Performing an attempt of migration from Windows SBS to UCS

Gents,
I’m trying to build the following configuration:

  • MS AD on Windows SBS2003 (yes, it’s deep legacy, that’s why slowly moving from it)
  • UCS as MS AD member (still a member, but if it’s OK we’re planning to make it the PDC)
  • MS AD domain domain0 .local, NETBIOS name DOMAIN0
  • MS AD email domain domain0 .com (space is because “new user can not put more than two links in a post”)
  • UCS email domain domain1 .com (when we will migrate, the goal is multihome UCS server with possibility to send messages both from domain0 .com and from domain1 .com, while storing messages in a single storage)
  • UCS upon installation is configured with the name new-pdc. domain0. local
  • DNS records seem to be OK on UCS
  • UCS is NATed perfectly from external network
  • users have their primary email address set on domain0 .com and this cannot be changed on UCS
  • UCS is set with Mail domain domain1 .com
  • users must be able to receive on their domain0 .com on MS AD and on domain1 .com on UCS

So, when I nslookup against the UCS server and look for domain1 .com, it points me to the UCS server. This means that if an external connection is looking for the mail exchanger for domain1 .com, it finds UCS (as it is perfectly NATed) and a message to username@ domain1 .com is successfully delivered. Further, UCS immediately forwards the message to the MS AD Exchange server. I guess this is due to the fact that the username’s primary address is username@ domain0 .com. If I log in via the WebApp and send myself a message, the same happens. So, on UCS no message will remain. Update: But this can be corrected if I set domain0 .com on UCS in the Domain/Mail module along with domain1 .com.

Another behavior that doesn’t suit my configuration is that Kopano won’t authenticate/authorize a user over SMTP at all, although IMAP is OK. I’m not proficient and think that this happens at the Postfix level, but I can’t understand how this can be worked on in UCS.

I was advised to authenticate with primary email address instead of ADdomain\username (or username@ ADdomain), but this didn’t work.

So, is it possible to make Kopano not forward the messages to MS AD and leave them on UCS and also authenticate users on SMTP?

N.B. To be mentioned: the goal is to build a multihome LDAP server with 2 (maybe 3) email domains delivering to a single email storage, with the possibility of sending from addresses in two different email domains. UCS seemed to be perfect for a SOHO, but it looks like it’s not that simple to achieve this.

Any help is highly appreciated!

OK, looks like I have to dig into the issues by myself and work them out. No probs, just tell me that I’m on the right way.

In the other thread I have described what I’ve found regarding authentication: there is an issue in my config with saslauthd. Here is the thread:
https://help.univention.com/t/postfix-authentication-unavail/15783/3

Well, if somebody is kind enough to teach me how to enable saslauthd for Postfix after a reboot, I would be very, but VERY grateful!
Besides, I’m concerned whether this workaround is safe for all other services on UCS, especially if we take into account the strange issue below found in mail.log:

UCS-PDC postfix/smtpd[8802]: connect from unknown[192.168.1.95]
UCS-PDC postfix/smtpd[8802]: 96C2083FAA: client=unknown[192.168.1.95], sasl_method=LOGIN, sasl_username=username@domain0.com
UCS-PDC postfix/cleanup[8805]: 96C2083FAA: message-id=< some very long string @domain1.com>
UCS-PDC postfix/qmgr[2000]: 96C2083FAA: from=<username@domain1.com>, size=3537, nrcpt=1 (queue active)
UCS-PDC postfix/smtpd[8809]: connect from localhost[127.0.0.1]
UCS-PDC postfix/smtpd[8809]: C7DBF846BC: client=localhost[127.0.0.1], orig_queue_id=96C2083FAA, orig_client=unknown[192.168.1.95]
UCS-PDC postfix/cleanup[8805]: C7DBF846BC: message-id=< some very long string @domain1.com>
UCS-PDC postfix/qmgr[2000]: C7DBF846BC: from=<username@domain1.com>, size=4017, nrcpt=1 (queue active)
UCS-PDC amavis[2742]: (02742-01) Passed CLEAN {RelayedOutbound}, LOCAL [192.168.1.95]:64581 <username@domain1.com> -> <somebody@gmail.com>, Queue-ID: 96C2083FAA, Message-ID: < some very long string @domain1.com>, mail_id: KAGfh0RsM9yC, Hits: -0.899, size: 3536, queued_as: C7DBF846BC, 163 ms
UCS-PDC postfix/smtpd[8809]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1 commands=6
UCS-PDC postfix/smtp[8806]: 96C2083FAA: to=<somebody@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.24, delays=0.06/0.01/0.01/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C7DBF846BC)
UCS-PDC postfix/qmgr[2000]: 96C2083FAA: removed
UCS-PDC postfix/smtp[8810]: C7DBF846BC: to=<somebody@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, delay=1.2, delays=0.02/0.02/0.6/0.59, dsn=2.0.0, status=sent (250 2.0.0 OK  1596821329 r26si5637366ejz.728 - gsmtp)
UCS-PDC postfix/cleanup[8805]: 084AD846C8: message-id=<20200807172849.084AD846C8@UCS-PDC.DOMAIN0.LOCAL>
UCS-PDC postfix/qmgr[2000]: 084AD846C8: from=<>, size=3360, nrcpt=1 (queue active)
UCS-PDC postfix/bounce[8811]: C7DBF846BC: sender delivery status notification: 084AD846C8
UCS-PDC postfix/qmgr[2000]: C7DBF846BC: removed
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC postfix/lmtp[8812]: 084AD846C8: to=<username@domain0.com>, orig_to=<username@domain1.com>, relay=127.0.0.1[127.0.0.1]:2003, delay=0.23, delays=0.01/0.01/0.05/0.17, dsn=2.1.5, status=sent (250 2.1.5 username@domain0.com Ok)
UCS-PDC postfix/qmgr[2000]: 084AD846C8: removed
UCS-PDC postfix/smtpd[8802]: disconnect from unknown[192.168.1.95] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.

What I really don’t like are the strings highlighted in red. And you? Does anybody know what’s happening?
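Reading the excerpt above by queue ID rather than line by line makes the flow easier to see. The script below is an added example for this thread; it is not code from the poster, Univention, Kopano or Postfix. It follows a Postfix queue-ID chain through mail.log (orig_queue_id on the content-filter re-injection, "queued as" on the hop into amavis, and the bounce daemon's "delivery status notification" for the DSN) and reports two things visible in the posted log: the DSN 084AD846C8 has its recipient rewritten from username@domain1.com to username@domain0.com (the orig_to field), and the submission 96C2083FAA was authenticated as username@domain0.com but carried the envelope sender username@domain1.com. Postfix accepts that combination unless reject_sender_login_mismatch is in smtpd_sender_restrictions and smtpd_sender_login_maps lists which sender addresses each login may use; that same table is also what lets one account send from both domains deliberately. The sample log is constructed after the posted lines; the host name, queue IDs, addresses and the 192.168.1.95 client are placeholders.

```python
"""Follow Postfix queue-ID chains through mail.log (added example, not
Univention/Kopano/Postfix code). Sample log constructed after the posted
excerpt; host, queue IDs, addresses and client IP are placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
UCS-PDC postfix/smtpd[8802]: connect from unknown[192.168.1.95]
UCS-PDC postfix/smtpd[8802]: 96C2083FAA: client=unknown[192.168.1.95], sasl_method=LOGIN, sasl_username=username@domain0.com
UCS-PDC postfix/qmgr[2000]: 96C2083FAA: from=<username@domain1.com>, size=3537, nrcpt=1 (queue active)
UCS-PDC postfix/smtpd[8809]: C7DBF846BC: client=localhost[127.0.0.1], orig_queue_id=96C2083FAA, orig_client=unknown[192.168.1.95]
UCS-PDC postfix/qmgr[2000]: C7DBF846BC: from=<username@domain1.com>, size=4017, nrcpt=1 (queue active)
UCS-PDC postfix/smtp[8806]: 96C2083FAA: to=<somebody@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.24, delays=0.06/0.01/0.01/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C7DBF846BC)
UCS-PDC postfix/qmgr[2000]: 96C2083FAA: removed
UCS-PDC postfix/smtp[8810]: C7DBF846BC: to=<somebody@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.69.26]:25, delay=1.2, delays=0.02/0.02/0.6/0.59, dsn=2.0.0, status=sent (250 2.0.0 OK 1596821329 r26si5637366ejz.728 - gsmtp)
UCS-PDC postfix/qmgr[2000]: 084AD846C8: from=<>, size=3360, nrcpt=1 (queue active)
UCS-PDC postfix/bounce[8811]: C7DBF846BC: sender delivery status notification: 084AD846C8
UCS-PDC postfix/qmgr[2000]: C7DBF846BC: removed
UCS-PDC kopano-server[1558]: LDAP search error: Can`t contact LDAP server. Will unbind, reconnect and retry.
UCS-PDC postfix/lmtp[8812]: 084AD846C8: to=<username@domain0.com>, orig_to=<username@domain1.com>, relay=127.0.0.1[127.0.0.1]:2003, delay=0.23, delays=0.01/0.01/0.05/0.17, dsn=2.1.5, status=sent (250 2.1.5 username@domain0.com Ok)
UCS-PDC postfix/qmgr[2000]: 084AD846C8: removed
"""

# Tolerates a syslog timestamp prefix too; only lines with a queue ID are kept.
LINE_RE = re.compile(r"^.*?\bpostfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

def _grab(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None

@dataclass
class Delivery:
    to: str
    orig_to: Optional[str]   # set when a virtual/canonical map rewrote the recipient
    relay: Optional[str]
    status: Optional[str]

@dataclass
class Message:
    qid: str
    sasl_username: Optional[str] = None  # only on authenticated submissions
    sender: Optional[str] = None         # envelope sender; "" for a DSN/bounce
    parent: Optional[str] = None         # queue ID this message was derived from
    children: List[str] = field(default_factory=list)
    deliveries: List[Delivery] = field(default_factory=list)

def _link(messages: Dict[str, Message], parent: str, child: str) -> None:
    p = messages.setdefault(parent, Message(parent))
    if child not in p.children:
        p.children.append(child)
    messages.setdefault(child, Message(child)).parent = parent

def parse_log(text: str) -> Dict[str, Message]:
    messages: Dict[str, Message] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # connect/disconnect and non-postfix lines carry no queue ID
            continue
        prog, qid, rest = m.group("prog"), m.group("qid"), m.group("rest")
        msg = messages.setdefault(qid, Message(qid))
        if prog == "smtpd":
            msg.sasl_username = _grab(r"sasl_username=([^\s,]+)", rest) or msg.sasl_username
            parent = _grab(r"orig_queue_id=([0-9A-F]+)", rest)   # content-filter re-injection
            if parent:
                _link(messages, parent, qid)
        elif prog == "qmgr":
            sender = _grab(r"from=<([^>]*)>", rest)
            if sender is not None:
                msg.sender = sender
        elif prog == "bounce":
            dsn = _grab(r"delivery status notification: ([0-9A-F]+)", rest)
            if dsn:
                _link(messages, qid, dsn)
        elif prog in ("smtp", "lmtp", "local", "virtual", "pipe"):
            to = _grab(r"to=<([^>]*)>", rest)
            if to is not None:
                msg.deliveries.append(Delivery(to, _grab(r"orig_to=<([^>]*)>", rest),
                                               _grab(r"relay=(\S+?),", rest),
                                               _grab(r"status=(\w+)", rest)))
            queued_as = _grab(r"queued as ([0-9A-F]+)", rest)   # hop into the filter
            if queued_as:
                _link(messages, qid, queued_as)
    return messages

def chain(messages: Dict[str, Message], qid: str) -> List[str]:
    """Queue IDs reachable from qid, depth-first, in re-injection/bounce order."""
    out: List[str] = []
    stack = [qid]
    while stack:
        cur = stack.pop()
        if cur in out or cur not in messages:
            continue
        out.append(cur)
        stack.extend(reversed(messages[cur].children))
    return out

def rewritten_recipients(messages: Dict[str, Message]) -> List[Tuple[str, str, str]]:
    """Deliveries whose recipient was rewritten on the way (orig_to != to)."""
    return [(m.qid, d.orig_to, d.to) for m in messages.values()
            for d in m.deliveries if d.orig_to and d.orig_to != d.to]

def sender_login_mismatches(messages: Dict[str, Message]) -> List[Tuple[str, str, str]]:
    """Authenticated submissions whose envelope sender is not the SASL login.
    Postfix only refuses these with reject_sender_login_mismatch plus a
    smtpd_sender_login_maps table of the addresses each login may use."""
    return [(m.qid, m.sasl_username, m.sender) for m in messages.values()
            if m.sasl_username and m.sender and m.sasl_username.lower() != m.sender.lower()]

if __name__ == "__main__":
    msgs = parse_log(SAMPLE_LOG)
    for root in [q for q, m in msgs.items() if m.parent is None]:
        print(" -> ".join(chain(msgs, root)))
        for q in chain(msgs, root):
            for d in msgs[q].deliveries:
                print(f"  {q}: to={d.to} orig_to={d.orig_to} relay={d.relay} {d.status}")
    print("rewritten recipients:", rewritten_recipients(msgs))
    print("login/sender mismatches:", sender_login_mismatches(msgs))
```

Run against a real /var/log/mail.log by replacing SAMPLE_LOG with the file contents; the chain for the posted excerpt prints 96C2083FAA -> C7DBF846BC -> 084AD846C8, with only the last hop showing an orig_to rewrite.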

This error you can ignore. It only tells you that kopano-server reconnects to LDAP; that occurs on all Kopano installs I know.

rg
Christian


Thanks Christian!
I bet you know it better than me. So, I shall leave it this way, right?

Please tell me, how/what shall I configure for the IMAP client (MS OL2010) to connect smoothly without a restart while moving outside the LAN? I mean that when I was at my workplace and inside the LAN, the connection was OK. But when I moved with my laptop to my home LAN (just sending it to sleep during the trip), it refused to connect until a restart of the application.
Is it because of SSL certificate pointing to the internal UCS hostname?

Yes, it’s the certificate. You should use an official SSL cert. If you’re able to NAT ports 80 and 443 to your internal UCS mail server, you can install the Let’s Encrypt app from the App Center on the host and get a cert for your external DNS name. Then create an additional DNS forwarding zone on your UCS DNS server, e.g. external.my.domain, with the internal IP of your UCS mail server, and use this external FQDN for your Outlook mail settings.


rg
Christian

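The reply above attributes the failure to the certificate. The piece of client behaviour involved is the TLS server-name check: the client compares the name in its account profile with the names the certificate carries (subjectAltName), and a UCS-generated certificate only names the internal host. The snippet below is an added example for this thread, not code from Univention, Kopano or Outlook; it implements that check with the usual wildcard and IP-literal rules. The two certificates are constructed name lists, and mail.domain1.com is a placeholder for the external FQDN the reply suggests. Once the profile uses the external name, the split-horizon zone described in the reply serves that same name with the internal address inside the LAN, so the name check passes in both locations.

```python
"""Server-name check against a certificate's subjectAltName entries
(added example for this thread, not UCS, Kopano or Outlook code).
The certificates are constructed name lists; mail.domain1.com is a
placeholder for the external FQDN."""
import ipaddress
from typing import Dict, List

# Constructed subjectAltName contents, not real certificates.
UCS_INTERNAL_CERT: Dict[str, List[str]] = {"dns": ["new-pdc.domain0.local"], "ip": []}
LETSENCRYPT_CERT: Dict[str, List[str]] = {"dns": ["mail.domain1.com"], "ip": []}

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match with the usual wildcard restrictions:
    '*' is only accepted as the complete leftmost label, it stands for
    exactly one label, and (conservatively) the pattern needs at least
    three labels so that '*.com' never matches anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]) or len(p_labels) < 3:
        return False
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])

def certificate_covers(cert: Dict[str, List[str]], hostname: str) -> bool:
    """True if the name the client connects to is one the certificate names.
    An IP literal only matches iPAddress entries; a dNSName (wildcard or
    not) never covers an address."""
    if _is_ip_literal(hostname):
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(i) == target for i in cert.get("ip", []))
    return any(dns_name_matches(p, hostname) for p in cert.get("dns", []))

def check_client_profile(cert: Dict[str, List[str]], server_name: str) -> str:
    """What a mail client's TLS name check concludes for one account profile."""
    if certificate_covers(cert, server_name):
        return "ok"
    names = ", ".join(cert.get("dns", []) + cert.get("ip", [])) or "<none>"
    return f"name mismatch: certificate names {names}, client connects to {server_name}"

if __name__ == "__main__":
    # Internal cert + internal name passes, but that name only resolves inside
    # the LAN; the external name needs a certificate that actually carries it.
    for cert, name in [(UCS_INTERNAL_CERT, "new-pdc.domain0.local"),
                       (UCS_INTERNAL_CERT, "mail.domain1.com"),
                       (LETSENCRYPT_CERT, "mail.domain1.com")]:
        print(f"{name:24s} {check_client_profile(cert, name)}")
```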

Thanks, Christian!
I can’t confirm that this is it, but I have to admit that after configuring and running Let’s Encrypt it didn’t get stuck with the statement “Not connected” anymore.

Now I’m wondering if there is a possibility to set up the server in such a way that I can send messages from two separate email domains: domain0.com and domain1.com (both external domains belonging to me), and receive messages in one single mail storage.