1

Topic: Active Directory aliases

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  latest
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP - Windows AD
- Web server (Apache or Nginx): nginx
- Manage mail accounts with iRedAdmin-Pro? no
- Related log if you're reporting an issue:
====

Hi,

I have Windows Active Directory, let's call it: domain.local
Inside my company I built a server with iRedMail, let's name it mail.domain.local, and I've integrated it with my AD.
I also have an outside server where we store our company page, let's call it domain.com.
On domain.com I've pointed my MX to mail.domain.com and then pointed mail.domain.com to mail.domain.local, so users can log in on mail.domain.com.
Users can log on without a domain alias by setting the parameter auth_default_realm = domain.local in dovecot.conf. Of course their mail address is @domain.com.
In roundcube config.inc.php i've set $config['mail_domain'] = 'domain.com';
Everything works fine but with a minor inconvenience.
Every time a new mail account is created I have to add an alias in /etc/postfix/aliases, for example:
user: user@domain.local
Without an alias I can log into the mail but when I try to send or receive a message I get the message "Sender address rejected: User unknown in local recipient table"

How do I set an alias for an entire domain? I would like every mail that comes in on domain.com to be automatically redirected to domain.local.
I do not want to list each user individually in the aliases file.
Below are my configuration files.


dovecot -n
# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
auth_default_realm = domain.local

cat /etc/dovecot/dovecot-ldap.conf
hosts           = domain.local:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail
dnpass          = password
base            = cn=users,dc=domain,dc=local
scope           = subtree
deref           = never

user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password

default_pass_scheme = CRYPT
user_attrs      = =home=/mail/%Ld/%Ln/Maildir/,=mail=maildir:/mail/%Ld/%Ln/Maildir/


postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mail_owner = postfix
mailq_path = /usr/bin/mailq
message_size_limit = 15728640
mydestination = $myhostname, localhost, localhost.localdomain, domain.com, mail.domain.local, domain.local
myhostname = mail.domain.com
mynetworks = 127.0.0.1 [::1]
myorigin = domain.com
newaliases_path = /usr/bin/newaliases
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = texthash:/etc/postfix/postscreen_dnsbl_reply
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*3 b.barracudacentral.org=127.0.0.[2..11]*2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_directory = /var/spool/postfix
recipient_bcc_maps =
recipient_delimiter = +
relay_domains =
relay_recipient_maps =
sender_bcc_maps =
sender_dependent_relayhost_maps = proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp-amavis_destination_recipient_limit = 1
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated check_helo_access pcre:/etc/postfix/helo_access.pcre reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_recipient_restrictions = reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_local_domain = domain.local
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain reject_non_fqdn_sender reject_unlisted_sender permit_mynetworks permit_sasl_authenticated check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_dh1024_param_file = /etc/ssl/dh2048_param.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh512_param.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /mail/
virtual_mailbox_domains =
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000


cat /etc/postfix/ad_sender_login_maps.cf
server_host     = domain.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = 3C704bbade
search_base     = cn=users,dc=domain,dc=local
scope           = sub
query_filter    = (&(userPrincipalName=%u@domain.local)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName

cat /etc/postfix/ad_virtual_mailbox_maps.cf
server_host     = domain.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = 3C704bbade
search_base     = cn=users,dc=domain,dc=local
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%u@domain.local))
result_attribute= userPrincipalName
result_format   = %d/%u/Maildir/
debuglevel      = 0

cat /etc/postfix/ad_virtual_group_maps.cf
server_host     = domain.local
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = 3C704bbade
search_base     = cn=users,dc=domain,dc=local
scope           = sub
query_filter    = (&(objectClass=group)(userPrincipalName=%u@domain.local))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

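The question above asks for an alias covering a whole domain. The aliases(5) file the poster edits per user (/etc/postfix/aliases) has no domain-wide form, but the virtual(5) tables used by Postfix's virtual_alias_maps do: a single `@domain.com  @domain.local` entry rewrites every user in domain.com to the same user in domain.local, and an explicit `user@domain.com` entry takes precedence over it. The script below is an added example, not code from the thread or from iRedMail: it models the documented virtual(5) search order (user@domain first, then the @domain catch-all) and the `@otherdomain` result rewriting in Python over a constructed table, and it shows the caveat a catch-all brings, namely that every local part passes the aliasing stage, so the rewritten address must still be checked against real mailboxes or unknown users get accepted and bounced later. Whether this fits the posted setup is an assumption: domain.com must be declared in virtual_alias_domains (or, as in the posted main.cf, mydestination) and user@domain.local must actually be deliverable.

```python
# Added example: a small model of Postfix virtual(5) alias lookup, used to show
# what a domain-wide alias does. The table and mailbox list below are constructed
# for illustration; they are not from the thread or from iRedMail.

# virtual(5) search order: "user@domain" entries win, "@domain" catch-all is
# lowest precedence. A result of the form "@otherdomain" keeps the local part.
VIRTUAL_TABLE = """
# explicit entry: takes precedence over the catch-all below
postmaster@domain.com   admin@domain.local
# one line covers every user in domain.com
@domain.com             @domain.local
"""

# Constructed set of mailboxes that exist on the domain.local side.
KNOWN_MAILBOXES = {"alice@domain.local", "bob@domain.local", "admin@domain.local"}


def parse_virtual_table(text):
    """Parse 'key  result' lines into a dict; '#' comments and blank lines are skipped.
    Keys are lower-cased because mail addresses are matched case-insensitively."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {line!r}")
        table[parts[0].lower()] = parts[1].strip()
    return table


TABLE = parse_virtual_table(VIRTUAL_TABLE)


def resolve_virtual(address, table=TABLE):
    """Return the rewritten address, or None when no table entry matches."""
    addr = address.lower()
    if "@" not in addr:
        return None
    user, domain = addr.rsplit("@", 1)
    result = table.get(addr)            # 1. exact user@domain entry
    if result is None:
        result = table.get("@" + domain)  # 2. @domain catch-all (lowest precedence)
    if result is None:
        return None
    if result.startswith("@"):          # "@otherdomain" result: same user, other domain
        return user + result
    return result


def route(address, table=TABLE, mailboxes=KNOWN_MAILBOXES):
    """Apply aliasing, then verify the target is a real mailbox.

    The second step is the caveat of a catch-all: "@domain.com" accepts any
    local part at the aliasing stage, so unknown users must be rejected here
    rather than accepted and bounced after the fact."""
    target = resolve_virtual(address, table)
    if target is None:
        target = address.lower()
    if target in mailboxes:
        return ("deliver", target)
    return ("reject", target)


if __name__ == "__main__":
    for addr in ("Alice@domain.com", "postmaster@domain.com", "carol@domain.com"):
        print(addr, "->", route(addr))
```

Running the block prints one routing decision per constructed address; carol@domain.com is rewritten by the catch-all but rejected because no such mailbox exists on the domain.local side.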

2

Re: Active Directory aliases

sjurkiewicz wrote:

Users can log on without a domain alias by setting the parameter auth_default_realm = domain.local in dovecot.conf.

This is the problem.

You should update Postfix/Dovecot sql lookup files, to return the full email address with '@domain.com' (not .local).

3

Re: Active Directory aliases

Thank you for your answer, but I really don't know what I should change.

My goal is:
1. The user logs into the Roundcube using only the domain user name. If this is not possible then they can log in using user@domain.local and send and receive mail as user@domain.com.

I have tried various combinations in the files ad_*.cf, main.cf, dovecot.cf, dovecot-ldap.cf, and none of these combinations gave me the desired effect. Every time I need to manually create aliases.

Can you write what you mean by saying that I need to update Postfix/Dovecot sql lookup files, to return the full email address with '@domain.com' (not .local)?

4

Re: Active Directory aliases

sjurkiewicz wrote:

1. The user logs into the Roundcube using only the domain user name. If this is not possible then they can log in using user@domain.local and send and receive mail as user@domain.com.

Wrong again.

According to your explanation, you want "user@domain.com" everywhere, so please login as "user@domain.com", not "user@domain.local".