Please be aware we have a wiki on github and I will take time converting it into a FAQ if people take time filling it in :-)
Gilles

On 12/03/13 18:33, edwin wrote:
> On 12/03/2013 08:15 AM, Philippe Lelidy wrote:
>> Hi,
>>
>> After a long struggle with OpenSMTPD and dovecot, I send what I have managed
>> to work, for seconding the suggestion to publish some working configs. Here
>> is my contribution
>>
>> A) The MUA ( Thunderbird)
>>
>> a) SMTP: port 587, a <submission-username>, normal password, STARTTLS
>> b) IMAP: port 143, <[email protected]>, SSL/TLS, normal password for virtuser,
>> but for system user the login name has to be only <user>
>>
>> B) OpenSMTPD
>>
>> The mail server listens on port submission only for users in
>> <submission.creds>. The usernames in this table are never used elsewhere,
>> except, of course, in the MUA.
>>
>> cat submission.creds:
>>
>> submission-username $2a$06$wFyLTXxVQN/VNj7SajXz3ekJVSpY3XjBwj.o736xaf1lOe589KHEa
>>
>> listen on egress port submission tls-require pki mon.domaine.fr auth <submission.creds> hostname mon.domaine.fr
>>
>> Here I use egress which is a nice OpenBSD abstraction for external network
>> interface(s).
>>
>> What to do for mails whose rcpt-to's domain is in <domaines.locaux> and
>> rcpt-to's user is either in <virtual.aliases> or in <mes.utilisateurs> ?
>>
>> accept for domain <domaines.locaux> alias <virtual.aliases> userbase <mes.utilisateurs> deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}"
>>
>> A couple of warnings, here:
>>
>> 1)
>> don't use "virtual <virtual.aliases>" but "alias <virtual.aliases>". After
>> reading 4 times the man page, I don't understand the difference. But for me
>> "virtual <virtual.aliases>" is broken.
>> With the same table which works with "alias" I have erratic results with
>> "virtual".
>>
>> smtpd -dv -T lookup
>>
>> gives
>>
>> -----------------
>> lookup: lookup "[email protected]" as ALIAS in table static:virtual.aliases -> 0
>> lookup: lookup "user" as ALIAS in table static:virtual.aliases -> 0
>> lookup: lookup "@mon.domaine.fr" as ALIAS in table static:virtual.aliases -> 0
>> lookup: lookup "@" as ALIAS in table static:virtual.aliases -> 0
>> smtp-in: Failed command on session fd4bc2bef2645ea9: "RCPT TO:<[email protected]>" => 550 Invalid recipient
>> -----------------
>>
>> but with alias, it works
>>
>> -----------------
>> lookup: lookup "user" as ALIAS in table static:virtual.aliases -> 0
>> lookup: lookup "user" as USERINFO in table static:mes.utilisateurs -> "user:5000:5000:"
>> -----------------
>>
>> 2) Alias resolution is recursive
>>
>> 3) In the second part of alias file you HAVE to use a domain name. Not doing
>> so, the mails will arrive in the original rcpt-to mailbox
>>
>> 4) OpenSMTPD doesn't inform of the address translation in the headers of the
>> mail ( Postfix does do it).
>>
>> Here is <domaines.locaux>
>> ---------------
>> domaine.fr
>> *.domaine.fr
>>
>> Here is <virtual.aliases>
>> ---------------
>> apple [email protected]
>> # does change %{dest}
>> #apple pub doesn't change %{dest}
>> phil phili
>> phili [email protected]
>> gmail [email protected]
>> ---------------
>>
>> Here is <mes.utilisateurs>
>> ---------
>> user1 5000:5000:
>> user2 5000:5000:
>> pub 5000:5000:
>> ---------
>>
>> A couple of remarks about this table.
>>
>> a) The directory part is useless because I don't use OpenSMTPD's own MDA, so
>> I happily do not have to put it in this file.
>> b) The uid:gid part is useless for the same reason, but is MANDATORY
>> c) Don't use [email protected]
>>
>> C) OpenSMTPD --> Dovecot
>>
>> deliver to mda "/usr/local/libexec/dovecot/dovecot-lda -f %{sender} -d %{dest}"
>>
>> I discovered that the -a is not used by dovecot-lda.
>> I struggled hard to have %{dest} being the final recipient and not the original rcpt-to.
>>
>> I don't use OpenSMTPD's own MDA for having only one software dealing with
>> mailboxes.
>> I don't use the LMTP way of transmission from OpenSMTPD to Dovecot because
>> OpenSMTPD uses RCPT TO:<user> and not RCPT TO:<[email protected]>, so dovecot
>> can't distinguish between bob@domain1 and bob@domain2.
>>
>> D) Dovecot
>>
>> l) Listen
>> protocols = imap lmtp
>>
>> service imap-login {
>>   inet_listener imap {
>>     address = localhost
>>     port = 143
>>     ssl = no (* for webmail *)
>>   }
>>   inet_listener imaps {
>>     address = host.domaine.fr
>>     port = 143 (* 993 deprecated *)
>>     ssl = yes
>>   }
>> }
>>
>> a) In /etc/passwd
>> doveLDA:*:5000:5000:Facteur chargé de livrer le courrier:/nonexistent:/sbin/nologin
>>
>> b) ls -ld /var/mail/users
>> drwxr-xr-x 4 doveLDA doveLDA 512 Dec 3 03:18 /var/mail/users
>> Permission of auto-created directories will inherit from /var/mail/users
>>
>> c) Auth
>> c-1) System users:
>> passdb {
>>   driver = bsdauth
>>   # args = username_format=%n REFUSED
>> }
> I also had to add this to /etc/login.conf to have system-user authentication
> working (on OpenBSD 5.4):
> dovecot:\
>         :auth=:\
>         :auth-imap=passwd:\
>         :openfiles-cur=512:\
>         :openfiles-max=2048:\
>         :tc=daemon:
>
>
>> This is the reason why system users have to log in as <user> and not as
>> <user@domain>
>> c-2) Virt users:
>> passdb {
>>   driver = passwd-file
>>   args = username_format=%n /etc/dovecot/passwd
>> }
>> Only <user> from login <user@domain> is used to check the password ( NOT
>> VERY CONSISTENT, I acknowledge!)
>>
>> d) mailboxes
>> lda_mailbox_autocreate = yes
>> lda_mailbox_autosubscribe = yes
>> mail_home=/var/mail/users/%d/%n # will be overridden by value from /etc/passwd for system users
>> mail_location = maildir:/var/mail/users/system/%n/Maildir # will be overridden from userdb for system users
>> userdb {
>>   driver = static
>>   args = uid=5000 gid=5000 mail=mdbox:~/mdbox allow_all_users=yes
>> }
>>
>> e) Debugging
>>
>> e-1) All dovecot sub-routines can be used stand-alone, which makes debugging easy
>>
>> e-2)
>> #auth_verbose = yes
>> #auth_verbose_passwords = plain
>> #auth_debug_passwords = yes
>> mail_debug=yes
>> deliver_log_format = msgid=%m: %$ From: %f Subject: %s
>>
>> TO-DO
>>
>> 1) listen on egress port smtp
> I found the 'secure' flag useful here, as it provides all I wanted (port 25
> with optional STARTTLS, and port 465 SMTPS):
> listen on egress secure pki mx.etorok.net
>
> Best regards,
> --Edwin
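The `smtpd -dv -T lookup` trace quoted in the thread shows the order in which keys are tried against the alias table (full address, bare local part, `@domain`, then the catch-all `@`), and Philippe's warning 2) says alias resolution is recursive. As an added example, not code from the thread and not OpenSMTPD's own implementation, here is a small Python model of that lookup sequence with recursive expansion, run over constructed tables that mirror `<domaines.locaux>`, `<virtual.aliases>` and `<mes.utilisateurs>`. The `loop1`/`loop2` entries, the `user1@domaine.fr` target and the hop limit are constructed for the demonstration; the cycle guard is this model's assumption, not a documented OpenSMTPD behaviour. It is useful as a defender's sanity check on an alias table: it surfaces exactly which key hit, where a chain ends, and whether any entry loops.

```python
"""Added example (not from the thread, not OpenSMTPD code): a model of the
alias-table lookup order seen in `smtpd -dv -T lookup`, with the recursive
expansion the post describes and a loop guard."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed tables mirroring the post's <domaines.locaux>, <virtual.aliases>
# and <mes.utilisateurs>.  Targets with a domain are made-up placeholders;
# loop1/loop2 are constructed to show what a cyclic alias does.
LOCAL_DOMAINS: List[str] = ["domaine.fr", "*.domaine.fr"]
VIRTUAL_ALIASES: Dict[str, str] = {
    "apple": "pub@domaine.fr",      # target carries a domain (changes %{dest})
    "phil": "phili",                # one hop ...
    "phili": "user1@domaine.fr",    # ... resolved recursively
    "loop1": "loop2",               # constructed cycle
    "loop2": "loop1",
}
USERBASE: Set[str] = {"user1", "user2", "pub"}   # login names from <mes.utilisateurs>


def is_local_domain(domain: str, patterns: List[str] = LOCAL_DOMAINS) -> bool:
    """Match a domain against exact entries and '*.suffix' wildcards."""
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                     # ".domaine.fr"
            if domain.endswith(suffix) and len(domain) > len(suffix):
                return True
        elif domain == pattern:
            return True
    return False


def lookup_keys(recipient: str) -> List[str]:
    """Keys tried, in order, as the first trace in the post shows:
    full address, local part, '@domain', then the catch-all '@'.
    A bare local part (the result of a previous alias hop) is tried as-is."""
    local, _, domain = recipient.partition("@")
    if not domain:
        return [local]
    return [recipient, local, "@" + domain, "@"]


def resolve(recipient: str,
            aliases: Dict[str, str] = VIRTUAL_ALIASES,
            userbase: Set[str] = USERBASE,
            max_hops: int = 16) -> Tuple[str, List[str]]:
    """Expand aliases until a real user (or a non-local domain) is reached.

    Returns (final_recipient, trace); trace holds log-like lines.
    Raises LookupError for an unknown recipient (the 550 case in the post)
    and ValueError for an alias cycle or an over-long chain (the guard is
    this model's assumption, not documented OpenSMTPD behaviour)."""
    trace: List[str] = []
    seen: Set[str] = set()
    current = recipient
    for _ in range(max_hops):
        if current in seen:
            raise ValueError("alias loop detected at %r" % current)
        seen.add(current)
        local, _, domain = current.partition("@")
        if domain and not is_local_domain(domain):
            trace.append("relay: %s is not a local domain" % current)
            return current, trace
        target: Optional[str] = None
        for key in lookup_keys(current):
            target = aliases.get(key)
            trace.append('lookup "%s" as ALIAS -> %s'
                         % (key, "0" if target is None else target))
            if target is not None:
                break
        if target is not None:
            current = target            # recursive expansion
            continue
        if local in userbase:
            trace.append('lookup "%s" as USERINFO -> found' % local)
            return current, trace
        trace.append("550 Invalid recipient: %s" % recipient)
        raise LookupError("550 Invalid recipient: %s" % recipient)
    raise ValueError("alias chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    for addr in ("apple@domaine.fr", "phil@domaine.fr",
                 "nobody@domaine.fr", "loop1@domaine.fr"):
        try:
            final, log = resolve(addr)
            print(addr, "->", final)
        except (LookupError, ValueError) as exc:
            print(addr, "->", exc)
        for line in log if "log" in dir() else []:
            pass
```

Run it directly to see each address resolved or rejected; call `resolve()` on a single address and print its trace to get the same kind of "lookup ... as ALIAS -> 0" sequence the post shows, without having to raise `smtpd -dv -T lookup` on a live server.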
