Exim +AD (Запросы и фильтры)

EXIM, sendmail, postfix, Dovecot и прочие. Решение проблем связанных с работой электронной почты

Модератор: xM

Правила форума
Убедительная просьба юзать теги [code] при оформлении листингов.
Сообщения не оформленные должным образом имеют все шансы быть незамеченными.
Аватара пользователя
Kobzar
рядовой
Сообщения: 31
Зарегистрирован: 2011-05-30 8:38:07

Exim +AD (Запросы и фильтры)

Непрочитанное сообщение Kobzar » 2013-03-02 17:21:37

Я конечно же, дико прошу прощения за то что прошу помочь в данном вопросе, но можно сказать что ВЫ моя последняя надежда. Настраиваю связку Exim + AD по мЭмуарам журнала системный администратор. В целом то все красиво. Но вот никак не заставлю работать всю эту связку. А точнее - какая-то непонятная проблема с фильтрами которую не могу вторую неделю решить. При попытке отправить почту самому себе например получаю ошибку
На всякий случай вот ссыллка на оригинал конфига - может я просто неправильно понял автора при замене переменных на свои ?:
http://samag.ru/uploads/artpdf/1322461774configure_Exim

Код: Выделить всё

2013-03-02 16:00:13 [21494] End queue run: pid=21494
2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: SAEximRunCond expand returned: '1'
2013-03-02 16:00:17 [21509] 1UBmz3-0005av-UQ SA: Debug: check succeeded, running spamc
2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ SA: Action: scanned but message isn't spam: score=-0.0 required=5.0 (scanned in 2/2 secs | Message-Id: E1UBmz3-0005av-UQ@mx.emorion.com.ua). From <root@mx.emorion.com.ua> (local) for kobzar@emorion.com.ua
2013-03-02 16:00:19 [21509] 1UBmz3-0005av-UQ <= root@mx.emorion.com.ua U=root P=local S=754 T="Test" from <root@mx.emorion.com.ua> for kobzar@emorion.com.ua
2013-03-02 16:00:19 [21513] 1UBmz3-0005av-UQ == kobzar@emorion.com.ua R=ldap_EXTdistrib_group defer (-1): condition check lookup defer
ТО есть судя по ошибке у меня что то не то с ldap_EXTdistrib_group
Но где я ошибаюсь понять не могу.
ниже конфиг ексима. Доступ к лдапу есть. (проверял через ldapsearch)
Посмотрите опытным взглядом... где ж я туплю то так ацки ?

Конфиг Ексима:

Код: Выделить всё

######################################################################
#                    MAIN CONFIGURATION SETTINGS                     #
######################################################################
primary_hostname = mx.emorion.com.ua
domainlist local_domains = @ 
domainlist relay_to_domains = emorion.com.ua
domainlist trust_domains = kuz.com.ua
hostlist   local_net = 172.16.16.0/24 : 172.16.100.0/24
hostlist  nonauth_hosts = 172.16.16.10

acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data

ldap_default_servers = 172.16.16.2::3268 : 172.16.16.4::3268

LDAP_AUTH      = user="unix_ldap@jsp.local" pass="Пароль"
LDAP_BASE_SEARCH = ldap:///DC=jsp,DC=local
LDAP_DOMAIN  = jsp.local 
LDAP_MAIL_FILTER = (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}${quote_ldap:$domain}))

av_scanner = clamd:/var/run/clamav/clamd.sock
spamd_address = 127.0.0.1 783

#SMTP SSL
# Какой порт будет слушать демон Exim
tls_advertise_hosts = *
tls_certificate = /usr/local/etc/exim/ssl/exim.crt
tls_privatekey = /usr/local/etc/exim/ssl/exim.key
tls_on_connect_ports = 465
daemon_smtp_ports = 25:465

exim_user = mailnull
exim_group = mailnull

never_users = root

host_lookup = !+local_net
rfc1413_query_timeout = 0s
ignore_bounce_errors_after = 45m
timeout_frozen_after = 1d
split_spool_directory = true
helo_accept_junk_hosts = +local_net
smtp_banner = $primary_hostname ESMTP server
smtp_receive_timeout = 3m
smtp_accept_max = 100
smtp_accept_max_per_host = 10
smtp_accept_max_per_connection = 10
remote_max_parallel = 15
recipients_max = 120
message_size_limit = 10M
auth_advertise_hosts = +local_net : localhost

 log_selector = \
    +all \
    -arguments \
    -smtp_connection \
    -all_parents \
    -ident_timeout \
    -incoming_port \
    -outgoing_port \
    -queue_time \
    -queue_time_overall

syslog_timestamp = no
log_file_path = /var/log/exim/%s-%D.log
system_filter = /usr/local/etc/exim/filters/system-filter
system_filter_pipe_transport = address_pipe
system_filter_user = mailnull
system_filter_group = mailnull

# Скрипт для встроенного Perl. Использую для групп рассылок.
perl_startup = do '/usr/local/etc/exim/scripts/group_distrib_AD.pl'

######################################################################
#                       ACL CONFIGURATION                            #
#         Specifies access control lists for incoming SMTP mail      #
######################################################################
begin acl

acl_check_rcpt:
  accept  hosts = :
  deny   message       = Restricted characters in address
         domains       = +relay_to_domains
         local_parts   = ^[.] : ^.*[@%!/|]
	   delay 	= 30s
 
  deny   message       = Restricted characters in address
         domains       = !+relay_to_domains
         local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
	   delay 	= 30s
    
  accept  hosts        = !+local_net : !localhost
          domains      = +relay_to_domains
          condition    = ${lookup{$sender_address_domain}wildlsearch\
                         {/usr/local/etc/exim/db/whitelist}{yes}{no}}
          logwrite     = OK! The host $sender_address_domainis in the WHITE list

  accept  hosts        = +nonauth_hosts
          domains      = +relay_to_domains

  warn	  set acl_c1	= 0

  warn   condition    = ${if eq{$sender_helo_name}{}{yes}{no}}
	 logwrite       = SPAM. Send HELO/EHLO and your name first
 	 set acl_c1     = ${eval:$acl_c1+1}
   
    deny   message       = You are not allowed to send mail outside the own domain.
	     hosts         = +local_net : localhost
           domains       = !+relay_to_domains
	     condition     = ${if eqi{LD}{${lookup ldapm{LDAP_AUTH \
                           LDAP_BASE_SEARCH?physicalDeliveryOfficeName?sub?\
                           (samaccountName=$sender_address_local_part)}}}{yes}{no}}
  
  accept hosts         = +local_net : localhost
	   authenticated = *
         control       = dkim_disable_verify
     
  drop   message      = Forbidden to send mail on behalf of users domain \
                        $sender_address_domain
         hosts        = !+local_net : !localhost
         condition    = ${if match_domain{$sender_address_domain}\
                        {$primary_hostname : +local_domains : +relay_to_domains}\
                        {yes}{no}}

  warn   hosts 	= !+local_net : !localhost
	 condition  = ${if eq{$acl_c1}{0}{yes}{no}}
	 condition 	= ${if or {{ isip{$sender_helo_name}}\
                    {eq{$sender_helo_name}{[$sender_host_address]}}}{yes}{no}}
  	 logwrite  = SPAM. Forbidden to use IP-address instead of the host name in HELO
	 set acl_c1     = ${eval:$acl_c1+2}

  warn   hosts 	    = !+local_net : !localhost
	 condition      = ${if eq{$acl_c1}{0}{yes}{no}}
	 condition = ${if match_domain{$sender_helo_name}\
                   {$primary_hostname : +local_domains : +relay_to_domains}{yes}{no}}
	 logwrite       = SPAM. In HELO a name of our server
  	 set acl_c1     = ${eval:$acl_c1+3}
  
  warn   hosts 		= !+local_net : !localhost
	   condition      = ${if eq{$acl_c1}{0}{yes}{no}}
	   condition  	= ${if eq{$host_lookup_failed}{1}{yes}{no}}
  	   logwrite       = SPAM. Yours PTR and A records DNS do not conform
	   set acl_c1    = ${eval:$acl_c1+4}

  warn hosts 	= !+local_net : !localhost
	 condition  =  ${if eq{$acl_c1}{0}{yes}{no}}
	 condition 	=  ${lookup{$sender_host_name}wildlsearch\
                     {/usr/local/etc/exim/db/blacklist}{yes}{no}}
	 logwrite 	= SPAM. $sender_host_name in our local blacklist
  	 set acl_c1     = ${eval:$acl_c1+6}

  warn   hosts 		= !+local_net : !localhost
	   condition      = ${if eq{$acl_c1}{0}{yes}{no}}
	   condition      = ${if and {{match{$sender_host_name}\
                          {\N(?>[^.]+[.]){5,}|(?>[^-]+[\-]){4,}\N}}\
                          {!match{$sender_host_name}{\N\.yahoo\.com$\N}}}{yes}{no}}
       logwrite = SPAM. Too many point or hyphens in the hostname ($sender_host_name)
  	 set acl_c1     = ${eval:$acl_c1+7}

  
  warn   hosts 	    = !+local_net : !localhost
	 condition      = ${if eq{$acl_c1}{0}{yes}{no}}
       condition      = ${if !match{$sender_host_name}{\N\.yahoo\.com$\N}{yes}{no}}
	 condition 	= ${lookup{$sender_host_name}\
                    wildlsearch{/usr/local/etc/exim/db/dialup_hosts}{yes}{no}}
	 logwrite 	= SPAM. $sender_host_name possibly represents dialup host
  	 set acl_c1     = ${eval:$acl_c1+8}

  
  warn  hosts 	 = !+local_net : !localhost
	  condition  = ${if eq{$acl_c1}{0}{yes}{no}}
	  dnslists 	=  cbl.abuseat.org : sbl-xbl.spamhaus.org : bl.spamcop.net
        logwrite  =  SPAM. You in blacklist - $dnslist_domain --> $dnslist_text; \
                     $dnslist_value
	 set acl_c1  = ${eval:$acl_c1+9}

  warn   hosts 	    = !+local_net : !localhost
	 condition      = ${if eq{$acl_c1}{0}{yes}{no}}
	 spf 		= fail
	 logwrite   = SPAM. SPF check failed: $sender_host_address is not allowed to\
                    send mail from $sender_address_domain
	 set acl_c1  = ${eval:$acl_c1+10}
  
  warn  hosts 		= !+local_net : !localhost
	  condition 	= ${if eq{$acl_c1}{0}{yes}{no}}
	  !verify 	= sender/no_details/callout=15s
	  logwrite 	= SPAM. $acl_verify_message: $sender_address - does not exist      
    	  set acl_c1     = ${eval:$acl_c1+11}

  warn   hosts 		= !+local_net : !localhost
	   delay 		= 20s
	
  accept  domains      = +relay_to_domains
	    hosts        = !+local_net : !localhost
    
  drop    message 	= Access deny - this not open relay!


###################################################################################
### Проверяем тело письма ###
acl_check_data:

  deny   message 	= contains $found_extension file (blacklisted)
	   demime 	= com:vbs:bat:cmd:pif:scr:exe

  deny   malware 	= *
         message 	= This message contains a virus ($malware_name).

  deny   message 	= This message contains a MIME error $demime_reason
	 demime 	= *
	 condition 	= ${if >{$demime_errorlevel}{2}{yes}{no}}
    
  deny   message 	= Incorrect headers syntax
	   hosts 	= !+local_net
	   !verify 	= header_syntax
   
  
  accept
######################################################################
#                      ROUTERS CONFIGURATION                         #
#               Specifies how addresses are handled                  #
######################################################################
begin routers

dnslookup:
  driver        = dnslookup
  domains       = !+relay_to_domains : !+local_domains
  transport     = remote_smtp
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
  more	    = no
  cannot_route_message = Remote domain not found in DNS

ldap_EXTdistrib_group:
  driver        = redirect
  domains       = +relay_to_domains
  allow_fail
  allow_defer
  condition     = ${if eqi{${quote:$local_part}@$domain}{${lookup ldapdn{LDAP_AUTH ldap:///DC=jsp,DC=local?mail?sub?(objectClass=group)}}}{no}{yes}}
  data          = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}

ldap_INTdistrib_group:
  driver      	= redirect
  domains     	= +relay_to_domains
  allow_fail
  allow_defer
  condition     = ${if and{{match{$local_part}{\N^dg_\N}}{match_domain\
                      {$sender_address_domain}{+relay_to_domains : +trust_domains}}}}
  data          = ${perl{get_mail_lists}{${quote:$local_part}@$domain}}


ldap_aliases:
    driver      = redirect
    domains     = +relay_to_domains
    allow_fail
    allow_defer
    data 	     = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
	    	       ?mail?sub?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
                   (objectClass=user)(url=${quote_ldap:$local_part}\
                   ${quote_ldap:@}${quote_ldap:$domain}))}}

ldap_forwarding:
    driver      = redirect
    domains     = +relay_to_domains
    allow_fail
    allow_defer
    data        = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH?otherTelephone?sub?\
                  (&(!(userAccountControl:1.2.840.113556.1.4.803:=2))\
                  (objectClass=user)(mail=${quote_ldap:$local_part}${quote_ldap:@}\
                   ${quote_ldap:$domain}))}},${quote:$local_part}@${quote:$domain}

ldap_dovecot:
   debug_print = "R: ldap_local_user for $local_part@$domain"
   driver       = accept
   domains      = +relay_to_domains
   condition    = ${if eq{}{${lookup ldapdn{LDAP_AUTH LDAP_BASE_SEARCH\
                  ??sub?LDAP_MAIL_FILTER}}}{no}{yes}}
   transport    = dovecot_lda
   router_home_directory = ${lookup ldapm{LDAP_AUTH LDAP_BASE_SEARCH\
                           ?samaccountName?sub?LDAP_MAIL_FILTER}{/mail/$value/}}
   user         = 26
   group        = 26
   more         = no
   cannot_route_message = Unknown address

system_aliases:
  driver  = redirect
  domains = +local_domains
  allow_fail
  allow_defer
  data 	  = ${lookup{$local_part}lsearch{/etc/aliases}}
  user 	  = mailnull
  group   = mail
  file_transport = address_file
  pipe_transport = address_pipe

localuser:
  driver  = accept
  domains = +local_domains
  check_local_user
  transport = local_delivery
  cannot_route_message = Unknown address


######################################################################
#                      TRANSPORTS CONFIGURATION                      #
######################################################################
begin transports

remote_smtp:
  driver = smtp

dovecot_lda:
  driver  = pipe
  command = /usr/local/libexec/dovecot/deliver -d $local_part@$domain
  message_prefix =
  message_suffix =
  delivery_date_add
  envelope_to_add
  return_path_add
  log_output
  user 	 = mailnull
  temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78

local_delivery:
  driver = appendfile
  file = /mail/UNIX/$local_part
  delivery_date_add
  envelope_to_add
  return_path_add
  group = mail
  user = $local_part
  mode = 0660
  no_mode_fail_narrower

address_pipe:
  driver = pipe
  return_output

address_file:
  driver = appendfile
  delivery_date_add
  envelope_to_add
  return_path_add

address_reply:
  driver = autoreply

######################################################################
#                      RETRY CONFIGURATION                           #
######################################################################

begin retry

*              quota
*                      *           F,2h,15m; G,8h,1h,1.5


######################################################################
#                      REWRITE CONFIGURATION                         #
######################################################################

# There are no rewriting specifications in this default configuration file.

begin rewrite


######################################################################
#                   AUTHENTICATION CONFIGURATION                     #
######################################################################



begin authenticators


dovecot_plain:
  driver = dovecot
  public_name = PLAIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth2

dovecot_login:
  driver = dovecot
  public_name = LOGIN
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

dovecot_gssapi:
  driver = dovecot
  public_name = GSSAPI
  server_socket = /var/run/dovecot/auth-client
  server_set_id = $auth1

# End of Exim configuration file
Перловый скрипт

Код: Выделить всё

#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAP;
my %ldap_connect=(
HOST=>"172.16.16.4",
PORT=>"3268",
TIMEOUT=>"120",
BASE_DN=>"DC=JSP,DC=LOCAL",
BIND_DN=>"CN=unix_ldap,CN=Users,DC=JSP,DC=LOCAL",
BIND_PASS=>"Password",
VERSION=>"3"
);
sub get_mail_lists
{
    my $address = shift;
    my ($user_mail, $dn, $mesg, $entry, $mail_lists);
    my (@array_of_ldap_search, @entries);
    $mail_lists="";
    my $ldap = Net::LDAP->new($ldap_connect{'HOST'}, version=>$ldap_connect{'VERSION'}, \
port=>$ldap_connect{'PORT'}, timeout=>$ldap_connect{'TIMEOUT'}) or die  exit 0;

    $mesg=$ldap->bind($ldap_connect{'BIND_DN'}, password => $ldap_connect{'BIND_PASS'}) or die exit 0;

    $mesg = $ldap->search(
        base => $ldap_connect{'BASE_DN'},
        scope => 'sub',
        filter => "(&(objectClass=top)(objectClass=group)(mail=$address))",
        attrs => ['member']
        );

        foreach $entry ($mesg->entries) {
                @array_of_ldap_search = $entry->get_value("member");
        }

        foreach $dn (@array_of_ldap_search) {
                $mesg = $ldap->search(filter=>"(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)(objectClass=person)(distinguishedName=$dn))",
        base=>$ldap_connect{'BASE_DN'},
        scope =>'sub',
        attrs=>['mail']
        );


                @entries = $mesg->entries;
                foreach $entry (@entries) {
            $user_mail = $entry->get_value("mail");
            $mail_lists = $mail_lists."\n".$user_mail;
                }
        }
        $ldap->unbind;
        return $mail_lists;
}

#print get_mail_lists('mf@emorion.com.ua'),"\n";
Заранее благодарю если тыкнете носом. В целом сложилось впечатление что проблема в совместной работе перлоскрипта и запросов в лдап. Так как особой полезностия от него не вижу готов его даже выпилить....
Так же всегда доступен в гуглтолке и аське maodzedun_at_gmail.com icq:125551140 могу и в скайп зайти... Хоть пост и похож на вопрос идиота, все же надеюсь что найдется человек который потратит немного своего времени и укажет камраду на ошибки !
Влодение рускай арфаграфией - это как владение кунг-фу: настаящие мастира не преминяют ево бес ниабхадимости

Хостинговая компания Host-Food.ru
Хостинг HostFood.ru
 

Услуги хостинговой компании Host-Food.ru

Хостинг HostFood.ru

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

Аватара пользователя
Alex Keda
стреляли...
Сообщения: 35332
Зарегистрирован: 2004-10-18 14:25:19
Откуда: Made in USSR
Контактная информация:

Exim +AD (Запросы и фильтры)

Непрочитанное сообщение Alex Keda » 2015-02-11 18:31:12

В дебаге запустите и посмотрите запросы/ответы
Убей их всех! Бог потом рассортирует...