On 12/03/2013 08:15 AM, Philippe Lelidy wrote:
> Hi,
>
> After a long struggle with OpenSMTPD and Dovecot, I am sending what I have managed
> to get working, to second the suggestion to publish some working configs. Here
> is my contribution.
>
> A) The MUA ( Thunderbird)
>
> a) SMTP: port 587, a <submission-username>, normal password, STARTTLS
> b) IMAP: port 143, <[email protected]>, SSL/TLS, normal password for virtuser,
> but for system user the login name has to be only <user>
>
> B) OpenSMTPD
>
> The mail server listens on port submission only, for the users in
> <submission.creds>. The usernames in this table are never used elsewhere,
> except, of course, in the MUA.
>
> cat submission.creds:
>
> submission-username
> $2a$06$wFyLTXxVQN/VNj7SajXz3ekJVSpY3XjBwj.o736xaf1lOe589KHEa
>
> listen on egress port submission tls-require pki mon.domaine.fr auth <submission.creds> hostname mon.domaine.fr
>
> Here I use egress which is a nice OpenBSD abstraction for external network
> interface(s).
>
> What to do for mails whose rcpt-to's domain is in <domaines.locaux> and
> rcpt-to's user is either in <virtual.aliases> or in <mes.utilisateurs> ?
>
> accept for domain <domaines.locaux> alias <virtual.aliases> userbase <mes.utilisateurs> deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}"
>
> A couple of warnings, here:
>
> 1)
> Don't use "virtual <virtual.aliases>" but "alias <virtual.aliases>". After
> reading the man page four times, I don't understand the difference. But for me
> "virtual <virtual.aliases>" is broken.
> With the same table which works with "alias" I have erratic results with
> "virtual".
>
> smtpd -dv -T lookup
>
> gives
>
> -----------------
> lookup: lookup "[email protected]" as ALIAS in table static:virtual.aliases
> -> 0
> lookup: lookup "user" as ALIAS in table static:virtual.aliases -> 0
> lookup: lookup "@mon.domaine.fr" as ALIAS in table static:virtual.aliases -> 0
> lookup: lookup "@" as ALIAS in table static:virtual.aliases -> 0
> smtp-in: Failed command on session fd4bc2bef2645ea9: "RCPT
> TO:<[email protected]>" => 550 Invalid recipient
> -----------------
>
> but with alias, it works
>
> -----------------
> lookup: lookup "user" as ALIAS in table static:virtual.aliases -> 0
> lookup: lookup "user" as USERINFO in table static:mes.utilisateurs ->
> "user:5000:5000:"
> -----------------
>
> 2)Alias resolution is recursive
>
> 3) In the second part of the alias file you HAVE to use a domain name. If you
> don't, the mails will arrive in the original rcpt-to mailbox.
>
> 4) OpenSMTPD gives no indication of the address translation in the headers of
> the mail (Postfix does).
>
> Here is <domaines.locaux>
> ---------------
> domaine.fr
> *.domaine.fr
>
> Here is <virtual.aliases>
> ---------------
> apple [email protected]
> # does change %{dest}
> #apple pub doesn't change %{dest}
> phil phili
> phili [email protected]
> gmail [email protected]
> ---------------
>
> Here is <mes.utilisateurs>
> ---------
> user1 5000:5000:
> user2 5000:5000:
> pub 5000:5000:
> ---------
>
> A couple of remarks about this table.
>
> a) The directory part is useless because I don't use OpenSMTPD's own MDA, so
> I happily do not have to put it in this file.
> b) The uid:gid part is useless for the same reason, but is MANDATORY.
> c) Don't use [email protected]
>
> C) OpenSMTPD --> Dovecot
>
> deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}"
>
> I discovered that -a is not used by dovecot-lda. I struggled hard to
> have %{dest} be the final recipient and not the original rcpt-to.
>
> I don't use OpenSMTPD's own MDA, so that only one piece of software deals with
> mailboxes.
> I don't use LMTP for the transmission from OpenSMTPD to Dovecot because
> OpenSMTPD uses RCPT TO:<user> and not RCPT TO:<[email protected]>, so Dovecot
> can't distinguish between bob@domain1 and bob@domain2.
>
> D) Dovecot
>
> l) Listen
> protocols = imap lmtp
>
> service imap-login {
> inet_listener imap {
> address = localhost
> port = 143
> ssl = no   # for webmail
> }
> inet_listener imaps {
> address = host.domaine.fr
> port = 143   # 993 deprecated
> ssl = yes
> }
> }
>
> a) In /etc/passwd
> doveLDA:*:5000:5000:Postman in charge of delivering the mail:/nonexistent:/sbin/nologin
>
> b) ls -ld /var/mail/users
> drwxr-xr-x 4 doveLDA doveLDA 512 Dec 3 03:18 /var/mail/users
> Permission of auto-created directories will inherit from /var/mail/users
>
> c) Auth
> c-1) System users:
> passdb {
> driver = bsdauth
> # args = username_format=%n REFUSED
> }
I also had to add this to /etc/login.conf to have system-user authentication
working (on OpenBSD 5.4):
dovecot:\
:auth=:\
:auth-imap=passwd:\
:openfiles-cur=512:\
:openfiles-max=2048:\
:tc=daemon:
> This is the reason why system users have to log in as <user> and not as
> <user@domain>.
> c-2) Virt users:
> passdb {
> driver = passwd-file
> args = username_format=%n /etc/dovecot/passwd
> }
> Only <user> from the login <user@domain> is used to check the password (NOT VERY
> CONSISTENT, I acknowledge!)
>
> d) mailboxes
> lda_mailbox_autocreate = yes
> lda_mailbox_autosubscribe = yes
> mail_home = /var/mail/users/%d/%n   # overridden by the value from /etc/passwd for system users
> mail_location = maildir:/var/mail/users/system/%n/Maildir   # overridden from userdb for system users
> userdb {
> driver = static
> args = uid=5000 gid=5000 mail=mdbox:~/mdbox allow_all_users=yes
> }
>
> e) Debugging
>
> e-1) All Dovecot sub-routines can be used stand-alone, which makes debugging easy.
>
> e-2)
> #auth_verbose = yes
> #auth_verbose_passwords = plain
> #auth_debug_passwords = yes
> mail_debug=yes
> deliver_log_format = msgid=%m: %$ From: %f Subject: %s
>
> TO-DO
>
> 1) listen on egress port smtp
I found the 'secure' flag useful here, as it provides all I wanted (port 25
with optional STARTTLS, and port 465 SMTPS):
listen on egress secure pki mx.etorok.net
Best regards,
--Edwin
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]