Host your own mail server


placey
09-20-2004, 01:44 AM
I thought others might be interested in how I got a non-Sendmail, secure, LDAP enabled, SMTP (Postfix) server and IMAP (Dovecot) server going on my Rimu virtual host.

Basically, I want to offer IMAP/SMTP email to friends and family across domains (my sister on abc.com, a friend on def.com, etc.), and I didn't want to use the pre-configured Sendmail. If you want to do something similar, here's the HOWTO: http://wanderingbarque.com/mailserver.html

Pete

RedOut
10-07-2004, 09:06 PM
Excellent documentation.

I set up a similar system over a year ago, and let me tell you, finding documentation on how to do it was next to impossible. I ended up taking a few different ways of doing it and mashing it into one that worked :D So your work is appreciated. Very surprising to me that this doesn't work out of the box on any Linux distros.

I may try following your docs if I decide to upgrade my VPS to a WBL.

carl
10-07-2004, 11:12 PM
Nice job with the docs!

I did something similar also, but went with MySQL for the backend. I think if I was going to do it again, I would try this patch:

http://dovecot.org/patches/postfix/

It's a patch for Postfix so that it can use dovecot-auth instead of Cyrus SASL for SMTP authentication. Looks like a good idea, since it means one less thing to break. :)

- kron

placey
10-08-2004, 12:45 AM
Thanks, guys, for the feedback. I hope the HOWTO was useful.

RedOut, you wrote that you might "upgrade" to WBL. I've been thinking that if it was reasonably easy, I'd move away from WBL to Debian. Not anytime soon, though.

And, Kron, how did you even find this patch!? Someday, again not today, I'll be upgrading Postfix to 2.1.x so I can use greylisting. When I do I'll apply this patch as well and create a new HOWTO to document the whole thing.

Pete

RedOut
10-08-2004, 02:07 PM
Anything would be an upgrade for me... I'm running RH 8.0, yet. :D Trying to decide which way to go, haven't been excited about using Fedora, and because I've used RH since 4.2 I'm not excited about switching to Debian and re-learning the file system layout.

RedOut
12-09-2004, 11:07 PM
Wow, followed your instructions and in a couple hours had my server up and running. Truly excellent howto, you saved me several hours of work.

Edit: I might note though, that the latest version of Dovecot for some reason doesn't work right. It was hanging after authentication. I went back to 0.99.10.9 and things worked fine.

One thing that caught me during the install was the hostname (It's in your howto, but I skimmed that part :D) My solution was to just rename my machine chuck.redout.org while still also responding to the other aliases I use. Once I did that, postfix stopped bouncing messages, and root@chuck.redout.org or any local accounts still receive mail locally.

I noticed you were thinking about adding SquirrelMail to the list. The SquirrelMail install is trivial, but if you'd like a brief writeup, I'd be more than happy to do so.

RedOut
12-14-2004, 10:25 PM
For anyone wanting to add SpamAssassin to this config, it's pretty simple to have a sitewide setup. Here's the process for a WBL system.

Install spamassassin, if it isn't already installed:

# apt-get install spamassassin

Edit /etc/postfix/master.cf

Find:

smtp inet n - n - - smtpd


Replace with:

smtp inet n - n - - smtpd -o content_filter=spamassassin


At the end of the file add:

spamassassin unix -     n       n       -       -       pipe
  user=nobody argv=/usr/bin/spamc -u vmail -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
# The 2nd and 3rd lines above must begin with whitespace to function properly


Start spamassassin and restart postfix:

#service spamassassin start
#service postfix restart


You'll want to start spamassassin on boot as well. Use chkconfig to add it to your desired runlevels.

Now you can 'tail -f /var/log/maillog' and send yourself a message and it should create the default configuration files in the ~vmail/.spamassassin/ directory. Subsequent messages should produce spamd chatter. Assuming you don't see any ugly messages saying SpamAssassin couldn't create the default prefs files or something, you're all set. If you do get that message make sure ~vmail is owned and writable by vmail.

Now you can use the files in the ~vmail/.spamassassin directory or the /etc/spamassassin/local.cf file to customize your install with any rules you like. Out of the box though, it is pretty decent, it lets legit commercial email through, but gets most of the garbage.
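The content_filter wiring above depends on master.cf's continuation rule (a line that starts with whitespace belongs to the previous service entry), which is exactly what the comment in the post is warning about. The following is an added example, not code from the post, from Postfix or from the HOWTO: a small parser for master.cf entries that applies that rule and then checks that the smtp service hands mail to the filter and that the filter exists as a pipe service with its argv intact. The sample master.cf text is constructed from the lines in the post; the function names are this example's own.

```python
"""Parse a Postfix master.cf fragment and check the SpamAssassin content_filter wiring.

Added example for this thread, not code from Postfix or from the post above.
The sample text is constructed from the lines in the post; the check functions
and their names are this example's own.
"""

# Constructed sample modelled on the post: smtpd with a content_filter, and the
# spamassassin pipe service whose argument lines are continued with leading whitespace.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe
  user=nobody argv=/usr/bin/spamc -u vmail -f -e
  /usr/sbin/sendmail -oi -f ${sender} ${recipient}
"""

def parse_master_cf(text):
    """Return a list of services as dicts.

    Postfix joins a line starting with whitespace onto the previous entry,
    which is why the argument lines of a pipe service must be indented.
    Comment and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # continuation line
            if not entries:
                raise ValueError("continuation line before any service entry")
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    services = []
    for entry in entries:
        fields = entry.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % entry)
        services.append({
            "name": fields[0], "type": fields[1],
            "private": fields[2], "unpriv": fields[3], "chroot": fields[4],
            "wakeup": fields[5], "maxproc": fields[6],
            "command": fields[7], "args": fields[8:],
        })
    return services

def overrides(service):
    """Collect the '-o name=value' overrides given on a service's command line."""
    result = {}
    args = service["args"]
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
            name, value = args[i + 1].split("=", 1)
            result[name] = value
    return result

def check_content_filter(text, filter_name="spamassassin"):
    """Verify that inbound smtpd hands mail to filter_name and that the filter
    exists as a unix-socket pipe service with an argv. Returns a list of
    problem strings; an empty list means the wiring looks consistent."""
    services = {s["name"] + "/" + s["type"]: s for s in parse_master_cf(text)}
    problems = []
    smtp = services.get("smtp/inet")
    if smtp is None:
        problems.append("no smtp/inet service")
    elif overrides(smtp).get("content_filter") != filter_name:
        problems.append("smtp/inet does not set content_filter=%s" % filter_name)
    flt = services.get(filter_name + "/unix")
    if flt is None:
        problems.append("no %s/unix service" % filter_name)
    elif flt["command"] != "pipe":
        problems.append("%s service is not a pipe(8) transport" % filter_name)
    elif not any(a.startswith("argv=") for a in flt["args"]):
        problems.append("%s pipe service has no argv= (continuation lines not indented?)" % filter_name)
    return problems

if __name__ == "__main__":
    print(check_content_filter(SAMPLE_MASTER_CF))
    # Drop the indentation of the user=/argv= line: it becomes a bogus new
    # service and the spamassassin entry loses its command line.
    broken = SAMPLE_MASTER_CF.replace("\n  user=nobody", "\nuser=nobody")
    print(check_content_filter(broken))
```

The second run in the `__main__` block reproduces the mistake the post's comment guards against: once the `user=nobody argv=...` line loses its leading whitespace it parses as a separate entry and the spamassassin service is left with no argv, which is what Postfix would see as well.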

Mike Henry
01-17-2005, 08:17 AM
Hi,

I just want to thank you guys for some excellent documentation! I have now set everything up on my Rimu-hosted server. I had problems with dovecot and went with Courier for a while, but then they released the 0.99.13 version which fixed some things.

Having run Courier for a while and switching (back) to Dovecot I was impressed by Dovecot's speed.

Now there are only couple of more things that I would like:

1) The ability to set Quotas on my Dovecot users.
2) To have name-based virtual SSL hosts in Apache.
3) Have a smooth way to have users log on without having to use the whole e-mail address. (optional :))

Again, thanks a bunch!

/Mike

RedOut
02-05-2005, 06:06 AM
I'm trying to figure out how to do #1... Haven't yet though.

#2 though is probably not going to happen in the foreseeable future. You can't run 2 SSL servers on the same IP:Port because SSL works at a lower level than the Apache Namebased Virtual servers. Since the secure connection is established first, there's no opportunity to determine which server is being called.

This isn't a change that will ever be made either. Doing it any other way would compromise part of the security of SSL.

FuguTabetai
02-08-2005, 02:32 AM
I also want to thank Pete for the excellent howto - I got email up and running in a few hours over the space of a few evenings.


One thing that caught me during the install was the hostname (It's in your howto, but I skimmed that part :D) My solution was to just rename my machine chuck.redout.org while still also responding to the other aliases I use. Once I did that, postfix stopped bouncing messages, and root@chuck.redout.org or any local accounts still receive mail locally.


I also wanted to have virtual users (ha! there's really only myself) on fugutabetai.com, hosted off of fugutabetai.com. I changed the "myhostname" parameter in /etc/postfix/main.cf to
myhostname = mail.fugutabetai.com
and things are working just fine. I think mail might bounce if I tried to send to person@mail.fugutabetai.com, but I'm not worried about that.

Also, I installed http://phpldapadmin.sourceforge.net/ to browse and modify LDAP entries - setup was a breeze and it worked out of the box (modulo necessary config setup) with the LDAP server setup in the postfix HOWTO. It makes it really easy to change the JAMM postmaster accounts, etc., and I've even started a small addressbook in there.

Thanks again for the great howto!

By the way, I'm running on a MataiVPS1, and was worried about running tomcat for JAMM. It hasn't had a problem. I was thinking of manually starting / stopping tomcat so it isn't running unless I need to do mail setup management, but I haven't seen any problems just leaving tomcat going. I'm pretty impressed.

FuguTabetai
02-09-2005, 06:06 AM
I should note that I had to make a few other changes to get remote mail sending via TLS/SSL working. It wasn't difficult, but took me a while to figure out.

First, I'm using cyrus-sasl 2.1.20, and was having problems getting authentication working properly. In the end, I had an ldap_filter setting in /etc/saslauthd.conf of ldap_filter: (&(objectClass=JammMailAccount)(mail=%U@%d)(accountActive=TRUE)(delete=FALSE)), using the %U which only gives the user part of full email logins (e.g., test from test@example.com) and %d which is the domain, or realm if that isn't set.

If you have problems with testsaslauthd -u test@example.com -p testPassword you should try adding -r example.com and checking to see what happens. You can use syslog to check saslauthd messages (set auth.debug=/var/log/auth or something in /etc/syslog.conf and do a service syslog restart) but saslauthd doesn't seem to be too verbose.

I also needed to start up the saslauthd daemon with the -r command line option which "Combines the realm with the login before passing to authentication mechanism" according to saslauthd -h. Anyway, it was working.

The final thing I had to do was to enable listening on port 465 and 587 in /etc/postfix/master.cf - I didn't see it mentioned in the howto, but was getting telnet mail.example.com 465 attempts refused outright. Checking the master.cf file showed that those mechanisms were not enabled. So un-comment or add in the lines

smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
# submission is port 587 - see RFC 2476 http://www.ietf.org/rfc/rfc2476.txt
submission inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes


I hope someone else found this useful. Thanks again for the great howto...

FuguTabetai
02-14-2005, 01:13 AM
I set up a catch-address for one of my domains, and it over-rode delivery to virtual users. I did a bit of searching, and this is known behavior - you have to add a bit to the postfix setup to fix this problem. I followed the setup as shown in http://jamm.sourceforge.net/howto/single-html/mailserver.html#IMPL-POSTFIX (see a discussion of why this happens at http://sourceforge.net/mailarchive/message.php?msg_id=2027413) and things worked fine with a service postfix restart. For completeness, the two things I had to add to postfix's main.cf were:

accountsmap_server_host = localhost
accountsmap_search_base = o=hosting,dc=myhosting,dc=example
accountsmap_query_filter = (&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))
accountsmap_result_attribute = mail
accountsmap_bind = no

and the line to tell postfix to look up virtual delivery via both the aliases and this new accountsmap service:

virtual_alias_maps = ldap:accountsmap, ldap:aliases


Well, I can't imagine that I'll run into many more problems, but I hope this helps someone out there.

Mike Henry
02-15-2005, 09:20 AM
Thanks again for even better documentation, Placey! I refer to your page for all kinds of things that I can't quite remember. Keep up the good work!

One thing that you might want to include regarding password changes. I found that any user can log in to Jamm and see his/her account, change password, and other things. If a user has the "Postmaster" role then he/she can edit other users account information for that domain.

3) Have a smooth way to have users log on without having to use the whole e-mail address. (optional :))

Following up on my own post I found a SquirrelMail plugin "Virtual Host Login" which does just this. It does other useful things too. As a matter of fact there are any number of useful SM-plugins which go well with virtual domains! 8)

thx/mike

wisdcom
03-05-2005, 02:36 PM
Thanks for sharing the knowledge!

I am trying to follow this HOW-TO, and have gotten so far:

* Certificates part: Skipped for now...
Want to make sure things work in plain first...

* OpenLDAP v2.0.27-17: Working!
Should I upgrade to latest v2.2.23?

* Tomcat / Jamm v0.9.6: Working!

* Postfix v2.0.16: Working so far!
Should I upgrade to latest v2.1.5?

* Cyrus-SASL v2.1.20: Configure "couldn't find openssl"...

Using "# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-ldap"

I stopped here before the make command...

* Dovecot v1.0-test-59: Built "without SSL support"...

Using "# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --mandir=/usr/share/man --with-ldap -with-ssldir=/usr/share/ssl # make # make install"

Maybe it couldn't find openssl either?

At this point, should I fix the openssl issue before going further? Any advice will be appreciated!

carl
03-05-2005, 10:04 PM
3) Have a smooth way to have users log on without having to use the whole e-mail address. (optional)


Try putting this in /etc/dovecot/dovecot.conf:

auth_default_realm = yourdomain.com


- kron

FuguTabetai
03-07-2005, 08:19 PM
* Cyrus-SASL v2.1.20: Configure "couldn't find openssl"...

Using "# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --with-ldap"

I stopped here before the make command...

* Dovecot v1.0-test-59: Built "without SSL support"...

Using "# ./configure CPPFLAGS=-I/usr/kerberos/include LDFLAGS=-L/usr/kerberos/lib --prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/libexec --datadir=/usr/share --sysconfdir=/etc --mandir=/usr/share/man --with-ldap -with-ssldir=/usr/share/ssl # make # make install"

Maybe it couldn't find openssl either?

At this point, should I fix the openssl issue before going further? Any advice will be appreciated!

I had a similar problem when building Cyrus-SASL, and had to apt-get install krb5-devel and OpenSSL-devel before I could compile it. Be sure to remove configure.cache and re-configure to pick up the new libs. I might have had to modify the Dovecot build so it picked up the OpenSSL-devel libs too, but I don't remember and didn't have anything written down in my notes... Good luck!

One thing I have noticed is that I'm getting lots of spam now. So it looks like I'll have to do the SpamAssassin install as well...

wisdcom
03-10-2005, 07:22 AM
thanks, fugutabetai,

i actually got through that part after doing:

# apt-get install openssl-devel

now the whole system is working except the SASL part: no clients can authenticate for SMTP sending

i noted your post above regarding SASL issues also; got the ports open;

testsaslauthd on the command line can authenticate, but remote clients cannot; and remote attempts are not logged in SASL's log...

still trying...

wisdcom
03-11-2005, 12:37 AM
Before making Postfix/Cyrus-SASL work with LDAP to authenticate, would it be simpler to have SMTP-AUTH done by setting up a special SMTP send-only account?

FuguTabetai
03-11-2005, 07:58 PM
Before making Postfix/Cyrus-SASL work with LDAP to authenticate, would it be simpler to have SMTP-AUTH done by setting up a special SMTP send-only account?

I would try to get authentication working via LDAP if that is what you want to end up doing - I didn't have much of a problem. Once I could authenticate on the command line with testsaslauthd, I just had to set my email client to use the full domain with email to log in.

I had to modify some settings in the saslauthd.conf (the ldap_filter in particular) to get things working. When debugging things I also modified the logging setup (I can't remember offhand where this is though - the system wide logging configuration and the postfix logging I think) to see what was going on. I definitely could see SASL report failed login attempts after turning the debugging level up a notch or two. You should try that.

I wouldn't know about setting up a special account just for sending mail. You could do it that way, but I think it would be better to authenticate each user myself.

placey
03-12-2005, 02:15 AM
Wow! I really should check in here more often. Sometimes I get emails from Rimu when a topic I've posted to is active, but - apparently - most times I don't. In any event, I haven't checked in here since mid-December or so, so my apologies for not following up on some of these postings.

First, thanks everyone for the feedback. I'm glad that I have been of some help to you.

Now, in order:

To Mike Henry: Don't count on Dovecot quotas for a good long time. Regarding name based virtual hosts; you can still have them (I do), it's just that only one of them can run over SSL. If you need more, sorry. It looks like you already have an answer to allow people to log in with just their username. I updated the howto on 1/20/05 to reflect this.

To FuguTabetai: You must have been tracking right along with me :-) Yes, the Cyrus SASL parameters shown at the time were wrong for the most recent release. It seems Cyrus SASL, for no good reason, decided to change the way things worked when they released 2.1.17.

You go on to note that you had to enable smtps and submission to get your system to work. Note, I _did not_ have to do this. I'd have to learn more about Postfix before I comment intelligently, but smtps looks like simply running SMTP over SSL as opposed to the setup I have here which starts SSL on command (STARTTLS) for the client and won't run otherwise. Subtle difference, I know, but you should not have had to enable these services.

As for the catch-all problem, I'm aware of this and referenced the same JAMM comment in my doc. In fact, earlier versions had the accountsmap aliases in it. I removed it, as I saw it as clutter and not likely to affect anyone. Sorry you got burned, but I think for now I'm going to leave it out.

To Wisdcom: I can't verify that upgrading the various packages is not going to break anything, but you're probably safe. However, Dovecot 0.99.12 won't work as LDAP support was broken in that release (fixed in 13 and 14, the latest). In general, I was trying to stay within the package management framework when I could. I want to go to Postfix 2.1.5 myself, but I'm waiting until apt-get can get me there. Also, you will definitely need the open-ssl and Kerberos packages to get everything working right. This is documented in the HOWTO, but I'll make it clearer as this spans services.

To Kron: Your suggestion for allowing users to log on with just their username (and not the complete email address) will work, but for only one domain, so it's not very effective.

I think that's everything. If anyone has any additional questions feel free to email me directly as well as posting here, placey @ wanderingbarque.com. And, Wisdcom, if you're not up and running yet, let me know and I'll do what I can.

Thanks,
Pete
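FuguTabetai's smtps/submission entries and Pete's reply above describe the two ways a submission port can protect credentials: wrapper mode (TLS from the first byte) or STARTTLS on a plaintext port, where what matters is that AUTH is only offered after the session is encrypted. The following is an added example, not code from the HOWTO, Postfix or any post in this thread: it parses EHLO replies and reports whether a submission port advertises AUTH before STARTTLS. The EHLO transcripts are constructed; the function names and the `live_audit` helper (which uses the standard-library `smtplib`) are this example's own.

```python
"""Audit what an SMTP submission service offers before and after STARTTLS.

Added example for this thread; not code from the HOWTO, from Postfix, or from
the posts above. The EHLO transcripts are constructed, and the function names
are this example's own.
"""
import smtplib
import ssl

# Constructed EHLO replies. The first is what a submission service that only
# allows AUTH inside TLS looks like before STARTTLS; the second is the reply
# after the TLS handshake; the third is a weak configuration that advertises
# AUTH on the plaintext connection.
EHLO_PLAIN_OK = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

EHLO_AFTER_TLS = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""

EHLO_PLAIN_WEAK = """\
250-mail.example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Map each advertised ESMTP keyword (upper-cased) to its parameter string.

    The first line is the server's name and is skipped; the '250-'/'250 '
    prefix is stripped when present.
    """
    caps = {}
    for line in reply.splitlines()[1:]:
        body = line[4:] if line[:3] == "250" else line
        keyword, _, params = body.partition(" ")
        if keyword:
            caps[keyword.upper()] = params
    return caps

def audit(before_tls, after_tls=None):
    """Return a list of findings for the capability sets of a submission port.

    before_tls: EHLO reply on the plaintext connection, or None for a
                wrapper-mode port (smtpd_tls_wrappermode=yes), where the
                session is TLS from the first byte and there is no plaintext EHLO.
    after_tls:  EHLO reply after STARTTLS / inside the TLS session, if known.
    """
    findings = []
    if before_tls is not None:
        plain = parse_ehlo(before_tls)
        if "AUTH" in plain:
            findings.append("AUTH advertised before STARTTLS: clients may send credentials in clear")
        if "STARTTLS" not in plain:
            findings.append("STARTTLS not offered: no way to protect the session")
    if after_tls is not None:
        secure = parse_ehlo(after_tls)
        if "AUTH" not in secure:
            findings.append("no AUTH after STARTTLS: remote users cannot submit mail")
        mechs = set(secure.get("AUTH", "").split())
        if mechs and not mechs & {"PLAIN", "LOGIN"}:
            findings.append("only unusual AUTH mechanisms offered: %s" % " ".join(sorted(mechs)))
    return findings

def live_audit(host, port=587, timeout=10):
    """Run audit() against a real STARTTLS submission port (not exercised by the tests)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = "250-" + s.ehlo_resp.decode("ascii", "replace").replace("\n", "\n250-")
        after = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            after = "250-" + s.ehlo_resp.decode("ascii", "replace").replace("\n", "\n250-")
        return audit(before, after)

if __name__ == "__main__":
    print("good submission port:", audit(EHLO_PLAIN_OK, EHLO_AFTER_TLS))
    print("weak submission port:", audit(EHLO_PLAIN_WEAK, EHLO_AFTER_TLS))
    print("wrapper-mode smtps:  ", audit(None, EHLO_AFTER_TLS))
```

On the Postfix side the setting that produces the "good" transcript is `smtpd_tls_auth_only = yes` (withhold AUTH until TLS is active); the `smtpd_enforce_tls=yes` override in the posted submission entry goes one step further and refuses the session entirely until STARTTLS has happened.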

Euan
07-10-2005, 08:07 AM
I'm having the same problem as FuguTabetai did regarding authentication, but his solution doesn't work for me. I can authenticate from the command line using testsaslauthd as a local user, but not as a virtual user. Passing the domain through -r does not help.

I've got everything else working fine (JAMM is creating entries), but cannot solve this. Any pointers would be much appreciated. Also I don't seem to get any errors logged using FuguTabetai's /var/log/auth and syslog idea, and Squirrelmail just returns "ERROR : Connection dropped by imap-server. Query: CAPABILITY." for known users. I assume this is due to the saslauth problem. Squirrelmail is checking the username/password with ldap as it returns unknown users to the login screen.

<edit>

1. The extra saslauthd file at /etc/sysconfig/saslauthd was still set to use shadow, not imap. Thanks Peter at Rimuhosting.
2. with the saslauthd reset to use the original saslauth daemon startup command (removed the -r option), I can now authenticate at the command line with testsaslauthd -u info -r domain.example -p password. However, local users can no longer authenticate, and testsaslauthd -u info@domain.example -p password fails. I guess there is a problem with the filters?

The following is from /var/log/maillog on trying to log in from Squirrelmail:


Jul 11 00:37:05 myserver dovecot-auth: LDAP: No username in reply
Jul 11 00:37:05 myserver imap-login: Internal login failure: user@domain.example [127.0.0.1]


If I enter an unknown user, the message in the same log indicates "Jul 11 00:36:54 myserver dovecot-auth: ldap(usre@domain.example): unknown user".

However, otherwise I can still not log in via Squirrelmail, and mail appears not to be arriving in the /home/vmail/domains/ folders.

<end edit>

Rimuhosting Karaka Dedicated Server CentOS 4
JAMM 0.9.6
Tomcat 5.5.9
Cyrus-SASL 2.1.19
Dovecot 0.99.11
Postfix 2.1.15
OpenLDAP 2.2.13

Any help would be much appreciated.

Cheers,

Euan.
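The maillog lines Euan quotes mix two different kinds of failure: "No username in reply" / "Internal login failure" point at the server's own LDAP setup, while "unknown user" is the normal answer for a login name the directory does not hold. The following is an added example, not Dovecot code and not from any post here: a small classifier that separates those categories over the quoted lines so that configuration errors are not lost among ordinary failed logins. The first three log lines are the ones from the post; the fourth is constructed, and the categories and function names are this example's own.

```python
"""Classify Dovecot authentication failures from /var/log/maillog lines.

Added example for this thread (not Dovecot code). The first three sample lines
are the ones quoted in the post above; the fourth is constructed. The
categories are this example's own.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Jul 11 00:37:05 myserver dovecot-auth: LDAP: No username in reply
Jul 11 00:37:05 myserver imap-login: Internal login failure: user@domain.example [127.0.0.1]
Jul 11 00:36:54 myserver dovecot-auth: ldap(usre@domain.example): unknown user
Jul 11 00:38:10 myserver dovecot-auth: ldap(nobody@domain.example): unknown user
"""

# syslog prefix: timestamp, host, program, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+): (?P<msg>.*)$")

# (category, regex on the message part, meaning for the operator)
RULES = [
    ("config", re.compile(r"LDAP: No username in reply"),
     "LDAP reply carried no username attribute: server-side mapping problem"),
    ("config", re.compile(r"Internal login failure: (\S+)"),
     "auth backend failed for a user the directory knows"),
    ("credential", re.compile(r"ldap\(([^)]+)\): unknown user"),
     "login name not found in the directory"),
]

def classify(line):
    """Return a dict describing one log line, or None if it is not a syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for category, rx, meaning in RULES:
        hit = rx.search(m.group("msg"))
        if hit:
            subject = hit.group(1) if hit.groups() else None
            return {"ts": m.group("ts"), "prog": m.group("prog"),
                    "category": category, "subject": subject, "meaning": meaning}
    return {"ts": m.group("ts"), "prog": m.group("prog"),
            "category": "other", "subject": None, "meaning": None}

def summarize(log_text):
    """Count events per category and list the login names reported as unknown."""
    events = [e for e in (classify(l) for l in log_text.splitlines()) if e]
    counts = Counter(e["category"] for e in events)
    unknown = sorted({e["subject"] for e in events if e["category"] == "credential"})
    return {"counts": dict(counts), "unknown_users": unknown}

if __name__ == "__main__":
    for ev in (classify(l) for l in SAMPLE_LOG.splitlines()):
        print(ev["ts"], ev["category"], ev["subject"] or "-", "::", ev["meaning"])
    print(summarize(SAMPLE_LOG))
```

Any non-zero "config" count is worth acting on before looking at the credential events: as long as a known user produces "Internal login failure", the "unknown user" lines say nothing about whether the directory lookups themselves are right.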

RedOut
08-04-2005, 03:47 AM
I just got a new VPS running rimu's RHEL4 distro... things look a little different, and my first attempt failed spectacularly :D I had problems from OpenLDAP and SASL primarily. I'll post some notes here as I go through the process on what you'll need to do if you decide to jump to one of the new fancy VPS plans.

RedOut
08-04-2005, 03:13 PM
First issue:

Ldap access control does not like the provided DN : dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"

using openldap-2.2.13-2

Gives an error:
/etc/openldap/slapd.conf: line 74: bad DN ".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example" in to DN clause

(dc of course has been changed appropriately)

Seems to be choking on ".*,jvd=([^,]+)," remove that and ldap starts fine.


SOLUTION:

replace dn= with dn.regex=

RedOut
08-04-2005, 06:59 PM
I'm still running into problems with saslauthd...

Looks like the copy of postfix included with the RHEL4 distribution doesn't have SASL auth compiled into it. So to get this to work you'll need to roll your own.

Since I only use squirrelmail, and that connects on localhost, I'm probably not going to bother.

Otherwise with that small change to the ldap acl, everything worked fine. I'm receiving for multiple domains without a problem, and sending locally via squirrelmail as well.

placey
08-10-2005, 09:55 PM
I finally got around to adding the "regex" syntax to the OpenLDAP ACLs. I've been meaning to do this for a while, but have been putting it off as the instructions are for OpenLDAP 2.0 and it's 2.2 that requires this syntax. Anyway, fixed.

As for the SASL problem that RedOut mentions, I don't know what you're experiencing, but I'd be surprised if it was due to the RHEL4 Postfix binary not including SASL support. I looked at the RPM build script, and it's certainly capable of including it. Whether RedHat, CentOS, WhiteBox, or Rimu left it out, I can't say. If so, however, that seems a little weird as now there is no way for a non-local user to send mail.

You might want to verify this (cheap way: ldd /usr/sbin/postfix | grep sasl). If SASL support is indeed linked in, I would look further. SASL in general and Cyrus-SASL in particular is a touchy beast, but the instructions should work.

Good Luck,
Pete

RedOut
08-11-2005, 01:33 PM
Oops, forgot to post my resolution...

That was my assumption too, initially that SASL wasn't linked in. But, it appears to be in the stock postfix RPM. The problem was with saslauthd, it was setup properly, but always returning an auth failure.

It appears the LDAP filter for saslauthd 2.1.19 (possibly 2.1.18 too) needs to go back to the original "ldap_filter: (&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))"
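The three filters that come up in this thread (FuguTabetai's saslauthd `%U@%d` variant, RedOut's `%u` variant above, and the `%s` accountsmap query_filter for Postfix) all work by substituting a login name into a filter template. The following is an added example, not code from saslauthd, Postfix, Dovecot or the HOWTO: it expands those placeholders for a given login, fills in a default realm for bare user names the way the posts describe, and escapes the substituted value as RFC 4515 requires, so that characters such as `*` or `)` in a login are compared as literal text and cannot change the filter's structure. The function names and the default-realm argument are this example's own.

```python
"""Expand and escape the LDAP lookup filters discussed in this thread.

Added example for this thread, not code from saslauthd, Postfix, Dovecot or the
HOWTO. Shows what %u, %U, %d and %s expand to for a given login and escapes the
substituted values per RFC 4515. Function names and default-realm handling are
this example's own.
"""
import re

# Filter templates quoted in the thread.
SASL_FILTER_USER_AT_DOMAIN = "(&(objectClass=JammMailAccount)(mail=%U@%d)(accountActive=TRUE)(delete=FALSE))"
SASL_FILTER_FULL_LOGIN = "(&(objectClass=JammMailAccount)(mail=%u)(accountActive=TRUE)(delete=FALSE))"
POSTFIX_ACCOUNTSMAP_FILTER = "(&(objectClass=JammMailAccount)(mail=%s)(accountActive=TRUE)(delete=FALSE))"

def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515).

    The characters * ( ) \\ and NUL are replaced by a backslash and two hex digits.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def split_login(login, default_realm=None):
    """Split 'user@domain' into (user, domain).

    A bare user name gets default_realm as its domain, which is the role the
    realm plays for %d in saslauthd and auth_default_realm plays for Dovecot.
    Raises ValueError when no domain can be determined.
    """
    user, sep, domain = login.partition("@")
    if not sep:
        domain = default_realm
    if not user or not domain:
        raise ValueError("cannot determine user and domain for %r" % (login,))
    return user, domain

def expand_filter(template, login, default_realm=None):
    """Replace %U (local part), %d (domain), %u and %s (full address) in template.

    Substitution happens in a single pass so that a '%' inside a substituted
    value is never expanded a second time.
    """
    user, domain = split_login(login, default_realm)
    full = "%s@%s" % (user, domain)
    values = {"U": user, "d": domain, "u": full, "s": full}
    return re.sub(r"%([Udus])", lambda m: escape_filter_value(values[m.group(1)]), template)

if __name__ == "__main__":
    print(expand_filter(SASL_FILTER_USER_AT_DOMAIN, "test@example.com"))
    print(expand_filter(SASL_FILTER_USER_AT_DOMAIN, "test", default_realm="example.com"))
    print(expand_filter(SASL_FILTER_FULL_LOGIN, "info@domain.example"))
    # A wildcard in the login is neutralised rather than matching every account.
    print(expand_filter(POSTFIX_ACCOUNTSMAP_FILTER, "*@example.com"))
```

The difference between the two saslauthd variants is only where the domain comes from: with `%U@%d` a client that logs in as `test` still needs a realm (the `-r` option or the client sending one), while `%u` uses whatever the client typed, which is why the full address has to be the login name in that setup.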

placey
08-11-2005, 02:36 PM
<rant>

Jiminy Frickin' Crickets! Why is Cyrus-SASL the only open source SASL implementation? Why is CMU constantly tweaking an implementation of a spec that hasn't changed in eight years? Why does Postfix insist on a SASL only authentication mechanism? Is SASL really the best universal authentication protocol? Grrr.

</rant>

RedOut, thanks for the info. I'll update the HOWTO tonight. When Dovecot 1.0 is ready I'm going to redo the whole thing. First on my list is to dump Cyrus-SASL and use the SASL implementation built into the post .99 releases of Dovecot.

Pete

Mike Henry
12-21-2006, 10:43 PM
There is a problem using Jamm when delegating authority to domain administrators. The reason for this is due to a ',' (comma) in slapd.conf in many HOWTOs. The fix is to remove the ',' (comma) from ".*,jvd" so that it becomes ".*jvd" instead. See full example below.

Change: dn=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
To: dn=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example"

Openldap 2.2 users should of course use "dn.regex=" instead of "dn=" in the examples above.

Placey: Thanks for such an excellent HOWTO! (I refer to it every time I reconfigure my server). Please update it with this info.
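The difference between the two ACL patterns in Mike's post is easiest to see by matching them against actual DNs. The following is an added example, not slapd code and not from the HOWTO: it applies both regexes to a handful of constructed DNs from the `o=hosting,dc=myhosting,dc=example` tree used throughout this thread and reports which DNs each pattern covers and what the `([^,]+)` group captures. The match is fully anchored here, which is how a pattern is meant to apply to a whole DN; the DNs and function names are this example's own.

```python
"""Show which DNs the two slapd ACL patterns from the post match.

Added example for this thread, not slapd code. The DNs are constructed from the
o=hosting,dc=myhosting,dc=example tree used in the thread; the match is fully
anchored, as a whole-DN pattern is meant to be. Function names are this
example's own.
"""
import re

PATTERN_WITH_COMMA = r".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
PATTERN_WITHOUT_COMMA = r".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example"

# Constructed DNs: the domain entry itself, two accounts below it, and an
# account from another domain's subtree.
SAMPLE_DNS = [
    "jvd=example.com,o=hosting,dc=myhosting,dc=example",
    "mail=alice@example.com,jvd=example.com,o=hosting,dc=myhosting,dc=example",
    "mail=postmaster@example.com,jvd=example.com,o=hosting,dc=myhosting,dc=example",
    "mail=bob@other.example,jvd=other.example,o=hosting,dc=myhosting,dc=example",
]

def match_dn(pattern, dn):
    """Return the captured domain when dn matches the ACL pattern, else None."""
    m = re.fullmatch(pattern, dn)
    return m.group(1) if m else None

def coverage(pattern, dns=SAMPLE_DNS):
    """Map each DN to the domain the ACL would bind it to (None = ACL does not apply)."""
    return {dn: match_dn(pattern, dn) for dn in dns}

def dns_only_covered_without_comma(dns=SAMPLE_DNS):
    """DNs that the comma-free pattern covers but the original pattern misses."""
    return [dn for dn in dns
            if match_dn(PATTERN_WITH_COMMA, dn) is None
            and match_dn(PATTERN_WITHOUT_COMMA, dn) is not None]

if __name__ == "__main__":
    for name, pattern in (("with comma", PATTERN_WITH_COMMA),
                          ("without comma", PATTERN_WITHOUT_COMMA)):
        print(name)
        for dn, domain in coverage(pattern).items():
            print("  %-75s -> %s" % (dn, domain))
    print("missed by the original pattern:", dns_only_covered_without_comma())
```

With the comma the pattern requires something, followed by a comma, before `jvd=`, so the `jvd=example.com,...` entry itself is never covered; without the comma the same ACL applies to the domain entry and to everything beneath it, and the captured group is the domain in both cases.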

Mike Henry
01-11-2007, 07:17 PM
Hi,

Has anybody got any vacation plugins to work with SquirrelMail using the set-up found in the HOWTO?

Any input appreciated!

/mike