Motive of Doc
The purpose of this document is to set up a Postfix mail server with virtual domain/user support using LDAP. LDAP is used to manage the users and domains in a hierarchical manner; the users are virtual, not Linux system users, and do not exist as accounts on the mail server box. LDAP can also store a lot of information about users, which can be used for a central address book.
I have tried to make the document as easy as possible. If you have any suggestion or want to update anything in the document, kindly send me mail at suggestions@secureit.in.
Kindly go through it step by step and read the entire document carefully.
Prerequisite Packages
1.Postfix
I have chosen it because I love it. It is one of the most committed, stable, impressive and gadget-free servers, and it gives you the freedom to implement the security and flexibility of open source.
2.Openldap
2.1 openldap-devel
2.2 openldap-servers
2.3 openldap
LDAP stands for Lightweight Directory Access Protocol. It is a lightweight protocol for accessing directory services and runs over TCP/IP or another connection-oriented transport. The LDAP model is based on entries. Each entry has a set of attributes and is uniquely identified by its Distinguished Name (DN). An attribute can have multiple values, and values can be numeric, string, binary, etc. LDAP entries are arranged as a hierarchical tree in which each node is uniquely identified by its DN. Each entry has one or more objectClass values, which define the attributes the entry must and may carry.
I have chosen it because it is the demand of the present and the future. It is hard to use the first time, but once it is in shape it is the easiest package to merge with other related applications such as an address book, a POP3 server and an IMAP server.
Lots of network-related applications come with built-in LDAP support because it is fast and reliable.
Implementation Environment
Actually tested on CentOS 5, but it should work on all platforms supported by Postfix and OpenLDAP.
Meaning of Terms
mycompany.com - the domain name for which we have to set up the mail server, i.e. addresses like anyuser@mycompany.com.
box - the system which is being used as mail server.
virtual - the term given to a domain/user which does not exist on the box as a system account.
mycompany.net - a domain name which is separate from mycompany.com and is used for the box hostname only (for details read the next section, "Prerequisite Arrangements").
Prerequisite Arrangements
At least one fully qualified domain name apart from the hostname given to the mail server box, which will be used for mail.
Why so?
Your actual @mycompany.com addresses will be virtual.
If you want to set up a mail server for mycompany.com then mycompany.com should not be assigned to the box as its hostname, because if the hostname is the same as your virtual domain, Postfix will treat user@mycompany.com as a local Unix user, not as the virtual user we will create.
So use mycompany.org or .net, or any other domain name that is not going to be used as a virtual domain, as the hostname.
Installation
First create the mailbox directory
Postfix needs only one user that exists on the system: "vmail". So create a group with group id 800 (the id is your choice) and a user vmail with user id 800 (again your choice of id).
Create a domains directory under the vmail home directory and assign its ownership to the vmail user/group.
Create a mycompany.com directory under the domains directory; the mail files of that domain's users will be stored there.
The mail format is the same as your common Unix mailbox format, /var/mail/$user.
-----------------------------------------------------------------------------------------------
groupadd -g 800 vmail
useradd -d /home/vmail -g 800 -m -s /bin/false -u 800 vmail
mkdir /home/vmail/domains
mkdir /home/vmail/domains/mycompany.com
chown -R vmail:vmail /home/vmail/domains
-----------------------------------------------------------------------------------------------
I am not going to describe how to install Postfix and LDAP from source or binaries. I am assuming that you have already installed all prerequisite packages on the box.
Leave the default configuration as it is.
LDAP Implementation
In our first step we will work on LDAP, which is our base/core application. LDAP is basically a hierarchical database system used to maintain the user information.
Main Files
Base Directory : /etc/openldap
Main File: /etc/openldap/slapd.conf
Executable File: /usr/sbin/slapd
As I mentioned earlier in the doc, it is a "hierarchical database". Postfix will use LDAP to find out about domains, user accounts and their aliases.
First we will create the LDAP hierarchy. I am going to create a very simple hierarchy so that you can understand it properly.
                mycompany.net
                      |
          -----------------------
          |                     |
      Technical             Marketing
          |                     |
   -------------           -------------
   user1 - user2           user3 - user4
First of all, you may have noticed that I have used mycompany.net as the top root. As I told you, mycompany.com is virtual only and should not be used as the hostname or anywhere else; mycompany.net is used just for naming.
Second, I have segregated the users into two departments for better flexibility.
Now we will implement the ldap database.
/etc/openldap/slapd.conf
You will see a lot of commented and uncommented lines. Take a backup of the default file; we will be writing our own new file. If you are not interested in doing the same, go directly to the 3rd step.
1. LDAP should understand the attributes of users, and this is achieved through a "schema". LDAP includes schema definition files for this. You can write your own schema too, but I am going to use the schemas which are already available.
Schema file names end with the .schema extension and are generally placed in the /etc/openldap/schema directory.
-----------------------------------------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/qmail.schema
-----------------------------------------------------------------------------------------------
2. Add the process file information (paste it as it is; if the /var/run/openldap directory does not exist, create it).
-----------------------------------------------------------------------------------------------
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
-----------------------------------------------------------------------------------------------
3. Now we will be putting in the actual stuff. Please comment out these lines in the default file if you are using the same file.
-----------------------------------------------------------------------------------------------
database bdb
suffix "dc=mycompany,dc=net"
rootdn "cn=manager,dc=mycompany,dc=net"
rootpw secret
directory /var/lib/ldap
-----------------------------------------------------------------------------------------------
database - the type of database backend to be used.
suffix - the root suffix.
rootdn - The Distinguished Name (DN) of root.
rootpw - the clear text password to access ldap (it can be stored encrypted too, which is described in Other Way Solutions 1).
directory - where the data will be stored. You need to take regular backups of this directory to recover from an LDAP crash.
4. Indices to maintain for this database (paste it as it is).
-----------------------------------------------------------------------------------------------
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
-----------------------------------------------------------------------------------------------
5. Now start the ldap server.
-----------------------------------------------------------------------------------------------
/usr/sbin/slapd -d 100 -f /etc/openldap/slapd.conf
-----------------------------------------------------------------------------------------------
This will run the LDAP server in the foreground with debugging; if you don't want to run it in the foreground then just remove "-d 100" from the command line.
If there is no mistake in the configuration then ldap will keep running, otherwise it will exit.
Till now we have initialized the LDAP database and started it. Now we will fill it with information about users.
6. There are LDAP commands which are used to manage the LDAP database.
LDAP entries are maintained through files with the extension .ldif.
Create a file base.ldif and copy the following contents into it, leaving a blank line between entries (ldapadd needs the blank line to see where one entry ends and the next begins).
A. First we will define mycompany.net.
-----------------------------------------------------------------------------------------------
1.dn: dc=mycompany,dc=net
2.objectClass: dcObject
3.objectClass: organization
4.dc: mycompany
5.o: mycompany
-----------------------------------------------------------------------------------------------
B. Now we will define the departments.
-----------------------------------------------------------------------------------------------
6.dn: ou=Technical,dc=mycompany,dc=net
7.objectClass: organizationalUnit
8.ou: Technical

9.dn: ou=Marketing,dc=mycompany,dc=net
10.objectClass: organizationalUnit
11.ou: Marketing
-----------------------------------------------------------------------------------------------
C. Adding users to their respective departments
-----------------------------------------------------------------------------------------------
12.dn: uid=user1,ou=Technical,dc=mycompany,dc=net
13.cn: user1
14.objectClass: top
15.objectClass: organizationalRole
16.objectClass: simpleSecurityObject
17.objectClass: qmailUser
18.uid: user1
19.mailMessageStore: mycompany.com/user1
20.userPassword: user123
21.mail: user1@mycompany.com
-----------------------------------------------------------------------------------------------
Each line of the file describes an attribute of an entry in the database.
The first line creates user1 in the Technical department; the entry has Common Name (cn) user1, user id (uid) user1 and email address (mail) user1@mycompany.com.
mailMessageStore contains the path of the user's mail file relative to "/home/vmail/domains/".
So each user should have one file with his/her name in his/her domain directory.
-----------------------------------------------------------------------------------------------
dn: uid=user2,ou=Technical,dc=mycompany,dc=net
cn: user2
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user2
mailMessageStore: mycompany.com/user2
userPassword: secret2
mail: user2@mycompany.com

dn: uid=user3,ou=Marketing,dc=mycompany,dc=net
cn: user3
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user3
mailMessageStore: mycompany.com/user3
userPassword: secret
mail: user3@mycompany.com

dn: uid=user4,ou=Marketing,dc=mycompany,dc=net
cn: user4
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user4
mailMessageStore: mycompany.com/user4
userPassword: secret
mail: user4@mycompany.com
-----------------------------------------------------------------------------------------------
Now we are ready to insert the records into the LDAP database.
The ldapadd command is used for this.
------------------------------------------------------------------------------------------------------------
ldapadd -x -D "cn=manager,dc=mycompany,dc=net" -W -f base.ldif
-------------------------------------------------------------------------------------------------------------
The parameter -D and its value are a very important part for us.
-D specifies the "rootdn" value we specified in our slapd.conf file.
-f is the file which we just created.
-W prompts for the bind password, which was specified in slapd.conf
-x uses simple authentication
For more details about the ldapadd command, kindly go through the man page.
To test whether your entries exist or not, use the following command.
-----------------------------------------------------------------------------------------------
ldapsearch -x -b 'dc=mycompany,dc=net'
-----------------------------------------------------------------------------------------------
If you get the error "ldap_bind: Invalid credentials", it means either you are giving a wrong value with "-D", which is nothing but your rootdn, or a "dn" line in your ldif file is wrong (dn lines 1, 6, 9 and 12 in my example file).
You do not need to restart the LDAP server every time you make changes.
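Before running ldapadd it is worth checking base.ldif mechanically: an entry whose parent OU is missing makes ldapadd stop, and a bad mailMessageStore value becomes a mailbox path outside /home/vmail/domains once Postfix reads it. The following script is an added example and not part of the original post. It assumes the attribute names and suffix used above (uid, mail, mailMessageStore, userPassword, dc=mycompany,dc=net); SAMPLE_LDIF is a constructed copy of the file in which user2 is deliberately broken.

```python
"""Sanity-check a base.ldif before ldapadd. Added example, not from the original
post; assumes this document's attribute names and suffix, SAMPLE_LDIF is constructed."""
import posixpath

SUFFIX = "dc=mycompany,dc=net"
MAILBOX_BASE = "/home/vmail/domains"       # virtual_mailbox_base from main.cf
REQUIRED_FOR_USER = ("uid", "mail", "mailMessageStore", "userPassword")

SAMPLE_LDIF = """\
dn: dc=mycompany,dc=net
objectClass: dcObject
objectClass: organization
dc: mycompany

dn: ou=Technical,dc=mycompany,dc=net
objectClass: organizationalUnit
ou: Technical

dn: uid=user1,ou=Technical,dc=mycompany,dc=net
objectClass: simpleSecurityObject
objectClass: qmailUser
uid: user1
mailMessageStore: mycompany.com/user1
userPassword: user123
mail: user1@mycompany.com

# constructed bad entry: its OU is never defined and its store leaves the base
dn: uid=user2,ou=Marketing,dc=mycompany,dc=net
objectClass: qmailUser
uid: user2
mailMessageStore: ../../etc/user2
userPassword: secret2
mail: user2@mycompany.com
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} records. Blank lines separate
    records, a leading space folds a line onto the previous value, '#' starts a
    comment. Base64 ('::') values and DNs with escaped commas are not handled."""
    records, current, last = [], {}, None
    for line in text.splitlines() + [""]:      # the extra "" flushes the last record
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            current[last][-1] += line[1:]
        elif not line.strip():
            if current:
                records.append(current)
            current, last = {}, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip()
            current.setdefault(last, []).append(value.strip())
    return records


def mailbox_path(store, base=MAILBOX_BASE):
    """Join a relative mailMessageStore with the base directory the way Postfix
    does, refusing absolute values and values that climb out of the base."""
    if not store or store.startswith("/"):
        raise ValueError("mailMessageStore %r must be a relative path" % store)
    full = posixpath.normpath(posixpath.join(base, store))
    if not full.startswith(posixpath.normpath(base) + "/"):
        raise ValueError("mailMessageStore %r escapes %s" % (store, base))
    return full


def check_records(records, suffix=SUFFIX, base=MAILBOX_BASE):
    """Return (dn, problem) pairs; an empty list means the file is fit for ldapadd."""
    problems, defined = [], set()
    for rec in records:
        if len(rec.get("dn", [])) != 1:
            problems.append(("?", "record without exactly one dn line"))
            continue
        dn = rec["dn"][0]
        if dn != suffix and not dn.endswith("," + suffix):
            problems.append((dn, "dn is outside the suffix " + suffix))
        if dn != suffix and dn.partition(",")[2] not in defined:
            problems.append((dn, "parent entry is not defined earlier in the file"))
        defined.add(dn)
        if "qmailUser" not in rec.get("objectClass", []):
            continue                                # mail checks apply to user entries only
        missing = [a for a in REQUIRED_FOR_USER if a not in rec]
        if missing:
            problems.append((dn, "missing attribute(s): " + ", ".join(missing)))
            continue
        if dn.partition(",")[0] != "uid=" + rec["uid"][0]:
            problems.append((dn, "uid attribute does not match the RDN"))
        local, _, domain = rec["mail"][0].partition("@")
        store, expected = rec["mailMessageStore"][0], domain + "/" + local
        if store != expected:
            problems.append((dn, "mailMessageStore %r should be %r" % (store, expected)))
        try:
            mailbox_path(store, base)
        except ValueError as exc:
            problems.append((dn, str(exc)))
    return problems


def clear_text_passwords(records):
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored in clear
    text; slappasswd can generate a hashed value to use instead."""
    return [r["dn"][0] for r in records
            if "userPassword" in r and not r["userPassword"][0].startswith("{")]
```

Run it on the real file with parse_ldif(open("base.ldif").read()) and fix every reported problem before ldapadd. The clear-text password check is there because whoever can read the entry (ldapsearch -x with the default access rules) sees the password as typed, so hash it with slappasswd before adding, the same way the rootpw note above suggests for the admin password.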
Postfix Implementation
I am not going to tell you how to install Postfix; it is included in all Linux distributions by default, or you can download it from www.postfix.org.
My assumption is that Postfix keeps its configuration in the /etc/postfix directory.
I would suggest you take a backup of /etc/postfix/main.cf before editing it.
-----------------------------------------------------------------------------------------------
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mycompany.net
mydomain = mycompany.net
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = subnet
mynetworks = 168.100.189.0/28, 127.0.0.0/8
header_checks = regexp:/etc/postfix/header_checks
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
-----------------------------------------------------------------------------------------------
These lines are the common lines.
You just have to define myhostname, mydomain, mynetworks_style and mynetworks for your own setup.
Now we need to tell Postfix about LDAP. Postfix will use LDAP to fetch the details of the virtual users.
-----------------------------------------------------------------------------------------------
1.virtual_mailbox_domains = example.co.ke,secureit.in,mycompany.com
2.virtual_transport = virtual
3.virtual_uid_maps = static:800
4.virtual_gid_maps = static:800
5.virtual_mailbox_base = /home/vmail/domains
6.virtual_mailbox_maps = ldap:/etc/postfix/virtual_ldap/virtual_mailbox_maps.cf
7.virtual_alias_maps = hash:/etc/postfix/virtual
-----------------------------------------------------------------------------------------------
1. Specifies the domains for which Postfix should act as the local (final destination) mail server.
You can add as many domains as you want for which Postfix should act as the local mail server. Use a comma "," to separate multiple domains.
2. The virtual delivery agent will be used to handle such mail.
3. The userid of vmail user which we created in our 1st step.
4. The groupid of vmail user which we created in our 1st step.
5. The home directory of the users which we created in the 1st step; the path of each user's mail file under it is fetched from LDAP.
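The "Prerequisite Arrangements" section says the box hostname must not be one of the virtual domains, and this is where that rule bites: Postfix checks mydestination before virtual_mailbox_domains, so a domain that appears in both is delivered to Unix accounts (and Postfix logs a warning about the double listing). The script below is an added example, not part of the original post or of Postfix: it reproduces that decision with the main.cf values from this document, and the two parameter sets are constructed (BAD_CONFIG is the mistake the section warns about).

```python
"""Classify a recipient the way Postfix picks between local and virtual delivery.
Added example, not from the original post; GOOD_CONFIG/BAD_CONFIG are constructed
from the main.cf lines in this document."""
import re

# the settings this document recommends: hostname mycompany.net, mail for mycompany.com
GOOD_CONFIG = {
    "myhostname": "mycompany.net",
    "mydomain": "mycompany.net",
    "mydestination": "$myhostname, localhost.$mydomain, localhost",
    "virtual_mailbox_domains": "example.co.ke,secureit.in,mycompany.com",
}
# the mistake the "Prerequisite Arrangements" section warns about
BAD_CONFIG = dict(GOOD_CONFIG, myhostname="mycompany.com")


def expand_vars(value, params):
    """Expand $name / ${name} references as main.cf does (recursively, so
    localhost.$mydomain still works when mydomain refers to another parameter)."""
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: expand_vars(params.get(m.group(1), ""), params), value)


def domain_list(param, params):
    """main.cf lists are separated by commas and/or whitespace; domain names
    are compared case-insensitively."""
    raw = expand_vars(params.get(param, ""), params)
    return [d.lower() for d in re.split(r"[,\s]+", raw) if d]


def classify_recipient(address, params):
    """Return 'local' (Unix account), 'virtual' (LDAP user under
    virtual_mailbox_base), 'conflict' (listed in both: Postfix delivers it as
    local and warns) or 'remote' (not ours; relayed only for mynetworks)."""
    domain = address.rpartition("@")[2].lower()
    in_local = domain in domain_list("mydestination", params)
    in_virtual = domain in domain_list("virtual_mailbox_domains", params)
    if in_local and in_virtual:
        return "conflict"
    if in_local:
        return "local"
    if in_virtual:
        return "virtual"
    return "remote"


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        for addr in ("user1@mycompany.com", "root@mycompany.net", "someone@example.org"):
            print(name, addr, "->", classify_recipient(addr, cfg))
```

With GOOD_CONFIG, user1@mycompany.com is virtual and root@mycompany.net is local; with BAD_CONFIG the same user1 address lands in "conflict", which on a real box means the mail is looked up as a Unix user and bounces with the 550 from unknown_local_recipient_reject_code.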
Now here you need to understand how you can manage the users.
You need to create the users' mail path "files" accordingly.
Our base directory is /home/vmail/domains.
Now if I have a user user1@mycompany.com,
then its mail will go to the file
/home/vmail/domains/mycompany.com/user1
Here I am using the standard Unix mailbox file format, so all mails of user1 will go to the user1 "file". That's why I gave the relative path of the user's mail file in LDAP: we pass the base directory to Postfix, so it automatically prepends the base path.
This was necessary because there is only one Unix user, "vmail", which Postfix uses for the entire process, so the users' files must also be accessible to the vmail user, which is easy only when we use a common path for all users.
Next, if you have more domains, just add an anotherdomain.com directory in the base directory.
You can use Maildir format also to store user mails which we will discuss later on.
6. To get the user's mail path.
Create a directory /etc/postfix/virtual_ldap/
Create a file /etc/postfix/virtual_ldap/virtual_mailbox_maps.cf.
Copy the following lines into the file.
-----------------------------------------------------------------------------------------------
server_host=localhost
search_base=dc=mycompany,dc=net
query_filter=(mail=%u@%d)
result_attribute=mailMessageStore
-----------------------------------------------------------------------------------------------
These lines fetch the value of the mailMessageStore attribute, i.e. the relative path of the user's mail file. The search_base must be the suffix under which the users were created (dc=mycompany,dc=net in this document); with any other base the lookup finds nothing and Postfix rejects the recipient as unknown.
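To make the query_filter line concrete: for each recipient Postfix splits the address into %u (local part) and %d (domain), escapes both as RFC 4515 requires before putting them into the filter (the ldap_table(5) documentation describes this), and then joins the returned mailMessageStore with virtual_mailbox_base. The script below is an added example that reproduces those steps in Python; it is neither part of the original post nor Postfix's own code, and DIRECTORY is a constructed stand-in for what the LDAP server holds after base.ldif was loaded.

```python
"""Reproduce the virtual_mailbox_maps lookup for one address. Added example,
not from the original post; DIRECTORY is a constructed stand-in for the LDAP server."""
import posixpath
import re

# the values from virtual_mailbox_maps.cf and main.cf in this document
SERVER_SETTINGS = {
    "search_base": "dc=mycompany,dc=net",
    "query_filter": "(mail=%u@%d)",
    "result_attribute": "mailMessageStore",
}
VIRTUAL_MAILBOX_BASE = "/home/vmail/domains"

# constructed: what the user entries from base.ldif look like to the lookup
DIRECTORY = [
    {"mail": "user1@mycompany.com", "mailMessageStore": "mycompany.com/user1"},
    {"mail": "user2@mycompany.com", "mailMessageStore": "mycompany.com/user2"},
    {"mail": "user3@mycompany.com", "mailMessageStore": "mycompany.com/user3"},
]


def escape_filter_value(value):
    """RFC 4515 escaping: characters with a meaning inside a filter become \\xx
    hex escapes, so an address can never change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template, address):
    """Fill %s (whole address), %u (local part) and %d (domain) as ldap_table(5)
    describes, escaping each value before it is inserted."""
    local, _, domain = address.partition("@")
    parts = {"s": address, "u": local, "d": domain, "%": "%"}
    return re.sub(r"%([sud%])", lambda m: escape_filter_value(parts[m.group(1)]), template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def lookup(address, directory=DIRECTORY, settings=SERVER_SETTINGS, base=VIRTUAL_MAILBOX_BASE):
    """Return the absolute mailbox path for address, or None when the filter does
    not match exactly one entry (Postfix then rejects the recipient as unknown).
    Only the single equality filter used in this document is evaluated."""
    filt = expand_filter(settings["query_filter"], address)
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if m is None:
        raise ValueError("this demo only evaluates (attr=value) filters")
    attr, wanted = m.group(1), _unescape(m.group(2))
    hits = [e for e in directory if e.get(attr) == wanted]
    if len(hits) != 1:
        return None
    return posixpath.join(base, hits[0][settings["result_attribute"]])


if __name__ == "__main__":
    for addr in ("user1@mycompany.com", "user1*@mycompany.com", "nobody@mycompany.com"):
        print(addr, "->", expand_filter(SERVER_SETTINGS["query_filter"], addr), "->", lookup(addr))
```

The escaping is the part worth noticing: an address such as user1*@mycompany.com is compared literally and matches nothing, instead of turning into a wildcard search. Whether the returned path stays inside the base is a property of the data, which is why the LDIF check earlier in the document validates mailMessageStore before the entries are added.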
7. As usual, the alias file to find out about aliases.
Up to here your SMTP server is ready to accept and send mail for local users and remote users.
1 comment:
where I get the qmail.schema??