From: Rich Gomes on 25 Nov 2009 18:10

Ok, I think we are starting to get a little off track here.

The method I currently am using works well except for two exceptions:
1 - Does not query AD Groups
2 - Sends NDR to Sender address (I'd like the option of dropping the messages without an NDR)

I want to keep the current config, but be able to query groups without hard-coding the Expansion Server in Exchange.
The dropping of messages is really secondary to this.

In response to some of the statements made:

Yes, it is a HACK, not a FEATURE in the config I am using (http://www.shocknetwork.com/forum/post35.html)

The multiple LDAPROUTE_DOMAIN lines is because we have several SMTP domains and each one needs to be specified with a separate line.

I only posted the lines I thought were relevant (i.e. AD-specific) but I can include the entire section on the .mc file for reference

So, keeping the current config, is there a way to also query Groups?

Thanks!

    FEATURE(`mailertable')dnl # determine where to deliver special domains and Exchange servers, ie, planetci and csg-tech.bm
    dnl HACK(`AD_ldap_routing')dnl # Route mail via ldap lookups to Active Directory in addition to aliases file.
    dnl # Use a hack version of the ldap_routing feature as the field names
    dnl # differ from those used in standard m4 file.
    HACK(`AD_ldap_routing')
    LDAPROUTE_DOMAIN(`domain1.com')dnl # what domain to do ldap lookups for.
    LDAPROUTE_DOMAIN(`domain2.com')dnl # alternate domain to do ldap lookups for.
    LDAPROUTE_DOMAIN(`domain3')dnl # alternate domain to do ldap lookups for.
    LDAPROUTE_DOMAIN(`domain4')dnl # alternate domain to do ldap lookups for.
    define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
    dnl ###Added for Groups verification
    dnl define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
    dnl FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

    LOCAL_NET_CONFIG
    R$* < @ $=m . > $*	$#esmtp $@ $2 $: $1 < @ $2 . > $3	internal addr delivered to host
    R$* < @ $+ . $=m . > $*	$#esmtp $@ $2 . $3 $: $1 < @ $2 .$3 . > $4	internal w/host

    # Begin custom LDAP rule set.
    # the following lines are essentially copied from the proto.m4 file. They are entered here to maintain the proper,
    # original flow control but process the Active Directory response properly.

    # pass names that still have a host to a smarthost (if defined)
    R$* < @ $* > $*	$: $>MailerToTriple < $S > $1 < @ $2 > $3	glue on smarthost name

    # deal with other remote names
    R$* < @$* > $*	$#esmtp $@ $2 $: $1 < @ $2 > $3	user@host.domain

    # handle locally delivered names
    R$=L	$#local $: @ $1	special local names
    R$+	$#local $: $1	regular local names

    SLDAPExpand
    #do the LDAP lookup for the Exchange Mail Host
    R<$+><$+><$*>	$: <$(ldapmra $2 $: $)> <$(ldapmh $2 $: $)> <$1> <$2> < $3>

    # if mailRoutingAddress (targetAddress) and local or non-existent mailHost,
    # return the new mailRoutingAddress
    R<$+> <$=w> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1
    R<$+> <> <$+> <$+> <$*>	$@ $>Parse0 $>canonify $1

    # fix hostname in Mailertable, relay from there
    R<$+> <$+> <$+> <$+> <$*>	$>LDAPMailertable <$2> $>canonify $1

    # if no mailRoutingAddress and local mailHost,
    # return original address
    R<> <$=w> <$+> <$+> <$*>	$@ $2

    # if no mailRoutingAddress and non-local mailHost,
    # relay to mailHost (Exchange Server) with original address
    # "de-AD" response at same time
    # You'll need to do the query manually the find the proper stuff to pull out
    R<> < / o=AUCA / ou=First Administrative Group / cn=Configuration / cn=Servers / $+> <$+> <$+> <$*>	$>LDAPMailertable <$1> $2

    # if still no mailRoutingAddress and no mailHost,
    # try @domain
    R<> <> <$+> <$+ @ $+> <$*>	$@ $>LDAPExpand <$1> <@ $3> <$4>

    # if no mailRoutingAddress and no mailHost and this was a domain attempt,
    # return the original address
    R<> <> <$+> <@ $+> <$*>	$@ $1
    # End of custom LDAPExpand rule set

From: Erich Titl on 26 Nov 2009 09:40

Hi Rich

Rich Gomes wrote:
> Ok, I think we are starting to get a little off track here.

The solution I presented you is based on the original feature, not on the hacked version, so the hacked version might not work.

>
> The method I currently am using works well except for two exceptions:
> 1 - Does not query AD Groups
> 2 - Sends NDR to Sender address (I'd like the option of dropping the
> messages without an NDR)

The hack and the feature might not play nicely together.

>
> I want to keep the current config, but be able to query groups without
> hard-coding the Expansion Server in Exchange.
> The dropping of messages is really secondary to this.

The original feature will query for users and groups according to the ldap query you pass to it.

>
> In response to some of the statements made:
>
> Yes, it is a HACK, not a FEATURE in the config I am using
> (http://www.shocknetwork.com/forum/post35.html)

Sure, this is just off the beaten track and might do things a bit differently than provided for in the sendmail distro. It might not work with the different ldap query and you might not find much support. Maybe someone at shocknetwork knows.

>
> The multiple LDAPROUTE_DOMAIN lines is because we have several SMTP
> domains and each one needs to be specified with a separate line.

No need if you use a LDAPROUTE_DOMAIN_FILE.

>
> I only posted the lines I thought were relevant (i.e. AD-specific)
> but I can include the entire section on the .mc file for reference
>
>
> So, keeping the current config, is there a way to also query Groups?

Your config uses a HACK instead of the original sendmail FEATURE. The generated .cf file will probably look a bit different and behave differently. I would use the original FEATURE and adapt the lookup for your solution.

cheers
Erich

From: Rich Gomes on 26 Nov 2009 11:32

So, in theory, what will I need for this to work (if I switch from HACK to FEATURE)?

Just these three lines?

    define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1, dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
    define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))')
    FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

What about everything under LOCAL_NET_CONFIG?

Also can LDAPROUTE_DOMAIN_FILE be pointed to local-host-names or such?

Thanks

From: Erich Titl on 27 Nov 2009 02:06

Rich Gomes wrote:
> So, in theory, what will I need for this to work (if I switch from
> HACK to FEATURE)?
>
> Just these three lines?
>
> define(`confLDAP_DEFAULT_SPEC',`-h server.domain1.com -M simple -d
> "cn=accountname, ou=serviceacountou, ou=administrationou, dc=domain1,
> dc=com" -P /etc/mail/ldap.passwd -p 389 -b "dc=domain1, dc=com"')
> define(`LDAPMRA',`ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)
> (objectclass=group))(proxyAddresses=smtp:%0))')
> FEATURE(`ldap_routing', `null', LDAPMRA, `bounce')

That is what I do. It is specific to our AD setup of course. Use ldapsearch to determine the exact LDAP query for your set up.

>
>
> What about everything under LOCAL_NET_CONFIG?

I have no clue if and what the HACK places under LOCAL_NET_CONFIG

>
> Also can LDAPROUTE_DOMAIN_FILE be pointed to local-host-names or such?

I don't think you want your MTA name in there, but yes, these two files may have little difference.

cheers
Erich

From: Rich Gomes on 30 Nov 2009 16:03

Ok, here are my results if I comment out the HACK lines and only have the 3 I mentioned in the .mc file:

Groups can now be queried without hard-coding the Expansion Server in Exchange

HOWEVER:
Only the Primary SMTP address can be queried, not any additional SMTP addresses.
Users addresses all show up as valid and deliverable, even the purposely invalid ones.

Help!!
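
Added example (not part of the original thread and not sendmail code): a small Python model of how the three-line FEATURE(`ldap_routing') config discussed above is expected to resolve a recipient, following the lookup order in the LDAPExpand rule comments quoted in the thread. It can serve as a reference when comparing against ldapsearch results. The directory entries are constructed sample data; case-insensitive proxyAddresses matching and the simplified mailHost handling (no local/remote distinction) are assumptions.

```python
# Constructed sample directory entries (not real accounts).
DIRECTORY = [
    {"objectClass": "user", "mail": "alice@domain1.com",
     "proxyAddresses": ["SMTP:alice@domain1.com", "smtp:a.smith@domain2.com"]},
    {"objectClass": "group", "mail": "staff@domain1.com",
     "proxyAddresses": ["SMTP:staff@domain1.com"]},
    {"objectClass": "contact", "mail": "vendor@example.net",
     "proxyAddresses": ["SMTP:vendor@domain1.com"]},
    {"objectClass": "user", "mail": "bob@domain1.com",
     "proxyAddresses": ["SMTP:bob@domain1.com", "smtp:shared@domain1.com"]},
    {"objectClass": "user", "mail": "carol@domain1.com",
     "proxyAddresses": ["SMTP:carol@domain1.com", "smtp:shared@domain1.com"]},
]

def ldapmra(key, directory=DIRECTORY):
    """Model of the LDAPMRA map: ldap -1 -v mail -k
    (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0)).
    Assumption: the directory compares proxyAddresses case-insensitively."""
    want = ("smtp:" + key).lower()
    hits = [e["mail"] for e in directory
            if e["objectClass"] in ("user", "group")
            and want in (p.lower() for p in e["proxyAddresses"])]
    # -1 requires a single match; several matches count as "not found".
    return hits[0] if len(hits) == 1 else ""

def ldapmh(key):
    """First FEATURE argument is `null': the mailHost lookup never returns a value."""
    return ""

def route(addr, on_miss="bounce"):
    """Look up the full address, then @domain, then apply the third
    FEATURE argument (bounce or passthru) when nothing was found."""
    domain = "@" + addr.rpartition("@")[2]
    for key in (addr, domain):
        mra, mh = ldapmra(key), ldapmh(key)
        if mra and mh:
            return ("relay", mh, mra)   # routing address relayed to mailHost
        if mra:
            return ("deliver", mra)     # rewritten to mailRoutingAddress
        if mh:
            return ("relay", mh, addr)  # original address relayed to mailHost
    if on_miss == "bounce":
        return ("bounce", addr)         # neither attribute found: unknown user
    return ("deliver", addr)            # passthru: address accepted unchanged
```

In this model a secondary address and a group both resolve, while a contact object, an address shared by two entries, and an unknown address are bounced, because the filter and the `-1` flag leave the map without a single match.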