Hi
I've trawled search engines and am struggling with Active Directory and getting Postfix to return the correct user when sending to the alias address.
My setup is:
Active Directory M$ 2012:
The AD domain name is, for example, ad-domain.com.
User aliases are stored in proxyAddresses; aliases are in the form user...@domain.com and al...@domain.com.
The user name I obviously want to use to check for a valid user is samaccountname.
Dovecot:
Connected through to Active Directory. Users are able to log in to IMAP without any issues.
Postfix:
I've tried numerous configuration scenarios and I keep getting back to the same error of unknown user.
- I tried using
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
but this again was returning only the recipient alias as the lookup and of course failed.
In my master.cf I have/had
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/dovecot-lda -f ${sender} -d ${user}
This would return an error like:
Jun 05 07:36:30 lda: Error: user alias: Auth USER lookup failed
This is probably something in Dovecot I needed to sort out, but I thought it may be better to let Postfix do this, so I removed the dovecot transport and turned my attention to Postfix LDAP.
This is my current main.cf:
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
milter_connect_macros = j {daemon_name} v {if_name} _
milter_default_action = tempfail
mydestination = mail.domain.com, localhost.example.com, localhost, domain.com
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = reject_unknown_client_hostname
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_invalid_helo_hostname
smtpd_milters = unix:/clamav/clamav-milter.ctl
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/ssl/private/gb-bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/private/ad-domain.COM.crt
smtpd_tls_key_file = /etc/ssl/private/ad-domain.COM.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_gid_maps = static:5000
virtual_mailbox_base = /srv/mail/
virtual_mailbox_domains = hash:/etc/postfix/virtual-mailbox-domains
virtual_uid_maps = static:5000
My ldap-aliases.conf:
# Directory settings
domain = domain.com
server_host = ad01.ct.ad-domain.com
search_base = dc=ad-domain, dc=com
version = 3
# User Binding
bind = yes
bind_dn = Admini...@ad-domain.com
bind_pw = password
# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = samaccountname
result_attribute = samaccountname
result_format = /srv/mail/%u/Maildir/
verbose = 1
I probably have some invalid or duplicated entries, like leaf_result and result, but that's from hours of testing different scenarios.
But as it stands now, when I send an email into Postfix it seems to be looking up the entire recipient with the domain, e.g.
Jun 5 11:50:40 mail postfix/virtual[32553]: C3A5953C0B00: to=<us...@domain.com>, relay=virtual, delay=0.7, delays=0.64/0/0/0.05, dsn=5.1.1, status=bounced (unknown user: "us...@domain.com")
when sending to the username address.
Or
Jun 5 11:54:09 mail postfix/virtual[32581]: 5231C53C0B30: to=<al...@domain.com>, relay=virtual, delay=0.34, delays=0.27/0/0/0.07, dsn=5.1.1, status=bounced (unknown user: "al...@domain.com")
So it's taking the full recipient address and looking up on that, when what I'm wanting is for it to look up the user from samaccountname and base its lookup on that.
Now when I test the ldap-aliases.cf with postmap -q it returns correctly, so I'm a bit baffled as to where I'm going wrong.
postmap -v -q al...@domain.com ldap:/etc/postfix/ldap-users.cf
postmap: dict_ldap_connect: Binding to server ldap://192.168.0.30:389 with dn Admini...@ad-domain.com
postmap: dict_ldap_connect: Successful bind to server ldap://192.168.0.30:389 with dn Admini...@ad-domain.com
postmap: dict_ldap_connect: Cached connection handle for LDAP source /etc/postfix/ldap-users.cf
postmap: dict_ldap_lookup: /etc/postfix/ldap-users.cf: Searching with filter (&(objectclass=person)(proxyAddresses=smtp:al...@domain.com))
postmap: dict_ldap_get_values[1]: Search found 1 match(es)
postmap: dict_ldap_get_values[1]: search returned 1 value(s) for requested result attribute sAMAccountName
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned /srv/mail/user/Maildir/
/srv/mail/user/Maildir/
postmap: dict_ldap_close: Closed connection handle for LDAP source /etc/postfix/ldap-users.cf
which is exactly what I'm wanting and seems to work correctly, or am I missing something?
Thanks for looking
Brent
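To make visible what the postmap -q run above actually exercises, here is an added example (not code from the original post, and not Postfix's own implementation) that models a Postfix ldap_table(5) lookup offline in Python: the key is RFC 4515-escaped into query_filter, the filter is evaluated against a constructed directory, and the result attribute is expanded through result_format. The directory entries, the jbloggs user and the ALIAS_MAP table are assumptions made for the example. It also shows what the documented %u and %d expansions do with a value such as sAMAccountName that has no domain part, and why the escaping matters: a recipient containing `*` is searched as a literal, not as a wildcard.

```python
"""Offline model of a Postfix ldap_table(5) lookup.

Added example, not code from the original post.  DIRECTORY, the jbloggs
user and ALIAS_MAP are constructed for the example.
"""
import re

# RFC 4515 escaping of a filter value.  Postfix applies this to %s, %u and %d
# in query_filter, so a recipient address cannot alter the filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def ldap_unescape(raw: str) -> str:
    """Decode \\XX hex escapes back to the literal characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def split_address(value: str):
    """Return (local part, domain); domain is None when there is no '@'."""
    local, sep, domain = value.rpartition("@")
    return (local, domain) if sep else (value, None)

def expand(template: str, value: str, *, escape: bool):
    """Expand %s, %u and %d as ldap_table(5) documents them.

    escape=True models query_filter (value is the lookup key, escaped);
    escape=False models result_format (value is the result attribute).
    As in Postfix, %u of a value without a domain is the whole value, and
    %d of such a value drops the expansion (returns None).
    """
    local, domain = split_address(value)
    fields = {"s": value, "u": local, "d": domain}
    dropped = False

    def repl(m):
        nonlocal dropped
        field = fields[m.group(1)]
        if field is None:
            dropped = True
            return ""
        return ldap_escape(field) if escape else field

    out = re.sub(r"%([sud])", repl, template)
    return None if dropped else out

# One equality assertion inside a filter: (attr=value)
_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=((?:[^()\\]|\\.)*)\)")

def _value_pattern(raw: str) -> "re.Pattern":
    # An unescaped '*' in the filter is a substring wildcard; after decoding
    # \XX escapes every other character is literal, so a '*' that came from
    # the key matches only a literal asterisk in the directory.
    segments = [re.escape(ldap_unescape(s)) for s in raw.split("*")]
    return re.compile("^" + ".*".join(segments) + "$", re.IGNORECASE)

def _attrs(entry: dict) -> dict:
    # LDAP attribute names are case-insensitive.
    return {name.lower(): values for name, values in entry.items()}

def filter_matches(filt: str, entry: dict) -> bool:
    """Evaluate an AND filter of equality assertions against one entry."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&(a=v)(b=v)...) filters are modelled")
    attrs = _attrs(entry)
    for name, raw in _ASSERTION.findall(filt):
        pattern = _value_pattern(raw)
        if not any(pattern.match(v) for v in attrs.get(name.lower(), [])):
            return False
    return True

def ldap_lookup(directory, table: dict, key: str) -> list:
    """Return the result_format expansions a lookup of `key` yields."""
    filt = expand(table["query_filter"], key, escape=True)
    results = []
    for entry in directory:
        if filter_matches(filt, entry):
            for value in _attrs(entry).get(table["result_attribute"].lower(), []):
                formatted = expand(table["result_format"], value, escape=False)
                if formatted is not None:
                    results.append(formatted)
    return results

def count_matches(directory, filt: str) -> int:
    return sum(filter_matches(filt, e) for e in directory)

# Constructed AD-style entries.  In AD the uppercase "SMTP:" prefix marks the
# primary address; proxyAddresses matching is case-insensitive.
DIRECTORY = [
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["user"],
     "proxyAddresses": ["SMTP:user@domain.com", "smtp:alias@domain.com"]},
    {"objectClass": ["top", "person", "user"], "sAMAccountName": ["jbloggs"],
     "proxyAddresses": ["SMTP:joe.bloggs@domain.com"]},
]

# The poster's table: the result is a mailbox path (the shape a
# virtual_mailbox_maps lookup returns).
POSTER_MAP = {
    "query_filter": "(&(objectclass=person)(proxyAddresses=smtp:%s))",
    "result_attribute": "sAMAccountName",
    "result_format": "/srv/mail/%u/Maildir/",
}

# Hypothetical variant: same filter, but the result is an address (the shape
# a virtual_alias_maps lookup must return to rewrite the alias to the user).
ALIAS_MAP = dict(POSTER_MAP, result_format="%u@domain.com")

if __name__ == "__main__":
    for key in ("alias@domain.com", "user@domain.com", "*@domain.com", "nobody@domain.com"):
        print(f"{key:>18} -> {ldap_lookup(DIRECTORY, POSTER_MAP, key)}"
              f" / {ldap_lookup(DIRECTORY, ALIAS_MAP, key)}")
```

Two points the model makes concrete. First, alias_maps is consulted only by the local(8) delivery agent; a recipient that reaches virtual(8) (relay=virtual in the bounce lines above) is resolved through virtual_alias_maps, whose result must be an address, and virtual_mailbox_maps, whose result is the mailbox path, which is why the example returns the same directory hit in both shapes. Second, because the table file carries bind_pw in clear text, it should be readable by root and the Postfix user only, not world-readable.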