
Re: Domain alias rewriting

  • Wietse Venema
    Message 1 of 10, Jan 3, 2013
      Kristof Bajnok:
      > On 01/03/2013 12:50 PM, Bastian Blank wrote:
      > >> My other question was going to be how I could verify the 'alias' address
      > >> in RCPT stage (a wildcard virtual_alias_maps entry prevents this),
      > > How do you get your user information?
      >
      > LDAP, no local users. LDIF attached.
      >
      > Currently, a custom policy script (domainalias-aware) verifies the
      > recipient in LDAP, then Postfix queries the LDAP again for possible SMTP
      > forwards (virtual_alias_maps). If found, then forwards the message via
      > SMTP, else it passes the message to the LMTP server.

      You should not need a policy script for this. To validate an RCPT
      TO address, it's sufficient to have a virtual alias. You can use
      the ldap_table(5) domain feature to limit the queries.

      Wietse
    • Kristof Bajnok
      Message 2 of 10, Jan 3, 2013
        On 01/03/2013 02:28 PM, Wietse Venema wrote:
        >> Currently, a custom policy script (domainalias-aware) verifies the
        >> recipient in LDAP, then Postfix queries the LDAP again for possible SMTP
        >> forwards (virtual_alias_maps). If found, then forwards the message via
        >> SMTP, else it passes the message to the LMTP server.
        > You should not need a policy script for this. To validate an RCPT
        > TO address, it's sufficient to have a virtual alias. You can use
        > the ldap_table(5) domain feature to limit the queries.

        Ah indeed, I should've spotted. Thanks!

        Do you have any tips for envelope address rewriting for the LMTP server,
        which is not domainalias-aware? (My first question.)

        Kristof
      • Wietse Venema
        Message 3 of 10, Jan 3, 2013
          Kristof Bajnok:
          > Hi,
          >
          > I have several alias domains, I mean where users should receive mails
          > for both user@... (call it 'canonical') and user@...
          > ('alias') mail addresses.
          >
          > However, the delivery is done by an LMTP server which can not handle the
          > alias domains, its user database (LDAP) only contains the canonical
          > addresses, therefore I need to rewrite the aliased addresses to
          > canonical ones in Postfix before passing the message to the MDA. How can I?

          You should rewrite the envelope recipient address with virtual_alias_maps,
          from the alias form to the canonical form. This will also validate
          the alias form as a valid address in RCPT TO commands.

          Wietse
        • Kristof Bajnok
          Message 4 of 10, Jan 3, 2013
            On 01/03/2013 04:03 PM, Wietse Venema wrote:
            >> I have several alias domains, I mean where users should receive mails
            >> for both user@... (call it 'canonical') and user@...
            >> ('alias') mail addresses.
            >>
            >> However, the delivery is done by an LMTP server which can not handle the
            >> alias domains, its user database (LDAP) only contains the canonical
            >> addresses, therefore I need to rewrite the aliased addresses to
            >> canonical ones in Postfix before passing the message to the MDA. How can I?
            > You should rewrite the envelope recipient address with virtual_alias_maps,
            > from the alias form to the canonical form. This will also validate
            > the alias form as a valid address in RCPT TO commands.

            Unfortunately, I can not accomplish this with a single query.

            First, I need to find out, what the canonical domain part is (map
            domain.org to domain.com), then replace the original domain part with
            the result. I can't find a way to use results of table lookups within
            query_filter.

            Kristof
          • Viktor Dukhovni
            ... Actually, you can: domain = example.com example.org ... query_filter = mail=%u@example.com result_attribute = mail Just list all the domains whose
            Message 5 of 10 , Jan 3, 2013
              On Thu, Jan 03, 2013 at 07:28:20PM +0100, Kristof Bajnok wrote:

              > > from the alias form to the canonical form. This will also validate
              > > the alias form as a valid address in RCPT TO commands.
              >
              > Unfortunately, I can not accomplish this with a single query.

              Actually, you can:

              domain = example.com example.org ...
              query_filter = mail=%u@...
              result_attribute = mail

              Just list all the domains whose namespace is identical to example.com
              after example.com in the "domain = " list, then query for the user
              in the canonical domain.

              This said, it is far better to list all the valid of each user in
              a suitable multi-valued attribute and skip the domain alias hack.

              --
              Viktor.
            • Kristof Bajnok
              Message 6 of 10, Jan 4, 2013
                On 01/04/2013 04:13 AM, Viktor Dukhovni wrote:
                >>> from the alias form to the canonical form. This will also validate
                >>> the alias form as a valid address in RCPT TO commands.
                >>
                >> Unfortunately, I can not accomplish this with a single query.
                > Actually, you can:
                >
                > domain = example.com example.org ...
                > query_filter = mail=%u@...
                > result_attribute = mail
                >
                > Just list all the domains whose namespace is identical to example.com
                > after example.com in the "domain = " list, then query for the user
                > in the canonical domain.

                Unfortunately it does not fit to our ISP scenario, where there are
                hundreds of served domains and each domain possibly has some alias domains.

                >
                > This said, it is far better to list all the valid of each user in
                > a suitable multi-valued attribute and skip the domain alias hack.

                I think it's not scalable with LDAP.

                Many years ago I developed the same functionality to qmail-ldap, but
                that project seems to be dead now. Eventually I may find some time to
                implement this in Postfix. I'm wondering about adding some kind of
                argument attribute(s?) to ldap-table, which can look up other tables and
                its result can be expanded to query_filter, etc. Would it fit to Postfix?

                Kristof
              • Viktor Dukhovni
                Message 7 of 10, Jan 4, 2013
                  On Fri, Jan 04, 2013 at 10:09:44AM +0100, Kristof Bajnok wrote:

                  > On 01/04/2013 04:13 AM, Viktor Dukhovni wrote:
                  > >>> from the alias form to the canonical form. This will also validate
                  > >>> the alias form as a valid address in RCPT TO commands.
                  > >>
                  > >> Unfortunately, I can not accomplish this with a single query.
                  > >
                  > > Actually, you can:
                  > >
                  > > domain = example.com example.org ...
                  > > query_filter = mail=%u@...
                  > > result_attribute = mail
                  > >
                  > > Just list all the domains whose namespace is identical to example.com
                  > > after example.com in the "domain = " list, then query for the user
                  > > in the canonical domain.
                  >
                  > Unfortunately it does not fit to our ISP scenario, where there are
                  > hundreds of served domains and each domain possibly has some alias domains.

                  Yes, for that case, provision all LDAP users with a full list of
                  their valid addresses. Receiving the same spam at an ever growing
                  list of domains is not a win for most users, domain-level aliasing
                  is over-rated. Receiving mail at a large list of domains is only
                  useful for a handful of contact addresses, my experience is that
                  real users are sufficiently happy with one or two email domains
                  (some users use disposable addresses, but that's a separate
                  issue from domain aliasing).

                  > > This said, it is far better to list all the valid of each user in
                  > > a suitable multi-valued attribute and skip the domain alias hack.
                  >
                  > I think it's not scalable with LDAP.

                  Multi-valued LDAP attributes scale just fine. Each user has a set
                  of valid addresses that is never too large for a single LDAP entry.
                  The totality of all domains across all users is not a scaling limit.

                  > Would it fit to Postfix?

                  Much complexity for not a lot of gain IMHO. Perhaps if the address
                  rewriting engine is made generally more configurable, with new
                  optional 1-to-1 rewriting performed in smtpd(8) before recipient
                  validation, then you get your domain aliasing as just one possible
                  application.

                  This should be a point feature, rather if there is a Postfix 3.0,
                  with a new address rewriting engine, that would be the place to
                  consider this.

                  --
                  Viktor.
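
The two ldap_table(5) forms discussed in this thread, written out as an added configuration example; it is not taken from any message above and is not the posters' own configuration. The file paths, `server_host`, `search_base` and the attribute name `mailAlternateAddress` are assumptions, and comments sit on their own lines because Postfix table files do not support trailing comments.

```ini
# ---- File 1 (assumed path): /etc/postfix/ldap-domain-alias.cf ----
# Domain-alias form: one map per canonical domain and its alias domains.
# server_host and search_base are placeholder values.
server_host = ldap://ldap.example.com
search_base = dc=example,dc=com
version = 3
# Only user@domain keys whose domain is listed here are sent to the
# LDAP server; any other key is "not found" without a query.
domain = example.com example.org
# %u is the local part of the looked-up address, so a lookup of
# user@example.org searches for the entry of user@example.com.
query_filter = mail=%u@example.com
# The canonical address is returned and replaces the envelope recipient.
# An alias address with no matching entry returns nothing, so it is
# not made valid by this map.
result_attribute = mail

# ---- File 2 (assumed path): /etc/postfix/ldap-all-addresses.cf ----
# Per-user form: every valid address is stored on the user's own entry.
# mailAlternateAddress is a hypothetical multi-valued attribute name.
server_host = ldap://ldap.example.com
search_base = dc=example,dc=com
version = 3
# %s is the complete looked-up address; no per-domain map is needed.
query_filter = (mailAlternateAddress=%s)
result_attribute = mail

# ---- main.cf (use one of the two maps) ----
# virtual_alias_maps = ldap:/etc/postfix/ldap-all-addresses.cf
```

Either map can be checked before it goes live with `postmap -q user@example.org ldap:/etc/postfix/ldap-domain-alias.cf`, which should print the canonical address for a real user and nothing for an unknown one.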