{"id":272,"date":"2011-05-25T15:19:17","date_gmt":"2011-05-25T13:19:17","guid":{"rendered":""},"modified":"2016-02-22T12:48:43","modified_gmt":"2016-02-22T11:48:43","slug":"mail-delivery-configuration-ldap","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/mail-delivery-configuration-ldap\/","title":{"rendered":"Mail delivery configuration with LDAP"},"content":{"rendered":"<p>Last time I wrote about authenticating users against the LDAP directory so that they can receive and send e-mail. Now it is time to configure Postfix to deliver mail to the appropriate mailboxes.<br \/>\nIf you compile Postfix yourself, remember to build it with LDAP support. This description is based on Ubuntu, where it is enough to install the postfix-ldap package:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n$ sudo -i\r\n# apt-get install postfix-ldap\r\n<\/pre>\n<p>This adds support for <code>ldap:<\/code> maps to Postfix.<\/p>\n<p>Now on to the Postfix configuration:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# cd \/etc\/postfix\r\n# vi main.cf\r\n<\/pre>\n<p><!--more--><\/p>\n<p>In <code>main.cf<\/code> add something like this (replace example.com with your own domain):<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nldap_bind_dn = cn=admin,dc=example,dc=com\r\nldap_bind_pw = secret\r\nldap_search_base = o=hosting,dc=example,dc=com\r\nldap_domain = dc=example,dc=com\r\nldap_server_host = localhost\r\nldap_server_port = 389\r\nldap_version = 3\r\n\r\n# Accounts\r\naccounts_server_host = $ldap_server_host\r\naccounts_search_base = $ldap_search_base\r\naccounts_query_filter = (&amp;(objectClass=mailUser)(mail=%s))\r\naccounts_result_attribute = mailMessageStore\r\naccounts_cache = no\r\naccounts_bind = yes\r\naccounts_bind_dn = $ldap_bind_dn\r\naccounts_bind_pw = $ldap_bind_pw\r\naccounts_version = $ldap_version\r\n\r\naccountsmap_server_host = 
$ldap_server_host\r\naccountsmap_search_base = $ldap_search_base\r\naccountsmap_query_filter = (&amp;(objectClass=mailUser)(mail=%s))\r\naccountsmap_result_attribute = mail\r\naccountsmap_cache = no\r\naccountsmap_bind = yes\r\naccountsmap_bind_dn = $ldap_bind_dn\r\naccountsmap_bind_pw = $ldap_bind_pw\r\naccountsmap_version = $ldap_version\r\n\r\n# aliases\r\naliases_server_host = $ldap_server_host\r\naliases_search_base = $ldap_search_base\r\naliases_query_filter = (&amp;(objectClass=mailAlias)(mail=%s))\r\naliases_result_attribute = mailForwardingAddress\r\naliases_bind = yes\r\naliases_cache = no\r\naliases_bind_dn = $ldap_bind_dn\r\naliases_bind_pw = $ldap_bind_pw\r\naliases_version = $ldap_version\r\n\r\n# transports\r\ntransport_server_host = $ldap_server_host\r\ntransport_search_base = $ldap_search_base\r\ntransport_query_filter = (&amp;(objectClass=mailDomain)(domainName=%s))\r\ntransport_result_attribute = mtaTransport\r\ntransport_cache = no\r\ntransport_bind = yes\r\ntransport_scope = one\r\ntransport_bind_dn = $ldap_bind_dn\r\ntransport_bind_pw = $ldap_bind_pw\r\ntransport_version = $ldap_version\r\n\r\n# transport_maps\r\nmaildrop_destination_concurrency_limit = 2\r\nmaildrop_destination_recipient_limit = 1\r\ntransport_maps = ldap:transport\r\nvirtual_alias_maps = ldap:aliases, ldap:accountsmap\r\n\r\n# virtual accounts for delivery\r\nvirtual_mailbox_domains = ldap:transport\r\nvirtual_mailbox_base = \/vdhome\r\nvirtual_mailbox_maps = ldap:accounts\r\nvirtual_minimum_uid = 501\r\nvirtual_uid_maps = static:501\r\nvirtual_gid_maps = static:501\r\n\r\nlocal_recipient_maps = $alias_maps $virtual_mailbox_maps\r\n<\/pre>\n<p>The lines above should be enough for mail delivery. I have kept this simple, so there is no check of account status (active\/inactive) and the like. 
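<\/p>
<p>Keeping the bind password in <code>main.cf<\/code> has a catch: that file is world-readable (mode 0644 by default), so every local user can read <code>ldap_bind_pw<\/code>, and <code>postconf<\/code> prints it too. ldap_table(5) documents a separate file per table (<code>ldap:\/etc\/postfix\/ldap\/accounts.cf<\/code>) as the preferred form and keeps the <code>main.cf<\/code> form only for backwards compatibility; such a file can be owned root:postfix with mode 0640. The Python script below is an added example, not part of the original post: it writes the four tables in that form, binding as a dedicated read-only account instead of <code>cn=admin<\/code> and requiring STARTTLS with certificate verification, and it audits a <code>main.cf<\/code> for literal bind passwords. The bind DN <code>cn=postfix-lookup,ou=services,dc=example,dc=com<\/code>, the server name <code>ldap.example.com<\/code>, the temporary output directory and the CA bundle path are assumptions; the filters and result attributes are the ones from the configuration above.<\/p>

```python
import os
import re
import stat
import tempfile

# Assumed read-only service account (not from the original post): it needs
# read access to the mailDomain/mailUser/mailAlias entries under the search
# base and nothing else, so it can never modify the directory if leaked.
BIND_DN = 'cn=postfix-lookup,ou=services,dc=example,dc=com'
SEARCH_BASE = 'o=hosting,dc=example,dc=com'

# name -> (query_filter, result_attribute, extra settings); the filters and
# attributes are exactly the ones used in main.cf above.
TABLES = {
    'transport':   ('(&(objectClass=mailDomain)(domainName=%s))', 'mtaTransport', {'scope': 'one'}),
    'accounts':    ('(&(objectClass=mailUser)(mail=%s))', 'mailMessageStore', {}),
    'accountsmap': ('(&(objectClass=mailUser)(mail=%s))', 'mail', {}),
    'aliases':     ('(&(objectClass=mailAlias)(mail=%s))', 'mailForwardingAddress', {}),
}

def render_table(name, bind_pw, server='ldap.example.com'):
    '''Text of one ldap_table(5) file: dedicated bind DN, STARTTLS required and
    the server certificate verified, so the bind password never travels in clear.'''
    query_filter, result_attribute, extra = TABLES[name]
    lines = [
        'server_host = ' + server,           # assumed host name
        'server_port = 389',
        'version = 3',
        'start_tls = yes',
        'tls_require_cert = yes',
        'tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt',   # Ubuntu CA bundle (assumed)
        'bind = yes',
        'bind_dn = ' + BIND_DN,
        'bind_pw = ' + bind_pw,
        'search_base = ' + SEARCH_BASE,
        'query_filter = ' + query_filter,
        'result_attribute = ' + result_attribute,
    ] + [k + ' = ' + v for k, v in extra.items()]
    return '\n'.join(lines) + '\n'

def write_tables(dest_dir, bind_pw):
    '''Write the four table files with mode 0640. In production chown them
    root:postfix afterwards: the Postfix daemons run as user postfix and can
    read them, while ordinary local users cannot (unlike main.cf, which is 0644).'''
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    paths = {}
    for name in TABLES:
        path = os.path.join(dest_dir, name + '.cf')
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
        with os.fdopen(fd, 'w') as fh:
            fh.write(render_table(name, bind_pw))
        os.chmod(path, 0o640)      # the O_CREAT mode is masked by umask; enforce it
        paths[name] = path
    return paths

def main_cf_lines(paths):
    '''The main.cf lines that replace the ldap:accounts style table names.'''
    return [
        'transport_maps = ldap:' + paths['transport'],
        'virtual_mailbox_domains = ldap:' + paths['transport'],
        'virtual_mailbox_maps = ldap:' + paths['accounts'],
        'virtual_alias_maps = ldap:' + paths['aliases'] + ', ldap:' + paths['accountsmap'],
    ]

def leaked_bind_passwords(main_cf_text):
    '''Names of *_bind_pw parameters in main.cf that hold a literal secret.
    A value that is a $reference to another parameter is not itself a leak.'''
    leaks = []
    for line in main_cf_text.splitlines():
        m = re.match(r'^\s*([A-Za-z0-9_]*bind_pw)\s*=\s*(\S.*?)\s*$', line)
        if m and not m.group(2).startswith('$'):
            leaks.append(m.group(1))
    return leaks

def file_mode(path):
    '''Permission bits of a file, e.g. 0o640.'''
    return stat.S_IMODE(os.stat(path).st_mode)

def demo(bind_pw='example-only-password'):
    '''Write the tables into a fresh temporary directory and return their paths.'''
    return write_tables(tempfile.mkdtemp(prefix='postfix-ldap-'), bind_pw)

if __name__ == '__main__':
    print('\n'.join(main_cf_lines(demo())))
```

<p>On the mail host call <code>write_tables('\/etc\/postfix\/ldap', password)<\/code> as root, <code>chown root:postfix<\/code> the files, put the printed lines into <code>main.cf<\/code> in place of the <code>ldap:accounts<\/code> style names, and check that <code>postmap -q jsmith@virtdomain.com ldap:\/etc\/postfix\/ldap\/accounts.cf<\/code> still returns the mailbox path. The read-only account needs an OpenLDAP ACL granting it read access under <code>o=hosting<\/code>; after that the administrator account no longer appears anywhere in the Postfix configuration.<\/p>
<p>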
Binding as <code>cn=admin<\/code>, the directory administrator, just to read the directory is also poor practice from a security standpoint: define a separate, read-only bind user for Postfix. It will do for now, though.<\/p>\n<p>Now restart Postfix and check the logs for errors. If Postfix is running, we can leave it and move on to the mail configuration in the LDAP directory. You can follow the description in <a href=\"\/en\/dovecot\/mail-system-authentication-ldap\">Mail system authentication in LDAP<\/a>, but here I will add a new domain <b>virtdomain.com<\/b>, a user <b>jsmith<\/b> and an alias <b>postmaster<\/b> that points to <b>jsmith<\/b>. You can create these in phpLDAPadmin or another utility, or import an LDIF like this:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\ndn: domainName=virtdomain.com,o=hosting,dc=example,dc=com\r\ndomainname: virtdomain.com\r\nmtatransport: virtual\r\nobjectclass: mailDomain\r\nobjectclass: top\r\n\r\ndn: uid=jsmith,domainName=virtdomain.com,o=hosting,dc=example,dc=com\r\ncn: John Smith\r\ngivenname: John\r\nhomedirectory: \/vdhome\/virtdomain.com\/jsmith\r\nmail: jsmith@virtdomain.com\r\nmailmessagestore: virtdomain.com\/jsmith\/Maildir\/\r\nobjectclass: inetOrgPerson\r\nobjectclass: top\r\nobjectclass: mailUser\r\nsn: Smith\r\nuid: jsmith\r\nuserpassword: {MD5}XD9034sf8w83sfoXXg==\r\n\r\ndn: mail=postmaster@virtdomain.com,domainName=virtdomain.com,o=hosting,dc=example,\r\n dc=com\r\ncn: Postmaster\r\nmail: postmaster@virtdomain.com\r\nmailforwardingaddress: jsmith@virtdomain.com\r\nobjectclass: mailAlias\r\nobjectclass: top\r\n<\/pre>\n<p>If you add this with phpLDAPadmin, choose <code>inetOrgPerson<\/code> as the structural objectClass, then add the <code>mailUser<\/code> objectClass and the required attributes. You can use the <code>mail<\/code> attribute as the RDN, in which case you do not need <code>uid<\/code>. Do not copy the <code>userPassword<\/code> value above literally; it is only an example, and for real accounts generate a salted hash (for example <code>{SSHA}<\/code> with <code>slappasswd<\/code>) rather than plain <code>{MD5}<\/code>.<\/p>\n<p>Note the <code>homeDirectory<\/code> and <code>mailMessageStore<\/code> attributes. The latter holds a <b>relative<\/b> path to the user&#8217;s mailbox; Postfix prepends the base directory taken from <code>virtual_mailbox_base<\/code>. Dovecot, by contrast, uses the <code>homeDirectory<\/code> attribute and appends <code>\/Maildir<\/code> to it. Having two attributes that must be kept in sync by hand is not a good situation, and later I will write how to eliminate it, but it works for now.<\/p>\n<h3>Let&#8217;s check that Postfix resolves the LDAP maps properly:<\/h3>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\n# postmap -q &quot;virtdomain.com&quot; ldap:transport\r\nvirtual\r\n# postmap -q &quot;postmaster@virtdomain.com&quot; ldap:aliases\r\njsmith@virtdomain.com\r\n# postmap -q &quot;jsmith@virtdomain.com&quot; ldap:accounts\r\nvirtdomain.com\/jsmith\/Maildir\/\r\n# postmap -q &quot;jsmith@virtdomain.com&quot; ldap:accountsmap\r\njsmith@virtdomain.com\r\n<\/pre>\n<p>You should see output like the above. If you get no results, or an error connecting to LDAP, check the logs and fix the configuration.<\/p>\n<p>If everything is fine, send a message to yourself; it should be delivered to the mailbox. If you see a log entry like this:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nstatus=bounced (mail for example.com loops back to myself)\r\n<\/pre>\n<p>then there is a problem with the transport: Postfix logs this when a domain&#8217;s MX points at this host but the domain is in none of <code>mydestination<\/code>, <code>virtual_mailbox_domains<\/code>, <code>virtual_alias_domains<\/code> or <code>relay_domains<\/code>, which here means the <code>ldap:transport<\/code> lookup did not return <code>virtual<\/code> for it. 
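<\/p>
<p>Most of these failures can be caught before sending any test mail by checking the directory data offline. The Python script below is an added example and not part of the original post: it parses an LDIF export (including RFC 2849 folded lines like the postmaster <code>dn<\/code> above and base64 <code>attr::<\/code> values as <code>ldapsearch<\/code> emits them), rebuilds the three lookups that <code>postmap -q<\/code> performs against <code>ldap:transport<\/code>, <code>ldap:accounts<\/code> and <code>ldap:aliases<\/code>, follows alias expansion with loop detection, and reports users whose domain has no <code>mailDomain<\/code> entry (the usual cause of the <code>loops back to myself<\/code> bounce), whose <code>mailMessageStore<\/code> would escape <code>virtual_mailbox_base<\/code>, or whose <code>homeDirectory<\/code> disagrees with where Postfix will deliver. The sample LDIF is constructed from the entries above plus a deliberately broken user <code>orphan@nowhere.test<\/code>; <code>\/vdhome<\/code> is the <code>virtual_mailbox_base<\/code> from <code>main.cf<\/code>.<\/p>

```python
import base64
import re

VIRTUAL_MAILBOX_BASE = '/vdhome'   # virtual_mailbox_base from main.cf above
# Constructed sample: the post's three entries plus one deliberately broken user.
SAMPLE_LDIF = '''dn: domainName=virtdomain.com,o=hosting,dc=example,dc=com
domainname: virtdomain.com
mtatransport: virtual
objectclass: mailDomain

dn: uid=jsmith,domainName=virtdomain.com,o=hosting,dc=example,dc=com
homedirectory: /vdhome/virtdomain.com/jsmith
mail: jsmith@virtdomain.com
mailmessagestore: virtdomain.com/jsmith/Maildir/
objectclass: mailUser

dn: mail=postmaster@virtdomain.com,domainName=virtdomain.com,o=hosting,dc=example,
 dc=com
mail: postmaster@virtdomain.com
mailforwardingaddress: jsmith@virtdomain.com
objectclass: mailAlias

dn: uid=orphan,domainName=nowhere.test,o=hosting,dc=example,dc=com
homedirectory: /srv/mail/orphan
mail: orphan@nowhere.test
mailmessagestore: nowhere.test/orphan/Maildir/
objectclass: mailUser
'''

def parse_ldif(text):
    '''Minimal LDIF reader: unfolds RFC 2849 continuation lines, decodes
    "attr:: base64" values and lowercases attribute names (LDAP ignores case).'''
    entries, current = [], {}
    for line in re.sub(r'\n ', '', text).splitlines() + ['']:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8', 'replace')
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def build_maps(entries):
    '''Emulate ldap:transport, ldap:accounts and ldap:aliases: same objectClass
    filters as main.cf, keyed on domainName or mail, lowercased like LDAP matching.'''
    transport, accounts, aliases = {}, {}, {}
    for e in entries:
        classes = {c.lower() for c in e.get('objectclass', [])}
        if 'maildomain' in classes:
            transport[e['domainname'][0].lower()] = e['mtatransport'][0]
        if 'mailuser' in classes:
            for m in e.get('mail', []):
                accounts[m.lower()] = e['mailmessagestore'][0]
        if 'mailalias' in classes:
            for m in e.get('mail', []):
                aliases[m.lower()] = e['mailforwardingaddress']
    return transport, accounts, aliases

def deliver_to(maps, address, limit=10):
    '''Expand virtual_alias_maps as Postfix does (rewrite, then look the result
    up again) and resolve the mailbox; a trailing "/" means Maildir delivery.'''
    _transport, accounts, aliases = maps
    seen, addr = [], address.lower()
    while addr in aliases:
        if addr in seen or len(seen) >= limit:
            raise ValueError('alias loop: ' + ' -> '.join(seen + [addr]))
        seen.append(addr)
        addr = aliases[addr][0].lower()      # first target only, for brevity
    store = accounts.get(addr)
    return None if store is None else VIRTUAL_MAILBOX_BASE + '/' + store

def check_entries(entries, base=VIRTUAL_MAILBOX_BASE):
    '''Problems that end as bounces, or as Postfix and Dovecot disagreeing on a path.'''
    transport, accounts, aliases = build_maps(entries)
    problems = []
    for e in entries:
        if 'mailuser' not in {c.lower() for c in e.get('objectclass', [])}:
            continue
        mail, store = e['mail'][0], e['mailmessagestore'][0]
        domain = mail.rpartition('@')[2].lower()
        # Domain unknown to ldap:transport: neither local nor virtual, so with the MX
        # pointing here Postfix answers "mail for <domain> loops back to myself".
        if transport.get(domain) != 'virtual':
            problems.append(mail + ': no mailDomain entry with mtaTransport=virtual for ' + domain)
        # Postfix appends mailMessageStore to virtual_mailbox_base: refuse paths that escape it.
        if store.startswith('/') or '..' in store.split('/'):
            problems.append(mail + ': unsafe mailMessageStore ' + store)
        postfix_dir = base.rstrip('/') + '/' + store.rstrip('/')        # where Postfix writes
        dovecot_dir = e['homedirectory'][0].rstrip('/') + '/Maildir'   # where Dovecot reads
        if postfix_dir != dovecot_dir:
            problems.append(mail + ': Postfix writes ' + postfix_dir + ' but Dovecot reads ' + dovecot_dir)
    for alias, targets in aliases.items():
        for t in targets:
            if t.lower() not in accounts and t.lower() not in aliases:
                problems.append('alias ' + alias + ' forwards to unknown address ' + t)
    return problems

if __name__ == '__main__':
    print('\n'.join(check_entries(parse_ldif(SAMPLE_LDIF))))
```

<p>Feed it a real export (for example the output of <code>ldapsearch -LLL -b o=hosting,dc=example,dc=com<\/code>) instead of the sample; an empty result means the maps are consistent. The path check is worth keeping even after the Dovecot side is reworked, because whoever can edit <code>mailMessageStore<\/code> otherwise decides where Postfix writes.<\/p>
<p>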
Note: you will find many results and solutions for this problem, and many of them suggest adding your domain (example.com) to <code>mydestination<\/code>; <b>this is not a good solution!<\/b> In the Postfix documentation, in <a href=\"http:\/\/www.postfix.org\/VIRTUAL_README.html\" target=\"_blank\">VIRTUAL_README<\/a>, Wietse Venema writes:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nNEVER list a virtual MAILBOX domain name as a mydestination domain!\r\nNEVER list a virtual MAILBOX domain name as a virtual ALIAS domain!\r\n<\/pre>\n<p>In other words: if a domain is virtual, keep it virtual. Postfix will accept mail for it; you only have to tell it where to deliver. Listing the domain in <code>mydestination<\/code> instead hands it to the local(8) delivery agent, which delivers to Unix accounts and never consults the virtual mailbox map.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last time I wrote about authenticating users in the LDAP directory so that they can receive and send mail. Now it is time to configure Postfix to deliver mail to the right mailboxes.<br \/>\nIf you compile Postfix yourself, remember to add LDAP support to it. This time my description is based on Ubuntu, so you only need to install the appropriate postfix-ldap package:<br \/>\n[bash]<br \/>\n$ sudo -i<br \/>\n# apt-get install postfix-ldap<br \/>\n[\/bash]<br \/>\nThat takes care of <code>ldap:<\/code> map support in Postfix.<br \/>\nNow on to the Postfix configuration:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115,110],"tags":[6,22,44,11],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-4o","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/272"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=272"}],"version-history":[{"count":3,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/272\/revisions"}],"predecessor-version":[{"id":595,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/272\/revisions\/595"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}