[Gllug] Postfix mail relay & LDAP email address lookups

John Edwards john at cornerstonelinux.co.uk
Wed Jan 7 23:31:03 UTC 2009


On Wed, Nov 12, 2008 at 06:55:54PM +0000, John Edwards wrote:
> Hi
> 
> Just fishing for ideas.
> 
> 
> A lot of email that goes through mail relays gets bounced by
> the final email server when the email address is incorrect.
> 
> As these email addresses are already stored in an LDAP tree I
> reckoned there ought to be a way for postfix on the mail relay
> to check the LDAP tree to see if the 
> 
> 
> 1) Remove the relay domain from standard 'relay_domains' list.
> 
> 2) Add:
>     check_recipient_access ldap:/etc/postfix/ldap_lookup.cf
> 
> to Postfix 'smtpd_recipient_restrictions' section above the
> 'reject_unauth_destination' line, and after any DNS blacklists.
> 
> 
> 3) The ldap_lookup.cf file would contain something like:
> version = 3
> server_host = ldap://ldap_server_1 ldap://ldap_server_2
> search_base = ou=People,dc=cornerstonelinux,dc=co,dc=uk
> start_tls = yes
> bind = no
> query_filter = (&(mail=%s)(objectClass=posixAccount))
> result_attribute = mail
> result_format = OK %s
> 
> I added 'objectClass=posixAccount' to the search to exclude non-user
> LDAP entries such as address books.
> 
> Which seems to work OK on a test network, it accepts emails in LDAP
> and rejects others. So in effect we have relay for email addresses
> instead of whole domains.
> 
> 
> The next step is to see if this works with Active Directory.
> I don't see any reason why not as I can already do normal LDAP
> lookups on Active Directory using 'ldapsearch'.
> 
> 
> I seem to remember several years ago someone on GLLUG did a similar
> trick with exim that had to use SMTP to the final server to check if
> the email was valid. But I can't see a way to do this with Postfix.
> 
> Other people seem to use a Perl script to dump email addresses to a
> text file every day, which does not seem very elegant:
>     http://www-personal.umich.edu/~malth/gaptuning/postfix/
>     http://thelowedown.wordpress.com/2008/02/16/postfix-gateway-to-exchange/
> 
> Comment 12 at the bottom of the last article shows a way of using
> virtual_maps for something similar, but which can rewrite email
> addresses (which I don't want to do).
> 
> 
> Am I barking up the wrong tree, or could this actually be useful?

Just to finish this up - the better way is to use Postfix's
relay_recipient_maps instead of step 2 above.

The format of the ldap lookup file is the same except that the
result_format = %s OK


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
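
The end state described in this message, as an added configuration sketch that is not part of the original post. `example.com` is a placeholder for the relayed domain; the lookup file path and its contents are the ones given in the thread. Postfix consults relay_recipient_maps only for domains that match relay_domains, so the sketch assumes the domain is listed there.

```conf
# --- /etc/postfix/main.cf on the mail relay ---

# Placeholder domain (assumption, not from the post). The domain must
# match relay_domains for relay_recipient_maps to be applied to it.
relay_domains = example.com

# Recipients in a relay domain that are not found in this table are
# refused at RCPT TO, so the relay never accepts mail that the final
# server would later bounce.
relay_recipient_maps = ldap:/etc/postfix/ldap_lookup.cf

# --- /etc/postfix/ldap_lookup.cf (values as given in the post) ---

version = 3
server_host = ldap://ldap_server_1 ldap://ldap_server_2
search_base = ou=People,dc=cornerstonelinux,dc=co,dc=uk

# Encrypt the lookup; the bind itself is anonymous.
start_tls = yes
bind = no

# %s is the full recipient address. posixAccount limits matches to
# user entries, excluding address-book objects.
query_filter = (&(mail=%s)(objectClass=posixAccount))
result_attribute = mail

# Result format stated in the post for use with relay_recipient_maps.
result_format = %s OK
```

The table can be checked before going live with `postmap -q someone@example.com ldap:/etc/postfix/ldap_lookup.cf`, which prints a result for an address present in LDAP and prints nothing (non-zero exit status) for an unknown one.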