This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. In this page, you will learn how to enable Postfix to look up email addresses in LDAP and how to enable Dovecot to authenticate against an LDAP server.

(Screenshot: JXplorer browsing Active Directory) This is what a typical Active Directory layout looks like.
(Screenshot: JXplorer browsing OpenLDAP) And here's a sample OpenLDAP layout. See OpenLDAP Setup Howto for a guide to setting up OpenLDAP. Or better yet, use the 389 Directory Server.
Note: I used JXplorer to browse the LDAP servers; you'll need the Java Runtime Environment to use it.

We will be using the following attributes:

  • samaccountname or uid – User Name for Active Directory or OpenLDAP respectively.
  • mail – Email Address. For Active Directory users, you need to fill in the E-mail field of the User.
  • othermailbox – For Active Directory only. We will use this field to store email aliases. Use ADSI Edit to update this field.

Create the Virtual Mail User Account

Since the Active Directory/OpenLDAP user names are not part of the Linux system, we will have to create a user that will be the owner for all the files belonging to the LDAP user names.

1. Create a new user; we will call it vmail. Change the Login Shell to /sbin/nologin, since this user account should not be used for logging in. Learn how to use the User Manager application here.
2. Take note of the User ID and Home Directory of vmail.
3. Click the Groups tab and note down the Group ID of vmail. We will be needing all of them later.

Postfix Active Directory/LDAP Integration

1. Create the file /etc/postfix/ containing the lines below
server_host = your ldap server
search_base = your search base
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/Maildir/

If you are connecting to an Active Directory server and would like to have email alias capability, change the query filter to (&(objectclass=person)(|(mail=%s)(othermailbox=%s))) to include the othermailbox field in the search.

Change samaccountname to uid if you will be connecting to an OpenLDAP server. If your server requires authentication, add the lines below

bind = yes
bind_dn = cn=mailuser,dc=acme,dc=local
bind_pw = password

Replace the values of bind_dn and bind_pw with a valid user account and password respectively. If you will be connecting to an Active Directory server, bind_dn can also be

bind_dn = acme\mailuser

or

bind_dn = mailuser@acme.local
2. Test your Postfix configuration file by typing the command

postmap -q bugsbunny@acme.local ldap:/etc/postfix/

in a terminal window. Replace bugsbunny@acme.local with a valid email address from your server. It should return the path to a mailbox file.

Note: If you are querying a Windows 2003 Server and postmap does not seem to work, try enabling Windows 2003 Active Directory anonymous LDAP operations.
(Screenshot: Edit main.cf) 3. Edit the Postfix configuration file /etc/postfix/ and edit the mydestination line so that it reads as below
mydestination = $myhostname, localhost.$mydomain, localhost

and add the lines below

virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/
virtual_uid_maps = static:501
virtual_gid_maps = static:501

virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user id and group id of vmail respectively.

Note: Make sure $mydomain in mydestination has been removed, otherwise the lookup will not work and you will get a "User unknown in local recipient table" error.
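As an added example (not code from the guide or from Postfix itself), here is a small Python checker for the main.cf change in this step. It parses a main.cf fragment, expands $name references the way Postfix does, and reports which address class Postfix will use for $mydomain, so the mistake the note above warns about is caught before Postfix is restarted. Postfix tries mydestination (local delivery) before virtual_mailbox_domains, which is why a domain left in mydestination never reaches the LDAP map. The two configuration fragments inside the block are constructed for the example, and the LDAP table filename in them is a placeholder because the guide does not show its name.

```python
import re

# Constructed main.cf fragments for the example: the first still lists
# $mydomain in mydestination, the second has it removed as the guide says.
# The LDAP table filename is a placeholder; the guide does not show it.
BROKEN_MAIN_CF = """\
myhostname = mail.acme.local
mydomain = acme.local
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
# placeholder table name
virtual_mailbox_maps = ldap:/etc/postfix/ldap-table-placeholder.cf
virtual_uid_maps = static:501
virtual_gid_maps = static:501
"""
FIXED_MAIN_CF = BROKEN_MAIN_CF.replace(", $mydomain\n", "\n")


def parse_main_cf(text):
    """Parse 'name = value' lines into a dict; '#' comment lines and blanks are
    skipped and indented continuation lines are appended to the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references recursively, like Postfix does."""
    if depth > 10:
        raise ValueError("parameter expansion nested too deeply")
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: expand(params.get(m.group(1) or m.group(2), ""),
                                   params, depth + 1),
                  value)


def domain_list(name, params):
    """The expanded, lower-cased list held by a comma/space separated parameter."""
    raw = expand(params.get(name, ""), params)
    return [d.lower() for d in re.split(r"[,\s]+", raw) if d]


def recipient_class(domain, params):
    """Which address class claims a recipient domain.  Postfix tries
    mydestination (local delivery) before virtual_mailbox_domains, so a
    domain listed in both is delivered locally and the LDAP map is never used."""
    domain = domain.lower()
    if domain in domain_list("mydestination", params):
        return "local"
    if domain in domain_list("virtual_mailbox_domains", params):
        return "virtual_mailbox"
    return "not_handled_here"


def check_virtual_setup(text):
    """Return ('ok', msg) or ('error', msg) for the $mydomain handling in main.cf."""
    params = parse_main_cf(text)
    mydomain = expand("$mydomain", params)
    cls = recipient_class(mydomain, params)
    if cls == "local":
        return ("error", "%s is listed in mydestination: mail for it goes to the "
                "local recipient table and the LDAP virtual_mailbox_maps lookup "
                "is skipped, so recipients fail with 'User unknown in local "
                "recipient table'" % mydomain)
    if cls == "virtual_mailbox":
        return ("ok", "%s is handled by virtual_mailbox_domains and looked up "
                "through virtual_mailbox_maps" % mydomain)
    return ("error", "%s is in neither mydestination nor virtual_mailbox_domains"
            % mydomain)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        status, message = check_virtual_setup(cfg)
        print("%s main.cf -> %s: %s" % (label, status, message))
```

Run it against your own /etc/postfix/main.cf by reading the file into a string and passing it to check_virtual_setup; the parser only understands the plain "name = value" form, which is all this step needs.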
4. Restart the Postfix service, or the MailScanner service if you have installed it. Learn how to start and stop services here.
5. You should now be able to send email to addresses found in your LDAP server. See Test Postfix using Telnet and try using LDAP email addresses instead of the system user names.

Dovecot Active Directory/LDAP Integration

Important: If you will be connecting to an Active Directory server, use Active Directory and Dovecot PAM Authentication, which uses Kerberos authentication, instead. The Kerberos authentication method is more reliable since it doesn't require a persistent connection, and you gain fail-over capability if you have multiple Active Directory servers.

1. Create a file containing the lines below, using the filename for your version.

RHEL/CentOS Version    Filename
5                      /etc/dovecot-ldap.conf
6                      /etc/dovecot/dovecot-ldap.conf

hosts = your ldap server
base = your search base
ldap_version = 3
auth_bind = yes

Depending on the LDAP server and the layout you are going to query, there are three ways to enable Dovecot to authenticate to your LDAP server.

Option 1: Active Directory
Replace acme with your own domain name. Works only with Microsoft’s Active Directory.

auth_bind_userdn = acme\%u

Option 2: Distinguished Name Template
Change the sample value to one that is appropriate for your layout.

auth_bind_userdn = uid=%u,ou=people,dc=acme,dc=local

Option 3: Search Filter
This should work with any layout but requires an additional search operation to find the correct distinguished name. Change the sample value to one that is appropriate for your layout.

pass_filter = (&(objectclass=person)(uid=%u))
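As an added example (not code from the guide, from Postfix or from Dovecot), the following Python simulates both LDAP lookups described on this page: the Postfix query_filter / result_attribute / result_format expansion from the Postfix section (including the othermailbox alias variant), and the Dovecot Option 3 pass_filter search above. It runs against an in-memory directory of constructed entries in the Active Directory layout shown earlier (the names, DNs and addresses are made up), so no LDAP server is contacted. Postfix quotes the lookup key per RFC 4515 when it expands %s (ldap_table(5) documents this) and Dovecot does the same for the variables it substitutes into pass_filter; the block shows why that matters by looking up a key of "*", which would otherwise match every entry. The pass_filter here uses samaccountname instead of the uid shown in Option 3, to fit the Active Directory sample entries.

```python
import re

# Constructed sample entries in the AD layout from the guide (made-up DNs).
# Attribute names are lower-cased because LDAP compares them case-insensitively.
DIRECTORY = [
    {"dn": "CN=Bugs Bunny,OU=Users,DC=acme,DC=local",
     "objectclass": ["top", "person", "user"],
     "samaccountname": ["bugsbunny"],
     "mail": ["bugsbunny@acme.local"],
     "othermailbox": ["bugs@acme.local", "rabbit@acme.local"]},
    {"dn": "CN=mailuser,OU=Service,DC=acme,DC=local",
     "objectclass": ["top", "person", "user"],
     "samaccountname": ["mailuser"],
     "mail": ["mailuser@acme.local"],
     "othermailbox": []},
]

BASIC_FILTER = "(&(objectclass=person)(mail=%s))"                      # guide, step 1
ALIAS_FILTER = "(&(objectclass=person)(|(mail=%s)(othermailbox=%s)))"  # guide, alias variant
PASS_FILTER = "(&(objectclass=person)(samaccountname=%u))"             # Option 3, AD attribute


def quote_filter_value(value):
    """RFC 4515 quoting of a value placed inside a filter: without it a key
    such as '*' would turn an equality match into a match-everything wildcard."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand_filter(template, value, token="%s"):
    """Replace every %s (Postfix) or %u (Dovecot) in the template with the quoted key."""
    return template.replace(token, quote_filter_value(value))


def parse_filter(s, i=0):
    """Recursive-descent parser for the filter subset used here: (&..), (|..),
    (!..) and (attr=value).  Returns (node, index just past the closing paren)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
    elif s[i] == "!":
        node, i = parse_filter(s, i + 1)
        op, kids = "!", [node]
    else:
        j = s.index(")", i)                 # a quoted value never contains ')'
        attr, _, val = s[i:j].partition("=")
        return ("=", attr.lower(), val), j + 1
    if s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return (op, kids), i + 1


def _unquote(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern, actual):
    """Equality match; an unquoted '*' is a wildcard and '*' alone tests presence."""
    if pattern == "*":
        return True
    regex = ".*".join(re.escape(_unquote(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))


def search(filter_string, directory=DIRECTORY):
    node, end = parse_filter(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing characters after filter")
    return [e for e in directory if matches(node, e)]


def postfix_lookup(address, query_filter, result_attribute="samaccountname",
                   result_format="%s/Maildir/", directory=DIRECTORY):
    """What `postmap -q address ldap:<table>` returns: one formatted value per hit."""
    hits = search(expand_filter(query_filter, address), directory)
    return [result_format.replace("%s", v)
            for e in hits for v in e.get(result_attribute.lower(), [])]


def dovecot_bind_dn(username, pass_filter=PASS_FILTER, directory=DIRECTORY):
    """Option 3: the DN Dovecot would bind as, or None unless exactly one entry matches."""
    hits = search(expand_filter(pass_filter, username, token="%u"), directory)
    return hits[0]["dn"] if len(hits) == 1 else None


if __name__ == "__main__":
    print(postfix_lookup("rabbit@acme.local", BASIC_FILTER))  # [] (alias not searched)
    print(postfix_lookup("rabbit@acme.local", ALIAS_FILTER))  # ['bugsbunny/Maildir/']
    print(postfix_lookup("*", ALIAS_FILTER))                  # [] (key is quoted)
    print(dovecot_bind_dn("bugsbunny"))                       # CN=Bugs Bunny,OU=Users,...
```

The alias lookup succeeds only with the othermailbox variant of the filter, which is the change the Postfix section describes; the bind-DN helper returns None when zero or several entries match, which is the condition under which Dovecot also refuses the login.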
2. For RHEL/CentOS 5, edit the file /etc/dovecot.conf and change the values of the following keys
auth_username_format = %Lu

passdb ldap {
  args = /etc/dovecot-ldap.conf
}

userdb static {
  args = uid=501 gid=501 home=/home/vmail/%u
}

For RHEL/CentOS 6, edit the file /etc/dovecot/conf.d/10-auth.conf and add the lines below
auth_username_format = %Lu

passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf
}

userdb {
  driver = static
  args = uid=501 gid=501 home=/home/vmail/%u
}

uid, gid and home should contain the user id, group id and home directory respectively of the vmail user account.

Note: Comment out all other passdb and userdb sections, and the include lines that pull them in, except for those specified above, to ensure that nothing conflicts with our LDAP virtual accounts.
3. Restart the dovecot service. Learn how to start and stop services here.
4. You should now be able to log in using the user names found in your LDAP server. See Test Dovecot using Telnet and try using LDAP user names instead of the system user names.
Note: If you encounter any problems, check the log file at /var/log/maillog.


Posted on 11/2/2007 and last updated on 8/29/2011