Sendmail Routing with LDAP

Sendmail Routing with LDAP

One of the reasons you might want to do this is if you just acquired a new company and want mail to be routed through your same old sendmail relays as you had previously or if you’re running some kind of spam or virus scanner that requires sendmail or maybe you just want to have a relay in between your the Internet and your mail server for security purposes.

Note: In this case, this is for routing mail with sendmail and not accepting mail and putting mail into /var/mail on this machine. If you want the mail stored on this machine, you should be able to get on this machine with an ‘su – uid’ command. Otherwise, you will probably get the message, “User unknown”.

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has ldap capabilities

compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun

Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all

work. Patches are available for those that don’t.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search to find a user so that we know what we will need.

Here, I pull the user’s ldif data with this command:

/usr/sbin/ldapsearch -b ‘o=isp’ -p 4389 -h flash.atac.ebay.sun.com [email protected]

In this case, I’m looking for alton’s user entry and using the mail attribute.

Here are my results:

uid=alton, ou=people, o=atac.ebay.sun.com, o=isp

objectClass=top

objectClass=person

objectClass=organizationalPerson

objectClass=inetOrgPerson

objectClass=inetUser

objectClass=ipUser

objectClass=nsManagedPerson

objectClass=userPresenceProfile

objectClass=inetMailUser

objectClass=inetLocalMailRecipient

[email protected]

mailUserStatus=active

mailHost=flash.atac.ebay.sun.com

givenName=alton

cn=alton yu

uid=alton

nsdaCapability=mailListCreate

sn=yu

inetUserStatus=active

mailDeliveryOption=mailbox

preferredLanguage=en

nswmExtendedUserPrefs=meDraftFolder=Drafts

nswmExtendedUserPrefs=meSentFolder=Sent

nswmExtendedUserPrefs=meTrashFolder=Trash

nswmExtendedUserPrefs=meInitialized=true

pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

So now we know what kind of information to set up sendmail with, we will start tinkering with it.

In the sendmail.mc file, I add:

First, I go to /usr/lib/mail/cf

I make a backup of my old main.mc to create sendmail.mc

cp main.mc sendmail.mc

and then I open the file and add:

define(`confLDAP_DEFAULT_SPEC’,`-h flash.atac.ebay.sun.com -b o=isp -p 4389′)

LDAPROUTE_DOMAIN(`atac.ebay.sun.com’)

FEATURE(`ldap_routing’)

I then build the cf file with:

make sendmail.cf

and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… User unknown

Hmmm…. I wonder why …

I go to the ldap server access logs and find:

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base=”” scope=0 filter=”(objectClass=*)” attrs=ALL

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND

[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed – U1

Okay. It looks like it’s looking for maillocaladdress and mailRoutingAddress. I don’t have either of those, so I think rather than changing it in the ldap server, I will make some changes in the sendmail.mc.

I change just

FEATURE(`ldap_routing’)

to:

FEATURE(`ldap_routing’,`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))’)

So now instead of searching for maillocaladdress, I’m now searching for mail.

By doing that and rebuilding my sendmail.cf file, I now get:

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… deliverable: mailer relay, host flash.atac.ebay.sun.com, user [email protected]

Now this looks better. How’s the ldap access log look?

[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn=”” method=128 version=2

[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=””

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetLocalMailRecipient)([email protected]))” attrs=”mailRoutingAddress”

[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base=”o=isp” scope=2 filter=”(&(objectClass=inetorgperson)([email protected]))” attrs=”mailHost”

[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND

[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed – U1

Okay. Good enough.

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.

3 thoughts on “Sendmail Routing with LDAP

  1. Hi.
    I found your article and have gotten this to work so far (still in test lab).
    I have two questions:
    1 – Can it be configured to drop without sending an NDR?
    (The problem is invalid addresses hardcoded into sales applications and the developers wont go back and remove them which gernerates an ENORMOUS amount of traffic between bounce backs)

    2 – Is there a way to have it automatically resolve the DN of the Exchange server correctly without populating mailertable with all of them?
    (We have many and normally I just point Sendmail to a Front End\Bridgehead server and let Exchange do the rest.

    Thanks!
    Rich

  2. I’m not really a mail admin anymore, so I can’t/haven’t tested answers to these questions. We’ve since migrated to Postfix and are just grabbing a full list of the ldap every 5 minutes – sort of a directory sync so that it doesn’t do an ldap call each time it receives an email.

    to answer #1, I would maybe write a filter (using milter) to just remove all mails from postmaster. Alternatively, maybe just doing a grep for postmaster from the /var/spool/mqueue directory and just removing those files.

    2) Just use the Bridgehead server. If you have a load balancer, use it. You don’t need all Exchange servers in the list.

  3. One more quick question:

    Were you able to get this to work with AD Groups?

    Currently it only queries users and I do not see anywhere in the code where it is limiting by objectclass.

    Thanks,
    Rich

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.