Postfix LDAP Howto v2.1


Last updated on 05th of August 2007


Full-fledged Postfix using LDAP HOWTO

Postfix, LDAP, IMAP, WebMail, Virus- and spamscanning/checking mail system

by Tom Scholten and the authors of similar documents

v2.1

Special thanks to Richard from UnixGuru.nl

Postfix OpenLDAP


This document tries to describe how to set up a 'full-fledged' mail server with Postfix as its core. It will be extended with mailing list managers and webmail on the front end, and will feature spam and virus detection and avoidance software on the back end. There will also be a web-based back-end interface for mail handling. All software used is open source and available from the web. The solution chosen supports multiple users and multiple domains, so you could use it for a small or average ISP. This document can be used as a HOWTO on FreeBSD or similar systems, but will also apply to generic Unices such as Solaris or Linux distributions (e.g. RedHat/Ubuntu/Debian/etc.). There are other documents describing how to implement Postfix with LDAP, and this howto is based upon them, but it is written as a 'from scratch' to 'fully operational' manual: I found a great tutorial on Postfix-MySQL including a nice PHP admin front end, besides the great JAMM approach, which also has a nice admin tool, but in Java (server pages). Plans for now are to deliver both a Perl/CGI interface AND a PHP interface to administer your very own Postfix-LDAP mail system.



This page describes how I installed and configured the solution on a FreeBSD 6.x system. There is no reason why this wouldn't work on any other UN*X system, including all flavors of Linux, *BSD, HP-UX, Tru64, Solaris or AIX. Maybe on SCO, but I like neither their OS nor their attitude. Of course no responsibility or liability is accepted, blah blah blah, to be continued.



Installed software (on FreeBSD)

Today, 05th of August 2007, I started updating this howto by building a completely new mail system. It should be fairly up to date and fully usable for you! Installing in the order provided should ensure you have all the packages required (because of their dependencies).

  • lang/perl58 v5.8.8 (either as an additional package during install or using ports)
  • mail/p5-Mail-ClamAV and security/p5-File-Scan-ClamAV
  • databases/p5-DBD-mysql50
  • net/openldap23-server v2.3.37 (check dependencies first, as v2.4 might become dependent instead of v2.3)
  • www/apache22 v2.2.4_2 (WITH_LDAP_MODULES=yes)
  • mail/postfix (using pcre, sasl, tls, mysql, openldap, vda and test) v2.54
  • lang/php5 v5.2.3 and lang/php5-extensions (at least enable openldap, mysql and imap)
  • databases/mysql50-server v5.0.45
  • mail/dovecot v1.0.2 (with LDAP and MYSQL enabled)
  • security/clamav v0.91.1
  • mail/mailscanner v4.61.7
  • net/phpldapadmin
  • mail/roundcube
  • Optionally you could also install these packages:
      • procmail
      • phpmyadmin

Assumptions

Assumptions made for this howto

  • The example domain name will be 'example.org'
  • The virtual users' (mail)directory store will live under /usr/virtual
  • The virtual user is vmail (group vmail); uid and gid are both 2001
  • The scanner runs as vscan/vscan (2002/2002)

Note that the Postfix (virtual_uid_maps/virtual_gid_maps) and Dovecot (user_global_uid/user_global_gid) snippets further down use 5000 rather than 2001. Whichever value you pick, the owner of /usr/virtual, the uid/gid Postfix delivers as and the uid/gid Dovecot reads as must all be the same, otherwise delivery succeeds while IMAP logins fail with permission errors (or the other way round).

OpenLDAP configuration

First edit /usr/local/etc/openldap/slapd.conf. The example below does NOT have a safe password (secret); generate one with slappasswd from the command line. It asks you to type your password twice and then prints the string to put after rootpw. You can use an algorithm other than SSHA (the default); see man slappasswd for more information!

The ACLs at the end of the example are minimal: the catch-all stanza ends in 'by * read', so anyone who can reach port 389 can, anonymously, read every attribute except userPassword, and the 'peername.ip=127.0.0.1 read' clause hands the password hashes to any process on the mail host itself (webmail, PHP, a cron job). Consider RTFM on (Open)LDAP, slapd.access(5) in particular, to secure your LDAP tree some more before exposing it.

/usr/local/etc/openldap/slapd.conf

CODE:
  #
  # See slapd.conf(5) for details on configuration options.
  # This file should NOT be world readable.
  #
  pidfile         /var/run/openldap/slapd.pid
  argsfile        /var/run/openldap/slapd.args

  # Load dynamic backend modules:
  modulepath      /usr/local/libexec/openldap/
  moduleload      back_bdb

  # Sample security restrictions
  #       Require integrity protection (prevent hijacking)
  #       Require 112-bit (3DES or better) encryption for updates
  #       Require 63-bit encryption for simple bind
  # security ssf=1 update_ssf=112 simple_bind=64

  # Sample access control policy:
  #       Root DSE: allow anyone to read it
  #       Subschema (sub)entry DSE: allow anyone to read it
  #       Other DSEs:
  #               Allow self write access
  #               Allow authenticated users read access
  #               Allow anonymous users to authenticate
  #       Directives needed to implement policy:
  # access to dn.base="" by * read
  # access to dn.base="cn=Subschema" by * read
  # access to *
  #       by self write
  #       by users read
  #       by anonymous auth
  #
  # if no access controls are present, the default policy
  # allows anyone and everyone to read anything but restricts
  # updates to rootdn.  (e.g., "access to * by * read")
  #
  # rootdn can always read and write EVERYTHING!

  # OpenLDAP configuration for example.org

  # Core schemas delivered with OpenLDAP
  include /usr/local/etc/openldap/schema/core.schema
  include /usr/local/etc/openldap/schema/cosine.schema
  include /usr/local/etc/openldap/schema/inetorgperson.schema
  include /usr/local/etc/openldap/schema/nis.schema
  # Mail server schema used with Postfix (defines mailDomain, mailAccount,
  # mailAlias and their attributes; see the next section)
  include /usr/local/etc/openldap/schema/mailserver.schema

  #######################################################################
  # BDB database definitions
  #######################################################################
  database bdb
  suffix "dc=example,dc=org"
  rootdn "cn=Manager,dc=example,dc=org"
  # Replace "secret" with the {SSHA}... string printed by slappasswd; never
  # leave a cleartext password here.
  rootpw secret
  # The database directory MUST exist prior to running slapd AND
  # should only be accessible by slapd/the tools. Mode 700 recommended.
  directory /var/db/openldap-data
  # Indices to maintain: objectClass appears in every filter on this page,
  # mail and cn are the keys Postfix and Dovecot search on
  index objectClass pres,eq
  index mail,cn eq,sub
  # logging (256 = connections, operations and results)
  loglevel 256

  # Access control. Continuation lines MUST start with whitespace, otherwise
  # slapd reads "by ..." as an unknown directive and refuses to start.
  # slapd uses the first "access to" whose target matches and, inside it,
  # the first "by" clause that matches the client; no match means no access.
  access to attrs=userPassword
          by self write
          by anonymous auth
          by peername.ip=127.0.0.1 read
          by dn="cn=dovecot,dc=example,dc=org" read
          by * none
  access to *
          by dn="cn=postfix,dc=example,dc=org" read
          by dn="cn=courier,dc=example,dc=org" read
          by peername.ip=127.0.0.1 read
          by * read


OpenLDAP schema for the mail server

Next, install the LDAP schema used for our mail server as /usr/local/etc/openldap/schema/mailserver.schema (the original page offered the file for download as mailserver.schema). It defines the mailDomain, mailAccount and mailAlias object classes and the attributes (maildrop, mailbox, accountActive, delete, postfixTransport, mailalternateaddress, ...) that the LDIF and the Postfix and Dovecot queries below rely on; none of these come from the stock OpenLDAP schemas, and slapd will refuse to start until the file is present because slapd.conf includes it.


Ready, Aim, OpenLDAP

Now start your OpenLDAP server, either by hand or by setting slapd_enable="YES" in /etc/rc.conf and running /usr/local/etc/rc.d/slapd start, and verify that slapd is running (it listens on port 389 and an anonymous ldapsearch of the root DSE gets an answer). If it is running, we are ready to fill it.


Initial LDIF

OpenLDAP tree layout and initial LDIF. You can load this into your server using

CODE:
  ldapadd -x -D "cn=Manager,dc=example,dc=org" -W -f /home/user/ldap/initial.ldif

(-W prompts for the Manager password instead of putting it on the command line, where ps and your shell history would show it.)

CODE:
  # example
  dn: dc=example,dc=org
  objectClass: top
  objectClass: organization
  objectClass: dcObject
  o: example
  dc: example

  # Manager
  dn: cn=Manager,dc=example,dc=org
  objectClass: top
  objectClass: organizationalRole
  cn: Manager

  # mail, example
  dn: dc=mail,dc=example,dc=org
  objectClass: top
  objectClass: organizationalUnit
  objectClass: dcObject
  ou: mail
  dc: mail

  # Bind account for Postfix. A single colon means a literal value; the
  # "userPassword:: value" form means the value is base64 encoded, so
  # "userPassword:: secret" would store a few bytes of garbage (or be
  # rejected) and the bind would fail. Use the {SSHA} string from slappasswd
  # here rather than a cleartext password.
  dn: cn=postfix,dc=example,dc=org
  objectClass: top
  objectClass: simpleSecurityObject
  objectClass: organizationalRole
  userPassword: secret
  cn: postfix

  # Bind account for Dovecot (same remark about the password)
  dn: cn=dovecot,dc=example,dc=org
  objectClass: top
  objectClass: simpleSecurityObject
  objectClass: organizationalRole
  userPassword: secret
  cn: dovecot

  # example.org, mail, example
  dn: dc=example.org,dc=mail,dc=example,dc=org
  accountActive: TRUE
  editPostmasters: TRUE
  editAccounts: TRUE
  objectClass: top
  objectClass: mailDomain
  dc: example.org
  delete: FALSE
  lastChange: 111
  postfixTransport: virtual:

  # somenudomain.nu, mail, example
  # (no blank line inside an entry: a blank line ends the LDIF record)
  dn: dc=somenudomain.nu,dc=mail,dc=example,dc=org
  accountActive: TRUE
  editPostmasters: TRUE
  editAccounts: TRUE
  objectClass: top
  objectClass: mailDomain
  dc: somenudomain.nu
  delete: FALSE
  lastChange: 111
  postfixTransport: virtual:

  # someoldaccount.demon.org, mail, example
  dn: dc=someoldaccount.demon.org,dc=mail,dc=example,dc=org
  accountActive: TRUE
  editPostmasters: TRUE
  editAccounts: TRUE
  objectClass: top
  objectClass: mailDomain
  dc: someoldaccount.demon.org
  delete: FALSE
  lastChange: 111
  postfixTransport: virtual:

  # domain3.org, mail, example
  dn: dc=domain3.org,dc=mail,dc=example,dc=org
  accountActive: TRUE
  editPostmasters: TRUE
  editAccounts: TRUE
  objectClass: top
  objectClass: mailDomain
  dc: domain3.org
  delete: FALSE
  lastChange: 111
  postfixTransport: virtual:

Apache webserver

Add the following lines to your /usr/local/etc/apache22/httpd.conf and make sure 'DirectoryIndex' also contains index.php (if you built lang/php5 with the Apache module option, the port adds the LoadModule line for mod_php itself):

CODE:
  AddType application/x-httpd-php .php
  AddType application/x-httpd-php-source .phps

The second line makes Apache serve any .phps file as syntax-highlighted PHP source; leave it out on a production host unless you really want to publish source code.


phpLdapAdmin

Since not everyone is keen on adding/removing/changing users by hand using scripts, there is also 'phpldapadmin' in the ports tree, which makes things a little easier. After installing the port (assuming Apache+PHP are up and running!!!) add the following lines to a secure (https) instance of your webserver, /usr/local/etc/apache22/extra/httpd-ssl.conf:

CODE:
  Alias /phpldapadmin "/usr/local/www/phpldapadmin/"
  <Directory "/usr/local/www/phpldapadmin/">
      AllowOverride AuthConfig
      Order allow,deny
      Allow from all
  </Directory>

And put a .htaccess file in /usr/local/www/phpldapadmin containing

CODE:
  AuthUserFile /usr/local/etc/apache22/htpasswd.admin
  AuthName "/admin auth"
  AuthType Basic
  require valid-user

Next create the htpasswd file using "htpasswd -cm /usr/local/etc/apache22/htpasswd.admin {username}" and add any further users leaving the -c out (-c creates the file and would overwrite an existing one). Next edit /usr/local/www/phpldapadmin/config/config.php and change/add the following lines:

CODE:
  $ldapservers->SetValue($i,'server','host','127.0.0.1');
  $ldapservers->SetValue($i,'server','port','389');
  $ldapservers->SetValue($i,'server','auth_type','config');
  $ldapservers->SetValue($i,'login','dn','cn=Manager,dc=example,dc=org');
  $ldapservers->SetValue($i,'login','pass','secret');
  $ldapservers->SetValue($i,'server','tls',false);

Restart your webserver and test if everything works. Keep in mind what auth_type 'config' means: phpLdapAdmin binds as cn=Manager with the password from config.php for every visitor who passes the htpasswd prompt, so that file must not be readable by anyone but the web server user, and the htpasswd layer is the only thing between the internet and full write access to your directory (auth_type 'session', where each user binds with their own DN and password, is the safer choice once your ACLs allow it). The reason I use plain htpasswd authentication instead of LDAP authentication (which is possible using the example .htaccess below) is that any FU in your LDAP would lock you out of it. Example .htaccess using LDAP authentication (mod_authnz_ldap; in Apache 2.2 the AuthBasicProvider line is required, otherwise the default 'file' provider is used and the LDAP URL is ignored):

CODE:
  AuthName "/auth required"
  AuthType Basic
  AuthBasicProvider ldap
  AuthLDAPURL ldap://localhost/dc=employees,dc=example,dc=org?name??
  require valid-user


ClamAV, virus scanner

Enable the daemon and the signature updater by setting clamav_clamd_enable="YES" and clamav_freshclam_enable="YES" in /etc/rc.conf and start them (/usr/local/etc/rc.d/clamav-clamd start and /usr/local/etc/rc.d/clamav-freshclam start). Run freshclam once before the first mail arrives: whether MailScanner uses clamd or the in-process clamavmodule, it needs the signature database in /var/db/clamav (the directory its 'Monitors for ClamAV Updates' line below watches).


DOVECOT imap server

Copy /usr/local/etc/dovecot-example.conf to /usr/local/etc/dovecot.conf and adjust the following lines:

CODE:
  # only the TLS-wrapped ports (993/995); no cleartext IMAP/POP3 listener at all
  protocols = imaps pop3s
  # Dovecot treats an SSL connection as secure and allows PLAIN/LOGIN on it
  # regardless of this setting, so with imaps/pop3s only you can keep "yes";
  # "no" would only matter if you ever add cleartext "imap pop3" listeners
  disable_plaintext_auth = yes
  syslog_facility = mail
  ssl_disable = no
  # one PEM file holding certificate and key; it contains the private key, so
  # make it readable by root only (Dovecot reads it before dropping privileges)
  ssl_cert_file = /etc/ssl/certs/mailserver.pem
  ssl_key_file = /etc/ssl/certs/mailserver.pem
  login_user = dovecot
  # must be the directory Postfix's virtual(8) writes to: virtual_mailbox_base
  # plus the "mailbox" attribute from LDAP (domain/user/Maildir/)
  mail_location = maildir:/usr/virtual/%d/%n/Maildir
  first_valid_uid = 500
  last_valid_uid = 0
  last_valid_gid = 0
  valid_chroot_dirs = /usr/virtual
  passdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }
  userdb ldap {
    args = /usr/local/etc/dovecot-ldap.conf
  }

Copy /usr/local/etc/dovecot-ldap-example.conf to /usr/local/etc/dovecot-ldap.conf and adjust the following lines:

CODE:
  hosts = localhost
  # Dovecot's own bind DN; the slapd ACL grants it read access to userPassword
  dn = cn=dovecot,dc=example,dc=org
  dnpass = secret
  tls = no
  # auth_bind = no: Dovecot fetches userPassword and verifies the password
  # itself, so the hashes travel over the (local, unencrypted) LDAP session.
  # auth_bind = yes would bind to slapd as the user instead and never needs
  # read access to userPassword at all.
  auth_bind = no
  ldap_version = 3
  base = dc=mail,dc=example,dc=org
  # objectClass values match case-insensitively, so MailAccount here is the
  # same class the Postfix queries call mailAccount.
  # userdb: MUST select the one user being looked up (%u). Without (mail=%u)
  # every login would be handed the first account in the tree.
  user_filter = (&(objectClass=MailAccount)(accountActive=TRUE)(delete=FALSE)(mail=%u))
  # "LDAP attribute=Dovecot field"; uid/gid come from user_global_* below
  user_attrs = homeDirectory=home
  # accountActive/delete here as well, so a disabled account already fails
  # at the password stage
  pass_filter = (&(objectClass=MailAccount)(accountActive=TRUE)(delete=FALSE)(mail=%u))
  pass_attrs = mail=user,userPassword=password
  # Applies only to userPassword values WITHOUT a {SCHEME} prefix: a value
  # stored as {SSHA}... is verified as SSHA whatever this says, while a
  # cleartext value would need PLAIN here.
  default_pass_scheme = CRYPT
  # the uid/gid Postfix delivers as (virtual_uid_maps/virtual_gid_maps)
  user_global_uid = 5000
  user_global_gid = 5000

Next start Dovecot using /usr/local/etc/rc.d/dovecot start (and set dovecot_enable="YES" in /etc/rc.conf so it comes back after a reboot).


RoundCube Webmail

Make sure MySQL is started (/usr/local/etc/rc.d/mysql-server start), then issue

mysql -uroot -p (the -p prompt only makes sense if you already set a root password; if you have not secured your database yet, do that first)

CODE:
  > create database roundcube;
  > grant all on roundcube.* to roundcube@localhost identified by 'secret';

Load the schema with mysql -u roundcube -p roundcube < /usr/ports/mail/roundcube/work/roundcube*/SQL/mysql5.initial.sql (-p without the password attached prompts for it instead of showing it in ps) and add the following lines to your /usr/local/etc/apache22/extra/httpd-ssl.conf:

CODE:
  Alias /webmail /usr/local/www/roundcube
  <Directory "/usr/local/www/roundcube">
      Order allow,deny
      Allow from all
  </Directory>


OpenLDAP scripts

Using the add-user script, ldapadduser.pl (it prints an LDIF record for a mailbox or an alias; the script itself is not reproduced on this page), we can add users according to the domain setup below, piping its output into ldapadd. The commands pass the Manager password with -w secret, which shows up in ps and in your shell history; prefer -W (prompt) on a real system.

CODE:
  # example.org
  ./ldapadduser.pl vivian example.org "Secret123" mailbox | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl alexander example.org "Dog=Cr@zy" mailbox | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl roland_dg example.org "a1zihw" mailbox | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl postmaster example.org alexander@example.org,vivian@example.org alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl webmaster example.org john@webbuilders.com alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl "*" example.org vivian@example.org alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret

  # somenudomain.nu
  ./ldapadduser.pl ian somenudomain.nu "vivian" mailbox | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl postmaster somenudomain.nu alexander@example.org alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl webmaster somenudomain.nu "w3bs1t3" mailbox | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret

  # someoldaccount.demon.org
  ./ldapadduser.pl "*" someoldaccount.demon.org @somenudomain.nu alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret

  # domain3.org
  ./ldapadduser.pl postmaster domain3.org alexander@example.org alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret
  ./ldapadduser.pl webmaster domain3.org alexander@example.org alias | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -w secret

And so we should have created a tree in which vivian@example.org receives all mail to non-existing mailboxes at example.org, and all mail for 'someoldaccount.demon.org' is delivered to somenudomain.nu (so you can e-mail ian@someoldaccount.demon.org and still reach ian, who of course should have procmail or similar set up to warn people about his changed domain name, but that is outside the scope of this document). Also note that postmaster@example.org is delivered to BOTH alexander AND vivian: the add-script simply creates two 'maildrop' attributes in the one LDAP entry!
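The ldapadduser.pl script is not on this page. The following Python is an added stand-in for it (not the howto's own script), generating the same two kinds of record. It hashes the password as {SSHA} the way slappasswd does, so no cleartext ends up in the directory, and it base64-encodes only the values LDIF forces it to, which also shows why the 'userPassword:: secret' form of the initial LDIF cannot work. The attribute names are the ones the Postfix and Dovecot queries on this page search for; the mail=... RDN, the example.org/<user>/Maildir/ mailbox path and the homeDirectory value are assumptions (they follow the Dovecot mail_location above), and mailserver.schema may require more attributes than shown here.

```python
"""Stand-in for ldapadduser.pl: prints LDIF for a mailbox or alias entry.
Added example for this page, not the howto's script.  Attribute names come
from the page's Postfix/Dovecot queries; the RDN, mailbox path and
homeDirectory layout are assumptions."""
import base64
import hashlib
import os

def ssha_hash(password, salt=None):
    """{SSHA} as produced by slappasswd: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (what slapd does on a simple
    bind, and what Dovecot does itself when auth_bind = no)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]              # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def ldif_attr(name, value):
    """One LDIF attribute line.  A bare "name: value" is only allowed for ASCII
    values without CR/LF/NUL that do not start with space, ':' or '<' and do
    not end in a space; anything else must be written as "name:: <base64>".
    That is why "userPassword:: secret" stores garbage: "secret" is DEcoded."""
    safe = (value != "" and value.isascii()
            and not any(c in "\r\n\0" for c in value)
            and value[0] not in " :<" and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

BASE = "dc=mail,dc=example,dc=org"

def domain_dn(domain):
    return f"dc={domain},{BASE}"                   # matches the initial LDIF

def mailbox_entry(user, domain, password, salt=None):
    """A mailAccount entry, shaped so that Postfix's accounts/accountsmap
    queries and Dovecot's pass/user lookups on this page all find it."""
    addr = f"{user}@{domain}"
    lines = [
        f"dn: mail={addr},{domain_dn(domain)}",   # RDN choice: assumption
        "objectClass: top",
        "objectClass: mailAccount",
        ldif_attr("mail", addr),
        # relative to virtual_mailbox_base; trailing slash = maildir
        ldif_attr("mailbox", f"{domain}/{user}/Maildir/"),
        ldif_attr("homeDirectory", f"/usr/virtual/{domain}/{user}"),
        ldif_attr("userPassword", ssha_hash(password, salt)),
        "accountActive: TRUE",
        "delete: FALSE",
    ]
    return "\n".join(lines) + "\n"

def alias_entry(user, domain, targets):
    """A mailAlias entry with one maildrop per target (postmaster -> two people)."""
    addr = f"{user}@{domain}"
    lines = [
        f"dn: mail={addr},{domain_dn(domain)}",
        "objectClass: top",
        "objectClass: mailAlias",
        ldif_attr("mail", addr),
    ]
    lines += [ldif_attr("maildrop", t) for t in targets]
    lines.append("accountActive: TRUE")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(mailbox_entry("vivian", "example.org", "Secret123"))
    print(alias_entry("postmaster", "example.org",
                      ["alexander@example.org", "vivian@example.org"]))
```

Pipe the output into ldapadd exactly as with the Perl script (saved as, say, mkldif.py: python3 mkldif.py | ldapadd -x -D 'cn=Manager,dc=example,dc=org' -W). Because the value carries the {SSHA} prefix, Dovecot verifies it itself with auth_bind = no and slapd verifies it on bind with auth_bind = yes, so the same record serves both setups.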


MailScanner

First of all, copy all .sample files to their real names (and make changes if you like) in /usr/local/etc/MailScanner and its subdirectories. Do the same for /usr/local/share/MailScanner/reports/en/ (or other languages). To let MailScanner find ClamAV automatically, also issue a cp /usr/local/libexec/MailScanner/clamav-wrapper.sample /usr/local/libexec/MailScanner/clamav-wrapper

I recommend using clamavmodule instead (Virus Scanners = clamavmodule, which scans in-process through the Mail::ClamAV Perl module installed earlier): this saves you the overhead and time of separate clamav processes on your precious system!

Adjust /usr/local/etc/MailScanner/MailScanner.conf with at least the following lines.

CODE:
  %org-name% = YourOrg
  %org-long-name% = Your Full Organisation Name
  %web-site% = www.example.org
  # MailScanner has to own the Postfix queue files it moves from hold to incoming
  Run As User = postfix
  Run As Group = postfix
  # Postfix parks every message in hold (see the header_checks line in the
  # Postfix section); MailScanner picks it up there and hands clean mail to incoming
  Incoming Queue Dir = /var/spool/postfix/hold
  Outgoing Queue Dir = /var/spool/postfix/incoming
  MTA = postfix
  # quarantine readable by the web server group so MailWatch can show/release it
  Quarantine User = postfix
  Quarantine Group = www
  Deliver Disinfected Files = yes
  Quarantine Whole Message = yes
  Information Header Value = See your provider's web page or www.mailscanner.info for more information
  Notify Senders = no
  Required SpamAssassin Score = 3
  High SpamAssassin Score = 5
  # Depending on your choice, either tag high-scoring spam and deliver it, or keep it in the quarantine:
  #High Scoring Spam Actions = deliver header "X-Spam-Status: Yes"
  High Scoring Spam Actions = store
  Virus Scanners = clamavmodule
  Monitors for ClamAV Updates = /var/db/clamav/*.inc/* /var/db/clamav/*.cvd


MailWatch (MailScanner front-end)

Download the package from http://mailwatch.sf.net, untar it in /tmp and change into the directory.

CODE:
  $ mysql -uroot -p < create.sql

CODE:
  $ mysql -uroot -p

MySQL:
  mysql> GRANT ALL ON mailscanner.* TO mailwatch@localhost IDENTIFIED BY 'secret';
  mysql> GRANT FILE ON *.* TO mailwatch@localhost IDENTIFIED BY 'secret';
  mysql> FLUSH PRIVILEGES;
  mysql> USE mailscanner;
  mysql> INSERT INTO users (username, password, fullname, type) VALUES ('<username>', md5('<password>'), '<name>', 'A');

Note that FILE is a global privilege, not one on the mailscanner database: it lets the mailwatch account read any file the mysqld process can read and write files with SELECT ... INTO OUTFILE. Grant it only if the MailWatch features you use need it, and treat the 'mailwatch' password accordingly.

Edit the MailWatch.pm file and change the database configuration

CODE:
  my($db_user) = 'mailwatch';
  my($db_pass) = 'secret';

Next copy this file into the MailScanner directories: cp MailWatch.pm /usr/local/lib/MailScanner/MailScanner/CustomFunctions/ Move the mailscanner directory to your web root and "chown www:www"" it (i.e. /usr/local/www/mailscanner) and add the following lines to your Apache configuration:

CODE:
  Alias /mailscanner /usr/local/www/mailscanner
  <Directory "/usr/local/www/mailscanner">
      Order allow,deny
      Allow from all
  </Directory>

Next restart your MailScanner (/usr/local/etc/rc.d/mailscanner restart) and watch /var/log/maillog closely. If no obvious errors or warnings occur, try to send yourself an e-mail. If it all works (e-mail received) just go ahead and browse to MailWatch to see some stats!


Configure Postfix

Changes to Postfix' main.cf; also change other settings to match your requirements. Setting 'soft_bounce = yes' for testing purposes while starting out with your new mail server would be a wise decision: rejections become temporary failures, so a mistake in the LDAP maps does not bounce real mail while you debug. We also need to change some things in main.cf so that Postfix' incoming mail goes through MailScanner first:

CODE:
  hash_queue_depth = 1
  hash_queue_names = incoming,hold,deferred,defer
  inet_protocols = all
  header_checks = regexp:/usr/local/etc/postfix/header_checks

And add the following line to /usr/local/etc/postfix/header_checks. Every message carries a Received: header, so this parks everything (incoming and locally submitted) in the hold queue, which is where MailScanner picks it up:

CODE:
  /^Received:/    HOLD

Further, change your main.cf to contain the following LDAP-related stuff. Two remarks: Postfix 2.1 and later want each LDAP table in its own file (ldap:/usr/local/etc/postfix/ldap-domains.cf and so on); the in-main.cf form used here is still accepted by the 2.x versions on this page but is deprecated. And set each parameter only once: Postfix takes the last value it sees, so a duplicated 'debug_peer_level' further down the file silently wins.

CODE:
  queue_directory = /var/spool/postfix
  command_directory = /usr/local/sbin
  daemon_directory = /usr/local/libexec/postfix
  mail_owner = postfix
  myhostname = mail.example.org
  mydomain = example.org
  myorigin = $mydomain
  # Empty: no recipient validation for $mydestination (only localhost here).
  # Do not leave this empty if you ever add real domains to mydestination,
  # or you accept, and then bounce, mail for unknown users.
  local_recipient_maps =
  unknown_local_recipient_reject_code = 550

  debug_peer_level = 2
  # continuation lines of a parameter start with whitespace
  debugger_command =
      PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
      xxgdb $daemon_directory/$process_name $process_id & sleep 5
  sendmail_path = /usr/local/sbin/sendmail
  newaliases_path = /usr/local/bin/newaliases
  mailq_path = /usr/local/bin/mailq
  setgid_group = maildrop
  html_directory = no
  manpage_directory = /usr/local/man
  sample_directory = /usr/local/etc/postfix
  readme_directory = no

  # ---- LDAP tables; "ldap:domains" etc. below refer to these prefixes ----
  # domains: which domains we host and how they are delivered (the
  # postfixTransport attribute, "virtual:" for every domain in the initial LDIF)
  domains_server_host = 127.0.0.1
  domains_search_base = dc=mail,dc=example,dc=org
  domains_query_filter = (&(dc=%s)(objectClass=mailDomain)(accountActive=TRUE)(delete=FALSE))
  domains_result_attribute = postfixTransport
  domains_bind = no
  domains_scope = one
  # aliases: mailAlias entries; every maildrop value is one delivery target
  aliases_server_host = 127.0.0.1
  aliases_search_base = dc=mail,dc=example,dc=org
  aliases_query_filter = (&(objectClass=mailAlias)(mail=%s)(accountActive=TRUE))
  aliases_result_attribute = maildrop
  aliases_bind = no
  aliasalternates_server_host = 127.0.0.1
  aliasalternates_search_base = dc=mail,dc=example,dc=org
  aliasalternates_query_filter = (&(objectClass=mailAlias)(mailalternateaddress=%s)(accountActive=TRUE))
  aliasalternates_result_attribute = maildrop
  aliasalternates_bind = no
  # accounts: real mailboxes; "mailbox" is the maildir path relative to
  # virtual_mailbox_base (trailing slash = maildir, no slash = mbox file)
  accounts_server_host = 127.0.0.1
  accounts_search_base = dc=mail,dc=example,dc=org
  accounts_query_filter = (&(objectClass=mailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
  accounts_result_attribute = mailbox
  accounts_bind = no
  # accountsmap: maps a mailbox address to itself, so that an existing mailbox
  # is never rewritten by a catch-all alias for its domain
  accountsmap_server_host = 127.0.0.1
  accountsmap_search_base = dc=mail,dc=example,dc=org
  accountsmap_query_filter = (&(objectClass=mailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
  accountsmap_result_attribute = mail
  accountsmap_bind = no
  accountalternates_server_host = 127.0.0.1
  accountalternates_search_base = dc=mail,dc=example,dc=org
  accountalternates_query_filter = (&(objectClass=mailAccount)(mailalternateaddress=%s)(accountActive=TRUE)(delete=FALSE))
  accountalternates_result_attribute = mail
  accountalternates_bind = no

  transport_maps = ldap:domains
  # masquerade_domains takes a list of domain names, not a lookup table, so
  # "ldap:domains" there does nothing useful; list the domains by hand if needed.
  #masquerade_domains = ldap:domains
  # virtual_maps is the pre-2.0 name of virtual_alias_maps
  virtual_alias_maps = ldap:accountsmap, ldap:aliases, ldap:accountalternates,
      ldap:aliasalternates
  # the delivery agent that writes under virtual_mailbox_base; "local" here
  # would route virtual mailbox domains to local(8), which knows nothing about
  # /usr/virtual (the "virtual:" from ldap:domains selects the same agent)
  virtual_transport = virtual
  virtual_mailbox_base = /usr/virtual
  virtual_mailbox_maps = ldap:accounts
  virtual_mailbox_domains = ldap:domains
  # must be the owner of /usr/virtual and equal Dovecot's user_global_uid/gid
  virtual_minimum_uid = 5000
  virtual_uid_maps = static:5000
  virtual_gid_maps = static:5000
  local_alias_maps = hash:/etc/mail/aliases
  local_transport = local
  mailbox_command = /usr/local/bin/procmail
  mydestination = localhost.example.org, localhost
  relay_domains = localhost
  # IP networks whose clients may relay through you; add the server's own
  # address, never a whole ISP range
  mynetworks = 127.0.0.0/8

  owner_request_special = no
  recipient_delimiter = +
  smtpd_client_restrictions = check_client_access hash:/usr/local/etc/postfix/access,
      permit
  # a bare "hash:..." in sender restrictions is shorthand for check_sender_access
  smtpd_sender_restrictions = check_sender_access hash:/usr/local/etc/postfix/access

And finally some code to protect your disk from flooding. virtual_mailbox_limit and virtual_mailbox_limit_inbox belong to the VDA quota patch the Postfix port was built with; the value is in bytes, so 1000000 is roughly 1 MB per mailbox, adjust to what your users get:

CODE:
  # Maximum size of a mailbox, in bytes (VDA quota)
  virtual_mailbox_limit = 1000000
  # Count only the INBOX against the limit (useful when you have IMAP users
  # with many folders)
  virtual_mailbox_limit_inbox = yes

You may want to add a few DNSBL statements to your main.cf to limit the amount of unwanted mail. Check that every list you query is still operating before you put it in production, and check again now and then: list.dsbl.org, for instance, has been shut down since 2009, and a decommissioned list whose domain later answers for every query would make you reject all mail. Keep reject_unauth_destination ahead of the DNSBL checks, as below, so you are never an open relay however a list behaves. (reject_invalid_hostname and reject_non_fqdn_hostname are the old names of reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname in Postfix 2.3 and later.)

CODE:
  smtpd_recipient_restrictions =
      permit_mynetworks,
      reject_unauth_destination,
      reject_unknown_recipient_domain,
      reject_invalid_hostname,
      reject_non_fqdn_hostname,
      reject_non_fqdn_sender,
      reject_non_fqdn_recipient,
      reject_unknown_sender_domain,
      reject_rbl_client list.dsbl.org,
      reject_rbl_client sbl.spamhaus.org,
      reject_rbl_client cbl.abuseat.org,
      reject_rbl_client dul.dnsbl.sorbs.net,
      permit
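What reject_rbl_client does for one client, plus the sanity check worth running on every list before it goes into main.cf, as an added example (not Postfix code). The zone names and DNS answers are constructed stubs so the block runs offline. Postfix itself treats any A record it gets back as a listing; the probe below (127.0.0.2 must be listed, 127.0.0.1 must not be) is the convention from RFC 5782 that tells a live list from a dead or wildcarded one.

```python
"""reject_rbl_client logic with a DNSBL liveness probe.  Added example for
this page, not Postfix code; all list names and answers are constructed."""
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(client_ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 against
    sbl.spamhaus.org becomes 10.2.0.192.sbl.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(client_ip, zone, resolve):
    """resolve(name) returns the A records as strings, or [] for NXDOMAIN.
    A DNSBL signals a listing with an answer inside 127.0.0.0/8; a parking
    page or a wildcarded web host is not a listing and must not count."""
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return any(ipaddress.IPv4Address(a) in LOOPBACK for a in answers)

def list_is_sane(zone, resolve):
    """RFC 5782 probe: 127.0.0.2 is the mandatory test entry, 127.0.0.1 must
    never be listed.  A zone that fails is dead (does nothing for you) or
    wildcarded (would reject every client)."""
    return (is_listed("127.0.0.2", zone, resolve)
            and not is_listed("127.0.0.1", zone, resolve))

def rbl_decision(client_ip, zones, resolve):
    """Walk the zones like a chain of reject_rbl_client entries: skip a zone
    that fails the probe, reject on the first sane zone listing the client,
    otherwise permit.  Returns (decision, zone)."""
    for zone in zones:
        if not list_is_sane(zone, resolve):
            continue
        if is_listed(client_ip, zone, resolve):
            return "reject", zone
    return "permit", None

def dns_resolve(name):
    """Real resolver for production use (not called here): A records, or []
    when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed stub answers standing in for DNS (not real list data):
FAKE_DNS = {
    # a healthy list: test entry present, 127.0.0.1 absent, one client listed
    "2.0.0.127.good.example": ["127.0.0.2"],
    "10.2.0.192.good.example": ["127.0.0.4"],
    # a list whose domain now points at a web host for every name
    "2.0.0.127.dead.example": ["198.51.100.7"],
    "1.0.0.127.dead.example": ["198.51.100.7"],
    "10.2.0.192.dead.example": ["198.51.100.7"],
}

def fake_resolve(name):
    if name.endswith(".wild.example"):   # dead list wildcarded to a 127/8 answer
        return ["127.0.0.2"]
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["dead.example", "wild.example", "good.example"]
    print(rbl_decision("192.0.2.10", zones, fake_resolve))   # ('reject', 'good.example')
    print(rbl_decision("192.0.2.20", zones, fake_resolve))   # ('permit', None)
    # what a naive check would have done with the wildcarded zone:
    print(is_listed("192.0.2.20", "wild.example", fake_resolve))   # True
```

Run list_is_sane with dns_resolve against each zone in your smtpd_recipient_restrictions (or do the same two lookups with dig) every few months; a zone that fails the probe should come out of main.cf the same day, since Postfix does not perform this check for you.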

Starting your mail server

Next, again edit /etc/rc.conf to disable sendmail and enable Postfix. Insert:

  • sendmail_enable="NONE"
  • postfix_enable="YES"

Comment out/remove (the old way of starting Postfix through the sendmail rc script):

  • sendmail_enable="YES"
  • sendmail_flags="-bd"
  • sendmail_pidfile="/var/spool/postfix/pid/master.pid"

Equivalently, in the form rc.conf(5) documents instead of "NONE", set sendmail_enable="NO" together with:

  • sendmail_outbound_enable="NO"
  • sendmail_submit_enable="NO"
  • sendmail_msp_queue_enable="NO"

Now would be a great time to start Postfix, but before you do, touch /var/log/maillog and open a second terminal, screen or whatever and run tail -f /var/log/maillog there (as well as maybe a tail on /var/log/messages) to see what's going on. First start MailScanner (/usr/local/etc/rc.d/mailscanner start), and remember to add mailscanner_enable="YES" to your /etc/rc.conf; watch your logging for a while before proceeding to the next step. Now you are ready to start Postfix, simply by typing postfix start.

    Verify mail sending and receiving

    Verify that you can send mail by sending yourself mail. If using an address@example.org which is an alias (pointing outside one of the domains for which your new Postfix server receives mail), check the headers of the copy that arrives and confirm they are OK. If receiving on a mailbox address (at your new Postfix server), look in /usr/virtual and confirm you have a new directory named example.org (depending on the recipient). Below that directory your mailbox name (as a directory) should appear, containing the usual maildir subdirectories (cur, new, tmp). Besides checking that your mail was received, also check the headers! Note that users of a mailbox must have received at least one e-mail to have their directory (and maildir files) in place: virtual(8) creates the maildir on first delivery. When you create a new mailbox (not an alias), send the new user a 'welcome' mail of some kind to let Postfix create their 'home directory' in /usr/virtual. When this is omitted the user will receive an error when checking mail (either via IMAP/POP or when using webmail).


    Documents and resources used

    Besides RTFM on the various packages used, a number of special resources are named below the package link list (in no particular order):

  • Postfix, the MTA used
  • SpamAssassin, spam tagging software
  • OpenLDAP, LDAP software
  • RoundCube, webmail software
  • Mailing list software (when done, you could add mailing lists; not covered in this document)
  • ClamAV antivirus software
  • Amavis, short for [A] [MA]il [VI]rus [S]canner
  • Apache web server for webmail and the admin (PHP) interface
  • The admin interface was built using PHP

    Most useful in producing this document was http://janus.errornet.de/ with his PDF and schema (mirrored here: pdf and schema).

    Others resources used

    • http://jamm.sourceforge.net everything else seems to be based upon this
    • http://www.vriesman.tk detailed enough for me

    Tom Scholten is a consultant with Snow B.V., a Dutch technical consultancy company supplying specialists in the fields of Storage, Networking and Unix.

  • 3 Responses to "Postfix LDAP Howto v2.1"
    1. Hi Tom,
      Not a comment but rather a request for advice:
      I am trying to write a .ldif file for
      Evolution to turn a list of e-mail addresses
      into a "members list", so that I can reach all my
      conference participants in one go.
      Unfortunately, however much I struggle, Evolution keeps
      making it one person with 500 alternative
      e-mail addresses. I now have the following code:

      dn: cn=naampje
      objectClass: ListOfMembers
      member: mail=a@b
      member: mail=b@c
      etc.

      That gives nothing at all on import.

      What else needs to go in there?
      And also, where can something like this be found on the net?

      Regards, Eef

    2. tom says:

      Eef,

      I don't use it myself, I use a mailing list manager program for mail distribution, but google for "objectclass: mailgroup"; with some changes to your schema this can work well.

      You could also try it quick-n-dirty by creating an ou or a dc, but I don't know whether Evolution understands that all the 'mail addresses' that fall under it then form a members list.

      Another option is to use mailing list software, for example mailman (http://www.list.org) or sympa (http://www.sympa.org). Majordomo is possible too, but I'm not a fan of it.

      The advantage of mailing list manager software is that it can keep track for you of who 'bounces' and so keeps itself clean automatically.

      I'll have a look at what a convenient way is; I'll keep you posted.

      Tom
