Install/iRedAPD/OpenLDAP
From iRedMail
Revision as of 09:48, 13 June 2012
Summary & Feature List
NOTE: This installation guide is for iRedAPD-1.3.3 and later versions.
- iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
- Currently it works with both the OpenLDAP and the MySQL backend, but this installation guide covers OpenLDAP only.
- Plugins:
- ldap_maillist_access_policy: checks a user's right to post messages to the mail lists built into the iRedMail OpenLDAP solution.
- block_amavisd_blacklisted_senders: used for per-user sender whitelists and blacklists.
- ldap_recipient_restrictions: used for per-user recipient whitelists and blacklists.
How to manage it
- iRedAdmin-Pro (full-featured edition) users can manage mail list delivery restrictions and per-user blacklists/whitelists directly.
- If you didn't purchase iRedAdmin-Pro, you can also manage them with phpLDAPadmin.
Requirements
- Python >= 2.4, core programming language.
- Python-LDAP >= 2.3.7. An object-oriented API to access LDAP directory servers from Python programs.
- iRedMail >= 0.5.0
Install iRedAPD
We will configure iRedAPD as two Postfix policy daemons:
- Daemon listening on port 7777: used in the Postfix smtpd_recipient_restrictions setting, for mail list delivery restrictions.
- Daemon listening on port 7778: used in the Postfix smtpd_sender_restrictions setting, for per-user blacklists and whitelists.
Create new user
We will run iRedAPD as a low-privilege user for security reasons.
Terminal:
```
#
# ---- On RHEL/CentOS ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd
```
Install required python modules
TIP: You can skip this step if you already have iRedAdmin installed.
Terminal:
```
#
# ---- on RHEL/CentOS ----
#
# yum install python-ldap

#
# ---- on Debian/Ubuntu ----
#
$ sudo apt-get install python-ldap

#
# ---- on FreeBSD ----
#
# cd /usr/ports/net/py-ldap2 && make install clean
```
Download and configure iRedAPD
- Download iRedAPD from download page: http://www.iredmail.org/download.html#iredapd
- Copy iRedAPD to /opt/, set correct file permissions, and create a symbolic link.
Terminal:
```
#
# ---- Uncompress tarball, create symbol link ----
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
# chmod -R 0700 /opt/iRedAPD-x.y.z/
# chmod +x /opt/iredapd/src/iredapd.py

#
# ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
#
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr

#
# ---- Copy sample setting file ----
# ---- Note: We just copy one sample config file now ----
#
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
# chmod 0600 /opt/iredapd/etc/iredapd.ini
```
- Open /opt/iredapd/etc/iredapd.ini and set correct values.
File: /opt/iredapd/etc/iredapd.ini
```
#
# ---- Note: This config file is self-documented ----
# ---- just open it and read the comment ----
#
[general]
listen_addr = 127.0.0.1
listen_port = 7777
run_as_user = iredapd
run_as_daemon = yes
pid_file = /var/run/iredapd.pid
log_type = file
log_file = /var/log/iredapd.log
log_level = info
backend = ldap

[ldap]
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=iredmail,dc=org
bindpw = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
basedn = o=domains,dc=iredmail,dc=org

#
# ---- Enable plugin for mail list deliver restrictions ----
#
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
```
- Copy this file for the second iRedAPD daemon.
Terminal:
```
# cd /opt/iredapd/etc/
# cp iredapd.ini iredapd-rr.ini
# chown iredapd:iredapd iredapd-rr.ini
# chmod 0600 iredapd-rr.ini
```
- Change the values of the parameters below in iredapd-rr.ini:
File: /opt/iredapd/etc/iredapd-rr.ini
```
listen_port = 7778
pid_file = /var/run/iredapd-rr.pid
log_file = /var/log/iredapd-rr.log
plugins = ldap_recipient_restrictions
```
- Create log files:
Terminal:
```
#
# ---- On ALL OS ----
#
# touch /var/log/iredapd.log /var/log/iredapd-rr.log
# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log
```
- Make iRedAPD start when your server boots.
Terminal:
```
#
# ---- on RHEL/CentOS ----
#
# chkconfig --level 345 iredapd on
# chkconfig --level 345 iredapd-rr on

#
# ---- on Debian/Ubuntu ----
#
$ sudo update-rc.d iredapd defaults
$ sudo update-rc.d iredapd-rr defaults

#
# ---- on FreeBSD, please edit /etc/rc.conf, append below line ----
#
iredapd_enable='YES'
```
Start iRedAPD
Terminal:
```
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/iredapd start
# /etc/init.d/iredapd-rr start

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/iredapd start
# /usr/local/etc/rc.d/iredapd-rr start
```
Configure postfix
In the Postfix main.cf, modify the smtpd_recipient_restrictions and smtpd_sender_restrictions settings:
File: /etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD)
```
#
# ---- IMPORTANT NOTE ----
# ---- Apply the order of restriction rules STRICTLY ----
# ---- otherwise iRedAPD may not work as expected. ----
#
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    ...
```
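The order matters because Postfix evaluates a restriction list front to back and stops at the first entry that returns PERMIT or REJECT: a permit_mynetworks or permit_sasl_authenticated placed ahead of check_policy_service lets mail from those clients through without iRedAPD ever seeing it. The following is an added example, not part of the iRedMail guide or of iRedAPD, that parses a main.cf fragment and reports ordering mistakes against the layout shown above; the two main.cf fragments are constructed samples, and the helper names are my own.

```python
import re

def parse_main_cf(text):
    """Parse Postfix main.cf syntax: 'name = value' lines, where a line that
    starts with whitespace continues the previous value; '#' comment lines
    and blank lines are skipped."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is not None:
                params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params

def restrictions(value):
    """Tokenize a restriction list (comma or whitespace separated).
    check_policy_service takes the following token as its argument, so the
    two are kept together as one entry."""
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    entries, i = [], 0
    while i < len(tokens):
        if tokens[i] == "check_policy_service" and i + 1 < len(tokens):
            entries.append(tokens[i] + " " + tokens[i + 1])
            i += 2
        else:
            entries.append(tokens[i])
            i += 1
    return entries

# The two iRedAPD entries exactly as the guide writes them.
IREDAPD_RCPT = "check_policy_service inet:127.0.0.1:7777"
IREDAPD_SNDR = "check_policy_service inet:127.0.0.1:7778"

def check_iredapd_order(main_cf_text):
    """Return the list of ordering problems found; an empty list means the
    restriction lists follow the guide."""
    params = parse_main_cf(main_cf_text)
    problems = []

    rcpt = restrictions(params.get("smtpd_recipient_restrictions", ""))
    if IREDAPD_RCPT not in rcpt:
        problems.append("smtpd_recipient_restrictions: %s is missing" % IREDAPD_RCPT)
    else:
        pos = rcpt.index(IREDAPD_RCPT)
        for name in ("permit_mynetworks", "permit_sasl_authenticated",
                     "reject_unauth_destination"):
            # An entry that fires before the policy daemon ends evaluation,
            # so the mail it decides on never reaches iRedAPD.
            if name in rcpt and rcpt.index(name) < pos:
                problems.append("smtpd_recipient_restrictions: %s is listed before %s"
                                % (name, IREDAPD_RCPT))

    sndr = restrictions(params.get("smtpd_sender_restrictions", ""))
    if not sndr or sndr[0] != IREDAPD_SNDR:
        problems.append("smtpd_sender_restrictions: %s must be the first entry"
                        % IREDAPD_SNDR)
    return problems

# Constructed main.cf fragment that follows the guide.
GOOD_MAIN_CF = """
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    permit_mynetworks
"""

# Constructed fragment with the permit_* entries moved ahead of iRedAPD.
BAD_MAIN_CF = """
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:7777,
    reject_unauth_destination
smtpd_sender_restrictions =
    permit_mynetworks,
    check_policy_service inet:127.0.0.1:7778
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_MAIN_CF), ("bad", BAD_MAIN_CF)):
        print(label, check_iredapd_order(text) or "OK")
```

On a live server the same check can be fed the output of `postconf -n` instead of a pasted fragment, since that prints the effective `name = value` pairs in the syntax parsed here.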
- Restart Postfix to make it work.
Terminal:
```
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/postfix restart

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/postfix restart
```
Rotate log file with logrotate
Add a new file to logrotate to rotate the iRedAPD log file:
File: /etc/logrotate.d/iredapd
```
/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compress.
    compresscmd /usr/bin/bzip2
    uncompresscmd /usr/bin/bunzip2
    compressoptions -9
    compressext .bz2

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}
```
Available access policies
The access policies below are recognized in iRedAPD-1.3.4:
| Restriction | Comment | Value of attribute 'accessPolicy' in LDAP |
|---|---|---|
| Unrestricted | Email is unrestricted, which means everyone can mail to this address. | public |
| Domain Wide | Only users under same domain can send mail to this address. | domain |
| Domain and all sub-domains | Only users under same domain and sub-domains can send mail to this address. | subdomain |
| Members Only | Only members can send mail to this address | membersOnly |
| Moderators Only | Only moderators can send mail to this address | moderatorsOnly |
| Moderators Only | Only members and moderators can send mail to this address | membersAndModeratorsOnly |
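To show how the accessPolicy values in the table translate into a policy decision, here is an added example (my own code, not iRedAPD's ldap_maillist_access_policy plugin): it parses a request in the Postfix policy delegation format that the daemon on port 7777 receives from check_policy_service, looks the recipient up in a hand-constructed dictionary that stands in for the LDAP mail list entries, and answers with `action=DUNNO` (let later restrictions decide) or `action=REJECT`. The list addresses, members and moderators are constructed samples.

```python
# Constructed stand-in for the LDAP lookup: one entry per mail list, keyed
# by the list address, with its accessPolicy value from the table above.
LISTS = {
    "all@example.com": {"accessPolicy": "public", "members": [], "moderators": []},
    "staff@example.com": {"accessPolicy": "domain", "members": [], "moderators": []},
    "news@example.com": {"accessPolicy": "subdomain", "members": [], "moderators": []},
    "dev@example.com": {"accessPolicy": "membersOnly",
                        "members": ["alice@example.com", "bob@example.com"],
                        "moderators": []},
    "announce@example.com": {"accessPolicy": "moderatorsOnly",
                             "members": ["alice@example.com"],
                             "moderators": ["carol@example.com"]},
    "team@example.com": {"accessPolicy": "membersAndModeratorsOnly",
                         "members": ["alice@example.com"],
                         "moderators": ["carol@example.com"]},
}

def parse_policy_request(raw):
    """Parse one Postfix policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()

def allowed(sender, recipient):
    """True if `sender` may post to the mail list `recipient` under its accessPolicy."""
    entry = LISTS.get(recipient.lower())
    if entry is None:
        return True            # not a mail list we know about: nothing to enforce here
    policy = entry["accessPolicy"]
    sender = sender.lower()
    sdom, rdom = domain_of(sender), domain_of(recipient)
    if policy == "public":
        return True
    if policy == "domain":
        return sdom == rdom
    if policy == "subdomain":
        return sdom == rdom or sdom.endswith("." + rdom)
    members = [m.lower() for m in entry["members"]]
    moderators = [m.lower() for m in entry["moderators"]]
    if policy == "membersOnly":
        return sender in members
    if policy == "moderatorsOnly":
        return sender in moderators
    if policy == "membersAndModeratorsOnly":
        return sender in members or sender in moderators
    return False               # unknown accessPolicy value: fail closed

def policy_action(raw_request):
    """Answer a Postfix policy request with the action line Postfix expects."""
    req = parse_policy_request(raw_request)
    if req.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    sender, recipient = req.get("sender", ""), req.get("recipient", "")
    if not sender or not recipient:
        return "action=DUNNO"
    if allowed(sender, recipient):
        return "action=DUNNO"
    return "action=REJECT Not authorized to post to this mail list"

# Constructed sample request, in the attribute=value format Postfix sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=outsider@other.example\n"
    "recipient=announce@example.com\n"
    "\n"
)

if __name__ == "__main__":
    print(policy_action(SAMPLE_REQUEST))
```

A real policy server writes the action line followed by an empty line back on the same socket; the decision logic above is the part that the accessPolicy attribute controls.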
How to set per-user blacklist/whitelist
TIP:
- If you have iRedAdmin-Pro installed, you can manage it on the user profile page, under the Restrictions tab.
- If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.
How to write a sender or recipient address in a blacklist or whitelist:
- To bypass or block a single user, use the full email address, e.g. user@domain.ltd
- To bypass or block a whole domain, use @domain.ltd, e.g. @domain.ltd
- To bypass or block a domain and its sub-domains, use @.domain.ltd, e.g. @.domain.ltd
- Use @. to bypass or block all accounts.
- The whitelist has higher priority than the blacklist.
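The four address forms above, plus the whitelist-over-blacklist rule, make a small matching algorithm: an address is expanded into every pattern that could match it, from the exact address down to `@.`, and the whitelist is consulted before the blacklist. The following is an added example (my own code, not the block_amavisd_blacklisted_senders or ldap_recipient_restrictions plugin); the lists are constructed samples standing in for the per-user LDAP attributes.

```python
def candidate_patterns(addr):
    """All list entries that can match `addr`, most specific first.

    user@sub.example.com -> user@sub.example.com, @sub.example.com,
                            @.sub.example.com, @.example.com, @.com, @.
    """
    addr = addr.lower()
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return ["@."]          # no domain part: only the catch-all can match
    patterns = [addr, "@" + domain]
    labels = domain.split(".")
    # '@.domain.ltd' covers the domain and all its sub-domains, so every
    # parent domain of the address's domain is a candidate too.
    for i in range(len(labels)):
        patterns.append("@." + ".".join(labels[i:]))
    patterns.append("@.")
    return patterns

def matches(addr, rules):
    """Return the most specific rule in `rules` that matches `addr`, or None."""
    rules = {r.lower() for r in rules}
    for pat in candidate_patterns(addr):
        if pat in rules:
            return pat
    return None

def decide(addr, whitelist, blacklist):
    """'whitelist', 'blacklist' or None; the whitelist is checked first,
    so a whitelisted address inside a blacklisted domain is still allowed."""
    if matches(addr, whitelist):
        return "whitelist"
    if matches(addr, blacklist):
        return "blacklist"
    return None

# Constructed per-user lists: one partner contact is allowed even though the
# rest of that domain is blocked, and a spam source is blocked with all of
# its sub-domains.
WHITELIST = ["boss@partner.example", "@.example.com"]
BLACKLIST = ["@partner.example", "@.spammy.example"]

def policy_action(sender, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Action line for a sender, in the form a Postfix policy server returns."""
    if decide(sender, whitelist, blacklist) == "blacklist":
        return "action=REJECT Sender is blacklisted"
    return "action=DUNNO"

if __name__ == "__main__":
    for s in ("boss@partner.example", "sales@partner.example", "x@mail.spammy.example"):
        print(s, decide(s, WHITELIST, BLACKLIST), policy_action(s))
```

The same `decide` function serves both plugins: for the sender plugin the address checked is the envelope sender against the recipient's lists, for the recipient plugin it is the envelope recipient against the sender's lists.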
Troubleshooting & Debug
If iRedAPD doesn't work as expected, set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log. Then create a new forum topic and paste the log messages into it.
