On Thu, Jun 17, 2010 at 03:30:01PM +0200, Olaf Zevenboom wrote:
> At first I was planning on sticking to trusted Cyrus. Cyrus is the only
> IMAP server I know which has a full PHP library to admin the thing. I
> was planning on writing a plugin for LAM myself but lack of time did
> hold me back. I was also thinking about the desirability of writing a
> specific Cyrus plugin. A generic plugin for IMAP servers based on
> calling external shellscripts which can be adapted per flavor of
> IMAP-server did sound too as an option.
>
> So, Dovecot does support LDAP. Thanks mr. Melnik for providing a
> dovecot-ldap.conf. But will this work with the schema used by samba/lam
> ? Or will I need another schema and if so which?
exim configured to work with samba accounts
> How and where do you store your mailboxes?
in a specified folder
I attach exim and dovecot configs
--
-------------------------------------------------------------------------------
Vasiliy P. Melnik VPM-RIPE, VPM-UANIC
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki.dovecot.org/AuthDatabase/LDAP
#
# NOTE(review): this file carries the cleartext LDAP bind password (dnpass)
# and is handed to both passdb and userdb from dovecot.conf; keep it
# root-owned 0600 as stated above and out of world-readable backups or
# mailing-list posts.
# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = 127.0.0.1
# Distinguished Name - the username used to login to the LDAP server
# NOTE(review): the same bind DN/password pair is reused by the Exim
# LDAP_DN_USER/LDAP_DN_PASS macros, so rotating it means touching both files.
dn = cn=sysadmin,dc=domain
# Password for LDAP server
dnpass = password
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
sasl_bind = no
# Use TLS to connect to the LDAP server.
# NOTE(review): with tls = no the bind password and every userPassword
# lookup travel over cleartext LDAP. That is tolerable only while "hosts"
# above stays on the loopback address; revisit if the directory is moved to
# another machine.
tls = no
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
# NOTE(review): with auth_bind = no Dovecot fetches userPassword through the
# bind DN above and compares it locally, so that DN needs read access to the
# attribute and the comparison follows default_pass_scheme at the end of this
# file — presumably the intended setup; confirm.
auth_bind = no
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base. %variables can be used here.
# NOTE(review): the base already pins the search to uid=%u while user_filter
# and pass_filter repeat (uid=%u); one of the two is redundant. Presumably
# ou=DomainUsers,dc=domain was meant here with the filters doing the
# selection — confirm against the directory layout.
base = uid=%u,ou=DomainUsers,dc=domain
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/UserDatabase/ExtraFields
# NOTE(review): per the list above this is attribute=field pairs, but
# "ou=DomainUsers,dc=domain" look like DN components rather than attribute
# names, and no uid/gid/home mapping is given (mail_uid/mail_gid in
# dovecot.conf presumably cover that). Confirm this is intended.
user_attrs = uid=user,ou=DomainUsers,dc=domain
# Filter for user lookup. Some variables can be used (see
# http://wiki.dovecot.org/Variables for full list):
# %u - username
# %n - user part in u...@domain, same as %u if there's no domain
# %d - domain part in u...@domain, empty if there's no domain
user_filter = (&(objectClass=posixAccount)(uid=%u))
# Password checking attributes:
# user: Virtual user name (u...@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki.dovecot.org/PasswordDatabase/ExtraFields
# NOTE(review): same trailing DN-looking components as user_attrs — confirm.
pass_attrs = uid=user,userPassword=password,ou=DomainUsers,dc=domain
# Filter for password lookups
pass_filter = (&(objectClass=posixAccount)(uid=%u))
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki.dovecot.org/Authentication
# NOTE(review): PLAIN means a userPassword value without a {scheme} prefix
# is compared as cleartext, i.e. the directory is expected to store cleartext
# passwords. The Exim authenticators posted alongside (LDAP equality filter
# on userPassword, CRAM-MD5 reading its value) require the same. Hashed
# storage such as {SSHA} would need the prefix on each value or a different
# default here.
default_pass_scheme = PLAIN
# NOTE(review): presumably the body of exim.conf.ldap-auth (the name comes
# from the .include line in the main configuration — confirm). It defines the
# bind credentials used by every LDAP lookup in the routers and
# authenticators, so it must not be readable beyond root and the Exim user.
ldap_default_servers = localhost
LDAP_DN_USER = user=cn=sysadmin,dc=domain
# NOTE(review): cleartext bind password; the same DN/password pair is in
# dovecot-ldap.conf, rotate both together.
LDAP_DN_PASS = pass=password
LDAP_DC_BASE = dc=domain
LDAP_OU_USERS = ou=domainUsers
LDAP_OU_GROUPS = ou=domainGroups
LDAP_OU_ALIASES = ou=mailAliases
# NOTE(review): the next three lines appear to be the bodies of three separate
# included files (exim.conf.local-domains, exim.conf.relay-to-domains,
# exim.conf.primary-hostname) that were concatenated in the mail — confirm.
# The domain is listed both as local and as a relay target.
mail-server-domain.com
mail-server-domain.com
primary_hostname = mail-server-name
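## Dovecot configuration file
# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
# "dovecot -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting this file when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Default values are shown for each setting, it's not required to uncomment
# any of the lines. Exception to this are paths, they're just examples with
# the real defaults being based on configure options. The paths listed here
# are for configure --prefix=/usr/local --sysconfdir=/usr/local/etc --localstatedir=/var
# --with-ssldir=/etc/ssl
# NOTE(review): the "--localstatedir=/var" fragment above had been wrapped
# onto its own line without a leading '#' in the mailed copy; as a bare line
# it is not a valid setting, so it was rejoined to the comment.
# Base directory where to store runtime data.
base_dir = /var/run/dovecot/
# Protocols we want to be serving: imap imaps pop3 pop3s
# If you only want to use dovecot-auth, you can set this to "none".
#protocols = imap imaps
# NOTE(review): only the cleartext listeners are served, consistent with
# ssl = no below — there is no imaps/pop3s endpoint in this configuration.
protocols = imap pop3
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# NOTE(review): with "no" here and ssl = no, the PLAIN mechanism enabled in
# "auth default" carries passwords in cleartext to every non-loopback
# client; the loopback exemption described above does not cover LAN clients.
disable_plaintext_auth = no
# Should all IMAP and POP3 processes be killed when Dovecot master process
# shuts down. Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is eg. because of a security fix). This however
# means that after master process has died, the client processes can't write
# to log files anymore.
shutdown_clients = yes
##
## Logging
##
# Syslog facility to use if you're logging to syslog. Usually if you don't
# want to use "mail", you'll use local0..local7. Also other standard
# facilities are supported.
syslog_facility = mail
##
## SSL settings
##
# Disable SSL/TLS support.
# NOTE(review): no certificate or TLS listener at all; see the notes on
# protocols and disable_plaintext_auth above for what that implies.
ssl = no
##
## Login processes
##
# <doc/wiki/LoginProcess.txt>
# Directory where authentication process places authentication UNIX sockets
# which login needs to be able to connect to. The sockets are created when
# running as root, so you don't have to worry about permissions. Note that
# everything in this directory is deleted when Dovecot is started.
login_dir = /var/run/dovecot/login
# chroot login process to the login_dir. Only reason not to do this is if you
# wish to run the whole Dovecot without roots. <doc/wiki/Rootless.txt>
login_chroot = yes
# User to use for the login process. Create a completely new user for this,
# and don't use it anywhere else. The user must also belong to a group where
# only it has access, it's used to control access for authentication process.
# Note that this user is NOT used to access mails. <doc/wiki/UserIds.txt>
login_user = dovecot
# Should each login be processed in it's own process (yes), or should one
# login process be allowed to process multiple connections (no)? Yes is more
# secure, espcially with SSL/TLS enabled. No is faster since there's no need
# to create processes all the time.
login_process_per_connection = yes
# Number of login processes to keep for listening new connections.
login_processes_count = 3
# Greeting message for clients.
login_greeting = POP/IMAP server ready.
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. This is the same as the old default_mail_env
# setting. The default is empty, which means that Dovecot tries to find the
# mailboxes automatically. This won't work if the user doesn't have any mail
# yet, so you should explicitly tell Dovecot the full location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in u...@domain, same as %u if there's no domain
# %d - domain part in u...@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
# NOTE(review): must match the Exim ldap_delivery transport, which writes to
# VMAILDIR/$local_part/Maildir with VMAILDIR = /usr/local/vmail. %u is the
# login name as the client sent it, so a mixed-case login would look in a
# different directory than the lower-case one — confirm how usernames are
# normalised (auth_username_format is the Dovecot knob for that) if this
# matters.
mail_location = maildir:/usr/local/vmail/%u/Maildir
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds>
# NOTE(review): every virtual user shares this uid/gid, which is what the
# Exim transport (user = mailnull, group = mail, mode = 0600) also uses.
mail_uid = mailnull
mail_gid = mail
##
## Mail processes
##
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
verbose_proctitle = yes
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
# NOTE(review): the range is pinned to a single uid, presumably the numeric
# id of mailnull on this host — confirm it matches, otherwise every login is
# refused.
first_valid_uid = 26
last_valid_uid = 26
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
# NOTE(review): likewise pinned to one gid, presumably that of "mail".
first_valid_gid = 6
last_valid_gid = 6
##
## IMAP specific settings
##
protocol imap {
# Workarounds for various client bugs:
# delay-newmail:
# Send EXISTS/RECENT new mail notifications only when replying to NOOP
# and CHECK commands. Some clients ignore them otherwise, for example OSX
# Mail (<v2.1). Outlook Express breaks more badly though, without this it
# may show user "Message no longer in server" errors. Note that OE6 still
# breaks even with this workaround if synchronization is set to
# "Headers Only".
# netscape-eoh:
# Netscape 4.x breaks if message headers don't end with the empty "end of
# headers" line. Normally all messages have this, but setting this
# workaround makes sure that Netscape never breaks by adding the line if
# it doesn't exist. This is done only for FETCH BODY[HEADER.FIELDS..]
# commands. Note that RFC says this shouldn't be done.
# tb-extra-mailbox-sep:
# With mbox storage a mailbox can contain either mails or submailboxes,
# but not both. Thunderbird separates these two by forcing server to
# accept '/' suffix in mailbox names in subscriptions list.
# The list is space-separated.
imap_client_workarounds = delay-newmail netscape-eoh tb-extra-mailbox-sep
}
##
## POP3 specific settings
##
protocol pop3 {
# Workarounds for various client bugs:
# outlook-no-nuls:
# Outlook and Outlook Express hang if mails contain NUL characters.
# This setting replaces them with 0x80 character.
# oe-ns-eoh:
# Outlook Express and Netscape Mail breaks if end of headers-line is
# missing. This option simply sends it if it's missing.
# The list is space-separated.
#pop3_client_workarounds =
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
##
## Authentication processes
##
# Number of seconds to delay before replying to failed authentications.
auth_failure_delay = 15
auth default {
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp skey
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
# NOTE(review): PLAIN is the only mechanism and, with ssl = no and
# disable_plaintext_auth = no above, it is accepted on cleartext connections.
mechanisms = plain
# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
# NOTE(review): the referenced file holds the cleartext bind password; it is
# documented at its top as root-owned, mode 0600.
passdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
# LDAP database <doc/wiki/AuthDatabase.LDAP.txt>
userdb ldap {
args = /usr/local/etc/dovecot-ldap.conf
}
# User to use for the process. This user needs access to only user and
# password databases, nothing else. Only shadow and pam authentication
# requires roots, so use something else if possible. Note that passwd
# authentication with BSDs internally accesses shadow files, which also
# requires roots. Note that this user is NOT used to access mails.
# That user is specified by userdb above.
# NOTE(review): only LDAP passdb/userdb are configured here, so root is not
# needed for the reasons listed above; the only thing this process must read
# is dovecot-ldap.conf. A dedicated user that owns that file (keeping it
# 0600) would presumably suffice — confirm before changing, since the file
# mode and owner must change together.
user = root
}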
# NOTE(review): the line below appears to be the body of
# exim.conf.relay-from-hosts (included from hostlist relay_from_hosts in the
# main configuration) — confirm. Every host on that /24 is then in
# relay_from_hosts; whether that grants relaying without authentication
# depends on acl_check_rcpt, which is not part of this mail.
192.168.0.0/24
# exim.conf.transports v1.01
remote_smtp:
driver = smtp
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
address_reply:
driver = autoreply
# NOTE(review): the routers name an "address_pipe" transport as
# pipe_transport, but no transport of that name appears in this fragment; an
# alias that expands to a pipe would fail at delivery time unless it is
# defined elsewhere — confirm.
ldap_delivery:
driver = appendfile
# Deliveries run as the shared virtual-mail uid/gid, matching mail_uid and
# mail_gid in dovecot.conf.
user = mailnull
group = mail
mode = 0600
# NOTE(review): $local_part is interpolated straight into a filesystem path.
# The ldap_user router only hands this transport local parts that matched a
# uid in the directory, so the value is presumably already restricted; note
# that $local_part keeps the case the sender used while the Dovecot side
# uses %u, so the two must agree on case normalisation. Must equal
# mail_location in dovecot.conf (maildir:/usr/local/vmail/%u/Maildir).
directory=VMAILDIR/$local_part/Maildir
maildir_format = true
mode_fail_narrower = false
envelope_to_add = true
return_path_add = true
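# exim.conf.authenticators v1.03
#
# NOTE(review): each server_condition/server_secret below is rejoined onto a
# single line. The mailed copy had been wrapped after LDAP_DN_PASS, which
# Exim does not accept without a trailing backslash (the second half would be
# read as a separate, unknown option).
#
# NOTE(review): all three authenticators check credentials against the
# userPassword attribute directly — PLAIN and LOGIN through an LDAP equality
# filter, CRAM-MD5 by reading the attribute value as the shared secret. Both
# forms only work if the directory stores cleartext passwords, which
# dovecot-ldap.conf (default_pass_scheme = PLAIN) assumes as well.
# ${quote_ldap:...} is what stops client-supplied values from altering the
# filter; keep it on every interpolation.
#
# NOTE(review): no server_advertise_condition is set and the main
# configuration in this mail defines no TLS, so PLAIN and LOGIN are offered
# on cleartext SMTP. PLAIN/LOGIN use ldap:/// while CRAM-MD5 uses ldaps:///;
# with ldap_default_servers = localhost the difference is presumably
# accidental — confirm which scheme the local directory actually serves.
auth_plain:
driver = plaintext
public_name = PLAIN
server_condition = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldap:///LDAP_OU_USERS,LDAP_DC_BASE??sub?(&(uid=${quote_ldap:$2})(userPassword=${quote_ldap:$3}))}{yes}{no}}
server_prompts = :
server_set_id = $2
auth_login:
driver = plaintext
public_name = LOGIN
server_condition = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldap:///LDAP_OU_USERS,LDAP_DC_BASE??sub?(&(uid=${quote_ldap:$1})(userPassword=${quote_ldap:$2}))}{yes}{no}}
server_prompts = Username:: : Password::
server_set_id = $1
auth_cram_md5:
driver = cram_md5
public_name = CRAM-MD5
server_secret = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldaps:///LDAP_OU_USERS,LDAP_DC_BASE?userPassword?sub?(&(uid=${quote_ldap:$1}))}{$value}fail}
server_set_id = $1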
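# Macros used by the included router/transport fragments. VMAILDIR must agree
# with mail_location in dovecot.conf (/usr/local/vmail/%u/Maildir).
VMAILDIR = /usr/local/vmail
CONFDIR = /usr/local/etc/exim
domainlist local_domains = @ : CONFDIR/exim.conf.local-domains
domainlist relay_to_domains = CONFDIR/exim.conf.relay-to-domains
# NOTE(review): rejoined onto one line; the mailed copy had the file name
# wrapped onto the following line, which Exim would read as a separate,
# invalid setting. The included file lists 192.168.0.0/24, so the whole LAN
# is in relay_from_hosts.
hostlist relay_from_hosts = @ : 127.0.0.1 : CONFDIR/exim.conf.relay-from-hosts
smtp_banner = "$primary_hostname ESMTP Server $tod_full"
.include CONFDIR/exim.conf.primary-hostname
# NOTE(review): this include defines the LDAP bind DN and cleartext password
# (LDAP_DN_USER/LDAP_DN_PASS); anyone who can read it can read the directory
# with admin rights, so its permissions should be no wider than this file's.
.include CONFDIR/exim.conf.ldap-auth
av_scanner = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
exim_user = mailnull
exim_group = mail
never_users = root
host_lookup = *
rfc1413_hosts = !*
ignore_bounce_errors_after = 2d
timeout_frozen_after = 7d
accept_8bitmime = true
message_size_limit = 10M
smtp_enforce_sync = true
# NOTE(review): no system_filter_user is set, so the system filter runs with
# the privileges Exim gives it by default (historically root) — confirm for
# the Exim version in use and consider setting system_filter_user if the
# filter ever pipes or writes files.
system_filter = CONFDIR/system.filter
log_selector = +all
log_file_path = /var/log/exim/%s-%D.log
######################################################################
# ACL CONFIGURATION
######################################################################
# NOTE(review): the ACLs are not part of this mail; relay decisions for
# relay_from_hosts and the authenticators live there.
begin acl
.include CONFDIR/exim.conf.acl-check-rcpt
.include CONFDIR/exim.conf.acl-check-data
######################################################################
# ROUTERS CONFIGURATION #
######################################################################
begin routers
.include CONFDIR/exim.conf.routers
######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports
.include CONFDIR/exim.conf.transports
######################################################################
# RETRY CONFIGURATION #
######################################################################
begin retry
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 6 hours until 4 days have passed since the first
# failed delivery.
# Address or Domain Error Retries
# ----------------- ----- -------
* * F,2h,15m; G,16h,1h,1.5; F,4d,6h
######################################################################
# REWRITE CONFIGURATION #
######################################################################
# There are no rewriting specifications in this default configuration file.
begin rewrite
######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################
# The authenticators are defined in the included file (PLAIN, LOGIN and
# CRAM-MD5 against LDAP); the stock "no authenticators" sentence below no
# longer describes this configuration.
# There are no authenticator specifications in this default configuration file.
begin authenticators
.include CONFDIR/exim.conf.authenticators
######################################################################
# CONFIGURATION FOR local_scan() #
######################################################################
# If you have built Exim to include a local_scan() function that contains
# tables for private options, you can define those options here. Remember to
# uncomment the "begin" line. It is commented by default because it provokes
# an error with Exim binaries that are not built with LOCAL_SCAN_HAS_OPTIONS
# set in the Local/Makefile.
# begin local_scan
# End of Exim configuration file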
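# exim.conf.routers v1.01
#
# NOTE(review): the three LDAP "data"/"local_parts" settings below are
# rejoined onto single lines; the mailed copy had them wrapped after
# LDAP_DN_PASS, which Exim does not accept without a trailing backslash.
# Every client-derived value in the filters goes through ${quote_ldap:...};
# keep that when editing the filters.
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
# Refuse to deliver to addresses that resolve to the unspecified or loopback
# range, so a poisoned or misconfigured DNS entry cannot turn a remote
# delivery into a local one.
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
no_more
# Classic /etc/aliases expansion. NOTE(review): pipe_transport names
# "address_pipe", which the transports fragment in this mail does not define;
# a pipe alias would fail at delivery time unless it exists elsewhere.
system_aliases:
driver = redirect
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
# Aliases kept in the directory as nisMailAlias entries (rfc822MailMember
# holds the targets).
ldap_aliases:
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldap:///LDAP_OU_ALIASES,LDAP_DC_BASE?rfc822MailMember?sub?(&(objectClass=nisMailAlias)(cn=${quote_ldap:$local_part}))}}
file_transport = address_file
pipe_transport = address_pipe
# Group aliases: a local part matching a group cn is expanded to the group's
# memberUID values, which are then routed again (normally to ldap_user).
ldap_groups_aliases:
driver = redirect
domains = +local_domains
data = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldap:///LDAP_OU_GROUPS,LDAP_DC_BASE?memberUID?sub?(&(cn=${quote_ldap:$local_part}))}}
file_transport = address_file
pipe_transport = address_pipe
allow_fail
allow_defer
# Final delivery for directory users: the local part must equal a uid held
# in the directory, then ldap_delivery writes to VMAILDIR/$local_part/Maildir.
ldap_user:
driver = accept
domains = +local_domains
# NOTE(review): the lookup and the local_parts match are both
# case-insensitive by default, but the transport uses $local_part as the
# sender typed it in the Maildir path; a mixed-case address could presumably
# land in a differently named directory than Dovecot's %u. If that matters,
# look at caseful_local_part or lower-case the value in the transport —
# confirm behaviour before changing.
local_parts = ${lookup ldap{LDAP_DN_USER LDAP_DN_PASS ldap:///LDAP_OU_USERS,LDAP_DC_BASE?uid?sub?(&(objectclass=posixAccount)(uid=${quote_ldap:$local_part}))}}
user = mailnull
group = mail
transport = ldap_delivery
cannot_route_message = User unknown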