LDAP for Postfix with Courier IMAP

minor updates in Appendix: f. 22 Feb 2003
minor updates in document on 09 Apr 2003

Disclaimer: Use at your own risk. There are some problems with this howto.
Most problems are documented in the Appendix.

Copyright
----------

This document is (c) Copyright 2002, T. Knab and contributors.

Permission is granted to copy, distribute and/or modify this document under
the terms of the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation. A copy of the license is
available from the Free Software Foundation.

I. Introduction
----------

Welcome to the PCL HOW-TO -- P(ostfix) + C(ourier) on L(DAP).

IMAP is a mature and comprehensive protocol that defines mail storage and
client/server retrieval of email. If you are not sure what IMAP is, both
Hotmail and Yahoo are examples of IMAP sites. The advantage of using IMAP is
that most email clients use it, and it is very efficient. For example, IMAP
only transfers what is being read. When a client connects, it gets the
headers. When the client selects a mail header, it gets the entire message.
All mail is safely stored on your stable server, accessible by you wherever
you have an appropriate client.

Courier IMAP provides a very fast, reliable and secure IMAP server. Unlike
other mail servers, Courier IMAP provides IMAP access to the more robust
Maildir mailbox format. This IMAP server does NOT handle traditional mailbox
files (/var/spool/mail and derivatives); it was written for the specific
purpose of providing IMAP access to Maildir. Recently native LDAP support has
been added to Courier IMAP, which makes it the easiest to use for LDAP
authentication. As an added bonus, Courier IMAP can also provide POP3 support
and both POP3 and IMAP over SSL, but that is beyond the scope of this HOW-TO.

LDAP is increasingly being used for authentication and centralized logins.
LDAP is like a database, but its strength is faster read times (about 10
times faster) and a standardized interface. Although directories can hold
anything placed in a logical hierarchy, OpenLDAP in this implementation is
simply used for authentication and storing client parameters. For more
examples look at http://www.openldap.org/. With LDAP providing all the logins
for a network, only one password and one uid need to be produced. Although
not covered in the scope of this how-to, Kerberos can provide an extra level
of security with LDAP.

Once the LDAP server is in place, an MTA is still needed to move mail to and
from our IMAP server. Because of its extensive functionality, superior
performance and secure design, the Postfix MTA is an excellent choice for a
mail system.

For more information on the packages used in this how-to please check their
web sites:

Postfix          http://www.postfix.org/
Pop-Before-SMTP  http://popbsmtp.sourceforge.net/
Courier IMAP     http://www.inter7.com/courierimap/
Open-LDAP        http://www.openldap.org/

II. System Requirements:
----------

Before beginning one should have a system that will handle the load of mail
and IMAP. For simplicity, we will assume you will be running the Postfix MTA
and Courier IMAP server on the same machine. Although the horsepower needed
in the hardware can be reduced by good administration and/or tuning, system
requirements are more influenced by (1) the software components themselves
and (2) the anticipated traffic.

Your System needs:
----------

Get at least one machine with 2GB of RAM and a 1000MHz CPU for every 1500
users. Configure a journaled file-system; XFS is the preferred file-system
for performance, while EXT3 is the simplest to set up. Preferably, the
machine will have 3-6 high speed (15K RPM) SCSI drives in a RAID, and a tape
backup. Mail-store space should provide at least 10M - 50M of mail storage
space for every user.
For more information on securing and configuring your system refer to this
document:
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

III. LDAP
----------

In this project, configuring LDAP should be the first step. LDAP is the
database, or the heart, of the project. It is also the most complicated part
of the project. Understanding LDAP is crucial in understanding how the system
works. LDAP stores everything in this mail-suite except for the mail messages.
It holds uids, mail aliases, mail forwarding addresses, passwords and the
company address (or campus directory). LDAP can also hold vacation notices if
GNARWL or some creative scripts are created to pull the info.

With a mailhub, mail is routed via Postfix after successful queries to the
LDAP directory.

[Internet] ------> Mailhub ------> IMAP SERVER (with Postfix)
                   mailhub.mycoll.edu   imap.mycoll.edu
                                        /var/imap/mycoll/myuser/Maildir/

With a single machine or the final IMAP destination, mail is written directly
to Maildir. Courier only lets people into their mail if the password they
provide matches the password stored in the LDAP directory for their uid.

A. LDAP Install :
----------

LDAP is confusing because there are a million ways to use it. To make things
simple and workable, keep it simple! Limit your schema at the start; this will
help limit what you can do and your confusion. Although I have found at least
20 different schema files and 10 different ways to use Courier with LDAP, you
only need the authdaemon.schema with the basic schemas to make it work.

Before anything else is done, LDAP needs to be set up. For LDAP you will need
the following Debian Linux packages:

ii  libldap2        2.0.23-3    OpenLDAP libraries.
ii  libpam-ldap     138-1       Pluggable Authentication Module allowing LDAP
ii  openldap-guide  19991007-3  OpenLDAP Admin Guide
ii  openldap-utils  1.2.12-1    OpenLDAP utilities.
ii  slapd           2.0.23-3    OpenLDAP server (slapd).

Although the Guide is optional, it provides some documentation of the details
I may not provide you. After installing the required packages, set up your
slapd server. Much of this came from the OpenLDAP quick and dirty howto.

B. Configure LDAP
----------

1. Edit ldap.conf
----------

#used by (server) ldap client programs
#to connect to the ldap server
BASE    dc=mycoll, dc=edu
HOST    localhost
pam_crypt local

2. Edit slapd.conf
----------

This file should NOT be world readable.

#
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
#Postfix / Qmail
include /etc/ldap/schema/qmail.schema
#courier IMAP
include /etc/ldap/schema/authldap.schema

schemacheck on
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=mycoll, dc=edu"
rootdn "cn=admin, dc=mycoll, dc=edu"
rootpw notsecret
replogfile /var/lib/ldap/replication.log
directory /var/lib/ldap/

#for performance
loglevel 0
# for debugging
#loglevel 4
#1    trace function calls
#2    debug packet handling
#4    heavy trace debugging
#8    connection management
#16   print out packets sent and received
#32   search filter processing
#64   configuration file processing
#128  access control list processing
#256  stats log connections/operations/results
#512  stats log entries sent
#1024 print communication with shell backends
#2048 entry parsing

defaultaccess read

#items to index for speed
index cn,sn,mail,givenname,uid eq
#squirrelmail LDAP plug-in uses this
index objectClass eq

###############################################################
#access Control list
###############################################################
#tcp wrappers and iptables prevent outsiders from accessing slapd daemon

#prevents users from looking at passwords
access to attr=userpassword,clearpassword,ldappassword
        by anonymous auth
        by self write
        by dn="cn=admin,dc=mycoll,dc=edu" write
        by dn="cn=courier,dc=mycoll,dc=edu" read
        by * none

#filters need access to this
access to attr=accountstatus
        by dn="cn=courier,dc=mycoll,dc=edu" read
        by dn="cn=postfix,dc=mycoll,dc=edu" read

#prevents users from viewing employeenumber
access to attr=employeeNumber
        by dn="cn=admin,dc=mycoll,dc=edu" write
        by * none

access to *
        by dn="cn=admin, dc=mycoll, dc=edu" write
        by users read
        by self write
        by * read
#EOF

Keep in mind that slapd uses the first "by" clause that matches the
requester and stops there, so in the last directive an authenticated user
matches "by users read" before "by self write" is ever considered.

3. Run LDAP
----------

With the above files configured, start your slapd daemon. In Debian, run
/etc/init.d/slapd start. Now you can begin adding in data.

4. Add your LDAP DATA
----------

Data in an LDAP database goes in top down. You have to define the top level
organization first before moving on.

mycoll.edu:/etc/openldap/good# cat mycoll-top.ldif
dn: dc=mycoll, dc=edu
objectclass: top
objectclass: organization
o: my college
description: top level of directory

dn: ou=people, dc=mycoll, dc=edu
objectclass: top
objectclass: organizationalunit
ou: people
description: people within my college (AKA ADDRESS-BOOK).

dn: ou=mailaccounts, dc=mycoll, dc=edu
objectclass: top
objectclass: organizationalunit
ou: mailaccounts
description: people with mailaccounts at my college.

dn: ou=daemons, dc=mycoll, dc=edu
objectclass: top
objectclass: organizationalunit
ou: daemons
description: daemons that run programs

To give a graphical description of the structure:

mycoll.edu
 \
  ou: mailaccounts   (user mail accounts)
  ou: daemons        (names of daemons used)
      +postfix
      +courier
  ou: people         (personal information) (optional address book)

Once the top level is defined the container info can be dropped in.
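As an added example (not the author's script and not part of the original
howto), the following Python program writes the LDIF for one new user in the
form this howto keeps per user: an address-book entry under ou=people and a
mail account under ou=mailaccounts with the qmailuser and couriermailaccount
classes and the mailbox, homeDirectory, mailQuota and accountStatus
attributes of the sample record shown later in this section. It assumes the
dc=mycoll,dc=edu tree above, the /var/imap/mycoll mail store and the vmail
gid 1001 from the Postfix config. Two things go beyond the howto and are
assumptions of the example: passwords are stored as salted SHA-1 in the
{SSHA} form that slappasswd produces (the howto stores {crypt}; your Courier
authdaemon must accept {SSHA}), and the numeric_key option keys the mail
account by uidNumber instead of uid, as Note 1 in the Appendix recommends.
Values that RFC 2849 does not allow in clear text are emitted base64-encoded
on an "attr::" line, which is where hand-written LDIF for names with accents
usually breaks.

```python
"""Generate LDIF for a new PCL mail user (added example, not the howto's code).

Assumed layout: the dc=mycoll,dc=edu tree from slapd.conf, the
/var/imap/mycoll mail store from main.cf and the vmail gid 1001.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=mycoll,dc=edu"            # suffix from slapd.conf
DOMAIN = "mycoll.edu"
MAIL_HOST = "imap.mycoll.edu"
MAILDIR_BASE = "/var/imap/mycoll"       # virtual_mailbox_base in main.cf
VMAIL_GID = 1001                        # virtual_gid_maps = static:1001
DEFAULT_QUOTA = "200000000S, 20000C"    # Courier maildir quota: bytes, messages


def ldif_line(attr, value):
    """One 'attr: value' line; values RFC 2849 forbids in clear text
    (non-ASCII, control characters, leading space/':'/'<', trailing space)
    go out base64-encoded on an 'attr:: ...' line instead."""
    safe = (
        value.isascii()
        and value.isprintable()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} form 'slappasswd -h {SSHA}' produces:
    base64(sha1(password + salt) + salt). Assumption: the reader's Courier
    authdaemon accepts {SSHA}; the howto itself stores {crypt} hashes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """The check an {SSHA}-aware authenticator does at login: recover the
    salt from the tail of the stored value, recompute, compare in constant
    time. The clear password is never stored anywhere."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_user_ldif(uid, given, sn, uid_number, password, *, aliases=(),
                   quota=DEFAULT_QUOTA, numeric_key=False, salt=None):
    """Return LDIF for the two entries the howto keeps per user.

    numeric_key=True keys the mail account by uidNumber instead of uid, as
    Note 1 in the Appendix suggests, so a rename does not move the entry.
    The ou=people entry stays keyed by uid: inetOrgPerson has no uidNumber.
    """
    cn = f"{given} {sn}"
    mail = f"{uid}@{DOMAIN}"
    home = f"{MAILDIR_BASE}/{uid}"
    rdn = f"uidNumber={uid_number}" if numeric_key else f"uid={uid}"

    people = [
        ("dn", f"uid={uid},ou=people,{BASE_DN}"),
        ("uid", uid), ("cn", cn), ("sn", sn), ("givenName", given),
        ("mail", mail),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
    ]
    account = [
        ("dn", f"{rdn},ou=mailaccounts,{BASE_DN}"),
        ("uid", uid), ("cn", cn), ("mail", mail),
        *[("mail", alias) for alias in aliases],
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(VMAIL_GID)),
        ("mailHost", MAIL_HOST),
        ("homeDirectory", home),
        ("mailMessageStore", f"{home}/Maildir"),
        ("mailQuota", quota),
        ("mailbox", f"{uid}/Maildir/"),        # relative to virtual_mailbox_base
        ("objectClass", "qmailuser"),
        ("objectClass", "couriermailaccount"),
        ("userPassword", ssha_hash(password, salt)),
        ("accountStatus", "active"),           # the Postfix/Courier filters test this
    ]
    entries = ("\n".join(ldif_line(a, v) for a, v in entry)
               for entry in (people, account))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample user; the password is a placeholder.
    print(make_user_ldif("jdoe", "Jane", "Doe", 1101, "change-me",
                         aliases=["Jane.Doe@mycoll.edu"], numeric_key=True))
```

Feed the output to ldapadd the same way the top-level LDIF is added below
(ldapadd -x -D "cn=admin,dc=mycoll,dc=edu" -W -f newuser.ldif, with the admin
password read from the terminal rather than given on the command line). With
numeric_key the uidNumber must be unique across ou=mailaccounts, so allocate
it from one counter the same way /etc/passwd uids are allocated.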
ldapadd -w secret -D "cn=admin, dc=mycoll, dc=edu" -f mytop.ldif -x

(See Note 4 in the Appendix if this does not work.)

The courier LDAP documentation defines a unit which is similar to this (See
Note 1 in the Appendix):

dn: uid=tadmin2,ou=people,dc=mycoll,dc=edu
uid: tadmin2
cn: Theodore J. Admin
cn: Ted Admin
sn: Admin
givenName: Ted
o: My College
ou: staff
title: Systems Engineer
physicalDeliveryOfficeName: OIT
mail: tadmin2@mycoll.edu
employeeNumber: 9999999
telephoneNumber: 410-810-7400
homePostalAddress: 55 Regatta Bay Ct, Apt 656, Baracuda, MD 21901
homePhone: 410-571-8288
objectClass: Person
objectClass: OrganizationalPerson
objectClass: inetOrgPerson
creatorsName: cn=admin, dc=mycoll, dc=edu
createTimestamp: 20020514233724Z
modifiersName: cn=admin, dc=mycoll, dc=edu
modifyTimestamp: 20020514233724Z

dn: uid=tadmin2,ou=mailaccounts,dc=mycoll,dc=edu
uid: tadmin2
cn: Theodore J. Admin
mail: Theodore.Admin@mycoll.edu
mail: Ted.Admin@mycoll.edu
mail: TAdmin2@mycoll.edu
mail: theo@mycoll.edu
mail: tadmin2@imap.mycoll.edu
mail: Theodore.Admin@imap.mycoll.edu
uidNumber: 1100
gidNumber: 1001
mailHost: imap.mycoll.edu
homeDirectory: /var/imap/mycoll/tadmin2
mailMessageStore: /var/imap/mycoll/tadmin2/Maildir
mailQuota: 200000000S, 20000C
mailbox: tadmin2/Maildir/
objectClass: qmailuser
objectClass: couriermailaccount
userPassword: {crypt}hidden
accountStatus: active
mailForwardingAddress: tadmin2@imap.mycoll.edu

LDAP References
----------

* Multiple LDAP Databases
----------
http://www.openldap.org/lists/openldap-general/199907/msg00018.html
http://www.openldap.org/lists/openldap-bugs/199909/msg00001.html

* Brad Marshal's LDAP Tutorial
----------
http://staff.pisoftware.com/bmarshal/publications/ldap_tut.html

* Optimizing LDAP for performance
----------
http://www.linuxdoc.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap26sec213.html

IV POSTFIX and Pop-before-SMTP
----------

Postfix is a secure full-featured MTA that works well with the Maildir format
used in Courier IMAP. Postfix writes directly to the Maildir. Each mail
message becomes a unique file in the Maildir. Although Postfix is secure in
that it is not easily exploited, SMTP, the preferred protocol to send and
receive mail, is not very secure. One way to secure your Postfix SMTP mailer
is to require authentication. Generally speaking, SMTP does not require
authentication to send mail. Thus many organizations get black listed when
they employ SMTP with all the features enabled.

The Pop-before-smtp daemon is add-on software that works very well with
Postfix. It allows authorized users that have successfully logged in to IMAP
or POP to send mail from outside your network. Although the Pop-before-smtp
daemon is written in Perl, it is very powerful, and it can help prevent sites
from becoming open relays. The way that Pop-before-smtp works is that it
tails a log file (either mail.log or syslog). A hash file is created from the
log file and Postfix uses this hash file to allow users to send mail. In
effect, users must authenticate to either the POP or the IMAP server before
they can send mail.

From here on most of the examples I will show will be coming from the LDAP
documentation in Postfix. More specifically, I used the VIRTUAL_README.txt
http://www.oav.net/~kiwi/postfix/VIRTUAL_README.txt

Rather than going into great detail about how to install Postfix, I am simply
adding my config file. This config file is for a server that is behind a
firewall. Only one server is allowed to send it mail. The following config
file will work with virtual users. There is no SPAM protection in this config
file. Note that each item does a query. This is not very efficient, but it
works. If you find a more efficient way to combine the queries into one,
please let me know.

A. A generic LDAP config file that I use with the following packages:
----------

ii  pop-before-smt  1.28-6           watch log for pop/imap auth, notify Postfix
ii  postfix         1.1.4-2          A high-performance mail transport agent
ii  postfix-doc     1.1.4-2          Postfix documentation
ii  postfix-ldap    1.1.4-2          LDAP map support for Postfix
ii  postfix-pcre    1.1.4-2          PCRE map support for Postfix
ii  postfix-tls     1.1.4+tls0.7.1   TLS and SASL support for Postfix

/etc/postfix/main.cf
----------

biff = no
smtpd_banner = $myhostname ESMTP NO UCE (NO SPAM PLEASE)
debug_peer_level = 2
delay_warning_time = 4
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
program_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = imap.mycoll.edu
mydomain = mycoll.edu
myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost.$mydomain
mynetworks = 127.0.0.0/8

#This transforms the real domain of imap.mycoll.edu to mycoll.edu
# the user will get mail with mycoll.edu
# This is needed in my case because we have multiple servers handling mail
# dns allows for this. You may not need it.
#
# tjk@sentry:~$ host -t mx imap.mycoll.edu
#imap.mycoll.edu mail is handled by 20 imap.mycoll.edu.
#tjk@sentry:~$ host -t mx mycoll.edu
#mycoll.edu mail is handled by 10 mailhub.mycoll.edu.
masquerade_domains = $mydomain
masquerade_exceptions = root,mailer-daemon,postmaster

local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
recipient_limit = 1
message_size_limit = 10280000
mailbox_size_limit = 20480000

virtual_uid_maps = ldap:ldapuid
#for globing vmail uid = 1001
#virtual_uid_maps = static:1001
#glob gid
virtual_gid_maps = static:1001
virtual_recipient_maps = ldap:ldapsource
virtual_mailbox_size_limit = ldap:ldapquota
virtual_minimum_uid = 500
virtual_mailbox_base = /var/imap/mycoll
virtual_result_attribute = mailbox
virtual_mailbox_maps = ldap:ldapsource
virtual_maildir_extended = yes

ldapquota_timeout = 10
ldapquota_server_host = ldap.mycoll.edu
ldapquota_search_base = ou=mailaccounts,dc=mycoll,dc=edu
ldapquota_server_port = 389
ldapquota_domain = mycoll.edu, hash:/etc/postfix/searchdomains
ldapquota_query_filter = (&(mail=%s)(accountstatus=active))
ldapquota_result_attribute = mailquota
ldapquota_bind = yes
ldapquota_bind_dn = cn=postfix,dc=mycoll,dc=edu
ldapquota_bind_pw = yoursecret

ldapuid_timeout = 10
ldapuid_server_host = ldap.mycoll.edu
ldapuid_search_base = ou=mailaccounts,dc=mycoll,dc=edu
ldapuid_server_port = 389
ldapuid_domain = mycoll.edu, hash:/etc/postfix/searchdomains
ldapuid_query_filter = (&(mail=%s)(accountstatus=active))
ldapuid_result_attribute = uidnumber
ldapuid_bind = yes
ldapuid_bind_dn = cn=postfix,dc=mycoll,dc=edu
ldapuid_bind_pw = yoursecret

ldapsource_timeout = 10
ldapsource_server_host = ldap.mycoll.edu
ldapsource_search_base = ou=mailaccounts,dc=mycoll,dc=edu
ldapsource_server_port = 389
ldapsource_domain = mycoll.edu, hash:/etc/postfix/searchdomains
ldapsource_query_filter = (&(mail=%s)(accountstatus=active))
ldapsource_result_attribute = mailbox
ldapsource_bind = yes
ldapsource_bind_dn = cn=postfix,dc=mycoll,dc=edu
ldapsource_bind_pw = yoursecret

#Some basic restrictions for SMTP
#Documented in the postfix documents
smtpd_client_restrictions =
smtpd_helo_restrictions =
smtpd_sender_restrictions =
#classic way to configure postfix to use pop-before-smtp
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_recipient,
        check_client_access hash:/var/lib/pop-before-smtp/hosts,
        check_relay_domains,
        reject_unauth_pipelining,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        permit

B. Testing Postfix
----------

To test the LDAP directory with Postfix run

tail -f /var/log/mail.log

Then manually send a message to your imap server:

telnet imap.mycoll.edu 25
helo mailtest.com
mail from:
rcpt to:
data
subject: I love chicken.

test. The time is 14:35PM.
.

C. Configuring Pop-Before-SMTP for Courier IMAP
----------

ii  pop-before-smtp  1.28-6  watch log for pop/imap auth, notify Postfix

Configuration files to edit:

1) /etc/pop-before-smtp/pop-before-smtp.conf

#These matching patterns use Perl's regular expressions
#to get the ip from the logs on each mail send
#If the ip does not match it does not allow the mail to be sent.
pat = '^(... .. ..:..:..) \S+ (?:ipop3d|imapd)\[\d+\]: (?:Login|Authenticated|Auth) user=\S+ host=(?:\S+ )?\[(\d+\.\d+\.\d+\.\d+)\](?: nmsgs=\d+/\d+)?$'
pat2 = '^(... .. ..:..:..) \S+ imaplogin: LOGIN, user=\S+, ip=\[(\d+\.\d+\.\d+\.\d+)\]$'

2) /etc/postfix/main.cf

#classic way to configure postfix to use pop-before-smtp
smtpd_recipient_restrictions =
        permit_mynetworks,
        reject_non_fqdn_recipient,
        check_client_access hash:/var/lib/pop-before-smtp/hosts,
        check_relay_domains

3) pop-before-smtp.pl

If this file exists, edit it; otherwise look at the /usr/sbin/pop-before-smtp
perl program to see if it is using the log file you want. From the
pop-before-smtp quickstart guide:

#Set the log file we will watch for pop3d/imapd records.
#$file_tail{'name'} = '/var/log/maillog';

V Courier IMAP install:
----------

The nice thing about Courier is that the developers have created packages for
the Courier IMAP server almost as quickly as a new release comes out.
Additionally, after trying Cyrus IMAP, I feel Courier has the best LDAP
support. LDAP is part of Courier. LDAP with Cyrus requires the admin to patch
it. Unless you like to give yourself an unneeded challenge, I would recommend
using the packages for your favorite OS. Most package developers add in all
the patches needed to run the program with the least hang-ups. For the server
I built, I used Debian (Woody).

ii  courier-authdaemon  0.37.3-2  Courier Mail Server authentication daemon
ii  courier-base        0.37.3-1  Courier Mail Server Base System
ii  courier-doc         0.37.3-1  Documentation for the Courier Mail Server
ii  courier-imap        1.4.3-2   IMAP daemon with PAM and Maildir support
ii  courier-ldap        0.37.3-1  LDAP support for Courier Mail Server
ii  courier-debug       0.37.3-1  Debugging Tools for Courier Mail Server
#to be installed and configured later
#ii  courier-imap-ssl   1.4.3-1   IMAP daemon with SSL, PAM and Maildir support
#ii  courier-ssl        0.37.3-1  Courier Mail Server SSL Package

The install of each package is well documented in the packages' /usr/doc/ or
/usr/share/doc directory.

Courier IMAP documents worth noting:

Courier Doc - the most important piece is the directions. These documents
explain how to use the package once it is installed.

Courier LDAP - This part works with the authdaemon to provide LDAP
authentication. Read the README.ldap and be aware that the authldap.schema is
part of this package.

Prior to running Courier you will need to configure virtual user accounts:
Multiple virtual users (users without shell accounts) can be controlled by
one entry in the /etc/passwd file. This simplifies system administration.
But this setup also can result in problems. More specifically, mail quotas
gave me a problem with the virtual users. I had to create each user with a
uidnumber for file-system quotas to work. I will cover this later on in the
Quota section.

vi /etc/courier/authldaprc

#create a vmail user and group
useradd -d /var/lib/courier vmail
groupadd vmail
#allow changing dir
chown vmail:vmail -R /var/lib/courier/

You need to change Courier configuration files. Replace existing entries and
add missing entries to match:

**** **** **** Warning Note **** **** ****

Be careful when modifying the config files in Courier. The "##" characters
followed by an UPPERCASE word are reserved for the system. Do not remove the
## characters in the config files. For example you may note this type of
entry:

##NAME: LDAP_BINDDN:0

These ## characters are used for system updates. Removing the ## characters
or placing extra characters on the same line could result in problems
upgrading.

####################
####################
### NEEDS TO BE EDITED
### USE AT OWN RISK
####################
####################

A. /etc/courier/imapd:

ADDRESS=0
PORT=143
MAXDAEMONS=1000
MAXPERIP=8
PIDFILE=/var/run/courier/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
AUTHMODULES="authdaemon"
AUTHMODULES_ORIG="authdaemon"
IMAP_CAPABILITY="IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT"
IMAP_CAPABILITY_ORIG="IMAP4rev1 CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT AUTH=CRAM-MD5 AUTH=CRAM-SHA1 IDLE"
IMAP_IDLE_TIMEOUT=60
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_ULIMITD=65536
IMAP_USELOCKS=0
IMAP_EMPTYTRASH=Trash:1
IMAP_MOVE_EXPUNGE_TO_TRASH=1
IMAPDSTART=YES

B. /etc/courier/authdaemonrc:

authmodulelist="authldap"
authmodulelistorig="authcustom authcram authuserdb authldap authmysql authpam"
daemons=5
version=""
authdaemonvar=/var/run/courier/authdaemon

C. /etc/courier/authldaprc:

#for everyone owned by vmail
#LDAP_GLOB_UID vmail
LDAP_SERVER ldap.mycoll.edu
LDAP_PORT 389
LDAP_BASEDN ou=mailaccounts,dc=mycoll,dc=edu
LDAP_BINDDN cn=courier,dc=mycoll,dc=edu
LDAP_BINDPW yoursecret
LDAP_TIMEOUT 15
LDAP_MAIL mail
LDAP_DOMAIN mycoll.edu
LDAP_GLOB_GID vmail
LDAP_HOMEDIR homeDirectory
LDAP_MAILDIR mailDir
LDAP_MAILDIRQUOTA maildirQuota
LDAP_FULLNAME cn
LDAP_CRYPTPW userPassword
LDAP_UID uidNumber
LDAP_DEREF never
LDAP_TLS 0

Start Courier IMAP:

/etc/init.d/courier-imap start

If your install goes well, telnetting to localhost 143 will produce output
like this:

ted@imap-mail:/usr/doc$ telnet localhost 143
Trying 127.0.0.1...
Connected to imap.
Escape character is '^]'.
* OK Courier-IMAP ready. Copyright 1998-2002 Double Precision, Inc. See COPYING for distribution information.

Type ". logout":

. logout
* BYE Courier-IMAP server shutting down
. OK LOGOUT completed
Connection closed by foreign host.

X Notes:
----------

1. Disclaimer:

Use unique info when creating the LDAP key. My database is flawed because I
use a name-based uid for the LDAP key. This will cause problems when the name
changes. For example, let us look at the LDAP key, or the 'dn:' entry, for a
uid-based key. This user is unique. No problem until they change their name.

dn: uid=myusername2,dc=mycoll,dc=edu
uid: myusername2

It might be best to generate a uidnumber and reference the records by the
number. To change the name in the above, the whole data element needs to be
copied, deleted, and then recreated. It is too much work to say the least.
The key is not supposed to change. Thus, it will require the admin to remove
the record and then recreate it. Using a number as part of the dn: would be a
better way to create a record, for it would allow more flexibility. Use the
/etc/passwd file as an example. All users are referenced by a number.

myname:x:1001:1001::/var/imap/mycoll/myname2:/bin/false

dn: uidnumber=1001,dc=mycoll,dc=edu
uid: myname2

2. Things to do.

a. document using filesystem quotas. Throw in the script I used for this.

b. add in the ldap user generation scripts.

c. get the vacation notices working. Vacation notices have taken me to look
into http://www.postfix.org/addon.html Auto-reply software: gnarwl auto-reply
utility, uses LDAP instead of .forward+vacation. I think that gnarwl will
work with the qmail schema.

d. document how webmail works with this: Squirrel Mail or Silkymail (IMP
derivative).

e. Recent notes 2/22/2003

Although not all parts of my system are documented in this howto, it is very
similar to my current setup which has been in use for over 6 months.

Parts of this Howto that need to be rewritten:

1. LDAP (minor changes)
   a. need to describe how to use filters to prevent some data from being
      viewable
   b. need to describe how to use MD5 rather than {crypt} passwords.

2. Postfix (Major Changes)
   a. need to describe how to use the local delivery agent with the virtual
      or maildrop as a fallback transport. When the local delivery agent
      fails, Postfix will deliver to another if present. This works well for
      alias delivering.
   b. need to describe how to use the vacation program with Postfix.

3. Filesystem Quotas (Major Changes)

Filesystem quotas create extra administrative work for the admin. Problem:
Some people do not delete mail. IMAP moves all mail deletes to Inbox.Trash.
If people do not delete mail and kernel level quotas are in place with
virtual accounts, people that never delete mail can render their own mail
account unusable. It is best to use maildrop for virtual users.

Filesystem quotas with Ext3 are very slow. It seems that every time a mail
comes in the kernel writes to a file keeping track of quotas; if a high
volume of mail comes in, this locking will cause degradations in performance
on the server. I am not sure how XFS quotas work in this situation, but it
appears that XFS is better designed than EXT3.

4. User Administration (Major Changes)

All user creation and user maintenance can be automated with Perl and the
Perl Net::LDAP module.

3. How I keep everything formatted

fmt 77 -c postfix-courier-howto.txt -s

4. Version Problems

OpenLDAP utilities' command syntax seems to change in newer versions. Read
the man pages if something does not work. I was using the (Woody Stable)
version of the LDAP server here.

slapd       2.0.23-6.3  OpenLDAP server (slapd).
ldap-utils  2.0.23-6.3  OpenLDAP utilities.

XI Acknowledgments
----------

Thanks to Ron Shannon and MikeM for assistance with editing the document.