Mail server on Debian GNU/Linux Sarge
Webmail with Horde/IMP
Password/Forward/Vacation
- Give users the ability to change their password, configure email forwarding and set up a vacation message through the webmail interface. Unfortunately, there are no usable Debian packages for these modules.
- As these modules are tiny and not very intrusive, installing from the tar.gz is as easy as making a Debian package or a backport; in all cases the administrator has to take care of maintenance and updates himself, since no package will pull in security fixes for them.
- We are also going to modify the authldap.schema from the courier-imap packages, to make it aware of the mailforward attribute and of two more attributes for the vacation part. Be careful: LDAP schemas are standardized and every attribute and object class is identified by a globally unique OID, so do not do this lightly in your company's directory. The OIDs used below sit in Courier's private arc (1.3.6.1.4.1.10018), so a later upstream version of authldap.schema could assign them to something else; if you own an OID arc, use it instead. Note also that syntax 1.3.6.1.4.1.1466.115.121.1.26 is IA5String (ASCII only): slapd will refuse a vacation message containing accented characters with "invalid syntax" unless you give vacationInfo the Directory String syntax (1.3.6.1.4.1.1466.115.121.1.15) with caseIgnoreMatch/caseIgnoreSubstringsMatch instead.
- YOUR LDAP SERVER WILL NOT RESTART WITH DUPLICATE NAMES OR OIDs (usually clashing with qmail.schema or ispenv2.schema): check every schema file included from slapd.conf before restarting.
- Edit /etc/ldap/schema/authldap.schema and modify it this way (only the end of the file is shown) :
# ****************************************
# * MODIFY YOUR SCHEMA AT YOUR OWN RISK! *
# ****************************************
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
DESC 'Host to which incoming POP/IMAP connections should be proxied'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.10018.1.1.15 NAME 'mailforward'
DESC 'Mailbox - mail forward'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.10018.1.1.16 NAME 'vacationInfo'
DESC 'Mailbox - vacation message'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} )
attributetype ( 1.3.6.1.4.1.10018.1.1.17 NAME 'vacationActive'
DESC 'Mailbox - vacation active'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.10018.1.2.1 NAME 'CourierMailAccount' SUP top AUXILIARY
DESC 'Mail account object as used by the Courier mail server'
MUST ( mail $ homeDirectory )
MAY ( uidNumber $ gidNumber $ mailbox $ uid $ cn $ gecos $ description $ loginShell $
quota $ userPassword $ clearPassword $ defaultdelivery $ disableimap $
disablepop3 $ disablewebmail $ sharedgroup $ disableshared $ mailhost $
mailforward $ vacationInfo $ vacationActive) )
objectclass ( 1.3.6.1.4.1.10018.1.2.2 NAME 'CourierMailAlias' SUP top AUXILIARY
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop )
MAY ( mailsource $ description ) )
objectclass ( 1.3.6.1.4.1.10018.1.2.3 NAME 'CourierDomainAlias' SUP top AUXILIARY
DESC 'Domain mail aliasing/forwarding entry'
MUST ( virtualdomain $ virtualdomainuser )
MAY ( mailsource $ description ) )
- Index mailforward in /etc/ldap/slapd.conf. Note that the lookups configured on this page filter on mail (forwards.cf) and on maildrop and vacationActive (gnarwl); mailforward is only returned as a result, so make sure the attributes actually used in filters have an "eq" index as well :
index mailforward eq
- Stop OpenLDAP, run slapindex and start it again (slapindex must not be run against a database that slapd has open; if slapd runs as a dedicated user, the rebuilt index files under /var/lib/ldap must stay owned by that user) :
/etc/init.d/slapd stop
slapindex
/etc/init.d/slapd start
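Because slapd refuses to start on a duplicate NAME or OID, it pays to check all the schema files included from slapd.conf before restarting. The script below is an added example (it is not part of this page nor of OpenLDAP) that parses attributetype/objectclass definitions and reports collisions. The sample input is an abridged, constructed copy of the modified authldap.schema tail above plus a constructed second schema, "other.schema", standing in for a qmail.schema-style file that redefines mailForward under another OID and reuses a Courier object class OID.

```python
"""Find duplicate NAMEs / OIDs across OpenLDAP schema files (added example)."""
import re
import sys
from collections import defaultdict

# Head of a definition: keyword, "(", OID, then NAME 'x' or NAME ( 'x' 'y' ).
_DEF_RE = re.compile(
    r"^(attributetype|objectclass)\s*\(\s*([0-9.]+)\s+NAME\s+"
    r"(\(\s*(?:'[^']*'\s*)+\)|'[^']*')",
    re.IGNORECASE | re.MULTILINE,
)


def strip_comments(text):
    """Drop '#' comments so commented-out definitions are not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_schema(text, source):
    """Return [(kind, oid, [names], source)] for every definition in text."""
    defs = []
    for m in _DEF_RE.finditer(strip_comments(text)):
        names = re.findall(r"'([^']*)'", m.group(3))
        defs.append((m.group(1).lower(), m.group(2), names, source))
    return defs


def find_duplicates(defs):
    """Return {"oid": {oid: [where]}, "name": {"<kind> <name>": [where]}}.

    OIDs are global; names are compared case-insensitively and per kind,
    since attribute types and object classes are separate namespaces."""
    by_oid, by_name = defaultdict(list), defaultdict(list)
    for kind, oid, names, source in defs:
        by_oid[oid].append("%s (%s %s)" % (source, kind, names[0]))
        for n in names:
            by_name[(kind, n.lower())].append("%s (%s)" % (source, oid))
    return {
        "oid": {k: v for k, v in by_oid.items() if len(v) > 1},
        "name": {"%s %s" % k: v for k, v in by_name.items() if len(v) > 1},
    }


def check_schema_files(paths):
    """Run the check over real files, e.g. every 'include' from slapd.conf."""
    defs = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            defs += parse_schema(fh.read(), p)
    return find_duplicates(defs)


# Constructed sample 1: abridged tail of the authldap.schema modified above.
AUTHLDAP_TAIL = """
# * MODIFY YOUR SCHEMA AT YOUR OWN RISK! *
attributetype ( 1.3.6.1.4.1.10018.1.1.14 NAME 'mailhost'
        DESC 'Host to which incoming POP/IMAP connections should be proxied'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.10018.1.1.15 NAME 'mailforward'
        DESC 'Mailbox - mail forward'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.10018.1.1.17 NAME 'vacationActive'
        DESC 'Mailbox - vacation active'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.10018.1.2.1 NAME 'CourierMailAccount' SUP top AUXILIARY
        DESC 'Mail account object as used by the Courier mail server'
        MUST ( mail $ homeDirectory )
        MAY ( mailforward $ vacationActive ) )
"""

# Constructed sample 2: a second schema (not a real file) that clashes twice:
# same attribute name in another case under a new OID, and a Courier OID reused.
OTHER_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'mailForward'
        DESC 'forwarding address'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.10018.1.2.1 NAME ( 'otherAccount' 'legacyAccount' )
        SUP top AUXILIARY MAY ( mailForward ) )
"""


def demo():
    """Collisions between the two constructed samples."""
    defs = parse_schema(AUTHLDAP_TAIL, "authldap.schema")
    defs += parse_schema(OTHER_SCHEMA, "other.schema")
    return find_duplicates(defs)


if __name__ == "__main__":
    result = check_schema_files(sys.argv[1:]) if len(sys.argv) > 1 else demo()
    for what, hits in result.items():
        for key, places in hits.items():
            print("duplicate %s %s: %s" % (what, key, ", ".join(places)))
    sys.exit(1 if any(result.values()) else 0)
```

Run it with the paths of every schema file included from slapd.conf as arguments; without arguments it runs the constructed demo. It exits non-zero on any collision, so it can sit in front of the slapd restart in a deployment script.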
Password
- Download the passwd module (change the date to today) :
wget http://ftp.horde.org/pub/snaps/latest/passwd-HEAD-year-month-day.tar.gz
- We need php4-mhash for password hashing :
apt-get install php4-mhash
- Reload Apache2 :
/etc/init.d/apache2 reload
- Uncompress it in /usr/share/horde3 :
tar zxvf passwd-HEAD-year-month-day.tar.gz -C /usr/share/horde3
- Give the config directory to www-data; Horde's web-based configuration generator needs write access there to create conf.php (the same applies to the forwards and vacation modules below). Once the configuration has been generated, hand the directory back to root, readable by the www-data group but no longer writable by it, so that a compromised PHP application cannot rewrite the backend definition :
chown -R www-data:www-data /usr/share/horde3/passwd/config
- Generate passwd conf file in the administration tab of Horde.
- Create a new file /usr/share/horde3/passwd/config/backends.php with this content (it is a PHP file, so it must start with the <?php tag; admindn/adminpw are left empty on purpose, the driver then binds as the user himself, which is what the "by self write" ACL below expects) :
<?php
$backends['ldapadmin'] = array(
    'name' => 'localhost',
    'preferred' => 'localhost',
    'password policy' => array(
        'minLength' => 6,
        'maxLength' => 30
    ),
    'driver' => 'ldap',
    'params' => array(
        'host' => 'localhost',
        'port' => 389,
        'basedn' => 'ou=people,dc=domain,dc=ch',
        // empty: bind as the user with his current password, no admin credentials on disk
        'admindn' => '',
        'adminpw' => '',
        'uid' => 'uid',
        'attribute' => 'userPassword',
        // this will be appended to the username when looking for the userdn.
        //'realm' => '',
        // 'sha' stores an unsalted {SHA} hash; 'ssha' (salted) is preferable if your snapshot supports it
        'encryption' => 'sha',
        // plain LDAP is acceptable only because the server is on localhost; with a
        // remote server set 'tls' => true and make sure the host == cn in the server certificate
        'tls' => false,
        'sslhost' => false
    )
);
- For this to work, slapd.conf must let a user change his own password with an ACL like the following (the default Debian install already ships one). "by anonymous auth" lets the user bind with his current password and "by self write" lets him replace it; nobody else needs to read the hashes, so do not grant "read" on userPassword (as done here for cn=adminro) unless something actually relies on it. The rule must come before any catch-all "access to *" rule, since slapd uses the first "access to" clause that matches :
access to attrs=userPassword
    by dn="cn=admin,dc=domain,dc=ch" write
    by dn="cn=adminro,dc=domain,dc=ch" read
    by anonymous auth
    by self write
    by * none
- Edit /etc/horde/horde3/registry.php and activate the "passwd" application :
'status' => 'active'
- Test it in the web interface.
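What ends up in userPassword is an RFC 2307-style value such as {SHA}base64(sha1(password)). The following Python is an added example (not part of this page nor of Horde) that builds and verifies such values the way slapd does on a simple bind, and applies the 6 to 30 character policy from the backends.php above. It shows the price of 'encryption' => 'sha': two accounts with the same password get the identical hash, which the salted {SSHA} form avoids. The sample passwords are constructed.

```python
"""Build/verify RFC 2307 userPassword values ({SHA}, {SSHA}); added example."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes; in {SSHA} the salt is whatever follows the digest


def make_userpassword(password, scheme="SSHA", salt=None):
    """Return the value slapd stores for the given scheme.

    {SHA}  = base64(sha1(pw))               -> 'encryption' => 'sha'  (unsalted)
    {SSHA} = base64(sha1(pw + salt) + salt) -> 'encryption' => 'ssha' (salted)
    """
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme.upper() == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError("unsupported scheme: %s" % scheme)


def verify_userpassword(stored, candidate):
    """Check a candidate against a stored {SHA}/{SSHA} value (what a simple
    bind does). Unknown schemes and malformed values are rejected, never
    guessed, and digests are compared in constant time."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError
        return False
    pw = candidate.encode("utf-8")
    scheme = scheme.upper()
    if scheme == "SHA" and len(raw) == SHA1_LEN:
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA" and len(raw) > SHA1_LEN:
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


def policy_violations(password, min_length=6, max_length=30):
    """Mirror the 'password policy' block of backends.php (lengths only)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if len(password) > max_length:
        problems.append("longer than %d characters" % max_length)
    return problems


def demo():
    """Two accounts with the same (constructed) password: {SHA} reveals
    that fact to anyone who can read both hashes, {SSHA} does not."""
    sha_a = make_userpassword("secret", "SHA")
    sha_b = make_userpassword("secret", "SHA")
    ssha_a = make_userpassword("secret", "SSHA")
    ssha_b = make_userpassword("secret", "SSHA")
    return {
        "sha_identical": sha_a == sha_b,
        "ssha_identical": ssha_a == ssha_b,
        "ssha_verifies": verify_userpassword(ssha_a, "secret"),
        "wrong_password": verify_userpassword(ssha_a, "Secret"),
    }


if __name__ == "__main__":
    print(make_userpassword("secret", "SHA"))   # {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
    print(make_userpassword("secret", "SSHA"))  # differs on every run
    print(demo())
```

After a password change in the web interface, the value ldapsearch shows for userPassword (as cn=admin) should verify with verify_userpassword() and start with the scheme you configured; if it starts with {SHA}, every user sharing a password shares the hash, which is the argument for 'ssha'.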
Forward
- This module lets a user redirect his mail to another address, for example during holidays. The destination address is stored in the LDAP directory (mailforward attribute) and is modified by the user himself through the Horde interface.
- Download the forwards module (change the date to today) :
wget http://ftp.horde.org/pub/snaps/latest/forwards-HEAD-year-month-day.tar.gz
- Uncompress it in /usr/share/horde3 :
tar zxvf forwards-HEAD-year-month-day.tar.gz -C /usr/share/horde3
- Change owners of config directory :
chown -R www-data.www-data /usr/share/horde3/forwards/config
- Generate forwards conf file in the administration tab of Horde :
- Select “Exim mailer based LDAP driver” as a driver.
- “Hostname where the LDAP server is running on” : localhost
- “Port that the LDAP server is using” : 389
- “LDAP version” : 3
- “Basedn” : ou=people,dc=domain,dc=ch
- “Userdn” : (leave empty)
- “Realm” : (leave empty)
- “The attribute that is searched for the user ID” : uid
- “The attribute that defines where the mail should go” : mailforward
- Uncheck “Setting this option will allow a user the choice of keeping a local copy of forwarded mail.”
- Uncheck “Setting this option will force the user to provide a password.”
- Generate the configuration.
- Edit /etc/horde/horde3/registry.php and activate the “forwards” application (that is the name of the registry entry) :
'status' => 'active'
- Create an ACL that lets the user modify this LDAP attribute. Here we simply add “mailforward” to the existing Horde/IMP ACL (it must come before any catch-all “access to *” rule, since slapd uses the first “access to” clause that matches the attribute) :
access to attrs=hordePrefs,impPrefs,mailforward
    by self write
    by * read
- Note that “by * read” includes anonymous binds; the Postfix lookup below relies on it, since forwards.cf uses “bind = no”. If anonymous clients should not be able to read these attributes, use “by users read” here and give Postfix a bind_dn/bind_pw in forwards.cf.
- Restart OpenLDAP :
/etc/init.d/slapd restart
- Now we have to tell postfix how to handle this.
- Create a file /etc/postfix/ldap/forwards.cf with this content :
version = 3
bind = no
scope = sub
server_host = ldap://127.0.0.1
search_base = dc=domain,dc=ch
query_filter = (mail=%s)
result_attribute = mailforward
- Add this line to /etc/postfix/main.cf. The order is important: Postfix searches the virtual_alias_maps tables in the order given and stops at the first table that returns a result, so forwards.cf must come first for a mailforward value to take precedence over the regular maildrop aliases (conversely, a user with a forward set is never looked up in maildrop_aliases.cf at all) :
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/forwards.cf, proxy:ldap:/etc/postfix/ldap/maildrop_aliases.cf
- Reload Postfix :
/etc/init.d/postfix reload
Vacation
- This module gives users the ability to set a vacation message :
- Download the vacation module (change the date to today), install the vacation package and uncompress the module in /usr/share/horde3 :
wget http://ftp.horde.org/pub/snaps/latest/vacation-HEAD-year-month-day.tar.gz
apt-get install vacation
tar zxvf vacation-HEAD-year-month-day.tar.gz -C /usr/share/horde3
- Change owners of config directory :
chown -R www-data.www-data /usr/share/horde3/vacation/config
- Generate vacation conf file in the administration tab of Horde :
- Modify path of vacation binary : /usr/bin/vacation
- Uncheck “Does your vacation setup support configurable email senders (From: headers)?”
- Select “LDAP driver” as a driver.
- “Hostname where the LDAP server is running on” : localhost
- “Port that the LDAP server is using " : 389
- “LDAP Protocol Version” : LDAPv3
- “Basedn” : dc=domain,dc=ch
- “Userdn” : (leave empty)
- “The attribute to search for. If it exists it defines the vacation message” : vacationInfo
- “The attribute which contains the vacation status” : vacationActive
- “The value of the status attribute if the vacation is enabled” : Y
- “The value of the status attribute if the vacation is disabled” : N
- “The name of the attribute which acts as the RDN for the ldap entry” : uid
- “Should we log the user automatically in with the username and password he uses to login to Horde?” : Yes but with the domain stripped from the username
- Uncheck “Give the user the ability to change which aliases to use?”
- “Method to retrieve aliases” : none
- Generate vacation configuration.
- Edit /etc/horde/horde3/registry.php and activate the “vacation” application :
'status' => 'active'
- Install gnarwl, which adds vacation support to Postfix :
- Note: “ed” has been removed earlier, but it is a dependency of “gnarwl” that is not installed automatically (see bug #375490).
apt-get install gnarwl ed
- Answer the debconf questions as follows :
- LDAP server : localhost
- base of the LDAP server : ou=people,dc=domain,dc=ch
- Configure gnarwl through /etc/gnarwl.cfg. Only the parameters that differ from the original configuration file are shown; “$recepient” is gnarwl's own spelling of the variable, keep it as is :
...
# map_field $begin vacationStart
# map_field $end vacationEnd
# map_field $deputy vacationForward
base ou=people,dc=domain,dc=ch
queryfilter (&(maildrop=$recepient)(vacationActive=Y))
mta /usr/sbin/sendmail $recepient $sender
...
- Modify /var/lib/gnarwl/header.txt :
- (remove the “Subject:” line, as the subject is stored in LDAP).
- Make sure there is no empty line at the end of the file: a blank line ends the header block, and anything gnarwl appends after it would land in the body.
From: $fullname <$recepient>
To: $sender
X-mailer: GNARWL
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 8bit
- Add a new user “gnarwl” (uid 1002 and the vmail group are specific to this setup; pick a free uid and the group your mail storage uses) :
useradd -c "Vacation user" -d /var/lib/gnarwl/ -g vmail -s /bin/false -u 1002 gnarwl
- Change the owner of the gnarwl files and directories (if you ever put an LDAP bind password in gnarwl.cfg, also make the file readable by gnarwl only) :
chown gnarwl /etc/gnarwl.cfg
chown -R gnarwl /var/lib/gnarwl
- Add this service to /etc/postfix/master.cf (the second line must start with whitespace, otherwise Postfix reads it as a new service) :
gnarwl    unix  -       n       n       -       -       pipe
  flags=F user=gnarwl argv=/usr/bin/gnarwl -s $sender -a $recipient
- Add this line in /etc/postfix/transports (this assumes main.cf already points transport_maps at hash:/etc/postfix/transports) :
autoreply.domain.ch gnarwl:
- Rehash the transports table :
postmap /etc/postfix/transports
- Reload Postfix :
/etc/init.d/postfix reload
- Add an autoreply maildrop to every user who may use the vacation feature, here user ‘csahut’ :
- Create a file add_autoreply_csahut.ldif with this content :
dn: uid=csahut,ou=people,dc=domain,dc=ch
changetype: modify
add: maildrop
maildrop: csahut@autoreply.domain.ch
- Add this ldif to LDAP :
ldapmodify -x -f add_autoreply_csahut.ldif -D "cn=admin,dc=domain,dc=ch" -W
- Create an ACL that lets the user change the vacation LDAP attributes :
- We just extend the Horde/IMP ACL from the Forward section (gnarwl, which binds anonymously unless you set login/password in gnarwl.cfg, needs the “read” part to see vacationActive and vacationInfo) :
access to attrs=hordePrefs,impPrefs,mailforward,vacationActive,vacationInfo
by self write
by * read
- Restart OpenLDAP :
/etc/init.d/slapd restart
- Now every message for the user is also delivered to ‘user’@autoreply.domain.ch through the second maildrop value. The transports table and Postfix's master.cf hand that copy to gnarwl, which sends an autoreply if vacationActive is set to Y and stays silent otherwise.
- gnarwl remembers every sender it has answered for 48h and does not reply to him again during that time, so a correspondent does not get one “out of office” message per email. If you want to test repeatedly, make sure there is no file “csahut@autoreply.domain.ch” in /var/lib/gnarwl.
- Test : enable the vacation feature in the web interface, then send an email to the user from another address.
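To see why the table order in virtual_alias_maps matters, and how the autoreply maildrop and a forward interact, here is a small model of Postfix's expansion rules (tables searched in order, first table with a result wins, results expanded recursively) written as an added example; it is not Postfix code and only models the two LDAP tables from this page. The directory contents are constructed: csahut has the autoreply maildrop added above and no forward, bob has both a forward and an autoreply maildrop. That the first maildrop value is the user's own mailbox address is an assumption about maildrop_aliases.cf, which this page does not show.

```python
"""Model of Postfix virtual_alias_maps expansion for the two LDAP tables on this
page (added example; not Postfix code)."""

# Constructed directory: what (mail=%s) would return for each attribute.
# Assumption: the first maildrop value is the user's own mailbox address.
DIRECTORY = {
    "csahut@domain.ch": {
        "mailforward": [],
        "maildrop": ["csahut@domain.ch", "csahut@autoreply.domain.ch"],
    },
    "bob@domain.ch": {
        "mailforward": ["bob@example.org"],
        "maildrop": ["bob@domain.ch", "bob@autoreply.domain.ch"],
    },
}


def ldap_table(result_attribute):
    """Equivalent of an ldap: table with query_filter=(mail=%s) and the given
    result_attribute: returns the values, or None when the lookup has no match."""
    def lookup(address):
        entry = DIRECTORY.get(address.lower())
        values = entry[result_attribute] if entry else []
        return values or None
    return lookup


FORWARDS_CF = ldap_table("mailforward")           # /etc/postfix/ldap/forwards.cf
MAILDROP_ALIASES_CF = ldap_table("maildrop")       # /etc/postfix/ldap/maildrop_aliases.cf
PAGE_ORDER = [FORWARDS_CF, MAILDROP_ALIASES_CF]    # order used in main.cf above
REVERSED_ORDER = [MAILDROP_ALIASES_CF, FORWARDS_CF]

# /etc/postfix/transports as above; everything else uses the default transport.
TRANSPORTS = {"autoreply.domain.ch": "gnarwl"}


def transport_for(address, default="virtual"):
    """Transport chosen by domain, as the transports table does."""
    domain = address.rsplit("@", 1)[-1].lower()
    return TRANSPORTS.get(domain, default)


def resolve(address, tables, max_depth=10):
    """Expand address through the ordered tables the way virtual(5) does:
    the first table with a result wins, each result is expanded again, an
    address that maps to itself is final, and a loop (a -> b -> a) or
    excessive nesting raises instead of running forever."""
    final = set()

    def expand(addr, depth, seen):
        if depth > max_depth:
            raise RuntimeError("excessive virtual alias nesting at %s" % addr)
        results = next((r for r in (t(addr) for t in tables) if r), None)
        if results is None:
            final.add(addr)
            return
        for r in results:
            if r.lower() == addr.lower():
                final.add(addr)  # self-reference: deliver as-is
            elif r.lower() in seen:
                raise RuntimeError("virtual alias loop at %s" % r)
            else:
                expand(r, depth + 1, seen | {addr.lower()})

    expand(address, 0, frozenset())
    return final


def has_loop(address, tables):
    """True when expansion never terminates (Postfix would bounce such mail)."""
    try:
        resolve(address, tables)
        return False
    except RuntimeError:
        return True


def deliveries(address, tables):
    """Final recipients with the transport each one goes through."""
    return {rcpt: transport_for(rcpt) for rcpt in resolve(address, tables)}


if __name__ == "__main__":
    for user in DIRECTORY:
        print(user, "page order     ->", deliveries(user, PAGE_ORDER))
        print(user, "reversed order ->", deliveries(user, REVERSED_ORDER))
```

With the page's order, an active forward short-circuits the maildrop table, so a user who has both a forward and vacation enabled gets neither a local copy nor an autoreply; that is a consequence of first-match, not a defect of the modules, and worth telling users. On the real server, check a single lookup with postmap -q user@domain.ch against ldap:/etc/postfix/ldap/forwards.cf before trusting the chain end to end.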