This guide will show you how to integrate Active Directory/LDAP into Postfix and Dovecot. On this page you will learn how to enable Postfix to look up email addresses in LDAP and how to enable Dovecot to authenticate users against an LDAP server.

Here is a sample OpenLDAP layout (shown as a screenshot in the original post). See OpenLDAP Setup Howto for a guide to setting up OpenLDAP, or better yet, use the Fedora Directory Server.
I used JXplorer to browse the LDAP servers; you'll need the Java Runtime Environment to run it.
We will be using the following attributes:
- samaccountname or uid - the user name, for Active Directory or OpenLDAP respectively.
- mail - the email address. For Active Directory users, you need to fill in the E-mail field of the user.
- othermailbox - Active Directory only. We will use this field to store email aliases; use ADSI Edit to update it.
Create the Virtual Mail User Account
Since the Active Directory/OpenLDAP user names are not Linux system accounts, we have to create one local user that will own all the mailbox files belonging to the LDAP users.

1. Create a new user, which we will call vmail. Change the Login Shell to /sbin/nologin; this account should never be used for logging in. Learn how to use the User Manager application here.
2. Note down the User ID and the home directory of vmail.
3. Click the Groups tab and note down the Group ID of vmail. We'll be needing all of them later.

Postfix Active Directory/LDAP Integration

1. Create the file /etc/postfix/ldap-users.cf containing the lines below
server_host = your ldap server
search_base = your search base
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/Maildir/
Change samaccountname to uid if you will be connecting to an OpenLDAP server.
If you are connecting to an Active Directory server and would like email alias capability, change the query filter to (&(objectclass=person)(|(mail=%s)(othermailbox=%s))) so that the othermailbox field is searched as well. Keep the objectclass=person test and keep looking up by mail rather than by samaccountname: a filter on samaccountname alone turns every account in the directory, built-in system accounts included, into a deliverable address.
If your server requires authentication (Active Directory does not allow anonymous searches by default), add the lines below
bind = yes
bind_dn = cn=mailuser,dc=acme,dc=local
bind_pw = password
Replace the values of bind_dn and bind_pw with a valid user account and password. The account only needs to read the directory, so create a dedicated, unprivileged one for this purpose (the author uses mailuser) rather than an administrator. Because bind_pw is stored in clear text, make the file readable only by root and the postfix group (chown root:postfix, chmod 640), and because a simple bind sends the password in clear text on port 389, add start_tls = yes to the file, or set server_host to an ldaps:// URL, so that Postfix negotiates TLS before binding. If you will be connecting to an Active Directory server, bind_dn can also be
bind_dn = acme\mailuser
or
bind_dn = mailuser@acme.local
2. Test your Postfix configuration file by typing in the command
postmap -q bugsbunny@acme.local ldap:/etc/postfix/ldap-users.cf
in a terminal window. Replace bugsbunny@acme.local with a valid email address from your server. It should print the mailbox path relative to the virtual mailbox base, for example bugsbunny/Maildir/ (the directory itself is only created when the first mail arrives). No output and no error in /var/log/maillog means the lookup worked but nothing matched, usually because the E-mail field of that user is empty.
If you are querying a Windows 2003 Server and postmap does not seem to work, try enabling the Windows 2003 Active Directory anonymous LDAP operations. Treat this as a last resort: it lets anyone on the network read the directory, and a bind failure ("Invalid credentials" in maillog) is normally just a wrong bind_dn, which is better fixed by using the DOMAIN\user or user@domain form above.
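As an added example (not part of the original how-to), the Python script below mimics what postmap -q does with the query_filter above against a few constructed directory entries, and shows why the value substituted for %s must be escaped the way RFC 4515 requires. Postfix escapes %s and %u itself, so the file above is safe as written; the escape=False path shows what a hand-written lookup script that skips the escaping would return for an address containing a wildcard. The entries, the alias bugs@acme.local and the built-in account krbtgt are constructed for the example.

```python
import re

# RFC 4515 escaping for a value substituted into an LDAP search filter.
# Postfix escapes %s/%u itself and Dovecot escapes %u; a home-grown lookup
# script must do the same, or '*', '(' and ')' in an address change the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, substitutions, escape=True):
    """Expand Postfix-style %s/%u (or Dovecot %u) tokens in a filter template."""
    out = template
    for token, value in substitutions.items():
        out = out.replace(token, escape_filter_value(value) if escape else value)
    return out


def _parse(f, i=0):
    """Tiny RFC 4515 parser: supports (&...), (|...) and (attr=value) with '*'."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|":
        op, i, children = f[i], i + 1, []
        while f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        assert f[i] == ")"
        return (op, children), i + 1
    eq = f.index("=", i)
    close = f.index(")", eq)  # a literal ')' inside a value has been escaped to \29
    return ("eq", f[i:eq].lower(), f[eq + 1:close]), close + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _match(pattern, actual):
    # An unescaped '*' is a wildcard; everything else is literal. 'mail' and
    # 'sAMAccountName' use caseIgnore matching, so compare case-insensitively.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def _evaluate(node, entry):
    if node[0] == "&":
        return all(_evaluate(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_evaluate(c, entry) for c in node[1])
    _, attr, pattern = node
    return any(_match(pattern, v) for v in entry.get(attr, []))


def postmap_lookup(entries, query_filter, result_attribute, result_format, key, escape=True):
    """Mimic `postmap -q KEY ldap:/etc/postfix/ldap-users.cf`: %s is the whole
    address, %u its local part, and every hit is formatted with result_format."""
    local_part = key.split("@", 1)[0]
    expanded = build_filter(query_filter, {"%s": key, "%u": local_part}, escape)
    node, _ = _parse(expanded)
    hits = []
    for entry in entries:
        if _evaluate(node, entry):
            hits.extend(result_format.replace("%s", v) for v in entry.get(result_attribute, []))
    return hits


# Constructed directory entries (not taken from the page); attribute names are
# lower-cased the way the how-to writes them, values are lists as in LDAP.
ENTRIES = [
    {"objectclass": ["person", "user"], "samaccountname": ["bugsbunny"],
     "mail": ["bugsbunny@acme.local"], "othermailbox": ["bugs@acme.local"]},
    {"objectclass": ["person", "user"], "samaccountname": ["daffyduck"],
     "mail": ["daffyduck@acme.local"]},
    # built-in account: sAMAccountName set, E-mail field left empty
    {"objectclass": ["person", "user"], "samaccountname": ["krbtgt"]},
]

MAIL_FILTER = "(&(objectclass=person)(mail=%s))"
ALIAS_FILTER = "(&(objectclass=person)(|(mail=%s)(othermailbox=%s)))"
LOGIN_FILTER = "(&(objectclass=person)(samaccountname=%u))"

if __name__ == "__main__":
    for key in ("bugsbunny@acme.local", "bugs@acme.local", "*@acme.local"):
        print(key, "->", postmap_lookup(ENTRIES, ALIAS_FILTER, "samaccountname", "%s/Maildir/", key))
```

The LOGIN_FILTER line reproduces the alternative filter discussed in the comments below: matching on samaccountname instead of mail makes krbtgt a deliverable address even though it has no E-mail field.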
3. Edit /etc/postfix/main.cf. Remove $mydomain from mydestination, so that it reads
mydestination = $myhostname, localhost.$mydomain, localhost
and add the lines below
virtual_mailbox_domains = $mydomain
virtual_mailbox_base = /home/vmail/
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_uid_maps = static:501
virtual_gid_maps = static:501
virtual_mailbox_base, virtual_uid_maps and virtual_gid_maps should contain the home directory, user ID and group ID of vmail respectively. A domain must not appear in both mydestination and virtual_mailbox_domains; if it does, Postfix keeps treating the domain's users as local system accounts and rejects LDAP users with "User unknown in local recipient table". Once the domain is virtual, only the LDAP users can receive mail for it; local system accounts in that domain no longer do. Keep the trailing "/" in result_format: when the combined path (virtual_mailbox_base plus the lookup result) ends in "/", Postfix delivers to a Maildir, otherwise to an mbox file, and Dovecot is configured below to expect a Maildir.

4. Restart the Postfix service (or the MailScanner service, if you have installed it). Learn how to start and stop services here.
5. You should now be able to send email to addresses found in your LDAP server. See Test Postfix using Telnet and try LDAP email addresses instead of the system user names.

Dovecot Active Directory/LDAP Integration
If you will be connecting to an Active Directory server, consider using Active Directory and Dovecot PAM Authentication instead, which uses Kerberos. The Kerberos method is more reliable since it does not require a persistent LDAP connection, and you get fail-over if you have multiple Active Directory servers.

1. Create the file /etc/dovecot-ldap.conf containing the lines below
hosts = your ldap server
base = your search base
ldap_version = 3
auth_bind = yes
Do not leave out ldap_version = 3: without it this version of Dovecot attempts an LDAPv2 bind, which OpenLDAP refuses with "Protocol error" unless allow bind_v2 is set in slapd.conf. With auth_bind = yes Dovecot never reads the userPassword attribute; it verifies each login by binding to the LDAP server as that user, so every password crosses the network. Add tls = yes so that the connection to the LDAP server is encrypted, and keep this file readable only by root, since it would also hold the search account's password (dnpass) if you set one.
Depending on the LDAP server and the layout you are going to query, there are three ways to let Dovecot find the entry to bind as. Add one of the following lines to /etc/dovecot-ldap.conf.
Option 1: Active Directory
Replace acme with your own NetBIOS domain name. Works only with Microsoft's Active Directory, which accepts DOMAIN\user as a bind name in place of a distinguished name.
auth_bind_userdn = acme\%u
Option 2: Distinguished Name Template
Change the sample value to one that matches your layout. %u is replaced with the login name, so the template must produce the exact DN of the user's entry (for example cn=%u,dc=acme,dc=local for a layout that names entries by cn directly under the base).
auth_bind_userdn = uid=%u,ou=people,dc=acme,dc=local
Option 3: Search Filter
This works with any layout but requires an additional search operation before the bind: Dovecot searches below base for the entry matching pass_filter (anonymously unless you set dn and dnpass) and then binds as the DN it found. Change the sample value to one that is appropriate for your layout.
pass_filter = (&(objectclass=person)(uid=%u))
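To make the difference between Option 2 and Option 3 concrete, here is an added example (not from the original page) that simulates both sides of the exchange in Python: Dovecot resolves a DN, either by filling the auth_bind_userdn template or by searching for the entry whose uid matches the login, and then performs a simple bind, which the simulated server answers by checking the entry's userPassword in the {MD5} or {SSHA} form that OpenLDAP stores. The directory, the users fuzzy and bugsbunny and their passwords are constructed; Active Directory's DOMAIN\user bind name (Option 1) is accepted by AD itself and is not modelled.

```python
import base64
import hashlib
import hmac


# userPassword the way OpenLDAP stores it: "{MD5}" + base64(md5(pw)) or
# "{SSHA}" + base64(sha1(pw + salt) + salt). With auth_bind = yes Dovecot never
# reads this attribute; the LDAP server checks it when Dovecot binds as the user.
def md5_password(pw):
    return "{MD5}" + base64.b64encode(hashlib.md5(pw.encode()).digest()).decode()


def ssha_password(pw, salt):
    digest = hashlib.sha1(pw.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


# Constructed directory (not from the page), DN -> attributes.
DIRECTORY = {
    # entries named by cn directly under the base, like the page's OpenLDAP sample
    "cn=fuzzy,dc=acme,dc=local": {
        "objectclass": ["inetOrgPerson"], "uid": "fuzzy",
        "userPassword": md5_password("wuzzy")},
    # the layout assumed by the page's Option 2 template
    "uid=bugsbunny,ou=people,dc=acme,dc=local": {
        "objectclass": ["inetOrgPerson"], "uid": "bugsbunny",
        "userPassword": ssha_password("carrot", b"\x01\x02\x03\x04")},
}


def verify_password(stored, candidate):
    """Server-side check of an OpenLDAP userPassword value (constant-time compare)."""
    if stored.startswith("{MD5}"):
        expected = base64.b64encode(hashlib.md5(candidate.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(candidate.encode() + salt).digest())
    raise ValueError("unsupported password scheme")


def simple_bind(dn, password):
    """What the LDAP server does with the bind request Dovecot sends."""
    entry = DIRECTORY.get(dn)
    # servers report an unknown DN and a wrong password the same way
    if entry is None or not verify_password(entry["userPassword"], password):
        return False, "invalid credentials"
    return True, "ok"


def resolve_dn(user, auth_bind_userdn=None, pass_filter_attr="uid"):
    """Option 2: fill the DN template. Option 3: search below the base for the
    entry whose attribute named in pass_filter equals the login (Dovecot escapes
    the %u value it puts in the filter; here we compare attribute values)."""
    if auth_bind_userdn is not None:
        return auth_bind_userdn.replace("%u", user)
    matches = [dn for dn, e in DIRECTORY.items() if e.get(pass_filter_attr) == user]
    return matches[0] if len(matches) == 1 else None


def dovecot_login(user, password, auth_bind_userdn=None):
    """Return (success, reason) for a login attempt under the chosen option."""
    dn = resolve_dn(user, auth_bind_userdn)
    if dn is None:
        return False, "no unique entry found by pass_filter search"
    ok, reason = simple_bind(dn, password)
    return ok, "%s (dn %s)" % (reason, dn)


if __name__ == "__main__":
    print(dovecot_login("fuzzy", "wuzzy", "uid=%u,ou=people,dc=acme,dc=local"))  # wrong template
    print(dovecot_login("fuzzy", "wuzzy", "cn=%u,dc=acme,dc=local"))             # template matches layout
    print(dovecot_login("fuzzy", "wuzzy"))                                       # search finds it anyway
```

The first call reproduces the failure discussed in the comments: a DN template that does not match the directory layout yields a DN that does not exist, and the server answers "invalid credentials" even though the password is right. The search-based option pays for its extra round trip by working with both layouts.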
2. Edit /etc/dovecot.conf so that the passdb and userdb sections read
passdb ldap {
args = /etc/dovecot-ldap.conf
}
userdb static {
args = uid=501 gid=501 home=/home/vmail/%u
}
uid, gid and home should contain the user ID, group ID and home directory of the vmail user account. home must resolve to the directory Postfix delivers into (virtual_mailbox_base plus the result_format path); otherwise Dovecot looks for mail in the wrong place and logs mkdir ... Permission denied.
Comment out all the other passdb and userdb sections (in particular userdb passwd) so that nothing conflicts with our LDAP virtual accounts; a leftover userdb passwd makes Dovecot look up the login name as a Linux system account and use that account's home directory instead.

3. Restart the dovecot service. Learn how to start and stop services here.
4. You should now be able to log in using the user names found in your LDAP server. See Test Dovecot using Telnet and try LDAP user names instead of the system user names.
If you encounter any problems, check the log file at /var/log/maillog.
***
Posted on 11/2/2007 and last updated on 10/28/2008
Filed under Active Directory , CentOS 5 , Dovecot , LDAP , Postfix , Red Hat Enterprise Linux 5
January 2nd, 2008 at 1:30 pm
Hi,
I am not trying to configure my mail server with Virtual Mail account from Active directory (2003). My /etc/postfix/ldap-users.cf is as follows,
server_host = mymail.mydomain.local
search_base = dc=mydomain,dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = administrator
result_format = %s/Maildir/
bind = yes
bind_dn = cn=administrator,dc=mydomain,dc=local
bind_pw = password
When I try to run a user mailbox test,
postmap -q mailtest@mydomain.local ldap:/etc/postfix/ldap-users.cf
It is unsuccessful. The log file shows,
Jan 2 19:27:32 postfix postfix/postmap[3099]: warning: dict_ldap_connect: Unable to bind to server ldap://mymail.mydomain.local:389 as cn=administrator,dc=mydomain,dc=local: 49 (Invalid credentials)
Pls help.
Mahmud
January 2nd, 2008 at 2:27 pm
Hi,
The “Invalid credentials” is the problem, since you are connecting to an active directory server, it would be better if you use “mydomain\administrator” instead of “cn=administrator,dc=mydomain,dc=local” so that you need not be concerned about where exactly administrator is located, it may be in “cn=administrator,cn=users,dc=mydomain,dc=local”
Next in your /etc/postfix/ldap-users.cf the correct line should be
result_attribute = samaccountname
not
result_attribute = administrator
Finally, if you will not be using the Virtual Mail accounts, you should not use ldap-users.cf above and instead follow the steps in Active Directory Integration with Samba for RHEL/CentOS 5, it shows a few test to ensure that your Active Directory entries from Samba should automatically work with Postfix and Dovecot.
January 3rd, 2008 at 8:26 am
Hi,
Thanks for your reply.
I changed my ldap-users.cf as per your configuration. But now the “postmap -q mailtest@mydomain.local ldap:/etc/postfix/ldap-users.cf” shows nothing at maillog related to ldap authentication. Even if I put an invalid user account to test, it shows the same, nothing.
I am using CentOS 5.0.
I don’t know what is the problem.
Pls help.
Mahmud
January 3rd, 2008 at 9:21 am
Hi,
No problem.
I’m assuming you are now using Virtual Users. If no errors appear in maillog, this means that the configuration file is now working. The reason it shows nothing when you use a valid email address is because the E-mail field in Active Directory is empty. You could either fill in the E-mail field for every user you want to have a mail account or change the line in ldap-users.cf to query_filter = (&(objectclass=person)(samaccountname=%u)). I don’t recommend the other solution because all Active Directory accounts, including built-in system accounts, will become valid email addresses.
January 3rd, 2008 at 9:38 am
thanks.
You are right. Authentication is successful, but it doesn’t show any log information. If I put a wrong password, then it shows “Invalid credentials” at maillog.
Rgds,
Mahmud Jami
January 3rd, 2008 at 10:06 am
Need help again…
After ldap-users.cf configuration, when I did the SMTP testing using “telnet 127.0.0.1 25” with a valid sender address and rcpt address, the maillog shows,
Jan 3 15:59:28 postfix postfix/smtp[3151]: 178374DF08C: to=, relay=none, delay=0.01, delays=0/0/0.01/0, dsn=5.4.6, status=bounced (mail for mydomain.local loops back to myself)
Pls help.
Rgds,
Mahmud Jami
January 3rd, 2008 at 10:16 am
I have fixed the loops back problem.
January 3rd, 2008 at 10:20 am
Now I am getting the following error:
Jan 3 16:17:49 postfix postfix/virtual[3477]: fatal: setrlimit: Permission denied
Jan 3 16:17:50 postfix postfix/master[3451]: warning: process /usr/libexec/postfix/virtual pid 3477 exit status 1
Jan 3 16:17:50 postfix postfix/master[3451]: warning: /usr/libexec/postfix/virtual: bad command startup — throttling
Pls help.
Mahmud Jami
January 3rd, 2008 at 1:39 pm
You probably did not disable SELinux. Leaving SELinux enabled causes a lot of problems including this one and disabling it does not make your system any less secure.
January 7th, 2008 at 8:54 am
Thanks.
I disabled SELinux and it is working fine now.
Rgds,
Mahmud Jami
January 22nd, 2008 at 2:48 am
Hi,
I cannot get this to work:
postmap -q cent50@centaur.local ldap:/etc/postfix/ldap-users.cf
here are its contents:
server_host = centaur
search_base = dc=centaur,dc=local
version = 3
query_filter = (&(objectclass=inetOrgPerson)(mail=%s))
result_attribute = cent50
result_format = %s/Maildir/
bind = yes
bind_dn = cn=root,dc=centaur,dc=local
bind_pw = rootpw
here’s an ldif of my cent50 user (uid 500):
dn: cn=cent50,dc=centaur,dc=local
objectClass: inetOrgPerson
objectClass: top
cn: cent50
street: 123 main
telephoneNumber: 866-555-1212
mobile: 866-555-1212
givenName: cent50
mail: cent50@centaur.local
sn: cent50
l: park place
o: my org
postalCode: 90210
st: ca
BTW, I have trouble getting JXplorer working. I’m using phpLDAPadmin. Any opinion on that software?
January 22nd, 2008 at 1:33 pm
Hi,
result_attribute should be cn, not cent50. That’s why it’s not working.
I haven’t tried phpLDAPadmin. I use mostly Windows that’s why I prefer desktop applications like JXplorer. And yes, JXplorer is very troublesome to setup due to the fact that the installer no longer works with the new Java 1.6.
If you still like to try JXplorer, download the platform independent version of JXplorer. That’s the one I’m using.
January 22nd, 2008 at 10:15 pm
That fixed it. Thanks.
WRT JXplorer, I had trouble even getting Java up and running as a plugin to FireFox. Turns out the install procedure on Sun’s site (and others’ sites) was wrong. The plugin doesn’t go in /usr/lib/mozilla, it goes in /usr/lib/firefox-2.0.0.11/plugins (my current version) directory. So once that was working, JXplorer wouldn’t install, complaining that the Java VM had to be in the PATH, but gave no explanation of how to do that. I tried various things: setenv PATH=$PATH:/usr/jre1.6.0_03/bin and a few others, but to no avail.
I’ll look into the platform independent version.
January 23rd, 2008 at 1:37 am
I’m using the vmail (uid:501) user account.
I added a virtual user named fuzzy, password wuzzy.
Here’s the OpenLDAP ldif output:
dn: cn=fuzzy,dc=centaur,dc=local
objectClass: inetOrgPerson
objectClass: top
cn: fuzzy
street: 123 main
postalCode: 90210
st: ca
givenName: fuzzy
l: nowhere
mail: fuzzy@centaur.local
o: my organization
sn: fuzzy
userPassword: {MD5}57rpZeO0+GnMPaOfefB4WA==
uid: fuzzy
Here is the file /etc/dovecot-ldap.conf:
hosts = centaur
base = dc=centaur,dc=local
auth_bind = yes
#auth_bind_userdn = uid=%u,ou=people,dc=centaur,dc=local
pass_filter = (&(objectclass=inetOrgPerson)(uid=%u))
I tried method 2 and 3. I made the appropriate changes to dovecot.conf and restarted the service.
When I try to log into squirrelmail with u: fuzzy, p: wuzzy, I get an error: Unknown user or password incorrect.
The /var/log/maillog says this:
Jan 22 19:27:00 centaur dovecot: auth(default): LDAP: binding failed (dn (none)): Protocol error
Jan 22 19:27:16 centaur dovecot: auth(default): LDAP: binding failed (dn (none)): Protocol error
Jan 22 19:27:16 centaur dovecot: imap-login: Aborted login: user=, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
What have I missed?
January 23rd, 2008 at 11:33 am
Your dn is cn=fuzzy,dc=centaur,dc=local which means auth_bind_userdn should be cn=%u,dc=centaur,dc=local
January 23rd, 2008 at 11:55 pm
I tried cn=%u,dc=centaur,dc=local, but get the same failed login and error in /var/log/maillog.
I did a search online for the error “LDAP: binding failed (dn(none)): Protocol error” and someone suggested allow_bind_v2 in slapd.conf, bu that didn’t work.
January 24th, 2008 at 1:05 pm
Ok, please confirm first that your ldap authentication is working. Try the following command ldapsearch -x -D "cn=fuzzy,dc=centaur,dc=local" -w wuzzy "cn=*"
If it works, try authenticating via POP3.
If it still works, at least we know that the problem is something about your IMAP configuration. I’ll think of something else, please try the above tests first.
January 25th, 2008 at 3:04 am
Ok. The ldapsearch worked. fuzzy is there. But the authentication via pop3 failed “ERR - Temporary authentication failure” after the “pass wuzzy”.
So I logged in to squirrelmail as cent50 (another user I used to send mail to fuzzy) and found that the message was returned: : Host or domain name not found. Name service error for name=centaur.local type=A: Host not found.
Could it be that the attribute I added for fuzzy’s password - userPassword: {MD5}57rpZeO0+GnMPaOfefB4WA== - is not correct? Is there a specific attribute name I must use for email passwords for objectClass: inetOrgPerson? Or should I not be using inetOrgPerson at all for objectClass?
January 25th, 2008 at 3:59 pm
ldapsearch worked. This means that the user passwords are stored correctly.
Now I get it, the only difference between the Postfix and Dovecot configuration is that Postfix has version = 3. To fix the problem, you can either add ldap_version = 3 in dovecot-ldap.conf or allow bind_v2 in slapd.conf (not allow_bind_v2).
January 25th, 2008 at 11:18 pm
As I said in comment 16 above, uncommenting allow bind_v2 in slapd.conf and restarting ldap (slapd), dovecot, and postfix, didn’t work.
So I added ldap_version = 3 in dovecot-ldap.conf, restarted dovecot and that works!
I see you’ve added this above in the instructions, but your picture doesn’t have it yet.
Again, thanks.
January 25th, 2008 at 11:57 pm
> uncommenting allow bind_v2
I see, I thought allow bind_v2 was not properly configured because my slapd.conf has it and it works.
> but your picture doesn’t have it yet.
I’ve updated the picture, you just need to refresh your browser a few times. It didn’t appear in mine too.
Thanks too, this is second page I’ve updated based on your comments.
February 11th, 2008 at 4:09 am
hi
“Replace the value of bind_dn and bind_pw with a valid user account and password respectively. If you will be connecting to an Active Directory server, bind_dn can also be”
I can’t understand this one. Can you please explain: username of the password for each user?
FYI. i’m configuring with AD
February 11th, 2008 at 3:10 pm
Hi,
Some LDAP server configurations (like Active Directory) do not allow anonymous connections, thus you need to specify a valid user name and password to be able to connect.
To be able to connect to the Active Directory server, I created an AD user account mailuser used specifically for authentication purposes only.
March 19th, 2008 at 2:02 am
I’m getting an error: Unknown user in recipient table when I attempt to send to an LDAP defined user. Sending from an LDAP user to any system user works fine, but the other way around fails every time. I have already logged in with the LDAP user and checked to make sure his directory has been created. I have SELinux disabled and have checked the /var/log/maillog file, it returns the same error.
Using:
OS: Fedora Core 8
Machine: VMware v.6.0.2 virtual machine
Any suggestions would be appreciated…
Aaron Thompson
March 19th, 2008 at 2:26 am
Sorry but you cannot have both LDAP and system user accounts because to enable the LDAP users we need to switch to virtual user accounts in Postfix. You need to migrate or export your system users to LDAP.
In mydestination, $mydomain should be removed.
The line
virtual_mailbox_domains = $mydomain
tells Postfix that $mydomain uses virtual users.
Your Postfix still uses the system accounts because the error should be “User unknown in virtual mailbox table” if virtual users is in use.
March 19th, 2008 at 2:08 pm
I changed the mydestination line to the one without $mydomain, now I don’t get an error, however, none of the mail I send internally gets received. A user can’t even send mail to him/her self.
Any advice would be appreciated…
Aaron Thompson
March 19th, 2008 at 6:13 pm
I have found the cause of the issue:
“virtual_mailbox_base = /home/vmail/” needs to have the trailing “/” dropped;
I also made an error in copying over some of the text.
You might want to update the site…
Thanks,
Aaron Thompson
March 20th, 2008 at 2:50 am
The trailing “/” in “virtual_mailbox_base = /home/vmail/” is intentionally there to enable the better Maildir format instead of the older Mbox format. If “/” is removed, dovecot will not work since it is also configured to look for a Maildir mailbox.
March 27th, 2008 at 11:15 pm
Hi,
I have already set up postfix to get user emails from active directory following the steps above, and have also set up dovecot to allow login from active directory users. I can send mail to the user from active directory, but whenever I log in with that user from pop3, it says that there’s no inbox for the user. Searching through the maillog, I found permission denied errors. These are its contents:
Mar 28 01:28:51 xmail dovecot: POP3(fmondia): mkdir(/var/mail/fmondia/Maildir/cur) failed: Permission denied
Mar 28 01:28:51 xmail dovecot: POP3(fmondia): Couldn’t open INBOX: Internal error occurred. Refer to server log for more information. [2008-03-28 01:28:51]
Mar 28 01:28:51 xmail dovecot: POP3(fmondia): No INBOX for user top=0/0, retr=0/0, del=0/0, size=0
I did manage to send email to a local account and it delivered it to the user’s mailbox just fine.
I didn’t see any “permission setting” in the guide. What could be wrong?
Centos 5
Postfix 2.3.3-2
dovecot-1.0-1.2.rc15.el5
March 28th, 2008 at 12:25 am
In Postfix SMTP Server Setup Howto, I configured Postfix to save incoming mail to [home directory]/Maildir by adding the line
home_mailbox = Maildir/.
Dovecot on the other hand should be configured to read mails from [home directory]/Maildir by adding the line virtual_mailbox_base = /home/vmail/. Configured this way, you should not encounter any permission problems.
I’ve updated the text above to ensure that Postfix stores its mails to [home directory]/Maildir.
March 28th, 2008 at 1:09 pm
Sorry, please disregard my previous comment, I got it all mixed up.
In Dovecot, make sure you have the line below
userdb static {
args = uid=501 gid=501 home=/home/vmail/%u
}
This takes care of the permission problem.
The mkdir(/var/mail/fmondia/Maildir/cur) failed: Permission denied means the above is not yet properly set and Dovecot is looking for mails at the wrong location.
March 28th, 2008 at 11:20 pm
Hi,
Got it to work now. Thanks. One thing though, i was tailing the log files and noticed that there is this line:
Mar 28 21:10:19 xmail MailScanner[11869]: Could not create SpamAssassin cache database /var/spool/MailScanner/incoming/SpamAssassin.cache.db
Is this normal?
March 28th, 2008 at 11:27 pm
Hi,
I would just like to hear your opinion on these matters.
I would like to have the user mailboxes on an NFS mounted partition so that I can just easily move them around if I run out of space. Is this a recommended solution to the problem I mentioned?
Also, how about maildir quotas? Is it just a matter of adding quota settings to the maildir partition or re-compile postfix with the quota patch?
March 29th, 2008 at 1:58 am
Re: Could not create SpamAssassin cache database
The above is not normal, SpamAssassin.cache.db should be owned by Postfix. To fix the problem, just delete the file /var/spool/MailScanner/incoming/SpamAssassin.cache.db
and restart MailScanner to automatically recreate the file with the correct owner.
March 29th, 2008 at 2:06 am
Re: NFS mounted partition mailboxes
This is possible with the setup we are using (maildir mailbox format) but I wouldn’t recommend it. It adds a whole set of failure points to your mail server. The network switch could fail, the remote machine could go down, etc. Hard disk space is cheap these days and it would be better to invest in a big one.
March 29th, 2008 at 2:13 am
Re: maildir quotas
You need to re-compile postfix with the quota patch. This gives a complete solution like individual mailbox quota and customizable “limit” message.
Postfix VDA - Postfix Quota Patch
March 29th, 2008 at 6:32 am
Hi,
I have fixed my aforementioned errors. Thanks for the help. I did get another strange message in my maillog:
Mar 29 01:29:53 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
What could be causing this? I could log-in with a user from the ldap server fine.
March 29th, 2008 at 6:44 am
It means dovecot can’t connect to the LDAP server. Did Postfix work? Can you telnet your LDAP server? Your LDAP server’s firewall might be blocking your connection.
March 29th, 2008 at 7:26 am
It’s on a Windows 2003 Active Directory Server. How do I test it if postfix works? If what you mean is that it’s able to send messages to accounts in the AD server, that’s a yes.
I can ping the LDAP server fine.
March 29th, 2008 at 7:32 am
Yes you can ping but can you telnet server ldap? Re postfix, I meant does postmap -q [email] ldap:/etc/postfix/ldap-users.cf work? If the postmap test work, you should be able to do the same with dovecot.
March 29th, 2008 at 8:01 am
In a way yes, postfix works. I used the test above after integrating postfix to ldap. But sending mail to an account found on the ldap server does not work. Ironically, I can log-in with the same account using dovecot.
What could be wrong?
March 29th, 2008 at 8:04 am
Update to my previous post, yes, postmap -q [email] ldap:/etc/postfix/ldap-users.cf works. I don’t have telnet running on the win2003 machine. Any other service I can try to connect to so that I can verify if it’s a firewall problem?
There’s nothing on the AD server logs that suggests it’s a firewall problem.
March 29th, 2008 at 1:51 pm
This means that dovecot is working.
You don’t have to install a telnet server in win2003. Just type telnet server ldap from the terminal window and the telnet client will attempt to connect to the server at port 389. Anyway, postfix and dovecot confirms that you can connect to the active directory server.
A lot of things might cause the sending problem.
1. Can you send to system accounts? If yes, that is wrong. Read my comment to Aaron Thompson.
2. Before integrating Active Directory, did you check if your mail server is working. You might have misconfigured mailscanner or something. If mailscanner is misconfigured, mails will get stuck in the holding area.
March 30th, 2008 at 4:18 am
I was able to test the ldap server using telnet and it connected. One thing though, I can still send mail to system accounts. I checked your post to Aaron Thompson and my postfix was configured correctly.
I think it was a temporary problem I guess. I’m still running this setup on a win2003 box inside vmware server. I am already setting-up my “real” physical mail server. Hopefully I won’t be able to encounter these problems when I move to the physical server.
March 30th, 2008 at 6:14 am
I don’t know if this matters, but I have mail in /var/spool/postfix/incoming. This is mail that’s supposed to go to our existing mail server, but it’s not getting there. Any idea what might be causing this? It’s related I think to the ldap connect server problem I’m having. It has cropped-up in my logs again.
March 30th, 2008 at 6:48 am
Just as I thought. Whether you are installing into a VMWare or a real physical mail server should not make a difference. Actually, I’m using VMWare myself to get the screenshots and to experiment with several OS and configurations.
Since mails are in /var/spool/postfix/incoming and not in /var/spool/postfix/hold, this means that MailScanner is working properly. From incoming, Postfix should pickup the mail from there and transfer it to the proper mailbox.
Can you post the last few lines of your log. The answer probably lies in there.
March 31st, 2008 at 5:14 am
May I know what kinds of messages are you looking for? I have pretty much a lot of messages already in my log.
Some of the more suspect lines:
Mar 30 16:14:58 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 16:23:15 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 16:31:33 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 16:39:51 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 16:48:08 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 16:56:25 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 17:01:04 xmail update.bad.phishing.sites: Delaying cron job up to 600 seconds
Mar 30 17:03:29 xmail update.bad.phishing.sites: Phishing bad sites list updated
Mar 30 17:03:30 xmail update.virus.scanners: Delaying cron job up to 600 seconds
Mar 30 17:04:27 xmail update.virus.scanners: Found clamav installed
Mar 30 17:04:27 xmail update.virus.scanners: Running autoupdate for clamav
Mar 30 17:04:28 xmail ClamAV-autoupdate[25929]: ClamAV updater /usr/local/bin/freshclam cannot be run
Mar 30 17:04:30 xmail update.virus.scanners: Found generic installed
Mar 30 17:04:30 xmail update.virus.scanners: Running autoupdate for generic
Mar 30 17:04:47 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 17:13:08 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 17:21:27 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 17:29:48 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
Mar 30 17:38:09 xmail dovecot: auth(default): LDAP: ldap_result() failed: Can’t contact LDAP server
March 31st, 2008 at 1:44 pm
> Ironically, I can log-in with the same account using dovecot.
Can you still log into dovecot using LDAP accounts? It looks like it is not working based on your log.
Anyway, I’m guessing it’s just a configuration problem. Can you send your main.cf and dovecot.conf to consultant@linux-mail.info
April 1st, 2008 at 10:48 am
Hi, is there a way to make postfix write the mailbox name in lowercase too? If my samaccountname is Offmct, postfix writes my mailbox as /home/vmail/Offmct/Maildir. This will not get matched with auth_username_format = %Lu in dovecot.
April 1st, 2008 at 2:26 pm
Sorry, postfix does not provide the ability to use lower case. I’ve removed auth_username_format = %Lu in dovecot to remain compatible to postfix.
April 6th, 2008 at 3:48 pm
Hello Consultant,
Ok, Will send you my logs in a day or two. Sorry for the delay, attended a two-day seminar and had some enrollment issues to attend to. Expect my mail tomorrow or the day after that.
April 7th, 2008 at 3:00 am
Just to answer your previous question,
Yes, I can log in to dovecot with LDAP accounts, but the problem is it does not work after a while and then I start to see the LDAP errors in my logs.
April 17th, 2008 at 3:08 pm
Check out Active Directory and Dovecot PAM Authentication which uses Kerberos authentication. That should work.
April 18th, 2008 at 2:13 am
Thanks for the neat howto.
I managed to get things working,
however when I have to restart the domain controller (for updates and all) I am getting errors on my mail server because lookups against AD are failing.
I have two AD servers and per this howto have only configured one to be queried.
How would I set up a failover scenario?
April 18th, 2008 at 1:58 pm
Use the instruction from Active Directory and Dovecot PAM Authentication instead. The Kerberos authentication method does not require a persistent connection plus you’ll also get fail-over capabilities.
April 22nd, 2008 at 3:31 pm
Hi,
I think we should clarify this line:
2. Test your postfix configuration file by typing in the command
postmap -q [email] ldap:/etc/postfix/ldap-users.cf
You should replace [email] with a valid user account on the server. Example:
postmap -q test@acme.local ldap:/etc/postfix/ldap-users.cf
Just to properly guide readers on the value of the [email] variable. Got me to some trouble testing the postfix AD integration part.
April 22nd, 2008 at 3:56 pm
Sorry about that. I never realized that the instruction was unclear since I was counting on the screenshot to clarify things. I’ve updated the text to make the instruction clearer. Thanks.
April 23rd, 2008 at 2:57 am
Hi,
How can I configure quota for users?
Where does it need to be configured, in the postfix or dovecot file?
I am using windows 2003 ADS authentication.
Rgds,
JAMI
April 23rd, 2008 at 1:33 pm
It should be configured on Postfix. Check out Postfix Quota
June 3rd, 2008 at 7:47 am
Need Help…
postmap: warning: dict_ldap_connect: Unable to bind to server ldap://www.maurag.com:389 as nalyrof@maurag.com: 34 (Invalid DN syntax)
[root@www ~]#
server_host = www.maurag.com
search_base = dc=maurag,dc=com
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/Maildir/
bind = yes
bind_dn = nalyrof@maurag.com
bind_pw = password
June 3rd, 2008 at 12:01 pm
nalyrof@maurag.com is applicable only to Active Directory. You’ll have to use something like uid=nalyrof,dc=maurag,dc=com Use JXplorer to get the actual distinguished name.
August 26th, 2008 at 7:20 am
Hi,
I need help with Dovecot integrated with LDAP. When the email user name has CAPITAL letters, it ends up with this error on the webmail. Any idea?
ERROR: Connection dropped by IMAP server.
Query: CAPABILITY
August 28th, 2008 at 4:00 am
HI.
I’m using Postfix 2.5 on CentOS 5.1 and am trying to use Active Directory as the primary LDAP base to authenticate Postfix mail.
I followed the steps above. I got to step “2. Test your postfix configuration file by typing in the command” with the command:
postmap -q tudv@domain.corp ldap:/etc/postfix/ldap-users.cf
and result is: “longnc/Maildir”
but when I’m going to try step “test postfix using telnet”
I test SMTP. when type:
rcpt to tudv
I got message: “Recipient address rejected: User unknown in local recipient table”
I don’t know what is that? Could you help me?
August 28th, 2008 at 8:02 am
Excuse me,
Do we need to install Postfix-ldap?
August 28th, 2008 at 2:03 pm
Hi davtup,
Please check if you did step 3 in Postfix Active Directory/LDAP Integration. This step changes the lookup from local recipient to virtual recipient. Also, check your result_format setting, I think you miss the last ‘/’. Finally, you don’t need to install Postfix-ldap, it is already included in the standard CentOS package.
October 5th, 2008 at 5:24 pm
Help me, I have this error in telnet pop3
mail dovecot: POP3(bugsbunny): mkdir(/home/bugsbunny/Maildir/cur) failed: Permission denied
mail dovecot: POP3(bugsbunny): Couldn’t open INBOX: Internal error occurred. Refer to server log for more information.
mail dovecot: POP3(bugsbunny): Couldn’t open INBOX top=0/0, retr=0/0, del=0/0, size=0
Please help me. I configured my dovecot.conf as follows:
passdb ldap {
  args = /etc/dovecot-ldap.conf
}
userdb static {
  args = uid=501 gid=501 home=/home/vmail/%u
}
October 5th, 2008 at 8:08 pm
Hi elXesar,
In your /etc/dovecot.conf, make sure you have the line below:
mail_location = maildir:~/Maildir/
October 6th, 2008 at 3:25 am
Yes, my dovecot.conf is configured the same as the manual,
mail_location = maildir:~/Maildir/
Even so, I have trouble.
October 6th, 2008 at 12:18 pm
Hmm… According to your log, dovecot is looking for mail in /home/bugsbunny/Maildir/cur instead of /home/vmail/bugsbunny/Maildir/cur. Another possible cause of the problem is
userdb passwd {
}
still active. Thus, it is looking for bugsbunny in the Linux system accounts instead of the LDAP accounts. To be sure, comment out all userdb blocks except for userdb static.
October 7th, 2008 at 1:15 am
Exactly, that was the problem; it was uncommented:
userdb passwd {
}
I commented it out and it was OK.
Thank you very much.
October 25th, 2008 at 7:26 pm
Hi, I have this problem. I did this step:
postmap -q bugsbunny@acme.local ldap:/etc/postfix/ldap-users.cf
It returned “bugsbunny/Maildir”, but it really does not create the folder. Can someone help me?
Greetings,
October 25th, 2008 at 11:30 pm
Hi elXesar,
The bugsbunny/Maildir directory will be automatically created by Postfix if it receives a mail for bugsbunny. It will also be automatically created by Dovecot if bugsbunny checks his email.
October 27th, 2008 at 3:16 am
You’re right. Now I attempt to authenticate a user through POP3, but this message appears: “ERR - Temporary authentication failure”.
I added ldap_version = 3 in dovecot-ldap.conf, but even so it remains the same.
October 27th, 2008 at 11:47 am
Please check /var/log/maillog to get a better idea on what the problem might be.
October 27th, 2008 at 11:24 pm
I’m trying another user called “lvasquez” added to LDAP; I tested and it works with SMTP, but the test does not work with POP3. In the log is this message:
Oct 27 13:12:42 mail dovecot: auth(default): ldap(lvasquez,::ffff:127.0.0.1): ldap_bind() failed: Invalid DN syntax
Oct 27 13:15:39 mail dovecot: pop3-login: Disconnected: Inactivity: user=, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
October 28th, 2008 at 12:40 am
Please provide the dovecot setting you used.
October 28th, 2008 at 1:37 am
protocols = imap imaps pop3 pop3s
mail_location = maildir:~/Maildir/
protocol imap {
  imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
}
protocol lda {
  postmaster_address = postmaster@example.com
}
auth default {
  mechanisms = plain
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb static {
    args = uid=503 gid=503 home=/home/vmail/%u
  }
  user = root
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
October 28th, 2008 at 1:13 pm
Oh, I meant the dovecot-ldap.conf file. I want to see how you configured the distinguished name (DN).
October 28th, 2008 at 4:28 pm
hosts = localhost
base = dc=runiversal,dc=com
ldap_version = 3
auth_bind = yes
auth_bind_userdn = runiversal\%u
October 28th, 2008 at 4:35 pm
I have my mail server (postfix, dovecot, clamav, mailscanner and spamassassin) with an LDAP server (virtual users).
October 28th, 2008 at 9:44 pm
Option 1 only works for Active Directory. You’ll have to use Option 2 or 3.
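The same three mistakes come up repeatedly in this thread: a bind identity that is not a real distinguished name (the June 3rd reply about nalyrof@maurag.com and the Invalid DN syntax error above from auth_bind_userdn = runiversal\%u, both of which only Active Directory accepts), a result_format without the trailing ‘/’ (the August 28th reply), and a leftover userdb passwd block beside userdb static (the October 6th reply). The script below is an added example written for this page, not code from the original post or from Postfix/Dovecot; the config texts it checks are constructed to mirror the ones posted here, and its DN test is a simplified RFC 4514 syntax check that does not handle escaped commas.

```python
# Added example: lint the Postfix ldap: table and Dovecot LDAP settings discussed in this thread.
# Sample configs below are constructed; the DN test is a simplified RFC 4514 check (no escaped commas).
import re

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")  # one attr=value component of a DN

def parse_kv(text):
    """Parse 'key = value' lines (Postfix ldap table / dovecot-ldap.conf); split on the first '=' only."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def is_dn(value):
    """True if value looks like a DN such as uid=nalyrof,dc=maurag,dc=com."""
    return all(_RDN.match(p.strip()) for p in value.split(","))

def bind_identity_kind(value):
    """'dn' (works everywhere), 'upn' user@domain or 'domain_user' DOMAIN\\user (Active Directory only), else 'invalid'."""
    if is_dn(value):
        return "dn"
    if re.fullmatch(r"[^@\\\s]+@[^@\\\s]+", value):
        return "upn"
    if re.fullmatch(r"[^@\\\s]+\\[^@\\\s]+", value):
        return "domain_user"
    return "invalid"

def _bind_ok(value, active_directory):
    kind = bind_identity_kind(value)
    return kind == "dn" or (active_directory and kind in ("upn", "domain_user"))

def check_postfix_ldap_table(text, active_directory=False):
    """Findings for a Postfix ldap: table such as /etc/postfix/ldap-users.cf."""
    conf = parse_kv(text)
    findings = []
    fmt = conf.get("result_format", "")
    if fmt and not fmt.endswith("/"):
        findings.append("result_format lacks the trailing '/', so the mailbox is not delivered as a Maildir")
    if "%s" not in conf.get("query_filter", "%s"):
        findings.append("query_filter has no %s, so the recipient address is never searched")
    if conf.get("bind", "no").lower() == "yes" and not _bind_ok(conf.get("bind_dn", ""), active_directory):
        findings.append("bind_dn %r is not a DN; OpenLDAP needs e.g. uid=nalyrof,dc=maurag,dc=com" % conf.get("bind_dn", ""))
    return findings

def check_dovecot_ldap(text, active_directory=False, sample_user="lvasquez"):
    """Findings for dovecot-ldap.conf; auth_bind_userdn is expanded for a sample user before the DN check."""
    conf = parse_kv(text)
    if conf.get("auth_bind", "no").lower() != "yes":
        return []
    template = conf.get("auth_bind_userdn", "")
    expanded = template.replace("%u", sample_user)
    if _bind_ok(expanded, active_directory):
        return []
    return ["auth_bind_userdn %r expands to %r, which OpenLDAP rejects with 'Invalid DN syntax'" % (template, expanded)]

def active_userdbs(dovecot_conf):
    """Uncommented 'userdb <name> {' blocks; a leftover passwd userdb points Dovecot at /home/<user>, not /home/vmail/<user>."""
    return re.findall(r"^\s*userdb\s+(\w+)\s*\{", dovecot_conf, re.MULTILINE)

# Constructed samples mirroring the configs posted in the thread.
OPENLDAP_TABLE = """\
search_base = dc=maurag,dc=com
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = uid
result_format = %s/Maildir
bind = yes
bind_dn = nalyrof@maurag.com
bind_pw = password
"""
DOVECOT_LDAP_BAD = "hosts = localhost\nbase = dc=runiversal,dc=com\nauth_bind = yes\nauth_bind_userdn = runiversal\\%u\n"
DOVECOT_LDAP_GOOD = DOVECOT_LDAP_BAD.replace("runiversal\\%u", "uid=%u,dc=runiversal,dc=com")
DOVECOT_CONF = """\
auth default {
  passdb ldap {
    args = /etc/dovecot-ldap.conf
  }
  userdb passwd {
  }
  userdb static {
    args = uid=503 gid=503 home=/home/vmail/%u
  }
}
"""

if __name__ == "__main__":
    print(check_postfix_ldap_table(OPENLDAP_TABLE))
    print(check_dovecot_ldap(DOVECOT_LDAP_BAD), check_dovecot_ldap(DOVECOT_LDAP_GOOD))
    print(active_userdbs(DOVECOT_CONF))
```

Run it against your own files by reading /etc/postfix/ldap-users.cf, /etc/dovecot-ldap.conf and /etc/dovecot.conf into the check functions; pass active_directory=True when the server really is Active Directory, since only then are the user@domain and DOMAIN\user bind forms legitimate.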
October 28th, 2008 at 11:13 pm
Ok, thanks
November 11th, 2008 at 2:40 pm
Hi,
I want to know how to configure a mail server to authenticate to another LDAP server. The scenario is: I have one mail server and one LDAP server, and I want the mail server to authenticate to the LDAP server on Ubuntu. Could you please help me with this?
November 11th, 2008 at 3:39 pm
No problem, just change hosts in /etc/dovecot-ldap.conf to wherever the Ubuntu LDAP server is.
November 18th, 2008 at 7:56 pm
Hi,
I am new to Linux. I have installed Ubuntu and installed Webmin. I have one Active Directory domain, mycompany.local. We have purchased 1000 mail IDs from a vendor. They have given us SMTP and POP3 server IP information. We configure this in Outlook and download mail from the POP3 server. Because Microsoft Exchange Server is very expensive I am going for a Linux Postfix mail server, but I do not know how to configure Postfix to work as a gateway for my mail, so that all internal mail still works if my Internet goes down, and Postfix downloads all mail from the POP3 server and delivers it to the particular mail ID. And also how to link my local mail ID and Internet mail ID. Please help me ASAP.
November 19th, 2008 at 4:31 am
Can JXplorer be used on Fedora Core 9? If it can, how do I install JXplorer on FC9?
November 19th, 2008 at 4:52 pm
Any manual to integrate mailbox quota in Postfix with LDAP?
November 19th, 2008 at 10:05 pm
Hi elXesar,
Yes, see Postfix Quota.
November 19th, 2008 at 10:08 pm
Hi aKBaR,
See Java JRE Setup Howto; it’s for RHEL/CentOS, but it might work with FC9.