1

Topic: External Domain with LDAP (AD) authentication

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): => Latest 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? => Installer
- Linux/BSD distribution name and version: => CentOS 7 (1810)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): => LDAP -> AD integration
- Web server (Apache or Nginx): => Nginx
- Manage mail accounts with iRedAdmin-Pro? => No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've done countless Google searches that bring me to different posts on this forum but still have not found a viable solution, if one exists. Here is the scenario I have been trying to accomplish for several weeks now over many different configurations:

(fictitious names in use)

I have a public domain name: thatoneguy.com
I have mx records pointing to a subdomain: mx.thatoneguy.com
I have an AD domain name: int.thatoneguy.com <- this is not publicly resolvable, only internal.
I have a user: john

I would like to sign into SOGo, authenticating against my AD domain -> john@int.thatoneguy.com
and be able to send and receive emails from my public domain -> john@thatoneguy.com

I know there's probably something simple that I just haven't tested but I'm losing track of what I have and have not tried. Hoping someone here might have worked this out if it is possible. If it will work with Roundcube, I'll try using that. I just preferred SOGo since it has a built-in calendar and the UI is nicer in my opinion.

Thanks,
  Kam

2

Re: External Domain with LDAP (AD) authentication

It should be very easy by just following our tutorial here:
https://docs.iredmail.org/active.directory.html

Did you try it? Any issue?
We also offer paid support for AD integration, contact us if you need assistance:
https://www.iredmail.org/support.html

----

Does my reply help a little? How about buying me a cup of coffee ($5) as an encouragement?

buy me a cup of coffee

3

Re: External Domain with LDAP (AD) authentication

ZhangHuangbin wrote:

It should be very easy by just following our tutorial here:
https://docs.iredmail.org/active.directory.html

Did you try it? Any issue?
We also offer paid support for AD integration, contact us if you need assistance:
https://www.iredmail.org/support.html


The tutorial worked flawlessly, but only if I want to send/receive mail with the AD domain, '@int.thatoneguy.com'. My most recent configuration I tried, which was the closest I could get, had the 'result_attribute' set to 'mail' in all my ad_*_maps.cf as well as in /etc/sogo/sogo.conf, the mail field under LDAP backend for authentication and directory was set to 'mail' instead of userPrincipalName. With this setup I was able to login and get the desired email address (john@thatoneguy.com) to show up, but no emails would send out until I went into /etc/postfix/main.cf and commented out 'reject unlisted sender' and changed 'smtpd_reject_unlisted_sender' to yes because postfix would say john@thatoneguy.com is an 'unknown user not found in virtual mailbox table'.

So sending mail out would work but then when trying to receive it, postfix would say the same thing about the mail being rejected because it couldn't find the user (john@thatoneguy.com) in the virtual mailbox table.

4

Re: External Domain with LDAP (AD) authentication

You need to modify the query filter and return attribute(s) in /etc/postfix/ad_*.conf, to construct proper LDAP query and result.

For example, '%s' for the full input, '%u' for the user part of the email address, '%d' for the domain, '%u@int.thatoneguy.com' for a semi-hard-coded address, etc.

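The placeholder rules in the reply above, as an added example that is not part of this thread, of iRedMail's ad_*.conf files, or of Postfix itself: a small Python model of how Postfix ldap_table(5) expands '%s', '%u' and '%d' in query_filter and result_format, run against a constructed one-entry directory so the effect of each filter on a public-domain address is visible. The directory entry, the three filters, and the function names (expand, search, lookup) are assumptions for illustration; the only Postfix facts relied on are the placeholder meanings and that Postfix quotes RFC 4515 metacharacters in the key it substitutes into query_filter, which the model reproduces so a malformed recipient address cannot change the filter.

```python
import re

# Constructed one-entry stand-in for the AD records described in the thread
# (assumption: the account carries the internal UPN and the public address in 'mail').
DIRECTORY = [
    {
        "objectClass": "user",
        "sAMAccountName": "john",
        "userPrincipalName": "john@int.thatoneguy.com",
        "mail": "john@thatoneguy.com",
    },
]


def _ldap_quote(value: str) -> str:
    """RFC 4515 escaping of filter metacharacters; Postfix applies this to the
    key it substitutes into query_filter so the key cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def expand(template: str, key: str, quote: bool = False):
    """Expand %s (whole key), %u (local part), %d (domain), %% (literal %).
    Mirrors ldap_table(5): without an '@', %u is the whole key and a template
    using %d suppresses the lookup (returned here as None). Simplified model:
    the %[SUD1-9] forms are not handled."""
    user, at, domain = key.partition("@")
    if not at:
        user, domain = key, None
    q = _ldap_quote if quote else (lambda s: s)
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            code = template[i + 1]
            if code == "s":
                out.append(q(key))
            elif code == "u":
                out.append(q(user))
            elif code == "d":
                if domain is None:
                    return None
                out.append(q(domain))
            elif code == "%":
                out.append("%")
            else:
                raise ValueError(f"placeholder %{code} not modeled")
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


# Equality-only AND matching: enough for the filters shown here, not a real LDAP parser.
_TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")


def search(directory, query_filter: str):
    """Return entries for which every (attr=value) term in the filter matches."""
    terms = _TERM.findall(query_filter)
    hits = []
    for entry in directory:
        lowered = {k.lower(): v for k, v in entry.items()}
        if all(lowered.get(a.lower(), "").lower() == v.lower() for a, v in terms):
            hits.append(entry)
    return hits


def lookup(address: str, query_filter: str,
           result_attribute: str = "userPrincipalName", result_format: str = "%s"):
    """Model one Postfix LDAP table lookup: expand the filter with the quoted key,
    search, then expand result_format with %s = the returned attribute value."""
    expanded = expand(query_filter, address, quote=True)
    if expanded is None:
        return []
    results = []
    for entry in search(DIRECTORY, expanded):
        value = entry.get(result_attribute)
        if value:
            results.append(expand(result_format, value))
    return results


if __name__ == "__main__":
    addr = "john@thatoneguy.com"
    cases = [
        ("(&(objectClass=user)(userPrincipalName=%s))", "userPrincipalName"),   # no match
        ("(&(objectClass=user)(userPrincipalName=%u@int.thatoneguy.com))", "userPrincipalName"),
        ("(&(objectClass=user)(mail=%s))", "mail"),
    ]
    for flt, attr in cases:
        print(flt, "->", lookup(addr, flt, result_attribute=attr))
```

The first filter is the shape that produces "user unknown" for the public address, because the key john@thatoneguy.com never equals the UPN; the second is the semi-hard-coded form from the reply, which rewrites the local part onto the internal domain before the search; the third looks the public address up by the 'mail' attribute directly. The same expansion applies to result_format, so the value handed back to Postfix can be reshaped the same way.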

5

Re: External Domain with LDAP (AD) authentication

I followed your advice and was able to get mail to send out from @thatoneguy.com to external domains, however when trying to send mail within the domain, postfix throws an unknown user error and bounces the mail back. I've added thatoneguy.com to /etc/hosts hoping that might help find the user, but still no luck.


journalctl -u postfix

-- Logs begin at Wed 2019-04-17 13:30:37 EDT, end at Wed 2019-04-17 13:50:06 EDT. --
Apr 17 13:31:12 mx systemd[1]: Starting Postfix Mail Transport Agent...
Apr 17 13:31:26 mx postfix/postfix-script[9670]: warning: /var/spool/postfix/etc/hosts and /etc/hosts differ
Apr 17 13:31:27 mx postfix/postfix-script[9684]: starting the Postfix mail system
Apr 17 13:31:27 mx postfix/master[9686]: daemon started -- version 2.10.1, configuration /etc/postfix
Apr 17 13:31:27 mx systemd[1]: Started Postfix Mail Transport Agent.
Apr 17 13:49:54 mx postfix/postscreen[11178]: CONNECT from [127.0.0.1]:50850 to [127.0.0.1]:25
Apr 17 13:49:54 mx postfix/postscreen[11178]: WHITELISTED [127.0.0.1]:50850
Apr 17 13:49:54 mx postfix/smtpd[11179]: connect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/smtpd[11179]: 44kqWQ5FKJz4xHTp: client=mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/cleanup[11183]: 44kqWQ5FKJz4xHTp: message-id=<25e6-5cb76780-1-7087f800@224628920>
Apr 17 13:49:54 mx postfix/smtpd[11179]: disconnect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/qmgr[9688]: 44kqWQ5FKJz4xHTp: from=<klayne@thatoneguy.com>, size=1000, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: connect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: 44kqWR3dtQz4xHV2: client=mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/cleanup[11183]: 44kqWR3dtQz4xHV2: message-id=<25e6-5cb76780-1-7087f800@224628920>
Apr 17 13:49:55 mx postfix/qmgr[9688]: 44kqWR3dtQz4xHV2: from=<klayne@thatoneguy.com>, size=2142, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: disconnect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/amavis/smtp[11190]: 44kqWQ5FKJz4xHTp: to=<test@thatoneguy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.18/0.04/0.01/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 44kqWR3dtQz4xHV2)
Apr 17 13:49:55 mx postfix/qmgr[9688]: 44kqWQ5FKJz4xHTp: removed
Apr 17 13:50:00 mx postfix/pipe[11197]: 44kqWR3dtQz4xHV2: to=<test@thatoneguy.com>, relay=dovecot, delay=4.7, delays=0/0.12/0/4.6, dsn=5.1.1, status=bounced (user unknown)
Apr 17 13:50:00 mx postfix/cleanup[11183]: 44kqWX1nDbz4xHTp: message-id=<44kqWX1nDbz4xHTp@mx.thatoneguy.com>
Apr 17 13:50:00 mx postfix/bounce[11229]: 44kqWR3dtQz4xHV2: sender non-delivery notification: 44kqWX1nDbz4xHTp
Apr 17 13:50:00 mx postfix/qmgr[9688]: 44kqWX1nDbz4xHTp: from=<>, size=4102, nrcpt=1 (queue active)
Apr 17 13:50:00 mx postfix/qmgr[9688]: 44kqWR3dtQz4xHV2: removed
Apr 17 13:50:06 mx postfix/pipe[11197]: 44kqWX1nDbz4xHTp: to=<klayne@thatoneguy.com>, relay=dovecot, delay=6, delays=0/0/0/6, dsn=5.1.1, status=bounced (user unknown)
Apr 17 13:50:06 mx postfix/qmgr[9688]: 44kqWX1nDbz4xHTp: removed

journalctl -u dovecot

-- Logs begin at Wed 2019-04-17 13:30:37 EDT, end at Wed 2019-04-17 13:50:06 EDT. --
Apr 17 13:31:12 mx systemd[1]: Starting Dovecot IMAP/POP3 email server...
Apr 17 13:31:15 mx systemd[1]: PID file /var/run/dovecot/master.pid not readable (yet?) after start.
Apr 17 13:31:15 mx dovecot[9119]: master: Dovecot v2.2.36 (1f10bfa63) starting up for pop3, imap, sieve, lmtp (core dumps disabled)
Apr 17 13:31:15 mx systemd[1]: Started Dovecot IMAP/POP3 email server.
Apr 17 13:47:42 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10322, secured, session=</o3Her2GULp/AAAB>
Apr 17 13:47:42 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=154 out=1468
Apr 17 13:47:54 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10400, secured, session=<zV+He72GbLp/AAAB>
Apr 17 13:47:54 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=219 out=1587
Apr 17 13:48:06 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10475, secured, session=<rGlJfL2Ghrp/AAAB>
Apr 17 13:48:06 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=146 out=1490
Apr 17 13:48:22 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10582, secured, session=<pGIxfb2Gprp/AAAB>
Apr 17 13:48:23 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=93 out=1128
Apr 17 13:48:34 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10656, secured, session=<gnPrfb2Gvrp/AAAB>
Apr 17 13:48:35 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=93 out=1128
Apr 17 13:49:54 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11141, secured, session=<rsmhgr2GArt/AAAB>
Apr 17 13:49:54 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=999 out=1739

I'm open to any other suggestions.
Thanks.