User talk:Secureit

POSTFIX Mail Server using LDAP Virtual Users (Postfix + LDAP + Dovecot + SquirrelMail + ClamAV + MailScanner + SpamAssassin)

(Last updated on 27/01/2008) (Latest version available at secureit.in) suggestions@secureit.in

Motive of Doc

The motive of this document is to set up a Postfix mail server with virtual domain/user support using LDAP. LDAP is used to manage the users and domains in a hierarchical manner; the users are not Linux system users but virtual users, which do not exist on the mail server box. LDAP can also store a lot of other information about users, which can be used for a central address book.

I have tried to make this document as easy as possible. If you have any suggestions or want anything updated, kindly send me mail at suggestions@secureit.in.

Kindly go through it step by step and read the entire document carefully.

Prerequisite Packages

1. Postfix

I have chosen it because I love it. It is one of the most committed, stable, impressive and gadget-free servers, and it gives you the freedom to implement the security and flexibility of open source.

2. OpenLDAP
   2.1 openldap-devel
   2.2 openldap-servers
   2.3 openldap

LDAP stands for Lightweight Directory Access Protocol, a lightweight protocol for accessing directory services. It runs over TCP/IP or other connection-oriented transport services. The LDAP model is based on entries. Each entry has a set of attributes and is uniquely identified by a Distinguished Name (DN). An attribute can have multiple values, and values can be numeric, string, binary, etc. LDAP entries are arranged as a hierarchical tree, and each node in the tree is uniquely identified by its DN. Each entry has one or more objectClasses, which define the attributes the entry may carry.

I have chosen it because it is the demand of the present and the future. It is hard to use the first time, but once it is in shape it is the easiest package to merge with other related applications such as an address book, a POP3 server and an IMAP server.

Lots of network-related applications are coming with built-in support for LDAP because it is fast and reliable.

Implementation Environment

Actually tested on CentOS 5, but it should work on all platforms supported by Postfix and OpenLDAP.

Terminology

mycompany.com - the domain name for which we have to set up the mail server, i.e. addresses like anyuser@mycompany.com.
box           - the system which is being used as the mail server.
virtual       - the term given to a domain/user which does not exist on the box as a system domain/user.
mycompany.net - a domain name separate from mycompany.com, used only as the hostname of the box (for details read the next section, "Prerequisite Arrangements").

Prerequisite Arrangements

At least one fully qualified domain name, apart from the hostname given to the mail server box, which will be used for mail.

Why so?

Your actual @mycompany.com addresses will be virtual.

If you want to set up a mail server for mycompany.com, then mycompany.com should not be assigned to the box as its hostname: if the hostname is the same as your virtual domain, Postfix will treat user@mycompany.com as a local Unix user, not as the virtual user we are going to create.

So use mycompany.org, mycompany.net or any other domain name that is not going to be used as a virtual domain as the hostname.

Installation

First create the mailbox directory

Postfix will know about only one user that exists on the system, "vmail". So create a group with group id 800 (an id of your choice) and a user vmail with user id 800 (again an id of your choice). Create a domains directory under the vmail home directory and assign its ownership to the vmail user/group. Create a mycompany.com directory under the domains directory; the mail files of that domain's users will be stored there. The mail format is the same as the common Unix mailbox format, /var/mail/$user.

---
groupadd -g 800 vmail
useradd -d /home/vmail -g 800 -m -s /bin/false -u 800 vmail
mkdir /home/vmail/domains
mkdir /home/vmail/domains/mycompany.com
chown -R vmail:vmail /home/vmail/domains
---

I am not going to describe installing Postfix and LDAP from source or binaries; I am assuming that you have already installed all prerequisite packages on the box.

Leave the default configuration as it is.

LDAP Implementation

In our first step we will work on LDAP, which is our base/core application. LDAP is basically a hierarchical database system for maintaining user information.

Main Files

Base Directory: /etc/openldap
Main File: /etc/openldap/slapd.conf
Executable File: /usr/sbin/slapd

As I mentioned earlier in the doc, it is a "hierarchical database". Postfix will use LDAP to find out about domains, user accounts and their aliases.

First we will create the LDAP hierarchy. I am going to create a very simple hierarchy, so that you can understand it properly.

mycompany.net
    |
    +-- Technical
    |      +-- user1
    |      +-- user2
    +-- Marketing
           +-- user3
           +-- user4

First of all, you may have noticed that I have used mycompany.net as the top root. As I told you, mycompany.com is virtual only and should not be used as the hostname or anywhere else; mycompany.net is used just for naming.

Second, I have segregated the users into two departments for better flexibility.

Now we will implement the ldap database.

/etc/openldap/slapd.conf

You will see a lot of commented and uncommented lines. Take a backup of the default file; we will be writing our own new file. If you are not interested in doing the same, go directly to step 3.

1. LDAP should understand the attributes of users, and this is achieved through "schema". LDAP includes schema definition files for this. You can write your own schema as well, but I am going to use the schemas which are already available.

Schema file names end with the .schema extension and are generally placed in the /etc/openldap/schema directory.

---
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/qmail.schema
---

Note that qmail.schema, which defines the qmailUser object class and the mailMessageStore attribute used below, is not shipped with OpenLDAP; it comes from the qmail-ldap project and has to be copied into /etc/openldap/schema yourself.

2. Add the process file information (paste it as it is; if the /var/run/openldap directory does not exist, create it).

---
pidfile        /var/run/openldap/slapd.pid
argsfile       /var/run/openldap/slapd.args
---

3. Now we will put in the actual stuff. If you are using the default file, comment out its existing database lines first.

---
database       bdb
suffix         "dc=mycompany,dc=net"
rootdn         "cn=manager,dc=mycompany,dc=net"
rootpw         secret
directory      /var/lib/ldap
---

database  - the type of database to be used.
suffix    - the root suffix.
rootdn    - the Distinguished Name (DN) of the root (administrator) entry.
rootpw    - the clear-text password for the rootdn (it can be stored hashed as well, which is described in Other Way Solutions 1).
directory - where the data will be stored. Take regular backups of this folder so that you can recover after an LDAP crash.

4. Indices to maintain for this database (paste it as it is).

---
index objectClass                      eq,pres
index ou,cn,mail,surname,givenname     eq,pres,sub
index uidNumber,gidNumber,loginShell   eq,pres
index uid,memberUid                    eq,pres,sub
index nisMapName,nisMapEntry           eq,pres,sub
---

5. Now start the ldap server.

---
/usr/sbin/slapd -d 100 -f /etc/openldap/slapd.conf
---

This will run the LDAP server in the foreground with debugging; if you don't want to run it in the foreground, just remove "-d 100" from the command line.

If there is no mistake in the configuration, slapd will keep running; otherwise it will exit.

Till now we have initialized the LDAP database and started it. Now we will fill it with information about users.

6. There are LDAP commands which are used to manage the LDAP database.

LDAP entries are maintained through files with the extension .ldif (LDAP Data Interchange Format).

Create a file base.ldif and copy the following contents into it.

A. First we will define mycompany.net, the root entry.

---
dn: dc=mycompany,dc=net
objectClass: dcObject
objectClass: organization
dc: mycompany
o: mycompany
---

B. Now we will define the departments.

---
dn: ou=Technical,dc=mycompany,dc=net
objectClass: organizationalUnit
ou: Technical

dn: ou=Marketing,dc=mycompany,dc=net
objectClass: organizationalUnit
ou: Marketing
---

C. Adding users to their respective departments.

---
dn: uid=user1,ou=Technical,dc=mycompany,dc=net
cn: user1
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user1
mailMessageStore: mycompany.com/user1
userPassword: user123
mail: user1@mycompany.com
---

Each line of the file describes one attribute of an entry in the database; entries are separated by a blank line.

The dn line creates user1 in the Technical department; the entry has Common Name (cn) user1, user id (uid) user1 and email address (mail) user1@mycompany.com.

mailMessageStore contains the path of the user's mail file relative to "/home/vmail/domains/".

So each user should have one file, named after his/her user name, in his/her domain directory.

---
dn: uid=user2,ou=Technical,dc=mycompany,dc=net
cn: user2
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user2
mailMessageStore: mycompany.com/user2
userPassword: secret2
mail: user2@mycompany.com

dn: uid=user3,ou=Marketing,dc=mycompany,dc=net
cn: user3
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user3
mailMessageStore: mycompany.com/user3
userPassword: secret
mail: user3@mycompany.com

dn: uid=user4,ou=Marketing,dc=mycompany,dc=net
cn: user4
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user4
mailMessageStore: mycompany.com/user4
userPassword: secret
mail: user4@mycompany.com
---

Now we are ready to insert the records into the LDAP database.

The ldapadd command is used for this.

---
ldapadd -x -D "cn=manager,dc=mycompany,dc=net" -W -f base.ldif
---

The parameter -D and its value are a very important part for us.

-D  specifies the "rootdn" value we set in our slapd.conf file.
-f  the file which we just created.
-W  prompt for the bind password, which was specified as rootpw in slapd.conf.
-x  use simple authentication.

For more details about the ldapadd command, kindly go through the man page.

To test whether your entries exist or not, use the following command.

---
ldapsearch -x -b 'dc=mycompany,dc=net'
---

If you get the error "ldap_bind: Invalid credentials", it means either the value you are giving with "-D" is wrong (it must be exactly your rootdn) or the password you typed does not match rootpw. If ldapadd complains about a particular entry instead, check the corresponding "dn" line in your ldif file (in my example, the dn lines of the base entry, the two departments and the users).

You do not need to restart the LDAP server every time you make changes to the data.

Postfix Implementation

I am not going to tell you how to install Postfix; it is included in all Linux distributions by default, or you can download it from www.postfix.org.

My assumption is that the Postfix configuration is in the /etc/postfix directory.

I would suggest you take a backup of /etc/postfix/main.cf before editing it.

---
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mycompany.net
mydomain = mycompany.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
mynetworks = 168.100.189.0/28, 127.0.0.0/8
header_checks = regexp:/etc/postfix/header_checks
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
---

These are the common lines found in most main.cf files.

You just have to define myhostname, mydomain, mynetworks_style and mynetworks according to your environment.

Now we need to tell Postfix about LDAP. Postfix will use LDAP to fetch the details of the virtual users it delivers for locally.

---
virtual_mailbox_domains = example.co.ke,secureit.in,mycompany.com
virtual_transport = virtual
virtual_uid_maps = static:800
virtual_gid_maps = static:800
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_maps = ldap:/etc/postfix/virtual_ldap/virtual_mailbox_maps.cf
virtual_alias_maps = hash:/etc/postfix/virtual
---

1. virtual_mailbox_domains specifies the domains for which Postfix should act as the final (local) mail server.

You can add as many domains as you like for which Postfix should act as the local mail server; use a comma "," to separate multiple domains.

2. virtual_transport: the virtual delivery agent will be used to handle mail for these domains.
3. virtual_uid_maps: the user id of the vmail user which we created in our first step.
4. virtual_gid_maps: the group id of the vmail user which we created in our first step.
5. virtual_mailbox_base: the base directory for the users' mailboxes which we created in the first step; the mail file path of each user, relative to this directory, will be fetched from LDAP.

Now you need to understand how the users' mail files are managed.

You need to create the users' mail path "files" accordingly.

Our base directory is /home/vmail/domains.

Now, if I have the user user1@mycompany.com,

then mail for that user will go to the file

/home/vmail/domains/mycompany.com/user1

Here I am using the standard Unix mailbox (mbox) format, so all mail for user1 will go to the single user1 "file". That's why I gave the relative path of the user's mail file in LDAP: we pass the base directory to Postfix, and it automatically prepends the base path to the path it gets from LDAP.

This is necessary because there is only one Unix user, "vmail", which Postfix will use for the entire delivery process, so every user's file must be accessible to the vmail user, which is easy only when we use a common path for all users.

Next, if you have more domains, just add an anotherdomain.com directory in the base directory.

You can also use Maildir format to store user mail, which we will discuss later on.

6. virtual_mailbox_maps: how Postfix gets the user's mail path.

Create a directory /etc/postfix/virtual_ldap/.
Create a file /etc/postfix/virtual_ldap/virtual_mailbox_maps.cf.

Copy the following lines into the file.

---
server_host=localhost
search_base=dc=mycompany,dc=net
query_filter=(mail=%u@%d)
result_attribute=mailMessageStore
---

These lines make Postfix search, under search_base (which must be the suffix you set in slapd.conf), for the entry whose mail attribute equals the recipient address (%u is the user part, %d the domain part) and return its mailMessageStore attribute, the relative path of the user's mail file.
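To see what the lookup table above actually hands to the virtual delivery agent, and to catch bad directory data before it is loaded, here is an added example script (not part of the original document, not Postfix code; the function names are mine). It reads the base.ldif entries from this page, emulates query_filter=(mail=%u@%d) / result_attribute=mailMessageStore, joins the result with virtual_mailbox_base, and audits every entry: the mail domain must be one of virtual_mailbox_domains, the mailMessageStore must stay inside the base directory, and it must follow the <domain>/<user> layout this document uses. The sample LDIF is constructed and includes one deliberately broken entry (user9) to show what the audit reports.

```python
import posixpath

# Added example, not from the original document: emulate the Postfix
# virtual_mailbox_maps LDAP lookup (query_filter=(mail=%u@%d),
# result_attribute=mailMessageStore) against the base.ldif entries from this
# page, and audit the mailMessageStore values before the directory goes live.
# Function names are my own; the settings mirror the main.cf above.

VIRTUAL_MAILBOX_BASE = "/home/vmail/domains"
VIRTUAL_MAILBOX_DOMAINS = {"example.co.ke", "secureit.in", "mycompany.com"}
SEARCH_BASE = "dc=mycompany,dc=net"      # must equal the suffix in slapd.conf

# Constructed sample: user1 as in base.ldif, plus a deliberately malformed
# entry (user9) whose mailMessageStore points outside virtual_mailbox_base.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Technical,dc=mycompany,dc=net
cn: user1
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user1
mailMessageStore: mycompany.com/user1
userPassword: user123
mail: user1@mycompany.com

dn: uid=user9,ou=Marketing,dc=mycompany,dc=net
cn: user9
objectClass: qmailUser
uid: user9
mailMessageStore: ../../../etc/passwd
mail: user9@mycompany.com
"""


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, multi-valued attributes collected into lists. Base64 ('attr::')
    values are not used by the LDIF on this page and are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def lookup_mailbox(entries, address):
    """What Postfix asks LDAP for one recipient: the mailMessageStore of the
    entry under search_base whose mail attribute equals user@domain.
    Returns None when Postfix would not consult LDAP (domain is not one of
    virtual_mailbox_domains) or when no entry matches (recipient unknown)."""
    user, _, domain = address.rpartition("@")
    if domain not in VIRTUAL_MAILBOX_DOMAINS:
        return None
    for entry in entries:
        if not entry["dn"][0].endswith("," + SEARCH_BASE):
            continue
        if f"{user}@{domain}" in entry.get("mail", []):
            return entry["mailMessageStore"][0]
    return None


def resolve_mailbox_path(store):
    """Join the relative mailMessageStore with virtual_mailbox_base, as the
    virtual delivery agent does, and refuse values that would leave the base
    directory. A trailing '/' means Maildir; otherwise the value is an mbox file."""
    if store.startswith("/") or ".." in store.split("/"):
        raise ValueError(f"mailMessageStore escapes {VIRTUAL_MAILBOX_BASE}: {store!r}")
    full = posixpath.normpath(posixpath.join(VIRTUAL_MAILBOX_BASE, store))
    if not full.startswith(VIRTUAL_MAILBOX_BASE + "/"):
        raise ValueError(f"mailMessageStore escapes {VIRTUAL_MAILBOX_BASE}: {store!r}")
    return full + ("/" if store.endswith("/") else "")


def is_safe_store(store):
    """True when resolve_mailbox_path() accepts the value."""
    try:
        resolve_mailbox_path(store)
        return True
    except ValueError:
        return False


def audit(entries):
    """Return (dn, problem) pairs for entries that would not deliver cleanly:
    a mail domain Postfix does not host, a store that escapes the base, or a
    store that does not follow the <domain>/<user> layout used on this page."""
    problems = []
    for entry in entries:
        if "mailMessageStore" not in entry or "mail" not in entry:
            continue
        dn, store = entry["dn"][0], entry["mailMessageStore"][0]
        domain = entry["mail"][0].rpartition("@")[2]
        if domain not in VIRTUAL_MAILBOX_DOMAINS:
            problems.append((dn, f"{domain} is not in virtual_mailbox_domains"))
        elif not is_safe_store(store):
            problems.append((dn, f"mailMessageStore {store!r} leaves {VIRTUAL_MAILBOX_BASE}"))
        elif not store.startswith(domain + "/"):
            problems.append((dn, f"mailMessageStore {store!r} is not under {domain}/"))
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    store = lookup_mailbox(entries, "user1@mycompany.com")
    print("user1@mycompany.com ->", store, "->", resolve_mailbox_path(store))
    for dn, problem in audit(entries):
        print("PROBLEM", dn, problem)
```

Run it against your real base.ldif (replace SAMPLE_LDIF with the file contents) before every ldapadd: a wrong search_base, a domain missing from virtual_mailbox_domains, or a mailMessageStore outside the base directory all show up here instead of as bounced mail or a file written where it should not be.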

7. virtual_alias_maps: the usual alias file, so that Postfix knows about aliases.

Upto here your SMTP Server is ready to accept and send mail for local users and remote users. POSTFIX Mail Server using LDAP Virtual Users (Postfix + LDAP + Dovecot + SquirellMail + ClamAV + MailScanner + SpamAssassin)

(Last updated on 27/01/2008) (Latest version available at secureit.in) suggestions@secureit.in

Motive of Doc

The motive of this document is to setup a postfix mail server with virtual domain(s)/user support using LDAP,Ldap is being used to manage the users and domain in heirarcial manner and the users are not as same as linux system users which actually are virtual and does not exist on mail server box. ldap can store a lot of information about users which can be used for central address book purpose.

I have tried to make document as easiest as possible. If you have any suggestion of want to update anything in database kindly send me mail at suggestions@secureit.in.

Kindly go through step by step and read entire document carefully.

Prerequisite Packages

1.Postfix

I have chosen it becoz i love it. It is one of the most commited, stable,impressive and full gadzet less server which gives the freedom to implement the security and flexibilty of open source.

2.Openldap 2.1 openldap-devel 2.2 openldap-servers 2.3 openldap

LDAP stands for Lightweight Directory Access Protocol. This is a lightweight protocol for accessing directory services. This runs over TCP/IP or connection oriented transfer services. The LDAP model is based on entries. Each entry will have set of attributes. Each entry will be uniquely identified by Distinguished Name (DN). Attribute can have multiple values also. Each entry can be numeric, string, binary etc.. The arrangement of the LDAP is like hierarchical tree. Each node in a tree should be uniquely identified with DN. Each entry will have objectclass which describes the attributes of object classes. Each entry can have multiple objectclasses.

I have chosen it becoz it is the demand of Present and Future. It is hard for first time use,but once it is in form, it is the easiest package to marge with other co-related applications like address book , pop3 server and imap server.

Lots of network related application are coming with build in support of ldap because it is fast and reliable.

Implementation Environment

Actually tested on CentOS5, but should work on all postfix and openload supported plateform.

Words mean

mycompany.com   -  the domain name for which we have to setup mail server like anyuser@mycompany.com. box                        -  the system which is being used as mail server. virtual                   - the term given to domain/user which does exist on box. mycompany.net    - the domain name which is seperate from mycompany.com and is being used for box hostname purpose only.(for details read next section "prerequisite arrangements")

Prerequisite Arrangements

Atleast one fully qualified domain name apart from the hostname given to the mail server box which will be used for mails.

why so ?

Your actual @mycompany.com will be virtual.

If you want to setup a mail server for mycompany.com then mycompany.com should not be assigned to box as hostname because if the hostname will be same as your virtual domain, postfix will treat user@mycompany.com as local unix user not the user which we will create as virtual.

So you can use mycompany.org or .net as hostname and any other domain name which is not to be used as virtual domain.

Installation

First create the mailbox directory

Postfix will understand only one user which exist on system "vmail". So create a user with group id 800 (your choice id) and create user vmail with user id 800(your choise id). Create domains directory under vmail home directory and assigned the ownership to vmail user/group. Create mycomapny.com directory under domains directory where domain related users mail files will be stored. The mail format is same as your common unix mail format /var/mail/$user.

---

groupadd -g 800 vmail useradd -d /home/vmail -g 800 -m -s /bin/false -u 800 vmail mkdir /home/vmail/domains chown vmail:vmail /home/vmail/domains

I am not going to mention the details to install postfix and Ldap through source or binaries.I am assuming that you have already installed all prerequisite packages on box.

Leave the default configuration as it is.

LDAP Implementation

In our first process we will work on ldap. which is our base/core application. Ldap is basically a hierarcial database system to maintain the user informations.

Main Files

Base Directory : /etc/openldap Main File: /etc/openldap/slapd.conf Executable File: /usr/sbin/slapd

As i mention earlier in the doc that is a "hierarcial database". Postfix will be using ldap to know about domains,user accounts and their aliases.

First we will create ldap hierarchy.I am going to create very simple hierarchy, so that you could understand it properly.

mycompany.net Technical      |       Marketing -                   - user1 - user2                user3 - user4

First of all if you have noticed that i have used mycompany.net as the top root. Becoz as i told you mycompany.com is virtual only and it should not be used as hostname or any other place.mycompany.net is just for name.

Second i have segregated users into two department for better flexibility.

Now we will implement the ldap database.

/etc/openldap/slapd.conf

you will see a lot of lines with commect or uncomment.You take the backup of default file and we will be writing our own new file. If you are not interested in doing same then directly go to 3rd Step.

1. Ldap should understand the attributes of users and this is achieved through "schema". Ldap includes the schema definition files to do so.You can write your schema also.but i am going to use the schema which are already available.

Schema file name ends with .schema extention and generally placed in /etc/openldap/schema directory.

--- include        /etc/openldap/schema/core.schema include        /etc/openldap/schema/cosine.schema include        /etc/openldap/schema/inetorgperson.schema include        /etc/openldap/schema/nis.schema include        /etc/openldap/schema/qmail.schema --- 2. Add process file information (paste it as it is, if /var/run/openldap directory does not exist, create it). --- pidfile        /var/run/openldap/slapd.pid argsfile       /var/run/openldap/slapd.args --- 3. Now we will be putting the actual stuff. Please comment these lines in default file, if you are using same file. --- database       bdb suffix          "dc=mycompany,dc=net" rootdn         "cn=manager,dc=mycompany,dc=net" rootpw         secret directory      /var/lib/ldap --- database - the type of database should be used. suffix - the root suffix. rootdn - The Distinguished Name (DN) of root. rootpw - the clear text password to access ldap(it can be encrpted also, which is described in Other Way Solutions 1.) directory - where the data will be stored. You need to take the regular backup of this folder to recovering during ldap crash.

4. Indices to maintain for this database ( paste it as it is) --- index objectClass                      eq,pres index ou,cn,mail,surname,givenname     eq,pres,sub index uidNumber,gidNumber,loginShell   eq,pres index uid,memberUid                    eq,pres,sub index nisMapName,nisMapEntry           eq,pres,sub ---

5. Now start the ldap server.

--- /usr/sbin/slapd -d 100 -f /etc/openldap/slapd.conf --- This will run ldap server in foreground with debugging, if you don't want to run in foreground then just remove "-d 100" from the command line.

If their is no mistake in configuration than ldap will keep running otherwise it will exit.

Till now we have initialize the ldap database and start it. Now we will be filling it with information about users.

6. Their are ldap commands which are used to manage the ldap database.

Ldap entries are maintained through the configuration files with the extention ldif.

create a file base.ldif and copy the following contents.

A.first we will define the company.net

--- 1.dn: dc=mycompany,dc=net 2.objectClass: dcObject 3.objectClass: organization 4.dc: mycompany 5.o: mycompany --- B.Now we will define the department.

--- 6.dn: ou=Technical,dc=mycompany,dc=net 7.objectClass: organizationalUnit 8.ou: Technical

9.dn: ou=Marketing,dc=mycompany,dc=net 10.objectClass: organizationalUnit 11.ou: Marketing --- C.Adding users in respective department --- 12.dn: uid=user1,ou=Technical,dc=mycompany,dc=net 13.cn: user1 14.objectClass: top 15.objectClass: organizationalRole 16.objectClass: simpleSecurityObject 17.objectClass: qmailUser 18.uid: user1 19.mailMessageStore: mycompany.com/user1 20.userPassword: user123 21.mail: user1@mycompany.com --- Each line of file describe the attribute or entry in database.

First Line create the user1 in Technical Department with Common Name(cn) user1, userid(uid) user1 and email address(mail) as user1@mycompany.com.

mailMessageStore contains the path of user's mail file under "/home/vmail/domains/".

So each user should have one file with his/her name in his/her domain directory.

--- dn: uid=user2,ou=Technical,dc=mycompany,dc=net cn: user2 objectClass: top objectClass: organizationalRole objectClass: simpleSecurityObject objectClass: qmailUser uid: user2 mailMessageStore: mycompany.com/user2 userPassword: secret2 mail: user2@mycompany.com

dn: uid=user3,ou=Marketing,dc=mycompany,dc=net cn: user3 objectClass: top objectClass: organizationalRole objectClass: simpleSecurityObject objectClass: qmailUser uid: user3 mailMessageStore: mycompany.com/user3 userPassword: secret mail: user3@mycompany.com

dn: uid=user4,ou=Marketing,dc=mycompany,dc=net cn: user4 objectClass: top objectClass: organizationalRole objectClass: simpleSecurityObject objectClass: qmailUser uid: user4 mailMessageStore: mycompany.com/user4 userPassword: secret mail: user4@mycompany.com ---

Now we are ready to insert the records in ldap database.

For the same ldapadd command is used.

ldapadd -x -D "cn=manager,dc=mycomapny,dc=net" -W -f base.ldif -

the paramenter -D ans it's value is very important part for us.

-D specifies the "rootdn" value we specified in our slapd.conf file. -f is the file which we just created. -W        prompt for bind password, which was specified in slapd.conf -x        Simple authentication

for more details about ldapadd command, kindly go throught the man page.

to test whether you entries exist or not use the following command.

--- ldapsearch -x -b 'dc=mycompany,dc=net' ---

If you are getting error "ldap_bind: Invalid credentials, it means either you are giving wrong value with "-D" which is nothing your rootdn or "dn" line in your ldif file (my example file 1,6,9,12 dn lines).

You do not require to restart the ldap server everytime you made the changes.

Postfix Implementation

i am not going to tell you how to install postfix, it is incuded in all linux distribution by default or you can download it from www.postfix.org

My Assumption is that the postfix is installed in /etc/postfix directory.

i would suggest you to take the backup of /etc/postfix/main.cf

queue_directory = /var/spool/postfix command_directory = /usr/sbin daemon_directory = /usr/libexec/postfix mail_owner = postfix myhostname = mycompany.net mydomain = mycompany.net myorigin = $myhostname inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost unknown_local_recipient_reject_code = 550 mynetworks_style = subnet mynetworks = 168.100.189.0/28, 127.0.0.0/8 header_checks = regexp:/etc/postfix/header_checks debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 sendmail_path = /usr/sbin/sendmail.postfix newaliases_path = /usr/bin/newaliases.postfix mailq_path = /usr/bin/mailq.postfix setgid_group = postdrop

These lines are the common lines.

You have to just define myhostname,mydomain,mynetworks_style and mynetworks.

Now we need to tell postfix about ldap.Postfix will use ldap to fetch the local user details.

1.virtual_mailbox_domains = example.co.ke,secureit.in,mycompany.com 2.virtual_transport = virtual 3.virtual_uid_maps = static:800 4.virtual_gid_maps = static:800 5.virtual_mailbox_base = /home/vmail/domains 6.virtual_mailbox_maps = ldap:/etc/postfix/virtual_ldap/virtual_mailbox_maps.cf 7.virtual_alias_maps = hash:/etc/postfix/virtual

1. Specifies the domain which postfix should treat as local mail server.

You can add as much as domains for whome postfix should treat as local mail server. Use "," comma to seperate the multiple domains.

2. The virtual process will be used to handle such mails. 3. The userid  of vmail user which we created in our 1st step. 4. The groupid of vmail user which we created in our 1st step. 5. The Home directory of users which we created in 1st step and it will fetch the mail directory of users from ldap

Now here you need to understand how you can manage the users.

Now you need to create the user mail path "files" accordingly.

our base directory is /home/vmail/domains

now if i have user user1@mycompany.com.

Then it will go to the file

/home/vmail/domains/mycompany.com/user1

Here i am using unix standard file format, so all mails of user1 will go to user1 "file". That's why i gave relative path of users mail file in ldap. We are passing base directory to postfix so it will automatically append the path with base path.

It was necessary because their is only one unix user "vmail" which will be used by postfix for the entire process, so the user's files should also be accessible to vmail user , which is easy only when we will use the common path for all users.

Next if you have more domains, you just add anotherdomain.com directory in base directory.

You can use Maildir format also to store user mails which we will discuss later on.

6. To get the user mail path.

Create a directory /etc/postfix/virtual_ldap/ Create a file /etc/postfix/virtual_ldap/virtual_mailbox_maps.cf.

copy the following lines in the file.

server_host=localhost search_base=dc=example,dc=co,dc=ke query_filter=(mail=%u@%d) result_attribute=mailMessageStore

These lines will fetch the attribute mailMessageStore value for the users mail file relative path.

7. As usual alias file to know about aliases.

Upto here your SMTP Server is ready to accept and send mail for local users and remote users. POSTFIX Mail Server using LDAP Virtual Users (Postfix + LDAP + Dovecot + SquirellMail + ClamAV + MailScanner + SpamAssassin)

(Last updated on 27/01/2008) (Latest version available at secureit.in) suggestions@secureit.in

Motive of Doc

The motive of this document is to setup a postfix mail server with virtual domain(s)/user support using LDAP,Ldap is being used to manage the users and domain in heirarcial manner and the users are not as same as linux system users which actually are virtual and does not exist on mail server box. ldap can store a lot of information about users which can be used for central address book purpose.

I have tried to make document as easiest as possible. If you have any suggestion of want to update anything in database kindly send me mail at suggestions@secureit.in.

Kindly go through step by step and read entire document carefully.

Prerequisite Packages

1.Postfix

I have chosen it becoz i love it. It is one of the most commited, stable,impressive and full gadzet less server which gives the freedom to implement the security and flexibilty of open source.

2.Openldap 2.1 openldap-devel 2.2 openldap-servers 2.3 openldap

LDAP stands for Lightweight Directory Access Protocol. This is a lightweight protocol for accessing directory services. This runs over TCP/IP or connection oriented transfer services. The LDAP model is based on entries. Each entry will have set of attributes. Each entry will be uniquely identified by Distinguished Name (DN). Attribute can have multiple values also. Each entry can be numeric, string, binary etc.. The arrangement of the LDAP is like hierarchical tree. Each node in a tree should be uniquely identified with DN. Each entry will have objectclass which describes the attributes of object classes. Each entry can have multiple objectclasses.

I have chosen it becoz it is the demand of Present and Future. It is hard for first time use,but once it is in form, it is the easiest package to marge with other co-related applications like address book , pop3 server and imap server.

Lots of network related application are coming with build in support of ldap because it is fast and reliable.

Implementation Environment

Actually tested on CentOS5, but should work on all postfix and openload supported plateform.

Words mean

mycompany.com   -  the domain name for which we have to setup mail server like anyuser@mycompany.com. box                        -  the system which is being used as mail server. virtual                   - the term given to domain/user which does exist on box. mycompany.net    - the domain name which is seperate from mycompany.com and is being used for box hostname purpose only.(for details read next section "prerequisite arrangements")

Prerequisite Arrangements

Atleast one fully qualified domain name apart from the hostname given to the mail server box which will be used for mails.

why so ?

Your actual @mycompany.com will be virtual.

If you want to setup a mail server for mycompany.com then mycompany.com should not be assigned to box as hostname because if the hostname will be same as your virtual domain, postfix will treat user@mycompany.com as local unix user not the user which we will create as virtual.

So you can use mycompany.org or .net as hostname and any other domain name which is not to be used as virtual domain.

Installation

First create the mailbox directory

Postfix will understand only one user which exists on the system, "vmail". So create a group with group id 800 (your choice of id) and a user vmail with user id 800 (your choice of id). Create a domains directory under the vmail home directory and assign its ownership to the vmail user/group. Create a mycompany.com directory under the domains directory, where the mail files of that domain's users will be stored. The mail format is the same as the common unix mail format /var/mail/$user.

---

groupadd -g 800 vmail
useradd -d /home/vmail -g 800 -m -s /bin/false -u 800 vmail
mkdir /home/vmail/domains
mkdir /home/vmail/domains/mycompany.com
chown -R vmail:vmail /home/vmail/domains
---

I am not going to mention the details of installing postfix and ldap from source or binaries. I am assuming that you have already installed all prerequisite packages on the box.

Leave the default configuration as it is.

LDAP Implementation

In our first step we will work on ldap, which is our base/core application. Ldap is basically a hierarchical database system to maintain user information.

Main Files

Base Directory: /etc/openldap
Main File: /etc/openldap/slapd.conf
Executable File: /usr/sbin/slapd

As I mentioned earlier in the doc, it is a "hierarchical database". Postfix will be using ldap to learn about domains, user accounts and their aliases.

First we will create the ldap hierarchy. I am going to create a very simple hierarchy, so that you can understand it properly.

                 mycompany.net
                /             \
        Technical              Marketing
        /      \               /       \
     user1    user2         user3     user4

First of all, you may have noticed that I have used mycompany.net as the top root. As I told you, mycompany.com is virtual only and should not be used as the hostname or anywhere else; mycompany.net is just for the name.

Second, I have segregated the users into two departments for better flexibility.

Now we will implement the ldap database.

/etc/openldap/slapd.conf

You will see a lot of commented and uncommented lines. Take a backup of the default file; we will be writing our own new file. If you are not interested in doing the same, go directly to the 3rd step.

1. Ldap should understand the attributes of users, and this is achieved through a "schema". Ldap includes schema definition files to do so. You can write your own schema as well, but I am going to use the schemas which are already available.

Schema file names end with the .schema extension and are generally placed in the /etc/openldap/schema directory.

---
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/qmail.schema
---

2. Add the process file information (paste it as it is; if the /var/run/openldap directory does not exist, create it).

---
pidfile        /var/run/openldap/slapd.pid
argsfile       /var/run/openldap/slapd.args
---

3. Now we will put in the actual stuff. Please comment out these lines in the default file if you are using the same file.

---
database       bdb
suffix         "dc=mycompany,dc=net"
rootdn         "cn=manager,dc=mycompany,dc=net"
rootpw         secret
directory      /var/lib/ldap
---

database - the type of database to be used.
suffix - the root suffix.
rootdn - the Distinguished Name (DN) of root.
rootpw - the clear text password to access ldap (it can be encrypted also, which is described in Other Way Solutions 1).
directory - where the data will be stored. You need to take regular backups of this folder for recovery in case of an ldap crash.

4. Indices to maintain for this database (paste it as it is)

---
index objectClass                      eq,pres
index ou,cn,mail,surname,givenname     eq,pres,sub
index uidNumber,gidNumber,loginShell   eq,pres
index uid,memberUid                    eq,pres,sub
index nisMapName,nisMapEntry           eq,pres,sub
---

5. Now start the ldap server.

---
/usr/sbin/slapd -d 100 -f /etc/openldap/slapd.conf
---

This will run the ldap server in the foreground with debugging; if you don't want to run it in the foreground, just remove "-d 100" from the command line.

If there is no mistake in the configuration then ldap will keep running, otherwise it will exit.

Till now we have initialized the ldap database and started it. Now we will fill it with information about users.

6. There are ldap commands which are used to manage the ldap database.

Ldap entries are maintained through configuration files with the extension .ldif.

Create a file base.ldif and copy the following contents into it.

A. First we will define mycompany.net

---
1.dn: dc=mycompany,dc=net
2.objectClass: dcObject
3.objectClass: organization
4.dc: mycompany
5.o: mycompany
---

B. Now we will define the departments.

---
6.dn: ou=Technical,dc=mycompany,dc=net
7.objectClass: organizationalUnit
8.ou: Technical

9.dn: ou=Marketing,dc=mycompany,dc=net
10.objectClass: organizationalUnit
11.ou: Marketing
---

C. Adding users to their respective departments

---
12.dn: uid=user1,ou=Technical,dc=mycompany,dc=net
13.cn: user1
14.objectClass: top
15.objectClass: organizationalRole
16.objectClass: simpleSecurityObject
17.objectClass: qmailUser
18.uid: user1
19.mailMessageStore: mycompany.com/user1
20.userPassword: user123
21.mail: user1@mycompany.com
---

Each line of the file describes an attribute or an entry in the database.

The first line (the dn) creates user1 in the Technical department; the following lines give it Common Name (cn) user1, userid (uid) user1 and email address (mail) user1@mycompany.com.

mailMessageStore contains the path of user's mail file under "/home/vmail/domains/".

So each user should have one file with his/her name in his/her domain directory.

---
dn: uid=user2,ou=Technical,dc=mycompany,dc=net
cn: user2
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user2
mailMessageStore: mycompany.com/user2
userPassword: secret2
mail: user2@mycompany.com

dn: uid=user3,ou=Marketing,dc=mycompany,dc=net
cn: user3
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user3
mailMessageStore: mycompany.com/user3
userPassword: secret
mail: user3@mycompany.com

dn: uid=user4,ou=Marketing,dc=mycompany,dc=net
cn: user4
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user4
mailMessageStore: mycompany.com/user4
userPassword: secret
mail: user4@mycompany.com
---

Now we are ready to insert the records in ldap database.

For the same ldapadd command is used.

---
ldapadd -x -D "cn=manager,dc=mycompany,dc=net" -W -f base.ldif
---

The parameter -D and its value are a very important part for us.

-D   specifies the "rootdn" value we specified in our slapd.conf file.
-f   the file which we just created.
-W   prompt for the bind password, which was specified in slapd.conf.
-x   simple authentication.

For more details about the ldapadd command, kindly go through the man page.

To test whether your entries exist or not, use the following command.

---
ldapsearch -x -b 'dc=mycompany,dc=net'
---

If you are getting the error "ldap_bind: Invalid credentials", it means either you are giving a wrong value with "-D" (which is nothing but your rootdn) or the "dn" line in your ldif file is wrong (in my example file, the dn lines 1, 6, 9 and 12).

You do not need to restart the ldap server every time you make changes.

Postfix Implementation

I am not going to tell you how to install postfix; it is included in all linux distributions by default, or you can download it from www.postfix.org.

My Assumption is that the postfix is installed in /etc/postfix directory.

I would suggest you take a backup of /etc/postfix/main.cf.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mycompany.net
mydomain = mycompany.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
mynetworks = 168.100.189.0/28, 127.0.0.0/8
header_checks = regexp:/etc/postfix/header_checks
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop

These lines are the common lines.

You just have to define myhostname, mydomain, mynetworks_style and mynetworks.

Now we need to tell postfix about ldap. Postfix will use ldap to fetch the local user details.

1. virtual_mailbox_domains = example.co.ke,secureit.in,mycompany.com
2. virtual_transport = virtual
3. virtual_uid_maps = static:800
4. virtual_gid_maps = static:800
5. virtual_mailbox_base = /home/vmail/domains
6. virtual_mailbox_maps = ldap:/etc/postfix/virtual_ldap/virtual_mailbox_maps.cf
7. virtual_alias_maps = hash:/etc/postfix/virtual

1. Specifies the domain which postfix should treat as local mail server.

You can add as many domains as you want for which postfix should act as the local mail server. Use a "," comma to separate multiple domains.

2. The virtual process will be used to handle such mails.
3. The userid of the vmail user which we created in our 1st step.
4. The groupid of the vmail user which we created in our 1st step.
5. The home directory of the users which we created in the 1st step; postfix will fetch each user's mail directory from ldap and append it to this path.

Now here you need to understand how you can manage the users.

Now you need to create the user mail path "files" accordingly.

our base directory is /home/vmail/domains

Now, if I have the user user1@mycompany.com,

Then it will go to the file

/home/vmail/domains/mycompany.com/user1

Here I am using the standard unix file format, so all mails of user1 go to the user1 "file". That's why I gave the relative path of the user's mail file in ldap. We are passing the base directory to postfix, so it will automatically prepend the base path to the relative path.

It was necessary because there is only one unix user, "vmail", which postfix will use for the entire process, so the users' files should also be accessible to the vmail user, which is easy only when we use a common path for all users.

Next, if you have more domains, you just add an anotherdomain.com directory in the base directory.

You can use Maildir format also to store user mails which we will discuss later on.

6. To get the user mail path.

Create a directory /etc/postfix/virtual_ldap/
Create a file /etc/postfix/virtual_ldap/virtual_mailbox_maps.cf

Copy the following lines into the file.

---
server_host=localhost
search_base=dc=mycompany,dc=net
query_filter=(mail=%u@%d)
result_attribute=mailMessageStore
---

These lines fetch the value of the mailMessageStore attribute, which is the relative path of the user's mail file.
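As an added example (not part of the original document), the following Python script parses LDIF in the format of base.ldif above and emulates the virtual_mailbox_maps.cf lookup: it resolves (mail=%u@%d) to mailMessageStore, joins it to virtual_mailbox_base, and refuses a stored path that would resolve outside the base directory; it also lists entries whose userPassword is stored in clear text, as in the ldif examples above. The sample entries, the "bad" user and the {SSHA} value are constructed placeholders, not data from the page.

```python
import posixpath

# Constructed sample LDIF in the page's format (not the page's full file); the
# third entry has a mailMessageStore that escapes the base directory.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Technical,dc=mycompany,dc=net
uid: user1
mailMessageStore: mycompany.com/user1
userPassword: user123
mail: user1@mycompany.com

dn: uid=user2,ou=Technical,dc=mycompany,dc=net
uid: user2
mailMessageStore: mycompany.com/user2
userPassword: {SSHA}placeholder-hash-not-a-real-value
mail: user2@mycompany.com

dn: uid=bad,ou=Marketing,dc=mycompany,dc=net
uid: bad
mailMessageStore: ../../../tmp/bad
mail: bad@mycompany.com
"""

def parse_ldif(text):
    """Minimal LDIF parser: attribute -> [values]; blank lines separate entries."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            entry.setdefault(name.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def lookup_mailbox(entries, address, base="/home/vmail/domains"):
    """Emulate virtual_mailbox_maps.cf: query_filter=(mail=%u@%d) yields
    mailMessageStore, which postfix joins to virtual_mailbox_base.  Returns None
    on no match, or if the stored path would resolve outside the base directory."""
    for entry in entries:
        if address in entry.get("mail", []):
            full = posixpath.normpath(posixpath.join(base, entry["mailMessageStore"][0]))
            return full if full.startswith(base.rstrip("/") + "/") else None
    return None

def clear_text_passwords(entries):
    """uids whose userPassword lacks OpenLDAP's {SCHEME} prefix, i.e. is clear text."""
    return [e["uid"][0] for e in entries
            if e.get("userPassword") and not e["userPassword"][0].startswith("{")]
```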

7. The usual alias file, to know about aliases.

Up to here, your SMTP server is ready to accept and send mail for local users and remote users.