LDAP-Based Mail Routing Using Linux
David Boyes, Sine Nomine Associates
Session L53
TRANSCRIPT
Presentation File Location
This presentation is not available on the IBM WWW site. It can be downloaded from:
http://www.sinenomine.net/downloads/
Agenda
Why Do LDAP-based Mail Routing?
What Software is Needed?
What do the LDAP schemas look like?
Example Implementation with sendmail
Why Do LDAP-Based Mail Routing
As organizations grow and change, user information and mailbox location often migrate between systems
Chaotic behaviour
Lost mail
Lost productivity
Multiple mailbox systems
Merger of authentication sources
Why?
LDAP is becoming the basis for the majority of enterprise directory servers
Flexible implementation
User-defined attributes
Ubiquitous application client support
Trend toward “self-service” personal information management
Why?
LDAP-based mail routing allows a central directory service to control the flow of mail delivery within an organization without hard-coded tables.
Simple to implement
Easy to change (if thought out)
[Diagram: the Outside World sends mail by SMTP to the Mail Router; the Mail Router issues an LDAP query to the LDAP Server and relays the mail by SMTP to one of several Internal Mail Hosts]
Concept
Mail is delivered to user’s preferred location via SMTP
Preferred location is determined by LDAP lookup
Mail to non-existent users is rejected at mail router; aliases processed as special cases
The mail router is also an effective point at which to implement virus scanning or spam detection without impacting the performance of the individual mail hosts
What Software is Needed?
An LDAP-enabled mail transfer agent
Sendmail 8.12.x or higher
Postfix
Exim
Qmail (capable, but more difficult)
Berkeley NEWDB code, db-3.2 or higher
What Software is Needed?
An LDAP server
OpenLDAP
Netscape Directory Server
IBM Directory Server
RACF LDAP Support
Note that user-defined fields are required to implement mail routing; some of the products listed above make this more difficult than others.
What Software is Needed?
A Linux or Unix system
Debian
SuSE
Red Hat
Other Generic Unix (Solaris, AIX, etc.)
USS (possible, but *very* difficult) – last resort
Versions
Most Linux distributions are now shipping sendmail 8.12 as the default sendmail
SuSE 8.x
Red Hat
Debian
Even if your distribution ships an LDAP-enabled sendmail RPM, you may need to compile from source to get all the options you want.
Places to Download
www.debian.org
ftp.sendmail.org/pub/sendmail/sendmail8.12.xx.tar.gz
www.sleepycat.com/db/db-3.2.tar.gz
Building sendmail
Too complex to cover here; read README in the code package.
The build configuration (devtools/Site/site.config.m4) should include:
APPENDDEF(`confMAPDEF', `-DLDAPMAP')
APPENDDEF(`confLIBS', `-lldap')
50,000 ft /etc/sendmail.cf Tutorial
Use the .mc macro files.
Create a local.mc file that includes the architecture-specific and vendor-specific .mc file (e.g., SuSE-generic.mc).
Process local.mc with m4:
m4 < local.mc > local.cf
Move local.cf into place as /etc/sendmail.cf.
Specific Config Options
FEATURE(`ldap_routing', <mailHost>, <mailRoutingAddress>, <bounce>, <detail>)
Enables LDAP routing code and defines a set of maps to be used for lookups
Looks for the “mailRecipient” object class in the LDAP entry to identify an end user (if the class is not present, the entry is treated as an alias)
Example FEATURE(`ldap_routing')
dnl -1 returns only the first match; %0 is replaced by the address being looked up
FEATURE(`ldap_routing',
  `ldap -1 -v mailHost -k (&(objectClass=MailRecipient)(mail=%0))',
  `ldap -1 -v mailRoutingAddress -k (&(objectClass=MailRecipient)(mail=%0))',
  `', `')dnl
Mailhost / mailRoutingAddress
mailHost is            mailRoutingAddress (MRA) is   Result
Set to “local” host    Set                           Mail delivered to MRA
Set to “local” host    Not set                       Delivered to original address
Set to remote host     Set                           MRA relayed to mailhost
Set to remote host     Not set                       Original address relayed to mailhost
Not set                Set                           Mail delivered to MRA
Not set                Not set                       Bounced
ALIAS_FILE
Defines the location of the alias file; aliases are looked up in LDAP, with the traditional alias file as a backup
Example:
define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(!(objectClass=nisMap))(mail=%0)) -v mgrpRFC822MailMember,/etc/mail/aliases')dnl
Aliases
LDAP entries without the mailRecipient class are considered aliases
Fall back to /etc/mail/aliases in case LDAP is not available.
LDAPROUTE_DOMAIN
Primary o= value for the domain to be handled by LDAP
LDAPROUTE_DOMAIN(`foobar.com')dnl
dnl LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap-route')dnl
Specifying LDAP Servers
define(`confLDAP_DEFAULT_SPEC', `-p 389 -h "ldap1 ldap2 ldap3" -b o=foobar.com')dnl
Specifies the LDAP search options:
note the multiple server hosts in the -h list
-b indicates the base DN in the LDAP tree at which the search for attributes begins
Example LDAP Entry
dn: uid=dboyes, ou=People, o=foobar.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
uid: dboyes
sn: Boyes
cn: David Boyes
mail: [email protected]
mailRoutingAddress: [email protected]
mailhost: mail.va.foobar.com
Example Alias Entry
dn: cn=alias, ou=aliases, ou=sendmail, ou=services, o=foobar.com
objectclass: top
objectclass: mailGroup
cn: alias
mail: alias
mailhost: mail.va.foobar.com
mgrprfc822mailmember: [email protected]
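The mailHost / mailRoutingAddress result table, the two lookups defined by FEATURE(`ldap_routing'), the ALIAS_FILE map and the example entries above, worked through in code. This Python is an added example, not code from the presentation or from sendmail: it parses a constructed LDIF sample modelled on the example user and alias entries (placeholder addresses in the slides' foobar.com domain, plus two extra constructed entries that exercise the remote-host and mailHost-not-set rows of the table), emulates the `ldap -1 -v <attr> -k (&(objectClass=...)(mail=%0))` lookups and the mailGroup alias lookup over that data, and applies the result table. It assumes the router's own name is mail.va.foobar.com.

```python
"""Emulation of the slides' LDAP routing decision (added example, not from
the presentation or sendmail).  Parses constructed LDIF, emulates the
FEATURE(`ldap_routing') and ALIAS_FILE map lookups, applies the result table."""

LOCAL_HOST = "mail.va.foobar.com"  # assumption: this router's own host name

# Constructed LDIF modelled on the slides' example entries; all addresses are
# placeholders in the example domain foobar.com.
SAMPLE_LDIF = """\
dn: uid=dboyes, ou=People, o=foobar.com
objectclass: top
objectclass: inetOrgPerson
objectclass: mailRecipient
uid: dboyes
sn: Boyes
cn: David Boyes
mail: dboyes@foobar.com
mailRoutingAddress: dboyes@mail.va.foobar.com
mailhost: mail.va.foobar.com

dn: uid=remote, ou=People, o=foobar.com
objectclass: mailRecipient
mail: remote@foobar.com
mailhost: mail.ny.foobar.com

dn: uid=forward, ou=People, o=foobar.com
objectclass: mailRecipient
mail: forward@foobar.com
mailRoutingAddress: forward@mail.ny.foobar.com

dn: cn=alias, ou=aliases, ou=sendmail, ou=services, o=foobar.com
objectclass: top
objectclass: mailGroup
cn: alias
mail: alias@foobar.com
mailhost: mail.va.foobar.com
mgrprfc822mailmember: dboyes@foobar.com
mgrprfc822mailmember: remote@foobar.com
"""


def parse_ldif(text):
    """Parse minimal LDIF: blank-line separated entries of 'attr: value'.
    LDAP attribute names are case-insensitive, so they are lower-cased; every
    attribute maps to a list because objectclass and mgrprfc822mailmember
    are multi-valued."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _matches(entry, object_class, key):
    """Emulate the filter (&(objectClass=<class>)(mail=<key>)); objectClass
    values and mail addresses both compare case-insensitively."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    mails = [m.lower() for m in entry.get("mail", [])]
    return object_class.lower() in classes and key.lower() in mails


def ldap_lookup(entries, object_class, key, attr):
    """Emulate 'ldap -1 -v <attr> -k (&(objectClass=<class>)(mail=%0))':
    the attribute's first value from the first matching entry, else None."""
    for entry in entries:
        if _matches(entry, object_class, key):
            values = entry.get(attr.lower(), [])
            return values[0] if values else None
    return None


def alias_members(entries, key):
    """Emulate the ALIAS_FILE map: mgrpRFC822MailMember values of a mailGroup
    entry (that is not also a nisMap) whose mail attribute equals key."""
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "nismap" not in classes and _matches(entry, "mailGroup", key):
            return list(entry.get("mgrprfc822mailmember", []))
    return []


def route(entries, recipient, local_host=LOCAL_HOST):
    """Apply the slides' result table.  Returns (action, address, host):
    deliver - handed to normal delivery on this router
    relay   - relayed to the named mailHost
    expand  - alias; address holds the member list
    bounce  - neither mailRecipient nor alias: rejected at the router"""
    mailhost = ldap_lookup(entries, "mailRecipient", recipient, "mailhost")
    mra = ldap_lookup(entries, "mailRecipient", recipient, "mailRoutingAddress")
    if mailhost is None and mra is None:
        members = alias_members(entries, recipient)
        return ("expand", members, None) if members else ("bounce", recipient, None)
    address = mra if mra else recipient          # MRA wins whenever it is set
    if mailhost is None or mailhost.lower() == local_host.lower():
        return ("deliver", address, local_host)  # "local" host / not-set rows
    return ("relay", address, mailhost)          # remote host rows


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for rcpt in ("dboyes@foobar.com", "remote@foobar.com", "forward@foobar.com",
                 "alias@foobar.com", "nobody@foobar.com"):
        print(rcpt, "->", route(directory, rcpt))
```

A recipient that matches neither a mailRecipient nor a mailGroup entry comes back as bounce, which is the "rejected at the mail router" behaviour from the Concept slide. The emulation has no equivalent of the /etc/mail/aliases fallback that the ALIAS_FILE define on the slides provides when the directory is unreachable.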
An Example Implementation
dnl # example #
divert(0)dnl
VERSIONID(`$Id: mailbox.mc,v 8.12.1 $')
OSTYPE(`debian-linux')dnl
EXPOSED_USER(`root')dnl
DOMAIN(`generic')dnl
FEATURE(`ldap_routing',
  `ldap -1 -v mailHost -k (&(objectClass=MailRecipient)(mail=%0))',
  `ldap -1 -v mailRoutingAddress -k (&(objectClass=MailRecipient)(mail=%0))',
  `', `')dnl
define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(!(objectClass=nisMap))(mail=%0)) -v mgrpRFC822MailMember,/etc/mail/aliases')dnl
define(`confLDAP_DEFAULT_SPEC', `-p 389 -h "ldap1 ldap2 ldap3" -b o=foobar.com')dnl
LDAPROUTE_DOMAIN(`foobar.com')dnl
dnl Mailer definitions are not on the slide but are required for a usable sendmail.cf
MAILER(`local')dnl
MAILER(`smtp')dnl
Contact Info
David Boyes, Sine Nomine Associates
www.sinenomine.net