Re: Qmail + LDAP = difficult fun.

From: Matthew Schumacher <schu@schu.net>
Date: Mon Jun 13 2005 - 11:18:28 AKDT

Leif Sawyer wrote:
>
> I know I'm interested in SMTP Auth via ldap. I'm currently
> using postfix though, and I'm thinking of migrating to sendmail,
> because of the milter plugin architecture.
>
> I've had problems getting the LDAP auth to work correctly, so
> seeing what steps you took to get it running will be helpful!

Leif,

If you do go to sendmail be sure to check out mimedefang. It is a perl
filter that uses milter, but because the perl children are kept running
in a pool, and use tmpfs for working space, there isn't a major
performance hit (unless you're using SA), just a memory cost.

If you set up sendmail to pass a macro to mimedefang that tells it about
the authentication status then you can change your rules around to omit
authenticated users from spam filtering or do other interesting things. At
one mail system I manage, all users are forced to use smtp auth (all
other relaying is disabled), and then I check to make sure that email sent
from the local domain came from an authenticated user or it is bounced.

Another major advantage to using mimedefang and ldap is that you can query
your ldap directory in mimedefang during the milter process and make
your rules do different things based on ldap lookups. Want to delete
every other letter in a message, but only if squashEmail in ldap equals
'fred', and it's the 13th minute of the hour? No problem, 10 lines of
perl and it's all done.

As far as making sendmail's smtp auth work against ldap, simply set up
sasl to use saslauthd, then set up saslauthd to search against ldap.
Here is some config that may help:

cat /usr/lib/sasl2/Sendmail.conf:
pwcheck_method:saslauthd

cat /etc/saslauthd.conf:
ldap_servers: ldap://127.0.0.1/
ldap_filter: (&(uid=%u)(MailEnabled=1)(AccountEnabled=1))
ldap_version: 3
ldap_search_base: dc=schu,dc=net
ldap_scope: sub

That's pretty much it, nothing to it.

Oh, almost forgot, if you're using sendmail smtp auth then make sure you put:

define(`confAUTH_OPTIONS', `A,p')
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')

In your sendmail.mc. The first one tells sendmail to work around an
Outlook issue and not to allow AUTH until after STARTTLS, and the second
one tells sendmail that plain logins are ok.

Hopefully this will help list members (or archive browsers) interested
in playing with sendmail.

schu
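The two mimedefang ideas in the message above (reject local-domain senders who did not authenticate, and drive a rule from an LDAP lookup during the milter conversation) as an added example. This is not code from the post or from the MIMEDefang project; it is an excerpt a reader could drop into /etc/mail/mimedefang-filter. It assumes mimedefang is started with -s (so filter_sender is called), that sendmail still passes {auth_authen} in confMILTER_MACROS_ENVFROM (it is in sendmail's default list), that the directory allows an anonymous search, and that each user's permitted sender address is in the standard `mail` attribute. The domain, server URI and base DN are copied from the saslauthd.conf above.

```perl
# Added example for /etc/mail/mimedefang-filter (not from the post or the
# MIMEDefang project). Assumes: mimedefang -s, {auth_authen} present in
# confMILTER_MACROS_ENVFROM, anonymous LDAP search allowed, 'mail' attribute
# holds the addresses a user may send as.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

our %SendmailMacros;                 # filled in by mimedefang from sendmail macros

# Site settings (placeholders; URI and base DN follow the post's saslauthd.conf)
my $LocalDomain = 'schu.net';
my $LdapURI     = 'ldap://127.0.0.1/';
my $LdapBase    = 'dc=schu,dc=net';

# Return the LDAP entry for an authenticated uid, or undef on any failure.
# The uid is escaped before it is interpolated so a crafted login name
# cannot rewrite the search filter.
sub lookup_user {
    my ($uid) = @_;
    my $ldap = Net::LDAP->new($LdapURI) or return undef;
    $ldap->bind;                                        # anonymous bind (assumption)
    my $res = $ldap->search(
        base   => $LdapBase,
        scope  => 'sub',
        filter => '(&(uid=' . escape_filter_value($uid) . ')(MailEnabled=1))',
        attrs  => ['mail'],
    );
    $ldap->unbind;
    return undef if $res->code || $res->count != 1;
    return $res->entry(0);
}

# Called once per MAIL FROM when mimedefang runs with -s.
# $sender arrives with angle brackets, e.g. '<fred@schu.net>'.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    my ($addr) = $sender =~ /<?([^<>\s]*)>?/;           # strip the angle brackets
    my $auth = $SendmailMacros{'auth_authen'};          # empty unless SMTP AUTH succeeded

    # Rule 1: a sender claiming the local domain must have authenticated.
    if ($addr =~ /\@\Q$LocalDomain\E$/i && !$auth) {
        md_syslog('warning', "unauthenticated sender $addr from $ip");
        return ('REJECT', "Mail from $LocalDomain must use SMTP AUTH");
    }

    # Rule 2 (LDAP-driven): an authenticated user may only send as an
    # address the directory lists for them, so one user cannot spoof another.
    if ($auth && $addr ne '') {
        my $entry = lookup_user($auth);
        return ('TEMPFAIL', 'Directory lookup failed, try again later') unless $entry;
        my %allowed = map { lc($_) => 1 } $entry->get_value('mail');
        unless ($allowed{lc $addr}) {
            md_syslog('warning', "user $auth tried to send as $addr");
            return ('REJECT', "Sender address not permitted for $auth");
        }
    }
    return ('CONTINUE', 'ok');
}
```

Rejecting in filter_sender means the message is refused at MAIL FROM, before any body is accepted or scanned, which is cheaper than bouncing it later. The same `$SendmailMacros{'auth_authen'}` test can be used in filter_end to skip the SpamAssassin call for authenticated users, as the message above suggests; a TEMPFAIL rather than a REJECT when the directory is unreachable keeps a directory outage from turning into permanent bounces.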

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Mon Jun 13 11:18:25 2005

This archive was generated by hypermail 2.1.8 : Mon Jun 13 2005 - 11:18:25 AKDT