How to configure “Postfix + Dovecot with AD” in CentOS 7 (LDAP authentication)

Since I needed to send and receive mail in a test environment, I built a mail server with AD integration using Postfix + Dovecot.

When I investigated how to configure it, most of the information was for the old CentOS 5 or 6, so this time I summarized the configuration procedure for CentOS 7.

In this setup, sending and receiving mail are both handled on a single CentOS 7 server.
The e-mail address is taken from the mail attribute set on the Active Directory user, looked up via LDAP.

Overview of this configuration

  • Configure a mail server (Postfix + Dovecot) on CentOS 7 and confirm that mail can be sent and received.
  • Mail for the specified domain (@syachiku.com) is received locally. It is not forwarded to other mail servers.
  • Set up AD linkage in Postfix so that mail is delivered according to the e-mail address set in the AD user's mail attribute.
  • Set up AD linkage in Dovecot so that only users who pass AD authentication can receive mail.
  • The CentOS 7 mail server does not need to join the domain because LDAP authentication is used (joining the domain is required for NTLM authentication).
  • No authentication is performed when sending mail, and SSL is not used. The normal port 25 is used.

Environment

  • Mail Server (192.168.10.23)
    • CentOS Linux release 7.5.1804 (Core)
    • postfix-2.10.1-6.el7.x86_64
    • dovecot-2.2.36-3.el7_7.1.x86_64
    • Mail domain to receive: syachiku.com (e.g. xxxxx@syachiku.com)
  • Domain Controller (192.168.10.21)
    • Windows Server 2016
    • Domain Name: syachiku.local
    • BaseOU: OU=SyachikuUser,DC=syachiku,DC=local
      • -> OU where the user objects are stored
    • BindUser: CN=super,CN=Users,DC=syachiku,DC=local
    • BindPasswd: P@ssw0rd
      • -> User used to look up LDAP information
    • Registered User / E-mail Address / Password
      • user001 / user001@syachiku.com / P@ssw0rd
      • user002 / user002@syachiku.com / P@ssw0rd
      • user003 / user003@syachiku.com / P@ssw0rd
  • Other
    • Firewall / SELinux disabled on both servers

System Diagram

I tried drawing a block diagram in PlantUML.

The sending flow is blue and the receiving flow is red: mail is delivered to the mailbox by Postfix and retrieved with Dovecot.

Required package installation

telnet is installed for checking the server by hand.
openldap-clients provides the ldapsearch command used for debugging.

[root@mail ~]# yum install postfix dovecot telnet openldap-clients

Postfix configuration

I will skip a detailed explanation and paste the full contents of the configuration files that are actually in operation.

Correct values such as the domain name and BaseOU to match your environment.

/etc/postfix/main.cf

Change points

  • Change "mydomain" to your own receiving domain name
  • Change "mynetworks" to your own network
  • Change "home_mailbox" to "Maildir/"
  • Copy and paste the section from "virtual_transport = virtual" onward. It specifies the configuration files used for the LDAP lookups.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = mail.syachiku.local
mydomain = syachiku.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = all
mydestination = 
unknown_local_recipient_reject_code = 550
mynetworks = 192.168.10.0/24, 127.0.0.0/8
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

virtual_transport = virtual
virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /var/spool/virtual
virtual_alias_maps = ldap:/etc/postfix/ldap-alias.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-mailbox.cf
virtual_uid_maps = static:10000
virtual_gid_maps = static:10000
local_recipient_maps = proxy:unix:passwd.byname $alias_maps $virtual_mailbox_maps

/etc/postfix/ldap-alias.cf

This is the lookup configuration file Postfix uses for its LDAP queries during delivery. Set it according to the environment of your domain controller.

On other sites, query_filter is often "mail=%s", but that is an example for OpenLDAP on Linux. With AD, the filter is basically "samAccountName=%s".

server_host = 192.168.10.21
search_base = OU=SyachikuUser,DC=syachiku,DC=local
bind = yes
bind_dn = CN=super,CN=Users,DC=syachiku,DC=local
bind_pw = P@ssw0rd
scope = one
query_filter = (samAccountName=%s)
result_attribute = mail

/etc/postfix/ldap-mailbox.cf 

server_host = 192.168.10.21
search_base = OU=SyachikuUser,DC=syachiku,DC=local
bind = yes
bind_dn = CN=super,CN=Users,DC=syachiku,DC=local
bind_pw = P@ssw0rd
scope = one
query_filter = (samAccountName=%s)
result_attribute = mail
result_format = %u/Maildir/

Create the directory "/var/spool/virtual" and restart the Postfix service

Create the directory (/var/spool/virtual) used for mail delivery in advance, and set its owner to UID/GID 10000 (the virtual_uid_maps / virtual_gid_maps values).

[root@mail postfix]# mkdir -p /var/spool/virtual
[root@mail postfix]# chown 10000.10000 /var/spool/virtual/

[root@mail postfix]# systemctl restart postfix.service

Confirm the Postfix LDAP connection

Check that the Postfix settings are correct with the postalias command. If the e-mail address and the directory name are returned, the LDAP connection is working.

[root@mail postfix]# postalias -q user001 ldap:/etc/postfix/ldap-alias.cf
user001@syachiku.com
[root@mail postfix]# postalias -q user001 ldap:/etc/postfix/ldap-mailbox.cf 
user001/Maildir/
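To make clear what Postfix does with the two ldap-*.cf tables above and what the postalias checks exercise, here is an added Python example (not from the original article) that emulates an ldap_table(5) lookup offline: it parses the key = value settings, expands %s/%u/%d with the RFC 4515 quoting Postfix applies, and matches against a constructed in-memory copy of the AD users. FAKE_AD, parse_cf, escape_filter, expand and ldap_lookup are names I chose; server_host and the bind settings are not emulated.

```python
import re
# Constructed stand-in for the AD users; attribute names are case-insensitive in AD.
FAKE_AD = [
    {"sAMAccountName": "user001", "mail": "user001@syachiku.com"},
    {"sAMAccountName": "user002", "mail": "user002@syachiku.com"},
]

# The lookup settings of this page's two tables (host/bind settings omitted).
LDAP_ALIAS_CF = "query_filter = (samAccountName=%s)\nresult_attribute = mail\n"
LDAP_MAILBOX_CF = LDAP_ALIAS_CF + "result_format = %u/Maildir/\n"

def parse_cf(text):
    """Parse Postfix 'key = value' lines into a dict; blank and '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def escape_filter(value):
    """RFC 4515 quoting that Postfix applies to a key before it enters query_filter."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def expand(template, key, in_filter):
    """Expand %s, %u, %d per ldap_table(5): %s is the whole key, %u the local part of
    user@domain (else the whole key), %d the domain part (suppresses the lookup if absent)."""
    local, at, domain = key.partition("@")
    if "%d" in template and not at:
        return None
    esc = escape_filter if in_filter else (lambda v: v)
    return (template.replace("%s", esc(key))
                    .replace("%u", esc(local if at else key))
                    .replace("%d", esc(domain)))

def ldap_lookup(conf, key, directory=FAKE_AD):
    """Emulate one lookup: expand the filter, match a simple equality filter, format the hit."""
    flt = expand(conf["query_filter"], key, in_filter=True)
    match = flt and re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if not match:
        return None  # no lookup or an unsupported filter shape: "not found"
    attr, wanted = match.group(1).lower(), match.group(2)
    hits = []
    for entry in directory:
        values = {k.lower(): v for k, v in entry.items()}
        if values.get(attr) == wanted:
            hits.append(expand(conf.get("result_format", "%s"),
                               values[conf["result_attribute"].lower()], in_filter=False))
    return ", ".join(hits) if hits else None
```

Because the key is quoted before it is placed in the filter, characters such as "*" or "(" in a recipient address cannot change the shape of the LDAP query.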

Confirm that e-mail is delivered

After confirming the LDAP connection, actually send an e-mail and confirm that it is delivered to the mailbox.

[root@mail postfix]# mailx user001@syachiku.com
Subject: Test01
Hello, User001
.
EOT

Alternatively, you can check with telnet.

[root@mail postfix]# telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.syachiku.local ESMTP Postfix
HELO test
250 mail.syachiku.local
MAIL FROM:test@local
250 2.1.0 Ok
RCPT TO: user001@syachiku.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
.
250 2.0.0 Ok: queued as A360C412FB52

Confirm that the e-mail has been delivered under "/var/spool/virtual/<User Name>/".

[root@mail ~]# ll /var/spool/virtual/user001/Maildir/new/
-rw------- 1 10000 10000 539  2月  5 21:28 1580905696.Vfd00I412fb64M983617.mail.syachiku.local

Up to this point we have confirmed that Postfix delivers mail. Next, Dovecot is configured so that mail can be retrieved via POP or IMAP.

Dovecot configuration

On the Dovecot side, recent versions split the configuration into many small files, so there are many places to modify. The configuration files are below.

/etc/dovecot/dovecot.conf

# For debugging
auth_verbose = yes
auth_debug = yes

protocols = imap pop3
listen = *
dict {
  #quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
  #expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
!include conf.d/*.conf
!include_try local.conf

/etc/dovecot/conf.d/10-auth.conf

disable_plaintext_auth = no
auth_mechanisms = plain
!include auth-system.conf.ext
!include auth-ldap.conf.ext

/etc/dovecot/conf.d/10-ssl.conf

ssl = no
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

/etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:~/Maildir
namespace inbox {
  inbox = yes
}
first_valid_uid = 1000
protocol !indexer-worker {
}
mbox_write_locks = fcntl

/etc/dovecot/conf.d/auth-ldap.conf.ext

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  default_fields = home=/var/spool/virtual/%u
}

userdb {
  driver = static
  args = uid=10000 gid=10000 home=/var/spool/virtual/%u
}

/etc/dovecot/dovecot-ldap.conf.ext

hosts = 192.168.10.21
base = OU=SyachikuUser,DC=syachiku,DC=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = syachiku\%u
user_filter = (samAccountName=%u)

Confirm IMAP

Restart the Dovecot service.

[root@mail var]# systemctl restart dovecot

Check the IMAP login with telnet.

[root@mail var]# telnet localhost imap
. login user001 P@ssw0rd
. OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY SPECIAL-USE] Logged in

If you can log in via IMAP, you have succeeded. Also confirm that mail can be received with a mail client on a PC.

Troubleshooting

Error 1: "Permission denied" is displayed (Postfix delivery)

Feb  5 08:13:25 localhost postfix/virtual[12648]: warning: maildir access problem for UID/GID=10000/10000: create maildir file /var/spool/virtual//user001/Maildir/tmp/1580858005.P12648.mail.syachiku.local: Permission denied
Feb  5 08:13:25 localhost postfix/virtual[12648]: warning: perhaps you need to create the maildirs in advance
Feb  5 08:13:25 localhost postfix/virtual[12648]: 4B2264191C2A: to=<user001@syachiku.com>, relay=virtual, delay=0.66, delays=0.44/0.17/0/0.05, dsn=4.2.0, status=deferred (maildir delivery failed: create maildir file /var/spool/virtual//user001/Maildir/tmp/1580858005.P12648.mail.syachiku.local: Permission denied)

Possible causes

  • "/var/spool/virtual" does not exist or has incorrect permissions
  • SELinux is enabled
    • Check with the "getenforce" command. If it reports Enforcing, modify the following file and restart the server.
[root@mail postfix]# vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Error 2: "Permission denied" is displayed (Dovecot IMAP login)

Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: Loading modules from directory: /usr/lib64/dovecot/auth
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: Module loaded: /usr/lib64/dovecot/auth/libauthdb_ldap.so
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: pam(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): lookup service=dovecot
Feb  8 15:55:20 mail dovecot: auth-worker(12670): Debug: pam(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): #1/1 style=1 msg=Password:
Feb  8 15:55:22 mail dovecot: auth-worker(12670): pam(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): unknown user
Feb  8 15:55:22 mail dovecot: auth: Debug: client passdb out: OK#0111#011user=user001
Feb  8 15:55:22 mail dovecot: auth: Debug: master in: REQUEST#0112141323265#01112596#0111#0112cd55527286ce2593fb1eb5a83511fe1#011session_pid=12677#011request_auth_token
Feb  8 15:55:22 mail dovecot: auth-worker(12670): Debug: passwd(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): lookup
Feb  8 15:55:22 mail dovecot: auth-worker(12670): passwd(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): unknown user
Feb  8 15:55:22 mail dovecot: auth: Debug: ldap(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): user search: base=OU=SyachikuUser,DC=syachiku,DC=local scope=subtree filter=(samAccountName=user001) fields=homeDirectory,uidNumber,gidNumber
Feb  8 15:55:22 mail dovecot: auth: Error: ldap(user001,127.0.0.1,<oTNQ/QqeMtZ/AAAB>): ldap_search(base=OU=SyachikuUser,DC=syachiku,DC=local filter=(samAccountName=user001)) failed: Operations error
Feb  8 15:55:22 mail dovecot: auth: Debug: master userdb out: USER#0112141323265#011user001#011uid=10000#011gid=10000#011home=/var/spool/vitrual/user001#011auth_token=971dfd78c950106b29f9854834752a89b6f00c43
Feb  8 15:55:22 mail dovecot: imap-login: Login: user=<user001>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=12677, secured, session=<oTNQ/QqeMtZ/AAAB>
Feb  8 15:55:22 mail dovecot: imap(user001): Error: Namespace '': mkdir(/var/spool/vitrual/user001/Maildir) failed: Permission denied (euid=10000(<unknown>) egid=10000(<unknown>) missing +w perm: /var/spool, dir owned by 0:0 mode=0755)
Feb  8 15:55:22 mail dovecot: imap(user001): Namespace '': mkdir(/var/spool/vitrual/user001/Maildir) failed: Permission denied (euid=10000(<unknown>) egid=10000(<unknown>) missing +w perm: /var/spool, dir owned by 0:0 mode=0755) in=0 out=366

Possible causes
-> Insufficient permissions on "/var/spool". Add access rights.

[root@mail var]# chmod 777 /var/spool/

Note what the log above actually shows: the LDAP userdb lookup failed with "Operations error", so the static userdb entry was used, and its home directory came out as /var/spool/vitrual/user001, a mistyped path. That is why Dovecot tried to mkdir directly under /var/spool. With the static userdb home corrected to /var/spool/virtual/%u, Dovecot creates the Maildir inside the directory already owned by 10000:10000 and /var/spool can keep its default 0755 permissions.

ldapsearch command for debugging

You can use the ldapsearch command to check whether the LDAP parameters are correct.

Get all users
# ldapsearch -LLL -H ldap://192.168.10.21:389 -D CN=super,CN=Users,DC=syachiku,DC=local -w P@ssw0rd -x -b "OU=SyachikuUser,DC=syachiku,DC=local"
Get only user001
# ldapsearch -LLL -H ldap://192.168.10.21:389 -D CN=super,CN=Users,DC=syachiku,DC=local -w P@ssw0rd -x -b "OU=SyachikuUser,DC=syachiku,DC=local" "(samAccountName=user001)"
dn:: Q04944Om44O844K2MDAxLE9VPVN5YWNoaWt1VXNlcixEQz1zeWFjaGlrdSxEQz1sb2NhbA==
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn:: 44Om44O844K2MDAx
distinguishedName:: Q04944Om44O844K2MDAxLE9VPVN5YWNoaWt1VXNlcixEQz1zeWFjaGlrdS
 xEQz1sb2NhbA==
instanceType: 4
whenCreated: 20200203232955.0Z
whenChanged: 20200203232955.0Z
displayName:: 44Om44O844K2MDAx
uSNCreated: 32925
uSNChanged: 32929
name:: 44Om44O844K2MDAx
objectGUID:: PMBNHeGcUU2PL2N3MgGCNw==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 132252461958078713
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA6RhpJU6MIuDCikfkYAQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user001
sAMAccountType: 805306368
userPrincipalName: user001@syachiku.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=syachiku,DC=local
dSCorePropagationData: 16010101000000.0Z
mail: user001@syachiku.com

That is all.