LDAP routing

Hi all,

Here's what I try to accomplish:

I have two sendmail machines, different locations (locations are
connected via a VPN) and completely under my control.

These sendmail machines relay inbound mail to one (1) Exchange
server (2003).

I would like to verify on these sendmail machines if a user exists
within Exchange, and preferably through LDAP.

What I do not want to happen is that if the Exchange machine is down
or unreachable (in case of a VPN failure) mail is rejected.

A link to good documentation (howto) would be appreciated.

Thanks in advance.

Peter
--
Those of you who think you know everything are very annoying to those
of us who do.

MSN/Mail: pboosten at hotmail dot com
http://zwanger.can-this.be (Dutch)
Nobody [ Wed, 21 December 2005 12:18 ] [ ID #1112635 ]

Re: LDAP routing

Peter Boosten wrote:
> Hi all,

> I would like to verify on these sendmail machines if a user exists
> within Exchange, and preferably through LDAP.
>
> What I do not want to happen is that if the Exchange machine is down
> or unreachable (in case of a VPN failure) mail is rejected.
>
> A link to good documentation (howto) would be appreciated.

IMHO, the best solution (but some people don't like it) is to periodically dump
the list of valid users (from LDAP) to a flat file and create a hash table.

Create a virtusertable with the list of valid users and end with an entry:

@domain.com error:5.1.1:550 Who ??? Don't know !

This doesn't cause problems when your LDAP or Exchange server is down (it usually
is when it is running 8-).
Jose Marcio Martins d [ Wed, 21 December 2005 13:07 ] [ ID #1112639 ]

Re: LDAP routing

Peter Boosten wrote:
> Hi all,
>
> Here's what I try to accomplish:
>
> I have two sendmail machines, different locations (locations are
> connected via a VPN) and completely under my control.
>
> These sendmail machines relay inbound mail to one (1) Exchange
> server (2003).
>
> I would like to verify on these sendmail machines if a user exists
> within Exchange, and preferably through LDAP.
>
> What I do not want to happen is that if the Exchange machine is down
> or unreachable (in case of a VPN failure) mail is rejected.
>
> A link to good documentation (howto) would be appreciated.
>
> Thanks in advance.
>
> Peter

I set out to do this as well and finally found that for political as
well as technical reasons I got what I needed more quickly by using
milter-ahead rather than LDAP. When mail comes in it makes a connection
to the exchange system and verifies whether the address is valid or not. The
results are cached locally and after a time all valid addresses are
found and cached. It's found at snert.com. It is easy to implement,
fast, and has been very reliable, and I didn't have to hack together an
LDAP proxy or train anyone on keeping AD and my LDAP server in sync. It
has required zero attention from me and my team.

dp
Dennis Peterson [ Wed, 21 December 2005 22:31 ] [ ID #1112644 ]

Re: LDAP routing

Dennis Peterson <dennispe [at] inetnw.com> wrote:
>
> I set out to do this as well and finally found that for political as
> well as technical reasons I got what I needed more quickly by using
> milter-ahead rather than LDAP. When mail comes in it makes a connection
> to the exchange system and verifies whether the address is valid or not. The
> results are cached locally and after a time all valid addresses are
> found and cached. It's found at snert.com. It is easy to implement,
> fast, and has been very reliable, and I didn't have to hack together an
> LDAP proxy or train anyone on keeping AD and my LDAP server in sync. It
> has required zero attention from me and my team.
>
> dp


Thnx Dennis... I'll give it a try.

Peter
--
Those of you who think you know everything are very annoying to those
of us who do.

MSN/Mail: pboosten at hotmail dot com
Nobody [ Wed, 21 December 2005 22:35 ] [ ID #1112645 ]

Re: LDAP routing

Peter

Peter Boosten wrote:
> Hi all,
>
> Here's what I try to accomplish:
>
> I have two sendmail machines, different locations (locations are
> connected via a VPN) and completely under my control.
>
> These sendmail machines relay inbound mail to one (1) Exchange
> server (2003).
>
> I would like to verify on these sendmail machines if a user exists
> within Exchange, and preferably through LDAP.

That is feasible through LDAP to AD using the LDAP routing feature.

>
> What I do not want to happen is that if the Exchange machine is down
> or unreachable (in case of a VPN failure) mail is rejected.

What else would you want to do, accept it?

>
> A link to good documentation (howto) would be appreciated.

This is what I set in my .mc file

define(`confLDAP_DEFAULT_SPEC', `-h "adserver.my.dom.ain" -b "DC=MY,DC=DOM,DC=AIN" -d "CN=query,CN=Users,DC=MY,DC=DOM,DC=AIN" -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl

LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl

FEATURE(`ldap_routing', `null', `ldap -1 -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))', `bounce')dnl

If you use passthru instead of bounce I believe you will get what you want.

HTH

Erich

>
> Thanks in advance.
>
> Peter
mega [ Thu, 22 December 2005 08:28 ] [ ID #1114044 ]

Re: LDAP routing

mega <erich.titl [at] think.ch> wrote:
>>
>> What I do not want to happen is that if the Exchange machine is down
>> or unreachable (in case of a VPN failure) mail is rejected.
>
> What else would you want to do, accept it?
>

I don't want the mail to get bounced (i.e. that an NDR is produced any
time the Exchange-boys decide to reboot the nasty thingy).

>
> This is what I set in my .mc file
>
> define(`confLDAP_DEFAULT_SPEC', `-h "adserver.my.dom.ain" -b
> "DC=MY,DC=DOM,DC=AIN" -d "CN=query,CN=Users,DC=MY,DC=DOM,DC=AIN"
> -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl
>
> LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl
>
> FEATURE(`ldap_routing', `null', `ldap -1 -v mail -k
> (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))',
> `bounce')dnl
>
> If you use passthru instead of bounce I believe you will get what you want.
>

I'll have a look at that one as well. Thanks for your answer.

Peter

--
Those of you who think you know everything are very annoying to those
of us who do.

MSN/Mail: pboosten at hotmail dot com
Nobody [ Thu, 22 December 2005 11:01 ] [ ID #1114046 ]

Re: LDAP routing

mega <erich.titl [at] think.ch> writes:

> Peter
>
> Peter Boosten wrote:
> > Hi all,
> >
> > Here's what I try to accomplish:
> >
> > I have two sendmail machines, different locations (locations are
> > connected via a VPN) and completely under my control.
> >
> > These sendmail machines relay inbound mail to one (1) Exchange
> > server (2003).
> >
> > I would like to verify on these sendmail machines if a user exists
> > within Exchange, and preferably through LDAP.
>
> That is feasible through LDAP to AD using the LDAP routing feature.
>
> >
> > What I do not want to happen is that if the Exchange machine is down
> > or unreachable (in case of a VPN failure) mail is rejected.
>
> What else would you want to do, accept it?
>
> >
> > A link to good documentation (howto) would be appreciated.
>
> This is what I set in my .mc file
>
> define(`confLDAP_DEFAULT_SPEC', `-h "adserver.my.dom.ain" -b
> "DC=MY,DC=DOM,DC=AIN" -d "CN=query,CN=Users,DC=MY,DC=DOM,DC=AIN"
> -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl
>
> LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl
>
> FEATURE(`ldap_routing', `null', `ldap -1 -v mail -k
> (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))',
> `bounce')dnl
>
> If you use passthru instead of bounce I believe you will get what you want.

It may be that if the LDAP server is down, it causes a tempfail error condition.

That is probably what the questioner wants.

/ Kari Hurtta
Kari Hurtta [ Thu, 22 December 2005 19:56 ] [ ID #1114051 ]

Re: LDAP routing

In article <dodthl$on7$1 [at] news5.zwoll1.ov.home.nl> nobody [at] nowhere.invalid
(Peter Boosten) writes:
>mega <erich.titl [at] think.ch> wrote:
>>>
>>> What I do not want to happen is that if the Exchange machine is down
>>> or unreachable (in case of a VPN failure) mail is rejected.
>>
>> What else would you want to do, accept it?
>>
>
>I don't want the mail to get bounced (i.e. that an NDR is produced any
>time the Exchange-boys decide to reboot the nasty thingy).

This (i.e. what you want) should be the default for any network-based map
(see the description of the -t flag in doc/op/op.*) - if the server
can't be reached, it should generate a 4xx temp failure, causing the
sender to queue the message and retry later.

Easy enough to test even if you can't rely on the Exchange-boys, just
configure your LDAP spec with an IP address that isn't assigned and see
what happens.

--Per Hedeland
per [at] hedeland.org
per [ Thu, 22 December 2005 23:27 ] [ ID #1114056 ]

Re: LDAP routing

nobody [at] nowhere.invalid (Peter Boosten) writes:

> mega <erich.titl [at] think.ch> wrote:
> >>
> >> What I do not want to happen is that if the Exchange machine is down
> >> or unreachable (in case of a VPN failure) mail is rejected.
> >
> > What else would you want to do, accept it?
> >
>
> I don't want the mail to get bounced (i.e. that an NDR is produced any
> time the Exchange-boys decide to reboot the nasty thingy).
> [...]

AFAIK the Exchange admin program can export all the data necessary for
sendmail [a list of all valid (SMTP) email addresses]. AFAIR the default "set
of columns" does not include the required data, so you must create a file
with the "first line" (names of columns to export) you want.

A simple perl (or awk) script (<10 lines) can convert the above-mentioned
file to virtusertable format.

P.S.
I tested it "a few years" ago but I have no MS Exchange at hand to
recollect the MS Exchange part.

--
[en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
http://www.sendmail.org/faq/ http://www.sendmail.org/m4/readme.html
http://anfi.homeunix.net/sendmail/ Netcraft Site Rank: 511526
Andrzej Adam Filip [ Thu, 22 December 2005 23:44 ] [ ID #1114057 ]

Re: LDAP routing

Kari Hurtta <hurtta [at] attruh.keh.iki.fi> wrote:
>
> It may be that if the LDAP server is down, it causes a tempfail error condition.
>
> That is probably what the questioner wants.
>

Yup, indeed.

Thanks all for your answers. I'll have enough to experiment with.

Peter

--
Those of you who think you know everything are very annoying to those
of us who do.

MSN/Mail: pboosten at hotmail dot com
Nobody [ Fri, 23 December 2005 07:19 ] [ ID #1115264 ]

Re: LDAP routing

Kari Hurtta wrote:
> mega <erich.titl [at] think.ch> writes:
>
>
....

>>
>>If you use passthru instead of bounce I believe you will get what you want.
>
>
> It may be that if the LDAP server is down, it causes a tempfail error condition.
>
> That is probably what the questioner wants.

Mhhh.... that would require some modification to the LDAP routing
feature. I am not sure if a map can distinguish between a failure and a
missing entry.

Can someone with deeper insight in the map mechanism elaborate on that?

Thanks

Erich
mega [ Fri, 23 December 2005 16:29 ] [ ID #1115270 ]

Re: LDAP routing

mega wrote:

> Mhhh.... that would require some modification to the LDAP routing
> feature. I am not sure if a map can distinguish between a failure and a
> missing entry.

It can.

--
David.
DFS [ Sat, 24 December 2005 03:42 ] [ ID #1115966 ]

Re: LDAP routing

David F. Skoll wrote:
> mega wrote:
>
>
>>Mhhh.... that would require some modification to the LDAP routing
>>feature. I am not sure if a map can distinguish between a failure and a
>>missing entry.
>
>
> It can.

How?
mega [ Tue, 27 December 2005 00:07 ] [ ID #1116899 ]

Re: LDAP routing

mega wrote:

> David F. Skoll wrote:

>> [A map] can [distinguish between failure and a missing entry]

> How?

In the case of the LDAP routing feature, for example, the standard
map definition has a "-T<TMPF>" argument, which lets Sendmail's
rulesets detect and handle temporary failures.

In the case of a SOCKETMAP map type, the socketmap protocol provides
for a TEMP reply code to indicate temporary failure.

--
David.
DFS [ Tue, 27 December 2005 01:16 ] [ ID #1117922 ]

Re: LDAP routing

David F. Skoll wrote:
....
>
> In the case of the LDAP routing feature, for example, the standard
> map definition has a "-T<TMPF>" argument, which lets Sendmail's
> rulesets detect and handle temporary failures.
>
> In the case of a SOCKETMAP map type, the socketmap protocol provides
> for a TEMP reply code to indicate temporary failure.

I see, the original map contains this flag. I should have stuck closer
to the original map.

Thanks

Erich
mega [ Tue, 27 December 2005 08:35 ] [ ID #1117928 ]
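Erich's map restated with the `-T<TMPF>' flag that David says the stock ldap_routing definition carries, added here as an illustration and not taken from any poster's configuration; the server name, base DN and bind DN are Erich's placeholders, and the comments assume the unmodified ldap_routing feature shipped with sendmail.

```m4
dnl Erich's map as posted (kept for comparison): without -T<TMPF> a lookup that
dnl fails because the AD server cannot be reached looks the same as "no such
dnl user", so with `bounce' the message is refused with a 5xx and an NDR follows.
dnl FEATURE(`ldap_routing', `null', `ldap -1 -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))', `bounce')dnl
dnl
dnl Same map with -T<TMPF>: a lookup that fails for a temporary reason returns
dnl the marker <TMPF>, which the feature's rulesets turn into a 4xx temporary
dnl failure, so the sending MTA keeps the message queued and retries later.
dnl An address that genuinely has no match is still refused with a 5xx.
dnl The file named by -P holds the bind password; keep it readable by the
dnl sendmail user only.
define(`confLDAP_DEFAULT_SPEC', `-h "adserver.my.dom.ain" -b "DC=MY,DC=DOM,DC=AIN" -d "CN=query,CN=Users,DC=MY,DC=DOM,DC=AIN" -MLDAP_AUTH_SIMPLE -P/etc/mail/ldap_pass')dnl
LDAPROUTE_DOMAIN_FILE(`/etc/mail/ldap_route_domains')dnl
FEATURE(`ldap_routing', `null', `ldap -1 -T<TMPF> -v mail -k (&(|(objectclass=user)(objectclass=group))(proxyAddresses=smtp:%0))', `bounce')dnl
```

As Per suggests, the behaviour can be checked without involving the Exchange side by pointing -h at an unassigned address and watching whether the relay answers a RCPT with a 4xx instead of a 5xx.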
Miscellaneous » comp.mail.sendmail » LDAP routing