[Dovecot] Dovecot+Postfix+Maildir with ActiveDirectory userbase

2010-02-15 Thread Wayne Thursby
 Luigi Rosa li...@luigirosa.com uttered:
 Hi,
 has anyone implemented a mail server with maildir, Postfix and Dovecot
 using
 Active Directory ad userbase and password authentication?

 Do I need Samba to authenticate users?

 Can I use credential caching just like mysql?


 Ciao,
 luigi

 --
 /
 +--[Luigi Rosa]--
 \

Hi Luigi,
  I am running a Postfix/Dovecot setup that is authenticating against a
Windows 2000 domain. It is possible to authenticate several different
ways, including Kerberos/Winbind and NTLM via Samba.

I used the following article as a guide. It is for FreeBSD, but the
configuration instructions apply equally to any Postfix/Dovecot setup. I
am running mine on Ubuntu 8.10.

http://blog.al-shami.net/index.php/freebsd-postfix-dovecot-and-active-directory/

The above article covers most of the setup, however I have changed a few
things for my purposes.

In short, I am using LDAP to communicate with the Active Directory
server. I am looking up email addresses and aliases from AD in Postfix
and using Dovecot as LDA. Postfix uses Dovecot's SASL for
authentication, and Dovecot in turn authenticates against AD.

My Setup:
Postfix and Dovecot running on the same virtual machine on a Dell 2950
with 1x Xeon E5440 on ESXi 4. Maildirs served up by 10x146GB SCSI drives
on RAID-10 via direct attached Dell MD-1000.

Serving 600+ users, mailbox sizes up to 14GiB with constant heavy
searching (no fts yet) and filtering (sieve and IMAP clients). 80,000
messages delivered per week, 95,000 messages rejected, 17,000 spam. 15
minute Load average stays under .50 all day with 4 CPU cores.

IMAP clients include Outlook 2007, Thunderbird 2 and 3, in addition to
webmail via Group Office (yuck).

dovecot-ldap.conf:

# Include multiple domain controllers for redundancy; the first one is
# at the same facility as the Dovecot server.
# Note: plain LDAP on 389 without "tls = yes" carries the bind passwords
# (and, with auth_bind, every user's password) over the network in clear text.
hosts = 10.0.1.12:389 10.0.2.12:389 10.0.3.12:389

# Full DN and password of the account used for the lookup bind. Keep this
# file readable only by the Dovecot auth user, since it holds dnpass.
dn = cn=Internal, ou=People, dc=example, dc=com
dnpass = some_secure_password
# Verify each user's password by binding to AD as the user's own DN
auth_bind = yes
ldap_version = 3
base = ou=People, dc=example, dc=com

# Derive the Maildir location from the account name (%$ = attribute value)
user_attrs = sAMAccountName=home=/var/vmail/example.com/%$

# Each filter must be on a single line. The userAccountControl clause uses
# the bit-AND matching rule (OID 1.2.840.113556.1.4.803) against flag 2
# (ACCOUNTDISABLE), i.e. it excludes disabled accounts.
user_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
pass_filter = (&(sAMAccountName=%Ln)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

For the Postfix side of things, the article explains how to set Postfix
to use Dovecot's SASL for authentication. It also specifies separate
confs for Postfix to lookup users and aliases from.

For my purposes, I decided not to modify the AD schema, and to instead
utilize an unused field to store aliases in. This field had to be able
to store multiple values in a way that I could query easily via LDAP. I
chose the IP Phone field for this purpose. In the AD GUI it is easily
accessible, and allows for multiple values to be stored. Note its usage
in the queries that follow.

/etc/postfix/ldap-users.cf:

# Same list of DCs as in dovecot-ldap.conf, whitespace-separated on one line.
# Add "start_tls = yes" or use ldaps:// URLs to keep bind_pw off the wire.
server_host = ldap://10.0.1.12:389 ldap://10.0.2.12:389 ldap://10.0.3.12:389

search_base = dc=example, dc=com
bind = yes
bind_dn = EXAMPLE\internal
bind_pw = a_secure_password

# Use this lookup for email addresses matching the following domains;
# corresponds with virtual_mailbox_domains in main.cf
domain = example.com, examplelegacy.com, exmple.com

# The following query has been modified a bit from the above article.
# First, the userAccountControl clause (bit-AND rule against flag 2,
# ACCOUNTDISABLE) excludes disabled users.
# The other change is from objectClass to objectCategory.
# Postfix applies RFC 2254 filter quoting to %u before substituting it.
query_filter = (&(&(objectCategory=person)(sAMAccountName=%u))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = sAMAccountName
version = 3

# I was having trouble with referrals not resolving properly due to a
# misconfigured domain controller. I turned this option off and have
# not had a problem since.
chase_referrals = no
# Maildir path under virtual_mailbox_base; the trailing slash means Maildir
result_format = example.com/%s/
debuglevel = 0
timeout = 30

/etc/postfix/ldap-aliases.cf:

# Same list of DCs as in dovecot-ldap.conf, whitespace-separated on one line
server_host = ldap://10.0.1.12:389 ldap://10.0.2.12:389 ldap://10.0.3.12:389

search_base = dc=example, dc=com
bind = yes
bind_dn = EXAMPLE\internal
bind_pw = a_secure_password
domain = example.com, examplelegacy.com, exmple.com

# This query looks up aliases from the otherIPPhone field (or the login
# name itself), again restricted to enabled person objects.
query_filter = (&(&(objectCategory=person)(|(otherIPPhone=%u)(sAMAccountName=%u)))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = sAMAccountName
version = 3
chase_referrals = no
# Rebuild the full mailbox address from the returned sAMAccountName
result_format = %s@example.com
debuglevel = 0
timeout = 30

The objectCategory replacement for objectClass is a *huge* performance
increase. objectClass is not indexed in Active Directory, forcing a lot
of CPU cycles to be wasted for every lookup. The 
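As an added example (not code from the thread or from Wayne's setup), the three filters above rebuilt in Python with RFC 4515 escaping of the substituted login name, plus a small evaluator for just the filter subset they use (`&`, `|`, `!`, equality, the `*` wildcard and the bit-AND extensible match) so the semantics can be checked offline. The directory entries are constructed, the evaluator and `search()` are this example's own, and `objectCategory` is stored as the short name the filter matches rather than the schema DN AD really holds.

```python
"""Added example: AD filters from the Dovecot/Postfix configs above, built with
RFC 4515 escaping and evaluated offline against constructed entries.  Not the
list author's code; the entries and the evaluator are this example's own."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                       # userAccountControl flag: account disabled


def ldap_escape(value: str) -> str:
    """Escape a value substituted into a filter (Dovecot %Ln, Postfix %u) per RFC 4515."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def dovecot_user_filter(login: str) -> str:
    """user_filter / pass_filter from dovecot-ldap.conf with %Ln substituted."""
    return "(&(sAMAccountName=%s)(!(userAccountControl:%s:=%d)))" % (
        ldap_escape(login), BIT_AND_RULE, ACCOUNTDISABLE)


def postfix_user_filter(local: str) -> str:
    """query_filter from ldap-users.cf with %u substituted."""
    return "(&(&(objectCategory=person)(sAMAccountName=%s))(!(userAccountControl:%s:=%d)))" % (
        ldap_escape(local), BIT_AND_RULE, ACCOUNTDISABLE)


def postfix_alias_filter(local: str) -> str:
    """query_filter from ldap-aliases.cf: the login name or an otherIPPhone alias."""
    u = ldap_escape(local)
    return ("(&(&(objectCategory=person)(|(otherIPPhone=%s)(sAMAccountName=%s)))"
            "(!(userAccountControl:%s:=%d)))" % (u, u, BIT_AND_RULE, ACCOUNTDISABLE))


# --- minimal evaluator for the subset above: &, |, !, attr=value, '*', bit-AND ---
def _parse(f, i):
    """Recursive-descent parse of f starting at f[i] == '('; returns (node, next_i)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("unterminated %s at %d" % (op, i))
        return (op, kids), i + 1
    if f[i] == "!":
        node, i = _parse(f, i + 1)
        if f[i] != ")":
            raise ValueError("unterminated ! at %d" % i)
        return ("!", [node]), i + 1
    j = f.index(")", i)                    # escaped values never hold a raw ')'
    attr, _, val = f[i:j].partition("=")
    return ("=", attr, val), j + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _eval(node, entry):
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    if node[0] == "!":
        return not _eval(node[1][0], entry)
    _, attr, val = node
    if attr.endswith(":"):                 # extensible match: attr:rule:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule " + rule)
        mask = int(val)
        return any(int(x) & mask == mask for x in entry.get(attr, ()))
    values = [str(x) for x in entry.get(attr, ())]
    if "*" in val:                         # an unescaped '*' is a wildcard
        pat = ".*".join(re.escape(_unescape(p)) for p in val.split("*"))
        return any(re.fullmatch(pat, x, re.IGNORECASE) for x in values)
    want = _unescape(val).lower()          # AD string attributes match case-insensitively
    return any(x.lower() == want for x in values)


def search(filter_str, directory):
    """Return the sAMAccountNames of the entries in directory matching filter_str."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing text after filter")
    return [e["sAMAccountName"][0] for e in directory if _eval(node, e)]


# Constructed entries, not real AD data.  userAccountControl: 512 = NORMAL_ACCOUNT,
# 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE, 4096 = WORKSTATION_TRUST_ACCOUNT.
DIRECTORY = [
    {"sAMAccountName": ["wayne"], "objectCategory": ["person"],
     "userAccountControl": [512], "otherIPPhone": ["wthursby", "w.thursby"]},
    {"sAMAccountName": ["luigi"], "objectCategory": ["person"], "userAccountControl": [514]},
    {"sAMAccountName": ["mailsvc"], "objectCategory": ["computer"], "userAccountControl": [4096]},
]

if __name__ == "__main__":
    for f in (dovecot_user_filter("wayne"), dovecot_user_filter("luigi"),
              postfix_alias_filter("w.thursby"), dovecot_user_filter("*)(sAMAccountName=*")):
        print(f, "->", search(f, DIRECTORY))
```

Two things the run makes visible that the configs alone do not: the Dovecot filter carries no `objectCategory` clause, so any object with a matching `sAMAccountName` (a computer or service account included) passes the user lookup, which the Postfix filters avoid; and only the escaping keeps a login such as `*)(sAMAccountName=*` from turning into a match-everything filter, which is why the servers' own quoting of `%Ln` and `%u` matters.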

Re: [Dovecot] Dovecot+Postfix+Maildir with ActiveDirectory userbase

2010-02-15 Thread Stan Hoeppner
Wayne Thursby put forth on 2/15/2010 10:24 AM:

 My Setup:
 Postfix and Dovecot running on the same virtual machine on a Dell 2950
 with 1x Xeon E5440 on ESXi 4. Maildirs served up by 10x146GB SCSI drives
 on RAID-10 via direct attached Dell MD-1000.

Interesting setup Wayne.

 Serving 600+ users, mailbox sizes up to 14GiB with constant heavy
 searching (no fts yet) and filtering (sieve and IMAP clients). 80,000
 messages delivered per week, 95,000 messages rejected, 17,000 spam. 15
 minute Load average stays under .50 all day with 4 CPU cores.

How many CPUs are listed in /proc/cpuinfo under that Ubuntu VM?  ESX by default
only exposes one CPU(core) to a VM guest OS.  Any chance you didn't tweak the VM
config and that your Ubuntu guest is only running on time slices of a single
core?  Your results are even more impressive if that's the case.

Also, are you seeing the classic system clock drift of ESX guests, and if so, is
it causing problems with smtp and imap?

-- 
Stan


Re: [Dovecot] Dovecot+Postfix+Maildir with ActiveDirectory userbase

2010-02-15 Thread Wayne Thursby

 Wayne Thursby put forth on 2/15/2010 10:24 AM:

  My Setup:
  Postfix and Dovecot running on the same virtual machine on a Dell 2950
  with 1x Xeon E5440 on ESXi 4. Maildirs served up by 10x146GB SCSI drives
  on RAID-10 via direct attached Dell MD-1000.

 Interesting setup Wayne.

The same ESXi/RAID combo is also running several other VMs using 7 of its 8GB
of RAM.

  Serving 600+ users, mailbox sizes up to 14GiB with constant heavy
  searching (no fts yet) and filtering (sieve and IMAP clients). 80,000
  messages delivered per week, 95,000 messages rejected, 17,000 spam. 15
  minute Load average stays under .50 all day with 4 CPU cores.

 How many CPUs are listed in /proc/cpuinfo under that Ubuntu VM?  ESX by
 default only exposes one CPU(core) to a VM guest OS.  Any chance you didn't
 tweak the VM config and that your Ubuntu guest is only running on time slices
 of a single core?  Your results are even more impressive if that's the case.

Sorry if it's less impressive, but I've certainly configured the VM for 4 cores. 
The cores are shared equally between all VMs, I've done no prioritization 
because I've not had any performance issues related to resource contention.


Having 10x15k RPM spindles to seek across, and 512MB of cache on the controller, 
means I can give Postfix/Amavis/Dovecot 3GB of RAM to use, and 1GB of it is 
always used for cache, without ever dipping into swap. I get occasional spikes 
to 30ms of disk latency, but it stays below 5ms for most of the workday.


 Also, are you seeing the classic system clock drift of ESX guests,
 and if so, is it causing problems with smtp and imap?

Not at all, that's what the VMware tools are for. The ESXi host is configured to 
use our NTP server inside the VPN, and the VMware tools package synchronizes the 
guest clock with the host. I ran into this on our webmail client as well, then I 
discovered how easy it really is to install the VMware tools on Ubuntu, so it's 
no longer a problem.


Don't want to stray off topic, so I'll start a new thread, but I'm now 
attempting to bring High Availability to the mix, and could use some suggestions.


--
Wayne Thursby
System Administrator
Physicians Group, LLC



[Dovecot] Dovecot+Postfix+Maildir with ActiveDirectory userbase

2010-02-13 Thread Luigi Rosa
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,
has anyone implemented a mail server with maildir, Postfix and Dovecot using
Active Directory ad userbase and password authentication?

Do I need Samba to authenticate users?

Can I use credential caching just like mysql?


Ciao,
luigi

- -- 
/
+--[Luigi Rosa]--
\

This morning at breakfast, I noticed that Kellogg's have put a helpline
number on their cornflake packets. When you need a helpline for
breakfast cereals, it's time to start thinking about tearing down
civilisation and giving the ants a go.
   --Chris King

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt2wGAACgkQ3kWu7Tfl6ZR3qQCgv7+smY1v1YY3OAK+A2lH/adr
JtIAoIU+yd9zecP+iKoSxOAyaZJLnRfR
=KnFa
-END PGP SIGNATURE-