On Sat, 17.12.2005 at 4:14, John Francis wrote:

No HTML list postings please.

> Does anyone have any tips or best practice pointers regarding setting
> up a mailserver system on an FC4 box.
>
> I would like to use Postfix as my MTA, Cyrus IMAP as the IMAP or POP
> server and I would like all authentication done through LDAP. I will
> be using the Fedora Directory Server for LDAP.

Recently did that myself. Though it is a hosting server running CentOS 4.2 and OpenLDAP instead of FDS.

> I have done some reading and fiddling around but haven't been able to
> get it going yet. I am new to PAM concepts as well as Cyrus IMAP so
> any help in those areas in particular would be appreciated.

Why PAM?

> John Francis

I suspect you have the FDS already running and all required user data put into it. That means querying the FDS by hand does provide you the requested data.

You don't need PAM for the mailserver part (Postfix and Cyrus-IMAPd). What you need in FDS is a user which plays a special role: a proxy auth user. That user must be able to authorize as any other user who shall get authorization to mail and to get mail. Within OpenLDAP (so far I have not investigated the FDS) you would give those permissions to a specific user by the following LDIF entries:

dn: uid=proxyuser,ou=admins,o=hosting,dc=domain,dc=tld
saslAuthzTo: uid=cyrus,ou=admins,o=hosting,dc=domain,dc=tld
saslAuthzTo: uid=(.*),ou=users,hostingDomain=(.*),o=hosting,dc=domain,dc=tld

A few other settings are required/recommended for this to work in /etc/openldap/slapd.conf.

Now about Postfix and Cyrus-IMAPd. Both can directly handle the ldapdb plugin of SASLv2.
Postfix: /usr/lib[64]/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://127.0.0.1
ldapdb_id: <proxyuser_userid>
ldapdb_pw: <proxyuser_password>
ldapdb_mech: login plain digest-md5

Of course you too need the common SMTP AUTH settings in main.cf.

Cyrus-IMAPd: /etc/imapd.conf

sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: ldapdb
sasl_ldapdb_uri: ldap://127.0.0.1
sasl_ldapdb_id: <proxyuser_userid>
sasl_ldapdb_pw: <proxyuser_password>
sasl_ldapdb_mech: login plain digest-md5

As you have stored authentication information inside the 2 configuration files in cleartext, you have to take care that the permissions for both files are set properly so that only root and, in the case of imapd.conf, only cyrus can read the files.

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 15:47:01 up 12 days, 20:24, load average: 0.46, 0.20, 0.08
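A small check for the two SASL config files described in the mail above, as an added example that is not part of the original post: it parses the "key: value" lines of smtpd.conf and imapd.conf, confirms the ldapdb settings are all present, and flags a file mode that would let any local user read the proxy user's password. The file contents, credentials and modes are constructed inline for the demo.

```python
import os
import stat
import tempfile
# Settings the post lists for SASL's ldapdb plugin; imapd.conf carries them with a "sasl_" prefix.
REQUIRED = ("pwcheck_method", "auxprop_plugin", "ldapdb_uri", "ldapdb_id", "ldapdb_pw", "ldapdb_mech")
def parse_sasl_conf(text, prefix=""):
    """Parse 'key: value' lines (smtpd.conf / imapd.conf format), dropping the optional prefix."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key = key.strip()
        if prefix and key.startswith(prefix):
            key = key[len(prefix):]
        opts[key] = value.strip()
    return opts
def audit(path, prefix=""):
    """Findings for one file: missing ldapdb settings, wrong plugin, or a mode that exposes ldapdb_pw."""
    with open(path) as f:
        opts = parse_sasl_conf(f.read(), prefix)
    findings = ["missing " + k for k in REQUIRED if k not in opts]
    if opts.get("pwcheck_method") != "auxprop" or opts.get("auxprop_plugin") != "ldapdb":
        findings.append("not using the ldapdb auxprop plugin")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:  # any 'other' bit lets every local user read the proxy password
        findings.append("mode %s is world-readable; ldapdb_pw exposed" % oct(mode))
    return findings
# Constructed sample contents mirroring the post's snippets (placeholder credentials, not real ones).
SMTPD_CONF = """pwcheck_method: auxprop
auxprop_plugin: ldapdb
ldapdb_uri: ldap://127.0.0.1
ldapdb_id: proxyuser
ldapdb_pw: EXAMPLE-PASSWORD
ldapdb_mech: login plain digest-md5
"""
IMAPD_CONF = "".join("sasl_" + line + "\n" for line in SMTPD_CONF.splitlines())

def demo():
    # smtpd.conf gets the weak default mode 0644, imapd.conf the corrected 0640; audit both.
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text, prefix, mode in (("smtpd.conf", SMTPD_CONF, "", 0o644),
                                         ("imapd.conf", IMAPD_CONF, "sasl_", 0o640)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)  # explicit chmod: otherwise the umask decides the mode
            results[name] = audit(path, prefix)
    return results
```

Running demo() reports the world-readable smtpd.conf and passes the 0640 imapd.conf; on a real box, point audit() at the two files from the mail instead.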