From iRedMail
Summary & Feature List
- iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
- Currently, it works with OpenLDAP, MySQL and PostgreSQL backends.
Available Plugins
| Plugin name
| Description
| Backend
|
| ldap_maillist_access_policy
| Used to restrict mail list access
| OpenLDAP
|
| sql_alias_access_policy
| Used to restrict alias access
| MySQL
|
Requirements
- iRedMail: All iRedMail versions should work as expected.
- Python >= 2.4, core programming language.
- Python-MySQLdb, is the Python DB API-2.0 interface.
- web.py >= 0.3.5, a web framework for python that is as simple as it is powerful.
Create new user
We will run iRedAPD as a low privilege user for security reason.
| Terminal:
|
#
# ---- On RHEL/CentOS/Debian/Ubuntu/OpenBSD ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd
#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd
|
Install required python modules
| Terminal:
|
# yum install MySQL-python python-setuptools
# easy_install web.py
|
| Terminal:
|
$ sudo apt-get install python-setuptools python-mysqldb
$ sudo easy_install web.py
|
| Terminal:
|
# cd /usr/ports/databases/py-MySQLdb
# make install clean
# cd /usr/ports/www/webpy/
# make install clean
|
Download and configure iRedAPD
- Download iRedAPD from Download page.
- Copy iRedAPD to /opt/, set correct file permissions, and create symbol link.
| Terminal:
|
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
|
- Copy RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD). Note: We have RC script for different Linux/BSD distributions, please copy the one matches your distribution.
| Terminal:
|
# cp /opt/iredapd/rc_scripts/iredapd.rhel /etc/init.d/iredapd
# chmod +x /etc/init.d/iredapd
|
- Copy sample setting file and set correct file permission:
| Terminal:
|
# cp /opt/iredapd/settings.py.sample /opt/iredapd/settings.py
# chown iredapd:iredapd /opt/iredapd/settings.py
# chmod 0500 /opt/iredapd/settings.py
|
Warning: settings.py contains LDAP/SQL username and password, please don't make it world readable.
- Open /opt/iredapd/settings.py and set correct values:
| File: /opt/iredapd/settings.py
|
# Listen address and port.
listen_address = "127.0.0.1"
listen_port = "7777"
# Daemon user.
run_as_user = "iredapd"
# Path to pid file.
pid_file = "/var/run/iredapd.pid"
# Log type: file.
log_file = "/var/log/iredapd.log"
# Log level: info, warning, error, debug.
# 'info' is recommended for product use.
log_level = "info"
# Backend: ldap, mysql, pgsql.
backend = "ldap"
# Enabled plugins.
plugins = ["sql_alias_access_policy"]
# For MySQL and PostgreSQL backends.
server = "127.0.0.1"
db = "vmail"
user = "vmail"
password = "Psaf68wsuVctYSbj4PJzRqmFsE0rlQ"
|
| Terminal:
|
# /etc/init.d/iredapd start
|
- Make iRedAPD start when boot your server.
| Terminal:
|
# chkconfig --level 345 iredapd on
|
| Terminal:
|
$ update-rc.d iredapd defaults
|
- on FreeBSD, you should append below line to /etc/rc.conf:
| File: /etc/rc.conf
|
iredapd_enable='YES'
|
- on OpenBSD, you should append below line to /etc/rc.conf.local:
| File: /etc/rc.conf.local
|
iredapd_flags='YES'
|
Configure postfix
- Modify postfix setting smtpd_recipient_restrictions setting in /etc/postfix/main.cf:
| File: /etc/postfix/main.cf
|
smtpd_recipient_restrictions =
...
check_policy_service inet:127.0.0.1:7777, # <-- Insert this line
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
...
|
- Restart postfix to make it work.
| Terminal:
|
# /etc/init.d/postfix restart
|
Rotate log file with logrotate
Add new file in logrotate to rotate iRedAPD log file:
| File: /etc/logrotate.d/iredapd
|
/var/log/iredapd.log {
compress
daily
rotate 30
missingok
# Use bzip2 for compress.
compresscmd /usr/bin/bzip2
uncompresscmd /usr/bin/bunzip2
compressoptions -9
compressext .bz2
# Used on RHEL/CentOS.
postrotate
/bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
endscript
# Used on Ubuntu.
#postrotate
# invoke-rc.d sysklogd reload > /dev/null
#endscript
}
|
Available access policies
Below access policies are recognized in iRedAPD-1.3.4:
| Restriction |
Comment |
Value of column 'alias.accesspolicy' |
| Unrestricted |
Email is unrestricted, which means everyone can mail to this address. |
public |
| Domain Wide |
Only users under same domain can send mail to this address. |
domain |
| Domain and all sub-domains |
Only users under same domain and sub-domains can send mail to this address. |
subdomain |
| Members Only |
Only members can send mail to this address |
membersOnly |
| Moderators Only |
Only moderators can send mail to this address |
moderatorsOnly |
| Moderators Only |
Only members and moderators can send mail to this address |
membersAndModeratorsOnly |
Add moderators for mail alias
To add moderators for certain mail alias, just list all email addresses of moderators in SQL column moderators, multiple addresses must be separated by comma. For example:
| Terminal:
|
sql> UPDATE alias SET moderators='user1@domain.ltd' WHERE address='myalias01@domain.ltd';
sql> UPDATE alias SET moderators='user1@domain.ltd,user2@domain.ltd,user3@domain.ltd' WHERE address='myalias02@domain.ltd';
|
Troubleshooting & Debug
If iRedAPD doesn't work as expected, you can simplily set log_level = debug in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, create a new forum topic in iRedMail forum and paste log message in forum topic.
