LDAP_ROUTE feature with access db
on 08.11.2007 20:59:13 by Jim McCullars
Greetings:
We make extensive use of the LDAP_ROUTE feature of sendmail to allow our
users to have firstname.lastname@uah.edu email addresses when their username
on our email server (Solaris) can have only eight-character usernames. This
has worked well for us but I have noticed one thing not working as I expected
and wondered if this was a bug or just the way it works.
When someone leaves, we will disable their email account and prevent them
from receiving new messages by putting something like this in the access file:
To:vanilla1@ REJECT
before actually deleting their account. But what I found is that if mail is
routed to that host and the address has an LDAP_ROUTE domain and the lookup
resolves to that address, it will deliver anyway. In other words:
/usr/lib/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map ldapmra vanilla.test@uah.edu
map_lookup: ldapmra (vanilla.test@uah.edu) returns vanilla1@email.uah.edu (0)
If I connect to email.uah.edu and try to deliver to recipient
vanilla1@email.uah.edu, it returns an error. But if I send to
vanilla.test@uah.edu, it will deliver the mail to the vanilla1 inbox, even
though I reject that address in the access file. Is that the way it should
be working? Thanks...
Jim McCullars
University of Alabama in Huntsville
Re: LDAP_ROUTE feature with access db
on 09.11.2007 16:10:05 by pwadas
On 8 Nov, 19:59, Jim McCullars wrote:
> Greetings:
>
> We make extensive use of the LDAP_ROUTE feature of sendmail to allow our
> users to have firstname.lastn...@uah.edu email addresses when their username
> on our email server (Solaris) can have only eight-character usernames. This
> has worked well for us but I have noticed one thing not working as I expected
> and wondered if this was a bug or just the way it works.
>
> When someone leaves, we will disable their email account and prevent them
> from receiving new messages by putting something like this in the access file:
>
> To:vanilla1@ REJECT
>
> before actually deleting their account. But what I found is that if mail is
> routed to that host and the address has an LDAP_ROUTE domain and the lookup
> resolves to that address, it will deliver anyway. In other words:
>
> /usr/lib/sendmail -bt
> ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
> Enter <ruleset> <address>
> > /map ldapmra vanilla.t...@uah.edu
>
> map_lookup: ldapmra (vanilla.t...@uah.edu) returns vanil...@email.uah.edu (0)
>
> If I connect to email.uah.edu and try to deliver to recipient
> vanil...@email.uah.edu, it returns an error. But if I send to
> vanilla.t...@uah.edu, it will deliver the mail to the vanilla1 inbox, even
> though I reject that address in the access file. Is that the way it should
> be working? Thanks...
>
> Jim McCullars
> University of Alabama in Huntsville
I use a customized LDAP_ROUTE and/or virtuser lookup, e.g. with
-k '(&(customAttributeUserIsActive=TRUE)(sendmailMTAKey=%0))'
So when a user leaves, I change the above to "FALSE", and since the
LDAP query returns no objects, User Unknown is returned and the
email is rejected at the first hop of the mail routing trace.
Note that you can store the access db in LDAP too, like this:
FEATURE(`access_db',`ldap: -T -o -h 127.0.0.1 -w3 -p389
-b `dc=access,dc=maps,dc=foo'
-Msimple -P `/etc/sendmail-ldap-secret'
-d `cn=someSendmailLookupOnlyUser,dc=foo'
-k `(&(isActive=TRUE)(objectClass=sendmailMTAMapObject)
(sendmailMTAMapName=access)(sendmailMTAKey=%0))'
-v `sendmailMTAMapValue'')dnl
http://www.sendmail.org/m4/ldap.html
Regards,
Piotr
Re: LDAP_ROUTE feature with access db
on 10.11.2007 12:31:50 by Andrzej Filip
Jim McCullars writes:
> Greetings:
>
> We make extensive use of the LDAP_ROUTE feature of sendmail to
> allow our users to have firstname.lastname@uah.edu email addresses
> when their username on our email server (Solaris) can have only
> eight-character usernames. This has worked well for us but I have
> noticed one thing not working as I expected and wondered if this
> was a bug or just the way it works.
>
> When someone leaves, we will disable their email account and
> prevent them from receiving new messages by putting something like
> this in the access file:
>
> To:vanilla1@ REJECT
>
> before actually deleting their account. But what I found is that if
> mail is routed to that host and the address has an LDAP_ROUTE domain
> and the lookup resolves to that address, it will deliver anyway. [...]
Have you considered using
* aliases to mark invalid addresses
* virtusertable to specify a custom error message
aliases file:
vanilla1: no-longer-valid@localhost.localdomain
virtusertable:
no-longer-valid@localhost.localdomain error:nouser No longer valid email
In short: AFAIK, access checks the email address presented in the "RCPT TO:"
command of the SMTP session.
--
[pl>en: Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
Open-Sendmail: http://open-sendmail.sourceforge.net/
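An added example, written for this page and not taken from the thread or from sendmail's own cf/ files, that puts the two replies side by side as a sendmail.mc fragment: the access-db entry from the first post, which never fires for the firstname.lastname form because check_rcpt sees the address as the SMTP client presented it, and the LDAP-side off switch Piotr describes, expressed with sendmail's documented ldap_routing map arguments. The LDAP host, base DN and the attribute name accountActive are assumptions; substitute the real directory schema.

```m4
dnl Added example (not from the thread). Hypothetical LDAP host, base DN and
dnl attribute name `accountActive'; adapt these to the real directory schema.
define(`confLDAP_DEFAULT_SPEC', `-h ldap.uah.edu -b dc=uah,dc=edu')dnl

dnl The access db is consulted by check_rcpt on the envelope recipient exactly
dnl as the client sent it.  `To:vanilla1@ REJECT' therefore matches only
dnl RCPT TO:<vanilla1@email.uah.edu>; it never matches
dnl RCPT TO:<vanilla.test@uah.edu>, because the ldap_routing rewrite to
dnl vanilla1@email.uah.edu happens after that check, on a different address.
FEATURE(`access_db')dnl

dnl Recipients in this domain are resolved through LDAP, as in the thread.
LDAPROUTE_DOMAIN(`uah.edu')dnl

dnl Weak form: sendmail's default routing maps.  Any entry whose
dnl mailLocalAddress matches is routed and delivered, active or not.
dnl FEATURE(`ldap_routing')dnl

dnl Hardened form: both routing maps additionally require accountActive=TRUE,
dnl and the third argument `bounce' tells sendmail to reject (User unknown)
dnl any uah.edu recipient for which neither map returns a value.  Setting
dnl accountActive to FALSE on the user's entry therefore rejects
dnl vanilla.test@uah.edu and every other alias that resolves through that
dnl entry, with no per-mailbox access-db line to forget.
FEATURE(`ldap_routing',
  `ldap -1 -T<TMPF> -v mailHost -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0)(accountActive=TRUE))',
  `ldap -1 -T<TMPF> -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0)(accountActive=TRUE))',
  `bounce')dnl
```

To see what the access db actually sees, test the check_rcpt ruleset in `sendmail -bt` with the address in the form a client would send it (`check_rcpt vanilla.test@uah.edu`), not the routed mailbox name, and compare the result before and after flipping the attribute. Keeping the access-db REJECT for the short-name form does no harm, but the directory attribute is the authoritative off switch, because every alias form funnels through the same LDAP entry.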