Install/iRedAPD/OpenLDAP


Latest revision as of 10:57, 2 March 2013

NOTE: This installation guide is for iRedAPD-1.3.8 and earlier versions. For newer versions, please check the latest installation guide here: Install the latest iRedAPD.

Summary & Feature List

  • iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
  • Currently it works with both the OpenLDAP and MySQL backends, but this installation guide is for OpenLDAP.
  • Plugins:
    • ldap_maillist_access_policy: Checks a user's right to post messages to a mail list (the mail lists built in to the iRedMail OpenLDAP solution).
    • block_amavisd_blacklisted_senders: Used for per-user sender whitelists and blacklists.
    • ldap_recipient_restrictions: Used for per-user recipient whitelists and blacklists.

How to manage it

Requirements

  • Python >= 2.4, the core programming language.
  • Python-LDAP >= 2.3.7, an object-oriented API for accessing LDAP directory servers from Python programs.
  • iRedMail >= 0.5.0

Install iRedAPD

We will configure iRedAPD as two Postfix policy daemons:

  • Daemon listening on port 7777: used in Postfix smtpd_recipient_restrictions, for mail list delivery restrictions.
  • Daemon listening on port 7778: used in Postfix smtpd_sender_restrictions, for per-user blacklists and whitelists.

Create new user

We will run iRedAPD as a low-privilege user for security reasons.

Terminal:
#
# ---- On RHEL/CentOS ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd

#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd

Install required python modules

TIP: You can skip this step if you already have iRedAdmin installed.

Terminal:
#
# ---- on RHEL/CentOS ----
#
# yum install python-ldap

#
# ---- on Debian/Ubuntu ----
#
$ sudo apt-get install python-ldap

#
# ---- on FreeBSD ----
#
# cd /usr/ports/net/py-ldap2 && make install clean

Download and configure iRedAPD

Terminal:
#
# ---- Uncompress tarball, create symbol link ----
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
# chmod -R 0700 /opt/iRedAPD-x.y.z/
# chmod +x /opt/iredapd/src/iredapd.py

#
# ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
#
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr

#
# ---- Copy sample setting file ----
# ---- Note: We just copy one sample config file now ----
#
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
# chmod 0600 /opt/iredapd/etc/iredapd.ini
  • Open /opt/iredapd/etc/iredapd.ini and set correct values.
File: /opt/iredapd/etc/iredapd.ini
#
# ---- Note: This config file is self-documented ----
# ----       just open it and read the comment ----
#
[general]
listen_addr     = 127.0.0.1
listen_port     = 7777
run_as_user    = iredapd
run_as_daemon   = yes
pid_file        = /var/run/iredapd.pid
log_type        = file
log_file        = /var/log/iredapd.log
log_level       = info
backend = ldap

[ldap]
uri         = ldap://127.0.0.1:389
binddn      = cn=vmail,dc=iredmail,dc=org
bindpw      = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
basedn      = o=domains,dc=iredmail,dc=org

#
# ---- Enable plugin for mail list deliver restrictions ----
#
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
  • Copy this file for the second iRedAPD daemon.
Terminal:
# cd /opt/iredapd/etc/
# cp iredapd.ini iredapd-rr.ini
# chown iredapd:iredapd iredapd-rr.ini
# chmod 0600 iredapd-rr.ini
  • Change the values of the parameters below in iredapd-rr.ini:
File: /opt/iredapd/etc/iredapd-rr.ini
listen_port = 7778
pid_file        = /var/run/iredapd-rr.pid
log_file        = /var/log/iredapd-rr.log
plugins = ldap_recipient_restrictions
  • Create log files:
Terminal:
#
# ---- On ALL OS ----
#
# touch /var/log/iredapd.log /var/log/iredapd-rr.log
# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log
  • Make iRedAPD start when your server boots.
Terminal:
#
# ---- on RHEL/CentOS ----
#
# chkconfig --level 345 iredapd on
# chkconfig --level 345 iredapd-rr on

#
# ---- on Debian/Ubuntu ----
#
$ sudo update-rc.d iredapd defaults
$ sudo update-rc.d iredapd-rr defaults

#
# ---- on FreeBSD, please edit /etc/rc.conf, append below line ----
#
iredapd_enable='YES'

Start iRedAPD

Terminal:
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/iredapd start
# /etc/init.d/iredapd-rr start

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/iredapd start
# /usr/local/etc/rc.d/iredapd-rr start

Configure postfix

In the Postfix main.cf, modify the smtpd_recipient_restrictions and smtpd_sender_restrictions settings:

File: /etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD)
#
# ---- IMPORTANT NOTE ----
# ---- Apply the order of restriction rules STRICTLY ----
# ---- otherwise iRedAPD may not work as expected. ----
#
smtpd_recipient_restrictions =
    ...
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    ...

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    ...
  • Restart Postfix to apply the change.
Terminal:
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/postfix restart

#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/postfix restart
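The note above insists on the order of the restriction rules. The following added check (not part of this page or of iRedAPD) reads a main.cf, joins continuation lines, splits the restriction lists, and verifies that the iRedAPD policy services sit where this page puts them: the port 7777 service before permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination, and the port 7778 service first in smtpd_sender_restrictions. The set of restrictions that take an argument is a partial list I assume here; the two sample configurations are constructed for the self-check.

```python
import re

# Restrictions that consume the following token as their argument, e.g.
# "check_policy_service inet:127.0.0.1:7777". Partial list (assumption).
ARG_RESTRICTIONS = {
    'check_policy_service', 'check_client_access', 'check_helo_access',
    'check_sender_access', 'check_recipient_access', 'reject_rbl_client',
    'reject_rhsbl_sender', 'reject_rhsbl_client',
}

def parse_main_cf(text):
    """Minimal main.cf reader: skips comments and blank lines, joins
    continuation lines (those starting with whitespace) onto the previous
    parameter, and returns {parameter: raw value string}."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('#'):
            continue
        if raw[0] in ' \t' and current is not None:
            params[current] += ' ' + raw.strip()
            continue
        key, sep, val = raw.partition('=')
        if not sep:
            continue  # not a "name = value" line; ignore it
        current = key.strip()
        params[current] = val.strip()
    return params

def restriction_list(value):
    """Split a restriction parameter value (comma and/or whitespace separated)
    into (name, argument) pairs; argument is None for bare restrictions."""
    tokens = [t for t in re.split(r'[,\s]+', value) if t]
    items, i = [], 0
    while i < len(tokens):
        name = tokens[i]
        if name in ARG_RESTRICTIONS and i + 1 < len(tokens):
            items.append((name, tokens[i + 1]))
            i += 2
        else:
            items.append((name, None))
            i += 1
    return items

def check_iredapd_order(params):
    """Return a list of findings; an empty list means the layout matches the
    order this page requires."""
    findings = []
    rcpt = restriction_list(params.get('smtpd_recipient_restrictions', ''))
    names = [n for n, _ in rcpt]
    policy_pos = [i for i, (n, a) in enumerate(rcpt)
                  if n == 'check_policy_service' and a == 'inet:127.0.0.1:7777']
    if not policy_pos:
        findings.append('smtpd_recipient_restrictions: check_policy_service '
                        'inet:127.0.0.1:7777 is missing')
    else:
        for later in ('permit_mynetworks', 'permit_sasl_authenticated',
                      'reject_unauth_destination'):
            if later in names and names.index(later) < policy_pos[0]:
                findings.append('smtpd_recipient_restrictions: %s appears '
                                'before the iRedAPD policy service' % later)
    # Relay control must be present somewhere (this page keeps it in
    # smtpd_recipient_restrictions; newer Postfix may use smtpd_relay_restrictions).
    relay = [n for n, _ in restriction_list(params.get('smtpd_relay_restrictions', ''))]
    if 'reject_unauth_destination' not in names + relay:
        findings.append('reject_unauth_destination is missing (open relay risk)')
    sender = restriction_list(params.get('smtpd_sender_restrictions', ''))
    if not sender or sender[0] != ('check_policy_service', 'inet:127.0.0.1:7778'):
        findings.append('smtpd_sender_restrictions: check_policy_service '
                        'inet:127.0.0.1:7778 is not the first entry')
    return findings

# Constructed samples: the first mirrors the layout shown on this page,
# the second has the policy services in the wrong place.
GOOD_MAIN_CF = """\
# constructed sample
myhostname = mail.example.com
smtpd_recipient_restrictions =
    reject_unknown_sender_domain,
    check_policy_service inet:127.0.0.1:7777,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_recipient

smtpd_sender_restrictions =
    check_policy_service inet:127.0.0.1:7778,
    reject_non_fqdn_sender
"""

BAD_MAIN_CF = """\
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_policy_service inet:127.0.0.1:7777,
    reject_unauth_destination
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    check_policy_service inet:127.0.0.1:7778
"""

if __name__ == '__main__':
    for label, cfg in (('good', GOOD_MAIN_CF), ('bad', BAD_MAIN_CF)):
        print(label, check_iredapd_order(parse_main_cf(cfg)) or 'OK')
```

To run it against a live system, read the real file (/etc/postfix/main.cf on Linux, /usr/local/etc/postfix/main.cf on FreeBSD) into parse_main_cf instead of the constructed strings; an empty findings list means the order matches the page.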

Rotate log file with logrotate

Add a new logrotate configuration file to rotate the iRedAPD log file:

File: /etc/logrotate.d/iredapd
/var/log/iredapd.log {
    compress
    daily
    rotate 30
    missingok

    # Use bzip2 for compress.
    compresscmd /usr/bin/bzip2
    uncompresscmd /usr/bin/bunzip2
    compressoptions -9
    compressext .bz2 

    # Used on RHEL/CentOS.
    postrotate
        /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
    endscript

    # Used on Ubuntu.
    #postrotate
    #    invoke-rc.d sysklogd reload > /dev/null
    #endscript
}

Available access policies

The following access policies are recognized in iRedAPD-1.3.4:

Restriction                  Comment                                                                              Value of 'accessPolicy' in LDAP
---------------------------  -----------------------------------------------------------------------------------  -------------------------------
Unrestricted                 Email is unrestricted, which means everyone can mail to this address.                public
Domain Wide                  Only users under the same domain can send mail to this address.                      domain
Domain and all sub-domains   Only users under the same domain and its sub-domains can send mail to this address.  subdomain
Members Only                 Only members can send mail to this address.                                          membersOnly
Moderators Only              Only moderators can send mail to this address.                                       moderatorsOnly
Moderators Only              Only members and moderators can send mail to this address.                           membersAndModeratorsOnly

How to set per-user blacklist/whitelist

TIP:

  • If you have iRedAdmin-Pro installed, you can manage it on the user profile page, under the Restrictions tab.
  • If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.

How to set a blacklisted or whitelisted sender or recipient address:

  • To bypass or block a single user, use the full email address, e.g. user@domain.ltd
  • To bypass or block a whole domain, use @domain.ltd, e.g. @domain.ltd
  • To bypass or block a domain and its sub-domains, use @.domain.ltd, e.g. @.domain.ltd
  • Use @. to bypass or block all accounts.
  • The whitelist has higher priority than the blacklist.
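The matching rules above, as an added example that is not iRedAPD's own code: it expands an address into every list pattern that covers it (full address, @domain, @.domain and each parent domain, then @.), consults the whitelist first so that a whitelist entry wins even when a more specific blacklist entry also matches, and reports which pattern decided. Entries are assumed to be exactly the string forms listed above; the sample lists are constructed.

```python
def matching_patterns(address):
    """Return every list pattern that covers 'address', most specific first:
    the full address, '@domain', '@.domain' plus '@.parent' for each parent
    domain, and finally '@.' (everything)."""
    address = address.lower()
    _, _, domain = address.rpartition('@')
    patterns = [address, '@' + domain]
    labels = domain.split('.') if domain else []
    for i in range(len(labels)):
        patterns.append('@.' + '.'.join(labels[i:]))
    patterns.append('@.')
    return patterns

def check_address(address, whitelist, blacklist):
    """Return (verdict, matched_pattern).
    'bypass'  - a whitelist entry matches (whitelist wins over blacklist)
    'block'   - only a blacklist entry matches
    'none'    - no entry matches; later Postfix restrictions decide."""
    wl = {w.lower() for w in whitelist}
    bl = {b.lower() for b in blacklist}
    candidates = matching_patterns(address)
    for p in candidates:
        if p in wl:
            return ('bypass', p)
    for p in candidates:
        if p in bl:
            return ('block', p)
    return ('none', None)

# Constructed sample lists for a quick self-check. Note the deliberate
# overlap: 'bad@trusted.ltd' is blacklisted but '@.trusted.ltd' is
# whitelisted, and the whitelist takes priority.
SAMPLE_WHITELIST = ['partner@domain.ltd', '@.trusted.ltd']
SAMPLE_BLACKLIST = ['@domain.ltd', '@.spam.ltd', 'bad@trusted.ltd']

if __name__ == '__main__':
    for addr in ('partner@domain.ltd', 'other@domain.ltd', 'x@sub.domain.ltd',
                 'bad@trusted.ltd', 'y@deep.spam.ltd', 'z@clean.ltd'):
        print(addr, check_address(addr, SAMPLE_WHITELIST, SAMPLE_BLACKLIST))
```

Note how '@domain.ltd' in the blacklist does not cover x@sub.domain.ltd; only the '@.domain.ltd' form reaches sub-domains, which is the distinction the second and third rules above draw.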

Troubleshooting & Debug

If iRedAPD doesn't work as expected, simply set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log. Then create a new forum topic and paste the log messages into it.
