--On Friday, November 21, 2008 3:15 PM -0500 Victor Duchovni <[EMAIL PROTECTED]> wrote:

On Fri, Nov 21, 2008 at 12:06:17PM -0800, Quanah Gibson-Mount wrote:

[EMAIL PROTECTED] conf]$ grep ldap main.cf
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf

Don't use sender_canonical_maps. Use either canonical_maps or
smtp_generic_maps as appropriate. Header recipients become "senders"
(really addresses to reply-to) when Reply-All is used, so you really
need to rewrite all addresses (sender and recipient) uniformly.

Thanks, I've filed a bug to have this fixed in a later release.

virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf

The problem description I've been given is:

We need a milter that validates RCPT To: content specifically for alias
domains.  Currently we automatically accept email for alias domains and
then generate a bounce.

What is an "alias domain"? Do you have wildcard aliases in the
virtual_alias_maps tables? DO NOT use these. They break recipient
validation.


Our virtual alias maps table looks at the user accounts, not domains, so I think the answer here is no?

ldap-vam.cf has:

query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress


In my test server configuration, I have two domains, freelancer.lab.zimbra.com, and tribes.lab.zimbra.com, which is aliased to freelancer.lab.zimbra.com. As far as email goes, email to "[EMAIL PROTECTED]" is then sent to "[EMAIL PROTECTED]". Sending an email to a non-existent user @tribes.lab.zimbra.com generates a bounce that that user @freelancer.lab.zimbra.com doesn't exist.

This has the potential for backscatter abuse and
we'd like to close this hole for hosted and still be able to offer alias
domains without adding aliases to each account.

Add aliases to each account.

I've been informed that adding aliases to every account is not an option at this time.

The problem with alias
domains is we define them as a catchall domain @aliasdomain.com so it
automatically accepts the email for that domain and then does the
rewrite to [EMAIL PROTECTED], if that user doesn't exist it bounces.

Add aliases to each account. Or define a set of domains that share the
same namespace a single representative domain and use:

        domain = list of alias domains
        query = [EMAIL PROTECTED]

I've been informed that this isn't a workable option, either. I think because we host multiple domains, and those domains may all have their unique sets of aliases. But again, this isn't my normal knowledge base.

We want the
milter to reject at rcpt_to time instead of allowing the bounce.  My
guess is you'll have to insert it on smtp_recipient_restrictions as
opposed to using the normal milter rules, which normally work on queued
mail.

Why use a complex multi-threaded milter when a much simpler policy
service will do? But, better yet, don't break recipient validation.

So, I'm guessing not breaking recipient validation means adding aliases, which I can't do, or the above bit about the domain and query, which I also apparently can't do. I'll look into a policy service, thanks!

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
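
An added example, not code from this thread or from Zimbra or Postfix: a Postfix policy service that rejects at RCPT TO time when a recipient in an alias domain has no mailbox after the rewrite to the target domain. The alias pair is the test setup described above; the mailbox set is a constructed stand-in for the LDAP lookup, and the function names are hypothetical.

```python
import sys

# Constructed sample data. The alias-domain pair is the test setup described
# in the message; the mailbox set is a hypothetical stand-in for the LDAP
# directory lookup a real deployment would perform.
ALIAS_DOMAINS = {"tribes.lab.zimbra.com": "freelancer.lab.zimbra.com"}
MAILBOXES = {"user1@freelancer.lab.zimbra.com"}


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\r\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    local, at, domain = attrs.get("recipient", "").lower().rpartition("@")
    target = ALIAS_DOMAINS.get(domain)
    if not at or target is None:
        return "DUNNO"  # not an alias domain: leave to the normal checks
    if f"{local}@{target}" in MAILBOXES:
        return "DUNNO"  # exists after the rewrite; do not whitelist with OK
    return "REJECT 5.1.1 User unknown in alias domain"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; a blank line ends each request."""
    pending = []
    for line in stream_in:
        if line.strip():
            pending.append(line)
            continue
        stream_out.write(f"action={decide(parse_request(pending))}\n\n")
        stream_out.flush()
        pending = []


if __name__ == "__main__":
    serve()
```

Postfix would start this through spawn(8) and consult it with check_policy_service in smtpd_recipient_restrictions. Returning DUNNO rather than OK for existing users keeps any later restrictions in effect.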
