Use LDAP's authenticate binds with Postfix and Dovecot.

1 files changed, 176 insertions, 0 deletions

diff --git a/fripost-docs.org b/fripost-docs.org
index 686e39b..91c8943 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -256,6 +256,18 @@ This server should be referred to as the main `IMAP server'. We will have two or
 more mail gateways that will relay e-mail to the main server over secure
 connections.  These are called `smarthosts'.
 
+Credentials are managed by a LDAP server. For the users to be able to
+authenticate to e.g., the IMAP server or the outgoing SMTP (via SASL), we will
+use the so called "authenticate binds": services simply forward the login
+information of the user to the LDAP server, that in turn hashes the password and
+checks wheter it maches the stored copy; if it does, the LDAP server answers back
+the query. See http://wanderingbarque.com/howtos/mailserver/big_picture.gif .
+This way, if the IMAP or SMTP server is compromised, the attacker will NOT have
+access to all credentials. Of course the LDAP server should only be listening to
+the machines hosting these services and ideally, should not be directly facing the
+internet.
+
+[TODO: Find a suitable LDAP schema, and drop the MySQL database]
 The main server will also be responsible for keeping all users in an MySQL
 database that will be replicated using MySQL.
 
@@ -263,8 +275,12 @@ database that will be replicated using MySQL.
 
 IMAP server = the main storage server
 
+LDAP server = the server that stores users credentials and various other informations.
+
 smarthost = the server receiving email from the internet (configured as MX)
 
+outgoing SMTP = a SMTP server that can relay mails of authenticated users (via SASL).
+
 *** Configuring an SSH tunnel between two hosts
 
 # Definitions:
@@ -601,6 +617,52 @@ mysql -u root -p
 
     quit;
 
+*** Configuring the LDAP server
+
+On Debian Squeeze, OpenLDAP's configuration no longer uses `/etc/ldap/slapd.conf'
+(by default, but may completely igore it in the future), but the
+`/etc/ldap/slapd.d' directory instead. Unfortunately most of the online
+tutorials are describing methods using `/etc/ldap/slapd.conf'.
+
+**** Install packages
+
+Here is a basic installation tutorial for Debian Squeeze:
+http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
+
+sudo apt-get install slapd ldap-utils 
+
+If it does not prompt for your domain, admin password, etc., run
+`dpkg-reconfigure -plow slapd'.
+
+We do not want to listen all the Internet: in `/etc/default/slapd', change
+`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and
+unix sockets, specify
+
+SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"
+
+(This should be enough if the connection from the IMAP/SASL services are
+wrapped into SSH or SSL tunnels.)
+
+We can check the configuration with
+
+  ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" 
+
+and modify a .ldif file with
+
+  ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
+
+**** Our schema
+
+[TODO: find something suitable to subsume the MySQL databases; we could find some
+inspiration here: http://dhits.nl/download/qmail.new.schema]
+
+If the task is only to provide a secure way to authenticate, the "basic tree" of
+http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough.
+
+After adding an user, we can check that the authentication works properly:
+
+ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W
+
 *** Configuring the main IMAP server
 **** Install packages
 
@@ -751,6 +813,47 @@ sudo /etc/init.d/dovecot restart
 **** Making sure the services are not started at boot [might not be needed]
 sudo update-rc.d -n dovecot stop 2 3 4 5 .
 sudo update-rc.d -n postfix stop 2 3 4 5 .
+
+**** Use LDAP authenticate binds.
+
+Instead of making a SQL query to fetch the (hashed) passwords, which implies to
+expose all credentials to Dovecot, an other approach is to forward the login
+information to our LDAP server, that will match it against the hashed copy contained
+in its database. This way if your IMAP server is compromised, the attacker will not
+have access to all the e-mails and user credentials.
+
+Documentation:
+http://wiki2.dovecot.org/HowTo/DovecotOpenLdap
+http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
+
+Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf .
+Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
+
+hosts = localhost    # Or wherever is our LDAP server
+auth_bind = yes
+auth_bind_userdn = uid=%u,ou=accounts,dc=fripost,dc=org
+ldap_version = 3
+base = ou=accounts,dc=fripost,dc=org
+pass_filter = (&(objectClass=posixAccount)(uid=%u))
+
+(And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
+of our tree structure, in our case dn="ou=accounts,dc=fripost,dc=org".
+
+We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}"
+blocks, and uncomment
+
+  passdb ldap {
+    args = /etc/dovecot/dovecot-ldap.conf
+  }
+# and
+  userdb ldap {
+    args = /etc/dovecot/dovecot-ldap-userdb.conf
+  }
+
+Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf'
+can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send
+asynchronous request to the LDAP server.
+
 *** Configuring a new smarthost to relay e-mail to the main IMAP server
 **** Overview
 
@@ -774,6 +877,79 @@ emails through the tunnel.
 TODO: add the necessary configuration files
 
 *** Configuring the outgoing SMTP
+We will offer a SMTP relay for authenticated users (via SASL).
+
+**** Install packages
+
+sudo apt-get install sasl2-bin libsasl2-modules-ldap
+
+(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
+test our installation.)
+
+**** Configure saslauthd
+
+Customize `/etc/default/saslauthd' as follows:
+
+START=yes
+MECHANISMS=ldap
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
+
+(The socket has to be readable by postfix.)
+
+Now, in the `/etc/saslauthd.conf':
+
+ldap_servers: ldap://localhost
+ldap_version: 3
+ldap_search_base: ou=accounts,dc=fripost,dc=org
+ldap_scope: sub
+ldap_filter: uid=%u
+ldap_auth_method: bind
+
+After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
+authentication: testsaslauthd -u userid -p password. (The password cannot be
+prompted, so you may want to create a dummy user.)
+
+**** Configure Postfix
+
+If everything goes through, it is now time to modify Postfix's main.cf:
+(Documentation: http://www.postfix.org/SASL_README.htm)
+
+smtpd_sasl_authenticated_header = yes
+smtpd_sasl_auth_enable          = yes
+smtpd_sasl_local_domain         =
+smtpd_sasl_exceptions_networks  = $mynetworks
+smtpd_sasl_security_options     = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+broken_sasl_auth_clients        = yes
+smtpd_sasl_type                 = cyrus
+smtpd_sasl_path                 = smtpd
+
+smtp_sasl_auth_enable           = yes
+smtp_sasl_password_maps         = hash:$config_directory/sasl_passwd
+smtp_sasl_security_options      = noanonymous, noplaintext
+smtp_sasl_tls_security_options  = noanonymous
+
+# `sasl_passwd' may be empty but Postfix complains if it doesn't exist
+
+And still in the main.cf, add a policy stating that authenticate users are
+allowed to connect and send mail:
+
+smtpd_recipient_restrictions =
+        permit_mynetworks
+        permit_sasl_authenticated
+        [...]
+
+Finally, we can add the submission service to our master.cf, with customized policy:
+
+submission inet n       -       -       -       -       smtpd
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
+
+We can now restart Postfix: `/etc/init.d/postfix restart'.
+
+
 **** Anonymize the senders
 If RoudCube automatically anonymize the sender (by simply shortening the
 trace), it's not the case (by default) for SquirrelMail, or when clients