Mailutils:HOWTO:Sendmail MU LDAP

Revision as of 11:20, 30 August 2013 by Zeus Panchenko (talk | contribs)

Task

  • to keep the user database in LDAP, where both sendmail and mailutils can query it
  • to get multidomain support in sendmail (several domains, each with its own set of users where needed)

Everything described here was deployed on FreeBSD.

LDAP

slapd.conf

LDIF

# Person / base account entry. The mail service itself is the child entry
# (authorizedService=mail@foo.bar,...) that follows; this entry only carries
# the base POSIX identity and can be shared by other services.
dn: uid=officeX-testuser,ou=People,dc=foo,dc=bar
cn: testuser@foo.bar
# Primary group 12345 differs from the 10106 used by the mail service entry
# below; make sure that difference is intentional.
gidnumber: 12345
# No shell login for this identity: non-existent home plus nologin shell.
homedirectory: /nonexistent
loginshell: /sbin/nologin
objectclass: top
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: inetLocalMailRecipient
sn: test user
uid: officeX-testuser
uidnumber: 10001
# {CRYPT}$1$... is MD5-crypt, which is weak against offline cracking by
# current standards. Prefer {CRYPT} with a $5$/$6$ (SHA-crypt) or $2b$
# (bcrypt) hash, or {SSHA}, as long as both slapd and the crypt(3) of the
# host running mailutils accept the scheme (mailutils verifies the hash
# itself via passwd=userPassword in its field-map, see mailutils.rc).
# The value shown here is a placeholder, not a real hash -- never publish
# real hashes in documentation. The same hash is repeated in the child
# entry; a password change has to update both.
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/

# Per-domain mail service account, a child of the person entry above. The
# authorizedService=mail@<domain> attribute is what the mailutils
# getpwnam/getpwuid filters select on, so one such child per hosted domain
# is what gives the multidomain setup.
dn: authorizedService=mail@foo.bar,uid=officeX-testuser,ou=People,dc=foo,dc=bar
associateddomain: foo.bar
authorizedservice: mail@foo.bar
# cn holds the full mail address; the mailutils filters match on uid or cn.
cn: testuser@foo.bar
gidnumber: 10106
# NOTE(review): both paths below are under /var/mail. They should be owned
# by uidNumber 10001 / gidNumber 10106 and not be world-accessible,
# since (presumably) maidag delivers there and imap4d/pop3d read there.
homedirectory: /var/mail/IMAP_HOMES/foo.bar/testuser@foo.bar
loginshell: /sbin/nologin
# Mailbox URL handed to mailutils through the mailbox=mu-mailBox field-map.
mu-mailbox: maildir:/var/mail/foo.bar/testuser@foo.bar
objectclass: posixAccount
objectclass: shadowAccount
objectclass: inetOrgPerson
objectclass: authorizedServiceObject
objectclass: domainRelatedObject
objectclass: mailutilsAccount
sn: testuser@foo.bar
uid: testuser@foo.bar
# Same uidNumber as the parent entry: the mail service is the same POSIX user.
uidnumber: 10001
# Duplicate of the parent's hash, with the same caveats: MD5-crypt is weak,
# the value is a placeholder, and the two copies must be changed together or
# the old password silently stays valid for one of them.
userpassword: {CRYPT}$1$dtyhERYdf$dfDGGsdHJKTIKT.34345DFSF/

sendmail

Build sendmail with STARTTLS, SMTP AUTH, LDAP and Berkeley DB 4.4 (db44) support.

cyrus-sasl was configured with:

# Build cyrus-sasl against the ports OpenSSL and OpenLDAP with only the
# ldapdb auxprop plugin enabled; every other mechanism plugin is switched
# off explicitly.
# NOTE(review): --disable-plain removes the PLAIN mechanism plugin and
# --enable-login (off by default in cyrus-sasl 2.1) is not passed, while
# sendmail.mc below advertises LOGIN PLAIN. Verify which plugins are
# actually installed (pluginviewer / saslpluginviewer) before relying on
# SMTP AUTH.
./configure \
    --includedir=/usr/local/include \
    --enable-static \
    --with-rc4=openssl \
    --with-dblib=none \
    --disable-anon \
    --disable-cram \
    --disable-digest \
    --disable-gssapi \
    --disable-krb4 \
    --disable-ntlm \
    --disable-otp \
    --disable-plain \
    --disable-scram \
    --enable-ldapdb \
    --with-ldap=/usr/local \
    --with-openssl=yes

build config

site.config.m4

##
# general
# Headers and libraries from /usr/local (ports) plus the db44 port.
APPENDDEF(`confINCDIRS', `-I/usr/local/include -I/usr/local/include/db44')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/local/lib/db44')

## DB44
# Kept for reference; confINCDIRS/confLIBDIRS above already cover db44.
#APPENDDEF(`confENVDEF', `-I/usr/local/include -I/usr/local/include/db44')
#APPENDDEF(`conf_sendmail_LIBS', `-L/usr/local/lib -L/usr/local/lib/db44')

# SASL2 (smtp authentication)
# Links against the cyrus-sasl built above; sendmail can only offer the
# mechanisms that library actually ships.
APPENDDEF(`confENVDEF', `-DSASL=2')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')

# LDAP
# LDAPMAP enables the ldap map class used by confLDAP_DEFAULT_SPEC, the
# LDAP-backed access_db/mailertable features and the Kldap_alias map.
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap -llber')

# STARTTLS (smtp + tls/ssl)
# _FFR_TLS_1 is a For-Future-Release switch: experimental code that is not
# part of the supported feature set. Drop it unless you know which
# behaviour you need from it.
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS -D_FFR_TLS_1')
# Must be the same OpenSSL that cyrus-sasl was built against (--with-openssl).
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')

# rest
# MILTER: mail filter API (used by the mailfromd INPUT_MAIL_FILTER);
# SOCKETMAP / MAP_REGEX: extra map classes; NEWDB: Berkeley DB hash maps.
APPENDDEF(`conf_sendmail_ENVDEF', `-DMILTER -DSOCKETMAP -DMAP_REGEX -DNEWDB')

sendmail.mc

dnl * Sendmail configuration
dnl * Reviewer remarks are marked NOTE(review); the configuration itself
dnl * is unchanged.
divert(-1)
OSTYPE(freebsd6)
dnl * To eliminate 8->7 bit base64 encoding
define(`SMTP_MAILER_FLAGS',`8')
dnl * Do not reveal my version number
dnl * (custom Received: header without the Sendmail version string)
define(`confRECEIVED_HEADER',`$?sfrom $s $.$?_($?s$|from $.$_) $.
        by $j$?r with $r$. id $i$?u
        for $u$.; $b')
dnl * Also, disable VRFY,EXPN
dnl * novrfy/noexpn block address harvesting, noetrn stops remote queue
dnl * runs, needmailhelo requires HELO/EHLO before MAIL. Consider adding
dnl * restrictqrun and goaway as well (see cf/README).
define(`confPRIVACY_FLAGS',`authwarnings,novrfy,noexpn,noetrn,needmailhelo')

dnl * do STARTTLS
dnl * A single PEM file holds certificate and private key and doubles as
dnl * the CA file, which only makes sense for a self-signed certificate.
dnl * Because it contains the key, it must be root-owned and unreadable by
dnl * group/others; sendmail otherwise rejects it as unsafe (do not work
dnl * around that with DontBlameSendmail).
dnl * NOTE(review): with confCACERT pointing at the server's own cert,
dnl * peer client certificates only verify if issued by that same key; do
dnl * not base access decisions on ${verify} unless that is intended.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/sendmail.pem')dnl
define(`localCERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_CERT', `localCERT')dnl
define(`confSERVER_KEY',  `localCERT')dnl
define(`confCLIENT_CERT', `localCERT')dnl
define(`confCLIENT_KEY',  `localCERT')dnl

dnl * do SMTPAUTH
dnl * LOGIN and PLAIN send the password in the clear; the p option in
dnl * confAUTH_OPTIONS below keeps them off the wire until TLS is up.
dnl * TRUST_AUTH_MECH grants relaying to anyone who authenticates with them.
dnl * NOTE(review): the cyrus-sasl configure line on this page passes
dnl * --disable-plain and no --enable-login; check that both mechanism
dnl * plugins are really installed, or no mechanism will be available.
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl

dnl * look for AuthOptions @ op.ps
dnl * A = honour the AUTH= parameter only after successful authentication,
dnl * p = no plaintext mechanisms unless a security layer (TLS) is active,
dnl * y = do not offer mechanisms that allow anonymous login.
define(`confAUTH_OPTIONS', `A p y')dnl


define(`confSAVE_FROM_LINES', `True')dnl
define(`HELP_FILE',`none')dnl
define(`confDELIVERY_MODE', `background')dnl

dnl * NOTE(review): no message size limit is active while the line below
dnl * stays commented out; consider enabling confMAX_MESSAGE_SIZE to bound
dnl * per-message resource use.
dnl * define(`confMAX_MESSAGE_SIZE',`31457280')
define(`confERROR_MESSAGE',`/etc/mail/error-header')dnl
define(`confREJECT_MSG',`550 Access denied. For our users call IT dpt 911')dnl
define(`confRELAY_MSG', `550 Relaying denied. For our users call IT dpt 911')dnl

dnl define(`confSMTP_LOGIN_MSG',`$j server; $b')
dnl * Multi-line 220 banner; like the Received: header it omits the version.
define(`confSMTP_LOGIN_MSG',`$j server ready.\nWelcome to us.\nSending UBE is forbidden.\nViolators will be severely prosecuted.')

dnl * Bind explicitly to the intended addresses instead of 0.0.0.0.
dnl * MTA-SSL: port 465 with M=a (AUTH required), b (bind outgoing to the
dnl * same interface) and s (implicit TLS / SMTPS).
dnl * DAEMON_OPTIONS(`Name=MTA,Addr=0.0.0.0')
DAEMON_OPTIONS(`Name=MTA,Addr=X.X.X.X')
DAEMON_OPTIONS(`Name=MTA-local0,Addr=127.0.0.1')
DAEMON_OPTIONS(`Name=MTA-local3,Addr=Y.Y.Y.Y')
DAEMON_OPTIONS(`Family=inet,Name=MTA-SSL,Port=465,M=abs')

# Maps
dnl * ldaps:// with -w3 (LDAPv3); -d is the read-only bind DN and -P the
dnl * file holding its password, which must be root-owned, mode 0600.
dnl * Certificate checking for ldaps:// is governed by the OpenLDAP client
dnl * configuration (ldap.conf TLS_CACERT / TLS_REQCERT), not by sendmail.
dnl * NOTE(review): this bind DN (bind@mail.foo) differs from the one in
dnl * mailutils.rc (bind@mai.foo.bar); one of them is probably a typo.
define(`confLDAP_DEFAULT_SPEC', `-H ldaps://ldap.foo.bar -b ou=foo.bar,ou=Sendmail,dc=foo,dc=bar -w3 -d uid=bind@mail.foo,ou=people,dc=foo,dc=bar -P /etc/mail/ldappass')dnl
dnl * Value of ${sendmailMTACluster}, matched by the alias map below.
define(`confLDAP_CLUSTER', `fo01')

LOCAL_CONFIG
dnl * Aliases: local hash map first (-T<TMPF> turns a map failure into a
dnl * temporary error instead of silently having no alias), then LDAP
dnl * entries keyed by this cluster or host name.
Klocal_alias hash -T<TMPF> -o /etc/mail/aliases
Kldap_alias ldap -k (&(objectClass=sendmailMTAAliasObject)(sendmailMTAAliasGrouping=aliases)(|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j))(sendmailMTAKey=%0)) -v sendmailMTAAliasValue
define(`ALIAS_FILE',`sequence: local_alias ldap_alias')

dnl * Both access control and mailertable come from LDAP, so relay and
dnl * routing policy is only as trustworthy as the directory and the
dnl * ldaps connection above.
FEATURE(`access_db', `LDAP')
FEATURE(`mailertable', `LDAP')

FEATURE(use_cw_file)
FEATURE(use_ct_file)
FEATURE(redirect)
FEATURE(always_add_domain)
FEATURE(blacklist_recipients)
dnl * NOTE(review): relay_entire_domain relays for any client host in class
dnl * {m} (your own domain), judged by the DNS name of the connecting host.
dnl * That widens the relay surface beyond the access db and the
dnl * authenticated users already trusted via TRUST_AUTH_MECH; keep it only
dnl * if unauthenticated hosts in your domain really need to relay.
FEATURE(relay_entire_domain)

# Milter
dnl * mailfromd over a unix socket. F=T makes a milter failure a temporary
dnl * error (4xx) instead of letting the message through unchecked.
define(`confMILTER_LOG_LEVEL',4)
INPUT_MAIL_FILTER(`mailfrom', `S=unix:/var/run/mailfromd/mailfromd.sock, F=T, T=S:120s;R:360s')

# Mailers
dnl * Local delivery for LDAP users goes through mailutils maidag, called
dnl * as maidag user@domain ($h is the mailertable host part). The S flag
dnl * in F= keeps root privileges when invoking maidag so it can switch to
dnl * the recipient uidNumber/gidNumber from LDAP -- only acceptable if
dnl * maidag is trusted with root.
MAILER_DEFINITIONS
Mlocal-ldap,    P=/usr/local/sbin/maidag, F=lsDFMA5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
                T=DNS/RFC822/X-Unix,
                A=maidag $u@$h

MAILER(smtp)

mailertable

# Route mail for test.foo.bar to the local-ldap mailer (maidag) defined in
# sendmail.mc; $h in that mailer's A= line becomes test.foo.bar.
# sendmail.mc declares the mailertable as an LDAP map, so this entry lives
# in the directory rather than in a flat /etc/mail/mailertable; it is shown
# here in flat form.
test.foo.bar    local-ldap:test.foo.bar

Test

sendmail -bt
> 3,0 blabla@foo.bar

mu

config

mailutils.rc

mailutils.rc

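# Mailutils side: user lookup (authorization) and password verification
# (authentication) for pop3d, imap4d and maidag against the directory that
# sendmail uses.
ldap {
  enable yes;
  # Plain LDAP port plus STARTTLS (tls yes below); the sendmail side uses
  # ldaps:// instead. NOTE(review): confirm the server certificate is
  # actually verified (trusted CA, hostname), not merely that the session
  # is encrypted -- otherwise a MITM can answer lookups with its own hashes.
  url "ldap://ldap.foo.bar:389/";
  # Search base. The account entries on this page live under
  # ou=People,dc=foo,dc=bar (see the LDIF above); the previous value
  # "ou=people,dc=ibs" named a different directory, so every lookup would
  # have returned nothing.
  base "ou=People,dc=foo,dc=bar";
  # NOTE(review): sendmail.mc binds as uid=bind@mail.foo,...; one of
  # "mai.foo.bar" / "mail.foo" looks like a typo -- make them agree.
  binddn "uid=bind@mai.foo.bar,ou=people,dc=foo,dc=bar";
  # Redacted. This file carries a directory credential: keep it root-owned
  # and not world-readable (0600, or 0640 with a group the daemons run as).
  passwd "*****";
  tls yes;
  # Debug output logs the expanded filters, i.e. login names; use 0 in
  # production.
  debug 1;
  # passwd=userPassword: mailutils fetches the stored hash and verifies it
  # locally, so the bind account can read every user's password hash.
  # Protect that account as you would protect the hashes themselves.
  field-map "name=uid:passwd=userPassword:uid=uidNumber:gid=gidNumber:gecos=gecos:dir=homeDirectory:shell=loginShell:mailbox=mu-mailBox";
  # Accept either the login name (uid) or the mail address (cn) of a
  # mail@<domain> service entry; add one (&(authorizedService=...)) branch
  # per hosted domain. NOTE(review): ${user} is substituted into the filter
  # text -- verify that mailutils escapes ( ) * \ per RFC 4515, or a
  # crafted login name can change the meaning of the filter.
  getpwnam "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))";
  # NOTE(review): identical to getpwnam. For uid -> entry lookups the
  # mailutils manual's example matches uidNumber against ${uid}; check
  # that this filter really works for getpwuid before relying on it.
  getpwuid "(|(&(authorizedService=mail@foo.bar)(uid=${user}))(&(authorizedService=mail@foo.bar)(cn=${user}))(&(authorizedService=mail@foo.com)(cn=${user})))";
};

# Lookup and password-check modules, tried in this order.
auth {
  authorization generic:ldap:system;
  authentication generic:ldap:system;
};

# Default mailbox location; presumably the fallback when an entry has no
# mu-mailbox attribute (mailbox=mu-mailBox in the field-map above).
mailbox {
  mailbox-type "maildir";
  mailbox-pattern "maildir:/var/mail;type=index;param=2;user=${user}";
};

# Number of attempts to acquire a mailbox lock before giving up.
locking {
  retry-count 400;
};

# Per-program configuration (pop3d, imap4d, maidag) lives in this directory.
include /usr/local/etc/mailutils;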


pop3d

imap4d

maidag