Dovecot, Postfix - With LDAP for Active Directory [Exclusive Guide]


Today's article is about Dovecot, Postfix and connecting them to an Active Directory via LDAP.
I used Debian Jessie (the "soon" upcoming stable) and Microsoft Windows Server 2012 R2.


Dovecot should be version >= 2.1 (the %{ldap:...} variables used below need it); the Postfix version matters least. I think all distributions ship a version that is recent enough.


In many places I do not go into as much detail as some might wish. In particular, I will mostly skip or simply not explain the general configuration of Dovecot and Postfix (sorry).
I think this article clears up many open questions about Linux mail server + Active Directory, or at least points in the right direction.
The syntax is occasionally wild, but it is not that hard. It just takes some time.
Do not be angry with me that "dc=debinux" and not "dc=domain" appears on the screenshots ;-)


What is also possible in this setup is creating groups within the OU "People" (described further below) with an e-mail address, whose members then receive those messages.
A quota is also read from a (custom) attribute in the Active Directory.


Changelog


  • 03 December 2014: caching of login information for 5 minutes in case LDAP is offline

Preparations


In my Active Directory I create an account for the LDAP bind from the mail server to the AD and note its DN ("Distinguished Name"). This account only needs to read the directory; do not reuse an administrative account for it:


Dovecot, Postfix, Active Directory Figure 1

Dovecot, Postfix, Active Directory Figure 2



The "Distinguished Name" thus reads:

CN=Dovecot Administrator,OU=Service Accounts,DC=domain,DC=local

Next I need a custom attribute "quotaBytes" that is available for all users.
Technet describes understandably how to create your own attribute in an AD.

Caution: afterwards it is necessary to open the created attribute again and tick "Replicate this attribute to the Global Catalog".

I place my users in the OU "People".


Dovecot, Postfix, Active Directory Figure 3



On the Linux server the following packages are installed:

apt-get install dovecot-ldap dovecot-imapd postfix-ldap

Postfix will ask for the location / the type of server; your choice does not matter, because the configuration is deleted later anyway.
If errors occur during the Dovecot installation, this is simply the missing certificate for SSL and is not a problem:
the relevant configuration file can be deleted and the packages installed again.

rm /etc/dovecot/conf.d/10-ssl.conf
apt-get install dovecot-ldap dovecot-imapd

Before I continue, I add the user "vmail" with UID 5000 and the group "vmail" with GID 5000.
Dovecot is later told (of course) to drop its privileges to this user after successful authentication.
Mail lives in "/var/vmail", which is the home directory of the user "vmail":

groupadd -g 5000 vmail
useradd -g vmail -u 5000 -d /var/vmail vmail
mkdir /var/vmail
chown vmail:vmail /var/vmail

Dovecot


For clarity, I delete all sample configuration files:

rm -r /etc/dovecot/*

For coupling Dovecot to the AD I created the following LDAP configuration. Some explanations follow the options.

nano /etc/dovecot/dovecot-ldap.conf.ext

Content:

# Windows Active Directory
hosts = 192.168.99.1
dn = CN=Dovecot Administrator,OU=Service Accounts,DC=domain,DC=local
dnpass = MeinPasswortDesServiceAccounts
# I do not need it (!) - but see the caveat below
tls = no
# for the authentication itself Dovecot binds as the mail user who is logging in
auth_bind = yes
ldap_version = 3
# my OU with the users
base = OU=People,DC=domain,DC=local
# or "base", if the OU should not be searched recursively
scope = subtree
user_attrs = \
  =quota_rule=*:bytes=%{ldap:quotaBytes}, \
  =home=/var/vmail/%d/%{ldap:sAMAccountName}, \
  =mail=maildir:/var/vmail/%d/%{ldap:sAMAccountName}/Maildir
# only persons, only non-disabled accounts, only entries with a mail attribute
user_filter = (&(mail=%u)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(mail=%u)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# used mainly by "doveadm" to enumerate users
iterate_attrs = mail=user
iterate_filter = (objectclass=person)

About "user_attrs":
- The "quota_rule" value does not have to be stored in bytes in the AD; values such as "100M" or "2G" are also possible.
- "home" is the home directory of the mail user. It should never be identical to the mail directory; "home" and "mail" must be two different directories.

I decided that "mail" lives inside "home". For a better understanding:

Home: /var/vmail/domain.tld/user.name
Mail: /var/vmail/domain.tld/user.name/Maildir

Two things are worth checking in the filters. The "!" in "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" is what excludes disabled accounts; without it the filter would match only disabled accounts. And because "auth_bind = yes" makes Dovecot send the user's own password to the domain controller in a simple bind, "tls = no" means that password crosses the network in cleartext. Unless the link to the AD is protected some other way, use "tls = yes" and point "tls_ca_cert_file" at the CA that issued the domain controller's certificate.



Finally, protect the file against unauthorized access; it contains the bind password, and Dovecot's auth service reads it as root, so nobody else needs access:

chown root: /etc/dovecot/dovecot-ldap.conf.ext; chmod 600 /etc/dovecot/dovecot-ldap.conf.ext

Next, a simple "dovecot.conf" template:


 nano /etc/dovecot/dovecot.conf

auth_mechanisms = plain login
mail_uid = vmail
mail_gid = vmail
ssl_cert = </ssl/mail.crt
ssl_key = </ssl/mail.key
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%s %c %k"
mail_plugins = quota
ssl_protocols = !SSLv3 !SSLv2
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
log_timestamp = "%Y-%m-%d %H:%M:%S "
protocols = imap
listen = *
# ~200 users with password
auth_cache_size = 50000
# in seconds, 5 minutes
auth_cache_ttl = 300
# when users did not exist at the last check
auth_cache_negative_ttl = 30

userdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}

service auth {
  unix_listener /var/spool/postfix/private/auth_dovecot {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = root
}

service dict {
  unix_listener dict {
    mode = 0660
    user = vmail
    group = vmail
  }
}

namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}

protocol imap {
  mail_plugins = quota imap_quota
}

plugin {
  quota = maildir:User quota
}


This configuration provides only IMAP and the possibility of using quotas. The usual folders ("mailboxes") are created at login.
Worth mentioning is the socket inside "service dict", which understandably must run as "vmail".
"service auth" provides the socket for Postfix, over which it can then authenticate. Hence the path inside the "chroot" environment "/var/spool/postfix", owned by the postfix user.
That "ssl_cert" and "ssl_key" have to be adapted (note the leading "<", which tells Dovecot to read the file), I need not say. 🙂


Postfix


Again a very simple template for the file "/etc/postfix/master.cf":


smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o tls_preempt_cipherlist=yes
pickup     fifo  n       -       -       60      1       pickup
cleanup    unix  n       -       -       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       -       1000?   1       tlsmgr
rewrite    unix  -       -       -       -       -       trivial-rewrite
bounce     unix  -       -       -       -       0       bounce
defer      unix  -       -       -       -       0       bounce
trace      unix  -       -       -       -       0       bounce
verify     unix  -       -       -       -       1       verify
flush      unix  n       -       -       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       -       -       -       smtp
relay      unix  -       -       -       -       -       smtp
showq      unix  n       -       -       -       -       showq
error      unix  -       -       -       -       -       error
retry      unix  -       -       -       -       -       error
discard    unix  -       -       -       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       -       -       -       lmtp
anvil      unix  -       -       -       -       1       anvil
scache     unix  -       -       -       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp       unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
  flags=R user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman    unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

The last two lines describe handing mail over to Dovecot. Apart from that, only "submission" on port 587/tcp was enabled; there I require a secure connection to be initiated with STARTTLS before authentication.
For the listener on port 25 this remains optional, because not every sending server can do TLS and mandatory TLS there would lose mail.


Now to the file "/etc/postfix/main.cf".


 nano /etc/postfix/main.cf

Content:



smtpd_banner = $myhostname
biff = no
inet_protocols = ipv4
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix
smtpd_tls_cert_file = /etc/ssl/mail.crt
smtpd_tls_key_file = /etc/ssl/mail.key
smtpd_tls_security_level = may
smtp_tls_cert_file = /etc/ssl/mail.crt
smtp_tls_key_file = /etc/ssl/mail.key
smtp_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_eecdh_grade = strong
# e.g. mail.domain.tld
myhostname = hostname.domain.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
# a virtual domain must NEVER be listed here!
mydestination = hostname.domain.tld localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_dovecot
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
   reject_unknown_sender_domain,
   permit_sasl_authenticated
smtpd_recipient_restrictions = permit_sasl_authenticated,
   permit_mynetworks,
   reject_rbl_client zen.spamhaus.org,
   reject_unauth_destination,
   reject_unknown_reverse_client_hostname
smtpd_data_restrictions =
   reject_unauth_pipelining,
   permit
virtual_mailbox_base = /var/vmail/
virtual_alias_domains =
virtual_minimum_uid = 104
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_transport = dovecot
html_directory = /usr/share/doc/postfix/html
sender_bcc_maps =
recipient_bcc_maps =
relay_domains =
relay_recipient_maps =
# appended when a login name is given without a domain
smtpd_sasl_local_domain = domain.tld
# all virtual domains
virtual_mailbox_domains = domain.tld
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf
# necessary for the group function: deliver(1) takes one recipient per call
dovecot_destination_recipient_limit = 1

The above is again just a template, part of which I copied from fufix, of course without the MySQL proxy maps. Absolutely adjust: myhostname, mydestination, smtpd_sasl_local_domain, virtual_mailbox_domains.
Note that Postfix does not accept a "#" comment after a value on the same line (it would become part of the value), so the explanatory comments in this template sit on lines of their own.

Please DO NOT enter the external domain under mydestination.


The content of the proxy Maps is as follows:


1. – /etc/postfix/ldap/sender_login_maps.cf


 nano /etc/postfix/ldap/sender_login_maps.cf

Content:


server_host = 192.168.99.1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = CN=Dovecot Administrator,OU=Service Accounts,DC=domain,DC=local
bind_pw = MeinPasswortDesServiceAccounts
search_base = OU=People,DC=domain,DC=local
scope = sub
query_filter = (&(mail=%s)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = mail

2. – /etc/postfix/ldap/virtual_group_maps.cf


 nano /etc/postfix/ldap/virtual_group_maps.cf

Content:


server_host = 192.168.99.1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = CN=Dovecot Administrator,OU=Service Accounts,DC=domain,DC=local
bind_pw = MeinPasswortDesServiceAccounts
search_base = OU=People,DC=domain,DC=local
scope = sub
query_filter = (&(objectclass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
result_attribute = mail
debuglevel = 0

3. – /etc/postfix/ldap/virtual_mailbox_maps.cf


 nano /etc/postfix/ldap/virtual_mailbox_maps.cf

Content:


server_host = 192.168.99.1
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = CN=Dovecot Administrator,OU=Service Accounts,DC=domain,DC=local
bind_pw = MeinPasswortDesServiceAccounts
search_base = OU=People,DC=domain,DC=local
scope = sub
query_filter = (&(mail=%s)(objectclass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = mail
result_format = %d/%u/Maildir/
debuglevel = 0

The new proxy maps contain the bind password and must likewise be protected against unauthorized access. Because they are used through "proxy:", the proxymap(8) daemon reads them as the unprivileged "postfix" user, so that user's group needs read access and nobody else does. A world-readable mode such as 744 would hand the bind password to every local account on the server:

chown root:postfix /etc/postfix/ldap/*; chmod 640 /etc/postfix/ldap/*
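A small check for the point above, added here as an example and not part of the original article: it scans a directory for map files that carry a "bind_pw" (Postfix) or "dnpass" (Dovecot) line and reports those readable by "other", or by group where group access is not wanted. The demo files, their names and the mode 744 used for the "bad" file are constructed for the demonstration.

```python
"""Find map files that hold an LDAP bind password and are readable too widely.

Added check, not part of the original article. proxymap(8) reads proxy:ldap:
tables as the unprivileged "postfix" user, so those files need group read for
that user but must never be readable by "other". dovecot-ldap.conf.ext is
read by Dovecot's auth process as root and needs neither (allow_group=False).
The demo directory and file names below are made up.
"""
import os
import re
import stat
import tempfile

# the keys under which the two programs store the bind password
SECRET_KEYS = re.compile(r"^\s*(bind_pw|dnpass)\s*=", re.MULTILINE)


def holds_secret(path: str) -> bool:
    """True if the file contains a bind_pw or dnpass setting."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return SECRET_KEYS.search(fh.read()) is not None


def too_open(path: str, allow_group: bool) -> bool:
    """True if "other" may read the file, or group may and that is not allowed."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return True
    return not allow_group and bool(mode & stat.S_IRGRP)


def audit(directory: str, allow_group: bool = True) -> list:
    """Paths in `directory` that contain a bind password and are too open."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and holds_secret(path) and too_open(path, allow_group):
            findings.append(path)
    return findings


def demo() -> tuple:
    """Two throwaway map files: one with the world-readable mode 744, one with 640.

    Returns the file names flagged before and after the 744 file is fixed."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "virtual_mailbox_maps.cf")
        good = os.path.join(tmp, "sender_login_maps.cf")
        for path in (bad, good):
            with open(path, "w") as fh:
                fh.write("server_host = 192.168.99.1\nbind_pw = MeinPasswortDesServiceAccounts\n")
        os.chmod(bad, 0o744)
        os.chmod(good, 0o640)
        before = [os.path.basename(p) for p in audit(tmp)]
        os.chmod(bad, 0o640)          # the fix: chown root:postfix; chmod 640
        after = [os.path.basename(p) for p in audit(tmp)]
        return before, after


if __name__ == "__main__":
    print(demo())          # prints (['virtual_mailbox_maps.cf'], [])
```

On a real server call audit("/etc/postfix/ldap") for the Postfix maps and audit("/etc/dovecot", allow_group=False) for the Dovecot file; an empty list means no password file is exposed. The check looks only at mode bits, so also verify the group owner is actually "postfix".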

Finally, a few words about the proxy maps above; much can be derived from the Dovecot configuration.
The "query_filter" is, logically, the filter for the search, for example:

(&(mail=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This searches for persons with the e-mail address "%s" that are not disabled: the OID 1.2.840.113556.1.4.803 is Microsoft's bitwise-AND matching rule, 2 is the ACCOUNTDISABLE bit of userAccountControl, and the "!" negates the match.
Everything must be true, hence the "&" operator at the beginning. There are many other operators and Active Directory-specific filters.
"result_attribute" is the value that is returned. It may be empty if no results were found.
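To make the filter semantics concrete without a domain controller at hand, here is an added example (not code from the article): the user/pass filter, the Postfix "result_format", Dovecot's "user_attrs" templates and the group expansion of virtual_group_maps.cf are re-implemented in Python and run against a constructed in-memory copy of the OU "People". The entries (alice, bob, sales), the DIRECTORY dictionary and all function names are made up for the demonstration.

```python
"""Offline model of the Active Directory lookups used in this article.

Added example, not code from the original article. The page's LDAP filters
and attribute templates are re-implemented and evaluated against a
constructed, in-memory copy of the OU "People".
"""
from __future__ import annotations

ACCOUNTDISABLE = 0x0002   # the userAccountControl bit tested by the filters
BIT_AND_RULE_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

# Constructed sample directory (not real data); values mimic what AD returns.
DIRECTORY = {
    "CN=Alice Admin,OU=People,DC=domain,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["alice"],
        "mail": ["alice@domain.tld"],
        "userAccountControl": ["512"],   # NORMAL_ACCOUNT, enabled
        "quotaBytes": ["2G"],
    },
    "CN=Bob Left,OU=People,DC=domain,DC=local": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": ["bob"],
        "mail": ["bob@domain.tld"],
        "userAccountControl": ["514"],   # 512 | ACCOUNTDISABLE
        "quotaBytes": ["1G"],
    },
    "CN=Sales,OU=People,DC=domain,DC=local": {
        "objectClass": ["top", "group"],
        "mail": ["sales@domain.tld"],
        "member": [
            "CN=Alice Admin,OU=People,DC=domain,DC=local",
            "CN=Bob Left,OU=People,DC=domain,DC=local",
        ],
    },
}


def attr(entry: dict, name: str) -> list:
    """LDAP attribute names are case-insensitive; values are always lists."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def has_value(entry: dict, name: str, value: str) -> bool:
    return value.lower() in (v.lower() for v in attr(entry, name))


def bit_and_match(entry: dict, name: str, mask: int) -> bool:
    """Semantics of (name:1.2.840.113556.1.4.803:=mask): all bits of mask set."""
    return any(int(v) & mask == mask for v in attr(entry, name))


def is_active_person(entry: dict, mail: str) -> bool:
    """(&(mail=%u)(objectclass=person)(!(userAccountControl:<OID>:=2)))"""
    return (
        has_value(entry, "mail", mail)
        and has_value(entry, "objectClass", "person")
        and not bit_and_match(entry, "userAccountControl", ACCOUNTDISABLE)
    )


def lookup_person(mail: str) -> dict | None:
    """What Dovecot's user_filter or Postfix's virtual_mailbox_maps selects."""
    return next((e for e in DIRECTORY.values() if is_active_person(e, mail)), None)


def postfix_maildir(mail: str) -> str | None:
    """virtual_mailbox_maps.cf: result_attribute=mail, result_format=%d/%u/Maildir/"""
    if lookup_person(mail) is None:
        return None
    user, domain = mail.split("@", 1)
    return f"{domain}/{user}/Maildir/"


def dovecot_user_attrs(mail: str) -> dict | None:
    """user_attrs: quota_rule, home and mail built from %d and sAMAccountName."""
    entry = lookup_person(mail)
    if entry is None:
        return None
    domain = mail.split("@", 1)[1]
    account = attr(entry, "sAMAccountName")[0]
    return {
        "quota_rule": f"*:bytes={attr(entry, 'quotaBytes')[0]}",
        "home": f"/var/vmail/{domain}/{account}",
        "mail": f"maildir:/var/vmail/{domain}/{account}/Maildir",
    }


def expand_group(mail: str) -> list:
    """virtual_group_maps.cf: match (&(objectclass=group)(mail=%s)), follow
    special_result_attribute=member to each DN and return that entry's mail
    (leaf_result_attribute). The group's own mail is not returned, and the
    group filter does not exclude disabled members, so bob is still listed."""
    for entry in DIRECTORY.values():
        if has_value(entry, "objectClass", "group") and has_value(entry, "mail", mail):
            return [attr(DIRECTORY[dn], "mail")[0]
                    for dn in attr(entry, "member") if dn in DIRECTORY]
    return []


if __name__ == "__main__":
    for address in ("alice@domain.tld", "bob@domain.tld"):
        print(address, "->", postfix_maildir(address), dovecot_user_attrs(address))
    print("sales@domain.tld ->", expand_group("sales@domain.tld"))
```

Running it shows the two things the filters are there for: the disabled account bob is invisible to the user, pass and mailbox lookups (dropping the "!" from the filter would invert that), while the group expansion still lists him, because the group map has no such clause; Dovecot's userdb lookup at delivery time is what finally refuses his copy.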

