path: root/doc/wiki/HowTo.ImapcProxy.txt
Dovecot imapc proxy
===================

This HowTo describes using Dovecot as a secure IMAP proxy in front of Exchange,
using Exchange authentication and imapc. It requires Dovecot 2.1.rc1 or newer.

Many thanks to Timo on the Dovecot mailing list for all his help!

This HowTo <HowTo.txt> assumes that Dovecot is already compiled and installed.

 1. Create an unprivileged, non-system user and group for the proxy. The
    account needs a writable home directory, but no other privileges.

    ---%<---------------------------------------------------------------------
    [root@localhost]# useradd imapproxy
    ---%<---------------------------------------------------------------------

 2. Verify that the user cannot log in:

    ---%<---------------------------------------------------------------------
    [root@localhost]# grep imapproxy /etc/shadow
    ---%<---------------------------------------------------------------------

    You should see something like:

    ---%<---------------------------------------------------------------------
    imapproxy:!!:nnnn:0:nn:n:::
    ---%<---------------------------------------------------------------------

    The important part is the "!!" in the password field: it indicates that the
    account is locked. If you don't see this, lock the account (see 'man passwd').

 3. Create '/etc/dovecot/dovecot.conf' (or '/usr/local/etc/dovecot/dovecot.conf',
    as appropriate):

    ---%<---------------------------------------------------------------------
    ## Dovecot configuration file

    mail_uid = imapproxy
    mail_gid = imapproxy

    protocols = imap

    listen = *, ::

    mail_location = imapc:~/imapc
    # Change the line below to reflect the IP address of your Exchange Server.
    imapc_host = 10.1.2.3
    imapc_port = 143

    passdb {
      driver = imap
      # Change the line below to reflect the IP address of your Exchange
      # Server.
      args = host=10.1.2.3
      default_fields = userdb_imapc_user=%u userdb_imapc_password=%w
    }
    userdb {
      driver = prefetch
    }

    # /home/imapproxy is the home directory for the imapproxy user, and
    # %u is a subdir that will be automatically created for each IMAP user when
    # they connect

    mail_home = /home/imapproxy/%u

    auth_mechanisms = plain login

    # This is the auth service used by Postfix to do dovecot auth.
    service auth {
      unix_listener auth-userdb {
      }
      # Note: with no 'address' setting, this listener accepts connections on
      # every address in 'listen' above, not only from the local Postfix.
      inet_listener {
        port = 12345
      }
    }

    ##
    ## SSL settings
    ##

    # These will need to be adjusted to point to *your* certificates, not mine
    # 8-)
    # The ssl_ca line refers to the intermediate certificate bundle which may
    # or may not be required by your SSL provider

    ssl_cert = </etc/pki/tls/certs/machine.example.org.crt
    ssl_key = </etc/pki/tls/private/machine.example.org.key
    ssl_ca = </etc/pki/tls/certs/gd_bundle.crt
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
    ---%<---------------------------------------------------------------------

Start dovecot and test it with openssl as:

---%<-------------------------------------------------------------------------
openssl s_client -connect machine.example.org:143 -starttls imap
---%<-------------------------------------------------------------------------

You should see a whole bunch of SSL information, and the last line should say:

---%<-------------------------------------------------------------------------
. OK Pre-login capabilities listed, post-login capabilities have more.
---%<-------------------------------------------------------------------------

Next, type:

---%<-------------------------------------------------------------------------
01 LOGIN username badpassword
---%<-------------------------------------------------------------------------

You should then see:

---%<-------------------------------------------------------------------------
01 NO [AUTHENTICATIONFAILED] Authentication failed
---%<-------------------------------------------------------------------------

Then log in again with a valid username and password (tag 02), and you should
see a capability list similar to this:

---%<-------------------------------------------------------------------------
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT
SORT=DISPLAY THREAD=REFERENCES THREAD=REFS MULTIAPPEND UNSELECT CHILDREN
NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT
SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS FUZZY
02 OK Logged in
---%<-------------------------------------------------------------------------

If you get this far, the proxy is working and is authenticating against your
Exchange server. Note that the imapc connection from the proxy to Exchange on
port 143 is not encrypted by the configuration above; only the client-facing
side uses TLS.
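The manual openssl s_client test above, scripted so it can be repeated after every configuration change. This is an added example, not code from the wiki or the Dovecot project; it assumes the proxy answers STARTTLS on port 143 as configured above, and 'username' / 'goodpassword' are placeholders for a real mailbox account.

```python
import io, re, socket, ssl

TAGGED = re.compile(r"^(\S+) (OK|NO|BAD)\b\s*(.*)$")   # tag, status, rest of line
CAPS = re.compile(r"CAPABILITY ([^\]\r\n]+)")

def wait_for(rfile, tag):
    """Read replies until the tagged one for `tag`; return (status, text, untagged)."""
    untagged = []
    while True:
        line = rfile.readline().rstrip("\r\n")
        if not line:
            raise ConnectionError("connection closed before reply to tag " + tag)
        m = TAGGED.match(line)
        if m and m.group(1) == tag:
            return m.group(2), m.group(3), untagged
        untagged.append(line)

def capabilities(text, untagged):
    """Dovecot 2.1 sends '* CAPABILITY ...' before '02 OK' (as in the HowTo);
    newer versions put it in the '[CAPABILITY ...]' code of the OK line."""
    for candidate in untagged + [text]:
        m = CAPS.search(candidate)
        if m:
            return m.group(1).split()
    return []

def check_proxy(rfile, wfile, user, password):
    """The HowTo's test: bogus password -> NO [AUTHENTICATIONFAILED], real one -> OK + CAPABILITY."""
    wfile.write("01 LOGIN %s badpassword\r\n" % user); wfile.flush()
    status, text, _ = wait_for(rfile, "01")
    bad_rejected = status == "NO" and "[AUTHENTICATIONFAILED]" in text
    wfile.write("02 LOGIN %s %s\r\n" % (user, password)); wfile.flush()
    status, text, untagged = wait_for(rfile, "02")
    return bad_rejected, (capabilities(text, untagged) if status == "OK" else [])

def connect_starttls(host, port=143):
    """Greeting, STARTTLS, TLS wrap (what 'openssl s_client -starttls imap' does); returns (rfile, wfile)."""
    sock = socket.create_connection((host, port))
    rfile, wfile = sock.makefile("r", newline=""), sock.makefile("w", newline="")
    rfile.readline()                                # '* OK ... Dovecot ready.'
    wfile.write("00 STARTTLS\r\n"); wfile.flush()
    if wait_for(rfile, "00")[0] != "OK":
        raise RuntimeError("proxy refused STARTTLS")
    tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return tls.makefile("r", newline=""), tls.makefile("w", newline="")

def selftest():  # offline run over a constructed transcript copied from the HowTo's replies
    sample = ("01 NO [AUTHENTICATIONFAILED] Authentication failed\r\n* CAPABILITY IMAP4rev1 "
              "LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT\r\n02 OK Logged in\r\n")
    return check_proxy(io.StringIO(sample), io.StringIO(), "username", "goodpassword")
```

Against a live proxy, call `check_proxy(*connect_starttls("machine.example.org"), user, password)`; a result of `(True, [...])` reproduces the three manual steps above in one go.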

Postfix Configuration
---------------------

My configuration is for a closed server that will never allow inbound SMTP from
unauthenticated clients, and authenticates inbound SMTP TLS connections against
the above Dovecot auth service, which in turn authenticates against Exchange,
which authenticates against Active Directory.

This means that disabling an account in Active Directory also disables inbound
and outbound mail access.

If this is what you want, add the following to your /etc/postfix/main.cf file:

---%<-------------------------------------------------------------------------
smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:127.0.0.1:12345
smtpd_sasl_auth_enable = yes

smtpd_client_restrictions = permit_sasl_authenticated, reject
## Don't relay for anybody from or to anywhere, unless they authenticated

smtpd_recipient_restrictions = permit_sasl_authenticated reject

broken_sasl_auth_clients = yes
# Talk to Outlook <= 2003 and Outlook Express <= 6

smtpd_tls_security_level = encrypt
smtpd_tls_received_header = yes

smtpd_tls_cert_file = /etc/pki/tls/certs/machine.example.org.crt
smtpd_tls_key_file = /etc/pki/tls/private/machine.example.org.key

smtpd_tls_CAfile = /etc/pki/tls/certs/gd_bundle.crt
# If your Certification Authority requires intermediate certificates, the
# bundle goes here.

tls_random_source = dev:/dev/urandom

smtpd_tls_auth_only = yes
# only allow auth if it's encrypted
---%<-------------------------------------------------------------------------

(This file was created from the wiki on 2019-06-19 12:42)