This guide is about setting up a Postfix/Dovecot system using LDAP/Fusiondirectoory as a backend.
Prerequisites
- Install an LDAP/Fusiondirectory infrastructure
- A DNS A Record:
mail.example.com. 300 IN A 4.5.6.7 - A DNS PTR Record:
7.6.5.4.in-addr.arpa. 300 IN PTR mail.example.com. - A DNS MX Record (Actually more than one):
example.com. 300 IN MX 5 mail.example.com.
Install FusionDirectory Plugins
- Install the Mail plugin:
apt -y install fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema - Install the Alias plugin:
apt -y install fusiondirectory-plugin-alias fusiondirectory-plugin-alias-schema fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/alias-fd-conf.schema fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/alias-fd.schema - Install the Postfix plugin:
apt -y install fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/postfix-fd.schema
Setup mail services:
- Enter the mail.example.com server configuration (Systems plugin)
-
From the ‘Services’ tab create a ‘Postfix (SMTP)’ and an ‘IMAP/POP3 generic’ service
-
Add mail capability to all normal users:
- Click the ‘Mail’ tab of a user and then press ‘Add Mail settings’
-
Fill in the ‘Primary Address. field and select mail.example.com as the server.
Add All necessary distribution lists and redirections from ‘Aliases’
Setup postfix
-
Create a service account for postfix using the ‘DSA’ plugin in *FusionDirectory’. It should look like this:
dn: cn=postfix,ou=dsa,dc=example,dc=com cn: postfix userPassword:: yeduyt2732tet87eoiewoi32t4873t4387f7gf47gf49i6= structuralObjectClass: organizationalRole entryUUID: 280427ce-9a54-1035-8e48-bf1fd814366b creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20160419082627Z objectClass: organizationalRole objectClass: top objectClass: simpleSecurityObject entryCSN: 20160419082628.006263Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20160419082628Z - Install postfix:
apt -y install postfix postfix-pcre postfix-ldapWhen you are prompted about "General type of mail configuration:" select "No configuration"
-
Prepare the /etc/postfix/main.cf file:
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/mail.example.com.crt
smtpd_tls_key_file=/etc/ssl/private/mail.example.com.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 0
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_exclude_ciphers =
EXP
EDH-RSA-DES-CBC-SHA
ADH-DES-CBC-SHA
DES-CBC-SHA
SEED-SHA
aNULL
eNULL
EXPORT
DES
RC4
MD5
PSK
aECDH
EDH-DSS-DES-CBC3-SHA
KRB5-DES-CBC3-SHA
myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.10.10.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
local_transport = local
postscreen_greet_action = enforce
smtpd_recipient_restrictions =
reject
permit_mynetworks
permit_sasl_authenticated
warn_if_reject reject_non_fqdn_hostname
warn_if_reject reject_non_fqdn_sender
reject_invalid_hostname
reject_unknown_sender_domain
reject_unverified_recipient
reject_unauth_destination
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_non_fqdn_helo_hostname
check_sender_ns_access cidr:/etc/postfix/drop.cidr
check_sender_mx_access cidr:/etc/postfix/drop.cidr
reject_rbl_client bl.spamcop.net,
reject_rbl_client cbl.abuseat.org
reject
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_sender_restrictions =
reject_non_fqdn_sender
reject_unknown_sender_domain
smtpd_helo_restrictions =
permit_mynetworks
check_helo_access pcre:/etc/postfix/identitycheck.pcre
reject_invalid_helo_hostname
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = no
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
message_size_limit = 51200000
-
Prepare the rest of the configuration files:
- Prepare the virtual domains file:
cat > /etc/postfix/virtual_domains < < EOF # Domain Anything example.com OK EOF - Prepare the virtual recipients file:
cat > /etc/postfix/ldap_virtual_recipients.cf < < EOF bind = yes bind_dn = cn=postfix,ou=dsa,dc=example,dc=com bind_pw = NotTheRealPassword server_host = ldap://ldap.example.com:389 search_base = ou=people,dc=example,dc=com domain = example.com query_filter = (mail=%s) result_attribute = mail start_tls = yes version = 3 EOF - Prepare the virtual aliases file:
cat > /etc/postfix/ldap_virtual_aliases.cf < < EOF bind = yes bind_dn = cn=postfix,ou=dsa,dc=example,dc=com bind_pw = NotTheRealPass server_host = ldap://ldap.example.com:389 search_base = ou=alias,dc=example,dc=com domain = example.com query_filter = (mail=%s) result_attribute = gosaMailAlternateAddress, gosaMailForwardingAddress start_tls = yes version = 3 EOF - Prepare the identity check file:
cat > /etc/postfix/identitycheck.pcre < < EOF # Identity (RegEx) Action /^(mail\.example\.com)$/ REJECT Hostname Abuse: $1 /^(1\.2\.3\.4)$/ REJECT Hostname Abuse: $1 /^(\[1\.2\.3\.4\])$/ REJECT Hostname Abuse: $1 EOF - Prepare the blacklist file:
cat > /etc/postfix/drop.cidr < < EOF # IP/CIDR Action 1.2.3.0/24 REJECT Blacklisted EOF
- Prepare the virtual domains file:
- Generate the virtual domains hashmap:
postmap hash:/etc/postfix/virtual_domains - Start postfix:
systemctl start postfixVerify:
ss -lnptu | grep master tcp LISTEN 0 100 *:25 *:* users (("master",pid=15539,fd=12)) - Enable support for smtps (port 465) and submission (port 587):
Uncomment the following lines from /etc/postfix/master.cf:
submission inet n - - - - smtpd smtps inet n - - - - smtpdRestart postfix:
systemctl restart postfixVerify:
ss -lnptu | grep master tcp LISTEN 0 100 *:587 *:* users:(("master",pid=15854,fd=16)) tcp LISTEN 0 100 *:465 *:* users:(("master",pid=15854,fd=19)) tcp LISTEN 0 100 *:25 *:* users:(("master",pid=15854,fd=12)) - Take precautions for perfect forward secrecy:
mkdir /etc/postfix/certs cd /etc/postfix/certs openssl dhparam -2 -out dh_512.pem 512 openssl dhparam -2 -out dh_1024.pem 1024 chmod 600 dh_* - Lookup test:
postmap -q theo@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf theo@example.com - Open SMTP, SMTPS ans Submission ports:
ufw allow 25/tcp ufw allow 465/tcp ufw allow 587/tcp
Install and configure dovecot
- Create a service account for dovecot using the ‘DSA’ plugin in *FusionDirectory’. It should look like this:
dn: cn=dovecot,ou=dsa,dc=example,dc=com cn: dovecot userPassword:: ljsdewd98dej932j98dxjud8x3jx9843xj8943j438439e3= structuralObjectClass: organizationalRole entryUUID: 4d0d7174-9a54-1035-8e49-bf1fd814366b creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20160419082730Z objectClass: organizationalRole objectClass: top objectClass: simpleSecurityObject entryCSN: 20160419082730.138012Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20160419082730Z - Install dovecot:
apt -y install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-ldap - Make the following changes in /etc/dovecot/conf.d/10-ssl.conf:
ssl = required
ssl_cert =
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 110
}
inet_listener pop3s {
port = 995
ssl = yes
}
}
service auth {
unix_listener auth-userdb {
mode = 0777
user = dovecot
group = dovecot
}
}
-
Add the vmail user in the system:
addgroup --system --gid 5000 vmail adduser --system --home /srv/vmail --uid 5000 --gid 5000 --disabled-password --disabled-login vmail - Restart dovecot:
systemctl restart dovecotVerify:
netstat -lnptu | grep dovecot tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 20894/dovecot tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 20894/dovecot tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 20894/dovecot tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 20894/dovecot tcp6 0 0 :::993 :::* LISTEN 20894/dovecot tcp6 0 0 :::995 :::* LISTEN 20894/dovecot tcp6 0 0 :::110 :::* LISTEN 20894/dovecot tcp6 0 0 :::143 :::* LISTEN 20894/dovecot - Check if you can login:
openssl s_client -connect localhost:993
<output ommitted...>
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a1 LOGIN theo MyNotSoSecretPass
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
a3 LOGOUT
* BYE Logging out
a2 OK Logout completed.
closed
-
Enable IMAP, IMAPS, POP3 and POP3S ports:
ufw allow 110/tcp ufw allow 143/tcp ufw allow 993/tcp ufw allow 995/tcp - Tell postfix to deliver mail using dovecot:
- Add the following lines at the end of /etc/postfix/master.cf:
dovecot unix - n n - - pipe flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${recipient} - Add these attributes in /etc/postfix/main.cf:
virtual_transport = dovecot dovecot_destination_recipient_limit = 1
- Add the following lines at the end of /etc/postfix/master.cf:
- Restart postfix and dovecot:
systemctl restart postfix dovecot
Install SASL for SMTP AUTH
- Create a service account for saslauthd using the ‘DSA’ plugin in *FusionDirectory’. It should look like this:
dn: cn=saslauthd,ou=dsa,dc=example,dc=com cn: saslauthd userPassword:: ejdoedoifj9ewufd9843e9ejfd98je938jcr9843843= structuralObjectClass: organizationalRole entryUUID: 61143234-9a54-1035-8e4a-bf1fd814366b creatorsName: cn=admin,dc=example,dc=com createTimestamp: 20160419082803Z objectClass: organizationalRole objectClass: top objectClass: simpleSecurityObject entryCSN: 20160419082803.738357Z#000000#000#000000 modifiersName: cn=admin,dc=example,dc=com modifyTimestamp: 20160419082803Z - Install SASL:
apt -y install libsasl2-2 sasl2-bin - Create the /etc/postfix/sasl/smtpd.conf file:
cat > /etc/postfix/sasl/smtpd.conf < < EOF log_level: 3 pwcheck_method: saslauthd mech_list: PLAIN LOGIN EOF - Make the following changes in /etc/default/saslauthd:
START=yes MECHANISMS="ldap" OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" - Create the /etc/saslauthd.conf file:
cat > /etc/saslauthd.conf < < EOF ldap_servers: ldap://ldap.example.com/ ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com ldap_bind_pw: MySecretPass ldap_timeout: 10 ldap_time_limit: 10 ldap_scope: sub ldap_search_base: ou=people,dc=example,dc=com ldap_auth_method: bind ldap_filter: (&(uid=%u)(mail=*)) ldap_debug: 0 ldap_verbose: off ldap_ssl: yes ldap_starttls: no ldap_referrals: yes EOF - Add the postfix user in the sasl group:
usermod -aG sasl postfix - Add these attributes in /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes - Restart saslauthd and postfix:
systemctl restart saslauthd postfix - Test message delivery using SMTP AUTH:
First you need to install swaks:
apt -y install swaksThen use swaks to test message delivery:
swaks --from noreply@example.com --to theo@example.com --server 127.0.0.1:25 --tls --auth plain --auth-user=theo - Test if the message has been delivered to inbox:
First you need to install mutt:
apt -y install muttThen use mutt to test if the message has been delivered to inbox:
mutt -f /srv/vmail/theo@example.com/Maildir/NOTE: When you are asked to create a ‘mail’ folder just say ‘no’.
References
- https://documentation.fusiondirectory.org/en/documentation/plugin/mail_plugin
- https://documentation.fusiondirectory.org/en/documentation/plugin/alias_plugin
- https://documentation.fusiondirectory.org/en/documentation/plugin/dovecot_plugin</output>
8 replies on “Setting up a Postfix/Dovecot mail system with an LDAP/Fusiondirectory backend”
Hi Theo,
After following this tutorial. I keep ending up with a temporary lookup failure on postfix when using swaks to send the test mail.
Can you post your postfix config on pastebin and send me the link to have a look? (Mask out any information you don’t want to be public)
hi, I’ve been follow your posts and successfuly install the fusiondirectory and mail server. now I am not able to use the password recovery utility from fusiondirectory. mail server is working properly. I setup mail box for admin but is not sendin mail on pasword recovery request. probably is missing some settings. please can you help with some guidance. thank you.
Hi Felix,
Better talk to the mailing list of FusionDirectory about this.
Hi,
thank you for pointing out FusionDirectory. Till this time i”ve ever ignored this software, I don’t no why ><
My first question is:
What do you meen with the sentence: "Create a service account for postfix using the ‘DSA’ plugin in *FusionDirectory’. It should look like this:"
I can create a "Simple security object" named postfix but It looks like this:
ldapsearch -xLLL -b cn=postfix,ou=dsa,dc=zzeroo,dc=org
dn: cn=postfix,ou=dsa,dc=zzeroo,dc=org
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
cn: postfix
If you create a security object in DSA you should be fine. In my example I just use an excerpt from the
slapcatoutput , to show you how it appears in LDAP.mail_uid = 5000
mail_uid = 5000
should this be
mail_uid = 5000
mail_gid = 5000
Thanks! It is corrected now.