Install/iRedAPD/MySQL

From iRedMail


Revision as of 00:40, 16 June 2012


Summary & Feature List

  • iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
  • Currently, it works with both the OpenLDAP and the MySQL backend.

Available plugins:

  Plugin name                  Description                        Backend
  ldap_maillist_access_policy  Used to restrict mail list access  OpenLDAP
  sql_alias_access_policy      Used to restrict alias access      MySQL

Requirements

  • Python >= 2.4, the core programming language.
  • Python-MySQLdb, the Python DB API 2.0 interface to MySQL.
  • web.py >= 0.3.0, a web framework for Python that is as simple as it is powerful.
  • DBUtils, a suite of tools providing solid, persistent and pooled connections to a database.
  • iRedMail: All iRedMail versions should work as expected.

Alter MySQL Table

Plugin sql_alias_access_policy requires two additional columns in the vmail.alias table, used to store the access policy and the addresses of the moderators.

Terminal:
mysql> USE vmail;
mysql> ALTER TABLE alias ADD COLUMN accesspolicy VARCHAR(30) NOT NULL DEFAULT '';
mysql> ALTER TABLE alias ADD COLUMN moderators TEXT NOT NULL DEFAULT '';

Create new user

We will run iRedAPD as a low-privilege user for security reasons.

Terminal:
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd

Install required python modules

  • on RHEL/CentOS:
Terminal:
# yum install MySQL-python python-setuptools
# easy_install web.py DBUtils
  • on Debian/Ubuntu:
Terminal:
$ sudo apt-get install python-setuptools python-mysqldb
$ sudo easy_install web.py DBUtils
  • on FreeBSD:
Terminal:
# cd /usr/ports/databases/py-MySQLdb
# make install clean

# cd /usr/ports/www/webpy/
# make install clean

# cd /usr/ports/databases/py-dbutils/
# make install clean

Download and configure iRedAPD

  • Download iRedAPD from the download page (http://www.iredmail.org/download.html#iredapd).
  • Copy iRedAPD to /opt/, set the correct file permissions, and create a symbolic link.
Terminal:
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chmod +x /opt/iredapd/src/iredapd.py
  • Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD):
Terminal:
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# chmod +x /etc/init.d/iredapd
  • Copy the sample settings file:
Terminal:
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
  • Open /opt/iredapd/etc/iredapd.ini and set the correct values:
File: /opt/iredapd/etc/iredapd.ini
[general]
# Listen address and port.
listen_addr     = 127.0.0.1
listen_port     = 7777

run_as_user     = iredapd

# Background/daemon mode: yes, no.
run_as_daemon   = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, warning, error, debug.
# 'info' is recommended for production use.
log_level       = info

# Backend: ldap, mysql.
backend     = mysql

[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = Psaf68wsuVctYSbj4PJzRqmFsE0rlQ
alias_table = alias

# Enabled plugins.
plugins = sql_alias_access_policy
  • Start iRedAPD now.
Terminal:
# /etc/init.d/iredapd start
  • Make iRedAPD start when your server boots.
    • on RHEL/CentOS:
Terminal:
# chkconfig --level 345 iredapd on
    • on Debian/Ubuntu:
Terminal:
$ update-rc.d iredapd defaults
    • on FreeBSD, append the line below to /etc/rc.conf:
File: /etc/rc.conf
iredapd_enable='YES'

Configure postfix

  • Modify the smtpd_recipient_restrictions setting in /etc/postfix/main.cf by inserting the check_policy_service line shown below, ahead of the permit_* entries (Postfix does not treat a trailing # as a comment, so do not add inline annotations to main.cf):
File: /etc/postfix/main.cf
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...
  • Restart Postfix to apply the change.
Terminal:
# /etc/init.d/postfix restart

Rotate log file with logrotate

Add a new logrotate file to rotate the iRedAPD log file:

File: /etc/logrotate.d/iredapd
/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compression.
    compresscmd /usr/bin/bzip2
    uncompresscmd /usr/bin/bunzip2
    compressoptions -9
    compressext .bz2

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}

Available access policies

The access policies below are recognized in iRedAPD-1.3.4:

  Restriction                  Comment                                                                          Value of column 'alias.accesspolicy'
  Unrestricted                 Email is unrestricted, which means everyone can mail to this address.            public
  Domain Wide                  Only users in the same domain can send mail to this address.                     domain
  Domain and all sub-domains   Only users in the same domain and its sub-domains can send mail to this address. subdomain
  Members Only                 Only members can send mail to this address.                                      membersOnly
  Moderators Only              Only moderators can send mail to this address.                                   moderatorsOnly
  Members and Moderators Only  Only members and moderators can send mail to this address.                       membersAndModeratorsOnly

Add moderators for mail alias

To add moderators for a mail alias, list the email addresses of the moderators in the SQL column moderators; multiple addresses must be separated by commas. For example:

Terminal:
sql> UPDATE alias SET moderators='user1@domain.ltd' WHERE address='myalias01@domain.ltd';
sql> UPDATE alias SET moderators='user1@domain.ltd,user2@domain.ltd,user3@domain.ltd' WHERE address='myalias02@domain.ltd';
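The following is an added example, not iRedAPD's own code. It ties together the Postfix configuration above (check_policy_service), the table of access policies, and the comma-separated moderators column: a minimal policy server that reads one request in the format Postfix sends to a check_policy_service (name=value lines ended by an empty line), applies the six accesspolicy values to the sender/recipient pair, and replies with an "action=" line. The alias rows, the sample request, and the column name goto used for alias members are constructed for the example; the page does not show the rest of the alias table, so goto is an assumption.

```python
"""Added example of an iRedAPD-style access policy check for Postfix.

Not iRedAPD's own code. It mimics the check_policy_service exchange and
applies the 'alias.accesspolicy' values public, domain, subdomain,
membersOnly, moderatorsOnly and membersAndModeratorsOnly. Members are
read from a column named 'goto' here; that column name is an assumption.
"""

# Constructed stand-in for rows of the vmail.alias table (address -> row).
ALIASES = {
    "open@example.com": {
        "accesspolicy": "public", "goto": "a@example.com", "moderators": ""},
    "staff@example.com": {
        "accesspolicy": "domain", "goto": "a@example.com", "moderators": ""},
    "everyone@example.com": {
        "accesspolicy": "subdomain", "goto": "a@example.com", "moderators": ""},
    "team@example.com": {
        "accesspolicy": "membersOnly",
        "goto": "a@example.com,b@example.com", "moderators": ""},
    "announce@example.com": {
        "accesspolicy": "moderatorsOnly",
        "goto": "a@example.com", "moderators": "boss@example.com"},
    "dev@example.com": {
        "accesspolicy": "membersAndModeratorsOnly",
        "goto": "a@example.com",
        "moderators": "boss@example.com,lead@example.com"},
}

REJECT = "REJECT Not authorized"


def split_addresses(column):
    """Turn a comma-separated column value into a set of lowercase addresses."""
    return {a.strip().lower() for a in column.split(",") if a.strip()}


def domain_of(address):
    """Domain part of an address; '' for the null sender used by bounces."""
    return address.lower().rpartition("@")[2]


def access_policy(sender, recipient, row):
    """Apply one alias row's accesspolicy to a sender.

    'DUNNO' lets Postfix continue with the next restriction in
    smtpd_recipient_restrictions; a REJECT stops the RCPT command.
    """
    sender = sender.lower()
    policy = row["accesspolicy"]
    members = split_addresses(row["goto"])
    moderators = split_addresses(row["moderators"])
    sdom, rdom = domain_of(sender), domain_of(recipient)

    if policy == "domain":
        allowed = sdom == rdom
    elif policy == "subdomain":
        allowed = sdom == rdom or sdom.endswith("." + rdom)
    elif policy == "membersOnly":
        allowed = sender in members
    elif policy == "moderatorsOnly":
        allowed = sender in moderators
    elif policy == "membersAndModeratorsOnly":
        allowed = sender in members or sender in moderators
    else:
        # 'public' and the column DEFAULT '' mean unrestricted. An unknown
        # value is treated the same way here; a real deployment should log
        # it, since a typo in the column silently removes the restriction.
        allowed = True
    return "DUNNO" if allowed else REJECT


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines, ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def handle_request(raw):
    """Answer one request the way a check_policy_service server must."""
    attrs = parse_policy_request(raw)
    action = "DUNNO"
    # Only RCPT-stage smtpd requests are judged; everything else passes through.
    if (attrs.get("request") == "smtpd_access_policy"
            and attrs.get("protocol_state") == "RCPT"):
        recipient = attrs.get("recipient", "").lower()
        row = ALIASES.get(recipient)
        if row is not None:  # recipient is an alias with a policy row
            action = access_policy(attrs.get("sender", ""), recipient, row)
    return "action=%s\n\n" % action


# Constructed request in the format Postfix sends to check_policy_service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=203.0.113.7\n"
    "sender=outsider@example.net\n"
    "recipient=team@example.com\n"
    "\n"
)

if __name__ == "__main__":
    print(handle_request(SAMPLE_REQUEST), end="")
```

Because the check_policy_service line sits before permit_mynetworks and permit_sasl_authenticated in the main.cf snippet above, authenticated and local senders are judged by the same policy as outside senders; the sample request from outsider@example.net to the membersOnly alias team@example.com is therefore rejected, while a member of the alias gets DUNNO and Postfix moves on to the next restriction.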

Troubleshooting & Debug

If iRedAPD doesn't work as expected, simply set log_level = debug in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log; then create a new topic in the iRedMail forum (http://www.iredmail.org/forum/) and paste the log messages there.
