
ml+exim at wzff
Apr 9, 2012, 7:54 AM
Hello,

On Mon, Apr 09, 2012 at 07:25:19 -0700, Phil Pennock wrote:
> On 2012-04-04 at 18:53 +0200, Moritz Wilhelmy wrote:
> > On my setup, LDAP lookups happen through NSS. If the LDAP server goes
> > down, the lookup fails, and the mail gets permanently rejected. I'd like
> > to either reject it only temporarily or accept all messages if the LDAP
> > server is down/can't be reached and freeze them.
> >
> > I tried a simple lookup like this
> > ${if eq{\
> > ${lookup ldap{ldaps:///ou=People,dc=bla?uid?sub?(uid=${quote_ldap:$local_part)}}}}\
> > {$local_part}\
> > {true}{false}}
>
> You don't say where this query is.

I tried expanding it in exim -be. The result was an error, and I wasn't
so sure how exim handles these.

> The LDAP lookups always return temporary errors.
>
> In a Router or Transport, you'll get a deferral, 4xx.

I guess it fails in the localuser router.

> In an ACL, the condition is likely to fail. Careful construction of
> your ACL rules, with "set acl_m_foo" will let you set a variable and
> check for deferral, which will let you return a 4xx error from the ACL.

Thanks for pointing this out, I wouldn't have thought of that.

> You can also set more than one server in ldap_default_servers which
> helps with failover.

We have two LDAP servers, both of which are in the configuration, but in
case the network is down during a delivery attempt, this doesn't help
too much. We use NSS because some users insist on using procmail. NSS
makes dealing and identifying with user processes easier.

> I'm guessing your expansion problem is in an ACL. If you need help
> restructuring the ACL, post the relevant ACL here and people will help.

Which ACL should I use? The configuration file differs from the official
configuration example only marginally.. Currently, there are only two
ACLs, like in the default configuration: acl_check_data (which sounds
like the wrong one to use) and acl_check_rcpt.

My naïve attempt at this would be putting the expansion as a condition
into the localuser router:

    localuser:
      driver = accept
      check_local_user
      local_part_suffix = +* : -*
      local_part_suffix_optional
      transport = local_delivery
      cannot_route_message = Unknown user
      condition = ${if >={${lookup ldap{ldaps:///ou=People,dc=bla?uidNumber?sub?(uid=${quote_ldap:$local_user})}}}{1000}{yes}{no}}

Currently, the condition looks like this:

      condition = ${if >={$local_user_uid}{1000}{yes}{no}}

This should generate a temporary error if the ldap lookup fails, if I'm
not mistaken?

Best regards,

Moritz