Sendmail Routing with LDAP

One of the reasons you might want to do this is if you have just acquired a new company and want its mail routed through the same old sendmail relays you were already using, or if you are running some kind of spam or virus scanner that requires sendmail, or maybe you just want a relay between the Internet and your mail server for security purposes.

Note: This covers routing mail with sendmail, not accepting mail and delivering it into /var/mail on this machine. If you want the mail stored on this machine, the recipient needs a local account there (you should be able to switch to it with 'su - uid'). Otherwise, you will probably get the message "User unknown".

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has LDAP capabilities compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun

Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP in that list, you know it will work. Solaris 7 through 9 should all work; patches are available for those that don't.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search for a user so that we know what attributes we have to work with. Here, I pull the user's LDIF data with this command:

/usr/sbin/ldapsearch -b 'o=isp' -p 4389 -h flash.atac.ebay.sun.com [email protected]

In this case, I'm looking for alton's user entry, searching on the mail attribute.

Here are my results:

uid=alton, ou=people, o=atac.ebay.sun.com, o=isp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=inetUser
objectClass=ipUser
objectClass=nsManagedPerson
objectClass=userPresenceProfile
objectClass=inetMailUser
objectClass=inetLocalMailRecipient
[email protected]
mailUserStatus=active
mailHost=flash.atac.ebay.sun.com
givenName=alton
cn=alton yu
uid=alton
nsdaCapability=mailListCreate
sn=yu
inetUserStatus=active
mailDeliveryOption=mailbox
preferredLanguage=en
nswmExtendedUserPrefs=meDraftFolder=Drafts
nswmExtendedUserPrefs=meSentFolder=Sent
nswmExtendedUserPrefs=meTrashFolder=Trash
nswmExtendedUserPrefs=meInitialized=true
pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

Now that we know what information is there to configure sendmail with, we can start tinkering.

Now for the sendmail.mc file. First, I go to /usr/lib/mail/cf and copy the existing main.mc to a new sendmail.mc, keeping main.mc as my backup:

cp main.mc sendmail.mc

Then I open sendmail.mc and add:

define(`confLDAP_DEFAULT_SPEC',`-h flash.atac.ebay.sun.com -b o=isp -p 4389')
LDAPROUTE_DOMAIN(`atac.ebay.sun.com')
FEATURE(`ldap_routing')

I then build the cf file with:

make sendmail.cf

and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… User unknown

Hmmm…. I wonder why …

I go to the LDAP server's access log and find:

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed - U1

Okay. It looks like sendmail is filtering on mailLocalAddress and asking for mailRoutingAddress and then mailHost, and every search comes back with nentries=0. My entries have neither mailLocalAddress nor mailRoutingAddress, so rather than changing the data in the LDAP server, I will make some changes in sendmail.mc.

I change just

FEATURE(`ldap_routing')

to:

FEATURE(`ldap_routing',`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))')

So now, instead of searching on mailLocalAddress, I'm searching on mail, and the mailHost attribute of the matching entry tells sendmail where to relay the message.

By doing that and rebuilding my sendmail.cf file, I now get:

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… deliverable: mailer relay, host flash.atac.ebay.sun.com, user [email protected]
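To make the difference between the two lookups concrete, here is an added Python example (not sendmail's code and not from the original post) that models the stock ldap_routing mailHost filter and the replacement filter from the post against an in-memory copy of the LDIF entry shown earlier, so it runs without a directory server. The masked address is replaced with the placeholder alton@example.test, and the filter evaluator only handles what ldap_routing uses here: one AND of equality assertions, compared case-insensitively as the directory does for these attributes. Substituted keys are escaped per RFC 4515 so that the recipient address is always matched as a literal value.

```python
# Added example (not sendmail's code and not from the original post): a model
# of the two ldap_routing lookups described above, run against an in-memory
# copy of the LDIF entry so it works offline.
import re

# Constructed from the ldapsearch output above. The masked address is
# replaced with a placeholder value.
ENTRY = {
    "dn": "uid=alton, ou=people, o=atac.ebay.sun.com, o=isp",
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                    "inetUser", "ipUser", "nsManagedPerson",
                    "userPresenceProfile", "inetMailUser",
                    "inetLocalMailRecipient"],
    "mail": ["alton@example.test"],          # placeholder for the masked address
    "mailUserStatus": ["active"],
    "mailHost": ["flash.atac.ebay.sun.com"],
    "uid": ["alton"],
    "mailDeliveryOption": ["mailbox"],
}

# The stock ldap_routing mailHost filter (what the first access log shows)
# and the replacement filter from the post. %0 is the recipient key.
DEFAULT_FILTER = "(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))"
CUSTOM_FILTER = "(&(objectclass=inetorgperson)(mail=%0))"

def escape_filter_value(value):
    """RFC 4515 escaping of a key before it is substituted into a filter,
    so the recipient address is always matched as a literal."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")

def parse_and_filter(filt):
    """Turn '(&(a=v)(b=w))' (or a lone '(a=v)') into [(attr, value), ...]."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    body = m.group(1) if m else filt
    parts = ASSERTION.findall(body)
    if not parts or "".join("(%s=%s)" % p for p in parts) != body:
        raise ValueError("unsupported filter: %r" % filt)
    return [(attr, unescape_filter_value(val)) for attr, val in parts]

def entry_matches(entry, assertions):
    """Every assertion must match one value, attribute and value caseIgnore."""
    attrs = {k.lower(): v for k, v in entry.items() if k != "dn"}
    return all(any(v.lower() == want.lower() for v in attrs.get(attr.lower(), []))
               for attr, want in assertions)

def lookup(entries, template, key, want_attr):
    """Values of want_attr from every entry matching template with %0 = key."""
    assertions = parse_and_filter(template.replace("%0", escape_filter_value(key)))
    return [v for e in entries if entry_matches(e, assertions)
            for v in e.get(want_attr, [])]

def route(entries, address):
    """Reproduce the post's two outcomes from the mailHost lookup result."""
    hosts = lookup(entries, CUSTOM_FILTER, address, "mailHost")
    return ("deliverable: mailer relay, host %s" % hosts[0]) if hosts else "User unknown"

if __name__ == "__main__":
    for tmpl in (DEFAULT_FILTER, CUSTOM_FILTER):
        print(tmpl, "->", lookup([ENTRY], tmpl, "alton@example.test", "mailHost"))
    print(route([ENTRY], "alton@example.test"))
```

Run as a script it prints an empty list for the stock filter (the entry has no mailLocalAddress, which is exactly the nentries=0 the access log showed), the mailHost value for the replacement filter, and the "deliverable: mailer relay" line from the post.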

Now this looks better. How does the LDAP access log look?

[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetorgperson)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed - U1

Okay. Good enough.
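Both access log excerpts above were diagnosed by eye: pairing each SRCH with its RESULT and checking nentries. The following added Python example (not from the original post, not part of any Sun or sendmail tool) does that pairing over a constructed sample in the same Directory Server log format, reports the searches that matched nothing, and lists the binds; the masked address is replaced with the placeholder alton@example.test.

```python
# Added example (not from the original post): a small parser for access log
# lines in the format of the Directory Server excerpts above. It pairs each
# SRCH with its RESULT by conn/op, reports searches that returned no entries
# (the reason for the "User unknown" result), and lists the binds.
import re

# Constructed sample in the format of the log excerpts above; the masked
# address is replaced with a placeholder.
SAMPLE_LOG = """\
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=alton@example.test))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=alton@example.test))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 UNBIND
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetorgperson)(mail=alton@example.test))" attrs="mailHost"
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 UNBIND
"""

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                  r'filter="([^"]*)" attrs="?([^"\s]*)"?')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+) version=(\d)')

def parse_searches(log_text):
    """Pair each SRCH with its RESULT (keyed by conn/op) in log order."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            conn, op, base, scope, filt, attrs = m.groups()
            pending[(conn, op)] = {"conn": int(conn), "op": int(op), "base": base,
                                   "scope": int(scope), "filter": filt, "attrs": attrs}
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(5))
            done.append(rec)
    return done

def filter_attribute(filt):
    """Name of the last equality assertion in a filter (the lookup key)."""
    names = re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)=", filt)
    return names[-1] if names else None

def empty_searches(searches):
    """Searches that succeeded (err=0) but matched no entry."""
    return [s for s in searches if s["err"] == 0 and s["nentries"] == 0]

def binds(log_text):
    """(conn, dn, method, version) for each BIND; dn == '' is anonymous."""
    out = []
    for line in log_text.splitlines():
        m = BIND.search(line)
        if m:
            out.append((int(m.group(1)), m.group(3), int(m.group(4)), int(m.group(5))))
    return out

if __name__ == "__main__":
    for s in empty_searches(parse_searches(SAMPLE_LOG)):
        print("conn=%d op=%d: no entry for %s lookup (attrs=%s)"
              % (s["conn"], s["op"], filter_attribute(s["filter"]), s["attrs"]))
    for conn, dn, method, version in binds(SAMPLE_LOG):
        print("conn=%d bind dn=%r method=%d LDAPv%d" % (conn, dn, method, version))
```

On the sample this flags the two mailLocalAddress searches on conn=348 as empty and leaves the mail search on conn=383 alone. The bind listing is worth keeping in a check like this: the log shows sendmail binding with dn="" method=128 version=2, that is an anonymous simple bind over LDAPv2, which is what confLDAP_DEFAULT_SPEC as written above produces, so the directory's anonymous read access to mailHost is what the whole routing setup depends on.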

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.

3 thoughts on “Sendmail Routing with LDAP”

  1. Hi.
    I found your article and have gotten this to work so far (still in test lab).
    I have two questions:
    1 – Can it be configured to drop without sending an NDR?
    (The problem is invalid addresses hardcoded into sales applications and the developers won't go back and remove them, which generates an ENORMOUS amount of traffic between bounce backs.)

    2 – Is there a way to have it automatically resolve the DN of the Exchange server correctly without populating mailertable with all of them?
    (We have many and normally I just point Sendmail to a Front End\Bridgehead server and let Exchange do the rest.)

    Thanks!
    Rich

  2. I’m not really a mail admin anymore, so I can’t/haven’t tested answers to these questions. We’ve since migrated to Postfix and are just grabbing a full list of the ldap every 5 minutes – sort of a directory sync so that it doesn’t do an ldap call each time it receives an email.

    to answer #1, I would maybe write a filter (using milter) to just remove all mails from postmaster. Alternatively, maybe just doing a grep for postmaster from the /var/spool/mqueue directory and just removing those files.

    2) Just use the Bridgehead server. If you have a load balancer, use it. You don’t need all Exchange servers in the list.

  3. One more quick question:

    Were you able to get this to work with AD Groups?

    Currently it only queries users and I do not see anywhere in the code where it is limiting by objectclass.

    Thanks,
    Rich
