1

Topic: External Domain with LDAP (AD) authentication

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): => Latest 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? => Installer
- Linux/BSD distribution name and version: => CentOS 7 (1810)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): => LDAP -> AD integration
- Web server (Apache or Nginx): => Nginx
- Manage mail accounts with iRedAdmin-Pro? => No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I've done countless google searches that bring me to different posts on this forum but still have not found a viable solution, if one exists. Here is the scenario I have been trying to accomplish for several weeks now over many different configurations:

(fictitious names in use)

I have a public domain name: thatoneguy.com
I have mx records pointing to a subdomain: mx.thatoneguy.com
I have an AD domain name: int.thatoneguy.com <- this is not publicly resolvable, only internal.
I have a user: john

I would like to sign into SOGo, authenticating against my AD domain -> john@int.thatoneguy.com
and be able to send and receive emails from my public domain -> john@thatoneguy.com

I know there's probably something simple that I just haven't tested but I'm losing track of what I have and have not tried. Hoping someone here might have worked this out if it is possible. If it will work with Roundcube, I'll try using that. I just preferred SOGo since it has a built-in calendar and the UI is nicer in my opinion.

Thanks,
  Kam

2

Re: External Domain with LDAP (AD) authentication

It should be very easy by just following our tutorial here:
https://docs.iredmail.org/active.directory.html

Did you try it? Any issue?
We also offer paid support for AD integration, contact us if you need assistance:
https://www.iredmail.org/support.html

3

Re: External Domain with LDAP (AD) authentication

ZhangHuangbin wrote:

It should be very easy by just following our tutorial here:
https://docs.iredmail.org/active.directory.html

Did you try it? Any issue?
We also offer paid support for AD integration, contact us if you need assistance:
https://www.iredmail.org/support.html


The tutorial worked flawlessly, but only if I want to send/receive mail with the AD domain, '@int.thatoneguy.com'. The most recent configuration I tried, which was the closest I could get, had 'result_attribute' set to 'mail' in all my ad_*_maps.cf files; in /etc/sogo/sogo.conf, the mail field under the LDAP backend for authentication and directory was also set to 'mail' instead of userPrincipalName. With this setup I was able to log in and get the desired email address (john@thatoneguy.com) to show up, but no emails would send out until I went into /etc/postfix/main.cf, commented out 'reject unlisted sender' and changed 'smtpd_reject_unlisted_sender' to yes, because Postfix would say john@thatoneguy.com is an 'unknown user not found in virtual mailbox table'.

So sending mail out would work but then when trying to receive it, postfix would say the same thing about the mail being rejected because it couldn't find the user (john@thatoneguy.com) in the virtual mailbox table.

4

Re: External Domain with LDAP (AD) authentication

You need to modify the query filter and return attribute(s) in /etc/postfix/ad_*.conf, to construct proper LDAP query and result.

For example: '%s' for the full input, '%u' for the user part of the email address, '%d' for the domain, '%u@int.thatoneguy.com' for a semi-hard-coded address, etc.

5

Re: External Domain with LDAP (AD) authentication

I followed your advice and was able to get mail to send out from @thatoneguy.com to external domains; however, when trying to send mail within the domain, Postfix throws an unknown user error and bounces the mail back. I've added thatoneguy.com to /etc/hosts hoping that might help find the user, but still no luck.

journalctl -u postfix

-- Logs begin at Wed 2019-04-17 13:30:37 EDT, end at Wed 2019-04-17 13:50:06 EDT. --
Apr 17 13:31:12 mx systemd[1]: Starting Postfix Mail Transport Agent...
Apr 17 13:31:26 mx postfix/postfix-script[9670]: warning: /var/spool/postfix/etc/hosts and /etc/hosts differ
Apr 17 13:31:27 mx postfix/postfix-script[9684]: starting the Postfix mail system
Apr 17 13:31:27 mx postfix/master[9686]: daemon started -- version 2.10.1, configuration /etc/postfix
Apr 17 13:31:27 mx systemd[1]: Started Postfix Mail Transport Agent.
Apr 17 13:49:54 mx postfix/postscreen[11178]: CONNECT from [127.0.0.1]:50850 to [127.0.0.1]:25
Apr 17 13:49:54 mx postfix/postscreen[11178]: WHITELISTED [127.0.0.1]:50850
Apr 17 13:49:54 mx postfix/smtpd[11179]: connect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/smtpd[11179]: 44kqWQ5FKJz4xHTp: client=mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/cleanup[11183]: 44kqWQ5FKJz4xHTp: message-id=<25e6-5cb76780-1-7087f800@224628920>
Apr 17 13:49:54 mx postfix/smtpd[11179]: disconnect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/qmgr[9688]: 44kqWQ5FKJz4xHTp: from=<klayne@thatoneguy.com>, size=1000, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: connect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: 44kqWR3dtQz4xHV2: client=mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/cleanup[11183]: 44kqWR3dtQz4xHV2: message-id=<25e6-5cb76780-1-7087f800@224628920>
Apr 17 13:49:55 mx postfix/qmgr[9688]: 44kqWR3dtQz4xHV2: from=<klayne@thatoneguy.com>, size=2142, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/10025/smtpd[11196]: disconnect from mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:55 mx postfix/amavis/smtp[11190]: 44kqWQ5FKJz4xHTp: to=<test@thatoneguy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.18/0.04/0.01/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 44kqWR3dtQz4xHV2)
Apr 17 13:49:55 mx postfix/qmgr[9688]: 44kqWQ5FKJz4xHTp: removed
Apr 17 13:50:00 mx postfix/pipe[11197]: 44kqWR3dtQz4xHV2: to=<test@thatoneguy.com>, relay=dovecot, delay=4.7, delays=0/0.12/0/4.6, dsn=5.1.1, status=bounced (user unknown)
Apr 17 13:50:00 mx postfix/cleanup[11183]: 44kqWX1nDbz4xHTp: message-id=<44kqWX1nDbz4xHTp@mx.thatoneguy.com>
Apr 17 13:50:00 mx postfix/bounce[11229]: 44kqWR3dtQz4xHV2: sender non-delivery notification: 44kqWX1nDbz4xHTp
Apr 17 13:50:00 mx postfix/qmgr[9688]: 44kqWX1nDbz4xHTp: from=<>, size=4102, nrcpt=1 (queue active)
Apr 17 13:50:00 mx postfix/qmgr[9688]: 44kqWR3dtQz4xHV2: removed
Apr 17 13:50:06 mx postfix/pipe[11197]: 44kqWX1nDbz4xHTp: to=<klayne@thatoneguy.com>, relay=dovecot, delay=6, delays=0/0/0/6, dsn=5.1.1, status=bounced (user unknown)
Apr 17 13:50:06 mx postfix/qmgr[9688]: 44kqWX1nDbz4xHTp: removed

journalctl -u dovecot

-- Logs begin at Wed 2019-04-17 13:30:37 EDT, end at Wed 2019-04-17 13:50:06 EDT. --
Apr 17 13:31:12 mx systemd[1]: Starting Dovecot IMAP/POP3 email server...
Apr 17 13:31:15 mx systemd[1]: PID file /var/run/dovecot/master.pid not readable (yet?) after start.
Apr 17 13:31:15 mx dovecot[9119]: master: Dovecot v2.2.36 (1f10bfa63) starting up for pop3, imap, sieve, lmtp (core dumps disabled)
Apr 17 13:31:15 mx systemd[1]: Started Dovecot IMAP/POP3 email server.
Apr 17 13:47:42 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10322, secured, session=</o3Her2GULp/AAAB>
Apr 17 13:47:42 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=154 out=1468
Apr 17 13:47:54 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10400, secured, session=<zV+He72GbLp/AAAB>
Apr 17 13:47:54 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=219 out=1587
Apr 17 13:48:06 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10475, secured, session=<rGlJfL2Ghrp/AAAB>
Apr 17 13:48:06 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=146 out=1490
Apr 17 13:48:22 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10582, secured, session=<pGIxfb2Gprp/AAAB>
Apr 17 13:48:23 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=93 out=1128
Apr 17 13:48:34 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=10656, secured, session=<gnPrfb2Gvrp/AAAB>
Apr 17 13:48:35 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=93 out=1128
Apr 17 13:49:54 mx dovecot[9265]: imap-login: Login: user=<klayne@int.thatoneguy.com>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=11141, secured, session=<rsmhgr2GArt/AAAB>
Apr 17 13:49:54 mx dovecot[9265]: imap(klayne@int.thatoneguy.com): Logged out in=999 out=1739

I'm open to any other suggestions.
Thanks.
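
The following script is an added example for this thread, not iRedMail or Postfix code: it traces the two messages from the Postfix journal excerpt above by queue ID and reports the hop that returned the failure. The log lines inside it are a constructed subset copied from the post so that it runs offline; on a live server the same parser can be fed the output of `journalctl -u postfix -o cat`.

```python
"""Trace messages through a Postfix journal excerpt by queue ID and report
which hop returned the failure.  Added example for the thread, not iRedMail
or Postfix code.  SAMPLE_LOG is a constructed subset of the lines quoted in
the post, so the script runs offline."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Apr 17 13:49:54 mx postfix/smtpd[11179]: 44kqWQ5FKJz4xHTp: client=mx.thatoneguy.com[127.0.0.1]
Apr 17 13:49:54 mx postfix/qmgr[9688]: 44kqWQ5FKJz4xHTp: from=<klayne@thatoneguy.com>, size=1000, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/qmgr[9688]: 44kqWR3dtQz4xHV2: from=<klayne@thatoneguy.com>, size=2142, nrcpt=1 (queue active)
Apr 17 13:49:55 mx postfix/amavis/smtp[11190]: 44kqWQ5FKJz4xHTp: to=<test@thatoneguy.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.97, delays=0.18/0.04/0.01/0.74, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 44kqWR3dtQz4xHV2)
Apr 17 13:50:00 mx postfix/pipe[11197]: 44kqWR3dtQz4xHV2: to=<test@thatoneguy.com>, relay=dovecot, delay=4.7, delays=0/0.12/0/4.6, dsn=5.1.1, status=bounced (user unknown)
Apr 17 13:50:00 mx postfix/bounce[11229]: 44kqWR3dtQz4xHV2: sender non-delivery notification: 44kqWX1nDbz4xHTp
Apr 17 13:50:00 mx postfix/qmgr[9688]: 44kqWX1nDbz4xHTp: from=<>, size=4102, nrcpt=1 (queue active)
Apr 17 13:50:06 mx postfix/pipe[11197]: 44kqWX1nDbz4xHTp: to=<klayne@thatoneguy.com>, relay=dovecot, delay=6, delays=0/0/0/6, dsn=5.1.1, status=bounced (user unknown)
"""

# Syslog/journald layout: "<date> <host> postfix/<prog>[<pid>]: <queue-id>: <rest>".
# Lines without a queue ID (connect/disconnect, postscreen) do not match.
_LINE = re.compile(
    r'^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>[\w./-]+)\[\d+\]: '
    r'(?P<qid>[0-9A-Za-z]{8,}): (?P<rest>.*)$')
_FROM = re.compile(r'from=<([^>]*)>')
_TO = re.compile(r'to=<([^>]*)>')
_RELAY = re.compile(r'relay=([^,]+)')
_DSN = re.compile(r'dsn=([\d.]+)')
_STATUS = re.compile(r'status=(\w+)(?: \((.*)\))?$')
_QUEUED_AS = re.compile(r'queued as ([0-9A-Za-z]+)\)')
_BOUNCE_ID = re.compile(r'non-delivery notification: ([0-9A-Za-z]+)')


def parse(log_text):
    """Return {queue_id: {'from', 'deliveries', 'next', 'bounce'}}.

    'next' is the queue ID the message got after the content filter handed
    it back on port 10025; 'bounce' is the queue ID of the generated DSN."""
    msgs = defaultdict(lambda: {'from': None, 'deliveries': [], 'next': None, 'bounce': None})
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        rec, rest = msgs[m.group('qid')], m.group('rest')
        f = _FROM.search(rest)
        if f:
            rec['from'] = f.group(1)
        t = _TO.search(rest)
        if t:
            s = _STATUS.search(rest)
            rec['deliveries'].append({
                'to': t.group(1),
                'relay': _RELAY.search(rest).group(1),
                'dsn': _DSN.search(rest).group(1),
                'status': s.group(1),
                'detail': s.group(2) or '',
            })
            q = _QUEUED_AS.search(rest)
            if q:
                rec['next'] = q.group(1)
        b = _BOUNCE_ID.search(rest)
        if b:
            rec['bounce'] = b.group(1)
    return dict(msgs)


def trace(msgs, qid):
    """Follow one message across its queue IDs; return hops as
    (queue_id, to, relay, dsn, status, detail) tuples in log order."""
    hops, seen = [], set()
    while qid in msgs and qid not in seen:
        seen.add(qid)
        for d in msgs[qid]['deliveries']:
            hops.append((qid, d['to'], d['relay'], d['dsn'], d['status'], d['detail']))
        qid = msgs[qid]['next']
    return hops


def failing_hop(msgs, qid):
    """First hop that returned a permanent (5.x.x) DSN, or None."""
    for hop in trace(msgs, qid):
        if hop[3].startswith('5.'):
            return hop
    return None


if __name__ == '__main__':
    parsed = parse(SAMPLE_LOG)
    roots = [q for q in parsed if q not in {r['next'] for r in parsed.values()}]
    for qid in roots:
        hop = failing_hop(parsed, qid)
        if hop:
            print(f"{qid}: <{hop[1]}> rejected by relay={hop[2]} ({hop[3]} {hop[5]})")
```

Run against the excerpt, the trace shows that the content-filter hop (relay 127.0.0.1:10024) accepted the message and the 5.1.1 "user unknown" came back from relay=dovecot, i.e. from the delivery agent after Postfix had already accepted the recipient (a failed virtual_mailbox_maps lookup would have been rejected at RCPT TO, as in the earlier post). The non-delivery notification to klayne@thatoneguy.com is rejected at the same hop, which is why mail fails in both directions inside the domain. Since the Dovecot log in the same post shows logins only as klayne@int.thatoneguy.com, Dovecot's own user lookup is the place to confirm that the mailbox is also known under the thatoneguy.com address.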

6

Re: External Domain with LDAP (AD) authentication

You need to tune the /etc/postfix/ad_*.conf again, verify it with command like this:

postmap -q '<email-address-here>' ldap:/etc/postfix/ad_xxx.conf

7

Re: External Domain with LDAP (AD) authentication

These are the results of running the postmap query against the login and mailbox maps.

[root@mx ~]# postmap -q klayne@thatoneguy.com ldap:/etc/postfix/ad_sender_login_maps.cf
klayne@thatoneguy.com
[root@mx ~]# postmap -q klayne@thatoneguy.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
thatoneguy.com/klayne/Maildir/

As well as my sender and mailbox maps:

ad_sender_login_maps

server_host     = ldaps://ad.int.thatoneguy.com
server_port     = 636
version         = 3
bind            = yes
start_tls       = no
bind_dn         = CN=LDAP,OU=Service Accounts,OU=Accounts,DC=int,DC=thatoneguy,DC=com
bind_pw         = %ldap_password%
search_base     = DC=int,DC=thatoneguy,DC=com
scope           = sub
query_filter    = (&(mail=%s)(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Mail,ou=Apps,dc=int,dc=thatoneguy,dc=com)(!(userAccountControl:1.2.840.1135$
result_attribute= mail
debuglevel      = 0

ad_virtual_mailbox_maps

server_host     = ldaps://ad.int.thatoneguy.com
server_port     = 636
version         = 3
bind            = yes
start_tls       = no
bind_dn         = CN=LDAP,OU=Service Accounts,OU=Accounts,DC=int,DC=thatoneguy,DC=com
bind_pw         = %ldap_password%
search_base     = DC=int,DC=thatoneguy,DC=com
scope           = sub
query_filter    = (&(objectclass=person)(mail=%s)(memberOf:1.2.840.113556.1.4.1941:=cn=Mail,ou=Apps,dc=int,dc=thatoneguy,dc=com))
result_attribute= mail
result_format   = %d/%u/Maildir/
debuglevel      = 0

I have also tried with result_attribute = userPrincipalName so the postmap query would return my internal domain info klayne@int.thatoneguy.com and int.thatoneguy.com/klayne/Maildir. However that would still result in bounced mail and user unknown.
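
To make the '%s' / '%u' / '%d' hints from post 4 and the postmap results above concrete, here is an added example (not iRedMail or Postfix code) that emulates the template expansion Postfix ldap_table(5) performs on query_filter and result_format. The query_filter, result_attribute and result_format are copied from the ad_virtual_mailbox_maps shown above; the AD server is replaced by a constructed in-memory entry, and the toy matcher only evaluates plain (attr=value) equality clauses, ignoring the extensible memberOf clause.

```python
"""Emulate the template expansion Postfix ldap_table(5) performs for the
ad_*_maps.cf files in this thread.  Added illustration, not iRedMail or
Postfix code: the AD server is a constructed in-memory entry and the toy
matcher only understands plain (attr=value) equality clauses inside (&...)."""
import re

# Characters RFC 4515 requires to be escaped inside a filter value.  Postfix
# applies this quoting to %s, %u and %d in query_filter, so a lookup key can
# never change the structure of the filter it is substituted into.
_ESCAPE = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}


def ldap_escape(value):
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def ldap_unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def expand(template, key, quote):
    """Expand %s (whole key), %u (local part) and %d (domain part).

    Postfix skips the query (query_filter) or drops the value (result_format)
    when the template uses %u or %d and the key has no '@'; None models that.
    quote=True applies RFC 4515 escaping, which Postfix does for query_filter
    but not for result_format."""
    user, sep, domain = key.rpartition('@')
    if ('%u' in template or '%d' in template) and not sep:
        return None
    q = ldap_escape if quote else (lambda v: v)
    subst = {'s': q(key), 'u': q(user), 'd': q(domain), '%': '%'}
    return re.sub(r'%([sud%])', lambda m: subst[m.group(1)], template)


# A plain equality clause.  Extensible clauses such as memberOf:<oid>:= have a
# ':' before the '=' and therefore never match this pattern (toy simplification).
_EQ_CLAUSE = re.compile(r'\(([A-Za-z]+)=([^()]*)\)')


def entry_matches(entry, expanded_filter):
    """Every plain (attr=value) clause must be satisfied by the entry;
    LDAP attribute names are case-insensitive."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return all(ldap_unescape(value) in lowered.get(attr.lower(), [])
               for attr, value in _EQ_CLAUSE.findall(expanded_filter))


def lookup(conf, key, directory):
    """What `postmap -q KEY ldap:conf` would return against `directory`."""
    flt = expand(conf['query_filter'], key, quote=True)
    if flt is None:
        return []
    results = []
    for entry in directory:
        if not entry_matches(entry, flt):
            continue
        for value in entry.get(conf['result_attribute'], []):
            out = expand(conf.get('result_format', '%s'), value, quote=False)
            if out is not None:
                results.append(out)
    return results


# query_filter / result_* copied from the ad_virtual_mailbox_maps in the post.
VIRTUAL_MAILBOX_MAPS = {
    'query_filter': '(&(objectclass=person)(mail=%s)'
                    '(memberOf:1.2.840.113556.1.4.1941:=cn=Mail,ou=Apps,dc=int,dc=thatoneguy,dc=com))',
    'result_attribute': 'mail',
    'result_format': '%d/%u/Maildir/',
}

# Constructed stand-in for the AD account discussed in the thread (not real data).
DIRECTORY = [{
    'objectClass': ['top', 'person', 'user'],
    'sAMAccountName': ['klayne'],
    'userPrincipalName': ['klayne@int.thatoneguy.com'],
    'mail': ['klayne@thatoneguy.com'],
}]


if __name__ == '__main__':
    print(expand(VIRTUAL_MAILBOX_MAPS['query_filter'], 'klayne@thatoneguy.com', quote=True))
    print(lookup(VIRTUAL_MAILBOX_MAPS, 'klayne@thatoneguy.com', DIRECTORY))
    upn_maps = dict(VIRTUAL_MAILBOX_MAPS, result_attribute='userPrincipalName')
    print(lookup(upn_maps, 'klayne@thatoneguy.com', DIRECTORY))
    print(lookup(VIRTUAL_MAILBOX_MAPS, '*@thatoneguy.com', DIRECTORY))
```

With result_attribute = mail the lookup reproduces the thatoneguy.com/klayne/Maildir/ path from the postmap output above, and switching to userPrincipalName yields int.thatoneguy.com/klayne/Maildir/ as described in the post; the two differ only because result_format takes '%d' and '%u' from whichever attribute value is returned. The last call shows the escaping: a key containing '*' is looked up as the literal string '\2a@thatoneguy.com', so a wildcard in an envelope address cannot turn a per-user lookup into a match on every mailbox.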

8

Re: External Domain with LDAP (AD) authentication

ZhangHuangbin wrote:

You need to tune the /etc/postfix/ad_*.conf again, verify it with command like this:

postmap -q '<email-address-here>' ldap:/etc/postfix/ad_xxx.conf

When I run this command, what result am I supposed to be expecting: internal AD or external domain?

Sorry for all the questions, but given the tutorial you provide for AD integration, it's nearly impossible to differentiate between the mail domain and the AD domain, since they are the same "example.com".

9

Re: External Domain with LDAP (AD) authentication

"postmap" simulates the input address for the LDAP query, and it will return the query result.
You must be clear about what the input address is, and what address you expect it to return.

And I can assure you that with this trick you can get it working with different mail domain and AD domain names, because I successfully implemented it for a client before. I'm sorry that I don't have the document right now, but I know how it works, so it's easy for me to get it working again.

Since I cannot try it on your server, I'm sorry that all I can do now is show you the direction and some hints; hope it helps.

10

Re: External Domain with LDAP (AD) authentication

So after some more tinkering I finally got it, and was able to set up white/blacklisting as well. I want to thank you for your help. I will gladly buy you a coffee!

I will also post my process once I have it all documented. Thanks again.