Postfix/Dovecot/ADS: Difference between revisions

From Xinux Wiki
Current revision as of 5 October 2024, 17:33

Goal

  • Set up Postfix and Dovecot so that users are authenticated against Active Directory.

Task

  • Postfix and Dovecot are to be configured so that they authenticate users from Active Directory.
  • Mail directory: /var/mail/<username>
  • IMAPS access (port 993) and SMTP over SSL/TLS (port 465)
  • Authentication with either the full e-mail address (e.g. rudi@lab34.linuggs.de) or the user name (e.g. rudi)

Preparation

Create a service account in Active Directory that Postfix and Dovecot use for their LDAP lookups (user passwords are verified by a separate bind as the user, so this account only needs read access):

  • samba-tool user create -W Users mailservice
  • samba-tool user setexpiry mailservice --noexpiry

Postfix configuration

  • Install the postfix-ldap package
  • Edit the following files under /etc/postfix:

main.cf

   mailbox_command = /usr/libexec/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"
   inet_protocols = ipv4
   virtual_mailbox_base = /var/mail
   virtual_mailbox_domains = lab34.linuggs.de
   virtual_mailbox_maps = ldap:/etc/postfix/ad_local_recipients.cf
   virtual_alias_maps = ldap:/etc/postfix/ad_mail_groups.cf
   virtual_transport = dovecot
   local_transport = virtual
   local_recipient_maps = $virtual_mailbox_maps
   smtpd_use_tls = yes
   smtpd_tls_security_level = encrypt
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_local_domain = lab34.linuggs.de
   smtpd_sasl_path = private/auth
   smtpd_sasl_type = dovecot
   smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login.cf
   smtpd_tls_auth_only = yes
   smtpd_tls_cert_file = /var/lib/ssl/certs/dovecot.cert
   smtpd_tls_key_file = /var/lib/ssl/private/dovecot.key
   smtpd_tls_CAfile = /var/lib/ssl/certs/dovecot.pem
   smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject
   smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
   default_destination_recipient_limit = 1
Note: mydestination is a parameter in main.cf, not a file. Set it to empty (mydestination =), because a domain must be listed in only one of mydestination and virtual_mailbox_domains.
Note: Restrictions are evaluated left to right, so permit_sasl_authenticated has to come before reject_unauth_destination; in the reverse order an authenticated user is rejected as soon as the recipient is outside lab34.linuggs.de. The closing reject means that a client which is neither in mynetworks nor authenticated cannot deliver at all, not even to local mailboxes; drop it if the server is to accept mail from other MTAs.
Note: mailbox_command is never used in this setup, because local_transport = virtual sends every delivery through the dovecot transport defined in master.cf. default_destination_recipient_limit = 1 is what makes that pipe transport receive one recipient per call; the transport-specific dovecot_destination_recipient_limit = 1 has the same effect without slowing down other transports. smtpd_tls_security_level = encrypt also forces TLS on port 25, which is fine in the lab but refuses remote MTAs that do not offer STARTTLS.

master.cf

   dovecot unix - n n - - pipe
     flags=DRhu user=mail:mail argv=/usr/libexec/dovecot/deliver -d ${recipient}
   smtps inet n - n - - smtpd
     -o smtpd_tls_wrappermode=yes
     -o smtpd_sasl_auth_enable=yes
     -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Note: The dovecot transport runs deliver (the same program as dovecot-lda) as user mail, which matches mail_uid/mail_gid in Dovecot's 10-mail.conf, so everything under /var/mail ends up with one consistent owner. Flags D and R add Delivered-To and Return-Path headers; h and u fold the domain and local part of ${recipient} to lower case before it is handed to Dovecot. The smtps entry is the implicit-TLS submission port 465 from the task; its smtpd_client_restrictions admit only authenticated clients there.

ad_local_recipients.cf

   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   scope = sub
   query_filter = (&(|(mail=%s)(otherMailbox=%u@%d))(sAMAccountType=805306368))
   result_filter = %s
   result_attribute = mail
   special_result_attribute = member
   bind = yes
   bind_dn = cn=mailservice,cn=users,dc=lab34,dc=linuggs,dc=de
   bind_pw = 12345-Xinux
Note: sAMAccountType 805306368 (0x30000000, SAM_NORMAL_USER_ACCOUNT) limits the match to ordinary user objects, so computer accounts and groups can never become mailboxes. bind_pw is stored in clear text; the file is read by Postfix's daemons (user postfix), so own it root:postfix with mode 0640 and never leave it world-readable. server_host on port 389 with a simple bind also sends this password and every lookup unencrypted across the network; use server_host = ldaps://lab34.linuggs.de or start_tls = yes together with tls_ca_cert_file instead. The same applies to all three map files.

ad_mail_groups.cf

   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   timeout = 3
   scope = sub
   query_filter = (&(mail=%s)(sAMAccountType=268435456))
   result_filter = %s
   leaf_result_attribute = mail
   special_result_attribute = member
   bind = yes
   bind_dn = cn=mailservice,cn=users,dc=lab34,dc=linuggs,dc=de
   bind_pw = 12345-Xinux
Note: This map turns a group's mail address into the addresses of its members: sAMAccountType 268435456 (0x10000000, SAM_GROUP_OBJECT) selects security groups, special_result_attribute = member makes Postfix follow the member DNs (recursively, so nested groups expand as well), and leaf_result_attribute = mail collects the mail attribute of the objects found at the end of that chain rather than of the group itself.

ad_sender_login.cf

   version = 3
   server_host = lab34.linuggs.de:389
   search_base = dc=lab34,dc=linuggs,dc=de
   scope = sub
   query_filter = (&(objectClass=user)(|(sAMAccountName=%s)(mail=%s)))
   result_attribute = mail
   bind = yes
   bind_dn = cn=mailservice,cn=users,dc=lab34,dc=linuggs,dc=de
   bind_pw = 12345-Xinux
Note: bind_dn must be the complete DN of the service account, identical to the one in the other two maps (including the dc=linuggs component). reject_authenticated_sender_login_mismatch looks the MAIL FROM address up in this map and compares the result with the SASL login name. Returning only the mail attribute is sufficient because Dovecot rewrites the login name to the user's mail address (pass_attrs = mail=user in dovecot-ldap.conf.ext), so a user who authenticated as rudi is reported to Postfix as rudi@lab34.linuggs.de as well.

Testing the Postfix configuration

  • postconf >/dev/null
  • postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_local_recipients.cf
  • postmap -q rudi@lab34.linuggs.de ldap:/etc/postfix/ad_sender_login.cf
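
The following script is an added example and not part of the wiki page: it checks the main.cf points that are easy to get wrong (restriction order, empty mydestination, permissions on the map files that carry bind_pw) and repeats the two postmap lookups. The check functions take their input as arguments so they run without Postfix; audit_postfix feeds them from postconf -h when Postfix is installed. The map file names and the test address rudi@lab34.linuggs.de are the ones from the page; the root:postfix 0640 expectation for the map files is the usual choice and an assumption of the script.

```shell
#!/bin/sh
# Added example, not part of the wiki page: sanity checks for the Postfix settings
# above. Pure functions take their input as arguments; audit_postfix runs them
# against the live instance (GNU/BusyBox stat and postconf are assumed).

# 0 if permit_sasl_authenticated precedes reject_unauth_destination, 1 otherwise
# (in the reverse order authenticated clients cannot send to foreign domains).
restriction_order_ok() {
    seen_reject=0
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case $r in
            reject_unauth_destination) seen_reject=1 ;;
            permit_sasl_authenticated)
                if [ "$seen_reject" -eq 0 ]; then return 0; else return 1; fi ;;
        esac
    done
    return 1   # permit_sasl_authenticated absent: no authenticated relaying at all
}

# 0 if the list ends in a bare "reject": only mynetworks and authenticated
# clients may deliver, inbound mail from other MTAs is refused.
closed_to_outside() {
    last=$(printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | grep -v '^$' | tail -n 1)
    [ "$last" = "reject" ]
}

# 0 if mydestination is empty (a domain must not be both local and virtual).
mydestination_empty() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# 0 if the file has no permission bits for "other". Files holding bind_pw are
# read by the postfix user, so root:postfix 0640 is the intended state.
map_perms_ok() {
    perm=$(stat -c '%a' "$1") || return 1
    case $perm in
        *[1-7]) return 1 ;;
    esac
    return 0
}

audit_postfix() {
    if ! command -v postconf >/dev/null 2>&1; then
        echo "postconf not found, nothing to audit on this host"
        return 0
    fi
    rc=0
    rr=$(postconf -h smtpd_recipient_restrictions)
    restriction_order_ok "$rr" || { echo "WARN: permit_sasl_authenticated must precede reject_unauth_destination"; rc=1; }
    closed_to_outside "$rr" && echo "INFO: closing reject: unauthenticated clients outside mynetworks cannot deliver"
    mydestination_empty "$(postconf -h mydestination)" || { echo "WARN: mydestination is not empty"; rc=1; }
    for f in /etc/postfix/ad_local_recipients.cf /etc/postfix/ad_mail_groups.cf /etc/postfix/ad_sender_login.cf; do
        [ -f "$f" ] || { echo "WARN: $f missing"; rc=1; continue; }
        if grep -q '^[[:space:]]*bind_pw' "$f" && ! map_perms_ok "$f"; then
            echo "WARN: $f holds bind_pw but is readable by everyone"; rc=1
        fi
    done
    # The two lookups from the page: both must print rudi@lab34.linuggs.de.
    for m in ad_local_recipients ad_sender_login; do
        echo "$m: $(postmap -q rudi@lab34.linuggs.de "ldap:/etc/postfix/$m.cf" || echo '<no result>')"
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit_postfix; fi
```

Run it as root on the mail server with `sh audit_postfix.sh --run`; a non-zero exit status means at least one WARN line was printed. The INFO line is expected for the configuration above, since it ends in reject on purpose.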

Restarting the Postfix service

  • service postfix restart

Dovecot configuration

  • Install the dovecot-lmtpd package (on distributions that split Dovecot into several packages, the LDAP authentication backend, e.g. dovecot-ldap on Debian, is the part this setup depends on; delivery below goes through dovecot-lda, so LMTP itself is not used)
  • Edit the following files under /etc/dovecot:
Note: Not shown here is 10-ssl.conf. IMAPS on port 993 only works when ssl = yes (or required) and ssl_cert/ssl_key are set there, presumably pointing at the same certificate and key that Postfix references above.

dovecot-ldap.conf.ext

   hosts = lab34.linuggs.de:389
   ldap_version = 3
   auth_bind = yes
   dn = cn=mailservice,cn=Users,dc=lab34,dc=linuggs,dc=de
   dnpass = 12345-Xinux
   base = cn=Users,dc=lab34,dc=linuggs,dc=de
   scope = subtree
   deref = never
   user_filter = (&(objectClass=user)(|(mail=%Lu)(sAMAccountName=%Lu)))
   user_attrs = =uid=8,=gid=12,mail=user
   pass_filter = (&(objectClass=user)(|(mail=%Lu)(sAMAccountName=%Lu)))
   pass_attrs = mail=user
Note: auth_bind = yes means that Dovecot verifies a password by binding to AD with the user's own DN; dn/dnpass (the mailservice account) are only used for the search that finds that DN. Every login therefore sends the user's password to the domain controller, which is why the LDAP connection should be protected with tls = yes (or an ldaps:// URI in uris instead of hosts). Samba AD refuses simple binds over unencrypted LDAP by default anyway (ldap server require strong auth = yes).
Note: Each static value in user_attrs needs its own leading "=". =uid=8,=gid=12 are the numeric ids of the mail user and group on RHEL-style systems (mail:x:8:12), the same account as mail_uid/mail_gid in 10-mail.conf; =uid=mail,=gid=mail works too and does not depend on the distribution's numbering. Written as =uid=8,gid=12 the second entry would be read as an LDAP attribute named gid mapped to a field named 12. %Lu is the login name folded to lower case, so both rudi and rudi@lab34.linuggs.de match the same object, and mail=user makes Dovecot continue with the mail attribute as the user name: that is what puts both login forms into the same /var/mail/rudi and what Postfix then sees as the SASL login name. base is restricted to cn=Users whereas the Postfix maps search the whole domain; a user created in another OU would be deliverable but unable to log in.

10-auth.conf

   auth_mechanisms = plain login
   !include auth-ldap.conf.ext
Note: plain and login carry the password in clear inside the TLS session, so Dovecot's default disable_plaintext_auth = yes (refuse them on unencrypted connections) has to stay in place, just as smtpd_tls_auth_only = yes does on the Postfix side.

10-master.conf

   service auth {
     unix_listener /var/spool/postfix/private/auth {
       mode = 0660
       user = postfix
       group = postfix
     }
   }
Note: The socket lives under Postfix's queue directory, which is why smtpd_sasl_path = private/auth (relative to /var/spool/postfix) in main.cf finds it; mode 0660 with owner postfix keeps other local users from talking to the auth service.

10-mail.conf

   mail_location = mbox:/var/mail/%n
   mail_uid = mail
   mail_gid = mail
Note: %n is the local part of the user name after the rewrite in dovecot-ldap.conf.ext, which yields the /var/mail/<username> layout from the task. The mail user needs write access to /var/mail, and the same user is the one the dovecot pipe transport in master.cf runs deliver as.

15-lda.conf

   protocol lda {
     hostname = lab34.linuggs.de
     postmaster_address = administrator@lab34.linuggs.de
   }

Restarting the Dovecot service

  • service dovecot restart
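
The script below is an added example, not part of the wiki page, and exercises the finished setup the way a client would: AUTH PLAIN over the smtps port, the sender-login check from smtpd_sender_restrictions, an IMAPS login, and, on the server itself, doveadm lookups for both login forms named in the task. The host name and the recipient administrator@lab34.linuggs.de come from the page; the user and password are passed in by the caller and are assumed to contain no quotes or backslashes. The SMTP dialogue used in the usage note is constructed to match what Postfix answers with the configuration above.

```shell
#!/bin/sh
# Added example, not part of the wiki page. doveadm checks must run on the mail
# server; the SMTPS/IMAPS checks need only openssl and can run from any host.
HOST=${HOST:-lab34.linuggs.de}

# AUTH PLAIN initial response: base64("\0user\0password"), no authorization id (RFC 4616).
sasl_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Condense an SMTP transcript to the reply codes for AUTH and RCPT TO. A reply ends
# with a line whose 3-digit code is followed by a space ("250-" continuations are
# skipped); with the dialogue below the 3rd reply answers AUTH and the 5th RCPT TO.
summarise_smtp() {
    awk '/^[0-9][0-9][0-9] / { n++; code[n] = substr($0, 1, 3) }
         END { printf "auth=%s rcpt=%s\n", code[3], code[5] }'
}

# Implicit-TLS submission on 465: EHLO, AUTH PLAIN, MAIL FROM, RCPT TO, QUIT.
# The short sleeps keep the commands from being pipelined ahead of the greeting.
smtps_session() {   # user password mail_from rcpt_to
    token=$(sasl_plain_token "$1" "$2")
    {
        sleep 1; printf 'EHLO test.client\r\n'
        sleep 1; printf 'AUTH PLAIN %s\r\n' "$token"
        sleep 1; printf 'MAIL FROM:<%s>\r\n' "$3"
        sleep 1; printf 'RCPT TO:<%s>\r\n' "$4"
        sleep 1; printf 'QUIT\r\n'
    } | openssl s_client -connect "$HOST:465" -quiet 2>/dev/null
}

# IMAPS on 993: LOGIN then LOGOUT; prints the "a1 OK ..." or "a1 NO ..." line.
imaps_login() {     # user password
    {
        sleep 1; printf 'a1 LOGIN "%s" "%s"\r\n' "$1" "$2"
        sleep 1; printf 'a2 LOGOUT\r\n'
    } | openssl s_client -connect "$HOST:993" -quiet 2>/dev/null | grep '^a1 '
}

# On the server: both login forms from the task must resolve to the same user.
dovecot_local_checks() {   # user password
    doveadm user "$1"                  # userdb lookup by sAMAccountName
    doveadm user "$1@$HOST"            # userdb lookup by mail
    doveadm auth test "$1" "$2"        # passdb: search, then bind as the user's DN
    doveadm auth test "$1@$HOST" "$2"
}

run_all() {   # user password
    echo "--- SMTPS, own address as sender (expect auth=235 rcpt=250)"
    smtps_session "$1" "$2" "$1@$HOST" "administrator@$HOST" | summarise_smtp
    echo "--- SMTPS, forged sender (expect auth=235 rcpt=553, sender-login mismatch)"
    smtps_session "$1" "$2" "someone.else@$HOST" "administrator@$HOST" | summarise_smtp
    echo "--- IMAPS with the bare user name"
    imaps_login "$1" "$2"
    if command -v doveadm >/dev/null 2>&1; then dovecot_local_checks "$1" "$2"; fi
}

if [ $# -eq 2 ]; then run_all "$1" "$2"; fi
```

Usage: `sh mailtest.sh rudi 'password'`. The forged-sender run is the interesting one: AUTH succeeds (235) but RCPT TO is answered with 553 "Sender address rejected: not owned by user rudi@lab34.linuggs.de", which shows both that reject_authenticated_sender_login_mismatch is active and that Dovecot reported the login as the full mail address. Running the same script with `rudi@lab34.linuggs.de` as the user must give identical results, which is the requirement from the task.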