LDAP-Based Mail Routing Using Linux David Boyes Sine Nomine Associates Session L53.

LDAP-Based Mail RoutingUsing Linux

David BoyesSine Nomine Associates

Session L53

Presentation File Location

This presentation is not available on the IBM WWW site. It can be downloaded from:

http://www.sinenomine.net/downloads/

Agenda

Why Do LDAP-based Mail Routing? What Software is Needed What do the LDAP schemas look like? Example Implementation with sendmail

Why Do LDAP-Based Mail Routing

As organizations grow and change, user information and mailbox location often migrates between systems Chaotic behaviour Lost mail Lost productivity

Multiple mailbox systems Merger of authentication sources

Why?

LDAP becoming the basis for majority of enterprise directory servers Flexible implementation User-defined attributes Ubiquitous application client support

Trend toward “self-service” personal information management

Why?

LDAP based mail routing allows a central directory service to control the flow of mail delivery within an organization w/o hard-coded tables. Simple to implement Easy to change (if thought out)

OutsideWorld

MailRouter

Internal MailHost

Internal MailHost

Internal MailHost

Internal MailHost

SMTP

LDAPServer

LDA

PQ

uery

SMTP

Concept

Concept

Mail is delivered to user’s preferred location via SMTP

Preferred location is determined by LDAP lookup

Mail to non-existent users is rejected at mail router; aliases processed as special cases

Mail router also effective point to implement virus scans or spam detection w/o impacting individual mail host performance

What Software is Needed?

A LDAP-enabled mail transfer agent Sendmail 8.12.x or higher Postfix Exim Qmail (capable, but more difficult)

Berkeley NEWDB code db-3.2 or higher

What Software is Needed?

A LDAP server OpenLDAP Netscape Directory Server IBM Directory Server RACF LDAP Support

Note that user-defined fields are required to implement mail routing; some of the products listed above make this more difficult than others.

What Software is Needed?

A Linux or Unix system Debian SuSE Red Hat Other Generic Unix (Solaris, AIX, etc) USS (possible, but *very* difficult) – last

resort

Versions

Most Linux distributions are now shipping sendmail 8.12 as the default sendmail SuSE 8.x Red Hat Debian

Even if your distribution ships a LDAP-enabled sendmail RPM, you may need to compile from source to get all the options you want.

Places to Download

www.debian.org ftp.sendmail.org/pub/sendmail/sendmail8.

12.xx.tar.gz www.sleepycat.com/db/db-3.2.tar.gz

Building sendmail

Too complex to cover here; read README in the code package.

Configuration should include:

APPENDDEF(‘confMAPDEF’,’-DLDAPMAP’)APPENDDEF(‘confLIBS’,’-lldap’)

50,000 ft /etc/sendmail.cf Tutorial

Use the .mc macro files Create a local.mc file that includes the

architecture-specific and vendor specific .mc file (eg, SuSE-generic.mc)

Process local.mc with m4

m4 < local.mc > local.cf Move local.cf into place as /etc/sendmail.cf

Specific Config Options

FEATURE(‘ldap_routing’, <mailhost>, <mailRoutingAddress>,<bounce>,<detail>)

Enables LDAP routing code and defines a set of maps to be used for lookups

Looks for “mailRecipient” object class in LDAP entry to identify end user (if not present, entry is an alias)

Example FEATURE(‘ldap_routing’)

FEATURE(‘ldap_routing’, \‘ldap –l –v mailHost –k \(&(objectClass=MailRecipient)(mail=&0))’, \‘ldap –l –v mailRoutingAddress –k \(&(objectClass=MailRecipient)(mail=&0))’, \‘’, ‘’)dnl

Mailhost/mailRoutingAddressMailhost is mailRouting

Address isResult

Set to “local” host

Set Mail delivered to MRA

Set to “local” host

Not Set Delivered to original address

Set to remote host Set MRA relayed to mailhost

Set to remote host Not set Original address relayed to mailhost

Not set Set Mail delivered to MRA

Not set Not set Bounced

ALIAS_FILE

Defines location of alias file and lookups LDAP with traditional alias file as backup

Example:

define(‘ALIAS_FILE’, ‘ldap:-k \(&(objectClass=mailGroup)(!(objectClass=nisMap))\ (mail=&0)) –v mgrpRFC822MailMember,/etc/mail/aliases’)dnl

Aliases

LDAP entries w/o mailRecipient class in LDAP are considered aliases

Fallback to /etc/mail/aliases in case LDAP not available.

LDAPROUTE_DOMAIN

Primary o= value for domain to be handled by LDAP

LDAPROUTE_DOMAIN(‘foobar.com’)dnl

dnl LDAPROUTE_DOMAIN(‘/etc/mail/ldap-route’) dnl

Specifying LDAP Servers

define (‘confLDAP_DEFAULT_SPEC’, \‘-p 389 –h ‘ldap1 ldap2 ldap3’ \-b o=foobar.com’)dnl

Specify ldap search options note multiple server hosts in –h list -b indicates point in LDAP schema to begin search for

attributes

Example LDAP Entry

dn: uid=dboyes, ou=People, o=foobar.comobjectclass:topobjectclass:personobjectclass:organizationalPersonobjectclass:inetOrgPersonobjectclass:mailRecipientuid:dboyessn:Boyescn:David Boyesmail:[email protected]:[email protected]:mail.va.foobar.com

Example Alias Entry

dn: cn=alias, ou=aliases, ou=sendmail, ou=services, o=foobar.comobjectclass:topobjectclass:mailGroupcn:aliasmail:aliasmailhost:mail.va.foobar.commgrprfc822mailmember:[email protected]

An Example Implementation

dnl # example # dnldivert(0)dnlVERSIONID(‘$id, mailbox.mc, v 8.12.1 $’)OSTYPE(‘debian-linux’)dnlEXPOSED_USER(‘root’)dnlDOMAIN(‘generic’)dnlFEATURE(‘ldap_routing’, \‘ldap –l –v mailHost –k \(&(objectClass=MailRecipient)(mail=&0))’, \‘ldap –l –v mailRoutingAddress –k \(&(objectClass=MailRecipient)(mail=&0))’, \‘’, ‘’)dnldefine(‘ALIAS_FILE’, ‘ldap:-k \(&(objectClass=mailGroup)(!(objectClass=nisMap))\ (mail=&0)) –v mgrpRFC822MailMember,/etc/mail/aliases’)dnldefine(‘confLDAP_DEFAULT_SPEC’,’-p 389 –h “ldap1 ldap2 ldap3” –b o=foobar.com’)dnlLDAPROUTE_DOMAIN(‘foobar.com’)dnl

Questions

Contact Info

David BoyesSine Nomine Associates

[email protected]

www.sinenomine.net