When implementing sender login maps, we've run into an issue where people cannot send out email using a "from" address of the alias domain. We store all of the data in LDAP, but I'm not coming up with a good resolution on a lookup query that will handle this. Thoughts appreciated.

The general configuration is:

smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

[zimbra@zre-ldap003 conf]$ cat ldap-slm.cf
server_host = ldap://zre-ldap003.eng.zimbra.com:389
server_port = 389
search_base =
query_filter = (&(|(uid=%s)(zimbraAllowFromAddress=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_format = %u, %s
result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,zimbraMailAlias,zimbraAllowFromAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = B7fPB4Deo
timeout = 30


So in this instance, I have a user (testuser1) in the domain "zre-ldap003.eng.zimbra.com". I've created an alias domain of "zre-ldap002.eng.zimbra.com". I'm unable to send out email using testus...@zre-ldap002.eng.zimbra.com as the MAIL FROM: address for this specific case, even if I (successfully) log in using that username.

auth login
334 VXNlcm5hbWU6
dGVzdHVzZXIxQHpyZS1sZGFwMDAyLmVuZy56aW1icmEuY29t
334 UGFzc3dvcmQ6
dGVzdHVzZXI=
235 2.7.0 Authentication successful
mail from: <testus...@zre-ldap002.eng.zimbra.com>
250 2.1.0 Ok
rcpt to: <testus...@zre-ldap003.eng.zimbra.com>
553 5.7.1 <testus...@zre-ldap002.eng.zimbra.com>: Sender address rejected: not owned by user testus...@zre-ldap002.eng.zimbra.com

For the search, we have:
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SRCH base="" scope=2 deref=0 filter="(&(|(uid=testus...@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=testus...@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=testus...@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH base="" scope=2 deref=0 filter="(&(|(uid=@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 19 15:24:53 zre-ldap003 postfix/submission/smtpd[2718]: NOQUEUE: reject: RCPT from zre-ldap003.eng.zimbra.com[10.137.242.53]: 553 5.7.1 <testus...@zre-ldap002.eng.zimbra.com>: Sender address rejected: not owned by user testus...@zre-ldap002.eng.zimbra.com; from=<testus...@zre-ldap002.eng.zimbra.com> to=<testus...@zre-ldap003.eng.zimbra.com> proto=ESMTP helo=<zre-ldap003.eng.zimbra.com>

Is there some way to tell postfix to look for the user under the actual domain?

I.e., this query:


Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH base="" scope=2 deref=0 filter="(&(|(uid=@zre-ldap002.eng.zimbra.com)(zimbraAllowFromAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailDeliveryAddress=@zre-ldap002.eng.zimbra.com)(zimbraMailAlias=@zre-ldap002.eng.zimbra.com)(zimbraMailCatchAllAddress=@zre-ldap002.eng.zimbra.com))(zimbraMailStatus=enabled))"
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SRCH attr=uid zimbraMailDeliveryAddress zimbraMailForwardingAddress zimbraPrefMailForwardingAddress zimbraMailCatchAllForwardingAddress zimbraMailAlias zimbraAllowFromAddress
Nov 19 15:24:53 zre-ldap003 slapd[23266]: conn=7277 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=

where we get one response while looking at the domain is from this:

zimbraMailCatchAllForwardingAddress: @zre-ldap003.eng.zimbra.com

which is set on the alias domain.

Thanks!

--Quanah



--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
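
Added example, not part of the original post and not Postfix or Zimbra code: a small Python model of the lookup sequence the slapd log shows (full address first, then @domain) and of the ownership comparison behind the 553 reply. The domains primary.example and alias.example, the directory entries and the simplified result_format handling are assumptions made for illustration.

```python
# Added illustration; not Postfix or Zimbra code. Attribute names come from
# ldap-slm.cf above; the domains and directory entries are constructed.
MATCH_ATTRS = ("uid", "zimbraAllowFromAddress", "zimbraMailDeliveryAddress",
               "zimbraMailAlias", "zimbraMailCatchAllAddress")
RESULT_ATTRS = ("uid", "zimbraMailDeliveryAddress", "zimbraMailForwardingAddress",
                "zimbraPrefMailForwardingAddress", "zimbraMailCatchAllForwardingAddress",
                "zimbraMailAlias", "zimbraAllowFromAddress")
DIRECTORY = [
    {"uid": ["testuser1"],                              # account in the real domain
     "zimbraMailDeliveryAddress": ["testuser1@primary.example"],
     "zimbraMailStatus": ["enabled"]},
    {"zimbraMailCatchAllAddress": ["@alias.example"],   # alias-domain entry (assumed shape)
     "zimbraMailCatchAllForwardingAddress": ["@primary.example"],
     "zimbraMailStatus": ["enabled"]},
]

def ldap_search(key):
    """Apply the query_filter to the toy directory; return result_attribute values."""
    values = []
    for entry in DIRECTORY:
        hit = any(key in entry.get(a, []) for a in MATCH_ATTRS)
        if hit and "enabled" in entry.get("zimbraMailStatus", []):
            values.extend(v for a in RESULT_ATTRS for v in entry.get(a, []))
    return values

def lookup_keys(sender, local_domains=()):
    """Key order documented for smtpd_sender_login_maps: user@domain, user, @domain.
    The bare "user" key is tried only when the sender domain is a local one."""
    local, _, domain = sender.rpartition("@")
    return [sender] + ([local] if domain in local_domains else []) + ["@" + domain]

def owners(values):
    """Simplified model of result_format = %u, %s: local part (if any) plus the value."""
    names = []
    for value in values:
        local = value.rpartition("@")[0]
        names.extend(n for n in (local, value) if n)
    return names

def check(sender, sasl_login):
    """Return (key that produced a result, whether sasl_login is a listed owner)."""
    for key in lookup_keys(sender):
        values = ldap_search(key)
        if values:                      # first key with a result decides
            return key, sasl_login in owners(values)
    return None, False

if __name__ == "__main__":
    for addr in ("testuser1@primary.example", "testuser1@alias.example"):
        print(addr, check(addr, addr))
```

In this model the alias-domain sender only matches on the @domain key, and the values returned for that entry name the target domain rather than any login, so the comparison fails for every user.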
