From iRedMail

(Difference between revisions)

Revision as of 12:49, 22 July 2010

Summary & Feature List

iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
Currently, it works with both OpenLDAP and MySQL backend.

Available Plugins
Plugin name	Description	Backend
ldap_maillist_access_policy	Used to restrict mail list access	OpenLDAP
sql_alias_access_policy	Used to restrict alias access	MySQL

Requirements

Python >= 2.4, core programming language.
Python-MySQLdb, is the Python DB API-2.0 interface.
web.py >= 0.3.0, a web framework for python that is as simple as it is powerful.
DBUtils, is a suite of tools providing solid, persistent and pooled connections to a database.
iRedMail: All iRedMail versions should work as expected.

Alter MySQL Table

Plugin sql_alias_access_policy requires two more columns in vmail.alias table, used to store access policy and addresses of moderators.

Terminal:

mysql> USE vmail;
mysql> ALTER TABLE alias ADD COLUMN accesspolicy VARCHAR(30) NOT NULL DEFAULT '';
mysql> ALTER TABLE alias ADD COLUMN moderators TEXT NOT NULL DEFAULT '';

Create new user

We will run iRedAPD as a low privilege user for security reason.

Terminal:

#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd

Install required python modules

on RHEL/CentOS:

Terminal:

# yum install MySQL-python python-setuptools
# easy_install web.py DBUtils

on Debian/Ubuntu:

Terminal:

$ sudo apt-get install python-setuptools python-mysqldb
$ sudo easy_install web.py DButils

on FreeBSD:

Terminal:

# cd /usr/ports/databases/py-MySQLdb
# make install clean

# cd /usr/ports/www/webpy/
# make install clean

# cd /usr/ports/databases/py-dbutils/
# make install clean

Download and configure iRedAPD

Download iRedAPD from download page.
Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.

Terminal:

# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chmod +x /opt/iredapd/src/iredapd.py

Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD):

Terminal:

# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# chmod +x /etc/init.d/iredapd

Copy sample setting file:

Terminal:

# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini

Open /opt/iredapd/etc/iredapd.ini and set correct values:

File: /opt/iredapd/etc/iredapd.ini

[general]
# Listen address and port.
listen_addr     = 127.0.0.1
listen_port     = 7777

# Background/daemon mode: yes, no.
run_as_daemon   = yes

# Path to pid file.
pid_file        = /var/run/iredapd.pid

# Log type: file.
log_type        = file
log_file        = /var/log/iredapd.log

# Log level: info, warning, error, debug.
# 'info' is recommended for product use.
log_level       = info

# Backend: ldap, mysql.
backend     = mysql

[mysql]
# For MySQL backend only.
server      = 127.0.0.1
db          = vmail
user        = vmail
password    = Psaf68wsuVctYSbj4PJzRqmFsE0rlQ
alias_table = alias

# Enabled plugins.
plugins = sql_alias_access_policy

Start iRedAPD now.

Terminal:

# /etc/init.d/iredapd start

Make iRedAPD start when boot your server.
- on RHEL/CentOS:

Terminal:

# chkconfig --level 345 iredapd on

- on Debian/Ubuntu:

Terminal:

$ update-rc.d iredapd defaults

- on FreeBSD, you should append below line to /etc/rc.conf:

File: /etc/rc.conf

iredapd_enable='YES'

Configure postfix

Modify postfix setting smtpd_recipient_restrictions setting in /etc/postfix/main.cf:

File: /etc/postfix/main.cf

smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,     # <-- Insert this line
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

Restart postfix to make it work.

Terminal:

# /etc/init.d/postfix restart

Rotate log file with logrotate

Add new file in logrotate to rotate iRedAPD log file:

File: /etc/logrotate.d/iredapd

/var/log/mail.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compress.
    compresscmd /bin/bzip2
    uncompresscmd /bin/bunzip2
    compressoptions -9
    compressext .bz2 

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}

Available access policy levels

There're five default policy rules for mail alias:

Policy	Description	Value of column 'accesspolicy'
Unrestricted	Email is unrestricted, which means everyone can mail to this address.	public
Domain Wide	Only users under same domain can send mail to this address.	domain
Members Only	Only members can send mail to this address.	membersOnly
Moderators Only	Only moderators can send mail to this address.	moderatorsOnly
Members and Moderators Only	Only members and moderators can send mail to this address.	membersAndModeratorsOnly

Note: Value of column 'accesspolicy' is case-insensitive.

Troubleshooting & Debug

If iRedAPD doesn't work as expected, you can simplily set log_level = debug in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic in iRedMail forum and paste log message in forum topic.

Install/iRedAPD/MySQL

From iRedMail

Revision as of 12:49, 22 July 2010

Contents

Summary & Feature List

Requirements

Alter MySQL Table

Create new user

Install required python modules

Download and configure iRedAPD

Configure postfix

Rotate log file with logrotate

Available access policy levels

Troubleshooting & Debug

Views

Personal tools

Navigation

Search

Toolbox