1 (edited by snpz 2011-12-07 17:14:22)

Topic: iredmail + Samba 4

Hi there!

I'm new to iredmail. Right now I'm using Zimbra, and authorization against a Samba 4 domain works perfectly. But Zimbra is pretty heavy, so I decided to try out iredmail on OpenVZ (Ubuntu 10.04, iredmail 0.7.3).
Followed this (http://www.iredmail.org/wiki/index.php? … y.iRedMail) manual and could log in, but I have some misunderstandings.
1) I have a Samba 4 AD domain test.ministry.gov.net and domain users test\name.surname (name.surname@ad.ministry.gov.net);
2) users have e-mails like this: name.surname@ministry.gov.net;
3) right now Zimbra allows login using name.surname@ministry.gov.net;
4) I can log in to iredmail, but only using name.surname@ad.ministry.gov.net.
Is there any option to configure authorization so that I could log in using the user's e-mail address or just name.surname?

Sorry for my poor English! :(
Update:
Besides, there are some things that didn't work out for me with the Samba 4 domain:

ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'

Modified command that works:

ldapsearch -x -h ad.example.com -D 'vmail@ad.example.com' -W -b 'cn=users,dc=example,dc=com'

The same is in:
/etc/postfix/ad_virtual_mailbox_maps.cf
/etc/postfix/ad_virtual_group_maps.cf
/etc/postfix/ad_sender_login_maps.cf
where

dn = vmail
dnpass = vmail_passwd

should be

dn = vmail@ad.example.com or ad\vmail
dnpass = vmail_passwd


2

Re: iredmail + Samba 4

snpz wrote:

Is there any option to configure authorization so that I could log in using the user's e-mail address or just name.surname?

Sure.

In the Dovecot POP3/IMAP server, configure /etc/dovecot/dovecot-ldap.conf and hard-code your domain name instead of using the user-input name. For example:

# File: /etc/dovecot/dovecot-ldap.conf
# Original settings.
#user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
#pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Modified settings.
user_filter     = (&(userPrincipalName=%n@ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%n@ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

With the above modification, you can now log in (via IMAP/POP3) with the user's email address.

Then modify /etc/dovecot/dovecot.conf, change "auth_default_realm" like this:

auth_default_realm = ministry.gov.net

Now you can log in (via IMAP/POP3) with just name.surname.

The same modification is required in the Postfix AD queries for SMTP authentication. For example:

# File: /etc/postfix/ad_sender_login_maps.cf
# Original settings.
#query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Modified settings.
query_filter    = (&(userPrincipalName=%u@ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Note: In Dovecot, '%n' is expanded to the local part of the email address; it's the same as '%u' in Postfix LDAP/AD lookups.
References:
- http://wiki.dovecot.org/Variables
- http://www.postfix.org/ldap_table.5.html
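As an added illustration (not code from this thread or from iRedMail), the following Python models how Dovecot and Postfix expand their lookup variables into the filters above, with the domain suffix hard-coded as the answer describes. It assumes, as the original poster states, that the AD userPrincipalName ends in @ad.ministry.gov.net while mail addresses end in @ministry.gov.net, so the hard-coded suffix in the filter must be the UPN suffix, not the mail domain. The user-supplied part is escaped per RFC 4515 before substitution; Postfix documents doing this quoting itself in ldap_table(5), and the example performs it explicitly so the effect on a login containing filter metacharacters is visible. The filter strings and sample logins are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Characters that must be escaped inside an LDAP search filter value
# (RFC 4515, section 3); ldap_table(5) calls the same step "RFC 2254 quoting".
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is a literal inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_address(login: str) -> Tuple[str, str]:
    """Return (local part, domain); the domain is '' when there is no '@'."""
    local, _, domain = login.partition("@")
    return local, domain


def dovecot_filter(template: str, login: str, auth_default_realm: str = "") -> str:
    """Expand %u / %n / %d the way Dovecot does for dovecot-ldap.conf.

    auth_default_realm (dovecot.conf) is appended to a login that has no
    domain before the variables are computed, so %u is user@realm,
    %n the local part and %d the domain.
    """
    if "@" not in login and auth_default_realm:
        login = f"{login}@{auth_default_realm}"
    local, domain = split_address(login)
    values = {"%u": login, "%n": local, "%d": domain}
    return re.sub(r"%[und]", lambda m: escape_filter_value(values[m.group(0)]), template)


def postfix_filter(template: str, key: str) -> Optional[str]:
    """Expand %s / %u / %d the way Postfix's ldap_table(5) does.

    %s is the whole lookup key; %u is the local part when the key is an
    address, otherwise the whole key; %d is the domain part, and a %d with
    no domain suppresses the lookup, modelled here as returning None.
    """
    local, domain = split_address(key)
    if "%d" in template and not domain:
        return None
    values = {"%s": key, "%u": local if domain else key, "%d": domain}
    return re.sub(r"%[sud]", lambda m: escape_filter_value(values[m.group(0)]), template)


# Filters shaped like the thread's, with the AD UPN suffix hard-coded
# (constructed: the poster's UPNs end in @ad.ministry.gov.net while mail
# addresses end in @ministry.gov.net, so the UPN suffix is the one to use).
AD_ENABLED = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
DOVECOT_USER_FILTER = (
    "(&(userPrincipalName=%n@ad.ministry.gov.net)(objectClass=person)" + AD_ENABLED + ")"
)
POSTFIX_QUERY_FILTER = (
    "(&(userPrincipalName=%u@ad.ministry.gov.net)(objectClass=person)" + AD_ENABLED + ")"
)


def demo() -> dict:
    """Expand the logins discussed in the thread plus one containing metacharacters."""
    return {
        # Dovecot: bare login; auth_default_realm supplies the missing domain.
        "dovecot_bare": dovecot_filter(DOVECOT_USER_FILTER, "name.surname", "ministry.gov.net"),
        # Dovecot: login with the mail domain; %n still carries only the local part.
        "dovecot_mail": dovecot_filter(DOVECOT_USER_FILTER, "name.surname@ministry.gov.net"),
        # Postfix: the key the thread passes to postmap -q.
        "postfix_bare": postfix_filter(POSTFIX_QUERY_FILTER, "name.surname"),
        # A login containing '*', '(' and ')' stays one literal attribute value.
        "dovecot_escaped": dovecot_filter(DOVECOT_USER_FILTER, "*)(objectClass=*", "ministry.gov.net"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

All three real logins expand to the same single equality match on the UPN, which is why the bare name, the mail address and the postmap key all resolve to one account; the last entry shows that the only part of the filter a client can influence is an escaped literal, while the suffix and the userAccountControl clause stay fixed by the configuration.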

3 (edited by snpz 2011-12-07 18:38:01)

Re: iredmail + Samba 4

Thanks! Will try out these settings!
Update:
It works. Now I can log in using name.surname and the e-mail shows up as name.surname@ministry.gov.net.
Tried to send a test email message and got an SMTP error (250). Any ideas?
/etc/postfix/ad_sender_login_maps.cf has the line query_filter = (&(userPrincipalName=%u@ad.ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) and "postmap -q name.surname ldap:/etc/postfix/ad_sender_login_maps.cf" returns name.surname@ad.ministry.gov.net. With userPrincipalName=%u@ministry.gov.net it doesn't return anything at all!
/etc/dovecot/dovecot-ldap.conf has user_filter = (&(userPrincipalName=%n@ad.ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(userPrincipalName=%n@ad.ministry.gov.net)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) and login works just fine!
Update No.2:
Just had to restart the server. Now there is no problem with sending e-mails. Yay!


One more thing:
How should these lines look?
As "postconf -e smtpd_sasl_local_domain='ad.ministry.gov.net'" or "postconf -e smtpd_sasl_local_domain='ministry.gov.net'"
As "postconf -e virtual_mailbox_domains='ad.ministry.gov.net'" or "postconf -e virtual_mailbox_domains='ministry.gov.net'"
As far as I understand, this should have nothing to do with authorization itself! Am I right?
I'm sorry if this is a stupid question, but I'm just starting to get familiar with Dovecot, Postfix etc.



4

Re: iredmail + Samba 4

snpz wrote:

One more thing:
How should these lines look?
As "postconf -e smtpd_sasl_local_domain='ad.ministry.gov.net'" or "postconf -e smtpd_sasl_local_domain='ministry.gov.net'"
As "postconf -e virtual_mailbox_domains='ad.ministry.gov.net'" or "postconf -e virtual_mailbox_domains='ministry.gov.net'"
As far as I understand, this should have nothing to do with authorization itself! Am I right?
I'm sorry if this is a stupid question, but I'm just starting to get familiar with Dovecot, Postfix etc.

With the commands you mentioned, we hard-code the mail domain name(s) in the Postfix config file.

Normally, we store mail domains and accounts in MySQL/OpenLDAP, so we need Postfix to query the MySQL/OpenLDAP server to get all hosted mail domains/accounts. But we have only one mail domain in AD, so we hard-code the domain name directly.