Ok, here's my problem, as it stands the pupils have no email system here and the IT teachers want them to be able to email work in from home and also email it to the teachers. It should be easy enough to set up, until my current email setup comes into play for the staff.
Currently, all staff emails that are addressed to *@nordenhighschool.co.uk get forwarded to 1 mailbox at lancsngfl.ac.uk, then all the mail is pulled down from there using a POP3 collector and passed to our Exchange server. Bit long-winded but that was how it was set up when I started here and it worked so I left it.
All staff have an email address = *@nordenhighschool.co.uk; we have paid for the domain name.
My main question is how do I set up the email accounts for the kids on a Linux-based email server? I don't want to buy CALs for Exchange if I can help it. Also, due to the redirection of the @nordenhighschool.co.uk addresses I'm guessing that the students will have to have a different address after the @ symbol. What should I use? Will I have to buy a new domain name like "norden.edu" or something so the pupils can have "email@example.com" or whatever?
Would I be able to add a way of connecting to the Exchange box from the Linux box if a pupil sends an email to a member of staff, or vice versa?
As you can probably guess, this is my first setup of something like this so as much advice as possible will be helpful.
If you're using CLEO as your broadband provider they will offer you a web-based email solution.
It will take a bit of jigging around but the way I would do it is to:
Put the Linux Mail server in front of your exchange server and use it for the kids and map the staff accounts to be handed off to the exchange.
If you use something like MailScanner on the Linux box it can also act as a protection unit for your Exchange box.
Typical setup we would build for this is:
OS - Ubuntu LTS 6.06
Postfix - MailScanner-SpamAssassin-ClamAV as the MTA combo
Cyrus IMAP as the storage medium for the kids email
Squirrelmail as the web access for the kids
You can either have OpenLDAP running on the box for kids user details or get the box to auth against AD
As I say, it may take a little remodelling of the current setup but should be easy enough
@dezt: Keep things simple... speak to Westfield and get your schoolname.lancs.sch.uk domain sorted out first. Once that is done you have options, either bung a mailserver in onsite and Westfield will sort out mail forwarding for you or simply use the CLEO mail solution.
If you are unsure, simply ring up Westfield and they will tell you your options.
My way is more fun
For the domain you could get away with using @student.nordenhighschool.co.uk
As another option I would agree with Geoff. Zimbra rocks
We have just moved the company email to it. Very very nice
Last edited by linescanner; 17th April 2008 at 10:31 AM. Reason: pants typing
+1 for Zimbra - just completed migration to it here for both staff and students and feedback is very positive so far.
How about using Google Apps? Takes all the processing troubles out of your hands. Excellent spam filter, good control for the admin (not as much as a linux box obviously though). Works very nicely.
We use Zimbra for students. The accounts are created automatically from Active Directory. There are a couple of pre-requisites for the way we do it.
1) the username must be 'sensible' - no apostrophes, dashes etc otherwise my scripts break
2) the student's employeeType must be set to STUDENT in Active Directory
3) you have an LDAP bind account
4) the account is enabled
5) there is a 'banned' group - and the student isn't in it
6) you need to read the script really
I run this from cron.daily
Code:
    #!/bin/sh
    /usr/bin/python3 /usr/local/sbin/zimbra.py | mail -s "Zimbra account creation" firstname.lastname@example.org
and I wrote this python script to create/ban the accounts
Code:
    #!/usr/bin/python3
    # This program is free software; you can redistribute it and/or modify
    # it under the terms of the GNU General Public License as published by
    # the Free Software Foundation; GPLv3
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # To obtain a copy of the GNU General Public License, write to the Free Software Foundation,
    # Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
    #
    #--------------------------------------------------------------------------------------------------
    # Notes:
    # This script automatically creates zimbra accounts from active directory, the active directory account must have
    # the employeeType=STUDENT attribute set. If accounts are in the 'banned' active directory group then the
    # account will automatically be locked when the script is run, and unlocked if they are no longer in the AD
    # banned group
    #--------------------------------------------------------------------------------------------------
    # Variables can be changed here:
    banned = 'CN=Banned,CN=yourschool,DC=sch,DC=uk' # an OU for banned users
    scope = 'ou=users,dc=yourschool,dc=sch,dc=uk' #the search scope
    domain = "yourschool.sch.uk" # "example.com"
    ldapserver="server1" #ldap server
    port="389" #ldap port (389 default)
    emaildomain="yourschool.sch.uk" #the email domain
    ldapbinddomain="student-domain" #the domain of the ldap bind account
    ldapbind="ldap" #the account name of the account to bind to ldap
    ldappassword="password" #the ldap password
    pathtozmprov="/opt/zimbra/bin/zmprov"
    #--------------------------------------------------------------------------------------------------
    import ldap, subprocess, sys, time

    def zmprov_lines(*args):
        #run zmprov with an argument list (no shell involved) and return its output lines
        out = subprocess.run([pathtozmprov] + list(args), stdout=subprocess.PIPE, universal_newlines=True)
        return out.stdout.splitlines()

    def attr(vals, name, default):
        #python-ldap returns every attribute as a list of byte strings
        return vals[name][0].decode('utf-8') if name in vals else default

    #output the list of all accounts from zmprov gaa (get all accounts)
    zmprovgaa = zmprov_lines('gaa')

    l=ldap.initialize("ldap://"+ldapserver+"."+domain+":"+port)
    l.simple_bind_s(ldapbinddomain+"\\"+ldapbind,ldappassword) #bind to the ldap server using name/password
    try:
        res = l.search_s(scope, ldap.SCOPE_SUBTREE, "(&(ObjectCategory=user)(userAccountControl=512)(employeeType=STUDENT))", ['sAMAccountName','givenName','sn','memberOf'])
        #userAccountControl 512 = normal , 514 = disabled account
        for (dn, vals) in res:
            if dn is None: #skip search referrals, they are not user entries
                continue
            accountname = attr(vals, 'sAMAccountName', '').lower()
            sirname = attr(vals, 'sn', accountname).lower()
            givenname = attr(vals, 'givenName', accountname)
            groups = [g.decode('utf-8') for g in vals.get('memberOf', [])]
            initial = givenname[:1].upper()
            sirname = sirname.replace(' ', '')
            sirname = sirname.replace('\'', '')
            sirname = sirname.replace('-', '')
            sirname = sirname.capitalize()
            name = initial + "." + sirname
            accountname = accountname + "@" + emaildomain
            password = '' #empty password argument, as on the original command line
            sys.stdout.flush()
            # if the account doesn't exist in the output of zmprov gaa create the account
            if accountname not in zmprovgaa:
                print(accountname, " exists in active directory but not in zimbra, the account is being created\n", flush=True)
                time.sleep(1)
                subprocess.call([pathtozmprov, 'ca', accountname, password, 'displayName', name])
            # check to see if the account is already locked
            locked = "zimbraAccountStatus: locked" in zmprov_lines('ga', accountname)
            # if the account is in the group 'banned' and not locked then lock it
            if banned in groups:
                if not locked:
                    print(accountname, " has been BANNED from the internet. The email account has been locked ", flush=True)
                    subprocess.call([pathtozmprov, 'ma', accountname, 'zimbraAccountStatus', 'locked'])
                    time.sleep(1)
                else:
                    print(accountname, " has a locked email account because they are in the 'banned' group")
            #set any accounts to 'active' if they are not in the banned group and the account is currently locked
            elif locked:
                subprocess.call([pathtozmprov, 'ma', accountname, 'zimbraAccountStatus', 'active'])
                time.sleep(1)
                print(accountname, " is no longer in the 'banned' group, therefore the account has been activated")
    except ldap.LDAPError as error_message:
        print(error_message)
    l.unbind_s()
We use another random Linux server as a relay to relay between the internal Zimbra server and legacy Exchange (for staff email). We don't need to do it that way because Zimbra could take care of it - there are details on the Zimbra website called a 'split domain' IIRC. The relay (sendmail - still) auto generates the aliases file from an AD LDAP query using a Perl script.
ps. - I don't consider myself a very good programmer - so everyone feel free to improve this and post back modifications.
webman (23rd April 2008)
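Prerequisite 1 in the post above ('sensible' usernames) matters whenever directory values are formatted into a command line that a shell parses. As an added example (not code from the post), the following shows what a shell tokeniser makes of such a line and plans the same `zmprov ca` calls as validated argument lists for `subprocess.run(argv)` instead; the naming pattern, function names and sample entries are assumptions constructed for illustration.

```python
import re
import shlex

ZMPROV = "/opt/zimbra/bin/zmprov"   # path from the script in the post
SAFE_LOCAL = re.compile(r"[a-z0-9][a-z0-9._]{0,63}")   # assumed naming policy

def shell_tokens(account, display_name):
    """Tokens /bin/sh derives from the '%s'-formatted line; None if rejected."""
    line = "%s ca %s '' displayName %s" % (ZMPROV, account, display_name)
    try:
        return shlex.split(line)
    except ValueError:              # unbalanced quote, e.g. from an apostrophe
        return None

def create_argv(sam, email_domain, display_name):
    """Validated argument list for subprocess.run(argv); no shell involved."""
    local = sam.lower()
    if not SAFE_LOCAL.fullmatch(local):
        raise ValueError("unsafe account name: %r" % sam)
    return [ZMPROV, "ca", "%s@%s" % (local, email_domain), "",
            "displayName", display_name]

def plan_creates(ldap_results, existing, email_domain):
    """Return (argv lists, rejected names) for AD users missing from Zimbra."""
    commands, rejected = [], []
    for dn, attrs in ldap_results:
        if dn is None:              # search referral, not a user entry
            continue
        sam = attrs["sAMAccountName"][0].decode("utf-8")
        given = attrs.get("givenName", [b""])[0].decode("utf-8")
        sn = attrs.get("sn", [sam.encode()])[0].decode("utf-8")
        display = "%s.%s" % (given[:1].upper(), sn.capitalize())
        try:
            argv = create_argv(sam, email_domain, display)
        except ValueError:
            rejected.append(sam)    # report it rather than guess a fix
            continue
        if argv[2] not in existing:
            commands.append(argv)
    return commands, rejected

# Constructed sample in the shape python-ldap returns (lists of bytes values).
SAMPLE = [
    ("CN=jsmith,OU=users,DC=yourschool,DC=sch,DC=uk",
     {"sAMAccountName": [b"JSmith"], "givenName": [b"john"], "sn": [b"van berg"]}),
    ("CN=pobrien,OU=users,DC=yourschool,DC=sch,DC=uk",
     {"sAMAccountName": [b"p.o'brien"], "givenName": [b"pat"], "sn": [b"o'brien"]}),
    (None, ["ldap://constructed.example/DC=yourschool,DC=sch,DC=uk"]),
]
```

With the argument-list form a display name containing a space stays one argument, whereas the shell form splits it into two.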
That script looks relatively straight-forward CyberNerd, thanks.
As we have one Zimbra server for both staff and students; my method of mailbox creation is slightly different.
It involves a VBScript on the server to pull the info from AD and put into a CSV file (display names, staff distribution list assignments, COS settings, enabled/disabled status etc).
The Perl script on the Zimbra side retrieves the CSV file, parses it, and translates it into zmprov (Zimbra provisioning CLI tool) commands. It does some checking and a diff to process only changed accounts though. Admittedly it's a bit long-winded but it seems to work well and any changes in the AD for names etc are reflected in Zimbra.
The Perl script
Looking at CyberNerd's Python script makes me think I could do it all in one go if I can manage to do LDAP in Perl.
Last edited by webman; 28th April 2008 at 12:59 PM.
CyberNerd (24th April 2008)
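The diff step webman describes, as an added example in Python rather than the VBScript/Perl pair from the post (which is not shown on the page): it compares two CSV exports and emits zmprov argument lists only for accounts that are new or changed. The column names, the mapping of disabled accounts to `zimbraAccountStatus locked`, the locking of accounts that disappear from the export, and the sample data are assumptions.

```python
import csv
import io

ZMPROV = "/opt/zimbra/bin/zmprov"   # assumed install path

def load(snapshot_text):
    """Parse one CSV export into {email: row}; rows with no email are skipped."""
    rows = csv.DictReader(io.StringIO(snapshot_text))
    return {r["email"].strip().lower(): r for r in rows if r["email"].strip()}

def status(row):
    """Map the export's enabled flag to a zimbraAccountStatus value (assumed)."""
    return "active" if row["enabled"].strip().lower() == "true" else "locked"

def diff_to_zmprov(previous_text, current_text):
    """Return zmprov argument lists for accounts that are new or have changed."""
    old, new = load(previous_text), load(current_text)
    commands = []
    for email in sorted(new):
        row = new[email]
        if email not in old:
            commands.append([ZMPROV, "ca", email, "",
                             "displayName", row["display_name"],
                             "zimbraAccountStatus", status(row)])
            continue
        changes = []
        if row["display_name"] != old[email]["display_name"]:
            changes += ["displayName", row["display_name"]]
        if status(row) != status(old[email]):
            changes += ["zimbraAccountStatus", status(row)]
        if changes:
            commands.append([ZMPROV, "ma", email] + changes)
    # Assumed policy: accounts missing from the new export are locked, not deleted.
    for email in sorted(set(old) - set(new)):
        commands.append([ZMPROV, "ma", email, "zimbraAccountStatus", "locked"])
    return commands

# Constructed exports: yesterday's snapshot and today's.
PREVIOUS = """email,display_name,enabled
asmith@yourschool.sch.uk,A.Smith,true
bjones@yourschool.sch.uk,B.Jones,true
cwhite@yourschool.sch.uk,C.White,true
"""
CURRENT = """email,display_name,enabled
asmith@yourschool.sch.uk,A.Smith,true
bjones@yourschool.sch.uk,B.Jones-Evans,false
dobrien@yourschool.sch.uk,"D.O'Brien, Yr 9",true
"""
```

Each returned list can be passed to `subprocess.run` unchanged, so quoted CSV fields with commas or apostrophes reach zmprov as single arguments.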