ldapforward

ldapforward is an add-on to qmail to forward mail to one or more addresses retrieved from an LDAP server.

ldapforward can be used e.g. to resolve email aliases, to route incoming addresses to local maildrop addresses or remote forward addresses, and to implement mailing lists. It can preserve qmail-style dash-separated address extensions. Connections to the server with strong encryption and strong client authentication are possible.

Author:

Timo Felbinger
Quantum Optics Group
Institut für Physik
University of Potsdam

Download

ldapforward is free software and comes with NO WARRANTY. Here is the

Usage

ldapforward is designed to be used in .qmail files, similar to forward(1); also see qmail-command(8).

ldapforward can forward mail to one or more addresses obtained from an LDAP directory. LDAP queries are controlled by command line arguments in the form of LDAP URLs (RFC 2255):

 ldapforward [-d] [-t] URL ... [emailaddress] [errorcode]

In the URL arguments, you can specify LDAP queries to any server, with arbitrary filter expressions; see the man page ldapforward(1) for details.

Examples

Note: In the examples below, lines and URLs are broken for readability: in a .qmail file, you must put every command and all of its arguments into one single line, and you must not insert whitespace into a URL!

All examples are taken from a real-world production mail server accessing the LDAP directory at the Institute of Physics of the University of Potsdam.

The first example implements a mailing list: it will forward mail to every inetorgperson below ou=people,ou=physics,o=uni-potsdam,c=de which has the attribute memberof=quantum:
 ldapforward -d
   'ldap://ldap.qipc.org /ou=people,ou=physics,o=uni-potsdam,c=de ?maildrop,mail ?sub ?(&(objectclass=inetorgperson)(memberof=quantum)) ?matchesLimit=0'
   'ldaps://ldap-slave.qipc.org /ou=people,ou=physics,o=uni-potsdam,c=de ?maildrop,mail ?sub ?(&(objectclass=inetorgperson)(memberof=quantum)) ?matchesLimit=0'
   postmaster@some.where

To determine a delivery address, the attribute maildrop is searched first; the attribute mail is checked only if there is no maildrop.
There are two almost identical URLs: the second one specifies a backup server for failover. If both servers fail, mail is forwarded to postmaster@some.where. The backup server is accessed with TLS (scheme ldaps).
The extension matchesLimit=0 means there is no limit imposed on the number of delivery addresses obtained (but note that LDAP servers may impose limits on the number of hits they are willing to hand out!).
The following is /var/qmail/alias/.qmail-...-default, the mail hub of several virtual domains:
 ldapforward
   'ldap://ldap.qipc.org /ou=people,ou=physics,o=uni-potsdam,c=de ?maildrop ?sub ?(&(objectclass=inetorgperson)(memberof=${LOCAL0})(|(mail=${LOCAL1}@physik.uni-potsdam.de)(physikalias=${LOCAL1}@physik.uni-potsdam.de)(uid=${LOCAL1}))) ?matchesLimit=1,preserveExtension=2,authoritative'
   'ldaps://ldap-slave.qipc.org /ou=people,ou=physics,o=uni-potsdam,c=de ?maildrop ?sub ?(&(objectclass=inetorgperson)(memberof=${LOCAL0})(|(mail=${LOCAL1}@physik.uni-potsdam.de)(physikalias=${LOCAL1}@physik.uni-potsdam.de)(uid=${LOCAL1}))) ?matchesLimit=1,preserveExtension=2,authoritative'
   111

This assumes that there is a line like
 dom.org:dom
in /var/qmail/control/virtualdomains for every virtual domain.
If email to joe.average-ext@dom.org arrives, qmail will set the variable LOCAL=dom-joe.average-ext in the environment. ldapforward expands LOCAL0 (here: dom, see ldapforward(1)) to match only people with the appropriate memberof attribute. LOCAL1 is expanded (here: joe.average) to form an LDAP filter expression to search for people with any of
 mail=joe.average@physik.uni-potsdam.de
 physikalias=joe.average@physik.uni-potsdam.de
 uid=joe.average
in the LDAP directory. If found, the email is forwarded to the address stored in the attribute maildrop. The match must be unique (matchesLimit=1, which is redundant because it is the default).
Both URLs are marked authoritative: if either LDAP query succeeds but does not find a match, a hard error (100) is returned (i.e., the mail will bounce). If both servers are down, error 111 (temporary failure) is returned.
preserveExtension=2 will insert the address extension following the second dash in LOCAL (if any) into every delivery address.
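The following Python model is an added example, not code from ldapforward: it walks through the virtual-domain example above, splitting qmail's LOCAL into LOCAL0, LOCAL1 and the extension, substituting them into the filter, applying preserveExtension=2, and choosing the exit code from the per-server outcomes. It assumes a successful forward exits 0 and that the extension is placed qmail-style as user-ext@host; it also escapes substituted values per RFC 4515, which is the check a deployer would want, although the page does not state whether ldapforward does this itself.

```python
# Added example (not part of ldapforward): models how the .qmail-...-default
# example turns qmail's LOCAL variable into an LDAP filter, applies
# preserveExtension=2, and picks an exit code from the per-server outcomes.

FILTER_TEMPLATE = ("(&(objectclass=inetorgperson)(memberof=${LOCAL0})"
                   "(|(mail=${LOCAL1}@physik.uni-potsdam.de)"
                   "(physikalias=${LOCAL1}@physik.uni-potsdam.de)"
                   "(uid=${LOCAL1})))")


def ldap_escape(value):
    """Escape a value for embedding in a search filter (RFC 4515).
    Assumption: whether ldapforward escapes ${LOCALn} is not stated."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def split_local(local):
    """qmail sets LOCAL=dom-joe.average-ext; LOCAL0=dom, LOCAL1=joe.average,
    and the extension is everything after the second dash (may be empty)."""
    parts = local.split("-", 2)
    parts += [""] * (3 - len(parts))
    return tuple(parts)


def build_filter(local):
    """Expand ${LOCAL0} and ${LOCAL1} in the filter from the example."""
    local0, local1, _ = split_local(local)
    return (FILTER_TEMPLATE.replace("${LOCAL0}", ldap_escape(local0))
                           .replace("${LOCAL1}", ldap_escape(local1)))


def preserve_extension(maildrop, local, n=2):
    """preserveExtension=n: carry the extension after the n-th dash of LOCAL
    into the delivery address. Assumed qmail-style placement: user-ext@host."""
    parts = local.split("-", n)
    ext = parts[n] if len(parts) > n else ""
    if not ext:
        return maildrop
    user, _, host = maildrop.partition("@")
    return f"{user}-{ext}@{host}"


def resolve(outcomes, tempfail=111):
    """outcomes: per-URL result in command-line order, None if the server was
    unreachable, else the list of maildrop addresses found. Both URLs are
    authoritative: a successful query with no match is a hard error (100);
    all servers down yields the errorcode argument (111 in the example)."""
    for addrs in outcomes:
        if addrs is None:
            continue                      # failover to the next URL
        return (addrs, 0) if addrs else ([], 100)
    return [], tempfail
```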

Authentication

By default, ldapforward will bind anonymously to the LDAP server. From version 1.3.0 on, it also supports two different client authentication schemes:

Installation

In addition to a standard qmail-1.03 installation, this will give you one additional program, ldapforward, and its man page.

If you already have a running qmail system, then after applying the patch, you just need to
 make ldapforward
and install ldapforward and its man page manually.
If you are running an already patched version of qmail, you might get away with building ldapforward in a clean qmail-1.03 source tree and installing it manually.
Again: there is no warranty: you may install and use ldapforward, but entirely at your own risk!