How to use Microsoft Active Directory with postfix

Some of you might know: Microsoft AD is a LDAP server. So we can use it to verify if a email address exists. This is especially useful for mailgateways. First we have to create a account for postfix, because the ADS does not allow anonymous binds. I called it "postfix" with password "4mail". In this example i assume that the AD Domainname is redflo.de and that i created a oganisational unit (ou) "misc" where the postfix user is located. Further i only want to accept mail for the ou "staff".

in the /etc/postfix/main.cf add/edit:
relay_recipient_maps = hash:/etc/postfix/relay_recipients, ldap:/etc/postfix/ldap-relay_recipients.cf

You can then add special accounts in the local table /etc/postfix/relay_recipients and also do ldap searches against your ADS. In the file /etc/postfix/ldap-relay_recipients.cf you put something like this:

server_host = ads-server.redflo.de
version = 3
search_base = ou=staff,dc=redflo,dc=de
query_filter = (&(objectClass=user)(mail=%s))
result_attribute = mail
bind_dn = cn=postfix,ou=misc,dc=redflo,dc=de
bind_pw = 4mail


Test your postfix server:
telnet postfix-server.redflo.de 25

220 postfix-server.redflo.de ESMTP Postfix

ehlo bla.de
250-postfix-server.redflo.de
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250 8BITMIME

mail from: <test@bla.de>
250 Ok

rcpt to: <someone@redflo.de>
250 Ok

rcpt to: <noone@redflo.de>
550 <noone@redflo.de>: Recipient address rejected: User unknown in relay recipient table

Errors should go to /var/log/mail or similar.

You can also use a secure connection to your ADS Server. See "man ldap_table"

---