delegation feature in debian etch

"Eleni Postantzi" <lenapostantzigmail.com> writes:

> Hi Gunnar,
>
> As far no answer from the debian group :/
>
> however,i've managed to get it work better... at least
now i can see in the logs that the kolabpolicy is called...
>
> now, here's my config :
>
> /etc/postfix/main.cf
>
> # Debian specific:  Specifying a file name will cause
the first
> # line of that file to be used as the name.  The Debian
default
> # is /etc/mailname.
> #myorigin = /etc/mailname
>
> smtpd_banner = $myhostname ESMTP $mail_name
(Debian/GNU)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed
mail" warnings
> #delay_warning_time = 4h
>
> # TLS parameters
> smtpd_tls_cert_file=/var/smtp/mail.pem
> smtpd_tls_key_file=/var/smtp/mail.key
> smtpd_use_tls=yes
> smtpd_tls_session_cache_database =
btree:$/smtpd_scache
> smtp_tls_session_cache_database =
btree:$/smtp_scache
>
> # See /usr/share/doc/postfix/TLS_README.gz in the
postfix-doc package for
> # information on enabling SSL in the smtp client.
>
> myhostname = myhost.mydomain.org
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = myhost.mydomain.org, mydomain.org,
localhost
> relayhost =
> mynetworks = 127.0.0.0/8
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter = +
> inet_interfaces = all
>
> virtual_alias_maps =
ldap:/etc/postfix/kolab-ldapdistlist.cf,ldap:/etc/postfix/ko
lab-ldapvirtual.cf
> # transport_maps =
ldap:/etc/postfix/kolab-ldaptransport.cf
>
> mailbox_transport = kolabmailboxfilter
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> # Support broken clients like Microsoft Outlook Express
4.x which expect AUTH=LOGIN instead of AUTH LOGIN
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,reject_unauth_destination,
reject_unlisted_recipient, check_policy_service
unix:private/kolabpolicy
> #smtpd_sender_restrictions = permit_mynetworks,
check_policy_service unix:private/kolabpolicy
>
> relay_domains=
>
> kolabpolicy_time_limit = 3600
> kolabpolicy_max_idle = 20
>
>
------------------------------------------------------------
----------
>
> /etc/postfix/master.cf
>
> #
> # Postfix master process configuration file.  For
details on the format
> # of the file, see the master(5) manual page (command:
"man 5 master").
> #
> #
============================================================
==============
> # service type  private unpriv  chroot  wakeup  maxproc
command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> #
============================================================
==============
> smtp      inet  n       -       n       -       -      
smtpd
> #submission inet n       -       -       -       -     
 smtpd
> #  -o smtpd_enforce_tls=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o
smtpd_client_restrictions=permit_sasl_authenticated,reject
> smtps     inet  n       -       n       -       -      
smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o
smtpd_client_restrictions=permit_sasl_authenticated,reject
> #628      inet  n       -       -       -       -      
qmqpd
> pickup    fifo  n       -       -       60      1      
pickup
> cleanup   unix  n       -       -       -       0      
cleanup
> qmgr      fifo  n       -       n       300     1      
qmgr
> #qmgr     fifo  n       -       -       300     1      
oqmgr
> tlsmgr    unix  -       -       -       1000?   1      
tlsmgr
> rewrite   unix  -       -       -       -       -      
trivial-rewrite
> bounce    unix  -       -       -       -       0      
bounce
> defer     unix  -       -       -       -       0      
bounce
> trace     unix  -       -       -       -       0      
bounce
> verify    unix  -       -       -       -       1      
verify
> flush     unix  n       -       -       1000?   0      
flush
> proxymap  unix  -       -       n       -       -      
proxymap
> smtp      unix  -       -       -       -       -      
smtp
> # When relaying mail as backup MX, disable
fallback_relay to avoid MX loops
> relay     unix  -       -       -       -       -      
smtp
>     -o fallback_relay=
> #       -o smtp_helo_timeout=5 -o
smtp_connect_timeout=5
> showq     unix  n       -       -       -       -      
showq
> error     unix  -       -       -       -       -      
error
> discard   unix  -       -       -       -       -      
discard
> local     unix  -       n       n       -       -      
local
> virtual   unix  -       n       n       -       -      
virtual
> lmtp      unix  -       -       -       -       -      
lmtp
> anvil     unix  -       -       -       -       1      
anvil
> scache      unix    -    -    -    -    1    scache
> #
> #
============================================================
========
> #
============================================================
========
> # Interfaces to non-Postfix software. Be sure to
examine the manual
> # pages of the non-Postfix software to find out what
options it wants.
> #
> # Many of the following services use the Postfix
pipe(8) delivery
> # agent.  See the pipe(8) man page for information
about $
> # and other message envelope options.
> #
============================================================
========
> #
> # maildrop. See the Postfix MAILDROP_README file for
details.
> # Also specify in main.cf:
maildrop_destination_recipient_limit=1
> #
> maildrop  unix  -       n       n       -       -      
pipe
>   flags=DRhu user=vmail argv=/usr/bin/maildrop -d
$
> #
> # See the Postfix UUCP_README file for configuration
details.
> #
> uucp      unix  -       n       n       -       -      
pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender -
$nexthop!rmail ($recipient)
> #
> # Other external delivery methods.
> #
> ifmail    unix  -       n       n       -       -      
pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r
$nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -      
pipe
>   flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp
-t$nexthop -f$sender $recipient
> scalemail-backend unix    -    n    n    -    2   
pipe
>   flags=R user=scalemail
argv=/usr/lib/scalemail/bin/scalemail-store $
$ $
> mailman   unix  -       n       n       -       -      
pipe
>   flags=FR user=list
argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>   $ $
> kolabfilter     unix  -       n       n       -       -
      pipe user=nobody null_sender= argv=/usr/bin/php
>    -c /etc/php4/cli/php.ini
>    -f
/usr/share/kolab-resource-handlers/kolabfilter.php
>    --
>    -h myhost.mydomain.org
>    -s $
>    -r $
>    -c $
>
> kolabmailboxfilter     unix  -       n       n       - 
     -       pipe user=nobody null_sender=
argv=/usr/bin/php
>    -c /etc/php4/cli/php.ini
>    -f
/usr/share/kolab-resource-handlers/kolabmailboxfilter.php
>    --
>    -h myhost.mydomain.org
>    -s $
>    -r $
>    -c $
> kolabpolicy    unix  -       n       n       -       - 
     spawn user=kolab argv=/usr/sbin/kolab_smtpdpolicy -v
>
>
------------------------------------------------------------

>
> and finally,
>
> /etc/kolab/kolab_smtpdpolicy.conf
>
> ldap_uri: ldap://127.0.0.1:389
> basedn: dc=mydomain,dc=org
> binddn: cn=manager,cn=internal,dc=mydomain,dc=org
> bindpw: mypassword
> domain: mydomain.org
> allow_unauth: 1
> permithosts: localhost
>
> Do these config files seem good to you?

What might be more important is the cyrus imapd
configuration. 

>From what you reported so far I'm not certain if the
delegation fails
within postfix or the IMAP server.

For Cyrus IMAPD you should have:

postuser: kolab
userprefix: user
sharedprefix: shared


For postfix you could also try the fix I suggested here:

http
s://www.intevation.de/roundup/kolab/issue828

Cheers,

Gunnar

>
> i can't understand why when putting allow_unauth: 0
then i get the following error when i send a mail from an
external user to a kolab user
>
> Feb 20 21:47:47 mailhost
/usr/sbin/kolab_smtpdpolicy[18637]: Checking
sender="megmail.com",
recipient="kolabusermydomain.org",
username="", domains= permithosts=localhost,
> conf_allowunauth=0
> Feb 20 21:47:47 mailhost
/usr/sbin/kolab_smtpdpolicy[18637]: LDAP search returned 0
objects
> Feb 20 21:47:47 mailhost
/usr/sbin/kolab_smtpdpolicy[18637]: Attempt to fake address
megmail.com
> Feb 20 21:47:47 mailhost
/usr/sbin/kolab_smtpdpolicy[18637]: Action: REJECT Invalid
sender
> Feb 20 21:47:47 mailhost postfix/smtpd[18631]: NOQUEUE:
reject: RCPT from myserver.gmail.com: 554 5.7.1 <megmail.com>: Sender address rejected: Invalid
sender; from=<
> megmail.com> to=<olabusermydomain.org>
proto=ESMTP helo=<smtp.gmail.com>
>
> When i send a mail directly from Horde (which is on the
same server) the policy is not called to treat the
message... I suppose that it has something to do with the
order of
> parameters in smtpd_recipient_restrictions ?
>
> Many thanks for your help,
>
> Eleni
>
> _______________________________________________
> Kolab-users mailing list
> Kolab-userskolab.org
> https:
//kolab.org/mailman/listinfo/kolab-users

-- 
______ http://kdab.com
_______________ http://kolab-konsortium.c
om _

prdus Kolab work is funded in part by KDAB and the
Kolab Konsortium

____ http://www.pardus.de
_________________ http://gunnarwrobel.de _
E-mail : prdus.de                                 Dr. Gunnar
Wrobel
Tel.   : +49 700 6245 0000                         
Bundesstrasse 29
Fax    : +49 721 1513 52322                          D-20146
Hamburg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~
   >> Mail at ease - Rent a kolab groupware server at
prdus <<                 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~

_______________________________________________
Kolab-users mailing list
Kolab-userskolab.org
https:
//kolab.org/mailman/listinfo/kolab-users

"Eleni Postantzi" <lenapostantzigmail.com> writes:

> yes and i'm rather surprised that it works that well...
some fine tuning will be needed of course, but horde's doc
is not that bad 
>
> the only think that still doesn't work is delegation
:/
> does anyone have some docs or selfmade notes maybe? so
i can better understand how that feature works in kolab.

The delegation feature is primarily handled by the
kolab_smtpdpolicy
script.

Postfix needs in master.cf:

kolabpolicy    unix  -       n       n       -       -      
spawn user=kolabtest-n
argv=/kolab/etc/kolab/kolab_smtpdpolicy 

And in main.cf:

smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
        reject_unauth_destination,
reject_unlisted_recipient,
        check_policy_service unix:private/kolabpolicy
smtpd_sender_restrictions = permit_mynetworks,
        check_policy_service unix:private/kolabpolicy
kolabpolicy_time_limit = 3600
kolabpolicy_max_idle = 20


Cheers,

Gunnar

>
> many thanks,
>
> --
> Eleni
>
> On Thu, Feb 21, 2008 at 7:32 PM, Paul Douglas Franklin
<pdfyugm.org> wrote:
>
>     Horde runs on a separate system?  I have not tried
to add Horde to my
>     setup yet because I fear messing with my live
server until the package
>     is stable.  But if I could run Horde on another
box, I'd be interested.
>     Is this doable?
>     --Paul
>    
>     Adam Katz wrote:
>     > I'm on the same Debian Etch setup as you (same
koalbd package version,
>     > though my kernel is 2.6.18-6-686 (i386, not
amd64 and horde runs on a
>     > separate system).
>     > -Adam
>     >
>    
>     --
>     Paul Douglas Franklin
>     Computer Manager, Union Gospel Mission of Yakima,
Washington
>     Husband of Danette
>     Father of Laurene, Miriam, Tycko, Timothy,
Sarabeth, Marie, Dawnita, Anna Leah, Alexander, and Caleb
>    
>     _______________________________________________
>     Kolab-users mailing list
>     Kolab-usersintevation.de
>     https://lists.intevation.de/mailman/listinfo/kolab-users

>
> _______________________________________________
> Kolab-users mailing list
> Kolab-userskolab.org
> https:
//kolab.org/mailman/listinfo/kolab-users

-- 
______ http://kdab.com
_______________ http://kolab-konsortium.c
om _

prdus Kolab work is funded in part by KDAB and the
Kolab Konsortium

____ http://www.pardus.de
_________________ http://gunnarwrobel.de _
E-mail : prdus.de                                 Dr. Gunnar
Wrobel
Tel.   : +49 700 6245 0000                         
Bundesstrasse 29
Fax    : +49 721 1513 52322                          D-20146
Hamburg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~
   >> Mail at ease - Rent a kolab groupware server at
prdus <<                 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~

_______________________________________________
Kolab-users mailing list
Kolab-userskolab.org
https:
//kolab.org/mailman/listinfo/kolab-users

Adam Katz <adamkhopis.com> writes:

> Paul Douglas Franklin wrote:
>> Horde runs on a separate system?  I have not tried
to add Horde to my 
>> setup yet because I fear messing with my live
server until the package 
>> is stable.  But if I could run Horde on another
box, I'd be interested.
>> Is this doable?
>
> Horde's support for SSL is complete crap, and it simply
didn't support
> the odd authentication options in kolab. 

You are referring to IMAP here? That area might actually
still need
some work. I noticed some problems myself but didn't work on
fixing it
yet since the whole IMAP thing in the Horde::Kolab module
still has
some structural issues that will be solved in Horde 4.

> Kolab also doesn't seem to
> use LDAPS (LDAP with SSL on port 636), so I had some
trouble getting
> this to work securely across the internet. 

Any normal Kolab box should definitely support LDAPS
otherwise it is
incorrectly configured.

Cheers,

Gunnar

> I ended up using an SSH
> tunnel with a dummy user and installing it as a service
running with
> autossh.  The tunnel port-forwards all the non-SSL
ports needed, so
> the horde server has access to everything as if it were
local.  Just
> be consistent in port numbers (I simply added a high
number to the
> real number; 50025 for SMTP, 50143 for IMAP, etc), as
you'll have to
> enter them in a dozen or so places in the Horde config.
 You'll also
> have to examine every drop-down box in setup for a
kolab option.
> Don't forget to add the admin accounts (e.g. manager
and
> youdomain.com) to the authentication section's
"treat as
> administrators" box.
>
> I couldn't get turba2 working on my Debian Etch box,
but everything
> else is pretty smooth.  ... note, some dependencies
aren't listed in
> Debian, so there's some simple guesswork involved.  (I
regret not
> having taken notes.)
>
> _______________________________________________
> Kolab-users mailing list
> Kolab-userskolab.org
> https:
//kolab.org/mailman/listinfo/kolab-users

-- 
______ http://kdab.com
_______________ http://kolab-konsortium.c
om _

prdus Kolab work is funded in part by KDAB and the
Kolab Konsortium

____ http://www.pardus.de
_________________ http://gunnarwrobel.de _
E-mail : prdus.de                                 Dr. Gunnar
Wrobel
Tel.   : +49 700 6245 0000                         
Bundesstrasse 29
Fax    : +49 721 1513 52322                          D-20146
Hamburg
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~
   >> Mail at ease - Rent a kolab groupware server at
prdus <<                 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~

_______________________________________________
Kolab-users mailing list
Kolab-userskolab.org
https:
//kolab.org/mailman/listinfo/kolab-users