comp.mail.sendmail: Configuring and using the BSD sendmail agent.
#26
Carl Byington wrote:
> On Tue, 03 Oct 2006 19:49:55 -0700, k3ithtaylor wrote:
>
> > ugh. I think my thread's been hijacked. Does anyone have a
> > recommendation or a link to execute what I described above?
>
> man ldapsearch
>
> That can do arbitrary queries, so you just need to know your schema, and
> the attribute names that contain the email user name. A bit of
> 'awk/sed/grep' should mash it into a format acceptable to write to
> /etc/mail/access, followed by (cd /etc/mail; make) or the equivalent on
> your system to rebuild the access hash map.
>
> If you want to use smtp-ahead style, rather than ldap, then
> <http://www.five-ten-sg.com/dnsbl/> can do that.

Thank you for this info. I really like the option of dumping the output from ldap to a file and cleaning it. However, there is really no good place I've found to put this locally on the sendmail server for lookups. The access db looks tailored to relays "from". In other words, deciding who can relay against the "MAIL FROM:" argument. I'd like to do the same but instead use the "RCPT TO:" argument to decide whether or not to relay it.

LDAP routing is ok but a little confusing, since my server on the inside doesn't have the attributes ldap-routing seems to want. I've tinkered with the attributes and filters unsuccessfully. I guess I could set up another LDAP, export an LDIF from my current LDAP, cleanse it for the new schema, and import it daily, but this seems more vulnerable to problems.
|
|
|
#27
On Tue, 10 Oct 2006 20:22:29 -0700, k3ithtaylor wrote:
> Carl Byington wrote:
>> On Tue, 03 Oct 2006 19:49:55 -0700, k3ithtaylor wrote:
>>
>> > ugh. I think my thread's been hijacked. Does anyone have a
>> > recommendation or a link to execute what I described above?
>>
>> man ldapsearch
>>
>> That can do arbitrary queries, so you just need to know your schema, and
>> the attribute names that contain the email user name. A bit of
>> 'awk/sed/grep' should mash it into a format acceptable to write to
>> /etc/mail/access, followed by (cd /etc/mail; make) or the equivalent on
>> your system to rebuild the access hash map.
>>
> Thank you for this info. I really like the option of dumping the output
> from ldap to a file and cleaning it. However, there is really no good
> place I've found to put this locally on the sendmail server for lookups.
> The access db looks tailored to relays "from". In other words, deciding
> who can relay against the "MAIL FROM:" argument. I'd like to do the same
> but instead use the "RCPT TO:" argument to decide whether or not to relay
> it.

Hm, rather than /etc/mail/access, I think I meant /etc/mail/virtusertable,
possibly coupled with

    VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-host-domains')

in your sendmail.mc. That allows you to have non-local (not in class W)
domains for which you are relaying (with targets specified in
mailertable), and the user list specified in the virtusertable. Unknown
users (not listed in virtusertable) should be rejected as 'user unknown'.
|
|
|
#28
In article <1160536949.557856.265070@h48g2000cwc.googlegroups.com>
"k3ithtaylor" <k3ithtaylor@gmail.com> writes:
>
> Thank you for this info. I really like the option of dumping the
> output from ldap to a file and cleaning it. However, there is really
> no good place I've found to put this locally on the sendmail server for
> lookups. The access db looks tailored to relays "from". In other
> words, deciding who can relay against the "MAIL FROM:" argument. I'd
> like to do the same but instead use the "RCPT TO:" argument to decide
> whether or not to relay it.

Actually you'll have to go out of your way to have sendmail consider
"MAIL FROM:" when it comes to relay-allow, and it's specifically
disrecommended in the documentation. What is used is the identity of the
client (IP address, or host name found from IP address) - and "RCPT TO:"
- but only the domain-part of the recipient address. You can get it to
look up the complete recipient address for relay-allow by using the
undocumented

    define(`_RELAY_FULL_ADDR_', `1')

in your .mc file.

> LDAP routing is ok but a little confusing. Since my server on the
> inside doesn't have the attributes ldap-routing seems to want. I've
> tinkered with the attributes and filters unsuccessfully.

The attributes are completely configurable via the map arguments to
ldap_routing, there is really only one restriction: There must be an
attribute that has the complete user@domain recipient address, if only
the "user" part is available, ldap_routing can't work. If you don't have
this problem, and can provide some detail about your setup, we might be
able to .

It's also possible to use ldap_routing without actually using LDAP for
the lookup, i.e. it can be told to use local file map(s) instead. Those
file maps could in turn be built from data you've downloaded from LDAP -
i.e. this could be an alternative to the access db if you prefer to use
"output from ldap dumped to a file".

--Per Hedeland
per@hedeland.org
|
|
|
#29
In article <pan.2006.10.11.04.26.50.168023@five-ten-sg.com> Carl
Byington <carl@five-ten-sg.com> writes:
>
> Hm, rather than /etc/mail/access, I think I meant /etc/mail/virtusertable,
> possibly coupled with
>
> VIRTUSER_DOMAIN_FILE(`/etc/mail/virtual-host-domains')
>
> in your sendmail.mc. That allows you to have non-local (not in class W)
> domains for which you are relaying (with targets specified in
> mailertable), and the user list specified in the virtusertable. Unknown
> users (not listed in virtusertable) should be rejected as 'user unknown'.

But only if you have an explicit catch-all entry in the virtusertable
mapping to the error mailer. Otherwise those users will "fall through" to
"normal" delivery - which depending on the rest of the config may result
in having them sent onwards to the internal server after all.

--Per Hedeland
per@hedeland.org
|
|
|
#30
> It's also possible to use ldap_routing without actually using LDAP for
> the lookup, i.e. it can be told to use local file map(s) instead. Those
> file maps could in turn be built from data you've downloaded from LDAP -
> i.e. this could be an alternative to the access db if you prefer to use
> "output from ldap dumped to a file".
>
> --Per Hedeland
> per@hedeland.org

Since you've all been so patient I'll give you all the details...

Backend mail system is Domino. Domino allows only one "mail" attribute per user, so aliases have to go in the username (cn) field. While Domino is able to recognize only fully qualified aliases in the username field, an ldap query will give me all the cn's (user, user@domain.com, usersalias, usersalias@domain.com).

I've executed an ldapsearch to dump all the cn and mail attributes for every valid user. Then I have that pumped through awk/sed etc. into a file that's just email addresses, then I append a tab and a bang to each line. Finally, I append all my valid relay domains "@domain.com error:nouser 550 No Such User", hashmap to virtusertable.db, and restart sendmail. Only problem is that only the first domain in the virtusertable rejects the message if the virtuser is not found. All others are relayed without scrutiny.

If I left out anything critical or if there's a better way at this I'm all ears.

- Keith
|
|
|
#31
k3ithtaylor wrote:
> I've executed an ldapsearch to dump all the cn and mail attributes for
> every valid user. Then I have that pumped through awk/sed etc. into a
> file that's just email addresses, then I append a tab and a bang to
> each line. Finally, I append all my valid relay domains "@domain.com
> error:nouser 550 No Such User", hashmap to virtusertable.db, and
> restart sendmail. Only problem is that only the first domain in the
> virtusertable rejects the message if the virtuser is not found. All
> others are relayed without scrutiny.
>
> If I left out anything critical or if there's a better way at this I'm
> all ears.

I guess you didn't define the class {VirtHost}. This class defines
the domains that will be looked up in the virtusertable.
The first domain in your table (the one that _is_ looked up) is
probably a member of the class {w} (a class with local host names
and domains that should be handled as if these were local names).
You can show those classes with:

    echo "$=w" | sendmail -bt
    echo "$={VirtHost}" | sendmail -bt

See the README file in the sendmail config dir:

    All the host names on the left hand side (foo.com, bar.com,
    and baz.org) must be in class {w} or class {VirtHost}. The
    latter can be defined by the macros VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
    MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or
    VIRTUSER_DOMAIN_FILE is used, then the entries of class
    {VirtHost} are added to class {R}, i.e., relaying is allowed
    to (and from) those domains. The default map definition is:

--
Kees Theunissen.
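Putting Keith's procedure (#30), Per's catch-all requirement (#29) and Kees's {VirtHost} point (#31) together, here is an added example script that is not from any poster: it turns an ldapsearch LDIF dump into a virtusertable that maps only fully qualified addresses in the relay domains and appends a reject catch-all for every such domain, and it writes the domain list for VIRTUSER_DOMAIN_FILE so each domain is actually looked up. It assumes plain-text "cn:" and "mail:" attributes (base64 "cn::" values are skipped) and relay domains passed as arguments; the sample LDIF in the test is constructed.

```shell
#!/bin/sh
# Added example (not any poster's code). Assumed input: ldapsearch LDIF on
# stdin with plain "cn:" / "mail:" values; relay domains given as arguments.

# build_virtusertable DOMAIN... : LDIF on stdin -> virtusertable text on stdout.
# Fully qualified user@domain values for a relay domain map to themselves;
# bare aliases (no "@") and foreign domains are dropped; each relay domain
# then gets an explicit error-mailer catch-all so unknown users are rejected
# instead of falling through to normal delivery.
build_virtusertable() {
    awk -v doms="$*" '
    BEGIN { n = split(doms, d, " "); for (i = 1; i <= n; i++) relay[tolower(d[i])] = 1 }
    # ldapsearch folds long values: a leading space continues the previous line
    /^ / { prev = prev substr($0, 2); next }
    { take(prev); prev = $0 }
    END {
        take(prev)
        for (a in seen) print a "\t" a
        for (i = 1; i <= n; i++) print "@" tolower(d[i]) "\terror:nouser 550 No Such User"
    }
    function take(line,   val, at, dom) {
        if (line !~ /^(cn|mail): /) return       # other attrs and base64 ("::") skipped
        val = tolower(line); sub(/^[a-z]+: +/, "", val)
        at = index(val, "@")
        if (at == 0) return                       # bare alias: sendmail cannot route it
        dom = substr(val, at + 1)
        if (!(dom in relay)) return               # not one of our relay domains
        seen[val] = 1                             # de-duplicates cn/mail repeats
    }' | sort
}

# virtuser_domains DOMAIN... : contents for VIRTUSER_DOMAIN_FILE, so every
# relay domain lands in class {VirtHost} and is looked up in the table.
virtuser_domains() {
    for d in "$@"; do printf '%s\n' "$d" | tr 'A-Z' 'a-z'; done
}
```

After writing the output to /etc/mail/virtusertable, rebuild the map with `makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable` (or `cd /etc/mail; make` on systems with a Makefile) and check the class with `echo "$={VirtHost}" | sendmail -bt`.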
|
|
|
#32
Kees Theunissen wrote:
> k3ithtaylor wrote:
>
> > I've executed an ldapsearch to dump all the cn and mail attributes for
> > every valid user. Then I have that pumped through awk/sed etc. into a
> > file that's just email addresses, then I append a tab and a bang to
> > each line. Finally, I append all my valid relay domains "@domain.com
> > error:nouser 550 No Such User", hashmap to virtusertable.db, and
> > restart sendmail. Only problem is that only the first domain in the
> > virtusertable rejects the message if the virtuser is not found. All
> > others are relayed without scrutiny.
> >
> > If I left out anything critical or if there's a better way at this I'm
> > all ears.
>
> I guess you didn't define the class {VirtHost}. This class defines
> the domains that will be looked up in the virtusertable.
> The first domain in your table (the one that _is_ looked up) is
> probably a member of the class {w} (a class with local host names
> and domains that should be handled as if these were local names).
> You can show those classes with:
> echo "$=w" | sendmail -bt
> echo "$={VirtHost}" | sendmail -bt
>
> See the README file in the sendmail config dir:
>
> All the host names on the left hand side (foo.com, bar.com,
> and baz.org) must be in class {w} or class {VirtHost}. The
> latter can be defined by the macros VIRTUSER_DOMAIN or
> VIRTUSER_DOMAIN_FILE (analogously to MASQUERADE_DOMAIN and
> MASQUERADE_DOMAIN_FILE, see below). If VIRTUSER_DOMAIN or
> VIRTUSER_DOMAIN_FILE is used, then the entries of class
> {VirtHost} are added to class {R}, i.e., relaying is allowed
> to (and from) those domains. The default map definition is:
>
> --
> Kees Theunissen.

Right on. That gets it done. SUCCESS. Thanks ALL.