Install/iRedAPD/OpenLDAP
From iRedMail
Revision as of 09:48, 13 June 2012
Summary & Feature List
NOTE: This installation guide is for iRedAPD-1.3.3 and later versions.
- iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
- Currently, it works with both the OpenLDAP and the MySQL backend, but this installation guide covers OpenLDAP only.
- Plugins:
- ldap_maillist_access_policy: Checks a user's right to post messages to the mailing lists built into the iRedMail OpenLDAP solution.
- block_amavisd_blacklisted_senders: Used for per-user sender whitelists and blacklists.
- ldap_recipient_restrictions: Used for per-user recipient whitelists and blacklists.
How to manage it
- iRedAdmin-Pro (full-featured edition) users can manage mailing list delivery restrictions and per-user blacklists/whitelists directly.
- If you did not purchase iRedAdmin-Pro, you can also manage them with phpLDAPadmin.
Requirements
- Python >= 2.4, core programming language.
- Python-LDAP >= 2.3.7. An object-oriented API to access LDAP directory servers from Python programs.
- iRedMail >= 0.5.0
Install iRedAPD
We will configure iRedAPD as two Postfix policy daemons:
- Daemon listening on port 7777: used in Postfix smtpd_recipient_restrictions, for mailing list delivery restrictions.
- Daemon listening on port 7778: used in Postfix smtpd_sender_restrictions, for per-user blacklists and whitelists.
Create new user
We will run iRedAPD as a low-privilege user for security reasons.
| Terminal: |
#
# ---- On RHEL/CentOS ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd
#
# ---- On Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd
#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd
|
Install required python modules
TIP: You can skip this step if you already have iRedAdmin installed.
| Terminal: |
#
# ---- on RHEL/CentOS ----
#
# yum install python-ldap
#
# ---- on Debian/Ubuntu ----
#
$ sudo apt-get install python-ldap
#
# ---- on FreeBSD ----
#
# cd /usr/ports/net/py-ldap2 && make install clean
|
Download and configure iRedAPD
- Download iRedAPD from the download page: http://www.iredmail.org/download.html#iredapd
- Copy iRedAPD to /opt/, set correct file permissions, and create a symbolic link.
| Terminal: |
#
# ---- Uncompress tarball, create symbolic link ----
#
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
# chmod -R 0700 /opt/iRedAPD-x.y.z/
# chmod +x /opt/iredapd/src/iredapd.py
#
# ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
#
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr
#
# ---- Copy sample setting file ----
# ---- Note: We just copy one sample config file now ----
#
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
# chmod 0600 /opt/iredapd/etc/iredapd.ini
|
- Open /opt/iredapd/etc/iredapd.ini and set correct values.
| File: /opt/iredapd/etc/iredapd.ini |
#
# ---- Note: This config file is self-documented ----
# ---- just open it and read the comment ----
#
[general]
listen_addr = 127.0.0.1
listen_port = 7777
run_as_user = iredapd
run_as_daemon = yes
pid_file = /var/run/iredapd.pid
log_type = file
log_file = /var/log/iredapd.log
log_level = info
backend = ldap

[ldap]
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=iredmail,dc=org
bindpw = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
basedn = o=domains,dc=iredmail,dc=org

#
# ---- Enable plugin for mail list deliver restrictions ----
#
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
|
- Copy this file for the second iRedAPD daemon.
| Terminal: |
# cd /opt/iredapd/etc/
# cp iredapd.ini iredapd-rr.ini
# chown iredapd:iredapd iredapd-rr.ini
# chmod 0600 iredapd-rr.ini
|
- Change the values of the parameters below in iredapd-rr.ini:
| File: /opt/iredapd/etc/iredapd-rr.ini |
listen_port = 7778
pid_file = /var/run/iredapd-rr.pid
log_file = /var/log/iredapd-rr.log
plugins = ldap_recipient_restrictions
|
- Create log files:
| Terminal: |
#
# ---- On ALL OS ----
#
# touch /var/log/iredapd.log /var/log/iredapd-rr.log
# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log
|
- Make iRedAPD start when your server boots.
| Terminal: |
#
# ---- on RHEL/CentOS ----
#
# chkconfig --level 345 iredapd on
# chkconfig --level 345 iredapd-rr on
#
# ---- on Debian/Ubuntu ----
#
$ sudo update-rc.d iredapd defaults
$ sudo update-rc.d iredapd-rr defaults
#
# ---- on FreeBSD, please edit /etc/rc.conf, append below line ----
#
iredapd_enable='YES'
|
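The second daemon's config is a copy of the first with only a few values changed, so a forgotten edit leaves both instances fighting over one pid file, one log file or one port, or running the wrong plugin set. The check below is an added example, not part of iRedAPD: it loads both ini files with Python's configparser and reports collisions. The two ini texts are constructed samples modelled on the guide's sample file (the bind password is a placeholder), and the `plugins` key is looked up in whichever section it appears in, since the guide's sample places it after the [ldap] section.

```python
# Added example (not iRedAPD's own code): consistency check for the two
# iRedAPD daemon configs (iredapd.ini on 7777, iredapd-rr.ini on 7778).
import configparser

# Constructed sample modelled on the guide's iredapd.ini; password is a placeholder.
IREDAPD_INI = """
[general]
listen_addr = 127.0.0.1
listen_port = 7777
run_as_user = iredapd
run_as_daemon = yes
pid_file = /var/run/iredapd.pid
log_type = file
log_file = /var/log/iredapd.log
log_level = info
backend = ldap

[ldap]
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=iredmail,dc=org
bindpw = CHANGE_ME_PLACEHOLDER
basedn = o=domains,dc=iredmail,dc=org
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
"""

# Constructed "forgot to edit" copy: only listen_port was changed, so pid_file,
# log_file and plugins still collide with the first daemon.
IREDAPD_RR_INI_BAD = IREDAPD_INI.replace("listen_port = 7777", "listen_port = 7778")

# Constructed correct copy with all four values the guide says to change.
IREDAPD_RR_INI_GOOD = (
    IREDAPD_INI
    .replace("listen_port = 7777", "listen_port = 7778")
    .replace("/var/run/iredapd.pid", "/var/run/iredapd-rr.pid")
    .replace("/var/log/iredapd.log", "/var/log/iredapd-rr.log")
    .replace("plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders",
             "plugins = ldap_recipient_restrictions")
)

# Plugin sets this guide assigns to each daemon.
EXPECTED_PLUGINS = {
    "iredapd.ini": {"ldap_maillist_access_policy", "block_amavisd_blacklisted_senders"},
    "iredapd-rr.ini": {"ldap_recipient_restrictions"},
}

def load(text):
    """Parse ini text into a ConfigParser."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp

def plugins_of(cp):
    """Return the set of enabled plugins, whichever section 'plugins' lives in."""
    for section in cp.sections():
        if cp.has_option(section, "plugins"):
            return {p.strip() for p in cp.get(section, "plugins").split(",") if p.strip()}
    return set()

def check_pair(main_text, rr_text):
    """Return a list of problems; an empty list means the two configs are consistent."""
    main, rr = load(main_text), load(rr_text)
    problems = []
    # Values that must differ between the two daemons.
    for key in ("listen_port", "pid_file", "log_file"):
        if main.get("general", key) == rr.get("general", key):
            problems.append("both daemons share %s = %s" % (key, main.get("general", key)))
    # Ports must match what main.cf will point check_policy_service at.
    if main.get("general", "listen_port") != "7777":
        problems.append("iredapd.ini should listen on 7777")
    if rr.get("general", "listen_port") != "7778":
        problems.append("iredapd-rr.ini should listen on 7778")
    if plugins_of(main) != EXPECTED_PLUGINS["iredapd.ini"]:
        problems.append("unexpected plugins in iredapd.ini: %s" % sorted(plugins_of(main)))
    if plugins_of(rr) != EXPECTED_PLUGINS["iredapd-rr.ini"]:
        problems.append("unexpected plugins in iredapd-rr.ini: %s" % sorted(plugins_of(rr)))
    # A policy daemon reachable from off-host would answer anyone's queries.
    for name, cp in (("iredapd.ini", main), ("iredapd-rr.ini", rr)):
        if cp.get("general", "listen_addr") != "127.0.0.1":
            problems.append("%s listens on a non-loopback address" % name)
    return problems

if __name__ == "__main__":
    print("bad copy :", check_pair(IREDAPD_INI, IREDAPD_RR_INI_BAD))
    print("good copy:", check_pair(IREDAPD_INI, IREDAPD_RR_INI_GOOD))
```

On a live system, read the two files from /opt/iredapd/etc/ instead of the embedded strings and run the check before starting the daemons; a non-empty list means at least one of the values the guide tells you to change was left untouched.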
Start iRedAPD
| Terminal: |
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/iredapd start
# /etc/init.d/iredapd-rr start
#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/iredapd start
# /usr/local/etc/rc.d/iredapd-rr start
|
Configure postfix
In Postfix main.cf, modify the smtpd_recipient_restrictions and smtpd_sender_restrictions settings:
| File: /etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD) |
#
# ---- IMPORTANT NOTE ----
# ---- Apply the order of restriction rules STRICTLY ----
# ---- otherwise iRedAPD may not work as expected. ----
#
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    ...
|
- Restart Postfix to apply the change.
| Terminal: |
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/postfix restart
#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/postfix restart
|
Rotate log file with logrotate
Add a new file to logrotate to rotate the iRedAPD log file:
| File: /etc/logrotate.d/iredapd |
/var/log/iredapd.log {
compress
daily
rotate 30
missingok
# Use bzip2 for compress.
compresscmd /usr/bin/bzip2
uncompresscmd /usr/bin/bunzip2
compressoptions -9
compressext .bz2
# Used on RHEL/CentOS.
postrotate
/bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
endscript
# Used on Ubuntu.
#postrotate
# invoke-rc.d sysklogd reload > /dev/null
#endscript
}
|
Available access policies
The access policies below are recognized in iRedAPD-1.3.4:
| Restriction | Comment | Value of attribute 'accessPolicy' in LDAP |
|---|---|---|
| Unrestricted | Email is unrestricted, which means everyone can mail to this address. | public |
| Domain Wide | Only users under same domain can send mail to this address. | domain |
| Domain and all sub-domains | Only users under same domain and sub-domains can send mail to this address. | subdomain |
| Members Only | Only members can send mail to this address | membersOnly |
| Moderators Only | Only moderators can send mail to this address | moderatorsOnly |
| Members and Moderators Only | Only members and moderators can send mail to this address | membersAndModeratorsOnly |
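To make the table concrete, the following is an added example, not iRedAPD's own ldap_maillist_access_policy plugin code: it turns an accessPolicy value plus the sender address Postfix reports into an allow/deny decision, and refuses unknown policy values rather than silently opening the list. The list address, member and moderator sets are constructed sample data; the function and helper names are assumptions.

```python
# Added example (not iRedAPD's own code): decide whether a sender may post to
# a mailing list, following the accessPolicy values listed in the table above.

def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def is_same_or_subdomain(sender_domain, list_domain):
    """True if sender_domain equals list_domain or is a sub-domain of it.

    The leading dot prevents 'notexample.com' from matching 'example.com'.
    """
    return sender_domain == list_domain or sender_domain.endswith("." + list_domain)

def maillist_access_allowed(policy, sender, list_address, members=(), moderators=()):
    """Return True if `sender` may post to `list_address` under `policy`.

    policy is the value of the LDAP attribute 'accessPolicy': public, domain,
    subdomain, membersOnly, moderatorsOnly or membersAndModeratorsOnly.
    Any other value is refused (fail closed).
    """
    sender = sender.lower()
    sender_domain = domain_of(sender)
    list_domain = domain_of(list_address)
    members = {m.lower() for m in members}
    moderators = {m.lower() for m in moderators}

    if policy == "public":
        return True
    if policy == "domain":
        return sender_domain == list_domain
    if policy == "subdomain":
        return is_same_or_subdomain(sender_domain, list_domain)
    if policy == "membersOnly":
        return sender in members
    if policy == "moderatorsOnly":
        return sender in moderators
    if policy == "membersAndModeratorsOnly":
        return sender in members or sender in moderators
    # Unknown or empty policy value: refuse rather than accidentally open the list.
    return False

# Constructed sample data (assumed, not taken from the page).
LIST = "staff@example.com"
MEMBERS = ["alice@example.com", "bob@example.com"]
MODERATORS = ["carol@example.com"]

if __name__ == "__main__":
    for policy in ("public", "domain", "subdomain", "membersOnly",
                   "moderatorsOnly", "membersAndModeratorsOnly"):
        for sender in ("alice@example.com", "dave@sales.example.com", "eve@example.net"):
            print("%-26s %-24s %s" % (policy, sender,
                  maillist_access_allowed(policy, sender, LIST, MEMBERS, MODERATORS)))
```

Note that the decision is based only on the sender address the policy daemon is handed; for the domain and subdomain policies it is the surrounding Postfix restriction order (check_policy_service before permit_sasl_authenticated and reject_unauth_destination) that keeps an outsider from claiming a local sender address without authenticating.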
How to set per-user blacklist/whitelist
TIP:
- If you have iRedAdmin-Pro installed, you can manage it in user profile page, under tab Restrictions.
- If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.
Sender and recipient addresses in whitelists and blacklists take the following forms:
- To bypass or block a single user, use the full email address, e.g. user@domain.ltd
- To bypass or block a whole domain, use @domain.ltd, e.g. @domain.ltd
- To bypass or block a domain and all its sub-domains, use @.domain.ltd, e.g. @.domain.ltd
- Use @. to bypass or block all accounts.
- Whitelist entries have higher priority than blacklist entries.
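The four pattern forms and the whitelist-over-blacklist rule can be checked outside the daemon. The code below is an added example, not iRedAPD's own block_amavisd_blacklisted_senders or ldap_recipient_restrictions code: it expands an address into every pattern that could match it (exact address, its domain, each parent domain with the sub-domain form, and @.), then consults a whitelist before a blacklist. The function names and sample patterns are assumptions.

```python
# Added example (not iRedAPD's own code): evaluate the per-user whitelist and
# blacklist pattern forms described above.
#   user@domain.ltd   single address
#   @domain.ltd       whole domain
#   @.domain.ltd      domain and all its sub-domains
#   @.                everyone
# A whitelist hit takes priority over any blacklist hit.

def address_patterns(address):
    """Return every list pattern that matches `address`, most specific first.

    For 'user@mail.example.com' this yields, in order:
      user@mail.example.com   exact address
      @mail.example.com       whole domain
      @.mail.example.com      that domain and its sub-domains
      @.example.com           parent domain and its sub-domains
      @.com
      @.                      everyone
    """
    address = address.strip().lower()
    _local, _sep, domain = address.rpartition("@")
    patterns = [address, "@" + domain]
    labels = domain.split(".")
    for i in range(len(labels)):
        patterns.append("@." + ".".join(labels[i:]))
    patterns.append("@.")
    return patterns

def evaluate_access(address, whitelist, blacklist):
    """Return 'whitelisted', 'blacklisted' or 'unlisted' for `address`.

    whitelist and blacklist are iterables of patterns in the forms above,
    compared case-insensitively. A whitelist match wins over a blacklist match,
    so a single user can be let through a domain-wide block.
    """
    whitelist = {p.strip().lower() for p in whitelist}
    blacklist = {p.strip().lower() for p in blacklist}
    candidates = address_patterns(address)
    if any(p in whitelist for p in candidates):
        return "whitelisted"
    if any(p in blacklist for p in candidates):
        return "blacklisted"
    return "unlisted"

if __name__ == "__main__":
    # Constructed sample lists (assumed, not from the page).
    whitelist = ["boss@bad.example", "@.partner.example"]
    blacklist = ["@bad.example", "@.spam.example", "@."]
    for addr in ("boss@bad.example", "user@bad.example", "x@sub.bad.example",
                 "y@deep.partner.example", "anyone@anywhere.org"):
        print("%-26s %s" % (addr, evaluate_access(addr, whitelist, blacklist)))
```

Note that @bad.example blocks only that exact domain; mail from sub.bad.example passes unless the @.bad.example form is used, which is the distinction the second and third bullets above draw.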
Troubleshooting & Debug
If iRedAPD doesn't work as expected, simply set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log. If the cause is still unclear, create a new forum topic and paste the log messages into it.
