
Server accepting invalid email

Posted: Sat Mar 10, 2007 12:15 am
by Ed Dulaney
I've searched the forums and haven't found anything relating to the problem I'm having. I'm sure that others have run into the same thing.

My Scalix configuration is accepting email for invalid users in my domain. For instance, if someone sends an email to 'gooduser@mydomain.com' then it's accepted - as it should be! But if they send an email to 'baduser@mydomain.com' it's still accepted, even though that user is not valid on my domain.

I looked at /var/log/maillog and it shows that mail to invalid users is "deferred". However, the sending agent (in this case, my Barracuda firewall) still thinks it's a valid user!

Is there any way to keep Scalix from accepting mail to invalid local accounts? Then the sending agent would receive an "invalid user" notice.

Ed

Posted: Sat Mar 10, 2007 5:35 am
by btisdall
Hi Ed,

do you have an entry for 'mydomain.com' in /etc/mail/local-host-names?

Posted: Sat Mar 10, 2007 11:12 am
by Ed Dulaney
Yes. Actually I have both 'mydomain.com' and 'pop.mydomain.com' since both of these domains map to this server.

Ed

Posted: Sat Mar 10, 2007 11:52 am
by btisdall
I'm not sure your issue is with Scalix itself - what happens when you telnet to port 25 on your Scalix server & try to deliver a message to a non-existent user?
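The telnet check suggested above, scripted as an added example (not part of the original post or of Scalix): it stops after RCPT TO, so no message is sent. The `FakeMTA` class, the probe sender address and the `.invalid` host names are constructed stand-ins so the block runs offline; point `rcpt_verdict` at your own server to test it.

```python
import smtplib
import socketserver
import threading


def rcpt_verdict(host, port, recipient, sender="probe@example.invalid"):
    """Ask the MTA about one recipient and stop before DATA (no mail is sent)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.helo("probe.example.invalid")
        smtp.mail(sender)
        code, _ = smtp.rcpt(recipient)
        smtp.rset()
    if 200 <= code < 300:
        return "accepted"   # a gateway in front will treat the address as valid
    return "deferred" if 400 <= code < 500 else "rejected"


class FakeMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for the mail server so the example runs offline."""
    VALID = {"gooduser@mydomain.com"}

    def handle(self):
        self.wfile.write(b"220 fake.example.invalid SMTP\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line[:4].upper()
            if verb == "QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            reply = "250 ok"
            if verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                if addr not in self.VALID:
                    reply = "550 5.1.1 User unknown"
            self.wfile.write((reply + "\r\n").encode("ascii"))


def demo():
    """Probe one valid and one invalid address against the fake server."""
    with socketserver.TCPServer(("127.0.0.1", 0), FakeMTA) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            return {a: rcpt_verdict(host, port, a)
                    for a in ("gooduser@mydomain.com", "baduser@mydomain.com")}
        finally:
            srv.shutdown()


if __name__ == "__main__":
    print(demo())
```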

Posted: Sat Mar 10, 2007 12:10 pm
by Ed Dulaney
That comes back as an invalid recipient. So I just checked my Barracuda configuration, and for some reason it wasn't processing the users as invalid. A reboot of the Barracuda seems to have fixed the problem!

Thanks for the help!

Ed

Posted: Sat Mar 10, 2007 4:43 pm
by swordfish
I have quite a bit of experience with the Barracuda. Please make sure that you are running the latest Barracuda firmware. If it still delivers mail for invalid users, ask Barracuda support to connect remotely and take a look. I had a similar problem with one Barracuda some time ago; I spoke to support, they connected remotely and restarted some of the services, and it is fine after that. However, if the message on the Barracuda scores high enough to be quarantined but not blocked, the Barracuda will create an account for that user in itself and keep the message. The best is to integrate the existing LDAP address lookup feature on the Barracuda with your existing Scalix LDAP database.

Posted: Sat Mar 10, 2007 6:46 pm
by Ed Dulaney
How do you integrate Scalix's LDAP with Barracuda? I've tried it a dozen different ways and every time I get "invalid Credential" errors. I've tried using a DN of cn=sxadmin,o=Scalix with the password that I set up for interfacing with multiple Scalix servers. I've also tried using the Scalix administrator accounts, and even general user accounts. Nothing works.

From what I've read on other threads the Scalix LDAP isn't really an LDAP server. That's why it's nearly impossible to get it to work with Barracuda. I'd install OpenLDAP, but that's a lot of work! :shock:

Ed

Posted: Sat Mar 10, 2007 9:20 pm
by swordfish
You don't need OpenLDAP. Here is the config on the Barracuda:

LDAP Server: yourscalixserver.domain.com
LDAP Port: 389
Exchange Accelerator/LDAP Verification: Yes
Unify Email Aliases: No
SSL/TLS Mode: Off
Require SSL/TLS: No
Bind DN: CN=sxqueryadmin #note that my Scalix user authentication is configured only for username/password and not for username@domain.com/password; if yours includes the domain, change the CN if needed. You can use CN=sxadmin as well, but be careful because the password is sent in clear text and it is a possible security issue.
Bind Password: ************
LDAP Filter: mail=${recipient_email}
LDAP Search Base: ${defaultNamingContext}
LDAP UID: omcn
LDAP Primary Email Attribute: mail
Canary Email:
Valid Email (for testing): validemail@domain.com

Posted: Sat Mar 10, 2007 9:23 pm
by swordfish
Last thing - if there is a firewall between the Barracuda and the Scalix server make sure port 389 is open from the Barracuda to Scalix.

Posted: Mon Mar 12, 2007 1:55 pm
by kanderson
This is very good to know. I had never tried setting it up. Good to know it'll work when we do try.

Kev.

Posted: Mon Mar 12, 2007 9:16 pm
by swordfish
Well it works for me. Are you also using Barracuda? I'm pretty sure the same settings can be used for any other device to query valid e-mail addresses on the Scalix server.

Posted: Tue Mar 13, 2007 6:49 pm
by chris
Ed Dulaney wrote: From what I've read on other threads the Scalix LDAP isn't really an LDAP server.

Scalix's omslapd is a fork of the original UofMich LDAP code. It's a real LDAP server, but it's talking to an x.400 directory in the background, and translating back and forth.

I'm aware this isn't related to the actual issue, but thought I'd clear that up.

Chris