Re: [exim] Exim + AD (trouble)

Author: Ian Eiloart
To: Alexandr Kobzarenko
CC: <exim-users@exim.org>
Subject: Re: [exim] Exim + AD (trouble)

On 2 Mar 2013, at 19:33, Alexandr Kobzarenko <puzo@???> wrote:

>
>
>
> Hi people.
> First, forgive me for my bad English.
> Now I tried to configure Exim to work with 2008 server AD (LDAP) users.
> But I have some trouble, and don't know how to fix it.
> When I try to send mail from zerg@??? to zerg@???
> I see the error in the log


Hi,

Can you explain exactly: what are you trying to do?

It looks as if you are (a) making an LDAP lookup with Exim's built in lookup, and (b) using perl to do an LDAP lookup. Why are you doing both?

If you explain what you're trying to do, it will help us to understand your configuration.

>
> 2013-03-02 16:00:13 [21494] End queue run: pid=21494
> 2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: SAEximRunCond expand returned: '1'
> 2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: check succeeded, running spamc
> 2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ SA: Action: scanned but message isn't spam: score=-0.0 required=5.0 (scanned in 2/2 secs | Message-Id: E1UBmz3-0005av-UQ@???). From <root@???> (local) for kobzar@???
> 2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ <= root@??? U=root P=local S=754 T="Test" from <root@???> for kobzar@???
> 2013-03-02 16:00:19 [21513] 1UBmz3-0005av-UQ == kobzar@??? R=ldap_EXTdistrib_group defer (-1): condition check lookup defer
>
> As I understand, I have an error in this section of my config:
> "ldap_EXTdistrib_group".
> But in global I have an error in the LDAP filters. Maybe someone can show me
> my mistake.
>
> My Exim config and Perl script:
>
> ######################################################################
> # MAIN CONFIGURATION SETTINGS #
> ######################################################################
> primary_hostname = mx.emorion.com.ua
> domainlist local_domains = @
> domainlist relay_to_domains = emorion.com.ua
> domainlist trust_domains = kuz.com.ua
> hostlist local_net = 172.16.16.0/24 : 172.16.100.0/24
> hostlist nonauth_hosts = 172.16.16.10
>
> acl_smtp_rcpt = acl_check_rcpt
> acl_smtp_data = acl_check_data
>
> ldap_default_servers = 172.16.16.2::3268 : 172.16.16.4::3268
>
> LDAP_AUTH = user="unix_ldap@???" pass="Пароль"
> LDAP_BASE_SEARCH = ldap:///DC=jsp,DC=local
> LDAP_DOMAIN = jsp.local
> LDAP_MAIL_FILTER = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}${quote_ldap:$domain}))
>
> av_scanner = clamd:/var/run/clamav/clamd.sock
> spamd_address = 127.0.0.1 783
>
> #SMTP SSL
> # Which ports the Exim daemon will listen on
> tls_advertise_hosts = *
> tls_certificate = /usr/local/etc/exim/ssl/exim.crt
> tls_privatekey = /usr/local/etc/exim/ssl/exim.key
> tls_on_connect_ports = 465
> daemon_smtp_ports = 25:465
>
> exim_user = mailnull
> exim_group = mailnull
>
> never_users = root
>
> host_lookup = !+local_net
> rfc1413_query_timeout = 0s
> ignore_bounce_errors_after = 45m
> timeout_frozen_after = 1d
> split_spool_directory = true
> helo_accept_junk_hosts = +local_net
> smtp_banner = $primary_hostname ESMTP server
> smtp_receive_timeout = 3m
> smtp_accept_max = 100
> smtp_accept_max_per_host = 10
> smtp_accept_max_per_connection = 10
> remote_max_parallel = 15
> recipients_max = 120
> message_size_limit = 10M
> auth_advertise_hosts = +local_net : localhost
>
> log_selector = \
> +all \
> -arguments \
> -smtp_connection \
> -all_parents \
> -ident_timeout \
> -incoming_port \
> -outgoing_port \
> -queue_time \
> -queue_time_overall
>
> syslog_timestamp = no
> log_file_path = /var/log/exim/%s-%D.log
> system_filter = /usr/local/etc/exim/filters/system-filter
> system_filter_pipe_transport = address_pipe
> system_filter_user = mailnull
> system_filter_group = mailnull
>
> # Script for the embedded Perl interpreter. Used for distribution groups.
> perl_startup = do '/usr/local/etc/exim/scripts/group_distrib_AD.pl'
>
> ######################################################################
> # ACL CONFIGURATION #
> # Specifies access control lists for incoming SMTP mail #
> ######################################################################
> begin acl
>
> acl_check_rcpt:
> accept hosts = :
> deny message = Restricted characters in address
> domains = +relay_to_domains
> local_parts = ^[.] : ^.*[@%!/|]
> delay = 30s
>
> deny message = Restricted characters in address
> domains = !+relay_to_domains
> local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
> delay = 30s
>
> accept hosts = !+local_net : !localhost
> domains = +relay_to_domains
> condition = ${lookup{$sender_address_domain}wildlsearch\
> {/usr/local/etc/exim/db/whitelist}{yes}{no}}
> logwrite = OK! The host $sender_address_domain is in the WHITE list
>
> accept hosts = +nonauth_hosts
> domains = +relay_to_domains
>
> warn set acl_c1 = 0
>
> warn condition = ${if eq{$sender_helo_name}{}{yes}{no}}
> logwrite = SPAM. Send HELO/EHLO and your name first
> set acl_c1 = ${eval:$acl_c1+1}
>
> deny message = You are not allowed to send mail outside the own domain.
> hosts = +local_net : localhost
> domains = !+relay_to_domains
> condition = ${if eqi{LD}{${lookup ldapm{LDAP_AUTH \
> LDAP_BASE_SEARCH?physicalDeliveryOfficeName?sub?\
> (samaccountName=$sender_address_local_part)}}}{yes}{no}}
>
> accept hosts = +local_net : localhost
> authenticated = *
> control = dkim_disable_verify
>
> drop message = Forbidden to send mail on behalf of users domain \
> $sender_address_domain
> hosts = !+local_net : !localhost
> condition = ${if match_domain{$sender_address_domain}\
> {$primary_hostname : +local_domains : +relay_to_domains}\
> {yes}{no}}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${if or {{ isip{$sender_helo_name}}\
> {eq{$sender_helo_name}{[$sender_host_address]}}}{yes}{no}}
> logwrite = SPAM. Forbidden to use IP-address instead of the host name in HELO
> set acl_c1 = ${eval:$acl_c1+2}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${if match_domain{$sender_helo_name}\
> {$primary_hostname : +local_domains : +relay_to_domains}{yes}{no}}
> logwrite = SPAM. In HELO a name of our server
> set acl_c1 = ${eval:$acl_c1+3}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
> logwrite = SPAM. Yours PTR and A records DNS do not conform
> set acl_c1 = ${eval:$acl_c1+4}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${lookup{$sender_host_name}wildlsearch\
> {/usr/local/etc/exim/db/blacklist}{yes}{no}}
> logwrite = SPAM. $sender_host_name in our local blacklist
> set acl_c1 = ${eval:$acl_c1+6}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${if and {{match{$sender_host_name}\
> {\N(?>[^.]+[.]){5,}|(?>[^-]+[\-]){4,}\N}}\
> {!match{$sender_host_name}{\N\.yahoo\.com$\N}}}{yes}{no}}
> logwrite = SPAM. Too many points or hyphens in the hostname ($sender_host_name)
> set acl_c1 = ${eval:$acl_c1+7}
>
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> condition = ${if !match{$sender_host_name}{\N\.yahoo\.com$\N}{yes}{no}}
> condition = ${lookup{$sender_host_name}\
> wildlsearch{/usr/local/etc/exim/db/dialup_hosts}{yes}{no}}
> logwrite = SPAM. $sender_host_name possibly represents dialup host
> set acl_c1 = ${eval:$acl_c1+8}
>
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> dnslists = cbl.abuseat.org : sbl-xbl.spamhaus.org : bl.spamcop.net
> logwrite = SPAM. You in blacklist - $dnslist_domain --> $dnslist_text; \
> $dnslist_value
> set acl_c1 = ${eval:$acl_c1+9}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> spf = fail
> logwrite = SPAM. SPF check failed: $sender_host_address is not allowed to send mail from $sender_address_domain
> set acl_c1 = ${eval:$acl_c1+10}
>
> warn hosts = !+local_net : !localhost
> condition = ${if eq{$acl_c1}{0}{yes}{no}}
> !verify = sender/no_details/callout=15s
> logwrite = SPAM. $acl_verify_message: $sender_address - does not exist
> set acl_c1 = ${eval:$acl_c1+11}
>
> warn hosts = !+local_net : !localhost
> delay = 20s
>
> accept domains = +relay_to_domains
> hosts = !+local_net : !localhost
>
> drop message = Access deny - this not open relay!
>
>
> ###################################################################################
> ### Check the message body ###
> acl_check_data:
>
> deny message = contains $found_extension file (blacklisted)
> demime = com:vbs:bat:cmd:pif:scr:exe
>
> deny malware = *
> message = This message contains a virus ($malware_name).
>
> deny message = This message contains a MIME error $demime_reason
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{yes}{no}}
>
> deny message = Incorrect headers syntax
> hosts = !+local_net
> !verify = header_syntax
>
>
> accept
> ######################################################################
> # ROUTERS CONFIGURATION #
> # Specifies how addresses are handled #
> ######################################################################
> begin routers
>
> dnslookup:
> driver = dnslookup
> domains = !+relay_to_domains : !+local_domains
> transport = remote_smtp
> ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
> more = no
> cannot_route_message = Remote domain not found in DNS
>
> ldap_EXTdistrib_group:
> driver = redirect
> domains = +relay_to_domains
> allow_fail
> allow_defer
> condition = ${if eqi{${quote:$local_part}@$domain}{${lookup ldapdn{LDAP_AUTH \
> ldap:///DC=jsp,DC=local?mail?sub?(objectClass=group)}}}{no}{yes}}
> data = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}
>
> ldap_INTdistrib_group:
> driver = redirect
> domains = +relay_to_domains
> allow_fail
> allow_defer
> condition = ${if and{{match{$local_part}{\N^dg_\N}}{match_domain\
> {$sender_address_domain}{+relay_to_domains : +trust_domains}}}}
> data = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}
>
>
> ldap_aliases:
> driver = redirect
> domains = +relay_to_domains
> allow_fail
> allow_defer
> data = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
> ?mail?sub?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
> (objectClass=user)(url=${quote_ldap:$local_part}\
> ${quote_ldap:@}${quote_ldap:$domain}))}}
>
> ldap_forwarding:
> driver = redirect
> domains = +relay_to_domains
> allow_fail
> allow_defer
> data = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH?otherTelephone?sub?\
> (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
> (objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}\
> ${quote_ldap:$domain}))}},${quote:$local_part}@${quote:$domain}
>
> ldap_dovecot:
> debug_print = "R: ldap_local_user for $local_part@$domain"
> driver = accept
> domains = +relay_to_domains
> condition = ${if eq{}{${lookup ldapdn{LDAP_AUTH LDAP_BASE_SEARCH\
> ??sub?LDAP_MAIL_FILTER}}}{no}{yes}}
> transport = dovecot_lda
> router_home_directory = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
> ?samaccountName?sub?LDAP_MAIL_FILTER}{/mail/$value/}}
> user = 26
> group = 26
> more = no
> cannot_route_message = Unknown address
>
> system_aliases:
> driver = redirect
> domains = +local_domains
> allow_fail
> allow_defer
> data = ${lookup{$local_part}lsearch{/etc/aliases}}
> user = mailnull
> group = mail
> file_transport = address_file
> pipe_transport = address_pipe
>
> localuser:
> driver = accept
> domains = +local_domains
> check_local_user
> transport = local_delivery
> cannot_route_message = Unknown address
>
>
> ######################################################################
> # TRANSPORTS CONFIGURATION #
> ######################################################################
> begin transports
>
> remote_smtp:
> driver = smtp
>
> dovecot_lda:
> driver = pipe
> command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
> message_prefix =
> message_suffix =
> delivery_date_add
> envelope_to_add
> return_path_add
> log_output
> user = mailnull
> temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
>
> local_delivery:
> driver = appendfile
> file = /mail/UNIX/$local_part
> delivery_date_add
> envelope_to_add
> return_path_add
> group = mail
> user = $local_part
> mode = 0660
> no_mode_fail_narrower
>
> address_pipe:
> driver = pipe
> return_output
>
> address_file:
> driver = appendfile
> delivery_date_add
> envelope_to_add
> return_path_add
>
> address_reply:
> driver = autoreply
>
> ######################################################################
> # RETRY CONFIGURATION #
> ######################################################################
>
> begin retry
>
> * quota
> * * F,2h,15m; G,8h,1h,1.5
>
>
> ######################################################################
> # REWRITE CONFIGURATION #
> ######################################################################
>
> # There are no rewriting specifications in this default configuration file.
>
> begin rewrite
>
>
> ######################################################################
> # AUTHENTICATION CONFIGURATION #
> ######################################################################
>
>
>
> begin authenticators
>
>
> dovecot_plain:
> driver = dovecot
> public_name = PLAIN
> server_socket = /var/run/dovecot/auth-client
> server_set_id = $auth2
>
> dovecot_login:
> driver = dovecot
> public_name = LOGIN
> server_socket = /var/run/dovecot/auth-client
> server_set_id = $auth1
>
> dovecot_gssapi:
> driver = dovecot
> public_name = GSSAPI
> server_socket = /var/run/dovecot/auth-client
> server_set_id = $auth1
>
> # End of Exim configuration file
>
>
>
>
> #!/usr/bin/perl -w
> use strict;
> use warnings;
> use Net::LDAP;
> use Net::LDAP::Util qw(escape_filter_value);
>
> my %ldap_connect=(
>     HOST=>"172.16.16.4",
>     PORT=>"3268",
>     TIMEOUT=>"120",
>     BASE_DN=>"DC=JSP,DC=LOCAL",
>     BIND_DN=>"CN=unix_ldap,CN=Users,DC=JSP,DC=LOCAL",
>     BIND_PASS=>"Password",
>     VERSION=>"3"
> );
>
> # Called from Exim as ${perl{get_mail_lists}{address}}: returns the mail
> # addresses of the enabled user members of the group whose mail attribute
> # is $address, one per line, or "" when no such group exists. die() makes
> # the Exim expansion fail with the message; exit() would terminate the
> # Exim process that embeds this interpreter.
> sub get_mail_lists
> {
>     my $address = shift;
>     my ($user_mail, $dn, $mesg, $entry, $mail_lists);
>     my (@array_of_ldap_search, @entries);
>     $mail_lists="";
>
>     # No trailing "\" between arguments: that is not a line continuation in Perl
>     my $ldap = Net::LDAP->new($ldap_connect{'HOST'},
>         version=>$ldap_connect{'VERSION'},
>         port=>$ldap_connect{'PORT'}, timeout=>$ldap_connect{'TIMEOUT'})
>         or die "LDAP connect to $ldap_connect{'HOST'} failed: $@";
>
>     # bind() always returns a Net::LDAP::Message, so test its result code
>     $mesg=$ldap->bind($ldap_connect{'BIND_DN'}, password =>
>         $ldap_connect{'BIND_PASS'});
>     die "LDAP bind failed: ".$mesg->error if $mesg->code;
>
>     # The address comes from the recipient local part, so escape it (RFC 4515)
>     # before it is interpolated into the filter
>     my $safe_address = escape_filter_value($address);
>     $mesg = $ldap->search(
>         base => $ldap_connect{'BASE_DN'},
>         scope => 'sub',
>         filter => "(&(objectClass=top)(objectClass=group)(mail=$safe_address))",
>         attrs => ['member']
>     );
>     die "LDAP group search failed: ".$mesg->error if $mesg->code;
>
>     # Collect the member DNs of every matching group instead of overwriting
>     foreach $entry ($mesg->entries) {
>         push @array_of_ldap_search, $entry->get_value("member");
>     }
>
>     foreach $dn (@array_of_ldap_search) {
>         # DNs may contain "(" or ")" (e.g. CN=Name (ext)), so escape them too
>         my $safe_dn = escape_filter_value($dn);
>         $mesg = $ldap->search(
>             filter=>"(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(objectClass=person)(distinguishedName=$safe_dn))",
>             base=>$ldap_connect{'BASE_DN'},
>             scope =>'sub',
>             attrs=>['mail']
>         );
>         die "LDAP member search failed: ".$mesg->error if $mesg->code;
>
>         @entries = $mesg->entries;
>         foreach $entry (@entries) {
>             $user_mail = $entry->get_value("mail");
>             next unless defined $user_mail;   # member without a mail attribute
>             $mail_lists = $mail_lists."\n".$user_mail;
>         }
>     }
>     $ldap->unbind;
>     return $mail_lists;
> }
>
> #print get_mail_lists('mf@???'),"\n";


--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
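Added here by the editor, not code from the post or from Exim: an offline Python model of the two-step expansion the posted get_mail_lists() performs (group found by its mail attribute, then the mail of its enabled user members), with RFC 4515 escaping of the values interpolated into filters and a guard that mirrors the single-entry requirement of Exim's ldap/ldapdn lookups, which the ldap_EXTdistrib_group condition relies on. The directory entries, names and domain are constructed; the disabled-account bit is the one the posted filters test with userAccountControl:1.2.840.113556.1.4.803:=2.

```python
# Added example, not code from the post: offline model of the group expansion
# get_mail_lists() performs, with RFC 4515 escaping and a single-entry guard.
ACCOUNTDISABLE = 0x0002  # the bit (userAccountControl:1.2.840.113556.1.4.803:=2) tests

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\2a \\28 \\29 \\5c \\00."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)

def group_filter(address):
    """The filter the Perl script sends for a group, with the address escaped."""
    return f"(&(objectClass=top)(objectClass=group)(mail={escape_filter_value(address)}))"

def is_enabled(entry):
    """What the (!(userAccountControl:...:=2)) clause keeps: ACCOUNTDISABLE clear."""
    return not (int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE)

def single_entry(entries):
    """Single-entry lookup semantics (as Exim's ldap/ldapdn): one match or an error."""
    if not entries:
        return None
    if len(entries) > 1:
        raise LookupError(f"{len(entries)} entries matched a single-entry lookup")
    return entries[0]

def expand_group(directory, address):
    """Group mail -> member DNs -> mail of the enabled user members, in order."""
    groups = [e for e in directory if "group" in e["objectClass"]
              and e.get("mail", "").lower() == address.lower()]
    group = single_entry(groups)
    if group is None:
        return []
    by_dn = {e["dn"]: e for e in directory}
    return [by_dn[dn]["mail"] for dn in group.get("member", [])
            if dn in by_dn and "user" in by_dn[dn]["objectClass"]
            and is_enabled(by_dn[dn])]

DIRECTORY = [  # constructed sample entries; the DN containing "(ext)" needs escaping
    {"dn": "CN=dg_sales,OU=Groups,DC=example,DC=test", "objectClass": ["top", "group"],
     "mail": "dg_sales@example.test",
     "member": ["CN=Ann,OU=Users,DC=example,DC=test",
                "CN=Bob (ext),OU=Users,DC=example,DC=test",
                "CN=Cat,OU=Users,DC=example,DC=test"]},
    {"dn": "CN=Ann,OU=Users,DC=example,DC=test", "objectClass": ["top", "user"],
     "mail": "ann@example.test", "userAccountControl": 512},
    {"dn": "CN=Bob (ext),OU=Users,DC=example,DC=test", "objectClass": ["top", "user"],
     "mail": "bob@example.test", "userAccountControl": 514},    # 512 | ACCOUNTDISABLE
    {"dn": "CN=Cat,OU=Users,DC=example,DC=test", "objectClass": ["top", "user"],
     "mail": "cat@example.test", "userAccountControl": 66048},  # 512 | DONT_EXPIRE_PASSWD
]
```

Running expand_group(DIRECTORY, "dg_sales@example.test") yields Ann and Cat only, since Bob's entry carries the ACCOUNTDISABLE bit; a second group with the same mail attribute makes single_entry() raise instead of silently picking one.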