Arnaud Loonstra edited this page Oct 5, 2025 · 16 revisions

Welcome to the sphaebian wiki! What follows are instructions for setting up services.

LDAP SERVER

Mostly from the Debian Wiki

sudo apt install slapd ldap-utils ldapscripts

Reconfigure the database and set your options (MDB backend):

sudo dpkg-reconfigure -plow slapd

Configure the server through an LDIF file:

# SSL support
dn: cn=config
# CA only needed when using custom CA (not provided by debian)
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/server-intermediate.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/server-key.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/server-cert.pem

Add these changes:

ldapmodify -Y EXTERNAL -H ldapi:/// -f ./config.ldif

Create containers for the users and groups, plus a POSIX group named users:

# users, example.org
dn: ou=users,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: users
# groups, example.org
dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit
objectClass: top
ou: groups
# users, groups, example.org
dn: cn=users,ou=groups,dc=example,dc=org
objectClass: top
objectClass: posixGroup
cn: users
gidNumber: 1000

Add these containers:

ldapadd -xWvD "cn=admin,dc=example,dc=org" -H ldapi:/// -f containers.ldif

Configure ldapscripts through /etc/ldapscripts/ldapscripts.conf, set BINDDN and other options you need. Then set the secret file:

echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd
chmod 600 /etc/ldapscripts/ldapscripts.passwd

Now you can add users and groups:

  • Add user: sudo ldapadduser george pro
  • Change user's Password: sudo ldapsetpasswd george
  • Delete user: sudo ldapdeleteuser george
  • Add group: sudo ldapaddgroup testgroup
  • Add user to a group: sudo ldapaddusertogroup george testgroup
  • Remove user from a group: sudo ldapdeleteuserfromgroup george testgroup

LDAP Client

Just install libpam-ldapd; its configuration dialog should ask for all the details. You might also want to install nslcd.

SMTP Server

This Postfix setup uses authentication! Also see the Debian Wiki. You'll need all of the steps, unless you know what you are doing.

sudo apt install postfix sasl2-bin libsasl2-modules

In /etc/postfix/master.cf, uncomment every line containing $mua in the smtps service definition.

Add your domain to the config files, so others can't abuse your mailsystem:

postconf -e "myorigin = example.org"

Add your hostname (computer name). (Use command "hostname" at the command-line to display your hostname if not sure.)

postconf -e "myhostname=server1.example.org"

Enable mail delivery to users homedir using Maildir:

postconf -e "home_mailbox = .Maildir/"
postconf -e "mailbox_command = "

Or if you use dovecot you can use the dovecot delivery agent:

postconf -e 'mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"'

Add TLS/SSL

postconf -e smtpd_tls_security_level=may
postconf -e smtp_tls_security_level=may
postconf -# smtpd_use_tls
postconf -# smtpd_enforce_tls

Enable authentication through sasl. Create a file /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Set up a separate saslauthd process for Postfix: create a copy of saslauthd's config file

cp /etc/default/saslauthd /etc/default/saslauthd-postfix

and edit it

START=yes
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf"      # max. 15 char.
# Option -m sets working dir for saslauthd (contains socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

Create required subdirectories in postfix chroot directory:

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Add the user "postfix" to the group "sasl":

adduser postfix sasl

Restart saslauthd:

systemctl restart saslauthd

Edit Postfix configuration:

postconf -e 'smtpd_sasl_local_domain = $myhostname'
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'

Edit or add the following settings in /etc/postfix/main.cf and adjust them to your setup:

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.example.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.example.org/privkey.pem

If you have a relay server (e.g. your ISP's mail server):

postconf -e "relayhost = smtp.xs4all.nl"

Setup some spam prevention by appending this to the /etc/postfix/main.cf:

smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        check_sender_access hash:/etc/postfix/access,
        reject_rbl_client sbl.spamhaus.org,
        check_policy_service inet:127.0.0.1:10023,
        permit

smtpd_client_restrictions = permit_mynetworks,
        check_client_access hash:/etc/postfix/access,
        reject_rbl_client dul.dnsbl.sorbs.net,
        reject_rbl_client sbl-xbl.spamhaus.org
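As an added check that is not part of the wiki: a POSIX sh lint that reads a main.cf (or the output of `postconf -n`), joins Postfix continuation lines, and flags an smtpd_recipient_restrictions list in which a bare permit or an access table is reached before reject_unauth_destination, since the list would then approve relaying on its own. Function names and the file argument are this example's own choice.

```shell
#!/bin/sh
# Added example (not from the wiki): lint smtpd_recipient_restrictions in a
# Postfix main.cf for the ordering mistake that turns the list into a relay
# permit. Function names and the file argument are this example's own choice.

# Print one parameter's value with continuation lines joined.
# Postfix continues a value on every following line that starts with whitespace.
postfix_param() {  # usage: postfix_param <main.cf or `postconf -n` output> <parameter>
    awk -v name="$2" '
        /^[ \t]/ { if (found) { sub(/^[ \t]+/, " "); val = val $0 } ; next }
        { if (found) exit }
        $0 ~ ("^" name "[ \t]*=") { found = 1; val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
        END { print val }' "$1"
}

# Walk the list in order. Returns 0 when reject_unauth_destination (or
# defer_unauth_destination) is reached before anything that could say "permit"
# for an arbitrary destination; 1 when a bare permit or an access table comes
# first (an OK entry in that table would permit relaying); 2 when it is missing.
# Since Postfix 2.10 smtpd_relay_restrictions is evaluated as well, so this
# checks only the list the wiki configures, not the whole relay policy.
check_recipient_restrictions() {  # usage: check_recipient_restrictions <main.cf>
    list=$(postfix_param "$1" smtpd_recipient_restrictions | tr ',' ' ')
    for item in $list; do
        case "$item" in
            reject_unauth_destination|defer_unauth_destination) return 0 ;;
            permit|check_*_access*)
                echo "UNSAFE: '$item' is reached before reject_unauth_destination" >&2
                return 1 ;;
        esac
    done
    echo "UNSAFE: reject_unauth_destination missing from smtpd_recipient_restrictions" >&2
    return 2
}

if [ $# -gt 0 ]; then
    check_recipient_restrictions "$1" && echo "OK: relay control is reached before any permit"
fi
```

On a live server, `postconf -n > /tmp/effective.cf` gives the effective settings on single lines, which the same functions accept.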

Since google.com is often listed on blacklists it might be convenient to add it to a whitelist. We can use the /etc/postfix/access file for this:

job.com REJECT
google.com OK

postmap /etc/postfix/access

Finally restart postfix and check the logs

systemctl restart postfix
journalctl -ef

Mapping other domains

postconf -e "virtual_maps = hash:/etc/postfix/virtual"

In /etc/postfix/virtual create a map as follows:

example.org    anything
@example.org   userfoo
foo.bar        anything
[email protected]   someuser
# receives all addresses @foo.bar
@foo.bar      userfoo

Create the virtual hash map and activate the config by reloading Postfix:

postmap /etc/postfix/virtual
systemctl reload postfix

DKIM

Todo: https://maxadamski.com/blog/2025/10/email.html

apt install opendkim

Generate a DKIM keypair:

sudo -u opendkim opendkim-genkey -D /etc/dkimkeys -d example.org -s dkimkey

Add or edit the following keys in /etc/opendkim.conf

Domain   example.org
Selector dkimkey
KeyFile  /etc/dkimkeys/dkimkey.private
Socket   inet:8891@localhost

In /etc/postfix/main.cf add:

# DKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

Restart opendkim:

systemctl restart opendkim

Publish the DKIM public key in DNS as a TXT record at <selector>._domainkey.<domain> (opendkim-genkey also writes this record, ready to paste, to /etc/dkimkeys/dkimkey.txt):

TXT	dkimkey._domainkey.example.org	v=DKIM1; k=rsa; s=email; p=<pubkey>
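As an added check that is not part of the wiki (function names are assumed; key paths follow the wiki's /etc/dkimkeys layout): flatten the record opendkim-genkey wrote to /etc/dkimkeys/dkimkey.txt into the single value to publish, compare it with what DNS actually serves, and confirm that the p= tag belongs to the private key OpenDKIM signs with.

```shell
#!/bin/sh
# Added example (not from the wiki): turn the record opendkim-genkey writes to
# /etc/dkimkeys/<selector>.txt into the one-string TXT value to publish, and
# check that what DNS serves matches it and that p= matches the private key.
# Function names are this example's own; paths follow the wiki's layout.

# Concatenate the quoted chunks of a TXT record (genkey file or `dig` output)
# into one string, as a DKIM verifier does (RFC 6376 joins multiple strings).
dkim_flatten() {  # stdin -> stdout
    tr -d '\n' | awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i; print "" }'
}

dkim_record_name() {  # usage: dkim_record_name <selector> <domain>
    printf '%s._domainkey.%s\n' "$1" "$2"
}

dkim_p_tag() {  # stdin: record text -> the base64 public key from the p= tag
    dkim_flatten | sed -n 's/.*p=\([^;]*\).*/\1/p' | tr -d ' \t'
}

# Does the record DNS serves equal the one in the generated .txt file? (needs dig;
# any extra TXT record at the same name makes the comparison fail on purpose)
dkim_published_matches() {  # usage: dkim_published_matches <selector> <domain> <keydir>
    expected=$(dkim_flatten < "$3/$1.txt")
    served=$(dig +short TXT "$(dkim_record_name "$1" "$2")" | dkim_flatten)
    [ -n "$expected" ] && [ "$expected" = "$served" ]
}

# Does p= in the .txt file belong to the private key OpenDKIM signs with?
# DKIM's p= is the base64 DER SubjectPublicKeyInfo, which openssl can derive.
dkim_key_matches() {  # usage: dkim_key_matches <selector>.private <selector>.txt (needs openssl)
    want=$(dkim_p_tag < "$2")
    have=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

if [ $# -eq 2 ]; then  # usage: script <selector> <domain>, keys in /etc/dkimkeys as in the wiki
    dkim_key_matches "/etc/dkimkeys/$1.private" "/etc/dkimkeys/$1.txt" && echo "key file matches p="
    dkim_published_matches "$1" "$2" /etc/dkimkeys && echo "DNS serves the generated record"
fi
```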

IMAP Server

This is quite easy. The setup will use IMAP(s) and Maildir

Create /etc/dovecot/local.conf:

mail_location = maildir:~/.Maildir
#mail_debug=yes
passdb {
        driver = pam
}
protocols = imap
ssl = yes
ssl_cert = </etc/letsencrypt/live/imap.example.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/imap.example.org/privkey.pem
service auth {
        user = root
}
userdb {
        driver = passwd
}
protocol lda {
        mail_plugin_dir = /usr/lib/dovecot/modules
        mail_plugins = sieve
        postmaster_address = [email protected]
}

Optionally enable the dovecot delivery agent in Postfix:

postconf -e 'mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"'
systemctl restart postfix

Restart dovecot:

systemctl restart dovecot
