LDAP-Based Mail Routing Using Linux
David Boyes, Sine Nomine Associates
Session L53

Presentation File Location
This presentation is not available on the IBM WWW site. It can be downloaded from: http://www.sinenomine.net/downloads/
Agenda
• Why Do LDAP-based Mail Routing?
• What Software is Needed
• What do the LDAP schemas look like?
• Example Implementation with sendmail

Why Do LDAP-Based Mail Routing?
• As organizations grow and change, user information and mailbox location often migrate between systems:
  • Chaotic behaviour
  • Lost mail
  • Lost productivity
  • Multiple mailbox systems
  • Merger of authentication sources

Why?
• LDAP is becoming the basis for the majority of enterprise directory servers
• Flexible implementation
• User-defined attributes
• Ubiquitous application client support
• Trend toward "self-service" personal information management

Why?
• LDAP-based mail routing allows a central directory service to control the flow of mail delivery within an organization without hard-coded tables.
• Simple to implement
• Easy to change (if thought out)

Concept
• Mail is delivered to the user's preferred location via SMTP
• The preferred location is determined by an LDAP lookup
• Mail to non-existent users is rejected at the mail router; aliases are processed as special cases
• The mail router is also an effective point to implement virus scanning or spam detection without impacting individual mail host performance
What Software is Needed?
• An LDAP-enabled mail transfer agent
  • Sendmail 8.12.x or higher
  • Postfix
  • Exim
  • Qmail (capable, but more difficult)
• Berkeley NEWDB code
  • db-3.2 or higher

What Software is Needed?
• An LDAP server
  • OpenLDAP
  • Netscape Directory Server
  • IBM Directory Server
  • RACF LDAP Support
Note that user-defined fields are required to implement mail routing; some of the products listed above make this more difficult than others.

What Software is Needed?
• A Linux or Unix system
  • Debian
  • SuSE
  • Red Hat
  • Other generic Unix (Solaris, AIX, etc.)
  • USS (possible, but *very* difficult) – last resort

Versions
• Most Linux distributions are now shipping sendmail 8.12 as the default sendmail
  • SuSE 8.x
  • Red Hat
  • Debian
Even if your distribution ships an LDAP-enabled sendmail RPM, you may need to compile from source to get all the options you want.

Places to Download
• www.debian.org
• ftp.sendmail.org/pub/sendmail/sendmail8.12.xx.tar.gz
• www.sleepycat.com/db/db-3.2.tar.gz
Building sendmail
• Too complex to cover here; read the README in the code package.
• The build configuration should include (m4 quoting is a backtick followed by an apostrophe):
  APPENDDEF(`confMAPDEF', `-DLDAPMAP')
  APPENDDEF(`confLIBS', `-lldap')

50,000 ft /etc/sendmail.cf Tutorial
• Use the .mc macro files
• Create a local.mc file that includes the architecture-specific and vendor-specific .mc file (e.g. SuSE-generic.mc)
• Process local.mc with m4:
  m4 < local.mc > local.cf
• Move local.cf into place as /etc/sendmail.cf

Specific Config Options
FEATURE(`ldap_routing', <mailHost map>, <mailRoutingAddress map>, <bounce>, <detail>)
• Enables the LDAP routing code and defines a set of maps to be used for lookups
• Looks for the "mailRecipient" object class in the LDAP entry to identify an end user (if not present, the entry is an alias)
Example FEATURE(`ldap_routing')
(The first map returns mailHost, the second mailRoutingAddress; -1 returns only the first match and %0 is replaced by the recipient address being looked up.)
FEATURE(`ldap_routing',
  `ldap -1 -v mailHost -k (&(objectClass=MailRecipient)(mail=%0))',
  `ldap -1 -v mailRoutingAddress -k (&(objectClass=MailRecipient)(mail=%0))',
  `', `')dnl

ALIAS_FILE
• Defines the location of the alias file and lookups
• LDAP with the traditional alias file as backup
Example (the LDAP map is tried first, then /etc/mail/aliases):
define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(!(objectClass=nisMap))(mail=%0)) -v mgrpRFC822MailMember,/etc/mail/aliases')dnl

Aliases
• LDAP entries without the mailRecipient class are considered aliases
• Fallback to /etc/mail/aliases in case LDAP is not available

LDAPROUTE_DOMAIN
• Primary o= value for the domain to be handled by LDAP
LDAPROUTE_DOMAIN(`foobar.com')dnl
dnl LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap-route')dnl
(The second line is commented out with dnl; LDAPROUTE_DOMAIN_FILE reads the list of routed domains from a file instead.)

Specifying LDAP Servers
define(`confLDAP_DEFAULT_SPEC', `-p 389 -h "ldap1 ldap2 ldap3" -b o=foobar.com')dnl
• Specifies the default LDAP search options
• Note the multiple server hosts in the -h list
• -b gives the search base, the point in the LDAP tree at which the search for the attributes begins
Example LDAP Entry
dn: uid=dboyes, ou=People, o=foobar.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
uid: dboyes
sn: Boyes
cn: David Boyes
mail: dboyes@foobar.com
mailroutingaddress: dboyes@mail.va.foobar.com
mailhost: mail.va.foobar.com

Example Alias Entry
dn: cn=alias, ou=aliases, ou=sendmail, ou=services, o=foobar.com
objectclass: top
objectclass: mailGroup
cn: alias
mail: alias
mailhost: mail.va.foobar.com
mgrprfc822mailmember: alias@mail.va.foobar.com
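The routing decision described on the Concept slide, applied to the two example entries above, as an added illustration (not code from the presentation): an in-memory directory built from the slide entries replaces the LDAP server, and route() makes the same decision the sendmail maps would (person -> preferred mailbox, mailGroup -> alias expansion, unknown user in an LDAP-routed domain -> reject). search_filter() shows the filter the map sends, with the recipient-supplied key escaped per RFC 4515 so it cannot alter the filter structure.

```python
import re

# Constructed in-memory directory: the two slide entries, trimmed to the routing attributes.
SAMPLE_LDIF = """\
dn: uid=dboyes, ou=People, o=foobar.com
objectclass: mailRecipient
mail: dboyes@foobar.com
mailroutingaddress: dboyes@mail.va.foobar.com
mailhost: mail.va.foobar.com

dn: cn=alias, ou=aliases, ou=sendmail, ou=services, o=foobar.com
objectclass: mailGroup
mail: alias
mgrprfc822mailmember: alias@mail.va.foobar.com
"""
LDAPROUTE_DOMAINS = {"foobar.com"}  # LDAPROUTE_DOMAIN(`foobar.com')

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, attribute names lowercased."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for name, _, value in (line.partition(":") for line in block.splitlines()):
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def ldap_escape(value):
    """RFC 4515 escaping for the recipient-supplied key that replaces %0 in the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def search_filter(objectclass, key):
    """The filter the sendmail map sends; escaping keeps a crafted address inside (mail=...)."""
    return f"(&(objectClass={objectclass})(mail={ldap_escape(key)}))"

def find(entries, objectclass, key):
    """The entry search_filter(objectclass, key) would match (LDAP matching is case-insensitive)."""
    has = lambda e, attr, v: v.lower() in (x.lower() for x in e.get(attr, []))
    return next((e for e in entries if has(e, "objectclass", objectclass) and has(e, "mail", key)), None)

def route(address, entries):
    """Decision for one recipient, following the Concept slide."""
    local, _, domain = address.rpartition("@")
    if domain.lower() not in LDAPROUTE_DOMAINS:
        return "relay", address                        # domain is not LDAP-routed at all
    if person := find(entries, "mailRecipient", address):   # FEATURE(`ldap_routing') lookups
        return "deliver", f"{person['mailroutingaddress'][0]} via {person['mailhost'][0]}"
    if group := find(entries, "mailGroup", local):          # ALIAS_FILE ldap: map, keyed by local part
        return "alias", ",".join(group["mgrprfc822mailmember"])
    return "reject", address                           # unknown user: bounced at the router
```

Running route() over dboyes@foobar.com, alias@foobar.com and nobody@foobar.com yields deliver, alias and reject respectively; a recipient outside foobar.com is left to normal relaying.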
An Example Implementation
divert(-1)dnl
# example
divert(0)dnl
VERSIONID(`$id, mailbox.mc, v 8.12.1 $')
OSTYPE(`debian-linux')dnl
EXPOSED_USER(`root')dnl
DOMAIN(`generic')dnl
dnl # LDAP routing maps: first returns mailHost, second mailRoutingAddress
FEATURE(`ldap_routing',
  `ldap -1 -v mailHost -k (&(objectClass=MailRecipient)(mail=%0))',
  `ldap -1 -v mailRoutingAddress -k (&(objectClass=MailRecipient)(mail=%0))',
  `', `')dnl
dnl # aliases: LDAP mailGroup entries first, /etc/mail/aliases as fallback
define(`ALIAS_FILE', `ldap:-k (&(objectClass=mailGroup)(!(objectClass=nisMap))(mail=%0)) -v mgrpRFC822MailMember,/etc/mail/aliases')dnl
dnl # default LDAP servers and search base
define(`confLDAP_DEFAULT_SPEC', `-p 389 -h "ldap1 ldap2 ldap3" -b o=foobar.com')dnl
LDAPROUTE_DOMAIN(`foobar.com')dnl
dnl # delivery agents (not shown on the slide, but required for a working sendmail.cf)
MAILER(`local')dnl
MAILER(`smtp')dnl

Contact Info
David Boyes
Sine Nomine Associates
dboyes@sinenomine.net
www.sinenomine.net