
user verification via ldap


peterve

IS-IT--Management
Mar 19, 2000
1,348
NL
Hi,

I want to set up a sendmail (or postfix - don't know yet) server that is internet facing.
The server should allow incoming emails only (from the internet, to my internal mail platform), for a given number of domains, but should not allow "open relays" - for obvious reasons.

Now I want to add this functionality :
1. when an incoming email enters the sendmail engine, sendmail should verify if that user is a valid user by querying an ldap database, and reject if the user does not exist in the ldap database
2. when the user exists, the email should be sent (relayed) to an internal host. Because of redundancy reasons, I want to specify 2 hosts for this...

How can I solve those 2 questions?

thanks

--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
 
There are a few things to keep in mind when using sendmail with LDAP on the backend:
1) sendmail can only do anonymous LDAP binds, you can't specify a user DN and password
2) sendmail must see the user as a real system user (whether or not the user can actually login at a prompt has no bearing). So the users are not truly virtual in this sense.

#1 is not that big a deal as long as your ldap server is protected from the outside. #2 can be a pretty big deal because this means that PAM must be aware of the existence of a user. The way we do it, I figure we're kind of cheating a little bit. Basically PAM sees the full email address (todd@todd.com) as a user. And it's virtuser mapped to a slightly altered email address (todd.todd.com). PAM can resolve both forms to a common username.

This is the way we do it for each email address we accept mail for:
1) We have a PAM user defined under ou=users,dc=root,dc=com. An example is uid=todd@todd.com,ou=users,dc=root,dc=com. The objectClasses used are top, account, posixAccount, shadowAccount, and CourierMailAccount (because we use CourierIMAP for our imap server).
2) We have a sendmail virtuser defined under sendmailMTAMapName=virtuser,dc=ivenue,dc=net. An example is sendmailMTAKey=todd@todd.com,sendmailMTAMapName=virtuser,dc=root,dc=com. The objectClasses used are sendmailMTA, sendmailMTAMap, and sendmailMTAMapObject.
3) We install nss_ldap and pam_ldap modules so that pam and nss know how to talk to an ldap server. We configure /etc/ldap.conf to configure the defaults for getting the user information from the ldap server.

Code:
site02 root # id todd@todd.com
uid=1101(todd@todd.com) gid=1000(mailusers) groups=1000(mailusers)
site02 root # id todd.todd.com
uid=1101(todd@todd.com) gid=1000(mailusers) groups=1000(mailusers)
site02 root # getent passwd todd@todd.com
todd@todd.com:x:1101:1000: :/netapp1/mail/maildirs/t/o/d/todd.todd.com:/sbin/nologin

There are great examples on the internet for what you need in the LDIF to create a PAM visible user in LDAP.
There are great examples in sendmail-cf/README of what needs to be in the LDIF for each user that you want sendmail to handle mail for in LDAP.

The major flaw with all of this is that the users are not truly virtual because they have to exist according to PAM because sendmail delivers to real user mailboxes, where real user is defined as a user that has a uid, gid, and home directory. Postfix, Qmail, Exim, all of these support truly virtual users. I consider that an advantage, but it's also a more difficult system to troubleshoot if troubleshooting is needed. Internally all of those virtual users end up with the same uid and gid of the MDA system and so it becomes harder if it's writing things in places you don't anticipate.

HTH and HAND.

Blue skies... Todd
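The two checks Todd's setup relies on (a virtuser entry in LDAP for the recipient, and the mapped value resolving to an NSS-visible system account) can be walked through offline. The following is an added example, not code from the thread or from sendmail: it embeds constructed LDIF modelled on the entries described above, resolves an address the way sendmail's virtusertable lookup does (exact user@domain first, then the @domain catch-all, with %1 standing for the local part), and then emulates the `getent passwd` step. Assumptions: the `dc=root,dc=com` suffix and the `todd`/`alice` accounts are sample data, and giving the account two `uid` values is this example's way of making both `todd@todd.com` and `todd.todd.com` resolve to one user; the post does not say how the original site achieves that.

```python
# Added example (not from the thread): simulate sendmail's virtuser-in-LDAP
# lookup followed by the NSS/PAM account check Todd describes.

# Constructed LDIF; not a real directory dump.
SAMPLE_LDIF = """\
dn: uid=todd@todd.com,ou=users,dc=root,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: todd@todd.com
uid: todd.todd.com
uidNumber: 1101
gidNumber: 1000
homeDirectory: /netapp1/mail/maildirs/t/o/d/todd.todd.com
loginShell: /sbin/nologin

dn: uid=alice.example.net,ou=users,dc=root,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: alice.example.net
uidNumber: 1102
gidNumber: 1000
homeDirectory: /netapp1/mail/maildirs/a/l/i/alice.example.net
loginShell: /sbin/nologin

dn: sendmailMTAKey=todd@todd.com,sendmailMTAMapName=virtuser,dc=root,dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAKey: todd@todd.com
sendmailMTAMapValue: todd.todd.com

dn: sendmailMTAKey=@example.net,sendmailMTAMapName=virtuser,dc=root,dc=com
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
sendmailMTAMapName: virtuser
sendmailMTAKey: @example.net
sendmailMTAMapValue: %1.example.net
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict of attribute -> list of values per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def virtuser_lookup(entries, address):
    """Resolve address through the virtuser map in virtusertable order:
    exact user@domain first, then the @domain catch-all (%1 = local part)."""
    user, _, domain = address.lower().rpartition("@")
    vmap = {}
    for e in entries:
        if ("sendmailMTAMapObject" in e.get("objectClass", [])
                and e.get("sendmailMTAMapName") == ["virtuser"]):
            vmap[e["sendmailMTAKey"][0].lower()] = e["sendmailMTAMapValue"][0]
    for key in (user + "@" + domain, "@" + domain):
        if key in vmap:
            return vmap[key].replace("%1", user)
    return None


def nss_lookup(entries, name):
    """Emulate `getent passwd NAME`: match any uid value of a posixAccount."""
    for e in entries:
        if "posixAccount" in e.get("objectClass", []):
            if name.lower() in [u.lower() for u in e.get("uid", [])]:
                return e
    return None


ENTRIES = parse_ldif(SAMPLE_LDIF)


def accept_recipient(address, entries=ENTRIES):
    """Decision for an inbound recipient: (accepted, reason)."""
    mapped = virtuser_lookup(entries, address)
    if mapped is None:
        return (False, "no virtuser entry for " + address)
    account = nss_lookup(entries, mapped)
    if account is None:  # virtuser hit, but PAM/NSS would not know the user
        return (False, "virtuser maps %s to %s, which is not an NSS-visible account"
                % (address, mapped))
    return (True, "deliver to %s (uid %s)"
            % (account["homeDirectory"][0], account["uidNumber"][0]))


if __name__ == "__main__":
    for rcpt in ("todd@todd.com", "nobody@todd.com", "alice@example.net", "bob@example.net"):
        print(rcpt, "->", accept_recipient(rcpt))
```

The `bob@example.net` case is the one worth noticing: the catch-all virtuser entry accepts the domain, but the mapped account does not exist, so on a real system sendmail would have no mailbox to deliver to. Checking both the virtuser map and `getent passwd` for each address you publish is the equivalent of the `id` / `getent` commands in Todd's post.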
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top