From: Dylan Whyte
To: pmg-devel@lists.proxmox.com
Date: Mon, 14 Feb 2022 14:16:26 +0100
Message-Id: <20220214131626.87515-1-d.whyte@proxmox.com>
Subject: [pmg-devel] [PATCH pmg-docs] Fix 3645: Improve LDAP docs

- Be clearer about the fact that LDAP is only for spam quarantine access.
- Specify spam quarantine url and that users must log in with their email.

Signed-off-by: Dylan Whyte

--- pmg-administration.adoc | 4 +++- pmgconfig.adoc | 27 ++++++++++++++++++++------- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/pmg-administration.adoc b/pmg-administration.adoc index 2eae2ba..fe1eae1 100644 --- a/pmg-administration.adoc +++ b/pmg-administration.adoc @@ -72,6 +72,7 @@ output. Quarantine ---------- +[[pmgadministration_spam_quarantine]] Spam ~~~~ @@ -85,7 +86,8 @@ code (attacking your operating system or email client) is removed by {pmg}. Users can get access to their personalized quarantine via the daily -spam report or by logging in with their LDAP credentials. +spam report or by navigating to `https://:8006/quarantine` and logging +in with their LDAP credentials (email address and password). You can additionally enable user self-service for sending an access link from the Quarantine Login page. diff --git a/pmgconfig.adoc b/pmgconfig.adoc index b19cbb5..fea26db 100644 --- a/pmgconfig.adoc +++ b/pmgconfig.adoc 
@@ -902,20 +902,33 @@ LDAP/Active Directory [thumbnail="pmg-gui-ldap-user-config.png", big=1] +With {pmg}, users can use LDAP and Active directory as authentication methods to +access their individual xref:pmgadministration_spam_quarantine[Spam Quarantine]. +Additionally, if users have extra email aliases defined in the LDAP directory, +they will have a single spam quarantine for all of these. + +NOTE: Authentication via LDAP must first be enabled using the `Authentication +mode` (`authmode`) parameter in the +xref:pmgconfig_spamdetector_quarantine[Spam Detector's Quarantine configuration settings]. + You can specify multiple LDAP/Active Directory profiles, so that you can -create rules matching those users and groups. +create rules matching particular users and groups. Creating a profile requires (at least) the following: -* profile name -* protocol (LDAP or LDAPS; LDAPS is recommended) -* at least one server -* a username and password (if your server does not support anonymous binds) +* `Profile Name`: The name assigned to the LDAP profile. +* `Protocol`: LDAP, LDAPS, or LDAP+STARTTLS (LDAP+STARTTLS is recommended). +* `Server`: The domain name/IP address of the LDAP server. A fallback can also + be configured using the second field. +* `User name`: The Bind DN for authentication on the LDAP server. + This is required if your server does not support anonymous binds. +* `Password`: Password for the Bind DN user. +* `Base DN`: The directory which users are searched under. All other fields should work with the defaults for most setups, but can be used to customize the queries. -The settings are saved to `/etc/pmg/ldap.conf`. Details for the options +The settings are saved to `/etc/pmg/ldap.conf`. Details about the options can be found here: xref:pmg_ldap_configuration_file[ldap.conf] Bind user 
@@ -926,7 +939,7 @@ LDAP server only has permission to query the server. For LDAP servers (for example OpenLDAP or FreeIPA), the username has to be of a format like 'uid=username,cn=users,cn=accounts,dc=domain', where the specific fields depend on your setup. For Active Directory servers, the format should be -like 'username@domain' or 'domain\username'. +'username@domain' or 'domain\username'. Sync ^^^^ -- 2.30.2
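
Review bot: In the pmg-administration.adoc hunk at @@ -85,7 +86,8 @@, the added URL reads `https://:8006/quarantine` with nothing between `https://` and `:8006`. If the source uses an angle-bracket placeholder for the host, check that it survives rendering, or use a placeholder form that does not depend on angle brackets. The same sentence would also benefit from a cross-reference to the `authmode` note added in pmgconfig.adoc, because the login with LDAP credentials described here depends on that mode being enabled first.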
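
Review bot: In the pmgconfig.adoc hunk at @@ -902,20 +902,33 @@, the `Protocol` bullet changes the recommendation from "LDAPS is recommended" to "LDAP+STARTTLS is recommended", but the commit message neither mentions nor justifies that change. Please state the reason, and since plain LDAP is listed first, add a sentence saying that it sends the Bind DN password and the users' quarantine login credentials unencrypted. The `Password` bullet should carry the same "if your server does not support anonymous binds" condition as `User name`, and "Active directory" in the first added line should be "Active Directory" to match the rest of the section.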