
Dovecot LDA - Active Directory userbase

  • Peter von Nostrand
    Message 1 of 5 , Jan 30, 2013
      Hi,

      I'm testing Postfix using Dovecot LDA.
      The users data is on Active Directory.
      Users have different email addresses from their usernames on AD, and they have aliases in the proxyaddress field.

      Here is the AD query:

      server_host = dc1.intranet.local
      search_base = dc=intranet,dc=local
      version = 3
      query_filter = (&(objectclass=Person)(|(mail=%s)(proxyAddresses=%s)))
      result_attribute = sAMAccountName
      result_format = %u/Maildir/
      scope= sub
      bind = yes
      bind_dn = intranet\ldap
      bind_pw = somepassword

      And the result:

      #postmap -q diego@... ldap:/etc/postfix/ldap-users.cf
      diego.maradona/Maildir/

      But when I try to deliver a mail to diego@..., Dovecot tries to deliver it to the mail address and not the username, returning with a "user unknown" message. It works OK if I edit a file with virtual aliases, mapping addresses to usernames, but I need to have all integrated on the AD.

      postconf -n:

      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      html_directory = no
      inet_interfaces = all
      inet_protocols = all
      mail_owner = postfix
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      mydestination = $myhostname, localhost.$mydomain, localhost
      mydomain = intranet.local
      myhostname = mail01.intranet.local
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
      sample_directory = /usr/share/doc/postfix-2.6.6/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtpd_sasl_local_domain = real.domain other-real.domain
      smtpd_sender_login_maps = ldap:/etc/postfix/ad_sender_login_maps.cf
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = ldap:/etc/postfix/ad_virtual_group_maps.cf
      virtual_mailbox_domains = real.domain other-real.domain
      virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
      virtual_transport = dovecot

      master relevant line:

      dovecot unix - n n - - pipe
        flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f ${sender} -d ${recipient}


      How can I send to Dovecot the username from the mail or proxyaddress alias field?

      --
      Peter
    • Wietse Venema
      Message 2 of 5 , Jan 30, 2013
        Peter von Nostrand:
        > dovecot unix - n n - - pipe
        > flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f
        > ${sender} -d ${recipient}
        >
        > How can I send to Dovecot the username from the mail or proxyaddress alias
        > field?

        perhaps surprisingly, this is described in the pipe(8) manpage.

        Wietse
      • Viktor Dukhovni
        Message 3 of 5 , Jan 30, 2013
          On Wed, Jan 30, 2013 at 11:34:13AM -0300, Peter von Nostrand wrote:

          > The users data is on Active Directory.
          > Users has different email addresses to their username on AD and they have
          > aliases on proxyaddress field.
          >
          > Here is the AD query:
          >
          > server_host = dc1.intranet.local
          > search_base = dc=intranet,dc=local
          > version = 3
          > query_filter = (&(objectclass=Person)(|(mail=%s)(proxyAddresses=%s)))

          This query is perhaps wrong, the "proxyAddresses" field in AD usually
          contains address forms with <protocol>: prefixes, thus for SMTP addresses
          the content is usually "smtp:localpart@domain" not "localpart@domain".

          You should also set the "domain = " attribute in the map definition so
          that lookups are always for full addresses and don't waste cycles with
          addresses in domains that never have entries in AD.


          > result_attribute = sAMAccountName
          > result_format = %u/Maildir/

          The sAMAccountName attribute is username not email address valued, so
          there is no need to use %u here, use "%s".

          > scope= sub
          > bind = yes
          > bind_dn = intranet\ldap
          > bind_pw = somepassword
          >
          > And the result:
          >
          > #postmap -q diego@... ldap:/etc/postfix/ldap-users.cf
          > diego.maradona/Maildir/
          >
          > But when I try to deliver a mail to diego@..., Dovecot tries to
          > deliver it to the mail address and not the username. Returning with a "user
          > unknown" message. It works OK if I edit a file with virtual aliases,
          > mapping addresses to usernames, but I need to have all integrated on the AD.

          Since you're using Dovecot, the virtual_mailbox_maps table is only
          used for recipient validation, not for delivery, since that's done
          by Dovecot. Since you want to rewrite the envelope (Dovecot user
          address), you should use virtual_alias_maps instead, just change the
          result to:

          result_attribute = sAMAccountName
          result_format = %s@...

          with this the virtual_mailbox_domain is now a virtual_alias_domain,
          since all valid addresses are rewritten to <samaccountname>@....
          Use the resulting table in virtual_alias_maps, leaving virtual_mailbox_maps
          empty, since you're not using virtual(8) to do the deliveries and no longer
          using virtual_mailbox_domains.

          Then map the "dovecot.invalid" domain to the dovecot transport in
          transport_maps.

          transport:
          dovecot.invalid dovecot

          > master relevant line:
          >
          > dovecot unix - n n - - pipe
          > flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f
          > ${sender} -d ${recipient}

          This will pass the user's rewritten email address to dovecot with
          an @... suffix. See pipe(8) for instructions on passing
          just the localpart.

          --
          Viktor.
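          The lookup Viktor is describing, emulated here as an added example in Python (not code from the thread, from Postfix or from Dovecot): it applies the %s escaping and %s/%u/%d expansion of ldap_table(5) to Peter's query_filter and result_format, evaluates the filter against constructed AD entries whose proxyAddresses carry the protocol prefix, and contrasts the map as posted with one using Viktor's result_format. The AD entries, the `proxyAddresses=smtp:%s` filter change and the dovecot.invalid result domain are assumptions for the demo.

```python
import re
# Constructed AD entries (not from the thread); proxyAddresses uses the "<protocol>:" prefix Viktor describes.
AD = [{"objectclass": ["Person"], "sAMAccountName": ["diego.maradona"],
       "mail": ["diego.maradona@intranet.local"],
       "proxyAddresses": ["SMTP:diego.maradona@intranet.local", "smtp:diego@intranet.local"]}]

def ldap_escape(value):
    """RFC 4515 escaping Postfix applies to %s, so a lookup key cannot rewrite the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def expand(template, key, escape=lambda v: v):
    """ldap_table(5) macros: %s whole value, %u its localpart, %d its domain, %% literal."""
    local, _, domain = key.partition("@")
    subst = {"s": key, "u": local, "d": domain}
    return re.sub(r"%([sud%])", lambda m: "%" if m.group(1) == "%" else escape(subst[m.group(1)]), template)

def parse(f, i=0):
    """Parse '(&...)', '(|...)' or '(attr=value)' into nested tuples; returns (node, next_index)."""
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = f.index(")", i)                 # safe: an escaped ')' from a lookup key arrives as '\29'
    attr, _, val = f[i + 1:j].partition("=")
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)  # undo escaping
    return ("=", attr.lower(), val.lower()), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, val = node                 # AD attribute names and addresses compare case-insensitively
    return any(v.lower() == val for k, vs in entry.items() if k.lower() == attr for v in vs)

def lookup(key, cfg):
    """Emulate one Postfix ldap: table lookup driven by the thread's configuration keys."""
    if "@" not in key or key.rpartition("@")[2].lower() not in cfg["domain"]:
        return None                     # 'domain =' suppresses lookups that can never hit AD
    node, _ = parse(expand(cfg["query_filter"], key, ldap_escape))
    values = [v for e in AD if matches(node, e) for v in e[cfg["result_attribute"]]]
    return ", ".join(expand(cfg["result_format"], v) for v in values) or None

# Peter's map as posted, and the same map with Viktor's two changes applied (assumed filter form).
ORIGINAL = {"domain": ["intranet.local"], "result_attribute": "sAMAccountName",
            "query_filter": "(&(objectclass=Person)(|(mail=%s)(proxyAddresses=%s)))",
            "result_format": "%u/Maildir/"}
FIXED = dict(ORIGINAL, result_format="%s@dovecot.invalid",
             query_filter="(&(objectclass=Person)(|(mail=%s)(proxyAddresses=smtp:%s)))")
```

With prefixed proxyAddresses the posted filter only finds the primary mail address, while the adjusted map resolves the alias to diego.maradona@dovecot.invalid for virtual_alias_maps.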
        • btb@...
          Message 4 of 5 , Jan 30, 2013
            On Jan 30, 2013, at 09.34, Peter von Nostrand wrote:

            > dovecot unix - n n - - pipe
            > flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f
            > ${sender} -d ${recipient}

            i'd encourage you to consider delivering to dovecot via lmtp[1] rather than pipe, and thus to consider using the relay domain class[2] instead of virtual. doing this has been beneficial for me in terms of logic and postfix concepts/terminology. additionally, there are often performance benefits as well.

            [1] http://wiki2.dovecot.org/LMTP
            [2] http://www.postfix.org/ADDRESS_CLASS_README.html

            -ben
          • Peter von Nostrand
            Message 5 of 5 , Jan 30, 2013
              On Wed, Jan 30, 2013 at 1:29 PM, Viktor Dukhovni <postfix-users@...> wrote:
              > On Wed, Jan 30, 2013 at 11:34:13AM -0300, Peter von Nostrand wrote:
              >
              > > query_filter = (&(objectclass=Person)(|(mail=%s)(proxyAddresses=%s)))
              >
              > This query is perhaps wrong, the "proxyAddresses" field in AD usually
              > contains address forms with <protocol>: prefixes, thus for SMTP addresses
              > the content is usually "smtp:localpart@domain" not "localpart@domain".

              I don't have AD integrated with an Exchange so there is a field for proxyaddress without the use of the prefixes SMTP and smtp.

              > You should also set the "domain = " attribute in the map definition so
              > that lookups are always for full addresses and don't waste cycles with
              > addresses in domains that never have entries in AD.
              >
              > > result_attribute = sAMAccountName
              > > result_format = %u/Maildir/
              >
              > The sAMAccountName attribute is username not email address valued, so
              > there is no need to use %u here, use "%s".
              >
              > > scope= sub
              > > bind = yes
              > > bind_dn = intranet\ldap
              > > bind_pw = somepassword
              > >
              > > And the result:
              > >
              > > #postmap -q diego@... ldap:/etc/postfix/ldap-users.cf
              > > diego.maradona/Maildir/
              > >
              > > But when I try to deliver a mail to diego@..., Dovecot tries to
              > > deliver it to the mail address and not the username. Returning with a "user
              > > unknown" message. It works OK if I edit a file with virtual aliases,
              > > mapping addresses to usernames, but I need to have all integrated on the AD.
              >
              > Since you're using Dovecot, the virtual_mailbox_maps table is only
              > used for recipient validation, not for delivery, since that's done
              > by Dovecot. Since you want to rewrite the envelope (Dovecot user
              > address), you should use virtual_alias_maps instead, just change the
              > result to:
              >
              >         result_attribute = sAMAccountName
              >         result_format = %s@...
              >
              > with this the virtual_mailbox_domain is now a virtual_alias_domain,
              > since all valid addresses are rewritten to <samaccountname>@....
              > Use the resulting table in virtual_alias_maps, leaving virtual_mailbox_maps
              > empty, since you're not using virtual(8) to do the deliveries and no longer
              > using virtual_mailbox_domains.
              >
              > Then map the "dovecot.invalid" domain to the dovecot transport in
              > transport_maps.
              >
              >     transport:
              >         dovecot.invalid         dovecot
              >
              > > master relevant line:
              > >
              > > dovecot unix - n n - - pipe
              > >   flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/dovecot-lda -f
              > > ${sender} -d ${recipient}
              >
              > This will pass the user's rewritten email address to dovecot with
              > an @... suffix. See pipe(8) for instructions on passing
              > just the localpart.
              >
              > --
              >         Viktor.


              OK, it worked. Changed {recipient} for {user}. And thx Wietse for his sarcasm.
              I've tried that change before but using virtual_mailbox_maps instead of virtual_alias_maps.

              Thank you very much, Viktor.
              --
              Peter