ShocKNetworK.COM

Sendmail Routing with LDAP

One of the reasons you might want to do this is if you just acquired a new company and want mail to be routed through your same old sendmail relays as you had previously or if you're running some kind of spam or virus scanner that requires sendmail or maybe you just want to have a relay in between your the Internet and your mail server for security purposes.

Note: In this case, this is for routing mail with sendmail and not accepting mail and putting mail into /var/mail on this machine. If you want the mail stored on this machine, you should be able to get on this machine with an 'su - uid' command. Otherwise, you will probably get the message, "User unknown".

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has ldap capabilities
compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun
Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all
work. Patches are available for those that don't.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search to find a user so that we know what we will need.

Here, I pull the user's ldif data with this command:
/usr/sbin/ldapsearch -b 'o=isp' -p 4389 -h flash.atac.ebay.sun.com mail=alton@atac.ebay.sun.com

In this case, I'm looking for alton's user entry and using the mail attribute.

Here are my results:
uid=alton, ou=people, o=atac.ebay.sun.com, o=isp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=inetUser
objectClass=ipUser
objectClass=nsManagedPerson
objectClass=userPresenceProfile
objectClass=inetMailUser
objectClass=inetLocalMailRecipient
mail=alton@atac.ebay.sun.com
mailUserStatus=active
mailHost=flash.atac.ebay.sun.com
givenName=alton
cn=alton yu
uid=alton
nsdaCapability=mailListCreate
sn=yu
inetUserStatus=active
mailDeliveryOption=mailbox
preferredLanguage=en
nswmExtendedUserPrefs=meDraftFolder=Drafts
nswmExtendedUserPrefs=meSentFolder=Sent
nswmExtendedUserPrefs=meTrashFolder=Trash
nswmExtendedUserPrefs=meInitialized=true
pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

So now we know what kind of information to set up sendmail with, we will start tinkering with it.

In the sendmail.mc file, I add:

First, I go to /usr/lib/mail/cf

I make a backup of my old main.mc to create sendmail.mc

cp main.mc sendmail.mc

and then I open the file and add:
define(`confLDAP_DEFAULT_SPEC',`-h flash.atac.ebay.sun.com -b o=isp -p 4389')
LDAPROUTE_DOMAIN(`atac.ebay.sun.com')
FEATURE(`ldap_routing')

I then build the cf file with:
make sendmail.cf
and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv alton@atac.ebay.sun.com
alton@atac.ebay.sun.com... User unknown

Hmmm.... I wonder why ...

I go to the ldap server access logs and find:
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(maillocaladdress=alton@atac.ebay.sun.com))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(maillocaladdress=alton@atac.ebay.sun.com))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(maillocaladdress=@atac.ebay.sun.com))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(maillocaladdress=@atac.ebay.sun.com))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed - U1

Okay. It looks like it's looking for maillocaladdress and mailRoutingAddress. I don't have either of those, so I think rather than changing it in the ldap server, I will make some changes in the sendmail.mc.

I change just
FEATURE(`ldap_routing')
to:
FEATURE(`ldap_routing',`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))')
So now instead of searching for maillocaladdress, I'm now searching for mail.

By doing that and rebuilding my sendmail.cf file, I now get:
/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv alton@atac.ebay.sun.com
alton@atac.ebay.sun.com... deliverable: mailer relay, host flash.atac.ebay.sun.com, user alton@atac.ebay.sun.com

Now this looks better. How's the ldap access log look?
[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)(maillocaladdress=alton@atac.ebay.sun.com))" attrs="mailRoutingAddress"
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetorgperson)(mail=alton@atac.ebay.sun.com))" attrs="mailHost"
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed - U1

Okay. Good enough.

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.