WARNING:
This is currently work in progress. The server(s) are not protected via TLS, and both LDAP clients (dovecot and postfix) currently authenticate as the admin user. Until these issues are solved, this system must not be reachable from a public IP address.
Aim of the project is a full-fledged email subsystem that can be deployed in Rancher and administered via LDAP.
Open issues:
- additional LDAP User for querying database
- description of LDAP Schema
- shared `dh-2048.pem` for all components
- TLS for imap and smtp
- automatically add postmaster@, abuse@, webmaster@, admin@ and root@ to all local domains
- add clamav-milter (ensure that freshclam is started first)
- Imap shared folders
- postscreen for incoming mail
- LDAP authentication for IMAP and SMTP (submission)
- Mail aliases in LDAP
- DKIM signature with private key stored in LDAP
- single dovecot instance for local mail storage
- add opendmarc
- add clamav
- deploy to rancher (using private registry)
Nice to have:
- ensure that the `From:` address is an authenticated mail alias of the user
- change project structure to make it rancher-catalog compatible
- add opendmarc sql-database
- add automatic sending of dmarc reports
- allow optional solr reference for `fts_solr`
- Allow multiple instances of postfix
Not really needed:
- split postfix into MDA and MTA
- TLS for ldap
- enable ldap-tls in postfix, `saslauthd.conf` and `dovecot-ldap.conf`
- TLS for lmtps with local CA, see https://sys4.de/en/blog/2014/11/17/sicheres-lmtp-mit-starttls-in-dovecot/
- save mails of each user with different user-id in filesystem
- allow DKIM on per-user basis
Discussion Backlog:
- make mail unique within LDAP (or not?)
- use own bind9 for the DNSBL in postfix (without breaking Docker's name resolution)
Environment for building and starting the stack:

```sh
# sample values; SLAPD_PASSWORD is the LDAP admin password and must be
# changed before any deployment (both mail clients currently bind with it)
export SLAPD_DOMAIN='i-i-l.de'
export SLAPD_PASSWORD=ulterrednEsSer87
export BASE_DN='dc=i-i-l,dc=de'
export DEFAULT_DOMAIN='i-i-l.de'
export DEFAULT_USER='wolle'
export DEFAULT_CN='Wolfgang Jung'
export DEFAULT_SN='Jung'
export SERVERNAME="localdock"
export POSTMASTER="${DEFAULT_USER}@localhost"
docker-compose build
docker-compose up
```
Domain entry (with DKIM key) in LDAP; the `___NAME___` tokens are placeholders substituted from the environment above:

```ldif
dn: ou=___POSTFIX_DOMAIN___,ou=mail,___BASE_DN___
objectClass: DKIM
objectClass: organizationalUnit
objectClass: top
DKIMKey:: LS0...=
DKIMSelector: mail
ou: ___POSTFIX_DOMAIN___
DKIMDomain: ___POSTFIX_DOMAIN___
```
In `DKIMKey`, the base64-encoded RSA private key is expected, e.g. generated by

```sh
opendkim-genkey --domain=i-i-l.de --selector mail
# LDIF's `attr::` form takes one base64 string; if this output wraps,
# fold the continuation lines with a leading space
cat mail.private | base64
```

The selector must match the `DKIMSelector` in LDAP and the DNS entry (`opendkim-genkey` writes this record to `mail.txt`):

```
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIG....QAB" ) ;
```
User entry in LDAP (a folded LDIF value continues on a line starting with one space):

```ldif
dn: cn=Wolfgang Jung,ou=___POSTFIX_DOMAIN___,ou=mail,___BASE_DN___
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Wolfgang Jung
sn: Jung
mail: w.jung@___POSTFIX_DOMAIN___
mail: wolfgang.jung@___POSTFIX_DOMAIN___
uid: wolle@localhost
userPassword:: e3NzaGF9K202dUVLZE0zaGNHa1Z1dFozeDVZV0xlQ1pPTDRUUGs4eFlSZUE9P
 Q==
```
The `uid` is the local delivery part (the directory under which the mail is stored). `userPassword::` holds the base64-encoded `{ssha}` hash of the password; the `::` is LDIF's base64 wrapper around the hash, not the hash itself.
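As an added example (not part of the project's code), the following Python script checks the two LDAP entries above for the properties the text calls out: it parses LDIF (including folded lines and `::` base64 attributes), checks that `DKIMSelector` matches the `<selector>._domainkey` owner name of the DNS TXT record and that `DKIMKey` decodes to a PEM private key, and verifies a password against the `{SSHA}` hash stored in `userPassword::`. All entries, the PEM body, the `p=` value and the password are constructed placeholders; the real DKIM key comes from `opendkim-genkey` as shown above.

```python
import base64
import hashlib
import hmac
import os
import re


def fold_ldif_value(attr, encoded, width=64):
    """Emit 'attr:: <base64>' folded LDIF-style (continuation lines start with one space)."""
    lines = [f"{attr}:: {encoded[:width]}"]
    rest = encoded[width:]
    lines += [" " + rest[i:i + width] for i in range(0, len(rest), width)]
    return "\n".join(lines)


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Folded lines are rejoined; 'attr:: value' attributes are base64-decoded and
    returned as bytes, plain 'attr: value' attributes come back as str.
    """
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


DKIM_TAG_RE = re.compile(r"\s*(\w+)=([^;]*)")


def parse_dkim_txt(record):
    """Split a zone-file TXT line into (owner name, {tag: value}); quoted chunks are joined."""
    owner = record.split()[0]
    txt = "".join(re.findall(r'"([^"]*)"', record))
    return owner, {k: v.strip() for k, v in DKIM_TAG_RE.findall(txt)}


def check_dkim_entry(entry, dns_record):
    """Return a list of problems; an empty list means LDAP entry and DNS record agree."""
    problems = []
    owner, tags = parse_dkim_txt(dns_record)
    selector = entry.get("DKIMSelector", [""])[0]
    if owner != f"{selector}._domainkey":
        problems.append(f"DKIMSelector {selector!r} does not match DNS owner {owner!r}")
    if tags.get("v") != "DKIM1" or tags.get("k") != "rsa":
        problems.append("TXT record is not a v=DKIM1 / k=rsa record")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= tag is empty")
    except ValueError:
        problems.append("p= tag is not valid base64")
    key = entry.get("DKIMKey", [b""])[0]
    if not (key.startswith(b"-----BEGIN") and b"-----END" in key):
        problems.append("DKIMKey does not decode to a PEM private key")
    return problems


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt), as slappasswd emits."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Verify a password against an {SSHA} value; the scheme tag is case-insensitive."""
    scheme, _, data = stored.partition("}")
    if scheme.upper() != "{SSHA":
        return False  # some other scheme: never pretend to verify it
    raw = base64.b64decode(data)
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def check_user_entry(entry, password):
    """Decode the LDIF 'userPassword::' value and verify the password against it."""
    stored = entry.get("userPassword", [b""])[0]
    return ssha_verify(password, stored.decode() if isinstance(stored, bytes) else stored)


# --- constructed sample data (placeholders, not the project's key or credentials) ---
PLACEHOLDER_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nMIIEPLACEHOLDERNOTAREALKEY\n"
                   "-----END RSA PRIVATE KEY-----\n")
DOMAIN_LDIF = "\n".join([
    "dn: ou=example.org,ou=mail,dc=example,dc=org",
    "objectClass: DKIM", "objectClass: organizationalUnit", "objectClass: top",
    fold_ldif_value("DKIMKey", base64.b64encode(PLACEHOLDER_PEM.encode()).decode()),
    "DKIMSelector: mail", "ou: example.org", "DKIMDomain: example.org",
])
DNS_RECORD = ('mail._domainkey IN TXT ( "v=DKIM1; k=rsa; p='
              + base64.b64encode(b"constructed public key placeholder").decode() + '" ) ;')
SAMPLE_PASSWORD = "constructed-example-password"
SAMPLE_SALT = bytes(range(8))  # fixed salt so the sample entry is reproducible
USER_LDIF = "\n".join([
    "dn: cn=Example User,ou=example.org,ou=mail,dc=example,dc=org",
    "objectClass: inetOrgPerson", "cn: Example User", "sn: User",
    "mail: first.last@example.org", "mail: alias@example.org", "uid: example@localhost",
    fold_ldif_value("userPassword", base64.b64encode(
        ssha_hash(SAMPLE_PASSWORD, SAMPLE_SALT).encode()).decode(), width=48),
])

if __name__ == "__main__":
    print("DKIM problems:", check_dkim_entry(parse_ldif(DOMAIN_LDIF), DNS_RECORD) or "none")
    print("password verifies:", check_user_entry(parse_ldif(USER_LDIF), SAMPLE_PASSWORD))
```

To check a real entry, replace the `___` placeholders in the LDIF above, feed it to `parse_ldif`, and pass the `mail._domainkey` line from `mail.txt` to `check_dkim_entry`. `{SSHA}` (salted SHA-1) is what `slappasswd` produces by default; `ssha_verify` rejects any other scheme tag outright instead of mis-verifying it.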
TBD
not yet defined