On 18/12/05, Alexander Dalloz <ad+lists@xxxxxxxxx> wrote:
> Am Sa, den 17.12.2005 schrieb John Francis um 4:14:
>
> No HTML list postings please.

Oops. Didn't realise GMail did that.

> > Does anyone have any tips or best practice pointers regarding setting
> > up a mailserver system on an FC4 box.
> >
> > I would like to use Postfix as my MTA, Cyrus IMAP as the IMAP or POP
> > server and I would like all authentication done through LDAP. I will
> > be using the Fedora Directory Server for LDAP.
>
> Recently did that myself. Though it is a hosting server running CentOS
> 4.2 and OpenLDAP instead of FDS.
>
> > I have done some reading and fiddling around but haven't been able to
> > get it going yet. I am new to PAM concepts as well as Cyrus IMAP so
> > any help in those areas in particular would be appreciated.
>
> Why PAM?

After doing some research I was pointed in the direction of /etc/pam.d/imap and /etc/pam.d/smtp.

> > John Francis
>
> I suspect you have the FDS already running and all required user data
> put into it. Means, querying the FDS by hand does provide you the
> requested data.

Yes and no. I do have user data in FDS but I'm not sure whether or not that data is sufficient for my purposes. For example, how do I handle aliases, virtual domains, etc.

> You don't need PAM for the mailserver part (Postfix and Cyrus-IMAPd).
> What you need in FDS is a user which plays a special role: a proxy auth
> user. That user must be able to authorize as any other user who shall
> get authorization to mail and to get mail. Within OpenLDAP (so far I
> have not investigated the FDS) you would give that permissions to a
> specific user by following ldif entries:
>
> dn: uid=proxyuser,ou=admins,o=hosting,dc=domain,dc=tld
> saslAuthzTo: uid=cyrus,ou=admins,o=hosting,dc=domain,dc=tld
> saslAuthzTo: uid=(.*),ou=users,hostingDomain=(.*),o=hosting,dc=domain,dc=tld
>
> A few other settings are required/recommended for this to work in
> /etc/openldap/slapd.conf.
>
> Now about Postfix and Cyrus-IMAPd. Both can directly handle the ldapdb
> plugin of SASLv2.
>
> Postfix:
> /usr/lib[64]/sasl2/smtpd.conf
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> ldapdb_uri: ldap://127.0.0.1
> ldapdb_id: <proxyuser_userid>
> ldapdb_pw: <proxyuser_password>
> ldapdb_mech: login plain digest-md5
>
> Of course you too need the common SMTP AUTH settings in main.cf
>
> Cyrus-IMAPd:
> /etc/imapd.conf
>
> sasl_pwcheck_method: auxprop
> sasl_auxprop_plugin: ldapdb
> sasl_ldapdb_uri: ldap://127.0.0.1
> sasl_ldapdb_id: <proxyuser_userid>
> sasl_ldapdb_pw: <proxyuser_password>
> sasl_ldapdb_mech: login plain digest-md5
>
> As you have stored authentication information inside the 2 configuration
> files in cleartext you have to take care that the permission for both
> files are set properly so that only root and in case of imapd.conf only
> cyrus can read the files.
>
> Alexander
>
> --
> Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
> legal statement: http://www.uni-x.org/legal.html
> Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
> Serendipity 15:47:01 up 12 days, 20:24, load average: 0.46, 0.20, 0.08
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

--
Kind regards,
John Francis
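Alexander's closing point, that smtpd.conf and imapd.conf now carry the proxy user's password in cleartext and must be readable only by root (and, for imapd.conf, the cyrus user), is the part of this setup that silently regresses after a package update or a careless edit. The script below is an added example, not code from the thread or from Postfix/Cyrus: it looks for an ldapdb_pw / sasl_ldapdb_pw line in each file and fails if the file's permission bits exceed a ceiling. The file paths are the ones from the thread; the ceilings 0600 for smtpd.conf and 0640 for imapd.conf (root:cyrus via the group) are this example's reading of Alexander's rule, and `stat -c '%a'` assumes GNU or BusyBox stat as found on Fedora.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two SASL config files that
# store the LDAP proxy user's password in cleartext and report any file that
# is readable more widely than the policy allows.

# sasl_conf_mode_ok FILE MAXMODE
# Returns 0 if FILE exists and its permission bits are a subset of MAXMODE
# (octal, e.g. 0600 or 0640), 1 if extra bits such as world-read are set,
# 2 if the file is missing.
sasl_conf_mode_ok() {
    file=$1
    maxmode=$2
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file") || return 2
    # Any bit present in mode but absent from maxmode is a leak.
    if [ $(( 0$mode & ~0$maxmode )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# sasl_conf_has_cleartext_pw FILE
# Returns 0 if FILE carries an ldapdb_pw (Postfix) or sasl_ldapdb_pw (Cyrus)
# line, i.e. the permission ceiling actually matters for this file.
sasl_conf_has_cleartext_pw() {
    grep -Eq '^[[:space:]]*(sasl_)?ldapdb_pw[[:space:]]*:' "$1"
}

# audit_sasl_conf FILE MAXMODE
# Prints one verdict line. Exit code: 0 fine, 1 cleartext password readable
# beyond the ceiling, 2 file missing.
audit_sasl_conf() {
    file=$1
    maxmode=$2
    if ! sasl_conf_has_cleartext_pw "$file" 2>/dev/null; then
        [ -f "$file" ] || { echo "MISSING $file"; return 2; }
        echo "OK      $file (no ldapdb password stored)"
        return 0
    fi
    if sasl_conf_mode_ok "$file" "$maxmode"; then
        echo "OK      $file mode $(stat -c '%a' "$file") within $maxmode"
        return 0
    fi
    echo "LEAK    $file mode $(stat -c '%a' "$file") exceeds $maxmode (holds ldapdb_pw)"
    return 1
}

# Policy taken from the thread: smtpd.conf for root only, imapd.conf for
# root and the cyrus group. Which of lib/lib64 exists depends on the arch.
if [ "${1:-}" = "--run" ]; then
    rc=0
    for d in /usr/lib/sasl2 /usr/lib64/sasl2; do
        [ -f "$d/smtpd.conf" ] && { audit_sasl_conf "$d/smtpd.conf" 0600 || rc=1; }
    done
    audit_sasl_conf /etc/imapd.conf 0640 || rc=1
    exit $rc
fi
```

Run it as `sh audit-sasl-conf.sh --run` from cron or a post-upgrade hook and alert on a non-zero exit. The mode check is deliberately bitwise rather than a string compare, so a file at 0400 passes a 0600 ceiling while 0644 or 0660 does not. It does not check ownership, which is still worth a glance: a 0640 imapd.conf owned by the wrong group is as exposed as a world-readable one.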