
Configuring Postfix, Dovecot, PostfixAdmin and Roundcube on Debian Wheezy with PostgreSQL

We are going to configure the full set of services (SMTP, SMTPD, SASL, POP3, IMAP) that let you run your own email system on a GNU/Linux Debian Wheezy server. Quotas and the autoresponder are not covered here; they will be the subject of a later article. To begin, the classic "apt-get install" of the packages:


# apt-get install postfix postfix-pgsql dovecot-pop3d dovecot-imapd dovecot-pgsql libsasl2-modules-sql


Optionally, install the PostgreSQL server as well if it lives on the same machine, which is the case in our example (if it does not, we advise enabling SSL on it).


# apt-get install postgresql-9.1


You can also install the Roundcube and PostfixAdmin packages, but we prefer to use them from source.

We start with PostgreSQL, creating two users for the database that will hold all the information tied to the SMTP server. These users must not be able to create databases, must not be superusers and must not create roles. One of them has full rights on the database: this is the user PostfixAdmin will use. The other has read access only: this is the user Postfix and Dovecot will use:


# su - postgres
postgres@localhost:~$ # -S -D -R: no superuser, no createdb, no createrole (PostgreSQL 9.1 prompts otherwise)
postgres@localhost:~$ createuser -S -D -R -P NOMUTILISATEURPOSTFIXADMINRNDC
postgres@localhost:~$ createuser -S -D -R -P NOMUTILISATEURPOSTFIXDOVECOT
postgres@localhost:~$ # the PostfixAdmin/Roundcube user owns both databases and so has full rights on them
postgres@localhost:~$ createdb -O NOMUTILISATEURPOSTFIXADMINRNDC NOMBASE
postgres@localhost:~$ createdb -O NOMUTILISATEURPOSTFIXADMINRNDC NOMBASEROUNDCUBE
postgres@localhost:~$ psql NOMBASE
-- The tables are created later by PostfixAdmin's setup.php, and "GRANT ... ON ALL TABLES"
-- only covers tables that already exist, so also grant SELECT by default on tables
-- the PostfixAdmin user will create.
NOMBASE=# ALTER DEFAULT PRIVILEGES FOR ROLE NOMUTILISATEURPOSTFIXADMINRNDC IN SCHEMA public GRANT SELECT ON TABLES TO NOMUTILISATEURPOSTFIXDOVECOT;
NOMBASE=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO NOMUTILISATEURPOSTFIXDOVECOT;


Now we configure PostfixAdmin to initialise the database that will be used to provide the SMTP, SMTPD, POP3 and IMAP services. You can download the latest PostfixAdmin release from the following link: PostfixAdmin. We assume you can serve PostfixAdmin and Roundcube from a web server configured with PHP, and you must provide HTTPS for all access to these applications. Here is the list of parameters to check and configure:

config.inc.php


// Will hold the hash of the setup password, obtained with PostfixAdmin's setup.php.
$CONF['setup_password']
// Set the main URL used to reach PostfixAdmin.
$CONF['postfix_admin_url']
$CONF['default_language'] = 'fr';
$CONF['database_type'] = 'pgsql';
$CONF['database_host'] = 'localhost';
$CONF['database_user'] = 'NOMUTILISATEURPOSTFIXADMINRNDC';
$CONF['database_password'] = 'VOTREMOTDEPASSESECRET';
$CONF['database_name'] = 'NOMBASE';
// You can choose a prefix for the table names, to improve security.
$CONF['database_prefix'] = 'PREFIX';
// The postmaster of your main domain, the one used for the PostfixAdmin URL for example.
$CONF['admin_email']
$CONF['smtp_server'] = 'localhost';
$CONF['smtp_port'] = '25';
/* For now this is the most practical and reasonably secure mode, since the main weakness left open by this mode is social engineering. There is literature on the subject, notably on the site of the "ejabberd" XMPP server. As soon as SCRAM-SHA-1 is supported we will use it at every service level (for information, we use the same database to authenticate services other than those discussed in this article). The best alternative would be to generate the account and password automatically for your users, but that is not yet possible in our context. */
$CONF['encrypt'] = 'cleartext';
$CONF['min_password_length'] = 4;
// YOUR directory/domain.tld/username@domain.tld: one directory per domain.
$CONF['domain_path'] = 'YES';
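As an added illustration (not code from the article) of the trade-off made by `$CONF['encrypt'] = 'cleartext'`: the CRAM-MD5 and DIGEST-MD5 mechanisms listed later in smtpd.conf are challenge-response schemes keyed by the password itself, so the server can only verify a response if it still holds the cleartext password; a SHA-1 hash store cannot. The account and password below are constructed.

```python
import base64
import hashlib
import hmac
import os
import secrets


def make_challenge(hostname: str) -> bytes:
    """Build an RFC 2195 style challenge: <random.pid@host>."""
    return f"<{secrets.randbits(64)}.{os.getpid()}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """What the client sends: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode())


def verify_with_cleartext(store: dict, challenge: bytes, response: bytes) -> bool:
    """Server side with a cleartext store (the article's setup): recompute the
    HMAC from the stored password and compare in constant time."""
    username, _, digest = base64.b64decode(response).decode().partition(" ")
    password = store.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_with_sha1_store(store: dict, challenge: bytes, response: bytes) -> bool:
    """Server side with only SHA-1 hashes stored: the HMAC key (the password)
    is gone, so the best it can do is use the hash as the key, which never
    matches a genuine client response. CRAM-MD5 cannot work with such a store."""
    username, _, digest = base64.b64decode(response).decode().partition(" ")
    stored_hash = store.get(username)
    if stored_hash is None:
        return False
    expected = hmac.new(stored_hash.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed sample account, not real credentials.
USER = "alice@example.org"
PASSWORD = "correct horse"
CLEARTEXT_STORE = {USER: PASSWORD}
SHA1_STORE = {USER: hashlib.sha1(PASSWORD.encode()).hexdigest()}


def demo() -> tuple:
    """Run one exchange against both stores; returns (good, wrong password, hashed store)."""
    challenge = make_challenge("mail.example.org")
    response = cram_md5_response(USER, PASSWORD, challenge)
    wrong = cram_md5_response(USER, "wrong password", challenge)
    return (
        verify_with_cleartext(CLEARTEXT_STORE, challenge, response),  # True
        verify_with_cleartext(CLEARTEXT_STORE, challenge, wrong),     # False
        verify_with_sha1_store(SHA1_STORE, challenge, response),      # False
    )


if __name__ == "__main__":
    print(demo())
```

The price of keeping the wire free of plaintext passwords is that the database itself now holds them, which is why the read-only database role for Postfix and Dovecot, and SSL on a remote PostgreSQL, matter.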


If all goes well, PostfixAdmin creates the database tables and you can start defining your users through the web interface (we advise removing 'setup.php', even though it is protected by the admin password placed in PostfixAdmin's config.inc.php).

Now we move on to configuring Postfix. We use Postfix for the whole SMTP and SMTPD context; Dovecot plays no part in mail delivery. Postfix handles the entire chain of these services, which it has done very well for a long time.

First, a few global settings for the service:


# groupadd -g 2000 vmail
# useradd -g vmail -u 2000 vmail -d /srv/vmail -m
# mkdir -p /srv/vmail
# chown vmail:vmail /srv/vmail
# chmod 0700 /srv/vmail
# mkdir /etc/postfix/sasl
# mkdir /etc/postfix/pgsql

Now the Postfix configuration itself, /etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
myorigin = /etc/mailname

smtpd_banner = SMTPD Ready.
biff = no
recipient_delimiter = +
luser_relay =

# appending .domain is the MUA's job.
append_dot_mydomain = no
append_at_myorigin = yes

readme_directory = no

# If you have several interfaces on different networks
smtp_bind_address = A.B.C.D
smtp_bind_address6 = AAAA:BBBB:CCCC:DDDD

# Important when names are resolved locally via /etc/hosts (and denyhosts is installed)
smtp_host_lookup = native, dns

# TLS SMTP
# Note: Postfix does not accept a comment at the end of a line; a '#' there
# becomes part of the value. Comments therefore sit on their own lines.
# Use CAcert! http://www.cacert.org
smtp_tls_security_level = may
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtp_tls_key_file = /etc/ssl/private/LACLEDUCERTIFICAT.key
smtp_tls_cert_file = /etc/ssl/private/LECERTIFICAT.crt
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

# The fully qualified name registered in DNS as the MX.
myhostname = MONNOMDESERVEURCOMPLET
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = MONNOMDESERVEURCOMPLET, localhost.MONDOMAINE, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
inet_interfaces = all
inet_protocols = all

# CONTROL DELIVER
default_destination_concurrency_limit = 20
local_destination_concurrency_limit = 2
in_flow_delay = 1s

message_size_limit = 102400000
bounce_size_limit = 1000

# CONTROL DELIVERY
allow_untrusted_routing = no
smtp_recipient_limit = 25
disable_vrfy_command = yes
strict_rfc821_envelopes = yes
show_user_unknown_table_name = no
allow_percent_hack = no
swap_bangpath = no

### Tarpit until RCPT TO:
smtpd_delay_reject = yes

### Tarpit bots/clients/spammers
smtpd_error_sleep_time = 15
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Reject codes == 554
access_map_reject_code = 554
invalid_hostname_reject_code = 554
maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
non_fqdn_reject_code = 554
plaintext_reject_code = 554
reject_code = 554
relay_domains_reject_code = 554
unknown_address_reject_code = 554
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# header_checks = regexp:/etc/postfix/maps/header_checks
# body_checks = regexp:/etc/postfix/maps/body_checks

smtpd_client_restrictions = permit_mynetworks
                            reject_invalid_hostname
                            reject_unknown_client
                            permit

smtpd_helo_required = yes

# Requirements on the sender
smtpd_sender_restrictions = permit_sasl_authenticated
                            permit_mynetworks
                            reject_unauth_destination
                            reject_non_fqdn_sender
                            reject_unknown_sender_domain
                            reject_unknown_address
                            reject_rhsbl_sender dsn.rfc-ignorant.org
                            permit

smtpd_etrn_restrictions = permit_mynetworks
                          reject

smtpd_data_restrictions = reject_unauth_pipelining
                          reject_multi_recipient_bounce
                          permit

smtpd_recipient_restrictions = reject_invalid_hostname
                               reject_non_fqdn_sender
                               reject_non_fqdn_recipient
                               permit_mynetworks
                               permit_sasl_authenticated
                               reject_unauth_pipelining
                               reject_unknown_sender_domain
                               reject_unknown_recipient_domain
                               reject_unauth_destination
                               reject_unknown_client
                               reject_rbl_client   zen.spamhaus.org
                               reject_rbl_client   cbl.abuseat.org
                               reject_rhsbl_client multi.surbl.org
                               reject_rhsbl_sender multi.surbl.org
                               reject_rhsbl_sender dbl.spamhaus.org
                               reject_rhsbl_client dbl.spamhaus.org
                               reject_rhsbl_sender dsn.rfc-ignorant.org
                               permit

# SASL
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.pem
smtpd_tls_key_file = /etc/ssl/private/lacleducertificat.key
smtpd_tls_cert_file = /etc/ssl/private/lecertificat.crt
smtpd_tls_loglevel = 0
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
#smtpd_tls_auth_only = yes

smtpd_sasl_authenticated_header = no

relay_domains = proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /srv/vmail
virtual_mailbox_limit = 512000000
virtual_minimum_uid = 1999
virtual_transport = virtual
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
# Later, for the autoresponder, even though an autoresponder is a very bad idea, except for spammers.
# transport_maps = hash:/etc/postfix/transport
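An added check, not from the article, that reads main.cf the way Postfix does (only a line starting with '#' is a comment, a line starting with whitespace continues the previous value) and flags the points a reviewer of the configuration above would raise: a '#' inside a value, SSLv3 not excluded on the smtpd side while it is on the smtp side, plaintext SASL without TLS, and the position of `reject_unauth_destination` in the recipient restrictions. The excerpt it runs on is constructed in the style of the file above.

```python
import re
from typing import Dict, List

# Constructed excerpt in the style of the article's main.cf (placeholders kept,
# one trailing comment left in deliberately to show the problem).
SAMPLE_MAIN_CF = """\
# TLS SMTP
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_CAfile = /etc/ssl/certs/cacert.org.pem  # Use CAcert!
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
#smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_mynetworks
                               permit_sasl_authenticated
                               reject_unauth_destination
                               permit
disable_vrfy_command = yes
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf into {parameter: value}, joining continuation lines."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue  # blank line or comment line: never part of a value
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of the previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # malformed line; postconf would warn about it
        current = name.strip()
        params[current] = value.strip()
    return params


def sslv3_allowed(protocols: str) -> bool:
    """Postfix protocol lists are either exclusions ('!SSLv2, !SSLv3') or an
    explicit inclusion list ('TLSv1, TLSv1.1'); handle both forms."""
    tokens = [t for t in re.split(r"[,\s]+", protocols) if t]
    if tokens and all(t.startswith("!") for t in tokens):
        return "!SSLv3" not in tokens
    return "SSLv3" in tokens


def check_main_cf(params: Dict[str, str]) -> List[str]:
    """Return the review findings for a parsed main.cf."""
    findings: List[str] = []
    for name, value in params.items():
        if "#" in value:
            findings.append(f"{name}: '#' is part of the value, Postfix has no trailing comments")
    for name in ("smtp_tls_protocols", "smtpd_tls_mandatory_protocols"):
        if name in params and sslv3_allowed(params[name]):
            findings.append(f"{name}: SSLv3 is still allowed")
    if params.get("smtpd_sasl_auth_enable") == "yes":
        no_plain = "noplaintext" in params.get("smtpd_sasl_security_options", "")
        if not no_plain and params.get("smtpd_tls_auth_only") != "yes":
            findings.append("plaintext SASL mechanisms offered on unencrypted connections")
    restrictions = params.get("smtpd_recipient_restrictions", "").split()
    if "reject_unauth_destination" not in restrictions:
        findings.append("smtpd_recipient_restrictions: no reject_unauth_destination (open relay)")
    elif "permit" in restrictions[: restrictions.index("reject_unauth_destination")]:
        findings.append("smtpd_recipient_restrictions: 'permit' precedes reject_unauth_destination (open relay)")
    if params.get("disable_vrfy_command") != "yes":
        findings.append("disable_vrfy_command should be yes")
    return findings


if __name__ == "__main__":
    for finding in check_main_cf(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

On the real file, `postconf -n` prints the values Postfix actually parsed and is the quickest way to confirm whether a '#' ended up inside one.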

The /etc/postfix/master.cf file:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_security_level=may
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
  -o smtpd_sasl_authenticated_header=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_sasl_authenticated_header=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}


The SASL file ("PREFIX" is the table prefix defined in PostfixAdmin's configuration file), /etc/postfix/sasl/smtpd.conf:


pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
minimum_layer: 0
auxprop_plugin: sql
# 0 no log, 1 log errors (default), 2 log all authentication failures, 3 log non-fatal warnings, 4 increasingly verbose up to 5-6-7 program trace
log_level: 2
sql_engine: pgsql
sql_hostnames: localhost
sql_user: NOMUTILISATEURPOSTFIXDOVECOT
sql_database: NOMBASE
sql_passwd: VOTREMOTDEPASSESECRET
sql_mda: sha1
# Set to yes if the database server is remote.
sql_usessl: no
sql_select: select password from "PREFIX"mailbox where username = '%u@%r'

The files for accessing the PostgreSQL database, which in our case is local:

/etc/postfix/pgsql/relay_domains.cf

user = NOMUTILISATEURPOSTFIXDOVECOT
password = VOTREMOTDEPASSESECRET
hosts = localhost
dbname = NOMBASE
query = SELECT domain FROM "PREFIX"domain WHERE domain='%s' and backupmx = true

/etc/postfix/pgsql/virtual_domains_maps.cf

user = NOMUTILISATEURPOSTFIXDOVECOT
password = VOTREMOTDEPASSESECRET
hosts = localhost
dbname = NOMBASE
query = SELECT domain FROM "PREFIX"domain WHERE domain='%s' and backupmx = false and active = true

/etc/postfix/pgsql/virtual_alias_maps.cf

user = NOMUTILISATEURPOSTFIXDOVECOT
password = VOTREMOTDEPASSESECRET
hosts = localhost
dbname = NOMBASE
query = SELECT goto FROM "PREFIX"alias WHERE address='%s' AND active = true

/etc/postfix/pgsql/virtual_mailbox_maps.cf

user = NOMUTILISATEURPOSTFIXDOVECOT
password = VOTREMOTDEPASSESECRET
hosts = localhost
dbname = NOMBASE
query = SELECT maildir FROM "PREFIX"mailbox WHERE username='%s' AND active = true


We still need to configure Dovecot so that mail can be retrieved over POP3 or IMAP. The configuration is for Dovecot version 2 and later; it is the same configuration as for the Dovecot package shipped in the Backports repository of GNU/Linux Debian Squeeze. Dovecot's configuration remains simple, but the configuration files are somewhat more scattered than in the previous version:

/etc/dovecot/dovecot.conf


## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration

# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace  "

# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var

# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol

# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
listen = *, ::

# Base directory where to store runtime data.
base_dir = /var/run/dovecot/

# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i  to select which instance is used (an alternative
# to -c ). The instance name is also added to Dovecot processes
# in ps output.
instance_name = dovecot

# Greeting message for clients.
login_greeting = Mail ready.

# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
shutdown_clients = yes

# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf

protocols = pop3 imap

# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf

/etc/dovecot/dovecot-sql.conf.ext

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/SQL
#

# Database driver: mysql, pgsql, sqlite
driver = pgsql

# Connect Database Server
connect = host=localhost dbname=NOMBASE user=NOMUTILISATEURPOSTFIXDOVECOT password=VOTREMOTDEPASSESECRET

# Default password scheme.
# List of supported schemes is in
# http://wiki2.dovecot.org/Authentication/PasswordSchemes
# until something better comes along...
default_pass_scheme = PLAIN

# passdb query to retrieve the password. It can return fields:
password_query = \
  SELECT username, password \
  FROM "PREFIX"mailbox WHERE username = '%u' AND active = '1'

# userdb query to retrieve the user information. It can return fields:
user_query = \
  SELECT CONCAT('/srv/vmail/', maildir) as home, 2000 as uid, 2000 as gid \
  FROM "PREFIX"mailbox WHERE username = '%u' AND active = '1'

/etc/dovecot/conf.d/10-master.conf

service imap-login {
  inet_listener imap {
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1

}

service pop3-login {
  inet_listener pop3 {
    port = 110
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

service imap {
  # Max. number of IMAP processes (connections)
  process_limit = 1024
}

service pop3 {
  # Max. number of POP3 processes (connections)
  process_limit = 1024
}

/etc/dovecot/conf.d/10-mail.conf

##
## Mailbox locations and namespaces
##
# <doc/wiki/MailLocation.txt>
#
mail_location = maildir:~/

namespace inbox {
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
}

# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = vmail
mail_gid = vmail

/etc/dovecot/conf.d/10-auth.conf

##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
disable_plaintext_auth = yes
auth_mechanisms = plain login cram-md5 digest-md5

# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
# <doc/wiki/UserDatabase.txt>

#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
!include auth-sql.conf.ext
#!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-vpopmail.conf.ext
#!include auth-static.conf.ext

/etc/dovecot/conf.d/10-ssl.conf

##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = /etc/ssl/private/LECERTIFICAT.crt
ssl_key = /etc/ssl/private/LACLEDUCERTIFICAT.key

# SSL protocols to use
ssl_protocols = !SSLv2

# SSL ciphers to use
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

/etc/dovecot/conf.d/auth-sql.conf.ext

# Authentication for SQL users. Included from auth.conf.
# <doc/wiki/AuthDatabase.SQL.txt>
passdb {
  driver = sql
  # Path for SQL configuration file, see example-config/dovecot-sql.conf.ext
  args = /etc/dovecot/dovecot-sql.conf.ext
}

userdb {
  driver = sql
  args = /etc/dovecot/dovecot-sql.conf.ext
}


Now we must configure Roundcube, the webmail. We set it up with the 'password' plugin, which lets users change their password without going through the PostfixAdmin interface. To get the latest stable release of Roundcube GPL Dependent, follow this link: Roundcube Webmail Stable. To configure it, follow the usual setup procedure and make sure the following parameters are set:

config/db.inc.php


$rcmail_config['db_dsnw'] = 'pgsql://NOMUTILISATEURPOSTFIXADMINRNDC:VOTREMOTDEPASSESECRET@localhost/NOMBASEROUNDCUBE';
$rcmail_config['db_max_length'] = 512000;
$rcmail_config['db_persistent'] = false;


For now Roundcube lets you define the table names but has no "PREFIX" setting, so renaming Roundcube's tables one by one is tedious.

config/main.inc.php


$rcmail_config['log_driver'] = 'syslog';
$rcmail_config['smtp_log'] = true;
$rcmail_config['default_host'] = 'localhost';
$rcmail_config['default_port'] = 143;
$rcmail_config['imap_auth_type'] = 'DIGEST-MD5';
$rcmail_config['smtp_server'] = 'localhost';
$rcmail_config['smtp_port'] = 587;
$rcmail_config['smtp_user'] = '%u';
$rcmail_config['smtp_pass'] = '%p';
$rcmail_config['smtp_auth_type'] = 'DIGEST-MD5';
$rcmail_config['enable_installer'] = false;
$rcmail_config['force_https'] = true;  // HTTPS access only!
$rcmail_config['plugins'] = array('password');  // the password plugin lets your users change their password.


Here are the last parameters to set; they concern the 'Password' plugin, which ships with Roundcube by default.

plugins/password/config.inc.php


$rcmail_config['password_driver'] = 'sql';
$rcmail_config['password_confirm_current'] = true;
$rcmail_config['password_minimum_length'] = 4;
// The plugin writes to the PostfixAdmin database (the mailbox table), not to Roundcube's own database.
$rcmail_config['password_db_dsn'] = 'pgsql://NOMUTILISATEURPOSTFIXADMINRNDC:VOTREMOTDEPASSESECRET@localhost/NOMBASE';


And there you have it: we have covered the various configurations that will let you provide a mail service for a small organisation or a community of friends. Do not hesitate to send us your comments and, if you can, remember to contribute, even modestly, to our activity.

References:
Postfix v2.9
Dovecot v2.1
PostgreSQL v9.1
PostfixAdmin v2.3.5
Roundcube Webmail GPL (dependent) v0.8.1
GNU/Linux Debian 7.0 Wheezy
