09-16-2010, 07:42 AM   #1
arunabh_biswas

Auto Maildir Creation for LDAP authenticated users


Dear Experts,
Hi to all.
I have a RHEL 5 server running postfix and squirrelmail. I have an LDAP server on SLES 9, which is used for centralized authentication for my internet (via squid server) and mail users.
My internet users and mail users are authenticating properly and using internet and mail. But the problem I'm facing is that I have to create each user's home (i.e. /home/username) and maildir (i.e. /home/username/Maildir) manually and assign ownership and permissions for their respective home and maildirs.
After googling a lot, I read somewhere that Openwebmail is capable of doing it automatically. After a user is created in the LDAP server (say test1), when that user (test1) logs in for the first time using the openwebmail client, its home and maildir are created automatically on the mail server. Is there any way to do the same with squirrelmail, so that I don't need to create home and mail dirs manually?

Regards
Arunabh
 
09-17-2010, 07:25 AM   #2
jamrock

Please post the output from postconf -n
 
09-20-2010, 03:22 AM   #3
arunabh_biswas (Original Poster)

Postconf output

Quote:
Originally Posted by jamrock
Please post the output from postconf -n

Dear Jamrock,

Thanks for the reply.

Below is the output of "postconf -n" ....


Quote:
alias_maps = hash:/etc/aliases ldap:ldapserver
body_checks = regexp:/etc/postfix/body_checks
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = xyz.ac.in
myhostname = mail.xyz.ac.in
mynetworks = 172.xx.x.0/24, 127.0.0.0/8
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
relayhost =
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient reject_non_fqdn_sender reject_unknown_sender_domain reject_unknown_recipient_domain check_recipient_access hash:/etc/postfix/roleaccount_exception check_relay_domains permit_mynetworks check_recipient_access hash:/etc/postfix/recipient_access check_sender_access hash:/etc/postfix/sender_access permit_sasl_authenticated reject_unauth_destination permit
smtpd_sasl_auth_enable = yes
strict_rfc821_envelopes = yes
unknown_local_recipient_reject_code = 550

Regards
Arunabh

Last edited by arunabh_biswas; 09-22-2010 at 12:07 AM.
 
09-21-2010, 07:45 AM   #4
jamrock

Postfix automatically creates the home directories for me. Once the user exists in LDAP, Postfix creates the mailboxes when the first mail is received for each user.

I do the following:

Create a Linux user and group to manage the mailbox directory structure.

Assign ownership of the directory structure to this user and group.

Use /etc/skel to create the maildir directory structure for the users.

Control where the mailboxes are created by adding the following line to my main.cf.

virtual_mailbox_base = /var/postfix/maildirs/

Here is a section of my notes.

Quote:
Configure Postfix for LDAP

Using virtual accounts

Postfix can be used with local accounts, virtual accounts or a combination of both. Local accounts are regular Linux accounts stored in /etc/passwd. Virtual accounts exist in a database such as OpenLDAP or Active Directory.

Virtual accounts need to be associated with at least one local account. Mail for the virtual accounts can be stored in sub-directories within the local account's home directory.

We will create a local group account called vmail and a local user account called vmail to manage the virtual accounts.

Create the vmail group

groupadd vmail

Make the directory to store the mail

mkdir /var/postfix

Add the vmail user

useradd -g vmail -m -d /var/postfix/maildirs -s /bin/false -c "Virtual Account" vmail

Note -d /var/postfix/maildirs. This sets vmail's home directory. Mail will be stored in directories below this one.

Make a note of the postfix user's UID and GID. We will need to put them in the main.cf and dovecot.conf files. This will tell the applications which users have access to the directories where the mail is stored.

Give vmail ownership of the directory.

chown -R vmail:vmail /var/postfix/maildirs

Restrict access to the directory to vmail

chmod 700 /var/postfix/maildirs

/etc/skel and mail directories


A user's mail is stored in a mailbox on the Postfix server. A number of mailbox formats exist. We use the Maildir mailbox format. Maildir stores mail in three directories in the user's home folder. These are new, cur and tmp.

It is best to configure Linux so that this directory structure is automatically created when a user is added to the system. We can use the /etc/skel directory to achieve this.

The /etc/skel directory is used to determine the directory structure that is created when a user is added to Linux. Directories and files located in /etc/skel will be added to each user's home directory. We therefore add the required directories to the /etc/skel folder.

mkdir /etc/skel/new
mkdir /etc/skel/cur
mkdir /etc/skel/tmp


Tell Postfix to use ldap for lookups

The following section configures Postfix to use virtual users.

Add the following to the /etc/postfix/main.cf:

# Prevents mail from being sent to local user accounts
local_transport = virtual

# Information about mailboxes
virtual_mailbox_base = /var/postfix/maildirs/
virtual_mailbox_maps = ldap:/etc/postfix/ldap_mailboxes.cf
virtual_minimum_uid = 501
virtual_uid_maps = static:501
virtual_gid_maps = static:502

# Files storing user and group information
virtual_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf

Explanation of configuration above:

virtual_mailbox_base = /var/postfix/maildirs/

All mailboxes are stored within this directory. A sub-directory is created with the same name as the user's Active Directory account name. The directories created in the /etc/skel directory are created within it. Unread mail is stored in the new sub-directory.

virtual_mailbox_maps = ldap:/etc/postfix/ldap_mailboxes.cf

This tells Postfix where to find information about the virtual mailboxes. The data is stored in a ldap directory and the ldap_mailboxes.cf file contains more information.

virtual_minimum_uid = 501
virtual_uid_maps = static:501
virtual_gid_maps = static:502

User and group ids for the local accounts which manage the virtual accounts. The uid and gid will vary depending on the ids assigned when the vmail user and group are created.

Hope this helps.
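
The notes above leave three things that have to agree: the ids in virtual_uid_maps and virtual_gid_maps, the virtual_minimum_uid floor, and the owner and mode of the mail store. A check for that follows, added here as an example and not part of jamrock's post; the function names are made up for the example and the main.cf fragment is constructed from the values in the notes.

```shell
#!/bin/sh
# Added example (not from the thread): check that the virtual-mailbox ids in
# main.cf agree with the account that owns the mail store.

# Print the last value assigned to parameter $2 in main.cf-style file $1.
cf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_virtual_ids MAIN_CF UID GID
# UID/GID are the numeric ids of the mailbox owner (e.g. from `id -u vmail`).
check_virtual_ids() {
    rc=0
    uid_map=$(cf_value "$1" virtual_uid_maps)
    gid_map=$(cf_value "$1" virtual_gid_maps)
    min_uid=$(cf_value "$1" virtual_minimum_uid)
    [ "$uid_map" = "static:$2" ] ||
        { echo "virtual_uid_maps=$uid_map, owner uid is $2"; rc=1; }
    [ "$gid_map" = "static:$3" ] ||
        { echo "virtual_gid_maps=$gid_map, owner gid is $3"; rc=1; }
    # virtual(8) rejects uid lookups below virtual_minimum_uid (default 100)
    # and defers the mail.
    [ "${min_uid:-100}" -le "$2" ] ||
        { echo "virtual_minimum_uid=$min_uid is above uid $2"; rc=1; }
    return "$rc"
}

# check_mail_store DIR UID
# The store must belong to UID and grant nothing to group or other (mode 700).
check_mail_store() {
    rc=0
    owner=$(ls -ldn "$1" | awk '{print $3}')
    perms=$(ls -ldn "$1" | cut -c5-10)
    [ "$owner" = "$2" ] || { echo "$1 owned by uid $owner, expected $2"; rc=1; }
    [ "$perms" = "------" ] || { echo "$1 is open to group/other"; rc=1; }
    return "$rc"
}

# Demo on a constructed main.cf fragment using the values from the notes.
demo_cf=$(mktemp)
printf '%s\n' 'virtual_minimum_uid = 501' 'virtual_uid_maps = static:501' \
    'virtual_gid_maps = static:502' > "$demo_cf"
check_virtual_ids "$demo_cf" 501 502 && echo "ids consistent"
rm -f "$demo_cf"
```

On a real server the calls would be `check_virtual_ids /etc/postfix/main.cf "$(id -u vmail)" "$(id -g vmail)"` and `check_mail_store /var/postfix/maildirs "$(id -u vmail)"`.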
 
09-22-2010, 01:18 AM   #5
arunabh_biswas (Original Poster)

Dear Jamrock,

This is what I'm looking for. Thanks a lot.

I'll follow these steps and I hope I'll end up with a successful completion. Before implementing the above steps, I want to ask a few more questions ...

1) Do I need to create this file? What will be the content of this file?
virtual_mailbox_maps = ldap:/etc/postfix/ldap_mailboxes.cf
virtual_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf


2) Do I need to enable PAM authentication for this, or will the above procedure work without PAM auth (using system-config-authentication)?

3) Will the above procedure work for MBOX format also, as my server uses MBOX format (stores mails in /var/spool/mail)?

4) Is there any change that needs to be made in dovecot.conf?

5) Below are some users' LDIF entries which I always refer to when uploading new users to the LDAP DIT (it was created by the previous IT admin in our organization). I have basic knowledge of LDAP, so I can't tell whether anything is missing or needs to be added/modified in the entries below to work with MBOX format.

dn: o=XYZ Ind,c=IN
o: XYZ Ind
objectClass: top
objectClass: organization
objectClass: domainRelatedObject
associatedDomain: xyz.ac.in
structuralObjectClass: organization
entryUUID: 57e16ffc-f033-102c-8761-a528f648fead
creatorsName: cn=root,o=XYZ Ind,c=IN
createTimestamp: 20080727142335Z
entryCSN: 20080727142335Z#000001#00#000000
modifiersName: cn=root,o=XYZ Ind,c=IN
modifyTimestamp: 20080727142335Z
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

dn: ou=people,o=XYZ Ind,c=IN
associatedDomain: xyz.ac.in
ou: 20
ou: people
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
structuralObjectClass: organizationalUnit
entryUUID: 2fef74a6-f035-102c-9aab-f5f999862fa6
creatorsName: cn=root,o=XYZ Ind,c=IN
createTimestamp: 20080727143647Z
entryCSN: 20080727143647Z#000001#00#000000
modifiersName: cn=root,o=XYZ Ind,c=IN
modifyTimestamp: 20080727143647Z
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

dn: cn=balthakre,ou=people,o=XYZ Ind,c=IN
objectClass: top
objectClass: posixGroup
cn: balthakre
gidNumber: 501
structuralObjectClass: posixGroup
entryUUID: 152181bc-06cb-102d-8814-e72fb706f553
creatorsName: cn=root,o=XYZ Ind,c=IN
createTimestamp: 20080825082512Z
entryCSN: 20090404051641Z#000001#00#000000
modifiersName: cn=root,o=XYZ Ind,c=IN
modifyTimestamp: 20090404051641Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

dn: uid=sachin.econ,ou=people,o=XYZ Ind,c=IN
givenName: Sachin
objectClass: mailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: davvUser
email-access: yes
registration: yes
shadowLastChange: 11718
userPassword: {crypt}$1$jIrLef2v$5hQxM4KUzV9UAziTUz1N3/
net-access: yes
uid: sachin.econ
mail: sachin.econ@xyz.ac.in
uidNumber: 530
cn: Sachin Choudhary
loginShell: /bin/bash
gidNumber: 2002
shadowMax: 99999
gecos: Sachin Choudhary
homeDirectory: /home/sachin.econ
sn: Choudhary
mailForwardingAddress: sachin.econ@mail.xyz.ac.in
structuralObjectClass: inetOrgPerson
entryUUID: 3a82b9c8-f035-102c-9aec-f5f999862fa6
creatorsName: cn=root,o=XYZ Ind,c=IN
createTimestamp: 20080727143705Z
entryCSN: 20080727143705Z#000003#00#000000
modifiersName: cn=root,o=XYZ Ind,c=IN
modifyTimestamp: 20080727143705Z
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE


Regards
Arunabh

Last edited by arunabh_biswas; 09-22-2010 at 02:44 AM.
 
09-22-2010, 07:23 AM   #6
jamrock

I would recommend setting up a test server. You should make the changes and test them on this test server before making changes to your production server.

Quote:
1) Do I need to create this file? What will be the content of this file?
virtual_mailbox_maps = ldap:/etc/postfix/ldap_mailboxes.cf
virtual_maps = ldap:/etc/postfix/ldap_users.cf, ldap:/etc/postfix/ldap_groups.cf

These files tell Postfix how to search the LDAP database and find the mailbox, user and group information. I think you have something similar:

Quote:
alias_maps = hash:/etc/aliases ldap:ldapserver

My files look like this:

/etc/postfix/ldap_mailboxes.cf

server_host = ldaps://mail.testcompany.com:636
version = 3
tls_ca_cert_file = /etc/postfix/ssl/cacert.pem
search_base = ou=users,ou=mail,dc=testcompay,dc=com
query_filter = (&(mail=%s) (objectClass=mailUser))
result_attribute = maildrop
result_format = %s/
bind_dn = name of ldap account to do lookups
bind_pw = password for account to do ldap lookups

/etc/postfix/ldap_users.cf

server_host = ldaps://mail.testcompany.com:636
version = 3
tls_ca_cert_file = /etc/postfix/ssl/cacert.pem
search_base = ou=users,ou=mail,dc=testcompay,dc=com
query_filter = (&(mail=%s) (objectClass=mailUser))
result_attribute = maildrop
bind_dn = name of ldap account to do lookups
bind_pw = password for account to do ldap lookups


/etc/postfix/ldap_groups.cf

server_host = ldaps://mail.testcompany.com:636
version = 3
tls_ca_cert_file = /etc/postfix/ssl/cacert.pem
search_base = ou=groups,ou=mail,dc=testcompay,dc=com
query_filter = (&(mail=%s) (objectClass=mailGroup))
special_result_attribute = member
result_attribute = maildrop
bind_dn = name of ldap account to do lookups
bind_pw = password for account to do ldap lookups

You can ignore the lines that start with tls if you are not using ssl encryption at this time.


Quote:
2) Do I need to enable PAM authentication for this, or will the above procedure work without PAM auth (using system-config-authentication)?

I don't use PAM authentication. I use standard LDAP queries. The search parameters are stored in the files above.


Quote:
3) Will the above procedure work for MBOX format also, as my server uses MBOX format (stores mails in /var/spool/mail)?

It should. AFAIK, a mailbox is just a storage area.

I will answer the other questions later.

Last edited by jamrock; 09-22-2010 at 07:27 AM.
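
The LDAP table files posted above each carry a bind_pw in cleartext, so their file mode and the transport to the directory server both matter. The check below is added here as an example and is not code from the thread: it flags a file with bind_pw that others can access, a bind over a connection without TLS, and TLS with tls_require_cert left at its default of no. Parameter names are those of ldap_table(5); the function names, finding codes and sample file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): review a Postfix LDAP table file for
# exposure of the bind password.

# Print the value of parameter $2 in file $1 (empty if unset).
param() {
    awk -F= -v k="$2" '{ n=$1; gsub(/[ \t]/, "", n) }
        n == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v=$0 }
        END { print v }' "$1"
}

# audit_ldap_table FILE: prints one finding code per line, nothing if clean.
audit_ldap_table() {
    host=$(param "$1" server_host)
    start_tls=$(param "$1" start_tls)
    require=$(param "$1" tls_require_cert)
    # TLS is in use only if every listed server is ldaps://, or start_tls=yes.
    tls=yes
    for h in $(echo "${host:-localhost}" | tr ',' ' '); do
        case $h in ldaps://*) ;; *) tls=no ;; esac
    done
    [ "$start_tls" = yes ] && tls=yes
    if [ -n "$(param "$1" bind_pw)" ]; then
        # The bind password sits in this file in cleartext: "other" must
        # have no permission bits on it.
        [ "$(ls -ln "$1" | cut -c8-10)" = "---" ] || echo WORLD_ACCESSIBLE
        # Without TLS the bind sends the password over the network unencrypted.
        [ "$tls" = yes ] || echo CLEARTEXT_BIND
    fi
    # tls_require_cert defaults to no: the server certificate is not checked.
    if [ "$tls" = yes ] && [ "$require" != yes ]; then
        echo CERT_NOT_VERIFIED
    fi
    return 0
}

# Demo on a constructed file modelled on the ones in the post above.
demo=$(mktemp)
printf '%s\n' 'server_host = ldaps://mail.testcompany.com:636' \
    'tls_ca_cert_file = /etc/postfix/ssl/cacert.pem' \
    'bind_pw = constructed-secret' > "$demo"
chmod 644 "$demo"
audit_ldap_table "$demo"
rm -f "$demo"
```

For the demo file this reports WORLD_ACCESSIBLE and CERT_NOT_VERIFIED; restricting the file to root and the postfix group and adding tls_require_cert = yes clears both.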
 
  

