Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-30 Thread Markus Rosjat

Hi Craig,

I will check it out; for now I'm glad about the input I got here from all 
of you :) The list is in a lot of cases the right place to get help!


For me it's hard to battle with some of these things because it's not my 
main focus. In the end I try to write some code in C# or Python. But 
since I'm the only guy that wants to battle the cmd on an OpenBSD 
box, in a world surrounded by Windows environments ... I try to do my 
best ;)


I will take all the input I got and try to make something out of it :)
If someone wants to share more insights, please do so ;)


regards

Markus

On 28.01.2017 at 15:05, Craig Skinner wrote:

Hi Markus,

On 2017-01-27 Fri 12:24 PM |, Markus Rosjat wrote:

I don't like the idea of one single virtual user handling all the traffic to
the mail directories.


Me neither.

Here, all users have proper shell accounts & SSH access, for mutt, etc.

Stop Dovecot, unmount /var/mail (where mail stays), dump(1). No SQL "spool".

There is no LDAP nor SQL, it is all simple stuff;-

*) The MTA delivers via LMTP to Dovecot - which sieves mail.
   (Thunderbird & other mail clients have a sieve plugin.)

*) Users IMAP/POP/SMTP auth via an individual passwd file,
   which they change via a script (which calls pwqcheck(1) in ports).
   /etc/passwd is _NOT_ used for mail authentication.
   (MTA SMTP submission port auth relaying is validated by Dovecot too.)

No webmail; everybody is expected to have their own IMAP/POP/SSH device.

$ doveconf -n
# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: OpenBSD 6.0 i386  ffs
auth_mechanisms = cram-md5 apop
auth_username_format = %Ln
first_valid_uid = 1000
listen = *
mail_location = maildir:/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Templates {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CRAM-MD5
  driver = passwd-file
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CLEAR
  driver = passwd-file
  skip = authenticated
}
plugin {
  sieve = file:/var/mail/%u/sieve/;active=active.sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = _postfix
    mode = 0660
    user = _postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = _postfix
    mode = 0660
    user = _postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = no
userdb {
  args = blocking=no
  driver = passwd
  result_failure = return-fail
}
protocol lmtp {
  mail_plugins = " sieve"
  postmaster_address = postmaster
}


In the future I hope to be able to deploy OpenSMTPd,
when the filtering & other work has stabilised.

Cheers,



--
Markus Rosjat   fon: +49 351 8107223   mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT




Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-28 Thread Craig Skinner
Hi Markus,

On 2017-01-27 Fri 12:24 PM |, Markus Rosjat wrote:
> I don't like the idea of one single virtual user handling all the traffic to
> the mail directories.

Me neither.

Here, all users have proper shell accounts & SSH access, for mutt, etc.

Stop Dovecot, unmount /var/mail (where mail stays), dump(1). No SQL "spool".

There is no LDAP nor SQL, it is all simple stuff;-

*) The MTA delivers via LMTP to Dovecot - which sieves mail.
   (Thunderbird & other mail clients have a sieve plugin.)

*) Users IMAP/POP/SMTP auth via an individual passwd file,
   which they change via a script (which calls pwqcheck(1) in ports).
   /etc/passwd is _NOT_ used for mail authentication.
   (MTA SMTP submission port auth relaying is validated by Dovecot too.)

No webmail; everybody is expected to have their own IMAP/POP/SSH device.

$ doveconf -n
# 2.2.24 (a82c823): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.14 (099a97c)
# OS: OpenBSD 6.0 i386  ffs
auth_mechanisms = cram-md5 apop
auth_username_format = %Ln
first_valid_uid = 1000
listen = *
mail_location = maildir:/var/mail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
mmap_disable = yes
namespace inbox {
  inbox = yes
  location =
  mailbox Archive {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Templates {
    auto = subscribe
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
  separator = /
  type = private
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CRAM-MD5
  driver = passwd-file
}
passdb {
  args = /var/dovecot/auth.d/%u/passwd.CLEAR
  driver = passwd-file
  skip = authenticated
}
plugin {
  sieve = file:/var/mail/%u/sieve/;active=active.sieve
}
protocols = imap pop3 lmtp sieve
service auth {
  unix_listener /var/spool/postfix/private/dovecot-auth {
    group = _postfix
    mode = 0660
    user = _postfix
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = _postfix
    mode = 0660
    user = _postfix
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
}
ssl = no
userdb {
  args = blocking=no
  driver = passwd
  result_failure = return-fail
}
protocol lmtp {
  mail_plugins = " sieve"
  postmaster_address = postmaster
}


In the future I hope to be able to deploy OpenSMTPd,
when the filtering & other work has stabilised.

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7
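The auth_mechanisms = cram-md5 apop together with ssl = no in the doveconf output above is worth seeing end to end. The following is an added example, not Craig's scripts and not Dovecot code: it runs the RFC 2195 CRAM-MD5 exchange from both sides (the server's challenge, the client's HMAC-MD5 response, the server's constant-time check against a passdb lookup, modelled here by a dictionary standing in for the per-user passwd file) and then shows what a passive observer of the unencrypted IMAP/POP session can do with one captured challenge/response pair: test candidates from a word list offline. Host name, user name, password and word list are constructed sample data.

```python
"""CRAM-MD5 (RFC 2195) as spoken on the IMAP/POP AUTH exchange, from both sides,
plus the offline attack a passive observer of an unencrypted session can run.
Added example for this thread, not Dovecot code and not Craig's scripts.
Host name, user name, password and word list below are constructed sample data."""
import hashlib
import hmac
import os
import time
from typing import Callable, Iterable, Optional


def make_challenge(hostname: str = "mail.example.invalid") -> bytes:
    """Server side: a unique, unpredictable challenge in the msg-id form RFC 2195
    uses. On the wire it is sent base64-encoded after the '+ ' continuation."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(challenge: bytes, username: str, password: str) -> str:
    """Client side: 'user HEX(HMAC-MD5(key=password, msg=challenge))'.
    This string is what gets base64-encoded and sent back; the password itself
    never leaves the client."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def server_verify(challenge: bytes, response: str,
                  lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Server side: split the response, fetch the user's secret from the passdb
    (`lookup` models e.g. a per-user passwd file; it returns None for unknown
    users), recompute the digest and compare in constant time.
    Returns the authenticated user name, or None."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return None
    secret = lookup(user)
    if secret is None:
        # Do the same amount of work for unknown users so that user enumeration
        # by response timing is not trivially possible.
        hmac.new(b"", challenge, hashlib.md5)
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def offline_attack(challenge: bytes, response: str,
                   wordlist: Iterable[str]) -> Optional[str]:
    """What a sniffer holding one captured challenge/response pair can do when
    the session was not TLS-protected: try candidate passwords offline at
    HMAC-MD5 speed, without ever talking to the server again."""
    _, digest = response.split(" ", 1)
    for candidate in wordlist:
        if hmac.new(candidate.encode(), challenge, hashlib.md5).hexdigest() == digest:
            return candidate
    return None


# Constructed sample data: a one-user "passdb" and a tiny word list.
SAMPLE_PASSDB = {"markus": "correct horse battery"}
SAMPLE_WORDLIST = ["password", "letmein", "correct horse battery", "hunter2"]


def demo() -> dict:
    chal = make_challenge()
    good = client_response(chal, "markus", SAMPLE_PASSDB["markus"])
    return {
        "good": server_verify(chal, good, SAMPLE_PASSDB.get),
        "wrong_password": server_verify(
            chal, client_response(chal, "markus", "wrong"), SAMPLE_PASSDB.get),
        "unknown_user": server_verify(
            chal, client_response(chal, "nobody", "x"), SAMPLE_PASSDB.get),
        # A captured response is useless against a fresh challenge ...
        "replay": server_verify(make_challenge(), good, SAMPLE_PASSDB.get),
        # ... but the captured pair itself is an offline cracking target.
        "cracked": offline_attack(chal, good, SAMPLE_WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from this. The password itself is never sent, which is the point of CRAM-MD5 on a cleartext port, but a captured pair is a cheap offline cracking target (one HMAC-MD5 per guess) and with ssl = no everything after authentication, i.e. the mail itself, is readable on the wire. The server also has to hold a password-equivalent secret to verify a response (Dovecot's CRAM-MD5 password scheme stores precomputed MD5 contexts), so the per-user passwd.CRAM-MD5 files deserve the same protection as plaintext passwords.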



Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Stuart Henderson
On 2017-01-27, Markus Rosjat  wrote:
> Hi Kim,
>
> I don't like the idea of one single virtual user handling all the traffic 
> to the mail directories. I did read about it but it feels strange to me. 

It makes things a lot simpler in some cases (e.g. if you share some
folders between users, or if you're using dsync-over-ssh and don't
want to give it root).

>>>  - is it possible to migrate old maildirs to use with dovecot
>> It is possible, Maildir can be used directly, mbox transferred.
>> There also exists an courier-dovecot-migrate script that rewrites
>> courier's index et al. for dovecot.
>> (https://wiki2.dovecot.org/Migration/Courier)

Or you can use "doveadm sync" with an imap source. If you want to convert
to something other than Maildir (for example mdbox, which works well)
then that would let you do it in a single step.



Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Marcus MERIGHI
Hello,

ros...@ghweb.de (Markus Rosjat), 2017.01.27 (Fri) 09:44 (CET):
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a system
> with openSMTP and Dovecot.
> 
> Old system:
> 
> - Has system accounts that match LDAP accounts
> - system accounts to handle access to the filesystem
> - LDAP accounts to auth with courier/sendmail

This system wasn't OpenBSD?

> New System should:
> 
>  - use old system accounts
>  - use old LDAP dir to auth with OpenSMTP/Dovecot

I think ypldap(8) is what you are looking for. 

> Additional Questions:
> 
>  - is it possible to migrate old maildirs to use with dovecot
> 
> I don't want to set up just one virtual user to handle dovecot delivery since
> I already have the LDAP users. I tested to set permissions on directories
> and files for a LDAP user that has no system account counterpart and it seems
> to work but it doesn't feel right to do so in a production environment :)

Please elaborate... user foobar did not exist in passwd(5) and you did a
'chown foobar /home/foobar'? Without ypldap(8)?

Marcus

> If someone could give some advice or point in the right direction it would
> be much appreciated.
> 
> 
> Regards
> 


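Markus's worry about maildirs owned by a user that exists only in LDAP, and Marcus's ypldap(8) pointer, come down to one check that is worth running before the cut-over: does every per-user maildir belong to a UID that the system's own account lookup resolves, to the matching name, and above Dovecot's first_valid_uid? The following is an added example (not from the thread and not Dovecot code) that performs that audit. resolve_uid goes through getpwuid(3), which is where ypldap-exported LDAP users become visible; the sample owner table and account table are constructed so the check can be exercised without root or a real mail spool, and the mail root path is a hypothetical argument.

```python
"""Ownership audit for per-user maildirs, for the account model discussed in
this thread (real system accounts rather than one _vmail user). Every maildir
under the mail root must be owned by a UID that the system's account lookup
resolves (passwd(5) directly, or LDAP users made visible to getpwuid(3) via
ypldap(8)), the resolved name must match the directory name, and the UID must
not be below first_valid_uid, otherwise a userdb { driver = passwd } lookup and
LMTP delivery as that user will not line up.
Added example, not from the thread or from Dovecot. collect_owners reads the
real filesystem; audit_owners is pure so it can run on constructed data."""
import os
import pwd
from typing import Callable, Dict, List, Optional


def resolve_uid(uid: int) -> Optional[str]:
    """System account lookup through the C library (this is where
    ypldap-served LDAP users appear on OpenBSD)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None


def collect_owners(mail_root: str) -> Dict[str, int]:
    """{directory name: owner uid} for every maildir directly under mail_root.
    Symlinks are not followed: a symlinked maildir is itself a finding to look at."""
    owners: Dict[str, int] = {}
    with os.scandir(mail_root) as it:
        for entry in it:
            if entry.is_dir(follow_symlinks=False):
                owners[entry.name] = entry.stat(follow_symlinks=False).st_uid
    return owners


def audit_owners(owners: Dict[str, int],
                 resolve: Callable[[int], Optional[str]] = resolve_uid,
                 first_valid_uid: int = 1000) -> List[str]:
    """Return one finding per maildir that Dovecot (first_valid_uid, userdb passwd)
    would not serve correctly. An empty list means every directory is owned by a
    resolvable, matching, non-system account."""
    findings: List[str] = []
    for name, uid in sorted(owners.items()):
        if uid < first_valid_uid:
            findings.append(
                f"{name}: owner uid {uid} is below first_valid_uid={first_valid_uid}")
            continue
        owner = resolve(uid)
        if owner is None:
            findings.append(
                f"{name}: owner uid {uid} does not resolve to any account "
                "(LDAP-only user without ypldap?)")
        elif owner != name:
            findings.append(f"{name}: owned by {owner!r} (uid {uid}), not by {name!r}")
    return findings


# Constructed sample: directory owners as collect_owners() would report them,
# and a fake account table standing in for passwd(5)/ypldap(8).
SAMPLE_OWNERS = {"alice": 1001, "bob": 1002, "carol": 1003, "dave": 1001, "root-mail": 0}
SAMPLE_ACCOUNTS = {1001: "alice", 1002: "bob"}


def demo() -> List[str]:
    """Audit the constructed sample: carol's UID is unknown to the system,
    dave's maildir belongs to alice, root-mail is owned by a system UID."""
    return audit_owners(SAMPLE_OWNERS, SAMPLE_ACCOUNTS.get)


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 audit.py /var/mail
    root = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit_owners(collect_owners(root)) if root else demo()
    print("\n".join(findings) or "no findings")
```

With a real spool the script takes the mail root as its only argument; the findings list is empty when the ownership model is consistent, which is the state you want before pointing Dovecot's userdb at passwd.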

Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Markus Rosjat

Hi Kim,

I don't like the idea of one single virtual user handling all the traffic 
to the mail directories. I did read about it but it feels strange to me. 
On the other hand I'm only the guy who has to pick up old things and gets 
tasked to make them work with new parts :(


On 27.01.2017 at 10:48, Kim Zeitler wrote:

Hi Markus

On 01/27/17 09:44, Markus Rosjat wrote:

Hi there,

so my question is what is the best strategy to migrate an existing LDAP
directory from a system that has sendmail and courier running to a
system with openSMTP and Dovecot.


Couple of years ago we changed from Courier to Dovecot and in short we
wouldn't go back.

As setup we hold all our users in LDAP except for system users (_*,
root, ...) and have a dedicated server for mail running postfix as MTA
and dovecot.

We started from Postfix+Courier with the LDAP users as system users. The
users could log into their accounts via ssh and do whatever they
wanted. This configuration caused some problems with performance and
also caused some permission problems as the dovecot process had to run
as the user.

Now Dovecot has direct access to the LDAP using the users as virtual
users, all maildirs belong to the dovecot user _vmail. Postfix
distinguishes between local users and ldap users, local users are
directly delivered via local delivery, ldap users relayed to dovecot's
lmtp server.



 - is it possible to migrate old maildirs to use with dovecot

It is possible, Maildir can be used directly, mbox transferred.
There also exists a courier-dovecot-migrate script that rewrites
courier's index et al. for dovecot.
(https://wiki2.dovecot.org/Migration/Courier)

You might want to move courier's flat maildir format to a file system format


I don't want to set up just one virtual user to handle dovecot delivery
since I already have the LDAP users. I tested to set permissions on
directories and files for a LDAP user that has no system account
counterpart and it seems to work but it doesn't feel right to do so in a
production environment :)

See my comment further up about using a _vmail user


Cheers
Kim








Re: Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Kim Zeitler
Hi Markus

On 01/27/17 09:44, Markus Rosjat wrote:
> Hi there,
>
> so my question is what is the best strategy to migrate an existing LDAP
> directory from a system that has sendmail and courier running to a
> system with openSMTP and Dovecot.
>
Couple of years ago we changed from Courier to Dovecot and in short we
wouldn't go back.

As setup we hold all our users in LDAP except for system users (_*,
root, ...) and have a dedicated server for mail running postfix as MTA
and dovecot.

We started from Postfix+Courier with the LDAP users as system users. The
users could log into their accounts via ssh and do whatever they
wanted. This configuration caused some problems with performance and
also caused some permission problems as the dovecot process had to run
as the user.

Now Dovecot has direct access to the LDAP using the users as virtual
users, all maildirs belong to the dovecot user _vmail. Postfix
distinguishes between local users and ldap users, local users are
directly delivered via local delivery, ldap users relayed to dovecot's
lmtp server.


>  - is it possible to migrate old maildirs to use with dovecot
It is possible, Maildir can be used directly, mbox transferred.
There also exists a courier-dovecot-migrate script that rewrites
courier's index et al. for dovecot.
(https://wiki2.dovecot.org/Migration/Courier)

You might want to move courier's flat maildir format to a file system format
>
> I don't want to set up just one virtual user to handle dovecot delivery
> since I already have the LDAP users. I tested to set permissions on
> directories and files for a LDAP user that has no system account
> counterpart and it seems to work but it doesn't feel right to do so in a
> production environment :)
See my comment further up about using a _vmail user


Cheers
Kim



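As an added example for the Maildir questions answered above (it is not the courier-dovecot-migrate script and not Dovecot code), the following Python rewrites each folder's courierimapuiddb into a dovecot-uidlist, which is the part of a Courier migration that keeps IMAP clients from re-downloading every mailbox because UIDVALIDITY and the assigned UIDs are carried over, and maps Maildir++ folder directories such as .Archive.2016 to the fs-layout path Archive/2016 for the case where you do switch layouts. The file formats are the ones both servers document; the sample mailbox, its timestamps and file names are constructed in a temporary directory.

```python
"""Courier -> Dovecot maildir migration helpers, as an added example for the
Maildir questions in this thread (not the courier-dovecot-migrate script and
not Dovecot code). Two things are covered: rewriting each folder's
courierimapuiddb into a dovecot-uidlist so IMAP clients keep their UIDs, and
mapping Maildir++ folder directories ('.Archive.2016') to the LAYOUT=fs tree
('Archive/2016'). The sample mailbox is constructed in a temporary directory."""
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

UidEntries = List[Tuple[int, str]]


def parse_courierimapuiddb(text: str) -> Tuple[int, int, UidEntries]:
    """courierimapuiddb: first line '1 <uidvalidity> <nextuid>', then one
    '<uid> <basename>' per message, basename without the ':2,<flags>' suffix."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty courierimapuiddb")
    version, uidvalidity, nextuid = lines[0].split()
    if version != "1":
        raise ValueError(f"unsupported courierimapuiddb version {version!r}")
    entries: UidEntries = []
    for line in lines[1:]:
        uid, basename = line.split(" ", 1)
        entries.append((int(uid), basename))
    return int(uidvalidity), int(nextuid), entries


def render_dovecot_uidlist(uidvalidity: int, nextuid: int,
                           entries: UidEntries, guid_hex: str) -> str:
    """dovecot-uidlist version 3: header '3 V<uidvalidity> N<nextuid> G<guid>',
    then '<uid> :<basename>' lines in ascending UID order. Keeping Courier's
    UIDVALIDITY and next UID is what makes the migration invisible to clients."""
    ordered = sorted(entries)
    if len({uid for uid, _ in ordered}) != len(ordered):
        raise ValueError("duplicate UIDs in courierimapuiddb")
    if ordered and ordered[-1][0] >= nextuid:
        raise ValueError("nextuid is not above the highest assigned UID")
    out = [f"3 V{uidvalidity} N{nextuid} G{guid_hex}"]
    out.extend(f"{uid} :{basename}" for uid, basename in ordered)
    return "\n".join(out) + "\n"


def maildirpp_to_fs(dirname: str) -> str:
    """Maildir++ folder directory '.Archive.2016' -> fs layout path 'Archive/2016'.
    Maildir++ uses '.' as the hierarchy separator, so every '.' becomes a '/'."""
    if not dirname.startswith(".") or dirname in (".", ".."):
        raise ValueError(f"not a Maildir++ folder directory: {dirname!r}")
    return "/".join(part for part in dirname[1:].split(".") if part)


def convert_maildir(root: Path) -> Dict[str, str]:
    """Write dovecot-uidlist beside every courierimapuiddb under root (INBOX
    and each '.Folder' directory) and return {folder_dir: fs_path} for the
    Maildir++ folders found. Folders without a courierimapuiddb were never
    opened over IMAP; Dovecot simply indexes those from scratch."""
    folders: Dict[str, str] = {}
    subdirs = sorted(p for p in root.iterdir() if p.is_dir() and p.name.startswith("."))
    for d in [root] + subdirs:
        if d is not root:
            folders[d.name] = maildirpp_to_fs(d.name)
        src = d / "courierimapuiddb"
        if not src.is_file():
            continue
        uidv, nextuid, entries = parse_courierimapuiddb(src.read_text())
        (d / "dovecot-uidlist").write_text(
            render_dovecot_uidlist(uidv, nextuid, entries, secrets.token_hex(16)))
    return folders


def build_sample_maildir(base: Path) -> Path:
    """Constructed Courier-style mailbox: INBOX plus two folders, one of them
    never opened over IMAP (no courierimapuiddb)."""
    root = base / "Maildir"
    for d in (root, root / ".Sent", root / ".Archive.2016"):
        for sub in ("cur", "new", "tmp"):
            (d / sub).mkdir(parents=True)
    (root / "courierimapuiddb").write_text(
        "1 1485513600 4\n1 1485513601.M1P100.host\n3 1485513602.M2P101.host\n")
    (root / ".Sent" / "courierimapuiddb").write_text(
        "1 1485513700 2\n1 1485513701.M3P102.host\n")
    return root


def demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_maildir(Path(tmp))
        folders = convert_maildir(root)
        inbox = (root / "dovecot-uidlist").read_text().splitlines()
        return {
            "folders": folders,
            "inbox_header": inbox[0][:len("3 V1485513600 N4 G")],
            "inbox_entries": inbox[1:],
            "sent_converted": (root / ".Sent" / "dovecot-uidlist").is_file(),
            "archive_converted": (root / ".Archive.2016" / "dovecot-uidlist").is_file(),
        }


if __name__ == "__main__":
    print(demo())
```

Run it on a copy of the mail store with Courier stopped, since Courier rewrites its uid database on every IMAP session. Dovecot's default Maildir++ layout reads Courier's .Folder directories as they are, so the fs mapping only matters if you put LAYOUT=fs into mail_location; the real migration script additionally converts courierimapsubscribed and courierimapkeywords, which this example leaves alone.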

Migrate Mailserver from sendmail/Curier/LDAP to OpenSMTP/Dovecot/LDAP

2017-01-27 Thread Markus Rosjat

Hi there,

so my question is what is the best strategy to migrate an existing LDAP 
directory from a system that has sendmail and courier running to a 
system with openSMTP and Dovecot.


Old system:

- Has system accounts that match LDAP accounts
- system accounts to handle access to the filesystem
- LDAP accounts to auth with courier/sendmail

New System should:

 - use old system accounts
 - use old LDAP dir to auth with OpenSMTP/Dovecot

Additional Questions:

 - is it possible to migrate old maildirs to use with dovecot

I don't want to set up just one virtual user to handle dovecot delivery 
since I already have the LDAP users. I tested to set permissions on 
directories and files for a LDAP user that has no system account 
counterpart and it seems to work but it doesn't feel right to do so in a 
production environment :)


If someone could give some advice or point in the right direction it 
would be much appreciated.



Regards
