First, user verification can happen at SMTP time by the MTA, e.g.: mail comes to group@domain.tld, that needs to be expanded, or mail comes to user@internal.domain.tld it needs to go to user@domain.tld. This is achieved easily on the internal postfix, by verifying against the directory, so using the same on the EFA appliance seemed prudent (as opposed to starting an smtp transaction and killing it off for probing). Ultimately, no matter what is in the SMTP transaction, EFA can verify the address without doing the silly probe of the internal postfix server. This obviously can be sped up using other methods (e.g.: periodically poll the LDAP server to create a lookup table) but I'm dealing with less than 10K messages per day. The tradeoff was a no brainer as opposed to waiting x number of minutes for a change to become live by some cron job.
User verification:
Create /etc/postfix/ldap-alias.cf:
# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3
# User Binding
bind = yes
# Postfix table files only accept '#' comments, e.g.:
# cn=LDAPService,cn=Users,dc=domain,dc=tld
# or cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap user>,<service users path>
bind_pw = <password for ldap user>
# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
result_attribute = samaccountname
result_format = %s@<sub>.<domain>.<tld>
Group verification:
Create /etc/postfix/ldap-groups.cf:
# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3
# User Binding
bind = yes
# Postfix table files only accept '#' comments, e.g.:
# cn=LDAPService,cn=Users,dc=domain,dc=tld
# or cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap username>,<service users path>
bind_pw = <password for ldap user>
# Filter
query_filter = (&(objectclass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
Run the following command to implement the new checks for inbound mail:
postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-groups.cf"
If you are using EFA as the outbound mail host, do similar for sender verification:
Create /etc/postfix/ldap-sender.cf:
# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3
# User Binding
bind = yes
# Postfix table files only accept '#' comments, e.g.:
# cn=LDAPService,cn=Users,dc=domain,dc=tld
# or cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap user>,<service users path>
bind_pw = <password for ldap user>
# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = proxyAddresses
result_attribute = sAMAccountName
-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
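Added example (editor's code, not part of the post or of EFA/Postfix): a small linter for ldap: table files like the three above. It flags lines Postfix would not treat as comments (only '#' starts a comment), a bind_pw sent over plain ldap:// without start_tls, a query_filter without %s, and a world-readable file that holds bind_pw. Hostnames, DNs and the password in the sample are constructed.

```python
import os
import re
import stat
import tempfile

KV_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)$")

def lint_ldap_table(text):
    """Return (settings, problems) for the text of one Postfix ldap: table file."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # only '#' starts a comment in a Postfix table file
        m = KV_RE.match(line)
        if not m:  # e.g. a '//' line: Postfix will complain, not ignore it
            problems.append(f"line {lineno}: not a '# comment' or 'key = value' line: {line!r}")
            continue
        settings[m.group(1).lower()] = m.group(2).strip()
    host = settings.get("server_host", "")
    if "bind_pw" in settings and host.startswith("ldap://") and settings.get("start_tls") != "yes":
        problems.append("bind_pw is set but server_host is plain ldap:// without start_tls = yes")
    if "query_filter" in settings and "%s" not in settings["query_filter"]:
        problems.append("query_filter has no %s, so every lookup would run the same filter")
    return settings, problems

def lint_ldap_table_file(path):
    """Lint the file contents and, if it carries a password, its mode bits."""
    with open(path) as fh:
        settings, problems = lint_ldap_table(fh.read())
    if "bind_pw" in settings and os.stat(path).st_mode & stat.S_IROTH:
        problems.append(f"{path} contains bind_pw but is world-readable")
    return settings, problems

# Constructed sample in the shape of the ldap-alias.cf above, with the '//' line.
SAMPLE_BAD = """\
# Directory settings
server_host = ldap://ad.example.internal:389
search_base = dc=example,dc=internal
scope = sub
version = 3
bind = yes
// cn=LDAPService,cn=Users,dc=domain,dc=tld
bind_dn = cn=ldapsvc,ou=Service Users,dc=example,dc=internal
bind_pw = not-a-real-password
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
result_attribute = samaccountname
result_format = %s@example.internal
"""
SAMPLE_GOOD = SAMPLE_BAD.replace("// ", "# ").replace("ldap://", "ldaps://").replace(":389", ":636")

def demo():
    """Write both samples with typical modes (0644 vs 0640) and return the problem lists."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text, mode in (("bad", SAMPLE_BAD, 0o644), ("good", SAMPLE_GOOD, 0o640)):
            path = os.path.join(d, f"ldap-alias-{name}.cf")
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = lint_ldap_table_file(path)[1]
    return results
```

Once a file lints clean, `postmap -q user@domain.tld ldap:/etc/postfix/ldap-alias.cf` against the live directory confirms that the lookup returns the expected internal address.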
As to mailwatch integration, I wanted to use the short username to log in, not the email address so in conf.php I have the following LDAP settings:
// LDAP settings for authentication
define('USE_LDAP', true);
define('LDAP_SSL', true);
define('LDAP_HOST', 'ldaps://server3.home.lucasit.com');
define('LDAP_PORT', '636');
define('LDAP_DN', 'DC=<subdomain>,DC=<domain>,DC=<tld>');
define('LDAP_USER', 'cn=<ldap user>,<service users path>');
define('LDAP_PASS', '<password for ldap user>');
define('LDAP_FILTER', 'sAMAccountName=%s');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'proxyaddresses');
define('LDAP_USERNAME_FIELD', 'distinguishedname');
define('LDAP_MS_AD_COMPATIBILITY', true);
Anyway, this worked for my unusual setup, so I wanted to post it someplace in the hope that it helps somebody in the future (even if that somebody is me in a few years!)