Colin Dean wrote:

> Sorry, in trying to be brief in my original posting, I probably wasn't
> clear enough.

All you had to do is to explain "why."

> Before using SA, we'd set up a regular cron job to send the relevant
> data from MySQL into an OpenLDAP directory so that we could then use
> this easily as a shared address book from mail clients like Mozilla
> Mail, e.g. to autocomplete addresses when composing.  Works well.

So the ldap directory is internal.

> To avoid exposing our SMTP server to the outside world, we actually
> pick up all incoming mail from our ISP relay using fetchmail in
> multi-drop mode, and then pump it into our internal SMTP server

Ah. Does this make any difference to putting your MTA in a proxy-forwarding DMZ? Don't know what provision Sendmail has for defeating dictionary attacks and suchlike, but both Postfix 2.0 and Exim 4.20 can completely defeat them, so using Fetchmail isn't necessary. Also, both can be configured to refuse mail for non-existent user accounts, which I don't believe Sendmail can. I don't know much about the innards of Fetchmail.

The Fetchmail alternative wouldn't work for large orgs, or those which demand instant e-mail.

> So, I could have constructed a "whitelist_from" list of 600 email
> addresses, put that in SA's config file, and arrange somehow to keep
> them in step, but that didn't seem very elegant.  So I figured it
> might be better if I got SA to check the from addresses of incoming
> mail directly against our LDAP server.  The latter basically contains
> a schema of inetOrgPerson objects whose "mail" attribute is the email
> address of the external contact.  Maybe I could have done the checks
> directly against MySQL, but I figured querying the LDAP server might
> be more lightweight.

ldap is a bottomless magic box.

> My modifications to SA allow this LDAP-based whitelist-checking to
> be performed immediately after the usual whitelist_from and
> whitelist_from_rcvd processing, enabled in a minimal case by two
> extra config lines, e.g.
>
>     whitelist_ldap_url      ldap://localhost:389
>     whitelist_ldap_base_dn  dc=example,dc=com

I don't know Sendmail at all, but as I said, both SA-Exim 4.20/3.0 and Postfix 2.0 could be configured to whitelist your ldap users without altering any SA code. SA-Exim would do that with inclusion in the exception rule, Postfix with a custom transport.

> but with a few additional config options to allow specifying Bind DN
> and password, and to cater for "ldaps://" server CA cert checking.
> I've also put in an additional filter option, so e.g. if the LDAP
> entries were flagged with some other attribute saying whether a given
> address should be whitelisted or not, that would be easily accommodated.

Both Exim 4 and Postfix 2.0 ldap routers/alias maps (respectively) could be configured to do this. A problem I have with Postfix at the moment is getting it to use ldaps or starttls for ldap at all, though Exim can do that easily. Both can be configured to use CA certs for whatever they *can* do with tls (e.g. smtp starttls for Postfix 2.0).

> My LDAP config options are in the spirit of those used by Mozilla Mail.


> Maybe this isn't a common problem, and there may well be other ways of
> solving it, but we're happy now!

My only worry would be at the developers feeling they would have to modify SA code to do such a thing. As I pointed out, I have no idea how Sendmail works; for that matter Qmail or Smail neither. Maybe code changes would be necessary for the latter two.



Tony Earnshaw

- Deyr fé, deyr frendr
deyr sjálfr 'it sama
- ek veit ein aldrigi deyr
- dómr um dauđan hvern.

From Hávamál - what gods have said
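Colin's check looks the sender's From: address up as an inetOrgPerson "mail" attribute, and that address is supplied by the sender of the message. The following is an added example, not Colin's SA patch or any SA/OpenLDAP code, of building that lookup filter with RFC 4515 escaping so that filter metacharacters in the address cannot change the query; it uses only the Python standard library, and the "whitelisted" attribute in the optional extra filter is a constructed placeholder name.

```python
from email.utils import parseaddr
from typing import Optional

# RFC 4515 escapes for values interpolated into an LDAP search filter.
# The From: address comes from the sender, so it is escaped before use;
# otherwise a '*' or ')' in it would change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def sender_address(from_header: str) -> Optional[str]:
    """Return the bare, lower-cased address from a From: header, or None."""
    _display, addr = parseaddr(from_header)
    return addr.lower() if addr and "@" in addr else None


def whitelist_filter(from_header: str, extra_filter: Optional[str] = None) -> Optional[str]:
    """Build the filter that looks the sender up as an inetOrgPerson.

    extra_filter is the optional operator-supplied clause (the "additional
    filter option" in the thread), AND-ed with the mail= match.  It is
    trusted configuration, not sender data, so it is used verbatim.
    """
    addr = sender_address(from_header)
    if addr is None:
        return None  # no parsable address: nothing to look up, not whitelisted
    clauses = "(objectClass=inetOrgPerson)(mail=%s)" % escape_filter_value(addr)
    if extra_filter:
        clauses += extra_filter
    return "(&%s)" % clauses


if __name__ == "__main__":
    # Constructed sample headers; "whitelisted" is a placeholder attribute name.
    for hdr in ["Alice <alice@example.com>", "*@example.com", "no address here"]:
        print(hdr, "->", whitelist_filter(hdr, "(whitelisted=TRUE)"))
```

The returned string is what would be passed as the search filter under the configured base DN; a lookup that returns no entry leaves the message un-whitelisted.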

Spamassassin-talk mailing list
