|
|
|
qmail-ldap [2016/04/16 19:40]
ian |
qmail-ldap [2020/02/13 22:55]
|
| |
| ====== qmail-ldap Installation ====== | |
| |
| You will need to get the following software: | |
| |
| * qmail http://cr.yp.to/software/qmail-1.03.tar.gz | |
| * qmail-ldap patch http://www.nrg4u.com/qmail | |
| |
| From your distro install slapd (openldap), phpldapadmin, daemontools-run, and ucspi-tcp-ipv6. | |
| |
| Optional: | |
| |
| * <uri strref="http://cr.yp.to/software/ezmlm-0.53.tar.gz"/> [ezmlm notes|#ezmlm] - mailing list manager ( Requires the dash-trick patch if you plan to set up LDAP users to have mailing lists, rather than just real users ) | |
| |
| Untar qmail, and apply the current qmail-ldap patch: | |
| <pre> | |
| tar xvzf qmail-1.03.tar.gz | |
| cd qmail-1.03; gzip -dc ../qmail-ldap-1.03-xxxxxxxx.patch.gz | patch -p1 | |
| </pre> | |
| You will need to edit the qmail-1.03/Makefile and make sure that the definitions at the top are correct. Especially make sure the entries for | |
| |
| <code> | |
| MDIRMAKE=-DAUTOMAILDIRMAKE | |
| HDIRMAKE=-DAUTOHOMEDIRMAKE | |
| </code> | |
| are uncommented! | |
| |
| <list><ul><li>Edit /etc/openldap/slapd.conf and replace where possible:<ul><li><tt>schemacheck</tt> - to on</li><li><tt>suffix</tt> - use either <tt>'dc=domianname, dc=com'</tt> -or- <tt>'o=~MrZesty, c=CA'</tt> (organization, country)</li><li><tt>rootdn</tt> - <tt>'cn=Manager, dc=mrzesty, dc=net'</tt> - must match suffix above</li><li><tt>rootpw</tt>- change your password from 'secret'</li><li><tt>index objectclass,mail,~mailAlternateAddress,uid eq</tt></li></ul></li></ul></list> | |
| Edit <tt>/usr/local/etc/openldap/ldap.conf</tt> and set your BASE dn: | |
| |
| * <tt>BASE dc=mrzesty, dc=net</tt> | |
| <p> Copy <tt>qmail-1.03/qmail.schema</tt> to <tt><em>usr/local/etc/openldap/schema</em></tt> and add the following 3 lines to <tt>/usr/local/etc/openldap/slapd.conf</tt> after the first include line</p> | |
| <code> | |
| include /etc/openldap/schema/cosine.schema | |
| include /etc/openldap/schema/nis.schema | |
| include /etc/openldap/schema/qmail.schema | |
| </code> | |
| |
| <list><ul><li>The idea here is that all email will be handled through virtual accounts, not <tt>/etc/passwd</tt> accounts. Create those now:<ul><li><tt>mkdir -p /var/qmail</tt></li><li>Add a group <tt>vmail</tt></li><li>Add a user <tt>vmail</tt>, home directory is <tt>/var/qmail/maildirs</tt>, and shell is <tt>/bin/true</tt></li></ul></li></ul></list> | |
| <code> | |
| /usr/sbin/groupadd -g 200 vmail | |
| /usr/sbin/useradd -u 200 -g vmail -d /var/qmail/maildirs -m -k /dev/null -s /bin/true -c 'qmail vmail user' vmail | |
| </code> | |
| <list><ul><li>Create the other users and groups needed for qmail to operate: Create 2 groups <tt>nofiles</tt> and <tt>qmail</tt>, then create these users:</li></ul></list> | |
| <table><tr valign="top"><td colspan="1"> User </td><td colspan="1"> Primary Group </td><td colspan="1"> Home Directory </td><td colspan="1"> Shell</td></tr><tr valign="top"><td colspan="1"> alias </td><td colspan="1"> nofiles </td><td colspan="1"> /var/qmail/alias </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmaild </td><td colspan="1"> nofiles </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmaill </td><td colspan="1"> nofiles </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmailp </td><td colspan="1"> nofiles </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmailq </td><td colspan="1"> qmail </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmailr </td><td colspan="1"> qmail </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr><tr valign="top"><td colspan="1"> qmails </td><td colspan="1"> qmail </td><td colspan="1"> /var/qmail </td><td colspan="1"> /usr/bin/true</td></tr></table> | |
| or you can look at the file INSTALL.ids for commands for your O/S. | |
| |
| For linux I use: | |
| |
| <code> | |
| /usr/sbin/groupadd -g 201 nofiles | |
| /usr/sbin/groupadd -g 202 qmail | |
| /usr/sbin/useradd -u 201 -g nofiles -d /var/qmail/alias -m -k /dev/null -s /bin/true -c 'qmail server' alias | |
| /usr/sbin/useradd -u 202 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmaild | |
| /usr/sbin/useradd -u 203 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmaill | |
| /usr/sbin/useradd -u 204 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmailp | |
| /usr/sbin/useradd -u 205 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmailq | |
| /usr/sbin/useradd -u 206 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmailr | |
| /usr/sbin/useradd -u 207 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmails | |
| </code> | |
| <list><ul><li>Create the initial entries in the LDAP database for the qmail-ldap structure. Create a file <tt>qmail-ldap.ldif</tt> with the following contents, modified as needed for your setup:</li></ul></list> | |
| <code> | |
| dn: dc=MrZesty,dc=net | |
| objectclass: dcObject | |
| objectclass: organization | |
| o: MrZesty dot Net | |
| dc: MrZesty | |
| |
| dn: cn=Manager,dc=MrZesty,dc=net | |
| objectclass: organizationalRole | |
| cn: Manager | |
| |
| dn: ou=qmail, dc=MrZesty, dc=net | |
| objectclass: top | |
| objectclass: organizationalUnit | |
| ou: qmail | |
| </code> | |
| Now load the ldif file into the LDAP directory: | |
| |
| <tt>ldapadd -vxc -h localhost -D 'cn=manager,dc=mrzesty,dc=net' -w managers_password -f qmail-ldap.ldif</tt> | |
| |
| <list><ul><li>Make sure you are in your qmail-1.03 source directory, and run:</li></ul></list> | |
| <tt>make setup check</tt> | |
| |
| <list><ul><li>Configure qmail with default values (use the mail server name - not the machine name below):</li></ul></list> | |
| <code> | |
| ./config-fast mail.mrzesty.net | |
| echo 'localhost' > /var/qmail/control/ldapserver | |
| echo 'ou=qmail, dc=mrzesty, dc=net' > /var/qmail/control/ldapbasedn | |
| echo `id -u vmail` > /var/qmail/control/ldapuid | |
| echo `id -g vmail` > /var/qmail/control/ldapgid | |
| echo '/var/qmail/maildirs' > /var/qmail/control/ldapmessagestore | |
| echo '20000000' > /var/qmail/control/defaultquotasize | |
| echo 'You are near your quota for email. You will need to delete some messages from the server.' > /var/qmail/control/quotawarning | |
| echo 5 > /var/qmail/control/tarpitcount | |
| echo '/var/qmail/bin/dirmaker.sh' > /var/qmail/control/dirmaker | |
| echo 'mrzesty.net' > /var/qmail/control/defaulthost | |
| echo 0 > /var/qmail/control/ldaplocaldelivery | |
| </code> | |
| |
| <code> | |
| cp dirmaker /var/qmail/bin/ | |
| chmod 755 /var/qmail/bin/dirmaker | |
| </code> | |
| |
| <list><ul><li>Create default system aliases, and define who receives them:</li></ul></list> | |
| <code> | |
| echo '[email protected]' > ~alias/.qmail-postmaster; chmod 644 ~alias/.qmail-postmaster | |
| echo '|cat /dev/null' > ~alias/.qmail-mailer-daemon; chmod 644 ~alias/.qmail-mailer-daemon | |
| echo '[email protected]' > ~alias/.qmail-root; chmod 644 ~alias/.qmail-root | |
| echo '[email protected]' > ~alias/.qmail-abuse; chmod 644 ~alias/.qmail-abuse | |
| </code> | |
| |
| <code> | |
| cp qmail.run /var/qmail/rc | |
| chmod 755 /var/qmail/rc | |
| </code> | |
| |
| <list><ul><li>Download <uri strref="http://www.lifewithqmail.org/qmailctl-script-dt70"/> and install it as <tt>/var/qmail/bin/qmailctl</tt>.</li></ul></list> | |
| <code> | |
| cd /etc/rc.d/init.d; ln -s /var/qmail/bin/qmailctl qmail | |
| cd /etc/rc.d/rc0.d; ln -s ../init.d/qmail K30qmail | |
| cd /etc/rc.d/rc1.d; ln -s ../init.d/qmail K30qmail | |
| cd /etc/rc.d/rc2.d; ln -s ../init.d/qmail S30qmail | |
| cd /etc/rc.d/rc3.d; ln -s ../init.d/qmail S80qmail | |
| cd /etc/rc.d/rc6.d; ln -s ../init.d/qmail K30qmail | |
| </code> | |
| Remember to make it executable (755). | |
| |
| Now configure daemontools: | |
| |
| <code> | |
| mkdir -p /var/qmail/supervise/qmail-send/log | |
| mkdir -p /var/qmail/supervise/qmail-smtpd/log | |
| </code> | |
| |
| Create <tt>/var/qmail/supervise/qmail-send/run</tt>:</p> | |
| |
| <code> | |
| #!/bin/sh | |
| ulimit -n 4096 | |
| exec /var/qmail/rc | |
| </code> | |
| |
| Create <tt>/var/qmail/supervise/qmail-send/log/run</tt>: | |
| |
| <code> | |
| #!/bin/sh | |
| exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s999999 /var/log/qmail | |
| </code> | |
| |
| <code> | |
| cp qmail-smtpd.run /var/qmail/supervise/qmail-smtpd/run | |
| </code> | |
| |
| Create <tt>/var/qmail/supervise/qmail-smtpd/log/run</tt>: | |
| |
| <code> | |
| #!/bin/sh | |
| exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s999999 /var/log/qmail/smtpd | |
| </code> | |
| |
| Set the new scripts as executable: | |
| |
| <code> | |
| chmod 755 /var/qmail/supervise/qmail-send/run | |
| chmod 755 /var/qmail/supervise/qmail-send/log/run | |
| chmod 755 /var/qmail/supervise/qmail-smtpd/run | |
| chmod 755 /var/qmail/supervise/qmail-smtpd/log/run | |
| |
| mkdir -p /var/log/qmail/smtpd | |
| chown qmaill /var/log/qmail /var/log/qmail/smtpd | |
| ln -s /etc/service /service | |
| update-service --add /var/qmail/supervise/qmail-send | |
| update-service --add /var/qmail/supervise/qmail-smtpd | |
| start svscan | |
| /etc/init.d/qmail-ldap stop | |
| </code> | |
| |
| <list><ul><li>Set up relay permissions for certain IP's in <tt>/var/qmail/control/qmail-smtpd.cdb</tt>:</li></ul></list> | |
| <code> | |
| 127.0.0.1:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH='' | |
| 192.168.1.:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH='' | |
| :allow,DENYMAIL='DNSCHECK',SMTPAUTH='',RCPTCHECK='' | |
| </code> | |
| From <tt>/var/qmail/control</tt>, run: <tt>make</tt> | |
| |
| |
| Install phpQLAdmin. Make the necessary configuration changes to the config.inc file, including the following:</li></ul></list> | |
| <code> | |
| define('PQL_HOSTMASTER','[email protected]'); | |
| |
| define('PQL_LDAP_BASEDN','ou=qmail, dc=mrzesty, dc=net'); | |
| define('PQL_LDAP_ROOTDN', 'cn=manager, dc=mrzesty, dc=net'); | |
| define('PQL_LDAP_ROOTPW', 'your-manager-password'); | |
| |
| define('PQL_LDAP_CONTROL_USE', false); | |
| </code> | |
| Your PHP must have compiled in ldap support ( <tt>--with-ldap</tt> )! I would also suggest using --with-mhash in your PHP configure, and setting MD5 in define('PQL_PW_HASH','MD5'); so that passwords longer than 8 characters are recognized (and not just truncated to 8 characters). | |
| |
| <list><ul><li>If you're using ReiserFS partitions, you may want to optimze the performance of the partition containing your /var/qmail/queue directory.</li></ul></list> | |
| Add <tt>noatime,nodiratime</tt> to your <tt>/etc/fstab</tt> file. For example: | |
| |
| <pre> | |
| /dev/hda6 /var reiserfs defaults,noatime,nodiratime 0 0 | |
| </pre> | |
| (Of course you'll have to reboot before this takes effect...) You may want to read <uri strref="http://www.jedi.claranet.fr/reiserfs-tuning.html"/> for a more detailed explanation. | |
| |
| <list><ul><li>Unknown to me - you end up with TLS SMTP encryption installed - without even asking! qmail will advertise the capability of receiving encrypted SMTP messages, but it won't work until you set up a server certificate (This one is a self-signed certificate for 10 years - 3650 days):</li></ul></list> | |
| <tt>openssl req -new -x509 -nodes -out /var/qmail/control/cert.pem -days 3650 -keyout /var/qmail/control/cert.pem</tt> | |
| |
| <code> | |
| chmod 640 /var/qmail/control/cert.pem | |
| chown qmaild:qmail /var/qmail/control/cert.pem | |
| </code> | |
| |
| <list><ul><li>Start it up and see if it works! <tt>/etc/init.d/qmail start</tt> Test your TLS installation by sending a test message to [email protected] and look for the return header something like:</li></ul></list> | |
| Received: from unknown (HELO www.TBS-satellite.com) (213.186.35.102) (envelope-sender ) | |
| |
| by 0 (qmail-ldap-1.03) with RC4-SHA encrypted SMTP | |
| |
| ====== virtualdomains (wildcard domain aliasing): ====== | |
| I have an old domain pic.ab.ca - I wanted to set up [email protected] to be automatically rewritten to [email protected] | |
| |
| To do that you must add the domain to the control/rcpthosts file <strong>only!</strong> (not to locals like you would normally do), then create a file called virtualdomains in your qmail/control directory. | |
| <p>Assuming that you set ldaplocaldelivery to 0 (as above), then the line in your virtualdomains file would look like:</p> | |
| <code> | |
| pic.ab.ca:mrzesty | |
| </code> | |
| and create a file called ~alias/.qmail-mrzesty-default that contains: | |
| |
| <code> | |
| | forward ${DEFAULT}@mrzesty.net | |
| </code> | |
| If you left <tt>ldaplocaldelivery</tt> on (1 or no file), then you must specify the user to handle the email aliasing. Your virtualdomains line would be: | |
| |
| <tt>pic.ab.ca:alias-mrzesty</tt> | |
| <p>if you wanted the user 'alias' to handle the direction of the mail. If you wanted a regular user to handle the mail, you could just as easily make it</p><p><tt>pic.ab.ca:ian</tt></p><p>then by creating a ~ian/.qmail-default file, all mail for pic.ab.ca would be directed through the instructions in ~ian/.qmail-default</p> | |
| |
| ====== SMTP_AUTH: ====== | |
| <uri strref="http://www.lifewithqmail.org/ldap/#SMTP%20AUTH"/> | |
| |
| If you get: | |
| <p> <tt>421 out of memory (#4.3.0)</tt></p><p>You need to check the permissions on /var/qmail/bin/auth_smtp! auth_smtp must be executable by qmaild. Try a chmod 755 /var/qmail/bin/auth_smtp</p> | |
| <code> | |
| telnet localhost 25 | |
| Trying 127.0.0.1... | |
| Connected to 127.0.0.1. | |
| Escape character is '^]'. | |
| 220 mail.mrzesty.net ESMTP | |
| helo mrzesty.net | |
| 250 mail.mrzesty.net | |
| auth plain | |
| 421 out of memory (#4.3.0) | |
| 535 auth failure | |
| quit | |
| </code> | |
| |
| If you want to test smtp-auth and 'auth login' you will need to generate base64 encoded versions of your username and password (I'm using PHP here): | |
| |
| <code> | |
| echo '<?php print base64_encode('ian').'\n'; ?>' | php | |
| aWFu | |
| |
| echo '<?php print base64_encode('password').'\n'; ?>' | php | |
| cGFzc3dvcmQ= | |
| </code> | |
| ... then supply when prompted by VXNlcm5hbWU6 (Username:) and UGFzc3dvcmQ6 (Password:) | |
| |
| <code> | |
| telnet localhost 25 | |
| Trying 127.0.0.1... | |
| Connected to 127.0.0.1. | |
| Escape character is '^]'. | |
| 220 mail.mrzesty.net ESMTP | |
| helo mrzesty.net | |
| 250 mail.mrzesty.net | |
| auth login | |
| 334 VXNlcm5hbWU6 | |
| aWFu | |
| 334 UGFzc3dvcmQ6 | |
| cGFzc3dvcmQ= | |
| 235 go ahead | |
| rset | |
| 250 flushed | |
| quit | |
| </code> | |
| If you authenticate successfully, you will see '235 go ahead'. | |
| |
| ====== ezmlm: ====== | |
| I would suggest getting the ezmlm-idx patch <uri strref="http://ezmlm.org/,"/> it has a lot more features and the ability to use MySQL or PostreSQL for the list storage. | |
| |
| To add a footer to each message sent to the list for regular ezmlm-0.53, edit the ~user/maillist/editor file and add: | |
| <p><tt>| cat - /var/qmail/alias/maillist/text/footer</tt> to the beginning of the ezmlm-send line.</p><p>For example:</p> | |
| <code> | |
| |/usr/local/bin/ezmlm/ezmlm-reject | |
| | cat - /var/qmail/alias/maillist/text/footer |/usr/local/bin/ezmlm/ezmlm-send '/var/qmail/alias/maillist' | |
| |/usr/local/bin/ezmlm/ezmlm-warn '/var/qmail/alias/maillist' || exit 0 | |
| </code> | |
| Then create the /var/qmail/alias/maillist/text/footer file with instructions or notes about the mailing list. | |
| |
| ====== OpenLDAP Replication notes: ====== | |
| Add the following to the primary openldap server's slapd.conf: | |
| |
| replogfile /usr/local/var/openldap-slurp/slurpd.replog | |
| <p>replica host=ldap2.mrzesty.net:389 binddn='cn=manager,dc=mrzesty,dc=net' bindmethod=simple credentials=managers-password</p><p>Add the following two lines to the slave's slapd.conf:</p><p>updatedn 'cn=manager,dc=mrzesty,dc=net'</p><p>updateref ldap://ldap1.mrzesty.net</p><p>Start slapd and slurpd on the primary ldap server, and start slapd on the secondary. If you already have data in the ldap database - you should manually copy the /usr/local/var/openldap-ldbm directory and its files to the slave server - before starting slapd and slurpd.</p> | |
| |
