Step By Step Configuration of Squid To Block Streaming Media Online
Squid's configuration file is /etc/squid/squid.conf.
Edit squid.conf and add the following lines in the ACL zone:
################## ACL for Radio / Video Stream ###########################
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
################## ACL for Radio / Video Stream ###########################
Then add the following lines in the http_access zone of squid.conf:
#################### Rules to block Radio / Video Stream #################
http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all
http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all
#################### Rules to block Radio / Video Stream #################
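Added example, not part of the original post: a small Python evaluator that parses the ACL and access lines above and reports what Squid would decide for a given request or reply Content-Type, so the rule set can be checked before the proxy is reloaded. It assumes `all` is defined elsewhere in squid.conf (it is built in from Squid 3 onward) and follows Squid's documented default that when no access line matches, the result is the opposite of the last line's action.

```python
import re

# The ACL and access lines from the page, embedded so the evaluator runs offline.
SQUID_CONF = """
acl StreamingRequest1 req_mime_type -i ^video/x-ms-asf$
acl StreamingRequest2 req_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingRequest3 req_mime_type -i ^application/x-mms-framed$
acl StreamingRequest4 req_mime_type -i ^audio/x-pn-realaudio$
acl StreamingReply1 rep_mime_type -i ^video/x-ms-asf$
acl StreamingReply2 rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl StreamingReply3 rep_mime_type -i ^application/x-mms-framed$
acl StreamingReply4 rep_mime_type -i ^audio/x-pn-realaudio$
http_access deny StreamingRequest1 all
http_access deny StreamingRequest2 all
http_access deny StreamingRequest3 all
http_access deny StreamingRequest4 all
http_reply_access deny StreamingReply1 all
http_reply_access deny StreamingReply2 all
http_reply_access deny StreamingReply3 all
http_reply_access deny StreamingReply4 all
"""

ACCESS_DIRECTIVES = ("http_access", "http_reply_access")


def parse_conf(text):
    """Return (acls, rules): acls maps name -> (acl type, [compiled regexes]);
    rules maps directive -> ordered list of (action, [acl tokens])."""
    acls = {}
    rules = {d: [] for d in ACCESS_DIRECTIVES}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acl_type, values = parts[1], parts[2], parts[3:]
            flags = 0
            if values and values[0] == "-i":          # case-insensitive regex
                flags, values = re.IGNORECASE, values[1:]
            seen_type, patterns = acls.setdefault(name, (acl_type, []))
            if seen_type != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            patterns.extend(re.compile(v, flags) for v in values)
        elif parts[0] in rules:
            rules[parts[0]].append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(token, acls, ctx):
    """Evaluate one ACL token (optionally prefixed with '!') against ctx, a dict
    keyed by ACL type, e.g. {'rep_mime_type': 'video/mp4'}."""
    negate = token.startswith("!")
    name = token.lstrip("!")
    if name == "all":            # assumed defined (or built in) elsewhere in squid.conf
        hit = True
    else:
        acl_type, patterns = acls[name]
        value = ctx.get(acl_type)
        # A missing Content-Type header is treated as no match for a regex ACL.
        hit = value is not None and any(p.search(value) for p in patterns)
    return hit != negate


def decide(directive, acls, rules, ctx):
    """Return 'allow' or 'deny': the action of the first line whose ACLs all
    match, otherwise the opposite of the last line's action."""
    lines = rules[directive]
    for action, tokens in lines:
        if all(acl_matches(t, acls, ctx) for t in tokens):
            return action
    if not lines:
        return "allow"
    return "allow" if lines[-1][0] == "deny" else "deny"


def streaming_blocked(mime, acls, rules):
    """(request decision, reply decision) for one declared MIME type."""
    req = decide("http_access", acls, rules, {"req_mime_type": mime})
    rep = decide("http_reply_access", acls, rules, {"rep_mime_type": mime})
    return req, rep


if __name__ == "__main__":
    acls, rules = parse_conf(SQUID_CONF)
    for mime in ("video/x-ms-asf", "audio/x-pn-realaudio", "video/mp4", "text/html"):
        print(mime, streaming_blocked(mime, acls, rules))
```

Running it shows that video/mp4 and text/html pass while the four listed types are denied on both request and reply: the rules only act on the Content-Type the client or server declares, and only on traffic whose headers the proxy sees, so the evaluator is a quick way to confirm coverage when the MIME list is extended. The "opposite of the last line" default applies to this excerpt on its own; in a full squid.conf the remaining http_access lines decide unmatched traffic.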
Thursday, 31 March 2011
Step By Step install Postfix + OpenLDAP + Dovecot + Jamm + SASL + SquirrelMail
Implementation
This section describes how to implement a virtual mail solution. Not every little detail is covered, just what is needed above and beyond the "standard" installations.
Prerequisites
Here is the list of software that I used. It is likely that other versions, older and newer, will work, but I didn't test them. However, it's essential that both Postfix and Cyrus-SASL be at versions greater than 2.
The Software List
White Box (Red Hat) Enterprise Linux 3
Postfix 2.0.16
OpenLDAP 2.0.27
Dovecot 0.99.10.9
Jamm 0.9.6
Cyrus-SASL 2.1.15
SquirrelMail 1.2.1.1
Preparing Your System
To prepare a Unix-like system there are a few tasks you'll need to accomplish:
Pre-installation Preparation
Create the vmail user and decide where you're going to store the virtual users' email.
Optionally, remove Sendmail from the system.
Determine your mail server's domain name.
Determine your LDAP base.
Create certificates for Postfix, Dovecot, and Apache (SquirrelMail).
Create the vmail User
Hint: It is not strictly necessary to create an actual user. It is only necessary to create a mailbox directory and change its owner and group to some ID that is not going to be used by any real user, like 5000:5000.
Creating the vmail user is just like creating any other system account. You'll want a UID and a GID that are used for vmail alone. You may also want to set its home directory to the location you've selected as the storage area for the virtual users' email. On my system I used vmail as both the user and the group name. I also decided to store the virtual users' email in /home/vmail/domains.
The following example works on a Red Hat Linux distribution and results in a vmail user and an empty mail storage directory being created. I'm told that CentOS 4 (and therefore RHEL 4 and WBEL 4) requires the -g (group) flag.
# groupadd -r vmail
# useradd -m -r -d /home/vmail vmail
# mkdir ~vmail/domains
# chown vmail.vmail ~vmail/domains
Hint: If you elected not to create a real user, then skip the groupadd and useradd commands, and change the rest to something like mkdir /home/vmail/domains; chown 5000.5000 /home/vmail/domains.
Remove Sendmail
On the advice of somebody out there I completely removed the (pre-installed) Sendmail, just in case it got in the way of Postfix.
# rpm -e sendmail
Determine your mail server's domain name
If you have a static IP address, then you most likely already have a registered domain name. If, like me, you have a single host on the net, you may have given it the same name. However, if you want to use that name as a virtual host, you'll have some difficulties. For instance, if you already own the domain "whitehouse.gov", your host is named "whitehouse.gov", and you want to have virtual users at "whitehouse.gov", then you're out of luck, as Postfix will treat all users at "whitehouse.gov" as local. You can probably correct this by setting the appropriate Postfix variables ($myhostname, $mydomain), but you may consider renaming your host instead.
Furthermore, the domain name you use in your certificate should match the SMTP/IMAP server name used in your mail clients, otherwise the mail clients will complain. Finally, you'll probably want to use your domain name as the base name of your LDAP tree.
To neatly resolve all these issues, I elected to buy a new domain name, "whitehouse.net" (continuing the example), and rename my server accordingly. Here's how I renamed my machine:
Modified /etc/hosts
Modified /etc/sysconfig/network
Modified /etc/hostname
I rebooted after this, but if nothing that cares about the hostname is running yet, you can probably just run hostname --file /etc/hostname.
Hint: You will need an MX record set up in the public DNS that points to your server. The MX record should not be the IP address of your machine. Instead it should be the name of an A record. That is, set up an A record, e.g. mail.mydomain.com, to point to your IP, then set the MX record to mail.mydomain.com.
Determine your LDAP base (root, suffix, whatever)
Do whatever you want here, but the current convention, and the one I used, is to break your domain name into components and reference them with the "dc" (domain component) attribute. That is, your base should be something like dc=whitehouse,dc=net or dc=mail,dc=whitehouse,dc=net.
Summary
Your server's name should not also be the name of any virtual host.
The domain name used in your cert should be the same as your server's DNS name.
You should probably use your domain name as the root of your LDAP tree.
Creating certificates for Postfix, Dovecot and Apache
If you want, you can skip this step for now and return to it once you've got the unencrypted versions of Postfix and Dovecot running.
What we want to do here is create a cert and a private key that can be used for Postfix, Dovecot, and Apache (SquirrelMail over SSL). Technically, it's not necessary to sign this cert, but we will. This allows our users to install the signing (root) certificate in their user agents/operating systems. There are a number of HOWTOs on this subject, but you probably want to put a little thought into this first. What I wanted was to create a signing certificate (root CA certificate), a signed cert and a private key that were appropriately named. On Red Hat-like systems certs are kept in /usr/share/ssl. I didn't want to use the existing directory structure below that; instead I created a directory called hosting.example (remember that's a pseudonym for what I really used), and created all my certs in there.
There are a handful of shell scripts in /usr/share/ssl/misc that wrap the OpenSSL utilities for manipulating certs, and we'll use these. (You can call OpenSSL directly for more fine-grained control, if you want. It will avoid some post-creation manipulation of the certs.) But first we have to modify the script we want to use, CA.
By default the CA script will encrypt the certs it creates. Generally this is a good thing, but on a server it's not. This is because a process that uses the cert needs to supply a keyphrase to unlock it. If the server reboots on its own, then no one will be there to type in the key, and the server will never fully boot up. So make a copy of CA (call it CA_nodes) and edit it. Search for "# create a certificate" and add -nodes to the line below, the one that begins with $REQ. When you're done with this, search for "# create a certificate request" (just below) and do the same again.
Another change we want to make is to make sure the signing cert lasts for longer than the default year. Do this by searching for the line that reads DAYS="-days 365" (the first non-comment line in my instance) and change 365 to some larger value; I used 3650, ten years.
When you're done it should look like this:
DAYS="-days 3650"
...
-newcert)
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Certificate (and private key) is in newreq.pem"
    ;;
-newreq)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
Now, these scripts will ask for a lot of input. To make life easier, and to avoid typing errors, this input can be defaulted from the contents of a particular file, /usr/share/ssl/openssl.cnf. It should already be there; let's edit it.
You'll need to change countryName_default, 0.organizationName_default, organizationalUnitName_default, commonName_default, and emailAddress_default. In addition, I also changed default_days in the CA_default section from 365 to 3650 (1 year to 10 years). For clarity's sake, here are the relevant bits of my openssl.cnf file:
...
[ CA_default ]
dir = ./demoCA # Where everything is kept
...
default_days = 3650 # How long to certify for
...
[ req_distinguished_name ]
countryName = Country Name (code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Massachusetts
localityName = Locality Name (eg, city)
localityName_default = Anytown
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Hosting Company Name
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ISP
commonName = Common Name (eg, your name or your server\'s hostname)
# (Very Important, in order to keep mail clients and other user agents from complaining, this name must
# match exactly the name that the user will be entering into their client settings. Whether that be
# domain.extension or mail.domain.extension or what. It must be a valid DNS name pointing at your
# server.
commonName_default = myhosting.example
commonName_max = 64
emailAddress = Email Address
emailAddress_default = postmaster@myhosting.example
emailAddress_max = 64
...
With this done we can create a signing (root CA) certificate. Go to the directory you created earlier, /usr/share/ssl/hosting.example, and run the CA_nodes script:
# ../misc/CA_nodes -newca
CA certificate filename (or enter to create) [hit enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
.......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: [enter a password and remember it]
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: [hit enter]
State or Province Name (full name) [Massachusetts]: [hit enter]
Locality Name (eg, city) [Anytown]: [hit enter]
Organization Name (eg, company) [My Hosting Company Name]: [hit enter]
Organizational Unit Name (eg, section) [ISP]: [hit enter]
Common Name (eg, your name or your server's hostname) [myhosting.example]: [hit enter]
Email Address [postmaster@myhosting.example]: [hit enter]
You now have a directory called demoCA in which is your signing cert, cacert.pem, and a number of other files and directories that make up the (currently empty) database of certificates you've signed and revoked. Now we'll create a new certificate "request" (we'll have a proper cert once we sign it).
# ../misc/CA_nodes -newreq
Generating a 1024 bit RSA private key
...............................++++++
.......++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: [hit enter]
State or Province Name (full name) [Massachusetts]: [hit enter]
Locality Name (eg, city) [Anytown]: [hit enter]
Organization Name (eg, company) [My Hosting Company Name]: [hit enter]
Organizational Unit Name (eg, section) [ISP]: [hit enter]
Common Name (eg, your name or your server's hostname) [myhosting.example]: [hit enter]
Email Address [postmaster@myhosting.example]: [hit enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: [anything will do, I used "certpass"]
An optional company name []: [hit enter]
Request (and private key) is in newreq.pem
The output of this is your certificate request, newreq.pem, inside of which are your certificate and private key (take a look, if you want). Now we'll sign this to generate a real certificate.
# ../misc/CA_nodes -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: [enter the passphrase used when creating the signing (CA) cert above]
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 1 (0x1)
    Validity
        Not Before: Sep  4 19:04:43 2004 GMT
        Not After : Sep  4 19:04:43 2014 GMT
    Subject:
        countryName = US
        stateOrProvinceName = Massachusetts
        [output elided]
Certificate is to be certified until Sep  2 19:04:43 2014 GMT (3650 days)
Sign the certificate? [y/n]: [hit "y"]
1 out of 1 certificate requests certified, commit? [y/n]: [hit "y"]
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
[output elided]
-----BEGIN CERTIFICATE-----
MIIEGTCCA4KgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBsTEL...
[output elided]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Your certificate is now in newcert.pem. There's just one thing left to do to make all this nice and clean: we want to extract the private key from the certificate request into its own file. So edit newreq.pem, delete the certificate request (all the lines between "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" inclusive), and save it under a meaningful name, e.g. ExamplePrivateKey.pem (where "Example" is your domain name, like Whitehouse). I also renamed newcert.pem to ExampleCert.pem.
In summary, we now have three files we care about (we don't care about newreq.pem anymore):
demoCA/cacert.pem: Our root CA certificate
ExampleCert.pem: Our certificate for use
ExamplePrivateKey.pem: Our private key
Because various processes, running as various users, will need to access these certs, make sure they are world-readable (they should be already). This is probably bad practice in the event that a local user (or a black hat who has local user privileges) steals them, but I only have one user on my machine, root. And if root gets owned, well, that's it.
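Added example, not part of the original tutorial: a Python script that performs the manual editing step above (separating the private key from the certificate request in newreq.pem) by parsing the PEM blocks rather than by hand, so the key file cannot accidentally keep the request or lose a line. File names follow the tutorial (ExamplePrivateKey.pem); the sample newreq.pem content is constructed, with placeholder base64 bodies that are not real key or CSR material. It writes the key with mode 0600, the tighter choice the paragraph above identifies as better practice; widen it deliberately for the services that need it.

```python
import os
import re
import tempfile

# One regex per PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Constructed stand-in for newreq.pem as written by `CA_nodes -newreq`:
# a private key block followed by a certificate request block.
SAMPLE_NEWREQ = """-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWSAtIE5PVCBBIFJFQUwgS0VZ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgU0FNUExFIENTUiAtIE5PVCBBIFJFQUwgQ1NS
-----END CERTIFICATE REQUEST-----
"""


def split_pem(text):
    """Return [(label, block_text)] for every PEM block found, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def extract_private_key(text):
    """Return the single private-key block (with trailing newline).
    Raises if there is not exactly one, so a malformed file is never used silently."""
    keys = [block for label, block in split_pem(text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one PRIVATE KEY block, found {len(keys)}")
    return keys[0] + "\n"


def write_private_key(newreq_path, key_path):
    """Read newreq.pem and write only its private key to key_path, mode 0600."""
    with open(newreq_path, encoding="ascii") as f:
        key = extract_private_key(f.read())
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(key)
    return key_path


def demo(directory=None):
    """Write the constructed newreq.pem to a scratch directory, split it, and
    return (key text, permission bits of the key file)."""
    directory = directory or tempfile.mkdtemp(prefix="hosting.example-")
    newreq = os.path.join(directory, "newreq.pem")
    with open(newreq, "w", encoding="ascii") as f:
        f.write(SAMPLE_NEWREQ)
    key_path = write_private_key(newreq, os.path.join(directory, "ExamplePrivateKey.pem"))
    with open(key_path, encoding="ascii") as f:
        key = f.read()
    return key, os.stat(key_path).st_mode & 0o777


if __name__ == "__main__":
    key, mode = demo()
    print(key, oct(mode))
```

The label match is deliberately loose on the left ("RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY" all qualify) because different OpenSSL versions write the key in different PEM forms, while the certificate request block is never copied.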
OpenLDAP
Installation
Not all of OpenLDAP was preinstalled on my system. White Box supports apt, which I used to get OpenLDAP. You'll need all three packages. I highly recommend installing from your distro's package management system rather than compiling yourself.
# apt-get install openldap
# apt-get install openldap-servers
# apt-get install openldap-devel
Understanding the Jamm Schema
Configuring OpenLDAP for our needs requires Jamm's schema files, so you should download the Jamm binary now. Put it anywhere and unpack it.
# tar -zxvf jamm-0.9.6-bin.tar.gz
The Jamm schema introduces four new object classes and a handful of attributes. These are:
Object Class: JammMailAccount
A user's mail account.
Interesting attributes:
mail - User's full email address and, consequently, their login name. Ex: joe@myschool.edu
homeDirectory - User's home directory. Here it will always be /home/vmail/domains
mailbox - User's mail directory, relative to homeDirectory. Ex: myschool.edu/joe. The concatenation of homeDirectory and mailbox gives the absolute path to the user's mail directory.
cn - User's common name. Ex: Joe Blow
accountActive - Boolean telling whether the account is active.
delete - Boolean telling whether the account has been deleted. Note: Jamm never actually deletes anything, it just sets this flag.
userPassword - User's password, which should be stored hashed, never in clear text.

Object Class: JammVirtualDomain
A domain that's hosted on this system.
Interesting attributes:
jvd - A hosted domain name. Ex: myschool.edu
accountActive - Boolean telling whether this domain is active.
delete - Boolean telling whether this domain has been deleted. Note: Jamm never actually deletes anything, it just sets this flag.

Object Class: JammMailAlias
Aliases (other email addresses) that users may set up to redirect their mail.
Interesting attributes:
mail - The receiving email address. Ex: joe@myschool.edu
maildrop - Email address to redirect to; may be multi-valued. Ex: joseph@myschool.edu, joe@yahoo.com
delete - Boolean telling whether this alias has been deleted. Note: Jamm never actually deletes anything, it just sets this flag.
accountActive - Boolean telling whether this alias is active.

Object Class: JammPostmaster
Signifies that this entry is a "Postmaster", a kind of domain-level super user. Multiple people can be Postmasters in a domain.
Interesting attributes:
roleOccupant - The distinguished name (DN) of a user who acts as postmaster for the domain. Can be more than one.

Because "deleted" entries stay in the directory with only the delete flag set, every lookup that consumes these entries has to test accountActive and delete explicitly; keep that in mind when reading the Postfix query filters later in this document.
Once you have built the base LDAP tree and added a few domains and users, the structure will look like what's shown in figure 2.
Figure 2. Jamm LDAP tree
Configuring slapd
All slapd configuration is in slapd.conf. On my box that's in /etc/openldap. On yours it might be in /usr/local/etc/openldap. Note that OpenLDAP 2.3 and later default to the dynamic cn=config database (the slapd.d directory); slapd still accepts a slapd.conf, and slaptest -f slapd.conf -F slapd.d converts one into the new format, but everything below is written in slapd.conf syntax.
Adding Schemas
You need to make Jamm's schema file available, so copy the jamm.schema file from the Jamm distribution to the OpenLDAP schema directory, /etc/openldap/schema/ in my case. jamm.schema depends on cosine.schema and nis.schema. Add these lines to slapd.conf. The first two may already be there.
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/jamm.schema
Remember, these schemas might be in /usr/local/etc/openldap/schema (or anywhere else) on your machine. Include order matters: a schema file must come after the files it depends on (cosine after core, nis after cosine, jamm last), otherwise slapd refuses to start with an unknown attribute type error.
Setting the Password Hash Type
Passwords are (should be) hashed when stored in LDAP. The default hashing mechanism is SSHA (salted SHA-1), but the early Dovecot this HOWTO was written against could not verify it, so the original instructions switch OpenLDAP's password hashing mechanism to CRYPT. I added the following line near the top of slapd.conf, right after all the includes.
password-hash {CRYPT}
Two caveats before you copy this. First, current Dovecot releases verify SSHA (and stronger schemes) from userPassword directly, so check the password schemes your Dovecot supports before downgrading; {CRYPT} with OpenLDAP's default salt format is the traditional DES crypt(3), which silently ignores everything past the eighth character of a password and is cheap to brute-force. Second, password-hash only governs passwords set through the LDAP Password Modify extended operation (what ldappasswd uses); a userPassword value written with ldapadd or ldapmodify is stored exactly as given, hashed or not, so any tool that writes userPassword directly must hash the value itself.
Adding a Database Definition
Next, you need to set up a database definition. You can do this with the following lines:
database ldbm
directory /var/lib/ldap
suffix "dc=myhosting,dc=example"
The database directive specifies the back-end type to use. This HOWTO uses LDBM, which was the default at the time; LDBM is obsolete and was removed in OpenLDAP 2.4, so on anything recent use mdb (or bdb/hdb on 2.2 and 2.3) in its place and keep the other directives the same. The directory directive specifies the path where the database files live; it must exist and be writable by the user slapd runs as. The suffix directive specifies the root suffix for this database.
Creating the Root User
The next few lines set up the "super user" or "root" account:
rootdn "cn=Manager,dc=myhosting,dc=example"
rootpw {SSHA}ea0sD475P32ASAlaAhR8kgi+8Aflbgr7
The rootdn entry has complete access to the database and bypasses all access controls, which is why its password is kept in slapd.conf rather than in the directory itself. The password in rootpw should always be stored in hashed form. Do not store the password in clear text. To convert a clear-text password to a hash, use the slappasswd command:
# slappasswd
New password: [enter some password and remember it]
Re-enter new password: [enter it again]
{SSHA}ea0sD475P32ASAlaAhR8kgi+8Aflbgr7
Take the output from slappasswd and copy it into slapd.conf, as shown above. Since slapd.conf now holds this hash (and the ACLs), make sure it is readable only by root and the slapd user, for example mode 640 and owned by root:ldap on a Red Hat style system. The rootpw hash stays SSHA even though password-hash is set to CRYPT; that directive does not apply to rootpw.
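The {SSHA} value slappasswd prints has a fixed layout, and it helps to know it when you later need to check a hash without a running slapd, or when Dovecot reads userPassword directly as the ACLs below allow. The following Python is an added example, not code from the Jamm HOWTO or from OpenLDAP: it builds {SSHA} values the way slappasswd does (SHA-1 over password plus a 4-byte salt, salt appended, base64 of the lot) and verifies {SSHA} and {SHA} values; any other scheme, {CRYPT} included, is refused rather than guessed. The salt in the sample run is constructed.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the Jamm HOWTO or OpenLDAP. Layout reproduced:
#     "{SSHA}" + base64( SHA1(password || salt) || salt )
# which is what `slappasswd` prints by default ({SHA} is the unsalted variant).

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; anything after it in the blob is salt


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in {SSHA} form, like `slappasswd -h {SSHA}`."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd's default salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str):
    """Split '{SCHEME}payload' into ('SCHEME', 'payload'); the scheme is upper-cased."""
    if not stored.startswith("{") or "}" not in stored:
        return None, stored
    end = stored.index("}")
    return stored[1:end].upper(), stored[end + 1:]


def verify_userpassword(stored: str, password: str) -> bool:
    """Check password against a {SSHA} or {SHA} userPassword value.

    Any other scheme (including {CRYPT}, which needs the platform crypt(3)) and
    any malformed value yields False, so a caller never accepts an unchecked value.
    The digest comparison is constant-time.
    """
    scheme, payload = split_scheme(stored)
    try:
        blob = base64.b64decode(payload, validate=True)
    except (ValueError, TypeError):
        return False
    pw = password.encode("utf-8")
    if scheme == "SSHA":
        if len(blob) <= SHA1_LEN:  # no salt bytes present: malformed, refuse
            return False
        digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "SHA":
        return len(blob) == SHA1_LEN and hmac.compare_digest(hashlib.sha1(pw).digest(), blob)
    return False


if __name__ == "__main__":
    h = ssha_hash("correct horse", salt=b"\x01\x02\x03\x04")  # constructed salt
    print(h, verify_userpassword(h, "correct horse"), verify_userpassword(h, "wrong"))
```

Paste a value produced this way into rootpw or into an LDIF userPassword and slapd will verify it exactly as it verifies slappasswd's output; the two are interchangeable because the layout, not the tool, is what matters.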
Setting up Access Control
NOTE: The instructions that follow are for OpenLDAP 2.0.x. Most distributions now ship with 2.2 or later. In OpenLDAP 2.2 the syntax for setting up ACLs changed slightly. Please read the comments associated with the 2.0 syntax, but use the 2.2 syntax given immediately after it.
The last part of slapd.conf is the access control. You can define your own policy, but here's the one Jamm follows, which I've modified for Dovecot:
The user can change any of their own attributes.
Anyone in the postmaster group of the domain may change any user's attributes in their domain, including the password. This allows the postmaster to reset a user's password if they forget it.
The "dovecot" user can read passwords.
Anonymous (non-authenticated) users may read all information, except the password attribute.
Think about that last rule before adopting it: it lets anyone who can reach the LDAP port enumerate every hosted domain, account and alias. That is acceptable only if slapd listens on localhost (as the slapd -h ldap://127.0.0.1 invocation later in this document does) or is firewalled to the mail hosts; otherwise give Postfix a bind DN of its own (the *_bind, *_bind_dn and *_bind_pw source parameters) and change the final "by * read" clauses to "by * none".
Access control statements are evaluated in order, so they should be defined from most specific to most general. Access to the password attribute, userPassword, is the most specific in our case, and hence it's specified first:
access to dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
        attr=userPassword
        by self write
        by group/jammPostmaster/roleOccupant="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
        by dn="cn=dovecot,dc=myhosting,dc=example" read
        by anonymous auth
        by * none
Please note, the line referencing cn=dovecot is not in the original Jamm HOWTO, but is needed by Dovecot so it can read the userPassword. Typically an authenticating application tries to bind to LDAP as the user in question, a successful bind thus validating the password. The Dovecot version this was written for did not support "authentication binds", so we must allow the Dovecot user read access to the user's password. Current Dovecot does support auth binds (auth_bind = yes in its LDAP configuration); if yours does, prefer them and drop the dovecot read clause, so that no account other than rootdn can ever read password hashes.
The access to line specifies the entries and attributes to which the following by clauses apply. The dn regular expression matches any entry in a domain of our hosting tree, and attr limits these rules to the userPassword attribute. Write access is granted to the user itself and to anyone in the postmaster group. The dovecot user can read it. Anonymous users may only use this attribute to authenticate (a simple bind), not read it. For all other cases, access is denied.
Next, all other attributes of entries in a domain's tree are specified:
access to dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
        by self write
        by group/jammPostmaster/roleOccupant="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
        by * read
This access to line is very similar to the previous one, except that there is no attr specification and no reference to dovecot. Hence, this matches all attributes other than userPassword, which the earlier, more specific rule has already claimed. Again, write access is granted to the user and to anyone in the postmaster group. Everyone else is granted read access.
Finally, we provide read access to all other entries in the database:
access to *
        by * read
Use these ACL statements instead if you are running OpenLDAP 2.2 or later. Caution: untested by the original author. Note that 2.2 introduced dn.regex and the .expand suffix (the $1 back-reference is only substituted into a clause marked .expand), and that the attr keyword is now spelled attrs (the old spelling is still accepted). It is also worth anchoring the regex with ^ and $ so it cannot match a longer DN that merely contains the pattern.
access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
        attr=userPassword
        by self write
        by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
        by dn="cn=dovecot,dc=myhosting,dc=example" read
        by anonymous auth
        by * none

access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
        by self write
        by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
        by * read

access to *
        by * read
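Whether this policy is safe depends entirely on rule order, and that is easy to get wrong when editing slapd.conf by hand. The following Python is an added example, not code from the Jamm HOWTO or from slapd: it models slapd's evaluation of the three access statements above (first matching "access to" wins, then the first matching "by" clause inside it, with "none" if nothing matches) and shows what each identity in the policy list gets on userPassword and on ordinary attributes. The DNs, the roleOccupant membership table and the identity names are constructed; DNs are compared as plain strings here, whereas slapd compares normalized DNs.

```python
import re
from typing import Dict, Optional, Set

# Added example, not code from the Jamm HOWTO or from slapd. It models slapd's
# ACL evaluation for the policy above; all directory data here is constructed.

SUFFIX = "o=hosting,dc=myhosting,dc=example"
DOMAIN_ENTRY = re.compile(r"^.*,jvd=([^,]+)," + re.escape(SUFFIX) + "$")
DOVECOT_DN = "cn=dovecot,dc=myhosting,dc=example"
GROUP_TEMPLATE = "cn=postmaster,jvd=$1," + SUFFIX  # $1 is the domain captured by the regex

# slapd's privilege ladder (disclose omitted); a request is allowed when the
# granted level is at least the level the operation needs.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed JammPostmaster data: group DN -> DNs listed as roleOccupant.
POSTMASTERS: Dict[str, Set[str]] = {
    "cn=postmaster,jvd=myschool.edu," + SUFFIX: {"mail=admin@myschool.edu,jvd=myschool.edu," + SUFFIX},
    "cn=postmaster,jvd=other.org," + SUFFIX: {"mail=root@other.org,jvd=other.org," + SUFFIX},
}

# Each rule is (dn regex or None for "*", attribute or None for all, by-clauses);
# each by-clause is (subject kind, subject argument, level granted).
POLICY = [
    (DOMAIN_ENTRY, "userpassword", [
        ("self", None, "write"),
        ("group", GROUP_TEMPLATE, "write"),
        ("dn", DOVECOT_DN, "read"),
        ("anonymous", None, "auth"),
        ("*", None, "none"),
    ]),
    (DOMAIN_ENTRY, None, [
        ("self", None, "write"),
        ("group", GROUP_TEMPLATE, "write"),
        ("*", None, "read"),
    ]),
    (None, None, [("*", None, "read")]),
]

# The same three rules with the catch-all first: the ordering mistake the text warns about.
SLOPPY = [POLICY[2], POLICY[0], POLICY[1]]


def subject_matches(kind: str, arg: Optional[str], bind_dn: Optional[str],
                    target_dn: str, match: Optional[re.Match]) -> bool:
    """Does the bound identity satisfy one 'by' clause? bind_dn None means anonymous."""
    if kind == "self":
        return bind_dn is not None and bind_dn == target_dn
    if kind == "group":
        # group/jammPostmaster/roleOccupant with $1 expanded from the dn regex capture
        group_dn = arg.replace("$1", match.group(1)) if match else arg
        return bind_dn in POSTMASTERS.get(group_dn, set())
    if kind == "dn":
        return bind_dn == arg
    if kind == "anonymous":
        return bind_dn is None
    return kind == "*"


def granted(policy, bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Access level slapd would grant bind_dn on attr of target_dn under policy."""
    for dn_re, rule_attr, clauses in policy:
        match = dn_re.match(target_dn) if dn_re is not None else None
        if dn_re is not None and match is None:
            continue                                  # target not covered by this rule
        if rule_attr is not None and rule_attr != attr.lower():
            continue                                  # rule is about a different attribute
        for kind, arg, level in clauses:
            if subject_matches(kind, arg, bind_dn, target_dn, match):
                return level
        return "none"                                 # rule matched, no clause did
    return "none"


def allowed(policy, bind_dn: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted(policy, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    joe = "mail=joe@myschool.edu,jvd=myschool.edu," + SUFFIX
    print("anonymous reads userPassword:", allowed(POLICY, None, joe, "userPassword", "read"))
    print("same, with the catch-all rule first:", allowed(SLOPPY, None, joe, "userPassword", "read"))
```

The SLOPPY ordering is the one to watch for: with "access to * by * read" first, every later rule is dead code and anonymous clients can read every userPassword hash in the tree. After editing the real file, confirm the same thing against slapd with an anonymous ldapsearch for userPassword, which must come back without the attribute.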
Creating the Directory Tree
Now that slapd is configured, it's time to start adding data to the LDAP directory. We will use the command line tools that come with OpenLDAP and create LDIF files to modify the directory.
The first step is to create a base tree structure with our root node, the hosting organization, and an entry for the rootdn. Create a file called base.ldif (I put mine in /etc/openldap for safekeeping) with the following contents:
Caution: OpenLDAP is very sensitive to whitespace in LDIF files. Make sure there are no trailing spaces on any of these lines, and that consecutive entries are separated by exactly one blank line.
dn: dc=myhosting, dc=example
objectClass: top
objectClass: domain
domainComponent: myhosting

dn: cn=Manager, dc=myhosting, dc=example
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: o=hosting, dc=myhosting, dc=example
objectClass: top
objectClass: organization
o: hosting

dn: cn=dovecot, dc=myhosting, dc=example
objectClass: top
objectClass: organizationalPerson
cn: dovecot
sn: dovecot

Note, the cn=dovecot entry is not part of the original Jamm HOWTO, but is needed for Dovecot. This is the user Dovecot will bind to LDAP as. organizationalPerson requires both cn and sn, which is why the otherwise meaningless sn is present.
Start up OpenLDAP. On RH/WB Linux you can use service ldap start, or /etc/init.d/ldap start. It's probably similar on your system. Alternately you can start it directly with slapd -u ldap -h ldap://127.0.0.1 , which binds only to the loopback address; that is the right default when the mail daemons on the same box are the directory's only consumers.
Now use ldapadd, binding as the root user, to add this LDIF:
# ldapadd -x -D "cn=Manager,dc=myhosting,dc=example" -W -f base.ldif
Enter LDAP Password: [enter the LDAP password created earlier]
adding new entry "dc=myhosting, dc=example"
adding new entry "cn=Manager, dc=myhosting, dc=example"
adding new entry "o=hosting, dc=myhosting, dc=example"
adding new entry "cn=dovecot, dc=myhosting, dc=example"
Note, the Dovecot user requires a password. Add one like this:
# ldappasswd -x -W -S -D "cn=Manager,dc=myhosting,dc=example" "cn=dovecot,dc=myhosting,dc=example"
New Password: [enter a password for the Dovecot user and remember it]
Re-enter new password: [enter it again]
Enter bind password: [enter the LDAP password created earlier]
Hint: If you ever need to blast this database and start again from scratch, simply stop openldap, delete all the files in the LDAP directory (/var/lib/ldap), start openldap again, and repeat the above process.
Postfix
We'll only cover the sections of Postfix that pertain to the mail hosting. To deal with other parts of Postfix setup, please visit the Postfix web page.
Compiling Postfix with LDAP
Postfix was pre-installed on my system and linked with the appropriate libraries (LDAP, SASL, etc.). The following instructions are not guaranteed to work, but may be helpful. If at all possible install Postfix from a properly configured package; it's just easier. Detailed instructions on installing from source can be found here: http://www.postfix.org/INSTALL.html .
Download the Postfix source and untar it. Postfix veers slightly away from the ordinary configure; make; make install pattern of autoconf. In lieu of configure, with Postfix you make the makefiles. The default makefiles don't include LDAP or SASL, so you'll need to rebuild the makefiles to include them. To do this, execute the following command.
# make makefiles CCARGS="-DUSE_SASL_AUTH -DHAS_LDAP -I/usr/include" AUXLIBS="-lldap -llber -lsasl"
Note, this is how it would be done on my system. On yours the LDAP and SASL libraries are probably in /usr/local/lib and the header files in /usr/local/include, in which case the following will work for you.
# make makefiles CCARGS="-DUSE_SASL_AUTH -DHAS_LDAP -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lldap -llber -lsasl"
Also note that the above commands are for SASL 1, which is long obsolete. For SASL 2 support change -lsasl to -lsasl2 and point -I at the SASL 2 headers (typically /usr/include/sasl); Postfix 2.3 and later additionally require -DUSE_CYRUS_SASL next to -DUSE_SASL_AUTH. Details are here: http://www.postfix.org/SASL_README.html .
Finally, at the time this was written Postfix did not include TLS support in the main code base, and the source had to be patched as documented here: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/ . Postfix 2.2 and later ship that TLS support built in; enable it with -DUSE_TLS in CCARGS and -lssl -lcrypto in AUXLIBS instead of patching, as described in http://www.postfix.org/TLS_README.html .
After you have rebuilt the makefiles (and, on old releases, patched the source) you can follow the normal Postfix compiling and installing instructions as documented in its INSTALL file, which mostly amounts to make; make install.
At one point I tried to upgrade to Postfix 2.1.5 from source, but never succeeded. If I gave myself more time, I could have, but by the time I tried to do this my existing Postfix install was my primary mail server, and the longer I futzed with it, the more mail I was dropping. Anyway, I had all sorts of issues with OpenLDAP containing SASL 1 code and the Postfix I just built having SASL 2 code, and all sorts of library issues like that. These problems tend to show up as strange, unrelated errors in the log files. Let the compiler beware.
Understanding Postfix
Read this, it'll probably help. Postfix is composed of a number of daemons that cooperate. First, there's the SMTP server, smtpd, which together with the queue manager forms the mail transfer agent (MTA). smtpd accepts mail over the network using the Simple Mail Transfer Protocol, SMTP. It acts essentially as a router: it determines whether incoming mail is ultimately destined for this server or not. If not, it relays it on (or, more commonly, refuses to accept it). If the message should be delivered to someone on this server, however, it hands it over to another process called cleanup that rewrites and sanitizes the message and drops it in the incoming queue. smtpd's job is now done.
Once a message is put in the queue, the queue manager passes it to a mail delivery agent (MDA) for ultimate delivery to a user's inbox or to another program for further processing. These MDAs and other programs are called "transports" in Postfix. The different transports are defined in the file /etc/postfix/master.cf (on my system). For our purposes there are two MDAs we want to know about: local and virtual. Both of these agents put email in the user's mailbox.
The MDA takes the mail that has been accepted into the queue and delivers it. The local transport knows how to deliver mail for users that have accounts on the system. For virtual users there is a different transport named "virtual." The virtual agent, the one we use, is used when the recipients do not exist as system users. The primary difference between the two is that virtual gets its user information (mailbox location, uid and gid) from lookup tables such as LDAP, while local relies on the system's user database. In fact, virtual is a stripped-down derivative of local. Much more information can be found on the Postfix architecture page.
Configuring Postfix
While configuring Postfix for this task, we'll be mostly concerned with /etc/postfix/main.cf (possibly /usr/local/etc/postfix/main.cf on your machine). For most of the Postfix configuration, you will configure things in a way that makes the most sense for your site, and you can follow the documentation contained in the Postfix source or on the Postfix web page. In this document, we'll talk about the settings that are unique to and/or affected by this setup. If any of the configuration examples shown below aren't explicitly attributed to a specific file, assume they would be found in main.cf.
Configuring LDAP Sources
Postfix user and domain information can be stored in a variety of places, i.e. sources. When using LDAP, you make up a source name, then use that name as a prefix for the required LDAP parameters. Later that same name is used to tell Postfix that a certain piece of information can be found in LDAP using those parameters. For instance, if you are going to have Postfix search LDAP for domain information, the parameter prefix might be "domains". Then the parameters will be defined as domains_server_host, domains_search_base, and so on.
You can easily define multiple LDAP sources. LDAP source parameters are documented in README_FILES/LDAP_README. The parameter names follow the pattern ldapsource_parameter. The LDAP source name is defined when it is first used. In main.cf, you'll need one LDAP source definition per lookup. Note that this main.cf-prefixed form is the legacy style; Postfix 2.1 and later prefer one file per source (for example ldap:/etc/postfix/ldap-domains.cf, with the same parameter names minus the prefix), which also keeps any bind_pw out of the world-readable main.cf. Everything below translates directly to that form.
Configuring the Source for Virtual Domain Information
domains_server_host = localhost
domains_search_base = o=hosting,dc=myhosting,dc=example
domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
domains_result_attribute = jvd
domains_bind = no
domains_scope = one
The first LDAP source definition is for looking up the virtual domains being hosted. By having this as an LDAP lookup, we'll be able to add new domains dynamically by adding new JammVirtualDomain entries to LDAP. jvd is "Jamm Virtual Domain", the attribute where Jamm stores domain names like whitehouse.gov.
We've named this LDAP source "domains". In our configuration, as specified by the server_host line, our LDAP server is running on localhost. Our search base is the top of the hosting subtree we defined in our LDAP server, and according to scope we only want to search the directory level right under the base. We're querying for items where the jvd attribute matches the domain of the e-mail recipient as well as items that are of the JammVirtualDomain object class. We also check that the accountActive attribute is set to TRUE and that the delete attribute is set to FALSE. As specified by bind, we do not bind/log in to the LDAP server; we just do an anonymous search, which the ACLs above permit. Since we're only interested in whether there's a match, and not in any particular value of the match, we just return jvd as the result_attribute.
Configuring the Source for User Aliases
aliases_server_host = localhost
aliases_search_base = o=hosting,dc=myhosting,dc=example
aliases_query_filter = (&(objectClass=JammMailAlias)(mail=%s)(accountActive=TRUE))
aliases_result_attribute = maildrop
aliases_bind = no
This LDAP source definition is for virtual aliases. We've named this LDAP source "aliases". We're querying for items where the mail attribute matches the email recipient as well as items that are of the JammMailAlias object class. We also check that the alias is active by checking that the accountActive attribute is set to TRUE. Note that, unlike the domains and accounts filters, this one does not test delete=FALSE; unless Jamm also clears accountActive when it flags an alias as deleted, add (delete=FALSE) here as well, otherwise mail keeps flowing through aliases the postmaster believes are gone. The destination of the alias is the maildrop attribute. Because we have not specified a scope in our LDAP definition, it will perform the default search of the entire subtree under the base.
Aliases are a good way of having generic mail addresses delivered to one or more specific people. For instance, you can create an alias (easy when using Jamm) called sales@example.com, and have all the mail sent to that address actually delivered to bill@example.com and sue@example.com. Of course, the actual recipients may be in another domain; for instance, if Bill has left the company, you can delete his email account and create an alias of the same name, such that all mail sent to bill@example.com is forwarded to bill@someplaceelse.com.
But possibly the least intuitive use for this feature is as a replacement for the user-oriented .forward file. It turns out that it's the local mail delivery agent that knows how to process .forward files; virtual doesn't. Even though virtual is derived from local, the ability to process a .forward file was deliberately left out, for security reasons: a .forward file can pipe mail into arbitrary commands run as its owner, which makes no sense for recipients who have no system account. The upshot of this is that there's no easy way to allow a user to specify that they want mail delivered to their normal inbox and one or more external mailboxes. One possible approach is to use a different delivery agent that supports both LDAP and .forward functionality. Procmail won't do because, like local, it can't get user information from LDAP. Maildrop might work except that the latest incarnation of Maildrop requires yet another daemon process to run in order to get to LDAP (and MySQL, etc.), and I simply don't want that.
There are no other suitable delivery agents that I'm aware of.
However, the proper use of aliases can solve this problem. The trick is to create an alias of the name that the user will be known as to the outside world, say jane@example.com, then give that alias two or more destinations. One destination would be the email address of the actual user on this server (that you also create), say jane.doe@example.com, and the rest are the remote addresses to which mail should also be forwarded, such as jane@gmail.com. The user would have to set up her IMAP clients (including SquirrelMail) with From: or Reply-To: set to the alias name (jane@example.com) and not the actual account name. Any mail sent directly to the actual user (jane.doe@example.com) won't get forwarded.
Configuring the Source for User Accounts
accounts_server_host = localhost
accounts_search_base = o=hosting,dc=myhosting,dc=example
accounts_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
accounts_result_attribute = mailbox
accounts_bind = no
The accounts source is very similar to our aliases source. It's used by Postfix to look up actual users. The big difference here is that we're looking for entries that have an object class of JammMailAccount and we're interested in the mailbox attribute of the resulting match. We also check that the account is still active by looking at the accountActive attribute, and that the account is not marked for deletion by checking the delete attribute. Postfix appends the returned mailbox value (for example myschool.edu/joe) to virtual_mailbox_base, which should therefore be the same /home/vmail/domains that the homeDirectory attribute holds.
It's possible to use virtual aliases to define “catch-all” addresses, such as “@example.com -> mike@example.com.” A catch-all address receives mail for every address in this domain that is not also listed in the virtual alias list. What this means is that if we have a catch-all address, it will indeed catch all email, even email destined for actual users on the system, unless those actual users are also listed in the alias list. If you use catch-all aliases, you can guard against this behavior by creating another (seemingly redundant) LDAP source that returns the email address (contained in a user's mail attribute) of all users, and force Postfix to use both this LDAP source and the aliases LDAP source when looking up virtual aliases. Here is that LDAP source:
accountsmap_server_host = localhost
accountsmap_search_base = o=hosting,dc=myhosting,dc=example
accountsmap_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
accountsmap_result_attribute = mail
accountsmap_bind = no
This is identical to the accounts LDAP source except that we are returning the mail attribute (email address) of a user rather than her mailbox location.
The Virtual Alias Maps
Now that the aliases LDAP source(s) have been defined, we need to let Postfix know to use them. This is taken care of using the virtual_alias_maps parameter in main.cf:
virtual_alias_maps = ldap:aliases
If you are using catch-all addresses, and need to correct for Postfix's quirky handling as just described, then the virtual alias maps should look like this instead:
virtual_alias_maps = ldap:accountsmap, ldap:aliases
When Postfix builds this mapping table it will include all actual users plus all aliases, keeping catch-all aliases from catching mail meant for legitimate users.
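As an added illustration (not code from the HOWTO or from Postfix), here is a small Python model of how Postfix walks the virtual_alias_maps tables for a recipient: the full address is tried in every table first, then the @domain catch-all form, and expansion recurses until an address maps to itself or to nothing. The alias and account data below are constructed stand-ins for the two LDAP sources, and the model shows jane.doe@example.com being swallowed by the catch-all unless accountsmap is present.

```python
"""Model of Postfix virtual alias resolution with and without the accountsmap source.

Constructed sample data; not a real LDAP directory.
"""

# Stand-in for ldap:aliases (key -> destinations). "@example.com" is the catch-all.
ALIASES = {
    "jane@example.com": ["jane.doe@example.com", "jane@gmail.com"],
    "@example.com": ["mike@example.com"],
}

# Stand-in for ldap:accountsmap: every real account maps to its own mail attribute.
ACCOUNTS = ["mike@example.com", "jane.doe@example.com", "bob@example.com"]
ACCOUNTSMAP = {addr: [addr] for addr in ACCOUNTS}


def lookup(key, tables):
    """Query each table in order for one key; the first table with a hit wins."""
    for table in tables:
        if key in table:
            return table[key]
    return None


def virtual_alias_lookup(address, tables):
    """Postfix tries the full address in all tables before falling back to the
    @domain catch-all form, so an exact hit anywhere beats a catch-all anywhere."""
    hit = lookup(address, tables)
    if hit is None:
        hit = lookup("@" + address.split("@", 1)[1], tables)
    return hit


def resolve(address, tables, _seen=None):
    """Return the final delivery addresses for one recipient after recursive
    alias expansion. An address that maps to itself (or to nothing) is final."""
    seen = set() if _seen is None else _seen
    if address in seen:          # loop guard, as Postfix's expansion has
        return [address]
    seen.add(address)
    hit = virtual_alias_lookup(address, tables)
    if hit is None or hit == [address]:
        return [address]
    final = []
    for dest in hit:
        final.extend(resolve(dest, tables, seen))
    return final


if __name__ == "__main__":
    for recipient in ("jane@example.com", "jane.doe@example.com", "nobody@example.com"):
        print(recipient, "->", resolve(recipient, [ALIASES]),
              "| with accountsmap:", resolve(recipient, [ACCOUNTSMAP, ALIASES]))
```

The run with only ldap:aliases is the broken setup the text warns about; the second column is what virtual_alias_maps = ldap:accountsmap, ldap:aliases produces.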
The Virtual Accounts
Telling Postfix about the virtual accounts is a bit trickier than the aliases. This is due to the fact that we need to define a lot of extra information about the virtual mail storage.
For this example, we assume that there is a vmail Unix account created that has a UID of 101, a GID of 101, and its home directory is /home/vmail. We will use the home directory of the vmail user as the place where we store our virtual mail repository. As before, add this to main.cf:
virtual_transport = virtual
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_maps = ldap:accounts
virtual_mailbox_domains = ldap:domains
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:101
Most of the above is pretty straightforward, except for virtual_transport, virtual_minimum_uid, virtual_uid_maps, and virtual_gid_maps.
For virtual accounts, we want to use the virtual transport and set virtual_transport to specify this.
With the domains LDAP source defined, Postfix needs to be configured to use it. This is done by setting virtual_mailbox_domains in main.cf to ldap:domains.
The Postfix documentation states “[virtual_minimum_uid] specifies a minimum UID that will be accepted as a return from a virtual_uid_maps lookup. Returned values less than this will be rejected, and the message will be deferred.” Since we have decided that all mail for virtual accounts will be stored using the vmail Unix account, we set virtual_minimum_uid to the UID of vmail. Also, we set virtual_uid_maps and virtual_gid_maps to a special static map and hard code it to the UID and GID of the vmail user. All of the parameters shown here are fully documented in README_FILES/VIRTUAL_README that comes with the Postfix source.
Other Postfix Settings Inne ustawienia Postfix
Many defaults are fine in this setup (myhostname, mydomain, etc.), but change them if you need to. In my case I also set (in main.cf):
inet_interfaces = $myhostname, localhost
This tells postfix to listen for connections from the outside world and from localhost. localhost is needed by SquirrelMail if nothing else.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
Even though we are depending solely on the virtual transport, the local transport is apparently still active. This transport really wants to have an alias database of its own, and that's what these are. It seems safe to comment these out, if, and only if, you also comment out the local transport in the master.cf file (but I'm not sure how advisable that is). I elected to leave these intact and have postfix create the local alias database from the empty local alias maps file by running the command: newaliases or postalias /etc/postfix/aliases (same thing). You'll probably need to do the same thing.
home_mailbox = Maildir/
Make Postfix use Maildir (one file per email) format instead of mbox (one big file)
Postfix setup is complete. You can start Postfix with the following command: service postfix start. If you don't have another email account to test this one with (like whoever@yahoo.com), then this service might be useful: http://www.zoneedit.com/smtp.html .
SMTP AUTH with SASL
The setup so far will allow a virtual user to receive mail and that's it. No virtual user can send (relay) mail (though local ones can), nor can any other server. We don't want servers to be able to relay, but you definitely want your users to. There are a number of inelegant ways to get this to happen, but the cleanest is to use SMTP authentication; making your users authenticate to Postfix, and allowing authenticated users to send mail.
Building SASL
To use SMTP AUTH you must also use SASL, an authentication protocol invented by Netscape. The most common FOSS implementation of SASL is Cyrus-SASL from Carnegie Mellon University. On my machine Cyrus-SASL was preinstalled, but it lacked LDAP support, so I downloaded the source and compiled that. You can get the source tarball here: http://ftp.andrew.cmu.edu/pub/cyrus-mail
Some of the defaults were not as they should be for a Red Hat like system, so I ran configure like this:
# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-ldap
# make
# make install
The important part is the --with-ldap flag (make sure you have the OpenLDAP development libraries installed as above). The CPPFLAGS and LDFLAGS may or may not be important. Dovecot needed them (more later), and I figured they couldn't hurt, so I used them here too. They basically point to the Kerberos development files, which on my system were not in /usr/lib and /usr/include.
Configuring SASL
Cyrus-SASL requires a particular directory to keep its runtime information. This directory will (probably) not be created for you. Run saslauthd from the command line and let it yell at you, then you'll know. You can create the asked-for directory manually without problems. I used /var/run/saslauthd. Or rather, the pre-existing init script did by passing in the -m flag, but I concurred.
Cyrus-SASL also uses a config file that's not automatically created. In my case it's called /etc/saslauthd.conf. Create this file with the following self-explanatory contents:
ldap_servers: ldap://127.0.0.1
ldap_search_base: o=hosting,dc=myhosting,dc=example
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
Important: If you are using Cyrus-SASL 2.1.17 (possibly 2.1.18 as well), then you must change the ldap_filter directive above to be as follows:
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u@%r)(accountActive=TRUE)(delete=FALSE))
Finally, you must tell Cyrus-SASL that it is to use LDAP by passing -a LDAP to it at startup. There are two ways to do this (and you might find that it's already been done for you); you can add it to the init script or you can add it to a file read in by the init script. I chose the former, but it's up to you. Here's the relevant part of my init script (located at /etc/init.d/saslauthd):
# Source function library.
. /etc/init.d/functions
# Source our configuration file for these variables.
SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=
if [ -f /etc/sysconfig/saslauthd ] ; then
    . /etc/sysconfig/saslauthd
fi
RETVAL=0
# Set up some common variables before we launch into what might be
# considered boilerplate by now.
prog=saslauthd
path=/usr/sbin/saslauthd
start() {
    echo -n $"Starting $prog: "
    daemon $path -m $SOCKETDIR -a $MECH $FLAGS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}
Notice how the MECH variable is set to ldap and how it is later used with the -a flag when kicking off the daemon. (Also notice how the SOCKETDIR variable is set to the path of SASL's runtime directory.) Alternately, as you can see, you could have added the MECH (and SOCKETDIR) variables to the /etc/sysconfig/saslauthd file which is sourced by this script.
Later, when you've actually added a user to LDAP, you can test your SASL configuration like this:
# testsaslauthd -u users_login_name -p users_password
For instance:
# testsaslauthd -u george@whitehouse.gov -p thisisasecret
0: OK "Success."
Configuring Postfix / SASL Environment
You may or may not need the following. My setup works both ways, however I'm leaving it in for safety. The premise is that every process that uses SASL can have a SASL-specific configuration file. In other words Postfix (not SASL) will look in /usr/lib/sasl2 (note the “2”) for a file called smtpd.conf. On some systems (Debian? chrooted?) this file path may be /etc/postfix/sasl. Postfix will then learn a few things about SASL. What we're interested in telling Postfix is what mechanism SASL will use to look something up and what formats it will accept user information in. In short, create the file /usr/lib/sasl2/smtpd.conf (or /etc/postfix/sasl/smtpd.conf) and make it look like this:
pwcheck_method: saslauthd
mech_list: login plain
This will tell Postfix to contact the saslauthd daemon for authentication purposes, and keep Postfix from telling user agents that it supports, say, Kerberos (which it may, but SASL/LDAP doesn't) when SASL only accepts “plain.” (Or something like that.)
Configuring Postfix
Add the following Postfix directives to the end of /etc/postfix/main.cf:
# SASL support
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = no
The first line is obvious. The second is very important — smtpd_sasl_local_domain must be there (not missing or commented out) and it must be blank! The value of this variable is appended to the login name Postfix sends to SASL. Since our login names already have the domain component, using this would cause Postfix to send something like “george@whitehouse.gov@whitehouse.gov” or worse “george@whitehorse.gov@myisp.net.” And if it's not there at all, bad things happen.
The smtpd_recipient_restrictions allow local users and users authenticated via SASL to send mail — and nobody else (unless you have set up allowed relays, which, presumably, you haven't.)
The smtpd_sasl_security_options bit is obvious but important. The final variable, smtp_sasl_auth_enable refers to having this server authenticate to other servers, and we don't care about that.
SMTP over SSL (TLS)
Since we are using plain text logins we need to be able to encrypt them. Besides, there's no reason to let others sniff our mail either. Turning on SSL is pretty easy. You just have to create a few certs and then set a few variables.
How to create certs was detailed above. If you haven't done that part, you'll need to do it now. To enable Postfix to support TLS modify /etc/postfix/main.cf as follows (these settings won't be there by default, so just add them to the bottom):
# TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/share/ssl/hosting.example/ExamplePrivateKey.pem
smtpd_tls_cert_file = /usr/share/ssl/hosting.example/ExampleCert.pem
smtpd_tls_CAfile = /usr/share/ssl/hosting.example/demoCA/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
These settings should be more or less self-explanatory, although I don't know why Postfix needs the CA cert. You can play with the log level, but I found setting it to 3 generated a lot of LDAP/SASL noise in my log files.
Dovecot IMAP
Building Dovecot
Dovecot was not pre-installed on my system. It was available via apt-get, but not with LDAP support. This meant compiling from source, here's how:
# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --mandir=/usr/share/man --with-ldap --with-ssldir=/usr/share/ssl
# make
# make install
In the above run of configure, the --with-ldap flag is the most important. But you must pay special attention to the output of configure. Even if the LDAP libraries are not found, Dovecot will still build and install! This may be legitimate, but Dovecot will fail to communicate with LDAP, and it may lead you (as it did me) to believe that your Dovecot build is good, and something else is keeping the communication from happening. In a similar vein, Dovecot wants to build against Kerberos, and silently continued even though it couldn't find the Kerberos libraries, which on my machine are in /usr/kerberos/lib (the header files are in /usr/kerberos/include) instead of /usr/lib. The --with-ssldir is used to tell Dovecot the base directory for certificates. It's not really important in our configuration, as we'll be setting the full path to our certs, but it might as well be accurate anyway. As for all the other directory flags, well, I would have liked to keep everything in the default /usr/local (and you probably do too), but previous installs of the non-LDAP, apt-get binary made me choose to imitate that and place things as you see above — your choice.
Creating the Dovecot Auth User
Dovecot's IMAP implementation is made up of several processes. One of these, imap-login, accepts incoming connections and should run as the “dovecot” user, which should have been created for you during package installation or during the make install step. The Dovecot authentication process, dovecot-auth, which authenticates users against some user store, should run, for security reasons, as some other user. It defaults to root, which would be necessary for /etc/shadow or PAM based authentication. But since our users are kept in LDAP, we should run this process as a less privileged user. On my RedHat-like system, this user can be the “nobody” user. I'm informed, however, that this will not work on Debian-based systems. In this case, and even on RedHat, you should create a dovecot-auth user and group.
# groupadd -r dovecot-auth
# useradd -m -r -d /usr/libexec/dovecot dovecot-auth
Note the use of /usr/libexec/dovecot as a home directory. This is where I've installed the Dovecot binaries. You can use whatever you want.
Configuring Dovecot
Dovecot uses the dovecot.conf file for most of its configuration settings. Using the above configure command the dovecot.conf file will be found in the /etc directory (in your case it might be /usr/local/etc or wherever you set sysconfdir to point to). LDAP is configured elsewhere and discussed in the next section. In general, if you leave a Dovecot setting commented out it defaults to something reasonable. Below, I will show only those settings that are meaningful in the context of this HOWTO.
protocols = imap imaps
Enable only IMAP and IMAP over SSL. Do not enable POP or secure POP. Though you can if you want to.
imap_listen = 127.0.0.1
Non-secure IMAP will only accept connections from local processes. This will be needed for SquirrelMail.
imaps_listen = *
Secure IMAP will accept connections from anywhere.
ssl_disable = no
It's not enough to simply set imaps in the protocols setting, you have to explicitly enable SSL.
ssl_cert_file = /usr/share/ssl/hosting.example/ExampleCert.pem
ssl_key_file = /usr/share/ssl/hosting.example/ExamplePrivateKey.pem
The absolute path to the certificate and private key created earlier. You do not need to specify the CA cert.
disable_plaintext_auth = no
Setting this to true would keep people from connecting unless they came in over SSL. However, that would keep SquirrelMail from working, so this has to be set to no. It's okay though, as the imap_listen directive above keeps the non-encrypted IMAP port from being open to the outside world.
login_user = dovecot
The user that the login process runs as. The dovecot user should have been created for you during make install or during the package installation. Should not be root.
first_valid_uid = 101
last_valid_uid = 101
When we get around to configuring Dovecot for LDAP we will set up a single virtual user, vmail, just as we did for Postfix. Since vmail will be our only user, we can set the first and last valid user IDs to vmail's uid; 101 in this example, almost certainly different on your system.
first_valid_gid = 101
last_valid_gid = 101
Same as above, but for groups.
valid_chroot_dirs = /home/vmail/domains
This is a list of directories where chrooting can take place. In our case, we need only one. It should be set to the root directory of our user's mailboxes, ie /home/vmail/domains.
Note: Immediately below this is a setting called mail_chroot. Do not set this! This value is implied by the fact that we are using an absolute path in the default_mail_env setting.
default_mail_env = maildir:/home/vmail/domains/%d/%n
The all important setting! Okay, if I got this right, Dovecot has this notion of a “mail environment.” It consists of a mailbox format (mbox or maildir), a colon, the relative (?) or absolute path to the user's mailbox, and a few other things that are inadequately explained. It is possible to store the mail environment in LDAP, but since this is not a standard LDAP attribute, nor part of the Jamm schema, we will forego this. When the mail environment can't be retrieved from LDAP, Dovecot uses the default_mail_env instead. (If both of these are unavailable, I think Dovecot makes a best guess.)
The value of this setting is constructed at runtime from the text given here and some simple substitution (explained in the conf file comments). In my case it is set to use the maildir mailbox format. It also specifies that mailboxes can be found in /home/vmail/domains/[the domain name of the user logging in]/[the user name of the user logging in]. Expanded, this might be /home/vmail/domains/whitehouse.gov/george. Note, I did not use “%u” (you) for user name, I used “%n” (en). This is because “%u” will expand to “user@domain.extension,” and we just want the first part.
auth = default
Set up our first (and only) authentication process.
auth_mechanisms = plain
The user will send authentication information as clear text. The session, of course, is SSL encrypted.
auth_userdb = ldap /etc/dovecot-ldap.conf
Where the user database is. In our case, this is LDAP. The LDAP settings are found in the file /etc/dovecot-ldap.conf (created in the next step).
auth_passdb = ldap /etc/dovecot-ldap.conf
Where the password database is. Same as above.
auth_executable = /usr/libexec/dovecot/dovecot-auth
This is Dovecot's authentication executable. I didn't have to uncomment it as it's in the default place, but you may have to if you installed in /usr/local, for instance.
auth_user = dovecot-auth
The user to run the above authentication executable as. This is the user we created earlier.
That's it. There are a number of other Dovecot settings you might want to use, eg, auth_verbose, maildir_copy_with_hardlinks, and so on. The conf file explains each of these well enough for you to decide.
Configuring Dovecot for LDAP usage
Dovecot keeps its LDAP settings in a separate file. This file is referenced by the auth_userdb and auth_passdb settings in dovecot.conf. Its name defaults to dovecot-ldap.conf and it should be in the /etc directory. You do not have to create this from scratch, a sample file can be found in the Dovecot docs (/usr/share/doc/dovecot-0.99.10.9/dovecot-ldap.conf on my system). Copy this file to /etc and edit it as follows.
hosts = localhost
The server name/IP address where LDAP is running.
dn = cn=dovecot,dc=myhosting,dc=example
The DN of the user that Dovecot will bind to LDAP as.
dnpass = secret
The Dovecot user's password. You do remember it, don't you?
ldap_version = 3
What version of LDAP to use.
base = o=hosting,dc=myhosting,dc=example
The LDAP base under which our users can be found.
deref = never
I have no idea. If you think you care, maybe this will help: http://www.holbaeksem.dk/help/readme.nsf/0/ffc017ce09e9fd2585256cc600651017?OpenDocument
scope = subtree
How far under the base should a search look. Subtree is all the way down.
user_attrs = mail,homeDirectory,,,,
Pay attention to this one. The user_attrs setting lists the names of the LDAP attributes for those parts of a user's entry that Dovecot cares about. They are, in order:
The virtual user's user name ( user@domain ).
The user's Home directory.
The user's mail environment. See the default_mail_env setting above.
The local user's user name.
The local user's user ID.
The local user's group ID.
Now, I may not have gotten this perfectly correct, but of these we're only interested in the first one. In the Jamm schema the virtual user's user name is stored in the mail attribute.
I have also set the attribute for the user's home directory (homeDirectory in the Jamm schema). This is not strictly necessary, and can be safely left out. However, Dovecot claims to have some additional logging that's dependent on this setting (among other things). This is also where core files will be dumped if Dovecot crashes. I was never able to get this logging to work, however, even after following the FAQ on this subject.
As was discussed earlier regarding the default_mail_env setting, it is possible to put the user's mail environment (eg, maildir:/home/username/Maildir) in LDAP, but since the standard LDAP schemas and the Jamm schema have no such attribute, we leave that blank.
As for the remaining three attributes, none of our users are local, therefore we don't need to set these. When Dovecot needs a uid and gid it will get them from the user_global_uid and user_global_gid settings below. It won't need a system user name, as, apparently, that's only needed for accessing /etc/groups.
user_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
The LDAP filter Dovecot will use when looking up users. Should be familiar by now.
pass_attrs = mail,userPassword
The LDAP attributes that contain the user's virtual user name and password.
pass_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
The LDAP filter Dovecot will use when looking up a user's password.
default_pass_scheme = CRYPT
The format that passwords are stored in LDAP. We use CRYPT here to match our setting in slapd.conf. Other values are PLAIN, PLAIN-MD5, and DIGEST-MD5.
user_global_uid = 101
user_global_gid = 101
Though we set the first and last valid uid and gid in dovecot.conf, we never did set the uid of the vmail user — we do that here. This is the uid and gid Dovecot will use in lieu of the empty LDAP settings above when reading and writing from the user's mailbox and chrooting too, I guess.
And that's it for Dovecot.
Jamm
What follows are the [slightly edited] instructions from the original Jamm HOWTO.
Installing and Configuring Jamm
Installing and configuring a web servlet container like Tomcat or Resin is outside the scope of this document. (On my hosted system Tomcat was already installed in /usr/local/tomcat). However, once you have a working servlet container, installing and configuring Jamm is a snap. Change into the webapps deployment directory, make a new directory called jamm, cd into that directory, drop the jamm.war file (that we downloaded way back at the beginning of this HOWTO) into the jamm directory, and unjar the war file. Then cd to the WEB-INF directory. Copy jamm.properties.dist to jamm.properties, and edit jamm.properties as appropriate.
# cd /usr/local/tomcat/webapps
# mkdir jamm
# cd jamm
# cp [wherever]/jamm-0.9.6.war .
# jar -xvf jamm-0.9.1.war
# cd WEB-INF
# cp jamm.properties.dist jamm.properties
Now you need to edit jamm.properties. To continue to follow our examples for dc=myhosting,dc=example, we've edited the following lines in jamm.properties.
jamm.ldap.search_base = o=hosting,dc=myhosting,dc=example
jamm.ldap.root_dn = cn=Manager,dc=myhosting,dc=example
None of the values in jamm.properties should have quotes around them. This will cause problems at run time as Jamm is not expecting them. This has bitten people in the past when they copied their rootdn from slapd.conf.
Administration
To access Jamm, start up your servlet container (on my system this is Tomcat; service tomcat start) if it's not already started. From a browser go to: http://servername.tld:8080/jamm .
To login as the site administrator, the username is “root” (as specified in the jamm.properties file). The password is whatever password you gave to the LDAP superuser or root user way back when we were configuring LDAP.
Jamm allows for three levels of access: the site admin, the domain admin, and the user. The site admin controls the entire site and has access to every option all the time, very much like root on a Unix system. The domain admin can add, remove, and modify accounts and aliases for his domain as well as assign other people to be a domain admin. The user can only affect his own settings.
Site Admin
Figure 3. Site Admin Screen
When a site admin logs in, they are presented with a list of domains. They can click on the domain to drill down to that domain admin page or manipulate the capabilities of the domain admin.
Can Edit Accounts controls the ability for a domain admin to add and remove virtual accounts. When this is switched off, the domain admin can still modify the attributes of existing accounts such as the password.
Appoint Postmasters controls the ability for a domain admin to grant the powers of domain admin to other accounts in the domain. With this turned off, only the site admin can give users domain admin access.
Domain Is Active turns on or off the “active” flag on the domain in ldap. If your mail server or imap server are configured to pay attention to this flag, one can turn on or off domains temporarily without removing them from ldap.
Domain Admin
Figure 4. Domain Admin Screen
When a domain admin logs in, they are presented with a list of accounts and aliases for their domain. They can click on a user to drill down to that user admin page, add or delete accounts or aliases, appoint other admins/postmasters, and activate and deactivate accounts. Some of these options may not be present depending on how the site admin has configured the domain's capabilities.
Delete Account does pretty much what it says it will.
Account Is Active activates or deactivates an account without deleting it. Much like Domain Is Active, your mail server and IMAP server must be configured to pay attention to this flag inside LDAP.
Postmaster gives or removes the ability for that user to act as a domain admin.
User Admin
Figure 5. User Admin Screen
When a user logs in, they are presented with a user screen appropriate to whether they have an account or an alias. Currently, all that a user with an account can do is change their password. An alias user is a bit more interesting: they can edit their destination(s).
To add destinations to an alias, the user only needs to add them in the text area, either as a comma separated list or one per line. To delete destinations, just check the box next to the destination to be deleted.
Account Creation Notes
When you create an account or an alias inside the LDAP database it will instantly become active as far as the mail system is concerned. For virtual accounts, it should be noted that the Unix directory in ~vmail is not created at this time. However, we can work around this because Postfix's virtual delivery agent will create the necessary directories the first time it has to deliver mail. Due to this fact, we recommend sending a welcome e-mail as soon as you create the account. Important! I did not find this to be true! Postfix did not create any directories for me. Therefore, for me anyway, account creation is a two step process: create the appropriate directory tree (/home/vmail/domains/somedomain/someuser) and then create that domain and/or user in LDAP via Jamm.
Account Deletion Notes
When you delete an account or an alias in the LDAP database, it will instantly become inactive. For virtual accounts, it should be noted that the Unix file system isn't cleaned up, ie the data remains on disk until a sysadmin can remove it. This will allow you to keep the data from dead accounts around for a grace period in case the account was deleted in error. However, if another account is created with the same name with the same mail path, the data will be available to the new user. This could be considered a privacy violation for the previous user.
SquirrelMail
Installing and Configuring SquirrelMail
SquirrelMail is simplicity itself to install. You have to make sure your system matches the prerequisites stated here: http://www.squirrelmail.org/wiki/SquirrelMailRequirements — essentially Apache and PHP. After that you should install the binary package (or grab the tarball, if necessary — http://www.squirrelmail.org/download.php )
# apt-get install squirrelmail
The installation process will put the appropriate Apache 2.0 configuration file in Apache's conf.d directory. The config file simply adds a “webmail” alias that points at the Squirrelmail index page. It put Squirrelmail itself in /usr/share/squirrelmail. Now you just need to make a couple of quick changes to the Squirrelmail configuration. You can do this via a Perl script located at /usr/share/squirrelmail/config/conf.pl or by directly editing the config file /usr/share/squirrelmail/config/config.php (which is aliased to /etc/squirrelmail/config.php). I chose the latter. The edits are few and are summarized here:
$use_authenticated_smtp = true;
$imap_server_type = 'courier';
$optional_delimiter = '.';
$default_folder_prefix = '';
Yes, I know it says “courier” for IMAP server type, but Squirrelmail doesn't have a quirks mode for Dovecot, and the Courier settings work. There are any number of other changes you may want to make, but they're all optional.
Enabling Apache 2.0 SSL
Important: If you are supporting (name-based) virtual hosts, then read this: http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
It's likely that your Apache install can already speak SSL. If you're happy with this, then great, skip to the next section. However, the default SSL configuration won't be using those shiny new certs we made earlier. To enable SSL to begin with, or to modify which certs it uses, go to /etc/httpd/conf.d (on my system, yours may be different) and edit the file ssl.conf.
First, make sure that SSL is enabled by searching for the string “Listen” (with a capital “L”). It should be uncommented and set to an IP address of all zeros or the IP address of the server and followed by a port number (443), like this:
Listen 0.0.0.0:443
It's likely that the rest of the global settings are acceptable, so skip down to the VirtualHost settings and search for the string SSLCertificateFile and change the file path to /usr/share/ssl/hosting.example/ExampleCert.pem (again, hosting.example/ExampleCert.pem is a place holder – substitute in the actual name you gave the cert). A few lines below this is the private key information. So change SSLCertificateKeyFile to point to /usr/share/ssl/hosting.example/ExamplePrivateKey.pem. That's all the changes you need to make, but you may want to fiddle with some other settings. Save the file and restart Apache: service httpd restart.
Enabling SquirrelMail SSL
Now that Apache can handle SSL, you only need to make one small change for SquirrelMail. In the same directory, /etc/httpd/conf.d, you'll find the SquirrelMail configuration file squirrelmail.conf. It's just one alias command. Add the following command to it:
SSLRequireSSL
You can now access Squirrelmail via the URL: https://myhosting.example/webmail .
Figure 6. My Squirrelmail interface after fiddling with fonts and themes.
Allow Users to Change Their LDAP Password from SquirrelMail (OPTIONAL)
The functionality presented here is entirely optional as it reproduces some of the functionality of JAMM. However, now that SquirrelMail is up and running, it makes sense to me to have the user stay in that interface as much as possible. Over time I will install and create more plugins to SquirrelMail so that the everyday user can perform all personal administration from there.
To allow a user to change their LDAP managed password, first download the “change_ldappass” SquirrelMail plugin: http://squirrelmail.org/plugin_view.php?id=26 . Change_ldappass is dependent on the Squirrelmail “compatibility” plugin, so download that too: http://www.squirrelmail.org/plugin_view.php?id=152 .
Installing it is a breeze. First, untar the compatibility plugin into the Squirrelmail plugins directory. Then untar the change_ldappass package into the SquirrelMail plugins directory, cd into the resulting change_ldappass directory, copy the config.php.sample file to config.php and edit it.
The changes that have to be made to the config file are minimal and limited to the very top of the file. Simply change the $ldap_user_field to mail, the LDAP attribute where our usernames (eg joe@example.com ) are stored; and change the $ldap_base_dn to your version of o=hosting,dc=myhosting,dc=example. Do not change the $ldap_password_field from userpassword to userPassword (note the capital “P”) as I did. It works with the default, but not otherwise. The top few lines of the config.php file should look like this:
$ldap_server = "localhost";
$ldap_password_field = "userpassword";
$ldap_user_field = "mail";
//put the ldap base dn of your server here
$ldap_base_dn = "o=hosting,dc=myhosting,dc=example";
There's no need to restart Apache. Users can now access the change password screen from the “options” page of SquirrelMail.
Figure 7. The new “Change Password” option in Squirrelmail's option page.
Post Install Configuration
Now that all the software has been installed and configured, there are a few other things you probably want to do.
Make LDAP inaccessible to the Internet
Currently the OpenLDAP process will answer requests from anywhere. What you probably want to do is limit connectivity only to the processes running locally (on this server). This is done with the -h flag to slapd. I modified the init script on my system, /etc/init.d/ldap, to accept normal and SSL connections only from processes on the same host. Here's the relevant part of the init script, in the start function.
prog=`basename ${slapd}`
echo -n $"Starting $prog: "
if grep -q ^TLS /etc/openldap/slapd.conf ; then
    # bind both the plain and the TLS listener to loopback only
    daemon ${slapd} -u ldap -h '"ldap://127.0.0.1 ldaps://127.0.0.1"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
else
    daemon ${slapd} -u ldap -h '"ldap://127.0.0.1"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
fi
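As an added check that is not part of the original HOWTO, the function below audits the output of ss -ltn (or netstat -ltn) and reports any LDAP listener (port 389 or 636) bound to something other than loopback, which is what you want to run after restarting slapd to confirm the -h change took effect. The two sample listings are constructed for the demonstration, not captured from a real host.

```shell
# Added example (not from the original HOWTO): list LDAP/LDAPS listeners that
# are still reachable from the network after restricting slapd with -h.
# Reads `ss -ltn` or `netstat -ltn` output on stdin, prints one
# "address:port" per exposed listener, and exits 1 if any were found.
ldap_exposed_listeners() {
    awk '
    {
        addr = $4                                  # "Local Address:Port" column
        n = split(addr, f, ":")
        if (n < 2) next                            # header line or no port part
        port = f[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port != "389" && port != "636") next   # only LDAP and LDAPS
        # loopback is exactly what the -h flag in the init script allows
        if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
        print host ":" port
        found++
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample listings (not real host output). The first still has
# LDAPS on every IPv4 address and LDAP on every IPv6 address.
sample_before_fix() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:389      0.0.0.0:*
LISTEN 0      128    0.0.0.0:636        0.0.0.0:*
LISTEN 0      128    [::]:389           [::]:*
EOF
}
sample_after_fix() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:389      0.0.0.0:*
LISTEN 0      128    127.0.0.1:636      0.0.0.0:*
EOF
}

# On a live host run:  ss -ltn | ldap_exposed_listeners
sample_before_fix | ldap_exposed_listeners || echo "slapd is still reachable from the network"
```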
Start up on reboot
You probably want to set up your system to start up all processes at reboot. This is especially true if your server is hosted, and you may not even be aware that your server has been restarted. If your machine is local to you, you can probably use the appropriate GUI application. However, if your machine is remote (and RedHat based), you can use the chkconfig utility to do this. Or, if necessary, do it manually. I set all processes to start at runlevels 3 and 5. You may want to use 2, 3, 4, and 5. You can get details on how chkconfig works elsewhere, but here's how I did it:
# chkconfig --level 35 ldap on
# chkconfig --level 35 saslauthd on
# chkconfig --level 35 postfix on
# chkconfig --level 35 dovecot on
# chkconfig --level 35 tomcat on
Make sure you're not a relay
If you followed the instructions above, and given the default configuration of Postfix, you should not be acting as an open (spam) relay. But, better safe than sorry. Go here and test your system: http://www.abuse.net/relay.html
Adjust Postmaster Account
When you create a virtual domain with Jamm it creates the postmaster@domain.name and abuse@domain.name accounts automatically. Both of these accounts are set as aliases to the “postmaster” user who is presumed to be a local user. This is fine, but on my system I don't want any local users. Besides, if I did, I'd have to add another authentication mechanism to Dovecot, and I don't want to do that either. In any case, if you would like to change the abuse and postmaster aliases to point at a virtual user, you can do so as follows:
Create an LDIF file that looks something like this:
dn: cn=postmaster,jvd=domain.name,o=hosting,dc=myhosting,dc=example
changetype: modify
replace: maildrop
maildrop: user@domain.name

dn: mail=abuse@domain.name,jvd=domain.name,o=hosting,dc=myhosting,dc=example
changetype: modify
replace: maildrop
maildrop: user@domain.name
Where domain.name is the virtual domain you've created and user@domain.name (the value of the maildrop attribute) is the virtual user in that domain who is to receive mail for postmaster and abuse. The blank line between the two entries is required; ldapmodify treats it as the separator between records.
You can use this file to update the LDAP directory like this:
# ldapmodify -x -D "cn=Manager,dc=myhosting,dc=example" -W -f ldif_file_name
Email Client Settings
I won't detail how to set up mail.app, Thunderbird, Outlook, etc., but here are the client settings that should be generally applicable.
Assumptions: your mail server is accessible via a public DNS MX record at example.net; you want to host a virtual domain of anydomain.org and its MX record points to the same host; Julie is a user at anydomain.org.
User Name: julie@anydomain.org
Password: [Julie's password]
Incoming Mail Account Type: IMAP
Incoming Mail Server: example.net
Incoming Mail Server uses SSL: Yes, on the default port of 993
Incoming Mail Server Authentication: Password
Outgoing Mail Server: example.net
Outgoing Mail Server uses SSL: Yes
Outgoing Mail Server Authentication: Password
Also, remember that you'll want your users to import the signing (CA) cert into their client or OS as applicable.
Credits Peter Lacey; placey at wanderingbarque.com
Implementation
This section describes how to implement a virtual mail solution. Not every little detail is covered, just what is needed above and beyond the “standard” installations.
Prerequisites
Here is the list of software that I used. It is likely that other, older and newer, versions will work, but I didn't test them. However, it's essential that both Postfix and Cyrus-SASL be at versions greater than 2.
The Software List
White Box (Red Hat) Enterprise Linux 3
Postfix 2.0.16
OpenLDAP 2.0.27
Dovecot 0.99.10.9
Jamm 0.9.6
Cyrus-SASL 2.1.15
SquirrelMail 1.2.1.1
Preparing Your System
To prepare a Unix (like) system there are a few tasks you'll need to accomplish:
Pre-installation Preparation
Create the vmail user and decide where you're going to store the virtual users' email.
Optionally, remove sendmail from the system.
Determine your mail server's domain name.
Determine your LDAP base.
Create certificates for Postfix, Dovecot, and Apache (SquirrelMail).
Create the vmail User
Hint: It is not strictly necessary to create an actual user. It is only necessary to create a mailbox directory and change the owner and group to some ID that is not going to be used by any real user, like 5000:5000.
Creating the vmail user is just like creating any other system account. You'll want to have a UID and a GID that is used for vmail alone. You may also want to set its home directory to the location you've selected for the storage area of the virtual users' email. In my system I used vmail as the user and group name. I also decided to store our virtual users' email in /home/vmail/domains.
The following example works on a RedHat Linux distribution and results in a vmail user being created and an empty mail storage directory being created. I'm told that CentOS 4 (and therefore RHEL 4 and WBEL 4) requires the -g (group) flag.
# groupadd -r vmail
# useradd -m -r -d /home/vmail vmail
# mkdir ~vmail/domains
# chown vmail.vmail ~vmail/domains
Hint: If you elected not to create a real user, then skip the groupadd and useradd commands, and change the rest to something like mkdir /home/vmail/domains; chown 5000.5000 /home/vmail/domains.
Remove Sendmail
On the advice of somebody out there I completely removed (the pre-installed) Sendmail, just in case it got in the way of Postfix.
# rpm -e sendmail
Determine your mail server's domain name
If you have a static IP address, then you most likely already have a registered domain name. If, like me, you have a single host on the net, you may have given it the same name. However, if you want to use that name as a virtual host, you'll have some difficulties. For instance, if you already own the domain “whitehouse.gov,” and your host is named “whitehouse.gov,” and you want to have virtual users at “whitehouse.gov,” then you're out of luck as Postfix will treat all users at “whitehouse.gov” as local. You can probably correct this by setting the appropriate Postfix variables ($myhostname, $mydomain), but you may consider renaming your host instead.
Furthermore, the domain name you use in your certificate should match the SMTP/IMAP server name used in your mail clients, otherwise the mail clients will complain. Finally, you'll probably want to use your domain name as the base name in your LDAP tree.
To neatly resolve all these issues, I elected to buy a new domain name, “whitehouse.net” (continuing the example), and rename my server accordingly. Here's how I renamed my machine:
Modified /etc/hosts
Modified /etc/sysconfig/network
Modified /etc/hostname
I rebooted after this, but if nothing's yet running that cares about the hostname, you can probably just run hostname --file /etc/hostname.
Hint: You will need an MX record set up in the public DNS that points to your server. The MX record should not be the IP address of your machine. Instead it should be the name of an A record. That is, set up an A record, eg mail.mydomain.com, to point to your IP, then set the MX record to be mail.mydomain.com.
Determine your LDAP base (root, suffix, whatever)
Do whatever you want here, but the current convention, and the one I used, is to break your domain name into components and reference them with the “dc” (domain component) attribute. That is, your base should be something like: dc=whitehouse,dc=net or dc=mail,dc=whitehouse,dc=net.
Summary
Your server's name should not also be the name of any virtual host.
The domain name used in your cert should be the same as your server's DNS name.
You should probably use your domain name as the root of your LDAP tree.
Creating certificates for Postfix, Dovecot and Apache
If you want you can skip this step for now and return to it once you've got the unencrypted versions of Postfix and Dovecot running.
What we want to do here is create a cert and a private key that can be used for Postfix, Dovecot, and Apache (SquirrelMail over SSL). Technically, it's not necessary to sign this cert, but we will. This allows our users to install the signing (root) certificate in their user agents/operating systems. There are a number of HOWTOs on this subject, but you probably want to put a little thought into this first. What I wanted was to create a signing certificate (root CA certificate), a signed cert and a private key that were appropriately named. On Red Hat like systems certs are kept in /usr/share/ssl. I didn't want to use the existing directory structure below that; instead I created a directory called hosting.example (remember that's a pseudonym for what I really used), and created all my certs in there.
There are a handful of shell scripts in /usr/share/ssl/misc that wrap the OpenSSL utilities for manipulating certs, and we'll use these. (You can call OpenSSL directly for more fine grained control, if you want. It will avoid some post-creation manipulation of the certs.) But first we have to modify the script we want to use, CA.
By default the CA script will encrypt the certs it creates. Generally this is a good thing, but on a server it's not. This is because a process that uses the cert needs to supply a keyphrase to unlock it. If the server reboots on its own, then no one will be there to type in the key, and the server will never fully boot up. So make a copy of CA (call it CA_nodes) and edit it. Search for “# create a certificate” and add -nodes to the line below, the one that begins with $REQ. When you're done with this, search for “# create a certificate request” (just below) and do the same again.
Another change we want to make is to make sure the signing cert lasts for longer than the default year. Do this by searching for the line that reads DAYS="-days 365" (the first non-comment line in my instance) and change 365 to some larger value – I used 3650, ten years.
When you're done it should look like this:
DAYS="-days 3650"
…
-newcert)
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Certificate (and private key) is in newreq.pem"
    ;;
-newreq)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
Now, these scripts will ask for a lot of input. To make life easier, and to avoid errors in typing, this input can be defaulted to the contents of a particular file: /usr/share/ssl/openssl.cnf. It should already be there; let's edit it.
You'll need to change countryName_default, 0.organizationName_default, organizationalUnitName_default, commonName_default, and emailAddress_default. In addition, I also changed the default_days of the CA_default setting from 365 to 3650 (1 year to 10 years). For clarity's sake, here are the relevant bits of my openssl.cnf file:
…
[ CA_default ]
dir = ./demoCA # Where everything is kept
…
default_days = 3650 # How long to certify for
…
[ req_distinguished_name ]
countryName = Country Name (code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Massachusetts
localityName = Locality Name (eg, city)
localityName_default = Anytown
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Hosting Company Name
# we can do this but it is not needed normally
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = ISP
commonName = Common Name (eg, your name or your server\'s hostname)
# (Very Important, in order to keep mail clients and other user agents from complaining, this name must
# match exactly the name that the user will be entering into their client settings. Whether that be
# domain.extension or mail.domain.extension or what. It must be a valid DNS name pointing at your
# server.
commonName_default = myhosting.example
commonName_max = 64
emailAddress = Email Address
emailAddress_default = postmaster@myhosting.example
emailAddress_max = 64
…
With this done we can create a signing (root CA) certificate. Go to the directory you created earlier, /usr/share/ssl/hosting.example, and run the CA_nodes script:
# ../misc/CA_nodes -newca
CA certificate filename (or enter to create)[hit enter]
Making CA certificate ...
Generating a 1024 bit RSA private key
...........................++++++
...............++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:[enter a password and remember it]
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:[hit enter]
State or Province Name (full name) [Massachusetts]:[hit enter]
Locality Name (eg, city) [Anytown]:[hit enter]
Organization Name (eg, company) [My Hosting Company Name]:[hit enter]
Organizational Unit Name (eg, section) [ISP]:[hit enter]
Common Name (eg, your name or your server's hostname) [myhosting.example]:[hit enter]
Email Address [postmaster@myhostng.example]:[hit enter]
You now have a directory called demoCA containing your CA signing certificate, cacert.pem, the CA's private key (demoCA/private/cakey.pem, protected by the passphrase you just entered) and a number of other files and directories that make up the (currently empty) database of certificates you have signed and revoked. Be aware that the OpenSSL defaults of the time, a 1024-bit RSA key and MD5 signatures, are rejected by current TLS clients; if you repeat this today use at least a 2048-bit key and SHA-256 signatures. Now we'll create a new certificate "request" (we'll have a proper certificate once we sign it).
# ../misc/CA_nodes -newreq
Generating a 1024 bit RSA private key
..............................................++++++
.......++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:[hit enter]
State or Province Name (full name) [Massachusetts]:[hit enter]
Locality Name (eg, city) [Anytown]:[hit enter]
Organization Name (eg, company) [My Hosting Company Name]:[hit enter]
Organizational Unit Name (eg, section) [ISP]:[hit enter]
Common Name (eg, your name or your server's hostname) [myhosting.example]:[hit enter]
Email Address [postmaster@myhosting.example]:[hit enter]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[anything will do, I used "certpass"]
An optional company name []:[hit enter]
Request (and private key) is in newreq.pem
The output is your certificate request, newreq.pem, which contains both the request itself (the CSR) and the private key that goes with it (take a look, if you want). Now we'll sign the request to produce a real certificate.
# ../misc/CA_nodes -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: [enter the passphrase used when creating the signing (CA) cert above]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  4 19:04:43 2004 GMT
            Not After : Sep  4 19:04:43 2014 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Massachusetts
            [output elided]
Certificate is to be certified until Sep  2 19:04:43 2014 GMT (3650 days)
Sign the certificate? [y/n]:[hit "y"]
1 out of 1 certificate requests certified, commit? [y/n]:[hit "y"]
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        [output elided]
-----BEGIN CERTIFICATE-----
MIIEGTCCA4KgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBsTEL...
[output elided]
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
Your certificate is now in newcert.pem. There's just one thing left to do to make all this nice and clean: the private key should live in its own file rather than next to the request. So edit newreq.pem, delete the request block (all the lines from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----" inclusive), and save what remains, the key, under a meaningful name, eg ExamplePrivateKey.pem (where "Example" is your domain name, like whitehouse). I also renamed newcert.pem to ExampleCert.pem.
In summary we now have three files we care about (we don't care about newreq.pem anymore):
demoCA/cacert.pem: our root CA certificate
ExampleCert.pem: our server certificate
ExamplePrivateKey.pem: our private key
Because various processes, running as various users, will need to access these files, make sure the ones they need are readable. The two certificates are public and can safely stay world-readable (they should be already). The private key is different: anyone who can read it can impersonate your mail server, so the right arrangement is to make it readable only by root and by a group that the daemons' users belong to (mode 0640), and to keep demoCA/private/cakey.pem, the CA key that can mint new certificates, readable by root alone. I left all three world-readable, which is probably bad practice in the event that a local user (or a black hat who has obtained local user privileges) steals them, but I only have one user on my machine, root. And if root gets owned, well, that's it.
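The same procedure, done non-interactively with parameters that current TLS clients accept, as an added example (this is not code from the original HOWTO nor from OpenSSL's own CA scripts; the output directory, the hostname mail.myhosting.example and the group name sslcert are assumptions):

```shell
#!/bin/sh
# Added example (not code from the original HOWTO): the CA plus server
# certificate that the interactive CA_nodes session above produced, generated
# non-interactively with parameters current TLS clients accept: SHA-256
# signatures, a 4096-bit CA key, a 2048-bit server key and a subjectAltName.
# Assumed names: the output directory, the hostname mail.myhosting.example
# and a group "sslcert" shared by the daemons that must read the server key.
# Works with OpenSSL 1.0.2 or later.

make_mail_ca() {
  dir=$1; host=$2; grp=$3
  mkdir -p "$dir"

  # Root CA. Like the HOWTO's CA_nodes wrapper, -nodes leaves the key
  # unencrypted so daemons can start unattended; file permissions guard it.
  cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
O = My Hosting Company Name
CN = $host CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:4096 -nodes -sha256 \
    -days 3650 -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

  # Server key and certificate request (the equivalent of CA_nodes -newreq).
  cat >"$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
O = My Hosting Company Name
CN = $host
EOF
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/ExamplePrivateKey.pem" -out "$dir/newreq.pem" 2>/dev/null

  # Leaf extensions: not a CA, TLS server use only, SAN matching the hostname
  # (clients no longer fall back to the CN).
  cat >"$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  # Sign the request with the CA (the equivalent of CA_nodes -sign).
  openssl x509 -req -sha256 -days 825 -in "$dir/newreq.pem" \
    -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/ExampleCert.pem" 2>/dev/null
  rm -f "$dir/newreq.pem" "$dir/ca.cnf" "$dir/req.cnf" "$dir/server.ext"

  # Certificates are public. Keys are readable by root and one group only;
  # the CA key gets no group at all, since nothing needs it at run time.
  chmod 644 "$dir/cacert.pem" "$dir/ExampleCert.pem"
  chmod 600 "$dir/cakey.pem"
  chmod 640 "$dir/ExamplePrivateKey.pem"
  chgrp "$grp" "$dir/ExamplePrivateKey.pem" 2>/dev/null || true  # group may not exist on a test box
}

verify_mail_cert() {
  # Returns 0 when the server certificate chains to the CA and carries the expected SAN.
  dir=$1; host=$2
  openssl verify -CAfile "$dir/cacert.pem" "$dir/ExampleCert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/ExampleCert.pem" -noout -text 2>/dev/null | grep -q "DNS:$host"
}

# Usage:
#   make_mail_ca /etc/ssl/mail mail.myhosting.example sslcert
#   verify_mail_cert /etc/ssl/mail mail.myhosting.example && echo OK
```

This also replaces the hand-editing of newreq.pem above: the key is written to ExamplePrivateKey.pem in the first place and the request is deleted once signed. The leaf certificate gets 825 days rather than ten years because clients increasingly reject long-lived server certificates, and the group assigned to the key is how several daemons running as different users can read it without making it world-readable.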
OpenLDAP
Installation
Not all of OpenLDAP was preinstalled on my system. White Box supports apt, which I used to get OpenLDAP. You'll need all three packages. I highly recommend installing from your distro's package management system rather than compiling yourself.
# apt-get install openldap
# apt-get install openldap-servers
# apt-get install openldap-devel
Understanding the Jamm Schema
Configuring OpenLDAP for our needs requires Jamm's schema file, so you should download the Jamm binary distribution now. Put it anywhere and unpack it:
# tar -zxvf jamm-0.9.6-bin.tar.gz
The Jamm schema introduces four new object classes and a handful of attributes. These are:

Object class JammMailAccount: a user's mail account
  Interesting attributes:
    mail           User's full email address and, consequently, their login name. Ex: joe@myschool.edu
    homeDirectory  User's home directory. Here it will always be /home/vmail/domains
    mailbox        User's mail directory, relative to homeDirectory. Ex: myschool.edu/joe. homeDirectory and mailbox concatenated give the absolute path of the user's mail directory
    cn             User's common name. Ex: Joe Blow
    accountActive  Boolean telling whether the account is active
    delete         Boolean telling whether the account has been deleted. Note Jamm never actually deletes anything, it just sets this flag
    userPassword   User's password, which must be stored hashed (see the password-hash setting below), never in clear text

Object class JammVirtualDomain: a domain that's hosted on this system
  Interesting attributes:
    jvd            A hosted domain name. Ex: myschool.edu
    accountActive  Boolean telling whether this domain is active
    delete         Boolean telling whether this domain has been deleted. Note Jamm never actually deletes anything, it just sets this flag

Object class JammMailAlias: aliases (other email addresses) that users may set up to redirect their mail
  Interesting attributes:
    mail           The receiving email address. Ex: joe@myschool.edu
    maildrop       Email address to redirect to; may be given more than once. Ex: joseph@myschool.edu, joe@yahoo.com
    delete         Boolean telling whether this alias has been deleted. Note Jamm never actually deletes anything, it just sets this flag
    accountActive  Boolean telling whether this alias is active

Object class JammPostmaster: signifies that this entry is a "Postmaster", a kind of domain-level super user. Multiple people can be postmasters in a domain.
  Interesting attributes:
    roleOccupant   The distinguished name (DN) of a user who acts as postmaster for the domain. Can appear more than once

Once you have built the base LDAP tree and added a few domains and users, the structure will look like what's shown in figure 2.
Figure 2. Jamm LDAP tree
Configuring slapd
All slapd configuration is in slapd.conf. On my box that's in /etc/openldap. On yours it might be in /usr/local/etc/openldap. (OpenLDAP 2.3 and later can also be configured through the cn=config database; the directives below are the same, only their container differs.)
Adding Schemas
You need to make Jamm's schema file available, so copy the jamm.schema file from the Jamm distribution to the OpenLDAP schema directory, /etc/openldap/schema/ in my case. jamm.schema depends on cosine.schema and nis.schema. Add these lines to slapd.conf. The first two may already be there.
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/jamm.schema
Remember, these schemas might be in /usr/local/etc/openldap/schema (or anywhere else) on your machine.
Setting the Password Hash Type
Passwords are (should be) hashed when stored in LDAP. The default hashing mechanism is SSHA, but the Dovecot release used here didn't support it, so set OpenLDAP's password hashing mechanism to CRYPT. I added the following line near the top of slapd.conf, right after all the includes.
password-hash {CRYPT}
Two caveats. First, {CRYPT} with OpenLDAP's default salt format produces traditional DES crypt(3) hashes, which silently truncate passwords to eight characters and are cheap to brute-force; if you use CRYPT, also set password-crypt-salt-format "$6$%.16s" (SHA-512 crypt, on glibc systems) or at least "$1$%.8s" (MD5 crypt) so that slapd generates stronger hashes. Second, password-hash only governs hashes slapd creates itself through the Password Modify extended operation (what ldappasswd uses); a value written directly into userPassword by ldapadd or by Jamm is stored exactly as given, so whatever creates accounts must hash with the same scheme. Current Dovecot releases understand SSHA and the other OpenLDAP schemes, so with a current Dovecot you can keep the SSHA default.
Adding a Database Definition
Next, you need to set up a database definition. You can do this with the following lines:
database ldbm
directory /var/lib/ldap
suffix "dc=myhosting,dc=example"
The database directive specifies the back-end type to use; this HOWTO uses LDBM. The directory directive specifies the path to the database files, and suffix specifies the root suffix for this database. Note that LDBM was removed in OpenLDAP 2.4; on a current release use database mdb (bdb or hdb on 2.3) with the same directory and suffix lines. Whatever the backend, the directory should be owned by the user slapd runs as and unreadable by other users, since the files contain every password hash in the directory.
Creating the Root User
The next few lines set up the "super user" or "root" account:
rootdn "cn=Manager,dc=myhosting,dc=example"
rootpw {SSHA}ea0sD475P32ASAlaAhR8kgi+8Aflbgr7
The rootdn entry has complete access to the database, which is why its password is kept outside the actual database. The password in rootpw should always be stored in hashed format; do not store it in clear text. Since slapd.conf now holds that hash, keep the file readable only by root and the user slapd runs as. To convert the clear text password to a hashed format, use the slappasswd command:
# slappasswd
New password: [enter some password and remember it]
Re-enter new password: [enter it again]
{SSHA}ea0sD475P32ASAlaAhR8kgi+8Aflbgr7
Take the output from slappasswd and copy it into slapd.conf, as shown above. (The hash shown here is only an example; generate your own.)
Setting up Access Control
NOTE: The instructions that follow are for OpenLDAP 2.0.x. Most distributions now ship with 2.2. In OpenLDAP 2.2 the syntax for setting up ACLs changed slightly. Please read the comments associated with 2.0, but use the 2.2 syntax that's given immediately after.
The last part of slapd.conf is the access control. You can define your own policy, but here's the one Jamm follows, which I've modified for Dovecot:
- The user can change any of their own attributes.
- Anyone in the postmaster group of the domain may change any user's attributes in their domain, including the password. This allows the postmaster to reset a user's password if they forget it.
- The "dovecot" user can read passwords.
- Anonymous (non-authenticated) users may read all information except the password attribute.
Access control statements are evaluated in order, so they should be defined from most specific to most general. Access to the password attribute, userPassword, is the most specific in our case, and hence it's specified first:
access to dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    attr=userPassword
    by self write
    by group/jammPostmaster/roleOccupant="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by dn="cn=dovecot,dc=myhosting,dc=example" read
    by anonymous auth
    by * none
Please note, the line referencing dovecot is not in the original Jamm HOWTO, but is needed by Dovecot so it can read userPassword. Typically an authenticating application binds to LDAP as the user in question, a successful bind thus validating the password. The Dovecot release this was written for did not support such "authentication binds", so the Dovecot user must be allowed to read the user's password hash. Current Dovecot does support them (auth_bind = yes in dovecot-ldap.conf); with that enabled, drop the dovecot line, since a bind that never reads hashes leaves nothing to harvest if the Dovecot account or host is compromised.
The access to line specifies the entries and attributes to which the following rules apply. The dn regular expression matches any entry in a domain of our hosting tree, and attr limits these rules to the userPassword attribute. Write access is granted to the user itself and to anyone in the postmaster group. The dovecot user can read it. Anonymous users may only use this attribute when trying to authenticate (auth permits the bind comparison but never a read). In all other cases, access is denied.
Next, all other attributes of entries in a domain's tree are specified:
access to dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    by self write
    by group/jammPostmaster/roleOccupant="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by * read
This access to line is very similar to the previous one, except that there is no attr specification and no reference to dovecot. Hence it matches all attributes other than userPassword. Again, write access is granted to the user and to anyone in the postmaster group. Everyone else is granted read access.
Two things to weigh before adopting this policy as is. "by self write" here lets a mailbox owner rewrite every attribute of their own entry, including mailbox, homeDirectory, accountActive and delete, which Postfix and Dovecot trust when locating the maildir; if users only ever change their password through Jamm, a preceding rule that limits self write to cn and userPassword (attr= listing just those) is tighter. And "by * read" means that anyone who can reach the LDAP port, not just Postfix doing its anonymous lookups, gets a complete list of every mailbox and alias you host, ready for address harvesting. Keep slapd listening on the loopback interface only (the HOWTO starts it with -h ldap://127.0.0.1, which does exactly that) or, on OpenLDAP 2.3 and later, replace "by * read" with "by peername.ip=127.0.0.1 read".
Finally, we provide read access to all other elements in the database:
access to *
    by * read
Use these ACL statements if using OpenLDAP 2.2. Caution: Untested.
access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    attrs=userPassword
    by self write
    by group/jammPostmaster/roleOccupant.expand=\
        "cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by dn="cn=dovecot,dc=myhosting,dc=example" read
    by anonymous auth
    by * none
access to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
    by self write
    by group/jammPostmaster/roleOccupant.expand=\
        "cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
    by * read
access to *
    by * read
(attrs= is the 2.2 spelling of attr=; dn.regex and the .expand suffix, which enables the $1 substitution, are the changes that matter.)
Creating the Directory Tree
Now that slapd is configured, it's time to start adding data to the LDAP directory. Teraz slapd jest skonfigurowany, nadszedł czas, aby rozpocząć dodawanie danych do katalogu LDAP. We will use the command line tools that come with OpenLDAP and create LDIF files to modify the directory. Będziemy używać narzędzi linii poleceń, które pochodzą z OpenLDAP i tworzenie plików LDIF do zmiany katalogu.
The first step is to create a base tree structure with our root node, the hosting organization, and an entry for the rootdn. Pierwszym krokiem jest utworzenie struktury bazy drzewo z naszym głównym węzłem, organizacji goszczącej, oraz wpis do RootDN. Create a file called base.ldif (I put mine in /etc/openldap for safekeeping) with the following contents: Utwórz plik o nazwie base.ldif (stawiam kopalni w / etc / openldap na przechowanie) o następującej treści:
Caution: OpenLDAP is very sensitive to whitespace in LDIF files. Please make sure that there are no trailing spaces on any of these lines and that each entry is separated from the next by exactly one blank line.
dn: dc=myhosting, dc=example
objectClass: top
objectClass: domain
domainComponent: myhosting

dn: cn=Manager, dc=myhosting, dc=example
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: o=hosting, dc=myhosting, dc=example
objectClass: top
objectClass: organization
o: hosting

dn: cn=dovecot, dc=myhosting, dc=example
objectClass: top
objectClass: organizationalPerson
cn: dovecot
sn: dovecot
Note, the cn=dovecot entry is not part of the original Jamm HOWTO, but is needed for Dovecot. This is the user Dovecot will bind to LDAP as.
Start up OpenLDAP. On RH/WB Linux you can use: service ldap start, or /etc/init.d/ldap start. It's probably similar on your system. Alternatively you can start it directly with slapd -u ldap -h ldap://127.0.0.1 (the -h argument binds it to the loopback address only, which is what you want while Postfix and Dovecot run on the same host and the ACLs grant anonymous read).
Now use ldapadd, binding as the root user, to add this LDIF:
# ldapadd -x -D "cn=Manager,dc=myhosting,dc=example" -W -f base.ldif
Enter LDAP Password: [enter the LDAP password created earlier]
adding new entry "dc=myhosting, dc=example"
adding new entry "cn=Manager, dc=myhosting, dc=example"
adding new entry "o=hosting, dc=myhosting, dc=example"
adding new entry "cn=dovecot, dc=myhosting, dc=example"
Note, the Dovecot user requires a password. Add one like this:
# ldappasswd -x -W -S -D "cn=Manager,dc=myhosting,dc=example" "cn=dovecot,dc=myhosting,dc=example"
New Password: [enter a password for the Dovecot user and remember it]
Re-enter new password: [enter it again]
Enter bind password: [enter the LDAP password created earlier]
Because this goes through the Password Modify operation, slapd stores it hashed with the password-hash scheme set above. The same clear-text password will later go into Dovecot's LDAP configuration file, so that file must be readable by the Dovecot user only.
Hint: If you ever need to blast this database and start again from scratch, simply stop openldap, delete all the files in the LDAP directory (/var/lib/ldap), start openldap again, and repeat the above process.
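To see what the Jamm object classes described earlier look like as real entries, and how a hashed userPassword reaches the directory, here is an added example (not code from the HOWTO or from Jamm) that writes the LDIF for a domain, its postmaster role, a mailbox and an alias, ready to pipe into the same ldapadd command used for base.ldif. The entry naming (mail= as the RDN of accounts and aliases), the use of JammMailAccount and JammMailAlias as stand-alone classes, and organizationalRole plus JammPostmaster for the postmaster entry are assumptions; compare them with an entry Jamm itself creates before relying on them.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO or of Jamm itself. It emits the
# LDIF for one hosted domain, its postmaster role, one mailbox and one alias,
# using the Jamm object classes and attributes described above, for feeding to
# ldapadd once the base tree exists. Assumptions to check against entries that
# Jamm creates itself before relying on this: mailbox and alias entries are
# named by their mail attribute (mail=user@domain,jvd=domain,...), JammMailAccount
# and JammMailAlias can stand alone as structural classes, and the postmaster
# group is an organizationalRole entry carrying the auxiliary JammPostmaster class.

BASE="o=hosting,dc=myhosting,dc=example"
VMAIL_HOME="/home/vmail/domains"

crypt_hash() {
  # SHA-512 crypt(3) with a random salt, password read from stdin so it never
  # appears on a command line or in shell history. Stored as {CRYPT}$6$..., it
  # is what slapd itself produces with password-hash {CRYPT} plus
  # password-crypt-salt-format "$6$%.16s", and both slapd and Dovecot verify it
  # through the system crypt() on glibc.
  openssl passwd -6 -stdin
}

jamm_domain_ldif() {
  # $1 = domain (jvd), $2 = mail address of the account that acts as postmaster
  cat <<EOF
dn: jvd=$1,$BASE
objectClass: top
objectClass: JammVirtualDomain
jvd: $1
accountActive: TRUE
delete: FALSE

dn: cn=postmaster,jvd=$1,$BASE
objectClass: top
objectClass: organizationalRole
objectClass: JammPostmaster
cn: postmaster
roleOccupant: mail=$2,jvd=$1,$BASE

EOF
}

jamm_user_ldif() {
  # $1 = domain, $2 = local part, $3 = full name; the password comes on stdin
  domain=$1; user=$2; name=$3
  hash=$(crypt_hash)
  cat <<EOF
dn: mail=$user@$domain,jvd=$domain,$BASE
objectClass: top
objectClass: JammMailAccount
mail: $user@$domain
cn: $name
homeDirectory: $VMAIL_HOME
mailbox: $domain/$user
accountActive: TRUE
delete: FALSE
userPassword: {CRYPT}$hash

EOF
}

jamm_alias_ldif() {
  # $1 = domain, $2 = alias address, remaining arguments = maildrop destinations
  domain=$1; alias=$2; shift 2
  printf 'dn: mail=%s,jvd=%s,%s\n' "$alias" "$domain" "$BASE"
  printf 'objectClass: top\nobjectClass: JammMailAlias\nmail: %s\n' "$alias"
  for dest; do printf 'maildrop: %s\n' "$dest"; done
  printf 'accountActive: TRUE\ndelete: FALSE\n\n'
}

# Usage:
#   { jamm_domain_ldif myschool.edu joe@myschool.edu
#     printf '%s\n' 'correct horse battery' | jamm_user_ldif myschool.edu joe 'Joe Blow'
#     jamm_alias_ldif myschool.edu joseph@myschool.edu joe@myschool.edu
#   } | ldapadd -x -D "cn=Manager,dc=myhosting,dc=example" -W
```

The hash is generated outside slapd because, as noted above, password-hash only applies to the Password Modify operation; a userPassword supplied through ldapadd is stored verbatim, so it must already be in a scheme that both slapd and Dovecot can verify. The blank line after every entry is the separator LDIF requires.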
Postfix
We'll only cover the sections of Postfix that pertain to the mail hosting. To deal with other parts of Postfix setup, please visit the Postfix web page.
Compiling Postfix with LDAP
Postfix was pre-installed on my system and linked with the appropriate libraries (LDAP, SASL, etc.). The following instructions are not guaranteed to work, but may be helpful. If at all possible, install Postfix from a properly configured package; it's just easier. Detailed instructions on installing from source can be found here: http://www.postfix.org/INSTALL.html .
Download the Postfix source and untar it. Postfix veers slightly away from the ordinary configure; make; make install pattern of autoconf. In lieu of configure, with Postfix you "make makefiles". The default makefiles don't include LDAP or SASL, so you'll need to rebuild the makefiles to include them. To do this, execute the following command.
# make makefiles CCARGS="-DUSE_SASL_AUTH -DHAS_LDAP -I/usr/include" AUXLIBS="-lldap -llber -lsasl"
Note, this is how it would be done on my system. On yours the LDAP and SASL libraries are probably in /usr/local/lib and the header files in /usr/local/include, in which case the following will work for you.
# make makefiles CCARGS="-DUSE_SASL_AUTH -DHAS_LDAP -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lldap -llber -lsasl"
Also note that the above commands are for SASL 1. If you want SASL 2 support, just change -lsasl to -lsasl2. Details are here: http://www.postfix.org/SASL_README.html . (SASL 1 has long been unsupported; any current build should use Cyrus SASL 2, and Postfix 2.3 and later also need -DUSE_CYRUS_SASL next to -DUSE_SASL_AUTH, as SASL_README describes.)
Finally, the Postfix release this was written for did not include TLS support in the main code base. To use TLS with it, you need to patch the Postfix source as documented here: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/ . Postfix 2.2 and later ship TLS natively (add -DUSE_TLS to CCARGS and -lssl -lcrypto to AUXLIBS, per TLS_README), so the patch is only relevant to older releases.
After you have rebuilt the makefiles (and, on an old release, patched the source) you can follow the normal Postfix compiling and installing instructions as documented in its INSTALL file, which mostly amounts to make; make install.
At one point I tried to upgrade to Postfix 2.1.5 from source, but never succeeded. If I gave myself more time, I could have, but by the time I tried to do this my existing Postfix install was my primary mail server, and the longer I futzed with it, the more mail I was dropping. Anyway, I had all sorts of issues with OpenLDAP containing SASL 1 code and the Postfix I just built having SASL 2 code, and all sorts of library issues like that. These problems tend to show up as strange, unrelated errors in the log files. Let the compiler beware.
Understanding Postfix
Read this, it'll probably help. Postfix is composed of a number of components that run in concert. First, there's the SMTP server, smtpd, referred to here as the mail transfer agent (MTA). It accepts mail over the network using the Simple Mail Transfer Protocol, SMTP, and is essentially a router: it determines whether incoming mail is ultimately destined for this server or not. If not, it relays it on, but only for clients it is configured to relay for; more commonly it refuses to accept it. If the message should be delivered to someone on this server, it hands it over to another process called cleanup, which rewrites and sanitizes the message and drops it in the incoming queue. The MTA's job is now done.
Once a message is in the queue, the queue manager passes it to a mail delivery agent (MDA) for final delivery to a user's mailbox, or to another program for further processing. These MDAs and other programs are called "transports" in Postfix, and are defined in the file /etc/postfix/master.cf (on my system). For our purposes there are two MDAs we want to know about: local and virtual. Both of these agents put email in the user's mailbox.
The MDA takes the mail that the MTA has accepted into the queue and delivers it. The local transport knows how to deliver mail for users that have accounts on the system. For users that do not exist on the system there is a different transport, named "virtual", and that is the one we use. The primary difference between the two is that virtual takes user and mailbox information from lookup tables, LDAP in our case, while local assumes the system's own user database. In fact, virtual is a derivative of local with the local-account features stripped out. Much more information can be found on the Postfix architecture page.
Configuring Postfix
While configuring Postfix for this task, we'll be mostly concerned with /etc/postfix/main.cf (possibly /usr/local/etc/postfix/main.cf on your machine). For most of the Postfix configuration, you will configure things in a way that make the most sense for your site and you can follow the documentation contained in the Postfix source or on the Postfix web page. In this document, we'll talk about the settings that are unique to and/or affected by this setup. If any of the configuration examples shown below aren't explicitly attributed to a specific file, assume they would be found in main.cf.
Configuring LDAP Sources
Postfix user and domain information can be stored in a variety of places, i.e. sources. When using LDAP, you invent a source name, then use that name as a prefix for the required LDAP variables. Later the same name is used to tell Postfix that a certain piece of information can be found in LDAP by using these variables. For instance, if you are going to have Postfix search LDAP for domain information, the variable prefix might be "domains"; the variables are then defined as domains_server_host, domains_search_base, and so on.
You can easily define multiple LDAP sources. LDAP source parameters are documented in README_FILES/LDAP_README; the parameter names follow the pattern ldapsource_parameter. The LDAP source name is defined when it is first used. In main.cf, you'll need one LDAP source definition per lookup. Note that this main.cf style is the Postfix 2.0 form; since Postfix 2.1 the recommended way is to put the same parameters, without the prefix, into a separate file and reference it as ldap:/etc/postfix/ldap-domains.cf, and the prefixed main.cf form has been deprecated ever since (check ldap_table(5) for your release). The parameter names and their meanings below are otherwise unchanged.
Configuring the Source for Virtual Domain Information
domains_server_host = localhost
domains_search_base = o=hosting,dc=myhosting,dc=example
domains_query_filter = (&(objectClass=JammVirtualDomain)(jvd=%s)(accountActive=TRUE)(delete=FALSE))
domains_result_attribute = jvd
domains_bind = no
domains_scope = one
The first LDAP source definition is for looking up the virtual domains being hosted. By having this as an LDAP lookup, we'll be able to dynamically add new domains by adding new JammVirtualDomain entries to LDAP. jvd is “Jamm Virtual Domain,” the attribute where Jamm stores domain names like whitehouse.gov.
We've named this LDAP source “domains”. In our configuration, as specified by the server_host line, our LDAP server is running on localhost. Our search base is the top of the hosting subtree we defined in our LDAP server, and according to scope we only want to search the directory level right under the base. We're querying for items where the jvd element matches the domain of the e-mail recipient as well as items that are of the jammVirtualDomain object class. We also check to make sure the accountActive attribute is set to true and that the delete attribute is set to false. As specified by bind, we do not want to bind/login to the LDAP server, we just want to do an anonymous search. Since we're only interested in whether there's a match, and not any particular value of the match, we just return jvd as the result_attribute.
Configuring the Source for User Aliases
aliases_server_host = localhost
aliases_search_base = o=hosting,dc=myhosting,dc=example
aliases_query_filter = (&(objectClass=JammMailAlias)(mail=%s)(accountActive=TRUE))
aliases_result_attribute = maildrop
aliases_bind = no
This LDAP source definition is for virtual aliases. We've named this LDAP source “aliases.” We're querying for items where the mail element matches the email recipient as well as items that are of the jammMailAlias object class. We also check to make sure the alias is active by checking if the accountActive attribute is set to true. The destination of the alias is the maildrop attribute. Because we have not specified a scope in our ldap definition, it will perform the default search of the entire subtree under the base.
Aliases are a good way of having generic mail addresses delivered to one or more specific people. For instance, you can create an alias (easy when using Jamm) called sales@example.com, and have all the mail sent to that address actually delivered to bill@example.com and sue@example.com. Of course, the actual recipients may be in another domain; for instance, if Bill has left the company, you can delete his email account and create an alias of the same name, such that all mail sent to bill@example.com is forwarded to bill@someplacelese.com.
But possibly the least intuitive use for this feature is as a replacement for the user oriented .forward file. It turns out that it's the local mail delivery agent that knows how to process .forward files, virtual doesn't. Even though virtual is just a hacked version of local, during the hackery, apparently for security reasons, the ability to process a .forward file was removed. The upshot of this is that there's no easy way to allow for a user to specify that they want mail delivered to their normal inbox and one or more external mailboxes. One possible approach is to use a different delivery agent that supports both LDAP and .forward functionality. Procmail won't do because, like local, it can't get user information from LDAP. Maildrop might work except the latest incarnation of Maildrop requires yet another daemon process to run in order to get to LDAP (and MySQL, etc.), and I simply don't want that.
There are no other suitable delivery agents that I'm aware of.
However, the proper use of aliases can solve this problem. The trick is to create an alias of the name that the user will be known as to the outside world, say jane@example.com, then give that aliased user two or more destinations. One destination would be the email address of the actual user on this server (that you also create), say jane.doe@example.com, and the rest are the remote addresses to which mail should also be forwarded, such as jane@gmail.com. The user would have to set up her IMAP clients (including Squirrelmail) to have a From: or Reply-To: set to the alias name (jane@example.com) and not the actual account name. Any mail sent directly to the actual user (jane.doe@example.com) won't get forwarded.
Configuring the Source for User Accounts
accounts_server_host = localhost
accounts_search_base = o=hosting,dc=myhosting,dc=example
accounts_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
accounts_result_attribute = mailbox
accounts_bind = no
The accounts source is very similar to our aliases source. It's used by Postfix to look up actual users. The big difference here is that we're looking for entries that have an object class of jammMailAccount and we're interested in the mailbox attribute of the resulting match. We also check to make sure the account is still active by looking at the accountActive attribute and make sure the account is not marked for deletion by checking the delete attribute.
It's possible to use virtual aliases to define “catch-all” addresses, such as “@example.com -> mike@example.com.” A catch-all address receives mail for every address in this domain that is not also listed in the virtual alias list. What this means is that if we have a catch-all address, it will indeed catch all email, even email destined for actual users on the system, unless those actual users are also listed in the alias list. If you use catch-all aliases, you can guard against this behavior by creating another (seemingly redundant) LDAP source that returns the email address (contained in a user's mail attribute) of all users, and force Postfix to use both this LDAP source and the aliases LDAP source when looking up virtual aliases. Here is that LDAP source:
accountsmap_server_host = localhost
accountsmap_search_base = o=hosting,dc=myhosting,dc=example
accountsmap_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
accountsmap_result_attribute = mail
accountsmap_bind = no
This is identical to the accounts LDAP source except we are returning the mail attribute (email address) of a user rather than her mailbox location.
The Virtual Alias Maps
Now that the aliases LDAP source(s) have been defined, we need to let Postfix know to use it. This is taken care of using the virtual_alias_maps parameter in main.cf:
virtual_alias_maps = ldap:aliases
If you are using catch-all addresses, and need to correct for Postfix's quirky handling as just described, then the virtual alias maps should look like this instead:
virtual_alias_maps = ldap:accountsmap, ldap:aliases
When Postfix builds this mapping table it will include all actual users plus all aliases, keeping catch-all aliases from catching mail meant for legitimate users.
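To make the lookup order concrete, here is an added example (not Postfix's, Jamm's or this HOWTO's code) that models how Postfix consults virtual_alias_maps: the full address is tried in every map first, then the @domain form, and each result is expanded again until an address maps to nothing or only to itself. The directory entries are constructed, and the cycle handling is this model's own simplification.

```python
"""Model of Postfix virtual_alias_maps resolution with and without ldap:accountsmap."""
from typing import Callable, Dict, List, Optional

Lookup = Callable[[str], Optional[List[str]]]

# Constructed stand-ins for what the Jamm schema would hold in LDAP.
JAMM_MAIL_ACCOUNTS: Dict[str, str] = {      # JammMailAccount: mail -> mailbox
    "jane.doe@example.com": "example.com/jane.doe/",
    "mike@example.com": "example.com/mike/",
}
JAMM_MAIL_ALIASES: Dict[str, List[str]] = {  # JammMailAlias: mail -> maildrop
    "jane@example.com": ["jane.doe@example.com", "jane@gmail.com"],
    "sales@example.com": ["bill@example.com", "sue@example.com"],
    "@example.com": ["mike@example.com"],     # the catch-all alias
}


def ldap_aliases(key: str) -> Optional[List[str]]:
    """Stands in for ldap:aliases, filter (mail=%s), result attribute maildrop."""
    return JAMM_MAIL_ALIASES.get(key)


def ldap_accountsmap(key: str) -> Optional[List[str]]:
    """Stands in for ldap:accountsmap, filter (mail=%s), result attribute mail.

    A hit maps the address to itself, which is exactly what stops the catch-all.
    """
    return [key] if key in JAMM_MAIL_ACCOUNTS else None


def maps_find(key: str, maps: List[Lookup]) -> Optional[List[str]]:
    """Query the maps in the order given in virtual_alias_maps; first hit wins."""
    for lookup in maps:
        hit = lookup(key)
        if hit is not None:
            return hit
    return None


def virtual_alias_lookup(address: str, maps: List[Lookup]) -> Optional[List[str]]:
    """Full address across all maps first, then "@domain" across all maps.

    Postfix also tries the bare local part for its own domains (mydestination
    and friends); that form is omitted here because virtual domains are not
    listed there in this setup.
    """
    hit = maps_find(address, maps)
    if hit is None and "@" in address:
        hit = maps_find("@" + address.split("@", 1)[1], maps)
    return hit


def resolve(address: str, maps: List[Lookup], limit: int = 1000) -> List[str]:
    """Expand an address until every result is final, preserving first-seen order.

    An address with no hit, or whose only hit is itself, is final. Other hits
    are expanded recursively; `limit` plays the role of
    virtual_alias_recursion_limit. Treating an address seen twice on one
    expansion path as final is this model's own choice, not Postfix's rule.
    """
    final: List[str] = []

    def walk(addr: str, path: List[str]) -> None:
        if len(path) > limit:
            raise RuntimeError("alias expansion too deep for %s" % address)
        hit = virtual_alias_lookup(addr, maps)
        if hit is None or hit == [addr] or addr in path:
            if addr not in final:
                final.append(addr)
            return
        for target in hit:
            walk(target, path + [addr])

    walk(address, [])
    return final


if __name__ == "__main__":
    only_aliases = [ldap_aliases]
    with_accountsmap = [ldap_accountsmap, ldap_aliases]
    for addr in ("jane.doe@example.com", "jane@example.com", "nobody@example.com"):
        print(addr, "->", resolve(addr, only_aliases), "| with accountsmap:",
              resolve(addr, with_accountsmap))
```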
The Virtual Accounts
Telling Postfix about the virtual accounts is a bit trickier than the aliases. This is due to the fact that we need to define a lot of extra information about the virtual mail storage.
For this example, we assume that there is a vmail Unix account created that has a UID of 101, a GID of 101, and its home directory is /home/vmail. We will use the home directory of the vmail user as the place where we store our virtual mail repository. As before, add this to main.cf:
virtual_transport = virtual
virtual_mailbox_base = /home/vmail/domains
virtual_mailbox_maps = ldap:accounts
virtual_mailbox_domains = ldap:domains
virtual_minimum_uid = 101
virtual_uid_maps = static:101
virtual_gid_maps = static:101
Most of the above is pretty straightforward, except for virtual_transport, virtual_minimum_uid, virtual_uid_maps, and virtual_gid_maps.
For virtual accounts, we want to use the virtual transport and set virtual_transport to specify this.
With the domains LDAP source defined, Postfix needs to be configured to use it. This is done by setting virtual_mailbox_domains in main.cf to ldap:domains.
The Postfix documentation states “[virtual_minimum_uid] specifies a minimum UID that will be accepted as a return from a virtual_uid_maps lookup. Returned values less than this will be rejected, and the message will be deferred.” Since we have decided that all mail for virtual accounts will be stored using the vmail Unix account, we set virtual_minimum_uid to be the UID of vmail. Also, we set virtual_uid_maps and virtual_gid_maps to a special static map and hard code it to the UID and GID of the vmail user. All of the parameters shown here are fully documented in README_FILES/VIRTUAL_README that comes with the Postfix source.
Other Postfix Settings
Many defaults are fine in this setup (myhostname, mydomain, etc.), but change them if you need to. In my case I also set (in main.cf):
inet_interfaces = $myhostname, localhost
This tells postfix to listen for connections from the outside world and from localhost. localhost is needed by SquirrelMail if nothing else.
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
Even though we are depending solely on the virtual transport, the local transport is apparently still active. This transport really wants to have an alias database of its own, and that's what these are. It seems safe to comment these out, if, and only if, you also comment out the local transport in the master.cf file (but I'm not sure how advisable that is). I elected to leave these intact and have postfix create the local alias database from the empty local alias maps file by running the command: newaliases or postalias /etc/postfix/aliases (same thing). You'll probably need to do the same thing.
home_mailbox = Maildir/
Make Postfix use Maildir (one file per email) format instead of mbox (one big file).
Postfix setup is complete. You can start Postfix with the following command: service postfix start. If you don't have another email account to test this one with (like whoever@yahoo.com), then this service might be useful: http://www.zoneedit.com/smtp.html .
SMTP AUTH with SASL
The setup so far will allow a virtual user to receive mail and that's it. No virtual user can send (relay) mail (though local ones can), nor can any other server. We don't want servers to be able to relay, but you definitely want your users to. There are a number of inelegant ways to get this to happen, but the cleanest is to use SMTP authentication; making your users authenticate to Postfix, and allowing authenticated users to send mail.
Building SASL
To use SMTP AUTH you must also use SASL, an authentication protocol invented by Netscape. The most common FOSS implementation of SASL is Cyrus-SASL from Carnegie Mellon University. On my machine Cyrus-SASL was preinstalled, but it lacked LDAP support, so I downloaded the source and compiled that. You can get the source tarball here: http://ftp.andrew.cmu.edu/pub/cyrus-mail
Some of the defaults were not as they should be for a Red Hat like system, so I ran configure like this:
# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-ldap
# make
# make install
The important part is the “--with-ldap” flag (make sure you have the OpenLDAP development libraries installed as above). The CPPFLAGS and LDFLAGS may or may not be important. Dovecot needed them (more later), and I figured they couldn't hurt, so I used them here too. They basically point to the Kerberos development files which on my system were not in /usr/lib and /usr/include.
Configuring SASL
Cyrus-SASL requires a particular directory to keep its runtime information. This directory will (probably) not be created for you. Run saslauthd from the command line and let it yell at you, then you'll know. You can create the asked-for directory manually without problems. I used /var/run/saslauthd. Or rather, the pre-existing init script did by passing in the -m flag, but I concurred.
Cyrus-SASL also uses a config file that's not automatically created. In my case it's called /etc/saslauthd.conf. Create this file with the following self-explanatory contents:
ldap_servers: ldap://127.0.0.1
ldap_search_base: o=hosting,dc=myhosting,dc=example
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
Important: If you are using Cyrus-SASL 2.1.17 (possibly 2.1.18, as well), then you must change the ldap_filter directive above to be as follows:
ldap_filter: (&(objectClass=JammMailAccount)(mail=%u@%r)(accountActive=TRUE)(delete=FALSE))
Finally, you must tell Cyrus-SASL that it is to use LDAP by passing -a LDAP to it at startup. There are two ways to do this (and you might find that it's already been done for you); you can add it to the init script or you can add it to a file read in by the init script. I chose the former, but it's up to you. Here's the relevant part of my init script (located at /etc/init.d/saslauthd):
# Source function library.
. /etc/init.d/functions
# Source our configuration file for these variables.
SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=
if [ -f /etc/sysconfig/saslauthd ] ; then
    . /etc/sysconfig/saslauthd
fi
RETVAL=0
# Set up some common variables before we launch into what might be
# considered boilerplate by now.
prog=saslauthd
path=/usr/sbin/saslauthd
start() {
    echo -n $"Starting $prog: "
    daemon $path -m $SOCKETDIR -a $MECH $FLAGS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}
Notice how the MECH variable is set to ldap and how it is later used with the -a flag when kicking off the daemon. (Also notice how the SOCKETDIR variable is set to the path of SASL's runtime directory.) Alternately, as you can see, you could have added the MECH (and SOCKETDIR) variables to the /etc/sysconfig/saslauthd file which is sourced by this script.
Later, when you've actually added a user to LDAP, you can test your SASL configuration like this:
# testsaslauthd -u users_login_name -p users_password
For instance:
# testsaslauthd -u george@whitehouse.gov -p thisisasecret
0: OK "Success."
Configuring Postfix / SASL Environment
You may or may not need the following. My setup works both ways, however I'm leaving it in for safety. The premise is that every process that uses SASL can have a SASL specific configuration file. In other words Postfix (not SASL) will look in /usr/lib/sasl2 (note the “2”), for a file called smtpd.conf. On some systems (Debian? chrooted?) this file path may be /etc/postfix/sasl. Postfix will then learn a few things about SASL. What we're interested in telling Postfix is what mechanism SASL will use to look something up and what formats it will accept user information in. In short, create the file /usr/lib/sasl2/smtpd.conf (or /etc/postfix/sasl/smtpd.conf) and make it look like this:
pwcheck_method: saslauthd
mech_list: login plain
This will tell Postfix to contact the saslauthd daemon for authentication purposes, and keep Postfix from telling user agents that it supports, say, Kerberos (which it may, but SASL/LDAP doesn't) when SASL only accepts “plain.” (Or something like that.)
Configuring Postfix
Add the following Postfix directives to the end of /etc/postfix/main.cf:
# SASL support
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = no
The first line is obvious. The second is very important — smtpd_sasl_local_domain must be there (not missing or commented out) and it must be blank! The value of this variable is appended to the login name Postfix sends to SASL. Since our login names already have the domain component, using this would cause Postfix to send something like “george@whitehouse.gov@whitehouse.gov” or worse “george@whitehouse.gov@myisp.net.” And if it's not there at all, bad things happen.
The smtpd_recipient_restrictions allow local users and users authenticated via SASL to send mail — and nobody else (unless you have set up allowed relays, which, presumably, you haven't.)
The smtpd_sasl_security_options bit is obvious but important. The final variable, smtp_sasl_auth_enable refers to having this server authenticate to other servers, and we don't care about that.
SMTP over SSL (TLS)
Since we are using plain text logins we need to be able to encrypt them. Besides, there's no reason to let others sniff our mail either. Turning on SSL is pretty easy. You just have to create a few certs and then set a few variables.
How to create certs was detailed above. If you haven't done that part, you'll need to do it now. To enable Postfix to support TLS modify /etc/postfix/main.cf as follows (these settings won't be there by default, so just add them to the bottom):
# TLS Support
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/share/ssl/hosting.example/ExamplePrivateKey.pem
smtpd_tls_cert_file = /usr/share/ssl/hosting.example/ExampleCert.pem
smtpd_tls_CAfile = /usr/share/ssl/hosting.example/demoCA/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
These settings should be more or less self-explanatory, although I don't know why Postfix needs the CA cert. You can play with the log level, but I found setting it to 3 generated a lot of LDAP/SASL noise in my log files.
Dovecot IMAP
Building Dovecot
Dovecot was not pre-installed on my system. It was available via apt-get, but not with LDAP support. This meant compiling from source, here's how:
# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --mandir=/usr/share/man --with-ldap --with-ssldir=/usr/share/ssl
# make
# make install
In the above run of configure, the --with-ldap flag is the most important. But you must pay special attention to the output of configure. Even if the LDAP libraries are not found, Dovecot will still build and install! This may be legitimate, but Dovecot will fail to communicate with LDAP, and it may lead you (as it did me) to believe that your Dovecot build is good, and something else is keeping the communication from happening. In a similar vein, Dovecot wants to build against Kerberos, and silently continued even though it couldn't find the Kerberos libraries, which on my machine are in /usr/kerberos/lib (the header files are in /usr/kerberos/include) instead of /usr/lib. The --with-ssldir is used to tell Dovecot the base directory for certificates. It's not really important in our configuration, as we'll be setting the full path to our certs, but it might as well be accurate anyway. As for all the other directory flags, well, I would have liked to keep everything in the default /usr/local (and you probably do too), but previous installs of the non-LDAP, apt-get binary made me choose to imitate that and place things as you see above — your choice.
Creating the Dovecot Auth User
Dovecot's IMAP implementation is made up of several processes. One of these, imap-login, accepts incoming connections and should run as the “dovecot” user, which should have been created for you during package installation or during the make install step. The Dovecot authentication process, dovecot-auth, which authenticates users against some user store, should run, for security reasons, as some other user. It defaults to root, which would be necessary for /etc/shadow or PAM based authentication. But since our users are kept in LDAP, we should run this process as a less privileged user. On my RedHat-like system, this user can be the “nobody” user. I'm informed, however, that this will not work on Debian-based systems. In this case, and even on RedHat, you should create a dovecot-auth user and group.
# groupadd -r dovecot-auth
# useradd -m -r -d /usr/libexec/dovecot dovecot-auth
Note the use of /usr/libexec/dovecot as a home directory. This is where I've installed the Dovecot binaries. You can use whatever you want.
Configuring Dovecot
Dovecot uses the dovecot.conf file for most of its configuration settings. Using the above configure command the dovecot.conf file will be found in the /etc directory (in your case it might be /usr/local/etc or wherever you set sysconfdir to point to). LDAP is configured elsewhere and discussed in the next section. In general, if you leave a Dovecot setting commented out it defaults to something reasonable. Below, I will show only those settings that are meaningful in the context of this HOWTO.
protocols = imap imaps
Enable only IMAP and IMAP over SSL. Do not enable POP or secure POP. Though you can if you want to.
imap_listen = 127.0.0.1
Non-secure IMAP will only accept connections from local processes. This will be needed for SquirrelMail.
imaps_listen = *
Secure IMAP will accept connections from anywhere.
ssl_disable = no
It's not enough to simply set imaps in the protocols setting, you have to explicitly enable SSL.
ssl_cert_file = /usr/share/ssl/hosting.example/ExampleCert.pem
ssl_key_file = /usr/share/ssl/hosting.example/ExamplePrivateKey.pem
The absolute path to the certificate and private key created earlier. You do not need to specify the CA cert.
disable_plaintext_auth = no
Setting this to true would keep people from connecting unless they came in over SSL. However, that would keep SquirrelMail from working, so this has to be set to no. It's okay though, as the imaps_listen directive above keeps non-encrypted IMAP ports from being open to the outside world.
login_user = dovecot
The user that the login process runs as. The dovecot user should have been created for you during make install or during the package installation. Should not be root.
first_valid_uid = 101
last_valid_uid = 101
When we get around to configuring Dovecot for LDAP we will set up a single virtual user, vmail, just as we did for Postfix. Since vmail will be our only user, we can set the first and last valid user IDs to vmail's uid; 101 in this example, almost certainly different on your system.
first_valid_gid = 101
last_valid_gid = 101
Same as above, but for groups.
valid_chroot_dirs = /home/vmail/domains
This is a list of directories where chrooting can take place. In our case, we need only one. It should be set to the root directory of our user's mailboxes, ie /home/vmail/domains.
Note: Immediately below this is a setting called mail_chroot. Do not set this! This value is implied by the fact that we are using an absolute path in the default_mail_env setting.
default_mail_env = maildir:/home/vmail/domains/%d/%n
The all-important setting! Okay, if I got this right, Dovecot has this notion of a “mail environment.” It consists of a mailbox format (mbox or maildir), a colon, the relative (?) or absolute path to the user's mailbox, and a few other things that are inadequately explained. It is possible to store the mail environment in LDAP, but since this is not a standard LDAP attribute, nor part of the Jamm schema, we will forgo this. When the mail environment can't be retrieved from LDAP, Dovecot uses the default_mail_env instead. (If both of these are unavailable, I think Dovecot makes a best guess.)
The value of this setting is constructed at runtime from the text given here and some simple substitution (explained in the conf file comments). In my case it is set to use the maildir mailbox format. It also specifies that mailboxes can be found in /home/vmail/domains/[the domain name of the user logging in]/[the user name of the user logging in]. Expanded, this might be /home/vmail/domains/whitehouse.gov/george. Note, I did not use “%u” (you) for the user name, I used “%n” (en). This is because “%u” will expand to “user@domain.extension,” and we just want the first part.
auth = default
Set up our first (and only) authentication process.
auth_mechanisms = plain
The user will send authentication information as clear text. The session, of course, is SSL encrypted.
auth_userdb = ldap /etc/dovecot-ldap.conf
Where the user database is. In our case, this is LDAP. The LDAP settings are found in the file /etc/dovecot-ldap.conf (created in the next step).
auth_passdb = ldap /etc/dovecot-ldap.conf
Where the password database is. Same as above.
auth_executable = /usr/libexec/dovecot/dovecot-auth
This is Dovecot's authentication executable. I didn't have to uncomment it as it's in the default place, but you may have to if you installed in /usr/local, for instance.
auth_user = dovecot-auth
The user to run the above authentication executable as. This is the user we created earlier.
That's it. There are a number of other Dovecot settings you might want to use, eg, auth_verbose, maildir_copy_with_hardlinks, and so on. The conf file explains each of these well enough for you to decide.
Configuring Dovecot for LDAP usage
Dovecot keeps its LDAP settings in a separate file. This file is referenced by the auth_userdb and auth_passdb settings in dovecot.conf. Its name defaults to dovecot-ldap.conf and it should be in the /etc directory. You do not have to create this from scratch; a sample file can be found in the Dovecot docs (/usr/share/doc/dovecot-0.99.10.9/dovecot-ldap.conf on my system). Copy this file to /etc and edit it as follows.
hosts = localhost
The server name/IP address where LDAP is running.
dn = cn=dovecot,dc=myhosting,dc=example
The DN of the user that Dovecot will bind to LDAP as.
dnpass = secret
The Dovecot user's password. You do remember it, don't you?
ldap_version = 3
What version of LDAP to use.
base = o=hosting,dc=myhosting,dc=example
The LDAP base under which our users can be found.
deref = never
I have no idea. If you think you care, maybe this will help: http://www.holbaeksem.dk/help/readme.nsf/0/ffc017ce09e9fd2585256cc600651017?OpenDocument
scope = subtree
How far under the base should a search look. Subtree is all the way down.
user_attrs = mail,homeDirectory,,,,
Pay attention to this one. The user_attrs setting lists the names of the LDAP attributes for those parts of a user's entry that Dovecot cares about. They are, in order:
The virtual user's user name ( user@domain ).
The user's Home directory.
The user's mail environment. See the default_mail_env setting above.
The local user's user name.
The local user's user ID.
The local user's group ID.
Now, I may not have gotten this perfectly correct, but of these we're only interested in the first one. In the Jamm schema the virtual user's user name is stored in the mail attribute.
I have also set the attribute for the user's home directory (homeDirectory in the Jamm schema). This is not strictly necessary, and can be safely left out. However, Dovecot claims to have some additional logging that's dependent on this setting (among other things). This is also where core files will be dumped if Dovecot crashes. I was never able to get this logging to work, however, even after following the FAQ on this subject.
As was discussed earlier regarding the default_mail_env setting, it is possible to put the user's mail environment (eg, maildir:/home/username/Maildir) in LDAP, but since the standard LDAP schemas and the Jamm schema have no such attribute, we leave that blank.
As for the remaining three attributes, none of our users are local, therefore we don't need to set these. When Dovecot needs a uid and gid it will get them from the user_global_uid and user_global_gid settings below. It won't need a system user name, as, apparently, that's only needed for accessing /etc/groups.
user_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
The LDAP filter Dovecot will use when looking up users. Should be familiar by now.
pass_attrs = mail,userPassword
The LDAP attributes that contain the user's virtual user name and password.
pass_filter = (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))
The LDAP filter Dovecot will use when looking up a user's password.
default_pass_scheme = CRYPT
The format that passwords are stored in LDAP. We use CRYPT here to match our setting in slapd.conf. Other values are PLAIN, PLAIN-MD5, and DIGEST-MD5.
user_global_uid = 101
user_global_gid = 101
Though we set the first and last valid uid and gid in dovecot.conf, we never did set the uid of the vmail user — we do that here. This is the uid and gid Dovecot will use in lieu of the empty LDAP settings above when reading and writing from the user's mailbox and chrooting too, I guess.
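To see what these dovecot-ldap.conf settings actually do at login time, here is an added Python simulation (not part of the HOWTO, and not Dovecot's own code): it expands %u/%n/%d, substitutes the login into user_filter, evaluates that filter against constructed Jamm-style entries, and derives the Maildir path from default_mail_env. The directory entries and the whitehouse.gov logins are constructed sample data; the filter evaluator only understands the single AND-of-equalities shape used above.

```python
"""Added example (not part of the HOWTO or of Dovecot): simulate what the
dovecot-ldap.conf settings above make Dovecot do at login time, so that the
%u/%n/%d substitutions and the accountActive/delete gating can be checked.
Every LDAP entry below is constructed sample data in the Jamm schema's shape."""
import re

USER_FILTER = "(&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))"
DEFAULT_MAIL_ENV = "maildir:/home/vmail/domains/%d/%n"
BASE = "o=hosting,dc=myhosting,dc=example"

# Constructed entries: one live account, one flagged for deletion, one deactivated.
DIRECTORY = [
    {"dn": f"mail=george@whitehouse.gov,jvd=whitehouse.gov,{BASE}",
     "objectClass": "JammMailAccount", "mail": "george@whitehouse.gov",
     "accountActive": "TRUE", "delete": "FALSE"},
    {"dn": f"mail=gone@whitehouse.gov,jvd=whitehouse.gov,{BASE}",
     "objectClass": "JammMailAccount", "mail": "gone@whitehouse.gov",
     "accountActive": "TRUE", "delete": "TRUE"},
    {"dn": f"mail=paused@whitehouse.gov,jvd=whitehouse.gov,{BASE}",
     "objectClass": "JammMailAccount", "mail": "paused@whitehouse.gov",
     "accountActive": "FALSE", "delete": "FALSE"},
]


def expand_variables(template, login):
    """%u is the whole login, %n the part before the @, %d the part after it."""
    local, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", local).replace("%d", domain)


def escape_filter_value(value):
    """RFC 4515 escaping: a login containing * ( ) or a backslash must not alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def parse_and_filter(filter_str):
    """Parse the restricted shape (&(attr=value)...) into (attr, value) pairs."""
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter shape: " + filter_str)
    return [tuple(t.split("=", 1)) for t in re.findall(r"\(([^()]+)\)", m.group(1))]


def entry_matches(entry, terms):
    """Equality match on every term; these attribute types compare case-insensitively."""
    return all(entry.get(attr, "").lower() == value.lower() for attr, value in terms)


def lookup_user(login, directory=DIRECTORY):
    """Return the expanded mail environment for a login that passes user_filter,
    or None when no (or more than one) entry matches, i.e. the login is refused."""
    terms = parse_and_filter(expand_variables(USER_FILTER, escape_filter_value(login)))
    hits = [e for e in directory if entry_matches(e, terms)]
    if len(hits) != 1:
        return None
    local, _, domain = login.partition("@")
    # %d and %n become path components under /home/vmail/domains; refuse anything odd.
    if any(not p or p in (".", "..") or "/" in p for p in (local, domain)):
        return None
    return expand_variables(DEFAULT_MAIL_ENV, login)


if __name__ == "__main__":
    for who in ("george@whitehouse.gov", "gone@whitehouse.gov",
                "paused@whitehouse.gov", "*@whitehouse.gov"):
        print(who, "->", lookup_user(who))
```

Only the live account resolves to a mailbox; the entries with delete=TRUE or accountActive=FALSE fall out of user_filter exactly as they would in Dovecot, which is what makes Jamm's activate/deactivate switches take effect for IMAP.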
And that's it for Dovecot.
Jamm
What follows are the [slightly edited] instructions from the original Jamm HOWTO.
Installing and Configuring Jamm
Installing and configuring a web servlet container like Tomcat or Resin is outside the scope of this document. (On my hosted system Tomcat was already installed in /usr/local/tomcat). However, once you have a working servlet container, installing and configuring Jamm is a snap. Change into the webapps deployment directory, make a new directory called jamm, cd into that directory, drop the jamm.war file (that we downloaded way back at the beginning of this HOWTO) into the jamm directory, and unjar the war file. Then cd to the WEB-INF directory. Copy jamm.properties.dist to jamm.properties, and edit jamm.properties as appropriate.
# cd /usr/local/tomcat/webapps
# mkdir jamm
# cd jamm
# cp [wherever]/jamm-0.9.6.war .
# jar -xvf jamm-0.9.1.war
# cd WEB-INF
# cp jamm.properties.dist jamm.properties
Now you need to edit jamm.properties. To continue to follow our examples for dc=myhosting,dc=example, we've edited the following lines in jamm.properties.
jamm.ldap.search_base = o=hosting,dc=myhosting,dc=example
jamm.ldap.root_dn = cn=Manager,dc=myhosting,dc=example
None of the values in jamm.properties should have quotes around them. This will cause problems at run time as Jamm is not expecting them. This has bitten people in the past when they copied their rootdn from slapd.conf.
Administration
To access Jamm, start up your servlet container (on my system this is Tomcat; service tomcat start) if it's not already started. From a browser go to: http://servername.tld:8080/jamm .
To login as the site administrator, the username is “root” (as specified in the jamm.properties file). The password is whatever password you gave to the LDAP superuser or root user way back when we were configuring LDAP.
Jamm allows for three levels of access: the site admin, the domain admin, and the user. The site admin controls the entire site and has access to every option all the time, very much like root on a Unix system. The domain admin can add, remove, and modify accounts and aliases for his domain as well as assign other people to be a domain admin. The user can only affect his own settings.
Site Admin
Figure 3. Site Admin Screen
When a site admin logs in, they are presented with a list of domains. They can click on the domain to drill down to that domain admin page or manipulate the capabilities of the domain admin.
Can Edit Accounts controls the ability for a domain admin to add and remove virtual accounts. When this is switched off, the domain admin can still modify the attributes of existing accounts such as the password.
Appoint Postmasters controls the ability for a domain admin to grant the powers of domain admin to other accounts in the domain. With this turned off, only the site admin can give users domain admin access.
Domain Is Active turns on or off the “active” flag on the domain in ldap. If your mail server or imap server are configured to pay attention to this flag, one can turn on or off domains temporarily without removing them from ldap.
Domain Admin
Figure 4. Domain Admin Screen
When a domain admin logs in, they are presented with a list of accounts and aliases for their domain. They can click on a user to drill down to that user admin page, add or delete accounts or aliases, appoint other admins/postmasters, and activate and deactivate accounts. Some of these options may not be present depending on how the site admin has configured the domain's capabilities.
Delete Account does pretty much what it says it will.
Account Is Active activates or deactivates an account without deleting it. Much like Domain Is Active, your mail server and IMAP servers must be configured to pay attention to this flag inside LDAP.
Postmaster gives or removes the ability for that user to act as a domain admin.
User Admin
Figure 5. User Admin Screen
When a user logs in, they are presented with a user screen appropriate to whether they have an account or an alias. Currently, all that a user with an account can do is change their password. An alias user is a bit more interesting: they can edit their destination(s).
To add destinations to an alias, the user only needs to add them in the text area in either a comma-separated list or one per line. To delete destinations, just check the box next to the destination to be deleted.
Account Creation Notes
When you create an account or an alias inside the LDAP database it will instantly become active as far as the mail system is concerned. For virtual accounts, it should be noted that the Unix directory in ~vmail is not created at this time. However, we can work around this because Postfix's virtual delivery agent will create the necessary directories the first time it has to deliver mail. Due to this fact, we recommend sending a welcome e-mail as soon as you create the account. Important! I did not find this to be true! Postfix did not create any directories for me. Therefore, for me anyway, account creation is a two-step process: create the appropriate directory tree (/home/vmail/domains/somedomain/someuser) and then create that domain and/or user in LDAP via Jamm.
Account Deletion Notes
When you delete an account or an alias in the LDAP database, it will instantly become inactive. For virtual accounts, it should be noted that the Unix file system isn't cleaned up, ie the data remains on disk until a sysadmin can remove it. This will allow you to keep the data from dead accounts around for a grace period in case the account was deleted in error. However, if another account is created with the same name with the same mail path, the data will be available to the new user. This could be considered a privacy violation for the previous user.
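The two notes above leave the administrator with two housekeeping jobs: creating the directory tree before a new account's first delivery, and finding the directories of deleted accounts before a new account with the same name inherits them. Here is an added Python script (not from the HOWTO or from Jamm) that does both by reconciling the vmail tree against the list of accounts in LDAP; the account list and the tree, built under a temporary directory, are constructed sample data standing in for the mail attributes Jamm stores and for /home/vmail/domains.

```python
"""Added example (not part of the HOWTO or of Jamm): reconcile the vmail tree with
the accounts held in LDAP. An account with no directory needs one before its
first delivery (the two-step creation above); a directory with no account is
data left behind by a deleted account, which a new account of the same name
would inherit. The LDAP account list is a constructed stand-in for the mail
attributes Jamm stores; the tree is built in a temporary directory."""
import os
import shutil
import tempfile


def is_safe_login(login):
    """%d and %n become path components, so each part must be a plain name."""
    local, at, domain = login.partition("@")
    return bool(at) and all(
        part and part not in (".", "..") and "/" not in part for part in (local, domain))


def create_maildir(root, login):
    """First half of the two-step creation: <root>/<domain>/<user>, mode 0700."""
    if not is_safe_login(login):
        raise ValueError("refusing to create a directory for %r" % login)
    local, _, domain = login.partition("@")
    path = os.path.join(root, domain, local)
    os.makedirs(path, mode=0o700, exist_ok=True)
    return path


def list_maildirs(root):
    """Return {'user@domain', ...} for every <root>/<domain>/<user> directory."""
    found = set()
    for domain in os.listdir(root):
        domain_dir = os.path.join(root, domain)
        if not os.path.isdir(domain_dir):
            continue
        for user in os.listdir(domain_dir):
            if os.path.isdir(os.path.join(domain_dir, user)):
                found.add("%s@%s" % (user, domain))
    return found


def reconcile(root, ldap_accounts):
    """Return (accounts missing a directory, directories with no account).
    ldap_accounts should be the mail values of entries with delete=FALSE."""
    on_disk = list_maildirs(root)
    wanted = set(ldap_accounts)
    return sorted(wanted - on_disk), sorted(on_disk - wanted)


def demo():
    """Build a small constructed tree and reconcile it against a constructed account list."""
    root = tempfile.mkdtemp()  # stands in for /home/vmail/domains
    try:
        create_maildir(root, "george@whitehouse.gov")  # live account with a mailbox
        create_maildir(root, "gone@whitehouse.gov")    # deleted in Jamm, data still on disk
        ldap_accounts = {"george@whitehouse.gov", "new@whitehouse.gov"}  # constructed
        return reconcile(root, ldap_accounts)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    missing, orphaned = demo()
    print("create before first delivery:", missing)
    print("left over from deleted accounts:", orphaned)
```

On a real server the account list would come from an ldapsearch for JammMailAccount entries with delete=FALSE, and the orphaned directories would be moved aside or archived rather than left in place.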
SquirrelMail
Installing and Configuring SquirrelMail
SquirrelMail is simplicity itself to install. You have to make sure your system matches the prerequisites stated here: http://www.squirrelmail.org/wiki/SquirrelMailRequirements — essentially Apache and PHP. After that you should install the binary package (or grab the tarball, if necessary — http://www.squirrelmail.org/download.php )
# apt-get install squirrelmail
The installation process will put the appropriate Apache 2.0 configuration file in Apache's conf.d directory. The config file simply adds a “webmail” alias that points at the Squirrelmail index page. It put Squirrelmail itself in /usr/share/squirrelmail. Now you just need to make a couple of quick changes to the Squirrelmail configuration. You can do this via a Perl script located at /usr/share/squirrelmail/config/conf.pl or by directly editing the config file /usr/share/squirrelmail/config/config.php (which is aliased to /etc/squirrelmail/config.php). I chose the latter. The edits are few and are summarized here:
$use_authenticated_smtp = true;
$imap_server_type = 'courier';
$optional_delimiter = '.';
$default_folder_prefix = '';
Yes, I know it says “courier” for IMAP server type, but Squirrelmail doesn't have a quirks mode for Dovecot, and the Courier settings work. There are any number of other changes you may want to make, but they're all optional.
Enabling Apache 2.0 SSL
Important: If you are supporting (name-based) virtual hosts, then read this: http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .
It's likely that your Apache install can already speak SSL. If you're happy with this, then great, skip to the next section. However, the default SSL configuration won't be using those shiny new certs we made earlier. To enable SSL to begin with or to modify which certs it uses, go to /etc/httpd/conf.d (on my system, yours may be different) and edit the file ssl.conf.
First, make sure that SSL is enabled by searching for the string “Listen” (with a capital “L”). It should be uncommented and set to an IP address of all zeros or the IP address of the server and followed by a port number (443), like this:
Listen 0.0.0.0:443
It's likely that the rest of the global settings are acceptable, so skip down to the VirtualHost settings and search for the string SSLCertificateFile and change the file path to /usr/share/ssl/hosting.example/ExampleCert.pem (again, hosting.example/ExampleCert.pem is a place holder – substitute in the actual name you gave the cert). A few lines below this is the private key information. So change SSLCertificateKeyFile to point to /usr/share/ssl/hosting.example/ExamplePrivateKey.pem. That's all the changes you need to make, but you may want to fiddle with some other settings. Save the file and restart Apache: service httpd restart.
Enabling SquirrelMail SSL
Now that Apache can handle SSL, you only need to make one small change for SquirrelMail. In the same directory, /etc/httpd/conf.d, you'll find the SquirrelMail configuration file squirrelmail.conf. It's just one alias command. Add the following command to it:
SSLRequireSSL
You can now access Squirrelmail via the URL: https://myhosting.example/webmail .
Figure 6. Rysunek 6. My Squirrelmail interface after fiddling with fonts and themes.
Allow Users to Change Their LDAP Password from SquirrelMail (OPTIONAL)
The functionality presented here is entirely optional as it reproduces some of the functionality of Jamm. However, now that SquirrelMail is up and running, it makes sense to me to have the user stay in that interface as much as possible. Over time I will install and create more plugins to SquirrelMail so that the everyday user can perform all personal administration from there.
To allow a user to change their LDAP managed password, first download the “change_ldappass” SquirrelMail plugin: http://squirrelmail.org/plugin_view.php?id=26 . Change_ldappass is dependent on the Squirrelmail “compatibility” plugin, so download that too: http://www.squirrelmail.org/plugin_view.php?id=152 .
Installing it is a breeze. First, untar the compatibility plugin into the Squirrelmail plugins directory. Then untar the change_ldappass package into the SquirrelMail plugins directory, cd into the resulting change_ldappass directory, copy the config.php.sample file to config.php and edit it.
The changes that have to be made to the config file are minimal and limited to the very top of the file. Simply change the $ldap_user_field to mail, the LDAP attribute where our usernames (eg joe@example.com) are stored; and change the $ldap_base_dn to your version of o=hosting,dc=myhosting,dc=example. Do not change the $ldap_password_field from userpassword to userPassword (note the capital “P”) as I did. It will work with the default, but not otherwise. The top few lines of the config.php file should look like this:
$ldap_server = "localhost";
$ldap_password_field = "userpassword";
$ldap_user_field = "mail";
//put the ldap base dn of your server here
$ldap_base_dn = "o=hosting,dc=myhosting,dc=example";
There's no need to restart Apache. Users can now access the change password screen from the “options” page of SquirrelMail.
Figure 7. The new “Change Password” option in Squirrelmail's option page.
Post Install Configuration
Now that all the software has been installed and configured, there are a few other things you probably want to do.
Make LDAP inaccessible to the Internet
Currently the OpenLDAP process will answer requests from anywhere. What you probably want to do is limit connectivity only to the processes running locally (on this server). This is done with the -h flag to slapd. I modified the init script on my system, /etc/init.d/ldap, to accept normal and SSL connections only from processes on the same host. Here's the relevant part of the init script, in the start function.
prog=`basename ${slapd}`
echo -n $"Starting $prog: "
if grep -q ^TLS /etc/openldap/slapd.conf ; then
    daemon ${slapd} -u ldap -h '"ldap://127.0.0.1 ldaps://127.0.0.1"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
else
    daemon ${slapd} -u ldap -h '"ldap://127.0.0.1"' $OPTIONS $SLAPD_OPTIONS
    RETVAL=$?
fi
Start up on reboot
You probably want to set up your system to start up all processes at reboot. This is especially true if your server is hosted, and you may not even be aware that your server has been restarted. If your machine is local to you, you can probably use the appropriate GUI application. However, if your machine is remote (and RedHat based), you can use the chkconfig utility to do this. Or, if necessary, do it manually. I set all processes to start at runlevels 3 and 5. You may want to use 2, 3, 4, and 5. You can get details on how chkconfig works elsewhere, but here's how I did it:
# chkconfig --level 35 ldap on
# chkconfig --level 35 saslauthd on
# chkconfig --level 35 postfix on
# chkconfig --level 35 dovecot on
# chkconfig --level 35 tomcat on
Make sure you're not a relay
If you followed the instructions above, and given the default configuration of Postfix, you should not be acting as an open (spam) relay. But, better safe than sorry. Go here and test your system: http://www.abuse.net/relay.html
Adjust Postmaster Account
When you create a virtual domain with Jamm it creates the postmaster@domain.name and abuse@domain.name accounts automatically. Both of these accounts are set as aliases to the “postmaster” user who is presumed to be a local user. This is fine, but on my system I don't want any local users. Besides, if I did, I'd have to add another authentication mechanism to Dovecot, and I don't want to do that either. In any case, if you would like to change the abuse and postmaster aliases to point at a virtual user, you can do so as follows:
Create an LDIF file that looks something like this:
dn: cn=postmaster,jvd=domain.name,o=hosting,dc=myhosting,dc=example
changetype: modify
replace: maildrop
maildrop: user@domain.name

dn: mail=abuse@domain.name,jvd=domain.name,o=hosting,dc=myhosting,dc=example
changetype: modify
replace: maildrop
maildrop: user@domain.name
Where domain.name is the virtual domain you've created and user@domain.name (the new maildrop value) is the virtual user in that domain who is to receive mail for postmaster and abuse. The blank line between the two entries is required; ldapmodify uses it to tell where one change ends and the next begins.
You can use this file to update the LDAP directory like this:
# ldapmodify -x -D "cn=Manager,dc=myhosting,dc=example" -W -f ldif_file_name
Email Client Settings
I won't detail how to set up mail.app, Thunderbird, Outlook, etc., but here are the client settings that should be generally applicable.
Assumptions: Your mail server is accessible via a public DNS MX record at example.net. You want to host a virtual domain of anydomain.org and its MX record points to the same host, and Julie is a user at anydomain.org.
User Name: julie@anydomain.org
Password: [Julie's password]
Incoming Mail Account Type: IMAP
Incoming Mail Server: example.net
Incoming Mail Server uses SSL: Yes, on the default port of 993
Incoming Mail Server Authentication: Password
Outgoing Mail Server: example.net
Outgoing Mail Server uses SSL: Yes
Outgoing Mail Server Authentication: Password
Also, remember that you'll want your users to import the signing (CA) cert into their client or OS as applicable.
Credits Peter Lacey; placey at wanderingbarque.com