
Sendmail LDAP verification questions


Rich Gomes

Nov 5, 2009, 4:24:35 PM
I have been testing out the following Sendmail and Active Directory
verification configuration:
http://www.shocknetwork.com/forum/post35.html

Works very well with two exceptions. Hoping someone can help.

Queries against groups (with known SMTP addresses) fail with 'User
Unknown' (the same as for an invalid user).
How can I get it to query Groups as well as users?

Additionally, I would prefer it to simply drop the email rather than
send an NDR. How can that be changed?


Thanks in advance

Rich

Rich Gomes

Nov 9, 2009, 11:50:33 AM

I have a small update:

Hard-coding the Expansion Server on a Distribution List works.
This, however, is not a good idea in a distributed Exchange
environment.
Is there any way to configure Sendmail to query Groups as well as
Users?
The sendmail.schema file perhaps?

Erich Titl

Nov 11, 2009, 11:03:41 AM
Hi

a tad late, but nevertheless....

Rich Gomes wrote:
> On Nov 5, 4:24 pm, Rich Gomes <richgo...@gmail.com> wrote:
>> I have been testing out the following Sendmail and Active Directory
>> verification configuration:http://www.shocknetwork.com/forum/post35.html
>>

I have not looked into that hack, so I don't know why it is needed at
all....

>> Works very well with two exceptions. Hoping someone can help.
>>
>> Queries against groups (with known SMTP addresses) fails with 'User
>> Unknown' (same as an invalid user)
>> How can I get it to query Groups as well as users?

Typically by modifying the ldap lookup.

This here works for me....

# LDAP routing maps
Kldapmh null

Kldapmra ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))


>>
>> Additionally, I would prefer it to simply drop the email rather than
>> send an NDR. How can that be changed?

That may require a hack or you could define a mail sink and route it there.


cheers

Erich

Andrzej Adam Filip

Nov 11, 2009, 12:08:56 PM
Erich Titl <erich...@think.ch> wrote:
> Hi
>
> a tad late, but nevertheless....
>
> Rich Gomes wrote:
>> On Nov 5, 4:24 pm, Rich Gomes <richgo...@gmail.com> wrote:
>>> I have been testing out the following Sendmail and Active Directory
>>> verification configuration:http://www.shocknetwork.com/forum/post35.html
>>>
>
> I have not looked into that hack, so I don't know why it is needed at
> all....
>
>>> Works very well with two exceptions. Hoping someone can help.
>>>
>>> Queries against groups (with known SMTP addresses) fails with 'User
>>> Unknown' (same as an invalid user)
>>> How can I get it to query Groups as well as users?
>
> Typically by modifying the ldap lookup.
>
> This here works for me....
>
> # LDAP routing maps
> Kldapmh null
>
> Kldapmra ldap -1 -T<TMPF> -v mail -k
> (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))

Do you mean the following
define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

URL(s):
http://www.sendmail.org/m4/ldap_routing.html

>>> Additionally, I would prefer it to simply drop the email rather than
>>> send an NDR. How can that be changed?
>
> That may require a hack or you could define a mail sink and route it there.

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com
P.S. I suppose I really should be nicer to people today, considering
I'll be singing in Billy Graham's choir tonight... :-)
-- Larry Wall in <1997092617...@wall.org>

Erich Titl

Nov 12, 2009, 7:19:46 AM
Andrzej Adam Filip wrote:
> Erich Titl <erich...@think.ch> wrote:
>> Hi
>>
>> a tad late, but nevertheless....
>>
>> Rich Gomes wrote:
>>> On Nov 5, 4:24 pm, Rich Gomes <richgo...@gmail.com> wrote:
>>>> I have been testing out the following Sendmail and Active Directory
>>>> verification configuration:http://www.shocknetwork.com/forum/post35.html
>>>>
>> I have not looked into that hack, so I don't know why it is needed at
>> all....
>>
>>>> Works very well with two exceptions. Hoping someone can help.
>>>>
>>>> Queries against groups (with known SMTP addresses) fails with 'User
>>>> Unknown' (same as an invalid user)
>>>> How can I get it to query Groups as well as users?
>> Typically by modifying the ldap lookup.
>>
>> This here works for me....
>>
>> # LDAP routing maps
>> Kldapmh null
>>
>> Kldapmra ldap -1 -T<TMPF> -v mail -k
>> (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))
>
> Do you mean the following
> define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
> FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

in m4speak, yes

Andrzej Adam Filip

Nov 12, 2009, 9:22:42 AM

Do you expect most people asking/searching for help here to be highly
`m4 literate'? I do not :-)

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com

Open-Sendmail: http://open-sendmail.sourceforge.net/
Rumor travels faster, but it don't stay put as long as truth.
-- Will Rogers (1879-1935)

Erich Titl

Nov 12, 2009, 10:57:38 AM

Naaahh ... so sorry

Rich Gomes

Nov 19, 2009, 11:14:30 AM
So I have added these two lines to the existing lines in sendmail.mc
and compiled it:

define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

Having the FEATURE line in there seems to disable any LDAP queries.
Commenting it out works, but the groups query still does not.
The only addresses the query can find are the groups that have had
their Expansion Server hardcoded.

Should I be adding this in addition to the existing lines or replacing
existing lines?


Thoughts?

Erich Titl

Nov 23, 2009, 7:45:17 AM
Hi

Use ldapsearch to determine the correct syntax for your query. Then
insert that syntax into your LDAPMRA definition in your .mc file, somewhat
like below.

dnl
dnl LDAP Configuration
dnl
define(`confLDAP_DEFAULT_SPEC', `-h "mmmmm.yyy.dom.ain" -b "DC=COMPANY,DC=GROUP" -d "CN=mycommon,OU=ressourcen,DC=COMPANY,DC=GROUP" -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl
dnl
LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl
dnl
FEATURE(`ldap_routing', `null', `ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))', `bounce')dnl

cheers

Erich

Rich Gomes

Nov 24, 2009, 10:56:19 AM

Ok, I am confused, I already had those lines in my sendmail.mc file, I
only added the line mentioning the object class.
For reference, here is how it looks currently (sanitized of course):

LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain3.com')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain4.com')dnl # alternate domain to do ldap lookups for.
define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
dnl ###Added for Groups verification

define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')

dnl FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

Thoughts?

Andrzej Adam Filip

Nov 24, 2009, 12:21:28 PM
Rich Gomes <rich...@gmail.com> wrote:
> [...]

> Ok, I am confused, I already had those lines in my sendmail.mc file, I
> only added the line mentioning the object class.
> For reference, here is how it looks currently (sanitized of course):
>
> LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
> LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
> LDAPROUTE_DOMAIN(`domain3.com')dnl # alternate domain to do ldap lookups for.
> LDAPROUTE_DOMAIN(`domain4.com')dnl # alternate domain to do ldap lookups for.
> define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
> dnl ###Added for Groups verification
> define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')

> dnl FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')
>
> Thoughts?

"dnl" in m4 language means "comment to end of the line"
=> You have "commented out" the key FEATURE(`ldap_routing',...)

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com

I have learned silence from the talkative,
toleration from the intolerant, and kindness from the unkind.
-- Kahlil Gibran

Rich Gomes

Nov 24, 2009, 12:34:59 PM
On Nov 24, 12:21 pm, Andrzej Adam Filip <a...@onet.eu> wrote:

> Rich Gomes <richgo...@gmail.com> wrote:
> > [...]
> > Ok, I am confused, I already had those lines in my sendmail.mc file, I
> > only added the line mentioning the object class.
> > For reference, here is how it looks currently (sanitized of course):
>
> > LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
> > LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
> > LDAPROUTE_DOMAIN(`domain3.com')dnl # alternate domain to do ldap lookups for.
> > LDAPROUTE_DOMAIN(`domain4.com')dnl # alternate domain to do ldap lookups for.
> > define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
> > dnl ###Added for Groups verification
> > define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
> > dnl FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')
>
> > Thoughts?
>
> "dnl" in m4 language means "comment to end of the line"
> => You have "commented out" the key FEATURE(`ldap_routing',...)
>
> --
> [pl>en Andrew] Andrzej Adam Filip : a...@onet.eu : Andrzej.Fi...@gmail.com

> I have learned silence from the talkative,
> toleration from the intolerant, and kindness from the unkind.
>   -- Kahlil Gibran

See my previous post: having that line in there seems to disable the
ldap queries, that's why it was commented out.

Erich Titl

Nov 25, 2009, 2:28:59 AM
Rich

You are using multiple LDAPROUTE_DOMAIN definitions. I am not sure if
they are all consulted or if the last one just takes precedence. If you
need to look up multiple domains I would suggest to use
LDAPROUTE_DOMAIN_FILE instead. Look into your .cf file to see if each of
the domains are looked up.

Also you absolutely need the ldap routing feature, else nothing works.

cheers

Erich

Andrzej Adam Filip

Nov 25, 2009, 2:58:28 AM
Erich Titl <erich...@think.ch> wrote:
> [...]

> You are using multiple LDAPROUTE_DOMAIN definitions. I am not sure if
> they are all consulted or if the last one just takes precedence.

They add name(s) to $={LDAPRoute} class => They accumulate.

<quote src="cf/m4/cfhead.m4">
define(`LDAPROUTE_DOMAIN', `PUSHDIVERT(5)C{LDAPRoute}$1
</quote>

> If you need to look up multiple domains I would suggest to use
> LDAPROUTE_DOMAIN_FILE instead. Look into your .cf file to see if each
> of the domains are looked up.

It is a good idea anyway.

> Also you absolutely need the ldap routing feature, else nothing works.

AFAIR he uses modified FEATURE(`ldap_routing',...) converted into HACK file.

--
[pl>en Andrew] Andrzej Adam Filip : an...@onet.eu : Andrze...@gmail.com
Open-Sendmail: http://open-sendmail.sourceforge.net/

A narcissist is someone better looking than you are.
-- Gore Vidal

Erich Titl

Nov 25, 2009, 4:34:47 AM
Andrzej Adam Filip wrote:
> Erich Titl <erich...@think.ch> wrote:
>> [...]
>> You are using multiple LDAPROUTE_DOMAIN definitions. I am not sure if
>> they are all consulted or if the last one just takes precedence.
>
> They add name(s) to $={LDAPRoute} class => They accumulate.
>
> <quote src="cf/m4/cfhead.m4">
> define(`LDAPROUTE_DOMAIN', `PUSHDIVERT(5)C{LDAPRoute}$1
> </quote>
>
>> If you need to look up multiple domains I would suggest to use
>> LDAPROUTE_DOMAIN_FILE instead. Look into your .cf file to see if each
>> of the domains are looked up.
>
> It is good idea anyway.
>
>> Also you absolutely need the ldap routing feature, else nothing works.
>
> AFAIR he uses modified FEATURE(`ldap_routing',...) converted into HACK file.
>

Whoooo.... then why not call it a HACK, I vaguely recall having used
this many years ago. http://www.sendmail.org/m4/hacks.html

Erich

Rich Gomes

Nov 25, 2009, 6:10:35 PM
Ok, I think we are starting to get a little off track here.

The method I currently am using works well except for two exceptions:
1 - Does not query AD Groups
2 - Sends NDR to Sender address (I'd like the option of dropping the
messages without an NDR)

I want to keep the current config, but be able to query groups without
hard-coding the Expansion Server in Exchange.
The dropping of messages is really secondary to this.

In response to some of the statements made:

Yes, it is a HACK, not a FEATURE in the config I am using (http://
www.shocknetwork.com/forum/post35.html)

The multiple LDAPROUTE_DOMAIN lines is because we have several SMTP
domains and each one needs to be specified with a separate line.

I only posted the lines I thought were relevant (i.e. AD-specific)
but I can include the entire section of the .mc file for reference


So, keeping the current config, is there a way to also query Groups?


Thanks!

FEATURE(`mailertable')dnl # determine where to deliver special domains and Exchange servers, ie, planetci and csg-tech.bm
dnl HACK(`AD_ldap_routing')dnl # Route mail via ldap lookups to Active Directory in addition to aliases file.
dnl # Use a hack version of the ldap_routing feature as the field names
dnl # differ from those used in standard m4 file.
HACK(`AD_ldap_routing')


LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain3')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain4')dnl # alternate domain to do ldap lookups for.
define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')

dnl ###Added for Groups verification

dnl define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')

dnl FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

LOCAL_NET_CONFIG
R$* < @ $=m . > $*	$#esmtp $@ $2 $: $1 < @ $2 . > $3	internal addr delivered to host
R$* < @ $+ . $=m . > $*	$#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4	internal w/host

# Begin custom LDAP rule set.
# the following lines are essentially copied from the proto.m4 file. They are entered here to maintain the proper,
# original flow control but process the Active Directory response properly.
# pass names that still have a host to a smarthost (if defined)
R$* < @ $* > $*	$: $>MailerToTriple < $S > $1 < @ $2 > $3	glue on smarthost name

# deal with other remote names
R$* < @$* > $*	$#esmtp $@ $2 $: $1 < @ $2 > $3	us...@host.domain

# handle locally delivered names
R$=L	$#local $: @ $1	special local names
R$+	$#local $: $1	regular local names

SLDAPExpand
#do the LDAP lookup for the Exchange Mail Host
R<$+><$+><$*>	$: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> <$3>

# if mailRoutingAddress (targetAddress) and local or non-existent mailHost,
# return the new mailRoutingAddress
R<$+> <$=w> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1
R<$+> <> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1

# fix hostname in Mailertable, relay from there
R<$+> <$+> <$+> <$+> <$*>	$>LDAPMailertable <$2> $>canonify $1

# if no mailRoutingAddress and local mailHost,
# return original address
R<> <$=w> <$+> <$+> <$*>	$@ $2

# if no mailRoutingAddress and non-local mailHost,
# relay to mailHost (Exchange Server) with original address
# "de-AD" response at same time
# You'll need to do the query manually to find the proper stuff to pull out
R<> < / o=AUCA / ou=First Administrative Group / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*>	$>LDAPMailertable <$1> $2

# if still no mailRoutingAddress and no mailHost,
# try @domain
R<> <> <$+> <$+ @ $+> <$*>	$@ $>LDAPExpand <$1> <@ $3> <$4>

# if no mailRoutingAddress and no mailHost and this was a domain attempt,
# return the original address
R<> <> <$+> <@ $+> <$*>	$@ $1
# End of custom LDAPExpand rule set

Erich Titl

Nov 26, 2009, 9:40:34 AM
Hi Rich

Rich Gomes wrote:
> Ok, I think we are starting to get a little off track here.

The solution I presented you is based on the original feature, not on
the hacked version, so the hacked version might not work.

>
> The method I currently am using works well except for two exceptions:
> 1 - Does not query AD Groups
> 2 - Sends NDR to Sender address (I'd like the option of dropping the
> messages without and NDR)

The hack and the feature might not play nicely together.

>
> I want to keep the current config, but be able to query groups without
> hard-coding the Expansion Server in Exchange.
> The dropping of messages is really secondary to this.

The original feature will query for users and groups according to the
ldap query you pass to it.

>
> In response to some of the statements made:
>
> Yes, it is a HACK, not a FEATURE in the config I am using (http://
> www.shocknetwork.com/forum/post35.html)

Sure, this is just off the beaten track and might do things a bit
differently than provided for in the sendmail distro. It might not work
with the different ldap query and you might not find much support. Maybe
someone at shocknetwork knows.

>
> The multiple LDAPROUTE_DOMAIN lines is because we have several SMTP
> domains and each one needs to be specified with a separate line.

No need if you use a LDAPROUTE_DOMAIN_FILE.

>
> I only posted the lines I thought were relevant (i.e.. AD-specific)
> but I can include the entire section on the .mc file for reference

>
>
> So, keeping the current config, is there a way to also query Groups?

Your config uses a HACK instead of the original sendmail FEATURE. The
generated .cf file will probably look a bit different and behave
differently.

I would use the original FEATURE and adapt the lookup for your solution.

cheers

Erich

Rich Gomes

Nov 26, 2009, 11:32:44 AM
So, in theory, what will I need for this to work (if I switch from
HACK to FEATURE)?

Just these three lines?

define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')

define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')

FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')


What about everything under LOCAL_NET_CONFIG?

Also can LDAPROUTE_DOMAIN_FILE be pointed to local-host-names or such?


Thanks

Erich Titl

Nov 27, 2009, 2:06:54 AM
Rich Gomes wrote:
> So, in theory, what will I need for this to work (if I switch from
> HACK to FEATURE)?
>
> Just these three lines?
>
> define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d
> "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1,
> dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
> define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)
> (objectclass=group))(proxyAddresses=smtp:%0))')
> FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

That is what I do. It is specific to our AD setup of course. Use
ldapsearch to determine the exact LDAP query for your set up.

>
>
> What about everything under LOCAL_NET_CONFIG?

I have no clue if and what the HACK places under LOCAL_NET_CONFIG

>
> Also can LDAPROUTE_DOMAIN_FILE be pinted to local-host-names or such?

I don't think you want your MTA name in there, but yes, these two files
may have little difference.

cheers

Erich

Rich Gomes

Nov 30, 2009, 4:03:03 PM
Ok, here are my results if I comment out the HACK lines and only have
the 3 I mentioned in the .mc file:

Groups can now be queried without hard-coding the Expansion Server in
Exchange
HOWEVER: Only the Primary SMTP address can be queried, not any
additional SMTP addresses.

Users addresses all show up as valid and deliverable, even the
purposely invalid ones.


Help!!

Erich Titl

Dec 1, 2009, 10:21:40 AM
to Rich Gomes

This is weird, check your LDAP syntax. The <bounce> should inhibit this.

cheers

Erich

Erich Titl

Dec 1, 2009, 10:34:12 AM
Rich Gomes wrote:
> Ok, here are my results if I coment out the HACK lines and only have
> the 3 I mentioned in the .mc file:
>
> Groups can now be queried without hard-coding the Expansion Server in
> Exchange
> HOWEVER: Only the Primary SMTP address can be queried, not any
> additional SMTP addresses.

Then the query must be adapted to your needs. We are using the
proxyAddresses=smtp:%0 syntax and this works with multiple addresses.

>
> Users addresses all show up as valid and deliverable, even the
> purposely invalid ones.

How are they invalidated? If a query returns something in the mail
attribute for a given 'proxyAddresses=smtp:f...@bar.com' query, then the
destination is valid.

cheers

Erich

Rich Gomes

Dec 1, 2009, 2:44:12 PM
On Dec 1, 10:34 am, Erich Titl <erich.t...@think.ch> wrote:
> Rich Gomes wrote:
> > Ok, here are my results if I coment out the HACK lines and only have
> > the 3 I mentioned in the .mc file:
>
> > Groups can now be queried without hard-coding the Expansion Server in
> > Exchange
> > HOWEVER: Only the Primary SMTP address can be queried, not any
> > additional SMTP addresses.
>
> Then the query must be adapted to your needs. We are using the
> proxyAddresses=smtp:%0 syntax and this works with multiple addresses.

proxyAddresses attribute contains all the smtp aliases for the group,
however, the query only seems to look for what is in the 'mail'
attribute (the primary SMTP alias)

>
> > Users addresses all show up as valid and deliverable, even the
> > purposely invalid ones.
>
> How are they invalidated? If a query returns something in the mail
> attribute for a given 'proxyAddresses=smtp:f...@bar.com' query, then the
> destination is valid.

That's the issue, they're not being invalidated. Known bad addresses
show up as deliverable.


The original HACK that I posted worked great with user addresses, just
not groups. How can I get the HACK version to query groups?


Rich

Erich Titl

Dec 2, 2009, 3:01:23 AM
to Rich Gomes
Rich Gomes wrote:
> On Dec 1, 10:34 am, Erich Titl <erich.t...@think.ch> wrote:
>> Rich Gomes wrote:
>>> Ok, here are my results if I coment out the HACK lines and only have
>>> the 3 I mentioned in the .mc file:
>>> Groups can now be queried without hard-coding the Expansion Server in
>>> Exchange
>>> HOWEVER: Only the Primary SMTP address can be queried, not any
>>> additional SMTP addresses.
>> Then the query must be adapted to your needs. We are using the
>> proxyAddresses=smtp:%0 syntax and this works with multiple addresses.
>
> proxyAddresses attribute contains all the smtp aliases fro the group,
> however, the query only seems to look for what is in the 'mail'
> attribute (the primary SMTP alias)

No, the mail attribute is used as forwarding address. It only makes
limited sense to have more than one forwarding address per user. If
you need to distribute the mail to groups, then use a group address to
forward to.

>
>>> Users addresses all show up as valid and deliverable, even the
>>> purposely invalid ones.
>> How are they invalidated? If a query returns something in the mail
>> attribute for a given 'proxyAddresses=smtp:f...@bar.com' query, then the
>> destination is valid.
>
> Thats's the issue, they're not being invalidated. Known bad addresses
> show up as deliverable.

Somehow you will need to mark them as invalid, else the LDAP query will
return something. What is the reason to keep invalid addresses in your AD?

>
>
> The orignal HACK that I posted worked great with user addresses, just
> not groups. How can I get the HACK version to query groups?

You can analyze the HACK and see what query is used.

cheers

Erich

Erich Titl

Dec 2, 2009, 10:48:34 AM
Rich

Please let us keep this in the sendmail newsgroup, as it might be of
general interest.

Rich Gomes wrote:
> The addresses arent in AD, thats the issue. When I employ the FEATURE
> method, and I query for a bad address, it returns a result of deliverable.

Have you tried to query your AD for an address and looked at the result?
Please find out what your query returns in the mail attribute, as this
is the one that is used by sendmail, when you use the feature the way I
documented.

>
>
> I have looked at the HACK query to see where it is only looking for
> users and not groups and there is nothing ( as explained in OP)

There is probably an invocation of ldapmap which returns something. As I
have not looked at the hack (and don't intend to, because I classify it
as such) I cannot give you details on how the author solved the lookup
problem. All I can tell you is that the ldap routing feature as
distributed in the standard sendmail distribution allows you to specify
a query which returns a result, which can then be used to qualify a user
to have a valid recipient address, and thus mail can be forwarded to.

This method works fine for the AD in the company I work for, invalid
users are rejected, user and group addresses are queried and the results
are satisfactory.

I am using this query script to verify an account in our LDAP directory
to see if the query returns something meaningful.

ldapsearch -h my.ldap.server -b "DC=MY,DC=COMPANY,DC=COM" -x \
  -D "CN=query,CN=Users,DC=MY,DC=COMPANY,DC=COM" -w "queryuser" \
  "(&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:$1))" \
  mail mailNickname mailPrincipalname userPrincipalName proxyAddresses

The following shows the sanitized result of my query. As you see, the
mail attribute holds a single destination address whereas
proxyAddresses holds multiple values.

------------------------------------------

administrator@mta1:~> sh ldap_query admini...@my.company.com
# extended LDIF
#
# LDAPv3
# base <DC=MY,DC=COMPANY,DC=COM> with scope subtree
# filter: (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:admini...@my.company.com))
# requesting: mail mailNickname mailPrincipalname userPrincipalName proxyAddresses
#

# Administrator, Users, my.company.com
dn: CN=Administrator,CN=Users,DC=MY,DC=COMPANY,DC=COM
proxyAddresses: SMTP:postm...@my.company.com
proxyAddresses: smtp:Admini...@my.company.com
proxyAddresses: smtp:mon...@my.company.com
proxyAddresses: smtp:postm...@my.company.com
proxyAddresses: X400:c=COM;a= ;p=company;o=Exchange;s=Administrator;
mailNickname: Administrator
mail: postm...@my.company.com

# search reference
ref: ldap://DomainDnsZones.my.company.com/DC=DomainDnsZones,DC=MY,DC=COMPANY,DC=COM

# search reference
ref: ldap://ForestDnsZones.my.company.com/DC=ForestDnsZones,DC=MY,DC=COMPANY,DC=COM

# search reference
ref: ldap://my.company.com/CN=Configuration,DC=MY,DC=COMPANY,DC=COM

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 1
# numReferences: 3

--------------------------------------------

Using the same query in a sendmail context achieves the desired result. YMMV

cheers

Erich
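
Erich's ldap_query script above drops its argument ($1) straight into the search filter and reads the mail attribute out of the LDIF by eye. The block below is an added example, not the thread's script and not sendmail's own code: it escapes the filter value per RFC 4515, builds the user/group filter Erich gave in his first reply, evaluates that filter over a constructed two-entry directory (a user with a secondary smtp alias and a distribution group) so that the effect of dropping objectclass=group from the filter is visible, and parses ldapsearch-style LDIF like the sanitized output above to pull out the single-valued mail attribute. The directory entries and the LDIF text are constructed; the case-insensitive proxyAddresses comparison is an assumption about how AD matches that attribute.

```python
import base64

# RFC 4515 escaping for a value interpolated into a search filter; without it a
# recipient such as "x)(cn=*" rewrites the filter instead of being searched for.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(address, classes=("user", "group")):
    """With the default classes this is the thread's filter:
    (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:<address>))"""
    class_part = "".join("(objectclass=%s)" % c for c in classes)
    return "(&(|%s)(proxyAddresses=smtp:%s))" % (class_part, escape_filter_value(address))

# Constructed sample directory (not real data).  Assumption: AD compares
# proxyAddresses case-insensitively, so the primary "SMTP:" and secondary
# "smtp:" values both satisfy a smtp:<address> filter.
DIRECTORY = [
    {"dn": "CN=Administrator,CN=Users,DC=MY,DC=COMPANY,DC=COM",
     "objectClass": ["top", "person", "user"],
     "proxyAddresses": ["SMTP:postmaster@my.company.com",
                        "smtp:Administrator@my.company.com"],
     "mail": ["postmaster@my.company.com"]},
    {"dn": "CN=Sales,OU=Groups,DC=MY,DC=COMPANY,DC=COM",
     "objectClass": ["top", "group"],
     "proxyAddresses": ["SMTP:sales@my.company.com",
                        "smtp:sales-team@my.company.com"],
     "mail": ["sales@my.company.com"]},
]

def lookup_routing_address(address, classes=("user", "group"), directory=DIRECTORY):
    """Evaluate the filter over the sample directory and return the matching
    entry's single 'mail' value (what '-v mail' hands to sendmail), or None.
    classes=("user",) reproduces the symptom from the thread: groups unknown."""
    wanted = "smtp:" + address.lower()
    wanted_classes = {c.lower() for c in classes}
    for entry in directory:
        if not wanted_classes & {c.lower() for c in entry["objectClass"]}:
            continue
        if any(p.lower() == wanted for p in entry["proxyAddresses"]):
            return entry["mail"][0]  # mail is single-valued: the forwarding address
    return None

def parse_ldif(text):
    """Minimal reader for ldapsearch LDIF output: entries as dicts of
    attribute -> list of values.  Comments, search references and the result
    block are skipped; folded lines (leading space) are rejoined and base64
    values ('attr:: ...') are decoded."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr == "dn":
            current = {"dn": value}
        elif current is not None:         # ref:/search:/result: lines fall here and are dropped
            current.setdefault(attr, []).append(value)
    return entries

# Constructed LDIF modelled on the sanitized output shown in the thread.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=MY,DC=COMPANY,DC=COM> with scope subtree
# filter: (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:administrator@my.company.com))
# requesting: mail proxyAddresses
#

# Administrator, Users, my.company.com
dn: CN=Administrator,CN=Users,DC=MY,DC=COMPANY,DC=COM
proxyAddresses: SMTP:postmaster@my.company.com
proxyAddresses: smtp:Administrator@my.company.com
mail: postmaster@my.company.com

# search reference
ref: ldap://my.company.com/CN=Configuration,DC=MY,DC=COMPANY,DC=COM

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1
"""

def routing_address_from_ldif(text):
    """What a verification script should report: the first entry's mail value,
    or None when the search returned no entry (address unknown)."""
    entries = parse_ldif(text)
    return entries[0]["mail"][0] if entries and entries[0].get("mail") else None

if __name__ == "__main__":
    print(build_filter("sales-team@my.company.com"))
    print(lookup_routing_address("sales-team@my.company.com"))
    print(lookup_routing_address("sales-team@my.company.com", classes=("user",)))
    print(routing_address_from_ldif(SAMPLE_LDIF))
```

Running the block prints the filter, the group's mail address, None for the same lookup with the user-only filter, and the postmaster address recovered from the sample LDIF. The same parse_ldif can be fed the real ldapsearch output of the thread's script to check that the mail attribute is present for every address that is expected to verify.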

Rich Gomes

Dec 2, 2009, 3:49:23 PM
At this point in the discussion, am I being asked to verify thru
ldapsearch if the addresses in question are valid or not?


Erich Titl

Dec 3, 2009, 2:19:11 AM
Rich Gomes wrote:
> At this point in the discussion, am I being asked to verify thru
> ldapsearch if the addresses in question are valid or not?
>
>

Yes and no, the verification is to prove if your ldap query returns a
result that is of any use to you, or if the query can be modified to
provide the result you need.

Rich Gomes

Dec 7, 2009, 10:21:18 AM

I was using known invalid addresses, that was not the issue.

I couldn't figure out why it was not working so I decided to start from
scratch.
I removed all of my LDAP configuration and added only the 3 lines

define(`confLDAP_DEFAULT_SPEC',`-h dc01.domain.com -M simple -d "cn=serviceacount, ou=Administration, dc=domain, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain, dc=com"')

define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

Still didn't work, so I added the following right above those three
lines to tell the config which domains to verify.


LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain3.com')dnl # alternate domain to do ldap lookups for.
LDAPROUTE_DOMAIN(`domain4.com')dnl # alternate domain to do ldap lookups for.


Now it all works great.


Thanks for all your assistance!


Rich

Erich Titl

Dec 8, 2009, 4:16:30 AM
Hi

Ah, yes you need to define for which domains you want to do the lookup

I suggest to use

LDAPROUTE_DOMAIN_FILE if you have multiple domains to look up. Within
that file you would just write

domain1.com
domain2.com
domain3.com
domain4.com

This allows you to add more domains if needed without recompiling your
.mc file.

>
> Now it all works great.
>

Good

Erich
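
Rich's last two posts and Erich's reply describe the per-recipient decision that made the difference: with confLDAP_DEFAULT_SPEC, LDAPMRA and FEATURE(`ldap_routing') but no LDAPROUTE_DOMAIN, no recipient domain was subject to the lookup, which is consistent with every address looking deliverable; once the domains were listed, unknown addresses in those domains were rejected because the FEATURE's fourth argument is `bounce'. The block below is an added example, not from the thread and not sendmail's code: it models that decision in Python, reading a domain list in the one-domain-per-line form Erich suggests for LDAPROUTE_DOMAIN_FILE, consulting a stand-in lookup table, and applying the bounce versus passthru choice. The file contents and the lookup table are constructed, and '#' comment handling in the domain file is an assumption.

```python
# Constructed LDAPROUTE_DOMAIN_FILE contents (not a real file).
ROUTE_DOMAIN_FILE = """\
# domains whose recipients are verified against AD (comment syntax assumed)
domain1.com
domain2.com
"""

def load_route_domains(text):
    """One domain per line; blank lines and '#' comments ignored; domains are
    compared case-insensitively, so they are stored lower-cased."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(line.lower())
    return domains

# Constructed stand-in for the LDAP lookup: recipient -> 'mail' attribute.
KNOWN = {
    "sales-team@domain1.com": "sales@domain1.com",
    "jdoe@domain2.com": "jdoe@domain2.com",
}

def route(recipient, route_domains, unknown="bounce", known=KNOWN):
    """Decide what ldap_routing does with one recipient.  Returns (action, address):
       ("deliver", recipient)  domain not listed: no lookup happens at all, so an
                               unknown address in it is never rejected here
       ("route", mail)         found: deliver to the entry's mail attribute
       ("bounce", recipient)   not found and the 4th FEATURE argument is bounce
       ("deliver", recipient)  not found and the 4th argument is passthru
    Only the bounce and passthru values are modelled."""
    if unknown not in ("bounce", "passthru"):
        raise ValueError("unknown-address policy must be bounce or passthru")
    _, _, domain = recipient.rpartition("@")
    if domain.lower() not in route_domains:
        return ("deliver", recipient)
    target = known.get(recipient.lower())
    if target is not None:
        return ("route", target)
    return ("bounce" if unknown == "bounce" else "deliver", recipient)

if __name__ == "__main__":
    domains = load_route_domains(ROUTE_DOMAIN_FILE)
    for rcpt in ("sales-team@domain1.com", "nobody@domain1.com", "nobody@domain3.com"):
        print(rcpt, "->", route(rcpt, domains))
    # no routed domains at all: every address is simply delivered
    print("nobody@domain1.com (no domains) ->", route("nobody@domain1.com", set()))
```

The last print is the situation from Rich's "all addresses show up as valid" post: with an empty domain set the function never consults the directory. Adding a domain to the file, rather than another LDAPROUTE_DOMAIN line, is what lets the list grow without rebuilding the .cf, as Erich notes.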