1

Topic: AD integration issues

==== Required information ====
- iRedMail version: latest one
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version:  Debian Wheezy
- Related log if you're reporting an issue:
====

Hi

I'm a Windows-based system engineer and for a while I've been trying to find my way in the Open Source (free) community. Because of my limited Linux background, I tried several alternatives to replace an Exchange-based messaging environment, but I wasn't able to configure any of them properly with my current setup.

Right now, this is what I have (all on ESXi):
* An SMTP relay server with spam filter (Xeams) in DMZ
* A SAMBA4 AD controller in the back-end (Sernet version)
* A messaging server in the back-end

This week, I installed iRedMail in an attempt to finally get the back-end messaging server operational without days of troubleshooting. And I got pretty far, in a sense that I can authenticate to the messaging server (with Thunderbird or through RoundCube). However, I'm having difficulties with the differences between the mail and AD domains.

My AD domain can be defined as internal.domain.com. All accounts in there have the format xxxyyy (hash based on the actual name). In their mail address field, their e-mail is defined as firstname.lastname@domain.com.

In RoundCube, I can log in with xxxyyy (which is ok, although the e-mail address would be nice), but then it also shows the mailbox as xxxyyy@domain.com. So the suffix is already ok, but the username is not. When trying to send a mail in Thunderbird, I get an error "5.7.1 <firstname.lastname@domain.com>:Sender address rejected.: not owned by user xxxyyy@internal.domain.com".

So, basically I need to find a way to link both names to one entity. I guess this is something to fill in in the Postfix or Dovecot config files, but I can't find any post about this. Is this possible and if so, what would I need to specify?

Cheers


2

Re: AD integration issues

tvbruwae wrote:

In RoundCube, I can login with xxxyyy (which is ok, although the a-mail address would be nice)

If you have a domain name set in the parameter below in the Roundcube config file /usr/share/apache2/roundcubemail/config/main.inc.php, Roundcube will append '@domain_name' after 'xxxyyy', so you're actually logging in as 'xxxyyy@domain_name' (a full email address). You can set it to empty to force users to log in with the full email address:

$rcmail_config['username_domain'] = '';

Also, check the parameter below in the Dovecot config file /etc/dovecot/dovecot.conf; it's the same as the one above in Roundcube.

auth_default_realm =

3

Re: AD integration issues

Thank you for the reply. I checked and indeed the domain name was set, I probably had entered the name values using one of the setup guides.

This explains the login item, but the main issue is still there. As the mailbox is shown as xxxyyy@domain.com, it's not really helpful since most people like to see the name of the person they're writing to. So I'd need to know if I can configure postfix/dovecot to link an xxxyyy account to a firstname.lastname value somehow. Can the AD "e-mail" field be used for this?

4

Re: AD integration issues

Roundcube shows the login username, not first name and last name. So, to make it work the way you prefer, try to use the email field as the login username in Roundcube. This is what I showed in the wiki tutorial:
http://www.iredmail.org/wiki/index.php? … y.iRedMail

5

Re: AD integration issues

I did follow the tutorial, so that's why I'm already able to authenticate against AD. But as far as I see it does not mention cases where the AD domain names and mail domain names are different, or where the AD user name is different from the mail user name. In my case (xxxyyy@internal.domain.com in AD versus firstname.lastname@domain.com for mail), both are different. So I'm confused about which settings in the config files have to be adjusted to make this work transparently.

6

Re: AD integration issues

Please show us the config files below from your server (remove passwords before pasting):

- /etc/dovecot/dovecot-ldap.conf
- /etc/postfix/ad_sender_login_maps.cf
- /etc/postfix/ad_virtual_mailbox_maps.cf

Before you paste them, please compare them with our wiki tutorial again:
http://www.iredmail.org/wiki/index.php? … y.iRedMail

7

Re: AD integration issues

Here they are.

ad_sender_login_maps.cf

server_host     = dc1.internal.mydomain.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@internal.mydomain.com
bind_pw         = pw
search_base     = dc=internal,dc=mydomain,dc=com
scope           = sub
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel      = 0

ad_virtual_mailbox_maps.cf

server_host     = dc1.internal.mydomain.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail@internal.mydomain.com
bind_pw         = pw
search_base     = dc=internal,dc=mydomain,dc=com
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format   = %d/%u/Maildir/
debuglevel      = 0

dovecot-ldap.conf

hosts           = dc1.internal.mydomain.com:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail@internal.mydomain.com
dnpass          = pw
base            = dc=internal,dc=mydomain,dc=com
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/

The LDAP queries against AD from the tutorial work and I'm also able to configure Thunderbird with the mail server as IMAP + SMTP host, using my AD account. But when I authenticate using xxxyyy (AD account), I'm still not allowed to send mails using firstname.lastname@mydomain.com or firstname.lastname@internal.mydomain.com. Yet, firstname.lastname@mydomain.com is the address filled in the "e-mail" field in AD.

To avoid a possible issue with the domain name, I already changed the UPN xxxyyy@internal.mydomain.com into xxxyyy@mydomain.com (I first added the root domain as a UPN suffix in the AD forest). But the main issue seems to be the authentication with the xxxyyy account format and then requiring a link with e-mail firstname.lastname@something.com.

8

Re: AD integration issues

*) You can add multiple identities in Roundcube; when you send an email, choose one of them as the sender. NOTE: You have to update the Roundcube config file /usr/share/apache2/roundcubemail/config.inc.php to allow multiple identities, and remove 'reject_sender_login_mismatch' from the Postfix config file (/etc/postfix/main.cf).

*) Does it work if you login with your full email address directly?

tvbruwae wrote:

To avoid a possible issue with the domain name, I already changed the UPN xxxyyy@internal.mydomain.com into xxxyyy@mydomain.com (I first added the root domain as a UPN suffix in the AD forest). But the main issue seems to be the authentication with the xxxyyy account format and then requiring a link with e-mail firstname.lastname@something.com.

Dovecot (IMAP server) and Roundcube won't re-query SQL/LDAP to show another address as your account.

9

Re: AD integration issues

I started to test with a regular mail client, just to be sure it's not a Roundcube config issue. But the behavior so far is the same.

Right now I'm not able to log in with my e-mail address firstname.lastname@mydomain.com, so I can't really check the result. In AD, firstname.lastname is not an account so this could make sense. Isn't it possible with iRedMail to define aliases and just make one of those aliases the primary address? If so, I could keep xxxyyy@mydomain.com as one of the addresses and just add firstname.lastname@mydomain.com for every account in AD. Then, if that one could be made primary, every user that configures his client would still be able to send/receive from firstname.lastname@mydomain.com.

10

Re: AD integration issues

*) What's the value of LDAP attribute "userPrincipalName" in your AD? xxxyyy or full email address?
*) Does it work if you use the LDAP attribute which has the full email address as its value in the Postfix config files?

11

Re: AD integration issues

*) The UPN is xxxyyy@mydomain.com. While I still need to provision AD with around 350 users, I'd prefer to keep it that way. Firstname.Lastname is just way too long for many people to use as a login.

*) I'd like to try, but that's mainly why I'm here. :-) I'm not familiar with the way the config files (and LDAP queries) are constructed. Can you tell me how to adjust the files then?

12

Re: AD integration issues

*) Roundcube shows the login username in the top-right corner; it doesn't query SQL/LDAP again to get a new name.
*) Try to use the LDAP attribute which stores the email address in the Postfix/Dovecot config files instead of "userPrincipalName".

Again, Roundcube works this way; if it's not OK for you, I have no idea yet, if I understand you correctly. You can try asking on the Roundcube mailing list to get advanced help:
http://trac.roundcube.net/wiki/MailingLists

13

Re: AD integration issues

Hi ZhangHuangbin

I tried a few alternatives in the config files, but the result was never really satisfying. At some point I made the LDAP query look for either the UPN or sAMAccountName and then I was able to log in with both xxxyyy and firstname.lastname. However, in the former case, I wasn't able to send out mails with the firstname.lastname@domain.com address (I got an error saying that the mailbox did not belong to xxxyyy)...

In the end, I modified the AD UPN of my accounts. Now that it's firstname.lastname@domain.com, I can keep the "original" config files from the tutorial. Since I can still use the pre-W2000 account (xxxyyy) to login to workstations, I guess this is the better approach for making it work.

In Thunderbird/Roundcube I can't log in with my xxxyyy anymore, but since this is 100% e-mail related, users shouldn't complain about having to log in with their e-mail address.

I'm already stumbling into additional questions, but I'll have a look at them first before opening another topic. Thanks for the assistance you provided!

14

Re: AD integration issues

tvbruwae wrote:

However, in the former case, I wasn't able to send out mails with the firstname.lastname@domain.com address (I got an error saying that the mailbox did not belong to xxxyyy)...

Removing 'reject_sender_login_mismatch' in Postfix main.cf will solve this issue.
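The rejection in this thread comes from how Postfix evaluates reject_sender_login_mismatch: the MAIL FROM address is looked up in smtpd_sender_login_maps (here the ad_sender_login_maps.cf posted above), and the result must contain the SASL login name. Because that file keys its query_filter on userPrincipalName, a MAIL FROM of firstname.lastname@mydomain.com finds no owner and is rejected, while the UPN itself is accepted. The Python below is an added example, not iRedMail code and not a file from this thread; it models that lookup and the check, runs the posted filter and an address-keyed alternative over a constructed directory, and assumes (as a hypothetical) that the address users send from lives in AD's mail attribute or an smtp: entry in proxyAddresses while the login name stays the UPN. The accounts and addresses are made up.

```python
"""Model of Postfix reject_sender_login_mismatch against an AD-style directory.

Added example for this thread; it is neither iRedMail code nor a file posted
above.  The accounts are constructed sample data.  Assumption: the address a
user sends from is stored in AD's `mail` attribute (and optional smtp: entries
in `proxyAddresses`), while the login name is the userPrincipalName.
"""
import re

DIRECTORY = [  # constructed entries, not real accounts
    {"userPrincipalName": "abc123@mydomain.com", "sAMAccountName": "abc123",
     "mail": "Jane.Doe@mydomain.com", "objectClass": ["top", "person", "user"],
     "proxyAddresses": ["SMTP:Jane.Doe@mydomain.com", "smtp:jdoe@mydomain.com"],
     "userAccountControl": 512},                      # NORMAL_ACCOUNT
    {"userPrincipalName": "ghi789@mydomain.com", "sAMAccountName": "ghi789",
     "mail": "sam.poe@mydomain.com", "objectClass": ["top", "person", "user"],
     "proxyAddresses": ["SMTP:sam.poe@mydomain.com"], "userAccountControl": 512},
    {"userPrincipalName": "def456@mydomain.com", "sAMAccountName": "def456",
     "mail": "john.roe@mydomain.com", "objectClass": ["top", "person", "user"],
     "proxyAddresses": ["SMTP:john.roe@mydomain.com"],
     "userAccountControl": 514},                      # ACCOUNTDISABLE bit set
]

# ad_sender_login_maps.cf as posted: keyed on the UPN, so a MAIL FROM of
# jane.doe@... matches nothing and Postfix reports "not owned by user".
UPN_MAP = {
    "query_filter": "(&(userPrincipalName=%s)(objectClass=person)"
                    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "result_attribute": ["userPrincipalName"],
}
# Address-keyed alternative (assumed layout): look the MAIL FROM address up in
# mail / proxyAddresses and return the UPN the user authenticated with.
MAIL_MAP = {
    "query_filter": "(&(|(mail=%s)(proxyAddresses=smtp:%s))(objectClass=person)"
                    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "result_attribute": ["userPrincipalName"],
}

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND

def rfc4515_escape(key):
    """Quote the lookup key as Postfix does before substituting %s, so an
    address like '*)(mail=*' cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in key)

def rfc4515_unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value)
    and the extensible match (attr:rule:=value).  Returns (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1]
    if op in "&|":
        subs, i = [], i + 2
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unterminated filter list at offset %d" % i)
        return ("and" if op == "&" else "or", subs), i + 1
    if op == "!":
        node, i = parse_filter(s, i + 2)
        if s[i] != ")":
            raise ValueError("unterminated negation at offset %d" % i)
        return ("not", node), i + 1
    j = s.index(")", i)
    lhs, value = s[i + 1:j].split("=", 1)
    attr, rule = (lhs[:-1].split(":", 1) if lhs.endswith(":") else (lhs, None))
    return ("eq", attr, rule, rfc4515_unescape(value)), j + 1

def _values(entry, attr):
    """Attribute values as a list; LDAP attribute names are case-insensitive."""
    for name, v in entry.items():
        if name.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []

def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    present = _values(entry, attr)
    if rule == BIT_AND:                       # AD bitwise AND on integer flags
        return any(int(v) & int(value) == int(value) for v in present)
    if rule is not None:
        raise ValueError("unsupported matching rule " + rule)
    if value == "*":                          # presence filter
        return bool(present)
    return any(str(v).lower() == value.lower() for v in present)

def ldap_lookup(table, key, directory=DIRECTORY):
    """Emulate one Postfix ldap: table lookup: substitute the quoted key for
    %s, run query_filter over the directory, collect result_attribute values."""
    tree, _ = parse_filter(table["query_filter"].replace("%s", rfc4515_escape(key)))
    return [v for e in directory if matches(tree, e)
            for a in table["result_attribute"] for v in _values(e, a)]

def sender_allowed(table, sasl_login, mail_from, directory=DIRECTORY):
    """reject_sender_login_mismatch for an authenticated client: MAIL FROM is
    looked up in smtpd_sender_login_maps and the SASL login must be one of the
    owners returned (case-insensitively); an address with no owner is rejected."""
    owners = {o.lower() for o in ldap_lookup(table, mail_from, directory)}
    return sasl_login.lower() in owners

if __name__ == "__main__":
    for name, table in (("UPN-keyed map", UPN_MAP), ("address-keyed map", MAIL_MAP)):
        for mail_from in ("jane.doe@mydomain.com", "sam.poe@mydomain.com"):
            verdict = "accept" if sender_allowed(table, "abc123@mydomain.com", mail_from) else "reject"
            print("%-17s abc123 -> MAIL FROM %-22s %s" % (name, mail_from, verdict))
```

With the address-keyed map, abc123 may send as jane.doe@ or the jdoe@ alias but is still refused sam.poe@, which belongs to another account, and a disabled account's address has no owner at all. Dropping reject_sender_login_mismatch from main.cf, as suggested above, also makes the error disappear, but it does so by letting any authenticated account put any address in MAIL FROM, including a colleague's; changing the map keeps the check in place. If inbound mail to firstname.lastname@ is also wanted, the virtual_mailbox_maps query (and Dovecot's user lookup at delivery time) must resolve the address the same way, since the posted ad_virtual_mailbox_maps.cf is likewise keyed on userPrincipalName.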