All mail users in AD, but mbox on linux server

Hi All!

I have a mail server on linux with sendmail 8.14.1. At this time all mail
users are system users, i.e. I have user john with email
john [at] domain.com, and all incoming mail to john [at] domain.com goes to
/var/mail/john.
Additionally I have 5 windows domains in AD - they are DOMAIN1,
DOMAIN2, etc. In every domain there can be the same users - for
example DOMAIN1\john and DOMAIN2\john. At this time I have system
user john at linux mbox for DOMAIN1\john and system user john_sm for
DOMAIN2\john. I'm currently using SMTP authentication through
saslauthd, and saslauthd uses pam_winbind to authenticate users.
Additionally I didn't use a default domain in the winbind configuration,
because I have several domains; when user john wants to send email he
should use DOMAIN1\john as login.
Now I want to have the ability to use winbind authentication for POP3/IMAP
users. I have configured popa3d to use pam_winbind - it's doing its
job fine, but when I use the DOMAIN1\john login in a POP3 session popa3d
tries to open this mbox for me - /var/mail/DOMAIN1\\john - but I
don't have this mbox.
Additionally I want to remove all mail users from the linux box, but at
this time I don't have any ideas on how it should work.
Example:
1. I have removed user john from the linux box; when I try to send mail to
john [at] domain.com I get Unknown user, of course, but when I try to send
mail to DOMAIN\john [at] domain.com sendmail accepts the message and puts it
into /var/mail/DOMAINjohn. id DOMAIN\john works fine, thanks to winbind, I
see guid and uid.
2. I have tried to use virtusertable like this:
john [at] domain.com DOMAIN\john

but nothing, sendmail seems to ignore all "\".

I have googled a lot, and it sounds like I should use LDAP routing for my
task, but I don't have all my AD users in the same OU. They are all in
different domains, that is why I can't use ldap auth with saslauthd.

Any suggestions are welcome.
askon23 [ Thu, 18 October 2007 14:43 ] [ ID #1848787 ]

Re: All mail users in AD, but mbox on linux server

askon23 [at] gmail.com wrote:
> I have a mail server on linux with sendmail 8.14.1 [...]
> Additionally I want to remove all mail users from the linux box, but at
> this time I don't have any ideas on how it should work.

The "mbox" message store is tied to Unix/Linux system users.
You need a message store which is independent of the system user
database, for example Cyrus IMAP Server, which can be configured
to authenticate against AD.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
Tilman Schmidt [ Thu, 18 October 2007 17:03 ] [ ID #1848796 ]

Re: All mail users in AD, but mbox on linux server

In article <1192711414.229474.195440 [at] i38g2000prf.googlegroups.com>
askon23 [at] gmail.com writes:
>Now I want to have the ability to use winbind authentication for POP3/IMAP
>users. I have configured popa3d to use pam_winbind - it's doing its
>job fine, but when I use the DOMAIN1\john login in a POP3 session popa3d
>tries to open this mbox for me - /var/mail/DOMAIN1\\john - but I
>don't have this mbox.

Well, this has nothing to do with sendmail of course - maybe you can get
sendmail to ask the local mailer to deliver to mailboxes that have
backslashes in the name, and maybe you can get the local mailer to agree
to do that, but I really, really don't think you want to (see below). If
you used a pop3 server that could do some mapping username->mailbox (I
have no suggestions but I'm sure they exist), the whole problem goes
away.

>Additionally I want to remove all mail users from the linux box, but at
>this time I don't have any ideas on how it should work.

That seems to be another reason to not bother with trying to get the
backslash-mess to work.

>Example:
>1. I have removed user john from the linux box; when I try to send mail to
>john [at] domain.com I get Unknown user, of course, but when I try to send
>mail to DOMAIN\john [at] domain.com sendmail accepts the message and puts it
>into /var/mail/DOMAINjohn. id DOMAIN\john works fine, thanks to winbind, I
>see guid and uid.
>2. I have tried to use virtusertable like this:
>john [at] domain.com DOMAIN\john
>
>but nothing, sendmail seems to ignore all "\".

It doesn't really, but just like in many other contexts in Unix, a
single backslash is "eaten" with various not-immediately-obvious
effects. E.g. in the shell it prevents interpretation of an immediately
following meta-char such as '$' but is otherwise ignored - with sendmail
it prevents aliasing/forwarding of the address.

You could try DOMAIN\\john, it might work for getting DOMAIN\john to the
local mailer, but it may well eat a single slash too in which case you
need DOMAIN\\\\john, but you said that the mailbox your pop3 server
wanted wasn't DOMAIN\john but DOMAIN\\john, so you'd end up with
DOMAIN\\\\\\\\john - and even if that would finally work, which I really
doubt, having filenames with backslashes in them is a big pain in
general.

--Per Hedeland
per [at] hedeland.org
per [ Sat, 20 October 2007 02:24 ] [ ID #1850363 ]

Re: All mail users in AD, but mbox on linux server

On 20 oct, 03:24, p... [at] hedeland.org (Per Hedeland) wrote:
> Well, this has nothing to do with sendmail of course - maybe you can get
> sendmail to ask the local mailer to deliver to mailboxes that have
> backslashes in the name, and maybe you can get the local mailer to agree
> to do that, but I really, really don't think you want to (see below).

You are absolutely right! I have tried changing "\" to "+" as the winbind
separator and all seems to start to work!
Now I can use DOMAIN+john in virtusertable or aliases.
For example if I specify in virtusertable:
someuser [at] domain.com DOMAIN\+someuser

After the first try to send email to someuser [at] domain.com the mbox
/var/mail/DOMAIN+someuser will be created and I can get it via pop3 using
AD authentication as user DOMAIN+someuser. Fine! :)

Now I'm planning to improve this scheme:
I want new AD users that need mail to be added to virtusertable
automatically. I think it can be done via a cron script that will check
'getent passwd' for new AD users every 30 minutes; if the script sees new
users it will do an ldapsearch for each of them and determine the email
address from AD. Also I think it is possible to get the current user group
from AD - for example, emails will only be accepted for users in
"mailgroup" in AD.

But adding new users is only 50% of the task. I also need to disable
some mail accounts for AD users from time to time - it looks more
difficult to me because:
If a user account is totally disabled/removed in AD, it is quite easy
to use the same script that checks 'getent passwd' and removes users that
exist in virtusertable and don't exist in AD. But how to check that
some user from AD is no longer part of the AD "mailgroup"? I see only one
solution to this problem - check all AD users through ldapsearch to see if
they are still in "mailgroup". For a system with 1000+ users doing this
check every 30 minutes is a bad idea, right?

Same troubles for SMTP auth - if I remove a user from "mailgroup" they
can still send mail, because winbind still authenticates this user. Is
there some way to check the AD group membership of a user at the pam
level?

Maybe I'm trying to reinvent the wheel and all my "problems" are
already solved? Any ideas?
askon23 [ Wed, 24 October 2007 10:10 ] [ ID #1853899 ]
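As an added example (not code from the thread or any poster), here is a Python sketch of the cron-job logic the post above describes: it takes `getent passwd` output, keeps only winbind accounts whose AD attributes put them in "mailgroup", escapes the "+" separator the way the virtusertable entry above does (DOMAIN\+user), and computes which entries to add and which to remove. The AD attributes, the passwd lines and the current table are constructed stand-ins; all function names are assumptions.

```python
# Added example, not from the thread: build sendmail virtusertable entries
# for winbind accounts with '+' as separator, gated on AD group membership.
# ldapsearch is stubbed with constructed data; a real cron job would feed
# `getent passwd` output and ldapsearch results into the same functions.
SEP = "+"                 # winbind separator chosen in the thread
MAIL_GROUP = "mailgroup"  # AD group that grants a mailbox (from the thread)

# Constructed `getent passwd` output: same user in two domains, one local.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
DOMAIN1+john:*:10001:10000:John:/home/DOMAIN1/john:/bin/false
DOMAIN2+john:*:20001:20000:John:/home/DOMAIN2/john:/bin/false
DOMAIN1+alice:*:10002:10000:Alice:/home/DOMAIN1/alice:/bin/false
"""
# Constructed stand-in for per-user ldapsearch: account -> (mail, groups).
AD = {
    "DOMAIN1+john": ("john@domain.com", ["mailgroup", "staff"]),
    "DOMAIN2+john": ("john.sm@domain.com", ["staff"]),  # not in mailgroup
    "DOMAIN1+alice": ("alice@domain.com", ["mailgroup"]),
}
# Constructed current virtusertable; bob has left AD and must be dropped.
CURRENT = "john@domain.com\tDOMAIN1\\+john\nbob@domain.com\tDOMAIN1\\+bob\n"

def winbind_users(passwd_text):
    """DOMAIN+user accounts from getent passwd output (local users skipped)."""
    names = (line.split(":", 1)[0] for line in passwd_text.splitlines())
    return [n for n in names if SEP in n]

def virtuser_rhs(name):
    """Escape the separator so sendmail does not parse '+user' as a detail."""
    return name.replace(SEP, "\\" + SEP)

def parse_table(text):
    """virtusertable text -> {email: rhs}; blank and comment lines ignored."""
    rows = (line.split(None, 1) for line in text.splitlines()
            if line.strip() and not line.startswith("#"))
    return {mail: rhs for mail, rhs in rows}

def desired_table(passwd_text, ad):
    """{email: escaped account} for MAIL_GROUP members still present in AD."""
    table = {}
    for name in winbind_users(passwd_text):
        mail, groups = ad.get(name, (None, []))
        if mail and MAIL_GROUP in groups:  # disabled/removed users fall out
            table[mail] = virtuser_rhs(name)
    return table

def diff_table(current, desired):
    """Entries to add or change, and entries to remove, for the cron log."""
    add = {k: v for k, v in desired.items() if current.get(k) != v}
    remove = {k: v for k, v in current.items() if k not in desired}
    return add, remove
```

The output of diff_table is what the job would write to virtusertable (then run makemap) and log; the per-user ldapsearch the post worries about is the part stubbed by the AD dictionary.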

Re: All mail users in AD, but mbox on linux server

askon23 [at] gmail.com wrote:
> On 20 oct, 03:24, p... [at] hedeland.org (Per Hedeland) wrote:
>> Well, this has nothing to do with sendmail of course - maybe you can get
>> sendmail to ask the local mailer to deliver to mailboxes that have
>> backslashes in the name, and maybe you can get the local mailer to agree
>> to do that, but I really, really don't think you want to (see below).
>
> You are absolutely right! I have tried changing "\" to "+" as the winbind
> separator and all seems to start to work!
> Now I can use DOMAIN+john in virtusertable or aliases.
> For example if I specify in virtusertable:
> someuser [at] domain.com DOMAIN\+someuser
>
> After the first try to send email to someuser [at] domain.com the mbox
> /var/mail/DOMAIN+someuser will be created and I can get it via pop3 using
> AD authentication as user DOMAIN+someuser. Fine! :)
>
> Now I'm planning to improve this scheme:
> I want new AD users that need mail to be added to virtusertable
> automatically. I think it can be done via a cron script that will check
> 'getent passwd' for new AD users every 30 minutes; if the script sees new
> users it will do an ldapsearch for each of them and determine the email
> address from AD. Also I think it is possible to get the current user group
> from AD - for example, emails will only be accepted for users in
> "mailgroup" in AD.

You might as well try ldap routing, forcing the destination address to
be local. It might need some tweaking in the confLDAP_DEFAULT_SPEC and
the ldap routing feature, but there is some documentation in the archive.

cheers

Erich
mega [ Wed, 24 October 2007 14:19 ] [ ID #1853900 ]