Weblog entry #2 for alfadir
I have been working along with my server, and it is running. Lately I have been attacking the only real piece that is missing: email.
I picked exim4 as it is the standard mail server in Debian.
I am running two domains on one server: example.net and example.com.
I have created an LDAP router (using split configuration) in 850_exim4-config_ldap_user:
  ldap_user:
    debug_print = "R: ldap_user for $local_part@$domain"
    driver = accept
    domains = +local_domains
    local_parts = ${extract {uid}{${lookup ldap {USER_LOOKUP} {$value} fail }}}@$domain
    transport = LOCAL_DELIVERY
But the problem is that $domain ends up being debian.example.com for an email to user@example.com. The actual lookup works if the correct domain is supplied.
The paniclog shows the expanded query:
ldaps://ldap.example.com/ou=people,dc=debian,dc=example?uid,uidNumber?sub?(&(mail=user@debian.example.com)(uidNumber=*))
What fails is the dc=debian part, which is constructed by
  dc=${extract{1}{.}{${lc:$domain}}}
It is not possible to set up matching if the local hostname is used. What am I doing wrong? How can I access the server part of the incoming email address? Do I have to set up one LDAP router per domain?
The second problem is how to treat SMTP AUTH. How does that work with virtual servers? One option is to have the user supply the full mail address as the username. I guess Apache-like DNS matching is not possible: user X logging in to mail.example.net becomes authenticated as X@example.net and user Y logging in to mail.example.com becomes authenticated as Y@example.com.
Thirdly, what options and permissions does one have to set to have directories created?
I want to store all mail in /srv/mail/$domain/$local_part/Maildir and have created /srv/mail with owner Debian-exim.
  MAILDIR_HOME_MAILDIR_LOCATION = /srv/mail/${lc:$domain}/${lc:$local_part}/Maildir
  MAILDIR_HOME_CREATE_DIRECTORY = true
  MAILDIR_HOME_CREATE_FILE = anywhere
are set, but I get:
  (13): Permission denied: stat( ) error for /srv/mail/example.com/user/Maildir: Permission denied
(strangely, ${lc:$domain} here gives example.com and not debian.example.com).
Otherwise I am working on a write-up of all my experiences with other programs on the server. Everything else is nicely controlled by LDAP. I will publish it once I have a proper draft.
Comments on this Entry
The problem was that exim tried to send back bounces to my swaks test message from localhost, as a From address of user@debian.example.com was used.
Now the LDAP lookup is working:
  exim -bt -d+route user@example.com
helped to find the problems.
  ldap_user:
    debug_print = "R: ldap_user for $local_part@$domain"
    driver = accept
    domains = +local_domains
    local_parts = ${extract {uid}{${lookup ldap {USER_LOOKUP} {$value} fail }}}
    transport = LOCAL_DELIVERY
now works.
### router/199_exim4-config_primary
#################################
# This file holds the address validation stuff that has to be
# performed before delivery of nonlocal mails is considered.
.ifdef DCconfig_internet
# configtype=internet
#
# The BINDDN of the account doing the lookups...
LDAP_AD_BINDDN = "CN=ldap-lookup-account,OU=ServiceAccounts,OU=Labrats,DC=example, DC=com"
# ... and its password. Anything that can read this file learns it,
# so keep the file readable by root and Debian-exim only.
LDAP_AD_PASS = "password"
# The domain, forest or whatever the Windows terminology calls it in which to look up.
# Weird quotation, uh? With ordinary quotation marks strange errors occur.
LDAP_AD_BASE_DN = ${quote_ldap:DC=example,DC=com}
LDAP_AD_MAIL_RCPT = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap://dc.example.com/LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )

dnslookup_relay_to_domains__address_check:
  debug_print = "R: dnslookup_relay_to_domains__address_check for $local_part@$domain"
  driver = redirect
  domains = ! +local_domains : +relay_to_domains
  allow_fail
  allow_defer
  forbid_file
  forbid_pipe
  redirect_router = dnslookup_relay_to_domains
  data = ${lookup ldap {LDAP_AD_MAIL_RCPT}\
           {${local_part}@${domain}}{:fail: User unknown}}
.endif
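The same filter construction as the LDAP_AD_MAIL_RCPT macro above, as an added Python example that is not from the original entry or from Exim: it reproduces the quoting step and checks that a recipient address cannot alter the filter's structure, which is what the comment's ${quote_ldap:} is there for. Treating quote_ldap as RFC 4515 filter escaping followed by URL encoding is an assumption about Exim's exact behaviour; host, base DN and the local parts are constructed values.

```python
"""Recipient-verification LDAP URL from the comment above, built in Python.

Added example, not from the original entry or any Exim code. It approximates
Exim's ${quote_ldap:} as RFC 4515 filter escaping followed by URL
percent-encoding (an assumption); host, base DN and addresses are constructed
values taken from the comment.
"""
from urllib.parse import quote, unquote

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# The filter template from LDAP_AD_MAIL_RCPT has six ( and six ) of its own.
_TEMPLATE_PARENS = 6


def ldap_filter_escape(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def quote_ldap(value: str) -> str:
    """Approximation of Exim's ${quote_ldap:...}: filter-escape, then URL-quote."""
    return quote(ldap_filter_escape(value), safe="")


def rcpt_filter(local_part: str, domain: str) -> str:
    """The (&(|...)(proxyAddresses=SMTP:...)) filter with the address quoted."""
    address = quote_ldap(f"{local_part}@{domain}")
    return ("(&(|(objectClass=user)(objectClass=publicFolder)(objectClass=group))"
            f"(proxyAddresses=SMTP:{address}))")


def rcpt_url(local_part: str, domain: str,
             host: str = "dc.example.com", base_dn: str = "DC=example,DC=com") -> str:
    """Full LDAP URL in the form Exim's ldap lookup expects: host/base?attrs?scope?filter."""
    return f"ldap://{host}/{quote_ldap(base_dn)}?mail?sub?{rcpt_filter(local_part, domain)}"


def filter_is_intact(url: str) -> bool:
    """Check that the decoded filter still has exactly the template's structure,
    i.e. the recipient address could neither add nor close a filter component."""
    filt = unquote(url.split("?", 3)[3])
    return (filt.count("(") == _TEMPLATE_PARENS and filt.count(")") == _TEMPLATE_PARENS
            and filt.endswith("))"))


if __name__ == "__main__":
    for lp in ("user", "odd)name*"):  # constructed local parts, one with metacharacters
        url = rcpt_url(lp, "example.com")
        print(url, "intact" if filter_is_intact(url) else "BROKEN")
```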