HOWTO: Use Dovecot instead of Cyrus in Kolab 3.2

Update 2016: This blog article is outdated. It was written for Kolab 3.2. Please don't use it. There is Kolab 16 now. This article is not even complete for 3.2: chwala file storing is missing, Roundcube tasklist sharing is missing, delegation is missing, and there are many Roundcube bugs.

This HOWTO is for CentOS 6.5 and Kolab 3.2. Download the Kolab packages but don't run setup-kolab.

Dependencies

# yum install mercurial
# setup-kolab ldap

Look for the Cyrus Administrator password. It is needed for the master user configuration in Dovecot. The Directory Manager password is also needed later in this HOWTO.

Install Dovecot 2.2.13 (stable at time of this HOWTO)

Install and then erase the distribution's dovecot package:

# yum install dovecot
# yum erase dovecot

Build dependencies:

# yum install gcc gcc-c++ kernel-devel make
# yum install autoconf automake libtool pkg-config gettext
# yum install openssl-devel openldap-devel

# mkdir -p /root/dovecot && cd /root/dovecot

# hg clone http://hg.dovecot.org/dovecot-2.2/ && cd dovecot-2.2 && hg update -r c55c660d6e9d
# ./autogen.sh
# ./configure --enable-maintainer-mode --with-ldap --sysconfdir=/etc --prefix=/usr --localstatedir=/var --with-ssl=openssl
# make
# make install

Dovecot Startscript

Start Dovecot at boot: http://wiki2.dovecot.org/DovecotInit

Install Pigeonhole for Sieve filtering

# cd /root/dovecot
# hg clone http://hg.rename-it.nl/dovecot-2.2-pigeonhole/ && cd dovecot-2.2-pigeonhole && hg update -r 1c6130ff5dd6
# ./autogen.sh
# ./configure --with-dovecot=../dovecot-2.2 --sysconfdir=/etc --prefix=/usr --localstatedir=/var
# make
# make install

Create vmail user

# groupadd -g 5000 vmail
# useradd -g vmail -u 5000 vmail -d /var/vmail -m -s /sbin/nologin

Dovecot configuration

# cp -rf /usr/share/doc/dovecot/example-config/* /etc/dovecot/

Dovecot master user

For the htpasswd command, use the cyrus-admin password from setup-kolab ldap.

# htpasswd -c -s /etc/dovecot/master-users cyrus-admin

When asked for New password type in the password of the cyrus admin twice.

# chown dovecot:dovecot /etc/dovecot/master-users
# chmod 600 /etc/dovecot/master-users

Edit /etc/dovecot/conf.d/auth-master.conf.ext:

# Authentication for master users. Included from 10-auth.conf.

# By adding master=yes setting inside a passdb you make the passdb a list
# of "master users", who can log in as anyone else.
# <doc/wiki/Authentication.MasterUsers.txt>

# Example master user passdb using passwd-file. You can use any passdb though.
auth_master_user_separator = *
passdb {
  driver = passwd-file
  args = /etc/dovecot/master-users
  master = yes
  pass = yes
}
passdb {
  driver = shadow
}
userdb {
  driver = passwd
}

Dovecot Auth

Edit conf.d/10-auth.conf

Comment out (put a # in front of) the line !include auth-system.conf.ext and remove the # in front of the !include lines for auth-ldap.conf.ext and auth-master.conf.ext.

Dovecot LMTP and Auth

Add lmtp to protocols in /etc/dovecot/dovecot.conf.

Then configure the LMTP service in /etc/dovecot/conf.d/10-master.conf:

service lmtp {
  executable = lmtp

  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    user = postfix
    group = postfix
    mode = 0660
  }

  # Create inet listener only if you can't use the above UNIX socket
  #inet_listener lmtp {
    # Avoid making LMTP visible for the entire internet
    #address =
    #port =
  #}
}

In the same file, uncomment the lines under "Postfix smtp-auth":

unix_listener /var/spool/postfix/private/auth {
  mode = 0666
}

Dovecot metadata

In /etc/dovecot/dovecot.conf add:

imap_metadata = yes
mail_attribute_dict = file:Maildir/dovecot-metadata

Dovecot SSL

# mkdir -p /etc/ssl/private
# openssl req -new -x509 -days 1000 -nodes -out "/etc/ssl/certs/dovecot.pem" -keyout "/etc/ssl/private/dovecot.pem"

Dovecot ldap

Edit dnpass = in this file to the password of the Directory Manager.

/etc/dovecot/dovecot-ldap.conf.ext:

# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext

# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:

# access to attribute=userPassword
#        by dn="<dovecot's dn>" read # add this
#        by anonymous auth
#        by self write
#        by * none

# Space separated list of LDAP hosts to use. host:port is allowed too.
hosts = localhost

# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
#uris =

# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = cn=Directory Manager

# Password for LDAP server, if dn is specified.
dnpass = PASSWORD

# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =

# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
#tls_require_cert =

# Use the given ldaprc path.
#ldaprc_path =

# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = -1

# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
auth_bind = no

# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
#   auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =

# LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 3

# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = dc=example, dc=org

# Dereference: never, searching, finding, always
#deref = never
deref = searching

# Search scope: base, onelevel, subtree
scope = subtree

# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
#   uid - System UID
#   gid - System GID
#   home - Home directory
#   mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
user_attrs = uid=mail,uid=home=/var/vmail/%d/%{ldap:uid}


# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
#   %u - username
#   %n - user part in user@domain, same as %u if there's no domain
#   %d - domain part in user@domain, empty if user there's no domain
#user_filter = (&(objectClass=posixAccount)(uid=%u))
#user_filter = (|(&((uid=%u))(&(|(uid=%n)(mail=%u))(objectclass=kolabinetorgperson)))
#user_filter = (&(|(uid=%n)(mail=%u))(objectclass=kolabinetorgperson)) 
user_filter = (|(uid=%n)(mail=%u))



# Password checking attributes:
#  user: Virtual user name (user@domain), if you wish to change the
#        user-given username to something else
#  password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
#pass_attrs = uid=user,userPassword=password
pass_attrs = uid=user,userPassword=password,=user=%{ldap:mail}


# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid

# Filter for password lookups
#pass_filter = (&(objectClass=posixAccount)(uid=%u))
#pass_filter = (&(|(uid=%n)(mail=%u))(objectclass=kolabinetorgperson))
pass_filter = (|(uid=%n)(mail=%u))

# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
iterate_attrs = uid=user
iterate_filter = (objectClass=kolabinetorgperson)

# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
default_pass_scheme = SSHA
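The attribute maps above use Dovecot's three forms: `ldapAttr=field` copies an attribute, `ldapAttr=field=template` fetches the attribute but sets the field from the template, and `=field=template` sets a field from a template alone. The following added Python example (not code from the HOWTO or from Dovecot) parses a constructed fragment of this file, including the backslash continuation shown in the comments, breaks the maps down, and flags the two points the text asks you to review: the dnpass placeholder and auth_bind = no, which requires read access to userPassword.

```python
# Constructed fragment mirroring the HOWTO's dovecot-ldap.conf.ext; the
# dnpass placeholder and the commented-out continuation are kept on purpose.
SAMPLE = r"""
dn = cn=Directory Manager
dnpass = PASSWORD
auth_bind = no
#pass_attrs = uid=user,userPassword=password,\
#  homeDirectory=userdb_home,uidNumber=userdb_uid
pass_attrs = uid=user,userPassword=password,=user=%{ldap:mail}
user_attrs = uid=mail,uid=home=/var/vmail/%d/%{ldap:uid}
default_pass_scheme = SSHA
"""

def parse_dovecot_conf(text):
    """Return {key: value}. '#' lines are skipped and a trailing backslash
    joins the next line, so a commented-out continuation stays commented."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # dn's value itself contains '='
        settings[key.strip()] = value.strip()
    return settings

def parse_attr_map(spec):
    """Split a user_attrs/pass_attrs value into (ldap_attr, field, template)
    tuples; ldap_attr is None for the '=field=template' form."""
    entries = []
    for item in spec.split(","):
        ldap_attr, _, rest = item.strip().partition("=")
        field, _, template = rest.partition("=")
        entries.append((ldap_attr or None, field, template or None))
    return entries

def audit(settings):
    """Flag what this HOWTO tells you to check before going live."""
    findings = []
    if settings.get("dnpass", "") in ("", "PASSWORD"):
        findings.append("dnpass still holds the placeholder")
    if settings.get("auth_bind", "no") == "no":
        findings.append("auth_bind=no: the bind dn needs read access to userPassword")
    return findings
```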

Dovecot 10-mail.conf

Set in conf.d/10-mail.conf:

mail_uid = 5000
mail_gid = 5000

mail_location = maildir:~/Maildir

Postfix main.cf

Replace the lines containing ".pem" with:

smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem

SASL auth via Dovecot. Add to main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

Kolab setup

# setup-kolab mysql
# setup-kolab php
# setup-kolab mta
# setup-kolab kolabd
# setup-kolab roundcube
# setup-kolab syncroton
# setup-kolab freebusy

LMTP

Edit /etc/postfix/ldap/transport_maps.cf:

result_format = lmtp:unix:private/dovecot-lmtp

Dovecot ACL for sharing mailboxes

In 10-mail.conf change mail_plugins (empty by default) to mail_plugins = $mail_plugins acl

Add to dovecot.conf:

protocol imap {
  mail_plugins = $mail_plugins imap_acl
}

plugin {
  # Without global ACLs:
  acl = vfile

  # With global ACL files in /etc/dovecot/dovecot-acls file (v2.2.11+):
  #acl = vfile:/etc/dovecot/dovecot-acl

  # With global ACLs in /etc/dovecot/acls/ directory (obsolete):
  #acl = vfile:/etc/dovecot/acls
}

Edit 10-mail.conf. Search for namespace inbox and change the separator to /

Then search for "shared namespace configuration". There, also change the separator to / and set prefix = "Shared Folders/%%u/" and location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u

Don't change the prefix Shared Folders or Roundcube won't recognize this as a shared folder for calendars or other types.

Example configuration:

namespace inbox {
  # Namespace type: private, shared or public
  #type = private

  # Hierarchy separator to use. You should use the same separator for all
  # namespaces or some clients get confused. '/' is usually a good one.
  # The default however depends on the underlying mail storage format.
  separator = /

  # Prefix required to access this namespace. This needs to be different for
  # all namespaces. For example "Public/".
  #prefix =

  # Physical location of the mailbox. This is in same format as
  # mail_location, which is also the default for it.
  #location =

  # There can be only one INBOX, and this setting defines which namespace
  # has it.
  inbox = yes

  # If namespace is hidden, it's not advertised to clients via NAMESPACE
  # extension. You'll most likely also want to set list=no. This is mostly
  # useful when converting from another server with different namespaces which
  # you want to deprecate but still keep working. For example you can create
  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
  #hidden = no

  # Show the mailboxes under this namespace with LIST command. This makes the
  # namespace visible for clients that don't support NAMESPACE extension.
  # "children" value lists child mailboxes, but hides the namespace prefix.
  #list = yes

  # Namespace handles its own subscriptions. If set to "no", the parent
  # namespace handles them (empty prefix should always have this as "yes")
  #subscriptions = yes
}

# Example shared namespace configuration
namespace {
  type = shared
  separator = /

  # Mailboxes are visible under "shared/user@domain/"
  # %%n, %%d and %%u are expanded to the destination user.
  #prefix = shared/%%u/
  # Kolab Prefix
  prefix = "Shared Folders/%%u/"

  # Mail location for other users' mailboxes. Note that %variables and ~/
  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
  # destination user's data.
  location = "maildir:%%h/Maildir:INDEX=~/Maildir/Shared Folders/%%u"

  # Use the default namespace for saving subscriptions.
  #subscriptions = no

  # List the shared/ namespace only if there are visible shared mailboxes.
  list = children
}

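To make the comment in the shared namespace concrete (%-variables and ~ refer to the logged-in user, %%-variables to the user whose folders are shared), here is an added Python example, not from the HOWTO or from Dovecot, that expands the location with the home template from user_attrs. The user names are constructed.

```python
import re

# From this HOWTO: the home template in user_attrs and the shared-namespace
# location. Sample users passed to expand() are constructed.
HOME_TEMPLATE = "/var/vmail/%d/%{ldap:uid}"
LOCATION = "maildir:%%h/Maildir:INDEX=~/Maildir/Shared Folders/%%u"

def user_vars(user):
    """%u, %n, %d and %h for user@domain; home is built as user_attrs does,
    with %{ldap:uid} standing in for the login name."""
    name, _, domain = user.partition("@")
    home = HOME_TEMPLATE.replace("%d", domain).replace("%{ldap:uid}", name)
    return {"u": user, "n": name, "d": domain, "h": home}

def expand(template, login, dest):
    """Expand %%x to the destination (sharing) user's values and %x and ~
    to the logged-in user's, as the 10-mail.conf comment describes."""
    me, other = user_vars(login), user_vars(dest)
    def sub(m):
        return (other if m.group(1) == "%%" else me)[m.group(2)]
    return re.sub(r"(%%?)([undh])", sub, template).replace("~", me["h"])
```

The result shows why the Maildir part uses %%h (the owner's mailbox) while INDEX uses ~ (each reader keeps its own index under its own home).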
# chown vmail:vmail /var/lib/dovecot
# mkdir -p /var/lib/dovecot/db
# chown vmail:vmail /var/lib/dovecot/db
# chmod 0770 /var/lib/dovecot/db
# touch /var/lib/dovecot/db/shared-mailboxes.db
# chown vmail:vmail /var/lib/dovecot/db/shared-mailboxes.db

Configure the following in conf.d/90-acl.conf if you want users to be able to share with users of all domains:

plugin {
  acl_shared_dict = file:/var/lib/dovecot/db/shared-mailboxes.db
}

For multiple separated databases or to allow users to share to anyone: http://wiki2.dovecot.org/SharedMailboxes/Shared

Edit 10-master.conf, look for auth-userdb and change it to this:

unix_listener auth-userdb {
  #mode = 0666
  user = vmail
  group = vmail
}

In 10-master.conf look for service dict and change it to:

service dict {
  # If dict proxy is used, mail processes should have access to its socket.
  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
  unix_listener dict { #0600
    mode = 0666
    user = vmail
    group = vmail
  }
}

Dovecot sieve

Edit 90-sieve.conf and change the following:

sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve

Edit 20-managesieve.conf. Uncomment protocols = $protocols sieve

Then uncomment and edit:

service managesieve-login {
  inet_listener sieve {
     address = 127.0.0.1 ::1
     port = 4190
  }

  #inet_listener sieve_deprecated {
  #  port = 2000
  #}

  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  #service_count = 1

  # Number of processes to always keep waiting for more connections.
  #process_min_avail = 0

  # If you set service_count=0, you probably need to grow this.
  #vsz_limit = 64M
}

service managesieve {
  # Max. number of ManageSieve processes (connections)
  #process_limit = 1024
}

Since my managesieve only listens to localhost I had to edit /usr/share/roundcubemail/plugins/managesieve/config.inc.php

$config['managesieve_host'] = '127.0.0.1';

Edit Dovecot's 15-lda.conf and add sieve to mail_plugins:

protocol lda {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}

Edit Dovecot's 15-lmtp.conf and add sieve to mail_plugins (this block is protocol lmtp, not lda):

protocol lmtp {
  # Space separated list of plugins to load (default is global mail_plugins).
  mail_plugins = $mail_plugins sieve
}
