#26 Le 12/09/2007, à 14:15
- toniotonio
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
cela marchait avant l'imap ?
il cherche le chemin du home des mails
fait voir le authldaprc
Tutoriaux Postfix sur www.starbridge.org/spip
Messagerie Dédiée, Relais Mail Antispam/Antivirus, Infogérance 24/7: http://www.eole-its.com
Hors ligne
#27 Le 12/09/2007, à 15:12
- zizouth
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
excuse moi pour la reponse tardive j'ai pas vu la deuxieme page du post
donc mon authldaprc
##NAME: LOCATION:1
#
# Location of your LDAP server(s). If you have multiple LDAP servers,
# you can list them separated by commas and spaces, and they will be tried in
# turn.
LDAP_URI ldap://192.168.200.10:389
##NAME: LDAP_PROTOCOL_VERSION:0
#
# Which version of LDAP protocol to use
LDAP_PROTOCOL_VERSION 3
##NAME: LDAP_BASEDN:0
#
# Look for authentication here:
LDAP_BASEDN dc=esprit,dc=ens,dc=tn
##NAME: LDAP_BINDDN:0
#
# You may or may not need to specify the following. Because you've got
# a password here, authldaprc should not be world-readable!!!
LDAP_BINDDN cn=admin,dc=esprit,dc=ens,dc=tn
LDAP_BINDPW *****
##NAME: LDAP_TIMEOUT:0
#
# Timeout for LDAP search and connection
LDAP_TIMEOUT 5
##NAME: LDAP_AUTHBIND:0
#
# Define this to have the ldap server authenticate passwords. If LDAP_AUTHBIND
# the password is validated by rebinding with the supplied userid and password.
# If rebind succeeds, this is considered to be an authenticated request. This
# does not support CRAM-MD5 authentication, which requires clearPassword.
# Additionally, if LDAP_AUTHBIND is 1 then password changes are done under
# the credentials of the user themselves, not LDAP_BINDDN/BINDPW
#
# LDAP_AUTHBIND 1
##NAME: LDAP_MAIL:0
#
# Here's the field on which we query
LDAP_MAIL mail
##NAME: LDAP_FILTER:0
#
# This LDAP filter will be ANDed with the query for the field defined above
# in LDAP_MAIL. So if you are querying for mail, and you have LDAP_FILTER
# defined to be "(objectClass=CourierMailAccount)" the query that is performed
# will be "(&(objectClass=CourierMailAccount)(mail=<someAccount>))"
#
LDAP_FILTER (objectClass=CourierMailAccount)
##NAME: LDAP_DOMAIN:0
#
# The following default domain will be appended, if not explicitly specified.
#
LDAP_DOMAIN esprit.ens.tn
##NAME: LDAP_GLOB_IDS:0
#
# The following two variables can be used to set everybody's uid and gid.
# This is convenient if your LDAP specifies a bunch of virtual mail accounts
# The values can be usernames or userids:
#
LDAP_GLOB_UID vmail
LDAP_GLOB_GID vmail
##NAME: LDAP_HOMEDIR:0
#
# We will retrieve the following attributes
#
# The HOMEDIR attribute MUST exist, and we MUST be able to chdir to it
LDAP_HOMEDIR homeDirectory
##NAME: LDAP_MAILROOT:0
#
# If homeDirectory is not an absolute path, define the root of the
# relative paths in LDAP_MAILROOT
#
#LDAP_MAILROOT /home/vmail
##NAME: LDAP_MAILDIR:0
#
# The MAILDIR attribute is OPTIONAL, and specifies the location of the
# mail directory. If not specified, ./Maildir will be used
LDAP_MAILDIR mailbox
##NAME: LDAP_DEFAULTDELIVERY:0
#
# Courier mail server only: optional attribute specifies custom mail delivery
# DEFAULTDELIVERY from ${sysconfdir}/courierd
LDAP_DEFAULTDELIVERY defaultDelivery
##NAME: LDAP_MAILDIRQUOTA:0
#
# The following variable, if defined, specifies the field containing the
# maildir quota, see README.maildirquota for more information
#
# LDAP_MAILDIRQUOTA quota
##NAME: LDAP_FULLNAME:0
#
# FULLNAME is optional, specifies the user's full name
LDAP_FULLNAME cn
##NAME: LDAP_PW:0
#
# CLEARPW is the clear text password. CRYPT is the crypted password.
# ONE OF THESE TWO ATTRIBUTES IS REQUIRED. If CLEARPW is provided, and
# libhmac.a is available, CRAM authentication will be possible!
LDAP_CLEARPW clearPassword
LDAP_CRYPTPW userPassword
##NAME: LDAP_IDS:0
#
# Uncomment the following, and modify as appropriate, if your LDAP database
# stores individual userids and groupids. Otherwise, you must uncomment
# LDAP_GLOB_UID and LDAP_GLOB_GID above. LDAP_GLOB_UID and LDAP_GLOB_GID
# specify a uid/gid for everyone. Otherwise, LDAP_UID and LDAP_GID must
# be defined as attributes for everyone.
#
# LDAP_UID uidNumber
# LDAP_GID gidNumber
##NAME: LDAP_AUXOPTIONS:0
#
# Auxiliary options. The LDAP_AUXOPTIONS setting should contain a list of
# comma-separated "ATTRIBUTE=NAME" pairs. These names are additional
# attributes that define various per-account "options", as given in
# INSTALL's description of the OPTIONS setting.
#
# Each ATTRIBUTE specifies an LDAP attribute name. If it is present,
# the attribute value gets placed in the OPTIONS variable, with the name
# NAME. For example:
#
# LDAP_AUXOPTIONS shared=sharedgroup,disableimap=disableimap
#
# Then, if an LDAP record contains the following attributes:
#
# shared: domain1
# disableimap: 0
#
# Then authldap will initialize OPTIONS to "sharedgroup=domain1,disableimap=0"
#
# NOTE: ** no spaces in this setting **, the above example has exactly
# one tab character after LDAP_AUXOPTIONS
##NAME: LDAP_ENUMERATE_FILTER:0
#
# {EXPERIMENTAL}
# Optional custom filter used when enumerating accounts for authenumerate,
# in order to compile a list of accounts for shared folders. If present,
# this filter will be used instead of LDAP_FILTER.
#
# LDAP_ENUMERATE_FILTER (&(objectClass=CourierMailAccount)(!(disableshared=1)))
##NAME: LDAP_DEREF:0
#
# Determines how aliases are handled during a search. This option is available
# only with OpenLDAP 2.0
#
# LDAP_DEREF can be one of the following values:
# never, searching, finding, always. If not specified, aliases are
# never dereferenced.
LDAP_DEREF never
##NAME: LDAP_TLS:0
#
# Set LDAP_TLS to 1 to use the Start TLS extension (RFC 2830). This is
# when the server accepts a normal LDAP connection on port 389 which
# the client then requests 'upgrading' to TLS, and is equivalent to the
# -ZZ flag to ldapsearch. If you are using an ldaps:// URI then do not
# set this option.
#
# For additional LDAP-related options, see the authdaemonrc config file.
LDAP_TLS 0
##NAME: LDAP_EMAILMAP:0
#
# The following optional settings, if enabled, result in an extra LDAP
# lookup to first locate a handle for an E-mail address, then a second lookup
# on that handle to get the actual authentication record. You'll need
# to uncomment these settings to enable an email handle lookup.
#
# The E-mail address must be of the form user@realm, and this is plugged
# into the following search string. "@user@" and "@realm@" are placeholders
# for the user and the realm portions of the login ID.
#
# LDAP_EMAILMAP (&(userid=@user@)(realm=@realm@))
##NAME: LDAP_EMAILMAP_BASEDN:0
#
# Specify the basedn for the email lookup. The default is LDAP_BASEDN.
#
# LDAP_EMAILMAP_BASEDN o=emailmap, c=com
##NAME: LDAP_EMAILMAP_ATTRIBUTE:0
#
# The attribute which holds the handle. The contents of this attribute
# are then plugged into the regular authentication lookup, and you must set
# LDAP_EMAILMAP_MAIL to the name of this attribute in the authentication
# records (which may be the same as LDAP_MAIL).
# You MUST also leave LDAP_DOMAIN undefined. This enables authenticating
# by handles only.
#
# Here's an example:
#
# dn: userid=john, realm=example.com, o=emailmap, c=com # LDAP_EMAILMAP_BASEDN
# userid: john # LDAP_EMAILMAP search
# realm: example.com # LDAP_EMAILMAP search
# handle: cc223344 # LDAP_EMAILMAP_ATTRIBUTE
#
#
# dn: controlHandle=cc223344, o=example, c=com # LDAP_BASEDN
# controlHandle: cc223344 # LDAP_EMAILMAP_MAIL set to "controlHandle"
# uid: ...
# gid: ...
# [ etc... ]
#
# LDAP_EMAILMAP_ATTRIBUTE handle
##NAME: LDAP_EMAILMAP_MAIL:0
#
# After reading LDAP_EMAIL_ATTRIBUTE, the second query will go against
# LDAP_BASEDN, but will key against LDAP_EMAILMAP_MAIL instead of LDAP_MAIL.
#
# LDAP_EMAILMAP_MAIL mail
j'ai essayé presque toute les combinaison entre LDAP_HOMEDIR, LDAP_MAILROOT et LDAP_MAILDIR
Dernière modification par zizouth (Le 12/09/2007, à 15:23)
Hors ligne
#28 Le 12/09/2007, à 15:22
- toniotonio
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
essaye
authtest aziz@esprit.ens.tn
Tutoriaux Postfix sur www.starbridge.org/spip
Messagerie Dédiée, Relais Mail Antispam/Antivirus, Infogérance 24/7: http://www.eole-its.com
Hors ligne
#29 Le 12/09/2007, à 15:24
- zizouth
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
> authtest aziz@esprit.ens.tn
Authentication succeeded.
Authenticated: aziz@esprit.ens.tn (uid 5000, gid 5000)
Home Directory: /home/vmail
Maildir: esprit.ens.tn/aziz
Quota: (none)
Encrypted Password: {CRYPT}GBhy0MXcsJtIQ
Cleartext Password: (none)
Options: (none)
je pense qu'il est correct. mais en dirait qu'il ne concatene pas HomeDirectory et Maildir???
Dernière modification par zizouth (Le 12/09/2007, à 15:31)
Hors ligne
#30 Le 12/09/2007, à 15:43
- toniotonio
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
le pb c'est que postfix delivre les mails au format mbox (on le voit dans les logs), alors que courier ne lit que les formats Maildir.
il faut simplement ajouter un / a la fin du chemin dans la table mailbox du ldap pour que postfix livre au bon format.
cela devrait donner dans le test: esprit.ens.tn/aziz/
Dernière modification par toniotonio (Le 12/09/2007, à 15:44)
Tutoriaux Postfix sur www.starbridge.org/spip
Messagerie Dédiée, Relais Mail Antispam/Antivirus, Infogérance 24/7: http://www.eole-its.com
Hors ligne
#31 Le 12/09/2007, à 15:58
- zizouth
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
c'est bon sa marche merci pour tout!!!
tu aurais des tuto pour securiser courier et squirrelmail?
Hors ligne
#32 Le 12/09/2007, à 16:04
- toniotonio
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
squirrelmail je ne connais pas
courier a part les droits sur les repertoires, il y a pas grand choses a faire...
Tutoriaux Postfix sur www.starbridge.org/spip
Messagerie Dédiée, Relais Mail Antispam/Antivirus, Infogérance 24/7: http://www.eole-its.com
Hors ligne
#33 Le 12/09/2007, à 17:19
- Beamo
Re : [RESOLU merci a toniotonio]Postfix virtual user et local recipient
Je ne sais pas ce que tu veux sécuriser en plus.
Sécurité :
Tu utilises déjà du SSL pour les authentifications Postfix. Squirrelmail utilise https par défaut non ?
Robustesse :
Après tu peux toujours rajouter une base Slurpd pour redonder ton LDAP, utiliser SystemImager pour sauvegarder ta solution et utiliser Nagios pour tout monitorer.
Beamo
Hors ligne