From 2e41eb3c10282d87eab6b3a2f9fa9d16ed3b480a Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 10 May 2012 10:03:47 +0200 Subject: Note on Postfix and SASL EXTERNAL binds on UNIX sockets. --- fripost-docs.org | 94 +++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 59 insertions(+), 35 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index f3fecc3..7c58c19 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -773,7 +773,7 @@ and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f '. The default indexes below are not enough for our purpose, since we will heavily be looking for e.g., the `uid' attribute. - :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" + :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] olcDbIndex: objectClass eq @@ -813,10 +813,10 @@ be looking for e.g., the `uid' attribute. add: olcDbIndex olcDbIndex: owner eq -ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif +ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif - :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" + :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] olcDbIndex: entryUUID eq olcDbIndex: objectClass pres,eq @@ -844,7 +844,7 @@ We are using the so-called "Sets" to let the users manage their domain themselve See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual http://www.openldap.org/doc/admin24/access-control.html for details. - :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" + :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none olcAccess: {1}to dn.base="" by * read 
@@ -900,10 +900,10 @@ http://www.openldap.org/doc/admin24/access-control.html for details. by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read by * search -ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif +ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif - :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" + :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth @@ -941,11 +941,11 @@ a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/e objectClass: organizationalUnit description: E-mail services -ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif +ldapadd -xWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif To delete a leaf (`-r' to delete the whole sub-tree): - ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -W + ldapdelete -r -xWD cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' **** Populate the tree @@ -997,7 +997,7 @@ To delete a leaf (`-r' to delete the whole sub-tree): mailLocalAddress: user-alias isActive: TRUE -ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif +ldapadd -xWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif Note: This should obviously be wrapped in a script; `ldapadd' reads the standard 
@@ -1012,7 +1012,7 @@ the rights of user@fripost.org on the domain example.org, we can run: We can also check ACLs with concrete examples: -ldapwhoami -xD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W +ldapwhoami -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" should return the whole dn: @@ -1025,26 +1025,26 @@ should return the whole dn: `slpacat' (run as root) dumps everything in the tree, including the (hashed) passwords. So should - ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W + ldapsearch -xWD "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' and - ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W + ldapsearch -xWD "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' ***** Anonymous user -`ldapsearch -xLLL -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit +`ldapsearch -x -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit with return status 0, but shouldn't print anything. ***** Services -ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W +ldapsearch -xWD "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' should not disclose the passwords. ***** Self -ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W +ldapsearch -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' should return all the information for this very user, but not e.g., the password of the other users. 
@@ -1063,7 +1063,7 @@ The user should be able to change his/her password, and aliases in his/her own d add: mailLocalAddress mailLocalAddress: user-alias2@example.org -ldapmodify -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif +ldapmodify -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -f /tmp/usermod.ldif [Note: Still that should be wrapped up in a script, and there is no need to write on disk since the data is read from the standard input.] @@ -1094,15 +1094,6 @@ Documentation: http://www.openldap.org/doc/admin22/syncrepl.html Cf. installation of the master LDAP server. (We also need to install fripost's schema and indexes.) -The slave may only listen on the UNIX socket; To specify that, in -`/etc/default/slapd', change `SLAPD_SERVICES' to - -SLAPD_SERVICES="ldapi:///" - -[TODO: *Ideally*, Postfix's should perform the LDAP lookups on a UNIX socket. However, -while it `postmap -q' worked fine, Postfix itself couldn't query the LDAP server. -A quick fix was to query the network instead: SLAPD_SERVICES="ldapi:///127.0.0.1:389/".] - In the rest of this section, we assume there is a tunnel from the master LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually speaks to the master). @@ -1121,7 +1112,7 @@ We first need to load the module `syncprov.la'. add: olcModuleLoad olcModuleLoad: syncprov.la -ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif +ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif The master can now define itself as the provider. @@ -1155,7 +1146,7 @@ ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" credentials="xxxxxx" -ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif +ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif (Since we in our case we have several slaves, we may want to increment the rid.) 
@@ -1241,8 +1232,41 @@ http://wiki.dovecot.org/LDA/Postfix http://www.tehinterweb.co.uk/roundcube/#pisieverules +On the MX's, the slave (a partial replicate of the main LDAP server server) +may only listen on a UNIX socket in Postfix's chroot jail; To specify that, +in `/etc/default/slapd', change `SLAPD_SERVICES' to + +SLAPD_SERVICES="ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/????x-mod=0777" + +Note that in the configuration files below, the `server_host' is relative +to Postfix's jail, hence one should drop the prefix "%2Fvar%2Fspool%2Fpostfix". +On the other hand, to test the files with `postmap' one has to put back +the prefix. + + +TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL bind on +the socket with the EXTERNAL mechanism, which leads to a flood of warnings +"connection_read(XX): no connection!" in the syslog. One can also reproduce the +flood with + ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org' +instead of + ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org' +(The first one performs a simple bind and does not unbind properly, while +the second one is safe and performs a SASL bind with the EXTERNAL mechanism.) + +TODO: With Postfix 2.8, one could do [Not tested] + bind = sasl + sasl_mechs = EXTERNAL + +See also + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970 + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223 + http://www.openldap.org/lists/openldap-software/200811/msg00078.html + + :: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf + #server_host = ldapi://%2Fvar%2Frun%2Fldapi/ server_host = ldap://127.0.0.1:389/ version = 3 search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org 
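Review bot: The `x-mod=0777` in the new `SLAPD_SERVICES` line makes the replica's ldapi socket connectable by every local account on the MX, so for anything running on that host the only remaining control is the slapd ACL set; a tighter mode (for instance a group-accessible 0770 paired with making the socket's group reachable by the Postfix account, since `x-mod` sets mode bits only) would limit connections to Postfix and slapd, and the text should state that the mode is a deliberate trade-off if 0777 is kept. The search bases in the two `ldapsearch` examples, `-b 'o=mailHosting,dc=fripost.org,dc=org'`, do not match the suffix `o=mailHosting,dc=fripost,dc=org` used everywhere else in the file and look like a typo. The `bind = sasl` / `sasl_mechs = EXTERNAL` fragment is marked `[Not tested]`; saying which Postfix version and ldapi URL it was tried against, once it is, would make the two TODOs actionable.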
@@ -1261,8 +1285,10 @@ Test it: :: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf + #server_host = ldapi://%2Fvar%2Frun%2Fldapi/ server_host = ldap://127.0.0.1:389/ version = 3 + version = 3 search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org scope = base bind = yes @@ -1278,6 +1304,7 @@ Test it: :: /etc/postfix/ldap/ldap_virtual_alias_maps.cf + #server_host = ldapi://%2Fvar%2Frun%2Fldapi/ server_host = ldap://127.0.0.1:389/ version = 3 search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org @@ -1292,9 +1319,6 @@ Test it: postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf - -(The main LDAP server is partly replicated on a UNIX socket on the MX's.) - **** Test delivery sudo mkdir -p /home/mail/virtual/fripost.org/ @@ -1464,7 +1488,7 @@ this machine actually speaks to the master). OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf" [...] -(Note: The socket has to be readable by postfix.) +(Note: The socket has to be in Postfix's chroot jail.) :: /etc/saslauthd.conf @@ -1482,11 +1506,11 @@ before binding to the user (unlike Dovecot). Hence it needs to have read access on the user's entry (except his/her password, of course). After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the -authentication: `testsaslauthd -u user@fripost.org -p password'. (The password -cannot be prompted, so you may want to create a dummy user.) +authentication: + + testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password -[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd" -in `/etc/default/saslauthd'.] +(The password cannot be prompted, so you may want to create a dummy user.) **** Configure Postfix -- cgit v1.2.3
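Review bot: The `ldap_virtual_mailbox_maps.cf` hunk adds a second `version = 3` line directly under the existing one, so the example now carries a duplicate parameter; the added `version = 3` line should be dropped. This hunk, the preceding `ldap_virtual_mailbox_domains.cf` hunk and the following `ldap_virtual_alias_maps.cf` hunk each add a commented `#server_host = ldapi://%2Fvar%2Frun%2Fldapi/` with no indication that the path is relative to Postfix's chroot, which is only explained in prose much earlier in the document; a comment next to it such as `# path is inside Postfix's chroot; add the %2Fvar%2Fspool%2Fpostfix prefix when testing with postmap -q` would keep each example self-contained.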