Qmail-verify

From Qmail-LDAP Wiki

Overview

qmail-verify performs SMTP-time recipient and sender checks against the LDAP directory.

Description

qmail-verify is invoked by qmail-smtpd to verify the validity of the sender address and the recipient addresses of e-mail messages during the SMTP conversation. If the check fails, qmail-smtpd rejects the message with a permanent error code.

The sender and recipient checks are triggered if qmail-smtpd detects the SENDERCHECK and RCPTCHECK environment variables, respectively.

To make the check, qmail-verify performs an LDAP search on the directory to find an entry whose LDAP_UID or LDAP_MAILALTERNATE field matches the RCPT or SENDER address of the mail message.

Recipient Check

This qmail-smtpd feature looks up every RCPT TO address in LDAP with qmail-verify to check that the recipient exists. If it does not exist, qmail-smtpd answers directly with a 550 reply instead of accepting the email and bouncing it later. Only addresses whose domain part is listed in locals are checked, because only for those domains is the definite answer known. Recipients are not checked for domains listed in rcpthosts.

Addresses listed in the new goodmailaddr are accepted in any case. This is very useful for important or special addresses (like postmaster or mail admin) which must work under any circumstances, or for local addresses which are not in LDAP.

Sender Check

This qmail-smtpd feature looks up every MAIL FROM address in LDAP with qmail-verify to check that the sender exists. If it does not exist, qmail-smtpd rejects with a 550 reply. In normal mode, only (envelope) senders whose domain part is listed in locals are checked. Otherwise no one from outside could send mail to local users anymore.

SENDERCHECK can be set to "LOOSE" or "STRICT". In LOOSE mode it allows only verified senders plus any sender whose domain is listed in rcpthosts. In STRICT mode it allows only LDAP-verified senders. With this you can, for example, enforce that users within your network must use a valid sender which exists in LDAP and no other.

Addresses listed in the new goodmailaddr are accepted in any case. This is very useful for important or special addresses (like postmaster or mail admin) which must work under any circumstances, or for local addresses which are not in LDAP.
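
The recipient and sender rules above can be written out as a small decision model. This is an added example, not qmail-ldap code: the LDAP lookup is replaced by a set, all addresses and domains are constructed, and the names rcpt_check, sender_check and the "NORMAL" label are hypothetical. It assumes that a sender in a locals domain is looked up in every mode.

```python
# Added example: a model of the checks described on this page, not qmail-ldap code.
# All addresses and domains below are constructed sample data.
LOCALS = {"example.org"}                    # domains listed in locals
RCPTHOSTS = {"partner.example.net"}         # domains listed in rcpthosts
GOODMAILADDR = {"postmaster@example.org"}   # always accepted
DIRECTORY = {"alice@example.org"}           # stand-in for the qmail-verify LDAP lookup

ACCEPT, REJECT = "accept", "550"


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def verified(addr):
    """Stand-in for qmail-verify finding a matching directory entry."""
    return addr.lower() in DIRECTORY


def rcpt_check(rcpt, rcptcheck_set=True):
    """Decision for one RCPT TO address."""
    if not rcptcheck_set or rcpt.lower() in GOODMAILADDR:
        return ACCEPT
    if domain_of(rcpt) not in LOCALS:
        return ACCEPT          # no definite answer for non-local domains
    return ACCEPT if verified(rcpt) else REJECT


def sender_check(sender, mode):
    """Decision for one MAIL FROM address.

    mode is None when SENDERCHECK is unset, "LOOSE" or "STRICT" for those
    values, and "NORMAL" (a label used only here) for any other setting.
    """
    if mode is None or sender.lower() in GOODMAILADDR:
        return ACCEPT
    dom = domain_of(sender)
    if dom in LOCALS:          # assumption: local senders are looked up in every mode
        return ACCEPT if verified(sender) else REJECT
    if mode == "STRICT":
        return REJECT          # only LDAP-verified senders pass
    if mode == "LOOSE":
        return ACCEPT if dom in RCPTHOSTS else REJECT
    return ACCEPT              # normal mode: outside senders are not checked
```

In this model a forged local sender such as mallory@example.org is rejected in every mode, while an outside sender is rejected only under LOOSE (unless its domain is in rcpthosts) or STRICT.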

Control Files

ldapbasedn, ldaplogin, ldapobjectclass, ldappassword, ldapserver, ldaptimeout

Environment Variables

none
