Revision 1.1 - (show annotations)
Mon Jan 27 09:12:52 2003 UTC (21 years, 5 months ago) by jonen
Branch: MAIN
CVS Tags: HEAD
+ create new

######################################
#
# $Id$
#
######################################
#
# $Log$
#
#
######################################


=pod



=head2 Sendmail TLS + Cyrus IMAP/SASL + LDAP + AMaViS + Kerberos V HowTo

Sebastian Utz S<seut@netfrag.org>


B<last changes>

Revision 1.1 2003/01/27 09:11:05 jonen
+ create new


=head3 Description

Install and configure Sendmail with TLS, Cyrus IMAP/SASL, LDAP, and Kerberos V support.


The installation instructions described here are mainly Debian only.
For detailed installation instructions take a look at L<Resources|resources>;
e.g. the "OpenLDAP, OpenSSL, SASL and KerberosV HOWTO" by Turbo Fredriksson explains a lot (great stuff!).


=head3 Prerequisites

To use all of the sendmail features described here, the following have to be installed:

- Cyrus SASL v1 http://asg.web.cmu.edu/cyrus/sasl/
- Cyrus IMAP v1 http://asg.web.cmu.edu/cyrus/imapd/
- OpenLDAP 2 http://www.openldap.org/
- AMaViS (Milter) http://www.amavis.org/
- MIT Kerberos V http://web.mit.edu/kerberos/www/
- OpenSSL http://www.openssl.org/


=head3 AMaViS

=head4 install

debian testing/unstable:

- apt-get install amavis-milter

debian woody/stable:

- download the latest amavis-milter_*.deb, which can be found at
http://packages.debian.org/testing/mail/amavis-milter.html

- dpkg -i amavis-milter_*.deb

other systems

sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google.

will try to write some docs here soon, too....


=head4 configure & start amavisd

- edit /etc/amavisd.conf to configure your local settings, e.g. the anti-virus scanner you use

- start amavisd with: /etc/init.d/amavisd start

note: you should always start amavisd *before* sendmail, as the amavis docs explain...

=head3 Install Sendmail

=head4 debian

- apt-get install sendmail

if the software described at L<Prerequisites|prerequisites> isn't installed yet, look at

- http://www.netfrag.org/~jonen/computing/install_cyrus_sasl_v1.html
- http://www.netfrag.org/~jonen/computing/mini-howto-cyrus_imapd_v1-pam-kerberosV.html
- others coming soon.....

after installing the required packages, run

- sendmailconfig

or one of the more specific scripts under '/usr/share/sendmail/' (e.g. /usr/share/sendmail/update_auth to update SASL support)
and follow the printed instructions, e.g. for updating TLS support:

- run: /usr/share/sendmail/update_tls
- insert into sendmail.mc:
- debian stable/testing: include(`/etc/mail/starttls.m4')dnl
- debian unstable: include(`/etc/mail/tls/starttls.m4')dnl
- cd /etc/mail
- run: make
- restart sendmail: /etc/init.d/sendmail restart

- test supported features:
- telnet localhost 25
- enter: ehlo <servername>
- the output should look like:

    250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
    250-STARTTLS
    250-DELIVERBY
    250 HELP


the 'AUTH GSSAPI CRAM-MD5 PLAIN LOGIN' and 'STARTTLS' lines are the most important to us, because they mean
that GSSAPI, CRAM-MD5, PLAIN and LOGIN authentication are supported and that TLS is enabled.
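As an added example (not part of the HowTo), a small Python checker that reads an EHLO reply like the one above and reports which advertised AUTH mechanisms would expose the password on an unencrypted session; EHLO_REPLY is constructed from the output shown.

```python
import re

# Constructed sample, copied from the EHLO reply shown in the text.
EHLO_REPLY = """250-mail.netfrag.org Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-AUTH GSSAPI CRAM-MD5 PLAIN LOGIN
250-STARTTLS
250 HELP
"""

# Mechanisms that hand the password itself to the server (the only ones pam_krb5 can use).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for every extension line after the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def audit_ehlo(reply, tls_active=False):
    """Findings for one EHLO reply, captured either before or after STARTTLS.

    tls_active=False: the reply was read on the plain TCP connection (telnet as above).
    tls_active=True: the reply was read after a successful STARTTLS negotiation.
    """
    caps = parse_ehlo(reply)
    mechs = set(caps.get("AUTH", []))
    findings = []
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: every AUTH exchange travels in the clear")
    weak = sorted(mechs & CLEARTEXT_MECHS)
    if not tls_active and weak:
        findings.append("cleartext mechanisms offered before TLS: " + " ".join(weak))
    if "GSSAPI" in mechs:
        findings.append("GSSAPI offered: Kerberos V clients can authenticate without sending a password")
    return findings


if __name__ == "__main__":
    for finding in audit_ehlo(EHLO_REPLY):
        print("-", finding)
```

Run it once on the reply captured over telnet and once on the reply sent after STARTTLS; sendmail's define(`confAUTH_OPTIONS', `p') withholds PLAIN and LOGIN until a security layer is active, which is what the second run should confirm.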



=head4 other systems

sorry, but I'm using Debian; for install instructions on other distributions look at the 'Resources' section and always google.

will try to write some docs here soon, too....


=head3 Configure Sendmail

=head4 general sendmail.mc configurations:

coming soon....


=head3 Configure Sendmail + SASL v1

=head4 debian

- run /usr/share/sendmail/update_auth


=head4 sendmail.mc configurations (not needed on debian)

    TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl




=head3 Configure Sendmail + Cyrus IMAP v1

=head4 sendmail.mc configurations

    dnl # Cyrus Imap
    dnl #
    define(`confLOCAL_MAILER', `cyrus')dnl
    define(`CYRUS_MAILER_FLAGS', `A5@/:|')dnl
    define(`CYRUS_MAILER_PATH', `/usr/sbin/cyrdeliver')dnl
    define(`CYRUS_MAILER_ARGS', `cyrdeliver -e -q -m $h -- $u ')dnl
    define(`CYRUS_MAILER_USER', `cyrus:mail')dnl
    define(`CYRUS_BB_MAILER_FLAGS', `')dnl
    define(`CYRUS_BB_MAILER_ARGS', `cyrdeliver -e -q -m $u ')dnl
    dnl #
    MAILER(cyrus)dnl

    LOCAL_CONFIG
    ## Custom configurations below (will be preserved)
    LOCAL_RULE_0
    R$=I                    $: $#cyrus $: $1
    R$=I < @ $=w . >        $: $#cyrus $: $1
    R$=I < @ $=R . >        $: $#cyrus $: $1
    Rbb + $+ < @ $=w . >    $#cyrusbb $: $1



=head3 Configure Sendmail + TLS

=head4 debian

- run /usr/share/sendmail/update_tls & place 'include(`/etc/mail/starttls.m4')dnl' in sendmail.mc
- make & restart sendmail
- see "Install Sendmail" for details...


=head4 other systems

coming soon......




=head4 sendmail.mc configurations (not needed on debian)

    TRUST_AUTH_MECH(`GSSAPI PLAIN LOGIN')dnl
    define(`confAUTH_MECHANISMS', `GSSAPI PLAIN LOGIN')dnl




=head3 PAM + LDAP + MIT Kerberos V

=head4 Authentication/Authorization via pam_ldap

- edit /etc/pam.d/smtp as follows:

    auth     required pam_ldap.so
    account  required pam_ldap.so


=head4 Authentication via MIT Kerberos V - gssapi and pam_krb5

=head5 Some notes on MIT Kerberos V

If SASL is compiled with 'gssapi' support, sendmail supports Kerberos V/GSSAPI authentication,
but as I couldn't find any documentation about Kerberos V support in up-to-date mail clients (Evolution does Kerberos 4, but no GSSAPI... ;-( ),
I'm using pam_krb5, with a lot of drawbacks compared to real GSSAPI!

Short quote from the Kerberos V5 Installation Guide (http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.7/doc/install.html#SEC3):

"Under Kerberos, a client (generally either a user or a service) sends a request for a ticket to the Key Distribution Center (KDC).
The KDC creates a ticket-granting ticket (TGT) for the client, encrypts it using the client's password as the key,
and sends the encrypted TGT back to the client. The client then attempts to decrypt the TGT, using its password.
If the client successfully decrypts the TGT (i.e., if the client gave the correct password), it keeps the decrypted TGT,
which indicates proof of the client's identity."


As you can read, no passwords go over the network, so security is much improved!


=head5 pam_krb5

If pam_krb5 is used, PAM requests a 'faked' ticket on behalf of the daemon you want to authenticate to.
Also, only PLAIN passwords are supported, which means PLAIN passwords will go over your network,
which would be very insecure!
But if we are using TLS (which is always a good idea), passwords go through a secure transport layer
which encrypts the whole connection, so pam_krb5 over TLS is ok for now....

- edit /etc/pam.d/smtp as follows:

    auth     required pam_krb5.so
    account  required pam_ldap.so



=head4 sendmail.mc configurations

- read http://www.sendmail.org/m4/ldap_routing.html !!
- I added a 'sendmail' user to LDAP as follows, which allows sendmail to bind and run its queries:

    dn: uid=sendmail,ou=People,dc=netfrag,dc=org
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    uid: sendmail
    cn: sendmail account
    uidNumber: 25
    gidNumber: 25
    homeDirectory: /etc/mail
    userPassword::


- set the search base DN after '-b'
- set the bind DN (the sendmail user used for query requests) after '-d'
- other options, not yet tested/needed (Kerberos 5/GSSAPI supported?):

    -m <authentication mechanism> (none | simple | krb4)
    -P <passinfo> (/path/to/passwd_containing_file | /path/to/krb4_ticket)


    dnl # define LDAP server used for routing
    define(`confLDAP_DEFAULT_SPEC',`-h ldap.netfrag.org -b ou=Mail,dc=netfrag,dc=org -d uid=sendmail,ou=People,dc=netfrag,dc=org')dnl

    dnl # define path to the file which lists the routable domains
    LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldapdomains')dnl

    dnl # switch ldap routing on
    FEATURE(ldap_routing)dnl


- example '/etc/mail/ldapdomains':

    netfrag.org
    example.com
    your-domain.com


=head4 query 'aliases' against ldap

- To use the default schema, simply use (in sendmail.mc):

    define(`ALIAS_FILE', `ldap:')

- By doing so, you use the default schema, which expands to a map declared as follows:

    ldap -k (&(objectClass=sendmailMTAAliasObject)
             (sendmailMTAAliasGrouping=aliases)
             (|(sendmailMTACluster=${sendmailMTACluster})
               (sendmailMTAHost=$j))
             (sendmailMTAKey=%0))
         -v sendmailMTAAliasValue

- Example LDAP LDIF entries might be:

    dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAAlias
    objectClass: sendmailMTAAliasObject
    sendmailMTAAliasGrouping: aliases
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: test-aliases
    sendmailMTAAliasValue: jonen

    dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAAlias
    objectClass: sendmailMTAAliasObject
    sendmailMTAAliasGrouping: aliases
    sendmailMTACluster: Servers
    sendmailMTAKey: postmaster
    sendmailMTAAliasValue: jonen




=head4 query map definitions (e.g. virtusertable, mailertable, access_db, etc.) against ldap

- read http://www.sendmail.org/m4/ldap.html !!
- example for 'virtusertable' (the other map definitions work much the same way..):

- sendmail.mc:

    FEATURE(`virtusertable', `LDAP')

- add a sendmailMTAMapName entry (one has to be created for each map definition!!)

    dn: sendmailMTAMapName=virtuser, ou=Mail, dc=netfrag, dc=org
    objectClass: top
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAMapName: virtuser

- example virtuser entries:

    dn: sendmailMTAKey=test-virtuser@netfrag.org, ou=Mail, dc=netfrag, dc=org
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: virtuser
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: test-virtuser@netfrag.org
    sendmailMTAMapValue: jonen

    dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: virtuser
    sendmailMTAHost: mail.netfrag.org
    sendmailMTAKey: no-user@example.com
    sendmailMTAMapValue: error: no-user@example.com doesn't exist here

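As an added example (not the HowTo's or sendmail's own code) serving both the 'aliases' section and the map-definition section above: a Python model of how sendmail's default LDAP filters select an entry, run over LDIF constructed from the entries shown. It shows that an entry tagged with sendmailMTAHost only answers for that host, while one tagged with sendmailMTACluster only answers when ${sendmailMTACluster} is set, and that a virtuser entry is invisible to the alias lookup.

```python
# Constructed LDIF, copied from the alias and virtuser entries shown in the text.
LDIF = """dn: sendmailMTAKey=test-aliases, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: test-aliases
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=postmaster, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAAliasObject
sendmailMTAAliasGrouping: aliases
sendmailMTACluster: Servers
sendmailMTAKey: postmaster
sendmailMTAAliasValue: jonen

dn: sendmailMTAKey=no-user@example.com, ou=Mail, dc=netfrag, dc=org
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAHost: mail.netfrag.org
sendmailMTAKey: no-user@example.com
sendmailMTAMapValue: error: no-user@example.com doesn't exist here
"""

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        cur = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
        entries.append(cur)
    return entries
def scoped_to_mta(entry, host, cluster):
    """The (|(sendmailMTACluster=${sendmailMTACluster})(sendmailMTAHost=$j)) clause."""
    in_cluster = cluster is not None and cluster in entry.get("sendmailMTACluster", [])
    return in_cluster or host in entry.get("sendmailMTAHost", [])
def lookup(entries, key, host, cluster=None, map_name=None):
    """Resolve key like sendmail does; host is $j, cluster is ${sendmailMTACluster}."""
    if map_name is None:   # the default alias map (filter quoted above)
        want = {"objectClass": "sendmailMTAAliasObject", "sendmailMTAAliasGrouping": "aliases"}
        value = "sendmailMTAAliasValue"
    else:                  # a named map such as virtuser
        want = {"objectClass": "sendmailMTAMapObject", "sendmailMTAMapName": map_name}
        value = "sendmailMTAMapValue"
    for e in entries:
        if key in e.get("sendmailMTAKey", []) and scoped_to_mta(e, host, cluster) \
                and all(v in e.get(a, []) for a, v in want.items()):
            return e[value][0]
    return None
```

The cluster name is what sendmail.mc sets with define(`confLDAP_CLUSTER', `Servers'); without it the postmaster entry above is never found, which is an easy thing to miss when an alias works on one MTA and not another.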


=head3 Configure Sendmail Milter + AMaViS

=head4 sendmail.mc configurations

    define(`MILTER', 1)
    INPUT_MAIL_FILTER(`milter-amavis',`S=local:/var/run/amavis/amavis-milter.sock, F=T, T=S:10m;R:10m;E:10m')



=head3 Resources

=over

=item Sendmail

http://www.sendmail.org/


=item LDAP Implementation HOWTO

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/


=item OpenLDAP

http://www.openldap.org/


=item MIT Kerberos V5

http://web.mit.edu/kerberos/www/


=item Kerberos Authenticated SMTP Service Installation Instructions

http://www.upenn.edu/computing/pennkey/sysadmin/d_install_unix/smtp.html


=item sendmail with LDAP, TLS and AUTH

http://logout.sh/computers/sendmail/


=item Sendmail + LDAP HOWTO

http://www.iconimaging.net/~jradford/sendmail/sendmail-ldap.html


=item Sendmail mit Milter, AMaViS, Cyrus IMAP + SSL, Anti Spam

http://wwwhomes.uni-bielefeld.de/schoppa/saia-howto.html


=item Sendmail mit Milter, AMaViS, Anti Spam, Cyrus IMAP auf Debian woody Basis

http://wwwhomes.uni-bielefeld.de/schoppa/saia-woody-howto.html


=item AMaViS

http://www.amavis.org/

=back

444
445 =head3 ToDo
446
447 o seems NO mail-client currently supports kerberos V tickets, DO MORE RESEARCH!
448 x so use pam_krb5
449 o if so, seems only PLAIN password authentication works (no Digest-MD5 or others!)
450 x so usage of TLS/SSL for secure trasport layer is recommend
451 o docu installation for other distribution than Debian
452 o check out Cyrus Imapd v2 and SASL v2 more and write howto
453 o MORE docu !!
454
455
456
457
458 =cut
