Postfix/Dovecot multiple authentication against Active Directory


Solution was pretty simple.. Just as @sam_pan_mariusz suggested, instead of an IP address I've put a DNS name. Ran some testing and everything works as it should.


Author by Martynas Smilgevičius

Updated on September 18, 2022

Comments

  • Martynas Smilgevičius
    Martynas Smilgevičius almost 2 years

    So I have working mail server which authenticates against active directory. Everything works fine until I try to add a secondary authentication backend..

    Server info:

    Server OS: CentOS 7.1.1503
    Postfix version: 2.10.1
    Dovecot version: 2.2.10
    

    At the moment my configuration looks like this:

    Postfix Configuration files:

    /etc/postfix/main.cf

    virtual_mailbox_base = /homes/vmail/homes 
    virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf 
    virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf
    virtual_uid_maps = static:989 
    virtual_gid_maps = static:987
    

    ldap-users-primary.cf

    server_host = 192.168.250.200
    search_base = cn=Users, dc=domain, dc=local
    version = 3
    query_filter = (&(objectclass=person)(mail=%s))
    result_attribute = samaccountname
    result_format = %s/
    bind = yes
    bind_dn = [email protected]
    bind_pw = password
    

    ldap-groups-primary.cf

    server_host = 192.168.250.200
    search_base = ou=Email_Groups, dc=domain,dc=local
    version = 3
    query_filter = (&(objectclass=group)(mail=%s))
    leaf_result_attribute = mail
    special_result_attribute = member
    bind = yes
    bind_dn = [email protected]
    bind_pw = password
    start_tls = no
    

    Dovecot configuration files:

    /etc/dovecot/conf.d/10-auth.conf

    passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-primary.conf
    }
    
    userdb {
    driver = static
    args = uid=989 gid=987 home=/homes/vmail/homes/%u
    }
    

    dovecot-ldap-primary.conf

    hosts = 192.168.250.200
    base = cn=Users, dc=domain, dc=local
    ldap_version = 3
    auth_bind = yes
    auth_bind_userdn = domain\%u
    

    All the above setup is working fine and doesn't cause any problems. Until I try to add secondary domain controller..

    To do that I have created new configuration files: ldap-users-secondary.cf, ldap-groups-secondary.cf, dovecot-ldap-secondary.conf.

    The only thing that is different in those files is the IP address of the server (it just points to the secondary domain controller). If I use those files alone everything works just fine. But if I modify /etc/postfix/main.cf like this:

    virtual_mailbox_base = /homes/vmail/homes 
    virtual_mailbox_maps = ldap:/etc/postfix/ldap-users-primary.cf, ldap:/etc/postfix/ldap-users-secondary.cf
    virtual_alias_maps = ldap:/etc/postfix/ldap-groups-primary.cf, ldap:/etc/postfix/ldap-groups-secondary.cf
    virtual_uid_maps = static:989 
    virtual_gid_maps = static:987
    

    And /etc/dovecot/conf.d/10-auth.conf

    passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-primary.conf
    }
    
    passdb {
    driver = ldap
    args = /etc/dovecot/dovecot-ldap-secondary.conf
    }
    
    userdb {
    driver = static
    args = uid=989 gid=987 home=/homes/vmail/homes/%u
    }
    

    It just stops working and starts giving out these errors:

    NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 451 4.3.0 <[email protected]>: Temporary lookup failure;
    

    Can anyone help me with this?

    • sam_pan_mariusz
      sam_pan_mariusz over 8 years
      So this is a secondary controller of the same domain, am I right? So why don't you just put a DNS name instead of IP address? This way you're gonna provide redundancy without introducing another config file.
    • Martynas Smilgevičius
      Martynas Smilgevičius over 8 years
      Yes, you're right... And probably this is going to fix this issue since in this case DNS will take care of which server is getting requests.. Feeling a bit stupid tho that I didn't come up with such a simple solution. Going to test it later to see if it works as it should.
    • user145837
      user145837 about 7 years
      I'm sorry, but there are arguments against just using DNS as a crutch here. The original question is much more interesting. Why does Postfix not allow multiple LDAP sources? At least Dovecot allows multiple LDAP hosts in a config file. DNS round-robin'ing actually will just hand out the IP of the dead LDAP server 1/number-of-servers of the time.
  • user145837
    user145837 about 7 years
    This is more of a bad work-around than a solution.
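Both daemons can take the list of controllers directly instead of leaning on DNS round-robin: the Postfix LDAP client (`server_host`) and Dovecot (`hosts`) accept several servers separated by whitespace and connect to the first one that answers, so a dead controller is skipped rather than being handed out 1/N of the time as the last comment points out. The fragments below are an added example, not the poster's own files; the hostnames dc1.domain.local and dc2.domain.local are assumed and the bind credentials are placeholders.

```conf
# /etc/postfix/ldap-users.cf (added example; one map replaces the primary/secondary pair,
# so main.cf lists only ldap:/etc/postfix/ldap-users.cf)
# Servers are tried left to right; the secondary is only used when dc1 is unreachable.
server_host = dc1.domain.local dc2.domain.local
search_base = cn=Users,dc=domain,dc=local
version = 3
query_filter = (&(objectclass=person)(mail=%s))
result_attribute = samaccountname
result_format = %s/
bind = yes
bind_dn = BIND_ACCOUNT@domain.local   # placeholder, use the real service account
bind_pw = BIND_PASSWORD               # placeholder
# A simple bind sends bind_pw in clear text; enable STARTTLS once the controllers
# present certificates the mail host trusts (hostnames, not IPs, are needed for that).
start_tls = yes

# /etc/dovecot/dovecot-ldap.conf (added example; 10-auth.conf keeps a single passdb
# pointing here instead of two passdb blocks)
# Space-separated list, same failover order as above.
hosts = dc1.domain.local dc2.domain.local
base = cn=Users,dc=domain,dc=local
ldap_version = 3
auth_bind = yes
auth_bind_userdn = domain\%u
# auth_bind sends the user's password to the controller; STARTTLS protects it in transit.
tls = yes
```

With one map per table there is only one LDAP lookup per address, so a "not found" from the first map can no longer be followed by a second query, which also removes the double-lookup path the original two-map main.cf introduced.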