Part 7. Alternative methods for storing user settings. Using Windows AD.
- Category: Mail Server
- Published: Friday, 21 June 2019 16:12
- Written by Super User
In large organizations, mail servers and other services are often integrated with Windows AD.
Assume that we have a Windows domain named study.local and a dedicated user mailadmin with the password mailadmin, who has permission to read the LDAP tree. The domain controller has the address 192.168.0.10. Domain users must have the attribute "mail" filled in; it contains the user's mailing address. Domain groups are created to work with mail aliases, and their "mail" attribute is filled in as well. Letters that arrive for such a group must be forwarded to all users who are its members.
Configuring Postfix
First we install LDAP support in Postfix:
# apt install postfix-ldap
We add the LDAP data sources to the /etc/postfix/main.cf file:
virtual_alias_maps = hash:/etc/postfix/virtual mysql:/etc/postfix/aliase.cf ldap:/etc/postfix/ldapalias
virtual_mailbox_maps = hash:/etc/postfix/vmailbox mysql:/etc/postfix/box-sql.cf ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf
Again, we do not disable the previous settings, but add new data sources alongside them.
Next, we need to create the LDAP query files.
To resolve users' mailing addresses, we create the file /etc/postfix/ldap_virtual_mailbox_maps.cf and write to it:
server_host = 192.168.0.10
bind = yes
bind_dn = cn=mailadmin,cn=Users,dc=study,dc=local
bind_pw = mailadmin
search_base = cn=Users,dc=study,dc=local
query_filter = (&(mail=%s))
result_attribute = mail
result_format = %d/%u/
To resolve mail aliases, we create the file /etc/postfix/ldapalias and write to it:
server_host = 192.168.0.10
bind = yes
bind_dn = cn=mailadmin,cn=Users,dc=study,dc=local
bind_pw = mailadmin
search_base = cn=Users,dc=study,dc=local
query_filter = (&(objectClass=group)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
Now Postfix can receive mail by reading data from AD.
Configuring Dovecot
First, we install LDAP support in Dovecot:
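As an added illustration (not code from this page or from Postfix), a small Python model of how the two map files above resolve an address against a constructed in-memory directory: the mailbox map applies result_format, and the alias map follows member DNs the way special_result_attribute does, here including a nested group that loops back on itself (the sample entries and the loop guard are this example's own assumptions, not Postfix internals).

```python
"""Toy model of the ldap_virtual_mailbox_maps.cf and ldapalias lookups.
No real AD is contacted; DIRECTORY below is a constructed stand-in."""

# Constructed sample entries keyed by DN; "member" holds DNs as in AD.
DIRECTORY = {
    "cn=alice,cn=Users,dc=study,dc=local":
        {"objectClass": ["person"], "mail": ["alice@study.local"]},
    "cn=bob,cn=Users,dc=study,dc=local":
        {"objectClass": ["person"], "mail": ["bob@study.local"]},
    "cn=sales,cn=Users,dc=study,dc=local":
        {"objectClass": ["group"], "mail": ["sales@study.local"],
         "member": ["cn=alice,cn=Users,dc=study,dc=local",
                    "cn=staff,cn=Users,dc=study,dc=local"]},
    "cn=staff,cn=Users,dc=study,dc=local":   # nested group pointing back to sales
        {"objectClass": ["group"], "mail": ["staff@study.local"],
         "member": ["cn=bob,cn=Users,dc=study,dc=local",
                    "cn=sales,cn=Users,dc=study,dc=local"]},
}

def find_by_mail(address, object_class=None):
    """Mimic query_filter (&(objectClass=...)(mail=%s)); AD compares case-insensitively."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        mails = [m.lower() for m in attrs.get("mail", [])]
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        if address.lower() in mails and (object_class is None or object_class.lower() in classes):
            hits.append(dn)
    return hits

def mailbox_path(address):
    """ldap_virtual_mailbox_maps.cf: result_attribute = mail, result_format = %d/%u/."""
    paths = []
    for dn in find_by_mail(address):
        for mail in DIRECTORY[dn]["mail"]:
            user, domain = mail.split("@", 1)
            paths.append(f"{domain}/{user}/")
    return paths

def expand_alias(address):
    """ldapalias: only group entries match; members are expanded to their mail values."""
    recipients, seen = [], set()
    for dn in find_by_mail(address, object_class="group"):
        recipients.extend(_expand_dn(dn, seen))
    return recipients

def _expand_dn(dn, seen):
    """Follow special_result_attribute = member; a group's own mail is skipped in
    favour of its members (leaf_result_attribute = mail); seen guards against loops."""
    if dn in seen:
        return []
    seen.add(dn)
    entry = DIRECTORY.get(dn, {})
    if "member" in entry:
        return [addr for m in entry["member"] for addr in _expand_dn(m, seen)]
    return list(entry.get("mail", []))
```

A plain user address yields nothing from the alias map and is then resolved by the mailbox map, which is why the two maps can coexist in virtual_alias_maps and virtual_mailbox_maps. Note that both map files carry bind_pw in clear text, so they must not be world-readable.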
# apt install dovecot-ldap
Uncomment the following line in the file /etc/dovecot/conf.d/10-auth.conf:
!include auth-ldap.conf.ext
And again, we do not disable the old data sources, but simply add a new one.
In the /etc/dovecot/dovecot-ldap.conf.ext file, we provide the connection settings for the domain controller and the queries:
hosts = 192.168.0.10
auth_bind = yes
ldap_version = 3
base = cn=Users,dc=study,dc=local
dn = cn=mailadmin,cn=Users,dc=study,dc=local
dnpass = mailadmin
deref = never
scope = subtree
user_filter = (&(ObjectClass=person)(sAMAccountName=%u))
pass_filter = (&(ObjectClass=person)(sAMAccountName=%u))
Note that passwords are stored in LDAP as hashes. Because hashing is not reversible, a hash of one type cannot be converted into a hash of another type. That is why we used plaintext (PLAIN) authentication when setting up the mail server. To transfer logins and passwords securely, clients must use encrypted connections to the mail server.
You can buy the book "Mail server based on Postfix, Dovecot and RoundCube" in electronic form in the store.