Email Server/Courier Authlib
Part of the Email Server documentation
Introduction
This page describes installing and configuring Courier Authlib for use in a linux virtual domain Email Server.
Courier Authlib will be used with Courier Imap and Courier Maildrop and will be backed by a database.
Courier Authlib provides a daemon, authdaemond, which supplies authentication and account information to both Courier Imap and Courier Maildrop.
Dependencies
Authlib can work with PostgreSQL or MySQL. We're using a MySQL database because we're using the CentOS version of Postfix, which only supports MySQL.
You'll need the development libraries installed:
# yum install mysql-devel
Installing
Courier Authlib does not come with CentOS 5, so here we're building it from source; other distros might have it packaged.
You need to have a user to run authdaemond:
# useradd -rmd /var/lib/authlib authlib
Find the url for the latest version of Courier Authlib from http://www.courier-mta.org/download.php, we're using 0.60.5 in this example.
$ cd /usr/local/src
$ wget http://prdownloads.sourceforge.net/courier/courier-authlib-0.60.5.tar.bz2
$ tar jxvf courier-authlib-0.60.5.tar.bz2
$ cd courier-authlib-0.60.5
$ ./configure --with-mailuser=authlib --with-mailgroup=authlib --localstatedir=/var/lib/authlib
$ make
$ su
# make install
# make install-configure
Configuration
The "make install-configure" step above creates your basic configuration files in /usr/local/etc/authlib. A lot of the settings in there are important: copy each *.dist file to the same name without the .dist extension and then tweak the contents of the copies.
/usr/local/etc/authlib/authdaemonrc needs to have the authmodulelist and DEBUG_LOGIN settings changed. Your file should look something like this:
authmodulelist="authmysql"
##NAME: authmodulelistorig:3
#
# This setting is used by Courier's webadmin module, and should be left
# alone
authmodulelistorig="authuserdb authpam authldap authmysql authcustom authpipe"
daemons=5
##NAME: authdaemonvar:2
#
# authdaemonvar is here, but is not used directly by authdaemond. It's
# used by various configuration and build scripts, so don't touch it!
authdaemonvar=/var/lib/authlib
##NAME: DEBUG_LOGIN:0
#
# Dump additional diagnostics to syslog
#
# DEBUG_LOGIN=0 - turn off debugging
# DEBUG_LOGIN=1 - turn on debugging
# DEBUG_LOGIN=2 - turn on debugging + log passwords too
#
# ** YES ** - DEBUG_LOGIN=2 places passwords into syslog.
#
# Note that most information is sent to syslog at level 'debug', so
# you may need to modify your /etc/syslog.conf to be able to see it.
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""
You did notice the comment above about what DEBUG_LOGIN=2 means, didn't you? Once you're happy everything is working, set DEBUG_LOGIN to either 0 or 1 and flush your maillog/debuglog/securelog, since with DEBUG_LOGIN=2 they contain the passwords that were logged.
Next, authdaemond needs to know about the database. Your /usr/local/etc/authlib/authmysqlrc should look similar to this, with appropriate details for MYSQL_USERNAME, MYSQL_PASSWORD and MYSQL_DATABASE. The MySQL user only needs read access to the account_auth view in the database.
MYSQL_SERVER localhost
MYSQL_USERNAME <DATABASE USER>
MYSQL_PASSWORD <PASSWORD>
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_OPT 0
MYSQL_DATABASE <DATABASE>
MYSQL_USER_TABLE account_auth
MYSQL_CRYPT_PWFIELD cryptpw
##NAME: MYSQL_CLEAR_PWFIELD:0
# We're not using the clear password. You would only want to store the clear password in the
# database if you're offering CRAM-MD5 authentication.
#
#MYSQL_CLEAR_PWFIELD clearpw
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD username
# All of the accounts are stored under one tree in the filesystem. You could instead give each
# account a distinct path stored in the database; not sure why you'd want to do that though.
MYSQL_HOME_FIELD CONCAT('/var/mail/virtualdomains/', home)
MYSQL_NAME_FIELD name
MYSQL_MAILDIR_FIELD maildir
##NAME: MYSQL_QUOTA_FIELD:0
#
# If there is no quota to enforce, you just want an empty string; otherwise append an 'S' to
# signify the quota is a Size quota (the other kind is 'C' for Count, the total number of
# emails).
#
MYSQL_QUOTA_FIELD IF(quota, CONCAT(quota, 'S'), '') AS quota
Init Script
You'll need an init script to start authdaemond. Here's one suitable for CentOS: it's chkconfig compatible and makes use of the CentOS "functions" library for init scripts. It shouldn't be too difficult to adapt this to work for other distros.
Copy the init script to /etc/rc.d/init.d/authdaemond and make it executable.
#! /bin/bash
# This file: /etc/rc.d/init.d/authdaemond
#
# authdaemond    Start/Stop the Courier Authlib authentication daemon.
#
# chkconfig: - 71 05
# description: authdaemond is a server process which handles plaintext \
#              authentication requests on behalf of the courier authlib \
#              library.
# processname: authdaemond

# Source function library.
. /etc/init.d/functions

RETVAL=0

# Set up some common variables before we launch into what might be
# considered boilerplate by now.
prog=authdaemond
path=/usr/local/sbin/authdaemond
pidfile=/usr/local/var/spool/authdaemon/pid
# Short name used in the success/failure messages. Without this line $base
# is empty in stop(), because the functions library only sets it inside
# daemon(), which stop() does not call.
base=${path##*/}

start() {
    echo -n $"Starting $prog: "
    daemon $path start
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    $path stop
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
    [ $RETVAL -eq 0 ] && rm -f $pidfile
    [ $RETVAL -eq 0 ] && success $"$base shutdown" || failure $"$base shutdown"
    echo
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    status)
        status -p $pidfile $path
        ;;
    condrestart)
        # Only restart if the service was running (lock file present)
        [ -f /var/lock/subsys/$prog ] && restart || :
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
        exit 1
esac
exit $?

# chmod +x /etc/rc.d/init.d/authdaemond
Once the script is in place, start it and make sure that it starts automatically at boot:
# service authdaemond start
# chkconfig authdaemond on
Filesystem Permissions
The Courier Authlib configuration should not be world readable because it contains the MySQL user name and password.
I would recommend setting the user owner to root, the group owner to authlib and the permissions to 0640.
# chown root:authlib /usr/local/etc/authlib/*
# chmod 0640 /usr/local/etc/authlib/*
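As an added example that is not part of the original page, here is a small POSIX shell audit that checks the two points made above and in the Configuration section: no file under the authlib configuration directory may be world-readable (they hold the MySQL credentials), and authdaemonrc must not be left at DEBUG_LOGIN=2, which writes passwords to syslog. The function name audit_authlib_conf, the temporary directory and the sample files it builds are assumptions made for this demonstration; run it against /usr/local/etc/authlib on a real system.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Courier Authlib
# config directory for the two problems discussed on this page.
#   1. any file that is world-readable (the files hold the MySQL password)
#   2. authdaemonrc still set to DEBUG_LOGIN=2 (passwords end up in syslog)
# Prints one line per finding; the return status is the number of findings,
# so 0 means the directory passed the audit.

audit_authlib_conf() {
    dir=$1
    findings=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Character 8 of the "ls -l" permission string is the read bit for
        # "other"; an 'r' there means the file is world-readable.
        case $(ls -l "$f" | cut -c1-10) in
            ???????r??)
                echo "$f: world-readable"
                findings=$((findings + 1))
                ;;
        esac
    done
    rc=$dir/authdaemonrc
    if [ -f "$rc" ]; then
        # Last uncommented DEBUG_LOGIN assignment wins; quotes are tolerated.
        level=$(sed -n 's/^DEBUG_LOGIN=[^0-9]*\([0-9]\).*/\1/p' "$rc" | tail -n 1)
        if [ "${level:-0}" -eq 2 ]; then
            echo "$rc: DEBUG_LOGIN=2 leaves passwords in syslog"
            findings=$((findings + 1))
        fi
    fi
    return $findings
}

# Demonstration on constructed files in an assumed temporary directory
# (not the real /usr/local/etc/authlib): a mode-0644 authdaemonrc still
# at DEBUG_LOGIN=2, and a correctly protected mode-0640 authmysqlrc.
demo=$(mktemp -d)
printf 'daemons=5\nDEBUG_LOGIN=2\n' > "$demo/authdaemonrc"
chmod 0644 "$demo/authdaemonrc"
printf 'MYSQL_PASSWORD example-only\n' > "$demo/authmysqlrc"
chmod 0640 "$demo/authmysqlrc"
audit_authlib_conf "$demo" || echo "$? problem(s) found in $demo"
rm -rf "$demo"
```

The demonstration reports two findings for the constructed directory (the world-readable authdaemonrc and its DEBUG_LOGIN=2 line) and none once the file is chmod 0640 and set back to DEBUG_LOGIN=0 or 1, which is the state the page asks you to end up in.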
