Inbound SMTP routing with postfix

Hi,

Recently, I needed to route incoming emails to different SMTP servers for a customer. Specifically, I had to route various incoming emails to different SMTP servers, each managing their own domains, all behind one public IP address.

For example, I needed to route emails addressed to @mybeautifulcompany.com to server A and emails addressed to @othercompany.com to server B.

How can this be achieved with Postfix?

1/Install postfix, I won't go into details here 2/Create or import certificate for your postfix server 3/Edit the postfix main conf

nano /etc/postfix/main.cf

4/ the file looks like this :

smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/private/postfix.key
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_received_header = yes
smtpd_tls_auth_only = yes
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    permit_auth_destination
    reject_unauth_destination

mynetworks = 127.0.0.0/8

relay_domains = yourdomaina.com, yourotherdomain.com, etc...

5/Create a transport conf file :

nano /etc/postfix/transport

In this file specify your different smtp servers for your different domain where postfix will relay your emails like this :

   domainA.com   smtp:[10.0.0.1]
   domainB.com   smtp:[10.0.0.2]

6/ update the postfix transport database :

postmap /etc/postfix/transport

Works like a charm!

To add resilience, I created a Postfix cluster using Keepalived to handle failures.

Incoming traffic on port 80 is NATed to a virtual IP shared by two different Postfix instances. If the master fails, the backup takes over seamlessly.

Tutorial Setup Keycloak User federation with OpenLDAP (docker & portainer)

Hi

In this tutorial I show you how to run openldap docker container together with keycloak to do user federation

First the openldap stack I used with portainer :

version: '2'
services:
  openldap:
    image: osixia/openldap:1.5.0
    container_name: openldap
    environment:
      LDAP_LOG_LEVEL: "256"
      LDAP_ORGANISATION: "secureit"
      LDAP_DOMAIN: "secure.it"
      #LDAP_BASE_DN: ""
      LDAP_ADMIN_PASSWORD: "secureit"
      LDAP_CONFIG_PASSWORD: "secureit"
      LDAP_READONLY_USER: "false"
      #LDAP_READONLY_USER_USERNAME: "readonly"
      #LDAP_READONLY_USER_PASSWORD: "readonly"
      LDAP_RFC2307BIS_SCHEMA: "false"
      LDAP_BACKEND: "mdb"
      LDAP_TLS: "false"
      #LDAP_TLS_CRT_FILENAME: "ldap.crt"
      #LDAP_TLS_KEY_FILENAME: "ldap.key"
      #LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
      #LDAP_TLS_CA_CRT_FILENAME: "ca.crt"
      #LDAP_TLS_ENFORCE: "false"
      #LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
      #LDAP_TLS_VERIFY_CLIENT: "demand"
      LDAP_REPLICATION: "false"
      #LDAP_REPLICATION_CONFIG_SYNCPROV: 'binddn="cn=admin,cn=config" bindmethod=simple credentials="$$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_DB_SYNCPROV: 'binddn="cn=admin,$$LDAP_BASE_DN" bindmethod=simple credentials="$$LDAP_ADMIN_PASSWORD" searchbase="$$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical'
      #LDAP_REPLICATION_HOSTS: "#PYTHON2BASH:['ldap://ldap.example.org','ldap://ldap2.example.org']"
      KEEP_EXISTING_CONFIG: "false"
      LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
      LDAP_SSL_HELPER_PREFIX: "ldap"
    tty: true
    stdin_open: true
    volumes:
      - openldap_data:/var/lib/ldap
      - openldap_slapd:/etc/ldap/slapd.d
      - openldap_certs:/container/service/slapd/assets/certs/
    ports:
      - "389:389"
      #- "636:636"
    # For replication to work correctly, domainname and hostname must be
    # set correctly so that "hostname"."domainname" equates to the
    # fully-qualified domain name for the host.
    domainname: "secure.it"
    hostname: "ldap-server"
  phpldapadmin:
    image: osixia/phpldapadmin:latest
    container_name: phpldapadmin
    environment:
      PHPLDAPADMIN_LDAP_HOSTS: "openldap"
      PHPLDAPADMIN_HTTPS: "false"
    ports:
      - "9444:80"
    depends_on:
      - openldap
volumes:
  openldap_data:
    driver: local
  openldap_slapd:
    driver: local
  openldap_certs:
    driver: local

then the Keycloak stack I used for Keycloak + Postgres

version: '3'

volumes:
  postgres_data:
      driver: local
  keycloak:
      driver: local

services:
  postgres:
      image: postgres
      container_name: KEYCLOAK-DB
      restart: always
      volumes:
        - postgres_data:/var/lib/postgresql/data
      environment:
        POSTGRES_DB: keycloak
        POSTGRES_USER: keycloak
        POSTGRES_PASSWORD: keycloak
  keycloak:
      image: quay.io/keycloak/keycloak
      container_name: KEYCLOAK
      restart: always
      ports:
        - 9445:8080
      environment:
        KC_DB_URL: jdbc:postgresql://postgres/keycloak
        KC_DB_PORT: 5432
        KC_DB_DATABASE: keycloak
        KC_DB_USER: keycloak
        KC_DB_PASSWORD: keycloak
        KEYCLOAK_ADMIN: admin
        KEYCLOAK_ADMIN_PASSWORD: keycloak
        KC_HTTP_ENABLED: "true"
        KC_HTTPS_ENABLED: "false"
        KC_PROXY: edge
        KC_HOSTNAME_STRICT: "false"
      entrypoint: ["/bin/sh", "-c", "/opt/keycloak/bin/kc.sh build --db postgres && /opt/keycloak/bin/kc.sh start --optimized"]
      depends_on:
        - postgres

Then in Keycloak : Go to User Federation and add a new federation enter image description here

Update to synchronise users

Then go to Mappers and add a group mapper :

enter image description here

You're ready to go

Tutorial pGina integration with Synology LDAP

Hi

Today I would like to show you how to log in to windows using pGina with a Synology LDAP server (openldap)

Also I configured the "groups" membership to automatically give to my users the Administrator role when they belong to a certain group like admin

1- Download pGina http://pgina.org/

2- Activate LDAP Plugin : Authentication & Gateway

enter image description here

3- Then configure pGina in order to retrieve Users & Groups from your Synology LDAP Server

enter image description here

  • Search DN : uid=root,cn=users,dc=yourdomain,dc=local
  • Search password : Synology ldap root password
  • Group DN pattern : uid=%u,cn=users,dc=yourdomain,dc=local
  • User DN Pattern : uid=%u,cn=users,dc=yourdomain,dc=local
  • Member Attribute : member

4 - Go to Gateway TAB

And map the group

If member of LDAP group "admins" (ldap group name) add to local group "Administrators" for instance