#1
I have sendmail set up to use my LDAP tree for the accessdb. This is working fine when I add single IPs, but when I try to add networks, sendmail doesn't seem to recognize them.

Here is one of my LDAP entries:

    # Connect:64.233.160.0/19, MailAliases, wccnet.edu
    dn: sendmailMTAKey=Connect:
     64.233.160.0/19,ou=MailAliases,dc=wccnet,dc=edu
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: access
    sendmailMTAKey: Connect:64.233.160.0/19
    sendmailMTAMapValue: RELAY
    sendmailMTACluster: wccnet.edu
    description: Google Mail Server

example bounce:

    Aug 18 08:42:44 oak sendmail[3042]: [ID 801593 mail.notice] m7ICgaI0003042: ruleset=check_rcpt, arg1=<xxxx@xxxxxx.com>, relay=wr-out-0506.google.com [64.233.184.231], reject=550 5.7.1 <xxxx@xxxxxx.com>... Relaying denied

I have other objects, like this one:

    # 71.227.90.162, MailAliases, wccnet.edu
    dn: sendmailMTAKey=71.227.90.162,ou=MailAliases,dc=wccnet,dc=edu
    objectClass: sendmailMTA
    objectClass: sendmailMTAMap
    objectClass: sendmailMTAMapObject
    sendmailMTAMapName: access
    sendmailMTAKey: 71.227.90.162
    sendmailMTAMapValue: RELAY
    sendmailMTACluster: wccnet.edu

that work just fine, but they don't describe networks.

I know this worked just fine when I had an access db that was in a hash as opposed to sendmail.

does anyone know the trick to this?

#2
Rex Roof wrote:
> I have sendmail set up to use my LDAP tree for the accessdb. This is
> working fine when I add single IPs, but when I try to add networks,
> sendmail doesn't seem to recognize them.
>
> Here is one of my LDAP entries:
>
> # Connect:64.233.160.0/19, MailAliases, wccnet.edu
> dn: sendmailMTAKey=Connect:
> 64.233.160.0/19,ou=MailAliases,dc=wccnet,dc=edu
> objectClass: sendmailMTA
> objectClass: sendmailMTAMap
> objectClass: sendmailMTAMapObject
> sendmailMTAMapName: access
> sendmailMTAKey: Connect:64.233.160.0/19
> sendmailMTAMapValue: RELAY
> sendmailMTACluster: wccnet.edu
> description: Google Mail Server

That cannot work. accessdb lookups are simple string matches.
Therefore they cannot support CIDR notation. What does work is
prefixes like 64.233.160, i.e. /8, /16 and /24 ranges.

> I know this worked just fine when I had an access db that was in a
> hash as opposed to sendmail.

I doubt it. You probably had just /24 and/or /16 networks then.

> does anyone know the trick to this?

There are tools out there which convert a CIDR network into a
list of prefixes, i.e. from 64.233.160.0/19 you get a list

64.233.160
64.233.161
....
64.233.192

which you can then enter into your LDAP database. Not pretty,
but it's the only thing that works.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

#3
Tilman Schmidt wrote:
> Rex Roof wrote:
>> I have sendmail set up to use my LDAP tree for the accessdb. This is
>> working fine when I add single IPs, but when I try to add networks,
>> sendmail doesn't seem to recognize them.
>>
>> Here is one of my LDAP entries:
>>
>> # Connect:64.233.160.0/19, MailAliases, wccnet.edu
>> dn: sendmailMTAKey=Connect:
>> 64.233.160.0/19,ou=MailAliases,dc=wccnet,dc=edu
>> objectClass: sendmailMTA
>> objectClass: sendmailMTAMap
>> objectClass: sendmailMTAMapObject
>> sendmailMTAMapName: access
>> sendmailMTAKey: Connect:64.233.160.0/19
>> sendmailMTAMapValue: RELAY
>> sendmailMTACluster: wccnet.edu
>> description: Google Mail Server
>
> That cannot work. accessdb lookups are simple string matches.
> Therefore they cannot support CIDR notation. What does work is
> prefixes like 64.233.160, i.e. /8, /16 and /24 ranges.
>
>> I know this worked just fine when I had an access db that was in a
>> hash as opposed to sendmail.
>
> I doubt it. You probably had just /24 and/or /16 networks then.
>
>> does anyone know the trick to this?
>
> There are tools out there which convert a CIDR network into a
> list of prefixes, i.e. from 64.233.160.0/19 you get a list

The sendmail source contains such a script "cidrexpand" in the
contrib directory. I suppose the OP used that script to make
his hash table work while using CIDR notations in the text
representation of the table.

From the script:

    # usage:
    #  cidrexpand < /etc/mail/access | makemap -r hash /etc/mail/access
    #

That script won't work to expand the CIDR notations in the
LDAP entry above.

>
> 64.233.160
> 64.233.161
> ...
> 64.233.192

<nitpicking>
You better stop at: 64.233.191
</nitpicking>

>
> which you can then enter into your LDAP database. Not pretty,
> but it's the only thing that works.
>

#4
Ooh, excellent. thanks so much for enlightening me. I'm writing something in perl to auto-update these LDAP entries based on google's spf records, so I'll just use the Net::CIDR perl module.

-Rex

On Aug 18, 12:33 pm, Kees Theunissen <theun...@rijnh.nl> wrote:
> Tilman Schmidt wrote:
> > Rex Roof wrote:
> >> I have sendmail set up to use my LDAP tree for the accessdb. This is
> >> working fine when I add single IPs, but when I try to add networks,
> >> sendmail doesn't seem to recognize them.
> >
> >> Here is one of my LDAP entries:
> >
> >> # Connect:64.233.160.0/19, MailAliases, wccnet.edu
> >> dn: sendmailMTAKey=Connect:
> >> 64.233.160.0/19,ou=MailAliases,dc=wccnet,dc=edu
> >> objectClass: sendmailMTA
> >> objectClass: sendmailMTAMap
> >> objectClass: sendmailMTAMapObject
> >> sendmailMTAMapName: access
> >> sendmailMTAKey: Connect:64.233.160.0/19
> >> sendmailMTAMapValue: RELAY
> >> sendmailMTACluster: wccnet.edu
> >> description: Google Mail Server
>
> > That cannot work. accessdb lookups are simple string matches.
> > Therefore they cannot support CIDR notation. What does work is
> > prefixes like 64.233.160, i.e. /8, /16 and /24 ranges.
>
> >> I know this worked just fine when I had an access db that was in a
> >> hash as opposed to sendmail.
>
> > I doubt it. You probably had just /24 and/or /16 networks then.
>
> >> does anyone know the trick to this?
>
> > There are tools out there which convert a CIDR network into a
> > list of prefixes, i.e. from 64.233.160.0/19 you get a list
>
> The sendmail source contains such a script "cidrexpand" in the
> contrib directory. I suppose the OP used that script to make
> his hash table work while using CIDR notations in the text
> representation of the table.
>
> From the script:
> # usage:
> #  cidrexpand < /etc/mail/access | makemap -r hash /etc/mail/access
> #
>
> That script won't work to expand the CIDR notations in the
> LDAP entry above.
>
> > 64.233.160
> > 64.233.161
> > ...
> > 64.233.192
>
> <nitpicking> You better stop at: 64.233.191 </nitpicking>
>
> > which you can then enter into your LDAP database. Not pretty,
> > but it's the only thing that works.

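The expansion discussed in the replies, as an added example that is not part of the original thread: it turns a CIDR block into the octet-boundary prefixes a string-matching access map can match and renders one LDIF object per prefix. Python's `ipaddress` module stands in for the `cidrexpand` and Net::CIDR tools named above; the attribute values are copied from the entry in the first post, and the function names are illustrative.

```python
import ipaddress

# Values copied from the LDAP entry in the first post of the thread.
BASE_DN = "ou=MailAliases,dc=wccnet,dc=edu"
CLUSTER = "wccnet.edu"


def cidr_to_prefixes(cidr):
    """Expand an IPv4 CIDR block into the dotted-octet prefixes that a
    string-matching access map can hit: /8, /16, /24 or a full address."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects stray host bits
    if net.version != 4:
        raise ValueError("this example handles IPv4 only")
    # Round the prefix length up to the next octet boundary (8, 16, 24, 32).
    boundary = max(8, -(-net.prefixlen // 8) * 8)
    octets = boundary // 8
    return [
        ".".join(str(sub.network_address).split(".")[:octets])
        for sub in net.subnets(new_prefix=boundary)
    ]


def ldif_entry(prefix, value="RELAY", description=None):
    """Render one access-map object in the shape used in the thread."""
    key = "Connect:" + prefix
    lines = [
        f"dn: sendmailMTAKey={key},{BASE_DN}",
        "objectClass: sendmailMTA",
        "objectClass: sendmailMTAMap",
        "objectClass: sendmailMTAMapObject",
        "sendmailMTAMapName: access",
        f"sendmailMTAKey: {key}",
        f"sendmailMTAMapValue: {value}",
        f"sendmailMTACluster: {CLUSTER}",
    ]
    if description:
        lines.append(f"description: {description}")
    return "\n".join(lines)


def cidr_to_ldif(cidr, value="RELAY", description=None):
    """One LDIF entry per expanded prefix, separated by blank lines."""
    return "\n\n".join(
        ldif_entry(p, value, description) for p in cidr_to_prefixes(cidr)
    )


if __name__ == "__main__":
    print(cidr_to_ldif("64.233.160.0/19", description="Google Mail Server"))
```

Because the prefix length is rounded up to the next octet boundary and never down, the generated keys cover exactly the CIDR block and nothing outside it, which matters when the map value is RELAY.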