Intro

The official Dovecot wiki should be your go-to for setting up mail quotas; here I describe how I set up per-user mail quotas that work with my LDAP environment.

Setup

I included a quota mapping in user_attrs in my dovecot-ldap.conf.ext, consisting of the following

user_attrs = mailHomeDirectory=home,mailStorageDirectory=mail,mailUidNumber=uid,mailGidNumber=gid,mailQuota=quota_rule=*:bytes=%$

The quota limit comes from the mailQuota attribute through the last mapping, mailQuota=quota_rule=*:bytes=%$. Dovecot replaces %$ with the attribute's value, so the userdb lookup returns quota_rule=*:bytes=<value of mailQuota> as an extra field for that user; a record without the attribute returns no quota_rule and keeps the global one.

Once Dovecot has been restarted with the mapping in place, add the mailQuota attribute to a mail user record with a value in Dovecot's size syntax: a number with an optional k, M, G or T suffix (powers of 1024, so 250MB means 250 MiB). For example, a mail user record with a 250 MiB limit:

mailQuota: 250MB

A quota_rule returned by the userdb applies to that user only and overrides the global quota_rule of the quota plugin, so this record gets 250 MiB whatever the default is.

Verify Quota

I use a lot of shortcuts to save time, so putting this in your user profile is recommended. It has to be a shell function rather than an alias: an alias cannot take positional parameters, and $1 inside an alias body is the shell's own (normally empty) $1.

quota() { doveadm quota get -u "$1"; }

$ quota johndoe
Quota name Type    Value  Limit                                             %
User quota STORAGE     0 256000                                             0
User quota MESSAGE     0      -                                             0

doveadm reports the STORAGE Value and Limit columns in kilobytes, which is why the 250MB attribute shows up as a limit of 256000 (250 * 1024). See the doveadm-quota wiki for additional options.
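A check I like to script around the output above: confirm that the limit Dovecot actually enforces is the one stored in LDAP, and flag users close to it. This is an added example, not code from the original post or from Dovecot; it parses a constructed sample of doveadm quota get output embedded in the block (replace it with the real command's output via subprocess) and assumes the Dovecot 2.x table layout shown above.

```python
"""Check that a user's LDAP mailQuota is the limit Dovecot actually enforces.

Added example, not from the original post and not Dovecot code. It parses the
tabular output of `doveadm quota get -u <user>` (a constructed sample is embedded
below; replace it with subprocess output from the real command) and compares the
STORAGE limit, which doveadm reports in kilobytes, against the mailQuota value
stored in LDAP. Assumes the Dovecot 2.x table layout shown in the post.
"""
import re

# Constructed sample of `doveadm quota get -u johndoe`, shaped like the post's output.
SAMPLE_OUTPUT = """\
Quota name Type    Value  Limit                                             %
User quota STORAGE   1024 256000                                             0
User quota MESSAGE     12      -                                             0
"""

# Dovecot size suffixes are binary multiples: 250MB means 250 * 1024 * 1024 bytes.
_UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def mailquota_to_kib(value: str) -> int:
    """Convert a mailQuota value such as '250MB', '1G' or '512000' (bytes) to KiB."""
    m = re.fullmatch(r"\s*(\d+)\s*([BKMGT])?B?\s*", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unparseable quota value: {value!r}")
    number, unit = int(m.group(1)), (m.group(2) or "B").upper()
    return number * _UNITS[unit] // 1024


def parse_quota_output(text: str) -> dict:
    """Map quota type (STORAGE, MESSAGE) to (value, limit or None, percent)."""
    rows = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        # The quota name may contain spaces, so take the last four columns.
        qtype, value, limit, pct = parts[-4:]
        rows[qtype] = (int(value), None if limit == "-" else int(limit), int(pct))
    return rows


def check_user_quota(doveadm_output: str, mailquota: str, warn_pct: int = 90) -> dict:
    """Compare Dovecot's effective STORAGE limit with the LDAP attribute and flag heavy use."""
    used_kib, limit_kib, _ = parse_quota_output(doveadm_output)["STORAGE"]
    expected_kib = mailquota_to_kib(mailquota)
    usage_pct = 0 if not limit_kib else used_kib * 100 // limit_kib
    return {
        "limit_matches_ldap": limit_kib == expected_kib,
        "expected_kib": expected_kib,
        "effective_kib": limit_kib,
        "usage_pct": usage_pct,
        "over_threshold": usage_pct >= warn_pct,
    }


if __name__ == "__main__":
    print(check_user_quota(SAMPLE_OUTPUT, "250MB"))
```

A mismatch between expected_kib and effective_kib usually means the userdb lookup did not return the quota_rule field (attribute missing from the record, wrong filter, or the mapping not picked up because Dovecot was not restarted).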

Intro

Although Dovecot provides its own SASL implementation, I opted for Cyrus SASL. It is fairly simple to configure either, but in this post I will demonstrate what worked for me.

/etc/saslauthd.conf

ldap_servers: ldap://ldap.example.net
ldap_version: 3
ldap_search_base: ou=Mail,dc=example,dc=net
ldap_scope: sub
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))
ldap_auth_method: bind
ldap_timeout: 10
ldap_time_limit: 10

The above options worked for LDAP authentication in my environment. ldap_auth_method: bind means saslauthd looks up the user's DN and then binds to the directory as that user with the supplied password, so the password crosses the network to the LDAP server; over plain ldap:// that is cleartext, so for anything but a directory on the same host use an ldaps:// server or add ldap_start_tls: yes. The mailEnabled attribute comes from postfix-book.schema, which must be loaded into your LDAP server (OpenLDAP in my case); with that filter only users whose account is enabled are allowed to authenticate.

/etc/conf.d/saslauthd

SASLAUTHD_OPTS="-a ldap"

/usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

Once everything is in place, a simple systemctl restart saslauthd is all that is needed. Before involving Postfix, use testsaslauthd(8) to confirm that a known good credential is accepted and that a record with mailEnabled set to FALSE is rejected. Because mech_list is plain, clients send the password in the clear inside the SMTP session, so only offer AUTH after STARTTLS (in Postfix, smtpd_tls_auth_only = yes); and log_level: 7 is a debug level that logs every authentication step, so lower it once things work. You should now be able to use your LDAP account credentials in any mail client's SMTP settings.

Intro

The Dovecot wiki does a good job of explaining how to make Dovecot and OpenLDAP work together, but in this post I will describe the steps I took to configure Dovecot against OpenLDAP on a Linux host.

LDAP authentication

As described in the wiki, Dovecot offers two ways to perform LDAP authentication: password lookups and authentication binds. I chose password lookups. Dovecot then keeps one bind connection (the dn/dnpass below) and fetches each user's userPassword hash itself, which is faster than a bind per login and works with non-plaintext SASL mechanisms; the trade-off is that the dovecot bind DN must be allowed to read userPassword, so that account and its password need protecting as if they were the hashes themselves. Authentication binds never expose the hashes but only work with plaintext mechanisms.

10-auth.conf

In 10-auth.conf, !include auth-system.conf.ext is normally enabled; comment it out and uncomment !include auth-ldap.conf.ext so that only the LDAP passdb and userdb are active.

auth-ldap.conf.ext

passdb {
  driver = ldap
  # the passdb needs the same connection settings as the userdb
  args = /etc/dovecot/dovecot-ldap.conf.ext
}

userdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
  # used only when the LDAP result has no home attribute
  default_fields = home=/home/vmail/%d/%u
}

Here we're telling Dovecot to use LDAP for both the password database and the user database instead of PAM or SQL. For default_fields I'm using a domain/user directory structure built from the %d and %u variables Dovecot expands; note that default_fields only fills in fields the LDAP result lacks, so once user_attrs below maps mailHomeDirectory to home, that attribute wins whenever a record has it. Next came the relevant options in dovecot-ldap.conf.ext.

dovecot-ldap.conf.ext

hosts = ldap.domain.net ldap.domain2.net ldap.domain3.net
auth_bind = no
dn = uid=dovecot,ou=System,dc=domain,dc=net
dnpass = MyP@sswd
ldap_version = 3
base = ou=Mail,dc=domain,dc=net
deref = never
scope = subtree
default_pass_scheme = SSHA

# user filter
user_attrs = mailHomeDirectory=home,mailStorageDirectory=mail,mailUidNumber=uid,mailGidNumber=gid,mailQuota=quota_rule=*:bytes=%$
user_filter = (&(objectClass=inetOrgPerson)(uid=%n)(mailEnabled=TRUE))

# password filter
pass_attrs  = mail=user,userPassword=password
pass_filter = (&(objectClass=inetOrgPerson)(uid=%n))

iterate_attrs = mail=user
iterate_filter = (objectClass=inetOrgPerson)

Because I am using attributes from postfix-book.schema in both user_attrs and user_filter (mailHomeDirectory, mailStorageDirectory, mailUidNumber, mailGidNumber, mailQuota, mailEnabled), that schema has to be loaded into OpenLDAP. A few things worth checking in this file: dnpass is stored in clear text, so keep dovecot-ldap.conf.ext readable by root only; the hosts are contacted over plain LDAP, so for a directory on another machine set tls = yes or switch from hosts to uris with ldaps:// URIs; and pass_filter does not test mailEnabled=TRUE the way user_filter does, so a disabled account still passes the password check and only fails at the later userdb lookup, which makes it cleaner to add (mailEnabled=TRUE) to pass_filter as well. Finally, pass_attrs rewrites the login name to the mail attribute, and the userdb lookup then expands %n to the local part of that address, so this setup assumes each record's uid equals the local part of its mail.

Quota

While I use a global quota, I also like the option of setting user-specific quotas. Since postfix-book.schema is loaded into OpenLDAP, the mailQuota=quota_rule=*:bytes=%$ mapping above works as is: adding a mailQuota attribute to a mail user record gives that user its own quota_rule, which overrides the global one.

dovecot.conf

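The dovecot.conf section of the post is empty here, so the following is an added example of the global quota plugin settings that the per-user quota_rule from LDAP overrides. It is not the original post's configuration: the 1G default, the Trash rule and the plugin names are assumptions, while the quota name "User quota" matches the doveadm output in the quota post above.

```conf
# Added example: global quota settings in dovecot.conf (not the post's own file).
# Load the quota plugin for all protocols (lmtp enforces it at delivery time)
# and the IMAP QUOTA extension for IMAP clients.
mail_plugins = $mail_plugins quota

protocol imap {
  mail_plugins = $mail_plugins imap_quota
}

plugin {
  # Quota backend and the name that appears in "doveadm quota get" output
  quota = maildir:User quota
  # Global default (assumed value); a quota_rule returned by the userdb
  # from the mailQuota attribute overrides it for that user
  quota_rule = *:storage=1G
  # Give Trash 10% headroom so a user over quota can still delete mail
  quota_rule2 = Trash:storage=+10%
}
```

After reloading, doveadm quota get -u <user> should show the 1G default for records without mailQuota and the attribute's value for records that have it.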
PAM

The last thing I did was point PAM's Dovecot service at LDAP by editing /etc/pam.d/dovecot as follows. Note that with passdb { driver = ldap } above, Dovecot never consults PAM, so this file only matters if auth-system.conf.ext (the pam passdb) is still included; it does no harm, but it is not what authenticates IMAP logins in this setup.

auth    required        pam_ldap.so nullok
account required        pam_ldap.so

Final

Once everything has been verified, the last step is to restart Dovecot; with systemd that is systemctl restart dovecot. It's also a good idea to verify that no errors appear in the mail log using tail -f /path/to/mail.log, and to test one login end to end.

Intro

There are many ways to configure a virtual mail environment using postfix, but in this post I will describe the steps I took to configure postfix to work with OpenLDAP on a Linux host. The end goal was to utilize LDAP lookup tables for virtual domains, mailboxes and aliases.

LMTP

First, instead of the LDA I chose LMTP as the local delivery agent. As described in Dovecot's LMTP wiki, I changed virtual_transport from dovecot to lmtp:unix:private/dovecot-lmtp, a socket that Dovecot's lmtp service creates under Postfix's queue directory (the unix_listener path of that service, normally /var/spool/postfix/private/dovecot-lmtp, must match).

master.cf only needs an entry if you keep virtual_transport = dovecot, that is, deliver through the LDA instead of LMTP. In that case the transport is a pipe(8) service that runs dovecot-lda (the lmtp binary is a server that speaks LMTP on its socket and does not take -d; the path is distribution dependent), similar to

dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${recipient}

With the LMTP transport above, Postfix uses its built-in lmtp(8) client and this entry is not used.

Next, I included the following 8 virtual lines in main.cf

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_minimum_uid = 5000
virtual_mailbox_domains = ldap:/etc/postfix/ldap/ldap-virtual-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap/ldap-vmailbox.cf
virtual_alias_maps = ldap:/etc/postfix/ldap/ldap-aliases.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_base = /home/vmail/

Notice I have specified ldap: instead of the more common hash: database, with the absolute path to the 3 files needed for domains, mailboxes and aliases. Two caveats: virtual_mailbox_base, virtual_uid_maps, virtual_gid_maps, virtual_minimum_uid and virtual_mailbox_limit are parameters of Postfix's own virtual(8) delivery agent and are not applied when delivery goes through LMTP (Dovecot's uid/gid and quota settings apply instead), whereas virtual_mailbox_domains, virtual_mailbox_maps and virtual_alias_maps are still needed for address classes and recipient validation. And all three lookup files below bind anonymously (bind = no) over plain ldap://, so the OpenLDAP ACLs must let anonymous clients read exactly the attributes queried and nothing else; for a directory on another host use an ldaps:// URL in server_host or set start_tls = yes.

Domains

ldap-virtual-domains.cf

server_host = ldap://ldap.example.net/
search_base = ou=Domains,dc=example,dc=net
version = 3
bind = no
query_filter = (&(ObjectClass=dNSDomain)(dc=%s))
result_attribute = dc

Verify that the domain lookup succeeds:

postmap -q domain1.net ldap:/etc/postfix/ldap/ldap-virtual-domains.cf

will return domain1.net

If there is no result the domain may not be in LDAP. To add domains in LDAP see this page.

Mailboxes

ldap-vmailbox.cf

server_host = ldap://ldap.example.net/
search_base = ou=Mail,dc=example,dc=net
version = 3
bind = no
query_filter = (&(objectclass=inetOrgPerson)(mail=%s))
result_attribute = mail

Verify that the mailbox lookup succeeds:

postmap -q johndoe@domain1.net ldap:/etc/postfix/ldap/ldap-vmailbox.cf

will return johndoe@domain1.net

If there is no result, make sure the email address exists as the primary mail address (the mail attribute) and not only as a mail alias (mailAlias). See this page on how you can add new mail user records in LDAP.

Aliases

ldap-aliases.cf

server_host = ldap://ldap.example.net/
search_base = ou=Mail,dc=example,dc=net
version = 3
bind = no
query_filter = (&(objectclass=PostfixBookMailAccount)(mailAlias=%s))
result_attribute = mail

Verify that the alias lookup succeeds:

postmap -q superjohn@domain2.me ldap:/etc/postfix/ldap/ldap-aliases.cf

will return johndoe@domain1.net

Notice that querying an alias returns the primary email address, not the alias itself, because result_attribute = mail; that is exactly what virtual_alias_maps needs, since Postfix rewrites the alias to the mailbox address before delivery.
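Every filter on this page substitutes a string the remote party chooses: %u in the saslauthd ldap_filter, %n in Dovecot's user_filter and pass_filter, and %s in the three Postfix query_filter lines above. Postfix's ldap_table(5) documents RFC 2254 quoting of %s and Dovecot escapes its %-variables, but it is worth knowing what that escaping must do and what an unescaped login name can do to a filter. The following is an added example, not code from the posts or from Dovecot, Postfix or saslauthd: it implements RFC 4515 value escaping and a small in-memory filter evaluator over a constructed directory; the entries, the hostile login name and the evaluator are all assumptions made for the demonstration.

```python
"""RFC 4515 escaping for values substituted into LDAP search filters.

Added example; not code from the original posts nor from Dovecot, Postfix or
saslauthd. Every filter on this page interpolates a caller-controlled string
(%u in saslauthd, %n in Dovecot, %s in Postfix). This shows what the escaping
of that string must do and, with a small in-memory filter evaluator over a
constructed directory, what an unescaped login name can do to the match.
"""
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter(template: str, value: str, placeholder: str = "%u", escape: bool = True) -> str:
    """Substitute value for placeholder (escaped unless escape=False, for demonstration)."""
    return template.replace(placeholder, escape_filter_value(value) if escape else value)


# --- minimal evaluator: supports (&...), (|...), (!...) and attr=value with * wildcards ---

def _parse(s: str, i: int):
    """Parse one parenthesised filter item starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in ("&", "|"):
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        return (op, children), i + 1           # skip the closing ')'
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), i + 1
    end = s.index(")", i)                      # an escaped ')' is '\29', never literal
    attr, _, pattern = s[i:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1


def _value_matches(pattern: str, value: str) -> bool:
    """Match an assertion value: '\\xx' escapes are literal, a bare '*' is a wildcard."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\":
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.fullmatch("".join(parts), value, re.IGNORECASE) is not None


def _eval(node, entry: dict) -> bool:
    kind = node[0]
    if kind in ("&", "|"):
        results = [_eval(child, entry) for child in node[1]]
        return all(results) if kind == "&" else any(results)
    if kind == "!":
        return not _eval(node[1], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(directory: dict, filter_str: str) -> list:
    """Return the sorted DNs of entries matching filter_str."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return sorted(dn for dn, entry in directory.items() if _eval(node, entry))


# Constructed directory; attribute names are lower-cased because LDAP treats them case-insensitively.
DIRECTORY = {
    "uid=johndoe,ou=Mail,dc=example,dc=net": {"uid": ["johndoe"], "mailenabled": ["TRUE"]},
    "uid=alice,ou=Mail,dc=example,dc=net":   {"uid": ["alice"],   "mailenabled": ["TRUE"]},
    "uid=olduser,ou=Mail,dc=example,dc=net": {"uid": ["olduser"], "mailenabled": ["FALSE"]},
}

SASLAUTHD_FILTER = "(&(uid=%u)(mailEnabled=TRUE))"   # the saslauthd.conf filter from the SASL post
HOSTILE_LOGIN = "*)(uid=*"                             # constructed login name, not a real user


if __name__ == "__main__":
    print(search(DIRECTORY, build_filter(SASLAUTHD_FILTER, "johndoe")))                   # johndoe only
    print(search(DIRECTORY, build_filter(SASLAUTHD_FILTER, HOSTILE_LOGIN)))               # []
    print(search(DIRECTORY, build_filter(SASLAUTHD_FILTER, HOSTILE_LOGIN, escape=False)))  # both enabled users
```

Unescaped, the hostile name turns (&(uid=%u)(mailEnabled=TRUE)) into (&(uid=*)(uid=*)(mailEnabled=TRUE)), which matches every enabled account; whichever entry the server returns first is the one the client then binds or compares against. Escaped, the same string is just a literal that matches nothing. The same substitution logic applies to the Postfix %s filters by passing placeholder="%s".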

If all queries return expected results for mail domains, mailboxes and aliases we can proceed with configuring Dovecot to work with LDAP.