Gentoo Forums
postfix & Exchange 2000 verifying a user exists
-Craig-
Guru


Joined: 03 Jun 2004
Posts: 333

PostPosted: Mon May 07, 2007 3:31 pm    Post subject: postfix & Exchange 2000 verifying a user exists

Hi!
I've got a postfix server with an MX record for our domain, which filters mail and then forwards it to our Exchange server.
I want postfix not to forward mails to users that do not exist on that server.

I read this:
http://postfix.wiki.xs4all.nl/index.php?title=Relay_recipient_maps_using_LDAP_against_Active_Directory

/etc/postfix/main.cf:
Code:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
myhostname = postfix.xxx.com
mydomain = xxx.com
inet_interfaces = all

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

local_recipient_maps =
unknown_local_recipient_reject_code = 550

mynetworks_style = subnet
mynetworks = 192.168.x.0/24, 127.0.0.0/8, x.x.x.x/26

relay_domains = hash:/etc/postfix/relay_domains
in_flow_delay = 1s
header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = $myhostname ESMTP
debug_peer_level = 2

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.4.1/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.4.1/readme
home_mailbox = .maildir/

default_recipient_limit = 25
relay_recipient_maps =          ldap:/etc/postfix/ldap.cf

smtpd_client_restrictions =     permit_mynetworks,
                                reject_rbl_client zen.spamhaus.org,
                                reject_rbl_client dnsbl.sorbs.net,
                                reject_rbl_client list.dsbl.org,
                                reject_rbl_client bl.spamcop.net

smtpd_helo_restrictions =       permit_mynetworks, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname

smtpd_sender_restrictions =     permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain,
                                check_sender_access hash:/etc/postfix/sender_access ,
                                check_policy_service inet:127.0.0.1:10030

smtpd_recipient_restrictions =  permit_mynetworks, reject_unauth_destination

content_filter = smtp-amavis:[127.0.0.1]:10024
transport_maps = hash:/etc/postfix/transport


/etc/postfix/ldap.cf:
Code:

server_host =  exchange.xxx.com
search_base = dc=xxx,dc=com
version = 3

bind = yes
bind_dn = CN=postfix,CN=Users,DC=xxx,DC=com
bind_pw = xxxxxxx

query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail


I can verify that the ldap part works with:

postfix # /usr/sbin/postmap -q "nonexistent@xxx.com" ldap:/etc/postfix/ldap.cf
postfix # /usr/sbin/postmap -q "me@xxx.com" ldap:/etc/postfix/ldap.cf
me@xxx.com
postfix #

But the postfix config doesn't work; it never queries the Exchange/LDAP server. Any idea would be very cool ... :)
nobspangle
Veteran


Joined: 23 Mar 2004
Posts: 1318
Location: Manchester, UK

PostPosted: Mon May 07, 2007 4:13 pm    Post subject:

Presuming you've done all the usual stuff (restart postfix etc.), I can't really help with your LDAP config. What I do is use this perl script http://www-personal.umich.edu/~malth/gaptuning/postfix/ which just grabs the entire list of emails and then postmaps it.
igno2k
n00b


Joined: 13 Mar 2004
Posts: 29

PostPosted: Mon May 07, 2007 4:33 pm    Post subject:

If your exchange server supports the VRFY command, you can use reject_unverified_recipient under smtpd_recipient_restrictions.

If you use LDAP the performance could be very poor because there are more queries than on a simple hash file. It's better to extract the recipients from the LDAP to a simple hash file with this format:

foo@domain.tld OK

Then you can use the hash file with relay_recipient_maps and you should be fine.

Best regards
igno :)
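One way to produce the "address OK" file igno2k describes from the same proxyAddresses attribute the original poster queries, so it can be fed to postmap and attached to relay_recipient_maps as a hash: table. This is an added example, not code from the thread: the directory entries are constructed sample data standing in for an LDAP search result, and the domain list is an assumption (xxx.com and yyy.com are the thread's placeholders).

```python
"""Build a relay_recipient_maps source file (one "address OK" line per
mailbox) from Active Directory proxyAddresses values.  Added example, not
code from the thread; the entries below are constructed sample data, not a
live LDAP query, and the relayed domain list is an assumption."""
import re

# Constructed sample: what the proxyAddresses attribute of a few
# Exchange-enabled objects typically looks like.
SAMPLE_ENTRIES = [
    {"proxyAddresses": ["SMTP:me@xxx.com", "smtp:me.alias@xxx.com",
                        "X400:c=us;a= ;p=xxx;o=Exchange;s=Me;"]},
    {"proxyAddresses": ["SMTP:Sales@XXX.com", "smtp:sales@yyy.com"]},
    {"proxyAddresses": ["SMTP:guest@elsewhere.example"]},  # foreign domain
    {"proxyAddresses": ["smtp:not an address"]},           # malformed value
    {},                                                    # no mail attributes
]

# Loose syntactic check; it only has to weed out obviously broken values.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def extract_recipients(entries, relay_domains):
    """Return the sorted SMTP addresses that belong to the relayed domains.
    Primary ("SMTP:") and secondary ("smtp:") addresses are both deliverable,
    so the prefix is compared case-insensitively; addresses are lower-cased
    because postmap folds lookup keys to lower case unless -f is given."""
    wanted = {d.lower() for d in relay_domains}
    found = set()
    for entry in entries:
        for value in entry.get("proxyAddresses", []):
            if value[:5].lower() != "smtp:":
                continue  # X400:, X500:, SIP: ... are not SMTP addresses
            addr = value[5:].strip().lower()
            if ADDR_RE.match(addr) and addr.rpartition("@")[2] in wanted:
                found.add(addr)
    return sorted(found)


def render_table(addresses):
    """Emit the text that 'postmap hash:/etc/postfix/relay_recipients' reads."""
    return "".join(f"{addr} OK\n" for addr in addresses)


if __name__ == "__main__":
    # The two domains that appear in the transport map posted later in the thread.
    print(render_table(extract_recipients(SAMPLE_ENTRIES, ["xxx.com", "yyy.com"])), end="")
```

Write the output to the file named in relay_recipient_maps, run postmap on it, then `postfix reload`; re-run the extraction on a schedule so new mailboxes are picked up.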
-Craig-
Guru


Joined: 03 Jun 2004
Posts: 333

PostPosted: Mon May 07, 2007 6:33 pm    Post subject:

@nobspangle: Fetching the addresses works, but relay_recipient_maps = hash:/etc/postfix/your_recipients also doesn't work for some reason. It's very strange.

@igno2k: The server does not support VRFY, but it would be safe to enable it, as it's not directly reachable from the internet. I read about it, but the performance is worse than LDAP.

I'd absolutely prefer querying LDAP.
igno2k
n00b


Joined: 13 Mar 2004
Posts: 29

PostPosted: Tue May 08, 2007 5:58 am    Post subject:

I use VRFY - it's fast enough for 5.000 mailboxes ;)

BTW: Shouldn't the LDAP file have a format like this:
user@domain.tld OK

This could be the problem.

Regards
igno
-Craig-
Guru


Joined: 03 Jun 2004
Posts: 333

PostPosted: Tue May 08, 2007 9:27 am    Post subject:

Hmm, well. I wanted to give VRFY a try, BUT for some reason the registry key mentioned here: http://support.microsoft.com/default.aspx?scid=kb;en-us;289521 (MSExchangeIMC) does not exist. So how did you enable it? We're using an exchange 5.5 with win 2000:
Code:

252 2.1.5 Cannot VRFY user, but will take message for <existing@xxx.com>
252 2.1.5 Cannot VRFY user, but will take message for <nonexistent@xxx.com>


:/

Back to postfix, my example_recipients:
Code:

existent@xxx.com   OK


Code:

postfix # postmap example_recipients
postfix # postmap -q existent@xxx.com hash:/etc/postfix/example_recipients
OK
postfix # postmap -q nonexistent@xxx.com hash:/etc/postfix/example_recipients
postfix #


Yet, it doesn't work; postfix happily accepts messages to nonexistent@xxx.com.
It's also strange that the LDAP module returns the username and not "OK".
igno2k
n00b


Joined: 13 Mar 2004
Posts: 29

PostPosted: Tue May 08, 2007 9:49 am    Post subject:

-Craig- wrote:
Hmm, well. I wanted to give VRFY a try, BUT for some reason the registry key mentioned here: http://support.microsoft.com/default.aspx?scid=kb;en-us;289521 (MSExchangeIMC) does not exist. So how did you enable it? We're using an exchange 5.5 with win 2000:
Code:

252 2.1.5 Cannot VRFY user, but will take message for <existing@xxx.com>
252 2.1.5 Cannot VRFY user, but will take message for <nonexistent@xxx.com>



No M$ here ;)
Strange thing - no other options available in Exchange server?

-Craig- wrote:

Back to postfix, my example_recipients:
Code:

existent@xxx.com   OK


Code:

postfix # postmap example_recipients
postfix # postmap -q existent@xxx.com hash:/etc/postfix/example_recipients
OK
postfix # postmap -q nonexistent@xxx.com hash:/etc/postfix/example_recipients
postfix #


Yet, it doesn't work; postfix happily accepts messages to nonexistent@xxx.com.
It's also strange that the LDAP module returns the username and not "OK".


You did a postfix reload after a postmap /etc/postfix/example_recipients ? Then it should work...

Regards
igno
-Craig-
Guru


Joined: 03 Jun 2004
Posts: 333

PostPosted: Tue May 08, 2007 10:20 am    Post subject:

I tested from 192.168.0.x, which is not in "mynetworks", so I'm external.
I guess I found out what's wrong:

/etc/postfix/transport:
Code:

xxx.com              smtp:192.168.2.11
yyy.com              smtp:192.168.2.11


I think it might immediately forward and ignore relay_recipient_maps?!
I also tried a few things with virtual_transport etc. but I failed :/
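The thread ends without an answer to why relay_recipient_maps is never consulted. Postfix's ADDRESS_CLASS_README points at the posted main.cf itself: mydestination contains $mydomain (xxx.com), which puts that domain in the local address class, where the empty local_recipient_maps accepts every user, while relay_recipient_maps is only checked for relay-class domains and transport_maps does not change the class. The model below is an added example, not from the thread; the relay_domains hash contents and the LDAP lookup result are assumptions.

```python
"""Model of the Postfix address-class rule that decides which recipient
table gates an address (ADDRESS_CLASS_README): a domain in mydestination is
local and checked against local_recipient_maps; a domain in relay_domains
that is not also local is checked against relay_recipient_maps.  Added
example, not from the thread; relay_domains contents and the LDAP result
are assumptions, xxx.com is the thread's placeholder domain."""


def classify(domain, cfg):
    """Return 'local', 'relay' or None (not a domain this server accepts)."""
    d = domain.lower()
    if d in {x.lower() for x in cfg["mydestination"]}:
        return "local"  # mydestination is consulted before relay_domains
    if d in {x.lower() for x in cfg["relay_domains"]}:
        return "relay"
    return None


def recipient_check(addr, cfg):
    """Mimic reject_unauth_destination plus the implicit reject_unlisted_recipient
    check for one RCPT TO address.  A table set to None (empty in main.cf)
    means every user in that class is accepted."""
    cls = classify(addr.rpartition("@")[2], cfg)
    if cls is None:
        return "reject: relay access denied"
    table = cfg["local_recipient_maps"] if cls == "local" else cfg["relay_recipient_maps"]
    if table is None:
        return f"accept: {cls} class, no recipient table configured"
    if addr.lower() in table:
        return f"accept: {cls} class, listed"
    return f"reject: {cls} class, user unknown"


# As posted: $mydomain (xxx.com) is in mydestination, local_recipient_maps is
# empty and the LDAP table hangs off relay_recipient_maps only.
POSTED = {
    "mydestination": ["postfix.xxx.com", "localhost.xxx.com", "localhost", "xxx.com"],
    "relay_domains": ["xxx.com", "yyy.com"],  # assumed hash file contents
    "local_recipient_maps": None,
    "relay_recipient_maps": {"me@xxx.com"},   # constructed LDAP result
}
# Same settings with xxx.com dropped from mydestination, so it becomes a
# relay domain and the relay_recipient_maps lookup is actually performed.
FIXED = dict(POSTED, mydestination=["postfix.xxx.com", "localhost"])

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        for rcpt in ("me@xxx.com", "nonexistent@xxx.com", "x@other.example"):
            print(f"{name:6} {rcpt:22} {recipient_check(rcpt, cfg)}")
```

On a real server the same question is answered by `postconf mydestination relay_domains` and by watching the LDAP server's connection log while sending RCPT TO for an unknown user; no query at all means the domain is not in the relay class.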