Recipe 5.10 Using LDAP Routing with Masquerading

Problem

When the hostname part of the email address assigned to the mailLocalAddress attribute of an LDAP routing record is a masquerade value, sendmail must convert the hostname from the recipient address to the masquerade name before doing the LDAP lookup. You have been asked to configure sendmail to do this.

Solution

Recipe 5.9 provides information for the LDAP administrator on including support for the IETF draft schema for intranet mail routing and the sendmail.schema file in the LDAP configuration file. That recipe also explains how to add mail routing data to the LDAP database. Read Recipe 5.9 before you proceed.

On the sendmail host, create an ldaproute-equivalents file to load the $={LDAPRouteEquiv} class. List hostnames in the file that should be converted to the MASQUERADE_AS hostname before querying the LDAP server for routing information. Here is an example:

 # cd /etc/mail
 # cat > ldaproute-equivalents
 jamis.wrotethebook.com
 giant.wrotethebook.com
 horseshoe.wrotethebook.com
 Ctrl-D

Create a sendmail configuration that includes the MASQUERADE_AS macro, the confLDAP_DEFAULT_SPEC define, the ldap_routing feature, and the LDAPROUTE_EQUIVALENT_FILE macro, which loads class $={LDAPRouteEquiv}. Here is a sample of the lines that might be added to the sendmail configuration:

 dnl Define the masquerade value
 MASQUERADE_AS(`wrotethebook.com')
 dnl Stop Build from complaining
 define(`confLDAP_DEFAULT_SPEC', `-h ldserver -b dc=wrotethebook,dc=com')
 dnl Load $={LDAPRouteEquiv} from ldaproute-equivalents
 LDAPROUTE_EQUIVALENT_FILE(`/etc/mail/ldaproute-equivalents')
 dnl Enable the ldap_routing feature
 FEATURE(`ldap_routing')

Following the instructions in Recipe 1.8, rebuild and reinstall sendmail.cf, and then restart sendmail.

Discussion

When a recipient host is a member of the $={LDAPRouteEquiv} class, sendmail converts the host's name to the MASQUERADE_AS hostname before querying the LDAP server for routing information. Hostnames can be added to $={LDAPRouteEquiv} individually using LDAPROUTE_EQUIVALENT macros, or the hostnames can be loaded into the class from a file (or an LDAP server) using the LDAPROUTE_EQUIVALENT_FILE macro. This recipe uses a local ldaproute-equivalents file.

The MASQUERADE_AS macro must be included in this sendmail configuration because the hostnames listed in the $={LDAPRouteEquiv} class are converted to the masquerade name. The sample configuration in the Solution section specifies wrotethebook.com as the MASQUERADE_AS value. Therefore, if the host portion of a recipient address matches a value in $={LDAPRouteEquiv}, the host portion is converted to wrotethebook.com before the LDAP server is queried.

The confLDAP_DEFAULT_SPEC define sets the LDAP server hostname and the base distinguished name that sendmail will use to query the LDAP server. Why it is needed in this configuration is covered in the Discussion section of Recipe 5.9, as is the ldap_routing FEATURE command and its syntax.

After this recipe is installed, use sendmail -bt to observe the effect of the configuration on sendmail variables and on the routing of mail to specific addresses. Here is an example:

 # sendmail -bt
 ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
 Enter <ruleset> <address>
 > $M
 wrotethebook.com
 > $={LDAPRouteEquiv}
 giant.wrotethebook.com
 jamis.wrotethebook.com
 horseshoe.wrotethebook.com
 > Parse1 alana<@jamis.wrotethebook.com.>
 Parse1             input: alana < @ jamis . wrotethebook . com . >
 LDAPExpand         input: < alana < @ jamis . wrotethebook . com . > > < alana @ wrotethebook . com > < >
 LDAPExpand       returns: $# relay $@ chef . wrotethebook . com $: alana < @ jamis . wrotethebook . com . >
 Parse1           returns: $# relay $@ chef . wrotethebook . com $: alana < @ jamis . wrotethebook . com . >
 > /quit

The $M command shows the masquerade value, which, in this case, is wrotethebook.com. The $={LDAPRouteEquiv} command shows the list of recipient hosts that will be converted to the masquerade value before being passed to the LDAP server. The next command line calls the Parse1 ruleset and passes it the recipient address alana@jamis.wrotethebook.com with the proper focus characters inserted. The ldap_routing feature adds two rules to the Parse1 ruleset that call the LDAPExpand ruleset. One rule calls LDAPExpand to process hosts listed in $={LDAPRoute}, and the other calls it to process hosts listed in $={LDAPRouteEquiv}. When Parse1 calls LDAPExpand, it passes it three values: the original address, which is used as a pass-through value; the address used for the lookup; and any + detail information.

The Parse1 alana<@jamis.wrotethebook.com.> test shows that, when Parse1 is passed an address containing a hostname found in $={LDAPRouteEquiv}, Parse1 in turn calls the LDAPExpand ruleset and passes it the original address as the first parameter and a rewritten address as the second parameter. The rewritten address contains the masquerade value as the host part. The LDAPExpand ruleset queries the LDAP server and processes the LDAP server's response. As the test shows, LDAPExpand returns a mail delivery triple. Notice that the mailer in the triple is relay, and the host in the triple is chef.wrotethebook.com. The relay hostname came from the LDAP server, and it came in response to a query using the masquerade address, as these ldapsearch tests show:

 # ldapsearch -LLL -x \
 > '(&(objectClass=inetLocalMailRecipient) \
 > (mailLocalAddress=alana@wrotethebook.com))' mailHost
 dn: uid=alana, dc=wrotethebook, dc=com
 mailHost: chef.wrotethebook.com
 # ldapsearch -LLL -x \
 > '(&(objectClass=inetLocalMailRecipient) \
 > (mailLocalAddress=alana@jamis.wrotethebook.com))' mailHost

The first ldapsearch test shows that a record for alana@wrotethebook.com is found in the LDAP database. The second test shows that alana@jamis.wrotethebook.com is not in the LDAP database. Clearly, jamis.wrotethebook.com needs to be rewritten to wrotethebook.com for the lookup to succeed.
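The rewrite-then-lookup sequence traced by the sendmail -bt and ldapsearch tests above, modelled in a few lines of Python. This is an added illustration, not code from the book or from sendmail: the in-memory directory, the class file text and the MASQUERADE_AS value are constructed to match the recipe's sample data, and the model covers only the $={LDAPRouteEquiv} rule, not the separate $={LDAPRoute} rule or + detail handling.

```python
# Added model of the ldap_routing + LDAPRouteEquiv behaviour described in the recipe.
# Not sendmail code; directory contents, class file and addresses are constructed samples.

MASQUERADE_AS = "wrotethebook.com"          # the value $M shows in sendmail -bt

# Constructed copy of /etc/mail/ldaproute-equivalents, i.e. the $={LDAPRouteEquiv} class
LDAPROUTE_EQUIVALENTS = """\
jamis.wrotethebook.com
giant.wrotethebook.com
horseshoe.wrotethebook.com
"""

# Constructed stand-in for the LDAP server: mailLocalAddress -> mailHost, holding
# the one inetLocalMailRecipient record that the first ldapsearch test returns.
LDAP_DIRECTORY = {
    "alana@wrotethebook.com": "chef.wrotethebook.com",
}

def load_class(text):
    """Read a class file the way sendmail's F command does: one member per line,
    blank lines and '#' comments ignored, hostnames compared case-insensitively."""
    members = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            members.add(line.lower())
    return members

LDAP_ROUTE_EQUIV = load_class(LDAPROUTE_EQUIVALENTS)

def lookup_address(address):
    """Return the address LDAPExpand receives as its second parameter: the host
    part is replaced by MASQUERADE_AS when it is a member of $={LDAPRouteEquiv}."""
    user, _, host = address.rpartition("@")
    host = host.lower().rstrip(".")          # drop the canonical trailing dot
    if host in LDAP_ROUTE_EQUIV:
        host = MASQUERADE_AS
    return f"{user}@{host}"

def ldap_expand(address):
    """Model LDAPExpand: query mailLocalAddress with the rewritten address and
    return a delivery triple (mailer, host, original address), or None if no
    record matches (the second ldapsearch test's empty result)."""
    mail_host = LDAP_DIRECTORY.get(lookup_address(address))
    if mail_host is None:
        return None
    return ("relay", mail_host, address)

if __name__ == "__main__":
    for addr in ("alana@jamis.wrotethebook.com.", "alana@wrotethebook.com",
                 "alana@other.example"):
        print(addr, "->", lookup_address(addr), "->", ldap_expand(addr))
```

Querying the directory directly with the unrewritten address (the second ldapsearch test) corresponds to `LDAP_DIRECTORY.get("alana@jamis.wrotethebook.com")`, which finds nothing; only the masqueraded lookup address hits the record.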

See Also

Recipe 5.9 provides detailed coverage of the ldap_routing FEATURE command and the confLDAP_DEFAULT_SPEC define. It also provides an example of loading a sendmail class from an LDAP server. The cf/README file covers this topic in the Using LDAP for Aliases, Maps, and Classes section. The sendmail book covers the LDAPROUTE_EQUIVALENT_FILE macro in Section 23.7.11.19, the ldap_routing feature in Section 23.7.11.17, and the arguments available for the confLDAP_DEFAULT_SPEC define in Section 21.7.11.

Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt