Fedora Core 9 + Postfix (包括aliases的設定)
OPENLDAP ON Fedora Core 9
# postfix和sshd
1. 關於pam的設定
1.1 system-auth
#%PAM-1.0
# /etc/pam.d/system-auth: the shared stack that the dovecot and smtp.postfix
# files below include. Local accounts (pam_unix) are tried before the
# directory (pam_ldap), so root and other /etc/passwd users keep working when
# the LDAP server is unreachable.
auth required pam_env.so
# pam_unix prompts once and stores the password; pam_ldap further down reuses
# it (use_first_pass) instead of prompting again. nullok lets an account with
# an empty password field authenticate -- drop it unless that is intended.
auth sufficient pam_unix.so nullok try_first_pass
# Only UIDs >= 500 go on to pam_ldap; system accounts that pam_unix did not
# accept stop here and fall through to pam_deny.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
# broken_shadow: ignore errors reading shadow information.
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
# A user unknown to LDAP is ignored so purely local accounts still pass;
# any other pam_ldap failure is treated as a bad account.
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# Password quality is checked first (requisite); pam_unix and then pam_ldap
# receive the already-checked token via use_authtok.
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
# For cron jobs, success=1 skips the following pam_unix session line.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
1.2 smtp
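#%PAM-1.0
# /etc/pam.d/smtp: consulted by saslauthd (when run with -a pam) while Postfix
# verifies SMTP AUTH. saslauthd only exercises the auth and account stacks;
# password and session are kept for tools that change passwords through this
# service name.
auth required pam_env.so
# pam_ldap is the first module to consume the password in this stack, so it
# has to be allowed to prompt (try_first_pass). With use_first_pass and no
# token stored by an earlier module it failed outright, and only pam_unix
# ever saw the password -- LDAP users could not authenticate.
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
# System accounts (UID 100 and below) stop here; everybody else must pass the
# LDAP account check. The original "sufficient ... uid > 100" placed after a
# merely "sufficient" pam_ldap let a user through even when LDAP rejected
# the account.
account sufficient pam_succeed_if.so uid <= 100 quiet_success
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
# Quality check first, so both backends receive a token that already passed
# pam_cracklib (use_authtok); in the original order pam_ldap changed the
# password before cracklib was reached.
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_ldap.so use_authtok
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_ldap.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_limits.so
session required pam_unix.so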
1.3 dovecot
#%PAM-1.0
# /etc/pam.d/dovecot: only used when dovecot's passdb is "pam". The
# dovecot.conf below uses passdb ldap, so this file is not consulted by that
# setup; it is kept for completeness. Everything is delegated to system-auth.
# Refuse non-root logins while /etc/nologin exists.
auth required pam_nologin.so
auth include system-auth
account include system-auth
session include system-auth
1.4 smtp.postfix
#%PAM-1.0
# /etc/pam.d/smtp.postfix: the Postfix variant of the smtp service file.
# NOTE(review): on Fedora /etc/pam.d/smtp is normally an alternatives-managed
# link pointing at this file, in which case section 1.2 and this section are
# the same file -- yet they differ here (1.2 tries pam_ldap first). Confirm
# which content is actually in effect for saslauthd.
# No pam_env, nologin check or password/session phases: saslauthd only calls
# the auth and account stacks, both delegated to system-auth.
auth include system-auth
account include system-auth
1.5 /etc/pam.d/sshd
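#%PAM-1.0
# /etc/pam.d/sshd (sshd_config must have UsePAM yes). The original stack used
# pam_ldap alone in every phase: password logins for every local account,
# root included, failed whenever the LDAP server was unreachable, and the
# password-quality and session-limit handling the other services get was
# skipped. Delegating to system-auth gives sshd the same pam_unix-then-pam_ldap
# order as dovecot and smtp.postfix above.
# Refuse non-root logins while /etc/nologin exists.
auth required pam_nologin.so
auth include system-auth
account include system-auth
password include system-auth
session include system-auth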
2. 關於slapd.conf部份
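# /etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Provides mailacceptinggeneralid, used by the alias entries and ldap-aliases.cf.
include /etc/openldap/schema/postfix.schema
# LDAPv2 binds are only needed for legacy clients. dovecot sets ldap_version = 3
# below and pam_ldap/postfix default to v3, so this line can usually be dropped.
allow bind_v2
loglevel 296
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# NOTE(review): these are minimum security strength factors per connection.
# dovecot-ldap.conf and ldap-aliases.cf below use plain port 389 without TLS,
# i.e. SSF 0, so as written slapd would refuse their binds, searches and
# password updates ("confidentiality required"). Either serve TLS (ldaps:// or
# StartTLS) and point the clients at it, or remove this line -- check the slapd
# log before relying on either.
security ssf=1 update_ssf=112 simple_bind=64
database bdb
suffix "dc=your-domain,dc=idv,dc=tw"
# rootdn bypasses every ACL; it does not need to exist as an entry.
rootdn "uid=root,ou=People,dc=your-domain,dc=idv,dc=tw"
# Never keep the rootpw in clear text: paste the {SSHA} hash printed by
# slappasswd, and keep slapd.conf readable only by the ldap user.
rootpw {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# ACLs belong to the database whose "database" line precedes them. In the
# original file these lines came after "database monitor", so they protected
# the monitor backend while the bdb tree had no ACL at all and userPassword
# was readable by anonymous searches. The "by" clauses are continuation lines
# and must start with whitespace.
# The uid=dovecot read grant is only needed if dovecot is switched to a
# dn/dnpass service bind; the page's dovecot-ldap.conf uses auth_bind instead.
# uid=root is the rootdn and bypasses ACLs anyway, so its clause is redundant.
access to attrs=userPassword
    by self write
    by dn="uid=dovecot,ou=People,dc=your-domain,dc=idv,dc=tw" read
    by dn="uid=root,ou=People,dc=your-domain,dc=idv,dc=tw" write
    by * auth
# Once any ACL exists, everything not matched is denied (implicit
# "access to * by * none"). nss_ldap/pam_ldap, dovecot's userdb lookup and the
# anonymous (bind = no) postfix alias lookup all need to read the remaining
# attributes, hence the catch-all; writes stay limited to rootdn.
access to *
    by * read
# The monitor database keeps default access; restrict it separately if
# cn=monitor must not be world-readable.
database monitor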
2.1 dovecot.conf
# /etc/dovecot.conf (Dovecot 1.x syntax).
base_dir = /var/run/dovecot/
# Only POP3 is started; the "protocol imap" block below is inert until imap
# is added to this list.
protocols = pop3
shutdown_clients = yes
syslog_facility = mail
# NOTE(review): with SSL disabled and only the PLAIN mechanism enabled, every
# POP3 login sends the user's LDAP password in clear text across the network.
# Re-enabling SSL (ssl_cert_file/ssl_key_file) or limiting the listener to a
# trusted network is the usual mitigation; a deployment decision, so left as is.
ssl_disable = yes
# NOTE(review): dovecot-ldap.conf below also carries a mail_location line with
# a different value; this is the setting dovecot.conf documents -- confirm
# which one is intended.
mail_location = mbox:/var/mail/%u
client_workarounds = oe6-fetch-no-newmail outlook-idle
protocol imap {
listen = *:143
}
protocol pop3 {
}
auth default {
mechanisms = plain
# Both lookups share one settings file; auth_bind there means the password
# is verified by binding to LDAP as the user.
passdb ldap {
args = /etc/dovecot-ldap.conf
}
userdb ldap {
args = /etc/dovecot-ldap.conf
}
# The auth worker runs as root. With passdb ldap that is not required (root is
# mainly needed for passdb pam/shadow); an unprivileged user limits what a
# compromised auth process can do.
user = root
}
listen = *
ssl_listen =
2.2 dovecot-ldap.conf
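# /etc/dovecot-ldap.conf, shared by passdb ldap and userdb ldap in dovecot.conf.
# Passwords are checked by binding to LDAP as the user; dovecot never reads
# userPassword itself, so "by * auth" on that attribute in slapd suffices.
auth_bind = yes
# NOTE(review): plain LDAP on port 389 -- the auth bind carries the user's
# password in clear text to the directory. Add "tls = yes" (plus the CA
# settings) unless the directory is on the same host.
hosts = dns.your-domain.idv.tw
# Must match where user.ldif actually places the entries
# (uid=...,ou=People,...). The original template omitted ou=People, so every
# bind targeted a DN that does not exist and every login failed.
auth_bind_userdn = uid=%u,ou=People,dc=your-domain,dc=idv,dc=tw
ldap_version = 3
base = dc=your-domain, dc=idv, dc=tw
scope = subtree
# NOTE(review): mail_location is a dovecot.conf setting, and dovecot.conf above
# already sets a different value; this line is most likely ignored here --
# confirm and remove.
mail_location = mbox:~/mail:INBOX=/var/mail/%u
# userdb lookup. dn/dnpass are not set, so this search presumably runs
# anonymously and needs anonymous read on the posixAccount attributes in slapd.
# The uid/gid mapped here are overridden by user_global_uid/gid below.
user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
# NOTE(review): with auth_bind_userdn set dovecot binds directly without a
# passdb search, so pass_attrs and default_pass_scheme look unused for the
# password check -- confirm; they are harmless but misleading.
pass_attrs = uid=user,userPassword=password
user_filter = (&(objectClass=posixAccount)(uid=%u))
default_pass_scheme = LDAP-MD5
# Every mailbox is opened as dovecot:mail regardless of the LDAP uid/gid, so
# /var/mail and the spool files must be accessible to that identity.
user_global_uid = dovecot
user_global_gid = mail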
3. postfix的設定
3.1 main.cf
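# /etc/postfix/main.cf (Fedora's default file with the site-specific lines added).
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
address_verify_map = hash:/var/lib/postfix/verify
mail_spool_directory = /var/mail
mail_owner = postfix
# NOTE(review): "mailbox" is not a main.cf parameter name we recognise; postconf
# warns about unused parameters, and the spool is already set by
# mail_spool_directory above. Probably a leftover -- confirm and remove.
mailbox=/var/mail
myhostname = ms1.your-domain.idv.tw
mydomain = your-domain.idv.tw
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
# Recipients are validated against getpwnam() (which reaches LDAP users via
# nss_ldap) plus the alias maps; unknown local recipients are rejected at
# RCPT TO with the code below instead of bouncing after acceptance.
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
# The LDAP map is consulted after the hash map; see ldap-aliases.cf below.
alias_maps = hash:/etc/postfix/aliases, ldap:/etc/postfix/ldap-aliases.cf
debug_peer_level = 2
# Continuation lines of a multi-line value must start with whitespace;
# without it Postfix reads "PATH=..." as a new parameter and rejects the
# "ddd ..." line for lacking an "=".
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.5.1/samples
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
inet_protocols = all
broken_sasl_auth_clients = yes
# An empty value means "no SASL realm". main.cf does not strip quotes, so the
# original ' ' would have been taken literally as the realm name.
smtpd_sasl_local_domain =
# NOTE(review): nothing on this page sets smtpd_sasl_auth_enable = yes; without
# it Postfix never offers AUTH and permit_sasl_authenticated never matches --
# confirm it is set elsewhere. No TLS is configured either, so AUTH offered on
# port 25 would carry the LDAP password in clear text.
# reject_unauth_destination keeps this from being an open relay for clients
# that are neither in mynetworks nor authenticated.
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_reverse_client_hostname
smtpd_client_restrictions = permit_sasl_authenticated
# Stray space removed from the zone name: "dsn.rfc- ignorant.org" was read as
# the zone "dsn.rfc-" followed by an unknown restriction "ignorant.org". Check
# that the zone still answers before relying on it; a stale RHSBL rejects
# nothing, or everything if the domain changes hands and is wildcarded.
smtpd_sender_restrictions = reject_rhsbl_sender dsn.rfc-ignorant.org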
3.2 ldap-aliases.cf
# /etc/postfix/ldap-aliases.cf -- the ldap: table named in alias_maps.
# Postfix queries alias_maps by local part (e.g. "supervisior"), which is why
# the alias entry in 4.5.2 stores its key in "mail" without a domain.
server_host = dns.your-domain.idv.tw
search_base = dc=your-domain,dc=idv,dc=tw
# Plain LDAP on 389: no password crosses the wire (bind = no), but the alias
# data does, unencrypted.
server_port = 389
# NOTE(review): ldap_table(5) examples use a parenthesised filter, (mail=%s);
# confirm the bare form works with this libldap before relying on it.
query_filter = mail=%s
result_format = %s
# Each matching entry expands to all of its mailacceptinggeneralid values.
result_attribute = mailacceptinggeneralid
scope = sub
# Anonymous search: slapd must grant anonymous read on the alias entries (mail
# and mailacceptinggeneralid), otherwise every lookup returns nothing and the
# alias silently falls back to the hash map.
bind = no
4. ldif格式
4.1 base.ldif
# 4.1 base.ldif -- the suffix entry declared in slapd.conf. Load this first
# (ldapadd as the rootdn); every other LDIF file hangs below it.
dn: dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: domain
dc: your-domain
4.2 container.ldif
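# 4.2 container.ldif -- the organizational units. LDIF separates entries with a
# blank line; run together, as the page showed them, ldapadd treats the second
# "dn:" as an attribute of the first entry and the add fails.
dn: ou=People,dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: Group

dn: ou=Friend,dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: Friend

dn: ou=guest,dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: guest

dn: ou=Admin,dc=your-domain,dc=idv,dc=tw
objectClass: top
objectClass: organizationalUnit
ou: Admin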
4.3 user.ldif
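# 4.3 user.ldif -- one posixAccount/shadowAccount/inetOrgPerson entry, under
# ou=People as dovecot's auth_bind_userdn and the PAM lookups expect.
dn: uid=tonyvan,ou=People,dc=your-domain,dc=idv,dc=tw
uid: tonyvan
cn: tonyvan
sn: tonyvan
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# The original "{crypt}12345." is not crypt(3) output (traditional DES hashes
# are 13 characters, $1$/$6$ forms longer), so no password could ever match it
# and neither pam_ldap nor dovecot's auth bind would admit this user. Generate
# the value with slappasswd (defaults to {SSHA}) and paste it here.
userPassword: {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
# Days since 1970-01-01 of the last password change (14073 = 2008-07-13).
shadowLastChange: 14073
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
# Above the uid >= 500 threshold in system-auth, so this user reaches pam_ldap.
uidNumber: 501
# Group 100 is not defined in group.ldif; it has to exist in /etc/group (or
# another LDAP entry) for ownership lookups to resolve.
gidNumber: 100
homeDirectory: /home/tonyvan
mail: tonyvan@your-domain.idv.tw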
4.4 group.ldif
# 4.4 group.ldif -- the posixGroup entry served through nss_ldap.
dn: cn=wheel,ou=Group,dc=your-domain,dc=idv,dc=tw
objectClass: posixGroup
objectClass: top
cn: wheel
# NOTE(review): "{crypt}87" cannot be crypt(3) output (DES hashes are 13
# characters), so this group password can never be verified. Drop the
# attribute rather than keep an unusable value; group passwords are rarely
# wanted anyway.
userPassword: {crypt}87
gidNumber: 10
# wheel membership commonly gates su/sudo on Fedora, and it is now defined in
# the directory: keep write access to this entry limited to the directory
# administrator.
memberUid: j3p4.k9
memberUid: root
4.5 mail aliases base ldif
4.5.1 aliases.base.ldif
# 4.5.1 aliases.base.ldif -- container for the mail alias entries that
# ldap-aliases.cf finds (its search_base is the whole tree, scope sub).
dn: ou=Aliases,dc=your-domain,dc=idv,dc=tw
ou: Aliases
# inetLocalMailRecipient (misc.schema) is auxiliary, so it may sit on an OU;
# the postfix lookup does not use it -- it reads mailacceptinggeneralid from
# the child entries.
objectClass: inetLocalMailRecipient
objectClass: organizationalUnit
objectClass: top
4.5.2 aliases.supervisior.ldif
# 4.5.2 aliases.supervisior.ldif -- one alias: mail for "supervisior" is
# delivered to both addresses listed in mailacceptinggeneralid.
dn: cn=supervisior,ou=Aliases,dc=your-domain,dc=idv,dc=tw
cn: supervisior
sn: supervisior
objectClass: inetOrgPerson
objectClass: organizationalPerson
# NOTE(review): mailacceptinggeneralid comes from postfix.schema, not from
# inetOrgPerson. Unless /etc/openldap/schema/postfix.schema defines it in a
# class listed here, slapd will likely reject the entry with "attribute not
# allowed" -- check which auxiliary class that schema declares and add it.
# Postfix queries alias_maps by local part, so the key is stored without a
# domain.
mail: supervisior
mailacceptinggeneralid: tonyvan@your-domain.idv.tw
mailacceptinggeneralid: j3p4.k9@your-domain.idv.tw