Exim & Dovecot mailserver with Active Directory

Following on from getting Debian working with Active Directory for account authorisation, I needed to set up Exim with Dovecot for a mail server. Obviously I want to keep all the accounts in Active Directory as before, but I also want it to hold all my email aliases.

So, if you haven’t seen how to get Debian working with Active Directory then you might want to read that first.

To make use of LDAP/Active Directory you will need the exim4-daemon-heavy package, not exim4-daemon-light, which has no LDAP support. I also set Exim to use the “multiple configuration files” option.

Dovecot

Dovecot is largely straightforward. It authenticates through PAM, which we already have working against the AD servers. We only want the IMAP server, so we installed the dovecot-imapd package with apt.

We have the following options specifically set in /etc/dovecot/dovecot.conf:

# require either SSL or STARTTLS; no unencrypted connections
ssl = required

# if you use maildirs this forces their use
mail_location = maildir:~/Maildir

passdb pam {
  # "dovecot" is the PAM service name; session=yes makes Dovecot open a PAM
  # session, which is what gets the home directory created (pam_mkhomedir)
  args = session=yes dovecot
}

You will need to restart Dovecot to apply these changes.

Exim

Using Dovecot’s deliver

Exim can use Dovecot’s delivery program (deliver), which automatically creates and updates the indexes Dovecot uses. It is not required, but if you are using mbox (not maildir) there can otherwise be a delay while Dovecot rebuilds its indexes after a delivery. With Maildir the benefit is smaller.

Create a file called /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery with the contents:

dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  # deliver wants a bare message: no mbox "From " separator line
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  # exit codes treated as temporary failures (retry later) instead of bounces
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78

Then edit /etc/exim4/update-exim4.conf.conf and modify the dc_localdelivery entry:

dc_localdelivery='dovecot_delivery'

You will then need to issue the command:

update-exim4.conf

This regenerates the configuration, and Exim should then use it without a restart.

Keeping email aliases in AD

This one took a bit of figuring out and I found only pieces from other people.

Active Directory setup

We are using Windows 2008, and this does not require us to add anything to the AD schema to support it.

Using the Active Directory Users and Groups tool, edit a user’s properties, go to the Attribute Editor tab and scroll to the otherMailbox attribute. Editing this lets you add email addresses to the list and remove them from it. I use full email addresses, but I imagine it may work fine with simple usernames too.

Exim configuration

A couple of configuration files are needed here. Firstly you need a file with all your LDAP configuration, for which I create the file /etc/exim4/conf.d/main/04_exim4-config_ldap containing:

# Configuration for LDAP email aliases
ldap_default_servers = server1.int.inutility.net:server2.int.inutility.net
LDAPUSER = cn=ldapuser,cn=Users,dc=int,dc=inutility,dc=net
LDAPPASS = ARealPassword
LDAPSEARCHBASE = dc=int,dc=inutility,dc=net

Obviously you should run “chmod 640 /etc/exim4/conf.d/main/04_exim4-config_ldap” so that ordinary users cannot read the password in this file.

Obviously you need to substitute your own values. Multiple AD servers can be specified, separated by colons (:). You will also need an LDAP account with limited privileges that is able to enumerate the aliases. It only needs limited access, but I’m afraid I won’t be covering the setup of that account here.

The second file you need is /etc/exim4/conf.d/router/450_exim4-config_ldap_aliases and should contain:

ldap_aliases:
        debug_print = "R: ldap_aliases LDAP lookup for $local_part@$domain"
        driver = redirect
        domains = +local_domains
        # route only if some user lists this address in otherMailbox
        condition = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}
        # same search as the condition (assumed: this line was cut off on the page);
        # the matched user's mail attribute becomes the new delivery address
        data = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}

Nothing should need to be changed in this file. You will then need to update your Exim config by running:

update-exim4.conf

Exim will then use the new configuration. You can use the command below to check how an address or alias is routed and that the lookup is working correctly:

exim4 -bt <email address or alias>
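To check an alias against AD without going through Exim at all, here is an added example (my own script, not part of the original post) that runs the same otherMailbox search the ldap_aliases router performs, via ldapsearch from ldap-utils. The server, bind DN, search base and password file are placeholders for your own values; it also lets you compare the router's wildcard (substring) match with an exact match.

```python
#!/usr/bin/env python3
"""Reproduce the ldap_aliases router's otherMailbox lookup outside Exim, via
ldapsearch (ldap-utils), so an alias can be checked against AD directly."""
import base64
import subprocess
import sys

# Placeholders: substitute the values from 04_exim4-config_ldap.
LDAP_SERVER = "ldap://server1.int.inutility.net"
LDAPUSER = "cn=ldapuser,cn=Users,dc=int,dc=inutility,dc=net"
LDAPSEARCHBASE = "dc=int,dc=inutility,dc=net"


def quote_ldap(value: str) -> str:
    """RFC 4515 escaping of a filter value: the filter-level quoting that
    Exim's ${quote_ldap:...} applies (Exim URL-encodes it as well)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def alias_filter(address: str, exact: bool = True) -> str:
    """Build the otherMailbox filter. The router on the page wraps the address
    in wildcards, i.e. a substring match, so bob@example.com would also hit a
    user holding jbob@example.com; exact=True uses an equality match."""
    q = quote_ldap(address)
    return f"(otherMailbox={q})" if exact else f"(otherMailbox=*{q}*)"


def parse_ldif(ldif: str) -> tuple[int, list[str]]:
    """Return (entries matched, mail values) from `ldapsearch -LLL` output.
    More than one entry is a problem: Exim's single-entry ldap lookup fails."""
    entries, mails = 0, []
    for line in ldif.splitlines():
        if line.startswith("dn:"):
            entries += 1
        elif line.startswith("mail:: "):      # base64-encoded attribute value
            mails.append(base64.b64decode(line[7:]).decode())
        elif line.startswith("mail: "):
            mails.append(line[6:].strip())
    return entries, mails


def lookup_alias(address: str, passfile: str, exact: bool = True):
    """Run the router's search as the LDAP service account. The password is
    read from a file (-y, no trailing newline) rather than the command line."""
    cmd = ["ldapsearch", "-x", "-LLL", "-H", LDAP_SERVER, "-D", LDAPUSER,
           "-y", passfile, "-b", LDAPSEARCHBASE, "-s", "sub",
           alias_filter(address, exact), "mail"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_ldif(out)


if __name__ == "__main__":
    n, mails = lookup_alias(sys.argv[1], sys.argv[2])
    print(f"{n} entries; mail = {mails}")
```

Run it as `./check_alias.py alias@yourdomain /path/to/passfile`; more than one entry in the result means the router's lookup would fail for that alias.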