Postfix / Dovecot Authentication Against Active Directory On CentOS 5.x
This document describes how to integrate Postfix / Dovecot with Microsoft Active Directory on CentOS 5.x, so that you can manage mail users in Microsoft Active Directory. You will learn how to make Postfix look up email addresses in Active Directory and how to enable Dovecot to authenticate against Microsoft Active Directory.
1 Requirements
- A Microsoft Windows (2000 / 2003 / 2003R2 / 2008 / 2008R2) server with Active Directory installed and running, listening on port 389 (ldap://) or 636 (ldaps://).
- A working mail server with OpenLDAP installed. You can refer to this tutorial: http://www.youcl.com/iredmail-build-a-full-featured-mail-server-with-ldap-postfix-roundcube-dovecot-clamav-dkim-spf-on-centos-5.x
2 Preliminary Note
In this tutorial we use two servers.
Linux mail server:
- Hostname: mail.example.com
- IP address: 192.168.1.10
- LDAP suffix (root dn): dc=example,dc=com
- First virtual domain: example.com
Windows server with Active Directory:
- Hostname: ad.example.com
- IP address: 192.168.1.20
3 Create A User Account In AD For LDAP Queries
With iRedMail + OpenLDAP we have a single low-privilege account, "cn=vmail,dc=example,dc=com", that is used for queries only. So we create the same account, vmail, in AD, with a complex password.
Dovecot treats everything after a "#" as a comment, so do not use "#" in the password.
Test the AD query with the ldap command-line tool:
# ldapsearch -x -h ad.example.com -D 'vmail' -W -b 'cn=users,dc=example,dc=com'
Enter password: password_of_vmail
4 Enable Postfix Queries Against Active Directory
Modify the Postfix configuration file /etc/postfix/main.cf so that Postfix queries AD instead of OpenLDAP:

#
# Unused iRedMail special settings.
# Set them to an empty value OR comment these lines.
#
virtual_alias_maps =
virtual_mailbox_domains =
sender_bcc_maps =
recipient_bcc_maps =
relay_domains =

#
# Add your mail domain in "smtpd_sasl_local_domain" and "virtual_mailbox_domains".
#
smtpd_sasl_local_domain = example.com
virtual_mailbox_domains = example.com

#
# Change some settings.
#
# Transport maps.
transport_maps = hash:/etc/postfix/transport

# Remove the iRedAPD related settings in Postfix: comment out the line
# "check_policy_service inet:127.0.0.1:7777".

#
# AD query.
#
# Note: We will create these 3 files later.
#
# Used to verify sender.
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ad_sender_login_maps.cf
# Used to query mail users.
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
# Used to query mail lists/groups.
virtual_alias_maps = proxy:ldap:/etc/postfix/ad_virtual_group_maps.cf
Edit /etc/postfix/transport:
example.com dovecot
Run 'postmap' so that Postfix can read it:
# postmap hash:/etc/postfix/transport
Create the file /etc/postfix/ad_sender_login_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl=514)))
result_attribute = userPrincipalName
debuglevel = 0
Create the file /etc/postfix/ad_virtual_mailbox_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectclass=person)(userPrincipalName=%s))
result_attribute = userPrincipalName
result_format = %d/%u/Maildir/
debuglevel = 0
Create the file /etc/postfix/ad_virtual_group_maps.cf:
server_host = ad.example.com
server_port = 389
version = 3
bind = yes
start_tls = no
bind_dn = vmail
bind_pw = password_of_vmail
search_base = cn=users,dc=example,dc=com
scope = sub
query_filter = (&(objectClass=group)(mail=%s))
special_result_attribute = member
leaf_result_attribute = mail
result_attribute = userPrincipalName
debuglevel = 0
Note: If your users have an email address in both "mail" and "userPrincipalName", you will get duplicate results. Commenting out 'leaf_result_attribute' solves this.
5 Verify LDAP Queries Against AD In Postfix
Query a mail user:
# postmap -q user@example.com ldap:/etc/postfix/ad_virtual_mailbox_maps.cf
example.com/user/Maildir/
Verify the sender login check:
# postmap -q user@example.com ldap:/etc/postfix/ad_sender_login_maps.cf
user@example.com
Active Directory has a kind of group called a distribution group, which is used only as an email distribution list. Steps to verify it:
- Create a group in AD, e.g. testgroup@example.com.
- Assign at least one member to this group.
- Run the following command on the iRedMail server to verify that it can fetch the members.
# postmap -q testgroup@example.com ldap:/etc/postfix/ad_virtual_group_maps.cf
member01@example.com
member02@example.com
6 Enable LDAP Queries Against AD In Dovecot
Modify /etc/dovecot-ldap.conf so that Dovecot queries AD instead of the local OpenLDAP server. After the change you need to restart the dovecot service for it to take effect immediately.
hosts = ad.example.com:389
ldap_version = 3
auth_bind = yes
dn = vmail
dnpass = password_of_vmail
base = cn=users,dc=example,dc=com
scope = subtree
deref = never
user_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl=514)))
pass_filter = (&(userPrincipalName=%u)(objectClass=person)(!(userAccountControl=514)))
pass_attrs = userPassword=password
default_pass_scheme = CRYPT
user_attrs = =home=/var/vmail/vmail1/%Ld/%Ln/Maildir/,=mail=maildir:/var/vmail/vmail1/%Ld/%Ln/Maildir/
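The Postfix maps in section 4 and the Dovecot filters above both exclude disabled accounts with (!(userAccountControl=514)), which only matches the literal value 514 (normal account + disabled). The following added example (not from the original article or the iRedMail project) models that check against constructed AD entries and compares it with the bit-AND extensible match (matching rule OID 1.2.840.113556.1.4.803) that tests the disable flag itself; the entry values and names are constructed.

```python
# Added example: compares two ways of excluding disabled AD accounts in an
# LDAP filter, evaluated locally against constructed entries (no AD needed).

ADS_UF_ACCOUNTDISABLE = 0x0002        # bit 1: account is disabled
ADS_UF_NORMAL_ACCOUNT = 0x0200        # bit 9: normal user account (512)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # bit 16: password never expires

# Constructed sample entries, as a Postfix/Dovecot lookup would see them.
SAMPLE_ENTRIES = [
    {"userPrincipalName": "alice@example.com", "userAccountControl": 512},
    {"userPrincipalName": "bob@example.com", "userAccountControl": 514},
    # Disabled AND "password never expires": 512 + 2 + 65536 = 66050.
    {"userPrincipalName": "carol@example.com", "userAccountControl": 66050},
]


def passes_equality_filter(entry: dict) -> bool:
    """Model of (!(userAccountControl=514)): a literal integer comparison."""
    return entry["userAccountControl"] != 514


def passes_bitwise_filter(entry: dict) -> bool:
    """Model of (!(userAccountControl:1.2.840.113556.1.4.803:=2)):
    the LDAP_MATCHING_RULE_BIT_AND match is true when the disable bit is set."""
    return not (entry["userAccountControl"] & ADS_UF_ACCOUNTDISABLE)


def allowed_users(entries, predicate) -> list:
    """Return the userPrincipalNames the given filter model lets through."""
    return [e["userPrincipalName"] for e in entries if predicate(e)]


def bitwise_filter(placeholder: str = "%s") -> str:
    """Filter string with the bit-AND check, in the form of the article's
    Postfix query_filter (%s); Dovecot's user_filter/pass_filter use %u."""
    return (f"(&(userPrincipalName={placeholder})(objectClass=person)"
            f"(!(userAccountControl:1.2.840.113556.1.4.803:={ADS_UF_ACCOUNTDISABLE})))")


if __name__ == "__main__":
    print("equality filter allows:", allowed_users(SAMPLE_ENTRIES, passes_equality_filter))
    print("bit-AND  filter allows:", allowed_users(SAMPLE_ENTRIES, passes_bitwise_filter))
    print("Postfix filter:", bitwise_filter())
    print("Dovecot filter:", bitwise_filter("%u"))
```

With the literal check, carol (disabled, but with an extra flag set) still gets through; the bit-AND form rejects every entry whose disable bit is set.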
Verify the LDAP query against AD in Dovecot:
# telnet localhost 143
[...] Dovecot ready.
. login user@example.com password_of_user    <- type this line
[...] Logged in
<- Use "Ctrl + ]" to exit telnet, then type "quit".
7 Enable A Global LDAP Address Book With AD In Roundcube WebMail
Edit the Roundcube configuration file /var/www/roundcubemail/config/main.inc.php. You can remove the existing LDAP address book stored in OpenLDAP and add a new LDAP address book that uses AD.

#
# "sql" is the personal address book stored in the Roundcube database.
# "example.com" is the new LDAP address book with AD; we will create it below.
#
$rcmail_config['autocomplete_addressbooks'] = array("sql", "example.com");

#
# Global LDAP Address Book with AD.
#
$rcmail_config['ldap_public']["example.com"] = array(
    'name'          => 'Global Address Book',
    'hosts'         => array("ad.example.com"),   // <- Set AD hostname or IP address here.
    'port'          => 389,
    'use_tls'       => false,   // <- Set to true if you want to use LDAPS. Change port to 636 on the line above too.
    // ---- Used to search accounts only in the same domain. ----
    'user_specific' => false,
    'base_dn'       => "cn=users,dc=example,dc=com",   // <- Set base dn in AD
    'bind_dn'       => "vmail",                         // <- bind dn
    'bind_pass'     => "password_of_vmail",             // <- bind password
    'writable'      => false,   // <- Do not allow mail users to write data back to AD.
    'ldap_version'  => "3",
    // ---- Search ----
    //'search_fields' => array('displayname', 'userprincipalname', 'sn', 'givenname',),   // <- fields to search in
    'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
    //'name_field'    => 'displayname',
    'name_field'    => 'cn',
    //'email_field'   => 'userprincipalname',
    'email_field'   => 'mail',
    'surname_field' => 'sn',
    //'firstname_field' => 'givenname',
    'firstname_field' => 'givenName',
    //'sort'          => 'displayname',
    'sort'          => 'cn',
    'scope'         => 'sub',
    //'filter'        => "(&(objectclass=person)(!(userAccountControl=514)))",
    'filter'        => "(mail=*@*)",
    'fuzzy_search'  => true
);
8 Links
- Forum: http://www.iredmail.org/forum/
- Integration / Active.Directory.iRedMail: http://www.iredmail.org/wiki/index.php?title=Integration/Active.Directory.iRedMail
- iRedMail project home page: http://code.google.com/p/iredmail/