Integration notes for ActiveDirectory

DJ_L
Posts: 4
Joined: 29 Nov 2014 01:47

Integration notes for ActiveDirectory

Post by DJ_L »

So, I had the privilege of dealing with an AD DC provided by Samba getting upgraded, which no longer allows insecure connections on 389 (or at least not by default anymore), so I went about things a bit differently. I had some particular difficulty in getting mailwatch to authenticate. I have a samba AD that uses the Exchange attributes, and SOGo over Postfix provides ActiveSync. Whether I just couldn't find the correct search terms or it's not here for ldaps, I figured I'd post what I did in the event that it can help somebody else. Feel free to add or link to the respective how-tos if applicable.

First, user verification can happen at SMTP time by the MTA, e.g.: mail comes to group@domain.tld, which needs to be expanded, or mail comes to user@internal.domain.tld and needs to go to user@domain.tld. This is achieved easily on the internal postfix by verifying against the directory, so using the same on the EFA appliance seemed prudent (as opposed to starting an smtp transaction and killing it off for probing). Ultimately, no matter what is in the SMTP transaction, EFA can verify the address without doing the silly probe of the internal postfix server. This obviously can be sped up using other methods (e.g.: periodically poll the LDAP server to create a lookup table), but I'm dealing with less than 10K messages per day. The tradeoff was a no-brainer as opposed to waiting x number of minutes for a change to become live by some cron job.

User verification:

Create /etc/postfix/ldap-alias.cf:

# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3

# User Binding (Postfix table files only accept '#' comments)
bind = yes
# e.g. cn=LDAPService,cn=Users,dc=domain,dc=tld
# or   cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap user>,<service users path>
bind_pw = <password for ldap user>

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
result_attribute = samaccountname
result_format = %s@<sub>.<domain>.<tld>

Group verification:

Create /etc/postfix/ldap-groups.cf:

# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3

# User Binding (Postfix table files only accept '#' comments)
bind = yes
# e.g. cn=LDAPService,cn=Users,dc=domain,dc=tld
# or   cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap username>,<service users path>
bind_pw = <password for ldap user>

# Filter
query_filter = (&(objectclass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail

Run the following command to implement the new checks for inbound mail:

postconf -e virtual_alias_maps="ldap:/etc/postfix/ldap-alias.cf, ldap:/etc/postfix/ldap-groups.cf"


If you are using EFA as the outbound mail host, do similar for sender verification:

Create /etc/postfix/ldap-sender.cf

# Directory settings
server_host = ldaps://<fqdn of AD Server>:636
search_base = dc=<subdomain>,dc=<domain>,dc=<tld>
scope = sub
version = 3

# User Binding (Postfix table files only accept '#' comments)
bind = yes
# e.g. cn=LDAPService,cn=Users,dc=domain,dc=tld
# or   cn=ldap,ou=Service Users,dc=sub,dc=domain,dc=tld
bind_dn = cn=<ldap user>,<service users path>
bind_pw = <password for ldap user>

# Filter
query_filter = (&(objectclass=person)(proxyAddresses=smtp:%s))
leaf_result_attribute = proxyAddresses
result_attribute = sAMAccountName

To enable sender verification with authentication, in master.cf, edit the "submission" entry and add/modify the configuration with the following switches (remove any duplicates):

-o smtpd_sender_login_maps=ldap:/etc/postfix/ldap-sender.cf
-o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

As to mailwatch integration, I wanted to use the short username to log in, not the email address so in conf.php I have the following LDAP settings:

// LDAP settings for authentication
define('USE_LDAP', true);
define('LDAP_SSL', true);
define('LDAP_HOST', 'ldaps://server3.home.lucasit.com');
define('LDAP_PORT', '636');
define('LDAP_DN', 'DC=<subdomain>,DC=<domain>,DC=<tld>');
define('LDAP_USER', 'cn=<ldap user>,<service users path>');
define('LDAP_PASS', '<password for ldap user>');
define('LDAP_FILTER', 'sAMAccountName=%s');
define('LDAP_PROTOCOL_VERSION', 3);
define('LDAP_EMAIL_FIELD', 'proxyaddresses');
define('LDAP_USERNAME_FIELD', 'distinguishedname');
define('LDAP_MS_AD_COMPATIBILITY', true);

The reason that we are using distinguishedName here (and note that attributes need to be lowercase) rather than providing a prefix with the cn and the search DN as the suffix should be obvious, but you can have users anywhere in the directory for more complex layouts.

Anyway, this worked for my unusual setup, so I wanted to post someplace in the hope that it helps somebody in the future (even if that somebody is me in a few years!) :-)
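As an added example (not the post's, eFa's or Postfix's own code), here is an offline Python model of what the three lookup tables above return against a constructed directory standing in for Samba AD: it shows the RFC 4515 quoting Postfix applies to %s so an address in RCPT TO or MAIL FROM cannot rewrite the filter, the walk through member DNs (including nested groups) that special_result_attribute / leaf_result_attribute perform, and the ownership test behind smtpd_sender_login_maps. All DNs, users and the sub.domain.tld value are made up.

```python
import re

DOMAIN = "sub.domain.tld"  # stands in for <sub>.<domain>.<tld> in the post's result_format
ALICE, BOB = "cn=alice,cn=Users,dc=sub,dc=domain,dc=tld", "cn=bob,cn=Users,dc=sub,dc=domain,dc=tld"
SALES, STAFF = "cn=sales,cn=Users,dc=sub,dc=domain,dc=tld", "cn=staff,cn=Users,dc=sub,dc=domain,dc=tld"
DIRECTORY = {  # constructed sample directory, DN -> attributes (attribute names lowercased)
    ALICE: {"objectclass": ["person"], "samaccountname": ["alice"], "mail": ["alice@domain.tld"],
            "proxyaddresses": ["SMTP:alice@domain.tld", "smtp:a.smith@domain.tld"]},
    BOB: {"objectclass": ["person"], "samaccountname": ["bob"], "mail": ["bob@domain.tld"],
          "proxyaddresses": ["SMTP:bob@domain.tld"]},
    SALES: {"objectclass": ["group"], "mail": ["sales@domain.tld"], "member": [ALICE, BOB]},
    STAFF: {"objectclass": ["group"], "mail": ["staff@domain.tld"], "member": [SALES, BOB]},  # nested group
}

def build_filter(template, key):
    """query_filter with %s replaced by the RFC 4515-quoted key, as Postfix does it."""
    return template.replace("%s", re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group()), key))

def _person_with_proxy(address):
    """(&(objectclass=person)(proxyAddresses=smtp:%s)); AD compares proxyAddresses case-insensitively."""
    want = "smtp:" + address.lower()
    for attrs in DIRECTORY.values():
        if "person" in attrs["objectclass"] and want in [p.lower() for p in attrs.get("proxyaddresses", [])]:
            return attrs
    return None

def lookup_user(address):
    """ldap-alias.cf: result_attribute = samaccountname, result_format = %s@DOMAIN; None = unknown user."""
    p = _person_with_proxy(address)
    return None if p is None else "%s@%s" % (p["samaccountname"][0], DOMAIN)

def _leaf_mail(dns, seen):
    """Follow member DNs (special_result_attribute) and yield mail (leaf_result_attribute) of leaves only."""
    for dn in dns:
        if dn not in seen:  # guard against duplicate and looping memberships (Postfix: recursion_limit)
            seen.add(dn)
            attrs = DIRECTORY.get(dn, {})
            yield from (_leaf_mail(attrs["member"], seen) if "member" in attrs else attrs.get("mail", []))

def expand_group(address):
    """ldap-groups.cf: (&(objectclass=group)(mail=%s)), expanded through nested groups to member addresses."""
    groups = [a for a in DIRECTORY.values()
              if "group" in a["objectclass"] and address.lower() in [m.lower() for m in a["mail"]]]
    return list(_leaf_mail([m for g in groups for m in g["member"]], set()))

def sender_login_ok(sender, sasl_login):
    """ldap-sender.cf as smtpd_sender_login_maps: the SASL login must be the sAMAccountName owning MAIL FROM."""
    p = _person_with_proxy(sender)
    return p is not None and p["samaccountname"][0].lower() == sasl_login.lower()
```

Against the real directory, postmap -q user@domain.tld ldap:/etc/postfix/ldap-alias.cf (and likewise for the other two tables) should return what this model returns. Note that smtpd_sender_login_maps is only enforced where reject_sender_login_mismatch appears in a restriction list; the submission entry above sets the map without that restriction.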