Betacode 19991007
by Andre Oppermann, Claudio Jeker and Boris Lutz
(c) 1998,1999 Internet Business Solutions Ltd.

These LDAP patches for qmail come with NO WARRANTY.
These patches are under the BSD license.

TODO:
  ongoing - Debugging and testing, testing, testing
  ongoing - The big qmail-ldap picture
  done    - support for mail clusters
  planned - full code review
  planned - splitting the patch into smaller separate pieces

NEWS:
  Added a signal handler for qmail-lspawn: on SIGHUP the qmail-lspawn parent
  process now reloads its settings (via the ~control files).
  Added cluster support, use -DQLDAP_CLUSTER to enable it.
  Removed PWOPTS=-DLOOK_UP_PASSWD because it was only used by checkpassword,
  and with ldaplocaldelivery you get the same result on the fly.
  Few minor bug fixes (qmail-qmqpd.c, qmail-qmtpd.c, receive.c)
  Updated QLDAPINSTALL and added a new QLDAPNEWS because QLDAPINSTALL was
  getting too long.
  Changed the make process; with "make setup check" the qmail-ldap parts are
  now also built and installed.
  Have fun ...

  Few minor bug fixes (accountStatus, AUTO_MAILDIRMAKE)
  Hack in the LDAP search filter escape function due to a bug in most LDAP
  servers: instead of escaping the wildcard characters we replace them with
  '_' as long as -DLDAP_ESCAPE_BUG is defined (see Makefile).
  A catch-all mail address for one domain is now available. The default
  catch-all account is "catchall@domain.com"; you can change it to any other
  string in qmail-ldap.h at compile time. LDAP wildcards are not allowed:
  due to a bug in the LDAP servers, escaping of wildcards does not work, so
  pay attention.

INSTALL:
  1. Make sure you have fairly good knowledge of qmail and LDAP
  2. Read this document
  3. You need the following compiled and installed
     - OpenLDAP 1.2/1.2.1 (others might also work)
     - Netscape LDAP SDK (tested libldapssl30 on Solaris 2.6)
     If you have problems with OpenLDAP look into their FAQ.
  4.
     Apply the qmail-ldap patches to a clean qmail-1.03 source tree.
     Normally "cd qmail-1.03_source_tree; patch -p1 < location_of_patch"
     works ;-). There seems to be a problem with the original patch utility
     on Solaris based systems; use the GNU patch utility instead. A
     pre-compiled binary should be available at http://www.sunfreeware.com/
  5. Edit the conf-* files and the top of the Makefile (only the top ;-) )
     You can set/change:
     - LDAPON=-DQLDAP (turns qmail-ldap on and off)
         + -DQLDAP_CLUSTER (turns the cluster support on)
         + -DLDAP_ESCAPE_BUG (see NOTE)
       NOTE: at the moment -DLDAP_ESCAPE_BUG is also defined; it should stay
       defined as long as the LDAP servers have problems with the escaping
       of LDAP filters
     - LDAPLIBS: the libraries you need for LDAP, e.g. -lldap -llber
     - LDAPINCLUDES: perhaps you need a special include path for LDAP
     - MNW=-DMAKE_NETSCAPE_WORK (turns on the patch that fixes the problem
       with the Netscape download progress bar and qmail-pop3d)
     - MDIRMAKE=-DAUTOMAILDIRMAKE (turns the auto-MAILdir-make patch on)
     - HDIRMAKE=-DAUTOHOMEDIRMAKE (compiles the auto-HOMEdir-make patch into
       the release; you need the ~control/dirmaker file to turn the patch
       on, see CONFIG FILES)
     - QLDAPBIND=-DQLDAP_BIND (passwords are checked through the LDAP
       server, not by checkpassword)
     - SHADOWLIBS=-lshadow, SHADOWOPTS=-DPW_SHADOW are needed on some
       systems (Solaris, Linux) for local password lookups (just like the
       original djb checkpassword)
     - DEBUG=-DQLDAPDEBUG (turns debugging of checkpassword on, see 6.1)
     - LSPAWN_LOG=-DQLSPAWN_LOG -DLOG_LEVEL=3 (qmail-lspawn compiled with
       LSPAWN_LOG enabled does some lspawn logging; only the number after
       -DLOG_LEVEL= has to be changed)
       WARNING: this information is logged through splogger to the syslog
       AND when a message is bounced the same information is also included
       in the bounce. Do not use DEBUG_LEVEL/INFO_LEVEL on production
       machines.
  5.1 Have a look at qmail-ldap.h, perhaps you want to change something
      there.
  6.
     Compile and install the stuff (it's the same as in the standard qmail
     install -> read the INSTALL file !!!). Now everything should be
     installed.
  6.1 Enable DEBUG in the Makefile, remove checkpassword.o and compile
      checkpassword again; this is for debugging your LDAP setup. Use
      "make checkpassword" to compile checkpassword again.
      WARNING: don't make the debug version accessible to other users
  7. Create the LDAP user database and start the LDAP server
  8. Create the proper ~control/ldap* files for qldap
  9. Test, Debug and Enjoy!

CONFIG FILES:

~control/ldapserver
  Space separated list of hostnames or IP addresses of LDAP servers
  Required
  Example: ldap.nrg4u.com

~control/ldapbasedn
  The base DN from where the search in the LDAP tree begins
  Default: NULL
  Example: o=Internet Pipeline, c=CH
  Note: Referrals are ignored

~control/ldaplogin
  Username for the LDAP server connection
  Default: NULL
  Note: The user must have enough rights to look up all user information

~control/ldappassword
  Password for the LDAP server connection
  Default: NULL
  Note: The password is in clear text

~control/ldaplocaldelivery
  If on, qmail-lspawn and checkpassword look up the local passwd when the
  LDAP lookup finds nothing
  Default: enabled
  Example: 1
  Note: boolean, use 0 (zero) or 1 (one)

~control/ldapdefaultquota
  The default amount of space one user can use
  Default: unlimited
  Example: 1000
  Note: Is written in KBytes, is overridden by mailQuota

~control/ldapdefaultdotmode
  The default interpretation of .qmail files
  Default: ldaponly
  Example: both
  Values: both, dotonly, ldaponly, ldapwithprog, none
  Note: Works only for deliveries based on LDAP lookups

~control/ldapmessagestore
  The default added path for mailMessageStore without trailing /
  Default: NULL
  Example: /maildisk/
  Note: Used in virtual users environments; the / at the end is needed!
~control/ldapusername
  The default username used in virtual users environments
  Default: NULL
  Example: popusers
  Note: Must be an existing username

~control/ldapuid
  The default UID used in virtual users environments
  Default: NULL
  Example: 1010
  Note: Must match the username, must be above 100

~control/ldapgid
  The default GID used in virtual users environments
  Default: NULL
  Example: 1010
  Note: Must match the username, must be above 100

~control/custombouncetext
  Additional custom text in bounce messages, e.g. for providing contact
  information of your ISP or messages in your language
  Default: NULL
  Example: You can contact us at (555) 555 5555
  Note: Multiline

~control/quotawarning
  Custom text in the quota warning message, e.g. for providing contact
  information of your ISP
  Default: NULL
  Example: You can contact us at (555) 555 5555
  Note: Multiline. Needs to be present to make qmail-quotawarn work

~control/ldappasswdappend
  XXX: not the right thing, will be removed sometime.
  The default appendix to homedir paths from local passwd lookups
  Default: ./
  Example: ./Maildir/
  Note: Only needed if you start qmail with something else and overwrite
  this with a .qmail file in every homedir

~control/tarpitcount
  Tarpitcount is the number of RCPT TOs you accept before you start
  tarpitting
  Default: 0 (which means no tarpitting)
  Example: 5
  Note: You can override tarpitcount by setting TARPITCOUNT in qmail-smtpd's
  environment (with tcpserver).

~control/tarpitdelay
  Tarpitdelay is the number of seconds of delay to introduce after each
  subsequent RCPT TO.
  Default: 5
  Example: 10
  Note: You can override tarpitdelay by setting TARPITDELAY in qmail-smtpd's
  environment (with tcpserver).

~control/badrcptto
  This file lists recipient addresses that should be rejected.
  Default: none
  Example: user@domain or @domain
  Note: This can be useful if a spammer sends lots of messages to a
  nonexistent user from an invalid address, as otherwise postmaster will
  get lots of double bounces.
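The per-recipient checks that badrcptto, tarpitcount and tarpitdelay configure, modelled as an added Python example (this is not qmail-smtpd code; the case-insensitive matching, counting only accepted recipients towards tarpitcount, and the function names are assumptions):

```python
# Added example (not qmail-ldap code): models the per-recipient checks that
# ~control/badrcptto, ~control/tarpitcount and ~control/tarpitdelay configure
# in qmail-smtpd. Matching and counting rules are assumptions, not taken from
# the qmail-ldap sources.
import os

# Constructed ~control/badrcptto contents: one full address, one whole domain.
BADRCPTTO = ["spamtrap@example.com", "@old.example.org"]


def badrcptto_match(rcpt: str, entries=BADRCPTTO) -> bool:
    """True if rcpt is listed as user@domain, or its domain is listed as
    @domain. Comparison is case-insensitive (assumption)."""
    rcpt = rcpt.lower()
    domain = rcpt[rcpt.find("@"):] if "@" in rcpt else ""
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("@"):
            if domain == entry:
                return True
        elif rcpt == entry:
            return True
    return False


def tarpit_settings(control_count=0, control_delay=5, env=None):
    """Resolve tarpitcount/tarpitdelay: the TARPITCOUNT and TARPITDELAY
    environment variables (set e.g. by tcpserver) override the control files."""
    env = os.environ if env is None else env
    return int(env.get("TARPITCOUNT", control_count)), int(env.get("TARPITDELAY", control_delay))


def rcpt_session(rcpts, tarpitcount, tarpitdelay):
    """Walk a sequence of RCPT TO addresses from one SMTP session. Returns
    (accepted, rejected, total_delay_seconds). Only accepted recipients count
    towards tarpitcount (assumption); tarpitcount 0 disables tarpitting."""
    accepted, rejected, total = [], [], 0
    for rcpt in rcpts:
        if badrcptto_match(rcpt):
            rejected.append(rcpt)
            continue
        accepted.append(rcpt)
        if tarpitcount and len(accepted) > tarpitcount:
            total += tarpitdelay  # qmail-smtpd would sleep() here before answering
    return accepted, rejected, total


if __name__ == "__main__":
    count, delay = tarpit_settings(control_count=2, control_delay=5, env={"TARPITCOUNT": "3"})
    print(rcpt_session(["a@x.org", "Spamtrap@Example.com", "b@x.org", "c@old.example.org", "d@x.org", "e@x.org"], count, delay))
```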
~control/dirmaker
  Absolute path to your program/script that creates missing homedirs
  Default: none (off)
  Example: /var/qmail/bin/create_homedir
  Note: the script is executed after the setuid/gid; it is not running as
  root for security reasons. The command is executed with execve, not
  system (so "mkdir --mode=700 -p" does not work!), use a shell script.
  $1 is the homedir path and $2 is aliasempty.
  Possible very simple shell script:
  -cut-
  #!/bin/sh
  # $1 is the homedir path handed over by qmail-lspawn; quote it so that
  # paths containing spaces are created correctly
  mkdir -m 700 -p "$1"
  #EOF
  -cut-

DEFAULT LDAP PARAMETER FIELDS:

NOTE: keywords have to match exactly, so pay attention. All field names
and keywords can be changed at compile time. Just have a look at
qmail-ldap.h.

mail
  The user's email address
  Required
  Example: jdoe@foo.bar

mailAlternateAddress
  Secondary (alias) mail addresses for the same user
  Example: jd@foo.bar

qmailUser
  Username of the user on the mail system
  Example: jdoe
  Note: Can be omitted in a virtual users environment

qmailUID
  UID of the user on the mail system
  Example: 1010
  Note: Can be omitted in a virtual users environment

qmailGID
  GID of the user on the mail system
  Example: 1010
  Note: Can be omitted in a virtual users environment

mailMessageStore
  Path to the maildir/mbox on the mail system
  Example: /home/jdoe/
  Note: Can be written relative in a virtual users environment
  XXX: at the moment mailMessageStore has to point to a directory and has
  to end with a / (for checkpassword only). So mail files are possible only
  via the aliasempty argument of qmail-lspawn

mailQuota
  The amount of space the user can use until all further messages get
  bounced
  Example: 1000
  Note: In KBytes, overrides ldapdefaultquota

mailForwardingAddress
  Addresses to forward all incoming messages to, multi field
  Example: jdoe@new.place

mailHost
  On which qmail server the message store of this user is located
  Example: qmail3.nrg4u.com
  Note: Must be equal to the ~control/me hostname on the home server of the
  user.
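A worked example of the filter escaping question raised under NEWS and INSTALL step 5 for the lookup on mail and mailAlternateAddress, added here and not taken from the qmail-ldap sources; the filter shape and the function names are assumptions:

```python
# Added example (not qmail-ldap code): the lookup on mail / mailAlternateAddress
# is built from an address that arrives over the network, so filter
# metacharacters in it must be neutralised. Shows RFC 2254 escaping next to the
# -DLDAP_ESCAPE_BUG hack from NEWS. Filter shape and names are assumptions.

# RFC 2254 escape sequences for characters that are special in a filter value.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Standard escaping: each special character becomes a \\xx hex sequence,
    so '*' is matched literally instead of acting as a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def escape_bug_value(value: str) -> str:
    """The -DLDAP_ESCAPE_BUG variant described under NEWS: wildcards are not
    escaped but replaced with '_' (a literal in filters), because the affected
    servers mishandle \\2a. The other special characters are assumed to be
    escaped as usual."""
    return escape_filter_value(value.replace("*", "_"))


def lookup_filter(address: str, escape=escape_filter_value) -> str:
    """Filter for one recipient, matching the mail or mailAlternateAddress
    attribute. Passed through unescaped, an address such as '*@example.com'
    would match every user of the domain."""
    v = escape(address)
    return f"(|(mail={v})(mailAlternateAddress={v}))"


if __name__ == "__main__":
    for addr in ("jdoe@foo.bar", "*@example.com", "*)(uid=*"):
        print(lookup_filter(addr))
        print(lookup_filter(addr, escape_bug_value))
```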
deliveryProgramPath
  Program to execute with all incoming messages, multi field
  Example: /usr/bin/program -c -s
  Note: the same as |/usr/bin/program -c -s in .qmail. Works only with
  qmailDotMode set to ldapwithprog or both; with ldaponly set,
  deliveryProgramPath is silently ignored

deliveryMode
  Multi field entries of these keywords:
  - normal: resets to the normal .qmail behavior (Maildir/box delivery
    only if no forwards or programs are executed)
  - forwardonly: equal to setting the execute bit of .qmail, so only
    forwards are allowed
  - nombox: ignore all maildir/mbox deliveries
  - localdelivery: forces maildir/mbox delivery (into $HOME/$ALIASEMPTY)
  - reply: also send an auto-reply mail with the text from mailReplyText
  - echo: something very strange, just echo the message (nothing else)
  Default: no QMAILMODE is equal to QMAILMODE=normal; other stuff is
  ignored (with a warning)
  Note: echo exits immediately after the "echoing" (only useful for testing
  purposes). reply is executed directly and does not interfere with the
  other settings. "normal", "nombox", "localdelivery" and "forwardonly"
  are set one after the other (i.e. "nombox,localdelivery,normal" resets
  to a "normal" delivery). There is some strange behavior when
  localdelivery and nombox/forwardonly are set, so handle them with care.

mailReplyText
  A reply text for every incoming message (multiline)
  Example: I'm on vacation until next monday
  Note: works only if deliveryMode is set to reply

qmailDotMode
  The default interpretation of .qmail files
  Values: both, dotonly, ldaponly, ldapwithprog, none (just Maildir/box
  delivery)
  Default: set by file ~control/ldapdefaultdotmode
  Note: Works only for deliveries based on LDAP lookups, overrides
  ldapdefaultdotmode

uid
  The username for POP3 delivery
  Example: jdoe

userPassword
  The password for POP3 delivery
  Example: testit
  Note: Can be encrypted with {SHA}, {MD4}, {MD5}, {NS-MTA-MD5}, {crypt}
  or crypt/cleartext (but should not be used)

accountStatus
  The status of a user account.
  Values: active (no restrictions), nopop (only mail delivery but no POP
  access), disabled (bounce incoming messages)
  Default: no accountStatus is equal to active

EXAMPLE QLDAP LDIF FILE:

dn: cn=Andre Oppermann, o=Internet Pipeline, c=CH
cn: Andre Oppermann
sn: Oppermann
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: qmailUser
mail: opi@opi.flirtbox.ch
mailHost: opi.flirtbox.ch
mailMessageStore: /usr/home/opi/Maildir/
mailQuota: 1000
qmailUser: opi
qmailUID: 1001
qmailGID: 1001
uid: opi
userPassword: {MD5}b28a87511da157f147ed4766b0474a8a

EXAMPLE SLAPD.CONF FILE:

include         /usr/local/etc/ldap/slapd.at.conf
include         /usr/local/etc/ldap/slapd.oc.conf
schemacheck     on
#referral       ldap://ldap.itd.umich.edu

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "o=Internet Pipeline, c=CH"
directory       /var/qmail/users
rootdn          "cn=root, o=Internet Pipeline, c=CH"
rootpw          secret
index           mail,mailAlternateAddress,uid
index           default none

ADD THIS SCHEMA TO SLAPD.OC.CONF:

objectclass qmailUser
        requires
                objectclass,
                mail,
                mailMessageStore,
                uid,
                userPassword
        allows
                mailAlternateAddress,
                qmailUser,
                qmailUID,
                qmailGID,
                mailQuota,
                mailForwardingAddress,
                mailHost,
                deliveryProgramPath,
                deliveryMode,
                mailReplyText,
                qmailDotMode,
                accountStatus
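An added Python example (not qmail-ldap's checkpassword) of checking a candidate password against a userPassword value in the {scheme}digest form the LDIF above uses; that checkpassword accepts hex digests (as in the LDIF) as well as RFC 2307 base64 is an assumption, and {crypt}, {MD4} and {NS-MTA-MD5} are not covered:

```python
# Added example (not qmail-ldap code): verifies and produces userPassword
# values of the form {SCHEME}digest. Digests are accepted as hex (as in the
# LDIF example) or base64 (RFC 2307); which of the two checkpassword accepts
# is an assumption. {crypt}, {MD4} and {NS-MTA-MD5} are left out.
import base64
import hashlib
import hmac

_SCHEMES = {"{MD5}": "md5", "{SHA}": "sha1"}


def _decode_digest(text: str, size: int) -> bytes:
    """Accept either a hex or a base64 encoding of a digest of `size` bytes."""
    try:
        raw = bytes.fromhex(text)
        if len(raw) == size:
            return raw
    except ValueError:
        pass
    raw = base64.b64decode(text, validate=True)
    if len(raw) != size:
        raise ValueError("digest has wrong length for the scheme")
    return raw


def verify_userpassword(stored: str, candidate: str) -> bool:
    """True if candidate matches stored. Values without a {scheme} prefix are
    cleartext; the page allows them but says they should not be used."""
    for prefix, algo in _SCHEMES.items():
        if stored.startswith(prefix):
            digest = hashlib.new(algo, candidate.encode()).digest()
            expected = _decode_digest(stored[len(prefix):], len(digest))
            return hmac.compare_digest(digest, expected)  # constant-time compare
    if stored.startswith("{"):
        raise NotImplementedError("scheme not handled: " + stored.split("}")[0] + "}")
    return hmac.compare_digest(stored.encode(), candidate.encode())


def make_userpassword(password: str, scheme: str = "{MD5}", hex_form: bool = True) -> str:
    """Produce a value in the same form, e.g. for an LDIF file like the one above."""
    digest = hashlib.new(_SCHEMES[scheme], password.encode()).digest()
    return scheme + (digest.hex() if hex_form else base64.b64encode(digest).decode())


if __name__ == "__main__":
    stored = make_userpassword("testit")
    print(stored, verify_userpassword(stored, "testit"), verify_userpassword(stored, "wrong"))
```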