 |
 |
| Disclaimer : This documentation is not intended for installation guide, per say, but rather, a recording my work. And, for the record, it definitely did work. |
Background
I was working on RED HAT ES 3 Linux on
a Compaq ProLiant ML330 Machine G3 ( Pentium Xeon 3.06 GHZ, 512 MB ECC RAM and 3
X 36GB SCSI Hard Disk. It was a fresh new machine (no preinstalled OS - a
blank slate)
Preinstallation : -
1 ) Compaq Patches
ProLiant Support Pack for Red Hat Enterprise Linux 3
http://h18004.www1.hp.com/support/files/server/us/download/21102.htmll
Download it in
/downloads/patches
cd /downloads/patches
gunzip psp-7.11.rhel3.linux.en.tar.gz
tar -xf psp-7.11.rhel3.linux.en.tar
cd /compaq/csp/linux
./install.sh |
|
Hints
1. Files that are missing can be located using the find command
| find / -name <filename> -print |
2. Applications can be located using the which or locate programs
3. Processes can be viewed with the ps command. Some of my favorite ps command variations :-
| ps -ef | grep <processname> |
This is the basic command. If the process is running, you'll see it (given that the process name that was provided is correct) |
| ps -axf | grep <processname> |
This is a more detailed command. If the process is running, you'll see it (given that the process name that was provided is correct). It will also display what other processes that the process is invoking and the other processes that may invoke the process. |
4. Sometimes, the rpm database could end up corrupted. Issue this command to fix it.
5. Some of these links may come in handy if you are having problems with your compiler (gcc or glibcc). For some reason the compiler sometimes cannot locate its errno.h file. By patching it, you'd face less problem with your compilation (make or make setup check command).
http://www.qmail.org/moni.csi.hu/pub/glibc-2.3.1/
http://djbware.csi.hu/patches/
6. Some of you might be overwhelmed by this whole process. You might start wondering, "What the heck I am doing?", "Why do I need this in the first place?", "Will this installation wreak havoc on my machine?", etc. To answer your questions, here's some big pictures that will give you an idea what the heck all this mess is all about.
Qmail Big Picture 1
Qmail Big Picture 2
Qmail Big Picture 3
Qmail Big Picture 4
Qmail Installation Big Picture
|
1.0 - Introduction
qmail-ldap is a patch to the original qmail that adds a slew of functionality, most apparent of which is the ability to store user configuration and mail policies in your LDAP tree. The qmail-ldap patch is actually a combination of a collection of third-party patches to qmail and a powerful integration of LDAP functionality by Andre Oppermann. This feature enhancement allows qmail to scale wonderfully in large multiuser environments where quick configuration is desired.
This guide will help the reader install qmail-ldap on thier server and configure it as their mail server with the following capabilities:
Virtual mail users stored in LDAP
Automatic home directory and Maildir creation
Optional support for antivirus scanning with McAfee uvscan (VirusScan for Linux)
Mailbox quotas
SMTP encryption (TLS via STARTTLS)
Authenticated SMTP (smtpauth)
RBL support
Autoreply with custom reply messenges
POP3 mail retrieval
IMAP4 mail retrieval
There is much more possible as far as the qmail-ldap configuration capabilities go. Users wishing to implement the addtional features are welcome to browse the program documentation and enable them as they wish. This document should be adequate for setting up a powerful mail server for a home office or small company where no redundancy or complex configuration is required.
|
2.0 - Preparation
2.1 - Packages Needed
These are the packages I have pre-installed with my RED HAT ES 3 Linux. Pre-installation packages list were obtained from www.qmailrocks.org
To check my installed packages, I issued the following commands.
(Packages in red letters is important, really important to have installed)
(Packages in orange letters is somewhat important, outcome may differ if they're not installed)
| Name : httpd |
Relocations: (not relocateable) |
| Group : System Environment/Daemons Source |
RPM: httpd-2.0.46-25.ent.src.rpm |
| URL : http://httpd.apache.org/ |
Summary : The httpd Web server |
| Name : redhat-config-httpd |
Relocations: (not relocateable) |
| Group : Applications/System |
Source RPM: redhat-config-httpd-1.1.0-4.src.rpm |
| URL : http://httpd.apache.org/ |
Summary : A graphical configuration tool for the httpd Web server.
A graphical configuration tool for the httpd Web server. |
| rpm -qa -i | grep openldap |
| Name : openldap |
Relocations: (not relocateable) |
| Group : System Environment/Daemons |
Source RPM: openldap-2.0.27-11.src.rpm |
| URL : http://www.openldap.org/ |
over the Internet. The openldap package contains configuration files, |
| Name : openldap-clients |
Relocations: (not relocateable) |
| Group : Applications/Internet |
Source RPM: openldap-2.0.27-11.src.rpm |
| URL : http://www.openldap.org/ |
over the Internet. The openldap-clients package contains the client |
|
Name : openldap-servers |
Relocations: (not
relocateable) |
|
Group : System
Environment/Daemons Source |
RPM:
openldap-2.0.27-11.src.rpm |
|
URL : http://www.openldap.org/ |
|
| Name : openldap-devel |
Relocations: (not relocateable) |
| Group : Development/Libraries |
Source RPM: openldap-2.0.27-11.src.rpm |
| URL : http://www.openldap.org/ |
The openldap-devel package includes the development libraries and |
| Name : php |
Relocations: (not relocateable) |
| Group : Development/Languages |
Source RPM: php-4.3.2-8.ent.src.rpm |
| URL : http://www.php.net/ |
mod_php module enables the Apache Web server to understand and process |
| Name : php-ldap |
Relocations: (not relocateable) |
| Group : Development/Languages |
Source RPM: php-4.3.2-8.ent.src.rpm |
| URL : http://www.php.net/ |
The php-ldap package is a dynamic shared object (DSO) for the Apache
need to install this package in addition to the php package. |
|
Name : php-imap |
Relocations: (not relocateable) |
|
Group : Development/Languages |
Source RPM: php-4.3.2-8.ent.src.rpm |
|
URL : http://www.php.net/ |
The php-imap package contains a dynamic shared object (DSO) for the
Apache Web server. When compiled into Apache, the php-imap module will
and the php package. |
| Name : perl-Parse-Yapp |
Relocations: (not relocateable) |
| Group : Applications/CPAN |
Source RPM: perl-Parse-Yapp-1.05-30.src.rpm |
| |
(reentrant) parsers with perl object oriented interface. The script PostScript that is able to properly render PostScript documents in a display |
|
Name : perl-URI |
Relocations: (not
relocateable) |
|
Group : Applications/CPAN |
Source RPM: perl-URI-1.21-7.src.rpm |
|
Name : perl-CPAN |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: perl-5.8.0-88.4.src.rpm |
|
Name : perl-Filter |
Relocations: (not
relocateable) |
|
Group : Development/Libraries |
Source RPM: perl-Filter-1.29-3.src.rpm |
|
Name : perl-DateManip |
Relocations: (not
relocateable) |
|
Group : Applications/CPAN |
Source RPM: perl-DateManip-5.40-30.src.rpm |
|
Name : perl-XML-Dumper |
Relocations: /usr |
|
Group : System
Environment/Libraries |
Source RPM:
perl-XML-Dumper-0.4-25.src.rpm |
|
|
if the modules are installed on the system where the perl objects are
the perl objects are converted and reconstituted in the same |
|
Name : newt-perl |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
newt-perl-1.08-4.src.rpm |
|
Name : perl-XML-Grove |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
perl-XML-Grove-0.46alpha-25.src.rpm |
|
Name : perl |
Relocations: (not
relocateable) |
|
Group : Development/Languages
Source |
RPM: perl-5.8.0-88.4.src.rpm |
|
|
the CGI scripts on the web are written in Perl. You need the perl |
|
Name : perl-HTML-Parser |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
perl-HTML-Parser-3.26-17.src.rpm |
|
|
The HTML-Parser module for perl to parse and extract information from |
|
Name : perl-XML-Parser |
Relocations: (not
relocateable) |
|
Group : Applications/CPAN |
Source RPM: perl-XML-Parser-2.31-15.src.rpm |
|
Name : perl-libxml-perl |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
perl-libxml-perl-0.07-28.src.rpm |
|
|
libxml-perl is a collection of smaller Perl modules, scripts, and
documents for working with XML in Perl. libxml-perl software works in |
|
Name : perl-XML-Twig |
Relocations: (not
relocateable) |
|
Group : Development/Libraries |
Source RPM: perl-XML-Twig-3.09-3.src.rpm |
|
|
Summary : A perl module for processing huge XML documents in tree mode. |
|
Name : mod_perl |
Relocations: (not
relocateable) |
|
Group : System
Environment/Daemons |
Source RPM:
mod_perl-1.99_09-10.ent.src.rpm |
|
URL : http://perl.apache.org/ |
Mod_perl incorporates a Perl interpreter into the Apache Web server,
so the Apache Web server can directly execute Perl code. Mod_perl
Install mod_perl if you are installing the Apache Web server and you |
|
Name : perl-libxml-enno |
Relocations: (not
relocateable) |
|
Group : Applications/CPAN |
Source RPM: perl-libxml-enno-1.02-29.src.rpm |
|
Name : gcc-java-ssa |
Relocations: (not
relocateable) |
|
Group : Development / Languages |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/ projects/tree-ssa/ |
Summary : Java support for gcc version 3. |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : Libraries for Java development using gcc.
programs using the gcc Java compiler (gcj). |
|
Group : Development/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Name : libgcc-ssa |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
|
|
Name : gcc-g77 |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : Fortran 77 support for gcc.
The gcc-g77 package provides support for compiling Fortran 77 programs
with the GNU gcc compiler.
You should install gcc-g77 if you are going to do Fortran development
and you would like to use the gcc compiler. You will also need gcc. |
|
Name : gcc-ssa |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
The gcc-ssa package contains a snapshot of the GNU Compiler Collection, |
|
Group : System
Environment/Libraries |
Source RPM:
compat-gcc-7.3-2.96.122.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Name : gcc-objc |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : Objective C support for gcc.
gcc-objc provides Objective C support for the GNU C compiler (gcc).
Install gcc-objc if you are going to do Objective C development and
you would like to use the gcc compiler. You also need gcc. |
|
Group : System
Environment/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Group : System
Environment/Libraries |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
|
|
Group : Development/Languages |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
Summary : Libraries for Java development using gcc version 3.
package to compile your Java programs using the gcc version 3 |
|
Name : gcc |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : The GNU cc and gcc C compilers.
The gcc package includes the cc and gcc GNU compilers for compiling C |
|
Name : gcc-g77-ssa |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
Summary : Fortran 77 support for gcc version 3.
The gcc-g77 package provides support for compiling Fortran 77
programs with the GNU gcc compiler version 3.0. |
|
Group : System
Environment/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Group : System
Environment/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Name : gcc-objc-ssa |
Relocations: (not
relocateable) |
|
Group : Development/Languages
Source |
RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
|
Summary : Objective C support for gcc version 3.
gcc-objc provides Objective C support for the GNU C compiler version
3.0. |
|
Name : libgcc |
Relocations: (not
relocateable) |
|
Group : System
Environment/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Group : System
Environment/Libraries |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : The Java runtime library for gcc.
to run Java programs compiled using the gcc Java compiler (gcj). |
|
Group : System
Environment/Libraries Source |
RPM:
gcc-ssa-3.5ssa-0.20030801.41.src.rpm |
|
URL : http://gcc.gnu.org/projects/ tree-ssa/ |
|
|
Name : gcc-java |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : Java support for gcc.
The gcc-java package adds experimental support for compiling Java(TM)
to install the Java runtime library included in the gcc-libgcj |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
|
|
Name : gcc-c++ |
Relocations: (not
relocateable) |
|
Group : Development/Languages |
Source RPM: gcc-3.2.3-20.src.rpm |
|
URL : http://gcc.gnu.org |
Summary : C++ support for the GNU gcc compiler.
The gcc-c++ package adds C++ support to the GNU C compiler. It |
| Name : MySQL-server |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
|
Summary : MySQL: a very fast and reliable SQL database server
The MySQL(TM) software delivers a very fast, multi-threaded, multi-user,
and robust SQL (Structured Query Language) database server. MySQL Server
as for embedding into mass-deployed software. MySQL is a trademark of
MySQL AB.
|
The MySQL software has Dual Licensing, which means you can use the MySQL
(http://www.gnu.org/licenses/). You can also purchase commercial MySQL
licenses from MySQL AB if you do not wish to be bound by the terms of
The MySQL web site (http://www.mysql.com/) provides the latest
news and information about the MySQL software. Also please see the
This package includes the MySQL server binary (incl. InnoDB) as well
as related utilities to run and administrate a MySQL server.
package "MySQL-client" as well!
|
| Name : MySQL-client |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
| Summary : MySQL - Client |
This package contains the standard MySQL clients and administration tools.
For a description of MySQL see the base MySQL RPM or http://www.mysql.com
|
| Name : MySQL-bench |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
| Summary : MySQL - Benchmarks and test system |
This package contains MySQL benchmark scripts and data.
For a description of MySQL see the base MySQL RPM or http://www.mysql.com
|
| Name : MySQL-shared |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
| Summary : MySQL - Shared libraries |
Summary : A module for PHP applications that use MySQL databases.
MySQL database support to PHP. MySQL is an object-relational database
you need MySQL support for PHP applications, you will need to install
languages and applications need to dynamically load and use MySQL.
|
| Name : MySQL-devel |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
|
Summary : MySQL - Development header files and libraries
necessary to develop MySQL client applications.
|
For a description of MySQL see the base MySQL RPM or http://www.mysql.com
|
| Name : MySQL-shared-compat |
Relocations : (not relocateable) |
| Version : 4.1.8 |
Vendor: MySQL AB |
| Group : Applications/Databases |
Source RPM: MySQL-shared-compat-4.1.8-0.nosrc.rpm |
| Summary : MySQL shared libraries for MySQL 4.1.8 and 3.23.58 |
This package includes the shared libraries for both MySQL 3.23.58 and
MySQL 4.1.8. Install this package instead of "MySQL-shared", if you
have applications installed that are dynamically linked against MySQL
3.23.xx but you want to upgrade to MySQL 4.0.xx without breaking the library
|
| Name : MySQL-embedded |
Relocations: (not relocateable) |
| Version : 4.1.8 |
Vendor : MySQL AB |
| Group : Applications/Databases |
Source RPM : MySQL-4.1.8-0.src.rpm |
| Summary : MySQL - embedded library |
This package contains the MySQL server as an embedded library.
The embedded MySQL server library makes it possible to run a
full-featured MySQL server inside the client application.
The API is identical for the embedded MySQL version and the
For a description of MySQL see the base MySQL RPM or http://www.mysql.com
|
| Name : php-mysql |
Relocations : (not relocateable) |
| The php-mysql package contains a dynamic shared object that will add |
For a description of MySQL see the base MySQL RPM or http://www.mysql.com |
| Install Date : Thu 23 Dec 2004 05:33:30 PM MYT |
Build Host : build.mysql.com |
| Packager : Lenz Grimmer <[email protected]> |
URL : http://www.mysql.com/ |
| rpm -qa -i | grep openssl |
|
Name : openssl-devel |
Relocations: (not
relocateable) |
|
Group :
Development/Libraries |
Source RPM: openssl-0.9.7a-22.1.src.rpm |
|
URL : http://www.openssl.org/ |
OpenSSL is a toolkit for supporting cryptography. The openssl-devel |
|
Name : openssl |
Relocations: (not relocateable) |
|
Group : System
Environment/Libraries |
Source RPM:
openssl-0.9.7a-22.1.src.rpm |
|
URL : http://www.openssl.org/ |
|
|
Name : wget |
Relocations: (not relocateable) |
|
Group :
Applications/Internet |
Source RPM: wget-1.8.2-15.src.rpm |
|
Name : patchutils |
Relocations: (not relocateable) |
|
Group :
Applications/System |
Source RPM: patchutils-0.2.23-1.src.rpm |
|
URL : http://cyberelk.net/tim/ patchutils/ |
Summary : A collection of programs for manipulating patch files
This is a collection of programs that can manipulate patch files in
a variety of ways, such as interpolating between two pre-patches,
combining two incremental patches, fixing line numbers in hand-edited
patches, and simply listing the files modified by a patch.
package from Red Hat Enterprise Linux, the mcore kernel patch offered by
Mission Critical Linux, or the LKCD kernel patch.
kernel specifically patched with newer RAID support.
to provide a summary of the changes in large, complex patch files. |
|
Name : patch |
Relocations: (not relocateable) |
|
Group : Development/Tools |
Source RPM: patch-2.5.4-16.src.rpm |
|
URL : http://www.gnu.org/software/
patch/patch.htmll |
Summary : The GNU patch command, for modifying/upgrading files.
The patch program applies diff files to originals. The diff command is
patch command with the diff file to add the changes to their original
file (patching the file). |
Missing packages can be installed via the Add/Remove Packages options, that can be accessed with the RED HAT START BUTTON.
RED HAT START BUTTON => SYSTEM SETTINGS => ADD/REMOVE APPLICATIONS
To locate the packages is not easy, I
know! ( Snaps to Red Hat for their 'magnificent' GUI ) But the above-provided
Groups could make the locating hassle easier.
2.2 - Packages Not Need
Refering to
www.qmailrocks.org, I know that I don't
need to uninstall the packages mentioned below. I can just disable the services,
but to play on the safe side, I decided to uninstall them anyways.
About sendmail
- It is my opinion that it should not be disable/uninstall it until the time
comes. Some of the troubleshooting method may need it running/present.
2.2.1 - Postfix
To check if it is installed
| rpm -qa -i | grep postfix |
If it is installed, something like
this will appear (obviously, I can't remember the details, but
<something>
shouldn't be included in the commands) :-
Name : postfix-something
Group : <something>
URL : <something>
Relocations : <something>
Source : postfix-something
Summary : <something> |
To remove it, if installed (replace postfix-something with what was given in the Name : details) :-
2.2.2 - POP3
To check if it is installed
If it is installed, something like
this will appear (obviously, I can't remember the details, but
<something>
shouldn't be included in the commands) :-
Name : pop3-something
Group : <something>
URL : <something>
Relocations : <something>
Source : pop3-something
Summary : <something> |
To remove it, if installed (replace pop3-something with what was given in the Name : details) :-
2.2.3 - SMTP
To check if it is installed
If it is installed, something like
this will appear (obviously, I can't remember the details, but
<something>
shouldn't be included in the commands) :-
Name : smtp-something
Group : <something>
URL : <something>
Relocations : <something>
Source : smtp-something
Summary : <something> |
To remove it, if installed (replace
smtp-something with what was given in the Name : details) :-
2.3 - Services
If a firewall is present, enable these
services. (The option is available from the Service)
Outbound ports (tcp)
25 - SMTP
110 - POP services
143 - IMAP
783 - Spamassassin
993 - IMAPS
Inbound Ports (tcp)
25 - SMTP
80 - HTTP
110 - POP services
143 - IMAP
443 - HTTPS
783 - Spamassassin
993 - IMAPS
Services can be enabled/disabled via
the Services options, that can be accessed with the RED HAT START BUTTON.
RED HAT START BUTTON => SYSTEM SETTINGS => SERVER SETTINGS => SERVICES
|
3.0 Configuring OpenLDAP
Since OpenLDAP has already been installed via rpms, the only thing left to to is to configue it.
Using a text-editor (or vi for that matter), edit the /etc/rc.local file. This is to ensure that OpenLDAP will run as soon as the machine is powered up. Add these lines : -
# OpenLDAP
if [ -x /usr/sbin/slapd ]; then
echo ' OpenLDAP'
/usr/sbin/slapd -f /etc/openldap/slapd.conf
fi
# Apache Webserver
if [ -x /usr/sbin/httpd ]; then
echo ' Apache WebServer'
/usr/sbin/httpd
fi |
Next, let's set up the
configuration and var directories. The following command will set up the
main configuration directory and schema repository:
| mkdir -p /etc/openldap/schema |
The next command creates the directory where OpenLDAP will store its PID
file and other information:
Copy the base schema files into place in the configuration directory:
| cp /usr/local/share/examples/openldap/schema/* /etc/openldap/schema |
Next, copy the example configuration file into place:
cp /usr/local/share/examples/openldap/slapd.conf /etc/openldap
chmod 0600 /etc/openldap/slapd.conf |
The file slapd.conf is the main configuration file for OpenLDAP and is
accesible only by root since it contains passwords.
2.1 - Configure OpenLDAP
The next step is to edit the slapd.conf file to configure your LDAP
directory. Configure the following parts of the file, which should be
well-commented:
Include schemas: Add the following lines to
the top of the file to add schema definitions to your directory:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/krb5-kdc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema |
suffix: Every LDAP tree has a base identity called the suffix. There are
several ways to define one. Pick one based on your organization's naming
structure. For example, if my organization is located on the Internet as
example.tld, I could define my suffix as follows:
| suffix "dc=example,dc=tld" |
Since LDAP is arranged in a heirarchical structure, dc=example,dc=tld is
now the base suffix for all of your LDAP entities.
rootdn: The rootdn is the LDAP user that has all rights to the tree.
Think of it as the root user over the LDAP namespace. To define the
rootdn (let's call it the manager), give the user a unique name using a
cn value as follows:
| rootdn "cn=Manager,dc=example,dc=tld" |
While the LDAP security model
allows the admin to further restrict access to parts of the tree, we
will always use this rootdn account throughout this document as we
perform configuration operations on the LDAP directory. Be sure to
remember this identity (called the DN, or distinguished name.)
rootpw: This is the password that the rootdn uses to access the
directory. The default password will work for the duration of our setup,
but remember to change it the moment your LDAP server goes into
production. For details see slappasswd(8).
The rest of the default configuration settings should remain as they are.
Now it is time to start the slapd daemon, which will bring up OpenLDAP.
As the superuser, issue the following command to start it:
| /usr/sbin/slapd -f /etc/openldap/slapd.conf |
This should return you to your shell, where you may verify that the daemon has started correctly:
# ps auxwww |grep slapd
root 29000 0.0 2.4 7312 1568 ?? Ss Sun05AM 0:08.39 /usr/sbin/slapd -f /etc/openldap/slapd.conf
# cat /usr/local/var/slapd.pid
29000 |
As seen in the above command, the output of ps shows slapd running as PID 29000, as does the PID file itself. slapd should be running now.
The next step is to add the DNs specified in the config file to the
directory. To do this, create an LDIF file in your current directory
with the following contents (modified to match your LDAP configuration:)
# example.ldif
dn: dc=example,dc=tld
objectclass: dcObject
objectclass: organization
o: Example Organization
dc: example
dn: cn=Manager,dc=example,dc=tld
objectClass: organizationalRole
cn: Manager
|
After creating this as a text file and saving it out, use the ldapadd utility to add it to the tree. See ldapadd(1) for full details on this command.
| ldapadd -x -D "cn=Manager,dc=example,dc=tld" -W -f example.ldif |
Now use the ldapsearch(1) utility to verify that both of the entries you
imported can be retrieved from the tree:
| ldapsearch -x -b "dc=example,dc=tld" '(objectclass=*)' |
This should output the LDAP definitions of the suffix and the rootdn, as
defined in your LDIF file. Assuming this works as it should, we can
continue on to installing qmail-ldap.
|
4.0 - Managing
Tools
NOTE : This step is absolutely
optional. However, it is makes the installation much more fun since we
can actually see what we've accomplished via GUIs (instead of loads of
characters which is not THAT reassuring for a Windows-crazed person like
me).
4.1 - phpldapadmin
phpldapadmin will allow
managers manage their domains better using a web browser GUI. I bet
there are other better tools for OpenLDAP out there but since I've used it before and
was somewhat satisfied with its abilities, I chose to use it again.
Download and follow the
installation instructions from
http://www.phpldapadmin.org.
|
Name :
phpldapadmin-0.9.4b |
Relocations: unknown |
|
Group : none |
Source RPM: none |
|
|
Unpacked. Copied
unpacked directory to DEFAULT web server's root (/var/www/html/) |
4.2 - Webmin
Installed webmin, a great tool
to monitor and manage services and servers that are running on a machine
using a web browser GUI. Obtained from
http://www.webmin.com. Also installed the third party moduled
called OpenLDAP. Follow the installation guide from the official website
and it will be fine.
A great reason to have this installed is
if when your php admin tool is not working (phpldapadmin or phpmyadmin)
because of its php-API's, webmin could always work since it works on
perl.
| Name : webmin |
Relocations: (not relocateable) |
| Group : System/Tools |
Source RPM: webmin-1.170-1.src.rpm |
4.3 phpmyadmin
A tool designed to ease the
task of MySQL Server on a web browser. A great tool if you need a tool
that can manage advanced options for MySQL users without the hassle of
the command lines. Has a better control than webmin.
|
5.0 - Install qmail-ldap
Installation of qmail-ldap can be intimidating at first. Some consider
the stock qmail installation difficult. We will break the installation
into several parts so that it is a little easier to grasp.
5.1 - Install daemontools
daemontools is a toolset that is useful for keeping services up and
running indefinately. The daemontools collection works well for keeping
the qmail services running and manageable.
mkdir -p
/package
chmod 1755
/package
cd /package |
Download daemontools at
http://cr.yp.to/daemontools/install.htmll
gunzip daemontools-0.76.tar.gz
tar -xf daemontools-0.76.tar
cd admin/daemontools-0.76
echo gcc -02 -include /usr/include/errno.h > conf-cc
package/install |
To check if the installation
was successfull :-
|
mail root@<hostname> < /package/admin/daemontools-0.76/compile/systype |
The final step will be to reboot the
computer, so once that has finished we can continue from where we are at
and install ucspi-tcp.
5.2 - Install ucspi-tcp
The ucspi-tcp package is what is used to manage incoming connections for
services that qmail provides. It is also used to implement access
control on the network level and define our relaying policy.
Download the package via
http://cr.yp.to/ucspi-tcp/install.htmll. Save it in
/package.
gunzip ucspi-tcp-0.88.tar.gz
tar -xf ucspi-tcp-0.88.tar
cd ucspi-tcp-0.88
echo gcc -02 -include /usr/include/errno.h > conf-cc
make setup check |
To check the installation was successful : -
(echo 'First M. Last'; cat `cat SYSTYPE`) \
| mail root@<hostname> |
5.3 - Install djbdns
djbdns is a small, secure, and powerful DNS server and cache toolkit
package.
While the use of a DNS server or cache is not requisite for qmail-ldap,
it doesn't hurt so much in the first place. Having a local cache on the
server can help speed up operations without having to wait for seperate
caches to perform MX lookups on your behalf. Besides this, our primary
need for djbdns is to help install qmail-conf, which requires it.
Download the toolkit at
http://cr.yp.to/djbdns/install.htmll. Install it in
/package.
gunzip djbdns-1.05.tar.gz
tar -xf djbdns-1.05.tar
cd djbdns-1.05
echo gcc -02 -include /usr/include/errno.h > conf-cc
make setup check |
To check the installation was
successful : -
(echo 'First M. Last'; cat `cat SYSTYPE`) \
| mail root@<hostname> |
5.4 - Patching qmail-1.03
Now that the supporting software is installed, we can move on to
installing qmail-ldap. The first thing to do is to obtain the stock
qmail-1.03 source distribution and patch it with the latest qmail-ldap
patch.
First, download qmail from the author's home page. You can use wget to
download the package:
| wget http://cr.yp.to/software/qmail-1.03.tar.gz |
Next, you'll want to download the qmail-ldap patch. The home page for
this software is http://www.nrg4u.com/.
At the time of this writing, the current patch version is
qmail-ldap-20041201. The author notes that updated qmail-ldap releases
are done at the beginning of every month.
The patch is probably distributed as a gzipped (compressed) file.
Uncompress the file to its regular form using the gunzip command:
| gunzip qmail-ldap-1.03-20041201.patch.gz |
Having obtained the patch, now uncompress the qmail archive. Since this
is a tar archive, you can use the tar command to extract the source:
| tar zxvf qmail-1.03.tar.gz |
To apply the qmail-ldap patch to the qmail-1.03 release, simply change
into the qmail source directory and issue the patch command as follows:
cd qmail-1.03
patch -p1 < ../qmail-ldap-1.03-20041201.patch |
This command is patching the source code with a patch found in the same
directory as the qmail source folder is located in. As this command
runs, you should see several lines of output flow by, with messages
about "Hunks" included. There should be no "Hunk failed" messages in the
output, and if you don't see any then the patch applied successfully.
Having successfully patched your qmail source, it is now time to further
modify the OpenLDAP configuration a little more. The qmail-ldap patch
creates another schema file for use with OpenLDAP. This schema should be
included with the rest of the schema files so that it can be accessed.
Copy the schema from the qmail source tree:
| cp qmail.schema /etc/openldap/schema |
Now, add the following line to your /etc/openldap/slapd.conf:
| include /etc/openldap/schema/qmail.schema |
At the bottom of your slapd.conf, specify with the following lines to
maintain indices of important attributes for qmail-ldap:
index objectClass eq
index mail,mailAlternateAddress,uid eq,sub
index accountStatus,mailHost,deliveryMode eq
index default sub |
Having done this, give slapd a HUP signal so that it re-reads its
configuration:
| kill -HUP `cat /usr/local/var/slapd.pid` |
NOTE: When I first installed the new qmail schema file and tried to
reload the configuration, I ended up with an error about the syntax of
the schema file. In case you also run into this issue, make sure that
the last line in the schema file has the neccesary closing parentheses,
as follows:
| qlaMailQuotaCount $ qlaMailSizeMax ) ) |
5.5 - Editing the Makefile
Many of the included
third-party patches that come with qmail-ldap can be enabled or disabled
in the included Makefile. Open the Makefile in your editor and let's
look at the options that I enabled for my installation.
LDAPFLAGS: This option should be located at the top of the file. Make
sure the line is uncommented, and set it to the following string:
| LDAPFLAGS=-DDASH_EXT -DDATA_COMPRESS -DALTQUEUE -DQUOTATRASH |
These options will have the following effects:
-DDASH_EXT: This enables the capability to have extended addresses
(containing a hyphen character) and is required for use with the ezmlm
mailing list manager.
-DDATA_COMPRESS: This option enables data compression with the SMTP
traffic.
-DALTQUEUE: This enables the QMAILQUEUE patch to specify a different
program as the queue. This will allow us to install qmail-scanner later
on.
-DQUOTATRASH: This causes messages in a user's Trash folder to be
counted into the size of the mailbox as well. The default is to ignore
the size of the Trash folder, and we don't want a user to use extra
space by abusing this.
ZLIB: In order to use the SMTP compression option, we will need support
for zlib compression library. Uncomment this line in the configuration,
like so:
TLS: Next comes TLS support. TLS is transport layer security and this is
what will give us the ability to handle the STARTTLS extension and carry
on encrypted SMTP sessions. We want to build support into both
qmail-remote and qmail-smtpd, so we will make sure the TLS option is
uncommented and set as follows:
| TLS=-DTLS_REMOTE -DTLS_SMTPD |
Since the includes for OpenSSL are installed in a different place than
the Makefile is expecting, we will also have to specify this location on
the TLSINCLUDES option:
| TLSINCLUDES=-I/usr/include/openssl |
Also make sure that the OpenSSL libraries can be found by the Makefile.
The TLSLIBS line should be uncommented and set as follows:
| TLSLIBS=-L/usr/lib -lssl -lcrypto |
Auto-Maildir-make: To give qmail-ldap to automatically create Maildirs
for users with active accounts, enable the option for
MDIRMAKE:
| MDIRMAKE=-DAUTOMAILDIRMAKE |
Auto-Homedir-make: Besides creating Maildirs, qmail-ldap can also create
the users' home directories. Enable the HDIRMAKE option:
| HDIRMAKE=-DAUTOHOMEDIRMAKE |
DEBUG: The final option in the Makefile is to increase logging
capabilities for IMAP and POP3 connections. Enable the
DEBUG option.
After editing and saving the Makefile out, one other configuration
change needs to be made prior to building and installing qmail-ldap.
Adjust the value in the conf-spawn file so that it works with OpenBSD's
GENERIC kernel:
5.6 - Add system users
The only step left prior to actually compiling and installing qmail-ldap
is to set up the neccesary system users needed for it to function.
qmail's operations are partitioned into several parts each tightly
controlling the functionality of individual parts of the system and
adding to the security of the application. The following commands should
add the neccesary users and groups to the system. Ignore any error
messages generated by these commands:
groupadd nofiles
useradd -g nofiles -d /var/qmail/alias alias
useradd -g nofiles -d /var/qmail qmaild
useradd -g nofiles -d /var/qmail qmaill
useradd -g nofiles -d /var/qmail qmailp
groupadd qmail
useradd -g qmail -d /var/qmail qmailq
useradd -g qmail -d /var/qmail qmailr
useradd -g qmail -d /var/qmail qmails |
Besides the users needed for our qmail-ldap installation, let's create a
system user that will be used for local access by all of our virtual
mail users. Let's make sure this user doesn't have a login shell or a
password.
groupadd vmail
useradd -g vmail -d /var/vmail -m -s /sbin/nologin vmail
rm /var/vmail/.* |
5.7 - qmail-ldap Installation
The final step is to issue the
command to compile and install qmail-ldap into the system. Of course,
this will have to be done with root privileges:
If this command exits without any errors, qmail-ldap is installed on
your system.
| The final result of our installation is that qmail-ldap is installed into /var/qmail; all of the binaries are located under the bin/ directory, documentation is located in docs/, and man pages are located in man/ under the main directory. |
5.8 - Configure control files
The primary runtime configuration for qmail-ldap is handled by files
located under the /var/qmail/control directory. Each file controls one
particular aspect of the configuration and can be easily adjusted to
change the setting. We will examine a list of useful control files and
set up some reasonable defaults for each of them. Some must be set to a
specific parameter, and some can be adjusted to your desired setting.
For details on all of the available control files, see the documentation
located at /var/qmail/docs/QLDAPINSTALL.
me: This should be set to the FQDN of your mail server. For example, if
your primary DNS name is mail.example.tld, then do this:
| echo "mail.example.tld" > /var/qmail/control/me |
ldapserver: This file should contain the IP address or FQDN of the LDAP
server that will contain your qmail-ldap accounts. For example, if the
LDAP server is ldap.example.tld, you could do something like this:
| echo "ldap.example.tld" > /var/qmail/control/ldapserver |
ldapbasedn: This should contain the base DN under which qmail-ldap user
accounts will exist. Let's say we have an OU called qmail_users under
the root of our tree; we could do this:
| echo "ou=qmail_users,dc=example,dc=tld" > /var/qmail/control/ldapbasedn |
ldapobjectclass: This is the object class that all searches against the
LDAP tree will be limited to. The default object class is qmailUser, so
let's do:
| echo "qmailUser" > /var/qmail/control/ldapobjectclass |
ldaplocaldelivery: This contains a boolean value indicating whether to
look to the local /etc/passwd account if a user is not found in the LDAP
directory. Since we want our installation to be fully configured in
LDAP, set this to 0:
| echo 0 > /var/qmail/control/ldaplocaldelivery |
ldapcluster: This contains a boolean value indicating whether to enable
clustering in your qmail-ldap installation. Although the clustering
capabilities are very powerful, this is a standalone installation and
will not be clustered.
| echo 0 > /var/qmail/control/ldapcluster |
defaultquotasize: This is the default size (in bytes) of quotas placed
on a user's Maildir. This value can be overridden per individual user
account but is applied to users without the mailQuota* attributes. For
example, to set a default size quota of 1 MB:
| echo 1000000 > /var/qmail/control/defaultquotasize |
defaultquotacount: This file controls the number of messages that by
default consititute a user's Maildir quota. If you wish to set a quota
based on number of messages in a user's Maildir, use this control file.
| echo 1000 > /var/qmail/control/defaultquotacount |
quotawarning: This is a text message displayed to user accounts that are
approaching their quota levels. By default this point is at 70% of the
defined quota. This file can contain multiple lines.
| echo "Your quota limit is approaching!" > /var/qmail/control/quotawarning |
ldapdefaultdotmode: This file controls the default treatment of .qmail
files for a user. We want our qmail-ldap installation to retrieve all
user delivery information from LDAP.
| echo ldaponly > /var/qmail/control/ldapdefaultdotmode |
ldapmessagestore: This control is helpful for setting up automatic
home-dir and Maildir creation. This is the filesystem path where all
qmail-ldap user accounts and Maildirs are stored. Each user will have
delivery locations under this path. Make this the home directory that we
set for our vmail user earlier:
| echo /mail > /var/qmail/control/ldapmessagestore |
ldapuid: This should contain the UID of the vmail user. If you don't
know this, you can use the id command to find out. Example:
$ id vmail
uid=1001(vmail) gid=1001(vmail) groups=1001(vmail)
echo 1001 > /var/qmail/control/ldapuid |
ldapgid: This should contain the GID of the vmail user. The id command
reveals this, if unknown.
| echo 1001 > /var/qmail/control/ldapgid |
ldaptimeout: This controls the amount of time that an LDAP lookup will
be attempted for prior to giving up.
| echo 30 > /var/qmail/control/ldaptimeout |
custombouncetext: This is some custom text that can be appended to the
regular bounce messages. See the QLDAPINSTALL file for specifics on the
structure of this file.
| echo "For further assistance, contact [email protected]" > /var/qmail/control/custombouncetext |
rbllist: This control defines a set of rules for accepting or rejecting
mail delivered from hosts found on one or more RBL directories. See the
optoinal section 6.4 for more details on configuring this file, if you
are interested. For now, simply create this as an empty file.
| touch /var/qmail/control/rbllist |
outgoingip: This should contain the IP address that qmail-remote should
bind to. Most hosts can bind all addresses, certain sites will want to
bind to one specific interface, if more are avialable.
| echo 0.0.0.0 > /var/qmail/control/outgoingip |
|
6.0 - qmail-ldap configuration
This section will cover a couple of more details related to getting
qmail-ldap started and running.
6.1 - /var/qmail/rc
The first step is to create the rc file used to initialize qmail-start.
Create this file as /var/qmail/rc:
#!/bin/sh
# Taken from LWQ by Dave Sill
# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default
exec env - PATH="/var/qmail/bin:$PATH" \
qmail-start "`cat /var/qmail/control/defaultdelivery`" |
Make sure that this file is marked as executable:
Since this script uses a
control file called defaultdelivery for delivery instructions, let's
create that file next. Create this file at
/var/qmail/control/defaultdelivery:
Notice the trailing slash on the end of the word. This is very important
and deliveries will be deferred if this is not input correctly.
6.2 - qmail-conf
To help us in setting up the rc mechanics of qmail's various services,
we will use the qmail-conf package written by Tetsu Ushijima. This
enables you to use utilities to set up qmail-smtpd and qmail-send
services similar to the methods used in setting up services for djbdns.
If you've ever installed dnscache or tinydns, you already know how
useful such capabilities are.
For detailed installation instructions, refer to the author's
installation documentation located at
http://www.din.or.jp/~ushijima/qmail-conf/install.htmll.
After setting qmail-conf up, let's go ahead and create service
directories for two important qmail services: qmail and smtpd (called
qmail-send and qmail-smtpd by LWQ, respectively.)
Setting up the qmail service
To create the qmail service, use the following command to set up the
supervise directory to be used by daemontools:
/var/qmail/bin/qmail-delivery-conf qmaill
/var/qmail/service/qmail |
Link the resulting service
directory into /service so that svscan knows about the new service:
| ln -s /var/qmail/service/qmail /service |
This should cause svscan to
start the service in a couple of seconds. Wait for a few seconds and
then check on the status of your new service using svstat:
If the service started successfully and is up, you should see output
similar to below:
/service/qmail: up
(pid 1020) 14 seconds |
Disabling sendmail
By default, OpenBSD ships with
Sendmail as the system MTA. To make sure that it does not interfere with
our installation in any way, we will make sure that it is not used
anymore. There is no need to attempt uninstalling the software; simply
disabling it will do.
First, edit the file /etc/rc.conf and make sure that the program does
not initialize at boot. To do this, set the sendmail_flags option to NO.
I generally comment out the existing line in case I ever need the
original value, and add in the new value on another line that is
uncommented. So it might look something like this:
#sendmail_flags="-L
sm-mta -C/etc/mail/localhost.cf -bd -q30m"
sendmail_flags=NO |
Having disabled Sendmail at boot, make sure to kill the crontab entry
that will attempt to run queue jobs for Sendmail. To do this, edit
root's crontab and comment the job out. Use the crontab command to do
that:
Find the sendmail entry and comment it out, as below:
# sendmail
clientmqueue runner
#*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q |
See if any sendmail processes are running, and kill them if they are.
There probably is one since the default OpenBSD behavior is for Sendmail
to start at boot. Use the ps command to search for a sendmail process,
and the kill command to stop it. Here is an example:
# ps ax |grep sendmail
29089 ?? Is 1:13.24 sendmail: accepting connections (sendmail)
# kill 29089 |
Finally, edit the system configuration file /etc/mailer.conf so that all
mail functions are carried out through qmail instead of Sendmail. Open
this file in your editor and change all entries to use qmail's sendmail
wrapper, as follows:
# Execute qmail's sendmail wrapper, named /var/qmail/bin/sendmail
#
sendmail /var/qmail/bin/sendmail
send-mail /var/qmail/bin/sendmail
mailq /var/qmail/bin/sendmail
newaliases /var/qmail/bin/sendmail
hoststat /var/qmail/bin/sendmail
purgestat /var/qmail/bin/sendmail |
Setting up the smtpd service
To create the smtpd service, use the following command to set up the
supervise directory to be used by daemontools:
/var/qmail/bin/qmail-smtpd-conf qmaild qmaill
/var/qmail/service/smtpd |
After creating the service directory, set the service softlimit higher
so that it will run correctly under OpenBSD. To do this, change the
value of the file /var/qmail/service/smtpd/env/DATALIMIT to contain the
new value that will be used. Let's set the value to 8 MB, which should
give us adequate resource limits to give our system all the
functionality we want:
|
echo 8000000 > /var/qmail/service/smtpd/env/DATALIMIT |
Link the resulting service directory into /service so that svscan knows
about the new service:
| ln -s /var/qmail/service/smtpd /service |
This should cause svscan to start the service in a couple of seconds.
Wait for a few seconds and then check on the status of your new service
using svstat:
If the service started successfully and is up, you should see output
similar to below:
/service/smtpd: up
(pid 24020) 14 seconds |
If both of these services start up correctly, then qmail-ldap is now
started and should be running good. Our qmail-ldap installation should
be complete, but no mail will actually be delivered yet because we have
no users in our LDAP directory. The next section will focus on user
creation and making sure mail can be delivered to our users.
6.3 - Relaying
In order for our mail users to be able to send mail to domains other
than the one(s) on our server, we need to configure some rules for
selective relaying. The easiest way of doing this is by IP address or IP
network specification with tcpserver. Since we can usually assume that
users on our network are trusted and should be allowed to send, and that
those outside of our network are untrusted, this comes out to be a
simple but effective method. Another means of allowing selective
relaying is by using STMP AUTH, which is supported by qmail-ldap, but
will be discussed later.
qmail-smtpd is the component that will be in control of allowing remote
clients to relay mail to other domains. To configure its rules, edit the
file tcp under its svscan service directory.
Before jumping into this file, take a moment to build the ruleset that
will be used. Any clients that will be allowed to relay from thier IP
address will need to have the RELAYCLIENT variable set for them. Let's
say we have clients on the network 10.0.0.0/24 and 192.168.3.0/24 that
need to relay. Everyone but these addresses, and the local server
itself, will be denied. Our tcp file might look like this:
127.:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow |
This file accomplishes what we want; the RELAYCLIENT variable is set for
our trusted hosts and networks, and although other addresses are allowed
to connect to the server, they are not given access to relay. The only
destinations for which mail will be received from these clients are
addresses housed on our server.
Once the tcp file has been correctly set up, change into the service
directory and create the CDB file that tcpserver is expecting.
This will compile the rules that tcpserver uses into the file tcp.cdb.
From one of the hosts that you configured the tcp file to allow relaying
from, attempt to send mail to a host in another domain (such as a test
account at hotmail, or similar.) |
7.0 - User addition
In order to create user accounts for our qmail-ldap system, we need to
add entries to our LDAP directory. Earlier in our configuration of
qmail-ldap control files, we specified a OU called qmail_users to
contain all of our qmail-ldap accounts. Let's first create this
container using and LDIF file.
7.1 - LDIF format
LDIF is the format used to create import files for OpenLDAP. We will use
an LDIF file with the native directory management utilities included in
OpenLDAP to add our user accounts.
NOTE: There are many other utilities such as web-based administration
tools and more that allow remote management of LDAP directories. They
can even make the addition of new user accounts to the tree very easy.
But without delving much further into the matter than we need to at this
moment, we will not be able to discuss other methods of user management
than LDIF imports.
Create a file called qmail_ou.ldif containing the below text:
dn: ou=qmail_users,dc=example,dc=tld
ou: qmail_users
objectclass: top
objectclass: organizationalUnit |
As seen above, we are specifying a definition for an OU in reference to
the suffix of our tree. You can call this OU whatever you want, but the
dn line must reference the top level of your tree, which is the suffix.
If you've forgotten what your suffix was, refer to yoru slapd.conf.
With this file created, we can now import it using the ldapadd utility
as follows:
| ldapadd -x -D "cn=Manager,dc=example,dc=tld" -W -f qmail_ou.ldif |
This should prompt you for the password of your LDAP Manager user. If
the import is successful, ldapadd should output a confirmation message:
| adding new entry "ou=qmail_users,dc=example,dc=tld" |
We can use the ldapsearch utility to make sure that our OU is now
visible in the directory. The following command will search the tree and
display any OUs that are present:
| ldapsearch -x -s one -b 'dc=example,dc=tld' '(ou=qmail_users)' |
This should output information regarding our OU, including the LDIF
format similar to what we imported. You should see something like this
as output:
# qmail_users, example, tld
dn: ou=qmail_users,dc=example,dc=tld
objectClass: top
objectClass: organizationalUnit
ou: qmail_users |
Having created our container OU, let's now move on to adding a user
account entry to our directory. The first thing to do is define an LDIF
format template that can be used. Let's try one like this:
# First last, qmail_users, example, tld
dn: cn=First Last,ou=qmail_users,dc=example,dc=tld
cn: First Last
ou: qmail_users
sn: Last
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: qmailUser
mail: [email protected]
mailHost: mail.example.tld
mailQuotaSize: 0
mailQuotaCount: 0
deliveryMode: normal
uid: username
accountStatus: active
userPassword: {hash}**********************************
mailMessageStore: username
mailAlternateAddress: [email protected] |
The first thing to note is that there are many more lines than were
present when we added our qmail_users OU. That is because the definition
of a qmail-user account has many more attributes than a container does.
For a full description of all available attributes, see the file
/var/qmail/doc/QLDAPINSTALL.
We will cover what each of these lines is and then create an LDIF import
for our first user, an administrative email contact.
-
dn: The DN is the Distinguished Name of the object. This is the full
heirarchical description of its location in the tree. This is also the
unique identifier for the object in the directory.
-
cn: CN stands for Canonical Name and is the user's short identifying
name. This is the name that will be used to identify the account object.
We will use the structure First Last to identify the object by first
name and last name.
-
ou: OU is the Organizational Unit that the object is located in. An OU
is simply a container object that a directory object can be placed in
for organization and sorting. There can be any number of OUs in an
object's heirarchy, depending where in the tree it is desired for them
to be located. If an object was located inside of more than one OU
(recursively), then there would be an "ou" entry for each OU.
-
sn: This is the object's surname, or last name. This will help make it
possible to search the tree by a user's last name, if desired.
-
objectClass: Each object in the LDAP directory has a number of required
and optional attributes. These attributes are determined by what type of
object the user account is. For example, having an objectClass of
qmailUser, an object acquires attributes such as a forwarding address,
mail store, account status, and more. Multiple objectClasses are defined
to combine attributes.
-
mail: This entry defines the account's primary, unique email address on
the server. This should be the primary address that mail will be
received at on the server.
-
mailHost: For environments where user's mailstores are located on
different server, this defines the particular mail server where the
target user's mail is stored.
-
mailQuotaSize: This attribute allows the administrator to set a custom
quota per user on the size of the user's Maildir. This should be set to
a number of bytes.
-
mailQuotaCount: This defines the max number of messages that may be
contained in a user's Maildir. This should be set to a number of
messages.
-
deliveryMode: This field has several options, some which may never be
used. The two that most interest us are normal and reply. When set to
reply, the user's account is in a sort of vacation mode and an autoreply
text message will be sent to the senders of any messages received while
the account field is in reply mode.
-
uid: This is the account's user name or login name. It must be unique
and is the ID that will be used for logging in for mail retrieval via
POP3 or IMAP.
-
accountStatus: This is really a switch that determines the access that a
user's account has on the server. Possible settings include: active (the
user can receive mail and log in to retrieve mail), noaccess (mail will
be delivered but the user may not log in to retrieve it), disabled
(incoming messages are bounced), and deleted (incoming messages bounced
and marked for deletion).
-
userPassword: This field is defined by specifying a password hash and
the password encrypted by that hash. This is the password required for
the user to login and receive email via POP3 or IMAP and also when using
SMTP-AUTH. Details for creating an LDAP-capable password of this format
can be found in the man page slappasswd(8).
-
mailMessageStore: This is the path to the user's home directory, under
which the Maildir will be found. Remember that the ldapmessagestore
control file defined a default location to search for user home
directories; since we defined a location in that file, we can simply
define a relative path in this field and it will be appended to the
contents of the control file for an absolute path. We can make this
field the same as the account uid attribute and it will keep things
consistent. Note that since we compiled qmail-ldap with automatic home
directory and maildir creation capability, these locations will
automatically be created.
-
mailAlternateAddress: This attribute defines aliases or alternate email
addresses where mail to this user may be sent and it will be delivered
to this account. If the user's mail attribute above was
[email protected], and our mail server is mail.example.tld, I usually
define a mailAlternateAddress of [email protected] so that
messages to the user at the FQDN of the host (system messages, usually)
are also delivered to this account. A user can have many of these fields
defined, if there are many alternate addresses that would be delivered
to this host. (Virtual domains and the like.)
Now, let's create our first qmail-ldap user object. The first account
we'll need is for the postmaster account; we need someone to receive
bounce messages and administrative email. To do this, create another
LDIF file. Let's call this one postmaster.ldif and take the following
items into consideration:
-
This account will receive email sent to the root user of our mail
server, mail sent to the postmaster address (for bounce messages and
other mail administrative tasks), and we want all of this under control
of a user called admin that we can log into for mail retrieval
occasionally.
-
The password for this account will be stored in and MD5 hash.
-
We will refer to this user as the mail admin for the domain, so let's
call him Example.tld Admin. The primary email address will be
[email protected].
In order to create the user's password, use the slappasswd utility as
follows:
This will prompt you to enter in and confirm a password for this user,
at which point an MD5 hash of the password will be output. Example:
$ slappasswd -h {md5}
New password:
Re-enter new password:
{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ== |
The last line output, including the {MD5}, is the string that will put
into the user's userPassword field.
Given this information, our new user's LDIF file should look something
like this:
# Example.tld Admin, qmail_users, example, tld
dn: cn=Example.tld Admin,ou=qmail_users,dc=example,dc=tld
cn: Example.tld Admin
ou: qmail_users
sn: Admin
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: qmailUser
mail: [email protected]
mailHost: mail.example.tld
mailQuotaSize: 0
mailQuotaCount: 0
deliveryMode: normal
uid: admin
accountStatus: active
userPassword: {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
mailMessageStore: admin
mailAlternateAddress: [email protected]
mailAlternateAddress: [email protected]
mailAlternateAddress: [email protected] |
Having created this LDIF file and saved it out, use the ldapadd utility
to import the LDIF as before:
| ldapadd -x -D "cn=Manager,dc=example,dc=tld" -W -f postmaster.ldif |
If the import is successful, the utility will notify you. Now, let's use
one of qmail-ldap's utilities to see if we can retrieve the user
information from the directory. We can use the qmail-ldaplookup utility,
which must be executed by root, to perform this lookup. To do this, pass
it a -u option together with the name of the user account, as follows:
| var/qmail/bin/qmail-ldaplookup -u admin |
If the lookup is successful, you will see the LDIF format for the user
account output with all of the attributes for the user defined. This
tells us that any user attempting to log in with the UID of admin will
match the shown attributes. Alternatively, we can pass the command any
of the email addresses defined for the user account and receive
confirmation that delivery to these addresses will occur in connection
with this user account. To do this, use the -moption together with an
email address, as follows:
This should perform a lookup for an account with that email address
defined as their mail or mailAlternateAddress attribute and will return
the same information as the first query.
Now that we have a user account in our database, let's move on to the
next step and examine our log files to debug the delivery of messages on
the server.
7.2 - Test mail delivery
Earlier on, when we were configuring qmail-ldap's Makefile to enable
options we wanted, we enabled an option called automatic home directory
creation. For this to work, we need to create a script that can be used
to create a user's home directory and tell qmail-ldap to use it. Create
the following script as /var/qmail/bin/dirmaker.sh:
#!/bin/sh
/bin/mkdir -m 0700 -p $1 |
Make the script executable:
| chmod +x /var/qmail/bin/dirmaker.sh |
If this option is available, qmail-ldap will look at a control file to
find out which script it will use to create the home directory. Tell
qmail-ldap about this script by putting the path to it in the dirmaker
control file:
| echo /var/qmail/bin/dirmaker.sh > /var/qmail/control/dirmaker |
To test mail delivery, we can use the qmail-inject command to attempt a
delivery and immediately view the log files to see the status of the
delivery. To use qmail-inject, send it a delivery instruction on
standard input:
After returning to your shell, take a look at the qmail delivery service
log file. If this service was set up according to the qmail-conf
instructions, it can be found at /service/qmail/log/main/current. Use
the tail command to see the most recent delivery:
| tail /service/qmail/log/main/current |
The output should look something like this:
@400000003f9bad83236a7d7c new msg 406796
@400000003f9bad8324587f2c info msg 406796: bytes 231 from qp 12122 uid 1000
@400000003f9bad8326c2533c starting delivery 1: msg 406796 to local [email protected]
@400000003f9bad8326c56464 status: local 1/10 remote 0/20
@400000003f9bad83308224ec delivery 1: success: did_1+0+0/
@400000003f9bad8330f414e4 status: local 0/10 remote 0/20
@400000003f9bad8330fb4c8c end msg 406796 |
The logs show a new delivery (msg 406796) from the root user; the fourth
line shows it being placed in queue, giving us one local delivery to do.
The next line shows a success status, having performed "1" local
delivery. The next line shows us that there are no more messages in
queue, and the final line shows a status complete for this message
delivery.
It appears that everything went successful with this message delivery.
Remember also that we have specified automatic home directory and
maildir creation, and even though we didn't have to create any
directories for the admin user, his mail was delivered correctly!
Everything is working fine so far. Let's check under our vmail user's
home directory and make sure the structure was created for the admin
user:
# ls -l /var/vmail
drwx------ 3 vmail vmail 512 Oct 20 01:33 admin |
As we can see, we have a home directory for the admin user we created.
Since our delivery attempt to this user succeeded, we can be sure that
our automatic maildir creation succeeded also. This is one example of
how qmail-ldap can scale to an organization's needs; a directory account
can be created and no time is needed to see to creating a home directory
or mailbox, or seeing to correct permissions on the needed files, or
granting access to the mailstore via POP3 or IMAP. As we will see later,
even mail retrieval can be carefully controlled and setup through
qmail-ldap. |
8.0 - Optional feature enhancements
At our current point, we should now have a functional qmail-ldap server
that will allow users on our network to send and receive email based on
the configuration of our LDAP directory accounts for them. The upcoming
sections will expand our configuration and qmail-ldap's features with
some very useful add-on functionality.
8.1 - Authenticated SMTP with SMTP-AUTH
The main appeal in SMTP-AUTH is to be able to support roaming mail users
that wish to relay mail from our SMTP server but may not be on our
allowed list of networks in the tcp.cdb file. Authenticated SMTP will
allow the user to enter in the credentials of their qmail-ldap user
account and be granted relay access regardless of their network
location.
In order for qmail-smtpd to support this functionality, its run script
will have to be adjusted to include the auth_smtp program. Open the file
/service/smtpd/run in your editor and adjust the last line in the file
as follows:
From this:
| /var/qmail/bin/qmail-smtpd |
To this:
| /var/qmail/bin/qmail-smtpd /var/qmail/bin/auth_smtp /usr/bin/true |
The other requirement is to
set the variable SMTPAUTH on the server. To do this, return to the tcp
file that we created earlier to configure IP-based relaying rules and
adjust it to set this variable for the untrusted networks. Here is our
current tcp file:
127.:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow |
Since our goal is to preserve
relaying permissions in our trusted networks, and extend the ability to
relay to authenticated clients in the untrusted networks, we can add the
SMTPAUTH variable to the last line of this file. To require
authentication, this variable must be set to the value AUTHREQUIRED, as
follows:
127.:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED" |
Now force qmail-smtpd to reinitialize:
Configure a mail client on a
network that is not granted relay access to use SMTP authentication.
Several clients support this option, but if you don't have any handy,
give Mozilla Mail a try. Send a message to a user in a different domain
and the client should prompt you for your password after you click send.
Messages that have been sent from a client using SMTP-AUTH will have a
special format indicating this in their headers, like this:
| Recieved: from unknown (HELO example.tld) (admin@[172.16.22.4]) ... |
Note that the last part of
this line is prefixed with the text admin@. This indicates that the
message was sent by a user that authenticated as "admin"; normal
unauthenticated messages would be missing this part in the header and
contain only the address of the transferring mailer.
Here is a snippet of an SMTP conversation captured with recordio. Notice
how the server and client negotiate the authentication using the AUTH
LOGIN PLAIN extension. Upon successful authentication, the client is
allowed to relay to the remote user without a problem.
2003-10-30 13:41:15.410965500 12292 > 220 mail.example.tld ESMTP
2003-10-30 13:41:15.467565500 12292 < EHLO example.tld
2003-10-30 13:41:15.468188500 12292 > 250-mail.example.tld
2003-10-30 13:41:15.468793500 12292 > 250-PIPELINING
2003-10-30 13:41:15.468801500 12292 > 250-SIZE 0
2003-10-30 13:41:15.468805500 12292 > 250-DATAZ
2003-10-30 13:41:15.468810500 12292 > 250-STARTTLS
2003-10-30 13:41:15.468814500 12292 > 250-AUTH LOGIN PLAIN
2003-10-30 13:41:15.468819500 12292 > 250 8BITMIME
2003-10-30 13:41:15.470283500 12292 < AUTH PLAIN BGQkbXllAHPl739ljA==
2003-10-30 13:41:15.500701500 12292 > 235 nice to meet you
2003-10-30 13:41:15.503025500 12292 < MAIL FROM:
2003-10-30 13:41:15.503806500 12292 > 250 ok
2003-10-30 13:41:15.505684500 12292 < RCPT TO:
2003-10-30 13:41:15.506648500 12292 > 250 ok
2003-10-30 13:41:15.508681500 12292 < DATA
2003-10-30 13:41:15.511711500 12292 > 354 go ahead punk, make my day
[...] |
8.2 - Additional spam controls
8.2.1 - Using RBLs
The RBL patch included in qmail-ldap allows the qmail-smptd service to
compare a connecting mailer's IP address to one or more remote
blacklists that can identify servers with previous histories of sending
unsolicited mail or acting as an open relay. This measure alone can
dramatically cut down on the amount of undesired mail that can be
delivered to users on your server. The ability to block messages from
these servers can be altered so that senders discovered to be on an RBL
are still accepted, but are tagged in the header with an X-RBL: remark.
To configure support for RBL functionality, first configure the control
file that lists the RBLs and matching policies at
/var/qmail/control/rbllist. This file is multi-line and its syntax is
better discussed in /var/qmail/docs/QLDAPINSTALL. Below is a sample
rbllist file:
sbl.spamhaus.org reject 127.0.0.2 Spamhaus - http://www.spamhaus.org/SBL/
relays.ordb.org reject 127.0.0.2 ORDB - http://www.ordb.org/faq/
list.dsbl.org reject 127.0.0.2 DSBL - http://dsbl.org/main/
bl.spamcop.net reject 127.0.0.2 Spamcop - http://spamcop.net/
relays.ordb.org reject any ORDB - http://ordb.org/
spamguard.leadmon.net reject 127.0.0.2 Dialup - Address is a dialup address |
As seen, the file consists of
rows of 4 whitespace-separated fields. Each row defines an RBL to query
and the policy about messages that originate from senders found on these
lists. Our example file is using six different RBLs, rejecting matching
SMTP connections from any of them, and lists the RBL name and reference
URL in the returned message.
The last step needed after creating the RBL control file is to tell
qmail-smtpd the hosts or networks for which RBL checks should be done.
To do this, add the RBL environment variable to the tcp file for the IP
designations you desire. Here we add RBL checks to ranges of addresses
on the Internet, using our earlier example tcp file (found at
/service/smtpd/tcp):
127.:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow,RBL="" |
Having edited the tcp file,
rebuild it into the CDB database format:
Finally, restart qmail-smtpd
to intialize all of the changes:
8.2.2 - Using RCPTCHECK
If a spammer has caught wind
of an address that formerly existed on your system but is no longer
valid, messages sent to this account will be accepted for delivery. When
qmail-local discovers that the account is not valid, a bounce message is
generated notifying the sender that the delivery did not succeed. If the
address the bounce message is to be delivered to is invalid (as is often
the case with spoofed spammer sender addresses), a double bounce will be
generated and sent to the system administrator or postmaster. All of
this extra traffic can be prevented if the message recipient is first
verified for delivery. This is what the RCPTCHECK variable does; when it
is enabled, messages to recipients in domains listed in control/locals
are checked for an existing LDAP account. If the account is not found,
the message is immediately rejected by qmail-smtpd and a 550 is returned
to the connecting mailer. The following log message snippet shows this
process in action. A connecting SMTP client is checked against the
configured RBLs and passes all of them, but the invalid recipient
address causes the mail to be rejected:
qmail-smtpd 8594: connection from X.X.X.X (unknown) to mail.example.tld
qmail-smtpd 8594: enabled options: starttlsrblcheck rcptcheck smtp-auth-tls-required qmailqueue /var/qmail/bin/qmail-scanner-queue.pl
qmail-smtpd 8594: RBL check with 'sbl.spamhaus.org': no match found, continue.
qmail-smtpd 8594: RBL check with 'relays.ordb.org': no match found, continue.
qmail-smtpd 8594: RBL check with 'list.dsbl.org': no match found, continue.
qmail-smtpd 8594: RBL check with 'bl.spamcop.net': no match found, continue.
qmail-smtpd 8594: RBL check with 'spamguard.leadmon.net': no match found, continue.
qmail-smtpd 8594: message denied because of recipient verify
tcpserver: end 8594 status 0
tcpserver: status: 0/40 |
To enable this option, set the
RCPTCHECK variable to an empty string for any address ranges that should
be watched in your /service/smtpd/tcp file. The following example shows
us setting the variable for any host outside of our trusted networks:
127.:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow,RBL="",RCPTCHECK="" |
Having made the neccesary
change, rebuild the tcp.cdb file so that the system can pick up the
changes:
8.3 - POP3 support with qmail-pop3d
qmail comes with its own
secure POP3 daemon with support for mail retrieval from Maildirs. To
help set up qmail-pop3d, the qmail-config package can again help us
create the correct service directory structure.
For detailed installation instructions, refer to the author's
installation documentation located at
http://www.din.or.jp/~ushijima/qmail-conf/pop3.htmll. Remember that there
is one difference between the qmail-conf directions and the directions
for qmail-ldap; qmail-ldap will use the auth_pop daemon to authenticate
POP3 users to their LDAP accounts, so instead of the qmail-conf author's
qmail-pop3d-conf command, use this one:
| qmail-pop3d-conf /var/qmail/bin/auth_pop qmaill /var/qmail/service/pop3d |
The rest of the instructions
on the author's page are fine to follow as they are.
8.4 - Antivirus with qmail-scanner and McAfee uvscan
Rather than entering the
entire process for this into this HOWTO (it's rather lengthy), let me
just refer you to my previously authored HOWTO on installing VirusScan
for Linux on OpenBSD and using qmail-scanner to provide an AV interface
into qmail. This howto can be found at
http://www.sancho2k.net/filemgmt/singlefile.php?lid=24.
8.5 - Getting the homeDirectory attribute to play nice
If you currently use, or ever
will run into a case where you will use the attribute named
homeDirectory, beware that it may have adverse affects on your
qmail-ldap user objects.
The homeDirectory object can be defined for qmail-ldap objects on an
optional basis. If it is not present, then the value of the
mailMessageStore attribute is used in its place. However, if you define
the homeDirectory attribute for an object, and set it to a different
path on the filesystem, this will affect the location that qmail will
look for the user's mailstore. An example of this situation is when
using an LDAP enabled FTP server that relies on the homeDirectory
attribute to define a user's FTP home directory (such as PureFTPd does.)
The solution to this problem is to change the attribute name in
qmail-ldap's configuration so that the real attribute will have no
effect on it. To do this, edit the file qmail-ldap.h in the qmail-ldap
source. Locate the define statement that maps the attribute for the home
directory; probably, this one:
| #define LDAP_HOMEDIR "homeDirectory" |
Change this line to a value
that you won't use. Something like this would work:
#define LDAP_HOMEDIR
"noHomeDirectory" |
Now, stop your qmail-ldap
related services, reinstall qmail-ldap with the new settings, and
re-enable your services:
svc -d /service/qmail /service/smtpd
make setup check
svc -u /service/qmail /service/smtpd |
If you would like to test this change, add an objectClass attribute of posixAccount to an object, set
the homeDirectory attribute to a location on your filesystem not related
to qmail-ldap, and try to access folders for that user such as Sent
Items or Trash. |
|
|
 |
|
|
|
