
Integrating User list

  • Jody Detmer
    Message 1 of 8 , Feb 28, 2007

      Hello all:

      I should start by mentioning I'm fairly new to postfix, but liking it much more over sendmail!

      I'm running in a Windows AD environment but with a postfix/centos bastion host to scan mail and pass it inward.  I'd like to implement user checks on the postfix box so the AD server doesn’t have to reject all the bad users.  My first attempt was taking my user list out of AD and putting them in the postfix access file with OK’s.  This didn’t work.  Is there a more simple way to do this that I'm missing?

      Thanks for your help,

      Jody Detmer


    • Sandy Drobic
      Message 2 of 8 , Feb 28, 2007
        Jody Detmer wrote:
        >
        >
        > Hello all:
        >
        >
        >
        > I should start by mentioning im fairly new to postfix, but liking it
        > much more over sendmail!
        >
        >
        >
        > Im running in a windows AD environment but with a postfix/centos bastion
        > host to scan mail and pass it inward. Id like to implement user checks
        > on the postfix box so the AD server doesn’t have to reject all the bad
        > users. My first attempt was taking my user list out of AD and putting
        > them in the postfix access file with OK’s. This didn’t work. Is there
        > a more simple way to do this that im missing?

        You are on the right track with your initial idea, but the execution of
        said idea fell flat. Postfix uses maps to check validity of recipient
        addresses.

        Domains in                 map
        mydestination              local_recipient_maps
        relay_domains              relay_recipient_maps
        virtual_mailbox_domains    virtual_mailbox_maps
        virtual_alias_maps         virtual_alias_maps


        For details please read:
        http://www.postfix.org/ADDRESS_CLASS_README.html

        You have probably set up your domain on the Postfix server as a
        relay_domain. So put the valid addresses in a relay_recipient_maps.

        /etc/postfix/main.cf:
        relay_domains = example.com
        relay_recipient_maps = hash:/etc/postfix/relay_recipients

        /etc/postfix/relay_recipients:
        user1@... OK
        user2@... OK

        Don't forget to postmap hash databases.

        Rejecting invalid recipients on the mailgateway is an absolute requisite
        today, otherwise you are a backscatter source.

        --
        Sandy

        List replies only please!
        Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
      • Davide Ferrari
        Message 3 of 8 , Feb 28, 2007
          On Wednesday 28 February 2007 16:42:24 Sandy Drobic wrote:
          > You have probably set up your domain on the Postfix server as a
          > relay_domain. So put the valid addresses in a relay_recipient_maps.
          >
          > /etc/postfix/main.cf:
          > relay_domains = example.com
          > relay_recipient_maps = hash:/etc/postfix/relay_recipients

          As he's using an Active Directory behind, he really wants to use LDAP as map
          backend, so every mail that arrives is checked against the most current users
          DB.

          --
          Davide Ferrari
          System Administrator
          http://www.atrapalo.com
        • Jody Detmer
          Message 4 of 8 , Feb 28, 2007
            DB:
            That's true, but alternately we have a script made that will push any changes up to the postfix. I'd love to have it interface directly with AD, but that's a different mailing list :)


            Jody Detmer


            -----Original Message-----
            From: owner-postfix-users@... [mailto:owner-postfix-users@...] On Behalf Of Davide Ferrari
            Sent: Wednesday, February 28, 2007 10:50 AM
            To: postfix-users@...
            Subject: Re: Integrating User list

            On Wednesday 28 February 2007 16:42:24 Sandy Drobic wrote:
            > You have probably set up your domain on the Postfix server as a
            > relay_domain. So put the valid addresses in a relay_recipient_maps.
            >
            > /etc/postfix/main.cf:
            > relay_domains = example.com
            > relay_recipient_maps = hash:/etc/postfix/relay_recipients

            As he's using an Active Directory behind, he really wants to use LDAP as map
            backend, so every mail that arrives is checked against the most current users
            DB.

            --
            Davide Ferrari
            System Administrator
            http://www.atrapalo.com
          • Sandy Drobic
            Message 5 of 8 , Feb 28, 2007
              Davide Ferrari wrote:
              > On Wednesday 28 February 2007 16:42:24 Sandy Drobic wrote:
              >> You have probably set up your domain on the Postfix server as a
              >> relay_domain. So put the valid addresses in a relay_recipient_maps.
              >>
              >> /etc/postfix/main.cf:
              >> relay_domains = example.com
              >> relay_recipient_maps = hash:/etc/postfix/relay_recipients
              >
              > As he's using an Active Directory behind, he really wants to use LDAP as map
              > backend, so every mail that arrives is checked against the most current users
              > DB.

              It's more a case of preference. If the exchange server is running stable
              with little downtime that's okay. But you are rejecting mails when the
              server can not be queried for valid recipients. Postfix 2.3+ is doing this
              more gracefully than version 2.2 (that is logging a fatal error when the
              map cannot be queried).

              I prefer to use a script to extract a list of valid addresses via ldap
              from our domino server and compile a hash file with valid addresses. That
              way it doesn't matter if the domino server is shut down for maintenance,
              mails will be received and not rejected.

              --
              Sandy

              List replies only please!
              Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
            • Davide Ferrari
              Message 6 of 8 , Feb 28, 2007
                On Wednesday 28 February 2007 17:27:28 Sandy Drobic wrote:
                > I prefer to use a script to extract a list of valid addresses via ldap
                > from our domino server and compile a hash file with valid addresses. That
                > way it doesn't matter if the domino server is shut down for maintenance,
                > mails will be received and not rejected.

                Yes, this is a good point (and moreover if you're running the postfix server
                in a DMZ while the AD stays in LAN).

                In my case my users "float" very much, and I have no need for a DMZ, so I've
                chosen the LDAP solution.

                --
                Davide Ferrari
                System Administrator
                http://www.atrapalo.com
              • Sandy Drobic
                Message 7 of 8 , Feb 28, 2007
                  Davide Ferrari wrote:
                  > On Wednesday 28 February 2007 17:27:28 Sandy Drobic wrote:
                  >> I prefer to use a script to extract a list of valid addresses via ldap
                  >> from our domino server and compile a hash file with valid addresses. That
                  >> way it doesn't matter if the domino server is shut down for maintenance,
                  >> mails will be received and not rejected.
                  >
                  > Yes, this is a good point (and moreover if you're running the postfix server
                  > in a DMZ while the AD stays in LAN).
                  >
                  > In my case my users "float" very much, and I have no need for a DMZ, so I've
                  > chosen the LDAP solution.

                  I needed to clean up the result anyway, so I couldn't use a direct map.
                  Since our userbase is only a few hundred addresses and the server is
                  idling most of the time I can afford to run the script every five minutes.
                  It only takes a few seconds anyway and sends a report when the
                  relay_recipients have changed.


                  --
                  Sandy

                  List replies only please!
                  Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
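
Added example, not part of the original thread and not any poster's actual script: a sketch of the export-and-compile approach discussed above, turning an LDIF-style directory export into relay_recipients lines. The sample LDIF, the function names and the 50% shrink threshold are assumptions; the guard exists because a failed export that installs an empty map would make Postfix reject every recipient as unknown.

```python
import re

# Constructed sample: LDIF-style export of two AD accounts (not real data).
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=example,DC=com
mail: Alice@Example.com
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:a.smith@example.com
proxyAddresses: X400:c=US;a= ;p=Example;o=Exchange;s=Smith;

dn: CN=Bob,OU=Staff,DC=example,DC=com
mail: bob@example.com
proxyAddresses: smtp:bob@other.example
"""

ADDR = re.compile(r"^[^\s@]+@[^\s@]+$")

def extract_recipients(ldif, relay_domains):
    """Return sorted, lower-cased SMTP addresses that fall in relay_domains."""
    found = set()
    for line in ldif.splitlines():  # base64 ("::") and folded lines are skipped
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "proxyaddresses":
            scheme, _, value = value.partition(":")
            if scheme.lower() != "smtp":
                continue  # ignore X400 and other non-SMTP proxy addresses
        elif attr != "mail":
            continue
        value = value.lower()
        if ADDR.match(value) and value.rsplit("@", 1)[1] in relay_domains:
            found.add(value)
    return sorted(found)

def render_map(addresses):
    """Format addresses as lookup-table lines: '<address> OK'."""
    return "".join(f"{a} OK\n" for a in addresses)

def safe_to_install(old_map, new_map, max_shrink=0.5):
    """Refuse an empty map, or one that lost more than max_shrink of its lines."""
    # max_shrink is an assumed threshold; tune it to how much the user base moves.
    old_n, new_n = len(old_map.splitlines()), len(new_map.splitlines())
    if new_n == 0:
        return False
    return old_n == 0 or new_n >= old_n * (1 - max_shrink)

if __name__ == "__main__":
    print(render_map(extract_recipients(SAMPLE_LDIF, {"example.com"})), end="")
```

After writing the new file in place of /etc/postfix/relay_recipients, run postmap on it so the hash database is rebuilt.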
                • Noah Dain
                  Message 8 of 8 , Mar 1, 2007
                    On 2/28/07, Sandy Drobic <postfix-users@...> wrote:
                    > Davide Ferrari wrote:
                    > > On Wednesday 28 February 2007 17:27:28 Sandy Drobic wrote:
                    > >> I prefer to use a script to extract a list of valid addresses via ldap
                    > >> from our domino server and compile a hash file with valid addresses. That
                    > >> way it doesn't matter if the domino server is shut down for maintenance,
                    > >> mails will be received and not rejected.
                    > >
                    > > Yes, this is a good point (and moreover if you're running the postfix server
                    > > in a DMZ while the AD stays in LAN).
                    > >
                    > > In my case my users "float" very much, and I have no need for a DMZ, so I've
                    > > chosen the LDAP solution.
                    >
                    > I needed to cleanup the result anyway, so I couldn't use a direct map.
                    > Since our userbase is only a few hundred addresses and the server is
                    > idling most of the time I can afford to run the script every five minutes.
                    > It only takes a few seconds anyway and sends a report when the
                    > relay_recipients have changed.
                    >
                    >
                    > --
                    > Sandy
                    >
                    > List replies only please!
                    > Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
                    >
                    >

                    if it's not been mentioned already, this does a good job of pulling
                    all email addresses from ad and making the postfix mapping:

                    http://www-personal.umich.edu/~malth/gaptuning/postfix/
                    alternatively:
                    http://www2.origogeneris.com:4000/relay_recipients.html

                    --
                    Noah Dain
                    "The beatings will continue, until moral improves" - the Management