RE: [Exim] OT: Problem with recipient verification to an exc…

Author: Peter Savitch
Date:  
To: Nathan Ollerenshaw
CC: exim-users
Subject: RE: [Exim] OT: Problem with recipient verification to an exchange server
Hello Nathan,

You DO NOT need the X2003, transport event sinks, and so on ;-)
What you need is a base familiarity with LDAP.

Just use Exim's LDAP lookup, something like this:
1) LDAP objectClass equal matching with either
    `user', `group' or `publicFolder'
2) LDAP proxyAddresses equal matching with
    SMTP:${quote_ldap:${local_part}@${domain}}


You need an Active Directory account called `exim mailer', located in
the Users OU or somewhere else. Do not give this account any permission
other than to query AD. If you have multiple DCs or multiple Exchange
servers (or multiple Exims), you could use a DNSDB SRV lookup and a more
complex setup, but that's out of scope for this message. Making an
Exchange bridgehead is a good option.

So, the LDAP setup might look like this.

=cut
# somewhere in the global section
ldap_default_servers = your-dc.domain.org

INTERIOR_MX = your-exchange-bridgehead.domain.org
LDAP_AD_BINDDN = "cn=exim mailer,ou=Users,dc=domain,dc=org"
LDAP_AD_PASS = "VerySecretPassword"
LDAP_AD_BASE_DN = "dc=domain,dc=org"

LDAP_AD_MAIL_RCPT = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap:///LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )
=cut


Then, use the lookups in a router. This router DOES NOT produce
transports. You need an additional router called `interior' that does
this. Just make it (driver = manualroute) and you're in.

=cut
# somewhere in routers section
adsi:
  driver = redirect
  domains = +relay_domains
  allow_fail
  allow_defer
  forbid_file
  forbid_pipe
  redirect_router = interior
  data = ${lookup ldap {LDAP_AD_MAIL_RCPT}\
    {${local_part}@${domain}}{:fail: User unknown}}
=cut


That's almost all. It works just great; you do not need to touch Exim,
only AD. Again, if your DC is down, no mail will pass in. But you can
make as many DCs as you like and ask Exim to query them all, for a
fail-safe, redundant setup.

Take care.
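The two pieces the message above leaves to the reader, as an added example that is not part of Peter's post: the ACL statement that actually performs recipient verification at RCPT time, and the `interior' manualroute router that the `adsi' router hands its addresses to. It assumes the macros (INTERIOR_MX, LDAP_AD_*), the `adsi' router and the relay_domains list from the post are already in the configuration; the ACL name acl_check_rcpt, the domain domain.org and the transport name remote_smtp are assumptions. One caveat on the bind DN: in a default AD domain the Users container is cn=Users, not ou=Users, so point LDAP_AD_BINDDN at wherever the `exim mailer' account really lives.

```exim
# Added example (not the original poster's configuration). Exim config
# does not allow trailing comments on option lines, so every comment sits
# on its own line.

# --- main (global) section ---
# Assumed: the domains that belong to the Exchange server.
domainlist relay_domains = domain.org
acl_smtp_rcpt = acl_check_rcpt

# --- ACL section ---
acl_check_rcpt:
  # verify = recipient runs the routers (adsi, then interior) on the
  # RCPT address without delivering anything. The `:fail:' branch of the
  # adsi lookup turns into a 550 here. If the DC cannot be queried, the
  # LDAP lookup defers, the condition defers, and the client gets a 451
  # and retries later: nothing AD has not confirmed is accepted.
  deny    message = Unknown recipient
          domains = +relay_domains
          !verify = recipient
  accept  domains = +relay_domains
  deny    message = Relay not permitted

# --- routers section (after the adsi router) ---
# adsi hands every AD-confirmed address here via redirect_router = interior;
# manualroute sends it straight to the Exchange bridgehead.
interior:
  driver = manualroute
  domains = +relay_domains
  transport = remote_smtp
  route_list = * INTERIOR_MX

# --- transports section ---
remote_smtp:
  driver = smtp
```

Because the adsi router uses allow_defer and allow_fail, the two failure modes stay distinct: an address that AD does not know is rejected permanently, while an unreachable DC produces a temporary rejection rather than an accept, which is the fail-closed behaviour the message describes ("if your DC is down, no mail will pass in").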

-----Original Message-----
From: exim-users-admin@??? [mailto:exim-users-admin@exim.org] On Behalf Of Nathan Ollerenshaw
Sent: Wednesday, August 18, 2004 12:19 PM
To: Exim users list
Subject: [Exim] OT: Problem with recipient verification to an exchange server

I'm trying to get recipient verification working on one of our mail
relays that I just installed exim on.

I have a bunch of domains that need to have their recipient address
changed to $local_part@SOMEDOMAIN and sent to a specific server (our
exchange server).