zimbraHideInGAL, Edge MTA, and LDAP

[daneturner]

My site is using an edge MTA to relay mail between Zimbra and the internet. We've configured the edge MTA to do an LDAP lookup on Zimbra to verify incoming email addresses. However, distribution lists marked as "Hide In GAL" (zimbraHideInGAL TRUE) do not appear in the LDAP query results, and consequently get bounced as 'Unknown user' by the edge MTA. This is bad.

What is the correct way to query Zimbra's LDAP directory if we want to include hidden distribution lists in the results?

Here's anonymous LDAP query we're currently using from the edge MTA:

ldapsearch -LLL -D "" -h zimbra.greatschools.net -b ou=people,dc=greatschools,dc=net -x '(objectClass=zimbraMailRecipient)' zimbraMailHost zimbraMailDeliveryAddress mail

Thanks for suggestions,
Dane

[daneturner]

Anyone know how Zimbra's postfix queries LDAP when looking up valid email addresses? This would probably be the same query I need to run from the edge MTA.

Any pointers?

[daneturner]

In case this helps others, here's what I ended up doing. Disclaimer: Sendmail LDAP configuration is notoriously tricky and loosely documented. Please comment if you know a better way (ahem, adding Sendmail LDAP alias maps would make the partial solution complete).

SITUATION
We run Zimbra behind a Sendmail edge MTA. Sendmail is the mail exchanger and relays all mail to/from the internet.

GOAL
To configure Sendmail on the edge MTA to verify email addresses against Zimbra's LDAP directory.

(PARTIAL) SOLUTION
I solved this using Sendmail's "LDAP Routing" feature with custom LDAP map definitions. See below for why this is only a partial solution.

Add the following lines to Sendmail's sendmail.mc:

Code:

dnl LDAP ROUTING
dnl http://www.sendmail.org/doc/sendmail-current/cf/README
dnl http://www.onlamp.com/pub/a/onlamp/excerpt/sendmailckbk_chap01/index.html
define(`confLDAP_DEFAULT_SPEC', ` -w 3 -h zimbra.example.com -b ou=people,dc=example,dc=com')dnl
LDAPROUTE_DOMAIN(`example.com')dnl
dnl
dnl ---> There's LDAP trickery here in the -v return value...  Users have the zimbraMailHost attribute,
dnl ---> while distribution lists and aliases have the zimbraMailAlias attribute.
FEATURE(`ldap_routing',`ldap -1 -T<TMPF> -v zimbraMailHost -k (|(zimbraMailAlias=%0)(mail=%0))',`ldap -1 -T<TMPF> -v zimbraMailAlias -k (|(zimbraMailAlias=%0)(mail=%0))',`bounce',`preserve',`tempfail')dnl
dnl

LIMITATIONS
I've discovered one scenario in which this solution fails. Multiple aliases for a given Zimbra account will not be visible to sendmail using the above configuration and will generate a "User unknown" response from Sendmail. For example, if a Zimbra account "JohnDoe@example.com" exists and has two or more mail aliases, say "jd@example.com" and "johnny@example.com", external email to either jd or johnny will be rejected by the Sendmail edge MTA as "user unknown". Mail to JohnDoe will be accepted as normal.

On the other hand, if user "JaneDoe@example.com" has only one mail alias, say "jane@example.com", external mail to the alias will be accepted correctly.

WHY THE FAILURE?
Sendmail expects the ldap query to return only one value for a given attribute. When a user has multiple aliases, the LDAP attribute zimbraMailAlias has multiple values, causing the sendmail ldap map to return "false". This behavior is supposed to be controlled by the "-1" flag to ldap (shown above as "ldap -1 -T..."). However, removing the -1 flag did not fix this problem in my tests.

WORKAROUND
Use distribution lists instead of mail aliases in Zimbra.

REAL SOLUTION
I'm not sure.... maybe configure Sendmail LDAP aliases?

[phletaylor]

As a bit of a follow-up to this in case anyone is interested :-)

I have got this working with the latest build of FRANKLIN (as of last week) and Sendmail 8.14.3 and I haven't experienced the multiple aliases problem so I assume something has now been fixed in Sendmail???

One problem I did experience, I have quite a few domains and have created an LDAPROUTE_DOMAIN_FILE with all of them in but of course the base DN is different for each domain so any queries for anything other than my primary domain fail (unless they are accounts in the primary domain who also have an alias within the secondary).

I have it working at the moment by not setting a base DN and letting it search the ENTIRE LDAP database, I have two quite busy backup-mx's and my zimbra server is quite busy as well so I was a bit concerned about extra load on the slapd process but it seems OK, can anybody think of a way that I can set a different base DN for each domain?

Also I have noticed that Distribution Lists don't appear to have a zimbraMailHost object, this doesn't appear to cause sendmail a problem as the address lookup works but I just wondered why???

Thanks

Phil