On Wed, Jul 02, 2025 at 02:22:37PM +0530, Burn Zero wrote:
> > If you really mean authentication, a key question is whether this is an
> > ActiveDirectory environment, or just some standalone (though networked)
> > Windows servers?
>
> It is an active directory environment. But the problem is emails will
> be sent from devices such as printers, servers and web applications.
> They are normally not tied with user accounts and they can have
> different "from" addresses (we have multiple domains).
My advice would be to add AD user accounts for these, so that you get to
manage the passwords in the same way as for any user. You can limit
their group memberships so that they can't actually login into any
servers or workstations, but can "authenticate". The details will depend
on which user OUs and groups you've implemented and how you manage
permissions.
> > How do you expect to manage the login accounts of the users that are to
> > be authenticated? Users in ActiveDirectory, or some ad hoc password
> > backend?
>
> As they are not in Active Directory, I am planning to create those in
> AD or maybe a MySQL server ( this is where I need help to decide)
The AD approach is IMHO more sensible.
> I am not sure how authentication is implemented for high traffic
> postfix servers.
Nothing special, SASL logins are very unlikely to be a bottleneck...
The most robust solution would be a use a SASL module that performs
a Kerberos login against AD, verified via saslauthd -a pam, with
a pam_krb5 module doing the work.
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
