Chris Johnson
2007-Sep-18 22:25 UTC
[Dovecot] What's the best way to authenticate against Active Directory?
Hi all,

I'm working on a replacement for a legacy Linux mail server: Courier POP/IMAP, Postfix, OpenLDAP. One of the requirements of the new mail server is to authenticate against our AD infrastructure (I'll still keep a userdb in OpenLDAP). SSO is not required since most of the clients don't log into our domain. The current system has about 1,000 concurrent users on it during the day (almost all are IMAP users). Inbox size varies but is generally very high, 1GB+.

I'm considering Dovecot as a replacement for Courier IMAP on the new server, mainly for performance reasons. Cyrus was also considered, but I'd rather work with maildir format inboxes.

I'm in the process of installing a "proof of concept" server with CentOS 5 and dovecot-1.0-1.2.rc15.el5. The production system will most likely run on RHEL.

Question: What's the best way (most reliable/fastest) to authenticate Dovecot to AD? If someone is doing this in a production environment, can you offer any hints on configuration for performance, or on what to expect in general?

Thanks,
chrisj
Patrick Ben Koetter
2007-Sep-19 06:27 UTC
[Dovecot] What's the best way to authenticate against Active Directory?
* Chris Johnson <Chris.Johnson at sekoworldwide.com>:
> Hi all,
> I'm working on a replacement for a legacy linux mail server: courier
> POP/IMAP, Postfix, OpenLDAP. One of the requirements of the new mail
> server is to authenticate against our AD infrastructure (I'll still
> keep a userdb in OpenLDAP). SSO is not required since most of the
> clients don't log into our domain. The current system has about
> 1,000 concurrent users on it during the day (almost all are IMAP
> users). Inbox size varies but is generally very high 1GB+.
>
> I'm considering dovecot as a replacement for courier IMAP on the new

So did we.

> server mainly for performance reasons. Cyrus was also considered but
> I'd rather work with maildir format inboxes.

Same reason here.

> I'm in the process of installing a "proof of concept" server with CentOS 5
> and dovecot-1.0-1.2.rc15.el5. the production system will most likely run on
> RHEL

Do yourself a favor and grab a (S)RPM from here
<http://atrpms.net/dist/el5/dovecot/> and build it for your own machine.
Worked out of the box for us.

> Question: What's the best way (most reliable/fastest) to authenticate
> dovecot to AD? If someone is doing this in a production environment can you
> offer any hints on configuration for performance or what to expect in
> general?

We use OpenLDAP to provide authentication and mail routing in a 25.000 user mail system. The LDAP server has plenty of RAM and the database is cached into it. So far - we have been online for a week - no problems have arisen, and I doubt there will be, since load stays low. We do use Dovecot in proxy mode though - still, the slave machines don't show any significant load either. Initial benchmarks had shown we could have 1.000 clients accessing the system simultaneously without problems. If I was using AD I'd be getting myself a machine that replicates the AD and query that, to take the load off the DC in case of a dictionary attack or heavy usage.

Good practice on the Postfix mailing list is not to query the LDAP/AD for valid recipient domains, but to have that read from a static map (which you can build with a script from AD information on a regular basis).

p at rick

--
state of mind
Agency for communication, design and software development
Patrick Koetter
Echinger Strasse 3
85386 Eching
Tel: 089 45227227
Fax: 089 45227226
Web: http://www.state-of-mind.de
Munich District Court (Amtsgericht München), Partnership Register PR 563
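As an added example of the "static map built by a script" approach mentioned above (this is not code from the thread, from Dovecot or from Postfix): a small Python script that turns an exported set of AD user records into a static Postfix domain table. The LDIF input is a constructed sample of the kind of output `ldapsearch` prints; in a real deployment you would feed the script the export from a scheduled query against a replica rather than the DC. The attribute names `mail`, `proxyAddresses` and `userAccountControl` are the standard AD ones; the `OK` result value and the output path are assumptions. The two details a practitioner wants are in there: disabled accounts are ignored, and an empty result (usually a failed AD query) is refused rather than written out, since an empty domain table would make Postfix reject all incoming mail.

```python
"""Build a static Postfix recipient-domain table from exported AD user records.

Added example; not part of the original thread. Sample data is constructed.
"""
import base64
import os
import re
import tempfile

# Constructed sample of what `ldapsearch` returns for AD user objects.
# Hypothetical names and domains.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=test
mail: alice@example.test
proxyAddresses: SMTP:alice@example.test
proxyAddresses: smtp:alice@mail.example.test
proxyAddresses: X400:c=us;a= ;p=Example;o=Exchange;s=Example;g=Alice;

dn: CN=Bob Example,OU=Users,DC=example,DC=test
mail: bob@EXAMPLE.TEST
proxyAddresses: SMTP:bob@example.test
proxyAddresses: smtp:bob@partner.test

dn: CN=Old Service,OU=Service,DC=example,DC=test
userAccountControl: 514
mail: svc@old.example.test
"""

# Hostname labels only: keeps junk attribute values out of the map.
DOMAIN_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$"
)
ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on a disabled AD account


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.

    Handles folded continuation lines (leading space) and base64 values ("::").
    """
    entries, current, prev_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev_key:
            current[prev_key][-1] += raw[1:]  # continuation of previous value
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, prev_key = {}, None
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        if value.startswith(":"):  # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key, []).append(value.strip())
        prev_key = key
    if current:
        entries.append(current)
    return entries


def is_disabled(entry):
    """True when the entry's userAccountControl has the ACCOUNTDISABLE bit set."""
    try:
        return bool(int(entry.get("useraccountcontrol", ["0"])[0]) & ACCOUNTDISABLE)
    except ValueError:
        return False


def recipient_domains(entries, skip_disabled=True):
    """Collect the lowercase domains of all SMTP addresses on (enabled) accounts."""
    domains = set()
    for entry in entries:
        if skip_disabled and is_disabled(entry):
            continue
        addresses = list(entry.get("mail", []))
        for proxy in entry.get("proxyaddresses", []):
            scheme, _, addr = proxy.partition(":")
            if scheme.lower() == "smtp":  # skip X400, SIP and other address types
                addresses.append(addr)
        for addr in addresses:
            _, at, domain = addr.rpartition("@")
            domain = domain.strip().lower()
            if at and DOMAIN_RE.match(domain):
                domains.add(domain)
    return sorted(domains)


def render_postmap(domains):
    """Render 'domain OK' lines in the key/value format postmap(1) reads."""
    if not domains:
        # An empty export almost always means the AD query failed; never
        # publish it, or Postfix would start rejecting every recipient.
        raise ValueError("no recipient domains found; refusing to write an empty map")
    return "".join(f"{d} OK\n" for d in domains)


def write_map_atomically(path, content):
    """Write next to the destination and rename into place, so readers never see a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".domains.", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


if __name__ == "__main__":
    table = render_postmap(recipient_domains(parse_ldif(SAMPLE_LDIF)))
    print(table, end="")  # in production: write_map_atomically("/etc/postfix/relay_domains", table)
```

Run it from cron against the real export, then `postmap /etc/postfix/relay_domains` and point `relay_domains = hash:/etc/postfix/relay_domains` (or `virtual_mailbox_domains`, depending on your setup) at the result; Postfix then answers recipient-domain checks from the local hash table and the directory is only queried on the schedule you choose.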