Dovecot + Postfix + OpenLDAP
Please Note: Until this message is removed, treat this as a draft; it may still contain errors or spelling mistakes!
Here is an overview of what the configuration offers you:
- Full, tested configurations that are known to run and can be set up quickly
- A set of simple bash scripts to manage users, domains etc.
- A user's account can be disabled / enabled with one LDAP attribute
- A domain can be disabled / enabled with one LDAP attribute
- Select whether individual users have POP3 and / or IMAP available to them
- Quotas
- Both domain and user lookups use scope = base against a DN built directly from the login name, so no subtree searches are needed and every lookup is fast
- Postfix configuration using Dovecot's SASL for authentication
LDAP - Requirements
I use some attributes from the qmail ldap schema, which can be found under http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
Each domain is an organizationalUnit under ou=domains. For the domain eldiablo.org the entry looks like this:

dn: ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
ou: eldiablo.org
objectClass: top
objectClass: organizationalUnit
objectClass: qmailUser
mail: eldiablo.org
accountStatus: yes
structuralObjectClass: organizationalUnit

Each user within a domain is an inetOrgPerson under that domain's entry. For dovecot@eldiablo.org:

dn: cn=dovecot,ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
cn: dovecot
mail: dovecot@eldiablo.org
sn: dovecot
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: top
structuralObjectClass: inetOrgPerson
accountStatus: yes
mailMessageStore: /home/vmail/eldiablo.org/dovecot
mailQuotaSize: 512
deliveryMode: pop3
deliveryMode: imap
userPassword: SECRET

The entries are shown as they appear in the directory. structuralObjectClass is an operational attribute that the server sets itself and OpenLDAP refuses user modification of it, so leave it out of any LDIF you feed to ldapadd. Store userPassword as a hash (for example the output of slappasswd) rather than the clear text shown here; the login bind below works the same either way.
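The page mentions management scripts but does not include them. The following is an added example, not the author's scripts, that generates the LDIF for exactly the domain and user layout shown above and the one-attribute enable / disable change. It assumes the suffix dc=ldap,dc=dit and the /home/vmail root from this page, and that the password passed in is already hashed (e.g. slappasswd output); the script name mailldif.sh in the usage comment is made up.

```shell
#!/bin/sh
# Added example: generate LDIF for the domain/user layout on this page, to pipe
# into ldapadd / ldapmodify. Not the page's own scripts. Assumptions: the suffix
# dc=ldap,dc=dit and the /home/vmail root from the page, and that the password
# argument is already hashed (e.g. the output of slappasswd).

SUFFIX='dc=ldap,dc=dit'
VMAIL_ROOT='/home/vmail'

# Only allow the characters Dovecot itself accepts in login names
# (auth_username_chars); this also keeps DN metacharacters (, + " \ < > ; =)
# out of the DNs built below.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

domain_dn() { printf 'ou=%s,ou=domains,%s\n' "$1" "$SUFFIX"; }
user_dn()   { printf 'cn=%s,ou=%s,ou=domains,%s\n' "$1" "$2" "$SUFFIX"; }

# domain_ldif <domain>: entry for ldapadd. structuralObjectClass is omitted on
# purpose; it is operational and the server fills it in.
domain_ldif() {
    valid_name "$1" || return 1
    printf 'dn: %s\n' "$(domain_dn "$1")"
    printf 'objectClass: top\nobjectClass: organizationalUnit\nobjectClass: qmailUser\n'
    printf 'ou: %s\nmail: %s\naccountStatus: yes\n' "$1" "$1"
}

# user_ldif <local-part> <domain> <quota> <hashed-password> <service>...
# e.g. user_ldif dovecot eldiablo.org 512 '{SSHA}...' pop3 imap
user_ldif() {
    [ $# -ge 4 ] || return 1
    valid_name "$1" && valid_name "$2" || return 1
    u=$1 d=$2 q=$3 pw=$4
    shift 4
    printf 'dn: %s\n' "$(user_dn "$u" "$d")"
    printf 'objectClass: top\nobjectClass: inetOrgPerson\nobjectClass: qmailUser\n'
    printf 'cn: %s\nsn: %s\nmail: %s@%s\n' "$u" "$u" "$u" "$d"
    printf 'mailMessageStore: %s/%s/%s\n' "$VMAIL_ROOT" "$d" "$u"
    printf 'mailQuotaSize: %s\n' "$q"
    for m in "$@"; do printf 'deliveryMode: %s\n' "$m"; done   # one value per service
    printf 'userPassword: %s\naccountStatus: yes\n' "$pw"
}

# set_status <dn> yes|no: ldapmodify LDIF that enables or disables a domain or
# a user by replacing the single accountStatus attribute.
set_status() {
    case $2 in yes|no) ;; *) return 1 ;; esac
    printf 'dn: %s\nchangetype: modify\nreplace: accountStatus\naccountStatus: %s\n' "$1" "$2"
}

# Command-line use (hypothetical script name):
#   ./mailldif.sh domain eldiablo.org | ldapadd -x -D cn=admin,dc=ldap,dc=dit -W
#   ./mailldif.sh status "$(domain_dn eldiablo.org)" no | ldapmodify -x -D cn=admin,dc=ldap,dc=dit -W
case ${1:-} in
    domain) shift; domain_ldif "$@" ;;
    user)   shift; user_ldif "$@" ;;
    status) shift; set_status "$@" ;;
esac
```

Disabling a domain is a single replace of accountStatus on the ou entry; the deny passdb below picks that up on the next login attempt without touching any user entry.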
Using a deny db to control domains
Because we want to be able to disable all service for a domain at short notice (for example a client who is very late paying) and to restore it just as easily, the first passdb is a deny database: if its lookup matches, the login is rejected before any password is checked. All it does is take the domain part of the login (%d) and check whether that domain's entry has accountStatus=no. A lookup that finds nothing (unknown domain, or accountStatus=yes) is not a denial; it simply falls through to the next passdb.
/etc/dovecot-ldap.deny
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = no
ldap_version = 3
deref = never
base = ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
pass_filter = (accountStatus=no)
pass_attrs = (none)
Authenticating the logins
We attempt to bind to the directory with the username and password supplied by the client (auth_bind = yes). Before the bind, the filter also requires that the user's account is enabled and that the service being used (%Ls expands to imap or pop3) is one of the user's deliveryMode values. Because this file sets no dn / dnpass, that preliminary search is made anonymously, so the directory's ACLs must let anonymous clients read accountStatus and deliveryMode on user entries (or a bind dn must be added here).
/etc/dovecot-ldap.pass
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
ldap_version = 3
deref = never
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
pass_filter = (&(accountStatus=yes)(deliveryMode=%Ls))
user_global_uid = 10000
user_global_gid = 10000
Users information
When we need information about a given user (after a successful login, and at delivery time), we check again that the account is active and, if so, read the quota size and home directory from the same entry. The uid and gid are fixed at 10000 for every user (user_global_uid / user_global_gid), which matches the first/last_valid_uid and gid settings in dovecot.conf; the vmail owner of /home/vmail must have that uid and gid. mailQuotaSize is passed through as the maildir storage quota, which the v1.0 quota plugin interprets in kilobytes, so the 512 in the example entry is a 512 kB mailbox.
/etc/dovecot-ldap.user
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = no
ldap_version = 3
deref = never
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
user_filter = (accountStatus=yes)
user_global_uid = 10000
user_global_gid = 10000
user_attrs = mailMessageStore=home,mailQuotaSize=quota=maildir:storage
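To check the three files before switching them on, it helps to run the same lookups by hand. The script below is an added example and not part of the page: it builds, for one login and service, the deny, pass and user lookups with the exact base DNs, scopes and filters from the files above, plus an ldapwhoami bind as the user's DN, and applies the same %Lu lowercasing and auth_username_chars restriction that dovecot.conf uses. It assumes the suffix dc=ldap,dc=dit, the server at 127.0.0.1:389 and anonymous read access to the attributes (the Dovecot files set no bind dn, so Dovecot's own searches are anonymous too).

```shell
#!/bin/sh
# Added example, not part of the page: reproduce the three LDAP lookups Dovecot
# performs for one login, using the base DNs, scopes and filters of the three
# dovecot-ldap.* files, so they can be run with ldapsearch / ldapwhoami before
# the configuration is switched on. Assumes the suffix dc=ldap,dc=dit, the
# server at 127.0.0.1:389, and anonymous read access to the attributes.

SUFFIX='dc=ldap,dc=dit'
LDAP_URI='ldap://127.0.0.1:389'

# normalise_login <login>: apply auth_username_format = %Lu (lowercase) and the
# auth_username_chars restriction. Rejecting anything outside [A-Za-z0-9._@-]
# is what keeps filter and DN metacharacters such as ( ) * , \ out of the
# searches below; a login without exactly one '@' is rejected because ou=%d
# would otherwise be empty.
normalise_login() {
    case $1 in
        ''|*[!A-Za-z0-9._@-]*|*@*@*|*@|@*) return 1 ;;
        *@*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | tr 'A-Z' 'a-z'
}

# lookups <login> <service>: print the commands in the order Dovecot runs them.
#   deny : the domain's entry, scope base, must NOT match (accountStatus=no)
#   pass : the user's entry must match the status and the service (%Ls), after
#          which Dovecot binds as that DN with the client's password
#   bind : the same bind, done here with ldapwhoami (prompts for the password)
#   user : the userdb reads home and quota from the same entry
lookups() {
    login=$(normalise_login "$1") || return 1
    service=$(printf '%s\n' "$2" | tr 'A-Z' 'a-z')
    n=${login%@*}
    d=${login#*@}
    udn="cn=$n,ou=$d,ou=domains,$SUFFIX"
    printf "deny: ldapsearch -x -H %s -b 'ou=%s,ou=domains,%s' -s base '(accountStatus=no)' 1.1\n" "$LDAP_URI" "$d" "$SUFFIX"
    printf "pass: ldapsearch -x -H %s -b '%s' -s base '(&(accountStatus=yes)(deliveryMode=%s))' 1.1\n" "$LDAP_URI" "$udn" "$service"
    printf "bind: ldapwhoami -x -H %s -D '%s' -W\n" "$LDAP_URI" "$udn"
    printf "user: ldapsearch -x -H %s -b '%s' -s base '(accountStatus=yes)' mailMessageStore mailQuotaSize\n" "$LDAP_URI" "$udn"
}

# run_lookups <login> <service>: execute the commands when the tools exist.
# A hit on the deny step, or no hit on the pass / user steps, means Dovecot
# would reject that login for that service.
run_lookups() {
    command -v ldapsearch >/dev/null 2>&1 || { echo 'ldapsearch not installed' >&2; return 2; }
    lookups "$1" "$2" | while IFS= read -r line; do
        echo "## ${line%%:*}"
        eval "${line#*: }"
    done
}

if [ $# -eq 2 ]; then run_lookups "$1" "$2"; fi
```

The deny step's "1.1" attribute list asks for no attributes at all; only whether an entry comes back matters, which is the same thing Dovecot's deny passdb looks at.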
/etc/dovecot.conf
Two things to check before using this file as-is. First, it has ssl_disable = yes and disable_plaintext_auth = no, so passwords travel in the clear. IMAP is bound to 127.0.0.1:143 only, but the pop3 block sets no listen of its own and therefore inherits the global listen = [::], which accepts plaintext POP3 logins on every interface; either give pop3 its own listen = 127.0.0.1:110 or enable SSL and set disable_plaintext_auth = yes before exposing either service. Second, the auth client socket used by Postfix is created with mode 0666; since it is already owned by postfix:postfix, 0660 is enough and stops other local users from driving the authentication socket.
shutdown_clients = yes
ssl_disable = yes
base_dir = /var/run/dovecot/
protocols = imap pop3
listen = [::]

protocol imap {
  listen = 127.0.0.1:143
  mail_plugins = quota imap_quota
  login_executable = /usr/libexec/dovecot/imap-login
  mail_executable = /usr/libexec/dovecot/imap
}

protocol pop3 {
  mail_plugins = quota
  login_executable = /usr/libexec/dovecot/pop3-login
  mail_executable = /usr/libexec/dovecot/pop3
  pop3_no_flag_updates = yes
  pop3_reuse_xuidl = no
  pop3_lock_session = no
  pop3_uidl_format = %08Xu%08Xv
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}

protocol lda {
  postmaster_address = postmaster@FQDN
  hostname = FQDN
  sendmail_path = /usr/sbin/sendmail
  auth_socket_path = /var/run/dovecot/auth-master
  mail_plugins = quota
}

disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> rip=%r %c
login_log_format = %$: %s
mail_location = maildir:/home/vmail/%d/%n/
mail_full_filesystem_access = no
mail_debug = no
mail_log_prefix = "%Us(%u): "
mail_read_mmaped = no
lock_method = fcntl
mail_drop_priv_before_exec = no
verbose_proctitle = no
first_valid_uid = 10000
last_valid_uid = 10000
first_valid_gid = 10000
last_valid_gid = 10000
max_mail_processes = 1024
mail_process_size = 256
mail_max_keyword_length = 50
umask = 0077
valid_chroot_dirs = /
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dotlock_change_timeout = 120
mbox_dirty_syncs = yes
auth_executable = /usr/libexec/dovecot/dovecot-auth
auth_process_size = 256
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth_debug_passwords = no

auth default {
  mechanisms = plain login
  passdb ldap {
    args = /etc/dovecot-ldap.deny
    deny = yes
  }
  passdb ldap {
    args = /etc/dovecot-ldap.pass
  }
  userdb ldap {
    args = /etc/dovecot-ldap.user
  }
  auth_user = nobody
  count = 1
  ssl_require_client_cert = no
  ssl_username_from_cert = no
  socket listen {
    master {
      path = /var/run/dovecot/auth-master
      mode = 0660
      user = vmail
      group = vmail
    }
    client {
      path = /var/run/dovecot/auth-client
      mode = 0666
      user = postfix
      group = postfix
    }
  }
}

plugin {
  quota = maildir
}
If you have any questions, feel free to ask [diablo] in #dovecot