Re: [Exim] exim exchange2000 ldap

Author: Bruce Richardson
Date:  
To: Exim Users
Subject: Re: [Exim] exim exchange2000 ldap
On Mon, Apr 05, 2004 at 05:14:28PM +0200, Bauer, Felix wrote:
> > Q: Do the exchange server and exim box share a domain, so that an
> > account somebody@??? might be on one or the other? Or do they
> > have entirely separate domains?
>
> A: Yes, they are in the same subnet, both with the same dns-suffix and
> no somebody@??? only exists on AD/Exchange. The exim-mailserver
> is set up on my company's firewall for initial testing and will move to
> a DMZ later, but will never carry users' mailboxes, only act as relay for
> spam/virus checking.


Well, assuming you can configure Exchange to reject mail for invalid
accounts at the smtp conversation stage, then you can, if you like,
avoid ldap altogether and use smtp callout verification. The way this
works is, when Exim is receiving a message, it checks each recipient
with the machine that it will ultimately deliver the message to. If the
destination machine rejects the message, Exim rejects it.

Now, if you can't configure Exchange to do that, read no further.
According to a recent thread in this list, Exchange 2003 can do it quite
easily while (iirc) Exchange 2000 can be persuaded with a bit of
kicking. If you manage that, then a config something like this will
work:

-----------------------------------------------------------------------
domainlist relay_domains = main.mail.domain
domainlist local_domains = @ : @[]
hostlist lan_hosts = internal : hosts : allowed.to.send

acl_smtp_rcpt = check_recipient
primary_hostname = dns.name.for.this.box

begin acl

check_recipient:
  accept  hosts = :
  deny    local_parts = ^.*[@%!/|] : ^\\.
  accept  local_parts = postmaster
          domains = +local_domains : +relay_domains
  deny    hosts = !+lan_hosts : *
         !verify = sender
  deny    domains = +relay_domains
         !verify = recipient/defer_ok/callout=no_cache
  accept  domains = +local_domains
  accept  domains = +relay_domains
  accept  hosts = +lan_hosts
  deny    message = relay not permitted


begin routers

this_machine:
  driver = redirect
  domains = +local_domains
  local_parts = postmaster : root
  data = admin.address@???
  no_more

main_domain:
  driver = manualroute
  domains = +relay_domains
  route_list = * exchange.box.name.or.address
  transport = remote_smtp

external_mail:
  driver = dnslookup
  domains = ! +local_domains : ! +relay_domains
  transport = direct_smtp


begin transports

# referenced by the main_domain router above
remote_smtp:
  driver = smtp

direct_smtp:
  driver = smtp
-------------------------------------------------------------------------


Now, this is a very minimal configuration that does what your current
set-up requires. It doesn't deliver any mail locally: mail for root or
postmaster on the local machine is redirected to an administrative
address somewhere else (e.g. your exchange box). The key point is the
work done by these two lines:

  deny    domains = +relay_domains
         !verify = recipient/defer_ok/callout=no_cache


What that does is tell Exim to check with the Exchange box for every
incoming recipient and see if it will be accepted. If not, it rejects
that recipient. Since only valid recipients are accepted, you don't
have to worry at the router stage about doing any testing. Anything
with your main domain address that makes it to the main_domain router is
kosher.

A few notes:

    * the defer_ok means that it should accept mail if it can't
      find the Exchange box to verify.
    * The no_cache option is there just because of a bug in the
      latest version of Exim.  If you are using an earlier version
      than 4.31, you don't need it.
    * If your internal mail system becomes any more complex, this
      will need some reworking.
    * This example config does no virus checking or any serious spam
      filtering.
    * I have not tested this config.


But it does do what you want, with no LDAP lookups.

--
Bruce

Hierophant: someone who remembers, when you are on the way down,
everything you did to them on the way up.
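The callout described in the message above (Exim asking the Exchange box, per recipient, whether it would accept the address, and the ACL's defer_ok behaviour), modelled as an added Python example that is not part of the original post and not Exim's own code. The Exchange stand-in, the KNOWN_USERS set and the host name verifier.example are constructed for the demonstration; the probe itself follows the real callout shape (EHLO, MAIL FROM:<>, RCPT TO, QUIT, never DATA).

```python
import socket, threading

KNOWN_USERS = {"alice@main.mail.domain", "postmaster@main.mail.domain"}  # constructed sample

def smtp_callout(host, port, recipient, timeout=5.0):
    """Recipient callout: EHLO, MAIL FROM:<>, RCPT TO, QUIT (never DATA) -> 'accept'/'reject'/'defer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            def talk(cmd=None):           # send one command (none for the greeting), return reply code
                if cmd:
                    s.sendall(cmd.encode() + b"\r\n")
                while True:               # skip "250-" continuation lines of a multi-line reply
                    line = f.readline().decode(errors="replace")
                    if len(line) < 4 or line[3] != "-":
                        return line[:3]
            for cmd in (None, "EHLO verifier.example", "MAIL FROM:<>"):
                if not talk(cmd).startswith("2"):
                    return "defer"        # handshake failed: treat as temporary
            code = talk("RCPT TO:<%s>" % recipient)
            talk("QUIT")
    except OSError:
        return "defer"                    # connection refused or timed out
    return "accept" if code[:1] == "2" else "reject" if code[:1] == "5" else "defer"

def acl_verdict(callout_result, defer_ok=True):
    """Decision of the 'deny domains = +relay_domains / !verify = recipient/defer_ok' line."""
    if callout_result == "reject":
        return "deny"
    return "accept" if callout_result == "accept" or defer_ok else "defer"

def start_fake_exchange(sessions=1):
    """Constructed Exchange stand-in on a random localhost port: 250 for RCPT TO a
    KNOWN_USERS address, 550 otherwise. Serves `sessions` connections, returns the port."""
    srv = socket.socket(); srv.bind(("127.0.0.1", 0)); srv.listen(5)
    def serve():
        for _ in range(sessions):
            conn, _addr = srv.accept()
            with conn, conn.makefile("rb") as f:
                conn.sendall(b"220 exchange.box ESMTP\r\n")
                for raw in f:
                    cmd = raw.decode(errors="replace").strip()
                    if cmd.upper() == "QUIT":
                        conn.sendall(b"221 Bye\r\n")
                        break
                    unknown = cmd.upper().startswith("RCPT TO:") and cmd[8:].strip("<> ").lower() not in KNOWN_USERS
                    conn.sendall(b"550 5.1.1 User unknown\r\n" if unknown else b"250 OK\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

An unreachable box yields "defer", which acl_verdict turns into "accept" only because defer_ok is set; without it the recipient is deferred rather than let through.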