Managing Postfix servers

Postfix is a very flexible MTA that can be used in many different ways. It can draw on the data of an LDAP directory for many purposes. In this example we will configure two postfix servers:

Installing the plugins

The systems and mail plugins must be installed:

yum install fusiondirectory-plugin-systems fusiondirectory-plugin-mail

OpenLDAP configuration

The mail-fd and mail-fd-conf schemas must be loaded.

Then create a mail account in the DSA branch, and add a few indexes and ACLs to your OpenLDAP server, for example:

[...]
include         /etc/openldap/schema/fusiondirectory/mail-fd.schema
include         /etc/openldap/schema/fusiondirectory/mail-fd-conf.schema
[...]
index           gosaMailAlternateAddress,gosaMailForwardingAddress     eq
index           postfixTransportTable                                  eq
index           postfixMyDomain,postfixMyDestinations                  eq
[...]
access to attrs=gidNumber,homeDirectory,uidNumber
       by dn=cn=samba,ou=DSA,dc=firewall-services,dc=com ssf=256 write
       by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
       by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
       by dn=cn=unix,ou=DSA,dc=firewall-services,dc=com ssf=256 read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
       by self read
       by * none
access to attrs=gosaMailQuota,gosaMailServer,gosaMailDeliveryMode,gosaMailAlternateAddress,postfixHeaderSizeLimit,postfixMailboxSizeLimit,postfixMessageSizeLimit,postfixMyDestinations,postfixMyDomain,postfixMyHostname,postfixMyNetworks,postfixRecipientRestrictions,postfixSenderRestrictions,postfixTransportTable
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
       by * none
access to dn.subtree=ou=servers,ou=systems,dc=firewall-services,dc=com filter=(|(objectClass=fdImapServer)(objectClass=fdPostfixServer))
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="127.0.0.1" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com peername.ip="[::1]" read
       by dn=cn=mail,ou=DSA,dc=firewall-services,dc=com ssf=256 read
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="127.0.0.1" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" peername.ip="[::1]" write
       by group.exact="cn=admins,ou=Groups,dc=firewall-services,dc=com" ssf=256 write
       by * none
[...]

Configuration in FusionDirectory

In the FusionDirectory interface, a postfix service is only declared on the internal mail server. The proxy server will use the same configuration.

In order, you need to:

The following fields are not yet taken into account by postfix:

Proxy configuration

The front-end server (the proxy) will do several things

It is possible to manage several distinct internal mail servers. The front-end postfix asks the directory which internal server handles the mail address in question. In this example there will be only one, but nothing prevents you from having more. The server is selected in the FusionDirectory interface, in the Mail tab of a user or a group.

Installing the components

yum install amavisd-new postfix cyrus-sasl-ldap saslauthd

The configuration of clamav, amavisd-new and spamassassin will not be detailed here; other tutorials on the internet cover it far better than I could. What matters is simply that amavisd-new listens on the loopback address, port 10024, which is the case in its default configuration.

Postfix configuration

# /etc/postfix/master.cf
[...]
amavisfeed unix    -       -       n        -      2     lmtp
     -o lmtp_data_done_timeout=1200
     -o lmtp_send_xforward_command=yes
     -o disable_dns_lookups=yes
     -o max_use=20
127.0.0.1:10025 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=permit_mynetworks,reject
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=127.0.0.0/8
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
[...]

# /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
 
mail_owner = postfix
myhostname = proxy.firewall-services.com
mydomain = proxy.firewall-services.com
mydestination =
mynetworks = 10.10.0.0/16
 
transport_maps = ldap:/etc/postfix/ldap_transport.cf
 
relay_recipient_maps = ldap:/etc/postfix/ldap_recipients.cf
relay_domains = ldap:/etc/postfix/ldap_domains.cf
 
recipient_delimiter = +
 
smtpd_tls_cert_file = /etc/postfix/ssl/mail.firewall-services.com.crt
smtpd_tls_key_file = /etc/postfix/ssl/mail.firewall-services.com.key
smtpd_tls_security_level = may
 
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
 
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unverified_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client dnsbl-1.uceprotect.net
 
content_filter = amavisfeed:[127.0.0.1]:10024

# /etc/postfix/ldap_transport.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter =  (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = gosaMailServer
result_format = smtp:[%s]

# /etc/postfix/ldap_domains.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter =  (&(objectClass=fdPostfixServer)(|(postfixMyDomain=%s)(postfixMyDestinations=%s)))
result_attribute = postfixMyDomain,postfixMyDestinations

# /etc/postfix/ldap_recipients.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter = (&(|(objectClass=gosaMailAccount)(objectClass=mailAliasRedirection)(objectClass=mailAliasDistribution))(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = gosaMailServer,gosaMailAlternateAddress

The last three files contain the password of the user cn=mail,ou=DSA,dc=firewall-services,dc=com, so remember to restrict their access permissions:

chown :postfix /etc/postfix/ldap_*.cf
chmod 640 /etc/postfix/ldap_*.cf

Authentication configuration

Postfix will use the saslauthd daemon to authenticate users; saslauthd in turn verifies the credentials against the LDAP directory.

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/var/run/saslauthd
 
# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=ldap
 
# Options sent to the saslauthd. If the MECH is other than "pam" uncomment the next line.
DAEMONOPTS="--user saslauth"
 
# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS="-O /etc/saslauthd.conf"

# /etc/saslauthd.conf
ldap_servers: ldap://ldap.firewall-services.com
ldap_search_base: ou=people,dc=firewall-services,dc=com
ldap_filter: (&(uid=%u)(objectClass=gosaMailAccount))
ldap_bind_dn: cn=mail,ou=DSA,dc=firewall-services,dc=com
ldap_bind_pw: dsa_p@ssw0rd
ldap_start_tls: yes
ldap_auth_method: bind
ldap_version: 3

You can now start the saslauthd and postfix services.

Internal server configuration

Installing the components

We will use dovecot to deliver mail into the users' final mailboxes (through its LMTP service), so we install it now; for its configuration, see this page

yum install postfix dovecot

Postfix configuration

# /etc/postfix/main.cf
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
 
mail_owner = postfix
myhostname = mail.firewall-services.com
mydomain = mail.firewall-services.com
mydestination = localhost
mynetworks = 10.10.0.0/16
 
recipient_delimiter = +
 
transport_maps = hash:/etc/postfix/local_transport.cf ldap:/etc/postfix/ldap_transport.cf
 
local_recipient_maps = $alias_maps
alias_maps = hash:/etc/aliases, $virtual_alias_maps
alias_database = hash:/etc/aliases
 
virtual_mailbox_domains = ldap:/etc/postfix/ldap_domains.cf
virtual_alias_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf, ldap:/etc/postfix/ldap_alias.cf

# /etc/postfix/local_transport.cf
mail.firewall-services.com        lmtp:unix:private/dovecot-lmtp

Run the command

postmap /etc/postfix/local_transport.cf

to build the hashed file that postfix can read.

# /etc/postfix/ldap_transport.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = cn=mail,ou=servers,ou=systems,dc=firewall-services,dc=com
query_filter =  (&(objectClass=fdPostfixTransportTable)(fdTransportTableMatch=%s))
result_attribute = fdTransportTableRule

# /etc/postfix/ldap_users.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter =  (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = uid,gosaMailForwardingAddress

# /etc/postfix/ldap_groups.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
ldap_groupmembers_attribute_type = dn
query_filter =  (&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))
result_attribute = uid,gosaMailForwardingAddress
special_result_attribute = member

# /etc/postfix/ldap_alias.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
timeout = 5
version = 3
start_tls = yes
search_base = dc=firewall-services,dc=com
query_filter =  (&(|(objectClass=mailAliasDistribution)(objectClass=mailAliasRedirection))(mail=%s))
result_attribute = gosaMailAlternateAddress,gosaMailForwardingAddress

# /etc/postfix/ldap_domains.cf
server_host = ldap://ldap.firewall-services.com
bind = yes
bind_dn = cn=mail,ou=DSA,dc=firewall-services,dc=com
bind_pw = dsa_p@ssw0rd
version = 3
start_tls = yes
search_base = cn=mail,ou=servers,ou=systems,dc=firewall-services,dc=com
query_filter =  (&(objectClass=fdPostfixServer)(|(postfixMyDomain=%s)(postfixMyDestinations=%s)))
result_attribute = postfixMyDomain,postfixMyDestinations

The last five files contain the password of the user cn=mail,ou=DSA,dc=firewall-services,dc=com, so remember to restrict their access permissions:

chown :postfix /etc/postfix/ldap_*.cf
chmod 640 /etc/postfix/ldap_*.cf
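As an added example (not FusionDirectory's or Postfix's own code), here is a small Python model of how the proxy's ldap_transport.cf and the internal server's ldap_groups.cf resolve an address: the lookup key is quoted the way Postfix's ldap: driver does before it replaces %s, the resulting filter is evaluated against a constructed directory, and special_result_attribute expands group members into their uids. The directory entries and the toy filter parser are assumptions; the two table definitions copy the .cf files above.

```python
import re
# Added example, not FusionDirectory's or Postfix's own code: a toy model of how the
# ldap: tables above resolve an address. DIRECTORY holds constructed entries.
DIRECTORY = {
    "uid=alice,ou=people,dc=firewall-services,dc=com": {
        "objectClass": ["gosaMailAccount"], "uid": ["alice"], "mail": ["alice@firewall-services.com"],
        "gosaMailAlternateAddress": ["a.smith@firewall-services.com"], "gosaMailServer": ["mail.firewall-services.com"]},
    "cn=sales,ou=groups,dc=firewall-services,dc=com": {"objectClass": ["gosaMailAccount"],
        "mail": ["sales@firewall-services.com"], "member": ["uid=alice,ou=people,dc=firewall-services,dc=com"]},
}
LDAP_TRANSPORT = {  # proxy: /etc/postfix/ldap_transport.cf
    "query_filter": "(&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))",
    "result_attribute": "gosaMailServer", "result_format": "smtp:[%s]"}
LDAP_GROUPS = {  # internal server: /etc/postfix/ldap_groups.cf
    "query_filter": "(&(objectClass=gosaMailAccount)(|(mail=%s)(gosaMailAlternateAddress=%s)))",
    "result_attribute": "uid,gosaMailForwardingAddress", "special_result_attribute": "member"}

def escape(key):
    # RFC 4515 quoting of the key, as Postfix does before substituting %s: ( ) * \ cannot alter the filter.
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), key)

# Undoes that quoting when a value is compared; a quoted "\2a" stays a literal "*".
unhex = lambda s: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse(f, i=0):
    # Minimal LDAP filter parser: (&...), (|...) and (attr=value) suffice here.
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)
    return ("=",) + tuple(f[i + 1:j].split("=", 1)), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, val = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if val == "*" else unhex(val).lower() in values

def lookup(table, key):
    # What Postfix returns: result_attribute values of matching entries and of the entries named by special_result_attribute.
    node, _ = parse(table["query_filter"].replace("%s", escape(key)))
    fmt, attrs, out = table.get("result_format", "%s"), table["result_attribute"].split(","), []
    for entry in (e for e in DIRECTORY.values() if matches(node, e)):
        for e in [entry] + [DIRECTORY.get(dn, {}) for dn in entry.get(table.get("special_result_attribute", ""), [])]:
            out += [fmt.replace("%s", v) for a in attrs for v in e.get(a, [])]
    return out
```

On a real server the same checks are done with `postmap -q address ldap:/etc/postfix/ldap_transport.cf`, which is the quickest way to confirm a table and the DSA account's ACLs before routing mail through them.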

That's it, the postfix part is done; once dovecot is configured, you can test your new installation.