Notes from Patrick Morris:

It can be a bit tricky to set up, since the documentation (here's a starting point: http://www.sendmail.org/m4/ldap_routing.html ) is a bit scattered. Basically, it allows you to look up accounts, aliases, etc., from LDAP. As an example, here's a line from my sendmail.mc file for one of my SMTP relays:

    FEATURE(`ldap_routing',`ldap -T -v mailHost -k (&(objectClass=mailRecipient)(mail=%0))',`ldap -T -v mailRoutingAddress -k (&(objectClass=mailRecipient)(mail=%0))',`reject',`preserve')

Here's what it means:

    FEATURE(`ldap_routing', , , , )

In my case, it gets the mail host to deliver to by looking for a "mailRecipient" object in LDAP where the "mail" attribute matches the e-mail address on the incoming message. The name of this recipient's next-hop relay (in my case, my POP/IMAP servers) is in the "mailHost" LDAP attribute, if found.

It can also get an address to route the mail to by looking up a "mailRoutingAddress" attribute in the LDAP record. There's a good table at the link above saying what happens if it finds a mail host but no routing address, vice versa, both or neither.

The third parameter says what to do on a lookup failure. In my case, I use "reject" to indicate I reject them as an unknown user, but really anything other than "passthru" will cause failed lookups to be rejected with a "User Unknown" error.

The fourth parameter tells it how to deal with "plussed" addresses.

Your LDAP query would, I'm sure, be different to match how your LDAP is set up, but that's pretty much how it's done. The hard part is getting the syntax of the LDAP query correct, but once that's done it works like a champ.

Notes from Jim McCullars:

> Has anyone had any luck integrating LDAP lookups into MD with the goal
> of verifying whether inbound addresses are valid?

I haven't integrated LDAP in MD, but I have written several scripts in perl that talk to our directory server. The first thing you have to decide is which perl module you want to use.

On our Tru64 machine, I use Net::LDAP, which is the most portable, but it is slow (because it has to do everything in perl). On my Solaris machine, I use Mozilla::LDAP::Conn, but I think I had to find the right SDK (software development kit) on the Mozilla site for Solaris. It is faster because the "guts" are written in C.

If you go with Net::LDAP, then you might do something like this. Outside of any subroutine, establish the connection:

    use Net::LDAP;

    $ldap = Net::LDAP->new("server-name");
    unless ($ldap) {
        # Do whatever you want to do if the connection can't be made.
        # In my scripts, I usually "die", but David says don't do that in a MD slave.
    }

    # If you can connect, then bind (authenticate)
    if ($ldap) {
        $mesg = $ldap->bind("some-dn-that-can-do-searches", password => "pw");
        if ($mesg->code) {
            # take some appropriate action regarding authentication failure
        }
    }

At this point, there should be a connection for the life of the slave. Now in filter_recipient, you might do something like this:

    sub filter_recipient {
        my ($recipient, $sender, $ip, $hostname, $first, $helo,
            $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

        unless ($ldap) {
            return ('TEMPFAIL', "Directory service not available, please try later");
        }

        $recipient =~ tr/<>//d;    # strip angle brackets

        my $mesg = $ldap->search(
            base   => "your-base-DN",
            filter => "(mail=$recipient)"
        );
        if ($mesg->code) {
            # Some other error occurred. I would probably tempfail the
            # email and syslog something
        }

        my $count = $mesg->count;    # number of LDAP entries that matched
        if ($count == 0) {
            # invalid recipient
            return ('REJECT', "Invalid recipient");
        }
        return ('CONTINUE', "ok");
    }

The search example shown above assumes that the "mail" attribute is populated with a value that will match the incoming email address ($recipient). Also, please note that this is "Untested Code While Replying To Email" so you may have to tweak it some. But it should give you an idea of what is involved in using LDAP connects from perl.

HTH... Jim
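An added example, not from either post above: the same Net::LDAP recipient check for filter_recipient, but with the address passed through Net::LDAP::Util's escape_filter_value before it is interpolated into the search filter (characters such as "*", "(" or ")" in an unescaped address change the query's meaning), and with directory errors tempfailed and the connection re-established on the next call. The host, base DN and bind credentials are placeholders to replace with your own.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholders: replace with your own directory server, base DN and search account.
my $LDAP_HOST = 'ldap.example.com';
my $LDAP_BASE = 'dc=example,dc=com';
my $LDAP_BIND = 'cn=mailcheck,dc=example,dc=com';
my $LDAP_PW   = 'search-account-password';

my $ldap;   # one connection kept for the life of the slave

# Connect and bind; returns the handle, or undef if the directory is unreachable.
sub ldap_connect {
    my $conn = Net::LDAP->new($LDAP_HOST, timeout => 5) or return undef;
    my $mesg = $conn->bind($LDAP_BIND, password => $LDAP_PW);
    return undef if $mesg->code;
    return $conn;
}

# Look the address up by its "mail" attribute.
# Returns the number of matching entries, or undef on a directory error.
sub recipient_count {
    my ($addr) = @_;
    $ldap ||= ldap_connect() or return undef;
    # Escape so "*", "(", ")" or "\" in the address cannot alter the filter.
    my $filter = '(mail=' . escape_filter_value($addr) . ')';
    my $mesg = $ldap->search(base => $LDAP_BASE, scope => 'sub',
                             filter => $filter, attrs => ['mail']);
    if ($mesg->code) {
        undef $ldap;     # drop the handle so the next call reconnects
        return undef;
    }
    return $mesg->count;
}

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;
    $recipient =~ tr/<>//d;                      # strip angle brackets
    my $count = recipient_count($recipient);
    unless (defined $count) {
        return ('TEMPFAIL', 'Directory service not available, please try later');
    }
    return ('REJECT', 'Invalid recipient') if $count == 0;
    return ('CONTINUE', 'ok');
}
```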