Following on from getting Debian working with Active Directory for account authorisation, I needed to set up Exim with Dovecot for a mail server. Obviously I want to use the Active Directory to keep all the accounts as before, but I also want it to keep all my email aliases.
So, if you haven’t seen how to get Debian working with Active Directory then you might want to read that first.
To make use of LDAP/Active Directory you will need to use the exim4-daemon-heavy package, not exim4-daemon-light, which has no LDAP support. I also set Exim to use the “multiple configuration files” option.
Dovecot
Dovecot is largely straightforward. Dovecot will use PAM, and we have already got this working off the AD servers. We only want the IMAP server, so we installed the dovecot-imapd package with apt.
We have the following options specifically set in /etc/dovecot/dovecot.conf
ssl = required # requires either SSL or STARTTLS to be used. No unencrypted connections
mail_location = maildir:~/Maildir # if you use maildirs this forces their use
passdb pam {
  args = session=yes dovecot # this makes dovecot create the home directory
}
You will need to restart Dovecot to apply these changes.
Exim
Using Dovecot’s deliver
Exim can use Dovecot’s delivery program, which will automatically create the indexes that Dovecot uses. It is not required, but if you are using mbox (not maildir) there can be a delay as Dovecot rebuilds its indexes after email delivery. There is less of a benefit when you’re using Maildir, though.
Create a file called /etc/exim4/conf.d/transport/30_exim4-config_dovecot_delivery with the contents:
dovecot_delivery:
  driver = pipe
  command = /usr/lib/dovecot/deliver
  message_prefix =
  message_suffix =
  log_output
  delivery_date_add
  envelope_to_add
  return_path_add
  #group = mail
  #mode = 0660
  temp_errors = 64 : 69 : 70 : 71 : 72 : 73 : 74 : 75 : 78
Then edit /etc/exim4/update-exim4.conf.conf and modify the dc_localdelivery entry:
dc_localdelivery='dovecot_delivery'
You will then need to issue the command
update-exim4.conf
This will update the configuration and Exim should then use this without a restart.
Keeping email aliases in AD
This one took a bit of figuring out and I found only pieces from other people.
Active Directory setup
We are using Windows 2008, and this does not require us to add anything to the AD to support this.
Using the Active Directory Users and Groups tool, if you edit a user’s information and go to the Attribute Editor tab you can scroll to the otherMailbox entry. Editing this allows you to add and remove email addresses in the list. I use full email addresses, but I imagine it may work fine with simple usernames also.
Exim configuration
A couple of configuration files are needed here. Firstly you need a file with all your LDAP configuration, for which I create the file /etc/exim4/conf.d/main/04_exim4-config_ldap containing:
# Configuration for LDAP email aliases
ldap_default_servers = server1.int.inutility.net:server2.int.inutility.net
LDAPUSER = cn=ldapuser,cn=Users,dc=int,dc=inutility,dc=net
LDAPPASS = ARealPassword
LDAPSEARCHBASE = dc=int,dc=inutility,dc=net
Obviously you should use the command “chmod 640 /etc/exim4/conf.d/main/04_exim4-config_ldap” so users cannot see the password in this file.
Obviously you need to update your own values. Multiple AD servers can be specified separated by “:”. You will also need an LDAP account with limited privileges that is able to enumerate the aliases; I’m afraid I won’t be covering the setup of that here.
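As an added check (not part of the original post), here is a small POSIX shell script that confirms no file defining the LDAPPASS macro is readable by “other” users, which is what the chmod 640 step above is meant to guarantee. The directory and file names it is pointed at are assumptions for the demonstration; on a real host you would run it against /etc/exim4.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm that files carrying the
# LDAPPASS macro are not world-readable, as the chmod 640 step intends.

# check_secret_perms FILE
# Returns 0 when the "other" permission bits are all clear, 1 when any are set,
# 2 when FILE is not a regular file. Uses ls/cut so it works on any POSIX system.
check_secret_perms() {
    [ -f "$1" ] || { printf 'not a regular file: %s\n' "$1" >&2; return 2; }
    other=$(ls -ld "$1" | cut -c8-10)   # characters 8-10 of "-rw-r-----" are the "other" bits
    if [ "$other" = "---" ]; then
        return 0
    fi
    printf 'world-accessible (other=%s): %s\n' "$other" "$1" >&2
    return 1
}

# find_exposed_secrets DIR
# Prints the path of every regular file under DIR that defines LDAPPASS and
# fails check_secret_perms. Prints nothing when everything is locked down.
find_exposed_secrets() {
    find "$1" -type f -exec grep -l 'LDAPPASS[[:space:]]*=' {} + 2>/dev/null |
    while IFS= read -r f; do
        check_secret_perms "$f" 2>/dev/null || printf '%s\n' "$f"
    done
}

# Usage on a real host (assumed paths). The split configuration directory is
# the obvious place to look, but update-exim4.conf assembles those files into
# /var/lib/exim4/config.autogenerated, so the password lives there as well:
#   find_exposed_secrets /etc/exim4
#   check_secret_perms /var/lib/exim4/config.autogenerated
```

The script only inspects the “other” bits; the group owner matters too, since Exim runs as its own user on Debian and must still be able to read the file, so a 640 file should be group-owned by a group that contains the Exim user and nobody else.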
The second file you need is /etc/exim4/conf.d/router/450_exim4-config_ldap_aliases and should contain:
ldap_aliases:
  debug_print = "R: ldap_aliases LDAP lookup for $local_part@$domain"
  driver = redirect
  domains = +local_domains
  condition = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}
  data = ${lookup ldap {user=LDAPUSER pass=LDAPPASS ldap:///LDAPSEARCHBASE?mail?sub?(otherMailbox=*${quote_ldap:$local_part@$domain}*)}}
Nothing should need to be changed in this file. You will then need to update your Exim config with the
update-exim4.conf
Exim will then use this configuration. You can use the command below to check how an email address or alias is routed and that the lookup is working correctly:
exim4 -bt <email address or alias>
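To see what the ldap_aliases router actually sends to the directory, here is an added shell example (not from the original post and not Exim’s own code) that reproduces the filter-level escaping Exim’s ${quote_ldap:...} operator applies, builds the (otherMailbox=*address*) filter from the router above, and evaluates that filter over a constructed list of users. The user list and addresses are made up for the demonstration. Exim additionally URL-encodes the escaped value before it goes into the ldap:/// query; this script does not reproduce that step.

```shell
#!/bin/sh
# Added example, not Exim's own code: model what the ldap_aliases router does
# with a recipient address before it reaches Active Directory.

# quote_ldap VALUE
# Filter-level escaping as documented for Exim's ${quote_ldap:} operator
# (RFC 4515): backslash, *, ( and ) become \5c, \2a, \28 and \29. The backslash
# is handled first so the escapes it introduces are not escaped a second time.
quote_ldap() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# alias_filter LOCALPART DOMAIN
# The filter text the router builds for $local_part@$domain.
alias_filter() {
    printf '(otherMailbox=*%s*)\n' "$(quote_ldap "$1@$2")"
}

# Constructed sample of AD users, "<mail>|<otherMailbox>", one entry per line.
SAMPLE_USERS='alice@example.com|sales@example.com
bob@example.com|old-sales@example.com
carol@example.com|helpdesk@example.com'

# targets_for ADDRESS
# Prints the mail attribute of every sample user whose otherMailbox satisfies
# (otherMailbox=*ADDRESS*) with ADDRESS taken literally, which is exactly what
# the escaped filter means to the directory server.
targets_for() {
    printf '%s\n' "$SAMPLE_USERS" | while IFS='|' read -r mail other; do
        case "$other" in
            *"$1"*) printf '%s\n' "$mail" ;;
        esac
    done
}

# Stand-alone run: show the filter for a few recipients and who they resolve to.
for addr in sales@example.com helpdesk@example.com '*@example.com'; do
    printf '%s -> ' "$(alias_filter "${addr%@*}" "${addr#*@}")"
    targets_for "$addr" | tr '\n' ' '
    echo
done
```

Two things are worth noticing in the output. First, sales@example.com resolves to both alice and bob: the surrounding `*` wildcards in the router’s filter make it a substring match, so an alias that is a suffix of another user’s alias (old-sales@example.com here) collides with it, and both users receive the mail. Second, the address `*@example.com` resolves to nobody, because quote_ldap turns the `*` into `\2a` and the directory then looks for a literal asterisk; keep the `${quote_ldap:...}` wrapper in place, since it is what stops characters in an incoming local part from changing the shape of the filter. `exim4 -bt` shows the end result of this resolution on a real system.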