Postfix is a very flexible MTA that can be used in many different ways, and it can draw on the data held in an LDAP directory for many of them. In this example we will configure two Postfix servers:
Install the systems and mail plugins:
yum install fusiondirectory-plugin-systems fusiondirectory-plugin-mail
Load the mail-fd and mail-fd-conf schemas.
Then create a mail account in the DSA branch, and add a few indexes and ACLs to your OpenLDAP server, for example:
[...]
include /etc/openldap/schema/fusiondirectory/mail-fd.schema
include /etc/openldap/schema/fusiondirectory/mail-fd-conf.schema
[...]
index gosaMailAlternateAddress,gosaMailForwardingAddress eq
index postfixTransportTable eq
index postfixMyDomain,postfixMyDestinations eq
[...]
access to attrs=gidNumber,homeDirectory,uidNumber
    by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com ssf=256 write
    by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
    by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
    by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com ssf=256 read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
    by self read
    by * none

access to attrs=gosaMailQuota,gosaMailServer,gosaMailDeliveryMode,gosaMailAlternateAddress,postfixHeaderSizeLimit,postfixMailboxSizeLimit,postfixMessageSizeLimit,postfixMyDestinations,postfixMyDomain,postfixMyHostname,postfixMyNetworks,postfixRecipientRestrictions,postfixSenderRestrictions,postfixTransportTable
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
    by * none

access to dn.subtree=ou=servers,ou=systems,dc=firewall-services,dc=com filter=(|(objectClass=fdImapServer)(objectClass=fdPostfixServer))
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
    by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
    by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
    by * none
[...]
In the FusionDirectory interface, a Postfix service is declared only on the internal mail server. The proxy server will reuse that same configuration.
In order, you need to:
The front-end server (the proxy) handles several things. Start by installing the packages it needs:
yum install amavisd-new postfix cyrus-sasl-ldap saslauthd
Add the amavisd-new feed and re-injection services to /etc/postfix/master.cf; the 10025 listener accepts mail only from the loopback network (mynetworks=127.0.0.0/8), since it receives already-scanned mail back from amavisd and must not be reachable from anywhere else:
[...]
amavisfeed unix    -       -       n       -       2     lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n    -       n       -       -     smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
[...]
Then /etc/postfix/main.cf on the proxy. The three LDAP tables it references are shown next; mydestination is left empty on purpose, because the proxy delivers nothing locally and only relays:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = proxy.firewall-services.com
mydomain = proxy.firewall-services.com
mydestination =
mynetworks = 10.10.0.0/16
transport_maps = ldap:/etc/postfix/ldap_transport.cf
relay_recipient_maps = ldap:/etc/postfix/ldap_recipients.cf
relay_domains = ldap:/etc/postfix/ldap_domains.cf
recipient_delimiter = +
smtpd_tls_cert_file = /etc/postfix/ssl/mail.firewall-services.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.firewall-services.com.key
smtpd_tls_security_level = may
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unverified_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client dnsbl-1.uceprotect.net
content_filter = amavisfeed:[127.0.0.1]:10024
/etc/postfix/ldap_transport.cf, which maps each recipient to the server that holds the mailbox (gosaMailServer) and turns it into an smtp: transport:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = gosaMailServer
result_format = smtp:[%s]
/etc/postfix/ldap_domains.cf, which lists the domains to relay from the Postfix server entries declared in FusionDirectory:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(objectClass=fdPostfixServer)(|(postfixMyDomain=%s)(postfixMyDestinations=%s)))
result_attribute = postfixMyDomain,postfixMyDestinations
/etc/postfix/ldap_recipients.cf, which tells the proxy which addresses (mailboxes, redirections and distribution lists) actually exist, so that unknown recipients are rejected at the border instead of bouncing later:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(|(objectClass=gosaMailAccount)(objectClass=mailAliasRedirection)(objectClass=mailAliasDistribution))(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = gosaMailServer,gosaMailAlternateAddress
These files contain the bind password of the mail DSA account in clear text, so restrict them to the postfix group:
chown :postfix /etc/postfix/ldap_*.cf
chmod 640 /etc/postfix/ldap_*.cf
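Because every ldap_*.cf file above carries the DSA bind password, it is worth checking each one before Postfix loads it: restrictive permissions, TLS actually requested, and the parameters a query needs all present. The following script is an added example and not part of the original article; it uses constructed sample files with placeholder hostnames, DNs and passwords, and the function names (ldap_cf_get, check_ldap_table_file, file_mode) are my own.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check a Postfix
# ldap_table(5) client file before handing it to Postfix.  Each *.cf holds a
# clear-text bind password, so the checks are: nobody outside the owner and
# group can read it, the group cannot write it, TLS is requested (start_tls =
# yes or an ldaps:// server_host), and the keys Postfix needs to run a query
# are all present.  Values are read with awk so "key = value" spacing is free.

# ldap_cf_get FILE KEY -> prints the value of KEY (last occurrence wins).
ldap_cf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (key == k) out = val
        }
        END { if (out != "") print out }
    ' "$1"
}

# file_mode FILE -> octal permission bits; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ldap_table_file FILE -> prints one line per finding, returns 0 if clean.
check_ldap_table_file() {
    f="$1"; problems=0
    for key in server_host search_base query_filter result_attribute; do
        if [ -z "$(ldap_cf_get "$f" "$key")" ]; then
            echo "$f: missing required parameter '$key'"
            problems=$((problems + 1))
        fi
    done
    host=$(ldap_cf_get "$f" server_host)
    case "$host" in
        ldaps://*) ;;   # TLS from the first byte, start_tls not needed
        *)
            if [ "$(ldap_cf_get "$f" start_tls)" != "yes" ]; then
                echo "$f: neither start_tls = yes nor ldaps://; the bind password would cross the network in clear text"
                problems=$((problems + 1))
            fi ;;
    esac
    if [ "$(ldap_cf_get "$f" bind)" = "yes" ] && [ -z "$(ldap_cf_get "$f" bind_pw)" ]; then
        echo "$f: bind = yes but bind_pw is empty"
        problems=$((problems + 1))
    fi
    mode=$(file_mode "$f")
    others=$(printf '%s' "$mode" | tail -c 1)
    group=$(printf '%s' "$mode" | tail -c 2 | cut -c1)
    if [ "$others" != "0" ]; then
        echo "$f: mode $mode lets any local user read the bind password (expected 640)"
        problems=$((problems + 1))
    fi
    case "$group" in
        2|3|6|7)
            echo "$f: mode $mode is group-writable"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# Constructed samples (placeholder names and password, not a live directory).
WORK=$(mktemp -d)
GOOD_CF="$WORK/ldap_transport.cf"
BAD_CF="$WORK/ldap_alias.cf"
cat > "$GOOD_CF" <<'EOF'
server_host = ldap://ldap.example.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=example,dc=com
bind_pw = PLACEHOLDER_BIND_PASSWORD
version = 3
start_tls = yes
search_base = dc=example,dc=com
query_filter = (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = gosaMailServer
result_format = smtp:[%s]
EOF
chmod 640 "$GOOD_CF"
# Deliberately broken: plain ldap:// without start_tls, empty password,
# no result_attribute, and world-readable.
cat > "$BAD_CF" <<'EOF'
server_host = ldap://ldap.example.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=example,dc=com
bind_pw =
version = 3
search_base = dc=example,dc=com
query_filter = (mail=%s)
EOF
chmod 644 "$BAD_CF"

for cf in "$GOOD_CF" "$BAD_CF"; do
    if check_ldap_table_file "$cf"; then echo "$cf: OK"; fi
done
```

On a real server, run the checker over /etc/postfix/ldap_*.cf after the chown and chmod above; the group check is done by permission bits rather than by group name so that the script also works on a staging copy owned by another account.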
Postfix uses the saslauthd daemon to authenticate users, and saslauthd in turn checks the credentials against the LDAP directory. First /etc/sysconfig/saslauthd:
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=ldap
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
DAEMONOPTS="--user saslauth"
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS="-O /etc/saslauthd.conf"
Then /etc/saslauthd.conf, the file passed through FLAGS above. The filter restricts logins to accounts that actually have a mail extension in FusionDirectory:
ldap_servers: ldap://ldap.firewall-services.com
ldap_search_base: ou=people,dc=firewall-services,dc=com
ldap_filter: (&(uid=%u)(objectClass=gosaMailAccount))
ldap_bind_dn: cn=mail,ou=DSA,dc=firewall-services,dc=com
ldap_bind_pw: dsa_p@ssw0rd
ldap_start_tls: yes
ldap_auth_method: bind
ldap_version: 3
You can now start the saslauthd and postfix services.
Dovecot will deliver mail into the users' final mailboxes (through its LMTP service), so install it now on the internal server; for its configuration, see this page.
yum install postfix dovecot
/etc/postfix/main.cf on the internal mail server:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.firewall-services.com
mydomain = mail.firewall-services.com
mydestination = localhost
mynetworks = 10.10.0.0/16
recipient_delimiter = +
transport_maps = hash:/etc/postfix/local_transport.cf ldap:/etc/postfix/ldap_transport.cf
local_recipient_maps = $alias_maps
alias_maps = hash:/etc/aliases, $virtual_alias_maps
alias_database = hash:/etc/aliases
virtual_mailbox_domains = ldap:/etc/postfix/ldap_domains.cf
virtual_alias_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf, ldap:/etc/postfix/ldap_alias.cf
/etc/postfix/local_transport.cf, which hands the server's own domain to Dovecot's LMTP socket:
mail.firewall-services.com lmtp:unix:private/dovecot-lmtp
Then run
postmap /etc/postfix/local_transport.cf
to build the hash file that Postfix actually reads.
/etc/postfix/ldap_transport.cf, which reads the transport rules defined on this server's own entry in FusionDirectory (hence the narrow search_base):
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = cn=mail,ou=servers,ou=systems,dc=firewall-services,dc=com
query_filter = (&(objectClass=fdPostfixTransportTable)(fdTransportTableMatch=%s))
result_attribute = fdTransportTableRule
/etc/postfix/ldap_users.cf, which resolves a user's addresses to the uid (the mailbox) plus any forwarding addresses:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = uid,gosaMailForwardingAddress
/etc/postfix/ldap_groups.cf, which expands a group address to its members through special_result_attribute:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
ldap_groupmembers_attribute_type = dn
query_filter = (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = uid,gosaMailForwardingAddress
special_result_attribute = member
/etc/postfix/ldap_alias.cf, for the redirection and distribution-list aliases:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
timeout = 5
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(|(objectClass=mailAliasDistribution)(objectClass=mailAliasRedirection))(mail=%s))
result_attribute = gosaMailAlternateAddress,gosaMailForwardingAddress
/etc/postfix/ldap_domains.cf, which reads the hosted domains from this server's entry:
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = cn=mail,ou=servers,ou=systems,dc=firewall-services,dc=com
query_filter = (&(objectClass=fdPostfixServer)(|(postfixMyDomain=%s)(postfixMyDestinations=%s)))
result_attribute = postfixMyDomain,postfixMyDestinations
As on the proxy, keep the bind password out of reach of other local users:
chown :postfix /etc/postfix/ldap_*.cf
chmod 640 /etc/postfix/ldap_*.cf
That is it for the Postfix part; once Dovecot is configured you can test your new installation.
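The internal server's main.cf references six lookup tables across six files, and two kinds of mistake only show up at delivery time as deferred or bounced mail: a filename typo in a ldap: reference, or a hash: table whose .db file was never built with postmap. The script below is an added example, not code from the original article; it cross-checks a main.cf against the files on disk, using a constructed staging tree modelled on the configuration above, and the function names (main_cf_map_refs, check_map_refs) are my own.

```sh
#!/bin/sh
# Added example (not part of the article): cross-check a main.cf against the
# lookup tables it references.  For every "type:/path" in a map parameter,
# ldap: needs the client file itself, while hash: needs the compiled
# "/path.db" that postmap(1) produces.

# main_cf_map_refs FILE -> one "type:path" per line for ldap: and hash: maps.
# Continuation lines (leading whitespace) are joined first, as Postfix does.
main_cf_map_refs() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]/   { line = line " " $0; next }
        { if (line != "") print line; line = $0 }
        END { if (line != "") print line }
    ' "$1" | grep -oE '(ldap|hash):[^ ,]*'
}

# check_map_refs MAINCF ROOT -> prints each missing backing file, returns 0
# only if all are present.  ROOT is prefixed to the absolute paths so the
# check can run against a staging copy; pass "" for the live system.
check_map_refs() {
    maincf="$1"; root="$2"; missing=0
    for ref in $(main_cf_map_refs "$maincf"); do
        type=${ref%%:*}; path=${ref#*:}
        case "$type" in
            hash) target="$root$path.db" ;;   # postmap output
            *)    target="$root$path" ;;
        esac
        if [ ! -f "$target" ]; then
            echo "$ref -> $target is missing"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed staging tree modelled on the internal server's main.cf above.
STAGE=$(mktemp -d)
mkdir -p "$STAGE/etc/postfix"
MAINCF="$STAGE/etc/postfix/main.cf"
cat > "$MAINCF" <<'EOF'
# constructed sample, not a live configuration
transport_maps = hash:/etc/postfix/local_transport.cf ldap:/etc/postfix/ldap_transport.cf
virtual_mailbox_domains = ldap:/etc/postfix/ldap_domains.cf
virtual_alias_maps = ldap:/etc/postfix/ldap_users.cf,
    ldap:/etc/postfix/ldap_groups.cf, ldap:/etc/postfix/ldap_alias.cf
EOF
# Create the client files that "exist"; leave out ldap_groups.cf (a typo in
# the filename) and skip postmap, so local_transport.cf.db is absent too.
for name in local_transport ldap_transport ldap_domains ldap_users ldap_alias; do
    : > "$STAGE/etc/postfix/$name.cf"
done

check_map_refs "$MAINCF" "$STAGE" || echo "fix the entries above, then re-run"
```

On the live server, run check_map_refs /etc/postfix/main.cf "" after the postmap step; it complements postfix check, which validates syntax but does not tell you whether a hash: table was ever compiled.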