Debian, Dovecot, postfix

Building Mailserver with Postfix

It’s been a week since I started playing around with Postfix. Though we are qmail lovers, a few days back one of my friends asked me to help him build a mail server, but he wanted to use Postfix as the MTA. I decided to integrate LDAP as well, so that he can have centralized user management. So in this post I will explain how to set up Postfix to use LDAP for user lookups, Dovecot SASL for SMTP auth, and Dovecot’s LDA for delivering mail to the users’ mailboxes. I’m using Debian 6.4 as the base OS. I’ve also installed slapd, and I have a few test users in it. My LDAP setup has two OUs, People and Groups.

First we will set up Dovecot. The Debian Squeeze repository has Dovecot 1.2, so that is what I will be installing.

$ apt-get install dovecot-common dovecot-pop3d dovecot-imapd

Once Dovecot is installed, we need to enable Dovecot’s LDA and Dovecot’s SASL auth. Modify the dovecot.conf file as below. Since I’m using a virtual user vmail, I need to set mail_uid and mail_gid to vmail’s uid and gid. Also, login_user must be postfix.

In the lda section,

protocol lda {
 postmaster_address = postmaster@<domain_name>
 mail_plugin_dir = /usr/lib/dovecot/modules/lda
 deliver_log_format = msgid=%m: %$
 sendmail_path = /usr/sbin/sendmail
 rejection_subject = Rejected: %s
 auth_socket_path = /var/run/dovecot/auth-master
 log_path = /var/log/dovecot-deliver.log
 info_log_path = /var/log/dovecot-deliver.log
}

In the auth section,

auth default {
  mechanisms = plain

  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  userdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }

  socket listen {
    # Master socket: used by deliver (running as vmail) for userdb lookups.
    master {
      path = /var/run/dovecot/auth-master
      # 0666 lets any local process query the userdb; 0600 is enough when
      # the socket is owned by the same user deliver runs as.
      mode = 0666
      # Default user/group is the one who started dovecot-auth (root)
      user = vmail
      group = vmail
    }

    # Client socket: used by Postfix smtpd for SASL authentication.
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

Below is the content of my dovecot-ldap.conf

hosts = localhost
dn = <ldap_bind_dn>
dnpass = <ldap_bind_pwd>
sasl_bind = no
# Authenticate by binding to LDAP as the user, so no password hash is read
auth_bind = yes
ldap_version = 3
base = <ldap_base_dn>
pass_attrs = uid=user
pass_filter = (&(objectClass=posixAccount)(uid=%u))
user_attrs = homeDirectory=home,mailQuotaSize=quota=dirsize:storage
user_filter = (&(objectClass=posixAccount)(|(mail=%u)(mailAlternateAddress=%u)(uid=%u)))

Now that Dovecot is ready, we can go ahead with the Postfix installation. We need to install the packages below.

$ apt-get install postfix postfix-ldap

Once the packages are installed, we need to configure Postfix’s main config file, i.e. main.cf. Below is my configuration.

myhostname = vagrant-postfix-box
smtpd_banner = <smtp_banner>
biff = no
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/server.pem
smtpd_tls_key_file = /etc/ssl/private/server.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Local aliases plus the LDAP lookup that maps mail/mailAlternateAddress to uid
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap_virtual_mailalt.cf
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
# main.cf does not allow a comment after a value, so the lookup notes go on their own lines.
# This LDAP lookup returns the user's Maildir as the result
virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_users.cf
# This LDAP lookup returns the uid from LDAP
virtual_alias_maps = ldap:/etc/postfix/ldap_virtual_mailalt.cf
local_recipient_maps = $alias_maps
# This LDAP lookup returns the uid attribute from LDAP
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_senders.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
mailbox_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = <add virtual domains here>
virtual_transport = dovecot

We can also specify the SMTP client, sender and recipient restrictions in the same file:

smtpd_client_restrictions =
        permit_mynetworks

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unverified_recipient,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_auth_destination,
        reject_unauth_destination

smtpd_sender_restrictions =
        reject_unknown_sender_domain,
        reject_unlisted_sender,
        reject_authenticated_sender_login_mismatch
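When editing main.cf, two details are easy to get wrong: Postfix does not treat a "#" after a value as a comment (it becomes part of the value), and a parameter is defined by its bare name, so "$alias_maps" on the left-hand side of "=" is a reference, not a definition. The Python lint below is an added example, not part of the original post, and only a simple model of Postfix's parser; it flags those two mistakes, duplicate definitions, and a smtpd_recipient_restrictions list lacking reject_unauth_destination, against a constructed sample fragment.

```python
import re

# Constructed sample main.cf fragment (not a real configuration) reproducing the
# pitfalls: a comment after a value and "$alias_maps" used as a parameter name.
SAMPLE_MAIN_CF = """\
alias_maps = hash:/etc/aliases
virtual_mailbox_maps = ldap:/etc/postfix/ldap_virtual_users.cf   #returns the Maildir
$alias_maps = hash:/etc/aliases,ldap:/etc/postfix/ldap_virtual_mailalt.cf
local_recipient_maps = $alias_maps
smtpd_recipient_restrictions=
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination
"""

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_main_cf(text):
    """Return (name, value) pairs; indented lines continue the previous value."""
    params = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or a whole-line comment
        if line[0] in " \t" and params:
            name, value = params[-1]
            params[-1] = (name, (value + " " + line.strip()).strip())
            continue
        name, _, value = line.partition("=")
        params.append((name.strip(), value.strip()))
    return params

def lint_main_cf(text):
    """Return a list of findings (empty when nothing is flagged)."""
    findings, seen = [], {}
    for name, value in parse_main_cf(text):
        if not NAME_RE.match(name):
            findings.append(f"{name}: not a valid parameter name ('$' only expands references)")
        if "#" in value:
            findings.append(f"{name}: '#' after a value is not a comment, it becomes part of the value")
        if name in seen:
            findings.append(f"{name}: defined more than once (the last definition wins)")
        seen[name] = value
    # Without reject_unauth_destination this list provides no relay control.
    if "reject_unauth_destination" not in seen.get("smtpd_recipient_restrictions", ""):
        findings.append("smtpd_recipient_restrictions: missing reject_unauth_destination")
    return findings
```

Run lint_main_cf(open("/etc/postfix/main.cf").read()) to check a real file; for the sample it reports the inline comment and the "$alias_maps" line.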

Below are the contents of the various LDAP lookup files. We can verify these lookups with the postmap command, "postmap -q ldap:/

########ldap_virtual_mailalt.cf########

    server_host = ldap://localhost
    version = 3
    search_base = <ldap_base_dn>
    bind_dn = <ldap_bind_dn>
    bind_pw = <ldap_bind_password>
    bind = yes
    debug_level = 3
    query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
    result_attribute = uid


########ldap_virtual_users.cf########

    server_host = ldap://localhost
    version = 3
    search_base = <ldap_base_dn>
    bind_dn = <ldap_bind_dn>
    bind_pw = <ldap_bind_password>
    bind = yes
    debug_level = 3
    query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
    result_attribute = uid
    result_format = %s/Maildir/


########ldap_senders.cf########

    server_host = ldap://localhost
    version = 3
    search_base = <ldap_base_dn>
    bind_dn = <ldap_bind_dn>
    bind_pw = <ldap_bind_password>
    bind = yes
    debug_level = 3
    query_filter = (&(|(mail=%s)(mailAlternateAddress=%s)))
    result_attribute = uid

Now we need to let Dovecot handle delivery, so we add the following entry to master.cf:

dovecot   unix  -       n       n       -       -       pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient}

I’m using the full recipient e-mail address as the delivery option because, in a multi-domain setup, two different users may want the same name, say “abc”. An LDAP DN is always unique, so we cannot have the same user name for two different users; in such cases we use the full e-mail address as the username for the second user. In that scenario we cannot use the user parameter as the delivery option, because Dovecot would strip the @domain part and take the rest as the user, so the mail would not be delivered to the actual user.
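To make the point above concrete, here is an added Python model (not part of the original post) of the two lookups involved: Postfix's ldap_virtual_users.cf query with its result_format, and Dovecot's userdb user_filter from dovecot-ldap.conf, run against constructed directory entries in which two users share the local part "abc". It shows that delivering with -d ${recipient} finds the right mailbox, while the local-part-only ${user} lands on the wrong one.

```python
# Constructed LDAP entries (not from the post's directory). The second "abc" uses
# its full e-mail address as uid, as the post describes for a clash across domains.
ENTRIES = [
    {"uid": "abc", "mail": "abc@example.org",
     "mailAlternateAddress": ["abc.one@example.org"],
     "homeDirectory": "/var/vmail/example.org/abc"},
    {"uid": "abc@example.net", "mail": "abc@example.net",
     "mailAlternateAddress": [],
     "homeDirectory": "/var/vmail/example.net/abc"},
]

def _values(entry, attr):
    """LDAP attributes are multi-valued; normalise to a list."""
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]

def _matches(entry, key, attrs):
    return any(key in _values(entry, a) for a in attrs)

def postfix_virtual_users_lookup(address):
    """Model ldap_virtual_users.cf: query_filter (|(mail=%s)(mailAlternateAddress=%s)),
    result_attribute = uid, result_format = %s/Maildir/. Returns None when nothing matches."""
    for e in ENTRIES:
        if _matches(e, address, ("mail", "mailAlternateAddress")):
            return f"{e['uid']}/Maildir/"
    return None

def dovecot_userdb_lookup(username):
    """Model the dovecot-ldap.conf user_filter
    (|(mail=%u)(mailAlternateAddress=%u)(uid=%u)); the first matching entry wins."""
    for e in ENTRIES:
        if _matches(e, username, ("mail", "mailAlternateAddress", "uid")):
            return e["homeDirectory"]
    return None

def deliver_home(recipient, use_full_recipient=True):
    """Home directory deliver would use for a recipient. With use_full_recipient=False
    the pipe(8) ${user} expansion is modelled: the domain part is stripped first."""
    username = recipient if use_full_recipient else recipient.split("@", 1)[0]
    return dovecot_userdb_lookup(username)

if __name__ == "__main__":
    for rcpt in ("abc@example.org", "abc@example.net"):
        print(rcpt, deliver_home(rcpt), deliver_home(rcpt, use_full_recipient=False))
```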

This setup has worked perfectly with Debian Squeeze as well as with Debian Vagrant boxes. I’m writing a Puppet module that will automate the LDAP, Postfix and Dovecot installation and configuration, giving a ready-to-use mail server. Soon I will upload it to my GitHub account.
