Installing Qmail LDAP in Debian

Install ucspi-tcp

apt-get install ucspi-tcp-src
build-ucspi-tcp

Install OpenLDAP

apt-get install slapd

Parameters:

  • Domain name: example.com
  • Organization: Example
  • Admin password: SecretOne
  • Allow LDAPv2: Yes (only legacy clients need LDAPv2; answer No if nothing on your network still speaks it)

apt-get install libldap2-dev
apt-get install ldap-utils

Install ssmtp

Many Debian packages depend on a mail-transport-agent, so you need a placeholder MTA to satisfy that dependency and keep apt quiet. Pick the smallest one:

apt-get install ssmtp

Now put ssmtp on hold so that apt doesn't touch it again: in dselect, select the package and press the "=" key, or, without dselect, run echo ssmtp hold | dpkg --set-selections. Otherwise a later upgrade would put its own /usr/sbin/sendmail back over the qmail symlink you create below.

Install qmail-ldap

Fetch the code

mkdir /var/qmail
cd /usr/src ; mkdir qmail ; cd qmail
wget http://www.qmail.org/qmail-1.03.tar.gz
wget http://www.nrg4u.com/qmail/qmail-ldap-1.03-<latest>.patch.gz
tar zxvf qmail-1.03.tar.gz

Prepare passwd and groups

Add the following users (use vipw)

alias:x:64010:65534:qmail alias,,,:/var/qmail/alias:/bin/false
qmaild:x:64011:65534:qmail daemon,,,:/var/qmail:/bin/false
qmails:x:64012:64010:qmail send,,,:/var/qmail:/bin/false
qmailr:x:64013:64010:qmail remote,,,:/var/qmail:/bin/false
qmailq:x:64014:64010:qmail queue,,,:/var/qmail:/bin/false
qmaill:x:64015:65534:qmail log,,,:/var/qmail:/bin/false
qmailp:x:64016:65534:qmail pw,,,:/var/qmail:/bin/false

… and groups (use vigr):

qmail:x:64010:
nofiles:x:64011:

Compile and install

First let's patch the stock qmail source with the LDAP patches:

cd qmail-1.03
zcat ../qmail-ldap-1.03-<latest>.patch.gz | patch -p1

Edit the Makefile following QLDAPINSTALL (see also http://www.lifewithqmail.org/ldap/) and set:

LDAPFLAGS=-DBIGTODO -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DSMTPEXECCHECK
MDIRMAKE=-DAUTOMAILDIRMAKE
HDIRMAKE=-DAUTOHOMEDIRMAKE
DEBUG=-DDEBUG
SHADOWLIBS=-lcrypt
ZLIB=-lz
TLS=-DTLS_SMTPD
TLSLIBS=-lssl -lcrypto
OPENSSLBIN=openssl

TLSLIBS names libcrypto explicitly because libssl depends on it and newer linkers no longer pull in such indirect dependencies by themselves. TLS_SMTPD enables TLS for incoming SMTP only; outgoing deliveries are not encrypted by this configuration.

Now fetch a couple of needed libraries, and compile and install the MTA:

apt-get install zlib1g-dev libssl-dev openssl
make setup check

Install Courier IMAP

apt-get install courier-ldap courier-imap courier-imap-ssl fam

Install fastforward

wget http://cr.yp.to/software/fastforward-0.51.tar.gz
tar zxvf fastforward-0.51.tar.gz
cd fastforward-0.51

Edit error.h, replacing "extern int errno;" with "#include <errno.h>" (needed with modern glibc, where errno is a macro rather than a plain variable).

make setup check

Configure qmail-ldap

Basic system config

./config-fast mail.example.com
(cd ~alias; touch .qmail-postmaster .qmail-mailer-daemon .qmail-root)
chmod 644 ~alias/.qmail*
cd /usr/sbin
for a in mailq newaliases sendmail ; do mv $a $a.OLD ; done
ln -s /var/qmail/bin/sendmail sendmail
cd
echo 'export PATH=$PATH:/var/qmail/bin' >> .bash_profile

The new PATH only applies to future login shells; for the current session also run export PATH=$PATH:/var/qmail/bin.

Now verify that the new account is usable. Its login shell is /bin/false, so a plain su - alias exits immediately; run a command under the account instead:

su -s /bin/sh -c id alias

Init the message store

mkdir /var/mailhome
chown -R alias:root /var/mailhome
chmod -R 750 /var/mailhome
cat << 'EOF' > /var/qmail/bin/create_homedir
#!/bin/sh
# qmail-ldap passes the directory to create as the only argument; keep it quoted
mkdir -m 700 -p "$1"
EOF
chmod 755 /var/qmail/bin/create_homedir
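
The directory name handed to create_homedir is derived from the user's LDAP entry, so it is directory data rather than a trusted constant. The following is an added example of a hardened dirmaker, not the page's script and not qmail-ldap code; it assumes only what the page sets up (the message store root /var/mailhome from ldapmessagestore, and a single path argument) and refuses anything that would land outside that root. The MAILHOME override and the install path /var/qmail/bin/create_homedir are assumptions made for this example.

```sh
#!/bin/sh
# Hardened dirmaker for qmail-ldap (added example, not from the page or the
# qmail-ldap distribution). qmail-ldap runs the dirmaker with the directory to
# create as its only argument; that path comes from the user's LDAP entry, so
# it is validated here instead of being passed to mkdir -p blindly.

# create_homedir DIR
#   0 when DIR exists afterwards with mode 700
#   1 when DIR is rejected or mkdir fails
# MAILHOME (assumed, defaults to the page's /var/mailhome) can be overridden in
# the environment only so the function can be exercised against a scratch dir.
create_homedir() {
    dir="$1"
    root="${MAILHOME:-/var/mailhome}"

    # 1. Must be an absolute path strictly below the message store root
    #    (the root itself is refused as well).
    case "$dir" in
        "$root"/?*) ;;
        *) echo "create_homedir: refusing '$dir': not below $root" >&2; return 1 ;;
    esac

    # 2. No "..", "." or empty components anywhere in the path.
    case "$dir/" in
        *"/../"*|*"/./"*|*"//"*)
            echo "create_homedir: refusing '$dir': dot or empty component" >&2; return 1 ;;
    esac

    # 3. Conservative character set: letters, digits, / . _ @ -
    #    (enough for user@domain style names; widen deliberately if needed).
    case "$dir" in
        *[!A-Za-z0-9/._@-]*)
            echo "create_homedir: refusing '$dir': unexpected characters" >&2; return 1 ;;
    esac

    # 4. umask 077 so the intermediate directories created by -p are private
    #    too; "mkdir -m 700 -p" alone only applies the mode to the last one.
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$dir"
}

# When installed as the dirmaker itself (assumed path), act on the argument.
case "$0" in
    */create_homedir) create_homedir "$1" ;;
esac
```

Symlinks inside the message store are not checked here; since /var/mailhome is owned by alias and only alias-owned deliveries write there, that is acceptable for this layout, but revisit it if other accounts ever get write access under the root.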

Configure qmail control files

cd /var/qmail/control
echo 127.0.0.1 > ldapserver 
echo "dc=example,dc=com" > ldapbasedn
echo "cn=qmail-login,dc=example,dc=com" > ldaplogin
echo 'ItsReallySecret' > ldappassword
chmod 640 ldappassword
chown qmaild:root ldappassword
echo /var/mailhome > ldapmessagestore
id -u alias > ldapuid
id -g alias > ldapgid
echo "Please contact postmaster@example.com if you need any help." > custombouncetext
echo "Warning: you are using more than 70% of your mailbox quota." > quotawarning
touch badrcptto
echo /var/qmail/bin/create_homedir > dirmaker
echo '127.0.0.1:allow,RELAYCLIENT=""' > /etc/tcp.smtp
echo '10.0.0.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
echo '10.1.0.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
echo qmailUser > ldapobjectclass
make

The make here is expected to rebuild /etc/tcp.smtp.cdb from /etc/tcp.smtp, the rules tcpserver applies to connections for qmail-smtpd; if no Makefile on your system does that, build it directly with tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp. Only addresses whose rule sets RELAYCLIENT may relay through this host, so keep that list to your own networks. Note also that ldappassword holds the cleartext password of cn=qmail-login, an account which the ACLs added in the OpenLDAP section let read every userPassword; the 640 qmaild:root permissions above are what keep it away from ordinary users.
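
Before building the cdb it is worth checking which rule a given client address would actually hit, since a prefix like 10.0.0. silently covers a whole /24 and no default rule means "allow, but no relaying". The block below is an added example, not part of the page or of ucspi-tcp: it re-implements tcpserver's lookup order for plain address rules over a constructed copy of the page's tcp.smtp (with an explicit :allow default added). On the host itself, prefer the real check, TCPREMOTEIP=10.0.0.5 tcprulescheck /etc/tcp.smtp.cdb.

```sh
#!/bin/sh
# Offline review of a tcp.smtp relay policy (added example, not ucspi-tcp code).
# tcpserver looks up the full address first, then each shorter prefix ending in
# a dot ("10.0.0.", "10.0.", "10."), then the empty address, which is the
# default rule. If nothing matches at all, the connection is still allowed, but
# without RELAYCLIENT, so no relaying. =host rules, ident info and 1.2.3.4-50
# ranges, which tcprules also understands, are not emulated here.

# Constructed sample: the page's three rules plus an explicit default.
TCP_SMTP_RULES='127.0.0.1:allow,RELAYCLIENT=""
10.0.0.:allow,RELAYCLIENT=""
10.1.0.:allow,RELAYCLIENT=""
:allow'

# next_key KEY -> the next, shorter lookup key in tcpserver's order
next_key() {
    k="${1%.}"                              # drop a trailing dot
    case "$k" in
        *.*) printf '%s.\n' "${k%.*}" ;;     # cut the last label, keep the dot
        *)   printf '\n' ;;                  # nothing left: the default key ""
    esac
}

# rule_for IP -> prints the instructions of the first matching rule, or
# "allow" when tcpserver would fall through with no rule at all.
rule_for() {
    key="$1"
    while :; do
        match=$(printf '%s\n' "$TCP_SMTP_RULES" |
            awk -F: -v k="$key" '/^#/ || !/:/ { next }
                                 $1 == k { sub(/^[^:]*:/, ""); print; exit }')
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
        if [ -z "$key" ]; then
            printf 'allow\n'                 # no rule at all: tcpserver allows
            return 0
        fi
        key=$(next_key "$key")
    done
}

# may_relay IP -> 0 if that client would get RELAYCLIENT set, 1 otherwise
may_relay() {
    case "$(rule_for "$1")" in
        allow*RELAYCLIENT*) return 0 ;;
        *) return 1 ;;
    esac
}
```

To review your own file, load it into TCP_SMTP_RULES with TCP_SMTP_RULES=$(cat /etc/tcp.smtp) and call may_relay with a few addresses from inside and outside your networks.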

Make a TLS certificate

cd /usr/src/qmail/qmail-1.03
make cert

Setup boot scripts

Use the provided scripts to start qmail:

cp qmail qmail-smtpd /etc/init.d
chmod 755 /etc/init.d/qmail*
chown 0:0 /etc/init.d/qmail*
update-rc.d qmail defaults
update-rc.d qmail-smtpd defaults

Setup OpenLDAP

Add the schema

cp /usr/src/qmail/qmail-1.03/qmail.schema /etc/ldap/schema/

Edit /etc/ldap/slapd.conf adding:

include /etc/ldap/schema/qmail.schema

Seed the LDAP

Restart slapd and try adding the first entries using the provided sample seed.ldif.

/etc/init.d/slapd restart
ldapadd -acrv -h localhost -D "cn=admin,dc=example,dc=com" -x -W -f seed.ldif

Add the basic authorizations

Edit /etc/ldap/slapd.conf adding the basic permissions. slapd applies the first access to clause whose target matches and, within it, the first by clause that matches the requester, so these two clauses must be placed before the catch-all access to * rule of Debian's stock slapd.conf or they are never consulted. Courier configured with LDAP_AUTHBIND 1 (below) verifies passwords by rebinding as the user and does not need to read userPassword; the read right for cn=qmail-login is only required by components that compare password hashes themselves (qmail-ldap's own authentication path does so unless configured to rebind; see QLDAPINSTALL).

## Access to the password
access to attribute=userPassword
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=qmail-login,dc=example,dc=com" read
  by anonymous auth by self write by * none

## Access to the "Vacation" attributes
access to attrs=mailReplyText,deliveryMode
  by dn="cn=admin,dc=example,dc=com" write
  by dn="cn=qmail-login,dc=example,dc=com" read
  by self write by * auth

Configure Courier IMAP

Create a TLS certificate:

mkimapdcert

Edit /etc/courier/authdaemonrc setting:

authmodulelist="authldap"

Edit /etc/courier/authldaprc setting:

    LDAP_SERVER            127.0.0.1
    LDAP_BASEDN            dc=example,dc=com
    LDAP_BINDDN            cn=qmail-login,dc=example,dc=com
    LDAP_BINDPW            ItsReallySecret
    LDAP_AUTHBIND          1
    LDAP_GLOB_UID          alias
    LDAP_GLOB_GID          nogroup
    LDAP_MAIL              uid
    LDAP_HOMEDIR           mailMessageStore
    LDAP_MAILROOT          /var/mailhome
    ###LDAP_MAILDIR                mailbox

Edit /etc/courier/imapd commenting out IMAP_EMPTYTRASH.
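
The same cleartext bind password now lives in /var/qmail/control/ldappassword and /etc/courier/authldaprc, and /etc/ldap/slapd.conf carries the rootpw, so a permission slip on any one of them exposes the directory. The block below is an added example (not part of the page or of Courier) that checks a list of such files for permissions no stricter than owner read/write plus group read; it relies only on ls(1), and the sample files in the test are constructed. Ownership is not checked here, so still confirm with ls -l that each file is owned by root and the daemon group that needs it.

```sh
#!/bin/sh
# Permission audit for files holding secrets (added example, not from the page).
# Acceptable: no permission bits for "other", no write bit for the group
# (e.g. 600 or 640); anything looser is reported.

# check_secret FILE -> 0 if FILE is a regular file with acceptable permissions,
# 1 otherwise. Diagnostics go to stderr.
check_secret() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: missing or not a regular file" >&2
        return 1
    fi
    # ls -ld prints e.g. "-rw-r-----"; chars 2-4 user, 5-7 group, 8-10 other.
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        -??????---) ;;
        *) echo "$f: readable or writable by others ($perms)" >&2; return 1 ;;
    esac
    case "$perms" in
        -????w????) echo "$f: group-writable ($perms)" >&2; return 1 ;;
    esac
    echo "$f: ok ($perms)" >&2
    return 0
}

# audit_secrets FILE... -> prints the number of files that failed the check
audit_secrets() {
    bad=0
    for f in "$@"; do
        check_secret "$f" || bad=$((bad + 1))
    done
    echo "$bad"
}

# On the host built by this page:
# audit_secrets /var/qmail/control/ldappassword /etc/courier/authldaprc /etc/ldap/slapd.conf
```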

Configure Fastforward

echo "| fastforward -d /etc/aliases.cdb" >  ~alias/.qmail-default
echo "testing: j.r.hacker@example.com" > /etc/aliases
newaliases

This newaliases is fastforward's, installed in /var/qmail/bin (the Debian one was moved aside earlier); if that directory is not yet on your PATH, call it as /var/qmail/bin/newaliases. It compiles /etc/aliases into /etc/aliases.cdb, the file the .qmail-default line above hands to fastforward.
unix/qmailldap.txt · Last modified: 2007/06/28 11:59 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported