From iRedMail
Summary & Feature List
NOTE: This installation guide is for iRedAPD-1.3.3 and later versions.
- iRedAPD is designed to work in conjunction with Postfix as an Access Policy Delegation daemon, with plugin support.
- Currently, it works with both OpenLDAP and MySQL backend, but this installation guide is for OpenLDAP.
- Plugin:
- ldap_maillist_access_policy: Checks whether a sender is allowed to post to a mail list, using the access policy built into the iRedMail OpenLDAP solution.
- block_amavisd_blacklisted_senders: Used for per-user sender whitelist and blacklist.
- ldap_recipient_restrictions: Used for per-user recipient whitelist and blacklist.
How to manage it
Requirements
- Python >= 2.4, core programming language.
- Python-LDAP >= 2.3.7. An object-oriented API to access LDAP directory servers from Python programs.
- iRedMail >= 0.5.0
Install iRedAPD
We will configure iRedAPD as two Postfix policy daemons.
- Daemon listening on port 7777: used in Postfix smtpd_recipient_restrictions, for mail list delivery restrictions.
- Daemon listening on port 7778: used in Postfix smtpd_sender_restrictions, for per-user blacklists and whitelists.
Create new user
We will run iRedAPD as a low-privilege user for security reasons.
| Terminal:
|
#
# ---- On RHEL/CentOS ----
#
# useradd -s /sbin/nologin -M -d /home/iredapd -c "iRedAPD daemon user" iredapd
#
# ---- On Debian/Ubuntu ----
#
# useradd -s /sbin/nologin -m -d /home/iredapd -c "iRedAPD daemon user" iredapd
#
# ---- On FreeBSD ----
#
# pw useradd -s /sbin/nologin -d /home/iredapd -c "iRedAPD daemon user" -n iredapd
|
Install required python modules
TIP: You can skip this step if you already have iRedAdmin installed.
| Terminal:
|
#
# ---- on RHEL/CentOS ----
#
# yum install python-ldap
#
# ---- on Debian/Ubuntu ----
#
$ sudo apt-get install python-ldap
#
# ---- on FreeBSD ----
#
# cd /usr/ports/net/py-ldap2 && make install clean
|
Download and configure iRedAPD
| Terminal:
|
#
# ---- Uncompress tarball, create symbolic link ----
# tar xjf iRedAPD-x.y.z.tar.bz2 -C /opt/
# ln -s /opt/iRedAPD-x.y.z /opt/iredapd
# chown -R iredapd:iredapd /opt/iRedAPD-x.y.z/
# chmod -R 0700 /opt/iRedAPD-x.y.z/
# chmod +x /opt/iredapd/src/iredapd.py
#
# ---- Copy necessary RC script to /etc/init.d/ (Linux) or /usr/local/etc/rc.d/ (FreeBSD) ----
#
# cp /opt/iredapd/rc_scripts/iredapd /etc/init.d/iredapd
# cp /opt/iredapd/rc_scripts/iredapd-rr /etc/init.d/iredapd-rr
# chmod +x /etc/init.d/iredapd /etc/init.d/iredapd-rr
#
# ---- Copy sample setting file ----
# ---- Note: We just copy one sample config file now ----
#
# cp /opt/iredapd/etc/iredapd.ini.sample /opt/iredapd/etc/iredapd.ini
# chmod 0600 /opt/iredapd/etc/iredapd.ini
|
- Open /opt/iredapd/etc/iredapd.ini and set correct values.
| File: /opt/iredapd/etc/iredapd.ini
|
#
# ---- Note: This config file is self-documented ----
# ---- just open it and read the comment ----
#
[general]
listen_addr = 127.0.0.1
listen_port = 7777
run_as_user = iredapd
run_as_daemon = yes
pid_file = /var/run/iredapd.pid
log_type = file
log_file = /var/log/iredapd.log
log_level = info
backend = ldap
[ldap]
uri = ldap://127.0.0.1:389
binddn = cn=vmail,dc=iredmail,dc=org
bindpw = mRAEWpGRtlCs1O0QuWpXoaJ36EjRql
basedn = o=domains,dc=iredmail,dc=org
#
# ---- Enable plugins for mail list delivery restrictions ----
#
plugins = ldap_maillist_access_policy, block_amavisd_blacklisted_senders
|
- Copy this file for another iRedAPD daemon.
| Terminal:
|
# cd /opt/iredapd/etc/
# cp iredapd.ini iredapd-rr.ini
# chown iredapd:iredapd iredapd-rr.ini
# chmod 0600 iredapd-rr.ini
|
- Change the values of the parameters below in iredapd-rr.ini:
| File: /opt/iredapd/etc/iredapd-rr.ini
|
listen_port = 7778
pid_file = /var/run/iredapd-rr.pid
log_file = /var/log/iredapd-rr.log
plugins = ldap_recipient_restrictions
|
| Terminal:
|
#
# ---- On ALL OS ----
#
# touch /var/log/iredapd.log /var/log/iredapd-rr.log
# chmod 0600 /var/log/iredapd.log /var/log/iredapd-rr.log
|
- Make iRedAPD start when your server boots.
| Terminal:
|
#
# ---- on RHEL/CentOS ----
#
# chkconfig --level 345 iredapd on
# chkconfig --level 345 iredapd-rr on
#
# ---- on Debian/Ubuntu ----
#
$ sudo update-rc.d iredapd defaults
$ sudo update-rc.d iredapd-rr defaults
#
# ---- on FreeBSD, please edit /etc/rc.conf, append below line ----
#
iredapd_enable='YES'
|
Start iRedAPD
| Terminal:
|
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/iredapd start
# /etc/init.d/iredapd-rr start
#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/iredapd start
# /usr/local/etc/rc.d/iredapd-rr start
|
Configure postfix
In Postfix main.cf, modify the smtpd_recipient_restrictions and smtpd_sender_restrictions settings:
| File: /etc/postfix/main.cf (Linux) or /usr/local/etc/postfix/main.cf (FreeBSD)
|
#
# ---- IMPORTANT NOTE ----
# ---- Apply the order of restriction rules STRICTLY ----
# ---- otherwise iRedAPD may not work as expected. ----
#
smtpd_recipient_restrictions =
...
check_policy_service inet:127.0.0.1:7777,
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination,
...
smtpd_sender_restrictions =
check_policy_service inet:127.0.0.1:7778,
...
|
- Restart Postfix to apply the change.
| Terminal:
|
#
# ---- On RHEL/CentOS/Debian/Ubuntu ----
#
# /etc/init.d/postfix restart
#
# ---- On FreeBSD ----
#
# /usr/local/etc/rc.d/postfix restart
|
Rotate log file with logrotate
Add a new file to logrotate to rotate the iRedAPD log file:
| File: /etc/logrotate.d/iredapd
|
/var/log/iredapd.log {
compress
daily
rotate 30
missingok
# Use bzip2 for compression.
compresscmd /usr/bin/bzip2
uncompresscmd /usr/bin/bunzip2
compressoptions -9
compressext .bz2
# Used on RHEL/CentOS.
postrotate
/bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
endscript
# Used on Ubuntu.
#postrotate
# invoke-rc.d sysklogd reload > /dev/null
#endscript
}
|
Available access policies
The following access policies are recognized in iRedAPD-1.3.4:
| Restriction | Comment | Value of attribute 'accessPolicy' in LDAP |
| Unrestricted | Email is unrestricted, which means everyone can mail to this address. | public |
| Domain Wide | Only users under the same domain can send mail to this address. | domain |
| Domain and all sub-domains | Only users under the same domain and its sub-domains can send mail to this address. | subdomain |
| Members Only | Only members can send mail to this address. | membersOnly |
| Moderators Only | Only moderators can send mail to this address. | moderatorsOnly |
| Members and Moderators Only | Only members and moderators can send mail to this address. | membersAndModeratorsOnly |
How to set per-user blacklist/whitelist
TIP:
- If you have iRedAdmin-Pro installed, you can manage it in user profile page, under tab Restrictions.
- If you don't have iRedAdmin-Pro installed, you can also manage it with phpLDAPadmin or other LDAP client tools.
How to specify a sender or recipient address in the blacklist or whitelist:
- To bypass or block a single user, use the full email address, e.g. user@domain.ltd
- To bypass or block a whole domain, use @domain.ltd, e.g. @domain.ltd
- To bypass or block a domain and its sub-domains, use @.domain.ltd, e.g. @.domain.ltd
- Use @. to bypass or block all accounts.
- The whitelist has higher priority than the blacklist.
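The matching rules above, as an added example that is not iRedAPD's own code: an address is expanded into every entry form that could match it (full address, @domain, @.domain for each parent domain, and the catch-all @.), the whitelist is consulted first, and the result is the Postfix policy action (OK, REJECT, or DUNNO when nothing matched). The sample lists are constructed for the example.

```python
# Added example (not iRedAPD code): per-user whitelist / blacklist matching
# using the entry forms described above. Whitelist wins over blacklist.

def candidate_forms(addr):
    """Expand an address into every list entry that could match it,
    most specific first: user@domain, @domain, @.domain (and @. + each
    parent domain), then the catch-all '@.'."""
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    forms = [addr, "@" + domain]
    labels = domain.split(".")
    for i in range(len(labels)):            # @.sub.domain.ltd, @.domain.ltd, @.ltd
        forms.append("@." + ".".join(labels[i:]))
    forms.append("@.")
    return forms

def check_address(addr, whitelist, blacklist):
    """Return 'OK' if whitelisted, 'REJECT' if blacklisted, else 'DUNNO'."""
    wl = {e.lower() for e in whitelist}
    bl = {e.lower() for e in blacklist}
    forms = candidate_forms(addr)
    if any(f in wl for f in forms):         # whitelist has higher priority
        return "OK"
    if any(f in bl for f in forms):
        return "REJECT"
    return "DUNNO"                          # no opinion; let later rules decide

# Constructed sample lists for one user: block partner.ltd except the boss,
# allow trusted.ltd and all its sub-domains, block everyone else.
SAMPLE_WHITELIST = ["boss@partner.ltd", "@.trusted.ltd"]
SAMPLE_BLACKLIST = ["@partner.ltd", "@."]

if __name__ == "__main__":
    for a in ["boss@partner.ltd", "sales@partner.ltd",
              "x@mail.trusted.ltd", "anyone@elsewhere.org"]:
        print(a, "->", check_address(a, SAMPLE_WHITELIST, SAMPLE_BLACKLIST))
```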
Troubleshooting & Debug
If iRedAPD doesn't work as expected, you can simply set 'log_level = debug' in /opt/iredapd/etc/iredapd.ini, restart iredapd and monitor its log file /var/log/iredapd.log, then create a new forum topic and paste the log messages into it.