
- AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2
+ AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2
:: /usr/share/gitweb/indextext.html
För att klona ett av dessa träd, installera <a href="http:///">git</a> och kör:
-
+
<blockquote><code>git clone http://git.fripost.org/pub/</code> + projektets sökväg</blockquote>
-
+
<p>
För mer information om <a href="http://www.kernel.org/pub/software/scm/git/">git</a>, se en
- <a href="http://git.or.cz/">överblick</a>, en
+ <a href="http://git.or.cz/">överblick</a>, en
<a href="http://www.kernel.org/pub/software/scm/git/docs/gittutorial.html">tutorial</a>
eller
<a href="http://www.kernel.org/pub/software/scm/git/docs">manualsidorna</a>.
@@ -1684,7 +1765,7 @@ sudo rkhunter -c --nomow --rwo
# something like: (adapt port as needed)
INETD_ALLOWED_SVC=127.0.0.1:2000
-
+
# in case whitelisting is needed, use something like:
# (whitespace important)
APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 "