Sophos Email Appliance

[klinet]

I am currently testing a Sophos Email Appliance, and would like to connect it to Zimbra for account authentication. I have made some guesses, but have been unsuccessful in making the connection. I have 9 fields that need info:

Does anyone have ideas about what attributes are for the following:

Server: FQHN
Port: 389

Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".

DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
Password: ***

Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".

Base DN for users/groups: ??? The top Directory Services node from which searches are performed.

Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".

Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.

Thanks for any help!

Todd

[gnyce]

Why not just grab a copy of ldapadmin (or other such tool) and peruse the Zimbra ldap tree yourself? Some guesses below:

Quote:

Originally Posted by klinet

I am currently testing a Sophos Email Appliance, and would like to connect it to Zimbra for account authentication. I have made some guesses, but have been unsuccessful in making the connection. I have 9 fields that need info:

Does anyone have ideas about what attributes are for the following:

Server: FQHN
Port: 389

Email attribute: ??? The object attribute for email addresses in Directory Services. The default is "mail".

that seems right

DN to authenticate: ??? If required, the distinguished name (DN) used to connect to the Directory Services server to query the DN of the user the system is attempting to authenticate.
Password: ***

so use an existing account, or create one, like "ldapquery"
uid=ldapquery,ou=people,dc=YOURDOMAIN,dc=COM

Email alias attribute: ??? The object attribute for proxy addresses in Directory Services. The default is "proxyAddresses".

?

Base DN for users/groups: ??? The top Directory Services node from which searches are performed.

ou=people,dc=YOURDOMAIN,dc=COM

Account attribute: ??? The Directory Services object attribute that is queried when logging into the End User Web Interface (EUWI). The default is "sAMAccountName".


?

Group name attribute: ??? The Directory Services object attribute that specifies the group name for a group entry.

any object where objectClass = ZimbraDistributionList

Thanks for any help!

Todd

[bdial]

this should get you going

Server: zimbraserver.yourdomain.com
Port: 389
Email Attribute: mail
DN To Authenticate: uid=zimbra,cn=admins,cn=zimbra
Password: the result of the command zmlocalconfig -s | grep zimbra_ldap_password
Email Alias Attribute: zimbraMailAlias
Base DN for users/groups: ou=people,dc=yourdomain,dc=com
Account Attribute: probably use uid

not sure about the group thing

as gnyce suggests, for proudction you may want to create a ldapquery user with less privelages than the zimbra user.

we use puremessage, which i think is the software the e-mail appliance runs. it's pretty nice, and can integrate more with zimbra than just authentication. Heres 2 more ways you can integrate it

1. valid users - you can produce a list of valid addresses from zimbra for sophos, which it will use to produce undeliverable dsn messages at the gateway instead of passing it onto zimbra and making zimbra reject it.

2. address maps - if you're using the self service quarantine, you need to make sure sophos knows that spam it catches for a user's alias should be presented to the user when they login. so it needs to map myalias1@domain.com myalias2@domain.com to my actual acount myaccount@domain.com

You can set this up to do it live via ldap, but sophos support doesn't recommend this. instead, you can run scripts on the sohpos server to import this data via ldap every x minutes to keep it updated. this way even if your zimbra server is down, sophos has everything it needs in it's databases already.

[klinet]

Thanks for the suggestions, they have been very helpful. I am starting with the zimbra user and after all is working I will change to a different account.

When I try to log into the spam quarantine section of the appliance as a users, I see two errors in the Zimbra log...

Mar 30 10:53:30 mail2 slapd[3902]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Mar 30 10:53:30 mail2 slapd[3902]: conn=124636 op=1 do_bind: invalid dn (CN=toddkline,CN=Users,)

I am not sure if this is an issue with the LDAP attributes that i have added to the appliance or an issue on the Zimbra side.

Thanks
Todd

[bdial]

wierd for some reason your appliance is trying to authenticate to zimbra using otp which i think is like those RSA password token generators. not sure where that setting would be but i dont think zimbra supports it which is why you're getting that error.

[catnipper]

I am not yet sure if groups are working as expected, but the following seems to work okay for user authentication and alias mapping...

It may certainely need some more understanding and evaluation in a production environment (not only a 12h test drive), but take it as a start:

DN to authenticate: uid=zimbra,cn=admins,cn=zimbra

Valid recipients: (&(objectClass=zimbraAccount)(zimbraMailStatus=ena bled))
Aliases:(&(objectClass=zimbraAccount)(zimbraMailSt atus=enabled))
Retrieve user: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zi mbraMailStatus=enabled))
User groups: (&(objectClass=zimbraDistributionList)(zimbraMailS tatus=enabled))
Members of a group: (&(uid=%%GROUP_DN%%)(objectClass=zimbraDistributio nList)(zimbraMailStatus=enabled))
SMTP Authentication: (&(uid=%%USERNAME%%)(objectClass=zimbraAccount)(zi mbraMailStatus=enabled))