Integrating Postfix with LDAP/Active Directory for Centralized Authentication on Ubuntu 22.04

Introduction

In production environments, companies do not create mail users manually inside Postfix.
Instead, they use centralized authentication like LDAP or Active Directory.
This allows one username and password to be used across multiple services (mail, login, applications).
In this guide, we integrate a Postfix mail server on Ubuntu 22.04 with LDAP/AD for centralized user authentication.

Why Use LDAP/AD with Postfix?

  • Single Sign-On: Users use the same password for mail and system login.
  • Central Management: Admins manage accounts from one place.
  • Scalability: Easy to manage thousands of users across multiple mail servers.
  • Security: Disable one account in LDAP/AD and it stops everywhere (mail, web, login).

Step 1: Install LDAP Support Packages

On the Postfix server, install the Postfix LDAP map module (postfix-ldap, which provides the ldap: table type used below) together with the LDAP client packages:

sudo apt update
sudo apt install -y postfix-ldap libsasl2-modules-ldap ldap-utils

Step 2: Verify LDAP/AD Server

Check that the LDAP server for bitscentric.local is reachable and answers a search:

ldapsearch -x -H ldap://ldap.bitscentric.local -b "dc=bitscentric,dc=local"

If using Active Directory, bind with an account (AD normally rejects anonymous searches) and prompt for its password:

ldapsearch -x -H ldap://ad.bitscentric.local -b "dc=bitscentric,dc=local" -D "cn=Administrator,cn=Users,dc=bitscentric,dc=local" -W

Step 3: Configure Postfix to Use LDAP

Edit Postfix main configuration:

sudo nano /etc/postfix/main.cf

Add or update these parameters:

# Enable LDAP lookups
virtual_mailbox_domains = ldap:/etc/postfix/ldap-domains.cf
virtual_mailbox_maps    = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps      = ldap:/etc/postfix/ldap-aliases.cf

Step 4: Create LDAP Lookup Files

Create /etc/postfix/ldap-domains.cf:

server_host = ldap://ldap.bitscentric.local
search_base = dc=bitscentric,dc=local
query_filter = (|(mail=*@%s)(mailAlternateAddress=*@%s))
result_attribute = mail
bind = yes
bind_dn = cn=admin,dc=bitscentric,dc=local
bind_pw = YourPassword

Create /etc/postfix/ldap-users.cf:

server_host = ldap://ldap.bitscentric.local
search_base = dc=bitscentric,dc=local
query_filter = (mail=%s)
result_attribute = uid
bind = yes
bind_dn = cn=admin,dc=bitscentric,dc=local
bind_pw = YourPassword

Create /etc/postfix/ldap-aliases.cf:

server_host = ldap://ldap.bitscentric.local
search_base = dc=bitscentric,dc=local
query_filter = (mailAlias=%s)
result_attribute = mail
bind = yes
bind_dn = cn=admin,dc=bitscentric,dc=local
bind_pw = YourPassword

Step 5: Secure Permissions

Only root should be able to read these files, because they contain the LDAP bind password:

sudo chmod 600 /etc/postfix/ldap-*.cf

Step 6: Restart Postfix

Restart Postfix to load LDAP configuration:

sudo systemctl restart postfix

Step 7: Test LDAP Authentication

Send a test query to check if Postfix can fetch users from LDAP:

postmap -q "user1@bitscentric.local" ldap:/etc/postfix/ldap-users.cf

If it returns a valid UID, the integration works.
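When the postmap lookup returns nothing, it helps to see exactly what Postfix asks the directory. The script below is an added example (a hypothetical helper, not part of Postfix or of this guide): it reads a lookup file such as ldap-users.cf, applies the RFC 4515 quoting that Postfix applies to %s before substituting the address (so an address containing filter metacharacters cannot change the shape of the query), and prints, or with --run executes, the equivalent ldapsearch command. The bind password is read from a temporary file rather than placed on the command line. The script and function names are assumptions, and only the %s placeholder is handled.

```shell
#!/bin/sh
# ldap_map_query.sh: reproduce a Postfix ldap_table lookup with ldapsearch so that a failing
# "postmap -q" can be debugged outside Postfix. Hypothetical helper, not part of Postfix.
# Usage: sh ldap_map_query.sh /etc/postfix/ldap-users.cf user1@bitscentric.local [--run]
# Without --run it only prints the ldapsearch command it would execute.

cf_get() {  # cf_get FILE KEY -> value of "KEY = value", empty if the key is absent
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Quote a value for use inside an LDAP search filter (RFC 4515), as Postfix does before
# substituting %s: backslash, asterisk and parentheses become \XX hex escapes.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Expand every %s in query_filter with the escaped address (Postfix's %u/%d forms are not handled).
build_filter() {  # build_filter TEMPLATE ADDRESS
  esc=$(ldap_filter_escape "$2")
  tmpl=$1; ph='%s'; out=''
  while [ -n "$tmpl" ]; do
    case "$tmpl" in
      *"$ph"*) out="$out${tmpl%%"$ph"*}$esc"; tmpl=${tmpl#*"$ph"} ;;
      *)       out="$out$tmpl"; tmpl='' ;;
    esac
  done
  printf '%s\n' "$out"
}

ldap_map_query() {  # ldap_map_query CFFILE ADDRESS [--run]
  cf=$1; addr=$2; run=$3
  host=$(cf_get "$cf" server_host)
  base=$(cf_get "$cf" search_base)
  attr=$(cf_get "$cf" result_attribute)
  bind_dn=$(cf_get "$cf" bind_dn)
  filter=$(build_filter "$(cf_get "$cf" query_filter)" "$addr")
  # The bind password never goes on the command line (it would show in ps and shell history):
  # ldapsearch -y reads it from a file, created mode 600 by mktemp only for the --run case.
  printf 'ldapsearch -x -LLL -H %s -b "%s" -D "%s" -y <bind_pw file> "%s" %s\n' \
    "$host" "$base" "$bind_dn" "$filter" "$attr"
  if [ "$run" = "--run" ]; then
    pwfile=$(mktemp)
    printf '%s' "$(cf_get "$cf" bind_pw)" > "$pwfile"   # no trailing newline: -y uses the whole file
    ldapsearch -x -LLL -H "$host" -b "$base" -D "$bind_dn" -y "$pwfile" "$filter" $attr
    rm -f "$pwfile"
  fi
}

# Stand-alone use
if [ "$#" -ge 2 ]; then ldap_map_query "$1" "$2" "$3"; fi
```

Run it against ldap-users.cf with the same address you gave postmap; if ldapsearch returns the entry but Postfix does not, the problem is in Postfix (package, main.cf, permissions), and if ldapsearch also returns nothing, the filter, base or bind account is wrong.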

Step 8: Integrating with Dovecot (Optional)

If you are using Dovecot for IMAP/POP3, configure it to use LDAP as well:

sudo nano /etc/dovecot/conf.d/10-auth.conf

Uncomment this include (it is commented out by default):

!include auth-ldap.conf.ext

Edit /etc/dovecot/dovecot-ldap.conf.ext:

hosts = ldap.bitscentric.local
dn = cn=admin,dc=bitscentric,dc=local
dnpass = YourPassword
base = dc=bitscentric,dc=local
user_attrs = uid=home=/var/mail/%$,=uid=5000,=gid=5000
user_filter = (&(objectClass=person)(mail=%u))
pass_filter = (&(objectClass=person)(mail=%u))

Best Practices for Production

  • Use LDAPS (ldaps:// on port 636) instead of plain ldap://, so the bind password and lookups are not sent in cleartext.
  • Do not put a privileged account's password in the Postfix configs: bind with a dedicated, read-only service account rather than the directory administrator (cn=admin in the examples above).
  • Limit Postfix to query only required attributes (mail, uid, alias).
  • Use access control lists in LDAP/AD to restrict which apps can query users.
  • Monitor Postfix logs (/var/log/mail.log) for authentication issues.
  • Enable fail2ban to block brute force login attempts.
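To check Step 5 and the first two practices above against the lookup files actually on disk, here is an added example script (hypothetical, not part of Postfix or of this guide). For each ldap-*.cf it flags a mode other than 600, a server_host using plain ldap:// without start_tls = yes (a real ldap_table parameter), and a bind_dn that matches common directory-administrator names; the function returns the number of findings. The administrator-DN patterns are a heuristic of mine, and GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# audit_ldap_maps.sh: check Postfix ldap_table files for the mistakes this guide warns about.
# Hypothetical helper (not part of Postfix). For each file it reports:
#   - a mode other than 600: the file carries bind_pw, so only root should read it
#   - server_host using plain ldap:// without start_tls = yes (bind password and lookups in cleartext)
#   - a bind_dn that looks like the directory administrator rather than a restricted read-only account
# The function returns the number of findings, so 0 means the file passed every check.

cf_get() {  # cf_get FILE KEY -> value of "KEY = value", empty if the key is absent
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

audit_ldap_map() {  # audit_ldap_map FILE
  f=$1
  findings=0
  mode=$(stat -c '%a' "$f")            # GNU stat as on Ubuntu, e.g. 600
  printf '%s: owner %s, mode %s (expected root:root 600)\n' "$f" "$(stat -c '%U:%G' "$f")" "$mode"

  case "$mode" in
    *00) ;;                             # group and other bits are zero: root only
    *) echo "  FINDING: mode $mode lets non-root users read or change the file (bind_pw is inside)"
       findings=$((findings + 1)) ;;
  esac

  host=$(cf_get "$f" server_host)
  tls=$(cf_get "$f" start_tls)
  case "$host" in
    ldaps://*) ;;                       # TLS from the first byte (port 636)
    *) if [ "$tls" != yes ]; then      # ldap://, or a bare hostname which Postfix treats as ldap://
         echo "  FINDING: server_host '$host' is plain LDAP and start_tls is not 'yes'"
         findings=$((findings + 1))
       fi ;;
  esac

  bind_dn=$(cf_get "$f" bind_dn)
  case "$bind_dn" in                  # heuristic match on common administrator DNs
    cn=admin,*|cn=Administrator,*|*[Aa]dministrator*)
      echo "  FINDING: bind_dn '$bind_dn' is a directory administrator; use a read-only service account"
      findings=$((findings + 1)) ;;
  esac
  return "$findings"
}

# Stand-alone use: sh audit_ldap_maps.sh /etc/postfix/ldap-*.cf
total=0
for f in "$@"; do
  audit_ldap_map "$f" || total=$((total + $?))
done
if [ "$#" -gt 0 ]; then echo "total findings: $total"; fi
```

Running it on the three files from Step 4 as written produces two findings each (plain ldap:// and the cn=admin bind account); fixing those and keeping the mode at 600 brings the count to zero.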

Concept Summary

By integrating Postfix with LDAP/Active Directory, we achieve centralized authentication.
This allows all users stored in LDAP/AD to send and receive emails without creating local Linux accounts.
This setup is widely used in production for large companies where thousands of users need email access.

Conclusion

We have successfully integrated Postfix with LDAP/Active Directory on Ubuntu 22.04.
Now your Postfix server can authenticate users from the bitscentric.local domain.
This setup is production-ready and teaches students how enterprise mail systems work in real life.
