From c30a18a741bd44df276c23cc454ab5097388d926 Mon Sep 17 00:00:00 2001 From: downtownallday Date: Wed, 3 Jun 2020 12:03:43 -0400 Subject: [PATCH] Reflect LDAP detail --- README.md | 125 ++++++++++++------------------------------------------ 1 file changed, 27 insertions(+), 98 deletions(-) diff --git a/README.md b/README.md index 630ce259..a9a77ddd 100644 --- a/README.md +++ b/README.md 
@@ -1,109 +1,38 @@ -Mail-in-a-Box -============= +Mail-in-a-Box w/LDAP +=================== +This is a version of [Mail-in-a-Box](https://mailinabox.email) with LDAP used as the user account database instead of sqlite. -By [@JoshData](https://github.com/JoshData) and [contributors](https://github.com/mail-in-a-box/mailinabox/graphs/contributors). +All features are supported - you won't find many visible differences. It's really an under-the-hood change. -Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box. +However it will allow a remote Nextcloud installation to authenticate users against Mail-in-a-Box using [Nextcloud's official LDAP support](https://nextcloud.com/usermanagement/). A single user account database shared with Nextcloud was originally the goal of the project which would simplify deploying a private mail and cloud service for a home or small business. But, there could be many other use cases as well. -**Please see [https://mailinabox.email](https://mailinabox.email) for the project's website and setup guide!** +To add a new account to Nextcloud, you'd simply add a new email account with MiaB-LDAP's admin interface. Quotas and other account settings are made within Nextcloud. -* * * +How to connect a remote Nextcloud \[scripts coming soon\] +-------------------------------------------------- -Our goals are to: +To fully integrate Mail-in-a-Box w/LDAP (MiaB-LDAP) with Nextcloud, changes must be made on both sides. -* Make deploying a good mail server easy. -* Promote [decentralization](http://redecentralize.org/), innovation, and privacy on the web. -* Have automated, auditable, and [idempotent](https://web.archive.org/web/20190518072631/https://sharknet.us/2014/02/01/automated-configuration-management-challenges-with-idempotency/) configuration. -* **Not** make a totally unhackable, NSA-proof server. 
-* **Not** make something customizable by power users. +1. MiaB-LDAP + * Remote LDAPS access: the default MiaB-LDAP installation doesn't allow any remote LDAP access, so for Nextcloud to access MiaB-LDAP, firewall rules must be loosened to the LDAPS port (636). This is a one-time change. Run something like this as root on MiaB-LDAP, where $ip is the ip-address of your Nextcloud server: `ufw allow proto tcp from $ip to any port ldaps` + * Roundcube and Z-Push (ActiveSync) changes: modify the MiaB-LDAP configuration to use the remote Nextcloud for contacts and calendar. A script to do this automatically will be available soon. +2. Remote Nextcloud + * Use MiaB-LDAP for user acccounts: a script to run on Nextcloud will be available soon that will enable the user-ldap app and utilize the user-ldap API to configure Nextcloud for you. This script will set all the required attributes and search parameters for use with MiaB-LDAP (there are quite a few), including use of the limited-rights LDAP service account generated just for Nextcloud by the MiaB-LDAP installation. -Additionally, this project has a [Code of Conduct](CODE_OF_CONDUCT.md), which supersedes the goals above. Please review it when joining our community. +All the setup-generated LDAP service account credentials are stored in /home/user-data/ldap/miab_ldap.conf. See that file for the Nextcloud service account distinguised name and password. -The Box -------- +Command-Line Searching +----------------------------------- +To perform command-line searches against your LDAP database, run setup/ldap -search "\", where _query_ could be a distinguished name to show all attributes of that dn, or an LDAP search enclosed in parenthesis. Some examples: + * `setup/ldap.sh -search "(mail=alice@mydomain.com)"` (show alice) + * `setup/ldap.sh -search "(|(mail=alice.*)(mail=bruce.*))"` (show all alices and bruces) + * `setup/ldap.sh -search "(objectClass=mailuser)"` (show all users) + * etc. 
-Mail-in-a-Box turns a fresh Ubuntu 18.04 LTS 64-bit machine into a working mail server by installing and configuring various components. +See the `conf/postfix.schema` file for more details on the LDAP schema. -It is a one-click email appliance. There are no user-configurable setup options. It "just works". +Cautionary Note +----------------------- +The setup will migrate your current installation to LDAP. Have good backups before running. -The components installed are: - -* SMTP ([postfix](http://www.postfix.org/)), IMAP ([dovecot](http://dovecot.org/)), CardDAV/CalDAV ([Nextcloud](https://nextcloud.com/)), and Exchange ActiveSync ([z-push](http://z-push.org/)) servers -* Webmail ([Roundcube](http://roundcube.net/)), mail filter rules (also using dovecot), and email client autoconfig settings (served by [nginx](http://nginx.org/)) -* Spam filtering ([spamassassin](https://spamassassin.apache.org/)) and greylisting ([postgrey](http://postgrey.schweikert.ch/)) -* DNS ([nsd4](https://www.nlnetlabs.nl/projects/nsd/)) with [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework), DKIM ([OpenDKIM](http://www.opendkim.org/)), [DMARC](https://en.wikipedia.org/wiki/DMARC), [DNSSEC](https://en.wikipedia.org/wiki/DNSSEC), [DANE TLSA](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities), [MTA-STS](https://tools.ietf.org/html/rfc8461), and [SSHFP](https://tools.ietf.org/html/rfc4255) policy records automatically set -* HTTPS TLS certificates are automatically provisioned using [Let's Encrypt](https://letsencrypt.org/) (needed for webmail, CardDAV/CalDAV, ActiveSync, MTA-STS policy, etc.). 
-* Backups ([duplicity](http://duplicity.nongnu.org/)), firewall ([ufw](https://launchpad.net/ufw)), intrusion protection ([fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page)), and basic system monitoring ([munin](http://munin-monitoring.org/)) - -It also includes system management tools: - -* Comprehensive health monitoring that checks each day that services are running, ports are open, TLS certificates are valid, and DNS records are correct -* A control panel for adding/removing mail users, aliases, custom DNS records, configuring backups, etc. -* An API for all of the actions on the control panel - -It also supports static website hosting since the box is serving HTTPS anyway. - -For more information on how Mail-in-a-Box handles your privacy, see the [security details page](security.md). - -Installation ------------- - -See the [setup guide](https://mailinabox.email/guide.html) for detailed, user-friendly instructions. - -For experts, start with a completely fresh (really, I mean it) Ubuntu 18.04 LTS 64-bit machine. On the machine... - -Clone this repository: - - $ git clone https://github.com/mail-in-a-box/mailinabox - $ cd mailinabox - -_Optional:_ Download Josh's PGP key and then verify that the sources were signed -by him: - - $ curl -s https://keybase.io/joshdata/key.asc | gpg --import - gpg: key C10BDD81: public key "Joshua Tauberer " imported - - $ git verify-tag v0.45 - gpg: Signature made ..... using RSA key ID C10BDD81 - gpg: Good signature from "Joshua Tauberer " - gpg: WARNING: This key is not certified with a trusted signature! - gpg: There is no indication that the signature belongs to the owner. - Primary key fingerprint: 5F4C 0E73 13CC D744 693B 2AEA B920 41F4 C10B DD81 - -You'll get a lot of warnings, but that's OK. Check that the primary key fingerprint matches the -fingerprint in the key details at [https://keybase.io/joshdata](https://keybase.io/joshdata) -and on his [personal homepage](https://razor.occams.info/). 
(Of course, if this repository has been compromised you can't trust these instructions.) - -Checkout the tag corresponding to the most recent release: - - $ git checkout v0.45 - -Begin the installation. - - $ sudo setup/start.sh - -For help, DO NOT contact Josh directly --- I don't do tech support by email or tweet (no exceptions). - -Post your question on the [discussion forum](https://discourse.mailinabox.email/) instead, where maintainers and Mail-in-a-Box users may be able to help you. - -Contributing and Development ----------------------------- - -Mail-in-a-Box is an open source project. Your contributions and pull requests are welcome. See [CONTRIBUTING](CONTRIBUTING.md) to get started. - - -The Acknowledgements --------------------- - -This project was inspired in part by the ["NSA-proof your email in 2 hours"](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) blog post by Drew Crawford, [Sovereign](https://github.com/sovereign/sovereign) by Alex Payne, and conversations with @shevski, @konklone, and @GregElin. - -Mail-in-a-Box is similar to [iRedMail](http://www.iredmail.org/) and [Modoboa](https://github.com/tonioo/modoboa). - -The History ------------ - -* In 2007 I wrote a relatively popular Mozilla Thunderbird extension that added client-side SPF and DKIM checks to mail to warn users about possible phishing: [add-on page](https://addons.mozilla.org/en-us/thunderbird/addon/sender-verification-anti-phish/), [source](https://github.com/JoshData/thunderbird-spf). -* In August 2013 I began Mail-in-a-Box by combining my own mail server configuration with the setup in ["NSA-proof your email in 2 hours"](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) and making the setup steps reproducible with bash scripts. -* Mail-in-a-Box was a semifinalist in the 2014 [Knight News Challenge](https://www.newschallenge.org/challenge/2014/submissions/mail-in-a-box), but it was not selected as a winner. 
-* Mail-in-a-Box hit the front page of Hacker News in [April](https://news.ycombinator.com/item?id=7634514) 2014, [September](https://news.ycombinator.com/item?id=8276171) 2014, [May](https://news.ycombinator.com/item?id=9624267) 2015, and [November](https://news.ycombinator.com/item?id=13050500) 2016. -* FastCompany mentioned Mail-in-a-Box a [roundup of privacy projects](http://www.fastcompany.com/3047645/your-own-private-cloud) on June 26, 2015. +Although I run this in production on my own servers, there are no guarantees that it will work for you.
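Review bot: the rewritten README drops the whole Installation section (the `git clone`, the `git verify-tag v0.45` signature check, and `sudo setup/start.sh`) together with the link to the upstream setup guide, but puts nothing in its place, so a reader of the LDAP fork is never told how to install it; the new "Cautionary Note" then says "The setup will migrate your current installation to LDAP" without saying what "the setup" is or how it is started. Keep a short install section (at minimum the clone and the `setup/start.sh` invocation, and the tag-signature verification if this fork is also signed) and refer to it from the Cautionary Note. Smaller points in the same hunk: the "Command-Line Searching" text tells the reader to run `setup/ldap -search "\"` while every example below it uses `setup/ldap.sh -search ...`, so the script name (and the apparently lost `<query>` placeholder) should be made consistent; "acccounts" and "distinguised name" are typos; and since `/home/user-data/ldap/miab_ldap.conf` is documented as holding all the service-account passwords, it is worth stating the ownership and permissions the setup gives that file, and that the `ufw allow proto tcp from $ip to any port ldaps` rule is the only thing limiting remote LDAPS access, so it should be issued once per Nextcloud host address and never as a blanket allow.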