[Gllug] Postfix mail relay & LDAP email address lookups

John Edwards john at cornerstonelinux.co.uk
Wed Nov 12 18:55:54 UTC 2008


Hi

Just fishing for ideas.


A lot of email that goes through mail relays gets bounced by
the final email server when the email address is incorrect.

As these email addresses are already stored in an LDAP tree I
reckoned there ought to be a way for postfix on the mail relay
to check the LDAP tree to see if the


1) Remove the relay domain from standard 'relay_domains' list.

2) Add:
    check_recipient_access ldap:/etc/postfix/ldap_lookup.cf

to Postfix 'smtpd_recipient_restrictions' section above the
'reject_unauth_destination' line, and after any DNS blacklists.


3) The ldap_lookup.cf file would contain something like:
version = 3
server_host = ldap://ldap_server_1 ldap://ldap_server_2
search_base = ou=People,dc=cornerstonelinux,dc=co,dc=uk
start_tls = yes
bind = no
query_filter = (&(mail=%s)(objectClass=posixAccount))
result_attribute = mail
result_format = OK %s

I added 'objectClass=posixAccount' to the search to exclude non-user
LDAP entries such as address books.

This seems to work OK on a test network: it accepts emails in LDAP
and rejects others. So in effect we have relay for email addresses
instead of whole domains.
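The following is an added example, not code from the post or from Postfix itself. It models in Python the decision flow that steps 1 to 3 set up: the relayed domain is no longer in relay_domains, a check_recipient_access LDAP table is consulted first, and reject_unauth_destination runs afterwards, so an address missing from the tree is refused at the relay instead of being bounced by the final server. The directory entries, the hostname in mydestination and the recipient addresses are constructed sample data. Two things in it are assumptions beyond the post: the 'domain' table parameter (a real ldap_table setting, added here so that an entry whose mail attribute lives in some other domain cannot return OK and turn the relay into a forwarder for that address), and the filter escaping, which imitates the RFC 2254 quoting Postfix applies to %s before building query_filter.

```python
import re

# Constructed sample directory standing in for the LDAP tree.
DIRECTORY = [
    {'dn': 'uid=john,ou=People,dc=cornerstonelinux,dc=co,dc=uk',
     'uid': ['john'], 'mail': ['john@cornerstonelinux.co.uk'],
     'objectClass': ['inetOrgPerson', 'posixAccount']},
    {'dn': 'cn=sales,ou=People,dc=cornerstonelinux,dc=co,dc=uk',
     'mail': ['sales@cornerstonelinux.co.uk'],
     'objectClass': ['inetOrgPerson']},            # address-book entry, not a user
    {'dn': 'uid=alice,ou=People,dc=cornerstonelinux,dc=co,dc=uk',
     'uid': ['alice'], 'mail': ['alice@example.net'],  # external address stored in the tree
     'objectClass': ['inetOrgPerson', 'posixAccount']},
]

# Mirrors ldap_lookup.cf from the post; 'domain' is an added restriction (assumption).
LDAP_TABLE = {
    'query_filter': '(&(mail=%s)(objectClass=posixAccount))',
    'result_attribute': 'mail',
    'result_format': 'OK %s',
    'domain': {'cornerstonelinux.co.uk'},
}

RELAY_DOMAINS = set()                               # step 1: domain removed from relay_domains
MYDESTINATION = {'relay.cornerstonelinux.co.uk'}    # constructed relay hostname

# RFC 2254 / RFC 4515 escaping of metacharacters in an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(key):
    """Quote a search key before it replaces %s, so a recipient string
    containing filter metacharacters cannot widen the query."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in key)

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

_ITEM = re.compile(r'\((\w+)=([^()]*)\)')

def entry_matches(entry, filt):
    """Evaluate an AND-of-equality filter like (&(mail=x)(objectClass=y))
    against one entry, comparing case-insensitively as LDAP does for mail."""
    items = _ITEM.findall(filt)
    if not items:
        return False
    for attr, raw in items:
        wanted = _unescape(raw).lower()
        if wanted not in [v.lower() for v in entry.get(attr, [])]:
            return False
    return True

def check_recipient_access(recipient):
    """check_recipient_access ldap:/etc/postfix/ldap_lookup.cf, simplified:
    returns the access action, or None when the table has no entry."""
    local, sep, domain = recipient.rpartition('@')
    # With 'domain' set, only fully qualified keys in a listed domain are
    # looked up; the bare-domain and user@ lookups of an access map are skipped.
    if not sep or not local or domain.lower() not in LDAP_TABLE['domain']:
        return None
    filt = LDAP_TABLE['query_filter'].replace('%s', escape_filter_value(recipient))
    results = [v for e in DIRECTORY if entry_matches(e, filt)
               for v in e.get(LDAP_TABLE['result_attribute'], [])]
    if not results:
        return None
    return LDAP_TABLE['result_format'].replace('%s', results[0])

def reject_unauth_destination(recipient):
    """Reject unless the domain is one we are the final destination or relay for."""
    domain = recipient.rpartition('@')[2].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return None                                 # restriction does not apply
    return '554 5.7.1 Relay access denied'

def smtpd_recipient_restrictions(recipient):
    """Walk the restriction list in the post's order (DNS blacklists, which
    would come first, are not modelled); the first non-empty action wins."""
    for restriction in (check_recipient_access, reject_unauth_destination):
        action = restriction(recipient)
        if action is not None:
            return action
    return 'permit'                                 # end of list: default permit

def decision(recipient):
    """Reduce the access action to accept/reject; only the first word counts."""
    return 'accept' if smtpd_recipient_restrictions(recipient).split()[0].upper() \
        in ('OK', 'PERMIT') else 'reject'

if __name__ == '__main__':
    for rcpt in ('john@cornerstonelinux.co.uk', 'sales@cornerstonelinux.co.uk',
                 'nobody@cornerstonelinux.co.uk', 'alice@example.net'):
        print(f'{rcpt:35} {smtpd_recipient_restrictions(rcpt)}')
```

On a real relay the equivalent check is postmap -q user@domain ldap:/etc/postfix/ldap_lookup.cf, which prints the result_format string for a hit and nothing for a miss, and is the quickest way to confirm that the posixAccount clause really excludes the address-book entries.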


The next step is to see if this works with Active Directory.
I don't see any reason why not as I can already do normal LDAP
lookups on Active Directory using 'ldapsearch'.


I seem to remember several years ago someone on GLLUG did a similar
trick with exim that had to use SMTP to the final server to check if
the email was valid. But I can't see a way to do this with Postfix.

Other people seem to use a Perl script to dump email addresses to a
text file every day, which does not seem very elegant:
    http://www-personal.umich.edu/~malth/gaptuning/postfix/
    http://thelowedown.wordpress.com/2008/02/16/postfix-gateway-to-exchange/

Comment 12 at the bottom of the last article shows a way of using
virtual_maps for something similar, but which can rewrite email
addresses (which I don't want to do).


Am I barking up the wrong tree, or could this actually be useful?


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#