--- /dev/null
+### router/900_exim4-config_local_user
+#################################
+
+# These routers deal with mail meant for virtual_domains and real_domains.
+# The targets for addresses in these domains and hosts are taken from
+# the LDAP server.
+#
+# The first two routers check the LDAP directory to find an object to
+# which the mail should be delivered. The first one works on
+# virtual_domains, and finds an object based on the mail or
+# alternateMailAddress attributes. For example, info@stdin.nl might be
+# resolved by that one. The second one works on real_domains and finds an
+# object based its uid (i.e., username). For example,
+# matthijs@login.drsnuggles.stderr.nl might be resolved by the second
+# router.
+#
+# The next set of routers works when a person is retrieved. They handle
+# forwarding the mail to another mail server when the mailHost attribute
+# is set but it is not us, forwarding the email to any
+# mailForwardingAddresses in the object or delivering the mail locally
+# when the mailHost is set. Note that both either or both of the last
+# two routers can apply. If none of these three apply, routing continues
+# to the last set. Local delivery works by redirecting to username@localhost
+# and redirecting to the local_delivery router. This allows for a number of
+# different routers (put after the local_delivery router) to handle the
+# local_delivery. This is also the only way to get to any routers after the
+# ones in this file!
+#
+# The last two routers work when a group is retrieved. They handle
+# forwarding the mail to any members, both rfc822members (ie, addresses)
+# and uniqueMembers (ie, other LDAP objects).
+#
+# Note that this distinction between persons and groups is not made by
+# looking at the object classes, but at the attributes. Any object that
+# has a mailHost and/or mailForwardingAddresses is treated as a person,
+# meaning that only these two attributes are processed. Any object that
+# has neither of these attributes is assumed to be a group and has its
+# rfc822members and uniqueMembers processed. Any object that has none of
+# these properties, will cause a delivery failure.
+#
+# Note also that only the first two routers have the domains
+# precondition set, to differentiate between virtual_domains and
+# real_domains. Assuming that the routers in this file will only be called for
+# virtual_domains and real_domains, exactly one of these two routers will be
+# called. If the lookup fails, the more option ensures that the rest of the
+# routers are not called.
+#
+# The routers in this file assume that the url to LDAP server is defined
+# as LDAPSERVER and the base dn is defined as LDAPBASE. No assumptions
+# are made about the structure of the LDAP directory, so any object that
+# has the mail or mailForwardingAddress attributes is considered a
+# valid target for email, anywhere in the directory. These routers do
+# assume that a single email address is listed only once. If not, mails
+# to the address will be deferred.
+
+LDAPURL=LDAPSERVER/LDAPBASE
+
+# This router looks up an object in the ldap directory using its mail and
+# alternateMailAddress attributes, for any domains in virtual_domains.
+# This handles email addresses in "virtual" domains, since the object
+# found does not need to actually have a username (it can even be a
+# group).
+ADDR=${quote_ldap:${local_part}@${domain}}
+ldap_lookup_virtual:
+ debug_print = "R: ldap_lookup_virtual for $local_part@$domain: Finding person or group with (alternate) email address $local_part@$domain"
+ driver = redirect
+ domains = +virtual_domains
+ address_data = ${lookup ldap {LDAPURL?uid,mailHost,mailForwardingAddress,rfc822member,uniqueMember?sub?(|(mail=ADDR)(mailAlternateAddress=ADDR))}{$value}fail}
+ # Noop, this router just needs to pass its preconditions, evaluate
+ # address_data and then pass control to ldap_person_other_mailhost below
+ data = ${local_part}@${domain}
+ redirect_router=ldap_person_other_mailhost
+ # If no objects are found and the address_data expansion is forced to fail,
+ # stop processing. Note that this setting does not apply when the domains
+ # precondition fails.
+ more = false
+ cannot_route_message = "Unknown address"
+
+# This router looks up an object in the ldap directory using its uid
+# (username) attribute, for any hosts in real_domains. This handles email
+# addresses of actual users in this domain, i.e., objects that have uid
+# property.
+LOCALPART=${quote_ldap:${local_part}}
+ldap_lookup_real:
+ debug_print = "R: ldap_lookup_real for $local_part@$domain: Finding user with uid $local_part"
+ driver = redirect
+ domains = +real_domains
+ address_data = ${lookup ldap {LDAPURL?uid,mailHost,mailForwardingAddress?sub?(uid=LOCALPART)}{$value}fail}
+ # Noop, this router just needs to pass its preconditions, evaluate
+ # address_data and then pass control to ldap_person_other_mailhost below
+ data = ${local_part}@${domain}
+ redirect_router=ldap_person_other_mailhost
+ # If no objects are found and the address_data expansion is forced to fail,
+ # stop processing. Note that this setting does not apply when the domains
+ # precondition fails.
+ more = false
+ cannot_route_message = "Unknown user"
+
+# If the person has a mailhost configured, and it's not us, forward to
+# that mailhost. If this router accepts, no others will be tried. This
+# means we're also not processing any mailForwardingAddresses, assuming
+# that the host forwarded to will do this.
+#
+# This entry is mostly future-compatible, since at the time of writing
+# there are no other mailservers using the same LDAP directory. But it
+# looks cool!
+ldap_person_other_mailhost:
+ debug_print = "R: ldap_person_other_mailhost for $local_part@$domain: Forwarding to a mailHost if it is not us"
+ driver = manualroute
+ condition = ${if and { \
+ # If mailhost is not empty
+ {!eqi{${extract{mailHost}{$address_data}}}{}} \
+ # And mailhost is not this host
+ {!eqi{${extract{mailHost}{$address_data}}}{$primary_hostname}} \
+ }}
+ # Then, forward to the other mailHost
+ route_data = ${extract{mailHost}{$address_data}}
+ transport = remote_smtp
+
+# Forward the mail to any mailForwardingAddresses configured
+DELIVER_HERE=${if eqi{${extract{mailHost}{$address_data}}}{$primary_hostname}{true}{false}}
+ldap_person_forward:
+ debug_print = "R: ldap_person_forward for $local_part@$domain: Forwarding to any mailForwardingAddresses"
+ driver = redirect
+ data = ${extract{mailForwardingAddress}{$address_data}}
+ # Pass the message to the ldap_person_local router as well, so we can support both
+ # local delivery and forwarding. However, only set unseen to yes if we know
+ # the ldap_person_local will accept it. Just putting unseen = yes here doesn't
+ # work because if there is no local delivery, an error message is generated
+ # even when the email was forwarded succesfully.
+ unseen = DELIVER_HERE
+
+# Deliver the mail locally if the mailHost points to us.
+ldap_person_local:
+ debug_print = "R: ldap_person_local for $local_part@$domain: Doing local delivery if the mailHost is us"
+ driver = redirect
+ # Lookup if there is a user that has the target email address in either his
+ # mail attribute, or one of his mailAlternateAddresses and also has his
+ # mailstore on this host as its mailhost.
+ condition = DELIVER_HERE
+ # Forward the email to username@localhost. There is a separate set of routers
+ # that explicitly handles the localhost "domain", and has support for things
+ # like .forward files, procmail, etc.
+ data = ${extract{uid}{$address_data}}@localhost
+ redirect_router = local_delivery
+
+# If any of the two above routers accepted the message, processing will
+# stop here!
+
+# Forward the mail to any full members (uniqueMember) configured
+ldap_group_member:
+ debug_print = "R: ldap_group_member for $local_part@$domain: Forwarding to any uniqueMembers"
+ driver = redirect
+ # Lookup the mail address (if any) of each member. This gracefully ignores
+ # any members without an email address.
+ data = ${map \
+ # Since multipe attributes are separated by ", ", we replace ", " by "\n"
+ # and use that as a list separator (fortunately it's not just ",", as the
+ # documentation suggests, since then we would have had one big dn...)
+ {<\n ${sg \
+ {${extract{uniqueMember}{$address_data}}} \
+ {, } \
+ {\n} \
+ }} \
+ {${lookup ldap {LDAPSERVER/$item?mail?base?}}} \
+ }
+ # Pass the message to the ldap_group_address router as well, so we can support both
+ # addresses (rfc822member) and dns (uniqueMember) in a group.
+ # However, only set unseen to yes if we know the ldap_group_address will
+ # accept it. Just putting unseen = yes here doesn't work because if there is
+ # no local delivery, an error message is generated even when the email was
+ # already forwarded succesfully.
+ unseen = ${if !eqi{${extract{rfc822member}{$address_data}}}{}{true}{false}}
+
+# Forward the mail to any mail-only members (rfc822member) configured
+ldap_group_address:
+ debug_print = "R: ldap_group_address for $local_part@$domain: Forwarding to any rfc822members"
+ driver = redirect
+ data = ${extract{rfc822member}{$address_data}}
+ cannot_route_message = "Recipient is not set up for mail reception"
+ # If this router did not match, stop processing.
+ more = false
+
+# vim: set sts=2 expandtab sw=2 ai:
projects / matthijs / servers / drsnuggles.git / blobdiff