The Perfect Mailserver: LDAP with Postfix and Dovecot
A three-part series on configuring LDAP, mail, and merging the two. We're starting with the end. I'll be writing about gluing together LDAP and your mail daemons.
Welcome to a three-part series on configuring LDAP, mail, and merging the two. We're starting with the end. I'll be writing about gluing together LDAP and your mail daemons.
I'm going to assume you've already got working mailserver with Postfix and Dovecot, and got a LDAP server working. If not, please check out my articles on these by travelling into the future (stay tuned for links).
In the below templates, xf
is the name of my LDAP trust root and cn=mail,ou=groups,dc=xf
is the distinguished name (DN) of the groups giving access to email services (we'll use the same one for both incoming and outgoing). The account we bind to in order to retrieve passwords is cn=passdn,ou=admin,dc=xf
, as LDAP best practice is to not make hashed passwords available publicly, but rather have a dedicated account for retrieving them. Substitute in your own values for these, you will also probably have two dc
entries, such as dc=google,dc=com
. I went with one for minimalism, and because I had control over all the DNS, so I could make xf.
actually resolve to something, which is a requirement in LDAP.
We'll start with the main configuration:
uris = ldaps://xf:636
ldap_version = 3
auth_bind = yes
dn = cn=passdn,ou=admin,dc=xf
dnpass = hunter2
base = ou=users,dc=xf
scope = subtree
deref = never
user_filter = (&(memberOf=cn=mail,ou=groups,dc=xf)(uid=%u))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(memberOf=cn=mail,ou=groups,dc=xf)(uid=%u))
default_pass_scheme = SSHA
user_attrs = uid=user
This assumes that uid
is the username, and userPassword
is the hashed password.
Let's protect that password with chmod 0640 /etc/dovecot/dovecot-ldap.conf.ext
.
You can see that in the user and pass filters, we're specifying an additional filter, for the users to be in the mail
group, which is referenced by its full DN. You'll need the memberOf
overlay to get this to work. If you don't want to look up a group (or couldn't get memberOf
to work), change it like so:
user_filter = (uid=%u)
pass_filter = (uid=%u)
Next, we'll set up the main bit:
mbox_write_locks = fcntl
mmap_disable = yes
auth_username_format=%Ln
passdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
}
userdb {
driver = ldap
args = /etc/dovecot/dovecot-ldap.conf.ext
default_fields = home=/srv/mail/%u
}
We'll probably want mailboxes to be created if they don't exist for new users logging in:
lda_mailbox_autocreate = yes
Be sure you also have something like this:
mail_uid = 6600
mail_gid = 6600
first_valid_uid = 6600
first_valid_gid = 6600
Now, moving onto Postfix, we just have a few files to change:
virtual_mailbox_domains = zm.is, rkveideman.is, opennic.cyb
virtual_minimum_uid = 6600
virtual_alias_maps = hash:/etc/postfix/virtual
ldap:/etc/postfix/maps
smtpd_sender_login_maps = ldap:/etc/postfix/senders
This part is if you want to set up any catch-alls, here I've set that up for two of my domains:
@zm.is m
@rkveideman.is m
server_host = ldaps://xf
server_port = 636
version = 3
bind = no
start_tls = no
bind_dn = cn=passdn,ou=admin,dc=xf
bind_pw = hunter2
search_base = ou=users,dc=xf
scope = sub
query_filter = (&(memberOf=cn=mail,ou=groups,dc=xf)(mail=%s))
result_attribute = uid
Keep it safe: chmod 0640 /etc/postfix/maps
.
Youn may already be seeing a problem. We're logging into Dovecot with our uid
, but need to receive mail with our mail
attribute, so we need some glue between these:
server_host = ldaps://xf
server_port = 636
version = 3
bind = no
start_tls = no
search_base = ou=users,dc=xf
scope = sub
query_filter = (&(memberOf=cn=mail,ou=groups,dc=xf)(uid=%s))
result_attribute = mail
No password needed here since it's simply looking up the uid
and returning the mail
attribute. Easy.
Go ahead and restart any relevant services, and log in with your new credentials.
If it doesn't work, stay tuned for the mailserver instalment in this series, where I will demistify the time-old overcomplicated topic of running your own mailserver.