From: "Goutam Baul" on
Hello Everybody,

I am facing a scenario where the client needs a mailing solution while the
user information will be kept in a Microsoft Active Directory server. I was
trying to search for any material that talks about whether it is possible to
make postfix and courier-imap talk to Microsoft ADS. I have done an
implementation with OpenLDAP but not with ADS. Another workaround might be
to have LDAP for the mailing solution and create an application for user
management that ensures that the LDAP and the MDS are always in sync. This
would not be an elegant one, and it would be great if the mailing solution
(postfix, courier-imap, courier-authlib, all on Linux) could talk to the ADS.
May I request some pointers, please?

With regards,

Goutam

From: Stewart Walters on
lst_hoe02(a)kwsoft.de wrote:
> Quote from Goutam Baul <goutam.baul(a)cesc.co.in>:
>
>> Hello Everybody,
>>
>> I am facing a scenario where the client needs a mailing solution
>> while the
>> user information will be kept in a Microsoft Active Directory server.
>> I was
>> trying to search for any material that talks about whether it is
>> possible to
>> make postfix and courier-imap talk to Microsoft ADS. I have done an
>> implementation with OpenLDAP but not with ADS. Another workaround
>> might be
>> to have LDAP for the mailing solution and create an application for user
>> management that ensures that the LDAP and the MDS are always in sync.
>> This
>> would not be an elegant one, and it would be great if the mailing
>> solution
>> (postfix, courier-imap, courier-authlib, all on Linux) could talk to the
>> ADS.
>> May I request some pointers, please?
>
>
> For user authentication Postfix uses SASL, which in turn can use PAM,
> which is able to do NTLM (Windows authentication) against a Windows
> domain.
> For routing information you can query the DCs with LDAP if you have
> the necessary fields stored there (normally the case if MS Exchange is
> used as the mailstore).
>
> I have done it some time ago but the details are lost :-(
>
> Regards
>
> Andreas

There are several ways I know how you could do this on Linux:

1. Use "389 Directory Server" (formerly Fedora Directory Server,
which is formerly the Netscape Directory Server) to regularly sync
the AD users and groups to a local replication store, and use
ordinary pam_ldap/libnss_ldap to authenticate your postfix
straight to the 389 directory server.
2. Use Samba + Winbind + pam_winbind to extract and provide
usernames/groups, UID/GIDs to postfix.
3. Assuming your active directory is schema version 31 or above (the
schema that comes in Windows Server 2003 R2), you can enable RFC
2307 information directly in AD and use pam_krb5 and pam_ldap have
your postfix box pull that information straight out of AD
(instructions from Scott Lowe's blog at
http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/)
4. If your AD schema is not version 31 or above (Windows Server 2003,
Windows SBS Server 2003 R2 and below) use Scott Lowe's
instructions for getting the same thing happening, using Services
For Unix
(http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/)
5. Purchase a proprietary product to authenticate Linux directly to
AD (such as the Quest Authentication Services
http://www.quest.com/active-directory/directory-consolidation.aspx;
CA might also have one as a part of their Unicentre TNG suite,
Centrify have toolsets as well)


I've deployed options 2, 3 & 4 in production environments before.
Option 2 was a multitude of times easier to get working than options 3 &
4, but in some distributions winbindd has some severe bugs (RHEL 4.4,
4.5, 4.6). If you can't move off these platforms because your vendor
won't support their application, you're forced to go another route.

Although I've never deployed it before, Option 1 in theory is also a
sound way to go.

Of course, option 5 is another way to go, if you're willing to pay the
licensing fees.

Regards,

Stewart

From: Zhang Huangbin on

On Mar 12, 2010, at 2:59 PM, Goutam Baul wrote:

> Hello Everybody,
>
> I am facing a scenario where the client needs a mailing solution while the user information will be kept in a Microsoft Active Directory server. I was trying to search for any material that talks about whether it is possible to make postfix and courier-imap talk to Microsoft ADS. I have done an implementation with OpenLDAP but not with ADS. Another workaround might be to have LDAP for the mailing solution and create an application for user management that ensures that the LDAP and the MDS are always in sync. This would not be an elegant one, and it would be great if the mailing solution (postfix, courier-imap, courier-authlib, all on Linux) could talk to the ADS. May I request some pointers, please?

You can try Postfix + Dovecot + Windows Active Directory 2003 + Roundcube webmail. I deployed one for a customer based on iRedMail; it works like a charm.

Postfix and Dovecot can authenticate users against AD directly, including normal users and mail lists, and Roundcube can use AD as a global LDAP address book too. :)

--
Best Regards.

Zhang Huangbin

- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux,
CentOS, Debian, Ubuntu, FreeBSD: http://www.iredmail.org/

From: mouss on
Goutam Baul wrote:
> Hello Everybody,
>
>
>
> I am facing a scenario where the client needs a mailing solution while
> the user information will be kept in a Microsoft Active Directory
> server. I was trying to search for any material that talks about whether
> it is possible to make postfix and courier-imap talk to Microsoft ADS. I
> have done an implementation with OpenLDAP but not with ADS. Another
> workaround might be to have LDAP for the mailing solution and create an
> application for user management that ensures that the LDAP and the MDS
> are always in sync. This would not be an elegant one, and it would be
> great if the mailing solution (postfix, courier-imap, courier-authlib, all
> on Linux) could talk to the ADS. May I request some pointers, please?
>
>

Use a script to dump AD data to a file. Addresses do not change that
often, so why insist on a direct AD lookup?

Otherwise, Postfix supports LDAP. If AD isn't LDAP compliant, you know
what you should do...
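The "dump AD data to a file" approach mouss suggests (and the LDAP routing lookup Andreas mentions) boils down to turning AD user entries into Postfix lookup tables. The following is an added example, not mouss's or the Postfix project's code: it assumes the AD attributes mail, proxyAddresses, sAMAccountName and userAccountControl, and stands in a constructed list of entries for the result of a real LDAP search against a DC.

```python
"""Convert Active Directory user entries into Postfix virtual maps.

Added example. In a real dump the entries would come from an LDAP search
of a domain controller; here SAMPLE_ENTRIES is a constructed stand-in.
"""
ACCOUNTDISABLE = 0x2  # userAccountControl bit set on disabled AD accounts

# Constructed sample of what a DC might return for three accounts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "mail": "alice@example.com",
     "proxyAddresses": ["SMTP:alice@example.com",          # primary (upper-case)
                        "smtp:a.smith@example.com",        # secondary alias
                        "X400:c=us;a= ;p=Example;s=Smith"],  # not SMTP, ignored
     "userAccountControl": 512},
    {"sAMAccountName": "bob", "mail": "bob@example.com",
     "proxyAddresses": ["SMTP:bob@example.com"],
     "userAccountControl": 514},          # 512 | ACCOUNTDISABLE: disabled
    {"sAMAccountName": "svc-backup", "proxyAddresses": [],
     "userAccountControl": 512},          # no mail address at all
]


def smtp_addresses(entry):
    """Return (primary, aliases) from proxyAddresses, falling back to mail.

    AD marks the primary address with an upper-case 'SMTP:' prefix and
    secondary ones with 'smtp:'; other prefixes (X400:, sip:) are skipped.
    """
    primary, aliases = None, []
    for addr in entry.get("proxyAddresses", []):
        prefix, _, value = addr.partition(":")
        if prefix.lower() != "smtp" or "@" not in value or " " in value:
            continue  # not an SMTP address, or would break a Postfix map line
        if prefix == "SMTP":
            primary = value.lower()
        else:
            aliases.append(value.lower())
    if primary is None:
        primary = (entry.get("mail") or "").lower() or None
    return primary, aliases


def build_maps(entries):
    """Return (virtual_mailbox_maps lines, virtual_alias_maps lines)."""
    mailboxes, aliases = [], []
    for e in entries:
        if e.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue  # disabled in AD: stop accepting mail for it
        primary, extra = smtp_addresses(e)
        if primary is None:
            continue  # no routable address
        mailboxes.append(f"{primary}\t{e['sAMAccountName']}/Maildir/")
        aliases.extend(f"{a}\t{primary}" for a in extra)
    return sorted(mailboxes), sorted(aliases)
```

Each returned list is written to a file and compiled with postmap for use in virtual_mailbox_maps and virtual_alias_maps; re-running the dump on a schedule keeps disabled accounts from lingering as deliverable addresses.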
