From iRedMail

(Difference between revisions)

Current revision as of 16:58, 2 March 2013

Summary & Feature List

iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
Currently, it works with OpenLDAP, MySQL and PostgreSQL backends.

Available Plugins
Plugin name	Description	Backend
ldap_maillist_access_policy	Used to restrict mail list access	OpenLDAP
sql_alias_access_policy	Used to restrict alias access	MySQL

Requirements

iRedMail: All iRedMail versions should work as expected.
Python >= 2.4, core programming language.
Python-MySQLdb, is the Python DB API-2.0 interface.
web.py >= 0.3.5, a web framework for python that is as simple as it is powerful.

Create new user

We will run iRedAPD as a low privilege user for security reason.

Terminal:

#
# ---- On RHEL/CentOS/Debian/Ubuntu/OpenBSD ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd

Install required python modules

on RHEL/CentOS:

Terminal:

# yum install MySQL-python python-setuptools
# easy_install web.py

on Debian/Ubuntu:

Terminal:

$ sudo apt-get install python-setuptools python-mysqldb
$ sudo easy_install web.py

on FreeBSD:

Terminal:

# cd /usr/ports/databases/py-MySQLdb
# make install clean

# cd /usr/ports/www/webpy/
# make install clean

Download and configure iRedAPD

Download iRedAPD from Download page.
Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.

Terminal:

# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd

Copy RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD). Note: We have RC script for different Linux/BSD distributions, please copy the one matches your distribution.

Terminal:

# cp /opt/iredapd/rc_scripts/iredapd.rhel /etc/init.d/iredapd
# chmod +x /etc/init.d/iredapd

Copy sample setting file and set correct file permission:

Terminal:

# cp /opt/iredapd/settings.py.sample /opt/iredapd/settings.py
# chown iredapd:iredapd /opt/iredapd/settings.py
# chmod 0500 /opt/iredapd/settings.py

Warning: settings.py contains LDAP/SQL username and password, please don't make it world readable.

Open /opt/iredapd/settings.py and set correct values:

File: /opt/iredapd/settings.py

# Listen address and port.
listen_address = "127.0.0.1"
listen_port = "7777"

# Daemon user.
run_as_user = "iredapd"

# Path to pid file.
pid_file = "/var/run/iredapd.pid"

# Log type: file.
log_file = "/var/log/iredapd.log"

# Log level: info, warning, error, debug.
# 'info' is recommended for product use.
log_level = "info"

# Backend: ldap, mysql, pgsql.
backend = "ldap"

# Enabled plugins.
plugins = ["sql_alias_access_policy"]

# For MySQL and PostgreSQL backends.
sql_server = "127.0.0.1"
sql_db = "vmail"
sql_user = "vmail"
sql_password = "Psaf68wsuVctYSbj4PJzRqmFsE0rlQ"

Start iRedAPD now.

Terminal:

# /etc/init.d/iredapd start

Make iRedAPD start when boot your server.
- on RHEL/CentOS:

Terminal:

# chkconfig --level 345 iredapd on

- on Debian/Ubuntu:

Terminal:

$ update-rc.d iredapd defaults

- on FreeBSD, you should append below line to /etc/rc.conf:

File: /etc/rc.conf

iredapd_enable='YES'

- on OpenBSD, you should append "iredapd" in parameter "pkg_scripts" in /etc/rc.conf.local:

File: /etc/rc.conf.local

pkg_scripts=" ... iredapd"

Configure postfix

Modify postfix setting smtpd_recipient_restrictions setting in /etc/postfix/main.cf:

File: /etc/postfix/main.cf

smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,     # <-- Insert this line before "permit_mynetworks"
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

Restart postfix to make it work.

Terminal:

# /etc/init.d/postfix restart

Rotate log file with logrotate

Add new file in logrotate to rotate iRedAPD log file:

File: /etc/logrotate.d/iredapd

/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compress.
    compresscmd /usr/bin/bzip2
    uncompresscmd /usr/bin/bunzip2
    compressoptions -9
    compressext .bz2 

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}

Available access policies

Below access policies are recognized in iRedAPD-1.3.4:

Restriction	Comment	Value of column 'alias.accesspolicy'
Unrestricted	Email is unrestricted, which means everyone can mail to this address.	public
Domain Wide	Only users under same domain can send mail to this address.	domain
Domain and all sub-domains	Only users under same domain and sub-domains can send mail to this address.	subdomain
Members Only	Only members can send mail to this address	membersOnly
Moderators Only	Only moderators can send mail to this address	allowedOnly
Moderators Only	Only members and moderators can send mail to this address	membersAndModeratorsOnly

Add moderators for mail alias

To add moderators for certain mail alias, just list all email addresses of moderators in SQL column moderators, multiple addresses must be separated by comma. For example:

Terminal:

sql> UPDATE alias SET moderators='user1@domain.ltd' WHERE address='myalias01@domain.ltd';
sql> UPDATE alias SET moderators='user1@domain.ltd,user2@domain.ltd,user3@domain.ltd' WHERE address='myalias02@domain.ltd';

Troubleshooting & Debug

If iRedAPD doesn't work as expected, you can simplily set log_level = debug in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic in iRedMail forum and paste log message in forum topic.

@@ Line 1: / Line 1: @@
 __TOC__
-{{Install/iRedAPD/MySQL/Languages}}
+NOTE: This installation guide is for '''iRedAPD-1.3.8''' and earlier versions, please check the latest installation guide here: [https://bitbucket.org/zhb/iredapd/src/default/README.md?at=default Install the latest iRedAPD].
 = Summary & Feature List =
 * iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
-* Currently, it works with both OpenLDAP and MySQL backend.
+* Currently, it works with OpenLDAP, MySQL and PostgreSQL backends.
 {{iRedAPD/Plugins}}
 = Requirements =
+* iRedMail: All iRedMail versions should work as expected.
 * Python >= 2.4, core programming language.
 * Python-MySQLdb, is the Python DB API-2.0 interface.
-* web.py >= 0.3.0, a web framework for python that is as simple as it is powerful.
+* web.py >= 0.3.5, a web framework for python that is as simple as it is powerful.
-* DBUtils, is a suite of tools providing solid, persistent and pooled connections to a database.
-* iRedMail: All iRedMail versions should work as expected.
-= Alter MySQL Table =
-Plugin '''sql_alias_access_policy''' requires two more columns in '''vmail.alias''' table, used to store access policy and addresses of moderators.
-{{cmd|<pre>
-mysql> USE vmail;
-mysql> ALTER TABLE alias ADD COLUMN accesspolicy VARCHAR(30) NOT NULL DEFAULT '';
-mysql> ALTER TABLE alias ADD COLUMN moderators TEXT NOT NULL DEFAULT '';
-</pre>}}
 = Create new user =
@@ Line 28: / Line 20: @@
 {{cmd|<pre>
 #
-# ---- On RHEL/CentOS/Debian/Ubuntu ----
+# ---- On RHEL/CentOS/Debian/Ubuntu/OpenBSD ----
 #
 # useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd
@@ Line 43: / Line 35: @@
 {{cmd|<pre>
 # yum install MySQL-python python-setuptools
-# easy_install web.py DBUtils
+# easy_install web.py
 </pre>}}
@@ Line 49: / Line 41: @@
 {{cmd|<pre>
 $ sudo apt-get install python-setuptools python-mysqldb
-$ sudo easy_install web.py DButils
+$ sudo easy_install web.py
 </pre>}}
@@ Line 58: / Line 50: @@
 # cd /usr/ports/www/webpy/
-# make install clean
-# cd /usr/ports/databases/py-dbutils/
 # make install clean
 </pre>}}
 = Download and configure iRedAPD =
-* Download iRedAPD from [http://www.iredmail.org/download.html#iredapd download page].
+* Download iRedAPD from [https://bitbucket.org/zhb/iredapd/downloads Download page].
 * Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.
 {{cmd|<pre>
 # tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
 # ln -s /opt/iRedAPD-x.y.z /opt/iredapd
-# chmod +x /opt/iredapd/src/iredapd.py
 </pre>}}
-* Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD):
+* Copy RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD). Note: We have RC script for different Linux/BSD distributions, please copy the one matches your distribution.
 {{cmd|<pre>
-# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
+# cp /opt/iredapd/rc_scripts/iredapd.rhel /etc/init.d/iredapd
 # chmod +x /etc/init.d/iredapd
 </pre>}}
-* Copy sample setting file:
+* Copy sample setting file and set correct file permission:
 {{cmd|<pre>
-# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
+# cp /opt/iredapd/settings.py.sample /opt/iredapd/settings.py
+# chown iredapd:iredapd /opt/iredapd/settings.py
+# chmod 0500 /opt/iredapd/settings.py
 </pre>}}
+Warning: settings.py contains LDAP/SQL username and password, please don't make it world readable.
-* Open /opt/iredapd/etc/iredapd.ini and set correct values:
+* Open /opt/iredapd/settings.py and set correct values:
-{{cfg|/opt/iredapd/etc/iredapd.ini|<pre>
+{{cfg|/opt/iredapd/settings.py|<pre>
-[general]
 # Listen address and port.
-listen_addr     = 127.0.0.1
+listen_address = "127.0.0.1"
-listen_port     = 7777
+listen_port = "7777"
-run_as_user     = iredapd
+# Daemon user.
+run_as_user = "iredapd"
-# Background/daemon mode: yes, no.
-run_as_daemon   = yes
 # Path to pid file.
-pid_file        = /var/run/iredapd.pid
+pid_file = "/var/run/iredapd.pid"
 # Log type: file.
-log_type        = file
+log_file = "/var/log/iredapd.log"
-log_file        = /var/log/iredapd.log
 # Log level: info, warning, error, debug.
 # 'info' is recommended for product use.
-log_level       = info
+log_level = "info"
-# Backend: ldap, mysql.
+# Backend: ldap, mysql, pgsql.
-backend     = mysql
+backend = "ldap"
-[mysql]
-# For MySQL backend only.
-server      = 127.0.0.1
-db          = vmail
-user        = vmail
-password    = Psaf68wsuVctYSbj4PJzRqmFsE0rlQ
-alias_table = alias
 # Enabled plugins.
-plugins = sql_alias_access_policy
+plugins = ["sql_alias_access_policy"]
+# For MySQL and PostgreSQL backends.
+sql_server = "127.0.0.1"
+sql_db = "vmail"
+sql_user = "vmail"
+sql_password = "Psaf68wsuVctYSbj4PJzRqmFsE0rlQ"
 </pre>}}
@@ Line 131: / Line 117: @@
 ** on Debian/Ubuntu:{{cmd|<pre>$ update-rc.d iredapd defaults</pre>}}
 ** on FreeBSD, you should append below line to '''/etc/rc.conf''':{{cfg|/etc/rc.conf|<pre>iredapd_enable='YES'</pre>}}
+** on OpenBSD, you should append "iredapd" in parameter "pkg_scripts" in '''/etc/rc.conf.local''': {{cfg|/etc/rc.conf.local|<pre>pkg_scripts=" ... iredapd"</pre>}}
 = Configure postfix =
@@ Line 137: / Line 124: @@
 smtpd_recipient_restrictions =
      ...
-     check_policy_service inet:127.0.0.1:7777,     # <-- Insert this line
+     check_policy_service inet:127.0.0.1:7777,     # <-- Insert this line before "permit_mynetworks"
      permit_mynetworks,
      permit_sasl_authenticated,
@@ Line 211: / Line 198: @@
    <td>Moderators Only</td>
    <td>Only moderators can send mail to this address</td>
-   <td>moderatorsOnly</td>
+   <td>allowedOnly</td>
 </tr>

Install/iRedAPD/MySQL

From iRedMail

Current revision as of 16:58, 2 March 2013

Contents

Summary & Feature List

Requirements

Create new user

Install required python modules

Download and configure iRedAPD

Configure postfix

Rotate log file with logrotate

Available access policies

Add moderators for mail alias

Troubleshooting & Debug

Views

Personal tools

Navigation

Search

Toolbox