Mail system authentication in LDAP
I suppose that Dovecot and Postfix are up and running, and that you can receive and send mail as a system user (see previous posts). It is time to configure authentication against LDAP.
Using a directory service for user authentication allows flexible management of the mail system, hosting and so on. LDAP is an established standard for authentication and authorization, and almost all software that requires authentication supports this protocol.
Let's begin with the POP3/IMAP Dovecot server, which also provides the authentication mechanism for Postfix:
/usr/bin/sudo -i
cd /etc/dovecot
vi dovecot-ldap.conf
In this file you need to define the LDAP server(s), the authentication method, the filters and the attributes. I list the most important ones:
hosts = localhost
auth_bind = yes
base = o=hosting,dc=example,dc=com
scope = subtree
user_attrs = homeDirectory=home
user_filter = (&(objectClass=mailUser)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=mailUser)(mail=%u))
Below is a short description:
hosts - space-separated list of LDAP hosts to use. host:port is allowed too, e.g.:
localhost ldap1:1389 192.168.1.2:2389
auth_bind - use authentication binding to verify the password's validity. This works by logging into the LDAP server with the username and password given by the client. If you set 'no', Dovecot will use the credentials given in auth_bind_userdn, which must have permission to read the userPassword attribute
base - base DN under which Dovecot will search for users
scope - search scope: base, onelevel, subtree
user_attrs - LDAP-to-Dovecot attribute mapping, given in the form LDAP-name=dovecot-internal-name; here I map homeDirectory from LDAP to the user's home directory (home)
user_filter - filter used for the LDAP search; here I require the mailUser objectClass and the mail address given by the client (note that I use the full e-mail address, not uid, which is the default).
pass_attrs - attributes used for password checking
pass_filter - same as user_filter
This is not the end of the Dovecot configuration, but now we need to add the appropriate entries to the LDAP directory. You can use any of the utilities for managing entries; I used phpLDAPadmin:
dn: o=hosting,dc=example,dc=com
o: hosting
objectclass: organization
objectclass: top
This is the base DN for the mail system. Below it we put virtual domains based on the mailDomain object class from the iredmail.ldif schema. This is the LDIF for a virtual domain:
dn: domainName=example.com,o=hosting,dc=example,dc=com
domainname: example.com
objectclass: mailDomain
objectclass: top
The mailDomain object class makes it possible to set some useful attributes, but for now this is enough. Now we can add a virtual user; this should be postmaster, so as not to be RFC-ignorant:
dn: uid=postmaster,domainName=example.com,o=hosting,dc=example,dc=com
cn: postmaster
mail: postmaster@example.com
objectclass: inetOrgPerson
objectclass: top
sn: Postmaster
uid: postmaster
userpassword: {MD5}Gnmk1g3mcY6OWzJuM4rlMw==
Please note that I did not add mailUser but the inetOrgPerson object class, because mailUser is not a structural object class and cannot be added to the directory on its own. It has to be added in a second step; this is the LDIF:
dn: uid=postmaster,domainName=example.com,o=hosting,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: mailUser
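As an added example (not code from the original post), here is a small Python generator for the two LDIF records shown above, the structural inetOrgPerson add followed by the modify that attaches the auxiliary mailUser class. It stores userPassword as a salted {SSHA} hash instead of the unsalted {MD5} value used above; slapd understands this form natively, so auth_bind keeps working. The DN layout and the base DN are taken from this post; the password is a constructed sample value.

```python
import base64
import hashlib
import os

# DN layout from the post: uid=<user>,domainName=<domain>,o=hosting,dc=example,dc=com
BASE_DN = "o=hosting,dc=example,dc=com"


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} userPassword value (salted SHA-1).

    slapd verifies this form itself on bind, so Dovecot never needs read
    access to a plaintext or reversible password attribute.
    """
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value the way slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False  # other schemes ({MD5}, {CRYPT}, ...) are not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def user_ldif(uid, domain, password):
    """Build the two LDIF records: the inetOrgPerson entry, then the modify
    that adds mailUser (an auxiliary class, so it cannot be added standalone).
    All values here are ASCII; LDIF needs base64 ('attr::') for anything else."""
    dn = f"uid={uid},domainName={domain},{BASE_DN}"
    add = "\n".join([
        f"dn: {dn}",
        "objectClass: top",
        "objectClass: inetOrgPerson",
        f"cn: {uid}",
        f"sn: {uid.capitalize()}",
        f"uid: {uid}",
        f"mail: {uid}@{domain}",
        f"userPassword: {ssha_hash(password)}",
    ])
    modify = "\n".join([f"dn: {dn}", "changetype: modify",
                        "add: objectClass", "objectClass: mailUser"])
    return add, modify


if __name__ == "__main__":
    add, mod = user_ldif("postmaster", "example.com", "s3cret-sample")
    print(add, mod, sep="\n\n")  # feed each record to ldapadd / ldapmodify
```

Write the first record to a file for ldapadd and the second for ldapmodify, in that order, exactly as the post does by hand.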
It is time to go back to the Dovecot configuration and activate LDAP authentication. Edit the dovecot.conf file and set:
mail_uid = 501
mail_gid = 501
auth_verbose = yes
auth_debug = yes
and in the auth default section:
mechanisms = plain login
passdb ldap {
# Path for LDAP configuration file
args = /etc/dovecot/dovecot-ldap.conf
}
userdb ldap {
# Path for LDAP configuration file
args = /etc/dovecot/dovecot-ldap.conf
}
Add the group and user to the system and create the home directory:
groupadd -g 501 vmail
useradd -g vmail -u 501 -d /vdhome -m -s /bin/false -c "Virtual mail user" vmail
Restart the Dovecot server, configure a mail user agent (e.g. Thunderbird), and check the logs:
service dovecot restart
tail -f /var/log/mail.log /var/log/auth.log /var/log/syslog
If you can log in to your Inbox, that means this description is very good 🙂 But Murphy's law says: "If everything seems to be going well, you have obviously overlooked something." 😉
Your mail client will probably use 'postmaster' as the user name (not 'postmaster@example.com'), especially since recent versions try to configure mail servers and the username automagically. I do not like it when machines try to be smarter than I am... We need to put the full e-mail address there (postmaster@example.com).
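To show why the login fails with a bare 'postmaster', here is an added example (not from the original post) that expands the Dovecot filter variables the way Dovecot does (%u is the full login name, %n its local part, %d its domain) and evaluates the resulting filter against a constructed copy of the postmaster entry. The uid-based filter is my own variant of the "log in by uid" alternative mentioned below.

```python
import re

# Constructed copy of the postmaster entry from the LDIF above. LDAP attribute
# names are case-insensitive, so they are stored and compared lower-cased.
POSTMASTER = {
    "objectclass": ["top", "inetOrgPerson", "mailUser"],
    "uid": ["postmaster"],
    "mail": ["postmaster@example.com"],
}

USER_FILTER = "(&(objectClass=mailUser)(mail=%u))"  # as in dovecot-ldap.conf
UID_FILTER = "(&(objectClass=mailUser)(uid=%n))"    # assumed uid-based variant


def expand(template, login):
    """Substitute Dovecot's %u (full login), %n (local part) and %d (domain).
    With no '@' in the login, %n equals %u and %d is empty."""
    local, _, domain = login.partition("@")
    return template.replace("%u", login).replace("%n", local).replace("%d", domain)


def matches(filt, entry):
    """Evaluate a filter of the shape (&(attr=value)...) against one entry.
    Only the AND-of-equalities form used in dovecot-ldap.conf is supported;
    equality is case-insensitive, like the directory's own matching rules."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)):
        present = [v.lower() for v in entry.get(attr.lower(), [])]
        if value.lower() not in present:
            return False
    return True


def lookup(login, filt=USER_FILTER):
    """True when Dovecot's user search for this login would find the entry."""
    return matches(expand(filt, login), POSTMASTER)


if __name__ == "__main__":
    for login in ("postmaster", "postmaster@example.com"):
        print(login, "->", "found" if lookup(login) else "unknown user")
```

Note that a uid-only filter stops being unique once a second domain under the same base has its own postmaster, because scope = subtree searches all domains; the full address in mail=%u avoids that.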
I suppose that you have persuaded your mail client to use the full e-mail address as the username, or that you changed the attributes and filters to log in by uid, and you can log in to the mailbox. A similar directory structure should now exist on the server's disk:
ls -la /vdhome/example.com/postmaster/Maildir/
total 40
drwx------ 6 vmail vmail 4096 2010-12-03 22:34 .
drwx------ 3 vmail vmail 4096 2010-12-03 22:34 ..
drwx------ 2 vmail vmail 4096 2010-12-03 22:34 cur
-rw------- 1 vmail vmail 248 2010-12-03 22:34 dovecot.index.log
-rw------- 1 vmail vmail 17 2010-12-03 22:34 dovecot-uidlist
-rw------- 1 vmail vmail 8 2010-12-03 22:34 dovecot-uidvalidity
-rw------- 1 vmail vmail 0 2010-12-03 22:34 dovecot-uidvalidity.4cf9626e
drwx------ 2 vmail vmail 4096 2010-12-03 22:34 new
-rw------- 1 vmail vmail 6 2010-12-03 22:34 subscriptions
drwx------ 2 vmail vmail 4096 2010-12-03 22:34 tmp
drwx------ 5 vmail vmail 4096 2010-12-03 22:34 .Trash