alias maps, virtual domains, and LDAP

  • Greg Woods
    Message 1 of 8 , Jun 30, 2006
      I'm having a small problem with a virtual domain. We have
      mydomain=ucar.edu, but we serve a virtual domain called nlr.net. It had
      to be a virtual domain because when we took nlr.net over, there were
      existing aliases that conflicted with some from ucar.edu (i.e.
      news@... reaches our USENET admin, but news@... is a Mailman
      list). Everything works fine on the central server, but we also have a
      Mailman server that wants to serve lists in both virtual domains. This
      works OK as far as the Mailman server is concerned. Users can send mail
      to the Mailman aliases and that all works. Addresses within ucar.edu
      work. What doesn't work is non-Mailman aliases within nlr.net, when mail
      is originated on the Mailman server. We discovered this when one of the
      nlr.net list admins tried to use "editor@..." as the list admin
      address, and stopped receiving subscribe notifications. Attached is the
      entire postconf -n output, but here are some of the more relevant config
      file lines:

      virtual_alias_maps = hash:/etc/mailman/virtual-mailman
      alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap_alias.cf

      This doesn't quite work. The only nlr.net aliases that get correctly
      delivered are those that are in the virtual-mailman map. Aliases within
      the virtual domain that are in the LDAP server don't get recognized, but
      they are there:

      # postmap -q editor@... ldap:/etc/postfix/ldap_alias.cf
      sac@...

      But "sendmail.postfix -bv editor@..." gets this response:

      <editor@...>: delivery via none: User unknown in virtual alias table


      OK, so let's try putting the ldap:/etc/postfix/ldap_alias.cf into
      virtual_alias_maps too. As soon as I do that, the aliases that overlap
      between the domain and the virtual domain don't work correctly:

      <woods@...> (expanded from <news@...>): delivery via
      local: delivers to command: /usr/bin/procmail

      That's because news@... expands to news@..., and the
      mailman.ucar.edu gets stripped out because it is the name of the local
      host, and then "news" from the LDAP query gets expanded to
      woods@... and that's a local address, so now nobody can
      post to the Mailman list news@....

      Is there some way to set this up to do what I want? I think I've tried
      just about every order of the maps, but it always works out so that
      either the nlr.net aliases that overlap with ucar.edu get interpreted as
      the ucar.edu alias, or the nlr.net aliases that are not in the
      virtual-mailman map will bounce.

      # postmap -q news@... hash:/etc/mailman/virtual-mailman
      news
      # postmap -q news@... hash:/etc/aliases
      # postmap -q news@... ldap:/etc/postfix/ldap_alias.cf
      news@mailman
      # postmap -q news hash:/etc/mailman/virtual-mailman
      # postmap -q news hash:/etc/aliases
      "|/usr/lib/mailman/mail/mailman post news"
      # postmap -q news ldap:/etc/postfix/ldap_alias.cf
      woods
      # postmap -q editor@... hash:/etc/mailman/virtual-mailman
      # postmap -q editor@... hash:/etc/aliases
      # postmap -q editor@... ldap:/etc/postfix/ldap_alias.cf
      sac@...

      There is no "editor" in any of the maps.

      What I want, of course, is something that doesn't require me to maintain
      all of the virtual aliases on the Mailman system too, I want to get them
      from LDAP.

      --Greg
    • Noel Jones
      Message 2 of 8 , Jun 30, 2006
        At 11:40 AM 6/30/2006, Greg Woods wrote:
        >mydomain=ucar.edu, but we serve a virtual domain called
        >nlr.net. It had
        >to be a virtual domain because when we took nlr.net over,
        >there were
        >existing aliases that conflicted with some from ucar.edu (i.e.
        >news@... reaches our USENET admin, but news@...
        >is a Mailman
        >...
        >virtual_alias_maps = hash:/etc/mailman/virtual-mailman
        >alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap_alias.cf
        >
        >This doesn't quite work. The only nlr.net aliases that get
        >correctly
        >delivered are those that are in the virtual-mailman map.
        >Aliases within
        >the virtual domain that are in the LDAP server don't get
        >recognized, but
        >they are there:

        Aliases for virtual_alias_domains must be defined in
        virtual_alias_maps. Entries in alias_maps are expanded
        when local mail (listed in $mydestination) is delivered by
        local(8).
        Your editor@... address must be added to your
        virtual-mailman hash, and removed from ldap_alias.cf.


        --
        Noel Jones
      • Greg Woods
        Message 3 of 8 , Jun 30, 2006
          On Fri, 2006-06-30 at 13:42 -0500, Noel Jones wrote:

          > Your editor@... address must be added to your
          > virtual-mailman hash, and removed from ldap_alias.cf.

          If that is the case, then there really is no fix for my problem. I
          really don't want to have to maintain all the nlr.net aliases in
          multiple places. There are quite a lot of them, and there is no way of
          knowing when someone might decide to use one of them as a list
          administrator address, sign it up for a Mailman list, etc., so anything
          I come up with must allow any of the @... aliases to be sent to. And
          to be a real solution, it can't require all of the aliases to be
          hand-maintained on the Mailman system, I have to find a way to get them
          from the LDAP server.

          Here's one other thing I tried. In the virtual-mailman map, instead of
          an alias like:

          testnlr@... testnlr

          I tried putting the testnlr expansion directly in here:

          testnlr@... "|/usr/lib/mailman/mail/mailman post testnlr"

          The /etc/aliases map already had:

          testnlr "|/usr/lib/mailman/mail/mailman post testnlr"

          When I do this, I get:


          <"|/usr/lib/mailman/mail/mailman post testnlr"@...>
          (expanded from
          <testnlr@...>): delivery via local: unknown user:
          "|/usr/lib/mailman/mail/mailman post testnlr"

          Why doesn't this work? You can expand an alias_maps entry to a pipe, but
          not a virtual_alias_maps entry?

          --Greg
        • Magnus Bäck
          Message 4 of 8 , Jun 30, 2006
            On Friday, June 30, 2006 at 20:59 CEST,
            Greg Woods <woods@...> wrote:

            [...]

            > Why doesn't this work? You can expand an alias_maps entry to a pipe,
            > but not a virtual_alias_maps entry?

            Correct. The result of a virtual rewriting is always another address.
            virtual(5) has the details.

            --
            Magnus Bäck
            magnus@...
          • Wietse Venema
            Message 5 of 8 , Jun 30, 2006
              Greg Woods:
              > On Fri, 2006-06-30 at 13:42 -0500, Noel Jones wrote:
              >
              > > Your editor@... address must be added to your
              > > virtual-mailman hash, and removed from ldap_alias.cf.
              >
              > If that is the case, then there really is no fix for my problem. I
              > really don't want to have to maintain all the nlr.net aliases in
              > multiple places. There are quite a lot of them, and there is no way of
              > knowing when someone might decide to use one of them as a list
              > administrator address, sign it up for a Mailman list, etc., so anything
              > I come up with must allow any of the @... aliases to be sent to. And
              > to be a real solution, it can't require all of the aliases to be
              > hand-maintained on the Mailman system, I have to find a way to get them
              > from the LDAP server.
              >
              > Here's one other thing I tried. In the virtual-mailman map, instead of
              > an alias like:
              >
              > testnlr@... testnlr
              >
              > I tried putting the testnlr expansion directly in here:
              >
              > testnlr@... "|/usr/lib/mailman/mail/mailman post testnlr"
              >
              > The /etc/aliases map already had:
              >
              > testnlr "|/usr/lib/mailman/mail/mailman post testnlr"
              >
              > When I do this, I get:
              >
              >
              > <"|/usr/lib/mailman/mail/mailman post testnlr"@...>
              > (expanded from
              > <testnlr@...>): delivery via local: unknown user:
              > "|/usr/lib/mailman/mail/mailman post testnlr"
              >
              > Why doesn't this work? You can expand an alias_maps entry to a pipe, but
              > not a virtual_alias_maps entry?

              I suggest that you read the documentation, in this case, VIRTUAL_README.

              Wietse
            • Noel Jones
              Message 6 of 8 , Jun 30, 2006
                At 01:59 PM 6/30/2006, Greg Woods wrote:
                >hand-maintained on the Mailman system, I have to find a
                >way to get them
                >from the LDAP server.

                So set up another ldap query to use in virtual_alias_maps.

                ><"|/usr/lib/mailman/mail/mailman post
                >testnlr"@...>
                >(expanded from
                > <testnlr@...>): delivery via local: unknown user:
                > "|/usr/lib/mailman/mail/mailman post testnlr"
                >
                >Why doesn't this work? You can expand an alias_maps entry
                >to a pipe, but
                >not a virtual_alias_maps entry?

                Correct. Virtual_alias_maps will not expand to a pipe,
                file, or command - only to another mail address.
                (but the result can be something listed in alias_maps and
                expand to a list there).

                Others have suggested VIRTUAL_README for further insight.
                http://www.postfix.org/VIRTUAL_README.html

                --
                Noel Jones
              • Greg Woods
                Message 7 of 8 , Jun 30, 2006
                  On Fri, 2006-06-30 at 14:11 -0500, Noel Jones wrote:

                  > Others have suggested VIRTUAL_README for further insight.
                  > http://www.postfix.org/VIRTUAL_README.html

                  That was enough to convince me that I didn't want to use a virtual
                  domain here. The virtual domain on the central server is what I want in
                  that case. The central server does no local delivery, it relays
                  everything to internal servers specified for each user in the LDAP
                  server, including mailman lists which expand "listname@..." or
                  "listname@..." to "listname@...". With a virtual
                  domain, it can also expand "listname@..." to something completely
                  different, which is what was needed.

                  The reason I started doing it this way on the Mailman server is because
                  I was following the Mailman documentation (reading the documentation is
                  NOT always a magic bullet!). Obviously the authors of that document were
                  assuming that you were running the Mailman server on the same machine as
                  the central Postfix server, which is not true in my case.

                  What actually worked was much simpler than what I was trying to do. Get
                  rid of the virtual domain on the Mailman server, and maintain only
                  aliases for the Mailman software. I don't need to have all the @...
                  aliases available at all, because if it's not a Mailman list, the MX
                  record will send it to the central server for delivery anyway. If it is
                  a Mailman list, all I need is a local expand-to-pipe alias like:

                  testnlr "|/pipe/to/mailman testnlr"

                  If I send to "testnlr@..." from anywhere, including from the Mailman
                  server, it goes to our central server, gets expanded to
                  "testnlr@...", gets sent back to the Mailman server after
                  expansion, and everything works.

                  So I was just trying to get too cute. In the end, the only aliases I
                  have to maintain are those directly related to the Mailman system, and
                  I've always had to do that anyway. I also have to make sure that there
                  are not two Mailman lists in the two domains with the same name, but a
                  list name can conflict with an LDAP alias in the other domain, or two
                  LDAP aliases can conflict, and everything works as expected. Problem
                  solved.

                  --Greg
                • mouss
                  Message 8 of 8 , Jul 2, 2006
                    Greg Woods wrote:
                    > [snip]
                    >
                    > So I was just trying to get too cute. In the end, the only aliases I
                    > have to maintain are those directly related to the Mailman system, and
                    > I've always had to do that anyway. I also have to make sure that there
                    > are not two Mailman lists in the two domains with the same name, but a
                    > list name can conflict with an LDAP alias in the other domain, or two
                    > LDAP aliases can conflict, and everything works as expected. Problem
                    > solved.
                    >
                    >
                    The conflict can be solved with virtual_alias_maps. For instance,
                    news@... => news+ucar@...
                    news@... => news+nlr@...

                    then use news+ucar and news+nlr in your alias_maps. You can choose other
                    forms, but '+' is nice if you also have it as an extension delimiter (so
                    that if no match is found, "news" will be tried).

                    A more general form would be
                    listname@... =>
                    locallistname+listname=listdomain@...
                    but don't use wildcards as they break recipient validation.
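To make the lookup order Noel (message 6) and mouss (message 8) describe concrete, here is an added Python model of the chain: virtual_alias_maps rewrites to another address first, then alias_maps in local(8) may expand to a pipe. This is not Postfix code and not from anyone in the thread; the host name listserver.example.org, the map contents and the list names are constructed. It replays the message 1 failure (bare "news" rewritten back into the ucar.edu alias) beside mouss's news+ucar / news+nlr scheme, including the fallback to "news" when an extension has no entry.

```python
# Toy model of the lookup chain this thread is about: virtual_alias_maps (virtual(5)),
# then alias_maps in local(8).  Constructed sample maps; not the poster's real data.
MYORIGIN = "listserver.example.org"          # hypothetical Mailman host
MYDESTINATION = {"listserver.example.org"}   # domains delivered by local(8)
DELIM = "+"                                  # recipient_delimiter

def lookup(keys, maps):
    """Try each key form in order, against every map in the list, as Postfix does."""
    for key in keys:
        for table in maps:
            if key in table:
                return table[key]
    return None

def virtual_keys(addr):
    """virtual(5) order: user+ext@domain, user@domain, user+ext, user, @domain (bare forms only for our domains)."""
    local, domain = addr.split("@", 1)
    base = local.split(DELIM, 1)[0]
    keys = [addr, f"{base}@{domain}"]
    if domain == MYORIGIN or domain in MYDESTINATION:
        keys += [local, base]
    return keys + [f"@{domain}"]

def resolve(addr, virtual_maps, alias_maps, depth=0):
    """Return the final delivery action for addr: pipe:..., mailbox:... or relay:..."""
    assert depth < 10, f"alias loop at {addr}"
    if "@" not in addr:
        addr = f"{addr}@{MYORIGIN}"            # append_at_myorigin
    target = lookup(virtual_keys(addr), virtual_maps)
    if target is not None:                     # a virtual result is always an address
        return resolve(target, virtual_maps, alias_maps, depth + 1)
    local, domain = addr.split("@", 1)
    if domain not in MYDESTINATION:
        return f"relay:{addr}"                 # not ours: off to that domain's MX
    entry = lookup([local, local.split(DELIM, 1)[0]], alias_maps)  # user+ext, then user
    if entry is None:
        return f"mailbox:{local}"
    if entry.startswith("|"):                  # only alias_maps may expand to a command
        return f"pipe:{entry[1:]}"
    return resolve(entry, virtual_maps, alias_maps, depth + 1)
# Message 1: bare "news" from virtual-mailman plus an LDAP "news -> woods" entry in both layers.
VIRTUAL_MIXED = [{"news@nlr.net": "news"}, {"news": "woods"}]
ALIASES_MIXED = [{"news": "|/usr/lib/mailman/mail/mailman post news"}, {"news": "woods"}]
# Message 8: a distinct extended name per domain in virtual_alias_maps, keyed in alias_maps.
VIRTUAL_SPLIT = [{"news@ucar.edu": "news+ucar@listserver.example.org",
                  "news@nlr.net": "news+nlr@listserver.example.org"}]
ALIASES_SPLIT = [{"news+ucar": "|/usr/lib/mailman/mail/mailman post news-ucar",
                  "news+nlr": "|/usr/lib/mailman/mail/mailman post news-nlr",
                  "news": "usenet-admin"}]
```

With the mixed maps, news@nlr.net ends up in the woods mailbox and the list pipe is never reached; with the split maps each domain's list gets its own pipe and non-list addresses such as editor@nlr.net are relayed to the domain's MX, which is the arrangement Greg settled on.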