3.4.4. Integrating Active Directory into a cluster environment

AXIGEN treats Active Directory like any other LDAP directory. The standard LDAP connector settings used for a generic directory nevertheless need a few changes, because Active Directory has predefined attribute names and the authentication process only succeeds if those exact names are used.

The account name that has to be matched against the AXIGEN internal user database is the "sAMAccountName" attribute. It holds exactly the user name presented at login. This is the attribute the LDAP search filter, defined further below, uses to isolate one particular user in the Active Directory structure.

By default, Active Directory does not answer anonymous queries, so every lookup must be performed by an existing AD user. The returned information is forwarded to the proxy service, which then performs the authentication. The lookup account may be a regular user (regular users can read the directory by default) or the domain administrator, as in the example below. In LDAP terms, the Bind DN is the distinguished name of that lookup account and must be configured in the LDAP connector settings. A dedicated, unprivileged service account used only for these lookups is the better choice: its password is stored in the connector configuration, and a regular account is sufficient to read "sAMAccountName" and a routing attribute.

The search base is the top-most organizational element containing all the entries being queried, and it has to be known beforehand: it is the part of the LDAP path common to all users who are to be authenticated. Since AXIGEN can perform recursive (subtree) lookups, this top unit may contain any number of smaller organizational units that hold the actual accounts.

The host name and port are defined in the same way as for any other LDAP server; Active Directory listens on the same default port, 389. Note that a simple bind on port 389 without TLS sends the lookup account's password in clear text, so the connection should use TLS (LDAPS on port 636, or StartTLS on 389) wherever the proxy and the domain controller are not on a trusted network. The Bind DN field should contain a user account value similar to the one below:

CN=administrator,CN=Users,DC=example,DC=tld

The default location of the "administrator" account in Active Directory is the "Users" container, directly under the root of the defined domain ("example.tld" in the example above). The password of this account is entered as the bind password.

NOTE: These settings are used only while performing the actual lookup in the directory. They do not refer to the authentication settings of this particular account.

To use a search base that identifies all accounts in the same container as the "administrator" account, set a value of the following form:

CN=Users,DC=example,DC=tld

The search pattern must identify individual user entries in the directory. For this reason the attribute mentioned above is used to isolate particular accounts:

(sAMAccountName=%u)

For every directory entry being searched for, this attribute must have exactly the same value as the user name. The variable "%u" is expanded to the user name presented at login. Because the user name is substituted into a search filter, the component performing the expansion must escape the LDAP filter metacharacters "*", "(", ")" and "\" in it; otherwise a login name such as "*" matches every entry under the search base instead of one account.

The server should be configured to use only the first value found in the lookup. This prevents errors when more than one entry matches, but it also means that a duplicate would silently be resolved to whichever entry is returned first.

NOTE: This option can cause problems and may block users from logging in. To avoid them, every user must be unique within the search base. Within a single domain Active Directory already enforces a unique "sAMAccountName", so duplicates can only arise when the search base spans more than one domain or when the filter is broadened.

NOTE: The password field and the AXIGEN host (used for routing) should be left blank if only Active Directory authentication is required.

Even though users are authenticated against Active Directory, their accounts still have to exist on the back-end servers. If a user account does not exist, the authentication succeeds but the Inbox cannot be selected. The only thing an Active Directory account without a mailbox can do is send e-mail through the SMTP service with authenticated credentials.

WARNING: This allows any Active Directory user to send authenticated messages, and therefore to relay mail, even if no e-mail account has been created for them. If that is not intended, restrict who can authenticate, for example by choosing a search base that contains only mail users or by narrowing the search filter with an additional condition (an AND filter on a group membership attribute is the usual LDAP approach).

If routing is used within the cluster environment (more than one node is present in the background), a specific attribute must be defined for all user accounts in Active Directory. Any otherwise unused attribute can serve this purpose, but it is recommended to use one of the extra attributes intended for extension.

NOTE: The default Active Directory schema contains more than ten attributes that no common network service uses. They were left free precisely so that the directory can be extended and used together with other applications.

The attribute value must contain the IP address of the back-end server holding the account, and the attribute name has to be configured in the LDAP connector settings. It is essential that all accounts use the same attribute, since all of them are looked up in the directory through the same connector.

WARNING: The IP address of the back-end node must be set in the same attribute for all users, or the cluster becomes inaccessible to those whose AXIGEN mail host is stored in a different attribute. Even though such a session is authenticated correctly, the Inbox of these accounts is not found, because no destination back-end is selected.

The routing process can also be driven by a local file instead of the LDAP connector. This removes the need to edit values in Active Directory by hand and is relatively hassle-free. However, processing routing information from local files increases the overhead on the proxy servers. Moreover, when there is more than one proxy, the same version of the file must be present on all nodes to keep the cluster consistent and stable, and this synchronization has to be done manually after each change.

UPDATE: This may change in the future; the local files could be redistributed automatically.
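The following Python program is an added example, not AXIGEN code, that simulates what the LDAP connector described above has to do: expand "%u" into the "(sAMAccountName=%u)" filter with proper RFC 4515 escaping, run the search under a search base with subtree scope, keep only the first match, and read the back-end IP address from the routing attribute. The directory contents are constructed in the script, the routing attribute name "extensionAttribute1" and the back-end addresses are assumptions (the page only says to pick an unused attribute), and the tiny filter evaluator understands only a single equality filter with "*" wildcards. The unescaped variant of the expansion is included deliberately, to show that a login name of "*" then matches every account under the search base.

```python
import re

# Constructed stand-in for the example.tld directory (not real data).
# "extensionAttribute1" as the routing attribute is an assumption.
DIRECTORY = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=tld",
     "sAMAccountName": "alice", "extensionAttribute1": "10.0.0.11"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=tld",
     "sAMAccountName": "bob"},                      # no routing attribute set
    {"dn": "CN=carol,OU=Sales,DC=example,DC=tld",
     "sAMAccountName": "carol", "extensionAttribute1": "10.0.0.12"},
]

FILTER_TEMPLATE = "(sAMAccountName=%u)"


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(template, username):
    """Safe %u expansion: the user name cannot alter the filter structure."""
    return template.replace("%u", escape_filter_value(username))


def build_filter_unescaped(template, username):
    """Naive %u expansion, shown only to demonstrate the injection risk."""
    return template.replace("%u", username)


def _pattern_to_regex(pattern):
    # Unescaped '*' is a wildcard; '\xx' sequences are literal characters.
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return "^" + "".join(parts) + "$"


def search(base_dn, ldap_filter, subtree=True):
    """Evaluate a single '(attr=value)' filter under base_dn (subtree scope)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are supported here")
    attr, pattern = m.group(1), m.group(2)
    rx = re.compile(_pattern_to_regex(pattern), re.IGNORECASE)  # AD matching is case-insensitive
    hits = []
    for entry in DIRECTORY:
        parent = entry["dn"].split(",", 1)[1]   # naive RDN split, fine for constructed DNs
        in_scope = (parent.lower().endswith(base_dn.lower()) if subtree
                    else parent.lower() == base_dn.lower())
        value = entry.get(attr)
        if in_scope and value is not None and rx.match(value):
            hits.append(entry)
    return hits


def lookup_user(username, base_dn, route_attr="extensionAttribute1"):
    """Mimic the connector: first match wins, routing value comes from route_attr.

    'backend' is None when the account has no routing attribute, which is the
    'authenticated but Inbox not found' situation the warning describes.
    """
    entries = search(base_dn, build_filter(FILTER_TEMPLATE, username))
    if not entries:
        return {"authenticated": False, "matches": 0, "backend": None}
    first = entries[0]                            # "use only the first value found"
    return {"authenticated": True, "matches": len(entries),
            "backend": first.get(route_attr)}


if __name__ == "__main__":
    base = "CN=Users,DC=example,DC=tld"
    print(lookup_user("alice", base))
    print(lookup_user("bob", base))                # authenticated, no back-end
    print(len(search(base, build_filter_unescaped(FILTER_TEMPLATE, "*"))))
    print(len(search(base, build_filter(FILTER_TEMPLATE, "*"))))
```

With the search base "CN=Users,DC=example,DC=tld" the account carol, which lives under "OU=Sales", is not found at all; widening the base to "DC=example,DC=tld" finds her because the scope is a subtree. The account bob authenticates but yields no back-end, which is exactly the case the warning above is about.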