LDAP + Cyrus IMAP + Postfix on FC4

Alexander Dalloz ad+lists at uni-x.org
Sat Dec 17 15:19:58 UTC 2005


On Sat, 17.12.2005 at 4:14, John Francis wrote:

No HTML list postings please.

> Does anyone have any tips or best practice pointers regarding setting
> up a mailserver system on an FC4 box.
> 
> I would like to use Postfix as my MTA, Cyrus IMAP as the IMAP or POP
> server and I would like all authentication done through LDAP.  I will
> be using the Fedora Directory Server for LDAP.

Recently did that myself. Though it is a hosting server running CentOS
4.2 and OpenLDAP instead of FDS.

> I have done some reading and fiddling around but haven't been able to
> get it going yet.  I am new to PAM concepts as well as Cyrus IMAP so
> any help in those areas in particular would be appreciated.

Why PAM?

> John Francis

I suspect you have the FDS already running and all required user data
put into it. That means querying the FDS by hand does provide you the
requested data.

You don't need PAM for the mailserver part (Postfix and Cyrus-IMAPd).
What you need in FDS is a user which plays a special role: a proxy auth
user. That user must be able to authorize as any other user who shall
get authorization to send mail and to get mail. Within OpenLDAP (so far I
have not investigated the FDS) you would give that permission to a
specific user by the following ldif entries:

dn: uid=proxyuser,ou=admins,o=hosting,dc=domain,dc=tld
saslAuthzTo: uid=cyrus,ou=admins,o=hosting,dc=domain,dc=tld
saslAuthzTo: uid=(.*),ou=users,hostingDomain=(.*),o=hosting,dc=domain,dc=tld

A few other settings are required/recommended for this to work in
/etc/openldap/slapd.conf.

Now about Postfix and Cyrus-IMAPd. Both can directly handle the ldapdb
plugin of SASLv2.

Postfix:
/usr/lib[64]/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://127.0.0.1
ldapdb_id: <proxyuser_userid>
ldapdb_pw: <proxyuser_password>
ldapdb_mech: login plain digest-md5

Of course you also need the common SMTP AUTH settings in main.cf.

Cyrus-IMAPd:
/etc/imapd.conf

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://127.0.0.1
sasl_ldapdb_id: <proxyuser_userid>
sasl_ldapdb_pw: <proxyuser_password>
sasl_ldapdb_mech: login plain digest-md5

As you have stored authentication information inside the two configuration
files in cleartext, you have to take care that the permissions for both
files are set properly, so that only root and, in the case of imapd.conf,
only cyrus can read the files.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 15:47:01 up 12 days, 20:24, load average: 0.46, 0.20, 0.08 
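The two SASL fragments above differ only in the "sasl_" prefix on the keys, and both carry the proxy user's cleartext password, so the interesting part is installing them without ever leaving that password world-readable and then proving the proxy user can really act as another user. The following POSIX shell script is an added example and is not code from the original post or from the Postfix, Cyrus or OpenLDAP projects. The paths, the proxy user name "proxyuser", the password and the group/mode choices are assumptions; it renders the fragments from one credential, installs a file through a 0600 temp file, audits the resulting mode bits, and (only against a live directory) checks SASL proxy authorization with ldapwhoami's -U/-X options.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: the proxy
# account is "proxyuser", the directory listens on ldap://127.0.0.1,
# Postfix reads /usr/lib/sasl2/smtpd.conf, Cyrus reads /etc/imapd.conf.

# render_sasl_ldapdb PREFIX URI PROXY_ID PROXY_PW
# Postfix's smtpd.conf uses the bare keys; Cyrus's imapd.conf uses the
# same keys prefixed "sasl_", so the prefix is the only difference.
render_sasl_ldapdb() {
    _prefix=$1 _uri=$2 _id=$3 _pw=$4
    printf '%s\n' \
        "${_prefix}pwcheck_method: auxprop" \
        "${_prefix}auxprop_plugin: ldapdb" \
        "${_prefix}ldapdb_uri: ${_uri}" \
        "${_prefix}ldapdb_id: ${_id}" \
        "${_prefix}ldapdb_pw: ${_pw}" \
        "${_prefix}ldapdb_mech: login plain digest-md5"
}

# install_secret_conf CONTENT DEST OWNER GROUP MODE
# The temp file is created under umask 077, so the password is never on
# disk world-readable, not even between the write and the chmod. Choose
# GROUP as the account the daemon reads the file as (cyrus for
# imapd.conf; for smtpd.conf the unprivileged account smtpd runs as on
# your install, see master.cf), and keep MODE at 0640 or tighter.
install_secret_conf() {
    _content=$1 _dest=$2 _owner=$3 _group=$4 _mode=$5
    _tmp="${_dest}.tmp.$$"
    ( umask 077 && printf '%s\n' "$_content" > "$_tmp" ) || return 1
    chown "${_owner}:${_group}" "$_tmp" && chmod "$_mode" "$_tmp" \
        && mv "$_tmp" "$_dest"
}

# conf_not_exposed FILE: succeeds only if neither the group nor the
# other read bit is set (POSIX find's -perm -MODE tests "all bits set").
conf_not_exposed() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# conf_not_world_readable FILE: the weaker check for files a daemon must
# read through its group (the "root:cyrus 0640" case).
conf_not_world_readable() {
    [ -z "$(find "$1" -perm -004 -print 2>/dev/null)" ]
}

# check_proxy_authz URI PROXY_ID PROXY_PW TARGET_UID
# Live check, needs a running LDAP server (not exercised offline): the
# ldapdb plugin binds as the proxy user and then acts as the
# authenticating user via SASL proxy authorization, which is what the
# saslAuthzTo attribute grants. If this ldapwhoami is refused, the
# saslAuthzTo entry (or slapd's authz policy) is wrong, and so is ldapdb.
check_proxy_authz() {
    ldapwhoami -H "$1" -Y DIGEST-MD5 -U "$2" -w "$3" -X "u:$4"
}

# Usage on the real box (run as root): PROXY_PW=... ./this-script install
case "${1:-}" in
install)
    : "${PROXY_PW:?set PROXY_PW in the environment}"
    install_secret_conf \
        "$(render_sasl_ldapdb '' ldap://127.0.0.1 proxyuser "$PROXY_PW")" \
        /usr/lib/sasl2/smtpd.conf root postfix 0640
    conf_not_world_readable /usr/lib/sasl2/smtpd.conf
    # imapd.conf holds much more than the SASL keys; print the lines to
    # merge into it rather than overwriting the file.
    render_sasl_ldapdb sasl_ ldap://127.0.0.1 proxyuser "$PROXY_PW"
    check_proxy_authz ldap://127.0.0.1 proxyuser "$PROXY_PW" cyrus
    ;;
esac
```

The install path uses root:postfix 0640 for smtpd.conf because on a stock Postfix the smtpd process does not run as root and still has to read the file; confirm the account in your master.cf before copying that line. The ldapwhoami check uses the -U (authentication id) and -X (authorization id) options of the OpenLDAP client tools; a successful "dn:" answer for the target user is the same proxy authorization step ldapdb performs on every SMTP AUTH or IMAP login.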