
Thread: zimbraHideInGAL, Edge MTA, and LDAP

  1. #1
    zimbraHideInGAL, Edge MTA, and LDAP

    My site is using an edge MTA to relay mail between Zimbra and the internet. We've configured the edge MTA to do an LDAP lookup on Zimbra to verify incoming email addresses. However, distribution lists marked as "Hide In GAL" (zimbraHideInGAL TRUE) do not appear in the LDAP query results, and consequently get bounced as 'Unknown user' by the edge MTA. This is bad.

    What is the correct way to query Zimbra's LDAP directory if we want to include hidden distribution lists in the results?

    Here's the anonymous LDAP query we're currently using from the edge MTA:

    ldapsearch -LLL -D "" -h zimbra.greatschools.net -b ou=people,dc=greatschools,dc=net -x '(objectClass=zimbraMailRecipient)' zimbraMailHost zimbraMailDeliveryAddress mail

    Thanks for suggestions,
    Dane

  2. #2
    use the LDAP query from postfix

    Anyone know how Zimbra's postfix queries LDAP when looking up valid email addresses? This would probably be the same query I need to run from the edge MTA.

    Any pointers?

  3. #3
    partial ldap + sendmail solution

    In case this helps others, here's what I ended up doing. Disclaimer: Sendmail LDAP configuration is notoriously tricky and loosely documented. Please comment if you know a better way (ahem, adding Sendmail LDAP alias maps would make the partial solution complete).

    SITUATION
    We run Zimbra behind a Sendmail edge MTA. Sendmail is the mail exchanger and relays all mail to/from the internet.

    GOAL
    To configure Sendmail on the edge MTA to verify email addresses against Zimbra's LDAP directory.

    (PARTIAL) SOLUTION
    I solved this using Sendmail's "LDAP Routing" feature with custom LDAP map definitions. See below for why this is only a partial solution.

    Add the following lines to Sendmail's sendmail.mc:

    Code:
    dnl LDAP ROUTING
    dnl http://www.sendmail.org/doc/sendmail-current/cf/README
    dnl http://www.onlamp.com/pub/a/onlamp/excerpt/sendmailckbk_chap01/index.html
    define(`confLDAP_DEFAULT_SPEC', ` -w 3 -h zimbra.example.com -b ou=people,dc=example,dc=com')dnl
    LDAPROUTE_DOMAIN(`example.com')dnl
    dnl
    dnl ---> There's LDAP trickery here in the -v return value...  Users have the zimbraMailHost attribute,
    dnl ---> while distribution lists and aliases have the zimbraMailAlias attribute.
    FEATURE(`ldap_routing',`ldap -1 -T<TMPF> -v zimbraMailHost -k (|(zimbraMailAlias=%0)(mail=%0))',`ldap -1 -T<TMPF> -v zimbraMailAlias -k (|(zimbraMailAlias=%0)(mail=%0))',`bounce',`preserve',`tempfail')dnl
    dnl
    LIMITATIONS
    I've discovered one scenario in which this solution fails. Multiple aliases for a given Zimbra account will not be visible to sendmail using the above configuration and will generate a "User unknown" response from Sendmail. For example, if a Zimbra account "JohnDoe@example.com" exists and has two or more mail aliases, say "jd@example.com" and "johnny@example.com", external email to either jd or johnny will be rejected by the Sendmail edge MTA as "user unknown". Mail to JohnDoe will be accepted as normal.

    On the other hand, if user "JaneDoe@example.com" has only one mail alias, say "jane@example.com", external mail to the alias will be accepted correctly.

    WHY THE FAILURE?
    Sendmail expects the ldap query to return only one value for a given attribute. When a user has multiple aliases, the LDAP attribute zimbraMailAlias has multiple values, causing the sendmail ldap map to return "false". This behavior is supposed to be controlled by the "-1" flag to ldap (shown above as "ldap -1 -T..."). However, removing the -1 flag did not fix this problem in my tests.

    WORKAROUND
    Use distribution lists instead of mail aliases in Zimbra.

    REAL SOLUTION
    I'm not sure... maybe configure Sendmail LDAP aliases?

  4. #4

    As a bit of a follow-up to this in case anyone is interested :-)

    I have got this working with the latest build of FRANKLIN (as of last week) and Sendmail 8.14.3, and I haven't experienced the multiple aliases problem, so I assume something has now been fixed in Sendmail???

    One problem I did experience: I have quite a few domains and have created an LDAPROUTE_DOMAIN_FILE with all of them in, but of course the base DN is different for each domain, so any queries for anything other than my primary domain fail (unless they are accounts in the primary domain who also have an alias within the secondary).

    I have it working at the moment by not setting a base DN and letting it search the ENTIRE LDAP database. I have two quite busy backup MXs and my Zimbra server is quite busy as well, so I was a bit concerned about extra load on the slapd process, but it seems OK. Can anybody think of a way that I can set a different base DN for each domain?

    Also, I have noticed that Distribution Lists don't appear to have a zimbraMailHost object. This doesn't appear to cause sendmail a problem, as the address lookup works, but I just wondered why???

    Thanks

    Phil
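An added example, not from the thread and not Zimbra's or Sendmail's own code, covering the lookups in posts #3 and #4: it parses the LDIF that `ldapsearch -LLL` prints, evaluates the `-k (|(zimbraMailAlias=%0)(mail=%0))` filter from the sendmail.mc above for a given address, and lists the aliases whose `-v zimbraMailAlias` result comes back multi-valued, the condition post #3 blames for the "User unknown" bounces. It also shows the empty zimbraMailHost result for a distribution list that post #4 noticed. The entries, DNs, hosts and addresses are constructed; the multi-valued result is only reported as a risk flag, since the thread describes the failure without settling its cause.

```python
import base64
from collections import defaultdict

# Constructed sample of what `ldapsearch -LLL` prints for Zimbra entries.
# Every DN, host and address here is made up for this example.
SAMPLE_LDIF = """\
dn: uid=JohnDoe,ou=people,dc=example,dc=com
objectClass: zimbraAccount
mail: JohnDoe@example.com
zimbraMailHost: zimbra.example.com
zimbraMailAlias: jd@example.com
zimbraMailAlias: johnny@example.com

dn: uid=JaneDoe,ou=people,dc=example,dc=com
objectClass: zimbraAccount
mail: JaneDoe@example.com
zimbraMailHost: zimbra.example.com
zimbraMailAlias: jane@example.com

dn: uid=staff,ou=people,dc=example,dc=com
objectClass: zimbraDistributionList
mail: staff@example.com
zimbraMailAlias: staff@example.com
description:: VGVhbSBsaXN0
"""


def parse_ldif(text):
    """Parse LDIF (as printed by ldapsearch) into a list of entries, each a
    dict mapping lower-cased attribute name -> list of values. Handles folded
    continuation lines (leading space), comment lines and base64 values ('::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a wrapped line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(dict(current))
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def map_lookup(entries, address, attr):
    """Values the sendmail map `ldap -k (|(zimbraMailAlias=%0)(mail=%0)) -v ATTR`
    would receive for ADDRESS. Mail-type attributes compare case-insensitively,
    so matching is done on lower-cased values."""
    wanted = address.lower()
    hits = [e for e in entries
            if any(v.lower() == wanted
                   for v in e.get("zimbramailalias", []) + e.get("mail", []))]
    return [v for e in hits for v in e.get(attr.lower(), [])]


def aliases_at_risk(entries):
    """Defender-side audit: aliases of accounts whose -v zimbraMailAlias lookup
    comes back multi-valued, the condition post #3 reports as producing a
    'User unknown' bounce at the edge MTA. Returns the alias addresses, sorted."""
    risky = set()
    for e in entries:
        aliases = e.get("zimbramailalias", [])
        classes = [c.lower() for c in e.get("objectclass", [])]
        if len(aliases) > 1 and "zimbraaccount" in classes:
            risky.update(aliases)
    return sorted(risky)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for addr in ("jd@example.com", "jane@example.com", "staff@example.com"):
        print(addr,
              "host:", map_lookup(directory, addr, "zimbraMailHost"),
              "alias:", map_lookup(directory, addr, "zimbraMailAlias"))
    print("aliases at risk:", aliases_at_risk(directory))
```

Run against real output by replacing SAMPLE_LDIF with the text of the ldapsearch command from post #1 (with zimbraMailAlias added to the requested attributes); the audit then lists the addresses that would need the distribution-list workaround from post #3.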

  5. #5

    Not using Sendmail, and a somewhat different application, but still the same basic question: how to remotely confirm the existence of an account that has zimbraHideInGal=TRUE? How does the Sendmail config get around that issue?
