====== qmail-ldap Installation ======

You will need to get the following software:

  * qmail http://cr.yp.to/software/qmail-1.03.tar.gz
  * qmail-ldap patch http://www.nrg4u.com/qmail

From your distro install slapd (openldap), phpldapadmin, daemontools-run, and ucspi-tcp-ipv6.

Optional:

  * [[#ezmlm|ezmlm notes]] - mailing list manager (requires the dash-trick patch if you plan to set up LDAP users to have mailing lists, rather than just real users)

Untar qmail, and apply the current qmail-ldap patch:

<code>
tar xvzf qmail-1.03.tar.gz
cd qmail-1.03; gzip -dc ../qmail-ldap-1.03-xxxxxxxx.patch.gz | patch -p1
</code>
You will need to edit the qmail-1.03/Makefile and make sure that the definitions at the top are correct. Especially make sure the entries

<code>
MDIRMAKE=-DAUTOMAILDIRMAKE
HDIRMAKE=-DAUTOHOMEDIRMAKE
</code>

are uncommented!

Edit /usr/local/etc/openldap/ldap.conf and set your BASE dn:

<code>
BASE dc=mrzesty, dc=net
</code>

Copy qmail-1.03/qmail.schema to /usr/local/etc/openldap/schema and add the following 3 lines to /usr/local/etc/openldap/slapd.conf after the first include line:

<code>
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
</code>

Create the vmail user and group that will own the message store:

<code>
/usr/sbin/groupadd -g 200 vmail
/usr/sbin/useradd -u 200 -g vmail -d /var/qmail/maildirs -m -k /dev/null -s /bin/true -c 'qmail vmail user' vmail
</code>

Then create the qmail users and groups:
^ User ^ Primary Group ^ Home Directory ^ Shell ^
| alias | nofiles | /var/qmail/alias | /usr/bin/true |
| qmaild | nofiles | /var/qmail | /usr/bin/true |
| qmaill | nofiles | /var/qmail | /usr/bin/true |
| qmailp | nofiles | /var/qmail | /usr/bin/true |
| qmailq | qmail | /var/qmail | /usr/bin/true |
| qmailr | qmail | /var/qmail | /usr/bin/true |
| qmails | qmail | /var/qmail | /usr/bin/true |
or you can look at the file INSTALL.ids for commands for your O/S. For linux I use:

<code>
/usr/sbin/groupadd -g 201 nofiles
/usr/sbin/groupadd -g 202 qmail
/usr/sbin/useradd -u 201 -g nofiles -d /var/qmail/alias -m -k /dev/null -s /bin/true -c 'qmail server' alias
/usr/sbin/useradd -u 202 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmaild
/usr/sbin/useradd -u 203 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmaill
/usr/sbin/useradd -u 204 -g nofiles -d /var/qmail -s /bin/true -c 'qmail server' qmailp
/usr/sbin/useradd -u 205 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmailq
/usr/sbin/useradd -u 206 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmailr
/usr/sbin/useradd -u 207 -g qmail -d /var/qmail -s /bin/true -c 'qmail server' qmails
</code>

Create an LDIF file (qmail-ldap.ldif) with the base entries:

<code>
dn: dc=MrZesty,dc=net
objectclass: dcObject
objectclass: organization
o: MrZesty dot Net
dc: MrZesty

dn: cn=Manager,dc=MrZesty,dc=net
objectclass: organizationalRole
cn: Manager

dn: ou=qmail, dc=MrZesty, dc=net
objectclass: top
objectclass: organizationalUnit
ou: qmail
</code>

Now load the ldif file into the LDAP directory:

<code>
ldapadd -vxc -h localhost -D 'cn=manager,dc=mrzesty,dc=net' -w managers_password -f qmail-ldap.ldif
</code>

Build and install qmail, then write the control files:

<code>
make setup check
./config-fast mail.mrzesty.net
echo 'localhost' > /var/qmail/control/ldapserver
echo 'ou=qmail, dc=mrzesty, dc=net' > /var/qmail/control/ldapbasedn
echo `id -u vmail` > /var/qmail/control/ldapuid
echo `id -g vmail` > /var/qmail/control/ldapgid
echo '/var/qmail/maildirs' > /var/qmail/control/ldapmessagestore
echo '20000000' > /var/qmail/control/defaultquotasize
echo 'You are near your quota for email. You will need to delete some messages from the server.' > /var/qmail/control/quotawarning
echo 5 > /var/qmail/control/tarpitcount
echo '/var/qmail/bin/dirmaker.sh' > /var/qmail/control/dirmaker
echo 'mrzesty.net' > /var/qmail/control/defaulthost
echo 0 > /var/qmail/control/ldaplocaldelivery
</code>

Install the dirmaker script and set up the system aliases:

<code>
cp dirmaker /var/qmail/bin/
chmod 755 /var/qmail/bin/dirmaker
echo 'qmail@MrZesty.net' > ~alias/.qmail-postmaster; chmod 644 ~alias/.qmail-postmaster
echo '|cat /dev/null' > ~alias/.qmail-mailer-daemon; chmod 644 ~alias/.qmail-mailer-daemon
echo 'qmail@MrZesty.net' > ~alias/.qmail-root; chmod 644 ~alias/.qmail-root
echo 'qmail@MrZesty.net' > ~alias/.qmail-abuse; chmod 644 ~alias/.qmail-abuse
</code>

Install the startup script and its runlevel links:

<code>
cp qmail.run /var/qmail/rc
chmod 755 /var/qmail/rc
cd /etc/rc.d/init.d; ln -s /var/qmail/bin/qmailctl qmail
cd /etc/rc.d/rc0.d; ln -s ../init.d/qmail K30qmail
cd /etc/rc.d/rc1.d; ln -s ../init.d/qmail K30qmail
cd /etc/rc.d/rc2.d; ln -s ../init.d/qmail S30qmail
cd /etc/rc.d/rc3.d; ln -s ../init.d/qmail S80qmail
cd /etc/rc.d/rc6.d; ln -s ../init.d/qmail K30qmail
</code>

Remember to make it executable (755).

Now configure daemontools:

<code>
mkdir -p /var/qmail/supervise/qmail-send/log
mkdir -p /var/qmail/supervise/qmail-smtpd/log
</code>

Create /var/qmail/supervise/qmail-send/run:

<code>
#!/bin/sh
ulimit -n 4096
exec /var/qmail/rc
</code>

Create /var/qmail/supervise/qmail-send/log/run:

<code>
#!/bin/sh
exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s999999 /var/log/qmail
</code>

Install the smtpd run script:

<code>
cp qmail-smtpd.run /var/qmail/supervise/qmail-smtpd/run
</code>

Create /var/qmail/supervise/qmail-smtpd/log/run:

<code>
#!/bin/sh
exec /usr/bin/setuidgid qmaill /usr/bin/multilog t s999999 /var/log/qmail/smtpd
</code>

Set the new scripts as executable, create the log directories, and register the services:

<code>
chmod 755 /var/qmail/supervise/qmail-send/run
chmod 755 /var/qmail/supervise/qmail-send/log/run
chmod 755 /var/qmail/supervise/qmail-smtpd/run
chmod 755 /var/qmail/supervise/qmail-smtpd/log/run
mkdir -p /var/log/qmail/smtpd
chown qmaill /var/log/qmail /var/log/qmail/smtpd
ln -s /etc/service /service
update-service --add /var/qmail/supervise/qmail-send
update-service --add /var/qmail/supervise/qmail-smtpd
</code>

Start svscan, then:

<code>
/etc/init.d/qmail-ldap stop
</code>

Set up the tcpserver access rules. These are the ones I use (RELAYCLIENT is only set for localhost and the 192.168.1. network; everyone else gets the DNS check and recipient check):

<code>
127.0.0.1:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH=''
192.168.1.:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH=''
:allow,DENYMAIL='DNSCHECK',SMTPAUTH='',RCPTCHECK=''
</code>

From /var/qmail/control, run:

<code>
make
</code>

Add noatime,nodiratime to your /etc/fstab file. For example:

<code>
/dev/hda6       /var        reiserfs        defaults,noatime,nodiratime   0   0
</code>
(Of course you'll have to reboot before this takes effect...) You may want to read for a more detailed explanation.
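The three tcpserver rules above are what decide who may relay through this server, which is the setting that turns a mail server into an open relay when it goes wrong. The following Python is an added example, not part of this page or of ucspi-tcp: it parses the page's rule lines (embedded as a constructed string) and applies tcprules' precedence (exact address, then longest dotted prefix, then the empty-address catch-all) to show which clients get RELAYCLIENT. Host-name and range patterns are not modelled, and `relay_scope` is an audit helper of my own, not a tcprules feature.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the three tcpserver rules from this page.
SAMPLE_RULES = """\
127.0.0.1:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH=''
192.168.1.:allow,RELAYCLIENT='',RBLSMTPD='',SMTPAUTH=''
:allow,DENYMAIL='DNSCHECK',SMTPAUTH='',RCPTCHECK=''
"""

# (address pattern, "allow" or "deny", environment the rule sets)
Rule = Tuple[str, str, Dict[str, str]]


def parse_rules(text: str) -> List[Rule]:
    """Parse tcprules source lines of the form  addr:action,VAR='value',..."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, rest = line.partition(":")
        action, _, envpart = rest.partition(",")
        env = {m.group(1): m.group(2)
               for m in re.finditer(r"([A-Za-z_][A-Za-z0-9_]*)='([^']*)'", envpart)}
        rules.append((addr, action, env))
    return rules


def match(rules: List[Rule], ip: str) -> Optional[Rule]:
    """Pick the rule that applies to a connecting IP, in tcprules precedence:
    an exact address wins, then the longest dotted prefix (the trailing dot is
    significant: '192.168.1.' does not cover 192.168.10.x), then the catch-all
    rule with an empty address.  Host-name and range patterns are not modelled."""
    best: Optional[Rule] = None
    best_score = -1
    for rule in rules:
        addr = rule[0]
        if addr == ip:
            score = 1000                      # exact match beats everything
        elif addr.endswith(".") and ip.startswith(addr):
            score = len(addr)                 # a longer prefix is more specific
        elif addr == "":
            score = 0                         # catch-all
        else:
            continue
        if score > best_score:
            best, best_score = rule, score
    return best


def decide(rules: List[Rule], ip: str) -> Tuple[str, Dict[str, str]]:
    """Return (action, env) for ip.  The page's ruleset always matches via the
    catch-all, so a miss here means the rule file lost its ':allow,...' line."""
    rule = match(rules, ip)
    if rule is None:
        raise LookupError(f"no tcprules entry matches {ip}")
    return rule[1], rule[2]


def can_relay(rules: List[Rule], ip: str) -> bool:
    """RELAYCLIENT in the environment means qmail-smtpd relays for that client."""
    action, env = decide(rules, ip)
    return action == "allow" and "RELAYCLIENT" in env


def relay_scope(rules: List[Rule]) -> List[str]:
    """Audit helper: every address pattern that grants relaying.  An empty
    string in this list would mean the catch-all relays for the whole world."""
    return [addr for addr, action, env in rules
            if action == "allow" and "RELAYCLIENT" in env]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for ip in ("127.0.0.1", "192.168.1.77", "192.168.10.5", "203.0.113.9"):
        print(ip, decide(rules, ip))
    print("relay granted to:", relay_scope(rules))
```

Run it and the 192.168.10.5 line shows why the trailing dot in 192.168.1. matters; if `relay_scope` ever lists an empty address, the catch-all rule has started relaying for everyone.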
  * Unknown to me - you end up with TLS SMTP encryption installed - without even asking! qmail will advertise the capability of receiving encrypted SMTP messages, but it won't work until you set up a server certificate (this one is a self-signed certificate for 10 years - 3650 days):

<code>
openssl req -new -x509 -nodes -out /var/qmail/control/cert.pem -days 3650 -keyout /var/qmail/control/cert.pem
chmod 640 /var/qmail/control/cert.pem
chown qmaild:qmail /var/qmail/control/cert.pem
</code>
  * Start it up and see if it works!

<code>
/etc/init.d/qmail start
</code>

Test your TLS installation by sending a test message to tag-ping@tbs-internet.com and look for a return header something like:

<code>
Received: from unknown (HELO www.TBS-satellite.com) (213.186.35.102) (envelope-sender ) by 0 (qmail-ldap-1.03) with RC4-SHA encrypted SMTP
</code>

====== virtualdomains (wildcard domain aliasing): ======

I have an old domain pic.ab.ca - I wanted to set up anything@pic.ab.ca to be automatically rewritten to sameuser@MrZesty.net. To do that you must add the domain to the control/rcpthosts file only! (not to locals like you would normally do), then create a file called virtualdomains in your qmail/control directory.

Assuming that you set ldaplocaldelivery to 0 (as above), then the line in your virtualdomains file would look like:

<code>
pic.ab.ca:mrzesty
</code>

and create a file called ~alias/.qmail-mrzesty-default that contains:

<code>
| forward ${DEFAULT}@mrzesty.net
</code>

If you left ldaplocaldelivery on (1 or no file), then you must specify the user to handle the email aliasing. Your virtualdomains line would be:

<code>
pic.ab.ca:alias-mrzesty
</code>

if you wanted the user 'alias' to handle the direction of the mail. If you wanted a regular user to handle the mail, you could just as easily make it

<code>
pic.ab.ca:ian
</code>

then by creating a ~ian/.qmail-default file, all mail for pic.ab.ca would be directed through the instructions in ~ian/.qmail-default
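To see how the three virtualdomains layouts in this section route a message, here is an added Python model (not code from the page or from qmail) of the steps involved: the virtualdomains prepend, qmail-lspawn's search for the owning user by stripping dashed extensions from the right, and qmail-local's .qmail-ext / .qmail-prefix-default / .qmail-default lookup with DEFAULT set. The control file, the dot-qmail files and the user list are constructed inside the script; routing a prepend with no matching system user through ~alias is an assumption that mirrors the ldaplocaldelivery=0 case described above, not qmail-ldap's actual lookup code.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed control/virtualdomains and dot-qmail files standing in for the
# real filesystem; they mirror the layouts described on this page.
VIRTUALDOMAINS = "pic.ab.ca:mrzesty\n"
DOT_QMAIL = {
    "/var/qmail/alias/.qmail-mrzesty-default": "| forward ${DEFAULT}@mrzesty.net\n",
    "/home/ian/.qmail-default": "| forward ${DEFAULT}@mrzesty.net\n",
}
# Constructed system users and their home directories (hypothetical).
USERS = {"alias": "/var/qmail/alias", "ian": "/home/ian"}


def parse_virtualdomains(text: str) -> Dict[str, str]:
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domain, _, prepend = line.partition(":")
            table[domain.lower()] = prepend
    return table


def rewrite(table: Dict[str, str], recipient: str) -> Optional[str]:
    """qmail-send's virtualdomains step: user@domain turns into the local
    address '<prepend>-<user>' when domain is listed; None means not ours."""
    user, _, domain = recipient.rpartition("@")
    prepend = table.get(domain.lower())
    return None if prepend is None else f"{prepend}-{user}"


def find_owner(local: str, users: Dict[str, str]) -> Tuple[str, str]:
    """qmail-lspawn/qmail-getpw without users/assign: try the whole local part
    as a user name, then strip '-ext' pieces from the right until a user
    exists.  Returns (user, extension).  With ldaplocaldelivery set to 0 the
    page routes addresses with no matching user through ~alias, which is what
    the fallback below assumes."""
    parts = local.split("-")
    for i in range(len(parts), 0, -1):
        name = "-".join(parts[:i])
        if name in users:
            return name, "-".join(parts[i:])
    return "alias", local  # assumption: the page's ldaplocaldelivery=0 layout


def resolve_dot_qmail(home: str, ext: str,
                      files: Dict[str, str]) -> Tuple[Optional[str], Dict[str, str]]:
    """qmail-local's lookup for an extension: .qmail-<ext>, then
    .qmail-<prefix>-default from the longest prefix down, then .qmail-default.
    DEFAULT is whatever the '-default' part stood in for."""
    if ext == "":
        path = f"{home}/.qmail"
        return (path, {}) if path in files else (None, {})
    path = f"{home}/.qmail-{ext}"
    if path in files:
        return path, {}
    parts = ext.split("-")
    for i in range(len(parts) - 1, 0, -1):
        path = f"{home}/.qmail-{'-'.join(parts[:i])}-default"
        if path in files:
            return path, {"DEFAULT": "-".join(parts[i:])}
    path = f"{home}/.qmail-default"
    return (path, {"DEFAULT": ext}) if path in files else (None, {})


def expand(path: str, env: Dict[str, str], files: Dict[str, str]) -> str:
    """Substitute ${VAR} in the dot-qmail command line as the shell would."""
    return re.sub(r"\$\{(\w+)\}", lambda m: env.get(m.group(1), ""), files[path].strip())


def deliver(recipient: str, vdoms: str = VIRTUALDOMAINS) -> Optional[Tuple[str, str, Optional[str]]]:
    """Trace a recipient through virtualdomains -> owner -> dot-qmail.
    Returns (local address, owning user, expanded command), or None when the
    domain is not virtual; the command is None when no dot-qmail file matches."""
    local = rewrite(parse_virtualdomains(vdoms), recipient)
    if local is None:
        return None
    owner, ext = find_owner(local, USERS)
    path, env = resolve_dot_qmail(USERS[owner], ext, DOT_QMAIL)
    return local, owner, (None if path is None else expand(path, env, DOT_QMAIL))


if __name__ == "__main__":
    for vd in ("pic.ab.ca:mrzesty", "pic.ab.ca:alias-mrzesty", "pic.ab.ca:ian"):
        print(vd, "->", deliver("bob@pic.ab.ca", vd))
    print("other domain ->", deliver("bob@example.net"))
```

All three layouts end in the same `| forward bob@mrzesty.net` command; the difference is only which user's dot-qmail files do the work, which is what decides whose permissions the forwarding runs under.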

====== SMTP_AUTH: ======

If you get:

<code>
421 out of memory (#4.3.0)
</code>

you need to check the permissions on /var/qmail/bin/auth_smtp! auth_smtp must be executable by qmaild. Try:

<code>
chmod 755 /var/qmail/bin/auth_smtp
</code>
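The exchange below is an added Python example (not from the page) that runs the same AUTH LOGIN session as the telnet transcripts in this section against a scripted stand-in for qmail-smtpd, so it works offline: it builds the base64 tokens, decodes the 334 challenges, and reports the 421 case as the auth_smtp permission problem described above. `auth_smtp_executable` and `demo_permission_check` are helpers of my own that exercise the page's chmod 755 fix on a temporary file; the two transcripts embedded at the top are copied from this page.

```python
import base64
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed server transcripts, copied from the two telnet sessions on this
# page (the failing one shows the 421 that a non-executable auth_smtp causes).
GOOD_TRANSCRIPT = ["220 mail.mrzesty.net ESMTP", "250 mail.mrzesty.net",
                   "334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6", "235 go ahead"]
BAD_TRANSCRIPT = ["220 mail.mrzesty.net ESMTP", "250 mail.mrzesty.net",
                  "421 out of memory (#4.3.0)"]


def auth_login_tokens(user: str, password: str) -> Tuple[str, str]:
    """The two base64 strings AUTH LOGIN expects in answer to its challenges."""
    return (base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def auth_plain_token(user: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN sends everything in one token: authzid NUL user NUL password
    (RFC 4616).  Base64 is an encoding, not encryption: both mechanisms hand
    the password to anyone on the path unless the session is under STARTTLS."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def decode_challenge(line: str) -> str:
    """Turn a '334 <base64>' server line back into its prompt text."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"not a SASL challenge: {line!r}")
    return base64.b64decode(payload).decode()


class ScriptedServer:
    """Stand-in for qmail-smtpd that replays a fixed list of replies and
    records what the client sent, so the exchange can run offline."""
    def __init__(self, replies: List[str]):
        self.replies = list(replies)
        self.sent: List[str] = []

    def send(self, line: str) -> None:
        self.sent.append(line)

    def recv(self) -> str:
        return self.replies.pop(0)


def run_auth_login(server: ScriptedServer, user: str, password: str) -> Tuple[bool, str]:
    """Drive AUTH LOGIN exactly as the telnet session on this page does and
    report (success, last server line or a diagnosis)."""
    server.recv()                                   # 220 banner
    server.send("helo mrzesty.net")
    server.recv()                                   # 250
    server.send("auth login")
    reply = server.recv()
    if reply.startswith("421"):
        return False, ("smtpd answered 421 to AUTH: check that "
                       "/var/qmail/bin/auth_smtp is executable by qmaild")
    for token, prompt in zip(auth_login_tokens(user, password), ("Username:", "Password:")):
        if decode_challenge(reply) != prompt:
            return False, f"unexpected challenge {reply!r}"
        server.send(token)
        reply = server.recv()
    server.send("quit")
    return reply.startswith("235"), reply


def auth_smtp_executable(path: str) -> bool:
    """The page's fix for the 421 is chmod 755: qmaild is neither the owner
    nor (usually) in the owning group, so the 'other' execute bit must be set."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def demo_permission_check() -> Tuple[bool, bool]:
    """Run the check on a temporary stand-in for auth_smtp: first with a mode
    that triggers the 421, then after the chmod 755 the page suggests."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = auth_smtp_executable(path)
        os.chmod(path, 0o755)
        after = auth_smtp_executable(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(run_auth_login(ScriptedServer(GOOD_TRANSCRIPT), "ian", "password"))
    print(run_auth_login(ScriptedServer(BAD_TRANSCRIPT), "ian", "password"))
    print("auth_smtp executable before/after chmod 755:", demo_permission_check())
```

Because AUTH LOGIN and AUTH PLAIN only base64-encode the password, do the real test over the TLS session the certificate step above enables rather than over plain port 25 across a network.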

A failing session looks like this:

<code>
telnet localhost 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.mrzesty.net ESMTP
helo mrzesty.net
250 mail.mrzesty.net
auth plain
421 out of memory (#4.3.0)
535 auth failure
quit
</code>

If you want to test smtp-auth and 'auth login' you will need to generate base64 encoded versions of your username and password (I'm using PHP here):

<code>
echo '<?php echo base64_encode("ian"); ?>' | php
aWFu
echo '<?php echo base64_encode("password"); ?>' | php
cGFzc3dvcmQ=
</code>

... then supply them when prompted by VXNlcm5hbWU6 (Username:) and UGFzc3dvcmQ6 (Password:):

<code>
telnet localhost 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.mrzesty.net ESMTP
helo mrzesty.net
250 mail.mrzesty.net
auth login
334 VXNlcm5hbWU6
aWFu
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 go ahead
rset
250 flushed
quit
</code>

If you authenticate successfully, you will see '235 go ahead'.

====== ezmlm: ======

I would suggest getting the ezmlm-idx patch; it has a lot more features and the ability to use MySQL or PostgreSQL for the list storage.

To add a footer to each message sent to the list for regular ezmlm-0.53, edit the ~user/maillist/editor file and add:

<code>
| cat - /var/qmail/alias/maillist/text/footer
</code>

to the beginning of the ezmlm-send line.

For example:

<code>
|/usr/local/bin/ezmlm/ezmlm-reject
| cat - /var/qmail/alias/maillist/text/footer |/usr/local/bin/ezmlm/ezmlm-send '/var/qmail/alias/maillist'
|/usr/local/bin/ezmlm/ezmlm-warn '/var/qmail/alias/maillist' || exit 0
</code>

Then create the /var/qmail/alias/maillist/text/footer file with instructions or notes about the mailing list.

====== OpenLDAP Replication notes: ======

Add the following to the primary openldap server's slapd.conf:

<code>
replogfile /usr/local/var/openldap-slurp/slurpd.replog
replica host=ldap2.mrzesty.net:389 binddn='cn=manager,dc=mrzesty,dc=net' bindmethod=simple credentials=managers-password
</code>

Add the following two lines to the slave's slapd.conf:

<code>
updatedn 'cn=manager,dc=mrzesty,dc=net'
updateref ldap://ldap1.mrzesty.net
</code>

Start slapd and slurpd on the primary ldap server, and start slapd on the secondary. If you already have data in the ldap database, you should manually copy the /usr/local/var/openldap-ldbm directory and its files to the slave server before starting slapd and slurpd.