Sorry, in trying to be brief in my original posting, I probably wasn't clear enough.
All you had to do is to explain "why."
Before using SA, we'd set up a regular cron job to send the relevant data from MySQL into an OpenLDAP directory so that we could then use this easily as a shared address book from mail clients like Mozilla Mail, e.g. to autocomplete addresses when composing. Works well.
So the ldap directory is internal.
To avoid exposing our SMTP server to the outside world, we actually pick up all incoming mail from our ISP relay using fetchmail in multi-drop mode, and then pump it into our internal SMTP server (sendmail).
Ah. Does this make any difference to putting your MTA in a proxy-forwarding DMZ? Don't know what provision Sendmail has for defeating dictionary attacks and suchlike, but both Postfix 2.0 and Exim 4.20 can completely defeat them, so using Fetchmail isn't necessary. Also, both can be configured to refuse mail for non-existent user accounts. Which I don't believe Sendmail can. I don't know much about the innards of Fetchmail
The Fetchmail alternative wouldn't work for large orgs, or those which demand instant e-mail.
So, I could have constructed a "whitelist_from" list of 600 email addresses, put that in SA's config file, and arrange somehow to keep them in step, but that didn't seem very elegant. So I figured it might be better if I got SA to check the from addresses of incoming mail directly against our LDAP server. The latter basically contains a schema of inetOrgPerson objects whose "mail" attribute is the email address of the external contact. Maybe I could have done the checks directly against MySQL, but I figured querying the LDAP server might be more lightweight.
ldap is a bottomless magic box.
My modifications to SA allow this LDAP-based whitelist-checking to be performed immediately after the usual whitelist_from and whitelist_from_rcvd processing, enabled in a minimal case by two extra config lines, e.g.
whitelist_ldap_url ldap://localhost:389 whitelist_ldap_base_dn dc=example,dc=com
I don't know Sendmail at all, but as I said, both SA-Exim 4.20/3.0 and Postfix 2.0 could be configured to whitelist your ldap users without altering any SA code. SA-Exim would do that with inclusion in the exception rule, Postfix with a custom transport.
but with a few additional config options to allow specifying Bind DN and password, and to cater for "ldaps://" server CA cert checking. I've also put in an additional filter option, so e.g. if the LDAP entries were flagged with some other attribute saying whether a given address should be whitelisted or not, that would be easily accommodated.
Both Exim 4 and Postfix 2.0 ldap routers/alias maps (respectively) could be configured to do this. A problem I have with Postfix at the moment, is getting it to use ldaps or starttls for ldap at all, though Exim can do that easily. Both can be configured to use CA certs for whatever they *can* do with tls (e.g. smtp starttls for Postfix 2.0)
My LDAP config options are in the spirit of those used by Mozilla Mail.
Yea!
Maybe this isn't a common problem, and there may well be other ways of solving it, but we're happy now!
My only worry would be at the developers feeling they would have to modify SA code to do such a thing. As I pointed out, I have no idea how Sendmail works; for that matter Qmail or Smail neither. Maybe code changes would be necessary for the latter two.
Best,
Tony
-- Tony Earnshaw
- Deyr fé, deyr frendr deyr sjálfr 'it sama - ek veit ein aldrigi deyr - dómr um dauđan hvern.
From Hávamál - what gods have said
http://j-walk.com/blog/docs/conference.htm http://www.billy.demon.nl Mail: [EMAIL PROTECTED]
------------------------------------------------------- This SF.NET email is sponsored by: eBay Great deals on office technology -- on eBay now! Click here: http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5 _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
