Document information

Document ID:4680
Subject:Active Directory Integration in Xeams
Creation date:12/14/15 4:35 PM
Last modified on:12/14/15 4:35 PM

Active Directory Integration

Starting from build 5771 administrators can integrate Xeams with an existing Active Directory in their company. If integrated, Xeams will use AD lookup when:
  • A new user needs to be created
  • To authenticate existing users
  • Reject invalid users when accepting inbound emails

Steps to enable Active Directory

  • Login as admin
  • Click Active Directory Integration under Server Configuration
  • Fill in the form on the following page. The fields are:
    • Enable AD Integration: None of the other fields matter if this is NOT checked
    • Integrate Users: Check if you want Xeams to create users based on AD. Read below for more details.
    • Reject Invalid Users: If checked, recipients email is validated with AD before accepting an incoming email.
    • Host Name/IP: Host name or IP address of your domain controller.
    • AD Domain Name: This is the local domain name. For example: yourcompany.local
    • Base DN: Leave this blank initially. Xeams will attempt to fetch this value from the server. Occasionally, you may see more than one value for this field. In that case, you will have to pick the appropriate value.
    • Administrator's User ID: User ID that has enough privilege to perform an AD lookup. This is typically set to Administrator
    • Password: Password for the user

Creating and authenticating new users

Xeams will create new user accounts automatically when AD integration is enabled AND the check box for Integrate Users is checked (see above). No additional steps are required for user creation. Consider the following scenario as an example:
  • This is a new install and no users exist in Xeams
  • A user named John Doe, who has a valid account in your AD tries to connect to Xeams's Admin Console. John's User ID is john.doe
  • He puts john.doe for login ID and his password to connect in Xeams.
  • Upon a successful authentication through AD, Xeams will automatically create an account for John in Xeams. Note: Ensure an valid email address is associated with John's account in your AD. Xeams will pull his email and automatically create an association with this new account.
  • Xeams will NOT store John's password. Whenever a password is needed, Xeams will query AD.
  • From now on, John can use his AD credentials to login to Xeams' Admin Console.

Rejecting invalid users

If you use the Regular SMTP server to receive in-bound emails, Xeams can query AD before accepting emails. This reduces the number of overall email accepted by Xeams since invalid users will be rejected right at the door step. One additional benefit is that Xeams will not have to generate an NDR (non-delivery report) for this message. It is the responsibility of the sending SMTP server to generate an NDR.

To enable this feature, check Reject Invalid Users under Server Configuration/Active Directory Integration

NOTE: AD lookup is NOT performed when SMTP Proxy Server is used. This is because in case of the Proxy, the acceptance of incoming email is delegated to your actual email server, which could be either MS Exchange, or any other SMTP server. Therefore, to reject incoming emails for invalid users you must configure the SMTP server that Xeams is proxying for.

User comments

Posted by andreas on 3/19/15 2:56 AM

There are two topics I want to mention additionally: 1.)Since the User just needs to read AD one does not enter the credentials of the domain admins into the Administrator's User ID field. A standard user with domain user membershio is sufficient. 2.) If you want to add redundancy for the AD connection, just create a A record in DNS like "" and then configure DNS round robin and point the dom xeamsad record to the domain controllers like mentioned in:

Posted by Denth on 9/29/16 10:51 AM

I was wondering if there is a way to pull from just a selected OU in the AD? I have a user OU that I only want Xeams to pull from.

Posted by Alessandro Pernasili on 11/20/15 3:08 AM

Lotus Domino also is an LDAP server and work on the 389 TCP port. Is possibile an integration like AD for authentication and retrieve false negative email by end users ? THX in advance Alessandro Pernasili

Posted by andreas on 3/19/15 2:07 AM

Just updated and had the issue that AD Authentication was not working in an W2012 R2 AD. The Workaround was to disable ldap signing in the Default Domain Controller Policy - Probably something to be adressed in a future update

Posted by Jared on 2/13/17 3:25 PM

Is there a way to use this with OpenLDAP? If not are there any plans in the future for this functionality? Thanks

Posted by Hafiz Rafiyev on 1/12/16 5:07 AM

Thank you for useful add-on,my question is: Anyway to make domain based address check and reject invalid users by quering any kind of ldap servers.By changing parameters it will query ActiveDirectory,Lotus or another LDAP based server.It have to be domain based ,because Xeams may relay multiple domains to multiple mail servers.

Posted by jeelan on 9/3/15 1:17 AM

no comment its really good product.

Posted by Edgard Febrero on 8/19/16 11:14 AM

HI i want to know if is possible in use module AD to work with zimbra ldap ?

Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users? Please add it below. Your name and tip will appear at the end of the document text.
Your name:
Your email:
Hide my email address
Verification code:
Enter the verification code you see above more submitting your tip
Tip:Please limit tips to 1000 characters