How I wish it wasn't possible, consultant. Unfortunately, out of spite for the impossible, I always find a way. I really suck. Here's some cmd prompt output using Joe's unlock tool mentioned above:
C:\Perl\scripts>unlock . *
Unlock V02.01.00cpp Joe Richards (joe@joeware.net) August 2004
Processed at qrn-fs1.qrn.local
Default Naming Context: DC=qrn,DC=local
1: andrew.tayler 04/19/2010-09:20:28 LOCKED UNLOCKED
2: dirsearch 04/19/2010-09:21:31 LOCKED UNLOCKED
Note that dirsearch is our bind account. Before this, only the user andrew.tayler was locked out. He tried with the wrong email password two or three more times and eventually dirsearch was locked out. No one can check mail at this point.
Your post on Conficker is good insight as well; this is what we thought the problem was at first. Seems like there are several worms out there that cause account lockouts. This is one of the effects of the Conficker worm; lots of account lockouts because it tries to log in to network shares with weak administrator passwords. Right about the time we did all this transitioning, we also transitioned from CA eTrust (which is just horrible in my opinion) to Avira based on its performance in independent AV comparative site tests & reviews (I use the free version on my personal Windows box). We've run F-Secure's Conficker removal tool, daily Avira scans, Windows' Malicious Software Removal Tool, etc. etc. I could be wrong, but I am fairly certain it is not malware causing the lockouts. Besides, the lockouts are anything but random. In fact, if you know when a person has forgotten their password, they are extremely predictable.
This could also be solved if Windows Server 2003 allowed more than one account lockout policy per domain. I've almost considered upgrading to Server 2008 just because the fine-grain policies would allow us to specify a different lockout policy for this account, but even this wouldn't be a true fix. I'd like to know what's causing the account lockout in the first place!
postconf -n:
qrn-email home # postconf -n
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = //usr/lib64/postfix
data_directory = /var/lib/postfix
disable_vrfy_command = yes
empty_address_recipient = MAILER-DAEMON
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.6.5/html
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = qrn.local
mynetworks = 127.0.0.0/8 10.0.0.0/24
mynetworks_style = subnet
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.5/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name NO UCE
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, warn_if_reject reject_non_fqdn_hostname, warn_if_reject reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/roleaccount_exceptions, check_helo_access pcre:/etc/postfix/helo_checks, check_policy_service inet:[127.0.0.1]:2501, check_sender_mx_access cidr:/etc/postfix/bogus_mx
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_checks, permit
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/server/server.pem
smtpd_tls_key_file = /etc/ssl/server/server.key
smtpd_tls_received_header = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = ldap:/etc/postfix/ldap-groups.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/./
virtual_mailbox_domains = $mydomain, qrn.inc.com
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:500
qrn-email home #
dovecot.conf:
# Dovecot (1.x-style) configuration as pasted; reviewer remarks are marked NOTE(review).
protocols = pop3 pop3s imap imaps managesieve
listen = *
# Plaintext mechanisms are refused on non-TLS connections; with ssl = required
# below, every client login has to happen inside TLS.
disable_plaintext_auth = yes
shutdown_clients = yes
ssl_listen = *
ssl = required
ssl_cert_file = /etc/ssl/server/server.pem
ssl_key_file = /etc/ssl/server/server.key
ssl_ca_file = /etc/ssl/certs/ca-certificates.crt
ssl_verify_client_cert = no
ssl_parameters_regenerate = 168
# NOTE(review): OpenSSL's "ALL" keyword still admits anonymous (aNULL) suites;
# "!aNULL" is normally listed next to "!LOW" — confirm against the OpenSSL build in use.
ssl_cipher_list = ALL:!LOW:!SSLv2
verbose_ssl = no
login_process_size = 64
login_process_per_connection = yes
login_processes_count = 3
login_max_processes_count = 256
login_max_connections = 256
# The "/./" marks the chroot point inside the path (see valid_chroot_dirs).
mail_location = maildir:/./%Ln/Maildir/
mail_debug = no
# All mailboxes run as one uid/gid (500), matching the static:500
# virtual_uid_maps/virtual_gid_maps on the Postfix side.
first_valid_uid = 500
last_valid_uid = 500
first_valid_gid = 500
last_valid_gid = 500
valid_chroot_dirs = /var/mail:/home
protocol imap {
imap_client_workarounds = delay-newmail outlook-idle
}
protocol pop3 {
pop3_uidl_format = %08Xu%08Xv
pop3_save_uidl = no
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol managesieve {
}
protocol lda {
postmaster_address = postmaster@qrn.inc.com
mail_plugins = quota
quota_full_tempfail = yes
# Must match the master socket path declared under auth default below.
auth_socket_path = /var/run/dovecot/auth-master
}
# %Ln = lowercased local part only; the domain is dropped before lookup.
auth_username_format = %Ln
# NOTE(review): with auth_verbose = no, failed logins are not logged with the
# username; turning it on is the cheapest way to correlate client failures
# with the AD lockout times.
auth_verbose = no
auth_debug = no
# NOTE(review): no gssapi mechanism is listed below, so these two Kerberos
# settings appear unused by this file — confirm.
auth_gssapi_hostname = qrn-email.qrn.local
auth_krb5_keytab = /etc/krb5.keytab
auth default {
mechanisms = plain login
# NOTE(review): the passdb here is PAM, not ldap. dovecot-ldap.conf (pasted
# further down) is only consulted by a passdb/userdb ldap section, and none is
# shown in this file — whichever PAM module backs this service is what talks
# to AD on each login. args = "*" uses the protocol name as the PAM service name.
passdb pam {
args = "*"
}
# Every user maps onto the single vmail uid/gid; no per-user LDAP userdb lookup here.
userdb static {
args = uid=vmail gid=vmail home=/home/vmail/./%Ln
}
user = root
socket listen {
# Master socket consumed by the LDA (auth_socket_path above); vmail-only, mode 0600.
master {
path = /var/run/dovecot/auth-master
mode = 0600
user = vmail
group = vmail
}
# Client socket placed inside the Postfix queue directory so smtpd can reach it
# as smtpd_sasl_path = private/auth.
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
dict {
}
plugin {
}
dovecot-ldap.conf:
# Dovecot LDAP passdb/userdb settings pointed at the AD domain controller.
hosts = qrn-fs1.qrn.local
# Service account used for directory searches (the "LDAP User" / dirsearch account).
dn = cn=LDAP User,ou=System Accounts,ou=QRN Users,dc=qrn,dc=local
# NOTE(review): this is a live bind credential reproduced in the clear in the
# post (also in ldap-users.cf below); it should be rotated.
dnpass = kd;akoeo993;@1
# auth_bind = yes with auth_bind_userdn set: each client login is a direct
# simple bind as DOMAIN\user, so the user's own bad-password count on the DC
# rises with every wrong password, and the pass_filter below is not used for
# that lookup.
auth_bind = yes
auth_bind_userdn = QRN_INC\%n
ldap_version = 3
base = ou=QRN Users, dc=qrn, dc=local
scope = subtree
user_attrs = sAMAccountName=home
user_filter = (&(objectClass=person)(sAMAccountName=%n))
# NOTE(review): "sAMAccount" is not an AD attribute (user_filter above uses
# sAMAccountName). Harmless while auth_bind_userdn bypasses this filter, but a
# filter-based password lookup would never match.
pass_filter = (&(objectClass=person)(sAMAccount=%n))
ldap-users.cf:
# Postfix ldap: table backing virtual_mailbox_maps (see postconf -n above).
server_host = 10.0.0.21
search_base = ou=QRN Users, dc=qrn, dc=local
version = 3
# Resolves a recipient address via either the mail or othermailbox attribute.
query_filter = (&(objectclass=user)(|(mail=%s)(othermailbox=%s)))
result_attribute = samaccountname
result_format = %u/Maildir/
# With bind = yes, every recipient lookup binds as this service account, so a
# lockout of it stalls address resolution for incoming mail.
bind = yes
bind_dn = cn=LDAP User,ou=System Accounts,ou=QRN Users,dc=qrn,dc=local
# NOTE(review): same password as dnpass in dovecot-ldap.conf, exposed in the clear here too.
bind_pw = kd;akoeo993;@1
If there's anything else I need to throw out here that would help, please let me know. While posting these I thought about group membership. The LDAP User/dirsearch account is a member of Domain Users and nothing else. This should be sufficient, right? I only have a few hairs in my head left to pull out, but I am going to keep trucking.