1 (edited by alu 2018-03-08 18:54:12)

Topic: Change default Maildir with AD integrated/iRedAdmin Login not working

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7 OPENLDAP edition
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I have the problem that I can't figure out where to change the settings so that all old and new AD users get a specific home and Maildir.
I'm running the iRedMail Mailserver, the Samba Active Directory Server and a Fileserver all on Ubuntu 16.04, all servers have a NFS share from the Fileserver mapped on /home/domainname_without_toplevel/profiles/. I installed iRedMail normally on an AD joined server and later configured AD connect with the official guide.
I want that the default homedir=/home/domainname_without_toplevel/profiles/username_without_domain and the maildir=/home/domainname_without_toplevel/profiles/username_without_domain/Maildir.
I tried many different settings in postfix (main.cf, ad***.cf) and dovecot (dovecot.conf, settings.py, default_settings.py, iredutils.py) but still the home and maildir are set to /var/vmail/vmail1/...
I'm using vmail as AD connect user with Domain Admin permissions and full rights on the mapped NFS share.
Best would be to extract the home/maildir from the AD account itself but I doubt it is possible?

Extract of the dovecot.log from first login of a new AD user:

Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Module loaded: /usr/lib/dovecot/modules/lib20_mailbox_alias_plugin.so
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Added userdb setting: mail=maildir:/var/vmail/vmail1/domain.tld/mail2/Maildir/
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Effective uid=2000, gid=2000, home=/var/vmail/vmail1/domain.tld/mail2/Maildir/
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Home dir not found: /var/vmail/vmail1/domain.tld/mail2/Maildir/
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota root: name=user backend=dict args=:proxy::quotadict
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota rule: root=user mailbox=* bytes=1073741824 messages=0
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota warning: bytes=1073741824 (100%) messages=0 reverse=no command=quota-warning 100 mail2@domain.tld
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota warning: bytes=1020054732 (95%) messages=0 reverse=no command=quota-warning 95 mail2@domain.tld
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota warning: bytes=966367641 (90%) messages=0 reverse=no command=quota-warning 90 mail2@domain.tld
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota warning: bytes=912680550 (85%) messages=0 reverse=no command=quota-warning 85 mail2@domain.tld
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Quota grace: root=user bytes=107374182 (10%)
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: dict quota: user=mail2@domain.tld, uri=proxy::quotadict, noenforcing=0
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Namespace : type=private, prefix=, sep=/, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/vmail/vmail1/domain.tld/mail2/Maildir/
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: maildir++: root=/var/vmail/vmail1/domain.tld/mail2/Maildir, index=, indexpvt=, control=, inbox=/var/vmail/vmail1/domain.tld/mail2/Maildir, alt=
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Namespace : /var/vmail/vmail1/domain.tld/mail2/Maildir doesn't exist yet, using default permissions
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Namespace : Using permissions from /var/vmail/vmail1/domain.tld/mail2/Maildir: mode=0700 gid=default
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl: initializing backend with data: vfile
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl: acl username = mail2@domain.tld
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl: owner = 1
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl vfile: Global ACLs disabled
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: Namespace : type=shared, prefix=Shared/%u/, sep=/, inbox=no, hidden=no, list=children, subscriptions=yes location=maildir:/home/domain/profiles/mail2@domain.tld/Maildir/:INDEX=/home/domain/profiles/mail2@domain.tld/Maildir/Shared/%Ld/%Ln
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: shared: root=/var/run/dovecot, index=, indexpvt=, control=, inbox=, alt=
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl: initializing backend with data: vfile
Feb  1 15:04:00 mailserver dovecot: imap(mail2@domain.tld): Debug: acl: acl username = mail2@domain.tld

Output of :~# doveadm user -u mail2@domain.tld
userdb: mail2@domain.tld
  user      : mail2@domain.tld
  home      : /var/vmail/vmail1/domain.tld/mail2/Maildir/
  mail      : maildir:/var/vmail/vmail1/domain.tld/mail2/Maildir/

I hope someone can help me in this,
Thanks in advance!
Alu


2

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

With AD integration, the maildir path is hard-coded in Dovecot config file (dovecot-ldap.conf).

3

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Thanks, now the dirs are working, I just need to figure out how to set the correct permissions on newly created files and folders.
Is there a setting or solution to use the owner of the parent folder as user for new files and folders under maildir?
Although I have inheritance enabled I see only uid and gid 2000 as owner.

Kind Regards
Alu

4

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

All mailboxes created by Dovecot will be set to owner/group "vmail:vmail" with permission 0700.
Please make sure the base directory of your mailboxes is owned by "vmail:vmail" and permission 0700.
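
Added example, not part of the thread and not iRedMail code: a shell check for the requirement stated in the reply above (mail tree owned by the mail user and group, no permission bits for group or other). The function name `audit_mailstore` is hypothetical; IDs are passed numerically, and the `-perm /077` test assumes GNU find as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a mail storage tree against the
# rule "owned by the mail user/group, no group or other permission bits".
# audit_mailstore is a hypothetical helper name.
#
# Usage: audit_mailstore BASE_DIR NUMERIC_UID NUMERIC_GID
#   e.g. audit_mailstore /var/vmail/vmail1 2000 2000   (values from the log above)
# Prints "<issue> <path>" per finding; returns 0 if clean, 1 if findings,
# 2 if BASE_DIR is not a directory.
audit_mailstore() {
    base=$1 want_uid=$2 want_gid=$3

    if [ ! -d "$base" ]; then
        echo "missing $base"
        return 2
    fi

    findings=$(
        # Entries whose numeric owner or group differs from the expected IDs.
        find "$base" \( ! -uid "$want_uid" -o ! -gid "$want_gid" \) -print |
            sed 's/^/owner /'
        # Entries granting any bit to group or other (GNU find syntax).
        # Symlinks always report mode 0777, so they are skipped.
        find "$base" ! -type l -perm /077 -print | sed 's/^/mode /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

On an NFS-backed store, run it on both the mail server and the file server with the IDs each side expects, since a mismatch shows up as `owner` findings on one side only.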

5

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Hi,
my problem with permissions is that the homedir is mapped via nfs from the fileserver to the mailserver. The fileserver doesn't know the local system account and group vmail:vmail so my current solution is, setting on the mailserver the uid and gid of vmail to the same as the vmail domain account and "Domain Admins" group, which results in correct permissions on both, the mailserver and fileserver side.
This is the only working solution atm.
mail_uid and mail_gid in dovecot.conf are also set to the domain IDs.

Although the user vmail is a domain admin and domain admins have full permissions on all files and folders, it is not working if I set vmail as file and folder owner for Maildir (on the fileserver home files and folders) with all permissions.

I haven't tried changing settings on the mapped folders directly on the mailserver because I don't want to manually change permissions every time for new users or destroy my ACLs.

Regards
Alu

6 (edited by alu 2018-03-08 01:16:44)

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Hi,
I just recognized a new problem and I didn't want to open a new thread for this issue.

Currently I can't login to iredadmin Webpage with the postmaster user, I only get the error message:
Error: {'desc': "Can't contact LDAP server"}

I haven't tried logging in to this adminsite since my Active Directory domain join but before it was working.
So am I missing any config strings and where can I find logfiles for this special website?

Thanks and Regards
Alu

7 (edited by alu 2018-03-08 18:58:36)

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Hi,
I edited the following lines in the config file /opt/www/iRedAdmin-0.8/settings.py:

ldap_uri = "ldap://ad02.domain.com:389"

ldap_basedn = "ou=user,ou=domain,dc=domain,dc=com"
ldap_domainadmin_dn = "ou=Domain_Admins,ou=user,ou=domain,dc=domain,dc=com"

ldap_bind_dn = "vmail@domain.com"
ldap_bind_password = "Password"

but now I get the error "Error: Username or password is incorrect." although I copied the username and pw from the postfix ldap config files and tested these with the ldapsearch tool. Also I'm using the normal postmaster@domain.com account for login to the admin site with the correct password.

Any help for this issue?
thx
Alu

8

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Hi Alu,

If you integrated AD in iRedMail by following our tutorial, OpenLDAP is not used anymore, and iRedAdmin-Pro doesn't work with AD, so you cannot access iRedAdmin-Pro.

9

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Hi Zhang,

I installed the free version of iRedAdmin, not the Pro version. Is this opensource version also restricted to openldap?
Greetings
Alu

10

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

alu wrote:

I installed the free version of iRedAdmin, not the Pro version. Is this opensource version also restricted to openldap?

YES.

11

Re: Change default Maildir with AD integrated/iRedAdmin Login not working

Ok, Thanks for your fast reply, then I don't need to spend any further efforts in this issue.
Regards
Alu