Qmail-ldap Install Instructions ...
Sep 27, 2007


From Qmail-LDAP Wiki

Jump to: navigation, search

QMAIL_LDAP by Andre Oppermann <opi@nrg4u.com>, Claudio Jeker <jeker@n-r-g.com> and Boris Lutz <lutz@n-r-g.com> (c) 1998-2004 Internet Business Solutions AG

The qmail-ldap patch for qmail comes with NO WARRANTY.

This patch is under the BSD license. See LICENSE.

RELEASE: current ($Date: 2005/04/01 13:18:30 $)


INSTALL how to install the patch

CONFIG FILES all about the extra config file

DEFAULT LDAP FIELDS all about the fields in ldap

EXAMPLES example ldif and slapd.conf

MAILINGLIST, BUGS & PROBLEMS How to help us helping you






  • From release 20030901 on we broke certain backwards compatibility with

release 20030801 and prior releases for clarity and cleanup reasons!!

  • New qmailGroup attribute "bounceadmin", see QLDAPGROUP for more info

and as always a lot of smaller patches see QLDAPNEWS



1. Make sure you have fairly good knowledge of qmail and LDAP


2. Read this document. THIS IS IMPORTANT, this is no

  ./configure; make; make install software.
If you are not familiar with compiling software you should definitifly
read http://www.lifewithqmail.org/ldap/ first.

3. You need the following compiled and installed

   - OpenLDAP 2.x or higher (others might also work)
OpenLDAP releases < 2.0 should no longer be used (you have been warned).
- OpenSSL 0.9.4 or higher if you want TLS SMTP encrytion
  We recommend also using Dan Bernstein's toolset daemontools-0.76,
ucspi-tcp-0.88 and djbdns-1.05 to run qmail.
  If you have problems with OpenLDAP look into their FAQ. The same for
You NEED knowledge of LDAP so READ their FAQ and/or man pages.

4. Apply the qmail-ldap patches to a clean qmail-1.03 source tree

  normaly "cd qmail-1.03_source_tree; patch -p1 < location_of_patch"
works ;-). There seems to be a problem with the original patch utility
on Solaris based systems, use the gnu patch utility instead.
A pre-compiled binary should be available at http://www.sunfreeware.com/
or on many mirrors around the world.
  NOTE: the qmail-ldap patches need to be applied to a clean qmail-1.03 tree
not netqmail. All netqmail patches have been integrated into qmail-ldap
a long time ago.

5. Edit the conf-* files and the top of the Makefile (only the top ;-) )

  You can set/change:
-DALTQUEUE (to enable alternate queue selection via environment
variable QMAILQUEUE. Also known as qmailqueue patch.)
-DBIGBROTHER (turn on per address queue extra feature see the
section about the ~control/bigbrother control file)
-DBIGTODO (to enable the big todo patch, can be used together
-DBIND_8_COMPAT needed on system with new incompatible
bind9 header files. Currently this is necessary on MacOS X 10.3.
-DCLEARTEXTPASSWD (for cleartext passwords in ldap, bad idea)
-DDASH_EXT (turn on dash_ext support see 5.3)
-DDATA_COMPRESS (to enable smtp on the fly data compression.
It is needed to set ZLIB accordingly.)
-DEXTERNAL_TODO (to use the external high-performancer
-DQLDAP_CLUSTER (turns the cluster support on)
todo processing)
-DQMQP_COMPRESS (to enable QMQP on the fly data compression.
Can be used in clusters. It is needed to set ZLIB accordingly.
IMPORTANT: this breaks compatibility with the stock qmqp
protocol. So either all qmail-qmqpc/-qmqpd use the on the fly
compression or non.)
-DSMTPEXECCHECK (to enable Russell Nelsons antivirus patch

for qmail-smtpd. To turn it on set the REJECTEXEC env-var.)

              -DDUPEALIAS (to make migration from some X.400 messaging
systems easier. See QLDAPNEWS 20031101 for more information.)
  - LDAPLIBS: the libraries you need for ldap, e.g. -lldap -llber
NOTE: on Solaris Systems you probably need also -lnsl -lsocket
newer OpenLDAP libs my need also -lresolv (DNS support).
It is also good to set the ld runpath with the -R switch
for more info ld(1) or gcc(1) and
- LDAPINCLUDES: perhaps you need a special include-path for ldap
NOTE: if you need this you may run into shared library problems
see http://www.lifewithqmail.org/ldap/.
  - ZLIB is used when DATA_COMPRESS and QMAP_COMPRESS is defined. Normaly
-lz should work, if libz is installed in a different location use
-L/path/to/zlibdir -lz
- MNW=-DMAKE_NETSCAPE_WORK (turns on the patch that fixes the problem
with the Netscape download progress bar and qmail-pop3d)
  - MDIRMAKE=-DAUTOMAILDIRMAKE (turns the auto-MAILdir-make-patch on)
- HDIRMAKE=-DAUTOHOMEDIRMAKE (compiles the auto-HOMEdir-make-patch
into the release, you need the ~control/dirmaker file to turn the
patch on, see CONFIG FILES)
  - SHADOWLIBS=-lcrypt is needed on most systems (except my OpenBSD box :-) )
SHADOWLIBS=-lcrypt -lshadow , SHADOWOPTS=-DPW_SHADOW are needed on some
Systems (Solaris, Linux) for local password lookups
(just like the original djb-checkpassword. See Makefile.)
- DEBUG=-DDEBUG (compiles debugging into the auth modules and qmail-ldap,
see also 10.)
- TLS* stuff for TLS (SMTP encryption) mostly self explaining

5.1 Have a look at qmail-ldap.h, perhaps you want to change something there.

    LDAP_CATCH_ALL: used for catching mails for a specific domain.
Also used for extension nameing with DASH_EXT.
QUOTA_WARNING_LEVEL: triger level for quotawarning in percent.
*ID_{MAX,MIN}: upper and lower limit for uid's and gid's.
RESTRICT_PROG: restrict delivery programm pathes to non special shell
characters. See also next section 5.2
ALIASDEVNULL: replacement for the std. aliasempty for user with
neither homeDirectory nor mailMessageStore defined.
QLDAP_TIMEOUT: Default ldap search timeout. In seconds.
LDAP_*: Names of the ldap fields used for lookups.
DOTMODE_*: Names for the different dot modes.
MODE_*: Names for the different delivery modes.
ISACTIVE_*: Names for the account status.

5.2 Have a look at check.c if you want to change the ldap field check behaviour

   In the standart patch we check for this (in regexp form):
user: [a-zA-Z0-9@_.][a-zA-Z0-9@_.-]* (for the LDAP_UID field)
path: [a-zA-Z0-9@_./:=][a-zA-Z0-9@_.-/:=]*
prog: [a-zA-Z0-9@_./:=\\\t\n "'+,][a-zA-Z0-9@_.-/:=\\\t\n "'+,]*
then most shell escape characters are also allowed. e.g [$#!%&()*;])

5.3 Note on DASH_EXT:

   Finally we added a variation of Henning Brauer's dash-ext patch. The main
difference is the way it handels the extensions.
Example lookup scheme:
where CATCHALL is replaced with the value of LDAP_CATCH_ALL defined
in qmail-ldap.h. If CATCHALL is set to "default" instead of the standart
"catchall" it is almost stock qmails behaviour.
Note: Only up to four levels of dash extensions are checked to prevent
DoS attacks. You can change that in qmail-ldap.h via DASH_EXT_LEVELS.

6. Compile and install the stuff (it's the same as in standard qmail

   install -> HINT: read the INSTALL and the FAQ file!!! :) ).
Now everything should be installed with correct permissions.

6.1 If "make setup check" fails with an error like this:

      /usr/local/lib/libldap.so: undefined reference to `res_query' 
/usr/local/lib/libldap.so: undefined reference to `dn_expand'
collect2: ld returned 1 exit status
make: *** [qmail-lspawn] Error 1
You have forgotten to add -lresolv to LDAPLIBS.

6.2 If using TLS you can use 'make cert' or 'make cert-req' to create TLS


7. Create the LDAP user database and start the LDAP server

   See qmail.schema for definition of all fields for OpenLDAP 2.x

8. Create the proper ~control/ldap* files for qmail-ldap

   At least ldapserver and ldapbasedn must exist (and also 'me')

9. Test and Enjoy!

10. Debugging: as said befor you can compile qmail-lspawn and the auth modules

   with a flexible debugging facility (option DEBUG).
The debug output gets logged through splogger or your favorite logging tool
connected to stderr for tcpserver-pop/imap chain.
To turn on debugging you need only to define the LOGLEVEL environment
variable (e.g. with env, env LOGLEVEL=3 qmail-start ...)
There are these LOGLEVEL:
LOGLEVEL=1 -> Errors
LOGLEVEL=2 -> Warnings
LOGLEVEL=4 -> Info
LOGLEVEL=8 -> Info^2
LOGLEVEL=16 -> Debug
LOGLEVEL=32 -> Debug^2
LOGLEVEL=128 -> LDAP Debug^2
LOGLEVEL=256 -> PASSWD, this level is normaly off because it shows
critical data (unencrypted and crypted passwords). To
turn it on edit checkpassword.c and increase the level
for init_debug().
    WARNING: on production machines don't use levels higher 3 or you will get 
incredible huge logfiles.
NOTE: too high debuglevels are reduced to the maximum allowed debug level
if the level parameter in init_debug() is smaler.
The LOGLEVEL is compare with a bit mask, so that
LOGLEVEL=3 will report warnings and errors but LOGLEVEL=2 will
only report warnings.
With the new log support the environment variable is LOGLEVEL but
the old DEBUGLEVEL is still supported.
The new log support will no longer add the log output to bounce

11. NOTE ABOUT POP/IMAP services

   The stock qmail recomends that you use a program by the name 'checkpassword'
to do the authentication, like this:
      pop3 stream tcp nowait root \
/var/qmail/bin/qmail-popup qmail-popup \
YOURHOST /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
   With the use of the LDAP patch, this have been slightly altered. We now use
a program by the name 'auth_pop' instead... Something like this (replacement
inetd.conf line):
      pop3 stream tcp nowait root \
/var/qmail/bin/qmail-popup qmail-popup \
YOURHOST /var/qmail/bin/auth_pop /var/qmail/bin/qmail-pop3d Maildir


   Same goes for the command 'auth_imap' if your IMAP server can use an 
external program for authentication. auth_imap was designed for
courier-IMAP and should work with it out of the box.
There is also a auth_ldap modul in courier-imap that should work too.
You can get courier-imap from http://www.inter7.com
   auth_pop and auth_imap are part of this patch and will be installed with the
other qmail programs.

Page 1 of 1

create discussion Create Discussion