dovecot - Sep 2007 - What's the best way to authenticate against Active Directory?

Hi all,
        I'm working on a replacement for a legacy linux mail server: courier
POP/IMAP, Postfix, OpenLDAP. One of the requirements of the new mail server is
to authenticate against our AD infrastructure (I'll still keep a userdb in
OpenLDAP). SSO is not required since most of the clients don't log into our
domain. The current system has about 1,000 concurrent users on it during the day
(almost all are IMAP users). Inbox size varies but is generally very high 1GB+.

        I'm considering dovecot as a replacement for courier IMAP on the new
server mainly for performance reasons. Cyrus was also considered but I'd
rather work with maildir format inboxes.

I'm in the process of installing a "proof of concept" server with
CentOS 5 and dovecot-1.0-1.2.rc15.el5. the production system will most likely
run on RHEL

Question:
What's the best way (most reliable/fastest) to authenticate dovecot to AD?
If someone is doing this in a production environment can you offer any hints on
configuration for performance or what to expect in general?

Thanks,
chrisj

* Chris Johnson <Chris.Johnson at
sekoworldwide.com>:
> Hi all,
>         I'm working on a replacement for a legacy linux mail server:
courier
>         POP/IMAP, Postfix, OpenLDAP. One of the requirements of the new
mail
>         server is to authenticate against our AD infrastructure (I'll
still
>         keep a userdb in OpenLDAP). SSO is not required since most of the
>         clients don't log into our domain. The current system has about
>         1,000 concurrent users on it during the day (almost all are IMAP
>         users). Inbox size varies but is generally very high 1GB+.
> 
>         I'm considering dovecot as a replacement for courier IMAP on
the new
So did we.
>         server mainly for performance reasons. Cyrus was also considered
but
>         I'd rather work with maildir format inboxes.
Same reason here.

> I'm in the process of installing a "proof of concept" server
with CentOS 5
> and dovecot-1.0-1.2.rc15.el5. the production system will most likely run on
> RHEL
Do yourself a favor and grab a (S)RPM from here
<http://atrpms.net/dist/el5/dovecot/> and build it for your own machine.
Worked out of the box for us.
> Question: What's the best way (most reliable/fastest) to authenticate
> dovecot to AD?  If someone is doing this in a production environment can
you
> offer any hints on configuration for performance or what to expect in
> general?
We use OpenLDAP to provide authentication and mail routing in a 25.000 user
mail system. The LDAP server has plenty of RAM and the database is cached into
it. So far - we're online since a week - no problems have arisen and I doubt
there will be since load stays low. We do use Dovecot in Proxymode though -
still the slave machines don't show any significant load either.

Initial benchmarks had shown we could have 1.000 cliens accessing the system
simultaneously without problems.

If was using AD I'd be getting myself a machine that replicates the AD and
query that to take the load of the DC in case of a dictionary attack or heavy
usage.

Good practice on the Postfix mailing list is not to query the LDAP/AD for
valid recipient domains, but have that read from a static map (which you can
build with a script from AD information on a regular basis).

p at rick

-- 
state of mind
Agentur f?r Kommunikation, Design und Softwareentwicklung

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Amtsgericht M?nchen        Partnerschaftsregister PR 563