Revision size: 21629 -> 21595
Revision comment: Dovecot shouldn't need mail group access with maildirs
Line 491, removed in this revision: mail_extra_groups = mail
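Review bot: dropping mail_extra_groups = mail at line 491 is only safe because this setup already gives every mail process the mail group as its primary GID (user_global_gid = 8 in dovecot-ldap.conf, first_valid_gid = 8 and last_valid_gid = 8 in dovecot.conf); the revision comment cites maildirs, but the page's primary layout is mbox under /var/mail with group mail, so a sentence stating that the primary GID covers both layouts would stop readers from re-adding the extra group.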
Software
OS
- FreeBSD 4.8
- Ubuntu 6.06 LTS
LDAP
- openldap-2.1.22
- slapd 2.2.26 (Ubuntu)
dovecot
- Originally written for Dovecot 0.99, updated to 1.0.rc11+
- dovecot 1.0-beta3-3ubuntu5.3
Environment
This sets up mail accounts for people who don't have accounts on the FBSD box; e.g. there is a mail account for ole_wobble in the LDAP registry, but no matching account in the Unix passwd file. However, each mail account does require its own directory in /var/mail; e.g. for user Ole Wobble Olson, you need the directory /var/mail/ole_wobble. There is a Unix account named postoffice which handles all administrative tasks and owns the directories and files set up for mail accounts in /var/mail. The group for files in /var/mail is mail. Using ole_wobble as an example:
# ls -l /var/mail | grep ole_wobble
drwx--x--x  3 postoffice  mail  1024 Aug 23 04:15 ole_wobble
Mail storage is mbox, but these instructions should work fine with Maildir directories. The UID number for the postoffice account is 3000 and the GID number is 8. Change the ID numbers to match your system.
In each user directory in /var/mail, I create three files: inbox, outbox, and Trash. These are needed for the MUAs (mail clients) we use. Eudora requires the inbox to be "inbox", all lower case; mutt requires the outbox to be "outbox", all lower case, and Eudora uses a trash box named "Trash".
Alternatively, an appropriately set up SMTP server (like exim4) will create the boxes on the first email to the account.
If you want to use raw logging, you will need to add a directory named "dovecot.rawlog" to /home/postoffice.
OpenLDAP
The OpenLDAP instructions are extremely sketchy and are intended only to supplement the instructions at the OpenLDAP web site. They give information specific to a Dovecot setup that is missing from the OpenLDAP manual.
Install
If you are going to use CRYPT password hashing as the default in OpenLDAP (this is compatible with Dovecot), then you will need to add the --enable-crypt option to the CONFIGURE_ARGS variable in the Makefile so that OpenLDAP will compile with CRYPT support. If you don't do this, OpenLDAP may actually work for a while, but then one day you'll restart the server and OpenLDAP will refuse to run until you remove the CRYPT setting from slapd.conf, which means the user passwords won't work.
On BSD, if you have portupgrade installed, the simplest way to install OpenLDAP is by using the portinstall tool.
# portinstall openldap21
On Ubuntu, use apt-get (or aptitude).
% sudo apt-get install slapd
The instructions for configuring OpenLDAP, including a Quick Install Guide, are at
On BSD, OpenLDAP appears to be difficult to install properly. My first two attempts were unsuccessful. The FreeBSD port includes Perl scripts that run tests to ensure that the installation succeeded. Even though the installation passed the tests, it couldn't be configured to work properly. On my third attempt, OpenLDAP worked but attempts to limit access to specified attributes caused OpenLDAP to refuse access to all attributes. On my fourth attempt, OpenLDAP ignored any attempts to limit access to specified attributes. While searching for information, I found a posting that commented that every installation of OpenLDAP on FreeBSD 4.8 requires its own config file; each installation behaves differently and the config file has to be tuned to the individual installation. You may need to install a few times before you get a usable installation of OpenLDAP.
On Ubuntu, it worked fine.
Configure startup
On Ubuntu, installing slapd is sufficient to start it, and have it start on reboot. It runs as root. Proceed to Configuration.
Run as root, listen on all interfaces
This is the simplest set up. I recommend this for your initial set up and testing. Running as root is a security risk, so you probably want to change this before making the server available to users.
The first step is to go to /etc/rc.conf and add the following line.
slapd_enable="YES"
This will cause the OS to look for slapd.sh and run it at bootup.
Go to /usr/local/etc/rc.d, and copy slapd.sh.sample to slapd.sh. (Yes, Virginia, there is a slap daemon.) Open the file in a text editor. If you have the following line
# Uncomment one of the following:
ignore it. Comment out the following line if you have it.
slapd_args="-u ldap -g ldap"
Save your changes and close the text editor.
Run as normal user, listen at specified sockets
Create a new user and group named "ldap". ldap needs access to the configuration file and the database.
chown ldap:ldap /usr/local/etc/openldap/slapd.conf
chown -R ldap:ldap /var/db/openldap-data
Add the following to /etc/rc.conf.
slapd_args="-u ldap -g ldap"
By default, slapd listens on all interfaces. On very small LANs, the mail and directory services often run on the box that functions as the Internet gateway. In that case you don't want slapd listening at the external interface, so you need to specify which interfaces you do want it to listen on. In the following, the LDAP host name can be substituted for the internal IP address, if the host name is not exposed outside the LAN.
slapd_args='-u ldap -g ldap -h "ldap://localhost/ ldap://<Internal IP address>/ ldapi://%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"'
The ldapi specification is for Unix domain sockets. See the slapd man page.
slapd configuration
Go to the directory containing the OpenLDAP configuration files. On Ubuntu, this is /etc/ldap, on BSD it is /usr/local/etc/openldap. Make the appropriate substitutions below.
Make a copy of slapd.conf.default and name it slapd.conf. Open slapd.conf in a text editor. You will need the following lines to reference the schemas you need:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
The following line will set the default password hashing method to the CRYPT algorithm, which is compatible with Dovecot:
password-hash {CRYPT}
The Quick Install Guide at the OpenLDAP site explains how to set up an administrator with global rights on the LDAP registry, and how to add entries.
Creating the database
Here is a data hierarchy in ldif format that can be used to provide Dovecot mail accounts. You should be able to copy it into an ldif file, modify it for your own use, and install it all at once.
dn: dc=wibble,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: Wibble Corp.
dc: wibble
description: Wibble, with Ole Wobble and Ole Wubble

dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

# only necessary if you are NOT using 'bind' authentication
dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 1002
gidNumber: 100
homeDirectory: /usr/home/ole_wobble

dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wubble Olson
sn: Olson
uid: ole_wubble
uidNumber: 1003
gidNumber: 100
homeDirectory: /usr/home/ole_wubble
The expression dc=wibble,dc=net should match the suffix setting in slapd.conf.
If you plan to install this by copying it to a file and running ldapadd, you must retain the blank lines.
INFO: on OpenLDAP 2.3.39 on FreeBSD 6.2, leading spaces in the ldif files caused errors in ldapadd. So you might try to remove these (keep the empty record separator lines though).
uidNumber and gidNumber are only significant if they are mentioned in the user_attrs item in /etc/dovecot/dovecot-ldap.conf. If these are virtual accounts (the LDAP entries, including homeDirectory, uidNumber and gidNumber, are also used for authentication elsewhere, not for the mail store), I recommend you leave them out of user_attrs and instead use
user_global_uid = dovecot
user_global_gid = mail
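As an added example (not part of the original page) of the checks the preceding paragraphs describe, here is a small Python script that splits an LDIF file into records on blank lines, flags attribute lines with leading whitespace (LDIF folds such a line into the previous one, so the attribute silently vanishes, and the note above says older ldapadd builds on FreeBSD rejected it), confirms every DN ends in the slapd.conf suffix, and confirms each posixAccount entry carries uid, uidNumber, gidNumber and homeDirectory. The sample LDIF embedded in it is constructed from the page's own accounts and suffix, with two deliberate faults in the second account.

```python
from collections import defaultdict

SUFFIX = "dc=wibble,dc=net"                   # must match the suffix line in slapd.conf
POSIX_MUST = ("uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample: the page's ou=accounts branch and its two mail accounts,
# with two deliberate faults in the second account (a leading space and a
# missing homeDirectory).
SAMPLE_LDIF = """\
dn: ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: organizationalUnit
ou: accounts

# only necessary if you are NOT using 'bind' authentication
dn: cn=dovecot,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
cn: dovecot
sn: dovecot

dn: uid=ole_wobble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wobble Olson
sn: Olson
uid: ole_wobble
uidNumber: 1002
gidNumber: 100
homeDirectory: /usr/home/ole_wobble

dn: uid=ole_wubble,ou=accounts,dc=wibble,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Ole Wubble Olson
sn: Olson
uid: ole_wubble
 uidNumber: 1003
gidNumber: 100
"""


def split_records(text):
    """Return a list of records; each record is a list of (line_number, line).
    Records are separated by blank lines, and '#' comment lines are dropped."""
    records, current = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            current.append((number, line))
    if current:
        records.append(current)
    return records


def check_ldif(text, suffix=SUFFIX):
    """Return a list of human-readable problems; an empty list means the file
    is ready for ldapadd as far as these checks go."""
    problems = []
    for record in split_records(text):
        dn, attrs = None, defaultdict(list)
        for number, line in record:
            if line[0] in " \t":
                # RFC 2849 folds such a line into the previous one, so the
                # attribute is lost; the page's note says older ldapadd
                # builds reject it outright.
                problems.append(f"line {number}: leading whitespace; remove it")
                line = line.strip()
            name, sep, value = line.partition(":")
            if not sep:
                problems.append(f"line {number}: not an 'attribute: value' line")
                continue
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is None:
            problems.append(f"record at line {record[0][0]}: no dn line")
            continue
        if not dn.lower().endswith(suffix.lower()):
            problems.append(f"{dn}: not under suffix {suffix}")
        classes = {c.lower() for c in attrs["objectclass"]}
        if "posixaccount" in classes:
            for must in POSIX_MUST:
                if must.lower() not in attrs:
                    problems.append(f"{dn}: posixAccount entry lacks {must}")
    return problems


if __name__ == "__main__":
    for problem in check_ldif(SAMPLE_LDIF) or ["no problems found"]:
        print(problem)
```

Run it against your own wibble.ldif by reading the file into check_ldif; the script reports two problems for the embedded sample and none once the leading space is removed and the missing homeDirectory added.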
To insert the entries above, save them in a file named wibble.ldif. Run ldapadd from the command line:
ldapadd -W -D "cn=Manager,dc=wibble,dc=net" -f /usr/local/etc/openldap/wibble.ldif
Returning to slapd.conf, the following will give dovecot read access to the entries in the ou=accounts section, but no write access and no access to other parts of the registry.
access to dn.children="ou=accounts,dc=wibble,dc=net"
    by dn="cn=dovecot,ou=accounts,dc=wibble,dc=net" read
    by anonymous auth
This is enough to allow Dovecot to authenticate mail users and itself.
The final step in setting up your LDAP registry is to add the passwords. Every account in the ou=accounts section will need one. Assuming that you've slavishly imitated the example in the Quick Install Guide at the OpenLDAP site and called your LDAP administrator "Manager", you can add passwords from the command line with
$ ldappasswd -W -S -D "cn=Manager,dc=wibble,dc=net" "cn=dovecot,ou=accounts,dc=wibble,dc=net"
for the dovecot user and
$ ldappasswd -W -S -D "cn=Manager,dc=wibble,dc=net" "uid=ole_wobble,ou=accounts,dc=wibble,dc=net"
for mail accounts. The -S option prompts you for the new password, and the -W option prompts you for the LDAP Manager password. Many LDAP front ends will do the same.
You can view the finished registry with
$ ldapsearch -LLL -W -D "cn=Manager,dc=wibble,dc=net" -b "dc=wibble,dc=net" "(objectclass=*)"
Installing Dovecot
Again, the simplest approach is the portinstall tool (on BSD) or apt-get (on Ubuntu).
BSD
If you don't include homeDirectory info with all your LDAP entries, you will need a patch. Download the patch from
To apply the patch, go to /usr/ports/mail/dovecot. If you've previously installed dovecot and still have the work directory, you need to remove it.
# make distclean
Then you need to recreate the work directory.
# make patch
Go to the directory containing the file you need to patch.
# cd /usr/ports/mail/dovecot/work/dovecot-0.99.10/src/auth
Copy auth-no-homedir.patch (the patch file you downloaded) to this directory. Now run patch.
# patch -p0 < auth-no-homedir.patch
If you get no error messages, you can proceed with the installation. If you do get error messages, you will need to apply the patch by hand. Open auth-no-homedir.patch in a text viewer. The file you need to patch is listed in the first line of auth-no-homedir.patch. Open that file in a text editor in another ttyv or xterm.
The patch file contains two contiguous lines, the first beginning with a "-" and the second beginning with a "+". The first is the line you will delete from the file to be patched, and the second is the line that will replace it; i.e. subtract the "-" line and add the "+" line. Immediately surrounding the two lines are the context lines; three above and three below. Search for the line in the file to be patched that matches the "-" line *and* has the same context lines above and below. When you find this line, delete it and replace it with the "+" line in the patch file. (Do not include the "+" marker.) Double check that you have deleted only what needs to be deleted and added only what needs to be added. Save the file and close the text editor and text viewer. Delete auth-no-homedir.patch.
Once you have successfully run patch or patched by hand, return to /usr/ports/mail/dovecot. Open the Makefile in a text editor. Find the line that begins with "CONFIGURE_ARGS+=". If you don't have the following two arguments, add them.
--with-rawlog --with-ldap
Raw logging isn't necessary, but it can be useful. You have to have the --with-ldap argument to enable Dovecot to work with LDAP.
If you remove support for alternative authentication methods (PAM, PGSQL, etc), you should leave support for passwd. When I was debugging my configuration, I found it helpful to switch between passwd and LDAP authentication. If my setup worked with passwd and not with LDAP, then I knew that I needed to look at Dovecot's LDAP configuration, or at OpenLDAP.
Save your changes to Makefile, and close the editor.
Now you're ready to install.
# make install
If make completes and registers Dovecot without giving error messages, then your installation was successful.
Configure Dovecot
dovecot-ldap.conf
To start Dovecot automatically when you boot, go to /usr/local/etc/rc.d and copy dovecot.sh.sample to dovecot.sh.
Go to /usr/local/share/doc/dovecot and copy dovecot-ldap.conf to the /usr/local/etc directory. Go to the /usr/local/etc directory and open dovecot-ldap.conf in a text editor.
The first setting is
hosts = localhost
If Dovecot and OpenLDAP are running on the same machine, then this is fine. If you have OpenLDAP running on a different machine, you will need to set this to the name of the LDAP machine.
I recommend bind authentication (auth_bind = yes, as in the Ubuntu config at the end of this page): Dovecot then tries to bind to LDAP with the username/password combination the client supplied, and you can skip the settings that exist only so Dovecot can look passwords up itself (dn, dnpass and, further down, pass_attrs).
dn = uid=dovecot,ou=accounts,dc=wibble,dc=net
This is set to the Distinguished Name that identifies the Dovecot entry in your LDAP registry.
dnpass = flop
Set this to the password you assigned dovecot using the ldappasswd command.
ldap_version = 3
'Nuff said.
base = ou=accounts,dc=wibble,dc=net
This tells Dovecot where to search in your LDAP registry. Dovecot will search for passwords and UIDs in the entries that fall below ou=accounts in the data hierarchy.
deref = never
If you are referencing and dereferencing aliases, then you know a lot more about LDAP than I do.
scope = subtree
This tells Dovecot to search all entries that fall below the base entry. If it were set to "onelevel", Dovecot would search only entries one level below the base entry. If it were set to "base", Dovecot would search only the base entry.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# or if you're using global UID and GID:
user_attrs = homeDirectory=home
user_filter = (&(objectClass=posixAccount)(uid=%u))
Specifies which class to search in a given entry, and to find the uid that matches the user name passed by the mail client.
pass_attrs = uid=user,userPassword=password
Which attributes to use when matching passwords. Using bind authentication, this is not necessary.
pass_filter = (&(objectClass=posixAccount)(uid=%u))
Specifies which class to search in a given entry, and to find the uid that matches the user name passed by the mail client.
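The two filters above take the login name from the client through %u. As an added example, not Dovecot's own code, the Python below shows what building such a filter from an untrusted login name requires if you compose it yourself (for instance in a test script that runs ldapsearch with the same filter): every substituted value must be escaped as RFC 4515 specifies, otherwise a login of "*" matches every posixAccount. The expand_filter helper supports %u, %n and %d with the meanings Dovecot gives them (full login, user part, domain part); how Dovecot escapes internally is not shown here, and expand_filter_unescaped exists only to show the difference.

```python
import re

USER_FILTER = "(&(objectClass=posixAccount)(uid=%u))"   # as in dovecot-ldap.conf above


def rfc4515_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    '*', '(', ')', '\\', NUL, other control bytes and non-ASCII bytes become
    backslash + two hex digits, so the value can only ever match literally."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte >= 0x7F or chr(byte) in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def expand_filter(template: str, login: str) -> str:
    """Substitute the login into a filter template, escaping every inserted value.
    %u = full login, %n = part before '@', %d = part after '@' (empty if none)."""
    user, _, domain = login.partition("@")
    values = {"%u": login, "%n": user, "%d": domain}
    # A callable replacement keeps re.sub from interpreting the backslashes.
    return re.sub(r"%[und]", lambda m: rfc4515_escape(values[m.group(0)]), template)


def expand_filter_unescaped(template: str, login: str) -> str:
    """The naive version, kept only to show what goes wrong without escaping."""
    user, _, domain = login.partition("@")
    values = {"%u": login, "%n": user, "%d": domain}
    return re.sub(r"%[und]", lambda m: values[m.group(0)], template)


if __name__ == "__main__":
    for login in ("ole_wobble", "*", "*)(uid=*"):
        print(f"{login!r:14} naive  : {expand_filter_unescaped(USER_FILTER, login)}")
        print(f"{login!r:14} escaped: {expand_filter(USER_FILTER, login)}")
```

With escaping, a login of "*" turns into (uid=\2a), which can only match an account literally named "*"; the naive expansion turns the same login into (uid=*), which the directory answers with every posixAccount under the base.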
default_pass_scheme = CRYPT
This names the password scheme Dovecot assumes for a stored userPassword that carries no {SCHEME} prefix; CRYPT matches the password-hash {CRYPT} setting given for slapd.conf above.
user_global_uid = 3000
user_global_gid = 8
This provides a default UID number for LDAP entries that lack the uidNumber attribute. If you use the posixAccount object class in your LDAP registry, you can't enter data for an account without providing a uidNumber and gidNumber, so this and the next setting aren't necessary. If you have not mentioned uidNumber and gidNumber in user_attrs, these are assumed for all entries. Make sure first_valid_uid in /etc/dovecot/dovecot.conf is not greater than this number (the example here sets both to 3000).
dovecot.conf
While still in /usr/local/etc, open dovecot.conf in a text editor.
base_dir = /var/run/dovecot/
This was created for you during installation.
protocols = imap
You can add other protocols if you want. This setup only uses IMAP.
protocol imap {
  listen = *:143
}
Dovecot listens on port 143 by default, so the port setting isn't necessary unless you want to use a different port. According to the documentation, * causes Dovecot to listen on all available IP4 interfaces. If your IMAP box is also your Internet gateway, and you're not offering mail services externally, then you probably don't want that. If you specify your LAN interface, Dovecot may continue to listen at localhost, but you can't count on it. If your host name isn't exposed externally, then you can use
protocol imap {
  listen = wibblemailhost:143
}
Otherwise use
protocol imap {
  listen = 192.168.15.23:143
}
ssl_disable = yes
If you have this set to yes, you can ignore the SSL settings that follow in dovecot.conf.
login_dir = /var/run/dovecot/login
login_chroot = yes
login_user = dovecot
verbose_proctitle = yes
The above are all part of the default conf file.
first_valid_uid = 3000
last_valid_uid = 3000
If you are assigning the postoffice UID number to all mail accounts, you can restrict access to only that UID number. See mention of user_global_uid above.
first_valid_gid = 8
last_valid_gid = 8
Since all mail accounts are assigned the mail group's number...
mail_location = mbox:/var/mail/%u
or
mail_location = maildir:/var/mail/%u
This tells Dovecot where the mail for a given account is located. Dovecot replaces "%u" with the account name. For the two user accounts in the ldif data hierarchy given above, "%u" would expand to ole_wobble and ole_wubble.
client_workarounds = oe6-fetch-no-newmail outlook-idle
We don't use Outlook or Outlook Express. However, someone may decide to use an MS mail client in the future, and leaving this in place does no harm.
mail_save_crlf = no
My IMAP box really doesn't work very hard, so I don't think it matters how this is set. If your mail server gets hammered regularly, you may want to play with this and see if it makes a difference in speed.
maildir_copy_with_hardlinks = yes
"yes" is supposed to be faster. See the comments in the config file for the tradeoffs.
mbox_read_locks = fcntl
mbox_write_locks = fcntl
I also tried flock and dotlock, and they work on FBSD. This is the preferred setting, if it works on your system. Locking should not be necessary for Maildir setups.
auth default {
  mechanisms = plain
"plain" seems more likely to work under more circumstances.
  passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  userdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
If you need to switch to passwd authentication for testing, change this to
  passdb passwd {
  }
  userdb passwd {
  }
user = dovecot-auth
If you need to switch to passwd authentication for testing, change this to
user = root
auth_verbose = yes
If you have to debug your configuration, you'll want as much information as possible.
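As an added example, not part of the original page or of Dovecot, the Python below parses the brace-delimited dovecot.conf format used in this section together with dovecot-ldap.conf and checks the cross-file rules the section states: user_global_uid and user_global_gid must fall inside first_valid_uid..last_valid_uid and first_valid_gid..last_valid_gid, passdb ldap and userdb ldap should read the same file, listen = * binds every interface, and ssl_disable = yes combined with mechanisms = plain means port 143 logins travel in clear text. The two embedded configs are constructed from this section's values, with user_global_uid changed to 3500 so that one check fires; the parser handles only the subset of syntax shown on this page.

```python
# Constructed from the dovecot.conf settings discussed in this section.
DOVECOT_CONF = """\
protocols = imap
protocol imap {
  listen = *:143
}
ssl_disable = yes
first_valid_uid = 3000
last_valid_uid = 3000
first_valid_gid = 8
last_valid_gid = 8
mail_location = mbox:/var/mail/%u
auth default {
  mechanisms = plain
  passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  userdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  user = dovecot-auth
}
"""

# Constructed from the dovecot-ldap.conf settings above; user_global_uid is
# deliberately set outside the valid range so the check below reports it.
LDAP_CONF = """\
hosts = localhost
ldap_version = 3
base = ou=accounts,dc=wibble,dc=net
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = CRYPT
user_global_uid = 3500
user_global_gid = 8
"""


def parse_conf(text):
    """Parse 'key = value' lines and nested 'section [name] {' ... '}' blocks.
    Blocks become nested dicts keyed by their header, e.g. 'auth default'."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            current[" ".join(line[:-1].split())] = block
            stack.append(current)
            current = block
        elif line == "}":
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return root


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None          # names such as 'dovecot' or 'mail' are resolved by Dovecot


def check_config(dovecot, ldap):
    """Return the list of findings for a parsed dovecot.conf / dovecot-ldap.conf pair."""
    findings = []
    for kind in ("uid", "gid"):
        value = _int(ldap.get(f"user_global_{kind}"))
        first = _int(dovecot.get(f"first_valid_{kind}"))
        last = _int(dovecot.get(f"last_valid_{kind}"))
        if None not in (value, first, last) and not first <= value <= last:
            findings.append(f"user_global_{kind} = {value} lies outside "
                            f"first_valid_{kind}..last_valid_{kind} = {first}..{last}; "
                            f"Dovecot will refuse these users")
    auth = dovecot.get("auth default", {})
    args = {auth.get(db, {}).get("args") for db in ("passdb ldap", "userdb ldap")}
    if len(args) > 1:
        findings.append("passdb ldap and userdb ldap read different files: "
                        + ", ".join(sorted(map(str, args))))
    listen = dovecot.get("protocol imap", {}).get("listen", "")
    if listen.startswith("*"):
        findings.append(f"protocol imap listen = {listen} binds every IPv4 interface; "
                        "pin it to the LAN address if this host is also the gateway")
    if dovecot.get("ssl_disable") == "yes" and "plain" in auth.get("mechanisms", "").split():
        findings.append("ssl_disable = yes with mechanisms = plain: IMAP logins on "
                        "port 143 travel in clear text")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_conf(DOVECOT_CONF), parse_conf(LDAP_CONF)):
        print(finding)
```

Point parse_conf at the real files (open them and pass the text) to run the same checks on an installed setup; with the embedded samples it reports the out-of-range UID, the wildcard listen address and the clear-text login path.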
Ubuntu config files
These are two full config files used on Ubuntu -
# /etc/dovecot/dovecot.conf
protocols = imap imaps
log_timestamp = "%Y-%m-%d %H:%M:%S "
first_valid_uid = 100
mail_debug = yes
default_mail_env = /var/mail/%u/Maildir
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
}
For LDAP configuration,
auth_bind = yes
auth_bind_userdn = uid=%u,ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
ldap_version = 3
base = ou=People,dc=_WIZZY_HOSTNAME_,ou=wizzy
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(objectClass=posixAccount)(uid=%u))
user_global_uid = dovecot
user_global_gid = mail