How to integrate E.F.A with Active Directory before 3.0.0.5

[shawniverson]

Here's a small how-to to integrate with AD

That's right, you can pull all of your email users into E.F.A. and authenticate against AD (probably any LDAP server)!

I plan on making this a configuration option in a later release of E.F.A.

For now, follow these steps.

1) Create a user and password (proxy service account) in AD to allow username lookups

2) Configure Mailwatch

Edit /var/www/html/mailscanner/conf.php

Code: Select all

// LDAP settings
define('USE_LDAP',                 '1');
define('LDAP_HOST',      'server.example.com');
define('LDAP_PORT',      '389');
define('LDAP_DN',        'DC=example,DC=com');
define('LDAP_USER',      'LDAPProxy@example.com');
define('LDAP_PASS',      'secret');
define('LDAP_SITE',      'default-first-site-name');

2) Add the following two lines (AD) to Mailwatch functions.php if using root of domain for username lookups

The following lines are needed in functions.php for this situation

Before this line (near line 2236 in function ldap_authenticate)

ldap_bind ($ds, LDAP_USER, LDAP_PASS);

Insert the following two lines immediately BEFORE:

Code: Select all

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

3) MailWatch uses proxyaddresses field in format smtp:address. If you want to use a different LDAP field for email address, such as mail, modify functions.php as follows:

Edit this line from:

$r = ldap_search ($ds, LDAP_DN, "proxyaddresses=SMTP:$USER") or die ("Could not search");

and these lines:

if (isset ($result[0]['proxyaddresses'])) {
foreach ($result[0]['proxyaddresses'] as $email) {

to:

Code: Select all

$r = ldap_search ($ds, LDAP_DN, "mail=$USER") or die ("Could not search");

Code: Select all

 if (isset ($result[0]['mail'])) {
      foreach ($result[0]['mail'] as $email) {

Install php-ldap

Code: Select all

yum install php-ldap

That's it. Enjoy!

[Mr. Happy]

Can this also be used to create a relay_recipients list?

[shawniverson]

This just instructs MailWatch to poll LDAP for a user if the user does not exist and then create the user.

So, you'll have to create your own relay_recipients list. At least for now.

Update: Read on for a method to populate relay_recipients.

[Mr. Happy]

OK. Thanks...

[godson]

Dear,

After install the E.F.A in new server, I'm can't create the AD mail address with following script, nothing display on result file, but the same script can run in old ESVA Server without any problem.

http://vnlinuxworld.blogspot.hk/2010/07 ... -maps.html

Thank!

[shawniverson]

Did you happen to install Net::LDAP module? I don't think this module is currently part of EFA...

[godson]

Yes ~ I've already install Net::LDAP module, but the output file is blank. But same config and script work in my ESVA server.

[shawniverson]

The script appears to have a problem with its default filter definition.

Code: Select all

# Play around with this to grab objects such as Contacts, Public Folders, etc.
# A minimal filter for just users with email would be:
# filter => "(&(sAMAccountName=*)(mail=*))"
         filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                    (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                    (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                    (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                    (objectCategory=group)(objectCategory=publicFolder) ))",
          control  => [ $page ],
          attrs  => "proxyAddresses",

When I comment out the filter block and add this filter instead...

Code: Select all

          filter => "(ObjectClass=user)",
          control  => [ $page ],
          attrs  => "proxyAddresses",

Viola! I have relay_recipients populated.

[godson]

>_<

I have try to fresh install the E.F.A and try again,
-----------------------------
[root@CYHK-EFA01 admin]# perl -MCPAN -e shell
Can't locate CPAN.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .).
BEGIN failed--compilation aborted.
-----------------------------
yum install perl-CPAN

Installed:
perl-CPAN.x86_64 0:1.9402-136.el6

Dependency Installed:
perl-Digest-SHA.x86_64 1:5.47-136.el6

Complete!
-----------------------------

OK Now install the Net:LDAP with default option.
perl -MCPAN -e shell
install Net::LDAP

MARSCHAP/perl-ldap-0.58.tar.gz
/usr/bin/make install -- OK
-----------------------------

Nothing happen with the script.............. only create the blank file only >_<

cpan[1]> install Net::LDAP::Control::Paged
Net::LDAP::Control::Paged is up to date (0.04).

cpan[2]> install Net::LDAP::Constant
Net::LDAP::Constant is up to date (0.22).

[shawniverson]

Try installing this package:

Code: Select all

yum install perl-POE-Component-Client-LDAP

[godson]

Great ! fresh install server an then install recommended package the script work correctly!!!
Thank!!!

But I have found another issues of relay_recipients,

All income mail go the greylist first now, then process the relay_recipients, But I think relay_recipients check should process before the greylist, since if server don't have such recipients, we don't need to waste time to record those mail information.

[ge2000]

....I think relay_recipients check should process before the greylist, since if server don't have such recipients, we don't need to waste time to record those mail information.

I prefer the way it is now. Suppose you are a spammer, if you are graylisted you still don't know if you have addressed a valid user. When you first check AD and get a user unknown you can fairly quickly do a brute force scan to identify valid users.

@developers: I vote for the way it is now.

[tjg88]

The script appears to have a problem with its default filter definition.

Code: Select all

# Play around with this to grab objects such as Contacts, Public Folders, etc.
# A minimal filter for just users with email would be:
# filter => "(&(sAMAccountName=*)(mail=*))"
         filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                    (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                    (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                    (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                    (objectCategory=group)(objectCategory=publicFolder) ))",
          control  => [ $page ],
          attrs  => "proxyAddresses",

When I comment out the filter block and add this filter instead...

Code: Select all

          filter => "(ObjectClass=user)",
          control  => [ $page ],
          attrs  => "proxyAddresses",

Viola! I have relay_recipients populated.

Shawn, what script is this? I'd like to set this up. Thanks! Tom

[shawniverson]

http://vnlinuxworld.blogspot.hk/2010/07 ... -maps.html

[perforator]

Just want to confirm that this does work well with standard LDAP servers as well.

Environment Novell GroupWise and eDirectory, I guess any LDAP3 compliant source will work.

/var/www/html/mailscanner/conf.php

Code: Select all

// LDAP settings
define('USE_LDAP',               '1');
define('LDAP_HOST',      'ldapserver.example.com');
define('LDAP_PORT',      '636');
define('LDAP_DN',        'ou=base-DN,o=organization');
define('LDAP_USER',      'cn=ldapproxy,ou=unit,o=organization');
define('LDAP_PASS',      'password');
define('LDAP_SITE',      'default');

And of course 636 or 389 is depending if one want security or not.

Also changed according to instructions in step 3) above, the email attribute to search for.

Thanks for a great job getting this project and server up and running again!!!
The best Anti-SPAM server out there!!!

[shawniverson]

[colin]

I have successfully integrated with LDAP on Windows 2008R2 on a couple of sites without any issues. However I am having real difficulties getting it to work with Small Business Server 2011. Are there any logs that I can look at to diagnose why it is not working?
If I set
define('USE_LDAP', '1');
Then I cannot login at all, either with AD accounts or with locally created ones.
If I reset it to
define('USE_LDAP', '0');
Then I can login again locally but obviously not with AD accounts

[colin]

I just found this in /etc/httpd/logs/error_log

[Sat Mar 29 21:36:04 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/login.php
[Sat Mar 29 21:36:32 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/checklogin.php
[Sat Mar 29 21:36:49 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/checklogin.php

192.168.1.5 is the IP address of the Small Business Server

Line 2294 reads:
$ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die ("Could not connect to " . LDAP_HOST);

Not sure if that helps

[shawniverson]

Code: Select all

yum install php-ldap

[colin]

Already installed

[shawniverson]

Please try reinstalling this package.

Code: Select all

yum remove php-ldap

yum install php-ldap

This package should contain the code for the ldap_connect routine. For some reason your system is unable to locate it...

[colin]

Thanks for the suggestion. Before I implemented it I ran a quick check by changing "define('USE_LDAP', '0');" to define('USE_LDAP', '1'); and it started working.

This is the second site running SBS that I have seen this on now and working in computing I know these things just don't happen without a cause. Nothing has been changed or rebooted on either system as far as I know. So that leads me to consider that it may be a timing issue on SBS as that is the only difference between the installations that I have done (All non-SBS installations have worked straight away). But I also can't understand how SBS can be aware that it is being queried by LDAP and therefore make changes to itself.

In the last case it started working 4 or 5 days after the installation. By memory I think the other installation was a similar time scale. If anyone has any ideas or theories I would welcome them. I will keep you posted as other installations are implemented.

[Giles Salle]

This just instructs MailWatch to poll LDAP for a user if the user does not exist and then create the user.

So, you'll have to create your own relay_recipients list of e cig. At least for now.

Update: Read on for a method to populate relay_recipients.

I also create some user but this is not helpful at all. I am trying to make some extra assignment with them. I hope this will help me to create them positive.

[kingramon0]

So the instructions work pretty well for logging in to Mailwatch using AD credentials. The only thing missing is that the information it shows is only for the user's primary email address and does not include any of the proxyAddresses. I can even log in using a proxyAddress, but it still only shows the primary email address. For example, the Quarantine tab does not show messages that went to my proxyAddresses.

[dodino]

It's possible to see all email addresses associated to an user with the proxyaddresses attribute? Now i can see only reports for the primary address, but we have more email addresses for a single user...

Thanks in advance,
Edoardo