Re: [exim] verify rcpt at smtp time via ldap

Author: Wolfgang Kohnen (FEYERABEND)
Date:  
To: Paul Shields
CC: exim-users
Subject: Re: [exim] verify rcpt at smtp time via ldap
Hi there!

Paul Shields schrieb:

> You can do the recipient check in the rcpt ACL (before the message is
> accepted). This way you can issue your 550 for each recipient that
> doesn't exist, rather than generating a bounce after you've received
> the message. Is this what you're trying to do?
Yes, more or less. My idea was to do this in a special router, but
directly in an acl seems to be more elegant... but: there are two
redirect routers in my config, one does something like local aliasing
and the other does (remote and local) forwarding -- both use special
ldap attributes for this.

> acl_check_rcpt:
>
> # Only accept mail if mailbox/alias can be found in LDAP
>
>   deny message   = Administrative prohibition - unable to validate recipient
>        condition = ${lookup ldap{LDAP_MANAGER \
>                      ldap:///ou=some,ou=ldap,dc=path,\
>                      dc=internal?cn?sub?(recipient=${quote_ldap:$local_part@$domain}) } {0}{1}}

This condition means that $local_part@$domain for at least one rcpt in
the smtp chat has to be equal to one "recipient" from my ldap? Well, my
setup is a little bit different: my users have the attribute "mail" with
their addresses. So, I would have to write
...?cn?sub(mail=${quote_ldap:local_part@domain}) -- did I understand
this correctly so far?

What about my two routers? One router rewrites matching
"alternateAddress" attributes to its entry's "mail" value (aliasing)
and one rewrites matching "mail" attributes to its "forwardingAddress"
values. Do I have to reflect these rewrites in that condition, i.e. do I
need three different ldap lookups in the acl? How can I "or" them?

The alternative is my router idea, but I am not sure about that. I
could tell my cyrus_delivery router to "no_verify" and then create a
new router "validate_local_user" which verifies $local_part@$domain
against "mail" values from my ldap but does nothing else than this
validation/verification. My hope is that all routing stuff will be
calculated (i.e. my aliasing and local forwarding) and every child
address gets validated in my "validate_local_user" -- so I don't have to
reflect every ldap based routing (which may change, who knows) in the
acl section. My hope is further that all these ldap lookups happen only
once -- at acl/verify time -- and are cached for the actual routing /
delivery.

But I am not sure if I am thinking straight. I am new to exim and --
you remember -- I have to move my lips while thinking about exim stuff. :-)

I don't know how to set up this router. Which driver? Do I need "unseen"
or something similar? Where to put the lookup, into a data expansion?

I am curious,
Wollie
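The router-based variant discussed in this message, written out as a complete Exim configuration fragment. This is an added illustration, not code from the thread or from the Exim project. It assumes a domain list named local_domains, a transport named cyrus_lmtp, an LDAP_MANAGER macro holding the bind credentials (as in the quoted ACL), and user entries carrying the "mail", "alternateAddress" and "forwardingAddress" attributes named above; the base DN is taken from the quoted lookup. The point of the layout is that the ACL only asks "verify = recipient" and lets the redirect routers do the aliasing and forwarding, so the three lookups do not have to be combined with an "or" in the ACL, and the 550 is issued at RCPT time instead of a bounce being generated after acceptance.

```exim
# --- main section (assumed values) ---
domainlist local_domains = example.internal          # assumed local domain
LDAP_BASE = ldap:///ou=some,ou=ldap,dc=path,dc=internal

begin acl

acl_check_rcpt:
  # Local (non-SMTP) submissions are not subject to the check.
  accept  hosts = :

  # Run the router chain in verify mode for each recipient. If no router
  # accepts the (possibly redirected) address, reject it now with a 550
  # rather than accepting the message and bouncing it later.
  deny    message = Administrative prohibition - unable to validate recipient
          domains = +local_domains
         !verify  = recipient

  accept  domains = +local_domains

  deny    message = relay not permitted

begin routers

# 1. Aliasing: an alternateAddress is rewritten to its entry's "mail" value.
#    An empty/failed lookup makes the redirect router decline.
ldap_alias:
  driver = redirect
  domains = +local_domains
  data = ${lookup ldap{LDAP_MANAGER LDAP_BASE?mail?sub?\
           (alternateAddress=${quote_ldap:$local_part@$domain})}}

# 2. Forwarding: a "mail" address is rewritten to its forwardingAddress
#    values (ldapm allows multiple values / entries).
ldap_forward:
  driver = redirect
  domains = +local_domains
  data = ${lookup ldapm{LDAP_MANAGER LDAP_BASE?forwardingAddress?sub?\
           (mail=${quote_ldap:$local_part@$domain})}}

# 3. Used only while verifying (verify_only): accept the address if some
#    entry's "mail" attribute equals it. Child addresses generated by the
#    two redirect routers above are verified through this router as well,
#    so the ACL never has to repeat the aliasing/forwarding logic.
validate_local_user:
  driver = accept
  domains = +local_domains
  verify_only
  condition = ${lookup ldap{LDAP_MANAGER LDAP_BASE?mail?sub?\
                (mail=${quote_ldap:$local_part@$domain})}{yes}{no}}

# 4. Real delivery; skipped in verify mode (no_verify), so the verify-only
#    router above does not affect routing of the accepted message.
cyrus_delivery:
  driver = accept
  domains = +local_domains
  no_verify
  transport = cyrus_lmtp                             # assumed transport name
```

Router order matters: the two redirect routers must precede validate_local_user so that verification of an aliased or forwarded address is performed on the generated child addresses. Lookup results are cached per Exim process; the verify-time lookups in the SMTP reception process are not shared with a later delivery process, so the same LDAP query may be issued again at delivery.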