How to integrate E.F.A with Active Directory before 3.0.0.5

Questions and answers about how to do stuff
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

How to integrate E.F.A with Active Directory before 3.0.0.5

Post by shawniverson »

Here's a small how-to to integrate with AD ;)

That's right, you can pull all of your email users into E.F.A. and authenticate against AD (probably any LDAP server)!

I plan on making this a configuration option in a later release of E.F.A.

For now, follow these steps.

1) Create a user and password (proxy service account) in AD to allow username lookups

2) Configure Mailwatch

Edit /var/www/html/mailscanner/conf.php

Code: Select all

// LDAP settings
define('USE_LDAP',                 '1');
define('LDAP_HOST',      'server.example.com');
define('LDAP_PORT',      '389');
define('LDAP_DN',        'DC=example,DC=com');
define('LDAP_USER',      'LDAPProxy@example.com');
define('LDAP_PASS',      'secret');
define('LDAP_SITE',      'default-first-site-name');
2) Add the following two lines (AD) to Mailwatch functions.php if using root of domain for username lookups

The following lines are needed in functions.php for this situation

Before this line (near line 2236 in function ldap_authenticate)

ldap_bind ($ds, LDAP_USER, LDAP_PASS);

Insert the following two lines immediately BEFORE:

Code: Select all

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
3) MailWatch uses proxyaddresses field in format smtp:address. If you want to use a different LDAP field for email address, such as mail, modify functions.php as follows:

Edit this line from:

$r = ldap_search ($ds, LDAP_DN, "proxyaddresses=SMTP:$USER") or die ("Could not search");

and these lines:

if (isset ($result[0]['proxyaddresses'])) {
foreach ($result[0]['proxyaddresses'] as $email) {

to:

Code: Select all

$r = ldap_search ($ds, LDAP_DN, "mail=$USER") or die ("Could not search");

Code: Select all

 if (isset ($result[0]['mail'])) {
      foreach ($result[0]['mail'] as $email) {
Install php-ldap

Code: Select all

yum install php-ldap
That's it. Enjoy!
Last edited by shawniverson on 24 Jan 2014 21:50, edited 1 time in total.
Mr. Happy
Posts: 51
Joined: 03 Jan 2014 17:07

Re: How to integrate E.F.A with Active Directory

Post by Mr. Happy »

Can this also be used to create a relay_recipients list?
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

This just instructs MailWatch to poll LDAP for a user if the user does not exist and then create the user.

So, you'll have to create your own relay_recipients list. At least for now.

Update: Read on for a method to populate relay_recipients.
Last edited by shawniverson on 09 Feb 2014 16:50, edited 1 time in total.
Mr. Happy
Posts: 51
Joined: 03 Jan 2014 17:07

Re: How to integrate E.F.A with Active Directory

Post by Mr. Happy »

OK. Thanks...
godson
Posts: 4
Joined: 07 Feb 2014 04:22

Re: How to integrate E.F.A with Active Directory

Post by godson »

Dear,

After install the E.F.A in new server, I'm can't create the AD mail address with following script, nothing display on result file, but the same script can run in old ESVA Server without any problem.

http://vnlinuxworld.blogspot.hk/2010/07 ... -maps.html

Thank!
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

Did you happen to install Net::LDAP module? I don't think this module is currently part of EFA...
godson
Posts: 4
Joined: 07 Feb 2014 04:22

Re: How to integrate E.F.A with Active Directory

Post by godson »

Yes ~ I've already install Net::LDAP module, but the output file is blank. But same config and script work in my ESVA server.
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

The script appears to have a problem with its default filter definition.

Code: Select all

# Play around with this to grab objects such as Contacts, Public Folders, etc.
# A minimal filter for just users with email would be:
# filter => "(&(sAMAccountName=*)(mail=*))"
         filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                    (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                    (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                    (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                    (objectCategory=group)(objectCategory=publicFolder) ))",
          control  => [ $page ],
          attrs  => "proxyAddresses",
When I comment out the filter block and add this filter instead...

Code: Select all

          filter => "(ObjectClass=user)",
          control  => [ $page ],
          attrs  => "proxyAddresses",
Viola! I have relay_recipients populated. :violin:
godson
Posts: 4
Joined: 07 Feb 2014 04:22

Re: How to integrate E.F.A with Active Directory

Post by godson »

>_<

I have try to fresh install the E.F.A and try again,
-----------------------------
[root@CYHK-EFA01 admin]# perl -MCPAN -e shell
Can't locate CPAN.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .).
BEGIN failed--compilation aborted.
-----------------------------
yum install perl-CPAN

Installed:
perl-CPAN.x86_64 0:1.9402-136.el6

Dependency Installed:
perl-Digest-SHA.x86_64 1:5.47-136.el6

Complete!
-----------------------------

OK Now install the Net:LDAP with default option.
perl -MCPAN -e shell
install Net::LDAP


MARSCHAP/perl-ldap-0.58.tar.gz
/usr/bin/make install -- OK
-----------------------------

Nothing happen with the script.............. only create the blank file only >_<

cpan[1]> install Net::LDAP::Control::Paged
Net::LDAP::Control::Paged is up to date (0.04).

cpan[2]> install Net::LDAP::Constant
Net::LDAP::Constant is up to date (0.22).
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

Try installing this package:

Code: Select all

yum install perl-POE-Component-Client-LDAP
godson
Posts: 4
Joined: 07 Feb 2014 04:22

Re: How to integrate E.F.A with Active Directory

Post by godson »

Great ! fresh install server an then install recommended package the script work correctly!!!
Thank!!!

But I have found another issues of relay_recipients,

All income mail go the greylist first now, then process the relay_recipients, But I think relay_recipients check should process before the greylist, since if server don't have such recipients, we don't need to waste time to record those mail information.
ge2000
Posts: 28
Joined: 23 Jan 2013 19:27

Re: How to integrate E.F.A with Active Directory

Post by ge2000 »

godson wrote:....I think relay_recipients check should process before the greylist, since if server don't have such recipients, we don't need to waste time to record those mail information.
I prefer the way it is now. Suppose you are a spammer, if you are graylisted you still don't know if you have addressed a valid user. When you first check AD and get a user unknown you can fairly quickly do a brute force scan to identify valid users.

@developers: I vote for the way it is now.
tjg88

Re: How to integrate E.F.A with Active Directory

Post by tjg88 »

shawniverson wrote:The script appears to have a problem with its default filter definition.

Code: Select all

# Play around with this to grab objects such as Contacts, Public Folders, etc.
# A minimal filter for just users with email would be:
# filter => "(&(sAMAccountName=*)(mail=*))"
         filter => "(& (mailnickname=*) (| (&(objectCategory=person)
                    (objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))
                    (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)
                    (msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))
                    (objectCategory=group)(objectCategory=publicFolder) ))",
          control  => [ $page ],
          attrs  => "proxyAddresses",
When I comment out the filter block and add this filter instead...

Code: Select all

          filter => "(ObjectClass=user)",
          control  => [ $page ],
          attrs  => "proxyAddresses",
Viola! I have relay_recipients populated. :violin:
Shawn, what script is this? I'd like to set this up. Thanks! Tom
perforator
Posts: 8
Joined: 01 Aug 2013 09:17

Re: How to integrate E.F.A with Active Directory

Post by perforator »

Just want to confirm that this does work well with standard LDAP servers as well.

Environment Novell GroupWise and eDirectory, I guess any LDAP3 compliant source will work. ;)

/var/www/html/mailscanner/conf.php

Code: Select all

// LDAP settings
define('USE_LDAP',               '1');
define('LDAP_HOST',      'ldapserver.example.com');
define('LDAP_PORT',      '636');
define('LDAP_DN',        'ou=base-DN,o=organization');
define('LDAP_USER',      'cn=ldapproxy,ou=unit,o=organization');
define('LDAP_PASS',      'password');
define('LDAP_SITE',      'default');
And of course 636 or 389 is depending if one want security or not.

Also changed according to instructions in step 3) above, the email attribute to search for.

Thanks for a great job getting this project and server up and running again!!! :clap: :clap:
The best Anti-SPAM server out there!!! :D :D :D
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

:clap:
colin
Posts: 99
Joined: 13 Feb 2014 16:09

Re: How to integrate E.F.A with Active Directory

Post by colin »

I have successfully integrated with LDAP on Windows 2008R2 on a couple of sites without any issues. However I am having real difficulties getting it to work with Small Business Server 2011. Are there any logs that I can look at to diagnose why it is not working?
If I set
define('USE_LDAP', '1');
Then I cannot login at all, either with AD accounts or with locally created ones.
If I reset it to
define('USE_LDAP', '0');
Then I can login again locally but obviously not with AD accounts
colin
Posts: 99
Joined: 13 Feb 2014 16:09

Re: How to integrate E.F.A with Active Directory

Post by colin »

I just found this in /etc/httpd/logs/error_log

[Sat Mar 29 21:36:04 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/login.php
[Sat Mar 29 21:36:32 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/checklogin.php
[Sat Mar 29 21:36:49 2014] [error] [client 192.168.1.5] PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2294, referer: http://mailprotect/mailscanner/checklogin.php

192.168.1.5 is the IP address of the Small Business Server

Line 2294 reads:
$ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die ("Could not connect to " . LDAP_HOST);

Not sure if that helps
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

Code: Select all

yum install php-ldap
colin
Posts: 99
Joined: 13 Feb 2014 16:09

Re: How to integrate E.F.A with Active Directory

Post by colin »

Already installed
User avatar
shawniverson
Posts: 3573
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: How to integrate E.F.A with Active Directory

Post by shawniverson »

Please try reinstalling this package.

Code: Select all

yum remove php-ldap

yum install php-ldap
This package should contain the code for the ldap_connect routine. For some reason your system is unable to locate it...
colin
Posts: 99
Joined: 13 Feb 2014 16:09

Re: How to integrate E.F.A with Active Directory

Post by colin »

Thanks for the suggestion. Before I implemented it I ran a quick check by changing "define('USE_LDAP', '0');" to define('USE_LDAP', '1'); and it started working.

This is the second site running SBS that I have seen this on now and working in computing I know these things just don't happen without a cause. Nothing has been changed or rebooted on either system as far as I know. So that leads me to consider that it may be a timing issue on SBS as that is the only difference between the installations that I have done (All non-SBS installations have worked straight away). But I also can't understand how SBS can be aware that it is being queried by LDAP and therefore make changes to itself.

In the last case it started working 4 or 5 days after the installation. By memory I think the other installation was a similar time scale. If anyone has any ideas or theories I would welcome them. I will keep you posted as other installations are implemented.
Giles Salle
Posts: 1
Joined: 08 May 2014 16:36

Re: How to integrate E.F.A with Active Directory

Post by Giles Salle »

shawniverson wrote:This just instructs MailWatch to poll LDAP for a user if the user does not exist and then create the user.

So, you'll have to create your own relay_recipients list of
e cig. At least for now.

Update: Read on for a method to populate relay_recipients.
I also create some user but this is not helpful at all. I am trying to make some extra assignment with them. I hope this will help me to create them positive.
kingramon0
Posts: 27
Joined: 28 Jun 2014 19:17

Re: How to integrate E.F.A with Active Directory

Post by kingramon0 »

So the instructions work pretty well for logging in to Mailwatch using AD credentials. The only thing missing is that the information it shows is only for the user's primary email address and does not include any of the proxyAddresses. I can even log in using a proxyAddress, but it still only shows the primary email address. For example, the Quarantine tab does not show messages that went to my proxyAddresses.
dodino
Posts: 2
Joined: 07 Oct 2014 08:41

Re: How to integrate E.F.A with Active Directory before 3.0.

Post by dodino »

It's possible to see all email addresses associated to an user with the proxyaddresses attribute? Now i can see only reports for the primary address, but we have more email addresses for a single user...

Thanks in advance,
Edoardo
Post Reply