Difference between revisions of "Mailutils:HOWTO:Sendmail MU LDAP"
(44 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''Task''' | '''Task''' | ||
− | + | We have two domains: '''foo.bar''' and '''foo.com''', and want to provide email service for separate users like '''testuser@foo.bar''' and '''testuser@foo.com'''. | |
− | |||
− | + | For that we need: | |
+ | * to get users database in LDAP DB (OpenLDAP as LDAP server) | ||
+ | * to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail via mailutils | ||
+ | all described was deployed on FreeBSD | ||
+ | |||
+ | == OpenLDAP == | ||
+ | |||
+ | The important decision have to be made on account of the directory topology: flat namespace or a hierarchical one | ||
+ | |||
+ | look at | ||
+ | * "LDAP System Administration" By Gerald Carter; ISBN: 1-56592-491-6 | ||
+ | * "Understanding and Deploying LDAP Directory Services", Second Edition By Timothy A. Howes Ph.D., Mark C. Smith, Gordon S. Good; ISBN: 0-672-32316-8. | ||
=== slapd.conf === | === slapd.conf === | ||
+ | <pre> | ||
+ | include /usr/local/etc/openldap/schema/core.schema | ||
+ | include /usr/local/etc/openldap/schema/cosine.schema | ||
+ | include /usr/local/etc/openldap/schema/inetorgperson.schema | ||
+ | include /usr/local/etc/openldap/schema/nis.schema | ||
+ | include /usr/local/etc/openldap/schema/openldap.schema | ||
+ | include /usr/local/etc/openldap/schema/misc.schema | ||
+ | include /usr/local/etc/openldap/schema/ldapns.schema | ||
+ | include /usr/local/etc/openldap/schema/asterisk.schema | ||
+ | include /usr/local/etc/openldap/schema/sendmail.schema | ||
+ | |||
+ | loglevel stats | ||
+ | |||
+ | pidfile /var/run/openldap/slapd.pid | ||
+ | argsfile /var/run/openldap/slapd.args | ||
+ | |||
+ | modulepath /usr/local/libexec/openldap | ||
+ | moduleload back_bdb | ||
+ | moduleload back_hdb | ||
+ | moduleload back_monitor | ||
+ | moduleload syncprov | ||
+ | |||
+ | TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem | ||
+ | TLSCertificateFile /usr/local/etc/openldap/ssl/srv1cert.pem | ||
+ | TLSCertificateKeyFile /usr/local/etc/openldap/ssl/srv1key.pem | ||
+ | TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 | ||
+ | TLSVerifyClient never | ||
+ | security ssf=128 | ||
+ | |||
+ | access to dn.exact="" by * read | ||
+ | access to * | ||
+ | by peername.ip=127.0.0.1 break | ||
+ | by peername.ip=X.X.X.X break | ||
+ | access to * | ||
+ | by set="[cn=bind,ou=group,dc=ibs]/memberUid & user/uid" read | ||
+ | by set="[cn=admin,ou=group,dc=ibs]/memberUid & user/uid" write | ||
+ | by self read | ||
+ | by * search | ||
+ | |||
+ | database bdb | ||
+ | suffix "dc=foo,dc=bar" | ||
+ | rootdn "cn=ldapmaster,dc=foo,dc=bar" | ||
+ | rootpw {SSHA}Osdfkjwh89974500sdfjhjhLKJHKLJLKJlLKJljlj | ||
+ | directory /var/db/openldap-data/foo.bar | ||
+ | monitoring on | ||
+ | |||
+ | index default eq,sub | ||
+ | index objectClass eq | ||
+ | index uidNumber eq | ||
+ | index gidNumber eq | ||
+ | index memberUid eq | ||
+ | index cn,sn,uid,displayName pres,sub,eq | ||
+ | index authorizedService eq | ||
+ | index sendmailMTAAliasGrouping eq | ||
+ | index sendmailMTACluster eq | ||
+ | index sendmailMTAHost eq | ||
+ | index sendmailMTAKey eq | ||
+ | index sendmailMTAMapName eq | ||
+ | |||
+ | overlay memberof | ||
+ | |||
+ | overlay unique | ||
+ | unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.bar) | ||
+ | unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.com) | ||
+ | </pre> | ||
+ | |||
+ | === ldap.conf === | ||
+ | <pre> | ||
+ | BASE dc=foo,dc=bar | ||
+ | URI ldap://ldap.foo.bar:389 | ||
+ | SIZELIMIT 0 | ||
+ | TLS_REQCERT allow | ||
+ | TLS_CACERT /usr/local/etc/openldap/cacert.pem | ||
+ | </pre> | ||
+ | |||
+ | === .ldif === | ||
+ | |||
+ | <pre> | ||
+ | dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
+ | cn: testuser@foo.bar | ||
+ | description: unique user across whole user database | ||
+ | gidnumber: 12345 | ||
+ | homedirectory: /nonexistent | ||
+ | loginshell: /sbin/nologin | ||
+ | objectclass: top | ||
+ | objectclass: posixAccount | ||
+ | objectclass: inetOrgPerson | ||
+ | objectclass: organizationalPerson | ||
+ | objectclass: person | ||
+ | objectclass: inetLocalMailRecipient | ||
+ | sn: test user | ||
+ | uid: officeX-testuser | ||
+ | uidnumber: 10001 | ||
+ | userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | ||
+ | |||
+ | dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
+ | associateddomain: foo.bar | ||
+ | authorizedservice: mail@foo.bar | ||
+ | cn: testuser@foo.bar | ||
+ | description: auxiliary service/s account (like email, web, e.t.c. access) | ||
+ | gidnumber: 10106 | ||
+ | homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar | ||
+ | loginshell: /sbin/nologin | ||
+ | mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar | ||
+ | objectclass: posixAccount | ||
+ | objectclass: shadowAccount | ||
+ | objectclass: inetOrgPerson | ||
+ | objectclass: authorizedServiceObject | ||
+ | objectclass: domainRelatedObject | ||
+ | objectclass: mailutilsAccount | ||
+ | sn: testuser@foo.bar | ||
+ | uid: testuser@foo.bar | ||
+ | uidnumber: 10001 | ||
+ | userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | ||
+ | |||
+ | dn: authorizedService=mail@foo.com,uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
+ | associateddomain: foo.com | ||
+ | authorizedservice: mail@foo.com | ||
+ | cn: testuser@foo.com | ||
+ | description: auxiliary service/s account (like email, web, e.t.c. access) | ||
+ | gidnumber: 10106 | ||
+ | homedirectory: /var/mail/IMAP_HOMES/foo.com/testuser@foo.com | ||
+ | loginshell: /sbin/nologin | ||
+ | mu-mailbox: maildir:/var/mail/foo.com/testuser@foo.com | ||
+ | objectclass: posixAccount | ||
+ | objectclass: shadowAccount | ||
+ | objectclass: inetOrgPerson | ||
+ | objectclass: authorizedServiceObject | ||
+ | objectclass: domainRelatedObject | ||
+ | objectclass: mailutilsAccount | ||
+ | sn: testuser@foo.com | ||
+ | uid: testuser@foo.com | ||
+ | uidnumber: 10001 | ||
+ | userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | ||
+ | </pre> | ||
+ | |||
+ | === test === | ||
+ | <pre> | ||
+ | # ldapsearch -xZZ -D uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar -w ***** -b ou=people,dc=foo,dc=bar -v "(&(authorizedService=mail@foo.bar)(uid=testuser))" | ||
+ | ldap_initialize( <DEFAULT> ) | ||
+ | filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) | ||
+ | requesting: All userApplication attributes | ||
+ | # extended LDIF | ||
+ | # | ||
+ | # LDAPv3 | ||
+ | # base <ou=people,dc=foo,dc=bar> with scope subtree | ||
+ | # filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) | ||
+ | # requesting: ALL | ||
+ | # | ||
+ | |||
+ | # mail@foo.bar, officeX-testuser, People, foo, bar | ||
+ | dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
+ | associateddomain: foo.bar | ||
+ | authorizedservice: mail@foo.bar | ||
+ | cn: testuser@foo.bar | ||
+ | description: auxiliary service/s account (like email, web, e.t.c. access) | ||
+ | gidnumber: 10106 | ||
+ | homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar | ||
+ | loginshell: /sbin/nologin | ||
+ | mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar | ||
+ | objectclass: posixAccount | ||
+ | objectclass: shadowAccount | ||
+ | objectclass: inetOrgPerson | ||
+ | objectclass: authorizedServiceObject | ||
+ | objectclass: domainRelatedObject | ||
+ | objectclass: mailutilsAccount | ||
+ | sn: testuser@foo.bar | ||
+ | uid: testuser@foo.bar | ||
+ | uidnumber: 10001 | ||
+ | userPassword:: ***************************************** | ||
+ | |||
+ | # search result | ||
+ | search: 3 | ||
+ | result: 0 Success | ||
+ | |||
+ | # numResponses: 2 | ||
+ | # numEntries: 1 | ||
+ | </pre> | ||
+ | |||
+ | == sendmail with [http://www.sendmail.com/sm/open_source/docs/m4/starttls.html STARTTLS], [http://www.sendmail.org/~ca/email/auth.html SMTPAUTH], [http://www.sendmail.com/sm/open_source/docs/m4/ldap.html LDAP] and db44 support == | ||
+ | |||
+ | === cyrus-sasl2 === | ||
+ | build cyrus-sasl2 with ldap and saslauthd | ||
+ | |||
+ | <pre> | ||
+ | saslauthd.conf | ||
+ | |||
+ | ldap_servers: ldap://ldap.foo.bar/ | ||
+ | ldap_start_tls: yes | ||
+ | ldap_tls_cacert_file: /usr/local/etc/openldap/cacert.pem | ||
+ | ldap_auth_method: bind | ||
+ | ldap_bind_dn: uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar | ||
+ | ldap_password: ****** | ||
+ | ldap_search_base: dc=foo,dc=bar | ||
+ | ldap_filter: (&(uid=%U)(authorizedService=mail@foo.bar)) | ||
+ | </pre> | ||
+ | ==== Sendmail.conf ==== | ||
+ | in FreeBSD it is /usr/local/lib/sasl2/Sendmail.conf | ||
− | + | <pre> | |
+ | pwcheck_method: saslauthd | ||
+ | log_level: 5 | ||
+ | </pre> | ||
− | == | + | ==== test ==== |
− | + | <pre> | |
+ | # testsaslauthd -u testuser@foo.bar -p theverypassword | ||
+ | 0: OK "Success." | ||
+ | </pre> | ||
− | === build config === | + | === sendmail === |
+ | ==== build config ==== | ||
site.config.m4 | site.config.m4 | ||
<pre> | <pre> | ||
Line 45: | Line 260: | ||
</pre> | </pre> | ||
− | === sendmail.mc === | + | ==== DNS PTR ==== |
+ | |||
+ | '''IMPORTANT:''' PTR '''''is not looked at mailertable''''' and considered as '''''local''''' | ||
+ | |||
+ | ==== sendmail.mc ==== | ||
<pre> | <pre> | ||
dnl * Sendmail configuration | dnl * Sendmail configuration | ||
Line 96: | Line 315: | ||
# Maps | # Maps | ||
define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl | define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl | ||
− | define(`confLDAP_CLUSTER', ` | + | define(`confLDAP_CLUSTER', `SMTPCLUSTER') |
LOCAL_CONFIG | LOCAL_CONFIG | ||
Line 126: | Line 345: | ||
</pre> | </pre> | ||
− | === | + | ==== submit.mc ==== |
<pre> | <pre> | ||
− | + | divert(-1) | |
+ | # | ||
+ | |||
+ | divert(0)dnl | ||
+ | VERSIONID(`$Id: submit.mc,v 8.14 2006/04/05 05:54:41 ca Exp $') | ||
+ | define(`confCF_VERSION', `Submit')dnl | ||
+ | define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining | ||
+ | define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet | ||
+ | define(`confTIME_ZONE', `USE_TZ')dnl | ||
+ | define(`confDONT_INIT_GROUPS', `True')dnl | ||
+ | define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') | ||
+ | |||
+ | FEATURE(`msp', `[127.0.0.1]')dnl | ||
+ | |||
+ | dnl * do STARTTLS | ||
+ | define(`confCACERT_PATH', `/etc/mail/certs')dnl | ||
+ | define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl | ||
+ | define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl | ||
+ | define(`confSERVER_CERT', `localCERT')dnl | ||
+ | define(`confSERVER_KEY', `localCERT')dnl | ||
+ | define(`confCLIENT_CERT', `localCERT')dnl | ||
+ | define(`confCLIENT_KEY', `localCERT')dnl | ||
+ | |||
+ | dnl * do SMTPAUTH | ||
+ | define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl | ||
+ | TRUST_AUTH_MECH(`LOGIN PLAIN')dnl | ||
+ | |||
+ | dnl * look for AuthOptions @ op.ps | ||
+ | define(`confAUTH_OPTIONS', `A p y')dnl | ||
+ | |||
+ | DAEMON_OPTIONS(`Family=inet,Name=MTA-TLS,M=Eab') | ||
</pre> | </pre> | ||
+ | |||
+ | ==== mailertable ==== | ||
+ | in case to leave it as file, then in /etc/mail/mailertable put | ||
+ | <pre> | ||
+ | foo.bar local-ldap:foo.bar | ||
+ | foo.com local-ldap:foo.com | ||
+ | </pre> | ||
+ | |||
+ | in case to put it in LDAP we need: | ||
+ | |||
+ | <pre> | ||
+ | dn: sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar | ||
+ | objectclass: sendmailMTA | ||
+ | objectclass: sendmailMTAMap | ||
+ | sendmailmtacluster: SMTPCLUSTER | ||
+ | sendmailmtamapname: mailer | ||
+ | |||
+ | dn: sendmailMTAKey=foo.bar,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar | ||
+ | objectclass: sendmailMTA | ||
+ | objectclass: sendmailMTAMap | ||
+ | objectclass: sendmailMTAMapObject | ||
+ | sendmailmtacluster: SMTPCLUSTER | ||
+ | sendmailmtakey: foo.bar | ||
+ | sendmailmtamapname: mailer | ||
+ | sendmailmtamapvalue: local-ldap:foo.bar | ||
+ | |||
+ | dn: sendmailMTAKey=foo.com,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar | ||
+ | objectclass: sendmailMTA | ||
+ | objectclass: sendmailMTAMap | ||
+ | objectclass: sendmailMTAMapObject | ||
+ | sendmailmtacluster: SMTPCLUSTER | ||
+ | sendmailmtakey: foo.com | ||
+ | sendmailmtamapname: mailer | ||
+ | sendmailmtamapvalue: local-ldap:foo.com | ||
+ | </pre> | ||
+ | |||
+ | ==== test ==== | ||
+ | <pre> | ||
+ | #> ldd /usr/sbin/sendmail | ||
+ | /usr/sbin/sendmail: | ||
+ | libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8008cd000) | ||
+ | libssl.so.6 => /usr/lib/libssl.so.6 (0x800ae8000) | ||
+ | libcrypto.so.6 => /lib/libcrypto.so.6 (0x800d3b000) | ||
+ | libdb-4.4.so.0 => /usr/local/lib/libdb-4.4.so.0 (0x8010dc000) | ||
+ | libldap-2.4.so.8 => /usr/local/lib/libldap-2.4.so.8 (0x8015f8000) | ||
+ | </pre> | ||
+ | |||
+ | <pre> | ||
+ | #> openssl s_client -connect relay.foo.bar:25 -starttls smtp | ||
+ | CONNECTED(00000004) | ||
+ | depth=0 /C=AU/ST=WS/L=Sidney/O=FooBar llc/OU=IT/CN=relay.foo.bar/emailAddress=security@foo.bar | ||
+ | ... | ||
+ | --- | ||
+ | SSL handshake has read 2486 bytes and written 384 bytes | ||
+ | --- | ||
+ | New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA | ||
+ | ... | ||
+ | SSL-Session: | ||
+ | Protocol : TLSv1 | ||
+ | ... | ||
+ | --- | ||
+ | 250 HELP | ||
+ | ehlo test | ||
+ | 250-relay.foo.bar Hello [A.A.A.A], pleased to meet you | ||
+ | ... | ||
+ | 250-AUTH LOGIN PLAIN | ||
+ | ... | ||
+ | 250 HELP | ||
+ | quit | ||
+ | 221 2.0.0 relay.foo.bar closing connection | ||
+ | </pre> | ||
+ | |||
+ | <pre> | ||
+ | sendmail -bt | ||
+ | > 3,0 testuser@foo.bar | ||
+ | canonify input: testuser @ foo . bar | ||
+ | Canonify2 input: testuser < @ foo . bar > | ||
+ | Canonify2 returns: testuser < @ foo . bar . > | ||
+ | canonify returns: testuser < @ foo . bar . > | ||
+ | parse input: testuser < @ foo . bar . > | ||
+ | Parse0 input: testuser < @ foo . bar . > | ||
+ | Parse0 returns: testuser < @ foo . bar . > | ||
+ | ParseLocal input: testuser < @ foo . bar . > | ||
+ | ParseLocal returns: testuser < @ foo . bar . > | ||
+ | Parse1 input: testuser < @ foo . bar . > | ||
+ | MailerToTriple input: < local-ldap : foo . bar > testuser < @ foo . bar . > | ||
+ | MailerToTriple returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > | ||
+ | Parse1 returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > | ||
+ | parse returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > | ||
+ | </pre> | ||
+ | |||
+ | ==== aliases ==== | ||
+ | |||
+ | native, sendmail aliases db supports only one domain and one users db | ||
+ | |||
+ | smap doesn't working with LDAP yet | ||
+ | |||
+ | the only way to do aliases this time it is to create separate, dedicated alias user and to do all need manipulations via it's .sieve script | ||
+ | |||
== mu == | == mu == | ||
=== config === | === config === | ||
+ | <pre> | ||
+ | configure \ | ||
+ | CPPFLAGS='-I/usr/local/include/ -I/usr/local/include/db44/ -I/usr/local/include/postgresql/ -I/usr/local/include/gnutls' \ | ||
+ | LDFLAGS='-L/usr/local/lib/ -L/usr/local/lib/postgresql/ -L/usr/local/lib/db44' \ | ||
+ | --enable-debug \ | ||
+ | --with-berkeley-db \ | ||
+ | --enable-pam \ | ||
+ | --with-gnutls \ | ||
+ | --with-postgres \ | ||
+ | --with-ldap \ | ||
+ | --disable-nls \ | ||
+ | --disable-nntp \ | ||
+ | --disable-radius | ||
+ | </pre> | ||
=== mailutils.rc === | === mailutils.rc === | ||
+ | <pre> | ||
+ | mailutils.rc | ||
+ | |||
+ | ldap { | ||
+ | enable yes; | ||
+ | url "ldap://ldap.foo.bar:389/"; | ||
+ | base "ou=people,dc=ibs"; | ||
+ | binddn "uid=bind@mai.foo.bar,ou=people,dc=foo,dc=bar"; | ||
+ | passwd "*****"; | ||
+ | tls yes; | ||
+ | debug 1; | ||
+ | |||
+ | field-map "" | ||
+ | "name=uid:" | ||
+ | "passwd=userPassword:" | ||
+ | "uid=uidNumber:" | ||
+ | "gid=gidNumber:" | ||
+ | "gecos=gecos:" | ||
+ | "dir=homeDirectory:" | ||
+ | "shell=loginShell:" | ||
+ | "mailbox=mu-mailBox"; | ||
+ | |||
+ | getpwnam "(|" | ||
+ | "(&(authorizedService=mail@foo.bar)(uid=${user}))" | ||
+ | "(&(authorizedService=mail@foo.bar)(cn=${user}))" | ||
+ | "(&(authorizedService=mail@foo.com)(cn=${user})))"; | ||
+ | |||
+ | getpwuid "(|" | ||
+ | "(&(authorizedService=mail@foo.bar)(uid=${user}))" | ||
+ | "(&(authorizedService=mail@foo.bar)(cn=${user}))" | ||
+ | "(&(authorizedService=mail@foo.com)(cn=${user})))"; | ||
+ | }; | ||
+ | |||
+ | auth { | ||
+ | authorization generic:ldap:system; | ||
+ | authentication generic:ldap:system; | ||
+ | }; | ||
+ | |||
+ | mailbox { | ||
+ | mailbox-type "maildir"; | ||
+ | mailbox-pattern "maildir:/var/mail;type=index;param=2;user=${user}"; | ||
+ | }; | ||
+ | |||
+ | locking { | ||
+ | retry-count 400; | ||
+ | }; | ||
+ | |||
+ | include /usr/local/etc/mailutils; | ||
+ | </pre> | ||
=== pop3d === | === pop3d === | ||
+ | <pre> | ||
+ | tls { | ||
+ | enable yes; | ||
+ | ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; | ||
+ | ssl-key /usr/local/etc/mailutils/ssl/mu.pem; | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | facility local3; | ||
+ | }; | ||
+ | |||
+ | debug { | ||
+ | level "server.trace0"; | ||
+ | line-info yes; | ||
+ | }; | ||
+ | |||
+ | #bulletin-source /var/spool/bulletin/bulletin.mbox; | ||
+ | #bulletin-db /var/spool/bulletin/bulletin; | ||
+ | max-children 30; | ||
+ | mode daemon; | ||
+ | pidfile /var/run/pop3d.pid; | ||
+ | timeout 180; | ||
+ | |||
+ | server X.X.X.X { | ||
+ | transcript no; | ||
+ | tls ondemand; | ||
+ | }; | ||
+ | |||
+ | server Y.Y.Y.Y { | ||
+ | transcript no; | ||
+ | tls required; | ||
+ | }; | ||
+ | |||
+ | server Y.Y.Y.Y:995 { | ||
+ | transcript no; | ||
+ | tls connection; | ||
+ | }; | ||
+ | |||
+ | |||
+ | acl { | ||
+ | log from any "Connect from ${address}"; | ||
+ | }; | ||
+ | </pre> | ||
=== imap4d === | === imap4d === | ||
+ | <pre> | ||
+ | tls { | ||
+ | enable yes; | ||
+ | ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; | ||
+ | ssl-key /usr/local/etc/mailutils/ssl/mu.pem; | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | facility local2; | ||
+ | }; | ||
+ | |||
+ | mandatory-locking { | ||
+ | enable 1; | ||
+ | lock-directory /tmp; | ||
+ | }; | ||
+ | |||
+ | debug { | ||
+ | level "server.trace0"; | ||
+ | line-info yes; | ||
+ | }; | ||
+ | |||
+ | create-home-dir 1; | ||
+ | shared-namespace "/var/mail/IMAP_SHARE"; | ||
+ | shared-mailbox-mode g=rw; | ||
+ | |||
+ | max-children 50; | ||
+ | mode daemon; | ||
+ | pidfile /var/run/imap4d.pid; | ||
+ | timeout 300; | ||
+ | |||
+ | server X.X.X.X { | ||
+ | transcript yes; | ||
+ | tls ondemand; | ||
+ | }; | ||
+ | |||
+ | server Y.Y.Y.Y { | ||
+ | transcript no; | ||
+ | tls required; | ||
+ | }; | ||
+ | |||
+ | server Y.Y.Y.Y:993 { | ||
+ | transcript no; | ||
+ | tls connection; | ||
+ | }; | ||
+ | |||
+ | acl { | ||
+ | log from any "Connect from ${address}"; | ||
+ | # allow Z.Z.Z.Z; | ||
+ | # deny any; | ||
+ | }; | ||
+ | </pre> | ||
=== maidag === | === maidag === | ||
+ | <pre> | ||
+ | debug { | ||
+ | line-info yes; | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | tag "maidag"; | ||
+ | }; | ||
+ | |||
+ | filter { | ||
+ | language "sieve"; | ||
+ | # pattern "/usr/local/etc/mailutils/scripts/%u"; # this time %u contains no domain part | ||
+ | pattern "%h/.sieve"; | ||
+ | }; | ||
+ | </pre> | ||
+ | |||
+ | === test === | ||
+ | <pre> | ||
+ | #> telnet pop.foo.bar 110 | ||
+ | Trying X.X.X.X... | ||
+ | Connected to pop.foo.bar. | ||
+ | Escape character is '^]'. | ||
+ | +OK POP3 Ready <24289.1377897169@relay.foo.bar> | ||
+ | user testuser@foo.bar | ||
+ | +OK | ||
+ | pass ***** | ||
+ | +OK opened mailbox for testuser | ||
+ | quit | ||
+ | +OK | ||
+ | Connection closed by foreign host. | ||
+ | |||
+ | #> telnet imap.foo.bar 143 | ||
+ | Trying X.X.X.X... | ||
+ | Connected to imap.foo.bar. | ||
+ | Escape character is '^]'. | ||
+ | * OK IMAP4rev1 | ||
+ | 00 login testuser@foo.bar ***** | ||
+ | 00 OK LOGIN Completed | ||
+ | 11 logout | ||
+ | * BYE Session terminating. | ||
+ | 11 OK LOGOUT Completed | ||
+ | Connection closed by foreign host. | ||
+ | </pre> | ||
+ | |||
+ | == External links == | ||
+ | * [http://forums.fedoraforum.org/showthread.php?t=80057 About cyrus-sasl and openldap - FedoraForum.org] | ||
+ | * [http://www.openldap.org/faq/data/cache/544.html OpenLDAP Faq-O-Matic: How can OpenLDAP, Cyrus-SASL, OpenSSL and KerberosV be combined?] | ||
+ | * [http://www.sendmail.org/~ca/email/cyrus2/options.html Options for Cyrus SASL] | ||
+ | * [http://p-o.co.uk/tech-articles/63-howto-svnserve-sasl-and-ldap.html HOW-TO svnserve SASL and LDAP] | ||
+ | * [http://www.redhat.com/archives/redhat-list/2002-November/msg02807.html Re: sendmail, SMTP Authentication & LDAP] | ||
+ | * [http://docs.snake.de/smtp-auth.html SMTP-AUTH for sendmail 8.12.x] | ||
+ | * [http://www.sendmail.org/~gshapiro/8.10.Training/schema.html sendmail 8.10.0: FEATURE(ldap_routing) Schema] | ||
+ | * [http://www.sendmail.com/sm/open_source/docs/m4/ldap.html cf/README - LDAP For Aliases, Maps, And Classes] | ||
+ | * [http://www.ltrr.arizona.edu/~mmunro/ldapmail/ OpenLDAP, SASL, and Sendmail] | ||
+ | * [http://seriousbirder.com/blogs/openldap-sendmail-configuration-schema-sample/ OpenLDAP Sendmail Configuration Schema Sample] | ||
+ | * [http://ftp.ofloo.net/pub/howtos/mail/sendmail-ldap.html Sendmail+LDAP HOWTO] | ||
+ | * [http://logout.sh/computers/sendmail/ sendmail with LDAP, TLS and AUTH] | ||
+ | * [http://kaivanov.blogspot.com/2010/09/routing-and-alias-management-with.html Linux Administration: Routing and Alias Management with OpenLDAP and Sendmail] |
Latest revision as of 04:28, 9 May 2014
Task
We have two domains: foo.bar and foo.com, and want to provide email service for separate users like testuser@foo.bar and testuser@foo.com.
For that we need:
- to get users database in LDAP DB (OpenLDAP as LDAP server)
- to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail via mailutils
all described was deployed on FreeBSD
OpenLDAP
The important decision have to be made on account of the directory topology: flat namespace or a hierarchical one
look at
- "LDAP System Administration" By Gerald Carter; ISBN: 1-56592-491-6
- "Understanding and Deploying LDAP Directory Services", Second Edition By Timothy A. Howes Ph.D., Mark C. Smith, Gordon S. Good; ISBN: 0-672-32316-8.
slapd.conf
include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/ldapns.schema include /usr/local/etc/openldap/schema/asterisk.schema include /usr/local/etc/openldap/schema/sendmail.schema loglevel stats pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/local/libexec/openldap moduleload back_bdb moduleload back_hdb moduleload back_monitor moduleload syncprov TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem TLSCertificateFile /usr/local/etc/openldap/ssl/srv1cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/ssl/srv1key.pem TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 TLSVerifyClient never security ssf=128 access to dn.exact="" by * read access to * by peername.ip=127.0.0.1 break by peername.ip=X.X.X.X break access to * by set="[cn=bind,ou=group,dc=ibs]/memberUid & user/uid" read by set="[cn=admin,ou=group,dc=ibs]/memberUid & user/uid" write by self read by * search database bdb suffix "dc=foo,dc=bar" rootdn "cn=ldapmaster,dc=foo,dc=bar" rootpw {SSHA}Osdfkjwh89974500sdfjhjhLKJHKLJLKJlLKJljlj directory /var/db/openldap-data/foo.bar monitoring on index default eq,sub index objectClass eq index uidNumber eq index gidNumber eq index memberUid eq index cn,sn,uid,displayName pres,sub,eq index authorizedService eq index sendmailMTAAliasGrouping eq index sendmailMTACluster eq index sendmailMTAHost eq index sendmailMTAKey eq index sendmailMTAMapName eq overlay memberof overlay unique unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.bar) unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.com)
ldap.conf
BASE dc=foo,dc=bar URI ldap://ldap.foo.bar:389 SIZELIMIT 0 TLS_REQCERT allow TLS_CACERT /usr/local/etc/openldap/cacert.pem
.ldif
dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar cn: testuser@foo.bar description: unique user across whole user database gidnumber: 12345 homedirectory: /nonexistent loginshell: /sbin/nologin objectclass: top objectclass: posixAccount objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: person objectclass: inetLocalMailRecipient sn: test user uid: officeX-testuser uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.bar authorizedservice: mail@foo.bar cn: testuser@foo.bar description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.bar uid: testuser@foo.bar uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ dn: authorizedService=mail@foo.com,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.com authorizedservice: mail@foo.com cn: testuser@foo.com description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.com/testuser@foo.com loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.com/testuser@foo.com objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.com uid: testuser@foo.com uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/
test
# ldapsearch -xZZ -D uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar -w ***** -b ou=people,dc=foo,dc=bar -v "(&(authorizedService=mail@foo.bar)(uid=testuser))" ldap_initialize( <DEFAULT> ) filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=people,dc=foo,dc=bar> with scope subtree # filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) # requesting: ALL # # mail@foo.bar, officeX-testuser, People, foo, bar dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.bar authorizedservice: mail@foo.bar cn: testuser@foo.bar description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.bar uid: testuser@foo.bar uidnumber: 10001 userPassword:: ***************************************** # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1
sendmail with STARTTLS, SMTPAUTH, LDAP and db44 support
cyrus-sasl2
build cyrus-sasl2 with ldap and saslauthd
saslauthd.conf ldap_servers: ldap://ldap.foo.bar/ ldap_start_tls: yes ldap_tls_cacert_file: /usr/local/etc/openldap/cacert.pem ldap_auth_method: bind ldap_bind_dn: uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar ldap_password: ****** ldap_search_base: dc=foo,dc=bar ldap_filter: (&(uid=%U)(authorizedService=mail@foo.bar))
Sendmail.conf
in FreeBSD it is /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd log_level: 5
test
# testsaslauthd -u testuser@foo.bar -p theverypassword 0: OK "Success."
sendmail
build config
site.config.m4
## # general APPENDDEF(`confINCDIRS', `-I/usr/local/include -I/usr/local/include/db44') APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/lib/db44') ## DB44 #APPENDDEF(`confENVDEF', `-I/usr/local/include -I/usr/local/include/db44') #APPENDDEF(`conf_sendmail_LIBS', `-L/usr/local/lib -L/usr/local/lib/db44') # SASL2 (smtp authentication) APPENDDEF(`confENVDEF', `-DSASL=2') APPENDDEF(`conf_sendmail_LIBS', `-lsasl2') # LDAP APPENDDEF(`confMAPDEF', `-DLDAPMAP') APPENDDEF(`confLIBS', `-lldap -llber') # STARTTLS (smtp + tls/ssl) APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -D_FFR_TLS_1') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') # rest APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB')
DNS PTR
IMPORTANT: PTR is not looked at mailertable and considered as local
sendmail.mc
dnl * Sendmail configuration divert(-1) OSTYPE(freebsd6) dnl * To eliminate 8->7 bit base64 enconding define(`SMTP_MAILER_FLAGS',`8') dnl * Do not reveal my version number define(`confRECEIVED_HEADER',`$?sfrom $s $.$?_($?s$|from $.$_) $. by $j$?r with $r$. id $i$?u for $u$.; $b') dnl * Also, disable VRFY,EXPN define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') dnl * do STARTTLS define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl define(`confSERVER_CERT', `localCERT')dnl define(`confSERVER_KEY', `localCERT')dnl define(`confCLIENT_CERT', `localCERT')dnl define(`confCLIENT_KEY', `localCERT')dnl dnl * do SMTPAUTH define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl dnl * look for AuthOptions @ op.ps define(`confAUTH_OPTIONS', `A p y')dnl define(`confSAVE_FROM_LINES', `True')dnl define(`HELP_FILE',`none')dnl define(`confDELIVERY_MODE', `background')dnl dnl * define(`confMAX_MESSAGE_SIZE',`31457280') define(`confERROR_MESSAGE',`/etc/mail/error-header')dnl define(`confREJECT_MSG',`550 Access denied. For our users call IT dpt 911')dnl define(`confRELAY_MSG', `550 Relaying denied. For our users call IT dpt 911')dnl dnl define(`confSMTP_LOGIN_MSG',`$j server; $b') define(`confSMTP_LOGIN_MSG',`$j server ready.\nWelcome to us.\nSending UBE is forbidden.\nViolators will be severely prosecuted.') dnl * DAEMON_OPTIONS(`Name=MTA,Addr=0.0.0.0') DAEMON_OPTIONS(`Name=MTA,Addr=X.X.X.X') DAEMON_OPTIONS(`Name=MTA-local0,Addr=127.0.0.1') DAEMON_OPTIONS(`Name=MTA-local3,Addr=Y.Y.Y.Y') DAEMON_OPTIONS(`Family=inet,Name=MTA-SSL,Port=465,M=abs') # Maps define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl define(`confLDAP_CLUSTER', `SMTPCLUSTER') LOCAL_CONFIG Klocal_alias hash -T<TMPF> -o /etc/mail/aliases Kldap_alias ldap -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAKey=%0)) -v sendmailMTAAliasValue define(`ALIAS_FILE',`sequence: local_alias ldap_alias') FEATURE(`access_db', `LDAP') FEATURE(`mailertable', `LDAP') FEATURE(use_cw_file) FEATURE(use_ct_file) FEATURE(redirect) FEATURE(always_add_domain) FEATURE(blacklist_recipients) FEATURE(relay_entire_domain) # Milter define(`confMILTER_LOG_LEVEL',4) INPUT_MAIL_FILTER(`mailfrom', `S=unix:/var/run/mailfromd/mailfromd.sock, F=T, T=S:120s;R:360s') # Mailers MAILER_DEFINITIONS Mlocal-ldap, P=/usr/local/sbin/maidag, F=lsDFMA5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=maidag $u@$h MAILER(smtp)
submit.mc
divert(-1) # divert(0)dnl VERSIONID(`$Id: submit.mc,v 8.14 2006/04/05 05:54:41 ca Exp $') define(`confCF_VERSION', `Submit')dnl define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet define(`confTIME_ZONE', `USE_TZ')dnl define(`confDONT_INIT_GROUPS', `True')dnl define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') FEATURE(`msp', `[127.0.0.1]')dnl dnl * do STARTTLS define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl define(`confSERVER_CERT', `localCERT')dnl define(`confSERVER_KEY', `localCERT')dnl define(`confCLIENT_CERT', `localCERT')dnl define(`confCLIENT_KEY', `localCERT')dnl dnl * do SMTPAUTH define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl dnl * look for AuthOptions @ op.ps define(`confAUTH_OPTIONS', `A p y')dnl DAEMON_OPTIONS(`Family=inet,Name=MTA-TLS,M=Eab')
mailertable
in case to leave it as file, then in /etc/mail/mailertable put
foo.bar local-ldap:foo.bar foo.com local-ldap:foo.com
in case to put it in LDAP we need:
dn: sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap sendmailmtacluster: SMTPCLUSTER sendmailmtamapname: mailer dn: sendmailMTAKey=foo.bar,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap objectclass: sendmailMTAMapObject sendmailmtacluster: SMTPCLUSTER sendmailmtakey: foo.bar sendmailmtamapname: mailer sendmailmtamapvalue: local-ldap:foo.bar dn: sendmailMTAKey=foo.com,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap objectclass: sendmailMTAMapObject sendmailmtacluster: SMTPCLUSTER sendmailmtakey: foo.com sendmailmtamapname: mailer sendmailmtamapvalue: local-ldap:foo.com
test
#> ldd /usr/sbin/sendmail /usr/sbin/sendmail: libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8008cd000) libssl.so.6 => /usr/lib/libssl.so.6 (0x800ae8000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x800d3b000) libdb-4.4.so.0 => /usr/local/lib/libdb-4.4.so.0 (0x8010dc000) libldap-2.4.so.8 => /usr/local/lib/libldap-2.4.so.8 (0x8015f8000)
#> openssl s_client -connect relay.foo.bar:25 -starttls smtp CONNECTED(00000004) depth=0 /C=AU/ST=WS/L=Sidney/O=FooBar llc/OU=IT/CN=relay.foo.bar/emailAddress=security@foo.bar ... --- SSL handshake has read 2486 bytes and written 384 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA ... SSL-Session: Protocol : TLSv1 ... --- 250 HELP ehlo test 250-relay.foo.bar Hello [A.A.A.A], pleased to meet you ... 250-AUTH LOGIN PLAIN ... 250 HELP quit 221 2.0.0 relay.foo.bar closing connection
sendmail -bt > 3,0 testuser@foo.bar canonify input: testuser @ foo . bar Canonify2 input: testuser < @ foo . bar > Canonify2 returns: testuser < @ foo . bar . > canonify returns: testuser < @ foo . bar . > parse input: testuser < @ foo . bar . > Parse0 input: testuser < @ foo . bar . > Parse0 returns: testuser < @ foo . bar . > ParseLocal input: testuser < @ foo . bar . > ParseLocal returns: testuser < @ foo . bar . > Parse1 input: testuser < @ foo . bar . > MailerToTriple input: < local-ldap : foo . bar > testuser < @ foo . bar . > MailerToTriple returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > Parse1 returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > parse returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . >
aliases
native, sendmail aliases db supports only one domain and one users db
smap doesn't working with LDAP yet
the only way to do aliases this time it is to create separate, dedicated alias user and to do all need manipulations via it's .sieve script
mu
config
configure \ CPPFLAGS='-I/usr/local/include/ -I/usr/local/include/db44/ -I/usr/local/include/postgresql/ -I/usr/local/include/gnutls' \ LDFLAGS='-L/usr/local/lib/ -L/usr/local/lib/postgresql/ -L/usr/local/lib/db44' \ --enable-debug \ --with-berkeley-db \ --enable-pam \ --with-gnutls \ --with-postgres \ --with-ldap \ --disable-nls \ --disable-nntp \ --disable-radius
mailutils.rc
mailutils.rc ldap { enable yes; url "ldap://ldap.foo.bar:389/"; base "ou=people,dc=ibs"; binddn "uid=bind@mai.foo.bar,ou=people,dc=foo,dc=bar"; passwd "*****"; tls yes; debug 1; field-map "" "name=uid:" "passwd=userPassword:" "uid=uidNumber:" "gid=gidNumber:" "gecos=gecos:" "dir=homeDirectory:" "shell=loginShell:" "mailbox=mu-mailBox"; getpwnam "(|" "(&(authorizedService=mail@foo.bar)(uid=${user}))" "(&(authorizedService=mail@foo.bar)(cn=${user}))" "(&(authorizedService=mail@foo.com)(cn=${user})))"; getpwuid "(|" "(&(authorizedService=mail@foo.bar)(uid=${user}))" "(&(authorizedService=mail@foo.bar)(cn=${user}))" "(&(authorizedService=mail@foo.com)(cn=${user})))"; }; auth { authorization generic:ldap:system; authentication generic:ldap:system; }; mailbox { mailbox-type "maildir"; mailbox-pattern "maildir:/var/mail;type=index;param=2;user=${user}"; }; locking { retry-count 400; }; include /usr/local/etc/mailutils;
pop3d
tls { enable yes; ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; ssl-key /usr/local/etc/mailutils/ssl/mu.pem; }; logging { facility local3; }; debug { level "server.trace0"; line-info yes; }; #bulletin-source /var/spool/bulletin/bulletin.mbox; #bulletin-db /var/spool/bulletin/bulletin; max-children 30; mode daemon; pidfile /var/run/pop3d.pid; timeout 180; server X.X.X.X { transcript no; tls ondemand; }; server Y.Y.Y.Y { transcript no; tls required; }; server Y.Y.Y.Y:995 { transcript no; tls connection; }; acl { log from any "Connect from ${address}"; };
imap4d
tls { enable yes; ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; ssl-key /usr/local/etc/mailutils/ssl/mu.pem; }; logging { facility local2; }; mandatory-locking { enable 1; lock-directory /tmp; }; debug { level "server.trace0"; line-info yes; }; create-home-dir 1; shared-namespace "/var/mail/IMAP_SHARE"; shared-mailbox-mode g=rw; max-children 50; mode daemon; pidfile /var/run/imap4d.pid; timeout 300; server X.X.X.X { transcript yes; tls ondemand; }; server Y.Y.Y.Y { transcript no; tls required; }; server Y.Y.Y.Y:993 { transcript no; tls connection; }; acl { log from any "Connect from ${address}"; # allow Z.Z.Z.Z; # deny any; };
maidag
debug { line-info yes; }; logging { tag "maidag"; }; filter { language "sieve"; # pattern "/usr/local/etc/mailutils/scripts/%u"; # this time %u contains no domain part pattern "%h/.sieve"; };
test
#> telnet pop.foo.bar 110 Trying X.X.X.X... Connected to pop.foo.bar. Escape character is '^]'. +OK POP3 Ready <24289.1377897169@relay.foo.bar> user testuser@foo.bar +OK pass ***** +OK opened mailbox for testuser quit +OK Connection closed by foreign host. #> telnet imap.foo.bar 143 Trying X.X.X.X... Connected to imap.foo.bar. Escape character is '^]'. * OK IMAP4rev1 00 login testuser@foo.bar ***** 00 OK LOGIN Completed 11 logout * BYE Session terminating. 11 OK LOGOUT Completed Connection closed by foreign host.
External links
- About cyrus-sasl and openldap - FedoraForum.org
- OpenLDAP Faq-O-Matic: How can OpenLDAP, Cyrus-SASL, OpenSSL and KerberosV be combined?
- Options for Cyrus SASL
- HOW-TO svnserve SASL and LDAP
- Re: sendmail, SMTP Authentication & LDAP
- SMTP-AUTH for sendmail 8.12.x
- sendmail 8.10.0: FEATURE(ldap_routing) Schema
- cf/README - LDAP For Aliases, Maps, And Classes
- OpenLDAP, SASL, and Sendmail
- OpenLDAP Sendmail Configuration Schema Sample
- Sendmail+LDAP HOWTO
- sendmail with LDAP, TLS and AUTH
- Linux Administration: Routing and Alias Management with OpenLDAP and Sendmail