Tag: postfix

Categories
Linux

Setting up a Postfix/Dovecot mail system with an LDAP/Fusiondirectory backend

This guide is about setting up a Postfix/Dovecot system using LDAP/Fusiondirectoory as a backend.

Prerequisites

  • Install an LDAP/Fusiondirectory infrastructure
  • A DNS A Record:
    mail.example.com. 300 IN A 4.5.6.7
  • A DNS PTR Record:
    7.6.5.4.in-addr.arpa. 300 IN PTR mail.example.com.
  • A DNS MX Record (Actually more than one):
    example.com. 300 IN MX 5 mail.example.com.

Install FusionDirectory Plugins

  • Install the Mail plugin: 
    apt -y install fusiondirectory-plugin-mail fusiondirectory-plugin-mail-schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/mail-fd-conf.schema
  • Install the Alias plugin: 
    apt -y install fusiondirectory-plugin-alias fusiondirectory-plugin-alias-schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/alias-fd-conf.schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/alias-fd.schema
  • Install the Postfix plugin: 
    apt -y install fusiondirectory-plugin-postfix fusiondirectory-plugin-postfix-schema
fusiondirectory-insert-schema -i /etc/ldap/schema/fusiondirectory/postfix-fd.schema

Setup mail services:

  • Enter the mail.example.com server configuration (Systems plugin)

  • From the ‘Services’ tab create a ‘Postfix (SMTP)’ and an ‘IMAP/POP3 generic’ service

  • Add mail capability to all normal users:

    • Click the ‘Mail’ tab of a user and then press ‘Add Mail settings’

  • Fill in the ‘Primary Address. field and select mail.example.com as the server.

  • Add All necessary distribution lists and redirections from ‘Aliases’

    • Setup postfix

    • Create a service account for postfix using the ‘DSA’ plugin in *FusionDirectory’. It should look like this:

      dn: cn=postfix,ou=dsa,dc=example,dc=com
cn: postfix
userPassword:: yeduyt2732tet87eoiewoi32t4873t4387f7gf47gf49i6=
structuralObjectClass: organizationalRole
entryUUID: 280427ce-9a54-1035-8e48-bf1fd814366b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20160419082627Z
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
entryCSN: 20160419082628.006263Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20160419082628Z

    • Install postfix: 
      apt -y install postfix postfix-pcre postfix-ldap

      When you are prompted about "General type of mail configuration:" select "No configuration"

    • Prepare the /etc/postfix/main.cf file:

    smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/mail.example.com.crt
smtpd_tls_key_file=/etc/ssl/private/mail.example.com.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 0
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_exclude_ciphers =
    EXP
    EDH-RSA-DES-CBC-SHA
    ADH-DES-CBC-SHA
    DES-CBC-SHA
    SEED-SHA
    aNULL
    eNULL
    EXPORT
    DES
    RC4
    MD5
    PSK
    aECDH
    EDH-DSS-DES-CBC3-SHA
    KRB5-DES-CBC3-SHA
myhostname = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.example.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 10.10.10.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
local_transport = local
postscreen_greet_action = enforce
smtpd_recipient_restrictions =
    reject
    permit_mynetworks
    permit_sasl_authenticated
    warn_if_reject reject_non_fqdn_hostname
    warn_if_reject reject_non_fqdn_sender
    reject_invalid_hostname
    reject_unknown_sender_domain
    reject_unverified_recipient
    reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_non_fqdn_helo_hostname
    check_sender_ns_access cidr:/etc/postfix/drop.cidr
    check_sender_mx_access cidr:/etc/postfix/drop.cidr
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org
    reject
smtpd_data_restrictions = reject_multi_recipient_bounce
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unknown_sender_domain
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access pcre:/etc/postfix/identitycheck.pcre
    reject_invalid_helo_hostname
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = no
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/drop.cidr
message_size_limit = 51200000

    • Prepare the rest of the configuration files:

      • Prepare the virtual domains file: 
        cat > /etc/postfix/virtual_domains < < EOF
 # Domain                Anything

example.com            OK
EOF
      • Prepare the virtual recipients file: 
        cat > /etc/postfix/ldap_virtual_recipients.cf < < EOF
bind = yes
bind_dn = cn=postfix,ou=dsa,dc=example,dc=com
bind_pw = NotTheRealPassword
server_host = ldap://ldap.example.com:389
search_base = ou=people,dc=example,dc=com
domain = example.com
query_filter = (mail=%s)
result_attribute = mail
start_tls = yes
version = 3
EOF
      • Prepare the virtual aliases file: 
        cat > /etc/postfix/ldap_virtual_aliases.cf < < EOF
bind = yes
bind_dn = cn=postfix,ou=dsa,dc=example,dc=com
bind_pw = NotTheRealPass
server_host = ldap://ldap.example.com:389
search_base = ou=alias,dc=example,dc=com
domain = example.com
query_filter = (mail=%s)
result_attribute = gosaMailAlternateAddress, gosaMailForwardingAddress
start_tls = yes
version = 3
EOF
      • Prepare the identity check file: 
        cat > /etc/postfix/identitycheck.pcre &lt; &lt; EOF
# Identity (RegEx)              Action

/^(mail\.example\.com)$/       REJECT Hostname Abuse: $1
/^(1\.2\.3\.4)$/                REJECT Hostname Abuse: $1
/^(\[1\.2\.3\.4\])$/            REJECT Hostname Abuse: $1
EOF
      • Prepare the blacklist file: 
        cat > /etc/postfix/drop.cidr &lt; &lt; EOF
# IP/CIDR                       Action

1.2.3.0/24                      REJECT Blacklisted
EOF
    • Generate the virtual domains hashmap: 
      postmap hash:/etc/postfix/virtual_domains
    • Start postfix: 
      systemctl start postfix

      Verify:

      ss -lnptu | grep master
tcp    LISTEN     0      100    *:25      *:*      users (("master",pid=15539,fd=12))
    • Enable support for smtps (port 465) and submission (port 587):

      Uncomment the following lines from /etc/postfix/master.cf:

      submission inet n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd

      Restart postfix:

      systemctl restart postfix

      Verify:

      ss -lnptu | grep master
tcp    LISTEN     0      100    *:587     *:*      users:(("master",pid=15854,fd=16))
tcp    LISTEN     0      100    *:465     *:*      users:(("master",pid=15854,fd=19))
tcp    LISTEN     0      100    *:25      *:*      users:(("master",pid=15854,fd=12))
    • Take precautions for perfect forward secrecy: 
      mkdir /etc/postfix/certs
cd /etc/postfix/certs
openssl dhparam -2 -out dh_512.pem 512
openssl dhparam -2 -out dh_1024.pem 1024
chmod 600 dh_*
    • Lookup test: 
      postmap -q theo@example.com ldap:/etc/postfix/ldap_virtual_recipients.cf
theo@example.com
    • Open SMTP, SMTPS ans Submission ports: 
      ufw allow 25/tcp
ufw allow 465/tcp
ufw allow 587/tcp

    Install and configure dovecot

    • Create a service account for dovecot using the ‘DSA’ plugin in *FusionDirectory’. It should look like this: 
      dn: cn=dovecot,ou=dsa,dc=example,dc=com
cn: dovecot
userPassword:: ljsdewd98dej932j98dxjud8x3jx9843xj8943j438439e3=
structuralObjectClass: organizationalRole
entryUUID: 4d0d7174-9a54-1035-8e49-bf1fd814366b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20160419082730Z
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
entryCSN: 20160419082730.138012Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20160419082730Z
    • Install dovecot: 
      apt -y install dovecot-core dovecot-imapd dovecot-pop3d dovecot-lmtpd dovecot-ldap
    • Make the following changes in /etc/dovecot/conf.d/10-ssl.conf:
    ssl = required
ssl_cert = 

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service auth {
  unix_listener auth-userdb {
    mode = 0777
    user = dovecot
    group = dovecot
  }
}

    • Add the vmail user in the system:

      addgroup --system --gid 5000 vmail
adduser --system --home /srv/vmail --uid 5000 --gid 5000 --disabled-password --disabled-login vmail

    • Restart dovecot: 
      systemctl restart dovecot

      Verify:

      netstat -lnptu | grep dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      20894/dovecot   
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      20894/dovecot   
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      20894/dovecot   
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      20894/dovecot   
tcp6       0      0 :::993                  :::*                    LISTEN      20894/dovecot   
tcp6       0      0 :::995                  :::*                    LISTEN      20894/dovecot   
tcp6       0      0 :::110                  :::*                    LISTEN      20894/dovecot   
tcp6       0      0 :::143                  :::*                    LISTEN      20894/dovecot
    • Check if you can login:
    openssl s_client -connect localhost:993
<output ommitted...>
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
a1 LOGIN theo MyNotSoSecretPass
a1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE] Logged in
a3 LOGOUT
* BYE Logging out
a2 OK Logout completed.
closed

    • Enable IMAP, IMAPS, POP3 and POP3S ports:

      ufw allow 110/tcp
ufw allow 143/tcp
ufw allow 993/tcp
ufw allow 995/tcp

    • Tell postfix to deliver mail using dovecot:
      • Add the following lines at the end of /etc/postfix/master.cf: 
        dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -e -f ${sender} -d ${recipient}
      • Add these attributes in /etc/postfix/main.cf: 
        virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
    • Restart postfix and dovecot: 
      systemctl restart postfix dovecot

    Install SASL for SMTP AUTH

    • Create a service account for saslauthd using the ‘DSA’ plugin in *FusionDirectory’. It should look like this: 
      dn: cn=saslauthd,ou=dsa,dc=example,dc=com
cn: saslauthd
userPassword:: ejdoedoifj9ewufd9843e9ejfd98je938jcr9843843=
structuralObjectClass: organizationalRole
entryUUID: 61143234-9a54-1035-8e4a-bf1fd814366b
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20160419082803Z
objectClass: organizationalRole
objectClass: top
objectClass: simpleSecurityObject
entryCSN: 20160419082803.738357Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20160419082803Z
    • Install SASL: 
      apt -y install libsasl2-2 sasl2-bin
    • Create the /etc/postfix/sasl/smtpd.conf file: 
      cat > /etc/postfix/sasl/smtpd.conf < < EOF
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
    • Make the following changes in /etc/default/saslauthd: 
      START=yes
MECHANISMS="ldap"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    • Create the /etc/saslauthd.conf file: 
      cat > /etc/saslauthd.conf < < EOF
ldap_servers: ldap://ldap.example.com/
ldap_bind_dn: cn=saslauthd,ou=dsa,dc=example,dc=com
ldap_bind_pw: MySecretPass
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: sub
ldap_search_base: ou=people,dc=example,dc=com
ldap_auth_method: bind
ldap_filter: (&(uid=%u)(mail=*))
ldap_debug: 0
ldap_verbose: off
ldap_ssl: yes
ldap_starttls: no
ldap_referrals: yes
EOF
    • Add the postfix user in the sasl group: 
      usermod -aG sasl postfix
    • Add these attributes in /etc/postfix/main.cf: 
      smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
    • Restart saslauthd and postfix: 
      systemctl restart saslauthd postfix
    • Test message delivery using SMTP AUTH:

      First you need to install swaks:

      apt -y install swaks

      Then use swaks to test message delivery:

      swaks --from noreply@example.com --to theo@example.com --server 127.0.0.1:25 --tls --auth plain --auth-user=theo
    • Test if the message has been delivered to inbox:

      First you need to install mutt:

      apt -y install mutt

      Then use mutt to test if the message has been delivered to inbox:

      mutt -f /srv/vmail/theo@example.com/Maildir/

      NOTE: When you are asked to create a ‘mail’ folder just say ‘no’.

    References

    • https://documentation.fusiondirectory.org/en/documentation/plugin/mail_plugin
    • https://documentation.fusiondirectory.org/en/documentation/plugin/alias_plugin
    • https://documentation.fusiondirectory.org/en/documentation/plugin/dovecot_plugin</output>