Postfix Virtual Hosting With LDAP Backend With Dovecot As IMAP/POP3 Server On Ubuntu Hardy Heron 8.04 TLS - Page 4

Submitted by mbrams (Contact Author) (Forums) on Mon, 2008-07-28 17:54. ::

Step 5: Installing and configuring phamm:

Since we downloaded and extracted the phamm archive before, we can directly begin with the installation  and configuration of the phamm interface.

Note: I hacked into the phamm configuration and .php script files to accomplish the following:

  • Maildrop to to postmaster@example.tld rather than postmaster wich is a unix account
  • Maildrop for abuse to postmaster@example.tld rather than postmaster
  • %domain% for the welcome message to reflect postmaster@domain.tld rather than postmaster
  • cc for the welcome message to postmaster@example.tld to have an idea of the number of mailboxes created by the virtual mail domain admins. ==> defoult maps to postmaster so your unix account will get the mails or rather root.

The other hacks are just to define other defaults:

  • Setting smtp auth to default
  • Setting the quota number form mail
  • Setting the default home directory for ftp
  • setting the default quota for ftp

In any case I believe that these changes are an improvement rather than customisation so I will list them here before we go into the actual installation and configuration of phamm. For those who do not care about these features can skip the following until the actual phamm configuration and installation.

My hacks:

The hacks are done on the source, not the actual (see later installation).

First we will do the welcome message part.

cd /usr/src/phammphamm-0.5.12
vi config.inc.php

Change (starting line 94):

// Welcome message
define ('SEND_WELCOME',0);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'root@localhost';
$welcome_bcc = 'root@localhost';

To

// Welcome message
define ('SEND_WELCOME',1);
$welcome_msg = '../welcome_message.txt';
$welcome_subject = 'Welcome!';
$welcome_sender = 'postmaster@%domain%';
$welcome_bcc = 'postmaster@example.tld';

This will send the welcome email as from postmaster@domain.tld (domain.tld being the mail domain (virtual) and send a bcc to postmaster@example.tld where example.tld represents the technical domain.

Next we will set the defaults for email and domain creation:

vi plugins/mail.xml

Change (line 288):

$entry["maildrop"] = "postmaster";

To

$entry["mail"] = "postmaster@".$domain_new;

And also (line  307) from:

$entry_abuse["maildrop"] = "postmaster";

To

$entry_abuse["maildrop"] = "postmaster@".$domain_new;

OK these were my cuntom hacks, now let's go to the installation and configuration of phamm.

mkdir /yourwwwroot/phamm
cp -R * /yourwwwroot/pham/.
chown -R www-data:www-data /yourwwwroot/pham
cd /yourwwwroot/phamm
rm -R examples
rm -R doc
rm -R DTD
rm -R schema

This in order to remove files that are not needed in the www directory.

Now we will configure phamm for actual use.

vi config.inc.php

Change the ldap connection parameters to fit your actual configuration. 

// *============================*
// *=== LDAP Server Settings ===*
// *============================*

// The server address (IP or FQDN)
define ('LDAP_HOST_NAME','127.0.0.1');

// The protocol version [2,3]
define ('LDAP_PROTOCOL_VERSION','3');

// The server port
define ('LDAP_PORT','389');

// The container
define ('SUFFIX','dc=example,dc=tld');

// The admin bind dn (could be rootdn)
define ('BINDDN','cn=admin,dc=example,dc=tld');

// The Phamm container
define ('LDAP_BASE','o=hosting,dc=example,dc=tld');

Enable the fpt plugin (line  172) by removing the //

And on line 215 change  CRYPT to MD5. Most other software that use LDAP use MD5 hashing, so it is therefore a good thing to have phamm use MD5.

Since the transport maildrop: is hardcoded in phamm we need to change this in order to enable dovecot deliver.

vi plugins/mail.xml

Replace each entry with maildrop: with dovecot: (do no forget the semicolon). In ordinary situations, the commands in postfix's main.cf would do (that we added before), but ldap transport as used and implemented by phamm overrides this and implements maildrop.

This has to be done for line  62. This will substitute maildrop for dovecot deliver.

That's it for the configuration.

You can edit plugins/mail.xml to change the defaults for smtp and quota, modify them to your needs.

You can edit plugins/ftp.xml to change the defaults for default ftp (base) directory and quoata, modify them to your needs.

OK we're almost there.

Now execute the following commands:

/etc/init.d/postfix restart
/etc/init.d/dovecot restart

Next browse to http://yourdoamin.tld/phamm and log in with the account admin and your openldap password.

Add the email domain, next add a mailbox and you should be up and running.

Use the following command to see if there are any errors:

tail -f /var/log/mail.log

Hey we're up and runnung.

Well almost, one last thing to do if everything wotks is to add the acl for phamm to openldap in order for domain admins to administer their domains and users to change their passwords  and/or vacation, forwards.

vi /etc/ldap/slapd.conf

Comment the following entries:

# The admin dn has full write access, everyone else
# can read everything.
#access to *
#        by dn="cn=admin,dc=example,dc=tld" write
#        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=example,dc=tld" write
#        by dnattr=owner write

And add the following above (change if your configuration is different from the assumptions)

# acl specific for phamm

#  Copyright (c) 2005 Alessandro De Zorzi, Mirko Grava
#                  <phamm@rhx.it> http://phamm.rhx.it/
#
#  Permission is granted to copy, distribute and/or modify this document
#  under the terms of the GNU Free Documentation License, Version 1.2
#  or any later version published by the Free Software Foundation;
#  A copy of the license in DOCS.LICENSE file.

# First of all
# acl for pdns
access to dn.regex="^(.+,)?cn=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

access to dn.regex="^(.+,)?dc=([^,]+),ou=dns,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write

access to dn.exact="ou=dns,dc=example,dc=tld"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth
        by dn.exact="cn=dnsldap,ou=dns,dc=example,dc=tld" read

# now mail service
# account must edit his password, spam level, forward, vacation, his name
# postmaster with editAccounts=FALSE do the same thing for his domain
# postmaster with editAccounts=TRUE can add account/alias and edit also amavisBypassVirusChecks, quota and smtpAuth
# vadmin could do the same as postmaster with editAccounts=TRUE for some domains
access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassVirusChecks,quota,smtpAuth,accountActive
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=cn,sn,forwardActive,vacationActive,vacationInfo,vacationStart,vacationEnd,vacationForward,amavisSpamTagLevel,amavisSpamTag2Level,amavisSpamKillLevel
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex="^.*,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=editAccounts
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/editAccounts & [TRUE]" write
        by * none

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=objectClass,entry
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous read
        by set="user/editAccounts & [TRUE]" write
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=amavisBypassSpamChecks,accountActive,delete
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=FTPQuotaMBytes,FTPStatus,FTPQuotaFiles,uid,otherPath
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous read
        by self read
        by dn.exact,expand="cn=postmaster,vd=$1,o=hosting,dc=example,dc=tld" read
        by set="user/vd & [$1]" write

access to dn.regex=".+,vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=uidNumber,gidNumber,createMaildir,vdHome,mailbox,otherTransport
        by dn="cn=admin,dc=example,dc=tld" write
        by self read
        by set="user/vd & [$1]" read

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write

access to dn.regex="^(.+,)?vd=([^,]+),o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by set="user/editAccounts & [FALSE]" read
        by dn.exact,expand="cn=postmaster,vd=$2,o=hosting,dc=example,dc=tld" write
        by set="user/vd & [$2]" write

access to dn.regex=".+,o=hosting,dc=example,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

access to dn.regex=".+,dc=tld$"
        by dn="cn=admin,dc=example,dc=tld" write
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=userPassword
        by dn="cn=admin,dc=example,dc=tld" write
        by self write
        by anonymous auth

access to dn.regex=".+,ou=admin,dc=example,dc=tld$" attrs=vd
        by dn="cn=admin,dc=example,dc=tld" write
        by self read

Restart slapd and if you don't get errors the acl is implemented.

/etc/init.d/slapd restart

To thest the acl you can log in to phamm usein as uid/pmd the credentials for the virtual mail domain you created, eg: example.tld pwd

If you can log in and add/change/delete mail accounts the acl is ok.

up

Copyright © 2008 Miguel Brams
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s) |
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
In your PHAMM hack, you say
Submitted by Anonymous (not registered) on Fri, 2008-11-21 02:07.
In your PHAMM hack, you say to edit 'plugins/mail.xml'... WAY OFF... How about 'www-data/main.php'?
reply | view as pdf view as pdf