I cannot write How-to but someone may find it useful and post it...

Discussion in 'HOWTO-Related Questions' started by linch_y, Jun 28, 2007.

  1. linch_y

    linch_y New Member

    How to setup live address verification against MS AD in Postfix.

    I searched the internet a lot on how to implement live LDAP lookups for valid recipients (in case the postfix serves relay on the border). The only article I found were with perl scripts to import the addresses into a local file.

    I knew that the live lookups are possible so I dug deeper into the documentation and I got it.

    It is simpler than it may look like.

    I made it on four Ubuntu Server versions: 6.04, 6.10, 7.04 and 7.04 (with the Postfix distribution files from 7.10(Gutsy)).

    I assume the postfix is already configured to accept the mail flow and to forward it to the internal mail server, also the postfix-ldap module is already in place.

    You need to set the relay_recipient_maps like:

    relay_recipient_maps = ldap:/etc/postfix/relay_recipients

    The /etc/postfix/relay_recipients file does not need to postmapped and contains the LDAP server configuration.

    The file should contain (at least) the following fields:

    server_host = <IP>:3268
    search_base = dc=example, dc=com
    query_filter = (|(mail=%s)(proxyAddresses=smtp\3A%s))
    bind_dn = CN=Administrator,CN=Users,DC=example,DC=com
    bind_pw = <password>
    leaf_result_attribute = mail
    special_result_attribute = memberdn
    result_attribute = proxyAddresses

    The :3268 after the IP address of the LDAP server represent the port AD Global Catalog port. I would advise you to use the Global Catalog port for the AD as often the member DC (listens on port 389) does not have the whole information about the users. (In addition, the port should be open on the DMZ firewall)

    The search base represents the parent internal domain (DC=com or DC=local).

    The query filter extracts the primary email (mail) attribute and all the secondary email addresses that the users have (proxyAddresses).

    The bind-dn and bind_pw are required for MS AD (Other LDAP implementations do not require authentication). The user name may not be the domain admin. However, if you have another username there you should use the DN of the user:
    DN=user,OU=Service Accounts, DC=example, DC=com (assuming the OU is not in another OU)
    If the OU is in another OU - it may look like this:
    DN=user,OU=Service Accounts, OU=Parent, DC=example, DC=com

    With this configuration all existing addresses are verified as valid and the you do not have to maintain the Postfix users locally (you do not have to wait for the next cron job to import the new users).

    The configuration for other LDAP implementations (Domino, Open LDAP, eDirectory and so on...) need to use their specific LDAP property fields.

    I hope it will help the other people out there.

  2. linch_y

    linch_y New Member

    A mistake with the DNs

    The DN should be starting with CN=user instead of the DN= as I wrote it.

    Sorry for the mistake.

Share This Page