Migrating from /etc/passwd to LDAP in-site

  • Maykel Moya
    Message 1 of 10 , Oct 1, 2007
      I have a server with a ton of local users. Nobody has local access
      granted, just mail delivery. I'm in the process of migrating them to
      LDAP, with the implication of making them virtual instead of local users.

      Due to some constraints I should make the migration in-site. I have been
      thinking of configuring Postfix to look up users first in LDAP, then in
      the local database, but it's not clear to me how to accomplish this given
      that one set of users is virtual and the other local.

      For local users I have now
      mailbox_command = /usr/local/bin/deliverquota -w 90 ${HOME}/Maildir

      The maildir directory will be available in every user's LDAP entry.

      Is VDA the only way to go? I would like to patch the source only as a
      last resort

      Regards,
      maykel
    • Victor Duchovni
      Message 2 of 10 , Oct 1, 2007
        On Mon, Oct 01, 2007 at 04:20:50AM -0400, Maykel Moya wrote:

        > I have a server with a ton of local users. Nobody has local access
        > granted, just mail delivery. I'm in process of migrate them to LDAP with
        > the implication of make them virtual instead of local users.
        >
        > Due to some constrains I should make the migration in-site. I have been
        > thinking in configuring Postfix to lookup first users in LDAP, then in
        > local database but it's not clear to me how to accomplish this given
        > that one set of users are virtual and the other local.

        Use virtual_mailbox_maps via LDAP for the virtual users. See
        VIRTUAL_README.

        > For local users I have now
        > mailbox_command = /usr/local/bin/deliverquota -w 90 ${HOME}/Maildir
        >
        > The maildir directory will be available in every user's LDAP entry.

        Virtual users don't have home directories, how will users access their
        email?

        > Is VDA the only way to go? I would like to patch the source only as a
        > last resort

        The VDA patch is only needed for maildir "quota" support. Postfix supports
        delivery to maildir directly via virtual(8), or you can use a 3rd party
        VDA such as "maildrop", via the pipe(8) delivery agent.

        --
        Viktor.

        Disclaimer: off-list followups get on-list replies or get ignored.
        Please do not ignore the "Reply-To" header.

        To unsubscribe from the postfix-users list, visit
        http://www.postfix.org/lists.html or click the link below:
        <mailto:majordomo@...?body=unsubscribe%20postfix-users>

        If my response solves your problem, the best way to thank me is to not
        send an "it worked, thanks" follow-up. If you must respond, please put
        "It worked, thanks" in the "Subject" so I can delete these quickly.
      • Maykel Moya
        Message 3 of 10 , Oct 1, 2007
          On Mon, 01-10-2007 at 11:30 -0400, Victor Duchovni wrote:
          > On Mon, Oct 01, 2007 at 04:20:50AM -0400, Maykel Moya wrote:
          >
          > > I have a server with a ton of local users. Nobody has local access
          > > granted, just mail delivery. I'm in process of migrate them to LDAP with
          > > the implication of make them virtual instead of local users.
          > >
          > > Due to some constrains I should make the migration in-site. I have been
          > > thinking in configuring Postfix to lookup first users in LDAP, then in
          > > local database but it's not clear to me how to accomplish this given
          > > that one set of users are virtual and the other local.
          >
          > Use virtual_mailbox_maps via LDAP for the virtual users. See
          > VIRTUAL_README.

          virtual_mailbox_maps implied that the domain in question, say foo.org,
          will be listed in virtual_mailbox_domains and thus *not* listed in
          mydestination.

          I would like to have the possibility of making a gradual migration. I
          mean, not entering all the users into LDAP at the same time.

          The logic I would like Postfix to follow is: if the user is in LDAP,
          use the directory data to deliver; if not, then try to deliver locally.
          Is there any trick I could follow to achieve that?

          Regards,
          maykel
        • Victor Duchovni
          Message 4 of 10 , Oct 1, 2007
            On Mon, Oct 01, 2007 at 10:45:17PM -0400, Maykel Moya wrote:

            >
            > On Mon, 01-10-2007 at 11:30 -0400, Victor Duchovni wrote:
            > > On Mon, Oct 01, 2007 at 04:20:50AM -0400, Maykel Moya wrote:
            > >
            > > > I have a server with a ton of local users. Nobody has local access
            > > > granted, just mail delivery. I'm in process of migrate them to LDAP with
            > > > the implication of make them virtual instead of local users.
            > > >
            > > > Due to some constrains I should make the migration in-site. I have been
            > > > thinking in configuring Postfix to lookup first users in LDAP, then in
            > > > local database but it's not clear to me how to accomplish this given
            > > > that one set of users are virtual and the other local.
            > >
            > > Use virtual_mailbox_maps via LDAP for the virtual users. See
            > > VIRTUAL_README.
            >
            > virtual_mailbox_maps implied that the domain in question, say foo.org,
            > will be listed in virtual_mailbox_domains and thus *not* listed in
            > mydestinations.

            No, it does not. All that is required is that the users in question be
            routed by one means or another to the virtual(8) transport, and that
            smtpd(8) be given appropriate recipient validation tables for each
            address class.

            You can split the domain by rewriting, via mailbox_transport_maps or
            via per-user transport_maps. Each choice has different pros/cons.

            > I would to have the possibility to make a gradual migration. I mean, not
            > entering all the users to LDAP at the same time.
            >
            > The logic I would like Postfix to follow is: is the user is in LDAP use
            > the directory data to deliver, is not, then try to deliver locally. Is
            > there any trick I could follow to achieve that?
            >

            Rewrite (virtual(5)) selectively to a virtual domain, or route
            (transport(5)) selectively to the virtual(8) transport, or hand-off
            mailbox delivery (mailbox_transport_maps) selectively to a virtual
            transport.

            --
            Viktor.

          • Alan Fullmer
            Message 5 of 10 , Oct 2, 2007
              Hello,

              I have a quick question regarding the pipe function in Postfix and the
              use of PHP as a mail sorter/parser. I've looked around and see many
              people have used PHP as a quick and dirty solution for putting mail data
              into a database.

              I am taking all incoming mail, parsing out headers and putting the mail
              into a MySQL database. The problem I have is, if the script cannot
              connect to the database, the script fails. What I want is to have this
              message return back into the normal mail queue with a temporary failure
              or something so it can retry at a later time without disappearing into
              never never land. The reason for this, is if there is a connection
              failure, or the database stops for some reason, I don't want these
              messages to be lost due to a script failure.

              Here is my pipe command:
              spamfilter unix - n n - - pipe
                flags=DRq user=spamfilter argv=/scripts/spamfilter.sh -f ${sender} -- ${recipient}

              Here is my spamfilter.sh command:
              #!/bin/bash
              /usr/bin/spamc -f -u "$4" | /scripts/parsemessage.php "$4"
              exit $?


              So is there a way to exit(); with some sort of code to put that message
              back into the queue? I have read that I need to exit(75); but that does
              not work. If anyone could help, that would be more than fantastic.

              Thanks,
              Alan
            • Ralf Hildebrandt
              Message 6 of 10 , Oct 2, 2007
                * Alan Fullmer <lists-alan@...>:
                > Hello,
                >
                > I have a quick question regarding the pipe function in Postfix and the use
                > of PHP as a mail sorter/parser. I've looked around and see many people
                > have used PHP as a quick and dirty solution for putting mail data into a
                > database.
                >
                > I am taking all incoming mail, parsing out headers and putting the mail into
                > a MySQL database. The problem I have is, if the script cannot connect to
                > the database, the script fails. What I want is to have this message return
                > back into the normal mail queue with a temporary failure or something so it
                > can retry at a later time without disappearing into never never land. The
                > reason for this, is if there is a connection failure, or the database stops
                > for some reason, I don't want these messages to be lost due to a script
                > failure.

                exit 75

                --
                Ralf Hildebrandt (Ralf.Hildebrandt@...) plonk@...
                Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
                http://www.arschkrebs.de
                The same people that tell you that a Linux program is as good as a
                WinNT program would also tell you it's better to wipe your ass with a
                belt sander instead of toilet paper. I can hear them now -- "It may
                not look as good but it's faster and does a more thorough job!
              • Alan Fullmer
                Message 7 of 10 , Oct 2, 2007
                  Ralf Hildebrandt wrote:
                  > * Alan Fullmer <lists-alan@...>:
                  >
                  >> Hello,
                  >>
                  >> I have a quick question regarding the pipe function in Postfix and the use
                  >> of PHP as a mail sorter/parser. I've looked around and see many people
                  >> have used PHP as a quick and dirty solution for putting mail data into a
                  >> database.
                  >>
                  >> I am taking all incoming mail, parsing out headers and putting the mail into
                  >> a MySQL database. The problem I have is, if the script cannot connect to
                  >> the database, the script fails. What I want is to have this message return
                  >> back into the normal mail queue with a temporary failure or something so it
                  >> can retry at a later time without disappearing into never never land. The
                  >> reason for this, is if there is a connection failure, or the database stops
                  >> for some reason, I don't want these messages to be lost due to a script
                  >> failure.
                  >>
                  >
                  > exit 75
                  >
                  >
                  this is what I have and it wasn't working. That's why I ask :/

                  $dbc = mysql_connect (
                  $host ,
                  $name ,
                  $pass
                  ) or exit(75);
                • Ralf Hildebrandt
                  Message 8 of 10 , Oct 2, 2007
                    * Alan Fullmer <lists-alan@...>:

                    >> exit 75
                    >>
                    >>
                    > this is what I have and it wasn't working. That's why I ask :/
                    >
                    > $dbc = mysql_connect (
                    > $host ,
                    > $name ,
                    > $pass
                    > ) or exit(75);

                    What happens instead? Show some logs of that particular case.

                    --
                    Ralf Hildebrandt (Ralf.Hildebrandt@...) plonk@...
                    Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
                    http://www.arschkrebs.de
                    How many viruses must arrive before people realize,
                    that M$ is just not ready for the enterprise?
                  • Alan Fullmer
                    Message 9 of 10 , Oct 2, 2007
                      Alan Fullmer wrote:
                      > Ralf Hildebrandt wrote:
                      >> * Alan Fullmer <lists-alan@...>:
                      >>
                      >>> Hello,
                      >>>
                      >>> I have a quick question regarding the pipe function in Postfix and
                      >>> the use of PHP as a mail sorter/parser. I've looked around and see
                      >>> many people have used PHP as a quick and dirty solution for putting
                      >>> mail data into a database.
                      >>>
                      >>> I am taking all incoming mail, parsing out headers and putting the
                      >>> mail into a MySQL database. The problem I have is, if the script
                      >>> cannot connect to the database, the script fails. What I want is to
                      >>> have this message return back into the normal mail queue with a
                      >>> temporary failure or something so it can retry at a later time
                      >>> without disappearing into never never land. The reason for this, is
                      >>> if there is a connection failure, or the database stops for some
                      >>> reason, I don't want these messages to be lost due to a script failure.
                      >>>
                      >>
                      >> exit 75
                      >>
                      >>
                      > this is what I have and it wasn't working. That's why I ask :/
                      >
                      > $dbc = mysql_connect (
                      > $host ,
                      > $name ,
                      > $pass
                      > ) or exit(75);
                      >
                      >
                      >
                      >
                      Sorry, it does seem to work now. I don't know why it requires ("75").
                      I added quotes and it works. Thanks for your help. Much appreciated!
                    • Victor Duchovni
                      Message 10 of 10 , Oct 2, 2007
                        On Tue, Oct 02, 2007 at 11:54:58AM -0600, Alan Fullmer wrote:

                        > Here is my pipe command:
                        > spamfilter unix - n n - - pipe
                        > flags=DRq user=spamfilter argv=/scripts/spamfilter.sh -f ${sender} --
                        > ${recipient}
                        >
                        > Here is my spamfilter.sh command:
                        > #!/bin/bash
                        > /usr/bin/spamc -f -u "$4" | /scripts/parsemessage.php "$4"
                        > exit $?

                        Make sure your main.cf contains:

                        spamfilter_destination_recipient_limit = 1

                        or you will lose mail to all but the first recipient of multi-recipient
                        messages.

                        > So is there a way to exit(); with some sort of code to put that message
                        > back into the queue? I have read that I need to exit(75); but that does
                        > not work. If anyone could help, that would be more than fantastic.

                        Your parsemessage.php script should produce an exit code of 75 if you
                        want temporary failure. Also for robust handling of errors in the
                        "spamc" filter you need (on systems with mktemp(1)):

                        tempfile=$(mktemp /tmp/msg.XXXXXX) || exit 75
                        # trap takes the command first, then the condition (0 = shell exit)
                        trap 'rm -f "$tempfile"' 0
                        /usr/bin/spamc -f -u "$4" > "$tempfile" || exit 75
                        /scripts/parsemessage.php "$4" < "$tempfile"

                        This way you won't be storing fragmented messages in the database when
                        spamc fails or is killed, ... Of course if the pipe(8) delivery agent
                        is killed mid-message, you will still get a partial message, but the
                        full message will be re-tried later.

                        Truly robust (and performant) systems use resident LMTP daemons, not
                        scripts fired off via pipe(8). Your requirements may be more modest.

                        --
                        Viktor.
