Results 1 to 5 of 5

Thread: zimbraHideInGAL, Edge MTA, and LDAP

  1. #1
    Join Date
    Mar 2007
    Rep Power

    Default zimbraHideInGAL, Edge MTA, and LDAP

    My site is using an edge MTA to relay mail between Zimbra and the internet. We've configured the edge MTA to do an LDAP lookup on Zimbra to verify incoming email addresses. However, distribution lists marked as "Hide In GAL" (zimbraHideInGAL TRUE) do not appear in the LDAP query results, and consequently get bounced as 'Unknown user' by the edge MTA. This is bad.

    What is the correct way to query Zimbra's LDAP directory if we want to include hidden distribution lists in the results?

    Here's anonymous LDAP query we're currently using from the edge MTA:

    ldapsearch -LLL -D "" -h -b ou=people,dc=greatschools,dc=net -x '(objectClass=zimbraMailRecipient)' zimbraMailHost zimbraMailDeliveryAddress mail

    Thanks for suggestions,

  2. #2
    Join Date
    Mar 2007
    Rep Power

    Default use the LDAP query from postfix

    Anyone know how Zimbra's postfix queries LDAP when looking up valid email addresses? This would probably be the same query I need to run from the edge MTA.

    Any pointers?

  3. #3
    Join Date
    Mar 2007
    Rep Power

    Default partial ldap + sendmail solution

    In case this helps others, here's what I ended up doing. Disclaimer: Sendmail LDAP configuration is notoriously tricky and loosely documented. Please comment if you know a better way (ahem, adding Sendmail LDAP alias maps would make the partial solution complete).

    We run Zimbra behind a Sendmail edge MTA. Sendmail is the mail exchanger and relays all mail to/from the internet.

    To configure Sendmail on the edge MTA to verify email addresses against Zimbra's LDAP directory.

    I solved this using Sendmail's "LDAP Routing" feature with custom LDAP map definitions. See below for why this is only a partial solution.

    Add the following lines to Sendmail's

    define(`confLDAP_DEFAULT_SPEC', ` -w 3 -h -b ou=people,dc=example,dc=com')dnl
    dnl ---> There's LDAP trickery here in the -v return value...  Users have the zimbraMailHost attribute,
    dnl ---> while distribution lists and aliases have the zimbraMailAlias attribute.
    FEATURE(`ldap_routing',`ldap -1 -T<TMPF> -v zimbraMailHost -k (|(zimbraMailAlias=%0)(mail=%0))',`ldap -1 -T<TMPF> -v zimbraMailAlias -k (|(zimbraMailAlias=%0)(mail=%0))',`bounce',`preserve',`tempfail')dnl
    I've discovered one scenario in which this solution fails. Multiple aliases for a given Zimbra account will not be visible to sendmail using the above configuration and will generate a "User unknown" response from Sendmail. For example, if a Zimbra account "" exists and has two or more mail aliases, say "" and "", external email to either jd or johnny will be rejected by the Sendmail edge MTA as "user unknown". Mail to JohnDoe will be accepted as normal.

    On the other hand, if user "" has only one mail alias, say "", external mail to the alias will be accepted correctly.

    Sendmail expects the ldap query to return only one value for a given attribute. When a user has multiple aliases, the LDAP attribute zimbraMailAlias has multiple values, causing the sendmail ldap map to return "false". This behavior is supposed to be controlled by the "-1" flag to ldap (shown above as "ldap -1 -T..."). However, removing the -1 flag did not fix this problem in my tests.

    Use distribution lists instead of mail aliases in Zimbra.

    I'm not sure.... maybe configure Sendmail LDAP aliases?

  4. #4
    Join Date
    Sep 2008
    Rep Power


    As a bit of a follow-up to this in case anyone is interested :-)

    I have got this working with the latest build of FRANKLIN (as of last week) and Sendmail 8.14.3 and I haven't experienced the multiple aliases problem so I assume something has now been fixed in Sendmail???

    One problem I did experience, I have quite a few domains and have created an LDAPROUTE_DOMAIN_FILE with all of them in but of course the base DN is different for each domain so any queries for anything other than my primary domain fail (unless they are accounts in the primary domain who also have an alias within the secondary).

    I have it working at the moment by not setting a base DN and letting it search the ENTIRE LDAP database, I have two quite busy backup-mx's and my zimbra server is quite busy as well so I was a bit concerned about extra load on the slapd process but it seems OK, can anybody think of a way that I can set a different base DN for each domain?

    Also I have noticed that Distribution Lists don't appear to have a zimbraMailHost object, this doesn't appear to cause sendmail a problem as the address lookup works but I just wondered why???



  5. #5
    Join Date
    Sep 2005
    Rep Power


    Not using Sendmail, and a somewhat different application, but still the same basic question: how to remotely confirm the existence of an account that has zimbraHideInGal=TRUE? How does the Sendmail config get around that issue?

Similar Threads

  1. LDAP Replication Experiences
    By technikolor in forum Administrators
    Replies: 4
    Last Post: 11-11-2008, 11:52 PM
  2. 3 testing: LDAP: 389 Failed when restore zimbra
    By victorLeong in forum Administrators
    Replies: 15
    Last Post: 05-24-2007, 06:45 AM
  3. Replies: 3
    Last Post: 05-04-2007, 03:22 PM
  4. Replies: 4
    Last Post: 11-15-2006, 11:16 AM
  5. Replies: 2
    Last Post: 05-24-2006, 10:01 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts