{"id":240,"date":"2011-03-16T14:06:53","date_gmt":"2011-03-16T13:06:53","guid":{"rendered":""},"modified":"2011-05-25T15:13:07","modified_gmt":"2011-05-25T13:13:07","slug":"mail-system-authentication-ldap","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/mail-system-authentication-ldap\/","title":{"rendered":"Mail system authentication in LDAP"},"content":{"rendered":"<h3>I suppose that Dovecot and Postfix are up and running, and that you can receive and send mail as a system user (see previous posts). It is time to configure authentication in LDAP.<\/h3>\n<p>Using a directory service for user authentication allows flexible management of the mail system, hosting and so on. LDAP is an established standard for authentication and authorization, and almost all software that requires authentication supports this protocol.<\/p>\n<h3>Let&#8217;s begin with the POP3\/IMAP Dovecot server, which also provides the authentication mechanism for Postfix:<\/h3>\n<pre><code>\r\n\/usr\/bin\/sudo -i\r\ncd \/etc\/dovecot\r\nvi dovecot-ldap.conf\r\n<\/code><\/pre>\n<p>In this file you need to define the LDAP server(s), the authentication method, and the filters and attributes. I list the most important ones:<\/p>\n<pre><code>\r\nhosts = localhost\r\nauth_bind = yes\r\nbase = o=hosting,dc=example,dc=com\r\nscope = subtree\r\nuser_attrs = homeDirectory=home\r\nuser_filter = (&(objectClass=mailUser)(mail=%u))\r\npass_attrs = mail=user,userPassword=password\r\npass_filter = (&(objectClass=mailUser)(mail=%u))\r\n<\/code><\/pre>\n<p><!--break--><\/p>\n<p>Below is a short description:<\/p>\n<pre>\r\nhosts - space-separated list of LDAP hosts to use. host:port is allowed too, e.g.:\r\n<code>localhost ldap1:1389 192.168.1.2:2389<\/code>\r\nauth_bind - use authentication binding to verify the password's validity. This works by logging into the LDAP server using the username and password given by the client. 
If you set 'no', Dovecot will use the credentials given in auth_bind_userdn, which must have permission to read the userPassword attribute\r\nbase - base DN under which Dovecot will search for users\r\nscope - search scope: base, onelevel, subtree\r\nuser_attrs - mapping of LDAP attributes to Dovecot attributes, given in LDAP-name=dovecot-internal-name form; here I set homeDirectory from LDAP as the user's home directory (home)\r\nuser_filter - filter used for the LDAP search; here I match the <b>mailUser<\/b> objectClass and the <b>mail<\/b> attribute given by the client (note that I use the full e-mail address, not <b>uid<\/b>, which is the default)\r\npass_attrs - attributes used for password checking\r\npass_filter - as user_filter\r\n<\/pre>\n<p>This is not the end of the Dovecot configuration, but now we need to add the appropriate entries to the LDAP directory. You can use any of the utilities that manage entries; I used phpLDAPadmin:<\/p>\n<pre><code>\r\ndn: o=hosting,dc=example,dc=com\r\no: hosting\r\nobjectclass: organization\r\nobjectclass: top\r\n<\/code><\/pre>\n<p>This is the base DN for the mail system. Below it we put virtual domains based on the <b>mailDomain<\/b> object class from the <code>iredmail.ldif<\/code> schema. This is the LDIF for a virtual domain:<\/p>\n<pre><code>\r\ndn: domainName=example.com,o=hosting,dc=example,dc=com\r\ndomainname: example.com\r\nobjectclass: mailDomain\r\nobjectclass: top\r\n<\/code><\/pre>\n<p>The <b>mailDomain<\/b> object class allows setting some useful attributes, but for now this is enough. 
Now we can add a virtual user; this should be postmaster, to avoid being <i>RFC ignorant<\/i>:<\/p>\n<pre><code>\r\ndn: uid=postmaster,domainName=example.com,o=hosting,dc=example,dc=com\r\ncn: postmaster\r\nmail: postmaster@example.com\r\nobjectclass: inetOrgPerson\r\nobjectclass: top\r\nsn: Postmaster\r\nuid: postmaster\r\nuserpassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==\r\n<\/code><\/pre>\n<p>Please note that I did not add the <b>mailUser<\/b> object class but <b>inetOrgPerson<\/b>, because <b>mailUser<\/b> is not a structural object class and cannot be added to the directory on its own. It should be added in a second step, with this LDIF:<\/p>\n<pre><code>\r\ndn: uid=postmaster,domainName=example.com,o=hosting,dc=example,dc=com\r\nchangetype: modify\r\nadd: objectclass\r\nobjectclass: mailUser\r\n<\/code><\/pre>\n<h3>It is time to go back to the Dovecot configuration and activate LDAP authentication. Edit the <code>dovecot.conf<\/code> file and set:<\/h3>\n<pre><code>\r\nmail_uid = 501\r\nmail_gid = 501\r\n\r\nauth_verbose = yes\r\nauth_debug = yes\r\n<\/code><\/pre>\n<p>and in the <code>auth default<\/code> section:<\/p>\n<pre><code>\r\n  mechanisms = plain login\r\n\r\n  passdb ldap {\r\n    # Path for LDAP configuration file\r\n    args = \/etc\/dovecot\/dovecot-ldap.conf\r\n  }\r\n\r\n  userdb ldap {\r\n    # Path for LDAP configuration file\r\n    args = \/etc\/dovecot\/dovecot-ldap.conf\r\n  }\r\n<\/code><\/pre>\n<p>Add the group and user to the system and create the home directory:<\/p>\n<pre><code>\r\ngroupadd -g 501 vmail\r\nuseradd -g vmail -u 501 -d \/vdhome -m -s \/bin\/false -c \"Virtual mail user\" vmail\r\n<\/code><\/pre>\n<p>Restart the Dovecot server, configure a mail user agent (e.g. 
Thunderbird), and check the logs:<\/p>\n<pre><code>\r\nservice dovecot restart\r\ntail -f \/var\/log\/mail.log \/var\/log\/auth.log \/var\/log\/syslog\r\n<\/code><\/pre>\n<p>If you can log in to the Inbox, that means this description is very good \ud83d\ude42 But Murphy&#8217;s law says: <i>&#8220;If everything seems to be going well, you have obviously overlooked something.&#8221;<\/i> \ud83d\ude09<\/p>\n<p>Your mail client will probably use &#8216;postmaster&#8217; as the user name (not &#8216;postmaster@example.com&#8217;); recent versions in particular try to configure the mail servers and username automagically. I do not like it when machines try to be smarter than I am&#8230; We need to put the full e-mail address there (postmaster@example.com).<\/p>\n<p>I suppose that you have persuaded your mail client to use the full e-mail address as the username, or that you changed the attributes and filters to log in by uid, and you can log in to the mailbox. A directory structure similar to this should have been created on the server&#8217;s disk:<\/p>\n<pre><code>\r\nls -la \/vdhome\/example.com\/postmaster\/Maildir\/\r\ntotal 40\r\ndrwx------ 6 vmail vmail 4096 2010-12-03 22:34 .\r\ndrwx------ 3 vmail vmail 4096 2010-12-03 22:34 ..\r\ndrwx------ 2 vmail vmail 4096 2010-12-03 22:34 cur\r\n-rw------- 1 vmail vmail  248 2010-12-03 22:34 dovecot.index.log\r\n-rw------- 1 vmail vmail   17 2010-12-03 22:34 dovecot-uidlist\r\n-rw------- 1 vmail vmail    8 2010-12-03 22:34 dovecot-uidvalidity\r\n-rw------- 1 vmail vmail    0 2010-12-03 22:34 dovecot-uidvalidity.4cf9626e\r\ndrwx------ 2 vmail vmail 4096 2010-12-03 22:34 new\r\n-rw------- 1 vmail vmail    6 2010-12-03 22:34 subscriptions\r\ndrwx------ 2 vmail vmail 4096 2010-12-03 22:34 tmp\r\ndrwx------ 5 vmail vmail 4096 2010-12-03 22:34 .Trash\r\n<\/code><\/pre>\n<p><!--\n\n\n<p>So shall we try sending mail outside? I wonder whether it will work? Ha! 
I said it would not work the first time: again the stubborn mail client sends just the username without the domain, so it has to be corrected in the mail client. After the correction it should work, because Postfix authenticates sending through Dovecot, which already knows to look in LDAP. A <code>.Sent<\/code> directory should appear in the directory structure (if you use IMAP).<\/p>\n\n\n\n\n<p>That is all for today; we have logging in to mail and sending with authentication against the LDAP directory sorted out. We still need to teach Postfix to deliver mail to the mailboxes, but that will be in the next episode.<\/p>\n\n\n--><\/p>\n","protected":false},"excerpt":{"rendered":"<h3>I suppose that Dovecot and Postfix are up and running, and that you can receive and send mail as a system user (see previous posts). It is time to configure authentication in LDAP.<\/h3>\n<p>Using a directory service for user authentication allows flexible management of the mail system, hosting and so on. LDAP is an established standard for authentication and authorization, and almost all software that requires authentication supports this protocol.<\/p>\n<h3>Let&#8217;s begin with the POP3\/IMAP Dovecot server, which also provides the authentication mechanism for Postfix:<\/h3>\n<pre><code>\r\n\/usr\/bin\/sudo -i\r\ncd \/etc\/dovecot\r\nvi dovecot-ldap.conf\r\n<\/code><\/pre>\n<p>In this file you need to define the LDAP server(s), the authentication method, and the filters and attributes. 
I list the most important ones:<\/p>\n<pre><code>\r\nhosts = localhost\r\nauth_bind = yes\r\nbase = o=hosting,dc=example,dc=com\r\nscope = subtree\r\nuser_attrs = homeDirectory=home\r\nuser_filter = (&#038;(objectClass=mailUser)(mail=%u))\r\npass_attrs = mail=user,userPassword=password\r\npass_filter = (&#038;(objectClass=mailUser)(mail=%u))\r\n<\/code><\/pre>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[],"tags":[22,54],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-3S","jetpack-related-posts":[{"id":330,"url":"https:\/\/drfugazi.eu.org\/en\/mail-system-authentication-ldap\/","url_meta":{"origin":240,"position":0},"title":"Mail system authentication in LDAP","author":"","date":"Wednesday March 16th, 2011","format":false,"excerpt":"I suppose that Dovecot and Postfix are up and running, and that you can receive and send mail as a system user (see previous posts). It is time to configure authentication in LDAP. Using a directory service for user authentication allows flexible management of the mail system, hosting and so on. 
LDAP\u2026","rel":"","context":"Similar post","block_context":{"text":"Similar post","link":""},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":374,"url":"https:\/\/drfugazi.eu.org\/en\/mail-system-implementation\/","url_meta":{"origin":240,"position":1},"title":"Mail system implementation","author":"drfugazi","date":"Thursday August 16th, 2012","format":false,"excerpt":"My experience, gained during the implementation of different systems, shows that implementation should be done in stages. Then, at each stage, you can see if it works and whether there are areas to improve, before going on to the next stage of the implementation. Mail system implementation is no exception.\u2026","rel":"","context":"In &quot;Mail system&quot;","block_context":{"text":"Mail system","link":"https:\/\/drfugazi.eu.org\/en\/category\/mail-system\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":373,"url":"https:\/\/drfugazi.eu.org\/en\/budowa-systemu-pocztowego\/","url_meta":{"origin":240,"position":2},"title":"Building mail system","author":"drfugazi","date":"Monday August 13th, 2012","format":false,"excerpt":"This description is based on my experience, gained during the mail system implementation at the University of Silesia (Katowice\/Poland). In the first stage there were about 3 000 users; now the system is handling about 40 k mail users. 
The whole system (excluding Sophos AV) is based on Open\u2026","rel":"","context":"In &quot;Mail system&quot;","block_context":{"text":"Mail system","link":"https:\/\/drfugazi.eu.org\/en\/category\/mail-system\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":231,"url":"https:\/\/drfugazi.eu.org\/en\/konfiguracja-uwierzytelniania-poczty-w-ldap\/","url_meta":{"origin":240,"position":3},"title":"Konfiguracja uwierzytelniania poczty w LDAP","author":"drfugazi","date":"Friday December  3rd, 2010","format":false,"excerpt":"I assume that Dovecot and Postfix are already running and that you can receive and send mail by logging in as a system user (see previous posts). So the time has come to enable authentication in our LDAP directory (see LDAP configuration). Using LDAP for user authentication allows flexible management of mail hosting and more. LDAP is\u2026","rel":"","context":"In \"Dovecot\"","block_context":{"text":"Dovecot","link":"https:\/\/drfugazi.eu.org\/en\/tag\/dovecot\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":236,"url":"https:\/\/drfugazi.eu.org\/en\/installation-on-ubuntu\/","url_meta":{"origin":240,"position":4},"title":"Installation of mail system on Ubuntu","author":"drfugazi","date":"Tuesday January 18th, 2011","format":false,"excerpt":"I assume that you have installed the system with a basic configuration and SSH running. After logging in to the system we can install the dovecot-postfix package, which is described as a fully functional mail server: drfugazi@charr:~% sudo aptitude install dovecot-postfix [sudo] password for drfugazi: Reading extended state information Initializing package states... 
Gotowe The following NEW\u2026","rel":"","context":"In \"Mail system\"","block_context":{"text":"Mail system","link":"https:\/\/drfugazi.eu.org\/en\/tag\/mail_system\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":272,"url":"https:\/\/drfugazi.eu.org\/en\/mail-delivery-configuration-ldap\/","url_meta":{"origin":240,"position":5},"title":"Mail delivery configuration with LDAP","author":"drfugazi","date":"Wednesday May 25th, 2011","format":false,"excerpt":"Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language. Last time I wrote about authenticating users in the LDAP directory so that they can receive and send mail. Now the time has come\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/240"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=240"}],"version-history":[{"count":0,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/240\/revisions"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}