1 (edited by hata_ph 2014-06-20 13:07:19)

Topic: iredapd with AD

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: centos 6.5
- Related log if you're reporting an issue:
====

I have successfully authenticated iRedMail with AD. I noticed that iredapd will not work directly with AD because AD is missing some schema attributes from the iRedMail schema.

But is it possible that, if I replace the schema attributes in the iredapd plugin scripts with the attributes available in AD, iredapd will work? Or if I add iRedMail's schema attributes like amavisdBlackListSender to AD, will it work?

http://technet.microsoft.com/en-us/libr … 10%29.aspx


2

Re: iredapd with AD

hata_ph wrote:

But is that possible that if I replace the schema attribute under the iredapd's plugins scripts with the available attributes at AD, will iredapd work?

Should be fine. Don't forget to update related LDAP query filter.

3

Re: iredapd with AD

It seems amavisd needs to connect to LDAP to work. As a temporary solution I have to disable amavisd first; I will report back after I dig more into amavisd.

Jun 20 17:44:47 mail1 postfix/qmgr[3039]: DBECB429AF: from=<test1@example.lan>, size=533, nrcpt=1 (queue active)
Jun 20 17:44:47 mail1 amavis[2296]: (02296-01) (!)connect_to_ldap: unable to connect to host 127.0.0.1
Jun 20 17:44:47 mail1 amavis[2296]: (02296-01) (!!)TROUBLE in process_request: connect_to_ldap: unable to connect at (eval 115) line 149, <DATA> line 522.
Jun 20 17:44:47 mail1 amavis[2296]: (02296-01) (!)Requesting process rundown after fatal error
Jun 20 17:44:47 mail1 postfix/smtp[3048]: DBECB429AF: to=<test1@example.lan>, relay=127.0.0.1[127.0.0.1]:10024, delay=163, delays=163/0.01/0/0.01, dsn=4.3.2, status=deferred (host 127.0.0.1[127.0.0.1] said: 421 4.3.2 Service shutting down, closing channel (in reply to MAIL FROM command))

4

Re: iredapd with AD

I have manually added mailBlacklistRecipient and mailWhitelistRecipient to AD, but it seems iredapd has a custom search filter. Where can I edit the query filter?

[root@mail1 ~]# ldapsearch -x -h adsvr -b dc=example,dc=lan -D cn=administrator,cn=users,dc=example,dc=lan -W '(&(mail=test1@fatimah.lan))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=lan> with scope subtree
# filter: (&(mail=test1@example.lan))
# requesting: ALL
#

# test1, Users, example.lan
dn: CN=test1,CN=Users,DC=example,DC=lan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
givenName: test1
distinguishedName: CN=test1,CN=Users,DC=example,DC=lan
instanceType: 4
whenCreated: 20140617024241.0Z
whenChanged: 20140620095619.0Z
displayName: test1
uSNCreated: 24629
memberOf: CN=testgroups1,CN=Users,DC=example,DC=lan
uSNChanged: 45166
name: test1
objectGUID:: RIyuPNU/BkSScwP6R19SaQ==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 130476996560631676
lastLogoff: 0
lastLogon: 130476996600162926
maxStorage: 104857600
pwdLastSet: 130474465616476520
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzdjOygP05JxXYveYVgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test1
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=lan
dSCorePropagationData: 20140617061111.0Z
dSCorePropagationData: 20140617024241.0Z
dSCorePropagationData: 16010101000001.0Z
lastLogonTimestamp: 130474467710343708
mail: test1@example.lan
mailBlacklistRecipient: @example.lan
mailWhitelistRecipient: test2@example.lan

# search reference
ref: ldap://ForestDnsZones.example.lan/DC=ForestDnsZones,DC=example,DC=lan

# search reference
ref: ldap://DomainDnsZones.example.lan/DC=DomainDnsZones,DC=example,DC=lan

# search reference
ref: ldap://example.lan/CN=Configuration,DC=example,DC=lan

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3
[root@mail1 ~]#
2014-06-20 18:09:34 INFO Starting iRedAPD (version: 1.4.3, backend: ldap), listening on 127.0.0.1:7777.
2014-06-20 18:09:34 INFO Loading plugin: ldap_amavisd_block_blacklisted_senders
2014-06-20 18:09:34 INFO Loading plugin: ldap_recipient_restrictions
2014-06-20 18:09:34 DEBUG Forking first child.
2014-06-20 18:09:34 DEBUG Creating new session
2014-06-20 18:09:34 DEBUG Forking second child.
2014-06-20 18:09:34 DEBUG Setting umask
2014-06-20 18:09:34 DEBUG Changing working directory to "/"
2014-06-20 18:09:34 DEBUG Redirecting file descriptors
2014-06-20 18:10:11 DEBUG Connect from 127.0.0.1, port 43924.
2014-06-20 18:10:11 DEBUG smtp session: request=smtpd_access_policy
2014-06-20 18:10:11 DEBUG smtp session: protocol_state=RCPT
2014-06-20 18:10:11 DEBUG smtp session: protocol_name=ESMTP
2014-06-20 18:10:11 DEBUG smtp session: client_address=127.0.0.1
2014-06-20 18:10:11 DEBUG smtp session: client_name=mail1.example.lan
2014-06-20 18:10:11 DEBUG smtp session: reverse_client_name=mail1.example.lan
2014-06-20 18:10:11 DEBUG smtp session: helo_name=10.10.1.50
2014-06-20 18:10:11 DEBUG smtp session: sender=test2@example.lan
2014-06-20 18:10:11 DEBUG smtp session: recipient=test1@example.lan
2014-06-20 18:10:11 DEBUG smtp session: recipient_count=0
2014-06-20 18:10:11 DEBUG smtp session: queue_id=
2014-06-20 18:10:11 DEBUG smtp session: instance=ef3.53a40883.6d8bc.0
2014-06-20 18:10:11 DEBUG smtp session: size=0
2014-06-20 18:10:11 DEBUG smtp session: etrn_domain=
2014-06-20 18:10:11 DEBUG smtp session: stress=
2014-06-20 18:10:11 DEBUG smtp session: sasl_method=LOGIN
2014-06-20 18:10:11 DEBUG smtp session: sasl_username=test2@example.lan
2014-06-20 18:10:11 DEBUG smtp session: sasl_sender=
2014-06-20 18:10:11 DEBUG smtp session: ccert_subject=
2014-06-20 18:10:11 DEBUG smtp session: ccert_issuer=
2014-06-20 18:10:11 DEBUG smtp session: ccert_fingerprint=
2014-06-20 18:10:11 DEBUG smtp session: ccert_pubkey_fingerprint=
2014-06-20 18:10:11 DEBUG smtp session: encryption_protocol=TLSv1
2014-06-20 18:10:11 DEBUG smtp session: encryption_cipher=ECDHE-RSA-AES256-SHA
2014-06-20 18:10:11 DEBUG smtp session: encryption_keysize=256
2014-06-20 18:10:11 DEBUG LDAP connection initialied success.
2014-06-20 18:10:11 DEBUG LDAP bind success.
2014-06-20 18:10:11 DEBUG --> Apply plugin: ldap_amavisd_block_blacklisted_senders
2014-06-20 18:10:11 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2014-06-20 18:10:11 DEBUG [+] Getting LDIF data of account: test2@example.lan
2014-06-20 18:10:11 DEBUG search filter: (&(|(mail=test2@example.lan)(shadowAddress=test2@example.lan))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2014-06-20 18:10:11 DEBUG search attributes: ['objectClass', 'mailBlacklistRecipient', 'mailWhitelistRecipient']
2014-06-20 18:10:11 DEBUG <!> ERROR, result: {'info': '000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1', 'desc': 'Operations error'}
2014-06-20 18:10:11 DEBUG --> Apply plugin: ldap_recipient_restrictions
2014-06-20 18:10:11 DEBUG <-- Result: DUNNO (No sender LDIF data)
2014-06-20 18:10:11 INFO [127.0.0.1] test2@example.lan -> test1@example.lan, DUNNO
2014-06-20 18:10:11 DEBUG Connection closed
2014-06-20 18:10:11 DEBUG Close LDAP connection.
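The debug log above shows two separate problems: the filter asks for objectClass values (mailUser, mailList, mailAlias) that the AD entry from the ldapsearch output does not carry, and the "000004DC ... a successful bind must be completed" result is what AD returns when a search runs on a connection that is not authenticated, even though the client logged "bind success" (AD accepts an anonymous bind). The following Python script is an added example, not iRedAPD code: it escapes the address per RFC 4515 before interpolating it (the sender and recipient come from the SMTP client), compares the filter against the objectClass values copied from the ldapsearch output in this post, and flags the unauthenticated-search symptom in the posted log lines. The `(objectClass=user)` AD filter is an assumption of the example, not something iRedAPD ships.

```python
"""Audit an iRedAPD-style LDAP search filter against what an Active Directory
entry actually exposes.  Added example, not iRedAPD code.  The filter and the
objectClass list are copied from this thread; the AD filter is an assumption."""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value pasted into a filter.  The mail addresses
    come from the SMTP client, so they must never go into the filter raw."""
    out = []
    for ch in value:
        if ch in '\\*()' or ch == '\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def iredmail_filter(address: str) -> str:
    """The filter shape iRedAPD logged above (iRedMail OpenLDAP schema)."""
    a = escape_filter_value(address)
    return ('(&(|(mail=%s)(shadowAddress=%s))'
            '(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))'
            % (a, a))


def ad_filter(address: str) -> str:
    """Hypothetical AD-shaped filter (assumption): match on mail and on the
    structural class the ldapsearch output shows."""
    return '(&(mail=%s)(objectClass=user))' % escape_filter_value(address)


OBJECTCLASS_RE = re.compile(r'\(objectClass=([^)]+)\)', re.IGNORECASE)


def required_object_classes(ldap_filter: str) -> set:
    """Every objectClass value the filter insists on."""
    return set(OBJECTCLASS_RE.findall(ldap_filter))


def missing_object_classes(ldap_filter: str, entry_classes) -> set:
    """objectClass values the filter needs but the directory entry lacks
    (comparison is case-insensitive, as LDAP attribute values are here)."""
    present = {c.lower() for c in entry_classes}
    return {c for c in required_object_classes(ldap_filter)
            if c.lower() not in present}


def find_unauthenticated_search(log_lines) -> bool:
    """AD's 000004DC 'Operations error' means the search ran on a connection
    that is not authenticated (an anonymous bind was accepted)."""
    return any('000004DC' in line and 'Operations error' in line
               for line in log_lines)


# Constructed sample: objectClass values from the ldapsearch output in this post.
AD_ENTRY_CLASSES = ['top', 'person', 'organizationalPerson', 'user']

# Constructed sample log excerpt, trimmed from the iRedAPD debug log above.
SAMPLE_LOG = [
    "2014-06-20 18:10:11 DEBUG LDAP bind success.",
    "2014-06-20 18:10:11 DEBUG <!> ERROR, result: {'info': '000004DC: LdapErr: "
    "DSID-0C0906E8, comment: In order to perform this operation a successful "
    "bind must be completed on the connection., data 0, v1db1', "
    "'desc': 'Operations error'}",
]

if __name__ == '__main__':
    f = iredmail_filter('test2@example.lan')
    print('objectClasses missing from the AD entry:',
          sorted(missing_object_classes(f, AD_ENTRY_CLASSES)))
    print('AD-shaped filter:', ad_filter('test2@example.lan'))
    print('search ran unauthenticated:', find_unauthenticated_search(SAMPLE_LOG))
```

Run it as-is to see the three findings; when adapting a plugin, the bind DN and password configured for iRedAPD must be accepted by AD, otherwise the "bind success" line is misleading and every search fails with 000004DC.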

5

Re: iredapd with AD

For the amavisd issue,

Edit amavisd.conf with your AD credentials and modify the search filter so that it works:

# Integrate Amavisd-new with OpenLDAP.
$enable_ldap    = 1;    # 1 -> enable, 0 -> disable.
$default_ldap   = {
    hostname      => "adsvr.example.lan",
    port          => 389,
    version       => 3,
    tls           => 0,
    inet6         => 0,
    timeout       => 120,
    base          => "dc=example,dc=lan",   # search base: the domain holding the mail accounts (same as bind_dn)
    scope         => "sub",
    # Original iRedMail/OpenLDAP filter, kept for reference; AD entries carry none of these objectClasses.
    #query_filter  => "(&(objectClass=mailUser)(objectClass=amavisAccount)(accountStatus=active)(|(mail=%m)(shadowAddress=%m)))",
    query_filter  => "(&(mail=%m)(objectClass=person))",   # %m is replaced by the e-mail address being looked up
    bind_dn       => "cn=administrator,cn=users,dc=example,dc=lan",
    bind_password => "password",
};
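The config above works, but it binds to the domain controller as the domain administrator over cleartext LDAP (tls => 0) and keeps that password in amavisd.conf. The Python script below is an added example and not part of amavisd or iRedMail: it parses a `$default_ldap` block of the shape posted above and reports the settings a defender would change, then shows the same block with a dedicated read-only service account and TLS enabled. The service-account DN `cn=amavis-ldap,ou=service accounts,dc=example,dc=lan` and the `REPLACE-ME` password are placeholders of this example.

```python
"""Parse the $default_ldap hash from amavisd.conf and flag settings that weaken
the AD integration.  Added example, not amavisd or iRedMail code; the weak
sample is the block posted in this thread with the secret replaced by a
placeholder, and the hardened sample is this example's own assumption."""
import re

# One `key => value,` line of the Perl hash: a double-quoted string or a bare
# number.  Commented-out lines (like the original iRedMail filter) are skipped.
LINE_RE = re.compile(r'^\s*(\w+)\s*=>\s*(?:"([^"]*)"|(\d+))\s*,')


def parse_default_ldap(text: str) -> dict:
    """Return the hash entries as a dict (numbers become int)."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:
            key, string_value, number_value = m.groups()
            settings[key] = int(number_value) if string_value is None else string_value
    return settings


def audit_ldap_settings(settings: dict) -> list:
    """Findings a defender would raise on the parsed block."""
    findings = []
    if settings.get('tls', 0) == 0:
        findings.append('tls => 0: bind password and directory data travel in cleartext')
    dn = settings.get('bind_dn', '').lower()
    if 'administrator' in dn or 'domain admins' in dn:
        findings.append('bind_dn is a privileged account; use a dedicated read-only service account')
    if 'objectClass=mailUser' in settings.get('query_filter', ''):
        findings.append('query_filter requires objectClass mailUser, which AD entries do not carry')
    return findings


# Constructed sample: the posted block, secret replaced by a placeholder.
WEAK_CONFIG = '''
$default_ldap   = {
    hostname      => "adsvr.example.lan",
    port          => 389,
    version       => 3,
    tls           => 0,
    inet6         => 0,
    timeout       => 120,
    base          => "dc=example,dc=lan",
    scope         => "sub",
    #query_filter  => "(&(objectClass=mailUser)(objectClass=amavisAccount)(accountStatus=active)(|(mail=%m)(shadowAddress=%m)))",
    query_filter  => "(&(mail=%m)(objectClass=person))",
    bind_dn       => "cn=administrator,cn=users,dc=example,dc=lan",
    bind_password => "REPLACE-ME",
};
'''

# Constructed hardened sample (hypothetical service account, STARTTLS on).
HARDENED_CONFIG = '''
$default_ldap   = {
    hostname      => "adsvr.example.lan",
    port          => 389,
    version       => 3,
    tls           => 1,
    inet6         => 0,
    timeout       => 120,
    base          => "dc=example,dc=lan",
    scope         => "sub",
    query_filter  => "(&(mail=%m)(objectClass=user))",
    bind_dn       => "cn=amavis-ldap,ou=service accounts,dc=example,dc=lan",
    bind_password => "REPLACE-ME",
};
'''

if __name__ == '__main__':
    for name, text in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        findings = audit_ldap_settings(parse_default_ldap(text))
        print('%s: %s' % (name, findings or ['no findings']))
```

Whatever account is used, amavisd.conf still holds its password, so the file should stay readable only by root and the amavis user.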

6

Re: iredapd with AD

Hi hata_ph,

I suggest you leave this iRedAPD plugin (ldap_amavisd_block_blacklisted_senders). Check my post for more details:
http://www.iredmail.org/forum/topic7420 … rvice.html

7

Re: iredapd with AD

Ok. Does amavisd need LDAP support to work on iRedMail-0.8.7? Will amavisd still work if I disable LDAP in amavisd.conf?

8

Re: iredapd with AD

hata_ph wrote:

Does amavisd need LDAP support to work on iRedMail-0.8.7?

No, it's optional.

hata_ph wrote:

Will amavisd still work if I disable LDAP in amavisd.conf?

Yes, of course.

9

Re: iredapd with AD

Thanks for the clarification :)