From 7dbac18ed15f419790bc33dec6a3f5f7b4346c8e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 5 Apr 2012 02:45:55 +0200
Subject: LDAP: Integration with Postfix & Dovecot.

---
 fripost-docs.org | 105 +++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 83 insertions(+), 22 deletions(-)

diff --git a/fripost-docs.org b/fripost-docs.org
index 5e7367b..172c1fe 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -676,8 +676,8 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
 dn: cn=mail.fripost.org,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: mail.fripost.org
- olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'mailbox'
- DESC 'The path to the mailbox.'
+ olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'maildir'
+ DESC 'The path to the maildir.'
 EQUALITY caseExactIA5Match
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
 olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.3 NAME 'quota'
@@ -696,7 +696,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
 olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox'
 SUP top STRUCTURAL
 DESC 'Mail Account Object'
- MUST ( mail $ userPassword $ dc $ mailbox $ isActive )
+ MUST ( mail $ userPassword $ dc $ maildir $ isActive )
 MAY ( mailLocalAddress $ gn $ sn $ quota ) )
@@ -851,7 +851,7 @@ To delete a leaf or a sub-tree:
 sn: Last Name
 userPassword: {SSHA}epZKWD1SiSe/dwL0to+jjnwFzxVUbFvg
 dc: fripost.org
- mailbox: fripost.org/user/
+ maildir: fripost.org/user/
 isActive: TRUE
 mailLocalAddress: user-alias@fripost.org
 mailLocalAddress: user@example.org
@@ -926,11 +926,11 @@ We now ensure that the leaf has been updated:
 [...]
 userPassword:: aG9w
 entryCSN: 20120404215647.957317Z#000000#000#000000
- modifiersName: mail=fripost@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
+ modifiersName: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org
 modifyTimestamp: 20120404215647Z
-Doing the same thing with eg, trying to change the `mailbox', `ldapmodify'
+Doing the same thing with eg, trying to change the `maildir', `ldapmodify'
 refuses with `Insufficient access (50)'.
 *** Configuring the main IMAP server
@@ -1001,11 +1001,60 @@ sudo aptitude install dovecot-imapd
 :: /etc/postfix/main.cf
+ virtual_mailbox_domains = ldap:$config_directory/ldap_virtual_mailbox_domains.cf
+ virtual_mailbox_maps = ldap:$config_directory/ldap_virtual_mailbox_maps.cf
+ virtual_alias_maps = ldap:$config_directory/ldap_virtual_alias_maps.cf
+
+ [...]
+
 virtual_transport = dovecot
 dovecot_destination_recipient_limit = 1
 http://wiki.dovecot.org/LDA/Postfix
 http://www.tehinterweb.co.uk/roundcube/#pisieverules
+
+ :: /etc/postfix/ldap_virtual_mailbox_domains.cf
+
+ server_host = ldap://localhost/
+ version = 3
+ search_base = o=domains,dc=mail,dc=fripost,dc=org
+ bind = no
+ query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
+ result_attribute = dc
+
+Test it:
+ postmap -q fripost.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
+ postmap -q fake.org ldap:/etc/postfix/ldap_virtual_domains_maps.cf || echo 'failed!'
+
+ :: /etc/postfix/ldap_virtual_mailbox_maps.cf
+
+ server_host = ldap://localhost/
+ version = 3
+ search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
+ bind = no
+ query_filter = (&(ObjectClass=virtualMailbox)(mail=%s)(isActive=TRUE))
+ result_attribute = maildir
+
+Test it:
+ postmap -q user@fripost.org ldap:/etc/ldap/local/ldap_virtual_mailbox_maps.cf
+
+ :: /etc/postfix/ldap_virtual_alias_maps.cf
+
+ server_host = ldap://localhost/
+ version = 3
+ search_base = o=mailboxes,dc=mail,dc=fripost,dc=org
+ bind = no
+ query_filter = (&(ObjectClass=virtualMailbox)(mailLocalAddress=%s)(isActive=TRUE))
+ result_attribute = mail
+
+Test it:
+ postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+ postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+
+
 **** Test delivery
 sudo mkdir -p /home/mail/virtual/fripost.org/
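Review bot: The first two `Test it:` blocks point postmap at `ldap:/etc/postfix/ldap_virtual_domains_maps.cf` and `ldap:/etc/ldap/local/ldap_virtual_mailbox_maps.cf`, neither of which is a file this hunk defines (`/etc/postfix/ldap_virtual_mailbox_domains.cf` and `/etc/postfix/ldap_virtual_mailbox_maps.cf`), so the tests would fail on a missing map rather than exercise the LDAP query. They should read `postmap -q fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_domains.cf || echo 'failed!'` (and the `fake.org` line likewise) and `postmap -q user@fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf`. All three maps use `bind = no`, so the directory's ACLs, which are outside this hunk, must let an anonymous reader see `objectClass`, `dc`, `mail`, `mailLocalAddress`, `maildir` and `isActive` on these subtrees and nothing more, in particular not `userPassword`; a one-line remark above the first `server_host` such as `# anonymous read: ACLs must expose only the attributes queried below` would record that dependency for whoever maintains the ACLs.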
@@ -1084,7 +1133,10 @@ sudo /etc/init.d/dovecot restart
 sudo update-rc.d -n dovecot stop 2 3 4 5 .
 sudo update-rc.d -n postfix stop 2 3 4 5 .
-**** Use LDAP authenticate binds.
+**** Use LDAP authenticate binds, and LDAP user queries.
+
+[TODO: The following handle the dialog the LDAP server. It should replace
+the MySQL bits above.]
 Instead of making a SQL query to fetch the (hashed) passwords, which implies to expose all credentials to Dovecot, an other approach is to forward the login
@@ -1099,26 +1151,35 @@ http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
 Debian provides a squeleton configuration in /usr/share/dovecot/dovecot-ldap.conf . Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
-hosts = localhost # Or wherever is our LDAP server
-auth_bind = yes
-auth_bind_userdn = uid=%u,ou=accounts,dc=fripost,dc=org
-ldap_version = 3
-base = ou=accounts,dc=fripost,dc=org
-pass_filter = (&(objectClass=posixAccount)(uid=%u))
+ hosts = localhost # Or wherever is our LDAP server
+ ldap_version = 3
+ auth_bind = yes
+ auth_bind_userdn = mail=%u,o=mailboxes,dc=mail,dc=fripost,dc=org
+ base = o=mailboxes,dc=mail,dc=fripost,dc=org
+ deref = never
+ scope = subtree
+ user_attrs = maildir=home=/home/mail/virtual/%$
+ user_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
+ pass_attrs = mail=user
+ pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
 (And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
-of our tree structure, in our case dn="ou=accounts,dc=fripost,dc=org".
+of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org".
+
+[Note: the `user_attrs' and `user_filter' are only relevant if the result of the query is
+used in the `dovecot.conf', for instance with mail_location = maildir:~. Otherwise, the
+userdb would better be dropped.]
 We can now amend the `dovecot.conf': Comment the "passwd sql {...}" and "userdb sql {...}" blocks, and uncomment
- passdb ldap {
- args = /etc/dovecot/dovecot-ldap.conf
- }
-# and
- userdb ldap {
- args = /etc/dovecot/dovecot-ldap-userdb.conf
- }
+ passdb ldap {
+ args = /etc/dovecot/dovecot-ldap.conf
+ }
+ # and
+ userdb ldap {
+ args = /etc/dovecot/dovecot-ldap-userdb.conf
+ }
 Following http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds, `dovecot-ldap-userdb.conf' can simply be a symlink to `dovecot-ldap.conf'. The names have to differ for Dovecot to send
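Review bot: Both `user_filter` and `pass_filter` match on `(domain=%d)`, but the `virtualMailbox` class as changed in this commit's first hunk keeps the domain in `dc` (MUST `mail $ userPassword $ dc $ maildir $ isActive`) and declares no `domain` attribute, so unless `domain` is defined somewhere outside this page the filters never match and every lookup fails. They should read `user_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))` and the same for `pass_filter`. Also worth confirming against the Dovecot AuthBinds page cited in the header: with `auth_bind_userdn` set, Dovecot binds directly as the templated DN and, as far as I recall, skips the `pass_filter` search, in which case the `isActive=TRUE` guard in `pass_filter` is not enforced and disabled accounts are only stopped by the userdb filter; if that holds, the note about dropping the userdb should say so, since dropping it would remove the only `isActive` check on login.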
@@ -1173,7 +1234,7 @@ test our installation.)
 ldap_version: 3
 ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org
 ldap_scope: sub
- ldap_filter: uid=%u
+ ldap_filter: mail=%u
 ldap_auth_method: bind
 After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
-- 
cgit v1.2.3