Friday, May 31, 2013

Postfix, Dovecot and Active directory Integration


For Linux AD integration, please refer to my earlier post (http://isvivek.blogspot.com/2013/05/redhat-linux-active-directory.html); after completing the AD integration, proceed with this post to set up a Postfix mail server with AD authentication.

Postfix configuration

Change the parameters mentioned below. These are just the basic parameters needed to run a Postfix mail server; more options can be customized or enabled as required. The "##" annotations are explanations only and must not be copied into the file, because Postfix does not support trailing comments on a parameter line.

Step 1 :

[root@mail ~]# vim /etc/postfix/main.cf

myhostname = mail.isvivek.com  ## Enter your hostname here

mydomain = isvivek.com ## Enter your domain name here

myorigin = $mydomain ## Just uncomment this line

inet_interfaces = all  ## Uncomment and change it to all

mydestination = $myhostname, localhost.$mydomain, $mydomain  ##  Just uncomment this line

mynetworks = 192.168.248.0/24, 127.0.0.0/8 ## Uncomment and add the network which you want to allow

home_mailbox = Maildir/ ## Just uncomment this line

Save the /etc/postfix/main.cf after making the config changes.

Step 2 : Start the postfix service


[root@mail ~]# /etc/init.d/postfix start
Starting postfix:                                          [  OK  ]
[root@mail ~]#

Step 3 : Test mail flow 

[root@mail ~]# telnet mail 25
Trying 192.168.248.128...
Connected to mail.
Escape character is '^]'.
220 mail.isvivek.com ESMTP Postfix
ehlo mail
250-mail.isvivek.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:isvivek@isvivek.com
250 2.1.0 Ok
rcpt to:user1@isvivek.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hi

this is test mail
.
250 2.0.0 Ok: queued as CDDA142EDE
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#



[root@mail ~]# cd /home/ISVIVEK/user1/Maildir/new
[root@mail new]# ll
total 4
-rw------- 1 user1 domain users 456 May 31 14:25 1369990556.Vfd00I2558cM259259.mail.isvivek.com
[root@mail new]# cat 1369990556.Vfd00I2558cM259259.mail.isvivek.com
Return-Path: <isvivek@isvivek.com>
X-Original-To: user1@isvivek.com
Delivered-To: user1@isvivek.com
Received: from mail (mail.isvivek.com [192.168.248.128])
        by mail.isvivek.com (Postfix) with ESMTP id CDDA142EDE
        for <user1@isvivek.com>; Fri, 31 May 2013 14:25:15 +0530 (IST)
Message-Id: <20130531085539.CDDA142EDE@mail.isvivek.com>
Date: Fri, 31 May 2013 14:25:15 +0530 (IST)
From: isvivek@isvivek.com
To: undisclosed-recipients:;

Hi

this is test mail
[root@mail new]#



Dovecot configuration

Step 1: Configure Dovecot

[root@mail ~]# vim /etc/dovecot/dovecot.conf

protocols = imap pop3 lmtp  ## Uncomment this line
mail_location = maildir:~/Maildir  ## Add this line


Step 2 :  Start dovecot service

[root@mail ~]# /etc/init.d/dovecot start
Starting Dovecot Imap:                                     [  OK  ]
[root@mail ~]#

Step 3 : Check mail through imap/pop3

[root@mail ~]# telnet mail pop3
Trying 192.168.248.128...
Connected to mail.
Escape character is '^]'.
+OK Dovecot ready.
user user1
+OK
pass Welcome@123
+OK Logged in.
list
+OK 1 messages:
1 470
.
retr 1
+OK 470 octets
Return-Path: <isvivek@isvivek.com>
X-Original-To: user1@isvivek.com
Delivered-To: user1@isvivek.com
Received: from mail (mail.isvivek.com [192.168.248.128])
        by mail.isvivek.com (Postfix) with ESMTP id CDDA142EDE
        for <user1@isvivek.com>; Fri, 31 May 2013 14:25:15 +0530 (IST)
Message-Id: <20130531085539.CDDA142EDE@mail.isvivek.com>
Date: Fri, 31 May 2013 14:25:15 +0530 (IST)
From: isvivek@isvivek.com
To: undisclosed-recipients:;

Hi

this is test mail
.
quit
+OK Logging out.
Connection closed by foreign host.
[root@mail ~]#

Squirrelmail installation and configuration 

Download the latest version of Squirrelmail from http://squirrelmail.org/download.php and copy the source archive to the Linux box.

Squirrelmail Configuration

Extract it to /usr/share

[root@mail share]# pwd
/usr/share
[root@mail share]# tar -xzvf /tmp/squirrelmail-webmail-1.4.22.tar.gz
[root@mail share]# mv  squirrelmail-webmail-1.4.22/  squirrelmail/
[root@mail share]# cd squirrelmail/
[root@mail squirrelmail]# ./configure

Select 1 and edit Organization Preferences.
After entering all the details, enter R to return to the main menu.
Now select 2 and edit Server Settings.
After entering all the details, enter R to return to the main menu.

The rest of the options are optional; you can customize the look by editing the Themes options in this menu.

Save and quit from the Squirrelmail config menu.

Apache Configuration

Step 1:  Add the lines below to the /etc/httpd/conf/httpd.conf file

[root@mail ~]# vim /etc/httpd/conf/httpd.conf

Alias /webmail /usr/share/squirrelmail
<Directory /usr/share/squirrelmail>
    Options Indexes FollowSymLinks
    RewriteEngine On
    AllowOverride All
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>

Step 2 : Apache service restart

[root@mail ~]# /etc/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@mail ~]#


Mail ID creation

As we are using AD for authentication, users are created in AD. Each user only needs to log in at least once on the Linux box with their AD ID so that their profile (home directory) is created there; the mailbox is then created automatically when they first log in to webmail.

We are using simple shell scripts for this, one for a single user ID and one for multiple users.



Once the user's profile has been created on the Linux box, try logging in through a browser from a client.
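As an added example (my script, not the one used in the post), the following POSIX shell script pre-creates the home directory for one or more AD users without an interactive login. It assumes winbind use default domain = true (plain user names, as in this setup), that winbind resolves the users through NSS, and that /sbin/mkhomedir_helper from Linux-PAM is installed; the umask and the name check are my choices.

```shell
#!/bin/sh
# Added example: pre-create home directories for AD users so the mailbox can be
# created on first webmail login, with no interactive SSH login per user.
# Assumes (not from the post): winbind use default domain = true, so names are
# plain; winbind resolves the users (getent passwd works); /sbin/mkhomedir_helper
# from Linux-PAM is installed.
# Usage: ./mkhome-ad.sh user1 [user2 ...]    or    wbinfo -u | xargs ./mkhome-ad.sh

HOME_UMASK=0077   # new home directories are not readable by other users

# Accept only names that can safely be passed on to getent/mkhomedir_helper.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the home directory for one user. Skips names that do not resolve via
# NSS (a sign winbind is not working) and users whose home already exists.
provision_user() {
    u=$1
    if ! valid_username "$u"; then
        echo "skip '$u': unacceptable user name" >&2; return 1
    fi
    if ! entry=$(getent passwd "$u"); then
        echo "skip '$u': not resolvable via NSS/winbind" >&2; return 1
    fi
    home=$(printf '%s\n' "$entry" | cut -d: -f6)   # 6th field is the home dir
    if [ -d "$home" ]; then
        echo "ok   $u: $home already exists"; return 0
    fi
    /sbin/mkhomedir_helper "$u" "$HOME_UMASK" && echo "made $u: $home"
}

# Each argument is one AD user name.
if [ "$#" -gt 0 ]; then
    for u in "$@"; do provision_user "$u"; done
fi
```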



Now we have configured postfix, dovecot & squirrelmail with AD authentication. All the best... 

Thursday, May 30, 2013

Auto creation of user home directory in Linux Server

Issue : The user home directory is not created automatically when users authenticate through LDAP or AD

Cause : pam_mkhomedir.so shared object is missing

Solution :

Step 1 :

[root@mail ~]# yum install -y pam_mkhomedir.so

[root@mail ~]# yum install -y oddjob-mkhomedir

[root@mail ~]# chkconfig oddjobd on
[root@mail ~]# service oddjobd start
Starting oddjobd:                                          [  OK  ]
[root@mail ~]# authconfig --enablemkhomedir --update
Starting Winbind services:                                 [  OK  ]
Starting oddjobd:                                          [  OK  ]
[root@mail ~]#


Step 2 :

Verify the home directory creation

login as: isvivek
isvivek@192.168.248.128's password:
Creating home directory for isvivek.
Last login: Thu May 30 12:59:17 2013 from 192.168.248.1
[isvivek@mail ~]$ pwd
/home/ISVIVEK/isvivek
[isvivek@mail ~]$


If it still doesn't work after the above changes...

check for and add the entry below in the "/etc/pam.d/system-auth" and "/etc/pam.d/sshd" files:

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

This will fix the issue... All the best !!



Redhat Linux Active Directory Integration


I have used an RHEL 6.2 (64 bit) server and a Windows 2003 Enterprise Edition server (Active Directory).

OS : RHEL 6.2 (64 bit)
Hostname : mail.isvivek.com
IP Addr : 192.168.248.128

OS : Windows 2003 Enterprise Server (64 bit)
Active Directory Server
Hostname : win2k3.isvivek.com
IP Addr : 192.168.248.129

First set up Active Directory and make sure the server is ready to authenticate clients.

For Active Directory configuration, refer to http://www.youtube.com/watch?v=ihxSA-VYO_Q


Step 1 :    Install samba package

[root@mail ~]# yum install -y samba*



[root@mail ~]# rpm -qa | grep samba
samba-common-3.5.10-114.el6.x86_64
samba-3.5.10-114.el6.x86_64
samba-winbind-3.5.10-114.el6.x86_64
samba-client-3.5.10-114.el6.x86_64
samba-winbind-clients-3.5.10-114.el6.x86_64
[root@mail ~]#


Step 2 :   Configure the Linux box to authenticate against AD through Winbind and Kerberos

[root@mail ~]# authconfig-tui

Enable Kerberos and Winbind authentication


Enter the domain and AD server details



Select the "ads" option, enter the domain and the AD server IP, and select the /bin/bash shell


Click ok.

For reference, these are the resulting Samba and Kerberos config files

[root@mail ~]# grep -v \# /etc/samba/smb.conf| grep -v ";"| sort -u
[global]
   idmap gid = 500-100000000
   idmap uid = 500-100000000
   password server = 192.168.248.129
   realm = ISVIVEK.COM
   security = ads
   template shell = /bin/bash
   winbind offline logon = false
   winbind use default domain = true
   workgroup = isvivek
[root@mail ~]#

[root@mail ~]# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ISVIVEK.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 ISVIVEK.COM = {
  kdc = 192.168.248.129
  admin_server = 192.168.248.129
  kpasswd_server = 192.168.248.129
  default_domain = isvivek.com
 }

[domain_realm]
 isvivek.com = ISVIVEK.COM
 .isvivek.com = ISVIVEK.COM
[root@mail ~]#


Step 4 :  In /etc/nsswitch.conf file

Change the lines below

passwd:     files winbind
shadow:     files winbind
group:      files winbind

to

passwd: compat  winbind
shadow: compat
group:  compat  winbind

Step 5 :

[root@mail ~]# /etc/init.d/winbind stop
Shutting down Winbind services:                            [  OK  ]
[root@mail ~]# /etc/init.d/smb restart
Shutting down SMB services:                                [  OK  ]
Starting SMB services:                                 [  OK  ]
[root@mail ~]# /etc/init.d/winbind start
Starting Winbind services:                                 [  OK  ]
[root@mail ~]#

Step 6 :  

To make sure there are no live Kerberos tickets, run the command below to destroy any that exist

# kdestroy

Step 7 :

Add the Linux box to AD

# net ads join -U administrator -k

(or)

# net join -S win2k3 -U ANYADUSER

Note : You will see the error below if no proper DNS server or DNS record is configured; this error can be ignored.
Error:
No DNS domain configured for hostname. Unable to perform DNS Update.
DNS update failed!

Step 8 :

Verification Steps :

The command below returns the AD membership status

[root@mail ~]# net ads testjoin
Join is OK
[root@mail ~]# 

The command below provides the AD membership details


[root@mail ~]# net ads info
LDAP server: 192.168.248.129
LDAP server name: win2k3.isvivek.com
Realm: ISVIVEK.COM
Bind Path: dc=ISVIVEK,dc=COM
LDAP port: 389
Server time: Mon, 29 Apr 2013 16:09:51 IST
KDC server: 192.168.248.129
Server time offset: -126
[root@mail ~]#

The command below lists the AD users

[root@mail ~]# wbinfo -u
administrator
guest
krbtgt
isvivek
sleodeepak
linuxmail
user1
user2
[root@mail ~]#
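An added verification script (mine, not from the post) that runs the same checks non-interactively and additionally compares the "Server time offset" reported by net ads info with the default Kerberos clock-skew tolerance of 300 seconds, since a skew beyond that makes ticket requests fail. The sample output embedded for the offline check is constructed from the net ads info output above (offset -126); the 300 s limit is the libkrb5 default, not a value from the post.

```shell
#!/bin/sh
# Added example: non-interactive post-join checks for the AD integration above.
# Kerberos rejects requests when client and KDC clocks differ by more than the
# clockskew setting (300 s by default), so the "Server time offset" line from
# `net ads info` is checked against that limit as well.

MAX_SKEW=300   # seconds; libkrb5 default clockskew (assumption: not changed in krb5.conf)

# Reads `net ads info` output on stdin, prints the offset in seconds and returns
# 0 when it is within +/- MAX_SKEW, 1 when it is outside, 2 when the line is missing.
offset_within_skew() {
    off=$(sed -n 's/^Server time offset: *\(-\{0,1\}[0-9]\{1,\}\).*/\1/p' | head -n 1)
    [ -n "$off" ] || return 2
    abs=${off#-}                       # strip the sign
    echo "$off"
    [ "$abs" -le "$MAX_SKEW" ]
}

# Constructed sample in the shape of the post's `net ads info` output.
SAMPLE_INFO='LDAP server: 192.168.248.129
LDAP server name: win2k3.isvivek.com
Realm: ISVIVEK.COM
KDC server: 192.168.248.129
Server time offset: -126'

# Live checks; prints PASS/FAIL per check and returns non-zero on any failure.
# Argument: one AD user name that must resolve through NSS (e.g. user1).
verify_join() {
    rc=0
    check() { if "$@" >/dev/null 2>&1; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    check net ads testjoin          # machine account still valid in AD
    check wbinfo -t                 # winbindd can use the trust secret
    check wbinfo -u                 # domain users can be enumerated
    check getent passwd "$1"        # NSS (nsswitch.conf winbind entry) resolves an AD user
    if off=$(net ads info 2>/dev/null | offset_within_skew); then
        echo "PASS: clock offset ${off}s is within ${MAX_SKEW}s"
    else
        echo "FAIL: clock offset ${off:-unknown}; sync NTP against the DC"; rc=1
    fi
    return $rc
}

# Usage: ./verify-adjoin.sh user1
if [ "$#" -gt 0 ]; then verify_join "$1"; fi
```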

Step 9 :

Try logging in as an AD user that does not exist on the local Linux box

login as: isvivek
isvivek@192.168.248.128's password:
Creating home directory for isvivek.
Last login: Thu May 30 12:59:17 2013 from 192.168.248.1
[isvivek@mail ~]$ pwd
/home/ISVIVEK/isvivek
[isvivek@mail ~]$ ll -a
total 28
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:21 .
drwx--x--x 3 root    root         4096 May 30 15:20 ..
-rw-r--r-- 1 isvivek domain users   18 May 30 15:20 .bash_logout
-rw-r--r-- 1 isvivek domain users  176 May 30 15:21 .bash_profile
-rw-r--r-- 1 isvivek domain users  124 May 30 15:20 .bashrc
drwxr-xr-x 2 isvivek domain users 4096 May 30 15:20 .gnome2
drwxr-xr-x 4 isvivek domain users 4096 May 30 15:20 .mozilla
[isvivek@mail ~]$ grep -i isvivek /etc/passwd
[isvivek@mail ~]$


All the best...




Monday, May 27, 2013

rndc: connect failed: 127.0.0.1#953: connection refused


Error :  rndc: connect failed: 127.0.0.1#953: connection refused

Cause : The rndc.key file does not exist; if it already exists, the problem is its ownership

Step 1 : Check whether key file exists if not generate it.

[root@dns ~]# ll /etc/rndc.key
ls: cannot access /etc/rndc.key: No such file or directory
[root@dns ~]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@dns ~]#

Step 2 : Change the ownership for rndc.key file from root to named

[root@dns ~]# rndc status
rndc: connect failed: 127.0.0.1#953: connection refused
[root@dns ~]# ll /etc/rndc.key
-rw------- 1 root root 77 May 28 11:07 /etc/rndc.key
[root@dns ~]# chown named:named /etc/rndc.key
[root@dns ~]# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@dns named]# rndc status
version: 9.7.3-P3-RedHat-9.7.3-8.P3.el6
CPUs found: 2
worker threads: 2
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@dns named]#
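An added shell check (mine, not from the post) that encodes the two causes above, a missing key file and a key that named cannot read, and also flags the opposite mistake of a key readable by every local user. It takes the path and the expected owner as parameters, so it can be tried on any file; the exit codes and messages are my own.

```shell
#!/bin/sh
# Added example: check the two rndc.key conditions from the post (key file missing;
# key owned by root with mode 0600 so named cannot read it) plus the opposite
# mistake, a key readable by other local users.  Exit codes: 0 usable, 1 missing,
# 2 not readable by the service user, 3 readable by others.
# Usage: check_rndc_key /etc/rndc.key named [group]   (group defaults to the owner)

# True when a single octal permission digit includes the read bit (4).
readable() { [ $(( $1 & 4 )) -ne 0 ]; }

check_rndc_key() {
    key=$1; owner=$2; group=${3:-$2}
    if [ ! -f "$key" ]; then
        echo "MISSING: $key (generate it with: rndc-confgen -a)"; return 1
    fi
    # stat -c is GNU coreutils (as on RHEL): %U owner, %G group, %a octal mode
    f_owner=$(stat -c %U "$key")
    f_group=$(stat -c %G "$key")
    mode=$(stat -c %a "$key")
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # pad to four digits, e.g. 0600
    u=${mode#?}; u=${u%??}                           # owner digit
    g=${mode#??}; g=${g%?}                           # group digit
    o=${mode#???}                                    # other digit
    if [ "$f_owner" = "$owner" ] && readable "$u"; then :
    elif [ "$f_group" = "$group" ] && readable "$g"; then :
    else
        echo "UNREADABLE: $key is $f_owner:$f_group $mode, so $owner cannot read it" \
             "(fix: chown $owner:$group $key; chmod 640 $key)"; return 2
    fi
    if readable "$o"; then
        echo "WORLD-READABLE: $key mode $mode lets any local user read the control key" \
             "(fix: chmod 640 $key)"; return 3
    fi
    echo "OK: $key $f_owner:$f_group $mode"
}

# Stand-alone use: report on the live key file for the named service.
if [ "$#" -gt 0 ]; then check_rndc_key "$@"; fi
```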