From 4be540b3ff4451046d6a9b759d80e1fa39ace47e Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 3 May 2012 14:55:02 +0200 Subject: [LDAP] Post-migration modifications. --- fripost-docs.org | 87 ++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 59 insertions(+), 28 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index ff5fe1b..ec340fd 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -891,13 +891,14 @@ http://www.openldap.org/doc/admin24/access-control.html for details. - # Admins have writing rights on the branch. Authenticated users can read # their entry. The SMTP and SASLauthd servervices can read entries on the - # branch (but not the passwords). Other cannot access the branch. + # branch (but not the passwords). Others can only search. add: olcAccess olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read + by * search ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif 
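Review bot: The added `by * search` clause grants search access on the whole `o=mailHosting` subtree to every client, anonymous binds included, because `*` matches unauthenticated connections too; the rewritten comment ("Others can only search") should spell that out, since search access lets a client learn which entries under `ou=virtual` match a filter even though the attribute values themselves stay unreadable. Anonymous clients only need the `auth` access on `userPassword` that olcAccess {1} (visible in the next hunk) already gives them in order to bind, so if no anonymous lookup is intended, `by users search` would keep the new behaviour for every bound client while closing the anonymous case. The same clause is repeated in the rendered ACL listing of the following hunk, so both places should change together. Which client actually needs the search right is not stated in the hunk; please confirm it and note it in the comment.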
@@ -908,7 +909,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
 olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
 olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
 olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
- olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
+ olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read by * search
 olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
 olcAccess: {6}to dn.base="" by * read
 olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
@@ -1094,10 +1095,14 @@ Cf. installation of the master LDAP server. (We also need to install fripost's schema and indexes.) The slave may only listen on the UNIX socket; To specify that, in -`/etc/defauld/slapd', change `SLAPD_SERVICES' to +`/etc/default/slapd', change `SLAPD_SERVICES' to SLAPD_SERVICES="ldapi:///" +[TODO: *Ideally*, Postfix's should perform the LDAP lookups on a UNIX socket. However, +while it `postmap -q' worked fine, Postfix itself couldn't query the LDAP server. +A quick fix was to query the network instead: SLAPD_SERVICES="ldapi:///127.0.0.1:389/".] + In the rest of this section, we assume there is a tunnel from the master LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually speaks to the master). @@ -1223,9 +1228,9 @@ sudo aptitude install dovecot-imapd :: /etc/postfix/main.cf - virtual_mailbox_domains = ldap:$config_directory/ldap_virtual_mailbox_domains.cf - virtual_mailbox_maps = ldap:$config_directory/ldap_virtual_mailbox_maps.cf - virtual_alias_maps = ldap:$config_directory/ldap_virtual_alias_maps.cf + virtual_mailbox_domains = ldap:$config_directory/ldap/ldap_virtual_mailbox_domains.cf + virtual_mailbox_maps = ldap:$config_directory/ldap/ldap_virtual_mailbox_maps.cf + virtual_alias_maps = ldap:$config_directory/ldap/ldap_virtual_alias_maps.cf [...] 
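Review bot: The `SLAPD_SERVICES` value given in the new TODO, `"ldapi:///127.0.0.1:389/"`, is not a valid slapd URL list: `ldapi:` takes a socket path, and a host:port only belongs to an `ldap:` URL. If the intent is to keep the UNIX socket and add a loopback TCP listener, the line should read `SLAPD_SERVICES="ldapi:/// ldap://127.0.0.1:389/"`; naming 127.0.0.1 explicitly matters because `ldap:///` would listen on every interface, and the Postfix maps configured later in this commit send the cn=SMTP bind password over that connection without TLS. The sentences `Postfix's should perform the LDAP lookups` and `while it `postmap -q' worked fine` also carry stray words (`Postfix's` → `Postfix`, drop `it`). The main.cf hunk that follows is a pure path change and needs no comment.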
@@ -1236,49 +1241,56 @@ http://wiki.dovecot.org/LDA/Postfix
 http://www.tehinterweb.co.uk/roundcube/#pisieverules
-:: /etc/postfix/ldap_virtual_mailbox_domains.cf
+:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
- server_host = ldapi://
+ server_host = ldap://127.0.0.1:389/
 version = 3
 search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = base
- bind = no
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
+ bind_pw = xxxxxx
 query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
 result_attribute = dc
 Test it:
- postmap -q fripost.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
- postmap -q example.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
- postmap -q fake.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
+ postmap -q fripost.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
+ postmap -q example.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
+ postmap -q fake.org ldap:/etc/postfix/ldap/ldap_virtual_domains_maps.cf || echo 'failed!'
+
+:: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf
-:: /etc/postfix/ldap_virtual_mailbox_maps.cf
- server_host = ldapi://
+ server_host = ldap://127.0.0.1:389/
 version = 3
 search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = base
- bind = no
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
+ bind_pw = xxxxxx
 query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
 result_attribute = uid
 Test it:
- postmap -q user@fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf || echo 'failed!'
- postmap -q fake@fake.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf || echo 'failed!'
+ postmap -q user@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
+ postmap -q fake@fake.org ldap:/etc/postfix/ldap/ldap_virtual_mailbox_maps.cf || echo 'failed!'
-:: /etc/postfix/ldap_virtual_alias_maps.cf
+:: /etc/postfix/ldap/ldap_virtual_alias_maps.cf
- server_host = ldapi://
+ server_host = ldap://127.0.0.1:389/
 version = 3
 search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = one
- bind = no
+ bind = yes
+ bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
+ bind_pw = xxxxxx
 query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
 result_attribute = mailTarget
 Test it:
- postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
- postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+ postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
+ postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
 (The main LDAP server is partly replicated on a UNIX socket on the MX's.)
@@ -1379,13 +1391,14 @@ http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
 Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf . Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
- hosts = localhost # Or wherever is our LDAP server
+ hosts = localhost
 ldap_version = 3
 auth_bind = yes
 auth_bind_userdn = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 base = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 deref = never
 scope = base
+ pass_attrs = uid=user
 pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))
 (And the TLS-related lines in case we are not using a tunnel.)
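Review bot: The three map files now carry the cn=SMTP service password in their new `bind_pw = xxxxxx` line, but the text never says how to protect them; the Postfix daemons that consult these maps run unprivileged, so the doc should add after the first block something like `These files contain the bind password: keep them owned by root, group postfix, mode 0640 (readable by the postfix user, not by everyone).`. The `Test it:` commands under the first block still query `ldap/ldap_virtual_domains_maps.cf`, while the file just defined is `ldap/ldap_virtual_mailbox_domains.cf`, so the test as written appears to point at a file that is never created. The closing context line `(The main LDAP server is partly replicated on a UNIX socket on the MX's.)` is now out of step with `server_host = ldap://127.0.0.1:389/`. Since the bind now travels over TCP with no `start_tls`, the note should also state that the host must remain loopback-only.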
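Review bot: The new `pass_attrs = uid=user` returns the `uid` attribute as the login name, and because `pass_filter` matches `(uid=%n)` — the local part only — this may replace the full `user@domain` login with the bare local part after authentication; if so, the `%d` in the static userdb `home=/home/mail/virtual/%d/%n/` configured in the next hunk would expand empty. Please confirm with a test login under `auth_debug = yes` and either document why the rewrite is needed or drop the line. Removing the `# Or wherever is our LDAP server` comment is fine, but a short note that `hosts = localhost` is a plain, unencrypted connection carrying the user's password and must stay on loopback or a tunnel (the TLS remark below already covers the tunnel-less case) would help the reader.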
@@ -1397,13 +1410,14 @@ blocks, and uncomment args = /etc/dovecot/dovecot-ldap.conf } # and - userdb ldap { - args = /etc/dovecot/dovecot-ldap-userdb.conf + userdb static { + args = uid=115 gid=8 home=/home/mail/virtual/%d/%n/ allow_all_users=yes } -Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf' -can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send -asynchronous request to the LDAP server. +We are not making use of the User Database (to ensure that Dovecot's `deliver' checks +that the recipient exists) here, since `deliver' should only be called by Postfix which +takes care of that (cf. `ldap_virtual_mailbox_maps.cf'). Hence the `allow_all_users=yes' +above. *** Configuring a new smarthost to relay e-mail to the main IMAP server **** Overview @@ -1513,6 +1527,23 @@ Finally, we can add the submission service to our master.cf, with customized pol We now have to restart Postfix: `/etc/init.d/postfix restart'. (Maybe `postfix reload' is enough actually.) +**** Test it + +(desactivate smtpd_sasl_exceptions_networks for localhost first) + +openssl s_client -connect localhost:25 -starttls smtp -CApath /etc/ssl/ + +echo -ne '\000user@fripost.org\000user' | openssl base64 + +EHLO localhost +AUTH PLAIN AHVzZXJAZnJpcG9zdC5vcmcAdXNlcg== + +mail from: +rcpt to: + + + + **** Anonymize the senders If RoudCube automatically anonymize the sender (by simply shortening the trace), it's not the case (by default) for SquirrelMail, or when clients -- cgit v1.2.3
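Review bot: The new static userdb hard-codes `uid=115 gid=8`, numeric ids that are only meaningful on the host the author looked at; Debian allocates system uids dynamically, so a reader following this on another machine would deliver mail as whatever account happens to hold uid 115. Dovecot accepts names in these fields, so `args = uid=<vmail user> gid=<vmail group> home=/home/mail/virtual/%d/%n/ allow_all_users=yes` with the real account named in the text is safer, and the text should say which account owns `/home/mail/virtual`. The paragraph explaining `allow_all_users=yes` is clear; it would be worth adding that this relies on the `auth_bind` passdb above having already proven that the user exists in LDAP, so the userdb is never reached for an unknown account.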
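Review bot: The new `Test it` section tells the reader to deactivate `smtpd_sasl_exceptions_networks` for localhost but never to restore it afterwards; add a closing line such as `(and re-enable smtpd_sasl_exceptions_networks once done)` so the exception is not left open after the test, and fix `desactivate` to `deactivate`. The pre-encoded `AUTH PLAIN AHVz...` line bakes a sample password into the docs; since the `echo ... | openssl base64` step already shows how to build it, the literal line could become `AUTH PLAIN <output of the previous command>`. The `mail from:` and `rcpt to:` lines are empty — if angle-bracketed addresses were lost in formatting they need to be restored, otherwise placeholders such as `mail from:<sender address>` should be given. `echo -ne` is also bash-specific; `printf '\000%s\000%s' user@fripost.org <password> | openssl base64` behaves the same in any POSIX shell. The text after `**** Anonymize the senders` continues outside the hunk.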