How to Integrate iRedMail Roundcube with Samba4 AD DC – Part 12

Roundcube, one of the most used webmail user agent in Linux, offers a modern web interface for end users to interact with all mail services in order to read, compose and send e-mails. Roundcube supports a variety of mail protocols, including the secured ones, such IMAPS, POP3S or submission.

In this topic we’ll discuss how to configure Roundcube in iRedMail with IMAPS and submission secured ports to retrieve and send emails for Samba4 AD accounts, how to access iRedMail Roundcube web interface from a browser and add a web address alias, how to enable Samba4 AD integration for Global LDAP Address Book and how to disable some unneeded iRedMail services.

Requirements

  1. How to Install iRedMail on CentOS 7 for Samba4 AD Integration
  2. Configure iRedMail on CentOS 7 for Samba4 AD Integration

Step 1: Declare E-mail Address for Domain Accounts in Samba4 AD DC

1. In order send and receive mail for Samba4 AD DC domain accounts, you need to edit each user account and explicitly set email filed with the proper e-mail address by opening ADUC tool from a Windows machine with RSAT tools installed and joined to Samba4 AD as illustrated in the below image.

Add Email Account to Join Samba4 AD DC
Add Email Account to Join Samba4 AD DC

2. Similarly, to use mail lists, you need to create groups in ADUC, add the corresponding e-mail address for each group and assign the proper user accounts as members of the group.

With this setup created as a mail list, all members mailboxes of a Samba4 AD group will receive mail destined for an AD group e-mail address. Use the below screenshots as a guide to declare e-mail filed for a Samba4 group account and add domain users as members of the group.

Make sure all accounts members added to a group have their e-mail address declared.

Create Group Admin for Samba4 AD DC
Create Group Admin for Samba4 AD DC
Add Users to Group
Add Users to Group

In this example, all mails sent to [email protected] e-mail address declared for ‘Domain Admins’ group will be received by each member mailbox of this group.

3. An alternative method that you can use to declare the e-mail address for a Samba4 AD account is by creating a user or a group with samba-tool command line directly from one of the AD DC console and specify the e-mail address with the --mail-address flag.

Use one of the following command syntax to create a user with e-mail address specified:

# samba-tool user add  [email protected]  --surname=your_surname  --given-name=your_given_name  your_ad_user

Create a group with e-mail address specified:

# samba-tool group add  [email protected]  your_ad_group

To add members to a group:

# samba-tool group addmembers your_group user1,user2,userX

To list all available samba-tool command fields for a user or a group use the following syntax:

# samba-tool user add -h
# samba-tool group add -h

Step 3: Secure Roundcube Webmail

4. Before modifying Roundcube configuration file, first, use netstat command piped through egrep filter to list the sockets that Dovecot and Postfix listen to and assure that the properly secured ports (993 for IMAPS and 587 for submission) are active and enabled.

# netstat -tulpn| egrep 'dovecot|master'

5. To enforce mail reception and transfer between Roundcube and iRedMail services on secured IMAP and SMTP ports, open Roundcube configuration file located in /var/www/roundcubemail/config/config.inc.php and make sure you change the following lines, for localhost in this case, as shown in the below excerpt:

// For IMAPS
$config['default_host'] = 'ssl://127.0.0.1';
$config['default_port'] = 993;
$config['imap_auth_type'] = 'LOGIN';

// For SMTP
$config['smtp_server'] = 'tls://127.0.0.1';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
$config['smtp_auth_type'] = 'LOGIN';

This setup is highly recommended in case Roudcube is installed on a remote host than the one that provides mail services (IMAP, POP3 or SMTP daemons).

6. Next, don’t close the configuration file, search and make the following small changes in order for Roundcube to be visited only via HTTPS protocol, to hide the version number and to automatically append the domain name for accounts who login in the web interface.

$config['force_https'] = true;
$config['useragent'] = 'Your Webmail'; // Hide version number
$config['username_domain'] = 'domain.tld'

7. Also, disable the following plugins: managesieve and password by adding a comment (//) in front of the line that starts with $config[‘plugins’].

Users will change their password from a Windows or Linux machine joined to Samba4 AD DC once they login and authenticate to the domain. A sysadmin will globally manage all sieve rules for domain accounts.

// $config['plugins'] = array('managesieve', 'password');

8. Finally, save and close the configuration file and visit Roundcube Webmail by opening a browser and navigate to iRedMail IP address or FQDN/mail location via HTTPS protocol.

The first time when you visit Roundcube an alert should appear on the browser due to the Self-Signed Certificate the web server uses. Accept the certificate and login with a Samba AD account credentials.

https://iredmail-FQDN/mail
Roundcube Webmail Login
Roundcube Webmail Login

Step 3: Enable Samba AD Contacts in Roundcube

9. To configure Samba AD Global LDAP Address Book to appear Roundcube Contacts, open Roundcube configuration file again for editing and make the following changes:

Navigate to the bottom of the file and identify the section that begins with ‘# Global LDAP Address Book with AD’, delete all its content until the end of the file and replace it with the following code block:

# Global LDAP Address Book with AD.
#
$config['ldap_public']["global_ldap_abook"] = array(
    'name'          => 'tecmint.lan',
    'hosts'         => array("tecmint.lan"),
    'port'          => 389,
    'use_tls'       => false,
    'ldap_version'  => '3',
    'network_timeout' => 10,
    'user_specific' => false,

    'base_dn'       => "dc=tecmint,dc=lan",
    'bind_dn'       => "[email protected]",
    'bind_pass'     => "your_password",
    'writable'      => false,

    'search_fields' => array('mail', 'cn', 'sAMAccountName', 'displayname', 'sn', 'givenName'),
	
    'fieldmap' => array(
        'name'        => 'cn',
        'surname'     => 'sn',
        'firstname'   => 'givenName',
        'title'       => 'title',
        'email'       => 'mail:*',
        'phone:work'  => 'telephoneNumber',
        'phone:mobile' => 'mobile',

        'department'  => 'departmentNumber',
        'notes'       => 'description',

    ),
    'sort'          => 'cn',
    'scope'         => 'sub',
    'filter' => '(&(mail=*)(|(&(objectClass=user)(!(objectClass=computer)))(objectClass=group)))',
    'fuzzy_search'  => true,
    'vlv'           => false,
    'sizelimit'     => '0',
    'timelimit'     => '0',
    'referrals'     => false,
);

On this block of code replace name, hosts, base_dn, bind_dn and bind_pass values accordingly.

10. After you’ve made all the required changes, save and close the file, login to Roundcube webmail interface and go to Address Book menu.

Hit on your Global Address Book chosen name and a contact list of all domain accounts (users and groups) with their specified e-mail address should be visible.

Roundcube User Contact List
Roundcube User Contact List

Step 4: Add an Alias for Roundcube Webmail Interface

11. To visit Roundcube at a web address with the following form https://webmail.domain.tld instead of the old address provided by default by iRedMail you need to make the following changes.

From a joined Windows machine with RSAT tools installed, open DNS Manager and add a new CNAME record for iRedMail FQDN, named webmail, as illustrated in the following image.

DNS Webmail Properties
DNS Webmail Properties

12. Next, on iRedMail machine, open Apache web server SSL configuration file located in /etc/httpd/conf.d/ssl.conf and change DocumentRoot directive to point to /var/www/roundcubemail/ system path.

file /etc/httpd/conf.d/ssl.conf excerpt:

DocumentRoot “/var/www/roundcubemail/”

Restart Apache daemon to apply changes.

# systemctl restart httpd

13. Now, point the browser to the following address and Roundcube interface should appear. Accept the Self-Signed Cerificate error to continue to login page. Replace domain.tld from this example with your own domain name.

https://webmail.domain.tld

Step 5: Disable iRedMail Unused Services

14. Since iRedMail daemons are configured to query Samba4 AD DC LDAP server for account information and other resources, you can safely stop and disable some local services on iRedMail machine, such as LDAP database server and iredpad service by issuing the following commands.

# systemctl stop slapd iredpad
# systemctl disable slapd iredpad

15. Also, disable some scheduled tasks performed by iRedMail, such as LDAP database backup and iRedPad tracking records by adding a comment (#) in front of each line from crontab file as illustrated on the below screenshot.

# crontab -e
Disable iRedMail Tasks
Disable iRedMail Tasks

Step 6: Use Mail Alias in Postfix

16. To redirect all locally generated mail (destined for postmaster and subsequently redirected to root account) to a specific Samba4 AD account, open Postfix aliases configuration file located in /etc/postfix/aliases and modify root line as follows:

root: 	[email protected]

17. Apply the aliases configuration file so that Postfix can read it in its own format by executing newaliases command and test if the mail gets sent to the proper domain e-email account by issuing the following command.

# echo “Test mail” | mail -s “This is root’s email” root

18. After the mail has been sent, login to Roundcube webmail with the domain account you’ve setup for mail redirection and verify the previously sent mail should be received in your account Inbox.

Verify User Mail
Verify User Mail

That’all! Now, you have a fully working mail server integrated with Samba4 Active Directory. Domain accounts can send and receive mail for their internal domain or for other external domains.

The configurations used in this tutorial can be successfully applied to integrate an iRedMail server to a Windows Server 2012 R2 or 2016 Active Directory.

Hey TecMint readers,

Exciting news! Every month, our top blog commenters will have the chance to win fantastic rewards, like free Linux eBooks such as RHCE, RHCSA, LFCS, Learn Linux, and Awk, each worth $20!

Learn more about the contest and stand a chance to win by sharing your thoughts below!

Matei Cezar
I'am a computer addicted guy, a fan of open source and linux based system software, have about 4 years experience with Linux distributions desktop, servers and bash scripting.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

2 Comments

Leave a Reply
  1. Excellent article!

    If possible write an article about how to integrate (authenticate) Very Secure FTP Daemon (vsftpd) with Samba4 AD DC users.

    Reply

Got Something to Say? Join the Discussion...

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.