Difference between revisions of "Mailutils:HOWTO:Sendmail MU LDAP"
From Mailutils
Jump to navigationJump to search| Line 9: | Line 9: | ||
=== slapd.conf === | === slapd.conf === | ||
| + | <pre> | ||
| + | include /usr/local/etc/openldap/schema/core.schema | ||
| + | include /usr/local/etc/openldap/schema/cosine.schema | ||
| + | include /usr/local/etc/openldap/schema/inetorgperson.schema | ||
| + | include /usr/local/etc/openldap/schema/nis.schema | ||
| + | include /usr/local/etc/openldap/schema/openldap.schema | ||
| + | include /usr/local/etc/openldap/schema/misc.schema | ||
| + | include /usr/local/etc/openldap/schema/ldapns.schema | ||
| + | include /usr/local/etc/openldap/schema/asterisk.schema | ||
| + | include /usr/local/etc/openldap/schema/sendmail.schema | ||
| + | |||
| + | loglevel stats | ||
| + | |||
| + | pidfile /var/run/openldap/slapd.pid | ||
| + | argsfile /var/run/openldap/slapd.args | ||
| + | |||
| + | modulepath /usr/local/libexec/openldap | ||
| + | moduleload back_bdb | ||
| + | moduleload back_hdb | ||
| + | moduleload back_monitor | ||
| + | moduleload syncprov | ||
| + | |||
| + | TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem | ||
| + | TLSCertificateFile /usr/local/etc/openldap/ssl/srv1cert.pem | ||
| + | TLSCertificateKeyFile /usr/local/etc/openldap/ssl/srv1key.pem | ||
| + | TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 | ||
| + | TLSVerifyClient never | ||
| + | security ssf=128 | ||
| + | |||
| + | access to dn.exact="" by * read | ||
| + | access to * | ||
| + | by peername.ip=127.0.0.1 break | ||
| + | by peername.ip=X.X.X.X break | ||
| + | access to * | ||
| + | by set="[cn=bind,ou=group,dc=ibs]/memberUid & user/uid" read | ||
| + | by set="[cn=admin,ou=group,dc=ibs]/memberUid & user/uid" write | ||
| + | by self read | ||
| + | by * search | ||
| + | database bdb | ||
| + | suffix "dc=foo,dc=bar" | ||
| + | rootdn "cn=ldapmaster,dc=foo,dc=bar" | ||
| + | rootpw {SSHA}Osdfkjwh89974500sdfjhjhLKJHKLJLKJlLKJljlj | ||
| + | directory /var/db/openldap-data/foo.bar | ||
| + | monitoring on | ||
| + | |||
| + | index default eq,sub | ||
| + | index objectClass eq | ||
| + | index uidNumber eq | ||
| + | index gidNumber eq | ||
| + | index memberUid eq | ||
| + | index cn,sn,uid,displayName pres,sub,eq | ||
| + | index authorizedService eq | ||
| + | index sendmailMTAAliasGrouping eq | ||
| + | index sendmailMTACluster eq | ||
| + | index sendmailMTAHost eq | ||
| + | index sendmailMTAKey eq | ||
| + | index sendmailMTAMapName eq | ||
| + | |||
| + | overlay memberof | ||
| + | |||
| + | overlay unique | ||
| + | unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.bar) | ||
| + | unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.com) | ||
| + | </pre> | ||
=== LDIF === | === LDIF === | ||
| Line 15: | Line 79: | ||
dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar | dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
cn: testuser@foo.bar | cn: testuser@foo.bar | ||
| + | description: unique user across whole user database | ||
gidnumber: 12345 | gidnumber: 12345 | ||
homedirectory: /nonexistent | homedirectory: /nonexistent | ||
| Line 33: | Line 98: | ||
authorizedservice: mail@foo.bar | authorizedservice: mail@foo.bar | ||
cn: testuser@foo.bar | cn: testuser@foo.bar | ||
| + | description: auxiliary service/s account (like email, web, e.t.c. access) | ||
gidnumber: 10106 | gidnumber: 10106 | ||
homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar | homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar | ||
| Line 45: | Line 111: | ||
sn: testuser@foo.bar | sn: testuser@foo.bar | ||
uid: testuser@foo.bar | uid: testuser@foo.bar | ||
| + | uidnumber: 10001 | ||
| + | userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | ||
| + | |||
| + | dn: authorizedService=mail@foo.com,uid=officeX-testuser,ou=People,dc=foo,dc=bar | ||
| + | associateddomain: foo.com | ||
| + | authorizedservice: mail@foo.com | ||
| + | cn: testuser@foo.com | ||
| + | description: auxiliary service/s account (like email, web, e.t.c. access) | ||
| + | gidnumber: 10106 | ||
| + | homedirectory: /var/mail/IMAP_HOMES/foo.com/testuser@foo.com | ||
| + | loginshell: /sbin/nologin | ||
| + | mu-mailbox: maildir:/var/mail/foo.com/testuser@foo.com | ||
| + | objectclass: posixAccount | ||
| + | objectclass: shadowAccount | ||
| + | objectclass: inetOrgPerson | ||
| + | objectclass: authorizedServiceObject | ||
| + | objectclass: domainRelatedObject | ||
| + | objectclass: mailutilsAccount | ||
| + | sn: testuser@foo.com | ||
| + | uid: testuser@foo.com | ||
uidnumber: 10001 | uidnumber: 10001 | ||
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/ | ||
Revision as of 11:40, 30 August 2013
Task
- to get users database in accessible via LDAP
- to get multidomain (multi domains with separate (if needed) users for each domain) support in sendmail
all described was deployed on FreeBSD
LDAP
slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/ldapns.schema
include /usr/local/etc/openldap/schema/asterisk.schema
include /usr/local/etc/openldap/schema/sendmail.schema
loglevel stats
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_hdb
moduleload back_monitor
moduleload syncprov
TLSCACertificateFile /usr/local/etc/openldap/ssl/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/ssl/srv1cert.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ssl/srv1key.pem
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
TLSVerifyClient never
security ssf=128
access to dn.exact="" by * read
access to *
by peername.ip=127.0.0.1 break
by peername.ip=X.X.X.X break
access to *
by set="[cn=bind,ou=group,dc=ibs]/memberUid & user/uid" read
by set="[cn=admin,ou=group,dc=ibs]/memberUid & user/uid" write
by self read
by * search
database bdb
suffix "dc=foo,dc=bar"
rootdn "cn=ldapmaster,dc=foo,dc=bar"
rootpw {SSHA}Osdfkjwh89974500sdfjhjhLKJHKLJLKJlLKJljlj
directory /var/db/openldap-data/foo.bar
monitoring on
index default eq,sub
index objectClass eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index cn,sn,uid,displayName pres,sub,eq
index authorizedService eq
index sendmailMTAAliasGrouping eq
index sendmailMTACluster eq
index sendmailMTAHost eq
index sendmailMTAKey eq
index sendmailMTAMapName eq
overlay memberof
overlay unique
unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.bar)
unique_uri ldap:///ou=People,dc=foo,dc=bar?uid?sub?(authorizedService=mail@foo.com)
LDIF
dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar
cn: testuser@foo.bar
description: unique user across whole user database
gidnumber: 12345
homedirectory: /nonexistent
loginshell: /sbin/nologin
objectclass: top
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: inetLocalMailRecipient
sn: test user
uid: officeX-testuser
uidnumber: 10001
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/
dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar
associateddomain: foo.bar
authorizedservice: mail@foo.bar
cn: testuser@foo.bar
description: auxiliary service/s account (like email, web, e.t.c. access)
gidnumber: 10106
homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar
loginshell: /sbin/nologin
mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar
objectclass: posixAccount
objectclass: shadowAccount
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
objectclass: domainRelatedObject
objectclass: mailutilsAccount
sn: testuser@foo.bar
uid: testuser@foo.bar
uidnumber: 10001
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/
dn: authorizedService=mail@foo.com,uid=officeX-testuser,ou=People,dc=foo,dc=bar
associateddomain: foo.com
authorizedservice: mail@foo.com
cn: testuser@foo.com
description: auxiliary service/s account (like email, web, e.t.c. access)
gidnumber: 10106
homedirectory: /var/mail/IMAP_HOMES/foo.com/testuser@foo.com
loginshell: /sbin/nologin
mu-mailbox: maildir:/var/mail/foo.com/testuser@foo.com
objectclass: posixAccount
objectclass: shadowAccount
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
objectclass: domainRelatedObject
objectclass: mailutilsAccount
sn: testuser@foo.com
uid: testuser@foo.com
uidnumber: 10001
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/
sendmail
building sendmail with STARTTLS, SMTPAUTH, LDAP and db44 support
cyrus-sasl configured with:
./configure --includedir=/usr/local/include --enable-static --with-rc4=openssl --with-dblib=none --disable-anon --disable-cram --disable-digest --disable-gssapi --disable-krb4 --disable-ntlm --disable-otp --disable-plain --disable-scram --enable-ldapdb --with-ldap=/usr/local --with-openssl=yes
build config
site.config.m4
## # general APPENDDEF(`confINCDIRS', `-I/usr/local/include -I/usr/local/include/db44') APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/lib/db44') ## DB44 #APPENDDEF(`confENVDEF', `-I/usr/local/include -I/usr/local/include/db44') #APPENDDEF(`conf_sendmail_LIBS', `-L/usr/local/lib -L/usr/local/lib/db44') # SASL2 (smtp authentication) APPENDDEF(`confENVDEF', `-DSASL=2') APPENDDEF(`conf_sendmail_LIBS', `-lsasl2') # LDAP APPENDDEF(`confMAPDEF', `-DLDAPMAP') APPENDDEF(`confLIBS', `-lldap -llber') # STARTTLS (smtp + tls/ssl) APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -D_FFR_TLS_1') APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto') # rest APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB')
sendmail.mc
dnl * Sendmail configuration
divert(-1)
OSTYPE(freebsd6)
dnl * To eliminate 8->7 bit base64 enconding
define(`SMTP_MAILER_FLAGS',`8')
dnl * Do not reveal my version number
define(`confRECEIVED_HEADER',`$?sfrom $s $.$?_($?s$|from $.$_) $.
by $j$?r with $r$. id $i$?u
for $u$.; $b')
dnl * Also, disable VRFY,EXPN
define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo')
dnl * do STARTTLS
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl
define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_CERT', `localCERT')dnl
define(`confSERVER_KEY', `localCERT')dnl
define(`confCLIENT_CERT', `localCERT')dnl
define(`confCLIENT_KEY', `localCERT')dnl
dnl * do SMTPAUTH
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
dnl * look for AuthOptions @ op.ps
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confSAVE_FROM_LINES', `True')dnl
define(`HELP_FILE',`none')dnl
define(`confDELIVERY_MODE', `background')dnl
dnl * define(`confMAX_MESSAGE_SIZE',`31457280')
define(`confERROR_MESSAGE',`/etc/mail/error-header')dnl
define(`confREJECT_MSG',`550 Access denied. For our users call IT dpt 911')dnl
define(`confRELAY_MSG', `550 Relaying denied. For our users call IT dpt 911')dnl
dnl define(`confSMTP_LOGIN_MSG',`$j server; $b')
define(`confSMTP_LOGIN_MSG',`$j server ready.\nWelcome to us.\nSending UBE is forbidden.\nViolators will be severely prosecuted.')
dnl * DAEMON_OPTIONS(`Name=MTA,Addr=0.0.0.0')
DAEMON_OPTIONS(`Name=MTA,Addr=X.X.X.X')
DAEMON_OPTIONS(`Name=MTA-local0,Addr=127.0.0.1')
DAEMON_OPTIONS(`Name=MTA-local3,Addr=Y.Y.Y.Y')
DAEMON_OPTIONS(`Family=inet,Name=MTA-SSL,Port=465,M=abs')
# Maps
define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl
define(`confLDAP_CLUSTER', `fo01')
LOCAL_CONFIG
Klocal_alias hash -T<TMPF> -o /etc/mail/aliases
Kldap_alias ldap -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAKey=%0)) -v sendmailMTAAliasValue
define(`ALIAS_FILE',`sequence: local_alias ldap_alias')
FEATURE(`access_db', `LDAP')
FEATURE(`mailertable', `LDAP')
FEATURE(use_cw_file)
FEATURE(use_ct_file)
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(blacklist_recipients)
FEATURE(relay_entire_domain)
# Milter
define(`confMILTER_LOG_LEVEL',4)
INPUT_MAIL_FILTER(`mailfrom', `S=unix:/var/run/mailfromd/mailfromd.sock, F=T, T=S:120s;R:360s')
# Mailers
MAILER_DEFINITIONS
Mlocal-ldap, P=/usr/local/sbin/maidag, F=lsDFMA5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix,
A=maidag $u@$h
MAILER(smtp)
mailertable
test.foo.bar local-ldap:test.foo.bar
Test
sendmail -bt > 3,0 blabla@foo.bar
mu
config
mailutils.rc
mailutils.rc
ldap {
enable yes;
url "ldap://ldap.foo.bar:389/";
base "ou=people,dc=ibs";
binddn "uid=bind@mai.foo.bar,ou=people,dc=foo,dc=bar";
passwd "*****";
tls yes;
debug 1;
field-map "name=uid:passwd=userPassword:uid=uidNumber:gid=gidNumber:gecos=gecos:dir=homeDirectory:shell=loginShell:mailbox=mu-mailBox";
getpwnam "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))";
getpwuid "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))";
};
auth {
authorization generic:ldap:system;
authentication generic:ldap:system;
};
mailbox {
mailbox-type "maildir";
mailbox-pattern "maildir:/var/mail;type=index;param=2;user=${user}";
};
locking {
retry-count 400;
};
include /usr/local/etc/mailutils;
