Sendmail Inc. Directory Usage

Sendmail Messaging Directory Usage

Note: This article is specifically tailored for Sendmail Inc. commercial software deployments.  Much of the information here also pertains to sendmail opensource versions, as well as to other full-featured mailers such as Postfix and others that implement the LACHMAN-LASER draft specifications for email routing.

This article is provided to describe the LDAP attribute/value pairs used by Sendmail software.  Specific information on how to configure the Sendmail software for LDAP lookups will be found in a future article.

Sendmail Inc.'s commercial software uses LDAP directories heavily, for a number of functions.  Here is a partial list; all of these features can be used:
The following information is broken down into specific areas: basics, followed by per-functionality writeups.

Just a few email and directory basics

Legacy data sources, such as "aliases" and "virtusertable" files, have a number of problems:

When converting from legacy data sources (such as alias files) to a directory data source, the single hardest task is simply identifying which of the entries are lists, which are users, which are alternate entries for each of the above, which are orphaned accounts, and so forth, plus the inevitable dirty data that finds its way into the system over time.

LDAP-based storage simplifies management by starting with the following design points:

Recipient Address lookups - Feature LDAP Routing

When any MTA looks at an email recipient address, it has to determine three pieces of information; together these are called the "mailer triple".  These pieces are:
Sendmail's LDAP routing is used to determine the first two parts of the triple.  The third part of the triple is usually left at its default value, but it too can use LDAP lookups.

Basic MTA lookups make use of the following LDAP attribute/value pairs.  None of these are case-sensitive.
A few caveats and notes:
  1. For any given value of mailLocalAddress, no more than one directory entry may have that as a value.  If two or more entries have the same value for mailLocalAddress, the MTA will treat this as a configuration error.  In effect, you have told the MTA that the message should be routed to two different recipients, and email addresses must be unique.   (Do not confuse this with email lists, which is a different matter and uses different attribute/value pairs.)
  2. More than one entry might have the same mailRoutingAddress value.   This does not break the "one entry, one address" rule so long as the routing MTA has distinct mailLocalAddress values for each entry.
  3. The MTA can be configured to "Bounce recipient if not found in LDAP".  If this is enabled, two additional checks are enabled as a result:
EXAMPLE:

Consider an LDAP entry that includes the following attribute-value pairs:

dn: mailLocalAddress=mfd5524@ldapman.org,ou=People,dc=ldapman,dc=org
mailLocalAddress: donnelly@ldapman.org
mailLocalAddress: mdonnelly@ldapman.org
mailLocalAddress: mdonnelly@ldapman.NET
mailLocalAddress: michael.donnelly@ldapman.org
mailLocalAddress: Michael_Donnelly@ldapman.org
mailLocalAddress: mfd5524@ldapman.org
mailHost: mailstore1.ldapman.org
mailRoutingAddress: mfd5524@ldapman.org
mail: Michael.Donnelly@ldapman.org
...
In our example case, we have email coming in for "mdonnelly@ldapman.net". 

To determine how to route the message to this recipient, the Sendmail MTA LDAP routing feature performs all of the following lookups and checks:
  1. Check - is "ldapman.net" in the list of LDAP route domains?  (Yes in this example.)
  2. Perform an LDAP lookup, searching for a single entry where mailLocalAddress=mdonnelly@ldapman.net
  3. Single entry found?  Yes.  (With zero, or greater than one entry found, we would bounce it.)
  4. mailRoutingAddress value found, of "mfd5524@ldapman.org", so the recipient envelope is rewritten using this address.
  5. mailHost value found, with value of "mailstore1.ldapman.org"
  6. If the mailertable feature is enabled, the MTA performs a mailertable lookup on "mailstore1.ldapman.org" to see if the default delivery mechanism and/or routing has been overridden.   (Nothing found in this example.)
  7. The MTA does an MX lookup of "mailstore1.ldapman.org".  (No such entry found in DNS in this example.)
  8. The MTA does an A record lookup of "mailstore1.ldapman.org", and finds an IP address of 12.34.56.78.
  9. The MTA now knows to deliver the message to 12.34.56.78 with an envelope recipient value of "mfd5524@ldapman.org".
To test the LDAP routing lookups and the results they return, one could use the test command:
sendmail -bv mdonnelly@ldapman.net
You would expect to see something like this:
donnelly@ldapman.net... deliverable: mailer relay, host mailstore1.ldapman.org, user mfd5524@ldapman.org

A final note, regarding LDAP-based routing as it pertains to email lists.   In many respects, an email list is the same as any other email address: it may be routed to another machine if the LDAP entry specifies that the message should be routed to another mailHost or to a non-local mailRoutingAddress.  This is frequently done for Exchange and Domino environments, where the message must be accepted on Sendmail MTAs and passed on to the back-end mail server for list expansion.

Email distribution lists - Implementing LDAP lookups for Aliases feature

A directory entry for an email distribution list may include all of the attribute/value pairs mentioned above for single entries, including:
mail
mailHost
mailRoutingAddress
mailLocalAddress
Each attribute is used in the same way as above.   The new attribute/value pairs used for email lists are:
If LDAP-based aliases expansion has been configured in combination with LDAP-based routing, the mailHost value is used to determine what happens next.   Each MTA knows a list of local host names, which is determined by looking at the local-host-names file and by probing its own interfaces on startup.

If the MTA sees that the mailHost value is a "local" host name, it will proceed to the aliases expansion step, and the mailRoutingAddress value is ignored.   Otherwise the MTA will route the message to the server specified in mailHost just as with any other LDAP routed message. 

EXAMPLE:

Consider an LDAP entry that includes the following attribute-value pairs:

dn: mailLocalAddress=mylist@ldapman.org,ou=messageRecipientGroups,dc=ldapman,dc=org
mailLocalAddress: mylist@ldapman.org
mailLocalAddress: my_list@ldapman.org
mailLocalAddress: my-list@ldapman.NET
mailHost: ldap-mta.ldapman.org
mailRoutingAddress: My_List@ldapman.org
mail: My_List@ldapman.org
mgrpRFC822MailMember: donnelly@ldapman.org
mgrpRFC822MailMember: otheruser@ldapman.org
mgrpRFC822MailMember: somebody@pogonip.org
...
In our example case, we have email coming in for "mylist@ldapman.net", and the local-host-names file includes the host name "ldap-mta.ldapman.org".   (All of the MTAs in this environment include that name in the file, allowing all of them to perform LDAP-based aliases expansion.)

To determine how to route the message to this recipient, the Sendmail MTA LDAP routing feature performs all of the following lookups and checks:
  1. Check - is "ldapman.org" in the list of LDAP route domains?  (Yes in this example.)
  2. Perform an LDAP lookup, searching for a single entry where mailLocalAddress=mylist@ldapman.org
  3. Single entry found?  Yes.  (With zero, or greater than one entry found, we would bounce it.)
  4. mailRoutingAddress value found, of "mylist@ldapman.org", so the recipient envelope is rewritten using this address if external routing is going to happen.
  5. mailHost value found, with value of "ldap-mta.ldapman.org".
  6. ldap-mta.ldapman.org is found in local-host-names, so the MTA proceeds to the aliases expansion phase.
  7. MTA performs another LDAP query, once again looking for mailLocalAddress=mylist@ldapman.org, this time to retrieve the values in mgrpRFC822MailMember.
  8. The complete list of email values in mgrpRFC822MailMember is now used as envelope recipients, instead of mylist@ldapman.org.   For each value, the MTA will perform the same LDAP routing and list expansion steps.
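The routing decisions above (single-entry lookup, mailRoutingAddress rewrite, mailHost) and the list-expansion path (local mailHost, mgrpRFC822MailMember recursion) can be modelled in a few lines.  This is an added example and not Sendmail's own code: it runs against a constructed in-memory directory using the attribute names on this page, assumes "Bounce recipient if not found in LDAP" is enabled, and stops at the mailHost step (mailertable, MX and A lookups are not modelled).  It also includes a small audit for the duplicate-mailLocalAddress configuration error described in caveat 1.

```python
from collections import Counter

# Constructed directory: one user entry and one list entry (values taken from the page).
DIRECTORY = [
    {"mailLocalAddress": ["donnelly@ldapman.org", "mdonnelly@ldapman.org",
                          "mdonnelly@ldapman.NET", "mfd5524@ldapman.org"],
     "mailHost": ["mailstore1.ldapman.org"],
     "mailRoutingAddress": ["mfd5524@ldapman.org"]},
    {"mailLocalAddress": ["mylist@ldapman.org", "my-list@ldapman.NET"],
     "mailHost": ["ldap-mta.ldapman.org"],
     "mailRoutingAddress": ["My_List@ldapman.org"],
     "mgrpRFC822MailMember": ["donnelly@ldapman.org", "somebody@pogonip.org"]},
]
ROUTE_DOMAINS = {"ldapman.org", "ldapman.net"}   # LDAP route domains (assumed)
LOCAL_HOST_NAMES = {"ldap-mta.ldapman.org"}      # contents of local-host-names (assumed)

def lookup(directory, address):
    """Entries whose mailLocalAddress matches; none of these values are case-sensitive."""
    a = address.lower()
    return [e for e in directory
            if a in (v.lower() for v in e.get("mailLocalAddress", []))]

def duplicate_local_addresses(directory):
    """Audit: mailLocalAddress values present in more than one entry (a config error)."""
    counts = Counter(v.lower() for e in directory for v in e.get("mailLocalAddress", []))
    return sorted(v for v, n in counts.items() if n > 1)

def route(directory, rcpt, depth=0):
    """Return the final (delivery target, envelope recipient) pairs for rcpt."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain not in ROUTE_DOMAINS:              # not an LDAP route domain: no lookup
        return [("esmtp:" + domain, rcpt)]
    hits = lookup(directory, rcpt)
    if len(hits) != 1 or depth > 10:             # zero or more than one entry: bounce
        return [("bounce", rcpt)]                # (depth guard stops self-referencing lists)
    entry = hits[0]
    host = entry.get("mailHost", [None])[0]
    routing = entry.get("mailRoutingAddress", [rcpt])[0]
    members = entry.get("mgrpRFC822MailMember", [])
    if members and host and host.lower() in LOCAL_HOST_NAMES:
        # List with a local mailHost: mailRoutingAddress is ignored, each member is
        # substituted as an envelope recipient and goes through the same routing again.
        return [r for m in members for r in route(directory, m, depth + 1)]
    return [("relay:" + (host or domain), routing)]
```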
To test the LDAP routing lookups and aliases expansion, use the test command:
sendmail -bv mylist@ldapman.net
You would expect to see output like this:
otheruser@ldapman.org... deliverable: mailer relay, host [exchange.mydomain.com], user otheruser@ldapman.org
donnelly@ldapman.net... deliverable: mailer relay, host mailstore1.ldapman.org, user mfd5524@ldapman.org
somebody@pogonip.org... deliverable: mailer esmtp, host pogonip.org., user somebody@pogonip.org