Mandriva 2005 Postfix Anti-Spam, Anti-Virus Relay Server for Exchange Server 2000/2003 - Page 4

Submitted by deeztech on Tue, 2006-06-27 12:38.

STEP 5: Configure Relay Recipient Maps

The steps below outline how to tell Postfix who the valid recipients on your Exchange server are, so that the Postfix server doesn't forward e-mail to invalid addresses in your domain and fill your Exchange server logs with undeliverable receipts. This step requires installing a few extra packages as well as running Chris Covington's getadsmtp.pl script to fetch all the recipients from your Exchange box. The recipients will be saved in the file /etc/postfix/exchange_recipients. Finally, once we have verified that the script works, we will schedule it to run at regular intervals with crond, depending on how often the accounts on our Exchange server change.

1. First, go to the following link: http://www-personal.umich.edu/~malth/gaptuning/postfix/getadsmtp.pl You will be presented with Chris Covington's getadsmtp.pl script. In your putty window, create the getadsmtp.pl file under your /usr/bin directory as follows:

vi /usr/bin/getadsmtp.pl

Now, hit "i" to start editing the file, then select and copy everything from the browser page that shows the getadsmtp.pl script and paste it into your putty window. Hit "ESC" to stop editing, and then "SHIFT ZZ" to save the file.

2. Next you must install Net::LDAP. In your console/putty window type:

urpmi perl-ldap

Accept the dependencies and let it install automatically.

3. Most of the instructions below have been taken verbatim from http://doc.nettools.ru/Unix/Postfix&intserver/. I have copied and pasted them for convenience and redundancy. These instructions will guide you through configuring and running the getadsmtp.pl script against your Exchange server to get a list of valid aliases. I have put some of my own comments where necessary. Important: your spamfilter box will require port 389 access to your Active Directory DC in order for this script to work, so adjust your firewalls accordingly! Open the getadsmtp.pl script in your editor:

vi /usr/bin/getadsmtp.pl

Enter the path to your recipient maps file by changing the line:

$VALID = "/etc/postfix/example_recipients";

to:

$VALID = "/etc/postfix/exchange_recipients";

Next you will need to enter either the Fully Qualified Domain Name (FQDN) of your Active Directory Domain Controller, or the DC's local IP address. You may have to do the latter if your DC uses the "yourdomain.local" naming scheme, since your spamfilter would not be able to resolve this name (unless you explicitly tell it how). In any event, depending on your situation, this parameter may need some tweaking in order for the spamfilter to "talk" to the DC. If you only have one DC, make sure that both the $dc1 and $dc2 lines are set to the same FQDN or IP address of your one and only DC. Change the lines that say:

$dc1="domaincontroller1.example.com";
$dc2="domaincontroller1.example.com";

to:

$dc1="w.x.y.z";
$dc2="w.x.y.z";

Where w.x.y.z is the local IP address of your DC, and Backup Domain Controller ($dc2), if you have one. Again, enter the same IP address on both fields if you only have one DC.

Next, you will need to determine and enter the LDAP container of your user base. To do this you should download the Windows 2000/2003 Support Tools and install them on your AD DC. If you don't want to download them, the tools are usually located under the /Support/Tools directory of your Windows 2000/2003 Server installation CD. Once you have installed the support tools, go to your Exchange server, click on Start/Run and type in "mmc". You should be presented with the Windows root console. Click on File and then "Add/Remove Snap-In". In the next window click on the "Add" button. In the following "Add Standalone Snap-In" window you should see a list of already installed snap-ins. If you installed the support tools correctly, you should see the "ADSI Edit" snap-in. Click on it, then click on "Add", then "Close" and then "Ok". You should now have the ADSI Edit snap-in under the Console Root window. Right-click on ADSI Edit and then click on "Connect To". On the next window just click "OK". Now, under ADSI Edit in your Console Root, you should see your domain. Expand the domain tree, then expand the "DC=" tree and then click on the "CN=" tree that contains your Exchange users. Unless you have moved your users around different containers in your AD, this is most probably the "CN=Users" tree. Now look at the title of your Console Root window. It should read something similar to this:

"Console Root\ADSI Edit\Domain [yourdc.yourdomain.tld]\DC=yourdomain,DC=tld\CN=users"

where yourdc.yourdomain.tld is the FQDN of your DC. So, on the getadsmtp.pl line below, change the default values to the values of your domain using the settings you got from above:

$hqbase="cn=Users,dc=example,dc=com";
Next, you will need to enter a username and password for a user in your Active Directory. This user does not need any special privileges, but you should make sure that the user's password is set to not expire. The user should be entered in the format "cn=username,cn=Users,dc=example,dc=com". Again, I suggest you read the comments in the getadsmtp.pl script carefully. Note that because you are entering a password here in clear text, I would make sure that this script is only readable by root. Once you have the information you need, change the lines:

$user="cn=user,cn=Users,dc=example,dc=com";
$passwd="password";

to the appropriate values.

* Please note that if the password you use contains the $ sign (and perhaps others? I am not familiar with perl really, but some characters such as $ and probably also quotes have special meaning) you will have to escape them appropriately with a backslash or perl will complain. For example, if your password is pa$$word, you would have to enter pa\$\$word here.

Once you have made all the changes to the getadsmtp.pl script, save it and exit vi (hit Esc, then type :wq). Now make the script executable, then run it to see if it works:

chmod 755 /usr/bin/getadsmtp.pl

/usr/bin/getadsmtp.pl

If the script runs successfully, you should now have a file in /etc/postfix called exchange_recipients listing all your email addresses. To verify this, issue the command:

less /etc/postfix/exchange_recipients

(of course, replace this with the file name you chose earlier, if needed). You should see a list scroll by in a format similar to this:

user1@domain.com OK
user2@domain.com OK
user2@domain2.com OK

...etc.
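The howto verifies the export by eye and then leaves the crond scheduling to the reader. The wrapper below is an added example, not part of the original page or of getadsmtp.pl. It assumes that $VALID in the script has been pointed at the staging file /etc/postfix/exchange_recipients.new rather than the live file, and that main.cf references the map as hash:/etc/postfix/exchange_recipients, so the text file has to be rebuilt with postmap after every refresh (neither of these is stated on this page). It publishes a new file only when every line has the "user@domain OK" shape shown above and the file has not shrunk below half the size of the previous one, because an empty or truncated map (for instance after the DC was unreachable on port 389 during a run) would otherwise make Postfix reject every recipient until the next run. The MIN_PERCENT threshold and the .new staging name are assumptions; the cron line in the comment is a suggestion, not from the page.

```shell
#!/bin/sh
# Refresh the relay_recipient_maps file written by getadsmtp.pl and publish it
# only when it looks sane. Added example for this howto; it is not part of
# getadsmtp.pl, Postfix, or the original page.
#
# Assumptions (not from the page):
#   - $VALID in getadsmtp.pl is set to "/etc/postfix/exchange_recipients.new"
#   - main.cf has: relay_recipient_maps = hash:/etc/postfix/exchange_recipients
#   - run as root from cron, e.g. (hourly, adjust to taste):
#       0 * * * * /usr/local/sbin/refresh_exchange_recipients.sh

SCRIPT=${SCRIPT:-/usr/bin/getadsmtp.pl}           # installed in STEP 5
LIVE=${LIVE:-/etc/postfix/exchange_recipients}    # what Postfix reads
MIN_PERCENT=${MIN_PERCENT:-50}   # refuse a map under 50% of the old size (assumption)

# Every line getadsmtp.pl emits must look like "user@domain OK" (POSIX BRE).
RECIPIENT_RE='^[^@[:space:]][^@[:space:]]*@[^@[:space:]][^@[:space:]]*[[:space:]][[:space:]]*OK[[:space:]]*$'

# validate_recipients FILE: exit 0 if FILE is non-empty and every line matches
# RECIPIENT_RE, 1 otherwise. An empty or garbled map would make Postfix reject
# every recipient, which is the failure this guards against.
validate_recipients() {
    [ -s "$1" ] || return 1
    # grep -v selects the lines that do NOT match; -q exits 0 if any exist
    if grep -vq "$RECIPIENT_RE" "$1"; then
        return 1
    fi
    return 0
}

# size_ok NEW OLD: exit 0 if NEW has at least MIN_PERCENT% as many lines as OLD
# (a partial LDAP result is the usual way a run silently loses users), or if
# there is no OLD yet.
size_ok() {
    [ -f "$2" ] || return 0
    n_new=$(wc -l < "$1"); n_old=$(wc -l < "$2")
    [ "$((n_new * 100))" -ge "$((n_old * MIN_PERCENT))" ]
}

# publish_recipients CANDIDATE LIVE: validate CANDIDATE, move it over LIVE in
# one rename, rebuild LIVE.db when postmap is installed. Exit 1 and leave LIVE
# untouched on any failure.
publish_recipients() {
    cand=$1; live=$2
    validate_recipients "$cand" || { echo "refusing $cand: empty or malformed" >&2; return 1; }
    size_ok "$cand" "$live"     || { echo "refusing $cand: far fewer entries than $live" >&2; return 1; }
    chmod 644 "$cand" || return 1      # addresses only, no password: world-readable is fine
    mv "$cand" "$live" || return 1     # rename is atomic, Postfix never sees a half file
    if command -v postmap >/dev/null 2>&1; then
        postmap "$live" || return 1    # builds $live.db for the hash: lookup table
    fi
    return 0
}

# refresh_recipients: the cron entry point. Runs the exporter (which writes
# $LIVE.new because of the $VALID assumption above) and publishes the result.
refresh_recipients() {
    stage="$LIVE.new"
    rm -f "$stage"
    "$SCRIPT" || { echo "$SCRIPT failed, keeping $LIVE" >&2; return 1; }
    publish_recipients "$stage" "$LIVE"
}

# Stand-alone demo on constructed data (no AD or Postfix needed): a good export
# is published, an empty one is refused and the live file survives.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'user1@domain.com OK\nuser2@domain.com OK\nuser2@domain2.com OK\n' > "$dir/good.new"
    : > "$dir/empty.new"
    publish_recipients "$dir/good.new" "$dir/live"  || return 1
    publish_recipients "$dir/empty.new" "$dir/live" && return 1
    [ "$(wc -l < "$dir/live")" -eq 3 ] || return 1
    rm -rf "$dir"
    echo "demo ok: live map kept 3 entries, empty export refused"
}
demo || echo "demo failed" >&2
```

To use it for real, drop the demo call, install the file as /usr/local/sbin/refresh_exchange_recipients.sh, and point the cron entry at it; the getadsmtp.pl script itself should stay readable by root only, as the author recommends above, since it carries the AD password.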

Some final comments: If you look at your main.cf file, you will see that unknown_local_recipient_reject_code is set to 550. However, this directive does not control the rejection code for a recipient that is not listed in relay_recipient_maps. The default rejection code for unknown relay recipients is also 550, which is most likely what you want, but if you ever wanted to change it, the directive to change is

unknown_relay_recipient_reject_code


Submitted by Anonymous (not registered) on Thu, 2006-06-29 16:59.

Postfix can directly query Active Directory and the setup is much simpler. In addition, your Postfix setup is then always up to date on active users. In main.cf add:

relay_recipient_maps = ldap:/etc/postfix/ldap.cf

in ldap.cf:

server_host = ldap://dc1.example.com:389
search_base = cn=Users,dc=example,dc=com
timeout = 5
bind = yes
version = 3
bind_dn = ADuser@example.com
bind_pw = ADusersPW
query_filter = (proxyAddresses=smtp:%s)
result_attribute = extensionAttribute1
domain = hash:/etc/postfix/transport

in transport:

example.com smtp:exchange.example.com:25

Lastly, in the Active Domain user management you need to put "OK" (no quotes) in the extensionAttribute1 for each user you wish to allow to receive external email. This is required because Postfix looks for OK in the lookup response; anything else is a negative response.

Enjoy,

Woody (woody at linif dot org)