Domain alias rewriting

  • Kristof Bajnok
    Message 1 of 10, Jan 3, 2013
      Hi,

      I have several alias domains, I mean where users should receive mails
      for both user@domain.com (call it 'canonical') and user@domain.org
      ('alias') mail addresses.

      However, the delivery is done by an LMTP server which can not handle the
      alias domains, its user database (LDAP) only contains the canonical
      addresses, therefore I need to rewrite the aliased addresses to
      canonical ones in Postfix before passing the message to the MDA. How can I?

      As Postfix is so thoroughly documented, I suspect this use case is also
      covered, I just couldn't find it.

      My other question was going to be how I could verify the 'alias' address
      in RCPT stage (a wildcard virtual_alias_maps entry prevents this), but I
      think I already found the answer: write your own policy script.
      (http://osdir.com/ml/mail.postfix.devel/2007-01/msg00021.html)

      Thanks,
      Kristof
    • Bastian Blank
      Message 2 of 10, Jan 3, 2013
        On Thu, Jan 03, 2013 at 11:16:19AM +0100, Kristof Bajnok wrote:
        > My other question was going to be how I could verify the 'alias' address
        > in RCPT stage (a wildcard virtual_alias_maps entry prevents this),

        How do you get your user information?

        Bastian

        --
        Change is the essential process of all existence.
        -- Spock, "Let That Be Your Last Battlefield", stardate 5730.2
      • Kristof Bajnok
        Message 3 of 10, Jan 3, 2013
          On 01/03/2013 12:50 PM, Bastian Blank wrote:
          >> My other question was going to be how I could verify the 'alias' address
          >> in RCPT stage (a wildcard virtual_alias_maps entry prevents this),
          > How do you get your user information?

          LDAP, no local users. LDIF attached.

          Currently, a custom policy script (domainalias-aware) verifies the
          recipient in LDAP, then Postfix queries the LDAP again for possible SMTP
          forwards (virtual_alias_maps). If found, then forwards the message via
          SMTP, else it passes the message to the LMTP server.

          I wish it could be done easier. I've come from qmail-ldap world, and I'm
          still fighting to get the Postfix concepts, sorry.

          Kristof

          LDIF:
          # domain.com, alias: domain.org
          dn: dc=domain.com,ou=hosting,dc=isp,dc=com
          objectClass: domain
          objectClass: top
          destinationIndicator: domain.org
          dc: domain.com

          # user1 with local delivery (no mailForwardingAddress)
          dn: uid=user1,dc=domain.com,ou=hosting,dc=isp,dc=com
          objectClass: inetOrgPerson
          objectClass: inetMailUser
          objectClass: organizationalPerson
          objectClass: top
          objectClass: person
          cn: Test User1
          sn: Test
          mail: john.doe@...
          mail: user1@...
          mailQuota: 200M
          mailUserStatus: active
          uid: user1

          # user2 with forwarding via smtp
          dn: uid=user2,dc=domain.com,ou=hosting,dc=isp,dc=com
          mailForwardingAddress: remote@...
          objectClass: inetOrgPerson
          objectClass: inetMailUser
          objectClass: organizationalPerson
          objectClass: top
          objectClass: person
          cn: Test User2
          sn: Test
          mail: jane.doe@...
          mail: user2@...
          mailQuota: 200M
          mailUserStatus: active
          uid: user2
        • Wietse Venema
          Message 4 of 10, Jan 3, 2013
            Kristof Bajnok:
            > On 01/03/2013 12:50 PM, Bastian Blank wrote:
            > >> My other question was going to be how I could verify the 'alias' address
            > >> in RCPT stage (a wildcard virtual_alias_maps entry prevents this),
            > > How do you get your user information?
            >
            > LDAP, no local users. LDIF attached.
            >
            > Currently, a custom policy script (domainalias-aware) verifies the
            > recipient in LDAP, then Postfix queries the LDAP again for possible SMTP
            > forwards (virtual_alias_maps). If found, then forwards the message via
            > SMTP, else it passes the message to the LMTP server.

            You should not need a policy script for this. To validate an RCPT
            TO address, it's sufficient to have a virtual alias. You can use
            the ldap_table(5) domain feature to limit the queries.

            Wietse
          • Kristof Bajnok
            Message 5 of 10, Jan 3, 2013
              On 01/03/2013 02:28 PM, Wietse Venema wrote:
              >> Currently, a custom policy script (domainalias-aware) verifies the
              >> > recipient in LDAP, then Postfix queries the LDAP again for possible SMTP
              >> > forwards (virtual_alias_maps). If found, then forwards the message via
              >> > SMTP, else it passes the message to the LMTP server.
              > You should not need a policy script for this. To validate an RCPT
              > TO address, it's sufficient to have a virtual alias. You can use
              > the ldap_table(5) domain feature to limit the queries.

              Ah indeed, I should've spotted. Thanks!

              Do you have any tips for envelope address rewriting for the LMTP server,
              which is not domainalias-aware? (My first question.)

              Kristof
            • Wietse Venema
              Message 6 of 10, Jan 3, 2013
                Kristof Bajnok:
                > Hi,
                >
                > I have several alias domains, I mean where users should receive mails
                > for both user@... (call it 'canonical') and user@...
                > ('alias') mail addresses.
                >
                > However, the delivery is done by an LMTP server which can not handle the
                > alias domains, its user database (LDAP) only contains the canonical
                > addresses, therefore I need to rewrite the aliased addresses to
                > canonical ones in Postfix before passing the message to the MDA. How can I?

                You should rewrite the envelope recipient address with virtual_alias_maps,
                from the alias form to the canonical form. This will also validate
                the alias form as a valid address in RCPT TO commands.

                Wietse
              • Kristof Bajnok
                Message 7 of 10, Jan 3, 2013
                  On 01/03/2013 04:03 PM, Wietse Venema wrote:
                  >> I have several alias domains, I mean where users should receive mails
                  >> > for both user@... (call it 'canonical') and user@...
                  >> > ('alias') mail addresses.
                  >> >
                  >> > However, the delivery is done by an LMTP server which can not handle the
                  >> > alias domains, its user database (LDAP) only contains the canonical
                  >> > addresses, therefore I need to rewrite the aliased addresses to
                  >> > canonical ones in Postfix before passing the message to the MDA. How can I?
                  > You should rewrite the envelope recipient address with virtual_alias_maps,
                  > from the alias form to the canonical form. This will also validate
                  > the alias form as a valid address in RCPT TO commands.

                  Unfortunately, I can not accomplish this with a single query.

                  First, I need to find out, what the canonical domain part is (map
                  domain.org to domain.com), then replace the original domain part with
                  the result. I can't find a way to use results of table lookups within
                  query_filter.

                  Kristof
                • Viktor Dukhovni
                  Message 8 of 10, Jan 3, 2013
                    On Thu, Jan 03, 2013 at 07:28:20PM +0100, Kristof Bajnok wrote:

                    > > from the alias form to the canonical form. This will also validate
                    > > the alias form as a valid address in RCPT TO commands.
                    >
                    > Unfortunately, I can not accomplish this with a single query.

                    Actually, you can:

                    domain = example.com example.org ...
                    query_filter = mail=%u@example.com
                    result_attribute = mail

                    Just list all the domains whose namespace is identical to example.com
                    after example.com in the "domain = " list, then query for the user
                    in the canonical domain.

                    This said, it is far better to list all the valid of each user in
                    a suitable multi-valued attribute and skip the domain alias hack.

                    --
                    Viktor.
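
Added example, not part of the original thread and not Postfix code: a small Python model of one ldap_table(5) lookup using the three settings from the reply above, showing how a single map both rewrites alias-domain recipients to the canonical form and returns nothing for addresses that should not be accepted. The directory entries are constructed, and the match is a simplified equality test.

```python
# Added illustration: a model of one Postfix ldap_table(5) lookup, not Postfix code.
import re

# Constructed directory, reduced to the "mail" attribute (example.com is canonical).
DIRECTORY = [
    {"uid": "user1", "mail": ["john.doe@example.com", "user1@example.com"]},
    {"uid": "user2", "mail": ["jane.doe@example.com", "user2@example.com"]},
]

# Settings from the reply above; the alias domain follows the canonical one.
DOMAIN = ["example.com", "example.org"]
QUERY_FILTER = "mail=%u@example.com"
RESULT_ATTRIBUTE = "mail"


def escape_filter_value(value):
    """Quote LDAP filter metacharacters (RFC 4515) as backslash-hex escapes."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def unescape_filter_value(value):
    """Undo the quoting, as the directory server does before comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def lookup(address):
    """Return all result_attribute values for an address, or None if no match."""
    local, sep, domain = address.rpartition("@")
    # With "domain" set, only user@domain keys in a listed domain are queried.
    if not sep or not local or domain.lower() not in DOMAIN:
        return None
    # %u expands to the quoted local part, so it cannot alter the filter.
    ldap_filter = QUERY_FILTER.replace("%u", escape_filter_value(local))
    attr, _, wanted = ldap_filter.partition("=")
    wanted = unescape_filter_value(wanted).lower()
    for entry in DIRECTORY:
        # Equality match only; a real server evaluates the full filter syntax.
        if wanted in (v.lower() for v in entry.get(attr, [])):
            # Every value of a multi-valued attribute is part of the result.
            return entry[RESULT_ATTRIBUTE]
    return None
```

Because `result_attribute = mail` returns every `mail` value of the matching entry, a recipient in the alias domain expands to all of that user's canonical addresses, not only the one that matched.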
                  • Kristof Bajnok
                    Message 9 of 10, Jan 4, 2013
                      On 01/04/2013 04:13 AM, Viktor Dukhovni wrote:
                      >>> from the alias form to the canonical form. This will also validate
                      >>> > > the alias form as a valid address in RCPT TO commands.
                      >> >
                      >> > Unfortunately, I can not accomplish this with a single query.
                      > Actually, you can:
                      >
                      > domain = example.com example.org ...
                      > query_filter = mail=%u@...
                      > result_attribute = mail
                      >
                      > Just list all the domains whose namespace is identical to example.com
                      > after example.com in the "domain = " list, then query for the user
                      > in the canonical domain.

                      Unfortunately it does not fit to our ISP scenario, where there are
                      hundreds of served domains and each domain possibly has some alias domains.

                      >
                      > This said, it is far better to list all the valid of each user in
                      > a suitable multi-valued attribute and skip the domain alias hack.

                      I think it's not scalable with LDAP.

                      Many years ago I developed the same functionality to qmail-ldap, but
                      that project seems to be dead now. Eventually I may find some time to
                      implement this in Postfix. I'm wondering about adding some kind of
                      argument attribute(s?) to ldap-table, which can look up other tables and
                      its result can be expanded to query_filter, etc. Would it fit to Postfix?

                      Kristof
                    • Viktor Dukhovni
                      Message 10 of 10, Jan 4, 2013
                        On Fri, Jan 04, 2013 at 10:09:44AM +0100, Kristof Bajnok wrote:

                        > On 01/04/2013 04:13 AM, Viktor Dukhovni wrote:
                        > >>> from the alias form to the canonical form. This will also validate
                        > >>> > > the alias form as a valid address in RCPT TO commands.
                        > >> >
                        > >> > Unfortunately, I can not accomplish this with a single query.
                        > >
                        > > Actually, you can:
                        > >
                        > > domain = example.com example.org ...
                        > > query_filter = mail=%u@...
                        > > result_attribute = mail
                        > >
                        > > Just list all the domains whose namespace is identical to example.com
                        > > after example.com in the "domain = " list, then query for the user
                        > > in the canonical domain.
                        >
                        > Unfortunately it does not fit to our ISP scenario, where there are
                        > hundreds of served domains and each domain possibly has some alias domains.

                        Yes, for that case, provision all LDAP users with a full list of
                        their valid addresses. Receiving the same spam at an ever growing
                        list of domains is not a win for most users, domain-level aliasing
                        is over-rated. Receiving mail at a large list of domains is only
                        useful for a handful of contact addresses, my experience is that
                        real users are sufficiently happy with one or two email domains
                        (some users use disposable addresses, but that's a separate
                        issue from domain aliasing).

                        > > This said, it is far better to list all the valid of each user in
                        > > a suitable multi-valued attribute and skip the domain alias hack.
                        >
                        > I think it's not scalable with LDAP.

                        Multi-valued LDAP attributes scale just fine. Each user has a set
                        of valid addresses that is never too large for a single LDAP entry.
                        The totality of all domains across all users is not a scaling limit.

                        > Would it fit to Postfix?

                        Much complexity for not a lot of gain IMHO. Perhaps if the address
                        rewriting engine is made generally more configurable, with new
                        optional 1-to-1 rewriting performed in smtpd(8) before recipient
                        validation, then you get your domain aliasing as just one possible
                        application.

                        This should be a point feature, rather if there is a Postfix 3.0,
                        with a new address rewriting engine, that would be the place to
                        consider this.

                        --
                        Viktor.