[exim] Exim + AD (trouble)

Pàgina inicial
Delete this message
Reply to this message
Autor: Alexandr Kobzarenko
Data:  
A: exim-users
Assumpte: [exim] Exim + AD (trouble)



Hi people.
First, forgive me for my bad English.
NOw i tryed configure Exim to work with 2008 serrver AD (LDAP) users.
But have some trouble, and dont know how to fix it..
When i try send mail from zerg@??? to zerg@???
i see the error in log

2013-03-02 16:00:13 [21494] End queue run: pid=21494
2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: SAEximRunCond
expand returned: '1'
2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: check succeeded,
running spamc
2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ SA: Action: scanned but
message isn't spam: score=-0.0 required=5.0 (scanned in 2/2 secs |
Message-Id: E1UBmz3-0005av-UQ@???). From
<root@???> (local) for kobzar@???
2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ <= root@???
U=root P=local S=754 T="Test" from <root@???> for
kobzar@???
2013-03-02 16:00:19 [21513] 1UBmz3-0005av-UQ == kobzar@???
R=ldap_EXTdistrib_group defer (-1): condition check lookup defer

As i undestand, i have error in this sections in my config
"ldap_EXTdistrib_group"
But in global i have error on ldap filters. May be some one can show me
to my mistake.

My exim config and perl script

######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
primary_hostname = mx.emorion.com.ua
domainlist local_domains = @
domainlist relay_to_domains = emorion.com.ua
domainlist trust_domains = kuz.com.ua
hostlist local_net = 172.16.16.0/24 : 172.16.100.0/24
hostlist nonauth_hosts = 172.16.16.10

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

ldap_default_servers = 172.16.16.2::3268 : 172.16.16.4::3268

LDAP_AUTH = user="unix_ldap@???" pass="Пароль"
LDAP_BASE_SEARCH = ldap:///DC=jsp,DC=local
LDAP_DOMAIN = jsp.local
LDAP_MAIL_FILTER =
(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}${quote_ldap:$domain}))

av_scanner = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783

#SMTP SSL
# Какой порт будет слушать демон Exim
tls_advertise_hosts = *
tls_certificate = /usr/local/etc/exim/ssl/exim.crt
tls_privatekey = /usr/local/etc/exim/ssl/exim.key
tls_on_connect_ports = 465
daemon_smtp_ports = 25:465

exim_user = mailnull
exim_group = mailnull

never_users = root

host_lookup = !+local_net
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 45m
timeout_frozen_after = 1d
split_spool_directory = true
helo_accept_junk_hosts = +local_net
smtp_banner = $primary_hostname ESMTP server
smtp_receive_timeout = 3m
smtp_accept_max = 100
smtp_accept_max_per_host = 10
smtp_accept_max_per_connection = 10
remote_max_parallel = 15
recipients_max = 120
message_size_limit = 10M
auth_advertise_hosts = +local_net : localhost

log_selector = \
+all \
-arguments \
-smtp_connection \
-all_parents \
-ident_timeout \
-incoming_port \
-outgoing_port \
-queue_time \
-queue_time_overall

syslog_timestamp = no
log_file_path = /var/log/exim/%s-%D.log
system_filter = /usr/local/etc/exim/filters/system-filter
system_filter_pipe_transport = address_pipe
system_filter_user = mailnull
system_filter_group = mailnull

# Скрипт для встроенного Perl. Использую для групп рассылок.
perl_startup = do '/usr/local/etc/exim/scripts/group_distrib_AD.pl'

######################################################################
# ACL CONFIGURATION #
# Specifies access control lists for incoming SMTP mail #
######################################################################
begin acl

acl_check_rcpt:
accept hosts = :
deny message = Restricted characters in address
domains = +relay_to_domains
local_parts = ^[.] : ^.*[@%!/|]
delay = 30s

deny message = Restricted characters in address
domains = !+relay_to_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
delay = 30s

accept hosts = !+local_net : !localhost
domains = +relay_to_domains
condition = ${lookup{$sender_address_domain}wildlsearch\
{/usr/local/etc/exim/db/whitelist}{yes}{no}}
logwrite = OK! The host $sender_address_domainis in the WHITE list

accept hosts = +nonauth_hosts
domains = +relay_to_domains

warn set acl_c1 = 0

warn condition = ${if eq{$sender_helo_name}{}{yes}{no}}
logwrite = SPAM. Send HELO/EHLO and your name first
set acl_c1 = ${eval:$acl_c1+1}

deny message = You are not allowed to send mail outside the own domain.
hosts = +local_net : localhost
domains = !+relay_to_domains
condition = ${if eqi{LD}{${lookup ldapm{LDAP_AUTH \
LDAP_BASE_SEARCH?physicalDeliveryOfficeName?sub?\
(samaccountName=$sender_address_local_part)}}}{yes}{no}}

accept hosts = +local_net : localhost
authenticated = *
control = dkim_disable_verify

drop message = Forbidden to send mail on behalf of users domain \
$sender_address_domain
hosts = !+local_net : !localhost
condition = ${if match_domain{$sender_address_domain}\
{$primary_hostname : +local_domains : +relay_to_domains}\
{yes}{no}}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${if or {{ isip{$sender_helo_name}}\
{eq{$sender_helo_name}{[$sender_host_address]}}}{yes}{no}}
logwrite = SPAM. Forbidden to use IP-address instead of the host name in
HELO
set acl_c1 = ${eval:$acl_c1+2}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${if match_domain{$sender_helo_name}\
{$primary_hostname : +local_domains : +relay_to_domains}{yes}{no}}
logwrite = SPAM. In HELO a name of our server
set acl_c1 = ${eval:$acl_c1+3}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
logwrite = SPAM. Yours PTR and A records DNS do not conform
set acl_c1 = ${eval:$acl_c1+4}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${lookup{$sender_host_name}wildlsearch\
{/usr/local/etc/exim/db/blacklist}{yes}{no}}
logwrite = SPAM. $sender_host_name in our local blacklist
set acl_c1 = ${eval:$acl_c1+6}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${if and {{match{$sender_host_name}\
{\N(?>[^.]+[.]){5,}|(?>[^-]+[\-]){4,}\N}}\
{!match{$sender_host_name}{\N\.yahoo\.com$\N}}}{yes}{no}}
logwrite = SPAM. Too many point or hyphens in the hostname
($sender_host_name)
set acl_c1 = ${eval:$acl_c1+7}


warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
condition = ${if !match{$sender_host_name}{\N\.yahoo\.com$\N}{yes}{no}}
condition = ${lookup{$sender_host_name}\
wildlsearch{/usr/local/etc/exim/db/dialup_hosts}{yes}{no}}
logwrite = SPAM. $sender_host_name possibly represents dialup host
set acl_c1 = ${eval:$acl_c1+8}


warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
dnslists = cbl.abuseat.org : sbl-xbl.spamhaus.org : bl.spamcop.net
logwrite = SPAM. You in blacklist - $dnslist_domain --> $dnslist_text; \
$dnslist_value
set acl_c1 = ${eval:$acl_c1+9}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
spf = fail
logwrite = SPAM. SPF check failed: $sender_host_address is not allowed
to\
send mail from $sender_address_domain
set acl_c1 = ${eval:$acl_c1+10}

warn hosts = !+local_net : !localhost
condition = ${if eq{$acl_c1}{0}{yes}{no}}
!verify = sender/no_details/callout=15s
logwrite = SPAM. $acl_verify_message: $sender_address - does not exist
set acl_c1 = ${eval:$acl_c1+11}

warn hosts = !+local_net : !localhost
delay = 20s

accept domains = +relay_to_domains
hosts = !+local_net : !localhost

drop message = Access deny - this not open relay!


###################################################################################
### Проверяем тело письма ###
acl_check_data:

deny message = contains $found_extension file (blacklisted)
demime = com:vbs:bat:cmd:pif:scr:exe

deny malware = *
message = This message contains a virus ($malware_name).

deny message = This message contains a MIME error $demime_reason
demime = *
condition = ${if >{$demime_errorlevel}{2}{yes}{no}}

deny message = Incorrect headers syntax
hosts = !+local_net
!verify = header_syntax


accept
######################################################################
# ROUTERS CONFIGURATION #
# Specifies how addresses are handled #
######################################################################
begin routers

dnslookup:
driver = dnslookup
domains = !+relay_to_domains : !+local_domains
transport = remote_smtp
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
more = no
cannot_route_message = Remote domain not found in DNS

ldap_EXTdistrib_group:
driver = redirect
domains = +relay_to_domains
allow_fail
allow_defer
condition = ${if eqi{${quote:$local_part}@$domain}{${lookup
ldapdn{LDAP_AUTH
ldap:///DC=jsp,DC=local?mail?sub?(objectClass=group)}}}{no}{yes}}
data = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}

ldap_INTdistrib_group:
driver = redirect
domains = +relay_to_domains
allow_fail
allow_defer
condition = ${if and{{match{$local_part}{\N^dg_\N}}{match_domain\
{$sender_address_domain}{+relay_to_domains : +trust_domains}}}}
data = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}


ldap_aliases:
driver = redirect
domains = +relay_to_domains
allow_fail
allow_defer
data = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
?mail?sub?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
(objectClass=user)(url=${quote_ldap:$local_part}\
${quote_ldap:@}${quote_ldap:$domain}))}}

ldap_forwarding:
driver = redirect
domains = +relay_to_domains
allow_fail
allow_defer
data = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH?otherTelephone?sub?\
(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
(objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}\
${quote_ldap:$domain}))}},${quote:$local_part}@${quote:$domain}

ldap_dovecot:
debug_print = "R: ldap_local_user for $local_part@$domain"
driver = accept
domains = +relay_to_domains
condition = ${if eq{}{${lookup ldapdn{LDAP_AUTH LDAP_BASE_SEARCH\
??sub?LDAP_MAIL_FILTER}}}{no}{yes}}
transport = dovecot_lda
router_home_directory = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
?samaccountName?sub?LDAP_MAIL_FILTER}{/mail/$value/}}
user = 26
group = 26
more = no
cannot_route_message = Unknown address

system_aliases:
driver = redirect
domains = +local_domains
allow_fail
allow_defer
data = ${lookup{$local_part}lsearch{/etc/aliases}}
user = mailnull
group = mail
file_transport = address_file
pipe_transport = address_pipe

localuser:
driver = accept
domains = +local_domains
check_local_user
transport = local_delivery
cannot_route_message = Unknown address


######################################################################
# TRANSPORTS CONFIGURATION #
######################################################################
begin transports

remote_smtp:
driver = smtp

dovecot_lda:
driver = pipe
command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = mailnull
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

local_delivery:
driver = appendfile
file = /mail/UNIX/$local_part
delivery_date_add
envelope_to_add
return_path_add
group = mail
user = $local_part
mode = 0660
no_mode_fail_narrower

address_pipe:
driver = pipe
return_output

address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add

address_reply:
driver = autoreply

######################################################################
# RETRY CONFIGURATION #
######################################################################

begin retry

* quota
* * F,2h,15m; G,8h,1h,1.5


######################################################################
# REWRITE CONFIGURATION #
######################################################################

# There are no rewriting specifications in this default configuration
file.

begin rewrite


######################################################################
# AUTHENTICATION CONFIGURATION #
######################################################################



begin authenticators


dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth2

dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1

dovecot_gssapi:
driver = dovecot
public_name = GSSAPI
server_socket = /var/run/dovecot/auth-client
server_set_id = $auth1

# End of Exim configuration file




#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAP;
my %ldap_connect=(
HOST=>"172.16.16.4",
PORT=>"3268",
TIMEOUT=>"120",
BASE_DN=>"DC=JSP,DC=LOCAL",
BIND_DN=>"CN=unix_ldap,CN=Users,DC=JSP,DC=LOCAL",
BIND_PASS=>"Password",
VERSION=>"3"
);
sub get_mail_lists
{
my $address = shift;
my ($user_mail, $dn, $mesg, $entry, $mail_lists);
my (@array_of_ldap_search, @entries);
$mail_lists="";
my $ldap = Net::LDAP->new($ldap_connect{'HOST'},
version=>$ldap_connect{'VERSION'}, \
port=>$ldap_connect{'PORT'}, timeout=>$ldap_connect{'TIMEOUT'}) or die
exit 0;

$mesg=$ldap->bind($ldap_connect{'BIND_DN'}, password =>
$ldap_connect{'BIND_PASS'}) or die exit 0;

$mesg = $ldap->search(
base => $ldap_connect{'BASE_DN'},
scope => 'sub',
filter => "(&(objectClass=top)(objectClass=group)(mail=$address))",
attrs => ['member']
);

foreach $entry ($mesg->entries) {
@array_of_ldap_search = $entry->get_value("member");
}

foreach $dn (@array_of_ldap_search) {
$mesg =
$ldap->search(filter=>"(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(objectClass=person)(distinguishedName=$dn))",
base=>$ldap_connect{'BASE_DN'},
scope =>'sub',
attrs=>['mail']
);


@entries = $mesg->entries;
foreach $entry (@entries) {
$user_mail = $entry->get_value("mail");
$mail_lists = $mail_lists."\n".$user_mail;
}
}
$ldap->unbind;
return $mail_lists;
}

#print get_mail_lists('mf@???'),"\n";