1

Topic: integration with Windows Domain

Hi there,

First of all. This is my first post here! Welcome you guys! Ive been using iredmail for the last 2 years and Im still impressed how easy and smooth it is. I dont know how I was able to set up mail server before without it!

The question: For the first time, I would like to integrate iredmail with Windows Active Directory. It will be used to authenticate mail users against windows domain. Ive red the document regarding the integration located here: http://www.iredmail.org/wiki/index.php? … y.iRedMail but I still dont get one thing. The document assumes that the windows domain and mail domain is the same (example.com). What should I change or take into consideration, if my windows domain is: mydomain.local and the mail domain is: myotherdomain.com? What if I have two mail domains and all users should be able to recieve emails from both domains?

regards,
Adrian

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: integration with Windows Domain

aaddiikk wrote:

What should I change or take into consideration, if my windows domain is: mydomain.local and the mail domain is: myotherdomain.com?

You have to modify LDAP query files of Postfix (/etc/postfix/ad_*.cf) and Dovecot (/etc/dovecot-ldap.conf).
For example, in Postfix LDAP query file:
- '%s' will be substituted by full email address
- '%u' is local  part of the email address
- '%d' is domain part of the email address

So, to use (and hard-code) a different mail domain name, please replace '%s' in Postfix LDAP query files by '%u@myotherdomain.com'.

Reference:
- Postfix manual page, ldap_table(5): http://www.postfix.org/ldap_table.5.html
- Dovecot Variables: http://wiki.dovecot.org/Variables (It's %u, %n (the same as %u in Postfix), %d).

aaddiikk wrote:

What if I have two mail domains and all users should be able to recieve emails from both domains?

I didn't test it before, you can give it a try. But i think you have to use '%s' in Postfix to query full email address instead of '%u@myotherdomain.com' to avoid hard-coded domain name.

3

Re: integration with Windows Domain

Hello all,

I'm in the same case.

I want to totally finish the "local integration" (tests, tests, and tests) to spent time on this "problem".

It seems, as usual, ZhangHuangbin had the solution, or can help us : you're the best smile

I'm gonna follow this thread and bring my bricks to the wall, if I can help.

Thanks guys smile

4

Re: integration with Windows Domain

Hey all,

I have been trying to implement this with no luck at all... the only login that is working is my AD FQD ending in ".lan"

Here's how I've adjusted the config for a separate domain.  I've repeated this in the 3 ad_*.cf

query_filter    = (&(userPrincipalName=%u@domain.ca)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

This is the Dovecot config

user_filter     = (&(userPrincipalName=%n@domain.ca)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%n@domain.ca)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

5 (edited by nicolasfo 2013-02-08 18:50:28)

Re: integration with Windows Domain

Hello,

In my case, my AD domain is called "domain.lan" and my externals domains are called "domain2.fr", "domain3.com", "domain4.biz"

So, I've made an OU called "domains" at the root of my AD tree (under "domain.lan") and I've made others OU under "domains", one for each domains I'm supposed to manage.

After this, in Dovecot :

/etc/dovecot/dovecot-ldap.conf :

hosts           = dc.domain.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail@domain.lan
dnpass          = password_of_vmail
base            = ou=domains,dc=domain,dc=lan
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/path_to_your_storage/%Ld/%Ln/Maildir/,=mail=maildir:/path_to_your_storage/mail/%Ld/%Ln/Maildir/

With this config, users must authenticate with, as username, the full email address.

Use the same config in Postfix, but beware to add the line "result_attribute= userPrincipalName" in each 3 files *_maps.cf" (I've modified only those files), beacause you'll had duplicates results with the tests commands mentionned in the howto.

Had I answered to your problem ?

Nicolas

6

Re: integration with Windows Domain

That didn't work for me. I know I must be missing something.

7

Re: integration with Windows Domain

What is you /var/log/mail.log ?

What isn't working as expected ? Did you try tests commands as mentionned in the howto ?

8 (edited by opiateESP 2013-02-14 02:21:02)

Re: integration with Windows Domain

Ok, so I have it accepting logins now but the problem is it will accept ANY login so long as the username is from AD.  I have entered the OpenLDAP query's as:

%u@domain.lan for postfix and %n@domain.lan for dovecot.  This allows user@ANYNAME.COM to login successfully.  I guess this is a semi-victory as I can now use my desired domain.  Now I just need to restrict this to only allow the domain that I wish to use.

Any thoughts?

9

Re: integration with Windows Domain

Can you post your confs files...?

With the method I've mentionned before, it cannot login using a domain wich isn't in the specified OU... Therefore, I can't help you if you don't use this trick, because I only know this one.

10

Re: integration with Windows Domain

Here's my configs. It does work, in either this format or with %s.  This allows me to choose any domain name which is not to desirable but at least it works.  I fail to understand what I should put in the 'domains' OU in active directory.  Do I put in specific OU's?  Do i place the users in the OU's? (ie. ou=Domains\ou=domain.ca\%users%).  Your help is appreciated and thanks!

Dovecot

hosts           = ad.domain.lan:389
ldap_version    = 3
auth_bind       = yes
dn              = vmail
dnpass          = Password
base            = ou=DomainUsers,dc=domain,dc=lan
scope           = subtree
deref           = never
user_filter     = (&(userPrincipalName=%n@domain.lan)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%n@domain.lan)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password
default_pass_scheme = CRYPT
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/ 

Postfix

server_host     = ad.domain.lan
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = Password
search_base     = ou=DomainUsers,dc=domain,dc=lan
scope           = sub
query_filter    = (&(userPrincipalName=%u@domain.lan)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel      = 0

11

Re: integration with Windows Domain

other question,

how did u guys add alias adresses ?

12

Re: integration with Windows Domain

Frankstar wrote:

how did u guys add alias adresses ?

You can add alias addresses manually, or with iRedAdmin-Pro (http://www.iredmail.org/admin_panel.html).

13

Re: integration with Windows Domain

i tought, that doesnt work if i use full Microsoft AD integration ?

14

Re: integration with Windows Domain

Hi Frankstar,
If you use AD, please use it's default "group" as mail list.

15

Re: integration with Windows Domain

The tutorial works fine with Samba 4 AD DS as well. Another way to serve other mail domains then the DNS name of the AD is to add uPNSuffixes. Either like this: http://support.microsoft.com/kb/243629 or by adding a uPNSuffix to an OU. I chose the latter. When using uPNSuffixes you don't have lock-in in the LDAP-searchstrings and makes the iRedmail suite somewhat more flexible.

First I added an modified account for iRedmail suite: vmailer@example.org instead of vmail@example.org.

I also did some changes to some of the files mentioned in the integration how-to:
Edit /etc/amavis/conf.d/50-user (at the bottom):
$default_ldap   = {
    hostname        => "127.0.0.1",
    port            => 389,
    version         => 3,
    tls             => 0,
    timeout         => 120,
    base            => "ou=%d,dc=example,dc=org",
    scope           => "sub",
    query_filter    => "(&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    result_attribute => "userPrincipalName",
    bind_dn         => "cn=vmailer,cn=users,dc=example,dc=org",
    bind_password   => "Pa$$w0rd",
};

Minor changes to /etc/postfix/ad_sender_login_maps.cf, /etc/postfix/ad_virtual_group_maps.cf and /etc/postfix/ad_virtual_mailbox_maps.cf:
search_base = cn=users,dc=example,dc=org -> search_base = dc=example,dc=org

Changed the following line in/etc/dovecot/dovecot-ldap.conf
base = cn=User,dc=example,dc=org -> base = ou=%d,dc=example,dc=org

Add the mail domain to /etc/postfix/transport.
Continue with editing /etc/default/slapd. Uncomment #SLAPD_NO_START=1.

Thank you
Davor

16

Re: integration with Windows Domain

Hello all,

  My domain is corp.example.com, and mail is example.com.  Can we just change the userPrincipalName attribute to mail attribute and define in ad such as emacri@example.com?

   I had this working is Postfix but couldn't get Dovecot accept login.  I have tried the above methods but no Dovecot.  I am starting over fresh with just corp.example.com to make sure all is working before I start changing things again.

Thank you, Ed

17

Re: integration with Windows Domain

You can try to hard-code mail domain name in Dovecot/Postfix config files, it's mentioned in the wiki tutorial.

18 (edited by edwardmacri 2014-06-11 02:49:00)

Re: integration with Windows Domain

Thank you for great product and support, I appreciate your fast and helpful response.

    I couldn't get hard code to work, but changing userPrincipalName attribute to mail attribute is working.  I think my original problem was dovecot doesn't like base = dc=corp,dc=example,dc=com, but since I have everything in an OU it works with base = ou=ExampleOU,dc=corp,dc=example,dc=com

Should I also edit /etc/amavis/conf.d/50-user accordingly?


Thank you, Ed

19

Re: integration with Windows Domain

edwardmacri wrote:

Should I also edit /etc/amavis/conf.d/50-user accordingly?

Yes.

BTW, Please post your own question in a new forum topic, do not hijack other's thread.