
I'm trying to migrate our Linux system-user based mail system to virtual users.

I have

  • sendmail with procmail delivery
  • dovecot
  • system users with different uids
  • roundcube web interface

Sendmail handles all mail delivery to user mailboxes, dovecot handles POP3 and IMAP interaction with users, and everything is working like a charm.

Now we are starting to implement Active Directory globally, and I want to drop Linux system email users in favour of LDAP virtual users.

I enabled sendmail ldap_routing

define(`confLDAP_DEFAULT_SPEC', `-h "10.1.0.1" -b "ou=portal,dc=univ,dc=priv" -d "cn=portal admin,ou=portal,dc=univ,dc=priv" -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl

LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl

FEATURE(`ldap_routing', `null', `ldap -1 -T -v sAMAccountName -k (&(|(objectclass=user)(objectclass=group))(|(mail=%0)(proxyAddresses=smtp:%0)))',`passthru')dnl

I created a simple alias file for LDAP users via a Perl script. The file initially looked like this:

sAMAccountName1:    vmail
sAMAccountName2:    vmail
....
sAMAccountNameN:    vmail

I enabled dovecot-lda using this howto.

Unfortunately, with this configuration sendmail passes the real system user name ("vmail" in my case) as the -d argument, not the sAMAccountName of the virtual user.

After that I modified my alias file into something like this (inspired by this topic):

sAMAccountName1:    "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountName1"
sAMAccountName2:    "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountName2"
....
sAMAccountNameN:    "|/usr/libexec/dovecot/dovecot-lda -d sAMAccountNameN"

This solution fails because of a permissions problem I can't solve. Here are the log messages:

Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=8(mail), gid=12(mail), egid=12(mail): Operation not permitted (This binary should probably be called with process group set to 5000(vmail) instead of 12(mail))

The dovecot delivery agent is defined in sendmail.cf with U=vmail:vmail:

Mdovecot,      P=/usr/libexec/dovecot/dovecot-lda,
           F=l59DFMPhnu,
           S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
           M=51200000,
           U=vmail:vmail,
           T=DNS/RFC822/X-Unix,
           A=/usr/libexec/dovecot/dovecot-lda -d $u

dovecot-lda has the same owner and group:

-rwxr-x--- 1 vmail vmail 28512 Apr   5  2013 /usr/libexec/dovecot/dovecot-lda

If I use the system user mail instead of vmail, everything starts working fine. But this config seems less secure to me, and I want to use the user vmail with uid > 100 instead of the user mail.

So mail delivery fails. I'd appreciate any help solving this problem.
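The two alias styles in the question fail in mirror-image ways, and the Fatal line already says why. The checker below is an added example (not from the question, the answers, sendmail or dovecot): it parses the quoted Fatal line, the Mdovecot definition, the ls -l output and one alias line, and reports under which identity dovecot-lda ran, which sendmail mailer spawned it and what -d it received. The alias name jdoe is constructed. One assumption of this example is stated in the code: a `"|program"` right-hand side in /etc/aliases is delivered by sendmail's prog mailer, which runs as DefaultUser (8:12, i.e. mail:mail, matches the euid/egid in the log), so the U=vmail:vmail on Mdovecot never comes into play for such an alias.

```python
"""Explain a dovecot-lda setgid failure from the artifacts sendmail leaves behind.

Added example, not from the question or any answer. Inputs below are copied
from the question except the jdoe alias lines, which are constructed.
"""
import re

FATAL_LINE = (
    "Fatal: setgid(5000(vmail) from userdb lookup) failed with euid=8(mail), "
    "gid=12(mail), egid=12(mail): Operation not permitted (This binary should "
    "probably be called with process group set to 5000(vmail) instead of 12(mail))"
)

MAILER_DEF = """Mdovecot,      P=/usr/libexec/dovecot/dovecot-lda,
           F=l59DFMPhnu,
           S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
           M=51200000,
           U=vmail:vmail,
           T=DNS/RFC822/X-Unix,
           A=/usr/libexec/dovecot/dovecot-lda -d $u"""

LS_LINE = "-rwxr-x--- 1 vmail vmail 28512 Apr  5  2013 /usr/libexec/dovecot/dovecot-lda"

# Constructed: the two alias styles the question tries, for one virtual user.
ALIAS_SYSTEM_USER = "jdoe:    vmail"
ALIAS_PIPE = 'jdoe:    "|/usr/libexec/dovecot/dovecot-lda -d jdoe"'

_ID = r"(\d+)\((\w+)\)"          # matches 5000(vmail), 8(mail), ...


def parse_setgid_failure(line):
    """Wanted identity (from userdb) vs. the identity dovecot-lda actually had."""
    m = re.search(
        rf"setgid\({_ID} from userdb lookup\) failed with euid={_ID}, gid={_ID}, egid={_ID}",
        line,
    )
    if not m:
        raise ValueError("not a dovecot setgid failure line")
    g = m.groups()
    return {
        "wanted_gid": int(g[0]), "wanted_group": g[1],
        "euid": int(g[2]), "euser": g[3],
        "gid": int(g[4]), "group": g[5],
        "egid": int(g[6]), "egroup": g[7],
    }


def parse_mailer_user(mailer_def):
    """(user, group) from the mailer's U= field, or None when the field is absent."""
    m = re.search(r"\bU=([^\s,:]+):([^\s,]+)", mailer_def)
    return (m.group(1), m.group(2)) if m else None


def parse_ls_mode(ls_line):
    """Owner, group and whether the binary could change identity on its own."""
    mode, _links, owner, group = ls_line.split()[:4]
    return {
        "owner": owner, "group": group,
        "setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
    }


def alias_delivery(alias_line):
    """(mailer, value of -d) that an /etc/aliases line leads to.

    Assumption of this example: a '|program' right-hand side is handed to
    sendmail's prog mailer (run as DefaultUser), not to Mdovecot; a plain
    user name goes to the local mailer with that name as $u.
    """
    rhs = alias_line.split(":", 1)[1].strip().strip('"')
    if rhs.startswith("|"):
        m = re.search(r"\s-d\s+(\S+)", rhs)
        return ("prog", m.group(1) if m else None)
    return ("local", rhs)


def diagnose(fatal_line, mailer_def, ls_line, alias_line):
    """Summarise why the LDA could not become the userdb identity."""
    f = parse_setgid_failure(fatal_line)
    u = parse_mailer_user(mailer_def)
    b = parse_ls_mode(ls_line)
    mailer, lda_user = alias_delivery(alias_line)
    return {
        "ran_as": f"{f['euser']}:{f['egroup']}",
        "wanted_group": f["wanted_group"],
        # only root, or a setuid/setgid binary, can change gid at this point
        "can_switch": f["euid"] == 0 or b["setuid"] or b["setgid"],
        "mailer_used": mailer,
        "lda_user": lda_user,
        # Mdovecot's U= only matters if Mdovecot is the mailer that ran
        "mailer_u_applies": mailer != "prog" and u is not None and u[1] == f["wanted_group"],
    }


if __name__ == "__main__":
    for alias in (ALIAS_PIPE, ALIAS_SYSTEM_USER):
        print(alias, "->", alias_delivery(alias))
    print(diagnose(FATAL_LINE, MAILER_DEF, LS_LINE, ALIAS_PIPE))
```

For the pipe alias the output says: ran as mail:mail, wanted vmail, cannot switch (euid is not 0 and the binary is neither setuid nor setgid), Mdovecot's U= did not apply. For the plain `name: vmail` alias Mdovecot and its U= do apply, but $u becomes vmail, which is the first symptom in the question. Both answers below avoid both alias styles and make sendmail reach Mdovecot with the virtual name as $u.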

2 Answers

  1. Skip reading if you are not determined :-)

  2. Make vmail special to sendmail (no DNS lookups for destination)

    LOCAL_CONFIG
    CPvmail
    
  3. Use FEATURE(ldap_routing) to select mailHost not mailRoutingAddress

  4. Use FEATURE(mailertable) to select delivery method (mailer)

    mailertable

    vmail  dovecot:dummy
    
  5. Do not make dovecot the local mailer - FEATURE(local_procmail,...)

  6. In dovecot mailer definition use xSMTP rules not xL (local) rules

    http://wiki2.dovecot.org/LDA/Sendmail

AnFi
  • So step 2 helps to treat it like a host in mailertable. – AnFi Feb 24 '14 at 18:59
  • I have existing local users in the same domain. Delivery to local users fails if I use 'bounce' in ldap_routing. And sendmail doesn't return a "550 User Unknown" error if the recipient doesn't exist in LDAP or in the local database if I use 'passthru'. How can I solve this issue? – Ilya 'elcamlost' Rassadin Feb 24 '14 at 19:17
  • And one more issue: I don't store mailHost in Active Directory. Is it possible to return some static value from the LDAP query if the mail address was found? – Ilya 'elcamlost' Rassadin Feb 24 '14 at 19:29
  • 1) I suggested redirecting SOME users/addresses to another mailer (dovecot) so the standard local mailer would reject mails to non-existing users. 2) I can see no easy way, but you can use the returned "vmail" – AnFi Feb 24 '14 at 20:13
  • 2) I meant syntax. A simple LDAP query suggests -v 'some ldap param name' -k 'ldap_filter'. How can I write a query which returns a simple predefined string, not the value of the LDAP param specified with -v? – Ilya 'elcamlost' Rassadin Feb 25 '14 at 08:47
  • 1) If I use the mailertable definition, it will redirect all mail to dovecot without checking virtusertable or the alias file, so knowing whether a user exists becomes the mailer's problem, not sendmail's. It's different from what I used before and I wanted to keep it (( – Ilya 'elcamlost' Rassadin Feb 25 '14 at 09:19
  • In the suggested case: mailertable is supposed to select special delivery based on destination (pseudo host) provided by ldap_routing for some local email addresses. – AnFi Feb 25 '14 at 15:53

I was trying to set this up myself and was finding snippets here and there but not a complete recipe. Here's how I did it.

I'm running FreeBSD 10.3-RELEASE, sendmail 8.15.2 and dovecot 2.2.29.

You need a user for the virtual user files:

# passwd
vmail:*:2025:2025:Dovecot Virtual Mail:/var/empty:/usr/sbin/nologin

# group
vmail:*:2025:

The dovecot side is simple, so let's do that first. Assuming a working dovecot config you will already have at least one userdb setting. Add a new one for virtual users:

# Virtual users
userdb {
        driver = static
        args = uid=vmail gid=vmail home=/var/vmail/%u
}

If you don't have one already add a passdb setting for static credentials:

passdb {
        args = scheme=plain-md5 username_format=%u /usr/local/etc/dovecot/imap-passwd
        driver = passwd-file
}

Create /var/vmail:

mkdir /var/vmail
chown vmail:vmail /var/vmail

and unless you want to manually create directories for each new virtual user, add:

# Virtual users config
lda_mailbox_autocreate = yes

to dovecot.conf (the symptom of not turning on lda_mailbox_autocreate and the directories not existing is EX_TEMPFAIL errors and messages stuck in the local sendmail queue).

Use "doveadm pw -s PLAIN-MD5" and add a line for the new virtual user:

vfred:{PLAIN-MD5}912ec803b2ce49e4a541068d495ab570

Restart dovecot to pick up the new config:

service dovecot restart

Now on to sendmail. If you don't have a mailertable you'll need to add one:

FEATURE(`mailertable')dnl

to sendmail.mc and:

vmail dovecot:dummy

to mailertable. This is telling sendmail to use the dovecot local delivery agent for *@vmail.

At the end of your sendmail.mc you probably have something like:

MAILER(local)dnl
MAILER(smtp)dnl

Append something along the lines of:

dnl
dnl Dovecot virtual user delivery agent
dnl
LOCAL_CONFIG
Mdovecot,
    P=/usr/local/libexec/dovecot/dovecot-lda,
    F=l59DFMPhnu,
    S=EnvFromL/HdrFromL,
    R=EnvToL/HdrToL,
    M=51200000,
    U=vmail:vmail,
    T=DNS/RFC822/X-Unix,
    A=/usr/local/libexec/dovecot/dovecot-lda -d $u

generate a new sendmail.cf and restart sendmail:

service sendmail stop ; sleep 1 ; service sendmail start

("service sendmail restart" is a bit funny under FreeBSD)

Finally add your virtual user to the aliases file:

vfred: vfred@vmail

Run newaliases and test.
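To see how the pieces of this recipe (and of AnFi's mailertable suggestion above) fit together before restarting anything, here is an added example, my code rather than the answer's or sendmail's: a small Python model of the decisions sendmail makes for one recipient under this configuration. It follows /etc/aliases, lets the pseudo-host vmail select the dovecot mailer through mailertable, substitutes $u into the A= argv, carries the U= identity, and expands the static userdb home. The domain example.org, the system users, the postmaster alias and the mail.local path are constructed; the aliases entry, mailertable line, Mdovecot fields and userdb home are taken from the answer. It models routing only, not the mailer flags or the SMTP-level checks.

```python
"""Model of the recipe: aliases -> user@vmail -> mailertable -> Mdovecot.

Added example, not code from the answer or from sendmail. It reproduces only
the routing decisions the recipe relies on. Constructed values are marked.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_DOMAINS = {"example.org"}                 # constructed: this host's own domain
SYSTEM_USERS = {"root", "alice"}                # constructed: real /etc/passwd users
ALIASES = {"vfred": "vfred@vmail",              # from the answer
           "postmaster": "root"}                # constructed
MAILERTABLE = {"vmail": "dovecot:dummy"}        # from the answer
MAILERS = {                                     # U= and A= from the answer; $u = local part
    "dovecot": {"U": ("vmail", "vmail"),
                "A": ["/usr/local/libexec/dovecot/dovecot-lda", "-d", "$u"]},
    "local":   {"U": None,                      # identity left to the local mailer
                "A": ["/usr/libexec/mail.local", "-l", "$u"]},   # constructed
}
USERDB_HOME = "/var/vmail/%u"                   # dovecot static userdb from the answer


@dataclass
class Delivery:
    mailer: str
    run_as: Optional[Tuple[str, str]]
    argv: List[str]
    home: Optional[str] = None


def expand_alias(local, aliases=ALIASES, seen=None):
    """Follow /etc/aliases until a non-alias, or an address with a host, is reached."""
    seen = set() if seen is None else seen
    if local in seen:
        raise ValueError(f"alias loop at {local}")
    seen.add(local)
    target = aliases.get(local)
    if target is None:
        return local
    if "@" in target:                            # e.g. vfred@vmail: stop, re-route by host
        return target
    return expand_alias(target, aliases, seen)


def check_aliases(aliases):
    """Alias names whose expansion never terminates; worth running before newaliases."""
    bad = []
    for name in aliases:
        try:
            expand_alias(name, aliases)
        except ValueError:
            bad.append(name)
    return sorted(bad)


def route(address):
    """Return a Delivery, a 5xx rejection string, or 'relay' for one recipient."""
    local, host = address.split("@", 1)
    if host in LOCAL_DOMAINS:
        expanded = expand_alias(local)
        if "@" in expanded:
            local, host = expanded.split("@", 1)
        else:
            local = expanded
    if host in MAILERTABLE:
        # mailertable value is mailer:host; Mdovecot's A= never uses $h, so "dummy" is ignored
        name = MAILERTABLE[host].split(":", 1)[0]
        m = MAILERS[name]
        return Delivery(name, m["U"], [a.replace("$u", local) for a in m["A"]],
                        home=USERDB_HOME.replace("%u", local))
    if host in LOCAL_DOMAINS:
        if local in SYSTEM_USERS:
            m = MAILERS["local"]
            return Delivery("local", m["U"], [a.replace("$u", local) for a in m["A"]])
        return "550 5.1.1 User unknown"          # no alias and no account: reject
    return "relay"                               # someone else's domain, out of scope here


if __name__ == "__main__":
    for rcpt in ("vfred@example.org", "postmaster@example.org", "nobody@example.org"):
        print(rcpt, "->", route(rcpt))
```

The point to notice is the last branch: a local part with neither an alias nor a system account is still rejected by sendmail itself, which is the behaviour the question's author wanted to keep, while only the names you list in aliases as `name: name@vmail` reach dovecot-lda, and they reach it as vmail:vmail with the virtual name as -d.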