This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 28 and 29
Revision 28 as of 2005-09-06 18:00:06
Size: 20087
Editor: TimoSirainen
Comment:
Revision 29 as of 2006-08-18 13:53:50
Size: 22989
Comment: Add Ubuntu setup
Line 3: Line 3:
Line 5: Line 4:
== OS ==
Line 7: Line 6:
 * Ubuntu 6.06 LTS
== LDAP ==
Line 8: Line 9:
 * slapd 2.2.26 (Ubuntu)
== dovecot ==
Line 9: Line 12:
 * dovecot 1.0-beta3-3ubuntu5.3
Line 11: Line 14:

This sets up mail accounts for people who don't have accounts on
the FBSD box; e.g. there is a mail account for ole_wobble in the LDAP
registry, but no matching account in the Unix passwd file. However, each
mail account does require its own directory in /var/mail; e.g. for user
Ole Wobble Olson, you need the directory /var/mail/ole_wobble. There is a
Unix account named postoffice which handles all administrative tasks and
owns the directories and files set up for mail accounts in /var/mail. The
group for files in /var/mail is mail. Using ole_wobble as an example:
{{{
 # ls -l /var/mail | grep ole_wobble
 drwx--x--x 3 postoffice mail - 1024 Aug 23 04:15 ole_wobble
}}}
Mail storage is mbox, but these instructions should work fine with Maildir
directories. The UID number for the postoffice account is 3000 and the GID
number is 8. Change the ID numbers to match your system.

In each user directory in /var/mail, I create three files: inbox, outbox,
and Trash. These are needed for the MUAs (mail clients) we use. Eudora
requires the inbox to be "inbox", all lower case; mutt requires the outbox
to be "outbox", all lower case, and Eudora uses a trash box named "Trash". 

If you want to use raw logging, you will need to add a directory named
"dovecot.rawlog" to /home/postoffice. 
This sets up mail accounts for people who don't have accounts on  the FBSD box; e.g. there is a mail account for ole_wobble in the LDAP  registry, but no matching account in the Unix passwd file. However, each  mail account does require its own directory in /var/mail; e.g. for user  Ole Wobble Olson, you need the directory /var/mail/ole_wobble. There is a  Unix account named postoffice which handles all administrative tasks and  owns the directories and files set up for mail accounts in /var/mail. The  group for files in /var/mail is mail. Using ole_wobble as an example:

{{{
        # ls -l /var/mail | grep ole_wobble
        drwx--x--x 3 postoffice mail - 1024 Aug 23 04:15 ole_wobble
}}}
Mail storage is mbox, but these instructions should work fine with Maildir  directories. The UID number for the postoffice account is 3000 and the GID  number is 8. Change the ID numbers to match your system.

In each user directory in /var/mail, I create three files: inbox, outbox,  and Trash. These are needed for the MUAs (mail clients) we use. Eudora  requires the inbox to be "inbox", all lower case; mutt requires the outbox  to be "outbox", all lower case, and Eudora uses a trash box named "Trash".

Alternatively, an appropriately set up SMTP server (like exim4) will create the boxes on the first email to the account.


If you want to use raw logging, you will need to add a directory named  "dovecot.rawlog" to /home/postoffice.
Line 37: Line 29:
The OpenLDAP instructions are ''extremely'' sketchy and are intended only
to supplement the instructions at the OpenLDAP web site. They give
information specific to a Dovecot setup that is missing from the
OpenLDAP manual. 
The OpenLDAP instructions are ''extremely'' sketchy and are intended only  to supplement the instructions at the OpenLDAP web site. They give  information specific to a Dovecot setup that is missing from the  OpenLDAP manual.
Line 43: Line 32:
If you are going to use CRYPT password hashing as the default in OpenLDAP
(this is compatible with Dovecot), then you will need to add the
--enable-crypt option to the CONFIGURE_ARGS variable in the Makefile so
that OpenLDAP will compile with CRYPT support. If you don't do this,
OpenLDAP may actually work for a while, but then one day you'll restart
the server and OpenLDAP will refuse to run until you remove the CRYPT
setting from slapd.conf, which means the user passwords won't work.

If you have portupgrade installed, the simplest way to install OpenLDAP
is by using the portinstall tool.
{{{
 # portinstall openldap21
}}}
The instructions for configuring OpenLDAP, including a Quick Install
Guide, are at
 http://www.openldap.org
OpenLDAP appears to be difficult to install properly. My first two
attempts were unsuccessful. The FreeBSD port includes Perl scripts
that run tests to ensure that the installation succeeded. Even though
the installation passed the tests, it couldn't be configured to work
properly. On my third attempt, OpenLDAP worked but attempts to limit
access to specified attributes caused OpenLDAP to refuse access to all
attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit
access to specified attributes. While searching for information, I found
a posting that commented that every installation of OpenLDAP on FreeBSD
4.8 requires its own config file; each installation behaves differently and
the config file has to be tuned to the individual installation. You may need
to install a few times before you get a usable installation of OpenLDAP.
If you are going to use CRYPT password hashing as the default in OpenLDAP (this is compatible with Dovecot), then you will need to add the --enable-crypt option to the CONFIGURE_ARGS variable in the Makefile so that OpenLDAP will compile with CRYPT support. If you don't do this, OpenLDAP may actually work for a while, but then one day you'll restart the server and OpenLDAP will refuse to run until you remove the CRYPT setting from slapd.conf, which means the user passwords won't work.

On BSD, if you have portupgrade installed, the simplest way to install OpenLDAP is by using the portinstall tool.

{{{
        # portinstall openldap21
}}}

On Ubuntu, use apt-get (or aptitude).
{{{
        % sudo apt-get install slapd
}}}

The instructions for configuring OpenLDAP, including a Quick Install Guide, are at http://www.openldap.org

On BSD, OpenLDAP appears to be difficult to install properly. My first two attempts were unsuccessful. The FreeBSD port includes Perl scripts that run tests to ensure that the installation succeeded. Even though the installation passed the tests, it couldn't be configured to work properly. On my third attempt, OpenLDAP worked but attempts to limit access to specified attributes caused OpenLDAP to refuse access to all attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit access to specified attributes. While searching for information, I found a posting that commented that every installation of OpenLDAP on FreeBSD 4.8 requires its own config file; each installation behaves differently and the config file has to be tuned to the individual installation. You may need to install a few times before you get a usable installation of OpenLDAP.

On Ubuntu, it worked fine.
Line 73: Line 54:

On Ubuntu, installing slapd is sufficient to start it, and have it start on reboot. It runs as root. Proceed to Configuration.
Line 74: Line 58:
This is the simplest set up. I recommend this for your initial set up and
testing. Running as root is a security risk, so you probably want to change
this before making the server available to users.
This is the simplest set up. I recommend this for your initial set up and testing. Running as root is a security risk, so you probably want to change this before making the server available to users.
Line 79: Line 61:
Line 84: Line 67:
Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes,
Virginia, there is a slap daemon.) Open the file in a text editor. If
you have the following line

{{{
 # Uncomment one of the following: 
Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes, Virginia, there is a slap daemon.) Open the file in a text editor. If you have the following line

{{{
        # Uncomment one of the following:
Line 91: Line 73:
{{{
 slapd_args="-u ldap -g ldap"
}}}
Save your changes and close the text editor. 

{{{
        slapd_args="-u ldap -g ldap"
}}}
Save your changes and close the text editor.
Line 97: Line 80:
Create a new user and group named "ldap". ldap needs access to the
configuration file and the database.
Create a new user and group named "ldap". ldap needs access to the  configuration file and the database.
Line 104: Line 87:
Line 107: Line 91:
By default, slapd listens on all interfaces. On very small LANs,
the mail and directory services often run on the box that functions
as the Internet gateway. In that case you don't want slapd listening
at the external interface, so you need to specify which interfaces you
do want it to listen on. In the following, the LDAP host name can be
substituted for the internal IP address, if the host name is not
exposed outside the LAN.
By default, slapd listens on all interfaces. On very small LANs, the mail and directory services often run on the box that functions as the Internet gateway. In that case you don't want slapd listening at the external interface, so you need to specify which interfaces you do want it to listen on. In the following, the LDAP host name can be substituted for the internal IP address, if the host name is not exposed outside the LAN.
Line 120: Line 99:
Go to the directory containing the OpenLDAP configuration files.
{{{
 # cd /usr/local/etc/openldap
}}}
Make a copy of slapd.conf.default and name it slapd.conf. Open slapd.conf
in a text editor. You will need the following lines to reference
the schemas you need (keep them flush left: slapd.conf treats a line that
begins with whitespace as a continuation of the previous line):
{{{
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
}}}
The following line will set the default password hashing method to the CRYPT
algorithm, which is compatible with Dovecot:
{{{
 password-hash {CRYPT}
}}}
The Quick Install Guide at the OpenLDAP site explains how to set up an
administrator with global rights on the LDAP registry, and how to add
entries.
Go to the directory containing the OpenLDAP configuration files. On Ubuntu, this is `/etc/ldap`, on BSD it is `/usr/local/etc/openldap`. ''Make the appropriate substitutions below''.

Make a copy of `slapd.conf.default` and name it `slapd.conf`. Open `slapd.conf` in a text editor. You will need the following lines to reference the schemas you need (keep them flush left: slapd.conf treats a line that begins with whitespace as a continuation of the previous line):

{{{
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
}}}
The following line will set the default password hashing method to the CRYPT  algorithm, which is compatible with Dovecot:

{{{
        password-hash {CRYPT}
}}}
The Quick Install Guide at the OpenLDAP site explains how to set up an administrator with global rights on the LDAP registry, and how to add entries.
Line 142: Line 116:
Here is a data hierarchy in ldif format that can be used to
provide Dovecot mail accounts. You should be able to copy it into an
ldif file, modify it for your own use, and install it all at once. 
{{{
dn: dc=wibble,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: Wibble Corp.
dc: wibble
description: Wibble, with Ole Wobble and Ole Wubble

dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 3000
gidNumber: 8
homeDirectory: /usr/home/postoffice

dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
objectClass: posixAccount
cn: Ole Wubble Olson
sn: Olson
uid: ole_wubble
uidNumber: 3000
gidNumber: 8
homeDirectory: /usr/home/postoffice
}}}
The expression "dc=wibble,dc=net" should match the suffix setting
in slapd.conf. 

If you plan to install this by copying it to a file and running
ldapadd, you must retain the blank lines.

The uidNumber is set to the uid number of the postoffice account. The
gidNumber is set to the gid number of the mail group. The homeDirectory
is set to the home directory of the postoffice account. This allows the
raw log function to write to that directory. If you don't include the
homeDirectory attribute, you will have to apply a patch to Dovecot. The
patch is described below, in the Installing Dovecot section. The use of
the posixAccount object class requires that you use the uid, cn, uidNumber,
gidNumber, and homeDirectory attributes (and therefore shouldn't need
the patch).

The home directory is always set to the home directory of the postoffice
account. This allows writing raw logs to the postoffice home directory.

To insert the entries above, save them in a file named wibble.ldif.
Run ldapadd from the command line:

{{{
 ldapadd -x -W -D "cn=Manager,dc=krig,dc=net" -f /usr/local/etc/openldap/wibble.ldif
}}}
(The -x option selects simple authentication; without it the OpenLDAP
tools try a SASL bind and ignore -D.)
Returning to slapd.conf, the following will give dovecot read access to
the entries in the ou=accounts section, but no write access and no access
to other parts of the registry.
{{{
 access to dn.children="ou=accounts,dc=wibble,dc=net"
         by dn="cn=dovecot,ou=accounts,dc=wibble,dc=net" read
         by anonymous auth
Here is a data hierarchy in ldif format that can be used to  provide Dovecot mail accounts. You should be able to copy it into an  ldif file, modify it for your own use, and install it all at once.

{{{
dn: dc=wibble,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: Wibble Corp.
dc: wibble
description: Wibble, with Ole Wobble and Ole Wubble

dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

# only necessary if you are NOT using 'bind' authentication
dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 1002
gidNumber: 100
homeDirectory: /usr/home/ole_wobble

dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
objectClass: posixAccount
cn: Ole Wubble Olson
sn: Olson
uid: ole_wubble
uidNumber: 1003
gidNumber: 100
homeDirectory: /usr/home/ole_wubble
}}}

The expression `dc=wibble,dc=net` should match the suffix setting  in slapd.conf.

If you plan to install this by copying it to a file and running  ldapadd, you must retain the blank lines.
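As an added example (not code from the wiki page, Dovecot or OpenLDAP), the Python below reads an LDIF file the way ldapadd will and checks the rules this section relies on: a blank line between entries, no indented attribute lines (LDIF folds a line that starts with a space into the line above it), every dn under the slapd.conf suffix, and the attributes posixAccount requires. The sample LDIF is constructed from the wibble hierarchy above.

```python
import re

# Attributes the posixAccount object class makes mandatory (lowercased, since
# LDAP attribute names are case-insensitive).
POSIX_REQUIRED = ("cn", "uid", "uidnumber", "gidnumber", "homedirectory")

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):\s*(.*)$")


def parse_ldif(text):
    """Split LDIF text into a list of (dn, {attribute: [values]}) entries.

    Raises ValueError on the two copy-and-paste defects this setup is prone to:
    entries not separated by a blank line, and attribute lines indented for
    readability (a leading space continues the previous line in LDIF).
    """
    entries, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):            # LDIF comment
            continue
        if raw.strip() == "":              # blank line closes the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if raw[0] == " ":
            raise ValueError(f"line {lineno}: leading space folds into the previous line")
        m = ATTR_RE.match(raw)
        if m is None:
            raise ValueError(f"line {lineno}: not an 'attribute: value' line")
        name, value = m.group(1).lower(), m.group(2)
        if name == "dn":
            if current is not None:
                raise ValueError(f"line {lineno}: 'dn:' without a blank line before it")
            current = (value, {})
        elif current is None:
            raise ValueError(f"line {lineno}: attribute line before the first dn")
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_entries(entries, suffix):
    """Return a list of problems; empty when every entry satisfies the rules."""
    problems = []
    for dn, attrs in entries:
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if not classes:
            problems.append(f"{dn}: no objectClass")
        if "posixaccount" in classes:
            for req in POSIX_REQUIRED:
                if req not in attrs:
                    problems.append(f"{dn}: posixAccount requires {req}")
    return problems


def rejects(text):
    """True when parse_ldif() refuses the text (demonstrates the defects)."""
    try:
        parse_ldif(text)
    except ValueError:
        return True
    return False


# Constructed sample modelled on the page's hierarchy: flush-left attributes,
# one blank line between entries.
GOOD_LDIF = """\
dn: dc=wibble,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: Wibble Corp.
dc: wibble

dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 3000
gidNumber: 8
homeDirectory: /usr/home/postoffice
"""

# Constructed defective copy: attributes indented the way the wiki renders them.
INDENTED_LDIF = """\
dn: ou=accounts,dc=wibble,dc=net
        objectClass: organizationalUnit
        ou: accounts
"""
```

Run `check_entries(parse_ldif(text), "dc=wibble,dc=net")` on your own file before handing it to ldapadd; an empty list means the file satisfies the checks above.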

`uidNumber` and `gidNumber` are only significant if mentioned in the `user_attrs` item in `/etc/dovecot/dovecot-ldap.conf`. If these are virtual accounts (authentication, including `homeDirectory, uidNumber, gidNumber` are used elsewhere), I recommend you leave these '''unset''' in `user_attrs`, and instead use

{{{
    user_global_uid = dovecot
    user_global_gid = mail
}}}

To insert the entries above, save them in a file named wibble.ldif. Run ldapadd from the command line:

{{{
        ldapadd -x -W -D "cn=Manager,dc=krig,dc=net" -f /usr/local/etc/openldap/wibble.ldif
}}}
(The -x option selects simple authentication; without it the OpenLDAP tools try a SASL bind and ignore -D.)

Returning to slapd.conf, the following will give dovecot read access to the entries in the ou=accounts section, but no write access and no access to other parts of the registry.

{{{
        access to dn.children="ou=accounts,dc=wibble,dc=net"
                by dn="cn=dovecot,ou=accounts,dc=wibble,dc=net" read
                by anonymous auth
Line 221: Line 186:
The final step in setting up your LDAP registry is to add the passwords.
Every account in the ou=accounts section will need one. Assuming that
you've slavishly imitated the example in the Quick Install Guide at
the OpenLDAP site and called your LDAP administrator "Manager", you can add
passwords from the command line with
{{{
$ ldappasswd -x -W -S -D "cn=Manager,dc=krig,dc=net" "cn=dovecot,ou=accounts,dc=wibble,dc=net"
}}}
for the dovecot user and 
{{{
$ ldappasswd -x -W -S -D "cn=Manager,dc=krig,dc=net" "uid=ole_wobble,ou=accounts,dc=wibble,dc=net"
}}}
for mail accounts. The -S option prompts you for the new password, and
the -W option prompts you for the LDAP Manager password.
The final step in setting up your LDAP registry is to add the passwords.  Every account in the ou=accounts section will need one. Assuming that  you've slavishly imitated the example in the Quick Install Guide at  the OpenLDAP site and called your LDAP administrator "Manager", you can add  passwords from the command line with

{{{
$ ldappasswd -x -W -S -D "cn=Manager,dc=krig,dc=net" "cn=dovecot,ou=accounts,dc=wibble,dc=net"
}}}
for the dovecot user and

{{{
$ ldappasswd -x -W -S -D "cn=Manager,dc=krig,dc=net" "uid=ole_wobble,ou=accounts,dc=wibble,dc=net"
}}}
for mail accounts. The -S option prompts you for the new password, and  the -W option prompts you for the LDAP Manager password. Many LDAP front ends will do the same.
Line 237: Line 199:
Line 240: Line 203:
Line 242: Line 204:

Again, the simplest approach is the portinstall tool. If you don't
include homeDirectory info with all your LDAP entries, you will
need a patch. Download the patch from http://dovecot.procontrol.fi/patches/auth-no-homedir.patch
To apply the patch, go to /usr/ports/mail/dovecot. If you've previously
installed dovecot and still have the work directory, you need to
remove it.

{{{
 # make distclean
Again, the simplest approach is the portinstall tool (on BSD) or apt-get (on Ubuntu).

== BSD ==
If you don't include homeDirectory info with all your LDAP entries, you will need a patch. Download the patch from http://dovecot.procontrol.fi/patches/auth-no-homedir.patch
To apply the patch, go to /usr/ports/mail/dovecot. If you've previously  installed dovecot and still have the work directory, you need to  remove it.

{{{
        # make distclean
Line 254: Line 216:
{{{
 # make patch

{{{
        # make patch
Line 258: Line 221:
{{{
 # cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
}}}
Copy auth-no-homedir.patch (the patch file you downloaded) to this
directory. Now run patch.
{{{
 # patch -p0 < auth-no-homedir.patch
}}}
If you get no error messages, you can proceed with the installation.
If you do get error messages, you will need to apply the patch by hand.
Open auth-no-homedir.patch in a text viewer. The file you need to patch
is listed in the first line of auth-no-homedir.patch. Open that file
in a text editor in another ttyv or xterm. 

The patch file contains two contiguous lines, the first beginning with a
"-" and the second beginning with a "+". The first is the line you will
delete from the file to be patched, and the second is the line that will
replace it; i.e. subtract the "-" line and add the "+" line. Immediately
surrounding the two lines are the context lines; three above and three
below. Search for the line in the file to be patched that matches the "-"
line *and* has the same context lines above and below. When you find
this line, delete it and replace it with the "+" line in the patch file.
(Do not include the "+" marker.) Double check that you have deleted only
what needs to be deleted and added only what needs to be added. Save
the file and close the text editor and text viewer. Delete
auth-no-homedir.patch.


Once you have successfully run patch or patched by hand, return to
/usr/ports/mail/dovecot. Open the Makefile in a text editor. Find the
line that begins with "CONFIGURE_ARGS+=". If you don't have the
following two arguments, add them.
{{{
 --with-rawlog --with-ldap
}}}
Raw logging isn't necessary, but it can be useful. You have to have the
--with-ldap argument to enable Dovecot to work with LDAP.

If you remove support for alternative authentication methods (PAM, PGSQL,
etc), you should leave support for passwd. When I was debugging my
configuration, I found it helpful to switch between passwd and LDAP
authentication. If my setup worked with passwd and not with LDAP, then
I knew that I needed to look at Dovecot's LDAP configuration, or at
OpenLDAP.

Save your changes to Makefile, and close the editor. 

{{{
        # cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
}}}
Copy auth-no-homedir.patch (the patch file you downloaded) to this directory. Now run patch.

{{{
        # patch -p0 < auth-no-homedir.patch
}}}
If you get no error messages, you can proceed with the installation. If you do get error messages, you will need to apply the patch by hand.  Open auth-no-homedir.patch in a text viewer. The file you need to patch  is listed in the first line of auth-no-homedir.patch. Open that file  in a text editor in another ttyv or xterm.

The patch file contains two contiguous lines, the first beginning with a "-" and the second beginning with a "+". The first is the line you will delete from the file to be patched, and the second is the line that will replace it; i.e. subtract the "-" line and add the "+" line. Immediately surrounding the two lines are the context lines; three above and three below. Search for the line in the file to be patched that matches the "-" line *and* has the same context lines above and below. When you find this line, delete it and replace it with the "+" line in the patch file. (Do not include the "+" marker.) Double check that you have deleted only what needs to be deleted and added only what needs to be added. Save the file and close the text editor and text viewer. Delete auth-no-homedir.patch.

Once you have successfully run patch or patched by hand, return to  /usr/ports/mail/dovecot. Open the Makefile in a text editor. Find the  line that begins with "CONFIGURE_ARGS+=". If you don't have the  following two arguments, add them.

{{{
        --with-rawlog --with-ldap
}}}
Raw logging isn't necessary, but it can be useful. You have to have the  --with-ldap argument to enable Dovecot to work with LDAP.

If you remove support for alternative authentication methods (PAM, PGSQL,  etc), you should leave support for passwd. When I was debugging my  configuration, I found it helpful to switch between passwd and LDAP  authentication. If my setup worked with passwd and not with LDAP, then  I knew that I needed to look at Dovecot's LDAP configuration, or at  OpenLDAP.

Save your changes to Makefile, and close the editor.
Line 305: Line 246:
{{{
 # make install
}}}
If make completes and registers Dovecot without giving error messages,
then your installation was successful. 

{{{
        # make install
}}}
If make completes and registers Dovecot without giving error messages,  then your installation was successful.
Line 313: Line 254:
To start Dovecot automatically when you boot, go to /usr/local/etc/rc.d
and copy dovecot.sh.sample to dovecot.sh.


Go to /usr/local/share/doc/dovecot and copy dovecot-ldap.conf to
the /usr/local/etc directory. Go to the /usr/local/etc directory and open
dovecot-ldap.conf in a text editor.

The first setting is
{{{
 hosts = localhost
}}}
If Dovecot and OpenLDAP are running on the same machine, then this is
fine. If you have OpenLDAP running on a different machine, you will
need to set this to the name of the LDAP machine.
----
{{{
 dn = uid=dovecot,ou=accounts,dc=wibble,dc=net
}}}
This is set to the Distinguished Name that identifies the Dovecot
entry in your LDAP registry.
----
{{{
 dnpass = flop
}}}
Set this to the password you assigned dovecot using the ldappasswd
command.
----
{{{
 ldap_version = 3
To start Dovecot automatically when you boot, go to /usr/local/etc/rc.d  and copy dovecot.sh.sample to dovecot.sh.

Go to /usr/local/share/doc/dovecot and copy dovecot-ldap.conf to  the /usr/local/etc directory. Go to the /usr/local/etc directory and open  dovecot-ldap.conf in a text editor.

The first setting is

{{{
        hosts = localhost
}}}
If Dovecot and OpenLDAP are running on the same machine, then this is  fine. If you have OpenLDAP running on a different machine, you will  need to set this to the name of the LDAP machine.

----
I recommend bind authentication - dovecot will attempt to 'log in' with the username/password combination. You can then skip all this.

{{{
        dn = uid=dovecot,ou=accounts,dc=wibble,dc=net
}}}
This is set to the Distinguished Name that identifies the Dovecot entry in your LDAP registry.

----
{{{
        dnpass = flop
}}}
Set this to the password you assigned dovecot using the ldappasswd command.

----
{{{
        ldap_version = 3
Line 344: Line 284:
----
{{{
 base = ou=accounts,dc=wibble,dc=net
}}}
This tells Dovecot where to search in your LDAP registry. Dovecot will
search for passwords and UIDs in the entries that fall below ou=accounts
in the data hierarchy.
----
{{{
 deref = never
}}}
If you are referencing and dereferencing aliases, then you know a lot
more about LDAP than I do.
----
{{{
 scope = subtree
}}}
This tells Dovecot to search all entries that fall below the base
entry. If it were set to "onelevel", Dovecot would search only
entries one level below the base entry. If it were set to "base",
Dovecot would search only the base entry.
----
{{{
 user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber

----
{{{
        base = ou=accounts,dc=wibble,dc=net
}}}
This tells Dovecot where to search in your LDAP registry. Dovecot will search for passwords and UIDs in the entries that fall below ou=accounts in the data hierarchy.

----
{{{
        deref = never
}}}
If you are referencing and dereferencing aliases, then you know a lot more about LDAP than I do.

----
{{{
        scope = subtree
}}}
This tells Dovecot to search all entries that fall below the base entry. If it were set to "onelevel", Dovecot would search only entries one level below the base entry. If it were set to "base", Dovecot would search only the base entry.

----
{{{
        user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber
Line 370: Line 308:
 The first uid is the virtual user name that you log in with. For
 example user@domain.com. The second uid is the system user id
 which is used to lookup groups from /etc/groups file...You
 really don't want to have it if you have only virtual users.
 Two commas mean simply that the value in the middle of them doesn't
 exist. That'd be the MAIL environment which you can use to override
 config file's default_mail_env. By default it doesn't exist in LDAP
 so it's empty.
If you have set up your LDAP registry so that it doesn't supply homeDirectory,
uidNumber, and gidNumber (which means that you've applied the homeDirectory
patch, you're not using raw logging, you've set default values for uid and
gid in this config file, and your LDAP entries don't use the posixAccount
object class), you can try the following:
{{{
 user_attrs = uid,,,uid,,
}}}
I haven't tried it, so I can't promise that it works. If you change the
default setting, don't remove any of the commas.
----
{{{
 user_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
Specifies which class to search in a given entry, and to find the
uid that matches the user name passed by the mail client. 
----
{{{
 pass_attrs = uid,userPassword
}}}
Which attributes to use when matching passwords.
----
{{{
 pass_filter = (&(objectClass=posixAccount)(uid=%u))
}}}
Specifies which class to search in a given entry, and to find the
uid that matches the user name passed by the mail client.
----
{{{
 default_pass_scheme = CRYPT
}}}
If you leave this commented out, Dovecot will automatically detect that
OpenLDAP is using CRYPT.
----
{{{
 user_global_uid = 3000
}}}
This provides a default UID number for LDAP entries that lack the
uidNumber attribute. If you use the posixAccount object class in your
LDAP registry, you can't enter data for an account without providing
a uidNumber and gidNumber, so this and the next setting aren't
necessary.
----
{{{
 user_global_gid = 8

 The first uid is the virtual user name that you log in with. For example user@domain.com. The second uid is the system user id which is used to lookup groups from /etc/groups file...You really don't want to have it if you have only virtual users. Two commas mean simply that the value in the middle of them doesn't exist. That'd be the MAIL environment which you can use to override config file's default_mail_env. By default it doesn't exist in LDAP so it's empty.
If you have set up your LDAP registry so that it doesn't supply homeDirectory, uidNumber, and gidNumber (which means that you've applied the homeDirectory patch, you're not using raw logging, you've set default values for uid and  gid in this config file, and your LDAP entries don't use the posixAccount  object class), you can try the following:

{{{
        user_attrs = uid,,,uid,,
}}}
I haven't tried it, so I can't promise that it works. If you change the  default setting, don't remove any of the commas.

Alternatively, there is now a new (named) format for this. For virtual users (where uidNumber is not appropriate and the global settings are used):

{{{
        user_attrs = homeDirectory=home
}}}
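As an added example (this is not Dovecot's own parser, nor code from the wiki page), the Python below decodes both user_attrs formats explained above, positional and named, and then assembles the user record with the user_global_uid / user_global_gid fallback and the first_valid_uid range check mentioned later on this page. The field labels other than home are this example's assumed names, and the LDAP entry is constructed from the page's ole_wobble account.

```python
# Slot order of the positional user_attrs format, as the quoted explanation
# gives it: virtual user name, home directory, MAIL override, system user,
# uid, gid. These labels are assumed for this example, not Dovecot's internal names.
POSITIONAL_FIELDS = ("user", "home", "mail", "system_user", "uid", "gid")


def parse_user_attrs(setting):
    """Return {field: ldap_attribute} for a user_attrs value in either format.

    Positional ("uid,homeDirectory,,uid,uidNumber,gidNumber"): an empty slot
    means that field is not taken from LDAP, and all six slots must be present.
    Named ("homeDirectory=home,uidNumber=uid"): only the listed fields are filled.
    """
    parts = [p.strip() for p in setting.split(",")]
    if any("=" in p for p in parts):
        mapping = {}
        for part in parts:
            if not part:
                continue
            attr, _, field = part.partition("=")
            if not attr or not field:
                raise ValueError(f"bad named user_attrs element: {part!r}")
            mapping[field] = attr
        return mapping
    if len(parts) != len(POSITIONAL_FIELDS):
        raise ValueError(
            f"positional user_attrs needs {len(POSITIONAL_FIELDS)} slots, got {len(parts)}"
        )
    return {field: attr for field, attr in zip(POSITIONAL_FIELDS, parts) if attr}


def resolve_user(mapping, ldap_entry, global_uid=None, global_gid=None):
    """Assemble the user record: LDAP-sourced fields first, then the
    user_global_uid / user_global_gid fallbacks for a uid or gid that
    user_attrs does not take from LDAP (the virtual-user setup on this page)."""
    record = {}
    for field, attr in mapping.items():
        values = ldap_entry.get(attr)
        if values:
            record[field] = int(values[0]) if field in ("uid", "gid") else values[0]
    if "uid" not in record and global_uid is not None:
        record["uid"] = global_uid
    if "gid" not in record and global_gid is not None:
        record["gid"] = global_gid
    return record


def uid_allowed(uid, first_valid_uid, last_valid_uid):
    """Dovecot refuses a login whose uid lies outside first_valid_uid..last_valid_uid
    (both ends inclusive), so the uid resolve_user() yields must fall in that range."""
    return first_valid_uid <= uid <= last_valid_uid


def slot_count_ok(setting):
    """True when a positional user_attrs value keeps all of its commas."""
    try:
        parse_user_attrs(setting)
    except ValueError:
        return False
    return True


# Constructed LDAP entry modelled on ole_wobble from the page's LDIF
# (attribute -> list of values, as an LDAP search result delivers them).
OLE_WOBBLE = {
    "uid": ["ole_wobble"],
    "homeDirectory": ["/usr/home/postoffice"],
    "uidNumber": ["3000"],
    "gidNumber": ["8"],
}
```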

----
{{{
        user_filter = (&(objectClass=posixAccount)(uid=%u))
}}}

Software

OS

  • FreeBSD 4.8
  • Ubuntu 6.06 LTS

LDAP

  • openldap-2.1.22
  • slapd 2.2.26 (Ubuntu)

dovecot

  • dovecot-0.99.10
  • dovecot 1.0-beta3-3ubuntu5.3

Environment

This sets up mail accounts for people who don't have accounts on the FBSD box; e.g. there is a mail account for ole_wobble in the LDAP registry, but no matching account in the Unix passwd file. However, each mail account does require its own directory in /var/mail; e.g. for user Ole Wobble Olson, you need the directory /var/mail/ole_wobble. There is a Unix account named postoffice which handles all administrative tasks and owns the directories and files set up for mail accounts in /var/mail. The group for files in /var/mail is mail. Using ole_wobble as an example:

        # ls -l /var/mail | grep ole_wobble
        drwx--x--x  3 postoffice  mail  - 1024 Aug 23 04:15 ole_wobble

Mail storage is mbox, but these instructions should work fine with Maildir directories. The UID number for the postoffice account is 3000 and the GID number is 8. Change the ID numbers to match your system.

In each user directory in /var/mail, I create three files: inbox, outbox, and Trash. These are needed for the MUAs (mail clients) we use. Eudora requires the inbox to be "inbox", all lower case; mutt requires the outbox to be "outbox", all lower case, and Eudora uses a trash box named "Trash".

Alternatively, an appropriately set up SMTP server (like exim4) will create the boxes on the first email to the account.

If you want to use raw logging, you will need to add a directory named "dovecot.rawlog" to /home/postoffice.

OpenLDAP

The OpenLDAP instructions are extremely sketchy and are intended only to supplement the instructions at the OpenLDAP web site. They give information specific to a Dovecot setup that is missing from the OpenLDAP manual.

Install

If you are going to use CRYPT password hashing as the default in OpenLDAP (this is compatible with Dovecot), then you will need to add the --enable-crypt option to the CONFIGURE_ARGS variable in the Makefile so that OpenLDAP will compile with CRYPT support. If you don't do this, OpenLDAP may actually work for a while, but then one day you'll restart the server and OpenLDAP will refuse to run until you remove the CRYPT setting from slapd.conf, which means the user passwords won't work.

On BSD, if you have portupgrade installed, the simplest way to install OpenLDAP is by using the portinstall tool.

        # portinstall openldap21

On Ubuntu, use apt-get (or aptitude).

        % sudo apt-get install slapd

The instructions for configuring OpenLDAP, including a Quick Install Guide, are at

On BSD, OpenLDAP appears to be difficult to install properly. My first two attempts were unsuccessful. The FreeBSD port includes Perl scripts that run tests to ensure that the installation succeeded. Even though the installation passed the tests, it couldn't be configured to work properly. On my third attempt, OpenLDAP worked but attempts to limit access to specified attributes caused OpenLDAP to refuse access to all attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit access to specified attributes. While searching for information, I found a posting that commented that every installation of OpenLDAP on FreeBSD 4.8 requires its own config file; each installation behaves differently and the config file has to be tuned to the individual installation. You may need to install a few times before you get a usable installation of OpenLDAP.

On Ubuntu, it worked fine.

Configure startup

On Ubuntu, installing slapd is sufficient to start it, and have it start on reboot. It runs as root. Proceed to Configuration.

Run as root, listen on all interfaces

This is the simplest set up. I recommend this for your initial set up and testing. Running as root is a security risk, so you probably want to change this before making the server available to users.

The first step is to go to /etc/rc.conf and add the following line.

slapd_enable="YES"

This will cause the OS to look for slapd.sh and run it at bootup.

Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes, Virginia, there is a slap daemon.) Open the file in a text editor. If you have the following line

        # Uncomment one of the following:

ignore it. Comment out the following line if you have it.

        slapd_args="-u ldap -g ldap"

Save your changes and close the text editor.

Run as normal user, listen at specified sockets

Create a new user and group named "ldap". ldap needs access to the configuration file and the database.

chown ldap:ldap /usr/local/etc/openldap/slapd.conf
chown -R ldap:ldap /var/db/openldap-data

Add the following to /etc/rc.conf.

slapd_args="-u ldap -g ldap"

By default, slapd listens on all interfaces. On very small LANs, the mail and directory services often run on the box that functions as the Internet gateway. In that case you don't want slapd listening at the external interface, so you need to specify which interfaces you do want it to listen on. In the following, the LDAP host name can be substituted for the internal IP address, if the host name is not exposed outside the LAN.

slapd_args='-u ldap -g ldap -h "ldap://localhost/ ldap://<Internal IP address>/ ldapi://%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"'

The ldapi specification is for Unix domain sockets. See the slapd man page.

slapd configuration

Go to the directory containing the OpenLDAP configuration files. On Ubuntu, this is /etc/ldap, on BSD it is /usr/local/etc/openldap. Make the appropriate substitutions below.

Make a copy of slapd.conf.default and name it slapd.conf. Open slapd.conf in a text editor. You will need the following lines to reference the schemas you need:

        include         /usr/local/etc/openldap/schema/core.schema
        include         /usr/local/etc/openldap/schema/cosine.schema
        include         /usr/local/etc/openldap/schema/nis.schema

The following line will set the default password hashing method to the CRYPT algorithm, which is compatible with Dovecot:

        password-hash {CRYPT}

The Quick Install Guide at the OpenLDAP site explains how to set up an administrator with global rights on the LDAP registry, and how to add entries.

Creating the database

Here is a data hierarchy in ldif format that can be used to provide Dovecot mail accounts. You should be able to copy it into an ldif file, modify it for your own use, and install it all at once.

        dn: dc=wibble,dc=net
                objectClass: top
                objectClass: dcObject
                objectClass: organization
                o: Wibble Corp.
                dc: wibble
                description: Wibble, with Ole Wobble and Ole Wubble
        dn: ou=accounts,dc=wibble,dc=net
                objectClass: top
                objectClass: organizationalUnit
                ou: accounts

        # only necessary if you are NOT using 'bind' authentication
        dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
                objectClass: top
                objectclass: person
                cn: dovecot
                sn: dovecot

        dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
                objectClass: top
                objectclass: person
                objectClass: posixAccount
                cn: Ole Wobble Olson
                sn: Olson
                uid: ole_wobble
                uidNumber: 1002
                gidNumber: 100
                homeDirectory: /usr/home/ole_wobble

        dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
                objectClass: top
                objectclass: person
                objectClass: posixAccount
                cn: Ole Wubble Olson
                sn: Olson
                uid: ole_wubble
                uidNumber: 1003
                gidNumber: 100
                homeDirectory: /usr/home/ole_wubble

The expression dc=wibble,dc=net should match the suffix setting in slapd.conf.

If you plan to install this by copying it to a file and running ldapadd, you must retain the blank lines.

uidNumber and gidNumber are only significant if mentioned in the user_attrs item in /etc/dovecot/dovecot-ldap.conf. If these are virtual accounts (authentication, including homeDirectory, uidNumber, gidNumber are used elsewhere), I recommend you leave these unset in user_attrs, and instead use

    user_global_uid = dovecot
    user_global_gid = mail
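
Before running ldapadd it is worth checking the ldif file mechanically for the three things this section depends on: a blank line between entries, every dn under the slapd suffix, and uidNumber, gidNumber and homeDirectory on every posixAccount entry. The Python script below is an added example, not part of the Dovecot wiki or of OpenLDAP. The ldif it checks is a constructed copy of the hierarchy above with two deliberate mistakes (no blank line before the ole_wubble entry, and a last entry that sits under a different suffix and lacks the posixAccount attributes), so the checks have something to report.

```python
"""Sanity-check an ldif file before handing it to ldapadd.

Added example (not from the Dovecot wiki or OpenLDAP).  It checks only
what the text above depends on: entries separated by blank lines, every
dn under the slapd suffix, and uidNumber, gidNumber and homeDirectory on
every posixAccount entry.  Base64 values ("attr:: ...") are out of scope.
"""

SUFFIX = "dc=wibble,dc=net"          # must equal the suffix line in slapd.conf
POSIX_REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")

# Constructed sample with two deliberate mistakes: no blank line before the
# ole_wubble entry, and a last entry under a different suffix that lacks the
# posixAccount attributes.
SAMPLE_LDIF = """\
dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

# only necessary if you are NOT using 'bind' authentication
dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectclass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 1002
gidNumber: 100
homeDirectory: /usr/home/ole_wobble
dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: posixAccount
uid: ole_wubble

dn: uid=stray,ou=accounts,dc=krig,dc=net
objectClass: top
objectClass: posixAccount
uid: stray
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) entries.

    A 'dn:' line that appears inside an entry (no blank line before it)
    is stored as an ordinary attribute so check_ldif can report it.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:                       # blank line closes the entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn" and current is None:
            current = (value, {})
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def check_ldif(text, suffix=SUFFIX):
    """Return a list of problem descriptions; an empty list means the file is clean."""
    problems = []
    for dn, attrs in parse_ldif(text):
        for nested in attrs.get("dn", []):
            problems.append("%s: missing blank line before 'dn: %s'" % (dn, nested))
        if not dn.lower().endswith(suffix.lower()):
            problems.append("%s: not under suffix %s" % (dn, suffix))
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes:
            for attr in POSIX_REQUIRED:
                if attr.lower() not in attrs:
                    problems.append("%s: posixAccount without %s" % (dn, attr))
    return problems


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF) or ["no problems found"]:
        print(problem)
```

Run it against your own file with check_ldif(open("wibble.ldif").read()); the missing-blank-line check matters because ldapadd would otherwise treat the second dn line as an attribute of the first entry, exactly the mistake the paragraph above warns about.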

To insert the entries above, save them in a file named wibble.ldif. Run ldapadd from the command line:

        ldapadd -W -D "cn=Manager,dc=krig,dc=net" -f /usr/local/etc/openldap/wibble.ldif

Returning to slapd.conf, the following will give dovecot read access to the entries in the ou=accounts section, but no write access and no access to other parts of the registry.

        access to dn.children="ou=accounts,dc=wibble,dc=net"
                by dn="cn=dovecot,ou=accounts,dc=wibble,dc=net" read
                by anonymous auth

This is enough to allow Dovecot to authenticate mail users and itself.

The final step in setting up your LDAP registry is to add the passwords. Every account in the ou=accounts section will need one. Assuming that you've slavishly imitated the example in the Quick Install Guide at the OpenLDAP site and called your LDAP administrator "Manager", you can add passwords from the command line with

$ ldappasswd -W -S -D "cn=Manager,dc=krig,dc=net" "cn=dovecot,ou=accounts,dc=wibble,dc=net"

for the dovecot user and

$ ldappasswd -W -S -D "cn=Manager,dc=krig,dc=net" "uid=ole_wobble,ou=accounts,dc=wibble,dc=net"

for mail accounts. The -S option prompts you for the new password, and the -W option prompts you for the LDAP Manager password. Many LDAP front ends will do the same.

You can view the finished registry with

$ ldapsearch -LLL -W -D "cn=Manager,dc=krig,dc=net" -b "dc=krig,dc=net" "(objectclass=*)"

Installing Dovecot

Again, the simplest approach is the portinstall tool (on BSD) or apt-get (on Ubuntu).

BSD

If you don't include homeDirectory info with all your LDAP entries, you will need a patch. Download the patch from

To apply the patch, go to /usr/ports/mail/dovecot. If you've previously installed dovecot and still have the work directory, you need to remove it.

        # make distclean

Then you need to recreate the work directory.

        # make patch

Go to the directory containing the file you need to patch.

        # cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth

Copy auth-no-homedir.patch (the patch file you downloaded) to this directory. Now run patch.

        # patch -p0 < auth-no-homedir.patch

If you get no error messages, you can proceed with the installation. If you do get error messages, you will need to apply the patch by hand. Open auth-no-homedir.patch in a text viewer. The file you need to patch is listed in the first line of auth-no-homedir.patch. Open that file in a text editor in another ttyv or xterm.

The patch file contains two contiguous lines, the first beginning with a "-" and the second beginning with a "+". The first is the line you will delete from the file to be patched, and the second is the line that will replace it; i.e. subtract the "-" line and add the "+" line. Immediately surrounding the two lines are the context lines; three above and three below. Search for the line in the file to be patched that matches the "-" line *and* has the same context lines above and below. When you find this line, delete it and replace it with the "+" line in the patch file. (Do not include the "+" marker.) Double check that you have deleted only what needs to be deleted and added only what needs to be added. Save the file and close the text editor and text viewer. Delete auth-no-homedir.patch.
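
The by-hand procedure above is exactly what a patch tool does with a hunk: locate the one place where the "-" line and its three context lines above and below match, then swap in the "+" line. The Python below is an added example that implements that procedure; it is neither patch(1) nor the real auth-no-homedir.patch. The source file and the hunk are constructed stand-ins with the shape the text describes, and the script refuses to apply a hunk whose context matches in zero places (stale or already applied) or in more than one (ambiguous), which is the same double check the text asks you to do.

```python
"""Apply a one-line unified-diff hunk by matching its context.

Added example; this is neither the patch(1) program nor the real
auth-no-homedir.patch.  The source file and the hunk are constructed
stand-ins shaped like the page describes: three context lines, one "-"
line, one "+" line, three more context lines.
"""

# Constructed stand-in for the file being patched (one line per element).
ORIGINAL = """\
static int lookup_user(const char *name)
{
    struct user *u = find_user(name);
    struct home *h;
    if (u == NULL || u->home == NULL)
        return -1;
    h = attach_home(u);
    return h == NULL ? -1 : 0;
}
""".splitlines()

# Constructed hunk.  The "+" line drops the home-directory requirement, in
# the spirit of the patch the text talks about.
HUNK = """\
 {
     struct user *u = find_user(name);
     struct home *h;
-    if (u == NULL || u->home == NULL)
+    if (u == NULL)
         return -1;
     h = attach_home(u);
     return h == NULL ? -1 : 0;
""".splitlines()


def parse_hunk(lines):
    """Split hunk lines into the old side and the new side by first column."""
    old, new = [], []
    for line in lines:
        tag, body = line[:1], line[1:]
        if tag == " ":                 # context: present on both sides
            old.append(body)
            new.append(body)
        elif tag == "-":               # only in the old file
            old.append(body)
        elif tag == "+":               # only in the new file
            new.append(body)
        else:
            raise ValueError("unexpected hunk line: %r" % line)
    return old, new


def find_offsets(source, old):
    """Every offset at which the old side, context included, matches exactly."""
    n = len(old)
    return [i for i in range(len(source) - n + 1) if source[i:i + n] == old]


def hunk_matches(source, hunk):
    """Number of places the hunk fits: 1 is what you want, 0 means it no
    longer applies (or is already applied), more than 1 means the three
    context lines are not specific enough to patch safely."""
    old, _ = parse_hunk(hunk)
    return len(find_offsets(source, old))


def apply_hunk(source, hunk):
    """Return a patched copy of source, refusing ambiguous or stale hunks."""
    old, new = parse_hunk(hunk)
    offsets = find_offsets(source, old)
    if len(offsets) != 1:
        raise ValueError("hunk matches %d places, refusing to apply" % len(offsets))
    i = offsets[0]
    return source[:i] + new + source[i + len(old):]


if __name__ == "__main__":
    print("\n".join(apply_hunk(ORIGINAL, HUNK)))
```

Real patch(1) also tolerates line-number drift and, with -F, fewer matching context lines; this version insists on an exact, unique context match, which is the conservative behaviour you want when patching an authentication daemon by hand.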

Once you have successfully run patch or patched by hand, return to /usr/ports/mail/dovecot. Open the Makefile in a text editor. Find the line that begins with "CONFIGURE_ARGS+=". If you don't have the following two arguments, add them.

        --with-rawlog --with-ldap

Raw logging isn't necessary, but it can be useful. You have to have the --with-ldap argument to enable Dovecot to work with LDAP.

If you remove support for alternative authentication methods (PAM, PGSQL, etc), you should leave support for passwd. When I was debugging my configuration, I found it helpful to switch between passwd and LDAP authentication. If my setup worked with passwd and not with LDAP, then I knew that I needed to look at Dovecot's LDAP configuration, or at OpenLDAP.

Save your changes to Makefile, and close the editor.

Now you're ready to install.

        # make install

If make completes and registers Dovecot without giving error messages, then your installation was successful.

Configure Dovecot

dovecot-ldap.conf

To start Dovecot automatically when you boot, go to /usr/local/etc/rc.d and copy dovecot.sh.sample to dovecot.sh.

Go to /usr/local/share/doc/dovecot and copy dovecot-ldap.conf to the /usr/local/etc directory. Go to the /usr/local/etc directory and open dovecot-ldap.conf in a text editor.

The first setting is

        hosts = localhost

If Dovecot and OpenLDAP are running on the same machine, then this is fine. If you have OpenLDAP running on a different machine, you will need to set this to the name of the LDAP machine.


I recommend bind authentication - dovecot will attempt to 'log in' with the username/password combination. You can then skip all this.

        dn = uid=dovecot,ou=accounts,dc=wibble,dc=net

This is set to the Distinguished Name that identifies the Dovecot entry in your LDAP registry.


        dnpass = flop

Set this to the password you assigned dovecot using the ldappasswd command.


        ldap_version = 3

'Nuff said.


        base = ou=accounts,dc=wibble,dc=net

This tells Dovecot where to search in your LDAP registry. Dovecot will search for passwords and UIDs in the entries that fall below ou=accounts in the data hierarchy.


        deref = never

If you are referencing and dereferencing aliases, then you know a lot more about LDAP than I do.


        scope = subtree

This tells Dovecot to search all entries that fall below the base entry. If it were set to "onelevel", Dovecot would search only entries one level below the base entry. If it were set to "base", Dovecot would search only the base entry.


        user_attrs = uid,homeDirectory,,uid,uidNumber,gidNumber

From an e-mail that Timo sent to the list:

  • The first uid is the virtual user name that you log in with. For example user@domain.com . The second uid is the system user id which is used to lookup groups from /etc/groups file...You really don't want to have it if you have only virtual users. Two commas mean simply that the value in the middle of them doesn't exist. That'd be the MAIL environment which you can use to override config file's default_mail_env. By default it doesn't exist in LDAP so it's empty.

If you have set up your LDAP registry so that it doesn't supply homeDirectory, uidNumber, and gidNumber (which means that you've applied the homeDirectory patch, you're not using raw logging, you've set default values for uid and gid in this config file, and your LDAP entries don't use the posixAccount object class), you can try the following:

        user_attrs = uid,,,uid,,

I haven't tried it, so I can't promise that it works. If you change the default setting, don't remove any of the commas.

Alternatively, there is now a new (named) format for this. For virtual users (where uidNumber is not appropriate and the globals are used instead):

        user_attrs = homeDirectory=home


        user_filter = (&(objectClass=posixAccount)(uid=%u))

Specifies which class to search in a given entry, and to find the uid that matches the user name passed by the mail client.


        pass_attrs = uid,userPassword

Which attributes to use when matching passwords. Using bind authentication, this is not necessary.


        pass_filter = (&(objectClass=posixAccount)(uid=%u))

Specifies which class to search in a given entry, and to find the uid that matches the user name passed by the mail client.
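
Both user_filter and pass_filter splice the login name into the filter in place of %u, so the login name has to be escaped as RFC 4515 requires before substitution: unescaped, a login name such as * would turn (uid=%u) into a wildcard that matches every posixAccount entry. Dovecot's LDAP backend escapes the variable before use; the Python below is an added example, not Dovecot's code, that shows what the expansion has to look like, puts a naive substitution beside it for contrast, and evaluates both against a constructed three-entry directory mirroring the ldif hierarchy above. The tiny filter parser only understands the &, |, ! and attr=value forms that appear on this page.

```python
"""Expand %u in a Dovecot-style LDAP filter with RFC 4515 escaping.

Added example, not Dovecot's own code.  It shows what user_filter and
pass_filter on this page expand to for a login name, why the characters
( ) * \\ and NUL in that name must be escaped first, and evaluates the
result against a constructed directory.
"""
import re

USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"   # user_filter / pass_filter above

# RFC 4515 section 3: characters with special meaning inside a filter value
# are replaced by a backslash and their two-digit hex code.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a login name so it is matched literally when spliced into a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username, escape=True):
    """Substitute %u.  escape=False is the naive substitution, kept only to
    show what goes wrong without escaping."""
    value = escape_filter_value(username) if escape else username
    return template.replace("%u", value)


def _unescape(value):
    """Turn \\XX sequences back into characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(s, pos=0):
    """Recursive-descent parser for the subset used on this page:
    (&...), (|...), (!...) and (attr=value).  Returns (node, end_pos)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] in "&|!":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] != ")":
            child, pos = parse_filter(s, pos)
            children.append(child)
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def evaluate(node, entry):
    """Evaluate a parsed filter against an entry ({attr_lowercase: [values]})."""
    op = node[0]
    if op == "&":
        return all(evaluate(c, entry) for c in node[1])
    if op == "|":
        return any(evaluate(c, entry) for c in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    # An unescaped * is a wildcard; escaped pieces are matched literally.
    # IGNORECASE approximates LDAP's caseIgnoreMatch for uid and objectClass.
    rx = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return any(re.fullmatch(rx, v, re.IGNORECASE | re.DOTALL) for v in entry.get(attr, []))


# Constructed directory: the three entries from the ldif hierarchy above.
ENTRIES = [
    {"objectclass": ["top", "person", "posixAccount"], "uid": ["ole_wobble"]},
    {"objectclass": ["top", "person", "posixAccount"], "uid": ["ole_wubble"]},
    {"objectclass": ["top", "person"], "cn": ["dovecot"]},
]


def matching_uids(template, username, escape=True):
    """uid values of the entries the expanded filter would return."""
    node, _ = parse_filter(expand_filter(template, username, escape))
    return [e["uid"][0] for e in ENTRIES if evaluate(node, e)]


if __name__ == "__main__":
    for name in ("ole_wobble", "*"):
        print(expand_filter(USER_FILTER, name), "->", matching_uids(USER_FILTER, name))
```

With escaping, a login of * matches nothing (no account is literally named "*"); with the naive substitution it matches both mail accounts, which is why a passdb lookup must never build its filter from raw client input.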


        default_pass_scheme = CRYPT

If you leave this commented out, Dovecot will automatically detect that OpenLDAP is using CRYPT.


This provides a default UID number for LDAP entries that lack the uidNumber attribute. If you use the posixAccount object class in your LDAP registry, you can't enter data for an account without providing a uidNumber and gidNumber, so this and the next setting aren't necessary. If you have not mentioned uidNumber and gidNumber in user_attrs, these are assumed for all entries. Make sure first_valid_uid in /etc/dovecot/dovecot.conf is less than this number.

        user_global_uid = 3000
        user_global_gid = 8

dovecot.conf

While still in /usr/local/etc, open dovecot.conf in a text editor.

        base_dir = /var/dovecot/

This was created for you during installation.


        protocols = imap

You can add other protocols if you want. This setup only uses IMAP.


        imap_listen = *:143

Dovecot listens on port 143 by default, so the port setting isn't necessary unless you want to use a different port. According to the documentation, * causes Dovecot to listen on all available IP4 interfaces. If your IMAP box is also your Internet gateway, and you're not offering mail services externally, then you probably don't want that. If you specify your LAN interface, Dovecot may continue to listen at localhost, but you can't count on it. If your host name isn't exposed externally, then you can use

        imap_listen = wibblemailhost:143

Otherwise use

        imap_listen = 192.168.15.23:143


        ssl_disable = yes

If you have this set to yes, you can ignore the SSL settings that follow in dovecot.conf.


        login_dir = /var/dovecot/login
        login_chroot = yes
        login = imap
        login_executable = /usr/local/libexec/dovecot/imap-login
        login_user = dovecot
        verbose_proctitle = yes

The above are all part of the default conf file.


        first_valid_uid = 3000
        last_valid_uid = 3000

If you are assigning the postoffice UID number to all mail accounts, you can restrict access to only that UID number. See mention of user_global_uid above.


        first_valid_gid = 8
        last_valid_gid = 8

Since all mail accounts are assigned the mail group's number...
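
The UID and GID relationships this section and the user_global_uid note above ask you to verify by hand are easy to get wrong across two files. The Python below is an added example, not part of Dovecot: it reads the flat "key = value" syntax used on this page (the 0.99/1.0-era format, not the later block syntax) and checks that user_global_uid and user_global_gid fall inside the first_valid/last_valid ranges, then flags the two settings the text leaves to your judgement, auth_mechanisms = plain together with ssl_disable = yes, and imap_listen = * on a host that is also the gateway. Both config texts are constructed samples assembled from the values on this page.

```python
"""Cross-check dovecot.conf against dovecot-ldap.conf.

Added example, not part of Dovecot.  It reads the flat "key = value"
syntax used on this page and verifies the relationships the text asks
you to check by hand: user_global_uid must lie within
first_valid_uid..last_valid_uid (same for the GID), plus two settings
the text flags as judgement calls: auth_mechanisms = plain with
ssl_disable = yes, and imap_listen = *.  Both config texts below are
constructed samples built from this page's values.
"""

DOVECOT_CONF = """\
protocols = imap
imap_listen = *:143
ssl_disable = yes
first_valid_uid = 3000
last_valid_uid = 3000
first_valid_gid = 8
last_valid_gid = 8
auth_mechanisms = plain
auth_userdb = ldap /usr/local/etc/dovecot-ldap.conf
auth_passdb = ldap /usr/local/etc/dovecot-ldap.conf
"""

DOVECOT_LDAP_CONF = """\
hosts = localhost
ldap_version = 3
base = ou=accounts,dc=wibble,dc=net
scope = subtree
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_global_uid = 3000
user_global_gid = 8
"""


def parse_flat_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_id_range(conf, ldap_conf, kind):
    """kind is 'uid' or 'gid'; returns problems with the global id versus the
    valid range.  A symbolic global (user_global_uid = dovecot, as in the
    Ubuntu file on this page) is skipped because it needs a passwd lookup."""
    problems = []
    glob = ldap_conf.get("user_global_%s" % kind, "")
    if not glob.isdigit():
        return problems
    glob = int(glob)
    first = int(conf.get("first_valid_%s" % kind, "0"))
    last = conf.get("last_valid_%s" % kind)
    if glob < first:
        problems.append("user_global_%s=%d is below first_valid_%s=%d; "
                        "Dovecot would refuse these logins" % (kind, glob, kind, first))
    if last is not None and glob > int(last):
        problems.append("user_global_%s=%d is above last_valid_%s=%s; "
                        "Dovecot would refuse these logins" % (kind, glob, kind, last))
    return problems


def check_config(conf_text, ldap_text):
    """Return a list of problems found across the two files."""
    conf = parse_flat_conf(conf_text)
    ldap_conf = parse_flat_conf(ldap_text)
    problems = (check_id_range(conf, ldap_conf, "uid")
                + check_id_range(conf, ldap_conf, "gid"))
    mechs = conf.get("auth_mechanisms", "").split()
    if conf.get("ssl_disable") == "yes" and "plain" in mechs:
        problems.append("auth_mechanisms includes plain while ssl_disable = yes: "
                        "passwords cross the network in cleartext")
    if conf.get("imap_listen", "").startswith("*"):
        problems.append("imap_listen = * binds every IPv4 interface; name the LAN "
                        "interface if this host is also the gateway")
    return problems


if __name__ == "__main__":
    for problem in check_config(DOVECOT_CONF, DOVECOT_LDAP_CONF) or ["no problems found"]:
        print(problem)
```

Point it at the real files with check_config(open("/usr/local/etc/dovecot.conf").read(), open("/usr/local/etc/dovecot-ldap.conf").read()). On the values from this page the UID and GID ranges pass (3000 lies within 3000..3000, 8 within 8..8) and only the two judgement-call settings are reported.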


        valid_chroot_dirs = /var/mail

Another default conf file setting.


        default_mail_env = mbox:/var/mail/%u

or

        default_mail_env = maildir:/var/mail/%u

This tells Dovecot where the mail for a given account is located. Dovecot replaces "%u" with the account name. For the two user accounts in the ldif data hierarchy given above, "%u" would expand to ole_wobble and ole_wubble.


        client_workarounds = oe6-fetch-no-newmail outlook-idle

We don't use Outlook or Outlook Express. However, someone may decide to use an MS mail client in the future, and leaving this in place does no harm.


        mail_save_crlf = yes

My IMAP box really doesn't work very hard, so I don't think it matters how this is set. If your mail server gets hammered regularly, you may want to play with this and see if it makes a difference in speed.


        maildir_copy_with_hardlinks = yes

"yes" is supposed to be faster. See the comments in the config file for the tradeoffs.


        mbox_locks = fcntl

I also tried flock and dotlock, and they work on FBSD. This is the preferred setting, if it works on your system. Locking should not be necessary for Maildir setups.


        imap_executable = /usr/local/libexec/dovecot/imap
        auth = default

More default conf file settings.


        auth_mechanisms = plain

"plain" seems more likely to work under more circumstances.


        auth_userdb = ldap /usr/local/etc/dovecot-ldap.conf
        auth_passdb = ldap /usr/local/etc/dovecot-ldap.conf

If you need to switch to passwd authentication for testing, change this to

        auth_userdb = passwd
        auth_passdb = passwd /etc/master.passwd

The comments in dovecot.conf make it look like there's supposed to be a colon in there, but this is the correct form.


        auth_executable = /usr/local/libexec/dovecot/dovecot-auth

More default conf file settings.


        auth_user = dovecot-auth

If you need to switch to passwd authentication for testing, change this to

        auth_user = root


        auth_verbose = yes

If you have to debug your configuration, you'll want as much information as possible.

Ubuntu config files

These are two full config files used on Ubuntu -

        # /etc/dovecot/dovecot.conf
        protocols = imap imaps
        log_timestamp = "%Y-%m-%d %H:%M:%S "
        first_valid_uid = 100
        mail_extra_groups = mail
        mail_debug = yes
        default_mail_env = /var/mail/%u/Maildir

        auth default {
            mechanisms = plain
            passdb ldap {
                args = /etc/dovecot/dovecot-ldap.conf
            }
            userdb ldap {
                args = /etc/dovecot/dovecot-ldap.conf
            }
        }

For LDAP configuration,

        auth_bind = yes
        auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
        ldap_version = 3
        base = ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
        scope = subtree
        user_attrs = homeDirectory=home
        user_filter = (&(objectClass=posixAccount)(uid=%u))
        user_global_uid = dovecot
        user_global_gid = mail

None: HowTo/DovecotOpenLdap (last edited 2019-06-12 17:12:37 by 62)