[Dovecot] Configuration advice needed.
Hello,
First, thanks for this great piece of software.
I'm new to Dovecot and I've just converted my old Courier configuration on the POP/IMAP server side; everything is working just fine on this side and the expected speed gain was found (not enough for our busy servers :).
Setup is done with 3 Dovecot virtual servers load balanced with a hardware load balancer (this part is a big point of the question). Postfix and Dovecot servers use an NFS share on a NetApp for mail; Postfix servers are writing directly to inbox maildirs.
The load balancer is maintaining affinity between client and server, so I've got no problem with this for the moment.
Now I want to set up Postfix (3 HW load balanced) for local delivery with LMTP on the Dovecot servers, and here come my questions.
Affinity can't be maintained between IMAP and LMTP for a user with my load balancer, so mail can be delivered on dovecot01 and read on dovecot02; from what I've read this can be an issue with indexes.
I think I need to set up a director to maintain LMTP and IMAP affinity between users and servers, but on IMAP servers I'm identifying users with their UID, and LMTP needs to see emails. Does Dovecot see the same user or 2 users with the same homedir?
So my question is: could you point me in the right direction with this setup? Do you have any advice on this config?
Actual configurations (postlogin not in real use, just a touch on (imap/pop3)_last_login):
POP/IMAP server:
dovecot01# doveconf -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.3-RELEASE-p3 amd64
auth_cache_negative_ttl = 0
auth_cache_size = 10 M
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 1500
default_process_limit = 500
default_vsz_limit = 1 G
disable_plaintext_auth = no
dotlock_use_excl = no
lock_method = dotlock
mail_fsync = always
mail_gid = vmail
mail_location = maildir:%h/Maildir:INDEX=/mail_index%h
mail_nfs_index = yes
mail_nfs_storage = yes
mail_plugins = " stats"
mail_uid = vmail
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  stats_refresh = 30 secs
  stats_track_cmds = yes
}
protocols = imap pop3
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  user = $default_internal_user
}
service imap-postlogin {
  executable = script-login /usr/local/bin/imap-postlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
  process_limit = 1024
}
service pop3-postlogin {
  executable = script-login /usr/local/bin/pop3-postlogin.sh
  user = vmail
}
service pop3 {
  executable = pop3 pop3-postlogin
  process_limit = 1024
}
service stats {
  fifo_listener stats-mail {
    mode = 0600
    user = vmail
  }
}
ssl_cert = </etc/ssl/cert/mail.univ-angers.fr.pem
ssl_key = </etc/ssl/cert/mail.univ-angers.fr.key
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocol imap {
  mail_plugins = " stats imap_stats"
}
Postfix Test Server:
%doveconf -n
# 2.1.15: /usr/local/etc/dovecot/dovecot.conf
# OS: FreeBSD 8.3-RELEASE-p3 amd64
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
default_client_limit = 1500
default_process_limit = 500
default_vsz_limit = 512 M
disable_plaintext_auth = no
dotlock_use_excl = no
lock_method = dotlock
mail_fsync = always
mail_gid = vmail
mail_location = maildir:%h/Maildir:INDEX=/mail_index%h
mail_nfs_index = yes
mail_nfs_storage = yes
mail_uid = vmail
mmap_disable = yes
namespace {
  inbox = yes
  location =
  prefix = INBOX.
  separator = .
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
protocols = lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0666
    user = postfix
  }
  unix_listener auth-userdb {
    user = vmail
  }
  user = $default_internal_user
}
service imap-postlogin {
  executable = script-login /usr/local/bin/imap-postlogin.sh
  user = vmail
}
service imap {
  executable = imap imap-postlogin
  process_limit = 1024
}
service lmtp {
  inet_listener lmtp {
    address = * ::
    port = 24
  }
  process_min_avail = 20
  user = vmail
}
service pop3-postlogin {
  executable = script-login /usr/local/bin/pop3-postlogin.sh
  user = vmail
}
service pop3 {
  executable = pop3 pop3-postlogin
  process_limit = 1024
}
ssl_cert = </etc/ssl/cert/mail.univ-angers.fr.pem
ssl_key = </etc/ssl/cert/mail.univ-angers.fr.key
userdb {
  args = /usr/local/etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
File dovecot-ldap.conf.ext
uris = ldap://ldap.uang
dn = cn=acces-smtp, ou=access, dc=univ-angers, dc=fr
dnpass = **********
base = ou=people, dc=univ-angers, dc=fr
user_attrs = homeDirectory=home
user_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u))(|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant)))
pass_attrs = uid=user,userPassword=password
pass_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u)) (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso) (auaStatut=perso-sortant)))
iterate_attrs = uid=user
iterate_filter = (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant))
default_pass_scheme = MD5-CRYPT
I'm trying to finish my Dovecot setup but things are unclear to me.
I want director proxying mapping to the same server for LMTP and POP/IMAP connections. My authdb is LDAP, and LMTP users are queried with mail address (LDAP mail attribute) while IMAP/POP users are identified with uid (LDAP uid attribute), which is completely different.
So I end up defining my LDAP queries mapping the LDAP mail attribute to user in *_attrs (a better choice for future use than uid for our setup) with this configuration in dovecot-ldap.conf.ext:
uris = ldap://ldap.uang
dn = cn=acces-smtp, ou=access, dc=univ-angers, dc=fr
dnpass = *********
base = ou=people, dc=univ-angers, dc=fr
user_attrs = mail=user,homeDirectory=home
user_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u))(|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant)))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u)) (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant)))
iterate_attrs = mail=user
iterate_filter = (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant))
default_pass_scheme = MD5-CRYPT
Is it the correct method, or am I missing something?
On 31/05/2013 12:52, Olivier Girard wrote:
Hello,
First, thanks for this great piece of software.
I'm new to Dovecot and I've just converted my old Courier configuration on the POP/IMAP server side; everything is working just fine on this side and the expected speed gain was found (not enough for our busy servers :).
Setup is done with 3 Dovecot virtual servers load balanced with a hardware load balancer (this part is a big point of the question). Postfix and Dovecot servers use an NFS share on a NetApp for mail; Postfix servers are writing directly to inbox maildirs.
The load balancer is maintaining affinity between client and server, so I've got no problem with this for the moment.
Now I want to set up Postfix (3 HW load balanced) for local delivery with LMTP on the Dovecot servers, and here come my questions.
Affinity can't be maintained between IMAP and LMTP for a user with my load balancer, so mail can be delivered on dovecot01 and read on dovecot02; from what I've read this can be an issue with indexes.
I think I need to set up a director to maintain LMTP and IMAP affinity between users and servers, but on IMAP servers I'm identifying users with their UID, and LMTP needs to see emails. Does Dovecot see the same user or 2 users with the same homedir?
So my question is: could you point me in the right direction with this setup? Do you have any advice on this config?
On Mon, Jun 03, 2013 at 03:47:08PM +0200, Olivier Girard wrote:
I'm trying to finish my Dovecot setup but things are unclear to me.
I want director proxying mapping to the same server for LMTP and POP/IMAP connections. My authdb is LDAP, and LMTP users are queried with mail address (LDAP mail attribute) while IMAP/POP users are identified with uid (LDAP uid attribute), which is completely different.
So I end up defining my LDAP queries mapping the LDAP mail attribute to user in *_attrs (a better choice for future use than uid for our setup) with this configuration in dovecot-ldap.conf.ext:
uris = ldap://ldap.uang
dn = cn=acces-smtp, ou=access, dc=univ-angers, dc=fr
dnpass = *********
base = ou=people, dc=univ-angers, dc=fr
user_attrs = mail=user,homeDirectory=home
user_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u))(|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant)))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(|(uid=%u) (mail=%u) (auaAliasEmail=%u)) (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant)))
iterate_attrs = mail=user
iterate_filter = (|(auaStatut=etu)(auaStatut=etu-sortant)(auaStatut=perso)(auaStatut=perso-sortant))
default_pass_scheme = MD5-CRYPT
Is it the correct method, or am I missing something?
It's a bit hard to tell what's unclear to you. This all looks perfectly fine to me. I run a similar configuration, except:
- I don't have any ldap config on the directors, just a static passdb:

  passdb {
    args = proxy=y nopassword=y
    driver = static
  }

- I use auth binds, instead of having dovecot do the authentication. IMHO that's better, since then there's no easy way to extract all the hashes from the dovecot side.

  auth_bind = yes
  auth_bind_userdn = uid=%n,ou=people,o=%d,o=ISP,o=example,c=NO

- I haven't configured any iterate_attrs/iterate_filter/pass_attrs/iterate_filter or default_pass_scheme. Have too many users to ever want to iterate over them all :-)
-jf
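As an added example (not part of the thread, nor Dovecot's own code), here is a small Python model of why Olivier's mail=user mapping matters for the director affinity question and for the static proxy passdb Jan-Frode describes: a login name (uid, mail or auaAliasEmail, filtered by auaStatut as the user_filter does) is resolved to the canonical mail-attribute username, and that username is hashed to a backend the way a director assigns users. The LDAP entries, backend names and the hashing scheme are constructed assumptions, not Dovecot's actual ring algorithm.

```python
import hashlib

# Constructed LDAP entries modelled on the thread's schema (uid, mail,
# auaAliasEmail, auaStatut, homeDirectory); not real directory data.
LDAP_PEOPLE = [
    {"uid": "jdoe", "mail": "john.doe@univ-angers.fr",
     "auaAliasEmail": "jd@univ-angers.fr", "auaStatut": "perso",
     "homeDirectory": "/vmail/jdoe"},
    {"uid": "asmith", "mail": "anna.smith@univ-angers.fr",
     "auaAliasEmail": "as@univ-angers.fr", "auaStatut": "etu-sortant",
     "homeDirectory": "/vmail/asmith"},
    {"uid": "gone", "mail": "gone@univ-angers.fr", "auaAliasEmail": None,
     "auaStatut": "retired", "homeDirectory": "/vmail/gone"},
]
# The (|(auaStatut=...)) branch of user_filter / pass_filter in the thread.
ALLOWED_STATUS = {"etu", "etu-sortant", "perso", "perso-sortant"}
# Assumed backend names (the thread itself mentions dovecot01/dovecot02).
BACKENDS = ["dovecot01", "dovecot02", "dovecot03"]

def lookup_user(login):
    """Model of user_filter plus user_attrs 'mail=user,homeDirectory=home':
    %u may match uid, mail or auaAliasEmail and the status must be allowed.
    Returns (canonical username, home) or None when the filter rejects."""
    for e in LDAP_PEOPLE:
        if login in (e["uid"], e["mail"], e["auaAliasEmail"]) \
                and e["auaStatut"] in ALLOWED_STATUS:
            return e["mail"], e["homeDirectory"]
    return None

def pick_backend(username):
    """Simplified director-style assignment: hash the username and map the
    hash onto the backend list (a model, not Dovecot's real ring logic)."""
    h = int.from_bytes(hashlib.md5(username.encode()).digest()[:4], "big")
    return BACKENDS[h % len(BACKENDS)]

def route(login, canonicalize=True):
    """Backend a login name lands on, with or without the mail=user mapping
    (canonicalize=False models a passdb that passes the raw login through)."""
    if canonicalize:
        found = lookup_user(login)
        if found is None:
            return None
        login = found[0]
    return pick_backend(login)

def same_backend(logins):
    """True when every login in the list is routed to a single backend."""
    return len({route(name) for name in logins}) == 1
```

Calling route("jdoe") and route("john.doe@univ-angers.fr") with canonicalize=False hashes two different strings, which is the split the thread worries about; with the mapping both resolve to the mail attribute first and so land on one backend.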