[Dovecot] What's the best way to authenticate against Active Directory?

Patrick Ben Koetter p at state-of-mind.de
Wed Sep 19 09:27:08 EEST 2007


* Chris Johnson <Chris.Johnson at sekoworldwide.com>:
> Hi all,
>         I'm working on a replacement for a legacy linux mail server: courier
>         POP/IMAP, Postfix, OpenLDAP. One of the requirements of the new mail
>         server is to authenticate against our AD infrastructure (I'll still
>         keep a userdb in OpenLDAP). SSO is not required since most of the
>         clients don't log into our domain. The current system has about
>         1,000 concurrent users on it during the day (almost all are IMAP
>         users). Inbox size varies but is generally very high 1GB+.
> 
>         I'm considering dovecot as a replacement for courier IMAP on the new

So did we.

>         server mainly for performance reasons. Cyrus was also considered but
>         I'd rather work with maildir format inboxes.

Same reason here.


> I'm in the process of installing a "proof of concept" server with CentOS 5
> and dovecot-1.0-1.2.rc15.el5. The production system will most likely run on
> RHEL

Do yourself a favor and grab a (S)RPM from here
<http://atrpms.net/dist/el5/dovecot/> and build it for your own machine.
Worked out of the box for us.

> Question: What's the best way (most reliable/fastest) to authenticate
> dovecot to AD?  If someone is doing this in a production environment can you
> offer any hints on configuration for performance or what to expect in
> general?

We use OpenLDAP to provide authentication and mail routing in a 25.000 user
mail system. The LDAP server has plenty of RAM and the database is cached into
it. So far - we've been online for a week - no problems have arisen and I doubt
there will be since load stays low. We do use Dovecot in Proxymode though -
still the slave machines don't show any significant load either.

Initial benchmarks had shown we could have 1.000 clients accessing the system
simultaneously without problems.

If I was using AD I'd be getting myself a machine that replicates the AD and
query that to take the load off the DC in case of a dictionary attack or heavy
usage.

Good practice on the Postfix mailing list is not to query the LDAP/AD for
valid recipient domains, but have that read from a static map (which you can
build with a script from AD information on a regular basis).

p at rick

-- 
state of mind
Agency for communication, design and software development

Patrick Koetter            Tel: 089 45227227
Echinger Strasse 3         Fax: 089 45227226
85386 Eching               Web: http://www.state-of-mind.de

Munich Local Court           Partnership Register PR 563
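The "static map built by a script from AD information" suggested above, as an added example that is not code from the original post, from Dovecot or from Postfix. It assumes the AD accounts were exported with ldapsearch into an LDIF file (one proxyAddresses attribute per address, which is how AD stores SMTP aliases) and that the result is fed to postmap(1) to produce a hash: map such as virtual_mailbox_domains. The LDIF sample embedded below is constructed; the attribute name proxyAddresses and the LDIF folding and base64 (`::`) rules are real.

```python
"""Build a static Postfix domain map from an ldapsearch LDIF dump of AD.

Added example (not part of the original post). Assumptions: the export
was done with ldapsearch, and Postfix reads the output as a hash: map.
"""
import base64
import re
import sys

# Constructed sample ldapsearch output: a folded continuation line, a
# base64-encoded value (LDIF writes 'attr:: ...' for such values), an
# upper-cased primary SMTP: address and non-SMTP address types to skip.
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Users,DC=example,DC=com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:alice@mail.example.com
proxyAddresses: X400:c=DE;a= ;p=Example;o=Exchange;s=Alice;

dn: CN=Bob,OU=Users,DC=example,DC=com
proxyAddresses: SMTP:bob@EXAMPLE.COM
proxyAddresses: smtp:bob.old@legacy-exa
 mple.net

dn: CN=Carol,OU=Users,DC=example,DC=com
proxyAddresses:: c210cDpjYXJvbEBleGFtcGxlLm9yZw==

dn: CN=Service,OU=Users,DC=example,DC=com
proxyAddresses: sip:service@example.com
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with a single space
    continues the previous logical line. Returns the logical lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def ldif_attrs(text):
    """Yield (attribute, value) pairs from LDIF text, decoding the
    'attr:: base64' form that ldapsearch uses for non-safe values."""
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        yield attr, value


# proxyAddresses values look like 'SMTP:user@domain' (primary, upper case)
# or 'smtp:user@domain' (alias); other prefixes (X400, sip) are not mail.
SMTP_ADDR = re.compile(r"^smtp:[^@\s]+@([^@\s]+)$", re.IGNORECASE)


def smtp_domains(text):
    """Return the sorted, de-duplicated, lower-cased SMTP domains."""
    domains = set()
    for attr, value in ldif_attrs(text):
        if attr != "proxyAddresses":
            continue
        m = SMTP_ADDR.match(value)
        if m:
            domains.add(m.group(1).lower())
    return sorted(domains)


def render_postfix_map(domains):
    """Render 'key value' lines for postmap(1); Postfix only tests that
    the key exists, so the value 'OK' is conventional."""
    return "".join(f"{d} OK\n" for d in domains)


if __name__ == "__main__":
    # Read an ldapsearch dump from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    sys.stdout.write(render_postfix_map(smtp_domains(text)))
```

In practice the script would run from cron, roughly as `ldapsearch -x -H ldap://DC-HOST -D BIND-DN -W -b BASE-DN '(proxyAddresses=smtp:*)' proxyAddresses | python3 build_domains.py > /etc/postfix/ad_domains` followed by `postmap hash:/etc/postfix/ad_domains` (host, bind DN and base are placeholders; the script name is assumed). Because Postfix then answers recipient-domain lookups from the local hash map, a dictionary attack against the MTA never turns into LDAP load on the domain controller, which is the point the post makes.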

