So, the mail server at work died on Wednesday. It was running Microsoft Exchange and died so utterly and completely that even with several hours of premium support from Microsoft, they were unable to get it up and running again. Being one who comes in fairly early in the morning, and already managing a few internal servers, I was asked to set up a new box using Linux or whatever.
Can’t be too difficult, huh?
Well, that depends. In this case, I needed to have it authenticate users against an Active Directory server and support mail aliases set up in its user database. After doing a fair amount of googling around, I found a few guides that helped me along the way. I started out with iRedMail and continued by configuring it to talk to the Active Directory server. Never having worked with AD or Kerberos before, it took me quite some time to get Kerberos working (tip: have a look at what the DNS thinks is the domain name of the KDC; in our case it was “BT.LOCAL” in all uppercase, and using anything else as the Kerberos realm got me nothing but cryptic error messages).
I had some hurdles to overcome. Getting Postfix to authenticate with Active Directory’s LDAP server was fairly easy once I a) had an unprivileged account that could do LDAP lookups (using the “Administrator” account for that does not work), and b) reduced the LDAP query so that it would actually find the users I was looking for (tip: make a dump of the LDAP directory and look at the lowest common denominator for the lookup keys).
Then I had the problem that Dovecot, which handles local mail delivery and IMAP/POP, could not read the mail it had stored in mailboxes. It turned out that since I had set up Kerberos so that the AD users were available as Unix users, and had the recipient domain (“bt.local” from above) in “mydestination”, Postfix would always setuid the LDA. I had to remove the domain from there and add it to the list of virtual domains for that to work.
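As an added example (not from the post, iRedMail or Postfix), here is a small check for the mydestination-versus-virtual-domains mix-up described above: it parses a main.cf and reports whether a domain would be handed to local delivery (Unix users, setuid LDA) or to virtual delivery. The two main.cf snippets are constructed, and the parser does not expand $variables or resolve hash:/ldap: lookup tables.

```python
import re

# Constructed sample: the AD domain sits in mydestination, so Postfix
# delivers it locally and the LDA runs as the Unix user (the symptom above).
BROKEN_MAIN_CF = """\
# constructed sample, not a real iRedMail main.cf
myhostname = mail.bt.local
mydestination = $myhostname, localhost.$mydomain, localhost,
    bt.local
virtual_mailbox_domains =
"""

# Constructed sample: the domain moved to the virtual domain list.
FIXED_MAIN_CF = """\
myhostname = mail.bt.local
mydestination = $myhostname, localhost.$mydomain, localhost
virtual_mailbox_domains = bt.local
"""


def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues
    the previous parameter's value, as in Postfix's own main.cf syntax."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[\s,]+", value) if item]


def delivery_class(main_cf_text, domain):
    """Return 'local', 'virtual', 'both' (which Postfix itself rejects)
    or 'none' depending on where the domain is listed."""
    params = parse_main_cf(main_cf_text)
    local = domain in split_list(params.get("mydestination", ""))
    virtual = domain in split_list(params.get("virtual_mailbox_domains", ""))
    if local and virtual:
        return "both"
    return "local" if local else "virtual" if virtual else "none"
```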
All in all, it took me about a day and a half to get the thing set up. Not bad for the first time. I did set up Git to version-control all the important configuration files so that I can track my future mistakes and revert to a working configuration.