As part of a migration project where I moved from an old Samba 3 PDC to a Samba 4 AD-DC I have to also migrate any system that uses the old LDAP lookups. This post covers changes to an email submission server that uses Postfix to receive messages from authenticated users and relays them to a smart host. It will also cover a smart host that uses LDAP to look up the mailHost for each user as well as dereference group emails. This post will only cover the changes needed in the LDAP configuration.
I am using Postfix 3.3.2 and OpenLDAP 2.4 on Debian 9.6.
Names have been changed to protect the guilty.
Based on the setup for the Squid proxy server I have managed to get ldapsearch to work on the email submission server using:
ldapsearch -D "CN=postfix-connect,CN=Users,DC=samdom,DC=example,dc=net" -w "password" -s sub -x -ZZ -LLL -v '(&(objectClass=user)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.903:=2))(cn=username))'
To fit into Microsoft’s LDAP attributes I need to use proxyAddresses rather than the mailLocalAddress attribute I have been using for more than a decade with other LDAP servers.
So the ldap_sender_login_maps_people.cf file needs to be updated. This file is used in Postfix’s main.cf file in the parameter smtpd_sender_login_maps. The old file is:
server_host=192.168.0.16
query_filter=(&(objectclass=inetOrgPerson)(|(mail=%s)(mailLocalAddress=%s)))
search_base=ou=people,dc=example,dc=net
timeout=60
result_attribute=uid
bind=no
server_port=389
scope=one
version=3
I used information from the Postfix web site for LDAP lookups and LDAP tables. I came up with the following config file and it seems to work.
server_host=192.168.0.24
query_filter=(&(objectclass=user)(mail=%s)(!(userAccountControl:1.2.840.113556.1.4.903:=2)))
search_base=cn=users,dc=samdom,dc=example,dc=net
timeout=60
result_attribute=sAMAccountName
bind=yes
bind_dn=cn=postfix-connect,cn=users,dc=samdom,dc=example,dc=net
bind_pw=password
server_port=389
scope=one
version=3
start_tls=yes
tls_require_cert=no
The server is used to support mobile phones and tablets, allowing them access to the internal email systems. So it proxies IMAP and uses Postfix for submission.
This configuration is supposed to return the user account that matches the email address supplied. The “(!(userAccountControl:1.2.840.113556.1.4.903:=2))” was taken from the Samba wiki and is supposed to indicate the account is locked. In this case, if the account has been locked out then the query will return no results for our lookup.
Altering the query_filter to:
(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.903:=2))(|(mail=%s)(proxyAddresses=smtp:%s)))
allows the server to look up not only the main email address in the AD-DC but also the proxyAddresses that start with “smtp:”. Supposedly Microsoft Exchange uses this attribute with special meaning regarding the CASE. The mail attribute is supposed to be duplicated here but using an uppercase SMTP. Any other email addresses are to use a lowercase smtp.
Using postmap -q to test the filter returns the expected results against both the mail and proxyAddresses attributes.
The next item to work on is the LDAP aliases lookup, as I allow users to send using a group email address if they belong to that group. The old LDAP file is:
server_host=192.168.0.16
query_filter=(&(objectClass=nisMailAlias)(mailLocalAddress=%s))
search_base=ou=Aliases,dc=example,dc=net
timeout=20
result_attribute=rfc822MailMember
bind=no
server_port=389
scope=one
As I have yet to create the mail aliases in the Samba AD-DC I cannot test this yet, but I already know a number of the required changes as they are the same as the user lookup above.
I do have one “Distribution Group”, as it is called in Active Directory, set up in my Users container for testing. I managed to get ldapsearch to return a result using:
ldapsearch -D "CN=postfix-connect,CN=Users,DC=samdom,DC=example,dc=net" -w "password" -s sub -x -ZZ -LLL -v '(&(objectClass=group)(!(userAccountControl:1.2.840.113556.1.4.903:=2))(cn=ap@example.net))'
So the query_filter should be (&(objectClass=group)(mail=%s)) and the result_attribute should be member. However, the member attribute is a full distinguished name in the directory, not an account name or email address as found in the old LDAP configuration, so further tests are required. So far I have the following config file:
server_host=192.168.0.24
query_filter=(&(objectclass=group)(mail=%s))
search_base=cn=users,dc=samdom,dc=example,dc=net
timeout=60
result_attribute=member
bind=yes
bind_dn=cn=postfix-connect,cn=users,dc=samdom,dc=example,dc=net
bind_pw=password
server_port=389
scope=one
version=3
start_tls=yes
tls_require_cert=no
The search_base will need to reflect the final AD-DC structure.
After more reading, testing, reading, testing, and more testing … I now have the following config file:
server_host=192.168.0.24
query_filter=(&(objectclass=group)(mail=%s))
search_base=cn=users,dc=samdom,dc=example,dc=net
timeout=60
result_attribute=sAMAccountName
special_result_attribute=member
bind=yes
bind_dn=cn=postfix-connect,cn=users,dc=samdom,dc=example,dc=net
bind_pw=password
server_port=389
scope=one
version=3
start_tls=yes
tls_require_cert=no
This will return a list of user accounts associated with the group email address. It does this using a recursive search since the member attribute contains a distinguished name in the AD-DC. This is made possible by the special_result_attribute entry.
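To show what the result_attribute/special_result_attribute pairing above actually does, here is an added example (my own code, not from the post or from Postfix) that simulates the expansion against a constructed in-memory directory. The DNs and accounts are invented; it also covers nested groups and a membership cycle, which a real expansion has to stop on.

```python
# Added example, not from the post: simulates how a Postfix LDAP table with
# result_attribute=sAMAccountName and special_result_attribute=member expands
# a group email address, including nested groups and a membership cycle.
# DIRECTORY is a constructed stand-in for the AD-DC; the DNs are invented.

DIRECTORY = {
    "cn=ap,cn=users,dc=samdom,dc=example,dc=net": {
        "objectClass": ["group"], "mail": ["ap@example.net"],
        "member": ["cn=alice,cn=users,dc=samdom,dc=example,dc=net",
                   "cn=ap-managers,cn=users,dc=samdom,dc=example,dc=net"]},
    "cn=ap-managers,cn=users,dc=samdom,dc=example,dc=net": {
        "objectClass": ["group"],
        "member": ["cn=bob,cn=users,dc=samdom,dc=example,dc=net",
                   "cn=ap,cn=users,dc=samdom,dc=example,dc=net"]},  # cycle
    "cn=alice,cn=users,dc=samdom,dc=example,dc=net": {
        "objectClass": ["user"], "sAMAccountName": ["alice"]},
    "cn=bob,cn=users,dc=samdom,dc=example,dc=net": {
        "objectClass": ["user"], "sAMAccountName": ["bob"]},
}

def find_groups_by_mail(directory, address):
    """Stand-in for query_filter=(&(objectclass=group)(mail=%s)); LDAP
    compares mail case-insensitively, so the lookup does the same."""
    return [dn for dn, attrs in directory.items()
            if "group" in attrs.get("objectClass", [])
            and address.lower() in (m.lower() for m in attrs.get("mail", []))]

def resolve_members(directory, dn, result_attr="sAMAccountName",
                    special_attr="member", seen=None):
    """Collect result_attr from the entry and, recursively, from every entry
    named in its DN-valued special_attr; 'seen' stops loops between groups."""
    seen = set() if seen is None else seen
    if dn in seen or dn not in directory:
        return []
    seen.add(dn)
    entry = directory[dn]
    values = list(entry.get(result_attr, []))
    for member_dn in entry.get(special_attr, []):
        values.extend(resolve_members(directory, member_dn, result_attr,
                                      special_attr, seen))
    return values

def lookup_group_alias(directory, address):
    """Account names a group email address expands to, in order, no duplicates."""
    accounts = []
    for group_dn in find_groups_by_mail(directory, address):
        for acct in resolve_members(directory, group_dn):
            if acct not in accounts:
                accounts.append(acct)
    return accounts
```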
In testing I found I also needed to change the saslauthd.conf file:
ldap_servers: ldap://192.168.0.24
ldap_search_base: cn=Users,dc=samdom,dc=example,dc=net
ldap_filter: (sAMAccountName=%U)
ldap_bind_dn: cn=postfix-connect,cn=Users,dc=samdom,dc=example,dc=net
ldap_bind_pw: password
ldap_use_sasl: no
ldap_referrals: yes
ldap_auth_method: bind
ldap_mech: simple
ldap_start_tls: yes
ldap_tls_check_peer: no
The biggest issue I found with the LDAP changes is to make sure to enable TLS but not validate the certificate. This is because Samba defaults to using a self-signed certificate and I have not yet made a dedicated certificate for it.
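As an added check (my own code, not from the post), the following parses a Postfix LDAP table file and flags the combination used above, start_tls=yes with tls_require_cert=no, which encrypts the session but never verifies who is on the other end, so whoever answers on the LDAP port receives the bind password. The hardened variant assumes a CA certificate at /etc/ssl/certs/samba-ca.pem, which is a placeholder path.

```python
# Added example, not from the post: parses a Postfix LDAP table (.cf file) and
# flags settings that expose the bind password or the lookup to a server that
# merely claims to be the AD-DC. The checks are mine; /etc/ssl/certs/samba-ca.pem
# is a placeholder path for the CA certificate that signed the Samba certificate.

def parse_ldap_table(text):
    """Parse key=value lines; blank and '#' lines are skipped, keys lower-cased."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_ldap_table(settings):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    encrypted = (settings.get("server_host", "").startswith("ldaps://")
                 or settings.get("start_tls", "no").lower() == "yes")
    if not encrypted:
        findings.append("no TLS: bind_pw and results travel in clear text")
    elif settings.get("tls_require_cert", "no").lower() != "yes":
        findings.append("tls_require_cert is not yes: the server certificate is "
                        "never verified, so an impersonating server receives bind_pw")
    elif not (settings.get("tls_ca_cert_file") or settings.get("tls_ca_cert_dir")):
        findings.append("tls_require_cert=yes without tls_ca_cert_file/dir: "
                        "verification depends on the OpenLDAP default CA store")
    if settings.get("bind", "no").lower() == "yes" and not settings.get("bind_pw"):
        findings.append("bind=yes without bind_pw")
    return findings

# The post's working table, reduced to the settings the audit looks at.
WEAK_TABLE = """server_host=192.168.0.24
result_attribute=sAMAccountName
bind=yes
bind_dn=cn=postfix-connect,cn=users,dc=samdom,dc=example,dc=net
bind_pw=password
start_tls=yes
tls_require_cert=no
"""

# Same table once a CA certificate is available and the peer is verified.
HARDENED_TABLE = WEAK_TABLE.replace("tls_require_cert=no",
    "tls_require_cert=yes\ntls_ca_cert_file=/etc/ssl/certs/samba-ca.pem")
```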
Now I need to test it live…
After this I need to conquer the mailHost issue.