wiki:postfixLdap


Objective: set up a Postfix mail server that uses an LDAP directory and stores mail in Maildir format. For clean authentication we will use the pam_ldap module (simpler when configuring the other services later); for aliases and mailing lists, Postfix will query the LDAP directory directly.

The configuration was done on Debian; it may differ slightly on other systems.

NSS configuration

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         ldap    compat
group:          ldap    compat
shadow:         ldap    compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Then /etc/libnss-ldap.conf:

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
# @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=enib,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://127.0.0.1/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=reader,dc=enib,dc=fr

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
bind_policy soft

bind_policy absolutely must be set to soft; otherwise the machine may fail to boot (there is a bug: nss tries to connect to LDAP before the network interface has been configured...).

#/etc/libnss-ldap.secret
reader

PAM module configuration

Delete /etc/pam_ldap.conf and make /etc/pam_ldap.conf a symbolic link to /etc/libnss-ldap.conf; that avoids typing the same thing twice.

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#Before: auth   required        pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so
auth    sufficient      pam_unix.so nullok_secure use_first_pass
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
#Before: account        required        pam_unix.so
#LDAP Tokens
account         sufficient      pam_ldap.so
account         sufficient      pam_unix.so use_first_pass
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required        pam_unix.so
session required        pam_mkhomedir.so

In common-session, pam_mkhomedir.so was added so that the user's home directory is created automatically when they log in to the machine. Strictly speaking it is not needed here: we will use another method so that Postfix creates the home directory when a mail is received.

###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=enib,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://127.0.0.1/
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=reader,dc=enib,dc=fr

# The credentials to bind with.
# Optional: default is no credential.
bindpw reader

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
bind_policy soft

# Redirect users to a URL or somesuch on password
# changes.
pam_password_prohibit_message Pour changer votre mot de passe, rendez-vous sur http://ldap.enib.fr

pam_password_prohibit_message displays a message when the passwd command is used.

Blocking SSH access for LDAP directory accounts

Since our server is exclusively a mail server, there is no reason for LDAP users to have SSH access to the machine, so we will block it.

We edit the PAM configuration file for SSH:

#/etc/pam.d/ssh
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth-ssh

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account-ssh

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

Then create the files common-auth-ssh and common-account-ssh (copy common-auth and common-account and edit them):

#
# /etc/pam.d/common-account-ssh - authorization settings SSH
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so
#Ldap Tokens
#account                sufficient      pam_ldap.so
#account                sufficient      pam_unix.so use_first_pass
#
# /etc/pam.d/common-auth-ssh - authentication settings SSH
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so nullok_secure
#LDap Tokens
#auth   sufficient      pam_ldap.so
#auth   sufficient      pam_unix.so nullok_secure use_first_pass

Only accounts local to the machine can log in over SSH.
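The two auth stacks above decide who gets in where: common-auth (pam_ldap then pam_unix, both sufficient) lets directory and local users authenticate to the mail services, while common-auth-ssh (pam_unix alone, required) turns LDAP users away from sshd. The following is an added example written for this page, not code from the wiki or from Linux-PAM: a small Python model of the control-flag logic, run over both stacks. The user tables and passwords in it are constructed sample data, and only the flags the page uses are modelled.

```python
"""Simplified model of how Linux-PAM walks a stack of 'required' /
'sufficient' / 'optional' modules, applied to the two stacks on this page:
the LDAP-enabled common-auth (what Dovecot sees through PAM) and the
local-only common-auth-ssh. Added example; not part of the wiki page.
The modules are faked with lookup tables: LDAP_USERS and LOCAL_USERS are
constructed sample data, not real accounts."""

# Constructed sample data: which backend knows which user/password.
LDAP_USERS = {"niboucha": "ldap-secret"}   # would live under ou=people,dc=enib,dc=fr
LOCAL_USERS = {"root": "root-secret"}      # would live in /etc/shadow


def pam_ldap(user, password):
    """Stand-in for pam_ldap.so: succeeds only for directory users."""
    return LDAP_USERS.get(user) == password


def pam_unix(user, password):
    """Stand-in for pam_unix.so: succeeds only for local shadow users."""
    return LOCAL_USERS.get(user) == password


MODULES = {"pam_ldap.so": pam_ldap, "pam_unix.so": pam_unix}

# The 'auth' stacks from the page, as (control flag, module) pairs.
COMMON_AUTH = [("sufficient", "pam_ldap.so"), ("sufficient", "pam_unix.so")]
COMMON_AUTH_SSH = [("required", "pam_unix.so")]


def run_stack(stack, user, password):
    """Return True if the stack grants access, False otherwise.

    Rules modelled (see pam.conf(5)):
      required   - a failure is remembered but the remaining modules still run
      sufficient - success ends the stack with success unless an earlier
                   'required' module already failed; a failure is ignored
      optional   - its result only counts when it is the only module
    With no success and no required failure the stack denies, so a stack
    built only from 'sufficient' modules is still closed by default.
    """
    required_failed = False
    any_success = False
    for flag, module in stack:
        ok = MODULES[module](user, password)
        if flag == "required":
            any_success |= ok
            required_failed |= not ok
        elif flag == "sufficient":
            if ok and not required_failed:
                return True
            any_success |= ok
        elif flag == "optional":
            any_success |= ok and len(stack) == 1
        else:
            raise ValueError(f"unsupported control flag: {flag!r}")
    return any_success and not required_failed


def check_mail_login(user, password):
    """What Dovecot (PAM mode) sees through /etc/pam.d/common-auth."""
    return run_stack(COMMON_AUTH, user, password)


def check_ssh_login(user, password):
    """What sshd sees through /etc/pam.d/common-auth-ssh."""
    return run_stack(COMMON_AUTH_SSH, user, password)


if __name__ == "__main__":
    for user, pw in [("niboucha", "ldap-secret"), ("root", "root-secret"),
                     ("niboucha", "wrong")]:
        print(f"{user:9} mail={check_mail_login(user, pw)!s:5} "
              f"ssh={check_ssh_login(user, pw)}")
```

Running it prints one line per test login. The case that matters is niboucha: accepted by common-auth through pam_ldap, refused by common-auth-ssh because pam_unix has no shadow entry for a directory user, which is exactly the split the page wants. The model also shows why a wrong password is refused on common-auth even though both of its modules are "sufficient": a stack in which no module succeeded ends in denial.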

Installing Postfix

apt-get install postfix postfix-ldap

Configuring Postfix

Create a file ldap-aliases.cf:

#/etc/postfix/ldap-aliases.cf
server_host = localhost
search_base = ou=people,dc=enib,dc=fr
scope = sub
query_filter = (mail=%s)
result_attribute = uid
bind_dn = cn=reader,dc=enib,dc=fr
bind_pw = reader

Edit the Postfix configuration:

#/etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = nb888-mail.rezid.org
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = /etc/mailname
mydestination = nb888-mail.rezid.org, localhost.rezid.org, localhost, enib.fr
relayhost =
mynetworks = 127.0.0.0/8

#For the Maildir format
home_mailbox = Maildir/

#mailbox_command = procmail -a "$EXTENSION"
#mailbox_command = procmail -f- -a ${USER}
#mailbox_command = /etc/postfix/createHome.sh
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

All that remains is to reload the Postfix configuration:

/etc/init.d/postfix reload

For reference, my LDAP entries look like this:

dn: uid=niboucha,ou=people,dc=enib,dc=fr
cn: Nicolas Bouchard
sn: Nicolas
uid: niboucha
objectClass: inetOrgPerson
objectClass: top
objectClass: posixAccount
userPassword: {MD5}4UbLQwyn8S5rvraYOiYuxw==
gidNumber: 123456
homeDirectory: /home/niboucha
uidNumber: 123456
mail: niboucha@enib.fr
mail: nico@localhost
mail: nico@nb888-mail.rezid.org
mail: nicolas.bouchard@enib.fr

Automatic home directory creation by Postfix

Just change the permissions of /home to 777 and Postfix will be able to create the missing home directories. That is a good reason to dedicate the server to mail and to block SSH access to the server for LDAP users.

Test

You can run a test with the "mail" command (package "mailx" on Debian).

Mailing lists

We start by creating a new configuration file, ldap-maillists.cf:

#/etc/postfix/ldap-maillists.cf
server_host = localhost
search_base = ou=groups,dc=enib,dc=fr
scope = sub
query_filter = (description=%s)
result_attribute = memberUid
bind_dn = cn=reader,dc=enib,dc=fr
bind_pw = reader

Then we change this line in main.cf:

virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-maillists.cf

For my tests, since I did not find an LDAP schema for mailing lists, I used another schema; the best thing to do is probably to create your own schema:

dn: cn=students,ou=groups,dc=enib,dc=fr
cn: students
gidNumber: 1000
objectClass: posixGroup
objectClass: top
memberUid: nib888@gmail.com
memberUid: nb888@localhost
description: all@localhost

description is the list's mail address; memberUid holds the recipients.

Don't forget to reload the Postfix configuration before testing.
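To see how ldap-aliases.cf and ldap-maillists.cf cooperate once both are listed in virtual_alias_maps, here is an added example written for this page (it is neither the wiki's code nor Postfix's own). It models the two table lookups over a constructed in-memory LDIF copy of the entries shown above, including the escaping Postfix applies to the %s key before it goes into query_filter and the recursive expansion that virtual_alias_maps performs. The self-referencing "loop" list and the recursion limit of 10 are constructed for the demonstration; the treatment of a bare uid result as a final local recipient is a stated simplification.

```python
"""Offline model of the two Postfix LDAP tables on this page (ldap-aliases.cf
and ldap-maillists.cf) and of how virtual_alias_maps expands a recipient
through them. Added example; neither the page's code nor Postfix's own. The
directory is a constructed LDIF string modelled on the entries shown above; no
LDAP server is contacted. Assumption: a result without '@' (a bare uid) is a
final local recipient; real Postfix would first qualify it with $myorigin."""
import re

# Constructed directory content: the page's two entries (trimmed) plus one
# deliberately self-referencing list, added to exercise the loop check.
LDIF = """\
dn: uid=niboucha,ou=people,dc=enib,dc=fr
uid: niboucha
mail: niboucha@enib.fr
mail: nico@localhost
mail: nicolas.bouchard@enib.fr

dn: cn=students,ou=groups,dc=enib,dc=fr
memberUid: nib888@gmail.com
memberUid: nb888@localhost
description: all@localhost

dn: cn=loop,ou=groups,dc=enib,dc=fr
memberUid: loop@localhost
description: loop@localhost
"""

# Same keys as the two .cf files; scope = sub is modelled by the dn suffix test.
LDAP_ALIASES = {"search_base": "ou=people,dc=enib,dc=fr",
                "query_filter": "(mail=%s)", "result_attribute": "uid"}
LDAP_MAILLISTS = {"search_base": "ou=groups,dc=enib,dc=fr",
                  "query_filter": "(description=%s)", "result_attribute": "memberUid"}
VIRTUAL_ALIAS_MAPS = [LDAP_ALIASES, LDAP_MAILLISTS]  # same order as in main.cf


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each mapping attribute -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


ENTRIES = parse_ldif(LDIF)


def rfc4515_escape(key):
    """Escape filter metacharacters in the lookup key, as Postfix does before
    substituting %s (ldap_table(5): RFC 2254 quoting), so a recipient address
    can never turn '(mail=%s)' into a wildcard or a different filter."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), key)


def assertion_regex(assertion):
    """Regex for an equality-filter value: a bare '*' is an LDAP wildcard, a
    backslash followed by two hex digits is that literal character."""
    out, i = [], 0
    while i < len(assertion):
        if assertion[i] == "\\" and i + 2 < len(assertion):
            out.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        else:
            out.append(".*" if assertion[i] == "*" else re.escape(assertion[i]))
            i += 1
    return re.compile("".join(out) + r"\Z", re.IGNORECASE)


def lookup(table, entries, key, escape=True):
    """Emulate one ldap: table lookup; returns the result_attribute values.
    escape=False shows what an unescaped key would do (Postfix never does that)."""
    attr, _, assertion = table["query_filter"].strip("()").partition("=")
    pattern = assertion_regex(assertion.replace("%s", rfc4515_escape(key) if escape else key))
    results = []
    for entry in entries:
        in_scope = entry["dn"][0].endswith(table["search_base"])
        if in_scope and any(pattern.match(v) for v in entry.get(attr, [])):
            results.extend(entry.get(table["result_attribute"], []))
    return results


def expand_recipient(address, entries, maps=VIRTUAL_ALIAS_MAPS, depth=0, limit=10):
    """Expand a recipient like virtual(5): tables are tried in order, the first
    hit wins, and each result is expanded again until nothing matches. Postfix
    bounds this with virtual_alias_recursion_limit; 'limit' plays that role
    here (10 is an assumption for the demo, not the Postfix default)."""
    if depth >= limit:
        raise RecursionError(f"alias loop while expanding {address}")
    for table in maps:
        hits = lookup(table, entries, address)
        if hits:
            return [final for hit in hits
                    for final in expand_recipient(hit, entries, maps, depth + 1, limit)]
    return [address]


def expansion_loops(address, entries):
    """True if expanding 'address' never terminates (a self-referencing list)."""
    try:
        expand_recipient(address, entries)
        return False
    except RecursionError:
        return True
```

Expanding nico@localhost yields the uid niboucha, and all@localhost yields the two memberUid addresses, which are then expanded again and pass through unchanged because nothing in either table matches them. Two points worth keeping in mind from the model: a memberUid that points outside mydestination (nib888@gmail.com here) leaves the server as ordinary outbound mail, so write access to ou=groups is effectively the right to add list recipients; and a key such as "*@enib.fr" matches nothing because Postfix escapes the %s substitution, whereas the same key unescaped would turn the filter into a wildcard search.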

Dovecot

Dovecot is a POP3/IMAP server that lets users read their mail.

Since we use PAM, the Dovecot configuration is the standard one; there is nothing more to do than for a setup with local accounts.

apt-get install dovecot*

Make the following changes in /etc/dovecot/dovecot.conf:

protocols = pop3 pop3s imap imaps

mail_location = maildir:/home/%u/Maildir

listen = *

Test that it works with this command:

mutt -f imap://username@localhost/

Note

If a user tries to read their mailbox before their home directory exists, no problem: it is created automatically.