/nfo/doc/computing/sysadmin/linux/howto-sendmail_tls-imap_sasl-ldap-kerberosV.pod

Revision 1.1
Mon Jan 27 09:12:52 2003 UTC by jonen
Branch: MAIN
CVS Tags: HEAD
+ create new

######################################
#
# $Id$
#
######################################
#
# $Log$
#
#
######################################


=pod



=head2 Sendmail TLS + Cyrus IMAP/SASL + LDAP + AMaViS + Kerberos V HowTo

Sebastian Utz S<seut@netfrag.org>


B<last changes>

Revision 1.1 2003/01/27 09:11:05 jonen
+ create new


=head3 Description

Install and configure Sendmail with TLS, Cyrus IMAP/SASL, LDAP, and Kerberos V support


The installation instructions described here are mainly Debian-specific.
For detailed installation instructions take a look at L<Resources|resources>,
e.g. the "OpenLDAP, OpenSSL, SASL and KerberosV HOWTO" from Turbo Fredriksson explains a lot (great stuff!)...


=head3 Prerequisites

To use all the features described here with sendmail, the following have to be installed:

- Cyrus SASL v1 http://asg.web.cmu.edu/cyrus/sasl/
- Cyrus IMAP v1 http://asg.web.cmu.edu/cyrus/sasl/
- OpenLDAP 2 http://www.openldap.org/
- AMaViS (Milter) http://www.amavis.org/
- MIT Kerberos V http://web.mit.edu/kerberos/www/
- OpenSSL http://www.openssl.org/



=head3 AMaViS

=head4 install

debian testing/unstable:

- apt-get install amavis-milter

debian woody/stable:

- download the latest amavis-milter_*.deb, which can be found at
http://packages.debian.org/testing/mail/amavis-milter.html

- dpkg -i amavis-milter_*.deb

other systems

Sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google.

Will try to write some docs here soon, too....


=head4 configure & start amavisd

- edit /etc/amavisd.conf to configure your local settings, e.g. the anti-virus scanner you use

- start amavisd with: /etc/init.d/amavisd start

Note: you should always start amavisd *before* sendmail, as the amavis documentation explains...


=head3 Install Sendmail

=head4 debian

- apt-get install sendmail

If the software described under L<Prerequisites|prerequisites> isn't installed yet, look at

- http://www.netfrag.org/~jonen/computing/install_cyrus_sasl_v1.html
- http://www.netfrag.org/~jonen/computing/mini-howto-cyrus_imapd_v1-pam-kerberosV.html
- others coming soon.....

After installing the required packages, run

- sendmailconfig

or one of the more specific scripts under '/usr/share/sendmail/' (e.g. /usr/share/sendmail/update_auth to update SASL support)
and follow the instructions printed, e.g. for updating TLS support:

- run: /usr/share/sendmail/update_tls
- insert into sendmail.mc:
- debian stable/testing: include(`/etc/mail/starttls.m4')dnl
- debian unstable: include(`/etc/mail/tls/starttls.m4')dnl
- cd /etc/mail
- run: make
- restart sendmail: /etc/init.d/sendmail restart

- test the supported features:
- telnet localhost 25
- enter: ehlo <servername>
- this should give output like:

250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP


The 'AUTH GSSAPI CRAM-MD5 PLAIN LOGIN' and 'STARTTLS' lines are the most important to us, because they mean
that the listed SASL mechanisms (GSSAPI, CRAM-MD5, PLAIN, LOGIN) are supported for authentication and that TLS is enabled.
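As an added example (not part of the original HOWTO), a small Python check that parses an EHLO reply like the one above and reports whether STARTTLS and the SASL mechanisms are advertised; it also lists PLAIN and LOGIN when they are offered on a session that is not yet encrypted, since those hand the password over in the clear, which is exactly why the HOWTO insists on TLS. The sample reply is constructed from the output above; the function names are my own.

```python
# Constructed sample: the EHLO reply shown in the HOWTO above.
SAMPLE_EHLO = """\
250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP
"""

# SASL mechanisms that hand over the password itself (base64 is not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each advertised extension (upper-cased) to its parameter list.
    Line 1 is the greeting; '250-' continues the reply and '250 ' ends it."""
    ext = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError("not a 250 EHLO line: %r" % line)
        parts = line[4:].split()
        if parts:
            ext[parts[0].upper()] = parts[1:]
        if line[3] == " ":
            break
    return ext

def check_features(ext, tls_active=False):
    """Report what the HOWTO wants to see: STARTTLS and SASL AUTH.
    cleartext_before_tls lists PLAIN/LOGIN offered while the session is
    still unencrypted, the case the HOWTO recommends TLS for."""
    mechs = set(ext.get("AUTH", []))
    return {
        "starttls": "STARTTLS" in ext,
        "auth_mechs": sorted(mechs),
        "gssapi": "GSSAPI" in mechs,
        "cleartext_before_tls": [] if tls_active else sorted(mechs & CLEARTEXT_MECHS),
    }
```

On a live server the same check can be fed from the standard library: after smtplib's SMTP.ehlo(), pass {k.upper(): v.split() for k, v in s.esmtp_features.items()} to check_features(), then repeat after starttls() and a second ehlo() with tls_active=True.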



=head4 other systems

Sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google.

Will try to write some docs here soon, too....


=head3 Configure Sendmail

=head4 general sendmail.mc configurations:

coming soon....


=head3 Configure Sendmail + SASL v1

=head4 debian

- run /usr/share/sendmail/update_auth


=head4 sendmail.mc configuration (not needed on debian)

TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl




=head3 Configure Sendmail + Cyrus IMAP v1

=head4 sendmail.mc configurations

dnl # Cyrus Imap
dnl #
define(`confLOCAL_MAILER', `cyrus')
define(`CYRUS_MAILER_FLAGS', `A5@/:|')dnl
define(`CYRUS_MAILER_PATH', `/usr/sbin/cyrdeliver')dnl
define(`CYRUS_MAILER_ARGS', `cyrdeliver -e -q -m $h -- $u ')dnl
define(`CYRUS_MAILER_USER', `cyrus:mail')dnl
define(`CYRUS_BB_MAILER_FLAGS', `')dnl
define(`CYRUS_BB_MAILER_ARGS', `cyrdeliver -e -q -m $u ')dnl
dnl #
MAILER(cyrus)dnl

LOCAL_CONFIG
## Custom configurations below (will be preserved)
LOCAL_RULE_0
R$=I $: $#cyrus $: $1
R$=I < @ $=w . > $: $#cyrus $: $1
R$=I < @ $=R . > $: $#cyrus $: $1
Rbb + $+ < @ $=w . > $#cyrusbb $: $1



=head3 Configure Sendmail + TLS

=head4 debian

- run /usr/share/sendmail/update_tls & place 'include(`/etc/mail/starttls.m4')dnl' in sendmail.mc
- make & restart sendmail
- see "Install Sendmail" for details...


=head4 other systems

coming soon......


=head3 PAM + LDAP + MIT Kerberos V

=head4 Authentication/Authorization via pam_ldap

- edit /etc/pam.d/smtp as follows:

auth required pam_ldap.so
account required pam_ldap.so


=head4 Authentication via MIT Kerberos V - gssapi and pam_krb5

=head5 Some notes on MIT Kerberos V

If SASL is compiled with 'gssapi' support, sendmail supports Kerberos V/GSSAPI authentication,
but as I can't find any documentation about Kerberos V support in up-to-date mail clients (Evolution does Kerberos 4, but no GSSAPI... ;-( ),
I'm using pam_krb5, with a lot of drawbacks compared to real GSSAPI!

Short quote from the Kerberos V5 Installation Guide (http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.7/doc/install.html#SEC3):

"Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC).
The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key,
and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password.
If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT,
which indicates proof of the client's identity."


As you can read, no passwords go over the network, so security is much improved!


=head5 pam_krb5

If pam_krb5 is used, PAM requests a 'faked' ticket on behalf of the daemons you want to authenticate against.
Also, only PLAIN passwords are supported, which means plaintext passwords go over your network,
which is very insecure!
But if we use TLS (which is always a good idea), the passwords travel over a secure transport layer
that encrypts the whole connection, so pam_krb5 over TLS is OK for now....

- edit /etc/pam.d/smtp as follows:

auth required pam_krb5.so
account required pam_ldap.so



=head4 sendmail.mc configurations

- read http://www.sendmail.org/m4/ldap_routing.html !!
- I added a 'sendmail' user to LDAP as follows, which allows sendmail to perform query requests:

dn: uid=sendmail,ou=People,dc=netfrag,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
uid: sendmail
cn: sendmail account
uidNumber: 25
gidNumber: 25
homeDirectory: /etc/mail
userPassword::


- set the default base DN after '-b'
- set the sendmail user used for query requests after '-d'
- other options, but still not tested/needed (Kerberos 5/GSSAPI supported?)

-m <authentication mechanism> (none | simple | krb4)
-P <passinfo> (/path/to/passwd_containing_file | /path/to/krb4_ticket)


dnl # define LDAP server used for routing
define(`confLDAP_DEFAULT_SPEC',`-h ldap.netfrag.org -b ou=Mail,dc=netfrag,dc=org -d uid=sendmail,ou=People,dc=netfrag,dc=org')dnl

dnl # define path to the file which lists the routable domains
LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl

dnl # switch ldap routing on
FEATURE(ldap_routing)dnl


- example '/etc/mail/ldapdomains':

netfrag.org
example.com
your-domain.com


=head4 query 'aliases' against ldap

- To use the default schema, simply put this in sendmail.mc:

define(`ALIAS_FILE', `ldap:')

- By doing so, you use the default schema, which expands to a map declared as follows:

ldap -k (&(objectClass=sendmailMTAAliasObject)
(sendmailMTAAliasGrouping=aliases)
(|(sendmailMTACluster=${sendmailMTACluster})
(sendmailMTAHost=$j))
(sendmailMTAKey=%0))
-v sendmailMTAAliasValue

- Example LDAP LDIF entries might be:

dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-aliases
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAAlias
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: Servers
sendmailMTAKey: postmaster
sendmailMTAAliasValue: jonen




=head4 query map definitions (e.g. virtusertable, mailertable, access_db, etc.) against ldap

- read http://www.sendmail.org/m4/ldap.html !!
- example for 'virtusertable' (other map definitions work much the same way..):

- sendmail.mc:

FEATURE(`virtusertable', `LDAP')

- add a sendmailMTAMapName entry (one has to be created for each map definition!!)

dn: sendmailMTAMapName=virtuser, ou=Mail, dc=netfrag, dc=org
objectClass: top
objectClass: sendmailMTA
objectClass: sendmailMTAMap
sendmailMTAHost: mail.netfrag.org
sendmailMTAMapName: virtuser

- example virtuser entries:

dn: sendmailMTAKey=test-virtuser@netfrag.org, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-virtuser@netfrag.org
sendmailMTAMapValue: jonen

dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: no-user@example.com
sendmailMTAMapValue: error: no-user@example.com doesn't exist here



=head3 Configure Sendmail Milter + AMaViS

=head4 sendmail.mc configurations

define(`MILTER', 1)
INPUT_MAIL_FILTER(`milter-amavis',`S=local:/var/run/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')



=head3 Resources

=over

=item Sendmail

http://www.sendmail.org/


=item LDAP Implementation HOWTO

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/


=item OpenLDAP

http://www.openldap.org/


=item MIT Kerberos V5

http://web.mit.edu/kerberos/www/


=item Kerberos Authenticated SMTP Service Installation Instructions

http://www.upenn.edu/computing/pennkey/sysadmin/d_install_unix/smtp.html


=item sendmail with LDAP, TLS and AUTH

http://logout.sh/computers/sendmail/


=item Sendmail + LDAP HOWTO

http://www.iconimaging.net/~jradford/sendmail/sendmail-ldap.html


=item Sendmail with Milter, AMaViS, Cyrus IMAP + SSL, Anti-Spam

http://wwwhomes.uni-bielefeld.de/schoppa/saia-howto.html


=item Sendmail with Milter, AMaViS, Anti-Spam, Cyrus IMAP based on Debian woody

http://wwwhomes.uni-bielefeld.de/schoppa/saia-woody-howto.html


=item AMaViS

http://www.amavis.org/

=back


=head3 ToDo

o seems NO mail client currently supports Kerberos V tickets, DO MORE RESEARCH!
x so use pam_krb5
o if so, it seems only PLAIN password authentication works (no Digest-MD5 or others!)
x so the use of TLS/SSL for a secure transport layer is recommended
o document installation for distributions other than Debian
o check out Cyrus Imapd v2 and SASL v2 more and write a howto
o MORE docs !!




=cut
