Postfix/Dovecot/ADS: Unterschied zwischen den Versionen

Version vom 5. Oktober 2024, 17:20 Uhr

ActiveDirectory/PostfixDovecot

Ziel:* Einrichten von Postfix und Dovecot zur Authentifizierung von Benutzern in Active Directory.

Inhaltsverzeichnis

Aufgabe
Vorbereitung
Postfix-Konfiguration
Dovecot-Konfiguration
Sicherheit
Debugging

Aufgabe

Postfix und Dovecot sollen so konfiguriert werden, dass sie die Benutzer aus Active Directory authentifizieren.
Mailverzeichnis: /var/mail/<Benutzername>
IMAPS-Zugriff (Port 993) und SMTP mit SSL (Port 465)
Authentifizierung: Vollständige E-Mail-Adresse (z.B. rudi@lab34.linuggs.de) oder Benutzername (z.B. rudi)

Vorbereitung

Erstellen eines Benutzers in Active Directory:

 * .samba-tool user create -W Users vmail
 * .samba-tool user setexpiry vmail --noexpiry

Postfix-Konfiguration

Installation des Pakets postfix-ldap
Anpassen der folgenden Dateien unter /etc/postfix:

 main.cf
   mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
   inet_protocols = ipv4
   virtual_mailbox_base = /var/mail
   virtual_mailbox_domains = lab34.linuggs.de
   virtual_mailbox_maps = ldap:/etc/postfix/ad_local_recipients.cf
   virtual_alias_maps = ldap:/etc/postfix/ad_mail_groups.cf
   virtual_transport = dovecot
   local_transport = virtual
   local_recipient_maps = $virtual_mailbox_maps
   smtpd_use_tls = yes
   smtpd_tls_security_level = encrypt
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_local_domain = lab34.linuggs.de
   smtpd_sasl_path = private/auth
   smtpd_sasl_type = dovecot
   smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login.cf
   smtpd_tls_auth_only = yes
   smtpd_tls_cert_file = /var/lib/ssl/certs/dovecot.cert
   smtpd_tls_key_file = /var/lib/ssl/private/dovecot.key
   smtpd_tls_CAfile = /var/lib/ssl/certs/dovecot.pem
   smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject
   smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
   default_destination_recipient_limit = 1

   * Hinweis: Die Datei /etc/postfix/mydestination muss leer sein.

 master.cf
   dovecot unix - n n - - pipe
     flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
   smtps inet n - n - - smtpd
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject

 ad_local_recipients.cf
   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   scope = sub
   query_filter = (&(|(mail=%s)(otherMailbox=%u@%d))(sAMAccountType=805306368))
   result_filter = %s
   result_attribute = mail
   special_result_attribute = member
   bind = yes
   bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
   bind_pw = Pa$$word

 ad_mail_groups.cf
   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   timeout = 3
   scope = sub
   query_filter = (&(mail=%s)(sAMAccountType=268435456))
   result_filter = %s
   leaf_result_attribute = mail
   special_result_attribute = member
   bind = yes
   bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
   bind_pw = Pa$$word

 ad_sender_login.cf
   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   scope = sub
   query_filter = (&(objectClass=user)(|(sAMAccountName=%s)(mail=%s)))
   result_attribute = mail
   bind = yes
   bind_dn = cn=vmail,cn=users,dc=lab34,dc=de
   bind_pw = Pa$$word

Testen der Postfix-Konfiguration:

 * .postconf >/dev/null
 * .postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_local_recipients.cf
 * .postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_sender_login.cf

Neustart des Postfix-Dienstes:

 * .service postfix restart

@@ Zeile 19: / Zeile 19: @@
 Vorbereitung
 * Erstellen eines Benutzers in Active Directory:
-   * samba-tool user create -W Users vmail
+   * .samba-tool user create -W Users vmail
-   * samba-tool user setexpiry vmail --noexpiry
+   * .samba-tool user setexpiry vmail --noexpiry
 Postfix-Konfiguration
@@ Zeile 26: / Zeile 26: @@
 * Anpassen der folgenden Dateien unter /etc/postfix:
-main.cf
+  main.cf
-  * mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
+    mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
-  * inet_protocols = ipv4
+    inet_protocols = ipv4
-  * virtual_mailbox_base = /var/mail
+    virtual_mailbox_base = /var/mail
-  * virtual_mailbox_domains = lab34.linuggs.de
+    virtual_mailbox_domains = lab34.linuggs.de
-  * virtual_mailbox_maps = ldap:/etc/postfix/ad_local_recipients.cf
+    virtual_mailbox_maps = ldap:/etc/postfix/ad_local_recipients.cf
-  * virtual_alias_maps = ldap:/etc/postfix/ad_mail_groups.cf
+    virtual_alias_maps = ldap:/etc/postfix/ad_mail_groups.cf
-  * virtual_transport = dovecot
+    virtual_transport = dovecot
-  * local_transport = virtual
+    local_transport = virtual
-  * local_recipient_maps = $virtual_mailbox_maps
+    local_recipient_maps = $virtual_mailbox_maps
-  * smtpd_use_tls = yes
+    smtpd_use_tls = yes
-  * smtpd_tls_security_level = encrypt
+    smtpd_tls_security_level = encrypt
-  * smtpd_sasl_auth_enable = yes
+    smtpd_sasl_auth_enable = yes
-  * smtpd_sasl_local_domain = lab34.linuggs.de
+    smtpd_sasl_local_domain = lab34.linuggs.de
-  * smtpd_sasl_path = private/auth
+    smtpd_sasl_path = private/auth
-  * smtpd_sasl_type = dovecot
+    smtpd_sasl_type = dovecot
-  * smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login.cf
+    smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login.cf
-  * smtpd_tls_auth_only = yes
+    smtpd_tls_auth_only = yes
-  * smtpd_tls_cert_file = /var/lib/ssl/certs/dovecot.cert
+    smtpd_tls_cert_file = /var/lib/ssl/certs/dovecot.cert
-  * smtpd_tls_key_file = /var/lib/ssl/private/dovecot.key
+    smtpd_tls_key_file = /var/lib/ssl/private/dovecot.key
-  * smtpd_tls_CAfile = /var/lib/ssl/certs/dovecot.pem
+    smtpd_tls_CAfile = /var/lib/ssl/certs/dovecot.pem
-  * smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject
+    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated, reject
-  * smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
+    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
-  * default_destination_recipient_limit = 1
+    default_destination_recipient_limit = 1
-  * Hinweis: Die Datei /etc/postfix/mydestination muss leer sein.
+    * Hinweis: Die Datei /etc/postfix/mydestination muss leer sein.
-master.cf
+  master.cf
-  * Hinzufügen:
+     dovecot unix - n n - - pipe
-     * dovecot unix - n n - - pipe
+      flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
-    * flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
+     smtps inet n - n - - smtpd
-     * smtps inet n - n - - smtpd
+      -o smtpd_tls_wrappermode=yes
-    * -o smtpd_tls_wrappermode=yes
+      -o smtpd_sasl_auth_enable=yes
-    * -o smtpd_sasl_auth_enable=yes
+      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-    * -o smtpd_client_restrictions=permit_sasl_authenticated,reject
-ad_local_recipients.cf
+  ad_local_recipients.cf
-  * version = 3
+    version = 3
-  * server_host = lab34.linuggs.de:389
+    server_host = lab34.linuggs.de:389
-  * search_base = dc=lab34,dc=linuggs,dc=de
+    search_base = dc=lab34,dc=linuggs,dc=de
-  * scope = sub
+    scope = sub
-  * query_filter = (&(|(mail=%s)(otherMailbox=%u@%d))(sAMAccountType=805306368))
+    query_filter = (&(|(mail=%s)(otherMailbox=%u@%d))(sAMAccountType=805306368))
-  * result_filter = %s
+    result_filter = %s
-  * result_attribute = mail
+    result_attribute = mail
-  * special_result_attribute = member
+    special_result_attribute = member
-  * bind = yes
+    bind = yes
-  * bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
+    bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
-  * bind_pw = Pa$$word
+    bind_pw = Pa$$word
-ad_mail_groups.cf
+  ad_mail_groups.cf
-  * version = 3
+    version = 3
-  * server_host = lab34.linuggs.de:389
+    server_host = lab34.linuggs.de:389
-  * search_base = dc=lab34,dc=linuggs,dc=de
+    search_base = dc=lab34,dc=linuggs,dc=de
-  * timeout = 3
+    timeout = 3
-  * scope = sub
+    scope = sub
-  * query_filter = (&(mail=%s)(sAMAccountType=268435456))
+    query_filter = (&(mail=%s)(sAMAccountType=268435456))
-  * result_filter = %s
+    result_filter = %s
-  * leaf_result_attribute = mail
+    leaf_result_attribute = mail
-  * special_result_attribute = member
+    special_result_attribute = member
-  * bind = yes
+    bind = yes
-  * bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
+    bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
-  * bind_pw = Pa$$word
+    bind_pw = Pa$$word
-ad_sender_login.cf
+  ad_sender_login.cf
-  * version = 3
+    version = 3
-  * server_host = lab34.linuggs.de:389
+    server_host = lab34.linuggs.de:389
-  * search_base = dc=lab34,dc=linuggs,dc=de
+    search_base = dc=lab34,dc=linuggs,dc=de
-  * scope = sub
+    scope = sub
-  * query_filter = (&(objectClass=user)(|(sAMAccountName=%s)(mail=%s)))
+    query_filter = (&(objectClass=user)(|(sAMAccountName=%s)(mail=%s)))
-  * result_attribute = mail
+    result_attribute = mail
-  * bind = yes
+    bind = yes
-  * bind_dn = cn=vmail,cn=users,dc=lab34,dc=linuggs,dc=de
+    bind_dn = cn=vmail,cn=users,dc=lab34,dc=de
-  * bind_pw = Pa$$word
+    bind_pw = Pa$$word
 * Testen der Postfix-Konfiguration:
-   * postconf >/dev/null
+   * .postconf >/dev/null
-   * postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_local_recipients.cf
+   * .postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_local_recipients.cf
-   * postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_sender_login.cf
+   * .postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_sender_login.cf
 * Neustart des Postfix-Dienstes:
-   * service postfix restart
+   * .service postfix restart

Postfix/Dovecot/ADS: Unterschied zwischen den Versionen

Version vom 5. Oktober 2024, 17:20 Uhr

Navigationsmenü

Suche