Abstract
HOW-TO for setting up a mass virtual "name-based" e-mail hosting site with Cyrus IMAP 2.1.x and postfix, with an OpenLDAP back-end, and full SASL authentication support.
This HOW-TO walks through the configuration, and explanation of setting up a Cyrus IMAP 2.1.x IMAP server, Postfix MTA, OpenLDAP ldap authentication back-end, and Cyrus SASL with the LDAPDB auxprop plugin. The final result will be a mail server with the ability to use full e-mail addresses as the username for both Cyrus IMAP and postfix.
Abstract
This section lists the required software, and locations to obtain said software.
*nix-like operating system. This setup has been tested on a Red Hat Linux 7.3 system; however, any POSIX-compatible system should work fine, so long as the software listed in this section supports that operating system.
Cyrus SASL. Cyrus SASL 2.1.x is required for interoperability with LDAP, Postfix, and Cyrus IMAP. The latest release can be obtained from the Cyrus Project site. Versions 2.1.13 to 2.1.15 have been tested. The LDAPDB auxprop module is required from the OpenLDAP contrib directory. A patch to integrate it with the SASL configure process is available on my site.
OpenLDAP. OpenLDAP 2.1.x is required for SASL interoperability; version 2.0.x cannot be used. It can be downloaded from the OpenLDAP site. OpenLDAP 2.1.19, 2.1.21, and 2.1.22 have been tested. RPMs can be found at the Open-IT project.
Cyrus IMAP. This is the IMAP mail store and IMAP/POP3/SIEVE server used in this HOW-TO. You can obtain the latest 2.1.x version from the Cyrus Project site. Versions 2.1.13 to 2.1.15 have been tested. A cross-realm patch is required to use DIGEST-MD5 authentication. The Auto Create patch is highly recommended; it can be downloaded from here.
Postfix. The Postfix secure mailer version 1.1.x is currently described in this HOW-TO. Postfix can be obtained from the Postfix site. Postfix 1.1.11 and 1.1.12 have been tested. Postfix 2.0.x has not yet been tested, but will be in the near future. The SASL2 patch for Postfix 1.1.x is required for Postfix authentication to work. The LDAP patch is required to compile against OpenLDAP 2.1.21 for LDAP lookup support.
Abstract
This section describes how to compile each of the software packages. On my systems I compile all programs into RPMs and install them via apt, so that all dependencies are met. The documentation below is here for admins without package management on their system, or for users who do not wish to use their package management system. Just be wary of system dependencies and conflicting library revisions. These instructions assume that you are compiling as a non-root user, which is highly recommended.
Abstract
Compiling SASL is a two-step process due to the circular dependency between Cyrus SASL with the LDAPDB plugin and OpenLDAP. If a version of Cyrus SASL 2.1.x is already installed on your system, you can skip this step and proceed to the step Compiling OpenLDAP.
Untar the source distribution of Cyrus SASL and change into the source directory
[user@linux user]$ tar -xzf cyrus-sasl-2.1.15.tar.gz
[user@linux user]$ cd cyrus-sasl-2.1.15
Run configure to configure the source build.
[user@linux user]$ ./configure --prefix=/usr \
    --with-plugindir=/usr/lib/sasl2 \
    --with-rc4 \
    --with-dblib=berkeley \
    --enable-anon \
    --enable-cram \
    --enable-digest \
    --enable-plain \
    --enable-login \
    --enable-ntlm
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Build Cyrus SASL
[user@linux user]$ make sasldir=/usr/lib/sasl2
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Now install Cyrus SASL
[user@linux user]$ su -c "make install sasldir=/usr/lib/sasl2"
You will be prompted for the Root password of the system in order to install.
Abstract
Compiling OpenLDAP with SASL support requires that Cyrus SASL 2.1.x already be installed on the system. Once OpenLDAP is compiled and installed, Cyrus SASL can be patched with the ldapdb plugin and recompiled with LDAP authentication support. I use the very nice quality RPMs from the Open-IT project and rebuild them on my system so they support SASL2. The instructions below are "pulled" from their spec file. If someone would like to write better directions and submit them to me, please do so.
Untar the source distribution of OpenLDAP and change into the source directory.
[user@linux user]$ tar -xzf openldap-2.1.22.tar.gz
[user@linux user]$ cd openldap-2.1.22
Run configure to configure the source build
[user@linux user]$ export CPPFLAGS=`pkg-config --cflags openssl`
[user@linux user]$ export LDFLAGS=`pkg-config --libs-only-L openssl`
[user@linux user]$ ./configure --prefix=/usr \
    --with-slapd --with-slurpd --without-ldapd \
    --with-threads=posix --enable-local --enable-cldap --disable-rlookups \
    --with-tls \
    --with-cyrus-sasl \
    --enable-bdb --enable-wrappers \
    --enable-passwd \
    --enable-shell \
    --enable-cleartext \
    --enable-crypt \
    --enable-spasswd \
    --enable-modules \
    --disable-sql \
    --enable-aci \
    --libexecdir=/usr/sbin \
    --localstatedir=/var/run
The most important configure option in that long list is --with-cyrus-sasl. If there are any errors then you are missing libraries required for the compile; you need to locate and install those libraries or the development packages for your distribution.
Run make to build openldap
[user@linux user]$ make depend
[user@linux user]$ make LIBTOOL=libtool
Install openldap on the system.
[user@linux user]$ su -c "make install LIBTOOL=libtool \
    datadir=/var/lib/openldap \
    libexecdir=/usr/sbin \
    localstatedir=/var/run \
    sysconfdir=/etc/openldap"
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Abstract
This compiles Cyrus SASL with the ldapdb auxprop plugin, which needs to be done after OpenLDAP has been installed.
Untar the source distribution of Cyrus SASL and change into the source directory
[user@linux user]$ tar -xzf cyrus-sasl-2.1.15.tar.gz
[user@linux user]$ cd cyrus-sasl-2.1.15
Install the ldapdb config patch, and copy the ldapdb source file
[user@linux user]$ patch -p0 < ldapdb-config.patch
[user@linux user]$ cp ldapdb-2.1.15.c plugins/ldapdb.c
Run autoconf and automake utilities to update the configure script and makefiles.
[user@linux user]$ libtoolize -f
[user@linux user]$ aclocal -I ./config -I ./cmulocal
[user@linux user]$ automake -a --include-deps
[user@linux user]$ autoheader
[user@linux user]$ autoconf
Run configure to configure the source build.
[user@linux user]$ ./configure --prefix=/usr \
    --with-plugindir=/usr/lib/sasl2 \
    --with-rc4 \
    --with-dblib=berkeley \
    --enable-anon \
    --enable-cram \
    --enable-digest \
    --enable-plain \
    --enable-login \
    --enable-ntlm \
    --enable-ldapdb
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Build Cyrus SASL
[user@linux user]$ make sasldir=/usr/lib/sasl2
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Now install Cyrus SASL
[user@linux user]$ su -c "make install sasldir=/usr/lib/sasl2"
You will be prompted for the Root password of the system in order to install.
Abstract
This compiles Cyrus IMAP.
Untar the source distribution of Cyrus IMAP and change into the source directory
[user@linux user]$ tar -xzf cyrus-imap-2.1.15.tar.gz
[user@linux user]$ cd cyrus-imap-2.1.15
Install the cross-realm patch, and the auto create patch.
[user@linux user]$ patch -p0 < cross-realm.patch
[user@linux user]$ patch -p1 < cyrus-imapd-2.1.13-autocreate-0.7.1.patch.txt
Run autoconf and automake utilities to update the configure script and makefiles.
[user@linux user]$ autoconf
Build Cyrus IMAP's bundled makedepend
[user@linux user]$ pushd makedepend
[user@linux user]$ ./configure
[user@linux user]$ make
[user@linux user]$ popd
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Run configure to configure the source build.
[user@linux user]$ ./configure --prefix=/usr \
    --enable-netscapehack \
    --enable-annotatemore \
    --enable-listext \
    --enable-fulldirhash \
    --enable-murder \
    --without-ucdsnmp \
    --with-perl=/usr/bin/perl \
    --with-libwrap=/usr \
    --with-cyrus-prefix= \
    --with-auth=unix
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Build Cyrus IMAP
[user@linux user]$ make
If there are any errors then you are missing libraries required for the compile, you need to locate and install those libraries or the development packages for your distribution.
Now install Cyrus IMAP
[user@linux user]$ su -c "make install"
You will be prompted for the Root password of the system in order to install.
Abstract
This section explains how to configure the four software components of the mail server setup.
Abstract
We might as well start with the authentication back-end and go from there. It is the most complex to configure so let us get it out of the way.
The first step is to configure the OpenLDAP server daemon, slapd. Before editing the config file, we need to determine the layout of the LDAP directory. You need to decide on the following: the suffix, the rootdn, the rootpw, and the user root in the LDAP directory.
The suffix is the root DN of your LDAP directory. Common suffixes use the domain of your network, e.g. dc=example,dc=com, or an organization/company followed by the country, e.g. o=My Organization,c=US.
The rootdn is the administrative user on the LDAP system. A common name for this user is cn=Manager,o=My Organization,c=US. This DN must end with the suffix defined above. This user is not affected by the ACLs in the LDAP directory and has full access to it.
The rootpw is the password for the administrator account specified in rootdn. It can be stored as a hash generated with the slappasswd program.
[user@linux user]# slappasswd -h {SSHA}
New password:
Re-enter new password:
{SSHA}iOZbfSeKiS9RBsyATU1HwEh1rY4n1rKn
The value to use is the whole of the last line: the hash scheme in braces followed by the seemingly random set of characters.
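As an added illustration (not part of the HOW-TO or of OpenLDAP), the following Python snippet reproduces the {SSHA} layout shown above, so you can confirm that a rootpw value really corresponds to the password you meant to set before restarting slapd. The example hash from this page is used only to show the layout; its password is not known.

```python
import base64
import hashlib
import hmac
import os

# Constructed example: the rootpw value shown in this HOW-TO.
PAGE_ROOTPW = "{SSHA}iOZbfSeKiS9RBsyATU1HwEh1rY4n1rKn"

def make_ssha(password, salt=None):
    """Build a {SSHA} value the way slappasswd -h {SSHA} does:
    base64(SHA1(password + salt) + salt), with a 4-byte random salt."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def split_ssha(stored):
    """Decode a {SSHA} string into (digest, salt): the 20-byte SHA-1
    digest comes first, the salt is whatever follows it."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored)
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:20], blob[20:]

def check_ssha(password, stored):
    """True if password matches the {SSHA} string from a rootpw line."""
    digest, salt = split_ssha(stored)
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison, the usual habit for any secret check
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    digest, salt = split_ssha(PAGE_ROOTPW)
    print(f"page hash: {len(digest)}-byte digest, {len(salt)}-byte salt")
    sample = make_ssha("secret")
    print(sample, check_ssha("secret", sample), check_ssha("wrong", sample))
```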
The full list of hash schemes that can be used is CRYPT, MD5, SMD5, SHA, SSHA, and CLEARTEXT.
The user root in the DN is a decision about how you want to organize the directory, and it will affect how complicated the configuration of authentication will be. Common choices are to put all the users under an ou named Users or People.
uid=user@somewhere.com,ou=Users,o=My Organization,c=US
Another option would be to separate users by their domain.
uid=user@somewhere.com,dc=somewhere,dc=com,o=My Organization,c=US
In this HOW-TO I will be using the former, so the user root will be ou=Users,o=My Organization,c=US
This configuration file is located in /etc/openldap/slapd.conf. Open this file in your favorite editor.
[user@linux user]# mcedit /etc/openldap/slapd.conf
Find and change the following settings in the configuration file.
[Optional] Add an allow option before the database bdb line to allow compatibility with old LDAP clients. This is only needed if other, older clients will access the directory for applications other than what is covered in this HOW-TO.
allow bind_v2
database bdb
Set the suffix of the directory
suffix "o=My Organization,c=US"
Set the rootdn to the administrator DN you wish to use.
rootdn "cn=Manager,o=My Organization,c=US"
Set the rootpw to the hash created with slappasswd
rootpw {SSHA}iOZbfSeKiS9RBsyATU1HwEh1rY4n1rKn
Set the default password-hash type to CLEARTEXT.
password-hash {CLEARTEXT}
This is needed for SASL authentication: the shared-secret mechanisms such as CRAM-MD5 and DIGEST-MD5 require the server to know the plaintext password, so storing it in the clear is what allows slapd to provide all the SASL authentication mechanisms.
Set the sasl-authz-policy.
sasl-authz-policy to
This is needed so that proxy authentication will work correctly.
Configuring the sasl-regexp parameters is where things begin to get complicated. For my example setup this is what is needed.
sasl-regexp
    uid=(.*),cn=(.*),cn=digest-md5,cn=auth
    uid=$1@$2,ou=Users,o=My Organization,c=US
sasl-regexp
    uid=auxprop,cn=digest-md5,cn=auth
    uid=auxprop,o=My Organization,c=US
When an e-mail address style username such as user@domain.com is authenticated via SASL to OpenLDAP, SASL splits it into uid=user,cn=domain.com,cn=digest-md5,cn=auth, assuming you are authenticating via the digest-md5 SASL mechanism. The first 3 lines, which are really one directive, map that SASL DN to uid=user@domain.com,ou=Users,o=My Organization,c=US.
The second set of 3 lines allows our proxy authentication user to log in. This will be needed by the ldapdb plugin.
For the more complex setup of separating the users by their domain, a sasl-regexp line like this will allow that to work.
sasl-regexp
    uid=(.*),cn=(.*)\.([^\.]*),cn=digest-md5,cn=auth
    uid=$1@$2.$3,dc=$2,dc=$3,o=My Organization,c=US
or perform a search on the directory for the uid.
sasl-regexp
    uid=(.*),cn=(.*),cn=digest-md5,cn=auth
    ldap:///o=My Organization,c=US??sub?(uid=$1)
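To check the mappings above before restarting slapd, here is an added Python example (not part of the HOW-TO or of OpenLDAP) that applies sasl-regexp style rules to the authentication identity SASL produces. It covers the ou=Users rules and the by-domain variant, and it also shows what happens to a login typed without a realm and to a three-label domain. The rule tables and DN values are constructed from this page's example setup.

```python
import re

# Constructed from this HOW-TO's example: the sasl-regexp rules as
# (pattern, replacement) pairs in slapd.conf order; slapd uses the
# first pattern that matches the SASL authentication identity.
USERS_RULES = [
    (r"uid=(.*),cn=(.*),cn=digest-md5,cn=auth",
     r"uid=$1@$2,ou=Users,o=My Organization,c=US"),
    (r"uid=auxprop,cn=digest-md5,cn=auth",
     r"uid=auxprop,o=My Organization,c=US"),
]

# The "separate users by their domain" variant from the text.
DOMAIN_RULES = [
    (r"uid=(.*),cn=(.*)\.([^\.]*),cn=digest-md5,cn=auth",
     r"uid=$1@$2.$3,dc=$2,dc=$3,o=My Organization,c=US"),
]

def sasl_auth_dn(login, mech="digest-md5"):
    """Build the uid=<user>,cn=<realm>,cn=<mech>,cn=auth identity that
    slapd sees; SASL splits user@realm at the '@' as described above."""
    if "@" in login:
        user, realm = login.split("@", 1)
        return f"uid={user},cn={realm},cn={mech},cn=auth"
    return f"uid={login},cn={mech},cn=auth"

def map_sasl_dn(auth_dn, rules):
    """Apply sasl-regexp style rules to auth_dn. $N in the replacement
    is the Nth capture group, as in slapd.conf. Returns None when no
    rule matches, which slapd turns into a failed bind."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn)
        if m:
            # turn slapd's $1..$9 into Python group references
            py_repl = re.sub(r"\$(\d)", r"\\g<\1>", replacement)
            return m.expand(py_repl)
    return None

def resolve(login, rules=USERS_RULES):
    """Login name as typed in the mail client -> directory DN (or None)."""
    return map_sasl_dn(sasl_auth_dn(login), rules)

if __name__ == "__main__":
    for login in ("user@somewhere.com", "auxprop", "user"):
        print(f"{login:20} -> {resolve(login)}")
    # The by-domain rule only turns the last two labels into dc= parts,
    # so a three-label domain does not land under dc=somewhere,dc=com.
    print(resolve("user@mail.somewhere.com", DOMAIN_RULES))
```

A login without the realm part matches neither rule and resolves to None, which is the same outcome slapd gives when no sasl-regexp applies.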
Now that everything is configured it is time to start up the slapd daemon.