Hi peoples, :)
I'm building a new mail server with "focus" on
more security. For this "setup" I have enough time to
read the guides, how-to's and manuals more carefully,
and also to do some tests to check the security and
implementations.
The new server is UP and "in quarantine",
waiting to go "in production". Before that I would like to
try to solve some doubts, and if it is possible, I would
like to contribute to LWQ-ldap to fill in the missing
points. :)) I don't know if Henning Brauer (LWQ-ldap
author) is around, so if it is not possible, I hope I can
write a "complement" to life-with-qmail-ldap. :))
The system is a Debian Woody (stable) 3.0r2 i386
Compaq Proliant (ML370)
Pentium III 1GHz / 512 MB (RAM)
HD 36.4 GB SCSI (10K) (XFS filesystem)
Normal LWQ and LWQ-ldap installation.
1) "Automagically" directory creation and permissions
I've turned on AUTOMAILDIRMAKE and AUTOHOMEDIRMAKE,
in Makefile I set this:
MDIRMAKE=-DAUTOMAILDIRMAKE
HDIRMAKE=-DAUTOHOMEDIRMAKE
Is there any configuration to AUTOMAILDIRMAKE?
I believe that it is inside qmail-ldap patch, so it
creates the maildir directory inside /var/qmail/maildirs,
is this correct?
What are the correct permissions for the qmail maildirs
directory? I'm using 0775, with vmail:vmail, but it looks
like that in this way it is not possible to create the
dir. What am I missing here?
For AUTOHOMEDIRMAKE I create the ~control/dirmaker
and put a create-homedir script inside ~qmail/bin. But I
got the same problem, permissions. My /home is 2775, with
root:staff; do I have to change the permissions and the
owner:group? Is it really necessary to create the homedir?
Or does the delivery happen without the homedir?
My create-homedir script has:
#!/bin/sh
# create the home directory passed as first argument, mode 0700
mkdir -m 700 -p "$1"
#EOF
2) SSL/TLS
The ldap packages for Debian came without TLS, so
I download the sources (apt-get source) and rebuild it
using TLS, so it is the same package just with TLS enabled.
I need to rebuild the ldaputils, slapd and libldap2 and
libldap2-dev.
I'm expecting to set up a TLS-only mail server,
running ldaps://127.0.0.1/ and ldaps://PUBLIC-IP/, is
it possible? Because I cannot find how to set up qmail-ldap
to access the LDAP server using TLS. My other question is,
am I being too paranoid, in other words, do I not need to
use TLS on localhost??
3) LDAP access control
I was wondering if we can collect some good examples
of "access control" for LDAP, probably Andre and Claudio can
give good information about this.
I would like to give just the "needed" permissions for
qmail-ldap to work, but I'm not completely sure about what it
needs.
The main
Thanks for "patience"! :o)
Best regards,
--
//////////
// Felipe Augusto van de Wiel
// Network and Systems Admin.
// [EMAIL PROTECTED]
// http://www.paranacidade.org.br/
//////////