Anton Tilstra wrote:

Hello,

(For those short on time, the actual question is at the bottom…)

I’m on a mission to replace an outdated Barracuda with a shiny new DSPAM installation. We are hosting a half dozen domains or so, and have a number of people with multiple email aliases. All users are on Exchange, and so the DSPAM box will function as a mail relay (it is not in production yet).

I have a running installation of DSPAM 3.6.8 on Debian Etch, with a MySQL 5.0 backend, Postfix 2.3.8 and Apache 2.2.3. The basics are working, I can control through Postfix which domains go through DSPAM, and filtering/web front-end etc. works, the latter with LDAP authentication against the domain even.

My goal is to polish this into something that works as transparently as possible, with as little disruption to the end-user as possible. Because I obviously want the end-users to take part in training DSPAM for themselves, it is also important that this process be as simple and uninvolved as possible (Outlook plugin has my preference). Aside from the now horrendous filtering performance (accuracy wise) and ridiculous cost of the annual subscription service, we were pretty satisfied with the way the Barracuda functions and interfaces with the end-user. There are some issues I need to work out before I can put DSPAM in production however.

The hurdle I’m trying to get over at the moment is the challenge of DSPAM and email aliases. I’m aware of the localStore option where uid’s are re-used for email aliases, and that would be fine. The part that I was trying to figure out is how to get DSPAM to be aware of what’s an alias – an LDAP lookup to Active Directory would’ve been ideal, but that doesn’t seem to be implemented by DSPAM (yet?), at least not with this functionality. Periodically running some kind of script to maintain an alias database would be acceptable, but I’d prefer some way to do “live” lookups. Then, while searching this list, several people mentioned handling this with Postfix instead so that the recipient is replaced with the primary email address which DSPAM will recognize, and that makes a lot of sense to me.

So this is my question today: how can I get Postfix to perform LDAP lookups to Active Directory and substitute any email alias with its primary email address in the envelope before passing the message to DSPAM? I have found some documentation on some aspects of this, but nothing that specifically does this with AD in particular.



I'm no Postfix expert, by any means, and what I'm about to say is "hearsay". If I recall correctly, though I don't remember where, I saw some posts on LDAP address lookups using Postfix. Addresses weren't substituted in the message at all, but they were used to pass dspamc the proper --user parameter. Regarding this you'll be better off asking the Postfix folks, or waiting for someone else here to speak, since there is a good number of Postfix guys on this list.

One other solution is to get DSPAM to perform those lookups. I have written a small patch that implements this. I've been using this to make DSPAM work with qmail in a rather custom installation and the service has been up for over a year now without any problems. One other thing that it implements is letting you set the content of the username field in the dspam_virtualusers table to whatever LDAP attribute you want. That was the main reason I made the patch, since we allow our users to not only change their mail address and aliases but also their logins.

One side effect of the patch is that it lets you define a (more) complex LDAP filter than the usual (mail = %u).

Also, you mentioned that you were using Debian Etch. In case you are using the Debian package, you can apply the patch cleanly on the source package and run dpkg-rebuildpackage. I've done that myself a few times, both on Etch and Sarge.

You can find the patch here: http://pessoa.fct.unl.pt/hmmm/files/anti-spam/dspam/dspam-3.6.8-external_lookup-0.8.1.patch

To finish, let me just say that probably the easiest solution is to tweak your postfix installation. But at least now you know there is one possible way.

Good luck!

Hugo Monteiro.

And on the same subject, what about distribution groups? Should they also be expanded, or treated as a single entity?

Thanks in advance for any help.

Anton Tilstra



--
ci.fct.unl.pt:~# cat .signature

Hugo Monteiro
Email    : [EMAIL PROTECTED]
Telefone : +351 212948300 Ext.15307

Centro de Informática
Faculdade de Ciências e Tecnologia da
                   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Telefone: +351 212948596   Fax: +351 212948548
www.ci.fct.unl.pt             [EMAIL PROTECTED]

ci.fct.unl.pt:~# _
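
Added example, not part of either message and not taken from Hugo's patch: a sketch of the "periodically running some kind of script to maintain an alias database" option Anton mentions, building an alias-to-primary table that Postfix can use to rewrite the envelope recipient before DSPAM sees it. It assumes the Exchange convention that `proxyAddresses` marks the primary address with an upper-case `SMTP:` prefix and aliases with lower-case `smtp:`; the sample entries are constructed and the function names are hypothetical.

```python
# Constructed sample data standing in for an LDAP export of AD user objects.
# Assumption: the primary address carries an upper-case "SMTP:" prefix in
# proxyAddresses and every alias a lower-case "smtp:" prefix.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe",
     "proxyAddresses": ["SMTP:john.doe@example.com",
                        "smtp:jdoe@example.com",
                        "smtp:John.Doe@example.org",
                        "X400:c=US;a= ;p=Example;o=Exchange;s=Doe;g=John"]},
    {"sAMAccountName": "asmith",
     "proxyAddresses": ["smtp:alice@example.com",
                        "SMTP:a.smith@example.com"]},
    {"sAMAccountName": "svc-noprimary",   # no SMTP: entry, so it is skipped
     "proxyAddresses": ["smtp:orphan@example.com"]},
]


def split_addresses(proxy_addresses):
    """Return (primary, aliases), lower-cased; primary is None if absent."""
    primary, aliases = None, []
    for value in proxy_addresses:
        prefix, _, addr = value.partition(":")
        if (prefix.lower() != "smtp" or "@" not in addr
                or any(c.isspace() for c in addr)):
            continue  # non-SMTP or malformed value: never emit it into the map
        if prefix == "SMTP":
            primary = addr.lower()
        else:
            aliases.append(addr.lower())
    return primary, aliases


def build_alias_map(entries):
    """Map every alias to its primary address; conflicting aliases raise."""
    mapping = {}
    for entry in entries:
        primary, aliases = split_addresses(entry.get("proxyAddresses", []))
        if primary is None:
            continue
        for alias in aliases:
            if mapping.setdefault(alias, primary) != primary:
                raise ValueError(f"alias {alias} claimed by two mailboxes")
    return mapping


def postfix_map_lines(mapping):
    """Render 'alias<TAB>primary' lines, the text form postmap(1) compiles."""
    return [f"{a}\t{p}" for a, p in sorted(mapping.items())]


if __name__ == "__main__":
    print("\n".join(postfix_map_lines(build_alias_map(SAMPLE_ENTRIES))))
```

The output is meant to be compiled with `postmap` and referenced from `virtual_alias_maps`, which rewrites envelope recipients only; that choice of map, like the map file location, is an assumption about the Postfix side rather than something stated in the thread.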
