This series of tutorials will guide you on how to integrate iRedMail installed on a CentOS 7 machine with a Samba4 Active Directory Domain Controller in order for domain accounts to send or receive mail via Thunderbird desktop client or via Roundcube web interface.
The CentOS 7 server where iRedMail will be installed will provide SMTP and mail routing services on ports 25 and 587 and will also act as the mail delivery agent through Dovecot, providing POP3 and IMAP services, both secured with self-signed certificates issued during the installation process.
The recipient mailboxes will be stored on the same CentOS server along with the webmail user agent provided by Roundcube. Samba4 Active Directory will be used by iRedMail to query and authenticate recipient accounts against the realm, to create mail lists with the help of Active Directory groups and to control the mail accounts via Samba4 AD DC.
Requirements:
Step 1: Install iRedMail in CentOS 7
1. Before starting the iRedMail installation, make sure you have a fresh CentOS 7 operating system installed on your machine using the instructions provided by this guide:
2. Also, ensure that the system is up to date with the latest security and package updates by issuing the command below.
# yum update
3. The system will also need a FQDN hostname, set by issuing the command below. Replace mail.tecmint.lan with your own custom FQDN.
# hostnamectl set-hostname mail.tecmint.lan
Verify the system hostname with the commands below.
# hostname -s          # Short name
# hostname -f          # FQDN
# hostname -d          # Domain
# cat /etc/hostname    # Verify it with the cat command
4. Map the machine FQDN and short name to the loopback IP address by manually editing the /etc/hosts file. Add the values as illustrated below and replace the mail.tecmint.lan and mail values accordingly.
127.0.0.1 mail.tecmint.lan mail localhost localhost.localdomain
5. The iRedMail developers recommend that SELinux be completely disabled. Disable SELinux by editing the /etc/selinux/config file and changing the SELINUX parameter from permissive to disabled, as illustrated below.
SELINUX=disabled
Reboot the machine to apply the new SELinux setting, or run setenforce with the 0 parameter to switch SELinux to permissive mode immediately (the disabled state itself only takes effect after a reboot).
# reboot
OR
# setenforce 0
6. Next, install the following packages, which will come in handy later for system administration:
# yum install bzip2 net-tools bash-completion wget
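Before moving on to the download, the preparation done in steps 3 to 5 (FQDN hostname, /etc/hosts mapping, SELinux set to disabled) can be verified with the following script. It is an added example, not part of iRedMail or of the original article; the file paths are parameters, and the run_demo function exercises the checks on constructed copies rather than the host's real files.

```shell
#!/bin/sh
# Pre-flight check for steps 3 to 5: FQDN hostname, /etc/hosts mapping,
# SELinux set to disabled. Added example, not part of iRedMail. File paths
# are parameters so the checks can run against the real files or copies.

# check_fqdn NAME -> 0 when NAME has at least a host part and a domain part
check_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;   # empty, stray dots, bad chars
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# check_hosts HOSTSFILE FQDN SHORT -> 0 when a 127.0.0.1 line carries both names
check_hosts() {
    awk -v fqdn="$2" -v short="$3" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) seen[$i] = 1 }
        END { exit ((fqdn in seen && short in seen) ? 0 : 1) }' "$1"
}

# selinux_mode CONFIGFILE -> prints the effective SELINUX= value (last one wins)
selinux_mode() {
    awk -F= '/^[ \t]*SELINUX[ \t]*=/ { v = $2 }
             END { gsub(/[ \t\r]/, "", v); print v }' "$1"
}

# preflight FQDN SHORT HOSTSFILE SELINUXCONFIG -> 0 when all three checks pass
# On the server: preflight "$(hostname -f)" "$(hostname -s)" /etc/hosts /etc/selinux/config
preflight() {
    rc=0
    check_fqdn "$1" || { echo "hostname '$1' is not a FQDN"; rc=1; }
    check_hosts "$3" "$1" "$2" || { echo "no 127.0.0.1 line maps $1 and $2 in $3"; rc=1; }
    [ "$(selinux_mode "$4")" = disabled ] ||
        { echo "SELINUX is not 'disabled' in $4 (setenforce 0 only gives permissive)"; rc=1; }
    return $rc
}

# run_demo: exercise the checks on constructed files (not the host's real ones)
run_demo() {
    d=$(mktemp -d)
    printf '127.0.0.1 mail.tecmint.lan mail localhost localhost.localdomain\n' > "$d/hosts"
    printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/selinux"
    preflight mail.tecmint.lan mail "$d/hosts" "$d/selinux"; rc=$?
    rm -rf "$d"; return $rc
}
```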
7. In order to install iRedMail, first go to the download page http://www.iredmail.org/download.html and grab the latest archive version of the software by issuing the below command.
# wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.9.6.tar.bz2
8. After the download finishes, extract the compressed archive and enter the extracted iRedMail directory by issuing the following commands.
# tar xjf iRedMail-0.9.6.tar.bz2
# cd iRedMail-0.9.6/
# ls
9. Start the installation process by executing the iRedMail shell script with the following command. From this point on, the installer will ask a series of questions.
# bash iRedMail.sh
10. On the first welcome prompt hit Yes to proceed further with the installation.
11. Next, choose the location where all the mail will be stored. The default directory that iRedMail uses to store mailboxes is the /var/vmail/ system path.
If this directory is located on a partition with enough storage to host mail for all your domain accounts, hit Next to continue.
Otherwise, change the default location to a different directory if you have configured a larger partition dedicated to mail storage.
12. On the next step choose the frontend web server through which you will interact with iRedMail. The iRedMail administration panel will be completely disabled later, so we will use the frontend web server only to access account mail via the Roundcube web panel.
If you don’t have thousands of mail accounts per hour accessing the webmail interface, you should go with the Apache web server due to its flexibility and easy management.
13. On this step choose the OpenLDAP backend database for compatibility with the Samba4 domain controller and hit Next to continue, although we won’t use this OpenLDAP database once we integrate iRedMail with the Samba domain controller.
14. Next, specify your Samba4 domain name for LDAP suffix as illustrated on the image below and hit Next to continue.
15. On the next prompt enter your domain name only and hit Next to move on. Replace the tecmint.lan value accordingly.
16. Now, set up a password for the postmaster@tecmint.lan administrator and hit Next to continue.
17. Next, choose from the list the optional components you want to integrate with your mail server. I strongly recommend installing Roundcube in order to provide a web interface for domain accounts to access mail, although Roundcube can be installed and configured on a different machine for this task in order to free mail server resources in case of high loads.
For local domains with restricted internet access, and especially while we’re using domain integration, the other components are not very useful, except Awstats in case you need mail analysis.
18. On the next review screen type Y in order to apply the configuration and start the installation process.
19. Finally, allow the iRedMail scripts to automatically configure your machine’s firewall and MySQL configuration file by typing yes for all questions.
20. After the installation finishes the installer will provide some sensitive information, such as iRedAdmin credentials, web panel URL addresses and the file location with all parameters used at the installation process.
Read the displayed information above carefully and reboot the machine in order to enable all mail services by issuing the following command.
# init 6
21. After the system reboots, log in as root or with an account with root privileges and list all network sockets, and the programs associated with them, that your mail server listens on by issuing the following command.
From the socket list you will see that your mail server covers almost all the services required for a mail server to function properly: SMTP/S, POP3/S, IMAP/S and antivirus along with spam protection.
# netstat -tulpn
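Reading the socket list by eye is error-prone, so here is a small check that confirms the expected mail ports are listening and flags any other listener bound to a non-loopback address for review. It is an added example, not iRedMail code or part of the original article; the expected port list (25, 587, 110, 995, 143, 993, 443) is an assumption matching the services named above, and the netstat sample inside it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Post-install listener check for step 21. Added example, not iRedMail code.
# Expected TCP ports (assumption matching the services named above):
# SMTP 25/587, POP3 110, POP3S 995, IMAP 143, IMAPS 993, HTTPS webmail 443.
EXPECTED_PORTS="25 587 110 995 143 993 443"

# check_listeners FILE  (FILE holds the output of `netstat -tulpn`)
# Exit 0 when every expected port has a TCP listener; print each missing port,
# and flag any non-loopback TCP listener outside the expected list for review.
check_listeners() {
    awk -v want="$EXPECTED_PORTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $1 ~ /^tcp/ {
            n = split($4, a, ":"); port = a[n]      # text after the last ":" is the port
            listen[port] = 1
            if (!(port in need) && $4 !~ /^127\./ && $4 !~ /^::1:/) extra[port] = $NF
        }
        END {
            rc = 0
            for (p in need) if (!(p in listen)) { print "missing listener on tcp/" p; rc = 1 }
            for (p in extra) print "review: unexpected public listener tcp/" p " (" extra[p] ")"
            exit rc
        }' "$1"
}

# Constructed sample of `netstat -tulpn` output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1020/master
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      1020/master
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      1055/dovecot
tcp        0      0 0.0.0.0:995             0.0.0.0:*               LISTEN      1055/dovecot
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      1055/dovecot
tcp        0      0 0.0.0.0:993             0.0.0.0:*               LISTEN      1055/dovecot
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1100/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      980/mysqld
tcp6       0      0 :::22                   :::*                    LISTEN      900/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           800/dhclient
EOF
}

# run_demo: check the constructed sample. On a live server use
#   netstat -tulpn > /tmp/listen.txt && check_listeners /tmp/listen.txt
run_demo() {
    f=$(mktemp); sample_netstat > "$f"
    check_listeners "$f"; rc=$?
    rm -f "$f"; return $rc
}
```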
22. To view the location of all the configuration files iRedMail has modified, and the credentials iRedMail used during the installation process for database administration, the mail admin account and other accounts, display the contents of the iRedMail.tips file.
The file is located in the directory where you initially extracted the installation archive. Be aware that you should move and protect this file, because it contains sensitive information about your mail server.
# less iRedMail-0.9.6/iRedMail.tips
23. The file mentioned above, which contains details about your mail server, will also be automatically mailed to the mail server administrator account, represented by the postmaster account.
The webmail can be accessed securely via HTTPS protocol by typing your machine IP address in a browser. Accept the error generated in browser by the iRedMail self-signed web certificate and log in with the password chosen for postmaster@your_domain.tld account during the initial installation. Read and store this e-mail to a safe mailbox.
https://192.168.1.254
That’s all! By now you have a full mail server configured on your premises which operates on its own, but is not yet integrated with the Samba4 Active Directory Domain Controller services.
In the next part we will see how to modify the iRedMail services (the postfix, dovecot and roundcube configuration files) in order to query domain accounts and send, receive and read mail.
Hello, how do you add a new e-mail address? Thank you
You add the user to the AD server. The AD database will be queried by the mail server.
… like the postmaster user mentioned by you at point 16? OR without this user in AD can we finish the setup?
That user is just a local user used by iRedMail to manage the mail system. Once you are integrated into AD you won’t need or ever use this local postmaster user to maintain the accounts database. All your accounts will be managed from Samba Active Directory.
It works with as many users as your AD has defined, no limit so far. This design is destined for LAN access only. You can set up a domain such as domain.com to be accessed from the LAN only, as long as the domain is not registered officially with a domain registrar. If you don’t want the iredMail mail system to read all mail users you can simply set up an OU or groups of users and query only those specific groups or OUs.
Hello Matei, it would be nice to add this statement at the beginning of your tutorial – “This design is destined for LAN access only, and not to send/receive mails to/from the Internet”, so anybody can understand this restriction from the beginning.
Also, if someone wants to communicate with other Internet mail servers, it is very possible to use a separate mail server (like a proxy), which can route mails to/from the iredMail server to other Internet mail servers.
This proxy mail server must know only the email addresses used by iredMail, without any passwords. This kind of setup is very common for the guys who use Exchange (internal LAN mail server) and a postfix/whatever as a proxy server.
If you have a registered domain with a domain registrar behind a public IP address then you can use this setup to send/receive mail. The domain in this case is a private .local domain.
Please try to use very specific terms, so I can be sure when you speak about a DNS domain and when you speak about an AD domain. These are different things. So if I understood correctly, you say that we can have an AD domain like .local, and a DNS one like example.com?
No, I didn’t say that! I said you can set up an AD with a private .local domain name or with a registered domain name such as a .com domain. Anyway, AD domains work hand in hand with a DNS server.
So, you say something like this:
1. You can use iRedMail using LDAP from a (private) AD like .local and send/receive emails to/from any Internet mail server (without any other services/servers, like a mail relay or whatever)
2. You can use iRedMail using LDAP from an AD like .example.com and send/receive emails from any Internet mail server (without any other services/servers, like a mail relay or whatever)
For 2. I agree with you, it is possible, but like I said, if this AD is the only AD in this environment, it is not a very wise idea. Even if you create a separate OU only for persons who will use this mail server (in this case you will lose the Single Sign-On advantage).
For 1., yes I see many broken mail servers that were trying to send mail from an address like [email protected], or others funny things like this.
Have a nice day Matei!
What I am trying to say is the fact that any piece of software can be set up so it can work in many ways, but in some cases it is not wise/secure to try something like this. You can for example use an HTTP logon page, it is working, but it is not safe, and sometimes you could have big problems if you use HTTP instead of HTTPS.
Kindly clarify for me, how many users does the iRedMail 0.9.6 free version support, unlimited or limited users?
One more thing, it’s working fine with Windows 7 and via web access, but not working in Windows XP with MS Outlook. Any good suggestion for the Windows XP Outlook client?
If I remember (not so sure) you need some specific options in dovecot server. But if you can provide some logs from iredmail/dovecot/postfix, maybe I can help. What is not working (smtp and/or imap/pop), and how do you configure Faultlook (express or Mico?)
It’s working fine with MS Outlook 2007 on Win7 and Win10, only the XP OS MS Outlook has a connecting problem
Thx Matei/ Multumesc Matei
You forgot to say the most important thing, like the fact that this setup will work only in the LAN, not over the Internet. Or maybe you do not say that because from your point of view it is a good idea to have an AD like tecmint.com so this DNS domain could be resolved from the LAN but also from the Internet.
From my point of view this is very bad. Any AD must be resolved only from the LAN. Any Internet host must be resolved by any DNS server connected to the Internet. It is not a good idea to put all your eggs in the same basket ;)
Also, if my memory is ok, in a previous tutorial written by you, you say you need to use some non-existing DNS domain name for AD. Now you have another opinion. From another point of view it is not ok for any not very secure system (mail is not) to read ALL your AD users. But I can say your tutorial is very useful.
Let’s say iredmail is ok if you do not need anything special… but if you want some simple things like… let’s say a new transport entry in postfix, you must dig… and maybe you will find this not so easy.
What is your test case? For 20 users is it ok? Anyone using iredmail must be warned… this is an elephant. Apache, MySQL, postfix, and so on.
Do you need an elephant? Can you ?