This documentation is for Dovecot v1.x, see wiki2 for v2.x documentation.

Dovecot + Postfix + OpenLDAP

Please Note: Until this message is removed, treat this as a draft and therefore may contain errors ore spooling mostakaes!

Here is an overview of what the configuration offers you:

LDAP - Requirements

I use some attributes from the qmail ldap schema, which can be found under http://www.qmail-ldap.org/wiki/index.php/Qmail.schema

Each domain takes the following structure; for example, eldiablo.org would look like this:

# Domain entry (constructed example: eldiablo.org). The domain part of a
# login (%d in the dovecot-ldap.* files) is matched against this ou.
dn: ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
ou: eldiablo.org
objectClass: top
objectClass: organizationalUnit
objectClass: qmailUser
mail: eldiablo.org
# Domain-wide on/off switch: the deny passdb rejects every login for this
# domain as soon as this is set to "no".
accountStatus: yes
# Operational attribute; presumably present because this is a search dump,
# it is not normally supplied when adding the entry.
structuralObjectClass: organizationalUnit

Each user within a domain takes the following structure (eg: dovecot@eldiablo.org):

# User entry (constructed example: dovecot@eldiablo.org). The pass and user
# lookups address it directly as cn=%n,ou=%d,..., so cn must equal the local
# part of the login and the parent ou the domain.
dn: cn=dovecot,ou=eldiablo.org,ou=domains,dc=ldap,dc=dit
cn: dovecot
mail: dovecot@eldiablo.org
sn: dovecot
objectClass: inetOrgPerson
objectClass: qmailUser
objectClass: top
# Operational attribute; presumably present because this is a search dump.
structuralObjectClass: inetOrgPerson
# Per-user enable switch, required to be "yes" by both pass_filter and user_filter.
accountStatus: yes
# Returned to Dovecot as the user's home directory (user_attrs in dovecot-ldap.user).
mailMessageStore: /home/vmail/eldiablo.org/dovecot
# Substituted into quota_rule=*:storage=%$ (an unsuffixed Dovecot storage
# value is in kilobytes — confirm this is the intended unit).
mailQuotaSize: 512
# One value per service the user may use; pass_filter matches it against %Ls.
deliveryMode: pop3
deliveryMode: imap
# Placeholder. Because the pass lookup binds as this entry (auth_bind = yes),
# the directory does the comparison, so a hashed value (e.g. {SSHA}) works here.
userPassword: SECRET

Using a deny db to control domains

As we want to be able to easily disable all services for any domain if required (for example, a client who is very late paying), and yet be able to re-establish service just as easily, we use a deny db. All we actually do here is check the domain part of the login.

/etc/dovecot-ldap.deny

# Deny passdb (used with deny = yes in dovecot.conf): if this lookup finds an
# entry, the login is rejected before any bind is attempted.
hosts = 127.0.0.1:389
sasl_bind = no
# Plain search, no bind with the user's credentials. No dn/dnpass is given,
# so presumably an anonymous read of the domain entry must be allowed — verify the ACLs.
auth_bind = no
ldap_version = 3
deref = never
# Only the domain part of the login (%d) is consulted.
base = ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
# Matches (and therefore denies) only when the domain's accountStatus is "no".
# A domain whose entry is missing or has no accountStatus is not denied here;
# it simply falls through to the bind lookup.
pass_filter = (accountStatus=no)
pass_attrs = (none)

Authing the logins

We attempt to bind with the username and password provided by the client. The filter additionally checks that the user's account is enabled and that the requested service (ie: IMAP or POP3) is permitted for them.

/etc/dovecot-ldap.pass

# Pass lookup: the client's own username and password are used for the LDAP bind.
hosts = 127.0.0.1:389
sasl_bind = no
# Bind as the user's DN with the supplied password; the directory verifies it.
# NOTE(review): no auth_bind_userdn and no dn/dnpass are set, so Dovecot first
# has to search for the entry with pass_filter — confirm that search is permitted.
auth_bind = yes
ldap_version = 3
deref = never
# %n = local part, %d = domain of the (lower-cased) login.
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
# The entry must be enabled and list the service being logged into
# (%Ls = lower-cased service name, e.g. imap or pop3) in deliveryMode.
pass_filter = (&(accountStatus=yes)(deliveryMode=%Ls))
# Fixed uid/gid; the same values are used in dovecot-ldap.user and dovecot.conf.
user_global_uid = 10000
user_global_gid = 10000

Users information

When we require information about a given user, we check that their account is active and, if so, get their quota size and home directory. Their uid and gid are fixed.

/etc/dovecot-ldap.user

# Userdb lookup: home directory and quota for an enabled user; uid/gid are fixed.
hosts = 127.0.0.1:389
sasl_bind = no
# Plain search (no dn/dnpass given, so presumably anonymous — verify the ACLs).
auth_bind = no
ldap_version = 3
deref = never
# Same per-user DN as the pass lookup.
base = cn=%n,ou=%d,ou=domains,dc=ldap,dc=dit
scope = base
# Disabled accounts get no userdb result at all.
user_filter = (accountStatus=yes)
# Every user runs as the single vmail uid/gid 10000.
user_global_uid = 10000
user_global_gid = 10000
# mailMessageStore becomes the home directory; mailQuotaSize is substituted
# for %$ in the quota_rule, so the limit is per user.
user_attrs = mailMessageStore=home,mailQuotaSize=quota_rule=*:storage=%$

/etc/dovecot.conf

# /etc/dovecot.conf (Dovecot v1.x): two LDAP passdbs (deny check, then bind
# as the user), one LDAP userdb, a single fixed uid/gid, maildir quota.
shutdown_clients = yes
# NOTE(review): TLS is off and plaintext auth is allowed below, so PLAIN/LOGIN
# credentials are only protected on listeners that never leave the host.
ssl_disable = yes
base_dir = /var/run/dovecot/
protocols = imap pop3
# Global default: all interfaces. Only imap overrides it below; pop3 inherits
# it — presumably intended, but confirm given ssl_disable = yes.
listen = [::]
protocol imap {
        # Loopback only, unlike the global listen above.
        listen = 127.0.0.1:143
        mail_plugins = quota imap_quota
        login_executable = /usr/libexec/dovecot/imap-login
        mail_executable = /usr/libexec/dovecot/imap
}
protocol pop3 {
        # No listen override here, so pop3 binds to the global [::].
        mail_plugins = quota
        login_executable = /usr/libexec/dovecot/pop3-login
        mail_executable = /usr/libexec/dovecot/pop3
        pop3_no_flag_updates = yes
        pop3_reuse_xuidl = no
        pop3_lock_session = no
        pop3_uidl_format = %08Xu%08Xv
        pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s
        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
        # FQDN is a placeholder; replace with the host's real name.
        postmaster_address = postmaster@FQDN
        hostname = FQDN
        sendmail_path = /usr/sbin/sendmail
        # deliver does its userdb lookups over the master socket defined in auth default.
        auth_socket_path = /var/run/dovecot/auth-master
        mail_plugins = quota
}
# Presumably relied on because imap listens on loopback only; revisit if any
# listener becomes reachable remotely.
disable_plaintext_auth = no
log_timestamp = "%b %d %H:%M:%S "
syslog_facility = mail
login_dir = /var/run/dovecot/login
# Login processes run chrooted as the unprivileged dovecot user, one per connection.
login_chroot = yes
login_user = dovecot
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 16
login_max_processes_count = 128
login_max_connections = 256
login_greeting = Dovecot ready.
login_log_format_elements = user=<%u> rip=%r %c
login_log_format = %$: %s
# Default location; the userdb also returns home = mailMessageStore.
mail_location = maildir:/home/vmail/%d/%n/
mail_full_filesystem_access = no
mail_debug = no
mail_log_prefix = "%Us(%u): "
mail_read_mmaped = no
lock_method = fcntl
mail_drop_priv_before_exec = no
verbose_proctitle = no
# Only uid/gid 10000 is accepted, matching user_global_uid/gid in the
# dovecot-ldap.* files: every mailbox is owned by that single vmail identity.
first_valid_uid = 10000
last_valid_uid = 10000
first_valid_gid = 10000
last_valid_gid = 10000
max_mail_processes = 1024
mail_process_size = 256
mail_max_keyword_length = 50
# New mail files and directories are private to the vmail user.
umask = 0077
# NOTE(review): "/" permits chrooting mail processes into any directory;
# narrow this if chroot is actually used in this setup.
valid_chroot_dirs = /
mbox_read_locks = fcntl
mbox_write_locks = fcntl
mbox_lock_timeout = 300
mbox_dotlock_change_timeout = 120
mbox_dirty_syncs = yes
auth_executable = /usr/libexec/dovecot/dovecot-auth
auth_process_size = 256
# Characters a login name may contain; anything else is rejected before the
# name is expanded into the LDAP base DNs (%n/%d) in the dovecot-ldap.* files.
auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Lower-case the login name before the lookups.
auth_username_format = %Lu
auth_verbose = no
auth_debug = no
# Keep off outside debugging: it writes the passwords themselves to the log.
auth_debug_passwords = no
auth default {
        # Both mechanisms send the password in the clear; see ssl_disable above.
        mechanisms = plain login
        # Checked first: a match (domain with accountStatus=no) rejects the login.
        passdb ldap {
                args = /etc/dovecot-ldap.deny
                deny = yes
        }
        # Actual authentication: bind to LDAP as the user's DN.
        passdb ldap {
                args = /etc/dovecot-ldap.pass
        }
        # Home directory and quota for the authenticated user.
        userdb ldap {
                args = /etc/dovecot-ldap.user
        }
        auth_user = nobody
        count = 1
        ssl_require_client_cert = no
        ssl_username_from_cert = no
        socket listen {
                # Master socket (userdb lookups) for deliver, which runs as vmail.
                master {
                        path = /var/run/dovecot/auth-master
                        mode = 0660
                        user = vmail
                        group = vmail
                }
                # Client socket, presumably consumed by Postfix for SMTP AUTH (user/group postfix).
                client {
                        path = /var/run/dovecot/auth-client
                        # NOTE(review): 0666 makes the socket usable by every local
                        # account; with user/group already postfix, 0660 should do.
                        mode = 0666
                        user = postfix
                        group = postfix
                }
        }
}
plugin {
        # Quota backend; the limit itself comes from the userdb's quota_rule.
        quota = maildir
}

If you have any questions, feel free to ask [diablo] in #dovecot

HowTo/LDAPdiablo (last edited 2010-09-06 16:23:05 by TimoSirainen)