Thread: Sophos Email Appliance

  1. #1

    I am currently testing a Sophos Email Appliance, and would like to connect it to Zimbra for account authentication. I have made some guesses, but have been unsuccessful in making the connection. I have 9 fields that need info:

    Does anyone have ideas about what attributes are for the following:

    Server: FQHN
    Port: 389

    Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".

    DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
    Password: ***

    Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".

    Base DN for users/groups: ??? The top Directory Services node from which searches are performed.

    Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".

    Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.

    Thanks for any help!

    Todd

  2. #2

    Why not just grab a copy of ldapadmin (or other such tool) and peruse the Zimbra ldap tree yourself? Some guesses below:

    Quote Originally Posted by klinet
    I am currently testing a Sophos Email Appliance, and would like to connect it to Zimbra for account authentication. I have made some guesses, but have been unsuccessful in making the connection. I have 9 fields that need info:

    Does anyone have ideas about what attributes are for the following:

    Server: FQHN
    Port: 389

    Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".

    that seems right

    DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
    Password: ***

    so use an existing account, or create one, like "ldapquery"
    uid=ldapquery,ou=people,dc=YOURDOMAIN,dc=COM


    Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".

    ?

    Base DN for users/groups: ??? The top Directory Services node from which searches are performed.

    ou=people,dc=YOURDOMAIN,dc=COM

    Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".


    ?

    Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.

    any object where objectClass = ZimbraDistributionList

    Thanks for any help!

    Todd

  3. #3

    this should get you going

    Server: zimbraserver.yourdomain.com
    Port: 389
    Email Attribute: mail
    DN To Authenticate: uid=zimbra,cn=admins,cn=zimbra
    Password: the result of the command zmlocalconfig -s | grep zimbra_ldap_password
    Email Alias Attribute: zimbraMailAlias
    Base DN for users/groups: ou=people,dc=yourdomain,dc=com
    Account Attribute: probably use uid

    not sure about the group thing

    as gnyce suggests, for production you may want to create an ldapquery user with fewer privileges than the zimbra user.

    we use puremessage, which I think is the software the e-mail appliance runs. it's pretty nice, and can integrate more with zimbra than just authentication. Here are 2 more ways you can integrate it

    1. valid users - you can produce a list of valid addresses from zimbra for sophos, which it will use to produce undeliverable dsn messages at the gateway instead of passing it onto zimbra and making zimbra reject it.

    2. address maps - if you're using the self service quarantine, you need to make sure sophos knows that spam it catches for a user's alias should be presented to the user when they login. so it needs to map myalias1@domain.com myalias2@domain.com to my actual account myaccount@domain.com

    You can set this up to do it live via ldap, but sophos support doesn't recommend this. instead, you can run scripts on the Sophos server to import this data via ldap every x minutes to keep it updated. this way even if your zimbra server is down, sophos has everything it needs in its databases already.
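Added example, not code from anyone in this thread or from Sophos/Zimbra: the two import jobs described in post #3 (a valid-recipient list and an alias-to-account map) boil down to reading the enabled zimbraAccount entries and collecting their mail and zimbraMailAlias values. The script below does that over a constructed LDIF dump (the kind of thing an ldapsearch export produces; all DNs, names and domains are invented), using only the standard library so it runs offline. Filtering on objectClass and zimbraMailStatus=enabled mirrors the filter later quoted in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample LDIF. The attribute names (mail, zimbraMailAlias,
# zimbraMailStatus, objectClass) are the ones discussed in this thread;
# the entries themselves are invented for the example.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: zimbraAccount
uid: jdoe
mail: jdoe@example.com
zimbraMailAlias: john.doe@example.com
zimbraMailAlias: jd@example.com
zimbraMailStatus: enabled

dn: uid=closed,ou=people,dc=example,dc=com
objectClass: zimbraAccount
uid: closed
mail: closed@example.com
zimbraMailAlias: old@example.com
zimbraMailStatus: closed

dn: uid=allstaff,ou=people,dc=example,dc=com
objectClass: zimbraDistributionList
uid: allstaff
mail: allstaff@example.com
zimbraMailStatus: enabled
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line-separated entries, multi-valued
    attributes and folded continuation lines (a leading space continues
    the previous line). Base64 (::) and URL (:<) values are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    unfolded = re.sub(r"\n ", "", text)  # join folded lines
    for raw in unfolded.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def build_recipient_data(entries: List[Entry]) -> Tuple[set, Dict[str, str]]:
    """Return (valid_recipients, alias_map) from enabled zimbraAccount entries,
    the same selection as (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled)).
    Addresses are lower-cased because gateway address matching is normally
    case-insensitive."""
    valid = set()
    alias_map: Dict[str, str] = {}
    for e in entries:
        if "zimbraAccount" not in e.get("objectClass", []):
            continue
        if e.get("zimbraMailStatus", [""])[0].lower() != "enabled":
            continue
        primary = e["mail"][0].lower()
        valid.add(primary)
        for alias in e.get("zimbraMailAlias", []):
            alias = alias.lower()
            valid.add(alias)
            alias_map[alias] = primary  # quarantine for the alias goes to the account
    return valid, alias_map


if __name__ == "__main__":
    recipients, aliases = build_recipient_data(parse_ldif(SAMPLE_LDIF))
    print(sorted(recipients))
    print(aliases)
```

Note that the account filter deliberately leaves out distribution lists (the allstaff entry above), so a gateway fed only this list would bounce mail to lists; the "User groups" filter quoted later in the thread would be a second pass for those. Disabled or closed accounts drop out of both outputs, which is the point of importing on a schedule: the gateway rejects mail for a closed mailbox without ever handing it to Zimbra.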

  4. #4

    Thanks for the suggestions, they have been very helpful. I am starting with the zimbra user and after all is working I will change to a different account.

    When I try to log into the spam quarantine section of the appliance as a user, I see two errors in the Zimbra log...

    Mar 30 10:53:30 mail2 slapd[3902]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
    Mar 30 10:53:30 mail2 slapd[3902]: conn=124636 op=1 do_bind: invalid dn (CN=toddkline,CN=Users,)

    I am not sure if this is an issue with the LDAP attributes that i have added to the appliance or an issue on the Zimbra side.

    Thanks
    Todd

  5. #5

    weird, for some reason your appliance is trying to authenticate to zimbra using otp which I think is like those RSA password token generators. not sure where that setting would be but I don't think zimbra supports it which is why you're getting that error.

  6. #6

    I am not yet sure if groups are working as expected, but the following seems to work okay for user authentication and alias mapping...

    It may certainly need some more understanding and evaluation in a production environment (not only a 12h test drive), but take it as a start:

    DN to authenticate: uid=zimbra,cn=admins,cn=zimbra

    Valid recipients: (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))
    Aliases: (&(objectClass=zimbraAccount)(zimbraMailStatus=enabled))
    Retrieve user: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))
    User groups: (&(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))
    Members of a group: (&(uid=%%GROUP_DN%%)(objectClass=zimbraDistributionList)(zimbraMailStatus=enabled))
    SMTP Authentication: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))
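Added example, not from any poster here and not the appliance's own code: the filters above take the login name through a %%USERNAME%% placeholder, and the do_bind error in post #4 shows a DN ending in a bare comma (CN=toddkline,CN=Users,). The snippet below shows the two checks worth having in front of any LDAP lookup of this shape: RFC 4515 escaping of the substituted value so characters like `*`, `(` and `)` in a typed username stay literal instead of altering the filter, a balance check on the rendered filter, and a bind-DN builder that refuses an empty base DN, which is one way a DN with a trailing comma comes about (my reading of that log line, not something the thread states). Placeholder syntax follows the thread; the function names are my own.

```python
import re

# RFC 4515 escapes for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a single attribute value for use in a filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, **values: str) -> str:
    """Replace %%NAME%% placeholders (the appliance syntax quoted in this
    thread) with escaped values, then verify the parentheses balance so a
    bad template is caught before it reaches the directory."""
    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for placeholder {name}")
        return escape_filter_value(values[name])

    rendered = re.sub(r"%%([A-Z_]+)%%", repl, template)
    depth = 0
    for ch in rendered:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if depth < 0:
            raise ValueError("unbalanced filter: " + rendered)
    if depth != 0:
        raise ValueError("unbalanced filter: " + rendered)
    return rendered


def build_bind_dn(user_rdn: str, base_dn: str) -> str:
    """Join a user RDN to the configured base DN. With an empty base DN the
    result would end in a trailing comma (e.g. 'CN=toddkline,CN=Users,'),
    which slapd rejects as an invalid DN; refuse that case up front.
    (Assumption for this example: the appliance composes the DN this way.)"""
    if not base_dn.strip():
        raise ValueError("base DN is empty; refusing to build %r" % (user_rdn + ","))
    return f"{user_rdn},{base_dn}"


if __name__ == "__main__":
    tmpl = "(&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zimbraMailStatus=enabled))"
    print(render_filter(tmpl, USERNAME="toddkline"))
    print(render_filter(tmpl, USERNAME="tk*)(uid=*"))  # special characters stay literal
    print(build_bind_dn("uid=jdoe", "ou=people,dc=example,dc=com"))
```

The second print shows the value of escaping: a username containing filter metacharacters renders as `uid=tk\2a\29\28uid=\2a`, a literal string match that can never widen the search, and the filter stays balanced. The same escaping applies to the %%GROUP_DN%% placeholder in the group lookups.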
