From iRedMail

(Difference between revisions)

Jump to: navigation, search

Current revision as of 16:57, 2 March 2013

Summary & Feature List

iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
Currently, it works with both OpenLDAP and MySQL backend, but this installation guide is for OpenLDAP.
Plugin:
- ldap_maillist_access_policy: Check user's rights to post messages to mail list which builtin in iRedMail OpenLDAP solution.
- block_amavisd_blacklisted_senders: Used for per-user sender whitelist and blacklist.
- ldap_recipient_restrictions: Used for per-user recipient whitelist and blacklist.

How to manage it

iRedAdmin-Pro (full-featured edition) users can manage mail list deliver restrictions and per-user blacklist/whitelist directly.
If you didn't purchased iRedAdmin-Pro, you can also manage them with phpLDAPadmin.

Requirements

Python >= 2.4, core programming language.
Python-LDAP >= 2.3.7. An object-oriented API to access LDAP directory servers from Python programs.
iRedMail >= 0.5.0

Install iRedAPD

We will configure iRedAPD as two postfix policy daemons.

Daemon listen on port 7777: Used in postfix smtpd_recipient_restrictions, for mail list deliver restriction.
Daemon listen on port 7778: Used in postfix smtpd_sender_restrictions, for per-user blacklist and whitelist.

Create new user

We will run iRedAPD as a low privilege user for security reason.

Terminal:

#
# ---- On RHEL/CentOS ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd

Install required python modules

TIP: You can skip this step if you already have iRedAdmin installed.

Terminal:

#
# ---- on RHEL/CentOS ----
#
# yum install python-ldap

#
# ---- on Debian/Ubuntu ----
#
$ sudo apt-get install python-ldap

#
# ---- on FreeBSD ----
#
# cd /usr/ports/net/py-ldap2 && make install clean

Download and configure iRedAPD

Download iRedAPD from download page: http://www.iredmail.org/download.html#iredapd
Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.

Terminal:

#
# ---- Uncompress tarball, create symbol link ----
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
# chmod -R 0700 /opt/iRedAPD-x.y.z/
# chmod +x /opt/iredapd/src/iredapd.py

#
# ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
#
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr

#
# ---- Copy sample setting file ----
# ---- Note: We just copy one sample config file now ----
#
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
# chmod 0600 /opt/iredapd/etc/iredapd.ini

Open /opt/iredapd/etc/iredapd.ini and set correct values.

File: /opt/iredapd/etc/iredapd.ini

#
# ---- Note: This config file is self-documented ----
# ----       just open it and read the comment ----
#
[general]
listen_addr     = 127.0.0.1
listen_port     = 7777
run_as_user    = iredapd
run_as_daemon   = yes
pid_file        = /var/run/iredapd.pid
log_type        = file
log_file        = /var/log/iredapd.log
log_level       = info
backend = ldap

[ldap]
uri         = ldap://127.0.0.1:389
binddn      = cn=vmail,dc=iredmail,dc=org
bindpw      = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
basedn      = o=domains,dc=iredmail,dc=org

#
# ---- Enable plugin for mail list deliver restrictions ----
#
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders

Copy this file for another iRedAPD daemon.

Terminal:

# cd /opt/iredapd/etc/
# cp iredapd.ini iredapd-rr.ini
# chown iredapd:iredapd iredapd-rr.ini
# chmod 0600 iredapd-rr.ini

Change values of below parameters in iredapd-rr.ini:

File: /opt/iredapd/etc/iredpad-rr.ini

listen_port = 7778
pid_file        = /var/run/iredapd-rr.pid
log_file        = /var/log/iredapd-rr.log
plugins = ldap_recipient_restrictions

Create log files:

Terminal:

#
# ---- On ALL OS ----
#
# touch /var/log/iredapd.log /var/log/iredapd-rr.log
# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log

Make iRedAPD start when boot your server.

Terminal:

#
# ---- on RHEL/CentOS ----
#
# chkconfig --level 345 iredapd on
# chkconfig --level 345 iredapd-rr on

#
# ---- on Debian/Ubuntu ----
#
$ sudo update-rc.d iredapd defaults
$ sudo update-rc.d iredapd-rr defaults

#
# ---- on FreeBSD, please edit /etc/rc.conf, append below line ----
#
iredapd_enable='YES'

Start iRedAPD

Terminal:

#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/iredapd start
# /etc/init.d/iredapd-rr start

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/iredapd start
# /usr/local/etc/rc.d/iredapd-rr start

Configure postfix

In postfix main.cf, modify smtpd_recipient_restrictions setting:

File: /etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD)

#
# ---- IMPORTANT NOTE ----
# ---- Apply the order of restriction rules STRICTLY ----
# ---- otherwise iRedAPD may not work as expected. ----
#
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    ...

Restart postfix to make it work.

Terminal:

#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/postfix restart

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/postfix restart

Rotate log file with logrotate

Add new file in logrotate to rotate iRedAPD log file:

File: /etc/logrotate.d/iredapd

/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compress.
    compresscmd /usr/bin/bzip2
    uncompresscmd /usr/bin/bunzip2
    compressoptions -9
    compressext .bz2 

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}

Available access policies

Below access policies are recognized in iRedAPD-1.3.4:

Restriction	Comment	Value of attribute 'accessPolicy' in LDAP
Unrestricted	Email is unrestricted, which means everyone can mail to this address.	public
Domain Wide	Only users under same domain can send mail to this address.	domain
Domain and all sub-domains	Only users under same domain and sub-domains can send mail to this address.	subdomain
Members Only	Only members can send mail to this address	membersOnly
Moderators Only	Only moderators can send mail to this address	moderatorsOnly
Moderators Only	Only members and moderators can send mail to this address	membersAndModeratorsOnly

How to set per-user blacklist/whitelist

TIP:

If you have iRedAdmin-Pro installed, you can manage it in user profile page, under tab Restrictions.
If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.

How to set blacklist and whitelist sender or recipient address:

To bypass or block a single user, use full email address. e.g. user@domain.ltd
To bypass or block whole domain, use @domain.ltd. e.g. @domain.ltd
To bypass or block a domain and its sub-domains, use @.domain.ltd. e.g. @.domain.ltd
Use @. to bypass or block all accounts.
Whitelist has higher priority than blacklist.

Troubleshooting & Debug

If iRedAPD doesn't work as expected, you can simplily set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic and paste log message in forum topic.

Install/iRedAPD/OpenLDAP

From iRedMail

Current revision as of 16:57, 2 March 2013

Contents

Summary & Feature List

How to manage it

Requirements

Install iRedAPD

Create new user

Install required python modules

Download and configure iRedAPD

Start iRedAPD

Configure postfix

Rotate log file with logrotate

Available access policies

How to set per-user blacklist/whitelist

Troubleshooting & Debug

Views

Personal tools

Navigation

Search

Toolbox

@@ Line 1: / Line 1: @@
-TO BE CONTINUED
+__TOC__
+NOTE: This installation guide is for '''iRedAPD-1.3.8''' and earlier versions, please check the latest installation guide here: [https://bitbucket.org/zhb/iredapd/src/default/README.md?at=default Install the latest iRedAPD].
 = Summary & Feature List =
 * iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
-* Currently, it works with only OpenLDAP, but is easy to make it support MySQL with plugins.
+* Currently, it works with both OpenLDAP and MySQL backend, but this installation guide is for OpenLDAP.
-* Plugin: check user's rights to post messages to LDAP buildin mail list.
+* Plugin:
+** '''ldap_maillist_access_policy''': Check user's rights to post messages to mail list which builtin in iRedMail OpenLDAP solution.
+** '''block_amavisd_blacklisted_senders''': Used for per-user sender whitelist and blacklist.
+** '''ldap_recipient_restrictions''': Used for per-user recipient whitelist and blacklist.
+= How to manage it =
+* iRedAdmin-Pro (full-featured edition) users can manage [http://screenshots.iredmail.googlecode.com/hg/iredadmin/maillist_profile_general.png mail list deliver restrictions] and [http://screenshots.iredmail.googlecode.com/hg/iredadmin/user_profile_restrictions.png per-user blacklist/whitelist] directly.
+* If you didn't purchased iRedAdmin-Pro, you can also manage them with phpLDAPadmin.
 = Requirements =
@@ Line 12: / Line 23: @@
 = Install iRedAPD =
+We will configure iRedAPD as two postfix policy daemons.
+* Daemon listen on port '''7777''': Used in postfix '''smtpd_recipient_restrictions''', for mail list deliver restriction.
+* Daemon listen on port '''7778''': Used in postfix '''smtpd_sender_restrictions''', for per-user blacklist and whitelist.
+== Create new user ==
+We will run iRedAPD as a low privilege user for security reason.
+{{cmd|<pre>
+#
+# ---- On RHEL/CentOS ----
+#
+# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd
+#
+# ---- On Debian/Ubuntu ----
+#
+# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd
+#
+# ---- On FreeBSD ----
+#
+# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd
+</pre>}}
 == Install required python modules ==
@@ Line 36: / Line 72: @@
 * Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.
 {{cmd|<pre>
+#
+# ---- Uncompress tarball, create symbol link ----
 # tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
 # ln -s /opt/iRedAPD-x.y.z /opt/iredapd
+# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
+# chmod -R 0700 /opt/iRedAPD-x.y.z/
 # chmod +x /opt/iredapd/src/iredapd.py
+#
 # ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
+#
 # cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
-# chmod +x /etc/init.d/iredapd
+# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
+# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr
+#
 # ---- Copy sample setting file ----
+# ---- Note: We just copy one sample config file now ----
+#
 # cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
+# chmod 0600 /opt/iredapd/etc/iredapd.ini
 </pre>}}
 * Open /opt/iredapd/etc/iredapd.ini and set correct values.
 {{cfg|/opt/iredapd/etc/iredapd.ini|<pre>
+#
+# ---- Note: This config file is self-documented ----
+# ----       just open it and read the comment ----
+#
 [general]
-# Listen address and port.
 listen_addr     = 127.0.0.1
 listen_port     = 7777
+run_as_user    = iredapd
-# Background/daemon mode: yes, no.
 run_as_daemon   = yes
-# Path to pid file.
 pid_file        = /var/run/iredapd.pid
-# Log type: file.
 log_type        = file
 log_file        = /var/log/iredapd.log
-# Log level: info, warning, error, debug.
-# 'info' is recommended for product use.
 log_level       = info
+backend = ldap
 [ldap]
-# LDAP server setting.
-# Uri must starts with ldap:// or ldaps:// (TLS/SSL).
-#
-# Tip: You can get binddn, bindpw from /etc/postfix/ldap_*.cf.
-#
 uri         = ldap://127.0.0.1:389
 binddn      = cn=vmail,dc=iredmail,dc=org
-bindpw      = 5NC4VyRJdws3ounpcKJw9zXu0B8ou6
+bindpw      = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
 basedn      = o=domains,dc=iredmail,dc=org
-# Enabled plugins.
+#
-plugins     = ldap_maillist_access_policy
+# ---- Enable plugin for mail list deliver restrictions ----
+#
+plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
+</pre>}}
+* Copy this file for another iRedAPD daemon.
+{{cmd|<pre>
+# cd /opt/iredapd/etc/
+# cp iredapd.ini iredapd-rr.ini
+# chown iredapd:iredapd iredapd-rr.ini
+# chmod 0600 iredapd-rr.ini
+</pre>}}
+* Change values of below parameters in '''iredapd-rr.ini''':
+{{cfg|/opt/iredapd/etc/iredpad-rr.ini|<pre>
+listen_port = 7778
+pid_file        = /var/run/iredapd-rr.pid
+log_file        = /var/log/iredapd-rr.log
+plugins = ldap_recipient_restrictions
+</pre>}}
+* Create log files:
+{{cmd|<pre>
+#
+# ---- On ALL OS ----
+#
+# touch /var/log/iredapd.log /var/log/iredapd-rr.log
+# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log
 </pre>}}
@@ Line 90: / Line 155: @@
 #
 # chkconfig --level 345 iredapd on
+# chkconfig --level 345 iredapd-rr on
 #
 # ---- on Debian/Ubuntu ----
 #
-$ update-rc.d iredapd defaults
+$ sudo update-rc.d iredapd defaults
+$ sudo update-rc.d iredapd-rr defaults
 #
@@ Line 102: / Line 169: @@
 </pre>}}
-* Start iRedAPD now.
+== Start iRedAPD ==
 {{cmd|<pre>
 #
@@ Line 108: / Line 175: @@
 #
 # /etc/init.d/iredapd start
+# /etc/init.d/iredapd-rr start
 #
@@ Line 113: / Line 181: @@
 #
 # /usr/local/etc/rc.d/iredapd start
+# /usr/local/etc/rc.d/iredapd-rr start
 </pre>}}
 = Configure postfix =
 In postfix main.cf, modify smtpd_recipient_restrictions setting:
-{{cfg|/etc/postfix/main.cf|<pre>
+{{cfg|/etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD)|<pre>
+#
+# ---- IMPORTANT NOTE ----
+# ---- Apply the order of restriction rules STRICTLY ----
+# ---- otherwise iRedAPD may not work as expected. ----
+#
 smtpd_recipient_restrictions =
      ...
@@ Line 124: / Line 198: @@
      permit_sasl_authenticated,
      reject_unauth_destination,
+    ...
+smtpd_sender_restrictions =
+    check_policy_service inet:127.0.0.1:7778,
      ...
 </pre>}}
@@ Line 140: / Line 218: @@
 </pre>}}
-= Available access policy levels=
+= Rotate log file with logrotate =
+Add new file in logrotate to rotate iRedAPD log file:
+{{cfg|/etc/logrotate.d/iredapd|<pre>
+/var/log/iredapd.log {
+    compress
+    daily
+    rotate 30
+    missingok
-There're four default policy rules for mail list:
+    # Use bzip2 for compress.
+    compresscmd /usr/bin/bzip2
+    uncompresscmd /usr/bin/bunzip2
+    compressoptions -9
+    compressext .bz2
+    # Used on RHEL/CentOS.
+    postrotate
+        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
+    endscript
+    # Used on Ubuntu.
+    #postrotate
+    #    invoke-rc.d sysklogd reload > /dev/null
+    #endscript
+}
+</pre>}}
+= Available access policies =
+Below access policies are recognized in iRedAPD-1.3.4:
 <table border="1">
 <tr>
-     <td>Restriction</td>
+     <th>Restriction</th>
-     <td>Comment</td>
+     <th>Comment</th>
-     <td>Value of attribute 'accessPolicy' in LDAP</td>
+     <th>Value of attribute 'accessPolicy' in LDAP</th>
 </tr>
@@ Line 154: / Line 259: @@
      <td>Email is unrestricted, which means everyone can mail to this address.</td>
      <td>public</td>
+</tr>
+<tr>
+  <td>Domain Wide</td>
+  <td>Only users under same domain can send mail to this address.</td>
+  <td>domain</td>
+</tr>
+<tr>
+  <td>Domain and all sub-domains</td>
+  <td>Only users under same domain and sub-domains can send mail to this address.</td>
+  <td>subdomain</td>
+</tr>
+<tr>
+  <td>Members Only</td>
+  <td>Only members can send mail to this address</td>
+  <td>membersOnly</td>
+</tr>
+<tr>
+  <td>Moderators Only</td>
+  <td>Only moderators can send mail to this address</td>
+  <td>moderatorsOnly</td>
+</tr>
+<tr>
+  <td>Moderators Only</td>
+  <td>Only members and moderators can send mail to this address</td>
+  <td>membersAndModeratorsOnly</td>
 </tr>
 </table>
-Domain Wide. Only users under same domain can send mail to this address. Value of accessPolicy is domain.
-Members Only. Only members can send mail to this address. Value of accessPolicy is membersOnly.
+= How to set per-user blacklist/whitelist =
-Moderators Only. Only moderators can send mail to this address. Value of accessPolicy is allowedOnly.
-You can manage access policy levels directly with iRedAdmin (full-featured edition). View screenshots here.
+TIP:
-You can set different access level with phpLDAPadmin.
+* If you have iRedAdmin-Pro installed, you can manage it in user profile page, under tab '''Restrictions'''.
-Troubleshooting & Debug
+* If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.
-If iRedAPD doesn't work as expected, you can simplily set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic and paste log message in forum topic.
+How to set blacklist and whitelist sender or recipient address:
+* To bypass or block a single user, use full email address. e.g. '''user@domain.ltd'''
+* To bypass or block whole domain, use @domain.ltd. e.g. '''@domain.ltd'''
+* To bypass or block a domain and its sub-domains, use @.domain.ltd. e.g. '''@.domain.ltd'''
+* Use '''@.''' to bypass or block all accounts.
+* Whitelist has higher priority than blacklist.
+= Troubleshooting & Debug =
+If iRedAPD doesn't work as expected, you can simplily set 'log_level = debug' in '''/opt/iredapd/etc/iredapd.ini''', restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic and paste log message in forum topic.