Bind openLDAP Postfix dovecot-sasl Dovecot Roundcube

Installing a mailserver is a quite complex matter because several components are involved. Since there are many different operational scenarios, there are many different possible configurations, thus lots of different howtos around the internet. In this howto I’m going to describe the basic configuration of a mail server which has the following characteristics:

  • Everything runs on CentOS 6.7
  • All software packages are taken from the repository (no compiling necessary)
  • The server is directly connected to the internet using a static IP address
  • Users don’t have system accounts on the Unix machine
  • User accounts are virtual accounts stored in an LDAP
  • Users with a valid LDAP account can …
    • Send and receive mail via POP3/IMAP
    • Send and receive mail via Web Interface

Spam and virus protection (amavis, clamav, spamassassin) is not covered by this howto.

Graphical overview of the set-up:


These are the necessary components:

  • Postfix as MTA (Mail Transfer Agent) –> This is the SMTP server. It accepts incoming mail (after a successful LDAP lookup of the recipient address) and passes it to Dovecot. It forwards outgoing mail (after the user successfully authenticated) to the next responsible SMTP server.
  • Dovecot as LDA (Local Delivery Agent) –> This is the POP3 and IMAP server. It accepts incoming mail from Postfix and stores it in virtual mailboxes. It is connected to the LDAP for user authentication and lookups.
  • Cyrus SASL –> Provides authentication for the SMTP server (since users are only allowed to send mail after they authenticated). User and password verification is done via LDAP.
  • LDAP –> This is the directory service that stores the (virtual) user accounts for the mail server. It uses the postfix-book schema. [UPDATE 2017-11-17: The original postfix-book schema seems to be no longer available, but there is one on Github]
  • Roundcube –> This is a web interface that lets users access their mail via web browser instead of a mail client (Mail User Agent). In addition to a webserver (e.g. Apache) Roundcube requires a database to store user settings (e.g. MySQL).

For this howto, everything runs on a single machine. In real life (especially when you have to deal with a lot of users), it might be better to have dedicated machines for certain services. If you use dedicated machines, however, you have to make sure that the communication between them is secure!

Basic Prerequisites

1. Connectivity

The server must be connected to the internet and should be accessible through the following ports:

  • 25 (SMTP)
  • 80 (HTTP)
  • 110 (POP3)
  • 143 (IMAP)
  • 443 (HTTPS)

If you have any firewalls, don’t forget to open the necessary ports.

2. System Time

The server should have an accurate system time, e.g. by using NTP.

3. Hostname

The server needs a fully-qualified hostname (e.g. mail.example.com), because otherwise foreign mail servers might not accept mail from it. This can be checked with the following command: hostname -f

The hostname can be configured in the following config files:

  • /etc/hostname
  • /etc/hosts

4. DNS Resolution

The server must be configured to use a working DNS server. Traditionally, DNS servers have to be added to /etc/resolv.conf, but on Ubuntu these are configured via the Network Manager. Preferably by using the GUI, or by manually editing the config file in /etc/NetworkManager/system-connections.

5. DNS Records

The hostname needs to be resolvable in both directions (hostname –> ip & ip –> hostname), so your provider needs to set the following DNS Records for you:

  • A Record (forward lookup, resolves a hostname to an IPv4 address)
  • AAAA Record (forward lookup, resolves a hostname to an IPv6 address)
  • PTR Record (reverse lookup, resolves an IP address to a hostname)
  • MX Record (provides the hostname of a domain’s mail server)

This can be checked with the following commands:

dig mail.example.com A +short      # should return your server's IPv4 address
dig mail.example.com AAAA +short   # should return your server's IPv6 address, if configured
dig -x <your server IP> +short     # should return your fully-qualified hostname
dig example.com MX +short          # should return your mail server's fully-qualified hostname

6. Logging

For troubleshooting it is important that the logging service is working. This is rsyslogd by default, the configuration can be found in /etc/rsyslog.d. By default, mail-related log will go to /var/log/mail.log.

refer link: http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/

Install DNS

sudo yum install -y bind bind-chroot bind-utils

sudo service named start

sudo tail -n 100 /var/log/messages

sudo vim /etc/named.rfc1912.zones

...

zone "tst.com" IN {
        type master;
        file "named.tst.com";
        allow-update { none; };
};

zone "ttt.com" IN {
        type master;
        file "named.ttt.com";
        allow-update { none; };
};

sudo cp /var/named/named.localhost /var/named/named.tst.com

sudo ls -al /var/named

sudo vim /var/named/named.tst.com

$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       10.20.0.30
        AAAA    ::1
        MX      10 exchange1.tst.com.
exchange1.tst.com. A 10.20.0.30

sudo cp /var/named/named.tst.com /var/named/named.ttt.com

sudo chown root.named /var/named/named.tst.com

sudo chown root.named /var/named/named.ttt.com

sudo vim /etc/resolv.conf

# Generated by NetworkManager
search tst.com
nameserver 127.0.0.1
nameserver 10.10.0.28

sudo service named restart

dig -t mx ttt.com

dig -t mx tst.com

DNS configuration notes

Add the domain's A record and the reverse-lookup (PTR) configuration

sudo vim named.rfc1912.zones

zone "webdev06.ttt.com." IN {
  type master;
  file "webdev06.ttt.com.zone";
  allow-update { none; };
}; 

zone "0.20.10.in-addr.arpa" IN {
  type master;
  file "0.20.10.zone";
  allow-update { none; };
}; 

Create the zone files under /var/named

cp -a named.localhost webdev06.ttt.com.zone
cp -a named.localhost 0.20.10.zone

vim webdev06.ttt.com.zone

@        NS    webdev06.sstparts.com.
ns       A     10.3.0.6
mail     A     10.3.0.6
@        MX    10   webdev06.sstparts.com.

If the domain has only one mail server, the MX preference can be anything (there is only one anyway). 1 is the highest priority and 50 the lowest; when the higher-priority host cannot be resolved, the lower-priority one is tried.

vim 0.20.10.zone

@        NS    webdev06.sstparts.com.
6        PTR   webdev06.sstparts.com.

After the A and MX records are in place, add a TXT record as the SPF (Sender Policy Framework) record. The record syntax is documented at http://www.openspf.org/SPF_Record_Syntax.
The meaning is: apart from the hosts in my A and MX records, any other host that sends mail for this domain is forging it.
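To make the two DNS requirements above concrete (forward records that resolve, and an SPF record that names only the A and MX hosts as legitimate senders), here is an added example that is not part of the original post: it parses a zone file in the same BIND format as named.tst.com and evaluates a "v=spf1 a mx -all" record against it. The zone text is constructed after named.tst.com; its TXT record and the extra mail host are assumptions, and only the SPF mechanisms such a record needs (a, mx, ip4, all) are implemented.

```python
# Added example (not part of the original post): parse a BIND zone file in
# the format used above and evaluate an SPF record against it. The zone
# text is constructed; its TXT record and the 'mail' host are assumptions.
from ipaddress import ip_address, ip_network


def parse_zone(text, origin):
    """Return {(fqdn, TYPE): [rdata, ...]}. Handles ';' comments, $-directives
    (skipped), parenthesised multi-line SOA records, '@', owners omitted on
    indented lines, and relative names, which are qualified with the origin."""
    origin = origin.rstrip('.').lower()

    def qualify(name):
        if name == '@':
            return origin
        return name[:-1].lower() if name.endswith('.') else f'{name}.{origin}'.lower()

    records, buf, depth, indented = [], [], 0, False   # first pass: join records
    for raw in text.splitlines():
        line = raw.split(';', 1)[0]
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()
        buf.append(line.strip())
        depth += line.count('(') - line.count(')')
        if depth == 0:
            records.append((indented, ' '.join(buf)))
            buf = []

    zone, owner = {}, origin
    for indented, rec in records:
        tokens = rec.split()
        if tokens[0].startswith('$'):
            continue
        if not indented:                         # explicit owner on this line
            owner = qualify(tokens.pop(0))
        while tokens[0].upper() == 'IN' or tokens[0].isdigit():
            tokens.pop(0)                        # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == 'MX':
            value = (int(rdata[0]), qualify(rdata[1]))
        elif rtype == 'TXT':
            value = ' '.join(rdata).strip('"')
        else:                                    # NS/PTR: a name; A/AAAA/SOA: text
            value = qualify(rdata[0]) if rtype in ('NS', 'PTR') else ' '.join(rdata)
        zone.setdefault((owner, rtype), []).append(value)
    return zone


def check_spf(zone, domain, sender_ip):
    """Return none, pass, fail, softfail, neutral or permerror for mail from
    sender_ip that claims to come from domain."""
    domain, ip = domain.rstrip('.').lower(), ip_address(sender_ip)
    spf = next((t for t in zone.get((domain, 'TXT'), []) if t.startswith('v=spf1')), None)
    if spf is None:
        return 'none'
    results = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}

    def host_has_ip(name):
        addrs = zone.get((name, 'A'), []) + zone.get((name, 'AAAA'), [])
        return any(ip_address(a) == ip for a in addrs)

    for term in spf.split()[1:]:
        qualifier = '+'
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(':')
        target = arg.rstrip('.') or domain
        if mech == 'all':
            matched = True
        elif mech == 'ip4':
            matched = ip in ip_network(arg, strict=False)
        elif mech == 'a':
            matched = host_has_ip(target)
        elif mech == 'mx':
            matched = any(host_has_ip(host) for _, host in zone.get((target, 'MX'), []))
        else:
            return 'permerror'                   # include/exists/... not implemented here
        if matched:
            return results[qualifier]
    return 'neutral'                             # record ended without an 'all' term


# Constructed zone modelled on named.tst.com above, plus an SPF TXT record.
ZONE_TEXT = """\
$TTL 1D
@       IN SOA  @ rname.invalid. ( 0 1D 1H 1W   ; serial refresh retry expire
                                  3H )          ; minimum
        NS      @
        A       10.20.0.30
        MX      10 exchange1.tst.com.
        TXT     "v=spf1 a mx -all"
exchange1       A       10.20.0.30
mail            A       10.20.0.31
"""
TST_ZONE = parse_zone(ZONE_TEXT, 'tst.com')

if __name__ == '__main__':
    for ip in ('10.20.0.30', '10.20.0.31', '192.0.2.7'):
        print(f'{ip:>12}  {check_spf(TST_ZONE, "tst.com", ip)}')
```

Running it shows the policy at work: 10.20.0.30 passes (it is the zone's A and MX host), while 10.20.0.31, although it is a host in the same zone, fails because it appears in neither record, exactly like an outside address. A receiving server that enforces SPF would reject or mark such mail, which is the protection the TXT record buys.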

Start the named service

sudo chkconfig named on
sudo service named start

Test

dig -t mx webdev06.ttt.com

Configure OpenLDAP

First install OpenLDAP and phpLDAPadmin; see the OpenLdap notes

To be able to create mailbox accounts, the following changes are needed

sudo vim /usr/local/etc/openldap/slapd.conf

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema

...

database        mdb
maxsize         1073741824
suffix          "dc=webdev06,dc=sstparts,dc=com"
rootdn          "cn=Manager,dc=webdev06,dc=sstparts,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}e8yXV//3JJQv+SJpgN5UArhb1QGQ79EG
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /usr/local/var/openldap-data
# Indices to maintain
index   objectClass     eq

loglevel -1

password-hash   {SSHA}

Note: the include lines load the required schemas; only then can phpLDAPadmin create mailbox accounts with objectClass=inetOrgPerson through its 'Courier Mail: Account' template.

A Postfix-related schema is available at: https://github.com/variablenix/ldap-mail-schema

Configure Postfix

First install Postfix; see the Postfix notes

sudo yum install postfix postfix-ldap

Postfix divides domains into the following classes:

Canonical domains: the hostnames and IP addresses of the machine running Postfix, or its parent domains, are called canonical domains.
In Postfix, canonical domains are implemented as the local_domain class.

Hosted domains: domains for which this server is the final destination but which are not canonical are called hosted domains.
In Postfix, hosted domains are implemented as virtual_alias_domain or virtual_mailbox_domain.

Relay domains: domains for which this server is not the final destination and for which it forwards mail are called relay domains.
In Postfix, relay domains are implemented as relay_domain.

Create the vmail directory under /usr/local to hold the Maildir-format mailboxes

sudo mkdir /usr/local/vmail
sudo chmod 700 /usr/local/vmail

Because virtual users are used as mail accounts, create a system account that they are mapped to, so that all mail is collected under that system user's home directory

sudo groupadd --gid 5000 vmail
sudo useradd -s /sbin/nologin --group vmail --gid 5000 --uid 5000 --home-dir /usr/local/vmail vmail

sudo vim /etc/postfix/main.cf

###############################
# basic
###############################

myhostname = webdev06.ttt.com
mydomain = webdev06.ttt.com
myorigin = $mydomain
mydestination =
#mynetworks = 10.20.0.0/24 127.0.0.1/8
mynetworks_style = host
debug_peer_level = 1024
inet_interfaces = all
# mail_spool_directory = /var/spool/mail
home_mailbox = Maildir/
smtpd_banner = Welcome using Postfix Esmtp Service

###############################
# sasl auth & smtp auth
###############################
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, 
message_size_limit = 157286400
mailbox_size_limit = 314572800

###############################
# virtual for using ldap accounts
###############################

virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_base = /usr/local/vmail
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_limit = 314572800

Note: mydestination must remain empty; otherwise Postfix uses its own LDA to deliver the mail, whereas here Dovecot is the LDA for the virtual domains.

Because virtual_transport is dovecot, i.e. Dovecot delivers to the virtual mailboxes, the dovecot service definition must be appended at the end of master.cf

sudo vim /etc/postfix/master.cf

dovecot   unix  -       n       n       -       -       pipe
  flags=ODRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -e -f ${sender} -d ${recipient}

sudo vim /etc/postfix/virtual_domains

webdev06.ttt.com   OK

sudo vim /etc/postfix/ldap_virtual_aliases.cf

bind = yes
bind_dn = cn=Manager,dc=webdev06,dc=ttt,dc=com
bind_pw = asdf
server_host = 127.0.0.1
search_base = dc=webdev06,dc=ttt,dc=com
query_filter = (&(|(objectClass=inetOrgPerson)(objectClass=posixGroup))(cn=%s))
result_attribute = memberUid,alias
result_format = %s

Test:

postmap -q <mail address> ldap:/etc/postfix/ldap_virtual_aliases.cf

If the lookup works, it returns the address.

Restart Postfix

sudo service postfix restart

Configure Postfix TLS

With the current configuration, the mail server only offers plaintext (and login) authentication. This is good, because all clients support this and the passwords can be stored encrypted in the LDAP. Other authentication methods would require storing the passwords in plaintext. To make the authentication process secure (and not have the passwords transferred in plaintext) the session needs to be encrypted: this is done with TLS.

1. Certificate Files & Permissions

Save your certificate and key files in /etc/postfix/certs (see main.cf for filenames). Also save the Diffie-Hellman files (for perfect forward secrecy) in this folder. These can be created as follows:

openssl dhparam -2 -out dh_512.pem 512

openssl dhparam -2 -out dh_1024.pem 1024

Set the permissions to:

chown -R root:root /etc/postfix/certs/

chmod -R 600 /etc/postfix/certs/

2. Activate TLS

sudo vim /etc/postfix/main.cf

smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
tls_random_source = dev:/dev/urandom
smtpd_tls_loglevel = 2
smtpd_client_new_tls_session_rate_limit = 10
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_session_cache
smtpd_tls_exclude_ciphers = EXP
    ECH-RSA-DES-CBC-SHA
    ADH-DES-CBC-SHA
    DES-CBC-SHA
    SEED-SHA
smtpd_tls_dh512_param_file = ${config_directory}/certs/dh_512.pem
smtpd_tls_dh1024_param_file = ${config_directory}/certs/dh_1024.pem

Note: /etc/ssl/certs/ca-bundle.crt is the system's own CA bundle; smtpd_tls_cert_file and smtpd_tls_key_file reuse Dovecot's certificate and key files

sudo vim /etc/postfix/master.cf

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Note: the line -o smtpd_client_restrictions=permit_sasl_authenticated,reject must remain commented out; otherwise errors like the following may occur:
Client host rejected: Access denied

3. TLS Test

With the following command you can connect to the server using STARTTLS:

openssl s_client -CAfile certs/example-cacert.pem -starttls smtp -connect localhost:25

Then you can talk to the server like in a Telnet session, but do not type a capital “R” since this will trigger a Renegotiation. If you want to send a mail, use “rcpt to:” instead of “RCPT TO:”.

This also works from external hosts (just change the -connect value to your mail server name). The -CAfile parameter is optional and can be omitted for a quick test.

You can also test with a Foxmail account: set the port to 465 and tick Secure Connection; if mail can be sent, it works.
The log then shows:

sudo tail -n 50 /var/log/maillog

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: initializing the server-side TLS engine

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: request to update table btree:/etc/postfix/smtpd_session_cache in non-postfix directory /etc/postfix

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_session_cache

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: connect from unknown[10.3.1.62]

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: setting up TLS connection from unknown[10.3.1.62]

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!EXP:!ECH-RSA-DES-CBC-SHA:!ADH-DES-CBC-SHA:!DES-CBC-SHA:!SEED-SHA"

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:before/accept initialization

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client hello B

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server hello A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write certificate A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write key exchange A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write server done A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read client key exchange A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 read finished A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write change cipher spec A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 write finished A

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: SSL_accept:SSLv3 flush data

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: unknown[10.3.1.62]: save session D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps to smtpd cache

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: put smtpd session id=D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps [data 153 bytes]

Apr 18 16:10:17 webdev06 postfix/tlsmgr[10219]: write smtpd TLS cache entry D61301D600CA2B2CA8572CAA30604180F5AD4803703CED14B5DA7F2318C7D206&s=smtps: time=1524039017 [data 153 bytes]

Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: Anonymous TLS connection established from unknown[10.3.1.62]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
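The last line of that log is the one worth reading on a regular basis: it records the protocol version and cipher each client negotiated (here TLSv1 with DHE-RSA-AES256-SHA). The following added example, which is not part of the original post nor of Postfix, extracts those handshake lines from maillog and flags legacy protocols and weak cipher families. The sample lines are constructed: the second is the line from the log above, the others are made up in the same format so that a modern handshake and a plain connection appear for comparison.

```python
# Added example, not part of the original post or of Postfix: summarise the
# 'TLS connection established' lines smtpd writes to /var/log/maillog and
# flag handshakes that use a legacy protocol or a weak cipher.
import re

TLS_LINE = re.compile(
    r'postfix/smtpd\[(?P<pid>\d+)\]: '
    r'(?P<peer_status>Anonymous|Untrusted|Trusted|Verified) TLS connection established '
    r'from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: '
    r'(?P<protocol>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)')

LEGACY_PROTOCOLS = {'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'}
# Cipher-name components that mark export, unauthenticated or broken suites.
WEAK_CIPHER_PARTS = {'EXP', 'NULL', 'ADH', 'AECDH', 'RC4', 'DES', 'MD5'}


def parse_tls_sessions(lines):
    """Return one dict per handshake line; lines that are not handshakes are skipped."""
    sessions = []
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue
        s = m.groupdict()
        for field in ('pid', 'bits', 'algbits'):
            s[field] = int(s[field])
        s['issues'] = []
        if s['protocol'] in LEGACY_PROTOCOLS:
            s['issues'].append(f"legacy protocol {s['protocol']}")
        if WEAK_CIPHER_PARTS & set(s['cipher'].split('-')):
            s['issues'].append(f"weak cipher {s['cipher']}")
        # peer_status 'Anonymous' only says the client presented no certificate,
        # which is normal for a mail client; the cipher itself is judged above.
        sessions.append(s)
    return sessions


def summarise(lines):
    """Count handshakes per protocol and list the peers whose handshake had issues."""
    sessions = parse_tls_sessions(lines)
    by_protocol = {}
    for s in sessions:
        by_protocol[s['protocol']] = by_protocol.get(s['protocol'], 0) + 1
    flagged = [(s['ip'], s['issues']) for s in sessions if s['issues']]
    return {'sessions': len(sessions), 'by_protocol': by_protocol, 'flagged': flagged}


# Constructed sample: line 2 is the handshake from the log above, the rest are made up.
SAMPLE_LOG = [
    "Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: connect from unknown[10.3.1.62]",
    "Apr 18 16:10:17 webdev06 postfix/smtpd[10217]: Anonymous TLS connection established "
    "from unknown[10.3.1.62]: TLS​v1 with cipher DHE-RSA-AES256-SHA (256/256 bits)".replace('\u200b', ''),
    "Apr 18 16:12:03 webdev06 postfix/smtpd[10230]: Anonymous TLS connection established "
    "from client.example.net[192.0.2.25]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Apr 18 16:13:41 webdev06 postfix/smtpd[10233]: Untrusted TLS connection established "
    "from mx.example.org[198.51.100.9]: TLSv1 with cipher RC4-SHA (128/128 bits)",
    "Apr 18 16:15:00 webdev06 postfix/smtpd[10240]: connect from relay.example.com[203.0.113.4]",
]

if __name__ == '__main__':
    for key, value in summarise(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

On a live server the same function can be fed `sudo tail -n 5000 /var/log/maillog`; a growing count of legacy-protocol or weak-cipher handshakes tells you which clients still need updating before those protocols are disabled in main.cf.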

Configure Postfix SMTP authentication

SMTP authentication simply means that a username and password must be supplied before the SMTP server can be used, which leaves spammers no opening.
SMTP authentication is added so that users are spared spam.

SASL (Simple Authentication and Security Layer), described in RFC 2222, is an authentication framework: a method of adding authentication support to connection-based protocols. With SASL, the application-layer protocol inserts authentication commands to obtain access authorization from the server, and can also negotiate whether the subsequent exchange uses a security layer. SASL has several implementations; on Linux the usual one is Cyrus SASL from Carnegie Mellon University (CMU).

Check which SASL implementations Postfix supports:

# postconf -a
cyrus
dovecot

So the current Postfix version supports two SASL implementations, Cyrus SASL and Dovecot SASL.

Configure cyrus-sasl to authenticate against LDAP

saslauthd is the Cyrus SASL daemon. Check the mode the running saslauthd is using:

# ps awx|grep sasl
3244 ?        Ss     0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow sasldb
...

Two parameters are involved here:

-m sets saslauthd's working directory; -a sets its authentication mechanism.

Above, the working directory is /var/run/saslauthd and the mechanism is shadow.

saslauthd's runtime parameters can be changed in /etc/sysconfig/saslauthd:

sudo vim /etc/sysconfig/saslauthd

SOCKETDIR=/var/run/saslauthd
MECH=ldap
FLAGS=

This file holds a few common parameters: SOCKETDIR sets the working directory (the socket path saslauthd listens on), i.e. the path passed with -m, and MECH sets the mechanism passed with -a.

saslauthd normally communicates with other processes over a UNIX-domain socket, so the Postfix SMTP server must have read and execute permission on saslauthd's working directory:

ls -ld /var/run/saslauthd/

drwxr-xr-x 2 root root 4096 7月 28 18:02 /var/run/saslauthd/

Here is an example Cyrus SASL configuration for Postfix (on CentOS the file Postfix reads is /etc/sasl2/smtpd.conf):

log_level: 3
pwcheck_method: saslauthd
mech_list: plain login

pwcheck_method can be set to saslauthd or auxprop.

saslauthd is the most basic verification method. With pwcheck_method set to saslauthd, mech_list can only contain plain and login, and both of these mechanisms send the credentials unencrypted, so TLS should be used to protect them.

Use testsaslauthd to test saslauthd authentication:

testsaslauthd -u bailing -p MYCORRECTPWD
0: OK "Success."

If it is set to auxprop (Auxiliary Property Plugins), another option, auxprop_plugin, must be added. Cyrus SASL can be extended through libsasl plugins; see http://www.berlinix.com/net/postfix.php for details.

Edit /etc/saslauthd.conf. If saslauthd.conf does not exist, create it; it usually resides in /etc.
To use a different path, see the -O option of saslauthd.

sudo vim /etc/saslauthd.conf

ldap_servers: ldap://localhost
ldap_bind_dn: cn=Manager,dc=webdev06,dc=sstparts,dc=com
ldap_bind_pw: asdf
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: sub
ldap_search_base: dc=webdev06,dc=sstparts,dc=com
ldap_auth_method: bind
ldap_filter: (cn=%u)
ldap_debug: 0
ldap_verbose: off
ldap_ssl: no
ldap_starttls: no
ldap_referrals: yes

Start saslauthd:
sudo service saslauthd restart
sudo chkconfig saslauthd on

Test:

testsaslauthd -u lzhang -p asdfgh

0: OK "Success."

OK, cyrus-sasl authentication against LDAP works.

Note: because saslauthd's check is unencrypted, authentication does not succeed if the password in LDAP is not stored in cleartext.
For this reason the second method, dovecot-sasl, is recommended.

Configure Postfix for cyrus-SASL

sudo vim /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining
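Note that this restriction list, unlike the one in the basic main.cf earlier, contains no reject_unauth_destination. On a Postfix older than 2.10 (the 2.6 that CentOS 6 ships), which has no smtpd_relay_restrictions to fall back on, smtpd_recipient_restrictions is the only thing that stops outsiders from relaying through the server. The following added example, not part of the original post or of Postfix, reads a main.cf fragment and reports that condition together with the other setting this howto relies on, smtpd_tls_auth_only. The two configuration snippets at the bottom are constructed from the restriction lists shown on this page.

```python
# Added example, not part of the original post or of Postfix: a small audit of
# the relaying and SASL settings in a main.cf. Understands the main.cf format
# (key = value, whitespace-led continuation lines, '#' comments).
import re

# Either of these must appear in the restriction list or strangers can relay.
GUARDS = {'reject_unauth_destination', 'defer_unauth_destination'}
EXPECTED_PERMITS = {'permit_mynetworks', 'permit_sasl_authenticated'}


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace() and key is not None:
            params[key] = (params[key] + ' ' + raw.strip()).strip()
            continue
        key, _, value = raw.partition('=')
        key = key.strip()
        params[key] = value.strip()
    return params


def restriction_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [item for item in re.split(r'[\s,]+', value) if item]


def audit(params):
    """Return [(code, message)] findings.

    The relay check assumes a Postfix older than 2.10 (such as the 2.6 in
    CentOS 6), which has no smtpd_relay_restrictions: there the recipient
    restrictions alone decide who may relay. If smtpd_relay_restrictions is
    set explicitly, its list is considered as well.
    """
    findings = []
    rcpt = restriction_list(params.get('smtpd_recipient_restrictions', ''))
    relay = restriction_list(params.get('smtpd_relay_restrictions', ''))
    if not GUARDS & set(rcpt + relay):
        findings.append(('open-relay', 'no reject_unauth_destination in smtpd_recipient_restrictions '
                                       'or smtpd_relay_restrictions: anyone can relay through this host'))
    else:
        # A permit_* placed before the guard lets that whole client class relay.
        for lst in (rcpt, relay):
            guard_at = next((i for i, r in enumerate(lst) if r in GUARDS), len(lst))
            early = [r for r in lst[:guard_at] if r.startswith('permit') and r not in EXPECTED_PERMITS]
            if early:
                findings.append(('broad-permit', f'{early} relay before the unauth_destination check'))
    if params.get('smtpd_sasl_auth_enable') == 'yes' and params.get('smtpd_tls_auth_only') != 'yes':
        findings.append(('cleartext-auth', 'SASL enabled without smtpd_tls_auth_only = yes: PLAIN/LOGIN '
                                           'passwords are accepted on unencrypted sessions'))
    return findings


# Constructed from the dovecot-sasl main.cf in this howto, with TLS-only auth.
DOVECOT_SASL_CF = """\
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Constructed from the cyrus-SASL main.cf fragment above.
CYRUS_SASL_CF = """\
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_unauth_pipelining
"""

if __name__ == '__main__':
    for name, text in (('dovecot-sasl', DOVECOT_SASL_CF), ('cyrus-sasl', CYRUS_SASL_CF)):
        print(name, audit(parse_main_cf(text)) or 'no findings')
```

To run it against the live configuration, feed it the output of `postconf -n`, which prints the non-default settings one per line in the same key = value form.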

Configure dovecot-sasl to authenticate against LDAP

Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL as introduced in the Dovecot 1.0 series. If using Postfix obtained from a binary (such as a .rpm or .deb file), you can check if Postfix was compiled with support for Dovecot SASL by running the command:

postconf -a

Console output:

cyrus
dovecot

Once you have verified that your installation of Postfix supports Dovecot SASL, it's very simple to configure:

Add or change the following lines in main.cf to enable dovecot-sasl

sudo vim /etc/postfix/main.cf

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot set up an inet_listener:

service auth {
inet_listener {
port = 12345
}
}

And configure Postfix to use it:

smtpd_sasl_path = inet:dovecot.example.com:12345
smtpd_sasl_type = dovecot

That is all that is needed for dovecot-sasl authentication; the regular Dovecot configuration below (account verification, IMAP and POP) must still be completed.

Configure Dovecot

sudo vim /etc/dovecot/conf.d/10-master.conf

 service auth {
 ...
   unix_listener /var/spool/postfix/private/auth {
     mode = 0660
     # Assuming the default Postfix user and group
     user = postfix
     group = postfix        
   }
   ...
 }

Outlook Express and Windows Mail work only with the LOGIN mechanism, not the standard PLAIN:

auth_mechanisms = plain login

sudo vim /etc/dovecot/conf.d/10-auth.conf

!include auth-ldap.conf.ext

Create dovecot-ldap.conf.ext in /etc/dovecot. This file configures Dovecot's account verification;

it is the file that the userdb and passdb sections of /etc/dovecot/conf.d/auth-ldap.conf.ext point to, so it covers Postfix's SMTP authentication as well as IMAP and POP logins.

sudo vim /etc/dovecot/dovecot-ldap.conf.ext

hosts = localhost
dn = cn=Manager,dc=webdev06,dc=sstparts,dc=com
dnpass = asdf
ldap_version = 3
base = dc=webdev06,dc=sstparts,dc=com
scope = subtree
user_attrs = mailStorageDirectory=mail
user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(mail=%u))
default_pass_scheme = CRYPT

Note: mail=user makes Dovecot use the mail address as the user name for the user lookup and as the value of %u, so that the Maildir mailboxes under /usr/local/vmail are created under the fully domain-qualified name. The lzhang account's password in phpLDAPadmin must also be stored with CRYPT hashing.
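Both LDAP-backed password checks on this page (saslauthd's ldap_filter: (cn=%u) and Dovecot's pass_filter with mail=%u) follow the same pattern: substitute the login name into a search filter, find exactly one entry, then verify the password against the stored userPassword. The following added example, which is not part of the original post nor of Dovecot or Cyrus SASL, simulates that flow against an in-memory directory of constructed entries. It shows why the substituted value has to be escaped (an unescaped `*` turns the lookup into a match-everything filter) and how a `{SSHA}` value like the rootpw in slapd.conf above is verified; Dovecot accepts such values regardless of default_pass_scheme because the `{SSHA}` prefix names the scheme. The account names, passwords and salts are assumptions.

```python
# Added example, not part of the original post, of Dovecot or of Cyrus SASL:
# a simulation of the LDAP lookup + password check configured above, against
# an in-memory directory of constructed entries. Real deployments hand both
# steps to slapd; the point here is what %u substitution and the stored hash
# format do to the outcome.
import base64
import hashlib
import hmac
import os
import re
from fnmatch import fnmatchcase

# Dovecot's pass_filter from dovecot-ldap.conf.ext above.
PASS_FILTER = '(&(objectClass=inetOrgPerson)(mail=%u))'


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def make_ssha(password, salt=None):
    """{SSHA} as slapd's 'password-hash {SSHA}' stores it: b64(sha1(pw+salt)+salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return '{SSHA}' + base64.b64encode(digest + salt).decode()


def verify_ssha(stored, password):
    """Constant-time comparison of a password against a stored {SSHA} value."""
    if not stored.startswith('{SSHA}'):
        return False
    raw = base64.b64decode(stored[len('{SSHA}'):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


_EQUALITY = re.compile(r'\(([A-Za-z][\w-]*)=([^()]*)\)')


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry, filter_str):
    """Evaluate the AND-of-equalities filter shape used on this page for one entry.

    A bare '*' in an assertion value is a wildcard, as it is for an LDAP server;
    an escaped one (\\2a) is compared literally.
    """
    assertions = _EQUALITY.findall(filter_str)
    for attr, raw in assertions:
        values = entry.get(attr, [])
        values = [values] if isinstance(values, str) else values
        if '*' in raw:
            ok = any(fnmatchcase(v.lower(), raw.lower()) for v in values)
        else:
            ok = _unescape(raw).lower() in (v.lower() for v in values)
        if not ok:
            return False
    return bool(assertions)


def find_user(directory, login, escape=True):
    """Substitute the login for %u (escaped, as Dovecot does) and run the filter."""
    value = escape_filter_value(login) if escape else login
    filter_str = PASS_FILTER.replace('%u', value)
    return [e for e in directory if entry_matches(e, filter_str)]


def authenticate(directory, login, password):
    """Return the account's mail address on success, None otherwise."""
    entries = find_user(directory, login)
    if len(entries) != 1:                      # unknown user, or an ambiguous lookup
        return None
    return entries[0]['mail'] if verify_ssha(entries[0]['userPassword'], password) else None


# Constructed entries modelled on the inetOrgPerson accounts created with phpLDAPadmin.
# Salts are fixed so the hashes are reproducible; slapd would pick random ones.
DIRECTORY = [
    {'dn': 'cn=lzhang,dc=webdev06,dc=sstparts,dc=com',
     'objectClass': ['inetOrgPerson', 'organizationalPerson', 'person', 'top'],
     'cn': 'lzhang', 'mail': 'lzhang@webdev06.sstparts.com',
     'userPassword': make_ssha('correct horse battery', b'\x01\x02\x03\x04')},
    {'dn': 'cn=postmaster,dc=webdev06,dc=sstparts,dc=com',
     'objectClass': ['inetOrgPerson', 'organizationalPerson', 'person', 'top'],
     'cn': 'postmaster', 'mail': 'postmaster@webdev06.sstparts.com',
     'userPassword': make_ssha('another secret', b'\x05\x06\x07\x08')},
]

if __name__ == '__main__':
    print(authenticate(DIRECTORY, 'lzhang@webdev06.sstparts.com', 'correct horse battery'))
    print(authenticate(DIRECTORY, 'lzhang@webdev06.sstparts.com', 'wrong password'))
    print(len(find_user(DIRECTORY, '*')), len(find_user(DIRECTORY, '*', escape=False)))
```

The last line of output contrasts the escaped lookup for a login of `*` (no entry) with the unescaped one (every entry), which is why both Dovecot and saslauthd escape the substituted value before sending the filter to slapd, and why `authenticate` insists on exactly one match before it looks at the password at all.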

sudo vim /etc/dovecot/conf.d/10-mail.conf

mail_location = maildir:/usr/local/vmail/%u/Maildir
...
mail_uid = 5000
mail_gid = 5000

Activate logging in /etc/dovecot/conf.d/10-logging.conf:

log_path = syslog

syslog_facility = mail
auth_debug = yes

Restart the Dovecot service

sudo service dovecot restart

Test by logging in over IMAP

[lzhang@webdev06 dovecot]$ telnet localhost 143

Trying ::1...

Connected to localhost.

Escape character is '^]'.

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

a login <mail address> <password>

a OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS] Logged in

Output like the above means the login succeeded

If there are errors, use the log to diagnose them

sudo tail -n 500 /var/log/maillog

You can also verify with Outlook or another mail client

maillog:

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011lip=::1#011rip=::1#011lport=143#011rport=56299#011resp=

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): pass search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mail,userPassword

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): result: userPassword(password)= mail(user)=lzhang@webdev06.sstparts.com

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: client out: OK#0111#011user=lzhang@webdev06.sstparts.com

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master in: REQUEST#0114013686785#01129815#0111#01127e51606ab079738bd43fffbaeb4fe36

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): user search: base=dc=webdev06,dc=sstparts,dc=com scope=subtree filter=(&(objectClass=inetOrgPerson)(mail=lzhang@webdev06.sstparts.com)) fields=mailStorageDirectory

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: ldap(lzhang@webdev06.sstparts.com,::1): no fields returned by the server

Apr 18 10:29:11 webdev06 dovecot: auth: Debug: master out: USER#0114013686785#011lzhang@webdev06.sstparts.com

Apr 18 10:29:11 webdev06 dovecot: imap-login: Login: user=, method=PLAIN, rip=::1, lip=::1, mpid=29831, secured

refer links:

https://wiki.dovecot.org/HowTo/DovecotOpenLdap

https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL

https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains

Configure Roundcube

Roundcube Webmail is a browser-based, multilingual IMAP client whose interface looks like a desktop application.

It provides everything an e-mail client should have, including MIME support, an address book, folder handling, message search and spell checking. Roundcube Webmail is written in PHP with Ajax and needs a MySQL database to store its data; the user interface is built with XHTML and CSS2.

It is free and open source.

First download it from the official site: https://roundcube.net/download/

After downloading, unpack it. The resulting directory contains INSTALL and README files; read them before installing, especially INSTALL, and check whether its requirements differ from your PHP and MySQL versions.

1.Decompress and put this folder somewhere inside your document root

wget https://github.com/roundcube/roundcubemail/releases/download/1.1.10/roundcubemail-1.1.10.tar.gz

tar -xzvf roundcubemail-1.1.10.tar.gz

sudo mv roundcubemail-1.1.10 /usr/local/roundcube

cd /usr/local/roundcube

more INSTALL

2.Install dependencies using composer:

  • get composer from https://getcomposer.org/download/
  • rename the composer.json-dist file into composer.json
  • if you want to use LDAP address books, enable the LDAP libraries in your composer.json file by moving the items from "suggest" to the "require" section (remove the explanation texts after the version!).
  • run php composer.phar install --no-dev

3.Make sure that the following directories (and the files within) are writable by the webserver

  • /temp

  • /logs

4.Create a new database and a database user for Roundcube (see DATABASE SETUP)

  • MySQL

Setting up the mysql database can be done by creating an empty database, importing the table layout and granting the proper permissions to the roundcube user. Here is an example of that procedure:

mysql

CREATE DATABASE roundcubemail /*!40101 CHARACTER SET utf8 COLLATE utf8_general_ci */;

GRANT ALL PRIVILEGES ON roundcubemail.* TO roundcube@localhost

IDENTIFIED BY 'password';

quit

mysql -u root -p roundcubemail < SQL/mysql.initial.sql

Note 1: 'password' is the master password for the roundcube user. It is strongly recommended you replace this with a more secure password. Please keep in mind: You need to specify this password later in 'config/db.inc.php'.

5. update some configs

cp config/config.inc.php.sample config/config.inc.php

sudo vim config/config.inc.php

then add one line after the sentence '$config = array();'

$config['enable_installer'] = true;

and update the db name and password, like:

$config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

6. Point your browser to http://url-to-roundcube/installer/

7. Follow the instructions of the install script (or see MANUAL CONFIGURATION)

There will be some problems after viewing the web install page, like PHP 5.3.3 needing to be upgraded to a version newer than 5.3.7; now I have upgraded to 5.6.35

sudo yum remove php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 php55w-xml.x86_64

yum list installed | grep php

sudo rpm -Uvh http://mirror.webtatic.com/yum/el6/latest.rpm

sudo yum install php56w.x86_64 php56w-cli.x86_64 php56w-common.x86_64 php56w-gd.x86_64 php56w-ldap.x86_64 php56w-mbstring.x86_64 php56w-mysql.x86_64 php56w-pdo.x86_64 php56w-odbc.x86_64

yum list installed | grep php

php -v

sudo service httpd restart

refer link: https://blog.csdn.net/na_beginning/article/details/53414122

sudo yum install php56w-xml.x86_64

sudo yum install php56w-pecl-memcache.x86_64

sudo yum install php56w-pear

sudo pear install Net_SMTP --alldeps

sudo pear install Mail_Mime

sudo pear install channel://pear.php.net/Net_IDNA2-0.2.0

sudo pear install Auth_SASL

sudo yum install phpldapadmin.noarch

yum list installed | grep php

php56w.x86_64 5.6.35-1.w6 @webtatic

php56w-cli.x86_64 5.6.35-1.w6 @webtatic

php56w-common.x86_64 5.6.35-1.w6 @webtatic

php56w-gd.x86_64 5.6.35-1.w6 @webtatic

php56w-ldap.x86_64 5.6.35-1.w6 @webtatic

php56w-mbstring.x86_64 5.6.35-1.w6 @webtatic

php56w-mysql.x86_64 5.6.35-1.w6 @webtatic

php56w-odbc.x86_64 5.6.35-1.w6 @webtatic

php56w-pdo.x86_64 5.6.35-1.w6 @webtatic

php56w-pear.noarch 1:1.10.4-1.w6 @webtatic

php56w-pecl-memcache.x86_64

php56w-process.x86_64 5.6.35-1.w6 @webtatic

php56w-xml.x86_64 5.6.35-1.w6 @webtatic

phpldapadmin.noarch 1.2.3-10.el6 @epel

sudo vim config/config.inc.php

//$config['enable_installer'] = true;

mv installer installer_done

refer link:

http://acidx.net/wordpress/2014/06/installing-a-mailserver-with-postfix-dovecot-sasl-ldap-roundcube/
