Postfix / Dovecot Authentication Against Active Directory On CentOS 5.x

This document describes how to integrate Postfix / Dovecot with Microsoft Active Directory on CentOS 5.x, so that mail users are managed in Active Directory. You will learn how to make Postfix look up email addresses in Active Directory and how to make Dovecot authenticate users against Active Directory.

1 Requirements

2 Preliminary Note

Two servers are used in this tutorial.

Linux mail server (iRedMail):

  • Hostname: mail.example.com
  • IP address: 192.168.1.10
  • LDAP suffix (root dn): dc=example,dc=com
  • First virtual domain: example.com

Windows Server with Active Directory:

  • Hostname: ad.example.com
  • IP address: 192.168.1.20

3 Create a user account in AD for LDAP queries

With iRedMail + OpenLDAP there is a single low-privilege account, "cn=vmail,dc=example,dc=com", that is used only for queries. Create the same account, vmail, in AD and give it a complex password. It needs no group memberships or rights beyond reading the Users container.

Dovecot treats everything after a "#" as a comment, so do not use "#" in this password.

Test the AD query with the ldap command-line tools. AD accepts the UPN (vmail@example.com) or EXAMPLE\vmail as the bind name in addition to a full DN; if a bare "vmail" is rejected, use one of those forms here and in the configuration files below:

# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail

4 Enable Postfix queries against Active Directory

Edit the Postfix configuration file /etc/postfix/main.cf so that Postfix queries AD instead of OpenLDAP:

#
# iRedMail-specific settings that are no longer used.
# Set them to an empty value OR comment these lines out.
#
virtual_alias_maps =
virtual_mailbox_domains =
sender_bcc_maps =
recipient_bcc_maps =

relay_domains =

#
# Add your mail domain to "smtpd_sasl_local_domain" and "virtual_mailbox_domains".
# (When a parameter appears twice in main.cf, Postfix uses the last value, so the
# assignments below override the empty ones above.)
#
smtpd_sasl_local_domain = example.com
virtual_mailbox_domains = example.com

#
# Change some settings.
#
# Transport maps.
transport_maps = hash:/etc/postfix/transport

# Remove the iRedAPD policy server from Postfix: delete (or comment out) the
#   check_policy_service inet:127.0.0.1:7777
# entry in smtpd_recipient_restrictions.

#
# AD queries.
#
# Note: the three map files referenced here are created below.
#
# Used to verify the sender (the SASL login name must own the envelope sender address).
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf

# Used to look up mail users.
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf

# Used to look up mail lists/groups.
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf


Edit /etc/postfix/transport:

example.com dovecot

Run postmap so that Postfix can read it:

# postmap hash:/etc/postfix/transport

Create the file /etc/postfix/ad_sender_login_maps.cf. Each of the three map files holds the bind password in clear text, so keep them readable only by root and the postfix group (chown root:postfix, chmod 640; proxymap runs as the postfix user and needs read access). With start_tls = no the password also crosses the network unencrypted; if AD has a server certificate, prefer start_tls = yes (with tls_ca_cert_file pointing at the AD CA) or LDAPS (server_host = ldaps://ad.example.com, server_port = 636).

server_host     = ad.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = password_of_vmail
search_base     = cn=users,dc=example,dc=com
scope           = sub
# Exclude disabled accounts by testing the ACCOUNTDISABLE bit (value 2) of
# userAccountControl with the AD bitwise-AND matching rule. The original
# tutorial used (!(userAccountControl=514)), which only excludes accounts whose
# userAccountControl is exactly 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE); a
# disabled account that also carries another flag would slip past it.
query_filter    = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute= userPrincipalName
debuglevel      = 0

Create the file /etc/postfix/ad_virtual_mailbox_maps.cf:

server_host     = ad.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = password_of_vmail
search_base     = cn=users,dc=example,dc=com
scope           = sub
query_filter    = (&(objectclass=person)(userPrincipalName=%s))
result_attribute= userPrincipalName
# %d and %u are the domain and local part of the returned userPrincipalName,
# so the lookup yields a mailbox path relative to virtual_mailbox_base.
result_format   = %d/%u/Maildir/
debuglevel      = 0

Create the file /etc/postfix/ad_virtual_group_maps.cf:

server_host     = ad.example.com
server_port     = 389
version         = 3
bind            = yes
start_tls       = no
bind_dn         = vmail
bind_pw         = password_of_vmail
search_base     = cn=users,dc=example,dc=com
scope           = sub
query_filter    = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute= userPrincipalName
debuglevel      = 0

Note: if your users have an email address in both "mail" and "userPrincipalName", every group member will be returned twice. Commenting out "leaf_result_attribute" fixes it.
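How Postfix combines result_attribute, special_result_attribute and leaf_result_attribute when it expands a group, and why the duplicate results mentioned above appear, can be seen in this added Python model. It is not part of the tutorial: the directory entries are constructed, no LDAP connection is made, and expand_group is my own name for a function that follows the result-handling rules described in ldap_table(5).

```python
"""Model of Postfix ldap_table(5) group expansion over an in-memory directory.

Added example, not the tutorial's code. The entries below are constructed for
the demo; attribute names are lower-cased and values are lists, as in LDAP.
"""

DIRECTORY = {
    "CN=testgroup,CN=Users,DC=example,DC=com": {
        "objectclass": ["group"],
        "mail": ["testgroup@example.com"],
        "member": ["CN=member01,CN=Users,DC=example,DC=com",
                   "CN=member02,CN=Users,DC=example,DC=com"],
    },
    "CN=member01,CN=Users,DC=example,DC=com": {
        "objectclass": ["person"],
        "userprincipalname": ["member01@example.com"],
        "mail": ["member01@example.com"],          # both attributes hold the address
    },
    "CN=member02,CN=Users,DC=example,DC=com": {
        "objectclass": ["person"],
        "userprincipalname": ["member02@example.com"],   # no 'mail' attribute
    },
}


def expand_group(address, result_attribute="userprincipalname",
                 special_result_attribute="member",
                 leaf_result_attribute=None, directory=DIRECTORY):
    """Return the addresses Postfix would produce for a group lookup.

    Rules modelled from ldap_table(5):
      * result_attribute values are collected from every entry visited;
      * each special_result_attribute value is a DN that is looked up in turn;
      * leaf_result_attribute values are collected only from terminal entries
        (those that carry no special_result_attribute).
    Postfix does not de-duplicate, so an address present in both the result
    attribute and the leaf attribute of one member is returned twice.
    """
    # query_filter (&(objectClass=group)(mail=%s)), case-insensitive on mail
    start = [dn for dn, entry in directory.items()
             if "group" in entry.get("objectclass", [])
             and address.lower() in [m.lower() for m in entry.get("mail", [])]]
    results, seen = [], set()

    def visit(dn):
        if dn in seen:                  # guard against nested-group loops
            return
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:               # dangling member DN: nothing to return
            return
        results.extend(entry.get(result_attribute, []))
        members = entry.get(special_result_attribute, [])
        if members:                     # non-terminal: follow, no leaf attrs
            for member_dn in members:
                visit(member_dn)
        elif leaf_result_attribute:     # terminal: add leaf attribute values
            results.extend(entry.get(leaf_result_attribute, []))

    for dn in start:
        visit(dn)
    return results


if __name__ == "__main__":
    print("with leaf_result_attribute = mail:",
          expand_group("testgroup@example.com", leaf_result_attribute="mail"))
    print("without leaf_result_attribute:   ",
          expand_group("testgroup@example.com"))
```

With leaf_result_attribute set to mail, member01 comes back twice (once from userPrincipalName, once from mail) while member02, which has no mail attribute, comes back once; dropping leaf_result_attribute yields each member exactly once, which is what the note above recommends.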

5 Verify the LDAP queries against AD in Postfix

Look up a mail user:

# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/user/Maildir/

Verify the sender login check:

# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
user@example.com

Active Directory has a kind of group called a distribution group, which is used purely as an email distribution list. To verify group expansion:

  • Create a group in AD and give it a mail address, e.g. testgroup@example.com.
  • Add at least one member to the group.
  • Run the following command on the iRedMail server to check that the members are returned.
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
member01@example.com
member02@example.com
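Added example (not from the tutorial): a filter clause of the form (!(userAccountControl=514)), as used in the Postfix and Dovecot queries, excludes only accounts whose userAccountControl is exactly 514, so a disabled account that also carries another flag (for example DONT_EXPIRE_PASSWORD, giving 66050) passes through it. The script below evaluates both that clause and the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) over three constructed entries. The mini filter evaluator and the entries are mine, not something Postfix, Dovecot or AD ships, and it handles only the filter syntax the tutorial uses.

```python
"""Why (!(userAccountControl=514)) is a weak "account is disabled" test.

Added example, not the tutorial's code. A tiny evaluator for the subset of
LDAP filter syntax used on this page (equality, AND, OR, NOT and the AD
bitwise-AND extensible match) is run over a constructed in-memory directory,
so no AD server is needed.
"""

ACCOUNTDISABLE = 0x0002            # userAccountControl flag: account disabled
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed entries: attribute names lower-cased, values as strings like LDAP.
DIRECTORY = [
    {"userprincipalname": "alice@example.com", "objectclass": "person",
     "useraccountcontrol": str(NORMAL_ACCOUNT)},                     # 512: enabled
    {"userprincipalname": "bob@example.com", "objectclass": "person",
     "useraccountcontrol": str(NORMAL_ACCOUNT | ACCOUNTDISABLE)},    # 514: disabled
    {"userprincipalname": "carol@example.com", "objectclass": "person",
     "useraccountcontrol": str(NORMAL_ACCOUNT | ACCOUNTDISABLE
                               | DONT_EXPIRE_PASSWORD)},             # 66050: disabled too
]


def is_disabled(user_account_control):
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(user_account_control & ACCOUNTDISABLE)


def _parse(text, i):
    """Parse one parenthesised filter item at text[i]; return (node, next index).

    Nodes: ("&"|"|", [children]), ("!", [child]) or ("=", [attr_desc, value]).
    """
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|":
        op, i, kids = text[i], i + 1, []
        while text[i] != ")":
            kid, i = _parse(text, i)
            kids.append(kid)
        return (op, kids), i + 1
    if text[i] == "!":
        kid, i = _parse(text, i + 1)
        if text[i] != ")":
            raise ValueError("unterminated NOT at offset %d" % i)
        return ("!", [kid]), i + 1
    end = text.index(")", i)
    attr, value = text[i:end].split("=", 1)   # "attr:OID:=value" keeps the OID in attr
    return ("=", [attr, value]), end + 1


def matches(entry, node):
    """Evaluate a parsed filter against one entry."""
    op, args = node
    if op == "&":
        return all(matches(entry, k) for k in args)
    if op == "|":
        return any(matches(entry, k) for k in args)
    if op == "!":
        return not matches(entry, args[0])
    attr, value = args
    rule = None
    if attr.endswith(":"):                       # extensible match "attr:rule:"
        attr, rule, _ = attr.split(":")
    actual = entry.get(attr.lower())
    if actual is None:                           # absent attribute never matches
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:       # all bits of value must be set
        return (int(actual) & int(value)) == int(value)
    if rule is not None:
        raise ValueError("unsupported matching rule %s" % rule)
    return actual.lower() == value.lower()       # AD string matching is case-insensitive


def search(filter_text, directory=DIRECTORY):
    """Return the sorted userPrincipalNames matched by filter_text."""
    node, end = _parse(filter_text, 0)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return sorted(e["userprincipalname"] for e in directory if matches(e, node))


# The tutorial's clause: only the exact value 514 is excluded.
WEAK = "(&(objectClass=person)(!(userAccountControl=514)))"
# Bitwise test: any entry with the ACCOUNTDISABLE bit set is excluded.
STRICT = "(&(objectClass=person)(!(userAccountControl:%s:=%d)))" % (
    LDAP_MATCHING_RULE_BIT_AND, ACCOUNTDISABLE)

if __name__ == "__main__":
    print("weak filter lets through:  ", search(WEAK))
    print("bitwise filter lets through:", search(STRICT))
```

Carol's account is disabled, yet the equality test keeps her in the result set because 66050 is not 514; the bitwise-AND form excludes her. The same matching rule works unchanged in the Postfix query_filter and in Dovecot's user_filter / pass_filter.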

6 Enable LDAP queries against AD in Dovecot

Edit /etc/dovecot-ldap.conf so that Dovecot queries AD instead of the local OpenLDAP server. After the change, restart the dovecot service for it to take effect.

hosts           = ad.example.com:389
ldap_version    = 3
# With auth_bind = yes Dovecot verifies the password by binding to AD as the
# user; the dn/dnpass account is only used for the user lookup.
auth_bind       = yes
dn              = vmail
dnpass          = password_of_vmail
base            = cn=users,dc=example,dc=com
scope           = subtree
deref           = never
# Exclude disabled accounts by testing the ACCOUNTDISABLE bit (2) of
# userAccountControl; the original (!(userAccountControl=514)) only excluded
# accounts whose value is exactly 514.
user_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter     = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# AD never returns userPassword, and with auth_bind the bind itself checks the
# password, so no password attribute is needed here.
pass_attrs      =
default_pass_scheme = CRYPT
# %Ld / %Ln are the lower-cased domain and local part of the login name.
user_attrs      = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/

Verify the LDAP query against AD in Dovecot (IMAP commands must be prefixed with a tag, here "a"):

# telnet localhost 143

[...] Dovecot ready.

a login user@example.com password_of_user    # <- type this
a OK [...] Logged in
# <- leave telnet with "Ctrl+]" and then type "quit".

7 Enable a global LDAP address book with AD in Roundcube WebMail

Edit the Roundcube configuration file /var/www/roundcubemail/config/main.inc.php. You can remove the existing LDAP address book that points at OpenLDAP and add a new one that uses AD.

//
// "sql" is the personal address book stored in the Roundcube database.
// "example.com" is the new LDAP address book backed by AD, defined below.
//
$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");

//
// Global LDAP address book backed by AD.
//
$rcmail_config['ldap_public']["example.com"] = array(
    'name'          => 'Global Address Book',
    'hosts'         => array("ad.example.com"),     // <- AD hostname or IP address.
    'port'          => 389,
    'use_tls'       => false,                       // <- true enables STARTTLS on port 389 (not LDAPS). For LDAPS
                                                    //    put "ldaps://ad.example.com" in 'hosts' and set port 636.

    // ---- Search accounts only in this domain. ----
    'user_specific' => false,
    'base_dn'       => "cn=users,dc=example,dc=com",   // <- base dn in AD
    'bind_dn'       => "vmail",                        // <- bind dn
    'bind_pass'     => "password_of_vmail",            // <- bind password (clear text: keep this file readable by the web server user only)
    'writable'      => false,                          // <- Do not let mail users write data back to AD.
    'ldap_version'  => "3",

    // ---- Search ----
    //'search_fields' => array('displayname', 'userprincipalname', 'sn', 'givenname',),  // <- fields to search in
    'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
    //'name_field'    => 'displayname',
    'name_field'    => 'cn',
    //'email_field'   => 'userprincipalname',
    'email_field'   => 'mail',
    'surname_field' => 'sn',
    //'firstname_field' => 'givenname',
    'firstname_field' => 'givenName',
    //'sort'          => 'displayname',
    'sort'          => 'cn',
    'scope'         => 'sub',
    //'filter'        => "(&(objectclass=person)(!(userAccountControl=514)))",
    'filter'        => "(mail=*@*)",   // <- any object with a mail address, including groups and contacts
    'fuzzy_search'  => true
);

8 Links
