1 (edited by sahmed1 2018-06-21 21:35:59)

Topic: iRedmail with AD auth

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 OPENLDAP edition.
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap?
- Web server (Apache or Nginx): nginx - iRedAdmin v0.9 (LDAP)
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
postmap: fatal: open database domain.local/user1/Maildir/.db: No such file or directory
====


I wanted to use iRedMail with AD so the mail is held on the mail server but users can log in using their AD creds to retrieve mail.
Is this possible?
I followed https://docs.iredmail.org/active.directory.html

At section: Verify LDAP query with AD in Postfix

I can verify mail groups but not mail users.
From the error above, it's looking for a Maildir/.db but I am not sure where this should be.
Locally on my mail server, or as an attribute in AD?

Some assistance needed please.

Thanks all.


2

Re: iRedmail with AD auth

Please check log in Postfix to figure it out. You may need to increase log level in Postfix AD lookup files (/etc/postfix/ad_*.cf) to get detailed log.

3

Re: iRedmail with AD auth

I have ldap working.
I can now log in to roundcube using AD creds.

AD domain = ad.domain.com
mail domain = domain.com

When I logged in and tried to send an email, my address was shown as user@ad.domain.com instead of user@domain.com

So I clicked on edit identities and changed this.

I could still log on after this change.
I can send mail.

But any inbound mail gets bounced.

I get <user@domain.com>: user unknown
This is when replying to a mail received from user@domain.com to user@gmail.com.

An extract from maillog (IP and mail addresses changed):

Jul 31 13:25:46 my-server amavis[6880]: (06880-08) Passed CLEAN {RelayedInbound}, [10.10.20.2]:60556 [172.16.20.10] <user@gmail.com> -> <user@domain.com>, Queue-ID: C79D3101472, Message-ID: <5b605547.1c69fb81.8a252.5867@mx.google.com>, mail_id: Q8b-JTE9J2-J, Hits: -, size: 4427, queued_as: 21F9A101476, dkim_sd=20161025:gmail.com, 241 ms
Jul 31 13:25:46 my-server postfix/pipe[27935]: 21F9A101476: to=<user@domain.com>, relay=dovecot, delay=0.13, delays=0.05/0/0/0.08, dsn=5.1.1, status=bounced (user unknown)
Jul 31 13:25:46 my-server postfix/amavis/smtp[27860]: C79D3101472: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.47, delays=0.16/0/0/0.31, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 21F9A101476)
Jul 31 13:25:46 my-server postfix/qmgr[27239]: C79D3101472: removed
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: ldap_search_ext
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: put_filter: "(&(objectClass=group)(mail=user@gmail.com))"
Jul 31 13:25:46 myserver postfix/proxymap[27747]: dict_ldap_debug: put_filter: AND
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: put_filter_list "(objectClass=group)(mail=user@gmail.com)"
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: put_filter: "(objectClass=group)"
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: put_filter: simple
Jul 31 13:25:46 my-server postfix/proxymap[27747]: dict_ldap_debug: put_simple_filter: "objectClass=group"

Does this mean Dovecot isn't picking up the correct AD info and not finding the user, or is it trying to find gmail info in AD LDAP?

4

Re: iRedmail with AD auth

sahmed1 wrote:

Jul 31 13:25:46 my-server postfix/pipe[27935]: 21F9A101476: to=<user@domain.com>, relay=dovecot, delay=0.13, delays=0.05/0/0/0.08, dsn=5.1.1, status=bounced (user unknown)

You need to update the LDAP query settings in Postfix; make sure you query the correct LDAP attribute name and format them with the real domain name.

5

Re: iRedmail with AD auth

Thanks, found an error in ad_virtual_mailbox_maps.cf.

Now have it as:

server_host     = 10.10.10.10
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = binduser
bind_pw         = password
search_base     = ou=users,dc=ad,dc=domain,dc=com
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
result_format   = %d/%u/Maildir/
debuglevel      = 1

Now I am getting:

NOQUEUE: reject: RCPT from unknown[10.10.10.20]: 550 5.1.1 <user@domain.com>: Recipient address rejected: User unknown in virtual mailbox table

I have my test user in AD, in the correct OU, and the mail address is set to user@domain.com.

6

Re: iRedmail with AD auth

Try to query the user with postmap command:

postmap -v -q '<email-here>' ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

It will print the LDAP filter, then compare the ldap attribute name/value pairs with the user in AD. Do they match?

7

Re: iRedmail with AD auth

OK, resolved this.

If anyone else has the same issue, where the AD domain and mail domain differ, this is what I have done:

ad_virtual_mailbox_maps.cf:
query_filter    = (&(objectclass=person)(mail=%s))
result_attribute= mail
result_format   = %d/%u/Maildir

ad_virtual_group_maps.cf:
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName

ad_sender_login_maps.cf:
query_filter    = (&(mail=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= mail

dovecot-ldap.conf:
user_filter     = (&(samaccountname=%n)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(samaccountname=%n)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_attrs      = userPassword=password

Now mail is delivered to user@domain.com and login is as user@domain.com, not user@ad.domain.com.

Hope this helps someone else.
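The lookup tables from posts 5 to 7 can be reasoned about offline. The script below is an added example, not code from this thread or from iRedMail: it models how Postfix's ldap_table(5) expands %s, %u and %d into query_filter and result_format, evaluates the resulting filter against a constructed stand-in directory (two fake user objects; "olduser" is disabled via userAccountControl bit 2), and shows why the userPrincipalName-based map from post 5 returns nothing for user@domain.com while the mail-based map from post 7 yields domain.com/user/Maildir, which is what `postmap -q` in post 6 would print. It also applies the RFC 4515 escaping Postfix performs on the lookup key, so a recipient address containing filter metacharacters cannot alter the query. The filter parser and evaluator are mine and cover only the filter forms the thread uses.

```python
import re

# Constructed stand-in for the AD objects in this thread (not real data).
# userAccountControl 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_DIRECTORY = [
    {"dn": "CN=user,OU=users,DC=ad,DC=domain,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "user", "userPrincipalName": "user@ad.domain.com",
     "mail": "user@domain.com", "userAccountControl": 512},
    {"dn": "CN=olduser,OU=users,DC=ad,DC=domain,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "olduser", "userPrincipalName": "olduser@ad.domain.com",
     "mail": "olduser@domain.com", "userAccountControl": 514},
]

BIT_AND_RULE = ":1.2.840.113556.1.4.803:"   # AD's LDAP_MATCHING_RULE_BIT_AND OID

def ldap_escape(value):
    """RFC 4515 escaping of a value substituted into a filter. Postfix applies this to
    %s/%u/%d in query_filter, which is what stops a crafted address rewriting the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand(template, key, escape=True):
    """Expand %s (whole key), %u (local part), %d (domain part) and %% like ldap_table(5)."""
    user, sep, domain = key.rpartition("@")
    if not sep:
        user, domain = key, ""
    parts = {"s": key, "u": user, "d": domain}

    def sub(m):
        c = m.group(1)
        if c == "%":
            return "%"
        if c not in parts:
            raise ValueError("unsupported expansion %" + c)
        return ldap_escape(parts[c]) if escape else parts[c]
    return re.sub(r"%(.)", sub, template)

def parse_filter(s, pos=0):
    """Parse the RFC 4515 subset used in the thread: (&...), (!...), (attr=value) and
    the bitwise-AND extensible match (attr:1.2.840.113556.1.4.803:=value)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if s[pos] == "&":
        pos, subs = pos + 1, []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            subs.append(node)
        return ("and", subs), pos + 1
    if s[pos] == "!":
        node, pos = parse_filter(s, pos + 1)
        return ("not", node), pos + 1
    end = s.index(")", pos)            # escaped parens are \28 / \29, so this is safe
    attr, value = s[pos:end].split("=", 1)
    if attr.endswith(BIT_AND_RULE):
        return ("bitand", attr[:-len(BIT_AND_RULE)], int(value)), end + 1
    return ("eq", attr, ldap_unescape(value)), end + 1

def _values(entry, attr):
    """LDAP attribute names are case-insensitive: 'objectclass' finds 'objectClass'."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []

def matches(node, entry):
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = _values(entry, node[1])
    if kind == "bitand":                # true when every requested bit is set
        return any(int(v) & node[2] == node[2] for v in values)
    return any(str(v).lower() == node[2].lower() for v in values)

def postfix_ldap_lookup(table, key, directory=SAMPLE_DIRECTORY):
    """Strings Postfix would return for one key (what 'postmap -q key ldap:file' prints)."""
    node, _ = parse_filter(expand(table["query_filter"], key))
    results = []
    for entry in directory:
        if matches(node, entry):
            for v in _values(entry, table["result_attribute"]):
                # result_format is expanded against the attribute value, not the lookup key
                results.append(expand(table.get("result_format", "%s"), str(v), escape=False))
    return results

# The two ad_virtual_mailbox_maps.cf variants from the thread, plus ad_sender_login_maps.cf.
BROKEN_MAILBOX_MAP = {"query_filter": "(&(objectclass=person)(userPrincipalName=%s))",
                      "result_attribute": "userPrincipalName", "result_format": "%d/%u/Maildir/"}
FIXED_MAILBOX_MAP = {"query_filter": "(&(objectclass=person)(mail=%s))",
                     "result_attribute": "mail", "result_format": "%d/%u/Maildir"}
SENDER_LOGIN_MAP = {"query_filter": "(&(mail=%s)(objectClass=person)"
                                    "(!(userAccountControl" + BIT_AND_RULE + "=2)))",
                    "result_attribute": "mail"}
```

Running `postfix_ldap_lookup(BROKEN_MAILBOX_MAP, "user@domain.com")` returns an empty list, which is exactly the "User unknown in virtual mailbox table" situation from post 5, because the UPN in the stand-in directory is user@ad.domain.com. The fixed map returns `["domain.com/user/Maildir"]`, and the sender-login map returns nothing for the disabled "olduser" object, so a disabled AD account cannot be used as a sender even though its mail attribute still exists.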