How to integrate E.F.A with Active Directory on 3.0.0.5

shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Post by shawniverson »

Here's a small how-to to integrate with AD ;)

That's right, you can pull all of your email users into E.F.A. and authenticate against AD (probably any LDAP server)!

I plan on making this a configuration option in a later release of E.F.A.

For now, follow these steps.

1) Create a user and password (proxy service account) in AD to allow username lookups

2) Configure Mailwatch

Edit /var/www/html/mailscanner/conf.php

Code:

// LDAP settings
define('USE_LDAP',  '1');
define('LDAP_HOST', 'server.example.com');
define('LDAP_PORT', '389');
define('LDAP_DN',   'DC=example,DC=com');
define('LDAP_USER', 'LDAPProxy@example.com');
define('LDAP_PASS', 'secret');
define('LDAP_SITE', 'default-first-site-name');

Further down in the same file... change 'proxyaddresses' to 'mail' depending on your LDAP implementation.

Code:

define('LDAP_EMAIL_FIELD', 'mail');

2) Add the following two lines (AD) to Mailwatch functions.php if using root of domain for username lookups

The following lines are needed in functions.php for this situation

Before this line (near line 2280 in function ldap_authenticate)

$ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die ("Could not connect to " . LDAP_HOST);

Insert the following two lines immediately BEFORE:

Code:

ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

3) Install php-ldap

Code:

yum install php-ldap

That's it. Enjoy!
Last edited by shawniverson on 24 Jan 2014 21:50, edited 1 time in total.
mcgearytech
Posts: 9
Joined: 08 Sep 2014 17:01

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by mcgearytech »

I just wanted to say what a great product you guys have here. I have integrated and used Trend IMSVA exclusively at my job running on vmware for years. I needed a new virtual spam filter for my home mail server and I have no budget for corporate spam filtering solutions. I used ASSP in the past but setup was always very difficult and getting everything to work properly together was a very tedious job. With EFA everything is self-contained and I can honestly say I was up and running with the out of the box config in 15 minutes or less on my vmware 5.5 server. I did need to increase the default amount of RAM from 2 gigs to 4 gigs as I was running out of memory on the VM for some reason. I just finished integrating with my AD using LDAP. The interface is simple and very effective. Even a novice Linux user like myself is able to get everything working with minimal difficulty. Thanks again for all your great work on such an exciting product and I will be recommending this product to others.

Len M
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by shawniverson »

:text-bravo:
bryanyoung
Posts: 6
Joined: 10 Oct 2014 20:20

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by bryanyoung »

Just wondering... does this configuration do AD/LDAP lookups for valid recipients? If not, is there a way to do that?
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by shawniverson »

Sure is.

Take a look at this post further down....

/viewtopic.php?f=14&t=433
DJ_L
Posts: 4
Joined: 29 Nov 2014 01:47

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by DJ_L »

shawniverson wrote:<snip>I plan on making this a configuration option in a later release of E.F.A.</snip>
Any interest in doing something like this as well?

http://mailwatch.sourceforge.net/doku.p ... _from_ldap

Warning: don't try and use that verbatim, it is broken currently.
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by shawniverson »

Absolutely :D
azuercher
Posts: 10
Joined: 03 Feb 2015 20:08

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by azuercher »

I followed these steps to implement LDAP logins against an eDirectory server. The LDAP login worked right away but when I tried to turn on SSL I ran into some bumps. I was getting an error "Could not Search". I did an LDAP trace on my eDirectory server and saw this error:

Code:

TLS accept failure 1 on connection 0x13bfca80, setting err = -5875. Error stack:
   error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

After much troubleshooting and trial and error I got it to work successfully by changing the server value in conf.php from 'host.domain.com' to 'ldaps://host.domain.com'. After that it successfully logged in.

I may have also done some stuff with self-signed SSL certs. But that change above was what made it work for me. Hopefully this helps someone else out if they have a similar problem.

Thanks for the software!
phideauxx
Posts: 17
Joined: 26 Feb 2015 18:21

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by phideauxx »

I got this to work using one of the domains in my forest, but when I try to use the root domain of the forest and authenticate for other domains in the forest I can't get it to work. It will only authenticate for the forest root domain. I put in the two lines of code in the functions.php as instructed, but I'm not sure if that's only for the root of single tree domains and not for a forest. Anyone else able to get it working for an entire forest?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by pdwalker »

mcgearytech wrote:...I used ASSP in the past but setup was always very difficult and getting everything to work properly together was a very tedious job...
I was looking at both EFA and ASSP at the same time. Your observation about ASSP is both correct and completely understated. I did manage to get it working after dealing with trying to get just the right perl modules installed. I think it took me about three days to get it right. It's a very picky installation. EFA took a couple of hours, but most of that time was spent doing the centos netinstall.

I'm curious. Len, given your experience with ASSP, have you noticed any antispam features in ASSP that do not exist in EFA? Assuming everything is installed properly, does one appear to work better than the other for you?
frank67de
Posts: 4
Joined: 04 Mar 2016 08:06

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by frank67de »

Hi

Thanks for this instruction. I've got some errors after running yum install php-ldap and can't log in (bad site):

PHP Fatal error: Call to undefined function ldap_connect() in /var/www/html/mailscanner/functions.php on line 2338, referer: http://EFA/mailscanner/login.php

I think apache has to restart to recognize php-ldap :)

Please add:

4.) /etc/init.d/httpd restart

Thanks, Frank
tpospeshil
Posts: 8
Joined: 05 Mar 2016 00:05

Re: How to integrate E.F.A with Active Directory on 3.0.0.5

Post by tpospeshil »

I'm getting an error 500:
The website encountered an error while retrieving http://EFADevice/mailscanner/checklogin.php. It may be down for maintenance or configured incorrectly.

I've uninstalled and reinstalled php-ldap, and restarted httpd services a few times, but no luck.

Looking in the /var/log/httpd/error_log I see [Mon Mar 14 14:52:01 2016] [error] [client 10.5.5.5] PHP Fatal error: Call to undefined function ldap_set_options() in /var/www/html/mailscanner/functions.php on line 2339, referer: http://10.5.4.58/mailscanner/login.php? ... typassword

I'm using a password for this test user

Update: I was also unable to log in with the efaadmin account I'd created. I went back to the original conf.php file and was able to log on with efaadmin
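
Added example (not part of any post in this thread, and not EFA or MailWatch code): a shell preflight for the setup above that covers two problems reported in the replies, a plain-hostname LDAP_HOST that leaves the bind and LDAP_PASS unencrypted until it becomes an ldaps:// URI, and a call to ldap_set_options(), which is not a PHP function (the real one is ldap_set_option()). The function names and the short list of known php-ldap functions are assumptions made for this example, and it assumes a grep that supports -o.

```shell
#!/usr/bin/env bash
# Preflight checks for a MailWatch LDAP login setup (constructed example).

# Functions a bind-and-search login needs; not the full php-ldap list.
KNOWN_LDAP_FUNCS="ldap_connect ldap_set_option ldap_start_tls ldap_bind ldap_search ldap_get_entries ldap_first_entry ldap_get_dn ldap_get_values ldap_errno ldap_error ldap_unbind ldap_close"

# Print the value of define('NAME', 'value') from a conf.php-style file.
conf_value() {  # $1 = file, $2 = constant name
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# How LDAP_PASS travels during the bind: tls, starttls or cleartext.
# PHP treats a bare hostname as plain ldap:// whatever LDAP_PORT says,
# so only an ldaps:// URI or a call to ldap_start_tls() encrypts it.
ldap_transport() {  # $1 = conf.php, $2 = functions.php
  case "$(conf_value "$1" LDAP_HOST)" in
    ldaps://*) echo tls ;;
    *) if grep -q 'ldap_start_tls[[:space:]]*(' "$2"; then echo starttls
       else echo cleartext; fi ;;
  esac
}

# Print "line:name" for every ldap_* call that is neither a known php-ldap
# function nor defined in the file itself (catches misspelled names before
# they surface as "Call to undefined function" at login time).
unknown_ldap_calls() {  # $1 = PHP file
  local defined
  defined=$(sed -n 's/.*function[[:space:]]\{1,\}\(ldap_[a-z_0-9]*\).*/\1/p' "$1" | tr '\n' ' ')
  grep -no 'ldap_[a-z_0-9]*[[:space:]]*(' "$1" | sed 's/[[:space:]]*($//' |
  while IFS=: read -r line name; do
    case " $KNOWN_LDAP_FUNCS $defined " in
      *" $name "*) ;;
      *) echo "$line:$name" ;;
    esac
  done
}

# True when the CLI PHP has the ldap extension; Apache's PHP only picks it
# up after httpd is restarted.
php_ldap_loaded() { php -m 2>/dev/null | grep -qix 'ldap'; }
```

After sourcing the file, run `ldap_transport` with the paths to conf.php and functions.php, and `unknown_ldap_calls` with the path to functions.php; any output from the second is a name PHP will refuse to call.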