Difference between revisions of "Mailutils:HOWTO:Sendmail MU LDAP"
(→mu) |
|||
(23 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
'''Task''' | '''Task''' | ||
− | * to get users database | + | We have two domains: '''foo.bar''' and '''foo.com''', and want to provide email service for separate users like '''testuser@foo.bar''' and '''testuser@foo.com'''. |
+ | |||
+ | For that we need: | ||
+ | |||
+ | * to get users database in LDAP DB (OpenLDAP as LDAP server) | ||
* to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail via mailutils | * to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail via mailutils | ||
Line 7: | Line 11: | ||
== OpenLDAP == | == OpenLDAP == | ||
+ | |||
+ | The important decision have to be made on account of the directory topology: flat namespace or a hierarchical one | ||
+ | |||
+ | look at | ||
+ | * "LDAP System Administration" By Gerald Carter; ISBN: 1-56592-491-6 | ||
+ | * "Understanding and Deploying LDAP Directory Services", Second Edition By Timothy A. Howes Ph.D., Mark C. Smith, Gordon S. Good; ISBN: 0-672-32316-8. | ||
=== slapd.conf === | === slapd.conf === | ||
Line 188: | Line 198: | ||
</pre> | </pre> | ||
− | == sendmail with STARTTLS, SMTPAUTH, LDAP and db44 support == | + | == sendmail with [http://www.sendmail.com/sm/open_source/docs/m4/starttls.html STARTTLS], [http://www.sendmail.org/~ca/email/auth.html SMTPAUTH], [http://www.sendmail.com/sm/open_source/docs/m4/ldap.html LDAP] and db44 support == |
=== cyrus-sasl2 === | === cyrus-sasl2 === | ||
− | + | build cyrus-sasl2 with ldap and saslauthd | |
<pre> | <pre> | ||
Line 204: | Line 214: | ||
ldap_search_base: dc=foo,dc=bar | ldap_search_base: dc=foo,dc=bar | ||
ldap_filter: (&(uid=%U)(authorizedService=mail@foo.bar)) | ldap_filter: (&(uid=%U)(authorizedService=mail@foo.bar)) | ||
+ | </pre> | ||
+ | |||
+ | ==== Sendmail.conf ==== | ||
+ | |||
+ | in FreeBSD it is /usr/local/lib/sasl2/Sendmail.conf | ||
+ | |||
+ | <pre> | ||
+ | pwcheck_method: saslauthd | ||
+ | log_level: 5 | ||
</pre> | </pre> | ||
Line 240: | Line 259: | ||
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB') | APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB') | ||
</pre> | </pre> | ||
+ | |||
+ | ==== DNS PTR ==== | ||
+ | |||
+ | '''IMPORTANT:''' PTR '''''is not looked at mailertable''''' and considered as '''''local''''' | ||
==== sendmail.mc ==== | ==== sendmail.mc ==== | ||
Line 292: | Line 315: | ||
# Maps | # Maps | ||
define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl | define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl | ||
− | define(`confLDAP_CLUSTER', ` | + | define(`confLDAP_CLUSTER', `SMTPCLUSTER') |
LOCAL_CONFIG | LOCAL_CONFIG | ||
Line 320: | Line 343: | ||
MAILER(smtp) | MAILER(smtp) | ||
+ | </pre> | ||
+ | |||
+ | ==== submit.mc ==== | ||
+ | <pre> | ||
+ | divert(-1) | ||
+ | # | ||
+ | |||
+ | divert(0)dnl | ||
+ | VERSIONID(`$Id: submit.mc,v 8.14 2006/04/05 05:54:41 ca Exp $') | ||
+ | define(`confCF_VERSION', `Submit')dnl | ||
+ | define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining | ||
+ | define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet | ||
+ | define(`confTIME_ZONE', `USE_TZ')dnl | ||
+ | define(`confDONT_INIT_GROUPS', `True')dnl | ||
+ | define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') | ||
+ | |||
+ | FEATURE(`msp', `[127.0.0.1]')dnl | ||
+ | |||
+ | dnl * do STARTTLS | ||
+ | define(`confCACERT_PATH', `/etc/mail/certs')dnl | ||
+ | define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl | ||
+ | define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl | ||
+ | define(`confSERVER_CERT', `localCERT')dnl | ||
+ | define(`confSERVER_KEY', `localCERT')dnl | ||
+ | define(`confCLIENT_CERT', `localCERT')dnl | ||
+ | define(`confCLIENT_KEY', `localCERT')dnl | ||
+ | |||
+ | dnl * do SMTPAUTH | ||
+ | define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl | ||
+ | TRUST_AUTH_MECH(`LOGIN PLAIN')dnl | ||
+ | |||
+ | dnl * look for AuthOptions @ op.ps | ||
+ | define(`confAUTH_OPTIONS', `A p y')dnl | ||
+ | |||
+ | DAEMON_OPTIONS(`Family=inet,Name=MTA-TLS,M=Eab') | ||
</pre> | </pre> | ||
Line 329: | Line 387: | ||
</pre> | </pre> | ||
− | in case to put | + | in case to put it in LDAP we need: |
<pre> | <pre> | ||
Line 335: | Line 393: | ||
objectclass: sendmailMTA | objectclass: sendmailMTA | ||
objectclass: sendmailMTAMap | objectclass: sendmailMTAMap | ||
− | sendmailmtacluster: | + | sendmailmtacluster: SMTPCLUSTER |
sendmailmtamapname: mailer | sendmailmtamapname: mailer | ||
Line 342: | Line 400: | ||
objectclass: sendmailMTAMap | objectclass: sendmailMTAMap | ||
objectclass: sendmailMTAMapObject | objectclass: sendmailMTAMapObject | ||
− | sendmailmtacluster: | + | sendmailmtacluster: SMTPCLUSTER |
sendmailmtakey: foo.bar | sendmailmtakey: foo.bar | ||
sendmailmtamapname: mailer | sendmailmtamapname: mailer | ||
Line 351: | Line 409: | ||
objectclass: sendmailMTAMap | objectclass: sendmailMTAMap | ||
objectclass: sendmailMTAMapObject | objectclass: sendmailMTAMapObject | ||
− | sendmailmtacluster: | + | sendmailmtacluster: SMTPCLUSTER |
sendmailmtakey: foo.com | sendmailmtakey: foo.com | ||
sendmailmtamapname: mailer | sendmailmtamapname: mailer | ||
Line 358: | Line 416: | ||
==== test ==== | ==== test ==== | ||
+ | <pre> | ||
+ | #> ldd /usr/sbin/sendmail | ||
+ | /usr/sbin/sendmail: | ||
+ | libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8008cd000) | ||
+ | libssl.so.6 => /usr/lib/libssl.so.6 (0x800ae8000) | ||
+ | libcrypto.so.6 => /lib/libcrypto.so.6 (0x800d3b000) | ||
+ | libdb-4.4.so.0 => /usr/local/lib/libdb-4.4.so.0 (0x8010dc000) | ||
+ | libldap-2.4.so.8 => /usr/local/lib/libldap-2.4.so.8 (0x8015f8000) | ||
+ | </pre> | ||
+ | |||
+ | <pre> | ||
+ | #> openssl s_client -connect relay.foo.bar:25 -starttls smtp | ||
+ | CONNECTED(00000004) | ||
+ | depth=0 /C=AU/ST=WS/L=Sidney/O=FooBar llc/OU=IT/CN=relay.foo.bar/emailAddress=security@foo.bar | ||
+ | ... | ||
+ | --- | ||
+ | SSL handshake has read 2486 bytes and written 384 bytes | ||
+ | --- | ||
+ | New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA | ||
+ | ... | ||
+ | SSL-Session: | ||
+ | Protocol : TLSv1 | ||
+ | ... | ||
+ | --- | ||
+ | 250 HELP | ||
+ | ehlo test | ||
+ | 250-relay.foo.bar Hello [A.A.A.A], pleased to meet you | ||
+ | ... | ||
+ | 250-AUTH LOGIN PLAIN | ||
+ | ... | ||
+ | 250 HELP | ||
+ | quit | ||
+ | 221 2.0.0 relay.foo.bar closing connection | ||
+ | </pre> | ||
+ | |||
<pre> | <pre> | ||
sendmail -bt | sendmail -bt | ||
Line 376: | Line 469: | ||
parse returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > | parse returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > | ||
</pre> | </pre> | ||
+ | |||
+ | ==== aliases ==== | ||
+ | |||
+ | native, sendmail aliases db supports only one domain and one users db | ||
+ | |||
+ | smap doesn't working with LDAP yet | ||
+ | |||
+ | the only way to do aliases this time it is to create separate, dedicated alias user and to do all need manipulations via it's .sieve script | ||
== mu == | == mu == | ||
Line 407: | Line 508: | ||
tls yes; | tls yes; | ||
debug 1; | debug 1; | ||
− | field-map "name=uid:passwd=userPassword:uid=uidNumber:gid=gidNumber:gecos=gecos:dir=homeDirectory:shell=loginShell:mailbox=mu-mailBox"; | + | |
− | getpwnam "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))"; | + | field-map "" |
− | getpwuid "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))"; | + | "name=uid:" |
+ | "passwd=userPassword:" | ||
+ | "uid=uidNumber:" | ||
+ | "gid=gidNumber:" | ||
+ | "gecos=gecos:" | ||
+ | "dir=homeDirectory:" | ||
+ | "shell=loginShell:" | ||
+ | "mailbox=mu-mailBox"; | ||
+ | |||
+ | getpwnam "(|" | ||
+ | "(&(authorizedService=mail@foo.bar)(uid=${user}))" | ||
+ | "(&(authorizedService=mail@foo.bar)(cn=${user}))" | ||
+ | "(&(authorizedService=mail@foo.com)(cn=${user})))"; | ||
+ | |||
+ | getpwuid "(|" | ||
+ | "(&(authorizedService=mail@foo.bar)(uid=${user}))" | ||
+ | "(&(authorizedService=mail@foo.bar)(cn=${user}))" | ||
+ | "(&(authorizedService=mail@foo.com)(cn=${user})))"; | ||
}; | }; | ||
Line 428: | Line 546: | ||
include /usr/local/etc/mailutils; | include /usr/local/etc/mailutils; | ||
</pre> | </pre> | ||
− | |||
=== pop3d === | === pop3d === | ||
Line 540: | Line 657: | ||
filter { | filter { | ||
language "sieve"; | language "sieve"; | ||
− | pattern "/usr/local/etc/mailutils/scripts/%u"; | + | # pattern "/usr/local/etc/mailutils/scripts/%u"; # this time %u contains no domain part |
+ | pattern "%h/.sieve"; | ||
}; | }; | ||
</pre> | </pre> | ||
Line 571: | Line 689: | ||
Connection closed by foreign host. | Connection closed by foreign host. | ||
</pre> | </pre> | ||
+ | |||
+ | == External links == | ||
+ | * [http://forums.fedoraforum.org/showthread.php?t=80057 About cyrus-sasl and openldap - FedoraForum.org] | ||
+ | * [http://www.openldap.org/faq/data/cache/544.html OpenLDAP Faq-O-Matic: How can OpenLDAP, Cyrus-SASL, OpenSSL and KerberosV be combined?] | ||
+ | * [http://www.sendmail.org/~ca/email/cyrus2/options.html Options for Cyrus SASL] | ||
+ | * [http://p-o.co.uk/tech-articles/63-howto-svnserve-sasl-and-ldap.html HOW-TO svnserve SASL and LDAP] | ||
+ | * [http://www.redhat.com/archives/redhat-list/2002-November/msg02807.html Re: sendmail, SMTP Authentication & LDAP] | ||
+ | * [http://docs.snake.de/smtp-auth.html SMTP-AUTH for sendmail 8.12.x] | ||
+ | * [http://www.sendmail.org/~gshapiro/8.10.Training/schema.html sendmail 8.10.0: FEATURE(ldap_routing) Schema] | ||
+ | * [http://www.sendmail.com/sm/open_source/docs/m4/ldap.html cf/README - LDAP For Aliases, Maps, And Classes] | ||
+ | * [http://www.ltrr.arizona.edu/~mmunro/ldapmail/ OpenLDAP, SASL, and Sendmail] | ||
+ | * [http://seriousbirder.com/blogs/openldap-sendmail-configuration-schema-sample/ OpenLDAP Sendmail Configuration Schema Sample] | ||
+ | * [http://ftp.ofloo.net/pub/howtos/mail/sendmail-ldap.html Sendmail+LDAP HOWTO] | ||
+ | * [http://logout.sh/computers/sendmail/ sendmail with LDAP, TLS and AUTH] | ||
+ | * [http://kaivanov.blogspot.com/2010/09/routing-and-alias-management-with.html Linux Administration: Routing and Alias Management with OpenLDAP and Sendmail] |
Latest revision as of 04:28, 9 May 2014
Task
We have two domains: foo.bar and foo.com, and want to provide email service for separate users like testuser@foo.bar and testuser@foo.com.
For that we need:
- to get users database in LDAP DB (OpenLDAP as LDAP server)
- to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail via mailutils
all described was deployed on FreeBSD
OpenLDAP
The important decision have to be made on account of the directory topology: flat namespace or a hierarchical one
look at
- "LDAP System Administration" By Gerald Carter; ISBN: 1-56592-491-6
- "Understanding and Deploying LDAP Directory Services", Second Edition By Timothy A. Howes Ph.D., Mark C. Smith, Gordon S. Good; ISBN: 0-672-32316-8.
slapd.conf
include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/openldap.schema include /usr/local/etc/openldap/schema/misc.schema include /usr/local/etc/openldap/schema/ldapns.schema include /usr/local/etc/openldap/schema/asterisk.schema include /usr/local/etc/openldap/schema/sendmail.schema loglevel stats pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args modulepath /usr/local/libexec/openldap moduleload back_bdb moduleload back_hdb moduleload back_monitor moduleload syncprov TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem TLSCertificateFile /usr/local/etc/openldap/ssl/srv1cert.pem TLSCertificateKeyFile /usr/local/etc/openldap/ssl/srv1key.pem TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 TLSVerifyClient never security ssf=128 access to dn.exact="" by * read access to * by peername.ip=127.0.0.1 break by peername.ip=X.X.X.X break access to * by set="[cn=bind,ou=group,dc=ibs]/memberUid & user/uid" read by set="[cn=admin,ou=group,dc=ibs]/memberUid & user/uid" write by self read by * search database bdb suffix "dc=foo,dc=bar" rootdn "cn=ldapmaster,dc=foo,dc=bar" rootpw {SSHA}Osdfkjwh89974500sdfjhjhLKJHKLJLKJlLKJljlj directory /var/db/openldap-data/foo.bar monitoring on index default eq,sub index objectClass eq index uidNumber eq index gidNumber eq index memberUid eq index cn,sn,uid,displayName pres,sub,eq index authorizedService eq index sendmailMTAAliasGrouping eq index sendmailMTACluster eq index sendmailMTAHost eq index sendmailMTAKey eq index sendmailMTAMapName eq overlay memberof overlay unique unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.bar) unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.com)
ldap.conf
BASE dc=foo,dc=bar URI ldap://ldap.foo.bar:389 SIZELIMIT 0 TLS_REQCERT allow TLS_CACERT /usr/local/etc/openldap/cacert.pem
.ldif
dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar cn: testuser@foo.bar description: unique user across whole user database gidnumber: 12345 homedirectory: /nonexistent loginshell: /sbin/nologin objectclass: top objectclass: posixAccount objectclass: inetOrgPerson objectclass: organizationalPerson objectclass: person objectclass: inetLocalMailRecipient sn: test user uid: officeX-testuser uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.bar authorizedservice: mail@foo.bar cn: testuser@foo.bar description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.bar uid: testuser@foo.bar uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ dn: authorizedService=mail@foo.com,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.com authorizedservice: mail@foo.com cn: testuser@foo.com description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.com/testuser@foo.com loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.com/testuser@foo.com objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.com uid: testuser@foo.com uidnumber: 10001 userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/
test
# ldapsearch -xZZ -D uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar -w ***** -b ou=people,dc=foo,dc=bar -v "(&(authorizedService=mail@foo.bar)(uid=testuser))" ldap_initialize( <DEFAULT> ) filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <ou=people,dc=foo,dc=bar> with scope subtree # filter: (&(authorizedService=mail@foo.bar)(uid=testuser)) # requesting: ALL # # mail@foo.bar, officeX-testuser, People, foo, bar dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar associateddomain: foo.bar authorizedservice: mail@foo.bar cn: testuser@foo.bar description: auxiliary service/s account (like email, web, e.t.c. access) gidnumber: 10106 homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar loginshell: /sbin/nologin mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar objectclass: posixAccount objectclass: shadowAccount objectclass: inetOrgPerson objectclass: authorizedServiceObject objectclass: domainRelatedObject objectclass: mailutilsAccount sn: testuser@foo.bar uid: testuser@foo.bar uidnumber: 10001 userPassword:: ***************************************** # search result search: 3 result: 0 Success # numResponses: 2 # numEntries: 1
sendmail with STARTTLS, SMTPAUTH, LDAP and db44 support
cyrus-sasl2
build cyrus-sasl2 with ldap and saslauthd
saslauthd.conf ldap_servers: ldap://ldap.foo.bar/ ldap_start_tls: yes ldap_tls_cacert_file: /usr/local/etc/openldap/cacert.pem ldap_auth_method: bind ldap_bind_dn: uid=bind@mail.foo.bar,ou=people,dc=foo,dc=bar ldap_password: ****** ldap_search_base: dc=foo,dc=bar ldap_filter: (&(uid=%U)(authorizedService=mail@foo.bar))
Sendmail.conf
in FreeBSD it is /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd log_level: 5
test
# testsaslauthd -u testuser@foo.bar -p theverypassword 0: OK "Success."
sendmail
build config
site.config.m4
## # general APPENDDEF(`confINCDIRS', `-I/usr/local/include -I/usr/local/include/db44') APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/lib/db44') ## DB44 #APPENDDEF(`confENVDEF', `-I/usr/local/include -I/usr/local/include/db44') #APPENDDEF(`conf_sendmail_LIBS', `-L/usr/local/lib -L/usr/local/lib/db44') # SASL2 (smtp authentication) APPENDDEF(`confENVDEF', `-DSASL=2') APPENDDEF(`conf_sendmail_LIBS', `-lsasl2') # LDAP APPENDDEF(`confMAPDEF', `-DLDAPMAP') APPENDDEF(`confLIBS', `-lldap -llber') # STARTTLS (smtp + tls/ssl) APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -D_FFR_TLS_1') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') # rest APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB')
DNS PTR
IMPORTANT: PTR is not looked at mailertable and considered as local
sendmail.mc
dnl * Sendmail configuration divert(-1) OSTYPE(freebsd6) dnl * To eliminate 8->7 bit base64 enconding define(`SMTP_MAILER_FLAGS',`8') dnl * Do not reveal my version number define(`confRECEIVED_HEADER',`$?sfrom $s $.$?_($?s$|from $.$_) $. by $j$?r with $r$. id $i$?u for $u$.; $b') dnl * Also, disable VRFY,EXPN define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') dnl * do STARTTLS define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl define(`confSERVER_CERT', `localCERT')dnl define(`confSERVER_KEY', `localCERT')dnl define(`confCLIENT_CERT', `localCERT')dnl define(`confCLIENT_KEY', `localCERT')dnl dnl * do SMTPAUTH define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl dnl * look for AuthOptions @ op.ps define(`confAUTH_OPTIONS', `A p y')dnl define(`confSAVE_FROM_LINES', `True')dnl define(`HELP_FILE',`none')dnl define(`confDELIVERY_MODE', `background')dnl dnl * define(`confMAX_MESSAGE_SIZE',`31457280') define(`confERROR_MESSAGE',`/etc/mail/error-header')dnl define(`confREJECT_MSG',`550 Access denied. For our users call IT dpt 911')dnl define(`confRELAY_MSG', `550 Relaying denied. For our users call IT dpt 911')dnl dnl define(`confSMTP_LOGIN_MSG',`$j server; $b') define(`confSMTP_LOGIN_MSG',`$j server ready.\nWelcome to us.\nSending UBE is forbidden.\nViolators will be severely prosecuted.') dnl * DAEMON_OPTIONS(`Name=MTA,Addr=0.0.0.0') DAEMON_OPTIONS(`Name=MTA,Addr=X.X.X.X') DAEMON_OPTIONS(`Name=MTA-local0,Addr=127.0.0.1') DAEMON_OPTIONS(`Name=MTA-local3,Addr=Y.Y.Y.Y') DAEMON_OPTIONS(`Family=inet,Name=MTA-SSL,Port=465,M=abs') # Maps define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl define(`confLDAP_CLUSTER', `SMTPCLUSTER') LOCAL_CONFIG Klocal_alias hash -T<TMPF> -o /etc/mail/aliases Kldap_alias ldap -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAKey=%0)) -v sendmailMTAAliasValue define(`ALIAS_FILE',`sequence: local_alias ldap_alias') FEATURE(`access_db', `LDAP') FEATURE(`mailertable', `LDAP') FEATURE(use_cw_file) FEATURE(use_ct_file) FEATURE(redirect) FEATURE(always_add_domain) FEATURE(blacklist_recipients) FEATURE(relay_entire_domain) # Milter define(`confMILTER_LOG_LEVEL',4) INPUT_MAIL_FILTER(`mailfrom', `S=unix:/var/run/mailfromd/mailfromd.sock, F=T, T=S:120s;R:360s') # Mailers MAILER_DEFINITIONS Mlocal-ldap, P=/usr/local/sbin/maidag, F=lsDFMA5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, T=DNS/RFC822/X-Unix, A=maidag $u@$h MAILER(smtp)
submit.mc
divert(-1) # divert(0)dnl VERSIONID(`$Id: submit.mc,v 8.14 2006/04/05 05:54:41 ca Exp $') define(`confCF_VERSION', `Submit')dnl define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet define(`confTIME_ZONE', `USE_TZ')dnl define(`confDONT_INIT_GROUPS', `True')dnl define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo') FEATURE(`msp', `[127.0.0.1]')dnl dnl * do STARTTLS define(`confCACERT_PATH', `/etc/mail/certs')dnl define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl define(`confSERVER_CERT', `localCERT')dnl define(`confSERVER_KEY', `localCERT')dnl define(`confCLIENT_CERT', `localCERT')dnl define(`confCLIENT_KEY', `localCERT')dnl dnl * do SMTPAUTH define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl TRUST_AUTH_MECH(`LOGIN PLAIN')dnl dnl * look for AuthOptions @ op.ps define(`confAUTH_OPTIONS', `A p y')dnl DAEMON_OPTIONS(`Family=inet,Name=MTA-TLS,M=Eab')
mailertable
in case to leave it as file, then in /etc/mail/mailertable put
foo.bar local-ldap:foo.bar foo.com local-ldap:foo.com
in case to put it in LDAP we need:
dn: sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap sendmailmtacluster: SMTPCLUSTER sendmailmtamapname: mailer dn: sendmailMTAKey=foo.bar,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap objectclass: sendmailMTAMapObject sendmailmtacluster: SMTPCLUSTER sendmailmtakey: foo.bar sendmailmtamapname: mailer sendmailmtamapvalue: local-ldap:foo.bar dn: sendmailMTAKey=foo.com,sendmailMTAMapName=mailer,ou=core.relay.foo.bar,ou=Sendmail,dc=foo,dc=bar objectclass: sendmailMTA objectclass: sendmailMTAMap objectclass: sendmailMTAMapObject sendmailmtacluster: SMTPCLUSTER sendmailmtakey: foo.com sendmailmtamapname: mailer sendmailmtamapvalue: local-ldap:foo.com
test
#> ldd /usr/sbin/sendmail /usr/sbin/sendmail: libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x8008cd000) libssl.so.6 => /usr/lib/libssl.so.6 (0x800ae8000) libcrypto.so.6 => /lib/libcrypto.so.6 (0x800d3b000) libdb-4.4.so.0 => /usr/local/lib/libdb-4.4.so.0 (0x8010dc000) libldap-2.4.so.8 => /usr/local/lib/libldap-2.4.so.8 (0x8015f8000)
#> openssl s_client -connect relay.foo.bar:25 -starttls smtp CONNECTED(00000004) depth=0 /C=AU/ST=WS/L=Sidney/O=FooBar llc/OU=IT/CN=relay.foo.bar/emailAddress=security@foo.bar ... --- SSL handshake has read 2486 bytes and written 384 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA ... SSL-Session: Protocol : TLSv1 ... --- 250 HELP ehlo test 250-relay.foo.bar Hello [A.A.A.A], pleased to meet you ... 250-AUTH LOGIN PLAIN ... 250 HELP quit 221 2.0.0 relay.foo.bar closing connection
sendmail -bt > 3,0 testuser@foo.bar canonify input: testuser @ foo . bar Canonify2 input: testuser < @ foo . bar > Canonify2 returns: testuser < @ foo . bar . > canonify returns: testuser < @ foo . bar . > parse input: testuser < @ foo . bar . > Parse0 input: testuser < @ foo . bar . > Parse0 returns: testuser < @ foo . bar . > ParseLocal input: testuser < @ foo . bar . > ParseLocal returns: testuser < @ foo . bar . > Parse1 input: testuser < @ foo . bar . > MailerToTriple input: < local-ldap : foo . bar > testuser < @ foo . bar . > MailerToTriple returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > Parse1 returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . > parse returns: $# local-ldap $@ foo . bar $: testuser < @ foo . bar . >
aliases
native, sendmail aliases db supports only one domain and one users db
smap doesn't working with LDAP yet
the only way to do aliases this time it is to create separate, dedicated alias user and to do all need manipulations via it's .sieve script
mu
config
configure \ CPPFLAGS='-I/usr/local/include/ -I/usr/local/include/db44/ -I/usr/local/include/postgresql/ -I/usr/local/include/gnutls' \ LDFLAGS='-L/usr/local/lib/ -L/usr/local/lib/postgresql/ -L/usr/local/lib/db44' \ --enable-debug \ --with-berkeley-db \ --enable-pam \ --with-gnutls \ --with-postgres \ --with-ldap \ --disable-nls \ --disable-nntp \ --disable-radius
mailutils.rc
mailutils.rc ldap { enable yes; url "ldap://ldap.foo.bar:389/"; base "ou=people,dc=ibs"; binddn "uid=bind@mai.foo.bar,ou=people,dc=foo,dc=bar"; passwd "*****"; tls yes; debug 1; field-map "" "name=uid:" "passwd=userPassword:" "uid=uidNumber:" "gid=gidNumber:" "gecos=gecos:" "dir=homeDirectory:" "shell=loginShell:" "mailbox=mu-mailBox"; getpwnam "(|" "(&(authorizedService=mail@foo.bar)(uid=${user}))" "(&(authorizedService=mail@foo.bar)(cn=${user}))" "(&(authorizedService=mail@foo.com)(cn=${user})))"; getpwuid "(|" "(&(authorizedService=mail@foo.bar)(uid=${user}))" "(&(authorizedService=mail@foo.bar)(cn=${user}))" "(&(authorizedService=mail@foo.com)(cn=${user})))"; }; auth { authorization generic:ldap:system; authentication generic:ldap:system; }; mailbox { mailbox-type "maildir"; mailbox-pattern "maildir:/var/mail;type=index;param=2;user=${user}"; }; locking { retry-count 400; }; include /usr/local/etc/mailutils;
pop3d
tls { enable yes; ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; ssl-key /usr/local/etc/mailutils/ssl/mu.pem; }; logging { facility local3; }; debug { level "server.trace0"; line-info yes; }; #bulletin-source /var/spool/bulletin/bulletin.mbox; #bulletin-db /var/spool/bulletin/bulletin; max-children 30; mode daemon; pidfile /var/run/pop3d.pid; timeout 180; server X.X.X.X { transcript no; tls ondemand; }; server Y.Y.Y.Y { transcript no; tls required; }; server Y.Y.Y.Y:995 { transcript no; tls connection; }; acl { log from any "Connect from ${address}"; };
imap4d
tls { enable yes; ssl-cert /usr/local/etc/mailutils/ssl/mu.pem; ssl-key /usr/local/etc/mailutils/ssl/mu.pem; }; logging { facility local2; }; mandatory-locking { enable 1; lock-directory /tmp; }; debug { level "server.trace0"; line-info yes; }; create-home-dir 1; shared-namespace "/var/mail/IMAP_SHARE"; shared-mailbox-mode g=rw; max-children 50; mode daemon; pidfile /var/run/imap4d.pid; timeout 300; server X.X.X.X { transcript yes; tls ondemand; }; server Y.Y.Y.Y { transcript no; tls required; }; server Y.Y.Y.Y:993 { transcript no; tls connection; }; acl { log from any "Connect from ${address}"; # allow Z.Z.Z.Z; # deny any; };
maidag
debug { line-info yes; }; logging { tag "maidag"; }; filter { language "sieve"; # pattern "/usr/local/etc/mailutils/scripts/%u"; # this time %u contains no domain part pattern "%h/.sieve"; };
test
#> telnet pop.foo.bar 110 Trying X.X.X.X... Connected to pop.foo.bar. Escape character is '^]'. +OK POP3 Ready <24289.1377897169@relay.foo.bar> user testuser@foo.bar +OK pass ***** +OK opened mailbox for testuser quit +OK Connection closed by foreign host. #> telnet imap.foo.bar 143 Trying X.X.X.X... Connected to imap.foo.bar. Escape character is '^]'. * OK IMAP4rev1 00 login testuser@foo.bar ***** 00 OK LOGIN Completed 11 logout * BYE Session terminating. 11 OK LOGOUT Completed Connection closed by foreign host.
External links
- About cyrus-sasl and openldap - FedoraForum.org
- OpenLDAP Faq-O-Matic: How can OpenLDAP, Cyrus-SASL, OpenSSL and KerberosV be combined?
- Options for Cyrus SASL
- HOW-TO svnserve SASL and LDAP
- Re: sendmail, SMTP Authentication & LDAP
- SMTP-AUTH for sendmail 8.12.x
- sendmail 8.10.0: FEATURE(ldap_routing) Schema
- cf/README - LDAP For Aliases, Maps, And Classes
- OpenLDAP, SASL, and Sendmail
- OpenLDAP Sendmail Configuration Schema Sample
- Sendmail+LDAP HOWTO
- sendmail with LDAP, TLS and AUTH
- Linux Administration: Routing and Alias Management with OpenLDAP and Sendmail