When implementing sender login maps, we've run into an issue where people
cannot send out email using a "from" address of the alias domain. We store
all of the data in LDAP, but I'm not coming up with a good resolution on a
lookup query that will handle this. Thoughts appreciated.
The general configuration is:
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,
    check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
    permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts,
    check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
[zimbra@zre-ldap003 conf]$ cat ldap-slm.cf
server_host = ldap://zre-ldap003.eng.zimbra.com:389
server_port = 389
search_base =
query_filter = (&(|(uid=%s)(zimbraAllowFromAddress=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_format = %u, %s
result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,zimbraMailAlias,zimbraAllowFromAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = B7fPB4Deo
timeout = 30
So in this instance, I have a user (testuser1) in the domain
"zre-ldap003.eng.zimbra.com". I've created an alias domain of
"zre-ldap002.eng.zimbra.com". I'm unable to send out email using
testus...@zre-ldap002.eng.zimbra.com as the MAIL FROM: address for this
specific case, even if I (successfully) log in using that username.
auth login
334 VXNlcm5hbWU6
dGVzdHVzZXIxQHpyZS1sZGFwMDAyLmVuZy56aW1icmEuY29t
334 UGFzc3dvcmQ6
dGVzdHVzZXI=
235 2.7.0 Authentication successful
mail from: <testus...@zre-ldap002.eng.zimbra.com>
250 2.1.0 Ok
rcpt to: <testus...@zre-ldap003.eng.zimbra.com>
553 5.7.1 <testus...@zre-ldap002.eng.zimbra.com>: Sender address rejected:
not owned by user testus...@zre-ldap002.eng.zimbra.com
For the search, we have:
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SRCH base="" scope=2 deref=0 filter="(&(|(uid=testus...@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=testus...@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH base="" scope=2 deref=0 filter="(&(|(uid=@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 15:24:53 zre-ldap003 postfix/submission/smtpd[2718]: NOQUEUE: reject: RCPT from zre-ldap003.eng.zimbra.com[10.137.242.53]: 553 5.7.1 <testus...@zre-ldap002.eng.zimbra.com>: Sender address rejected: not owned by user testus...@zre-ldap002.eng.zimbra.com; from=<testus...@zre-ldap002.eng.zimbra.com> to=<testus...@zre-ldap003.eng.zimbra.com> proto=ESMTP helo=<zre-ldap003.eng.zimbra.com>
Is there some way to tell postfix to look for the user under the actual
domain?
I.e., this query:
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH base="" scope=2 deref=0 filter="(&(|(uid=@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
where we get one response when looking up the domain, comes from this:
zimbraMailCatchAllForwardingAddress: @zre-ldap003.eng.zimbra.com
which is set on the alias domain.
Thanks!
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
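As an added illustration, not code from the post, from Postfix or from Zimbra: a Python model of the ownership check behind reject_authenticated_sender_login_mismatch, using the query_filter, result_attribute and result_format from ldap-slm.cf above and the lookup order the slapd log shows (full address first, then @domain). The directory entries are constructed to match the log; the %u/%s expansion follows ldap_table(5), and the owner comparison is assumed to be case-insensitive.

```python
# Added model (not Postfix or Zimbra code) of the sender-login ownership check,
# using the query_filter, result_attribute and result_format from ldap-slm.cf.
FILTER_ATTRS = ("uid", "zimbraAllowFromAddress", "zimbraMailDeliveryAddress",
                "zimbraMailAlias", "zimbraMailCatchAllAddress")
RESULT_ATTRS = ("uid", "zimbraMailDeliveryAddress", "zimbraMailForwardingAddress",
                "zimbraPrefMailForwardingAddress", "zimbraMailCatchAllForwardingAddress",
                "zimbraMailAlias", "zimbraAllowFromAddress")

# Constructed directory: the real-domain user, and the alias-domain entry that
# carries only a catch-all forwarder (the single entry the slapd log shows matching).
DIRECTORY = [
    {"uid": ["testuser1"],
     "zimbraMailDeliveryAddress": ["testuser1@zre-ldap003.eng.zimbra.com"],
     "zimbraMailStatus": ["enabled"]},
    {"zimbraMailCatchAllAddress": ["@zre-ldap002.eng.zimbra.com"],
     "zimbraMailCatchAllForwardingAddress": ["@zre-ldap003.eng.zimbra.com"],
     "zimbraMailStatus": ["enabled"]},
]

def ldap_search(key):
    """query_filter from the post: any FILTER_ATTR equals key, and status enabled."""
    k = key.lower()
    return [e for e in DIRECTORY if e.get("zimbraMailStatus") == ["enabled"]
            and any(k in (v.lower() for v in e.get(a, [])) for a in FILTER_ATTRS)]

def format_result(value):
    """result_format = %u, %s as ldap_table(5) documents it: %u is the local part
    of a user@domain value (the whole value when it has no @), %s the whole value."""
    local = value.rsplit("@", 1)[0] if "@" in value else value
    return f"{local}, {value}"

def owners_for(sender):
    """Lookup order visible in the slapd log: full address first, then @domain.
    Returns the key that matched and the comma-split owner list Postfix compares."""
    for key in (sender, "@" + sender.split("@", 1)[1]):
        hits = ldap_search(key)
        if hits:
            values = [v for e in hits for a in RESULT_ATTRS for v in e.get(a, [])]
            return key, [o for v in values for o in format_result(v).split(", ") if o]
    return None, []

def login_matches(sasl_login, sender):
    """True when the SASL login name equals one of the owners (assumed case-insensitive)."""
    key, owners = owners_for(sender)
    return any(sasl_login.lower() == o.lower() for o in owners), key, owners
```

Calling login_matches with the alias-domain login and sender from the post returns False, the matched key "@zre-ldap002.eng.zimbra.com" and the single owner "@zre-ldap003.eng.zimbra.com" produced from the catch-all forwarder, which is exactly the mismatch the 553 reply reports.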