ldap verify, not route

on 21.11.2004 16:20:24 by Leif Neland

My sendmail is in front of an exchange-server.

mail for mycompany.com is sent to exchange.mycompany.com via mailertable,
and outgoing mail is sent to my isp's smarthost with a
define(``SMART_HOST'....)

I need to verify the incoming addresses against exchange.
From my php testscript, I can do a query:

$sr=ldap_search($ds, "ou=My Company, c=US", "mail=me@mycompany.com");

I get a result if the address exists, and none if the email address doesn't.

Fine, but the result doesn't contain the address of the exchange, at least
not in a form usable for sendmail.

Sendmail.mc
FEATURE(ldap_routing)dnl
LDAPROUTE_DOMAIN(mydomain.com)dnl
define(`confLDAP_DEFAULT_SPEC', `-h exchange.mydomain.com -b dc=mydomain,dc=com')


Sendmail.cf
# LDAP routing maps
Kldapmh ldap -1 -T -v mailHost -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))
Kldapmra ldap -1 -T -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))

Doing a sendmail -v -d -bv my@mycompany.com
map_lookup(ldapmra, me@mycompany.com) => NOT FOUND (68)
map_lookup(ldapmh, me@mycompany.com) => NOT FOUND (68)

map_lookup(ldapmra, @mycompany.com) => NOT FOUND (68)
map_lookup(ldapmh, @mycompany.com) => NOT FOUND (68)

Is it correct sendmail is looking for a mailHost and a mailRoutingAddress?
Neither is contained in the answer from the exchange ldap.

I can not change the contents of the ldap-server.

As far as I can see, all the examples I can find query the ldap-server
for routing information.
I only want to accept mail if the address exists in ldap, I already know how
to route it, and reject if it doesn't.

Surely that is possible?

Leif

Re: ldap verify, not route

on 22.11.2004 22:39:53 by per

In article "Leif Neland"
writes:
>My sendmail is in front of an exchange-server.
>
>mail for mycompany.com is sent to exchange.mycompany.com via mailertable,
>and outgoing mail is sent to my isp's smarthost with a
>define(``SMART_HOST'....)
>
>I need to verify the incoming addresses against exchange.
>From my php testscript, I can do a query:
>
> $sr=ldap_search($ds, "ou=My Company, c=US", "mail=me@mycompany.com");
>
>I get a result if the address exists, and none if the email address doesn't.
>
>Fine, but the result doesn't contain the address of the exchange, at least
>not in a form usable for sendmail.

Well, there are many ways to use LDAP from sendmail, ldap_routing is an
implementation of a specific way to do it, it may not work in all
cases. Still, it's pretty tweakable, and as far as results go only
requires that you get *either* an e-mail address *or* a mailhost (or
both) back from LDAP.

Most people trying to use it towards an Exchange server run into the
problem that the actual user@domain "input" address is nowhere to be
found in the LDAP attributes, there's only uid=user or somesuch, which
makes it impossible to use ldap_routing. But apparently that's not your
problem.

>Sendmail.mc
>FEATURE(ldap_routing)dnl
>LDAPROUTE_DOMAIN(mydomain.com)dnl
>define(`confLDAP_DEFAULT_SPEC', `-h exchange.mydomain.com -b dc=mydomain,dc=com')
>
>
>Sendmail.cf
># LDAP routing maps
>Kldapmh ldap -1 -T -v mailHost -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))
>Kldapmra ldap -1 -T -v mailRoutingAddress -k (&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))

Yes, the defaults obviously won't work. I don't know if you have
something more-or-less equivalent to the
objectClass=inetLocalMailRecipient stuff, but you clearly do have an
attribute (mail) with the fully-qualified "input" address
(me@mycompany.com) which you apparently know how to route, so getting
that returned for "mail routing address" and nothing for "mail host"
should work for you.

The following is rather silly, since you aren't really using the
ldap_routing functionality, but it may be preferable to writing a few
custom rules:

FEATURE(`ldap_routing', `null', `ldap -1 -T -v mail -k mail=%0', `bounce')

I.e. you specify the "null" map (undocumented, always fails) for
, and just ask to get the "mail" attribute back for
. (You may want to add objectClass or somesuch in an
appropriate form to the filter.) Assuming that your actual routing is
then based on MX or mailertable for the domain, it should "just work"
(the result of ldap_routing is looked up in mailertable as of 8.12.0).

>Is it correct sendmail is looking for a mailHost and a mailRoutingAddress?
>Neither is contained in the answer from the exchange ldap.

Yes it is, see above - you're just not asking for it.

>I can not change the contents of the ldap-server.
>
>As far as I can see, all the examples I can find query the ldap-server
>for routing information.
>I only want to accept mail if the address exists in ldap, I already know how
>to route it, and reject if it doesn't.

You can find an example of this in

http://groups.google.com/groups?selm=bt6avm%247b8%241@hedeland.org

--Per Hedeland
per@hedeland.org
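
The pieces discussed in this reply, assembled into one sendmail.mc fragment. This is an added example, not part of either poster's message: the host, base DN and domain are the thread's sample values, `OBJECTCLASS_PLACEHOLDER` is a hypothetical stand-in for whatever class the directory actually uses, and `-T<TMPF>` is written in the form sendmail's own default LDAP map definitions use.

```m4
dnl Added example (constructed): verify-only use of ldap_routing in sendmail.mc.
dnl Host, base DN and domain are the sample values used in the thread.
define(`confLDAP_DEFAULT_SPEC', `-h exchange.mydomain.com -b dc=mydomain,dc=com')dnl

dnl Only recipients in this domain are looked up in LDAP.
dnl Delivery for the domain stays with the existing mailertable entry.
LDAPROUTE_DOMAIN(`mydomain.com')dnl

dnl arg 2, mailHost map: the null map, so no host is ever returned from LDAP.
dnl arg 3, mailRoutingAddress map: returns the mail attribute when the
dnl        recipient address exists in the directory.
dnl arg 4, bounce: reject the recipient when neither lookup finds a match.
dnl OBJECTCLASS_PLACEHOLDER is hypothetical. Substitute a class from your own
dnl directory, or drop the (&...) wrapper and keep just mail=%0 as in the thread.
FEATURE(`ldap_routing', `null',
        `ldap -1 -T<TMPF> -v mail -k (&(objectClass=OBJECTCLASS_PLACEHOLDER)(mail=%0))',
        `bounce')dnl
```

After rebuilding sendmail.cf, the `sendmail -bv` check from the first post shows whether a given address is now accepted or rejected.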

Re: ldap verify, not route

on 23.11.2004 00:55:59 by Leif Neland

Per Hedeland wrote:
> In article "Leif Neland"
> writes:
>> My sendmail is in front of an exchange-server.
>>
>> mail for mycompany.com is sent to exchange.mycompany.com via
>> mailertable, and outgoing mail is sent to my isp's smarthost with a
>> define(``SMART_HOST'....)
>>
>> I need to verify the incoming addresses against exchange.
>> From my php testscript, I can do a query:
>>
>> $sr=ldap_search($ds, "ou=My Company, c=US", "mail=me@mycompany.com");
>>
> The following is rather silly, since you aren't really using the
> ldap_routing functionality, but it may be preferable to writing a few
> custom rules:
>
> FEATURE(`ldap_routing', `null', `ldap -1 -T -v mail -k
> mail=%0', `bounce')
>
> I.e. you specify the "null" map (undocumented, always fails) for
> , and just ask to get the "mail" attribute back for
> . (You may want to add objectClass or somesuch in
> an appropriate form to the filter.) Assuming that your actual routing is
> then based on MX or mailertable for the domain, it should "just work"
> (the result of ldap_routing is looked up in mailertable as of 8.12.0).

Thanks, it worked. I did not want to add objectClass, why would I?

Leif

Re: ldap verify, not route

on 23.11.2004 08:20:36 by per

In article "Leif Neland"
writes:
>Per Hedeland wrote:
>> In article "Leif Neland"
>> writes:
>>> My sendmail is in front of an exchange-server.
>>>
>>> mail for mycompany.com is sent to exchange.mycompany.com via
>>> mailertable, and outgoing mail is sent to my isp's smarthost with a
>>> define(``SMART_HOST'....)
>>>
>>> I need to verify the incoming addresses against exchange.
>>> From my php testscript, I can do a query:
>>>
>>> $sr=ldap_search($ds, "ou=My Company, c=US", "mail=me@mycompany.com");
>>>
>> The following is rather silly, since you aren't really using the
>> ldap_routing functionality, but it may be preferable to writing a few
>> custom rules:
>>
>> FEATURE(`ldap_routing', `null', `ldap -1 -T -v mail -k
>> mail=%0', `bounce')
>>
>> I.e. you specify the "null" map (undocumented, always fails) for
>> , and just ask to get the "mail" attribute back for
>> . (You may want to add objectClass or somesuch in
>> an appropriate form to the filter.) Assuming that your actual routing is
>> then based on MX or mailertable for the domain, it should "just work"
>> (the result of ldap_routing is looked up in mailertable as of 8.12.0).
>
>Thanks, it worked. I did not want to add objectClass, why would I?

A discussion of the purpose of this for the LASER schema can be found
towards the end of the "Overview" section in the Internet-Draft (long
expired, but can be found e.g. at http://www.sendmail.org/m4/laser.txt).
Whether the usage of objectClass in your Exchange server, or some other
attribute, fits that description - or whether there is any need for it
given the contents of your database - is a question only you can answer,
I think. (The need to avoid lookups for other domains should already be
covered by sendmail's LDAPROUTE_DOMAIN[_FILE]() macros.)

--Per Hedeland
per@hedeland.org