[Exim] Address verification using Active Directory -- Summar…

Góra strony
Delete this message
Reply to this message
Autor: Peter Savitch
Data:  
Dla: Nathan Ollerenshaw
CC: exim-users
Temat: [Exim] Address verification using Active Directory -- Summary
This summary is addressed to all heterogeneous (M$ + UN*X) environments.
It's objective is to give the administrators the necessary information
to reduce billions of bounce messages traveling across the public
networks.
Find out more at www dot microsoft dot com.

2 Philip Hazel: long time, Philip, it's me again, sorry for the OpenLDAP
;)

1. ABSTRACT.
While M$ Exchange is widely used for intranets, Exim internet gateway
capabilities are still unmatched.

Active Directory proxyAddresses attribute could be queried, retrieved
and used by Exim for address verification to reject unknown mail during
SMTP phase. M$ Exchange servers (prior to 2003) are considered incapable
of such a functionality. Additional things like SPAMWARE/MALWARE/ETC are
beyond the scope of this memo.

In general, W2K Global Catalog stores the whole AD forest object's
properties marked in AD schema as `for replication in Global Catalog'.
In particular, attribute proxyAddresses does have this option turned on
and appears in Global Catalog.
See also: PSDK documentation at msdn dot microsoft dot com.

Active Directory proxyAddresses attribute is created only for
mail-enabled objects (like User, Group or Public Folder) and is subject
to change according to recipient policies (see Exchange docs).

Please note:
a) Disabling the mail capabilities (deleting mailbox while leaving
account active) DOES remove the proxyAddresses attribute.
b) Disabling the account itself while leaving it's mailbox DOES NOT
remove the proxyAddress attribute. Exchange would STILL produce mail
bounces in this case.

Attribute proxyAddresses has multi-valued syntax with case-less string
matching. The exact address is prefixed by protocol, like this:

# extended LDIF
dn: CN=Peter Savitch,OU=Unit,DC=DOMAIN,DC=ORG
# ...
proxyAddresses: SMTP:address1@???
proxyAddresses: smtp:aDdrEss2@???
proxyAddresses: X400: ...
# ...

NOTE: W2K administrator can use Active Directory Users and Computers
snap-in to view/modify the proxyAddresses attribute.

2. SETUP.
To utilize AD, Exim administrators should obtain the latest version of
Exim and enable it's LDAP support (Exim 4.4x is recommended, 4.3x is
okay, OpenLDAP 2.1.x is recommended, 2.0.27 should be okay).

An Active Directory account must be created for Exim. It's _full_
Distinguished Name is used for USER credential. It could be created in a
separate OU with restricted security policy:

CN=MTA,OU=Restricted,DC=domain,DC=ORG

*** DO NOT GIVE ANY NTFS/DB/ETC PERMISSIONS FOR THIS ACCOUNT ***
*** NEVER USE ADMINISTRATOR'S DN FOR EXIM CREDENTIALS ***

3. THE LOOKUP MACRO
W2K Global Catalog is an LDAP server that (usually) listens on TCP port
3268 on any domain controller in the forest. The best-practice approach
for multi-site topologies is to locate the closest GC. This could be
done even dynamically utilizing the new Exim 4.4x DNSDB SRV lookups
(additional ${extract}'s should be used, see Exim docs) and new
`cache-everything' design:

${lookup dnsdb{srv=_gc._tcp.domain.org}{$value}fail}

This returns something like:

0 100 3268 dc1.domain.org
0 100 3268 dc2.domain.org

One may prefer the static setup using serverless URI's in lookups of
this kind:

ldap_default_servers = <; dc1.domain.org:3268 ; dc2.domain.org:3268

One can declare LDAP_AD_BINDDN, LDAP_AD_PASS, LDAP_AD_BASE_DN macros.
Sample:
LDAP_AD_BINDDN = "CN=MTA,OU=Restricted,DC=DOMAIN,DC=ORG"
LDAP_AD_PASS = "VerySecret"
LDAP_AD_BASE_DN = "DC=DOMAIN,DC=ORG"

To verify address one can query AD Global Catalog for exact attribute
matching, using this macro (note serverless LDAP URI):

LDAP_AD_MAIL_RCPT = \
  user=LDAP_AD_BINDDN \
  pass=LDAP_AD_PASS \
  ldap:///LDAP_AD_BASE_DN\
  ?mail?sub?\
  (&\
    (|\
      (objectClass=user)\
      (objectClass=publicFolder)\
      (objectClass=group)\
    )\
    (proxyAddresses=SMTP:${quote_ldap:${local_part}@${domain}})\
  )



4. EXIM ROUTER
One can use the `redirect' router like this:

adsi_check:
  driver = redirect
  domains = +relay_domains
  allow_fail
  allow_defer
  forbid_file
  forbid_pipe
  redirect_router = adsi_okay
  data = ${lookup ldap {LDAP_AD_MAIL_RCPT}\
    {${local_part}@${domain}}{:fail: User unknown}}


It does not produce any transports, but simply passes the verified
address to another router called `adsi_okay' for precise routing.

5. SECURITY
Exim itself (but not the OpenLDAP client library) is not capable of any
LDAP authentication other than simple. This gives the big security
disadvantage when passwords are being stored and transmitted in clear
text. Even more, Exim shows the passwords during panic and when it's
being run with -d+lookup. Administrators should prevent unauthorized
access to Exim configuration file(s), it's log files, it's debugging
capabilities, and secure the transmitting channels. TLS/SSL could be
used, but it's beyond the scope of this summary.

Active Directory account given to Exim MTA should not have ANY
permission other than to query the global catalog. Administrators should
remove this account even from default Domain Users group (just make
another group and set it as primary).

6. AUTHOR NOTES
M$ Exchange server (at least Exchange 2000) applies more strict address
syntax checking. Exim administrators can modify ACL's to accomplish
this:


# Forbid the .address@??? and address.@domain.org
  deny          message =       Invalid address
                senders =       \N^\.|\.@\N



Additional setup could be made for locating the closest Exchange
bridgehead dynamically.