MailScanner, postfix and exchange server as a gateway

Drew Burchett DrewB at united-systems.com
Tue Feb 21 13:15:39 GMT 2006


I just got finished setting up MailScanner/postfix to forward mail to my
Exchange server, but I used a bit of a different tactic than the one in
the article.  I have about 500 users, so I can't say how well this
approach would scale, but I didn't see any performance hit when I
implemented it.

First, create a file called users.ldap.  Doesn't matter where, or even
the name.  The contents will be as follows:

server_host = my.ldap.server
search_base = dc=my,dc=tld
bind_dn = cn=LDAP Query,ou=users,dc=my,dc=tld
bind_pw = secret
domain = hash:/etc/postfix/db/mydestination
query_filter = (&(|(mail=%s)(proxyAddresses=smtp:%s))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
result_attribute = mail
version = 3

If you aren't familiar with ldap, the file breaks down as follows:

server_host is the name or IP address of your Active Directory server.

search_base is the base DN of your Active Directory.

bind_dn and bind_pw are an account and password that have permissions to
search the Active Directory.  Note that if you don't want to store a
user password in a cleartext file, you can also enable anonymous lookups
on the Active Directory.  Personally, I'd rather take the chance on
storing a password on a relatively secure machine.

domain is an option that you can use or not.  When I specified
mydestination in my Postfix configuration, I pointed it to a hash
database.  This parameter points to the same hash database so that if a
query comes through and it's not one of my valid domains, the query
won't even be performed.  I figure it saves a little on performance.

The query_filter is how you specify what parameters to look up.  In this
config, I specified that if the mail account exists in either the mail
attribute or the proxyAddresses attribute, then it's a valid account.
After some further reading yesterday, I found that I could actually take
the mail attribute out as Exchange stores all the addresses in
proxyAddresses.  The userAccountControl portion of the query is used to
tell if an account is active or not.  If you aren't familiar with LDAP
query syntax, there's a lot of good information on the web about it.

The result_attribute is what LDAP attribute to return.  I returned the
mail attribute, but for this particular query, it wouldn't matter as any
response other than nothing would be considered a valid user.

Version is set to 3 because AD uses LDAP v3.

Once that file is created and in place, go into your Postfix config and
set the following:

local_recipient_maps = ldap:/path/to/users.ldap

Reload postfix and it will run the ldap query against every email that
comes in.  Again, this may cause a performance problem on a really large
system, but it seems to work fine on mine.

Drew Burchett
United Systems & Software
http://www.united-systems.com

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of rob
Sent: Tuesday, February 21, 2006 6:05 AM
To: MailScanner discussion
Subject: Re: MailScanner, postfix and exchange server as a gateway

On Tue, 21 Feb 2006 19:37:26 +0800, Admin wrote
> Hi,
> 
> Currently I am using MailScanner 4.50.15-1 with postfix as a gateway for
> my exchange server; it runs on FC4. Is it better to change to sendmail
> or stick with postfix? If so, how can I accept mail only for valid
> Exchange users in sendmail?
> 
> Thanks In Advance.
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
> 
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.

We use MailScanner with sendmail in front of our exchange 2000 server
and followed the instructions here to make only valid exchange users
accept mail:

http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/270.html

There is also an article about how to set up sendmail to forward emails
to an exchange server.  It is on the site documentation.

Rob
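
The lookup that the users.ldap map in the message above performs, modelled offline as an added example (not part of the original posts and not Postfix code). It shows which recipients the filter accepts, including the disabled-account bit test and the escaping of the %s key; the directory entries and example.com are constructed sample data.

```python
# Added illustration: models the recipient check done by the users.ldap map.
# Directory entries and domain names below are constructed sample data.

ACCOUNTDISABLE = 0x2  # bit tested by userAccountControl:1.2.840.113556.1.4.803:=2
FILTER = ("(&(|(mail=%s)(proxyAddresses=smtp:%s))"
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

def escape_filter_value(value):
    """Escape LDAP filter metacharacters (RFC 4515) before substituting %s."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(address):
    """Return the filter string sent to the directory for one recipient."""
    return FILTER.replace("%s", escape_filter_value(address))

def entry_matches(entry, address):
    """Evaluate the filter's logic against one directory entry."""
    addr = address.lower()
    in_mail = entry.get("mail", "").lower() == addr
    # AD compares these strings case-insensitively, so the "SMTP:" (primary)
    # and "smtp:" (secondary) prefixes both match.
    in_proxy = any(p.lower() == "smtp:" + addr
                   for p in entry.get("proxyAddresses", []))
    # Bitwise-AND matching rule: true when the ACCOUNTDISABLE bit is set.
    disabled = (entry.get("userAccountControl", 0) & ACCOUNTDISABLE) == ACCOUNTDISABLE
    return (in_mail or in_proxy) and not disabled

def recipient_is_valid(address, entries, domains):
    """Mimic the map: skip foreign domains, then search the directory."""
    domain = address.rpartition("@")[2].lower()
    if domain not in domains:  # the 'domain' parameter: no query is made
        return False
    return any(entry_matches(e, address) for e in entries)

# Constructed sample directory
DOMAINS = {"example.com"}
ENTRIES = [
    {"mail": "alice@example.com", "userAccountControl": 512,
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.smith@example.com"]},
    {"mail": "bob@example.com", "userAccountControl": 514,  # 512 | 2 = disabled
     "proxyAddresses": ["SMTP:bob@example.com"]},
]
```

Because the key is escaped before substitution, an address containing `*` is searched for literally and cannot act as a wildcard that matches every mailbox.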

