alexandrob
19/02/2008
After spending some time studying how to connect mail services to an LDAP/AD directory, I found countless ways of preparing the services and getting them running. Of all the documentation I read and re-read that is available on the Internet, little of it integrates the mail services with an LDAP/AD directory in a clear and direct way; most of it stacks several layers of software, which makes the configuration very long and can cause security problems later on.

In this document I try to keep the configuration of the mail services as brief and simple as possible, using the LDAP/AD connection support built into the services themselves and eliminating configuration in additional, unnecessary software.

Note: the focus here is integration with AD. It is assumed that the AD DOMAIN is already set up and that the DNS service is up and running; the bind9 section is merely illustrative, for reference.
Requirements:
# apt-get update
# apt-get upgrade
# apt-get install ssh vim ntpdate gcc g++ openssl gpm make libncurses5-dev
Configure the environment:
# vi /etc/network/interfaces
(the interface definition below belongs in /etc/network/interfaces; the original listed it under /etc/hosts, which only maps names to addresses)
auto eth0
iface eth0 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    network 10.0.0.0
    broadcast 10.0.0.255
    gateway 10.0.0.2
# vi /etc/resolv.conf
domain dominio.org
search dominio.org
nameserver 10.0.0.1
nameserver 127.0.0.1
# vi /etc/nsswitch.conf
I am installing BIND on this server because I will use its DNS service; the DNS on the server where LDAP/AD lives can be used instead, and in that case skip the BIND configuration.
# apt-get install bind9 apache2 php5 php5-gd php5-pgsql php5-cli php5-common php5-cgi php5-ldap php5-mcrypt php-log php-fpdf php-pear php5-imap
Configure bind9
Edit the file:
# vi /etc/bind/named.conf.local
zone "dominio.org" {
    type master;
    file "/etc/bind/arquivo/dominio.org.db";
};
zone "0.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/arquivo/dominio.org.rev";
};

Edit the file:
# vi /etc/bind/named.conf.options
directory "/etc/bind";
version "Not available";
transfer-format many-answers;
query-source address *;
The original had "query-source address * port 53;". Pinning the outgoing query port switches off the randomisation of the query source port, which is the main defence a resolver has against cache poisoning; leave the port unspecified. Since both zones are masters, also restrict zone transfers (allow-transfer) to your secondaries.
# mkdir -p /etc/bind/arquivo
# vi /etc/bind/arquivo/dominio.org.db
$TTL 43200
@ IN SOA nome.dominio.org. hostmaster.dominio.org. (
        2008010301 ; serial
        1H         ; refresh
        15M        ; retry
        14D        ; expire
        12H        ; minimum (negative-cache TTL)
        )
@ IN NS nome.dominio.org.
@ IN MX 1 mail.dominio.org.
@ IN A 10.0.0.1
@ IN TXT "v=spf1 ip4:10.0.0.1 mx -all"
nome IN TXT "v=spf1 a -all"
;
;INTERNAL IPS
;name IN A IP
nome IN A 10.0.0.1
mail IN A 10.0.0.1
www  IN A 10.0.0.1
Names in the SOA, NS and MX data must end with a dot; without it BIND appends the origin and nome.dominio.org silently becomes nome.dominio.org.dominio.org. The original file had no dot on the SOA primary name and on the MX target, and used the fully qualified nome.dominio.org as an owner name. The MX target mail.dominio.org also needs an address record, added above, and the file name now matches the one referenced in named.conf.local.
Create and edit the file:
# vi /etc/bind/arquivo/dominio.org.rev
$TTL 43200
@ IN SOA nome.dominio.org. hostmaster.dominio.org. (
        2008010301 ; serial
        1H         ; refresh
        15M        ; retry
        14D        ; expire
        12H        ; minimum (negative-cache TTL)
        )
@ IN NS nome.dominio.org.
;
;INTERNAL IPS
;last-octet IN PTR host.dominio.org.
1 IN PTR nome.dominio.org.
(the original also had "@ IN A 10.0.0.1" here; an A record has no meaning in a reverse zone and was dropped)
Check both files before restarting, then fix ownership and restart:
# named-checkzone dominio.org /etc/bind/arquivo/dominio.org.db
# named-checkzone 0.0.10.in-addr.arpa /etc/bind/arquivo/dominio.org.rev
# chown -R bind:bind /etc/bind/arquivo
# /etc/init.d/bind9 restart
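As an added example (not part of the original tutorial), here is a small POSIX shell/awk lint for zone files that catches the mistakes BIND loads without complaint: an SOA, NS or MX name without the trailing dot (which BIND expands to nome.dominio.org.dominio.org), a fully qualified owner name written without the dot, and an A record inside an in-addr.arpa zone. The zone texts embedded in the script are constructed for the example: the forward zone as it appeared in the original file, its corrected form, and the reverse zone; the origin and host names are the tutorial's.

```shell
#!/bin/sh
# Added example, not from the tutorial: lint a BIND zone file for the
# hand-editing mistakes that BIND loads without complaint.
#   lint_zone ORIGIN < zonefile             one finding per line
#   zone_problem_count ORIGIN < zonefile    number of findings
# Checks: SOA MNAME and RNAME must end with a dot; an owner name that already
# contains the origin but has no trailing dot is relative by mistake; an NS,
# MX, CNAME or PTR target that contains a dot but no trailing dot is almost
# certainly meant to be absolute; A records do not belong in in-addr.arpa.
# ';' comments are stripped, so a ';' inside a quoted TXT would confuse it.
lint_zone() {
    awk -v origin="$1" '
    function qualified(n)       { return n ~ /\.$/ }
    function relative_owner(n)  { return index(n, origin) > 0 && !qualified(n) }
    function dotted_relative(n) { return index(n, ".") > 0 && !qualified(n) }
    {
        sub(/;.*/, ""); type = ""
        if (NF == 0) next
        if (relative_owner($1))
            printf "line %d: owner %s lacks trailing dot\n", NR, $1
        for (i = 1; i < NF; i++)
            if ($i == "IN") { type = $(i + 1); first = i + 2; break }
        if (type == "SOA") {
            if (!qualified($first))
                printf "line %d: SOA MNAME %s lacks trailing dot\n", NR, $first
            if (!qualified($(first + 1)))
                printf "line %d: SOA RNAME %s lacks trailing dot\n", NR, $(first + 1)
        } else if (type == "NS" || type == "CNAME" || type == "PTR") {
            if (dotted_relative($first))
                printf "line %d: %s target %s lacks trailing dot\n", NR, type, $first
        } else if (type == "MX") {
            if (dotted_relative($(first + 1)))
                printf "line %d: MX target %s lacks trailing dot\n", NR, $(first + 1)
        } else if (type == "A" && origin ~ /in-addr\.arpa$/) {
            printf "line %d: A record in reverse zone %s\n", NR, origin
        }
    }'
}
zone_problem_count() { lint_zone "$1" | awk 'END { print NR }'; }

# Constructed samples: the forward zone as written in the original file,
# its corrected form, and the reverse zone as written.
ZONE_AS_WRITTEN='$TTL 43200
@ IN SOA nome.dominio.org hostmaster.dominio.org. (
        2008010301 ; serial
        1H ; refresh
        15M ; retry
        14D ; expire
        12H ; minimum
        )
@ IN NS nome.dominio.org.
@ IN MX 1 mail.dominio.org
@ IN A 10.0.0.1
@ IN TXT "v=spf1 ip4:10.0.0.1 mx -all"
nome.dominio.org IN TXT "v=spf1 a -all"
nome IN A 10.0.0.1
www IN A 10.0.0.1'

ZONE_FIXED='$TTL 43200
@ IN SOA nome.dominio.org. hostmaster.dominio.org. ( 2008010301 1H 15M 14D 12H )
@ IN NS nome.dominio.org.
@ IN MX 1 mail.dominio.org.
@ IN A 10.0.0.1
@ IN TXT "v=spf1 ip4:10.0.0.1 mx -all"
nome IN TXT "v=spf1 a -all"
nome IN A 10.0.0.1
mail IN A 10.0.0.1
www IN A 10.0.0.1'

REVERSE_AS_WRITTEN='$TTL 43200
@ IN SOA nome.dominio.org hostmaster.dominio.org. ( 2008010301 1H 15M 14D 12H )
@ IN NS nome.dominio.org.
@ IN A 10.0.0.1
1 IN PTR nome.dominio.org.'

printf '%s\n' "$ZONE_AS_WRITTEN"    | lint_zone dominio.org
printf '%s\n' "$REVERSE_AS_WRITTEN" | lint_zone 0.0.10.in-addr.arpa
printf 'corrected forward zone: %s problems\n' \
    "$(printf '%s\n' "$ZONE_FIXED" | zone_problem_count dominio.org)"
```

Run it against the real files with `lint_zone dominio.org < /etc/bind/arquivo/dominio.org.db`; it complements named-checkzone, which accepts all of these records because they are syntactically valid.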
Configuring Apache2
Configure apache2:
# mkdir -p /home/www/dominio
# chown -R www-data:www-data /home/www/dominio
# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/dominio
# vi /etc/apache2/sites-available/dominio
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /home/www/dominio/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /home/www/dominio/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>
    ErrorLog /var/log/apache2/error.log
</VirtualHost>
Indexes in the Options line serves a directory listing whenever a request lands on a directory without an index file, which exposes everything under /home/www/dominio; drop it unless you want that.
# a2ensite dominio
# rm /etc/apache2/sites-enabled/000-default
# /etc/init.d/apache2 restart
Edit and change:
# vi /etc/postgresql/8.2/main/postgresql.conf
listen_addresses = '*'
password_encryption = on
autovacuum_naptime = 1min
autovacuum_vacuum_threshold = 500
autovacuum_analyze_threshold = 250
autovacuum_vacuum_scale_factor = 0.2
autovacuum_analyze_scale_factor = 0.1
autovacuum_freeze_max_age = 200000000
autovacuum_vacuum_cost_delay = -1
autovacuum_vacuum_cost_limit = -1
listen_addresses = '*' binds PostgreSQL on every interface. The web front end runs on this same host, so 'localhost' is enough; whichever you choose, pg_hba.conf (edited next; the rules themselves are not reproduced here) is what decides which hosts, users and databases may connect, so restrict it to the local host with md5 passwords rather than trust.
# vi /etc/postgresql/8.2/main/pg_hba.conf
# /etc/init.d/postgresql-8.2 restart
# vi /etc/php5/apache2/php.ini
mbstring.func_overload = 7
magic_quotes_gpc = Off
# /etc/init.d/apache2 restart
# pear install Auth_SASL-1.0.2.tgz
(can be downloaded from http://pear.php.net/package/Auth_SASL)
# mkdir -p /home/egroup/files
# mkdir -p /home/egroup/backup
# chown -R www-data:www-data /home/egroup/
Configure SASL:
# vi /etc/default/saslauthd
START=yes
MECHANISMS="ldap"
Create and edit:
# vi /etc/saslauthd.conf
ldap_servers: ldap://10.0.0.250
ldap_version: 3
ldap_search_base: dc=dominio,dc=org
ldap_auth_method: bind
ldap_bind_dn: usuarioAD@dominio.org
ldap_bind_pw: senha
ldap_filter: (&(objectClass=user)(sAMAccountName=%u))
# chmod 600 /etc/saslauthd.conf
# /etc/init.d/saslauthd restart
# testsaslauthd -u usuarioAD -p senha -s smtp
The file carries the bind account's password in clear, so set the 600 mode before the first start (the original did it after the test) and use a dedicated AD account with read-only rights as usuarioAD. With ldap:// the service password and every user password saslauthd verifies travel to the domain controller unencrypted; point ldap_servers at ldaps://10.0.0.250 once the DC has a certificate this host trusts. Note also that the Postfix configuration below uses smtpd_sasl_type = dovecot, so Postfix authenticates through Dovecot's socket and never calls saslauthd: the testsaslauthd run is still a quick, independent check that the AD bind and filter work, but saslauthd only becomes the active path if you switch Postfix to smtpd_sasl_type = cyrus.
Configure Postfix:
# vi /etc/postfix/main.cf
myhostname = nome.dominio.org
mydomain = dominio.org
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
mydestination = $mydomain, $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8, 10.0.0.0/24
####################################
default_privs = vmail
mail_spool_directory = /home/vmail
######### SASL ###################
smtpd_tls_loglevel = 1
smtpd_sasl_local_domain = $mydestination
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
Three points about these values. mynetworks: the original had 10.0.0.0/8, which lets every host in 10.x.x.x relay through this server without authenticating; the LAN configured above is 10.0.0.0/24, and that is what is listed here. smtpd_tls_auth_only = yes only makes sense once TLS is enabled in Postfix (smtpd_use_tls = yes, or smtpd_tls_security_level = may on Postfix 2.3 and later, plus smtpd_tls_cert_file and smtpd_tls_key_file); without that Postfix never offers AUTH at all and clients cannot authenticate. The trailing reject in smtpd_client_restrictions refuses every client that is neither on the LAN nor authenticated, which includes remote MTAs delivering mail for dominio.org; keep it only while Internet mail for the domain arrives through another gateway, and on a public MX drop that line and let reject_unauth_destination do the relay control. Postfix authenticates through Dovecot's socket (smtpd_sasl_type = dovecot), so the saslauthd service configured earlier is not on this path.
# vi /etc/mailname
dominio.org
# vi /etc/postfix/ldap-aliases.cf
server_host = 10.0.0.250
search_base = dc=dominio,dc=org
version = 3
scope = sub
query_filter = (&(objectclass=user)(sAMAccountName=%u))
result_attribute = sAMAccountName
# %U = local part of the address being looked up, as Postfix presents it for
# the alias lookup; %u would be the sAMAccountName exactly as stored in AD
result_format = /home/vmail/%U/Maildir/
bind = yes
bind_dn = cn=usuarioAD,cn=Users,dc=dominio,dc=org
bind_pw = senha
# chmod 600 /etc/postfix/ldap-aliases.cf
# /etc/init.d/postfix restart
The Maildir path built here must agree with the one Dovecot derives from the login name (auth_username_format = %Lu lower-cases it), so test delivery and IMAP login with a user whose AD name contains capitals before going live. The file holds the AD bind password in clear: besides the chmod, give usuarioAD nothing more than read access in AD, and prefer an encrypted connection here too (Postfix ldap tables accept server_host = ldaps://10.0.0.250, or start_tls = yes).
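The two restriction lists are what decide who may send through this server. As an added example (not the tutorial's code), the POSIX shell script below models Postfix's left-to-right, first-match walk over smtpd_client_restrictions and smtpd_recipient_restrictions for a handful of constructed clients, to show concretely what mynetworks = 10.0.0.0/8 and the trailing reject do. Assumptions: mynetworks is given as CIDR strings, SASL success is a yes/no flag, mydestination is the expanded list from main.cf, and the client addresses (10.200.3.4, 203.0.113.10) are made up.

```shell
#!/bin/sh
# Added example, not from the tutorial: a model of how Postfix evaluates the
# restriction lists in the main.cf above. Each list is walked left to right
# and the first restriction that answers permit or reject wins; reaching the
# end of a list is "no decision", which for these lists means the mail goes
# through. mydestination is the expanded value from main.cf.
MYDESTINATION="dominio.org nome.dominio.org localhost.dominio.org localhost"

# ip_to_int 10.0.0.1 -> 167772161
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> true when IP lies inside NET/BITS
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# evaluate "RESTRICTION LIST" "MYNETWORKS" CLIENT_IP SASL(yes|no) RCPT_DOMAIN
# -> permit | reject | dunno
evaluate() {
    list=$(printf '%s' "$1" | tr ',' ' '); nets=$(printf '%s' "$2" | tr ',' ' ')
    ip=$3; sasl=$4; rcpt_domain=$5
    for r in $list; do
        case $r in
        permit_mynetworks)
            for n in $nets; do
                if in_cidr "$ip" "$n"; then echo permit; return 0; fi
            done ;;
        permit_sasl_authenticated)
            if [ "$sasl" = yes ]; then echo permit; return 0; fi ;;
        reject_unauth_destination)
            case " $MYDESTINATION " in
            *" $rcpt_domain "*) ;;          # one of our own domains: not a relay
            *) echo reject; return 0 ;;     # relay attempt with no permit so far
            esac ;;
        reject) echo reject; return 0 ;;
        permit) echo permit; return 0 ;;
        esac
    done
    echo dunno
}

# relay_decision "MYNETWORKS" "CLIENT RESTRICTIONS" CLIENT_IP SASL RCPT_DOMAIN
# Client restrictions are checked first; a reject there ends the session
# before smtpd_recipient_restrictions is ever consulted.
relay_decision() {
    rcpt_restr="permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination"
    if [ "$(evaluate "$2" "$1" "$3" "$4" "$5")" = reject ]; then
        echo client-reject; return 0
    fi
    if [ "$(evaluate "$rcpt_restr" "$1" "$3" "$4" "$5")" = reject ]; then
        echo relay-denied
    else
        echo accepted
    fi
}

AS_WRITTEN="127.0.0.0/8, 10.0.0.0/8"
CORRECTED="127.0.0.0/8, 10.0.0.0/24"
CLIENT_AS_WRITTEN="permit_mynetworks, permit_sasl_authenticated, reject"
CLIENT_FOR_MX="permit_mynetworks, permit_sasl_authenticated"

show() {   # show MYNETWORKS CLIENT_RESTRICTIONS IP SASL DOMAIN
    printf 'mynetworks=%-24s client=%-13s sasl=%-3s rcpt=@%-12s -> %s\n' \
        "$1" "$3" "$4" "$5" "$(relay_decision "$@")"
}
# Constructed clients: an unauthenticated host elsewhere in 10/8, a remote
# MTA (203.0.113.10) delivering inbound mail, and an authenticated user.
show "$AS_WRITTEN" "$CLIENT_AS_WRITTEN" 10.200.3.4   no  example.com   # open relay for all of 10/8
show "$CORRECTED"  "$CLIENT_AS_WRITTEN" 10.200.3.4   no  example.com   # client-reject
show "$CORRECTED"  "$CLIENT_AS_WRITTEN" 203.0.113.10 no  dominio.org   # inbound mail refused
show "$CORRECTED"  "$CLIENT_FOR_MX"     203.0.113.10 no  dominio.org   # accepted (local domain)
show "$CORRECTED"  "$CLIENT_FOR_MX"     203.0.113.10 no  example.com   # relay-denied
show "$CORRECTED"  "$CLIENT_FOR_MX"     203.0.113.10 yes example.com   # accepted (authenticated)
```

The first line is the one to look at: with the /8 every machine in 10.0.0.0/8 can use the server as an open relay, and the third shows why the trailing reject cannot stay on a host that is the public MX.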
# vi /etc/dovecot/dovecot.conf
protocols = imap
# "no" lets clients send PLAIN over an unencrypted IMAP session, so AD
# passwords cross the LAN in clear; with "yes" PLAIN is only accepted after
# STARTTLS/SSL or from localhost. Postfix is unaffected, since
# smtpd_tls_auth_only already confines AUTH to TLS sessions.
disable_plaintext_auth = yes
log_path = /var/log/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
ssl_disable = no
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
mail_location = maildir:~/Maildir
mail_extra_groups = vmail
protocol imap {
  mail_plugins = quota imap_quota
  mail_plugin_dir = /usr/lib/dovecot/modules/imap
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh tb-extra-mailbox-sep
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
}
auth_username_format = %Lu
auth default {
  mechanisms = plain
  # the pam passdb is the only reason the auth process needs "user = root"
  # below; the AD passdb does the real work, so both can go
  passdb pam {
  }
  passdb ldap {
    args = /etc/dovecot/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb static {
    args = uid=vmail gid=vmail home=/home/vmail/%u
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
plugin {
  quota = maildir:storage=5120
}
# vi /etc/dovecot/dovecot-ldap.conf
# hosts and uris are alternatives, one is enough; ldap:// sends the simple
# bind in clear, switch to ldaps://10.0.0.250 (or add tls = yes for STARTTLS)
# once the DC has a certificate this host trusts
uris = ldap://10.0.0.250
dn = cn=usuarioAD,cn=Users,dc=dominio,dc=org
dnpass = senha
auth_bind = yes
ldap_version = 3
base = dc=dominio,dc=org
deref = never
scope = subtree
# pass_attrs maps LDAP attributes to Dovecot fields (attribute=field); the
# original "sAMAccountName=%u" named no field. With auth_bind = yes the
# password is verified by binding as the user, so only the user name is needed
pass_attrs = sAMAccountName=user
pass_filter = (&(objectClass=user)(sAMAccountName=%u))
# not used with auth_bind = yes (AD never returns password hashes)
default_pass_scheme = PLAIN-MD5
user_global_uid = vmail
user_global_gid = vmail
dovecot-ldap.conf holds the same bind password as saslauthd.conf; keep it unreadable by other users.
# /etc/init.d/dovecot restart
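Several of the settings above (in saslauthd.conf, main.cf, dovecot.conf, dovecot-ldap.conf and named.conf.options) weaken either the transport to the domain controller or the authentication path. As an added example, not part of the original page, the POSIX shell script below reads each file's key/value lines (the "key = value", "key: value" and BIND "key value;" forms), matches them against a small rule table and prints the weak value next to a hardened one. The excerpts are constructed from this page; the hardened values are the example's own suggestions, ldaps://10.0.0.250 assumes the DC presents a certificate the mail host trusts, and dovecot-auth is an assumed account name.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit the settings shown on this page
# for values that weaken the transport to the DC or the authentication path,
# printing each weak value next to a hardened one. Hardened values are this
# example's suggestions; ldaps://10.0.0.250 assumes the DC has a certificate
# this host trusts, and the unprivileged Dovecot auth account is assumed.

# Rule format: service|key|ERE that matches a weak value|hardened value|reason
RULES='dovecot|disable_plaintext_auth|^no$|yes|PLAIN accepted over cleartext IMAP, AD passwords cross the LAN in clear
dovecot|ssl_disable|^yes$|no|IMAP without TLS
dovecot|user|^root$|an unprivileged account (drop passdb pam first)|root is only needed for the pam/shadow passdb
dovecot-ldap|uris|^ldap://|ldaps://10.0.0.250|simple bind sends the service password to the DC in clear
saslauthd|ldap_servers|^ldap://|ldaps://10.0.0.250|simple bind sends user and service passwords to the DC in clear
postfix|mynetworks|10\.0\.0\.0/8|127.0.0.0/8, 10.0.0.0/24|every 10.x.x.x host may relay without authenticating
postfix|smtpd_client_restrictions|[ ,]reject$|permit_mynetworks, permit_sasl_authenticated|trailing reject refuses remote MTAs delivering to this domain
bind|query-source|port 53|query-source address *;|a fixed source port defeats query port randomisation'

# config_value KEY < config -> first value of KEY, accepting "key = v",
# "key: v" and BIND-style "key v;"; '#' comments and a trailing ';' are removed
config_value() {
    awk -v k="$1" '
        { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }
        match($0, "^[ \t]*" k "([ \t]*[:=][ \t]*|[ \t]+)") {
            v = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", v); print v; exit
        }'
}

# audit_config SERVICE < config -> one finding per line (nothing when clean)
audit_config() {
    svc=$1; conf=$(cat)
    printf '%s\n' "$RULES" | while IFS='|' read -r rsvc key weak rec why; do
        if [ "$rsvc" = "$svc" ]; then
            val=$(printf '%s\n' "$conf" | config_value "$key")
            if printf '%s\n' "$val" | grep -Eq "$weak"; then
                printf '%s: %s = %s -> %s (%s)\n' "$svc" "$key" "$val" "$rec" "$why"
            fi
        fi
    done
}
audit_count() { audit_config "$1" | awk 'END { print NR }'; }

# Constructed excerpts of the files shown on this page.
SASLAUTHD_CONF='ldap_servers: ldap://10.0.0.250
ldap_version: 3
ldap_auth_method: bind'
POSTFIX_MAIN_CF='mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_tls_auth_only = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject'
DOVECOT_CONF='protocols = imap
disable_plaintext_auth = no
ssl_disable = no
auth default {
  mechanisms = plain
  user = root
  socket listen {
    client {
      user = postfix
    }
  }
}'
DOVECOT_LDAP_CONF='uris = ldap://10.0.0.250
auth_bind = yes'
NAMED_CONF_OPTIONS='directory "/etc/bind";
query-source address * port 53;'
# The same dovecot.conf after hardening (dovecot-auth is an assumed account).
DOVECOT_HARDENED='disable_plaintext_auth = yes
ssl_disable = no
auth default {
  mechanisms = plain
  user = dovecot-auth
}'

for svc in saslauthd postfix dovecot dovecot-ldap bind; do
    case $svc in
    saslauthd)    cfg=$SASLAUTHD_CONF ;;
    postfix)      cfg=$POSTFIX_MAIN_CF ;;
    dovecot)      cfg=$DOVECOT_CONF ;;
    dovecot-ldap) cfg=$DOVECOT_LDAP_CONF ;;
    bind)         cfg=$NAMED_CONF_OPTIONS ;;
    esac
    printf '%s\n' "$cfg" | audit_config "$svc"
done
printf 'hardened dovecot.conf: %s findings\n' \
    "$(printf '%s\n' "$DOVECOT_HARDENED" | audit_count dovecot)"
```

Point it at the live files with, for instance, `audit_config postfix < /etc/postfix/main.cf`. Only the first occurrence of a key is examined, which is why "user = root" in the auth block is found before the "user = postfix" inside the socket block; keys that repeat in nested blocks need a block-aware parser.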
# vi /etc/postfix/main.cf
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
# vi /etc/postfix/master.cf
(the "scan" transport that hands mail to clamsmtpd and the 127.0.0.1:10026 smtpd that takes it back are defined here; that edit was not reproduced on the page)
# vi /etc/clamsmtpd.conf
OutAddress: 10026
Listen: 127.0.0.1:10025
Header: X-AV-Checked: ClamAV using ClamSMTP
# /etc/init.d/clamsmtp restart
# /etc/init.d/postfix restart
Schedule a cron job that runs /usr/bin/freshclam so the antivirus signature database stays up to date.
# vi /etc/default/spamassassin
ENABLED=1
HOME="/home/spamd"
OPTIONS="-c -m 5 -u spamd -H $HOME -s $HOME/spamd.log"
# vi /etc/spamassassin/local.cf
# vi /etc/postfix/master.cf
# vi /etc/postfix/main.cf
# /etc/init.d/postfix restart
Session log from a second host (CBA-SAMBA, 192.168.0.6): the same Apache virtual host setup, this time for brasilamarras. The log repeated the edit four times between failed restarts; the version below is the last one, with its two access-control mistakes fixed.
root@CBA-SAMBA:/# vi /etc/apache2/sites-available/brasilamarras
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    DocumentRoot /home/www/brasilamarras
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    # must name the DocumentRoot: the log had /var/www/brasilamarras here,
    # which matches nothing, and "Order allow,deny" without an Allow line
    # denies every request
    <Directory /home/www/brasilamarras>
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Order allow,deny
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # alert, emerg.
    LogLevel warn
    # On appends the Apache version to error pages; Off gives less away
    ServerSignature On
    # "Order deny,allow" with no Deny line made /usr/share/doc readable by
    # everyone; the Debian default below limits it to the local host
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
root@CBA-SAMBA:/# a2ensite brasilamarras
root@CBA-SAMBA:/# rm /etc/apache2/sites-enabled/000-default
root@CBA-SAMBA:/# /etc/init.d/apache2 restart
apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.0.6 for ServerName
...done.
The warning (printed once on stop and once on start in the log) means the host name does not resolve to a fully qualified name; set ServerName explicitly in the virtual host or in /etc/apache2/apache2.conf instead of letting Apache fall back to the address.
root@CBA-SAMBA:/# vi /etc/postgresql/8.2/main/postgresql.conf
(the log captured only fragments of the file's default comments; the settings actually changed are the ones below)
listen_addresses = '*'          # what IP address(es) to listen on
password_encryption = on
stats_row_level = on            # needed by autovacuum in 8.2
root@CBA-SAMBA:/#
root@CBA-SAMBA:/# vi /etc/postgresql/8.2/main/pg_hba.conf
(only the file's default comments were captured; the access rules that were added do not appear in the log)
root@CBA-SAMBA:/#
root@CBA-SAMBA:/# su - postgres
postgres@CBA-SAMBA:~$ psql
(psql banner, truncated in the log: ... \q to quit)
ALTER ROLE
postgres=# \q
postgres@CBA-SAMBA:~$ logout
...done.
root@CBA-SAMBA:/# su - postgres
createdb: database creation failed: ERROR: role "egroupware" does not exist
Enter it again:
Shall the new role be allowed to create more new roles? (y/n) n
CREATE ROLE
CREATE DATABASE
postgres@CBA-SAMBA:~$ logout
root@CBA-SAMBA:/#
The commands themselves were not captured: the first createdb referred to the role egroupware before it existed, so the role was then created with createuser (the password confirmation prompt and the "create more new roles" question are its output) and the createdb repeated. The ALTER ROLE statement run in the psql session is not in the log either.