Dovecot + Postfix + OpenLDAP
Please Note: Until this message is removed, treat this as a draft that may contain errors or spelling mistakes!
Here is an overview of what the configuration offers you:
- Full configurations, tested and known to run, that can be set up quickly
- Set of simple bash scripts to manage users, domains etc.
- A user's account can be disabled / enabled with a single LDAP attribute (accountStatus)
- A domain can be disabled / enabled with a single LDAP attribute (accountStatus on the domain entry)
- Select per user whether POP3 and / or IMAP are available to them (one deliveryMode value per permitted service)
- Quotas (mailQuotaSize)
- Both domain and user lookups use scope = base, so every lookup is a single-entry read and everything is fast
- Postfix configuration with Dovecot's SASL for authentication
LDAP - Requirements
I use some attributes from the qmail LDAP schema, which can be found at http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
The entries below are shown as ldapsearch prints them; structuralObjectClass is an operational attribute that OpenLDAP maintains itself, so leave it out when you create entries with ldapadd.
Each domain entry has the following structure (eg: eldiablo.org):
dn: ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
ou: eldiablo.org
objectClass: top
objectClass: organizationalUnit
objectClass: qmailUser
mail: eldiablo.org
accountStatus: yes
structuralObjectClass: organizationalUnit
Each user within a domain has the following structure (eg: dovecot@eldiablo.org):
dn: cn=dovecot,ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
cn: dovecot
mail: dovecot@eldiablo.org
sn: dovecot
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: top
structuralObjectClass: inetOrgPerson
accountStatus: yes
mailMessageStore: /home/vmail/eldiablo.org/dovecot
mailQuotaSize: 512
deliveryMode: pop3
deliveryMode: imap
userPassword: SECRET
One deliveryMode value is present for each service the user may use; a user with only deliveryMode: imap cannot log in over POP3. SECRET stands for the password: store it hashed (for example a {SSHA} value generated with slappasswd) rather than in clear text. That works here because the password is checked by OpenLDAP during the bind, not by Dovecot comparing the attribute value. mailQuotaSize is handed straight to Dovecot's quota plugin as maildir:storage=N, where Dovecot reads N as kilobytes (512 here means a 512 KB mailbox), regardless of the unit the qmail schema assigns to the attribute.
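The page mentions a set of bash scripts for managing users and domains but does not show them. The following is an added example, not the page's own scripts: a small Python module that generates the LDIF for the domain and user entries above, flips the single accountStatus attribute that enables or disables an entry, and produces an OpenLDAP-compatible {SSHA} userPassword so the clear-text SECRET from the example entry never reaches the directory. It assumes the suffix ou=domains,dc=ldap,dc=dit, the /home/vmail layout and the qmail schema attribute names exactly as shown on this page; the function names are the example's own.

```python
"""Added example: LDIF generation for the Dovecot/OpenLDAP layout above.

Not the page's management scripts. Assumes the DIT suffix, the ou=domains
container, the /home/vmail root and the qmail schema attributes used on
the page. Output is meant to be piped into ldapadd / ldapmodify.
"""
import base64
import hashlib
import os
from typing import Optional, Sequence

SUFFIX = "ou=domains,dc=ldap,dc=dit"   # assumed from the page's example DNs
VMAIL_ROOT = "/home/vmail"            # root of mail_location in dovecot.conf


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA} format: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """What the LDAP server does when Dovecot binds with the user's password."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def domain_dn(domain: str) -> str:
    return f"ou={domain},{SUFFIX}"


def user_dn(local: str, domain: str) -> str:
    return f"cn={local},{domain_dn(domain)}"


def domain_ldif(domain: str, enabled: bool = True) -> str:
    """LDIF for a domain entry. structuralObjectClass is operational and is
    deliberately omitted; OpenLDAP sets it itself."""
    return "\n".join([
        f"dn: {domain_dn(domain)}",
        f"ou: {domain}",
        "objectClass: top",
        "objectClass: organizationalUnit",
        "objectClass: qmailUser",
        f"mail: {domain}",
        f"accountStatus: {'yes' if enabled else 'no'}",
        "",
    ])


def user_ldif(local: str, domain: str, password: str, quota_kb: int,
              services: Sequence[str] = ("imap", "pop3"),
              enabled: bool = True) -> str:
    """LDIF for a mailbox. One deliveryMode per permitted service; the
    mailMessageStore path matches mail_location = maildir:/home/vmail/%d/%n/."""
    lines = [
        f"dn: {user_dn(local, domain)}",
        f"cn: {local}",
        f"sn: {local}",
        f"mail: {local}@{domain}",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        "objectClass: qmailUser",
        f"accountStatus: {'yes' if enabled else 'no'}",
        f"mailMessageStore: {VMAIL_ROOT}/{domain}/{local}",
        f"mailQuotaSize: {quota_kb}",           # kilobytes once Dovecot reads it
    ]
    lines += [f"deliveryMode: {s}" for s in services]
    lines.append(f"userPassword: {ssha(password)}")   # never the clear text
    lines.append("")
    return "\n".join(lines)


def set_status_ldif(dn: str, enabled: bool) -> str:
    """ldapmodify input that flips the one attribute the deny/pass/user
    lookups check: accountStatus on a domain or a user entry."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: accountStatus",
        f"accountStatus: {'yes' if enabled else 'no'}",
        "",
    ])


if __name__ == "__main__":
    # ldapadd -x -H ldap://127.0.0.1 -D <admin dn> -W < this output
    print(domain_ldif("eldiablo.org"))
    print(user_ldif("dovecot", "eldiablo.org", "SECRET", 512))
    # ldapmodify with the same options suspends the whole domain
    print(set_status_ldif(domain_dn("eldiablo.org"), enabled=False))
```

Because the pass lookup binds as the user, the {SSHA} value is checked by OpenLDAP itself; Dovecot never sees or compares the hash, so the userPassword ACL can stay at "by anonymous auth by * none".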
Using a deny db to control domains
As we want to be able to disable all service for a domain easily if required (for example a client who is very late paying), and to reestablish it just as easily, we use a deny passdb. All it does is check the domain part of the login: if the domain entry carries accountStatus: no, the lookup matches and the login is refused before any password is checked.
/etc/dovecot-ldap.deny
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = no
ldap_version = 3
deref = never
base = ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
pass_filter = (accountStatus=no)
pass_attrs = (none)
No dn / dnpass is set in any of the three LDAP files, so the searches run over an anonymous bind to the local server. The OpenLDAP ACLs must therefore allow anonymous read of accountStatus, deliveryMode, mailMessageStore and mailQuotaSize on these entries, while userPassword should remain readable by nobody (auth access only).
Authenticating the logins
We attempt to bind to LDAP with the username and password supplied by the client. The pass_filter additionally requires that the account is enabled and that the service being used (%Ls expands to the lowercased service name, imap or pop3) is one of the user's deliveryMode values, so a user without deliveryMode: pop3 is refused on POP3 even with the correct password.
/etc/dovecot-ldap.pass
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = yes
ldap_version = 3
deref = never
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
pass_filter = (&(accountStatus=yes)(deliveryMode=%Ls))
user_global_uid = 10000
user_global_gid = 10000
User information
When we need information about a user, we check that their account is active and, if so, read their quota size and home directory. Their uid and gid are fixed at 10000, matching first_valid_uid / first_valid_gid in dovecot.conf.
/etc/dovecot-ldap.user
hosts = 127.0.0.1:389
sasl_bind = no
auth_bind = no
ldap_version = 3
deref = never
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
user_filter = (accountStatus=yes)
user_global_uid = 10000
user_global_gid = 10000
user_attrs = mailMessageStore=home,mailQuotaSize=quota=maildir:storage
The mapping mailQuotaSize=quota=maildir:storage returns the extra field quota=maildir:storage=<mailQuotaSize> to the mail process, which is the form the quota plugin configured in dovecot.conf expects.
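To make the order of the three lookups concrete, here is an added example (not Dovecot code and not part of the original page) that replays the deny, pass and user lookups against a small in-memory directory built from the page's example entries, with the %n, %d, %Lu and %Ls expansions and the exact filters from the three files. The password comparison stands in for the LDAP bind that auth_bind = yes performs, the filter evaluator only understands the two filter shapes used on this page, and the extra entries (an IMAP-only user and a disabled domain) are constructed for the demonstration.

```python
"""Added example: replay of Dovecot's passdb deny -> passdb (auth_bind)
-> userdb chain from the page's three LDAP files, against a constructed
in-memory directory. Not Dovecot's own code.
"""
from typing import Dict, List, Optional

# Constructed directory: DN -> attributes, mirroring the page's entries.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "ou=eldiablo.org,ou=domains,dc=ldap,dc=dit": {"accountStatus": ["yes"]},
    "ou=late-payer.example,ou=domains,dc=ldap,dc=dit": {"accountStatus": ["no"]},
    "cn=dovecot,ou=eldiablo.org,ou=domains,dc=ldap,dc=dit": {
        "accountStatus": ["yes"],
        "deliveryMode": ["pop3", "imap"],
        "mailMessageStore": ["/home/vmail/eldiablo.org/dovecot"],
        "mailQuotaSize": ["512"],
        "userPassword": ["SECRET"],        # clear text only for this demo
    },
    "cn=imaponly,ou=eldiablo.org,ou=domains,dc=ldap,dc=dit": {
        "accountStatus": ["yes"],
        "deliveryMode": ["imap"],          # no POP3 for this user
        "mailMessageStore": ["/home/vmail/eldiablo.org/imaponly"],
        "mailQuotaSize": ["1024"],
        "userPassword": ["pw2"],
    },
    "cn=bob,ou=late-payer.example,ou=domains,dc=ldap,dc=dit": {
        "accountStatus": ["yes"],          # user enabled, domain is not
        "deliveryMode": ["imap"],
        "mailMessageStore": ["/home/vmail/late-payer.example/bob"],
        "mailQuotaSize": ["512"],
        "userPassword": ["pw3"],
    },
}


def expand(template: str, user: str, service: str) -> str:
    """The Dovecot variables the three files use: %n, %d, %Lu, %Ls."""
    local, _, domain = user.partition("@")
    return (template.replace("%Lu", user.lower())
                    .replace("%Ls", service.lower())
                    .replace("%n", local)
                    .replace("%d", domain))


def matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Evaluate the page's filter shapes: (a=v) and (&(a=v)(b=w))."""
    inner = filt.strip()[1:-1]
    if inner.startswith("&"):
        parts = inner[1:].lstrip("(").rstrip(")").split(")(")
        return all(matches(entry, f"({p})") for p in parts)
    attr, _, value = inner.partition("=")
    return value in entry.get(attr, [])


def base_search(base: str, filt: str) -> Optional[Dict[str, List[str]]]:
    """scope = base: read exactly one entry and apply the filter to it."""
    entry = DIRECTORY.get(base)
    if entry is None or not matches(entry, filt):
        return None
    return entry


def authenticate(login: str, password: str, service: str) -> Optional[dict]:
    """Returns the userdb fields on success, None on any rejection."""
    user = expand("%Lu", login, service)           # auth_username_format
    if "@" not in user:
        return None   # empty %d gives an invalid base DN: lookup fails, login fails

    # 1. dovecot-ldap.deny: a match means the whole domain is switched off.
    if base_search(expand("ou=%d,ou=domains,dc=ldap,dc=dit", user, service),
                   "(accountStatus=no)") is not None:
        return None

    # 2. dovecot-ldap.pass: the entry must pass the filter, then Dovecot
    #    binds with the client's password (modelled here by a comparison).
    dn = expand("cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit", user, service)
    entry = base_search(dn, expand("(&(accountStatus=yes)(deliveryMode=%Ls))",
                                   user, service))
    if entry is None or password not in entry["userPassword"]:
        return None

    # 3. dovecot-ldap.user: home and quota; uid/gid are fixed by user_global_*.
    entry = base_search(dn, "(accountStatus=yes)")
    if entry is None:
        return None
    return {
        "home": entry["mailMessageStore"][0],
        "quota": "maildir:storage=" + entry["mailQuotaSize"][0],
        "uid": 10000,
        "gid": 10000,
    }


if __name__ == "__main__":
    for login, pw, svc in [("dovecot@eldiablo.org", "SECRET", "pop3"),
                           ("imaponly@eldiablo.org", "pw2", "pop3"),
                           ("bob@late-payer.example", "pw3", "imap")]:
        print(login, svc, "->", authenticate(login, pw, svc))
```

The order matters for the late-payer case: because the deny passdb runs first and matches on the domain entry alone, bob's valid password is never sent to the directory, and no per-user change is needed to cut the whole domain off or to restore it.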
/etc/dovecot.conf
shutdown_clients = yes
# SSL/TLS is switched off for IMAP and POP3; see the note at disable_plaintext_auth below
ssl_disable = yes
base_dir = /var/run/dovecot/
protocols = imap pop3
listen = [::]
protocol imap {
listen = 127.0.0.1:143
mail_plugins = quota imap_quota
login_executable = /usr/libexec/dovecot/imap-login
mail_executable = /usr/libexec/dovecot/imap
}
protocol pop3 {
mail_plugins = quota
login_executable = /usr/libexec/dovecot/pop3-login
mail_executable = /usr/libexec/dovecot/pop3
pop3_no_flag_updates = yes
pop3_reuse_xuidl = no
pop3_lock_session = no
pop3_uidl_format = %08Xu%08Xv
pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
postmaster_address = postmaster@FQDN
hostname = FQDN
sendmail_path = /usr/sbin/sendmail
auth_socket_path = /var/run/dovecot/auth-master
mail_plugins = quota
}
# Allows PLAIN/LOGIN over unencrypted connections. With ssl_disable = yes, POP3 on listen = [::] accepts
# cleartext passwords from any network; keep it on loopback (as IMAP is here) or put TLS in front before exposing it
disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> rip=%r %c
login_log_format = %$: %s
mail_location = maildir:/home/vmail/%d/%n/
mail_full_filesystem_access = no
mail_debug = no
mail_log_prefix = "%Us(%u): "
mail_read_mmaped = no
lock_method = fcntl
mail_drop_priv_before_exec = no
verbose_proctitle = no
first_valid_uid = 10000
last_valid_uid = 10000
first_valid_gid = 10000
last_valid_gid = 10000
max_mail_processes = 1024
mail_process_size = 256
mail_max_keyword_length = 50
umask = 0077
valid_chroot_dirs = /
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dotlock_change_timeout = 120
mbox_dirty_syncs = yes
auth_executable = /usr/libexec/dovecot/dovecot-auth
auth_process_size = 256
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_@
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
auth_debug_passwords = no
auth default {
mechanisms = plain login
passdb ldap {
args = /etc/dovecot-ldap.deny
deny = yes
}
passdb ldap {
args = /etc/dovecot-ldap.pass
}
userdb ldap {
args = /etc/dovecot-ldap.user
}
auth_user = nobody
count = 1
ssl_require_client_cert = no
ssl_username_from_cert = no
socket listen {
master {
path = /var/run/dovecot/auth-master
mode = 0660
user = vmail
group = vmail
}
client {
path = /var/run/dovecot/auth-client
# Postfix smtpd runs as user postfix, so 0660 is sufficient; 0666 leaves the SASL socket writable by every local user
mode = 0666
user = postfix
group = postfix
}
}
}
plugin {
quota = maildir
}
If you have any questions, feel free to ask [diablo] in #dovecot
