Asking for help with OpenLDAP+Postfix configuration on Redhat ES4
Gurus, I am learning Postfix configuration. My test server runs Redhat ES4, with OpenLDAP 2.2.13-2 and Postfix-2.1.5-2.3 installed by default. Since the default Postfix build does not support MySQL, I am using LDAP to store the mail account information. I intend to avoid using system accounts as mail accounts, but without using virtual domains, and I do not know how to do this. I have looked at some documents online; could you give me some help?

Bump, I would like to know too. Why has nobody answered?

[quote]【[b]In the post by ooops:[/b]】: Gurus, I am learning Postfix configuration. My test server runs Redhat ES4, with OpenLDAP 2.2.13-2 and Postfix-2.1.5-2.3 installed by default. Since the default Postfix build does not support MySQL, I am using LDAP to store the mail account information. I intend to avoid using system accounts as mail accounts, but without using virtual domains, and I do not know how to do this. I have looked at some documents online; could you give me some help?
[/quote]
This is a simple howto I wrote in 2002 (last updated in January 2003). Hope it helps:
[url]http://www.hzqbbc.com/devel/mini-howto.html[/url]
Of course, following it exactly may no longer fit the current situation; Postfix is now at 2.x.

Then may I ask, how would you do it with cyrus imap and cyrus sasl instead of courier-imp?

[code]$Id: mini-howto.html,v 1.1.1.2 2003/01/09 04:04:18 hzqbbc Exp $
Postfix+Maildrop+openLDAP+SqWebMail+courier-imp mini-howto
This is not the first time I have written a document, but there must be a lot of mistakes; please give me feedback if you like it or find some bug. Please give a clear indication of the source in your article if you cite my mini-howto.
Disclaimer:
All things and code mentioned in this document have not been tested much; use them at your own risk. Everything is *experimental*!
--------------------------------------------------------------------------------
1.Preparation of Postfix+Ldap
$su - root
#groupadd -g 1000 vgroup
#useradd -d /home/domains -u 1000 vuser
#rm -rf ~vuser/*
#rm -rf ~vuser/.*
2.OpenLDAP arch and base configuration
dc=MailServer,dc=CN
 |
 +-- o=Postfix
      |
      +-- vd=bj.cn
      |    +-- cn=postmaster
      |
      +-- vd=sh.cn
      |    +-- cn=postmaster
      |    +-- uid=user1,mail=user1@sh.cn
      |
      +-- vd=gd.cn
           +-- cn=postmaster
           +-- uid=user1,mail=user1@gd.cn
           +-- uid=user2,mail=user2@gd.cn
           +-- uid=user3,mail=user3@gd.cn
figure-1
Now, we will assume there are three VirtualDomains: bj.cn, sh.cn, gd.cn
with the architecture shown in figure-1. There are 4 virtual users called
user1@sh.cn, user1@gd.cn, user2@gd.cn, user3@gd.cn
3.Configure Slapd
Schema
We will use qmail.schema, shipped with the qmail-ldap patch, and add it to slapd.conf.
As an alternative, jamm.schema is not better than qmail.schema, without
many more features and attributes, NOT A GOOD SOLUTION FOR AN ISP or ENTERPRISE!
Jamm.schema configuration from:
http://ftp.hzqbbc.com/Mirror/postfix.collections/www.crt.realtors.org/projects/email-redir/howto-single-html/mailserver.html
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=MailServer,dc=CN"
rootdn "cn=Manager,dc=MailServer,dc=CN"
#rootpw secret
rootpw {SSHA}ra0sD47QP32ASAlaAhF8kgi+8Aflbgr7
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/postfix-ldap
# Indices to maintain
index objectClass pres,eq
index mail,cn eq,sub
# logging
loglevel 256
# Basic ACL
# Caution: Strip the '\' from the following section before running slapd
# or slapd reports an error!!!
# Note: the first pattern must name o=Postfix, the tree used everywhere
# else in this howto. With a different value the userPassword rule never
# matches and the later "by * read" rule would expose userPassword to all.
access to dn=".*,vd=([^,]+),o=Postfix,dc=MailServer,dc=CN"
attr=userPassword
by self write
by group/organizationalRole/roleOccupant="cn=postmaster,\
vd=$1,o=Postfix,dc=MailServer,dc=CN" write
by anonymous auth
by * none
access to dn=".*,vd=([^,]+),o=Postfix,dc=MailServer,dc=CN"
by self write
by group/organizationalRole/roleOccupant="cn=postmaster,\
vd=$1,o=Postfix,dc=MailServer,dc=CN" write
by * read
access to *
by * read
4.2 Password generation
4.2.1 rootpw generation
#slappasswd
New password: secret
Re-enter new password: secret
{SSHA}ra0sD47QP32ASAlaAhF8kgi+8Aflbgr7
4.2.2 common userpw generation
SSHA --> slappasswd
crypt --> passwd or another program that uses the crypt lib (see below: Add a new
user with script)
4.3 Creating All the basic directory
# Caution !!!
# all the information below is not complete; don't use it in enterprise
# applications. Before use in an enterprise, it should be designed
# carefully!! Adding quota, mailalternativeaddress, etc.. please refer
# to qmail.schema and get information, or extend it to fit your need :-)
filename:postfix-base.ldif
#cat postfix-base.ldif
# (dcObject/organization and their required dc/o attributes are added to
#  the root entry: slapd rejects an entry whose only class is top, and
#  LDIF entries must be separated by blank lines for ldapadd)
dn: dc=MailServer,dc=CN
objectClass: top
objectClass: dcObject
objectClass: organization
dc: MailServer
o: MailServer

dn: cn=Manager,dc=MailServer,dc=CN
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: organization
o: Postfix
filename:postfix-vdomain.ldif
#cat postfix-vdomain.ldif
# (vd is the RDN attribute of each entry and must also appear inside the
#  entry, otherwise slapd rejects the add as a naming violation)
dn: vd=bj.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: VirtualDomain
vd: bj.cn
postfixTransport: virtual:
description: VirtualDomain for Beijing name bj.cn

dn: vd=sh.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: VirtualDomain
vd: sh.cn
postfixTransport: virtual:
description: VirtualDomain for Shanghai name sh.cn

dn: vd=gd.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: VirtualDomain
vd: gd.cn
postfixTransport: virtual:
description: VirtualDomain for Guangdong name gd.cn
filename:postfix-vuser.ldif
# Please notice that the following content is only for test
# and in the same subtree, uid must be unique, so if you want
# to add user1@gd.cn and user1@sh.cn in the same subtree as :
# o=Postfix,dc=MailServer,dc=CN
# using old style : mail=%s,o=Postfix,dc=MailServer,dc=CN
# with different mail value will cause ldapadd to report an error!!
# so add new user in this way: mail=%s,vd=%s,o=%s,dc=%s
#
# 2002-08-27
# Update: change mailbox and homeDirectory attribute in entry
# for compatibility with SqWebMail's chdir mechanism. Here
# homeDirectory attribute used by SqWebMail's authldap and
# mailbox used by Postfix(end with Maildir/)
#
# SqWebMail mechanism to chdir:
# $homeDirectory/$mailStorage if homeDirectory set to /user1
# and mailStorage set to ./Maildir so chdir to:/user1/Maildir
# But the Postfix delivery program will deliver mail to
# /user1 only!(That means /user1/new not /user1/Maildir/new)
#
# Default mailStorage will be set to ./Maildir if it is not set in
# the authldaprc configuration file!
#
# 2002-08-26
# Update: change userPassword encryption from SSHA/SHA to the
# clearPassword (for debug use) and crypt, which are supported
# by SqWebMail.(SSHA authorization code is under development)
#
# 2002-08-24
# Update: old style of VirtualAccount DN is uid=%s,vd=%s,o=%s
# ,dc=%s,dc=%s But this will cause some problem, when new
# mail is delivered the mailbox path and structure will be:
# $virtual_mailbox_base/mail,vd , for example a VirtualDomain
# name domain1.com and VirtualAccount user1,the structure
# will be: /home/domain/user1@domain1.com,domain1.com
# It's not a good idea and looks ugly so change to new style
# cat postfix-vuser.ldif
dn: mail=user1@gd.cn,vd=gd.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: MailAccount
accountActive: TRUE
mail: user1@gd.cn
homeDirectory: gd.cn/user1
mailbox: gd.cn/user1/Maildir/
clearPassword: user1
userPassword: {crypt}n04ilheq14NL2

dn: mail=user2@gd.cn,vd=gd.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: MailAccount
accountActive: TRUE
mail: user2@gd.cn
homeDirectory: gd.cn/user2
mailbox: gd.cn/user2/Maildir/
clearPassword: user2
userPassword: {crypt}KVHlZletsnD2c

dn: mail=user1@sh.cn,vd=sh.cn,o=Postfix,dc=MailServer,dc=CN
objectClass: top
objectClass: MailAccount
accountActive: TRUE
mail: user1@sh.cn
homeDirectory: sh.cn/user1
mailbox: sh.cn/user1/Maildir/
clearPassword: user1
userPassword: {crypt}n04ilheq14NL2
4.4 Adding a new user
For some technical reasons, no mature ldap user administration
tools are available, so I decided to write some simple tools
for adding a new user and generating a password or so.
Here is a small perl script to generate a new user:
#!/usr/bin/perl
#
# AddUser-LDAP: Generate User entry for adding in LDAP
# Author: Raymond Ho
# History: Modify from genuser.pl from
# MacGyver aka Habeeb J. Dihu
# Copyright (C) 2002, He Zhi Qiang Raymond.Ho
use strict;
use warnings;
use Carp;
# arguments: user, domain, password (see the example invocation below)
croak "Usage: $0 user domain password\n" unless $#ARGV == 2;
my ($user, $domain, $password) = @ARGV;
# Random two-character salt for crypt(3).
my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
# output list (the DN must stay on one line in the generated LDIF)
my $dn = "dn: mail=$user\@$domain,vd=$domain,o=Postfix,dc=MailServer,dc=CN\n";
my $obj1 = "objectClass: top\n";
my $obj2 = "objectClass: MailAccount\n";
my $at = "accountActive: TRUE\n";
my $mail = "mail: $user\@$domain\n";
my $home = "homeDirectory: $domain/$user\n";
my $mailbox = "mailbox: $domain/$user/Maildir/\n";
my $clearpwd = "clearPassword: $password\n";
my $userpwd = "userPassword: {crypt}" . crypt($password, $salt) . "\n";
# output to stdout, ready to be piped into ldapadd
print "$dn$obj1$obj2$at$mail$home$mailbox$clearpwd$userpwd";
This program is derived from genuser.pl in the proftpd package. When you run
this program it will output the new user information in ldif format; just
redirect it to ldapadd, here is an example:
./adduser-ldap.pl user1 gd.cn user1 | ldapadd -x -D \
"cn=Manager,dc=MailServer,dc=CN" -w secr
5.Postfix Configuration
#Support qmail style mailbox Maildir
#Remember to add a slash('/') after Maildir
home_mailbox = Maildir/
#########################################################################
# Example Virtual Users & Domain definition starts from here! Please pay #
# more attention to it and configure properly. Every section has an     #
# explanation and comments; get help from the postfix official docs or   #
# view http://ftp.hzqbbc.com/Mirror/postfix* for help :-) by hzqbbc     #
#########################################################################
# mydestination configuration is very important, because Postfix by default
# relays mail for $mynetworks,$relay_domains,$mydestination,$virtual_maps
# so if you want Postfix to relay mail for a VirtualAccount in a Virtual-
# Domain, you must add $transport_maps here; for additional details please
# refer to the postfix documentation!
# PS: $virtual_maps here has no effect while postfix relays mail if you
# want VirtualDomain relays to take effect!!! Only transport_maps :-)
#
# Notes: Don't add $virtual_maps to mydestination
# mydestination = $myhostname, $mydomain, $transport_maps, \
# localhost.$mydomain, $virtual_maps
# The mailbox_command directive tells postfix which MDA will be used for
# unix users, value = procmail or maildrop or others
mailbox_command = /usr/bin/procmail
# ldap:transport , the ldapsource here tells postfix the information used
# while doing transport lookups
transport_server_host = localhost
transport_search_base = o=Postfix,dc=MailServer,dc=CN
transport_query_filter = (&(vd=%s)(objectClass=VirtualDomain))
transport_result_attribute = postfixTransport
transport_cache = yes
transport_bind = no
transport_scope = one
# ldap:aliases, the ldapsource here tells postfix the information used while
# searching aliases instead of using a hash file for lookup :-)
aliases_server_host = localhost
aliases_search_base = o=Postfix,dc=MailServer,dc=CN
aliases_query_filter = (&(&(objectClass=MailAlias)(mail=%s))(accountActive=TRUE))
aliases_result_attribute = maildrop
aliases_bind = no
aliases_cache = yes
# ldap:accounts, the ldapsource here tells postfix about VirtualAccount
# information while doing account ldap lookups
accounts_server_host = localhost
accounts_search_base = o=Postfix,dc=MailServer,dc=CN
accounts_query_filter = (&(&(objectClass=MailAccount)(mail=%s))(accountActive=TRUE))
accounts_result_attribute = mailbox
accounts_cache = yes
accounts_bind = no
# transport_maps & virtual_maps are shown here, please read the postfix docs carefully
transport_maps = ldap:transport
#Caution: in doc "mail redirection" virtual_maps is wrong! alias -> should be aliases
virtual_maps = ldap:aliases
# Basic configuration of VirtualAccount/Domain
# the dir will be arranged as "$virtual_mailbox_base/$mailbox"
# for example, virtual_mailbox_base=/home/domains , user1@domain1.com's $mailbox
# is domain1.com/user1/ so the mail will be stored in /home/domains/domain1.com/user1/
# and in this directory 'cur,new,tmp' will be created automatically when the first mail
# arrives , this is usually done by the virtual delivery program "virtual".
virtual_mailbox_base = /home/domains
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 1000
# The uid and gid that own the $virtual_mailbox_base directory
virtual_uid_maps = static:1000
virtual_gid_maps = static:1000
# local_transport should be set to "virtual" to deliver mail to a local VirtualAccount's
# $HOME directory . If it is not set here, mail delivery will fail
local_transport = virtual
local_recipient_maps = $alias_maps unix:passwd.byname $virtual_mailbox_maps
6.master.cf configuration
virtual & maildrop configuration is shown here
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
# Please pay more attention to virtual's chroot flag, make sure to set it to "n",
# or you will get an error like the following:
# (maildir delivery failed: create /xxx/xxx/username/Maildir/tmp/xxx.xxx.filename:
# Permission denied !! Because you are using chroot mode
virtual   unix  -       n       n       -       -       virtual
maildrop  unix  -       n       n       -       -       pipe
  flags=R user=vuser argv=/usr/bin/maildrop -d ${recipient}
7.jamm.schema's extension from qmail.schema
I have extended jamm.schema with qmail.schema into my.schema :-)
8.WebMail and authorization
Without any doubt, SqWebMail is the fastest webmail in the world: it reads the maildir
directly and is N times faster than webmail using pop3/imap. It's not difficult to
configure SqWebMail to cooperate with Postfix (Maildir support) and openLDAP.
I will demonstrate how to configure SqWebMail and test authorization with LDAP.
8.1 Configuration
Not many more comments about this part, just a build.sh; the comments in it will show
you how to:
#!/bin/sh
# build.sh: build sqwebmail with authldap support and work with Postfix
# Author: He Zhi Qiang
prefix=/home/sqwebmail
./configure --enable-webpass --enable-unicode=ISO-8859-1,US-ASCII,GB2312 \
--with-htmllibdir=${prefix} --enable-mimecharset=gb2312 --with-maxargsize=5000000 \
--with-maxformargsize=5000000 --with-maxmsgsize=5000000 --disable-autorenamesent \
--enable-softtimeout=1800 --enable-mimetypes=/etc/httpd/conf/apache-mime.types \
--prefix=${prefix} --enable-cgibindir=${prefix}/cgi-bin \
--enable-imagedir=${prefix}/html/sqwebmail/images --enable-imageurl=/sqwebmail/images \
--with-cachedir=${prefix}/share --without-authpam --without-authuserdb \
--without-authpwd --without-authshadow --without-authmysql --without-authvchkpw \
--without-authcram --without-authcustom --with-authldap --with-authldaprc=${prefix} \
--with-formdata --disable-utf7-folder-encoding \
--with-makedatprog=${prefix}/libexec/sqwebmail/makedatprog \
--with-authchangepwdir=${prefix}/libexec/authlib \
--with-authdaemonvar=${prefix}/var/authdaemon --sysconfdir=${prefix}
# If you skip the following "make htmllibdir.h" step, errors may
# occur; in my case this step was needed
cd sqwebmail
make htmllibdir.h
cd ..
make
make configure-check
make install-strip
#EOF of build.sh
After successfully installing SqWebMail, read ${prefix}/authldaprc carefully and
edit it to fit your needs; here is an example of my configuration:
##NAME: LOCATION:0
#
# Location of your LDAP server:
LDAP_SERVER localhost
LDAP_PORT 389
##NAME: LDAP_BASEDN:0
#
# Look for authentication here:
LDAP_BASEDN dc=MailServer,dc=CN
##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!
LDAP_BINDDN cn=Manager,dc=MailServer,dc=CN
LDAP_BINDPW secret
##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search
LDAP_TIMEOUT 5
##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request. This
# does not support CRAM-MD5 authentication, which requires userPassword.
#
# WARNING - as of the time this note is written, there are memory leaks in
# OpenLDAP that affect this option, see ITS #1116 in openldap.org's bug
# tracker. Avoid using this option until these leaks are plugged.
#
# LDAP_AUTHBIND 1
##NAME: LDAP_MAIL:0
#
# Here's the field on which we query
LDAP_MAIL mail
##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=))"
#
# LDAP_FILTER (objectClass=CourierMailAccount)
LDAP_FILTER (objectClass=MailAccount)
##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
# LDAP_DOMAIN example.com
##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
# LDAP_GLOB_UID vmail
# LDAP_GLOB_GID vmail
LDAP_GLOB_UID 1000
LDAP_GLOB_GID 1000
##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
LDAP_HOMEDIR homeDirectory
##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
LDAP_MAILROOT /home/domains
##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used
# LDAP_MAILDIR mailbox
##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA maildirQuota
##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name
#LDAP_FULLNAME cn
##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!
LDAP_CLEARPW clearPassword
#LDAP_CRYPTPW userPassword
##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID uidNumber
# LDAP_GID gidNumber
##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.
LDAP_DEREF never
##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to enable LDAP over SSL/TLS. Experimental setting.
# Requires OpenLDAP 2.0
#
LDAP_TLS 0
##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record. You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string. "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
#END of this file
# Detail please read authldaprc.dist for help
When you have finished editing this file, start authdaemond with:
${prefix}/libexec/authlib/authdaemond start
[/code]
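An added example (mine, not from the howto above nor from OpenLDAP or SqWebMail): it builds the same MailAccount entry that the howto's adduser-ldap.pl in section 4.4 emits, but stores only an {SSHA} userPassword in the format slappasswd produces in section 4.2 and drops the clearPassword attribute, which is only appropriate where the IMAP/webmail side can verify SSHA or uses LDAP_AUTHBIND. The ssha_verify function mirrors what slapd does on a simple bind; the input checks on the user and domain are my own addition.

```python
import base64
import hashlib
import os
from typing import Optional


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value as slappasswd emits it: base64(SHA1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a 4-byte random salt by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value: 20 digest bytes, the rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


# characters that would alter the DN, the LDIF line or the mailbox path
DN_UNSAFE = set(',+"\\<>;=\r\n')


def mail_account_ldif(user: str, domain: str, password: str) -> str:
    """LDIF for mail=<user>@<domain>,vd=<domain>,o=Postfix,dc=MailServer,dc=CN."""
    for part in (user, domain):
        # user and domain land unquoted in the DN and under /home/domains
        if (not part or "@" in part or "/" in part or part.startswith(".")
                or DN_UNSAFE & set(part)):
            raise ValueError(f"unsafe value for DN or mailbox path: {part!r}")
    mail = f"{user}@{domain}"
    lines = [
        f"dn: mail={mail},vd={domain},o=Postfix,dc=MailServer,dc=CN",
        "objectClass: top",
        "objectClass: MailAccount",
        "accountActive: TRUE",
        f"mail: {mail}",
        f"homeDirectory: {domain}/{user}",
        f"mailbox: {domain}/{user}/Maildir/",
        # no clearPassword: the salted hash is all a bind-based check needs
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(mail_account_ldif("user1", "gd.cn", "user1"))
```

Pipe the output into ldapadd exactly as the howto does with its perl script.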
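A second added example (mine, not Postfix's code and not part of the howto): a small model of the ldap: lookups that the main.cf in section 5 configures, run over a constructed in-memory copy of the section 4.3 entries. It shows how the %s key is escaped before substitution, how the accountActive=TRUE term gates delivery, and how $virtual_mailbox_base/$mailbox yields the Maildir path; the filter evaluator, DIRECTORY, ldap_lookup and resolve_delivery are my own simplifications (transport_maps is queried by domain only here).

```python
import re

# Constructed copy of the section 4.3 entries, only the attributes the
# filters touch; user2 is flipped to accountActive FALSE to show the gate.
DIRECTORY = [
    {"objectClass": ["top", "VirtualDomain"], "vd": ["gd.cn"],
     "postfixTransport": ["virtual:"]},
    {"objectClass": ["top", "MailAccount"], "accountActive": ["TRUE"],
     "mail": ["user1@gd.cn"], "mailbox": ["gd.cn/user1/Maildir/"]},
    {"objectClass": ["top", "MailAccount"], "accountActive": ["FALSE"],
     "mail": ["user2@gd.cn"], "mailbox": ["gd.cn/user2/Maildir/"]},
]
# the query filters and base directory from main.cf above
TRANSPORT_FILTER = "(&(vd=%s)(objectClass=VirtualDomain))"
ACCOUNTS_FILTER = "(&(&(objectClass=MailAccount)(mail=%s))(accountActive=TRUE))"
VIRTUAL_MAILBOX_BASE = "/home/domains"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of the %s key, so an address cannot reshape the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _parse(s: str):
    """Evaluator for (&..), (|..), (!..) and (attr=value); returns (predicate, rest)."""
    if not s.startswith("("):
        raise ValueError("bad filter: " + s)
    if s[1] in "&|!":
        op, s, kids = s[1], s[2:], []
        while not s.startswith(")"):
            kid, s = _parse(s)
            kids.append(kid)
        combine = all if op == "&" else any
        if op == "!":
            return (lambda e: not kids[0](e)), s[1:]
        return (lambda e: combine(k(e) for k in kids)), s[1:]
    end = s.index(")")  # escaped parens inside values are hex, never a raw ")"
    attr, value = s[1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    # equality only, case-insensitive like caseIgnoreMatch on mail/vd
    return (lambda e: value.lower() in (v.lower() for v in e.get(attr, []))), s[end + 1:]


def ldap_lookup(filter_template: str, key: str, result_attr: str):
    """Postfix-style table lookup: escaped key replaces %s, first value is returned."""
    predicate, rest = _parse(filter_template.replace("%s", ldap_escape(key)))
    if rest:
        raise ValueError("trailing filter text: " + rest)
    for entry in DIRECTORY:
        if predicate(entry):
            return entry[result_attr][0]
    return None


def resolve_delivery(address: str):
    """(transport, Maildir path) for an address, or None when a lookup misses."""
    domain = address.rsplit("@", 1)[-1]
    transport = ldap_lookup(TRANSPORT_FILTER, domain, "postfixTransport")
    mailbox = ldap_lookup(ACCOUNTS_FILTER, address, "mailbox")
    if transport is None or mailbox is None:
        return None
    return transport, VIRTUAL_MAILBOX_BASE + "/" + mailbox
```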