LDAP canonical_maps and domain rewriting

  • Patrick Lists
    Message 1 of 18, Mar 16, 2013
      Hi all,

      Venturing into postfix+openldap country I bumped into a challenge: is it
      possible to use an LDAP table for canonical_maps to generically rewrite
      domainA to domainB (so for all email addresses @...)? It works
      fine when I use this in a hash table:

      @... @...

      But I can't make this work via LDAP.

      The OpenLDAP server uses this setup:

      uid=test@...,ou=people,ou=domainA.org,ou=hosted,dc=example,dc=org

      $ grep canonical /etc/postfix/main.cf
      canonical_maps = proxy:ldap:/etc/postfix/ldap-canonical.cf
      canonical_classes = envelope_recipient

      $ cat /etc/postfix/ldap-canonical.cf
      server_host = ldapi://%2Fvar%2Frun%2Fldapi
      bind = yes
      bind_dn = cn=Manager,dc=example,dc=org
      bind_pw = <scrubbed>
      search_base = ou=hosted,dc=example,dc=org
      version = 3
      scope = one
      query_filter = ou=%d
      result_attribute = description
      result_format = %s

      I abused the "description" attribute under ou=domainA.org to contain the
      new domainB.org that domainA.org should be rewritten to. The ldif of
      ou=domainA.org is:

      dn: ou=domainA.org,ou=hosted,dc=example,dc=org
      objectClass: organizationalUnit
      objectClass: top
      ou: domainA.org
      description: @...

      When testing only @... shows up instead of the rewritten email
      address (use of %d):

      postmap -q test@... ldap:/etc/postfix/ldap-canonical.cf
      @...

      I can't figure out how to make it do the rewrite for all email addresses
      under domainA.org to domainB.org. I would appreciate it if anyone could
      give me a hint or point me to some fine material to read how to make
      this work (if possible).

      Thanks and regards,
      Patrick
    • Fernando Maior
      Message 2 of 18, Mar 16, 2013
        Hi Patrick,

        If you use the hash table, and issue the postmap command, what is the output?

        Regards,
        ---
        Fernando Maciel Souto Maior

        On Sat, Mar 16, 2013 at 2:19 PM, Patrick Lists <postfix-list@...> wrote:
        Hi all,

        Venturing into postfix+openldap country I bumped into a challenge: is it possible to use an LDAP table for canonical_maps to generically rewrite domainA to domainB (so for all email addresses @...)? It works fine when I use this in a hash table:

        @...  @...

        But I can't make this work via LDAP.

        The OpenLDAP server uses this setup:

        uid=test@...,ou=people,ou=domainA.org,ou=hosted,dc=example,dc=org

        $ grep canonical /etc/postfix/main.cf
        canonical_maps = proxy:ldap:/etc/postfix/ldap-canonical.cf
        canonical_classes = envelope_recipient

        $ cat /etc/postfix/ldap-canonical.cf
        server_host = ldapi://%2Fvar%2Frun%2Fldapi
        bind = yes
        bind_dn = cn=Manager,dc=example,dc=org
        bind_pw = <scrubbed>
        search_base = ou=hosted,dc=example,dc=org
        version = 3
        scope = one
        query_filter = ou=%d
        result_attribute = description
        result_format  = %s

        I abused the "description" attribute under ou=domainA.org to contain the new domainB.org that domainA.org should be rewritten to. The ldif of ou=domainA.org is:

        dn: ou=domainA.org,ou=hosted,dc=example,dc=org
        objectClass: organizationalUnit
        objectClass: top
        ou: domainA.org
        description: @...

        When testing only @... shows up instead of the rewritten email address (use of %d):

        postmap -q test@... ldap:/etc/postfix/ldap-canonical.cf
        @...

        I can't figure out how to make it do the rewrite for all email addresses under domainA.org to domainB.org. I would appreciate it if anyone could give me a hint or point me to some fine material to read how to make this work (if possible).

        Thanks and regards,
        Patrick

      • Viktor Dukhovni
        Message 3 of 18, Mar 16, 2013
          On Sat, Mar 16, 2013 at 06:19:45PM +0100, Patrick Lists wrote:

          > Venturing into postfix+openldap country I bumped into a challenge:
          > is it possible to use an LDAP table for canonical_maps to
          > generically rewrite domainA to domainB (so for all email addresses
          > @...)? It works fine when I use this in a hash table:

          I've always avoided wildcard rewrites with LDAP; do the rewrite
          only with actual valid user addresses.

          > @... @...

          I don't recall whether "%d" works with "@domain" input keys. I
          would have guessed it does, but perhaps I overlooked something.
          You really should not do this. Instead take the high road:

          query_filter = mailDeliveryAddress=%s
          result = mail

          Wildcard rewrites break recipient validation.

          --
          Viktor.
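To make the two approaches in messages 1 and 3 concrete, here is an added example (not code from the thread and not Postfix's own code): a small simulator of how a Postfix ldap_table(5) lookup expands `query_filter` and `result_format`, run against an in-memory stand-in for the directory described above. The expansion rules are taken from ldap_table(5) as the author of this example understands them; the directory entries are constructed, and the per-user table uses the `mailAlternateAddress` attribute name that the thread settles on later (message 10).

```python
"""Added example, not Postfix code: simulate ldap_table(5) key expansion and
lookups against a constructed stand-in for the directory in this thread."""
import re

# Constructed directory: the ou entry from message 1 plus a user entry carrying
# the attributes from draft-lachman-ldap-mail-routing.
DIRECTORY = [
    {"dn": "ou=domainA.org,ou=hosted,dc=example,dc=org",
     "ou": ["domainA.org"],
     "description": ["@domainB.org"]},          # the "abused" attribute
    {"dn": "uid=test@domainA.org,ou=people,ou=domainA.org,ou=hosted,dc=example,dc=org",
     "uid": ["test@domainA.org"],
     "mail": ["test@domainB.org"],                                   # primary
     "mailAlternateAddress": ["test@domainA.org", "test@domainB.org"],
     "mailRoutingAddress": ["shared-box@mailstore.example.org"]},    # delivery
]

def ldap_quote(value):
    """RFC 2254/4515 escaping of filter metacharacters (applied to %s/%u/%d)."""
    return re.sub(r"[*()\\\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def split_address(addr):
    """(local, domain) for user@domain; (addr, None) when there is no '@'."""
    if "@" in addr:
        local, domain = addr.rsplit("@", 1)
        return local, domain
    return addr, None

def _expand(template, subs):
    """Replace %X from subs; a None substitution suppresses the whole string."""
    suppressed = False
    def repl(match):
        nonlocal suppressed
        value = subs[match.group(1)]          # KeyError for an unsupported %X
        if value is None:
            suppressed = True
            return ""
        return value
    result = re.sub(r"%(.)", repl, template)
    return None if suppressed else result

def expand_query_filter(template, key):
    """%s = whole key, %u = local part (or whole key), %d = domain part; a key
    without a domain suppresses a query that uses %d (ldap_table(5))."""
    local, domain = split_address(key)
    return _expand(template, {"s": ldap_quote(key), "u": ldap_quote(local),
                              "d": None if domain is None else ldap_quote(domain),
                              "%": "%"})

def expand_result_format(template, key, value):
    """%s/%u/%d come from the attribute value, %S/%U/%D from the input key."""
    vlocal, vdomain = split_address(value)
    klocal, kdomain = split_address(key)
    return _expand(template, {"s": value, "u": vlocal, "d": vdomain,
                              "S": key, "U": klocal, "D": kdomain, "%": "%"})

def search(base, scope, filt):
    """Minimal search: one 'attr=value' equality filter, exact string match
    (no unescaping; the sample data contains no filter metacharacters)."""
    attr, _, want = filt.partition("=")
    hits = []
    for entry in DIRECTORY:
        dn = entry["dn"]
        if not dn.endswith("," + base):
            continue
        depth = dn[: -len(base) - 1].count(",") + 1   # RDNs below the base
        if scope == "one" and depth != 1:
            continue
        if want in entry.get(attr, []):
            hits.append(entry)
    return hits

class LdapTable:
    """The subset of ldap_table(5) parameters used in the thread."""
    def __init__(self, search_base, scope, query_filter, result_attribute,
                 result_format="%s"):
        self.search_base, self.scope = search_base, scope
        self.query_filter, self.result_attribute = query_filter, result_attribute
        self.result_format = result_format

    def lookup(self, key):
        filt = expand_query_filter(self.query_filter, key)
        if filt is None:
            return []
        results = []
        for entry in search(self.search_base, self.scope, filt):
            for value in entry.get(self.result_attribute, []):
                out = expand_result_format(self.result_format, key, value)
                if out is not None:
                    results.append(out)
        return results

# Message 1: ou=%d with the ou's "description" value as the result.
THREAD_TABLE = LdapTable("ou=hosted,dc=example,dc=org", "one",
                         "ou=%d", "description", "%s")
# Per-user lookup: the address is the key, the user's primary address the result.
PER_USER_TABLE = LdapTable("ou=hosted,dc=example,dc=org", "sub",
                           "mailAlternateAddress=%s", "mail")

def demo():
    """The wildcard table answers with the raw attribute value (as postmap -q
    showed); the per-user table answers only for addresses that exist."""
    return {"wildcard": THREAD_TABLE.lookup("test@domainA.org"),
            "per_user": PER_USER_TABLE.lookup("test@domainA.org"),
            "unknown": PER_USER_TABLE.lookup("nobody@domainA.org")}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The `unknown` case is the recipient-validation point: a per-user table returns nothing for a local part that is not in the directory, whereas a domain-wide rewrite produces an output for any local part. Note that `postmap -q` does a single literal lookup with the key you give it; the canonical(5) search order (full address first, bare `@domain` last) is applied by the mail system, which is why the hash table in message 4 answers only the `@domain` key.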
        • Patrick Lists
          Message 4 of 18, Mar 17, 2013
            Hi Fernando,

            On 03/16/2013 07:43 PM, Fernando Maior wrote:
            > Hi Patrick,
            >
            > If you use the hash table, and issue the postmap command, what is the
            > output?

            Here is the output:

            $ cat /etc/postfix/canonical
            @... @...

            $ postmap -q test@... hash:/etc/postfix/canonical
            <nothing>

            $ postmap -q @... hash:/etc/postfix/canonical
            @...


            Regards,
            Patrick
          • Patrick Lists
            Message 5 of 18, Mar 17, 2013
              Hi Victor,

              On 03/16/2013 11:25 PM, Viktor Dukhovni wrote:
              [snip]
              > I've always avoided wildcard rewrites with LDAP, do the rewrite
              > only with actual valid user addresses.

              Ok.

              >> @... @...
              >
              > I don't recall whether "%d" works with "@domain" input keys. I
              > would have guessed it does, but perhaps I overlooked something.
              > You really should not do this. Instead take the high road:
              >
              > query_filter = mailDeliveryAddress=%s
              > result = mail

              Will try that.

              > Wildcard rewrites break recipient validation.

              Good to know. Thank you for your feedback.

              Regards,
              Patrick
            • Viktor Dukhovni
              Message 6 of 18, Mar 17, 2013
                On Sun, Mar 17, 2013 at 11:31:31AM +0100, Patrick Lists wrote:

                > Hi Victor,
                >
                > On 03/16/2013 11:25 PM, Viktor Dukhovni wrote:
                > [snip]
                > >I've always avoided wildcard rewrites with LDAP, do the rewrite
                > >only with actual valid user addresses.
                >
                > Ok.
                >
                > >>@... @...
                > >
                > >I don't recall whether "%d" works with "@domain" input keys. I
                > >would have guessed it does, but perhaps I overlooked something.
                > >You really should not do this. Instead take the high road:
                > >
                > > query_filter = mailDeliveryAddress=%s
                > > result = mail
                >
                > Will try that.

                Keep in mind that there are many different LDAP email schemas and
                yours may keep the additional email addresses of each user in a
                differently named attribute. The "mailDeliveryAddress" attribute
                is taken from one popular schema (assuming I remembered the attribute
                name correctly).

                --
                Viktor.
              • Patrick Lists
                Message 7 of 18, Mar 17, 2013
                  Hi Victor,

                  On 03/17/2013 07:38 PM, Viktor Dukhovni wrote:
                  [snip]
                  >>> You really should not do this. Instead take the high road:
                  >>>
                  >>> query_filter = mailDeliveryAddress=%s
                  >>> result = mail
                  >>
                  >> Will try that.
                  >
                  > Keep in mind that there are many different LDAP email schemas and
                  > yours may keep the additional email addresses of each user in a
                  > differently named attribute. The "mailDeliveryAddress" attribute
                  > is taken from one popular schema (assuming I remembered the attribute
                  > name correctly).

                  Figured that out when I could not find the "mailDeliveryAddress"
                  attribute in the schemas present in my OpenLDAP config:

                  include: file:///etc/openldap/schema/core.ldif
                  include: file:///etc/openldap/schema/corba.ldif
                  include: file:///etc/openldap/schema/cosine.ldif
                  include: file:///etc/openldap/schema/duaconf.ldif
                  include: file:///etc/openldap/schema/dyngroup.ldif
                  include: file:///etc/openldap/schema/inetorgperson.ldif
                  include: file:///etc/openldap/schema/java.ldif
                  include: file:///etc/openldap/schema/mozillaabpersonalpha.ldif
                  include: file:///etc/openldap/schema/nis.ldif
                  include: file:///etc/openldap/schema/openldap.ldif
                  include: file:///etc/openldap/schema/postfix.ldif
                  include: file:///etc/openldap/schema/ppolicy.ldif
                  include: file:///etc/openldap/schema/collective.ldif

                  Googling around I found a small postfix.schema and used the "maildrop"
                  attribute which works fine using this /etc/postfix/ldap-canonical.cf:

                  server_host = ldapi://%2Fvar%2Frun%2Fldapi
                  bind = yes
                  bind_dn = cn=Manager,dc=example,dc=org
                  bind_pw = 1234
                  search_base = ou=hosted,dc=example,dc=org
                  version = 3
                  scope=sub
                  query_filter = mail=%s
                  result_attribute = maildrop


                  Thanks again for your help.

                  Regards,
                  Patrick
                • Viktor Dukhovni
                  Message 8 of 18, Mar 17, 2013
                    On Sun, Mar 17, 2013 at 11:12:00PM +0100, Patrick Lists wrote:

                    > Hi Victor,
                    >
                    > On 03/17/2013 07:38 PM, Viktor Dukhovni wrote:
                    > >
                    > >Keep in mind that there are many different LDAP email schemas and
                    > >yours may keep the additional email addresses of each user in a
                    > >differently named attribute. The "mailDeliveryAddress" attribute
                    > >is taken from one popular schema (assuming I remembered the attribute
                    > >name correctly).
                    >
                    > Figured that out when I could not find the "mailDeliveryAddress"
                    > attribute in the schemas present in my OpenLDAP config:
                    >
                    > Googling around I found a small postfix.schema and used the
                    > "maildrop" attribute which works fine using this

                    This may not be the right choice. The schema that uses "maildrop"
                    IIRC typically uses:

                    mail: primary address
                    mailalternateaddress: secondary addresses (may include primary)
                    maildrop: delivery mailbox

                    It is generally wrong to rewrite "maildrop" to mail, because maildrop
                    is not "another" address for the same user; it is rather where their
                    mail is rerouted to, and may be shared by multiple users (often system
                    accounts ...).

                    How do you manage users who have multiple email addresses? You should
                    avoid domain to domain rewrites, and for each user list all the
                    valid addresses. Read:

                    http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03

                    where "maildrop" is called "mailRoutingAddress".

                    > /etc/postfix/ldap-canonical.cf:
                    >
                    > server_host = ldapi://%2Fvar%2Frun%2Fldapi
                    > bind = yes
                    > bind_dn = cn=Manager,dc=example,dc=org
                    > bind_pw = 1234
                    > search_base = ou=hosted,dc=example,dc=org
                    > version = 3
                    > scope=sub
                    > query_filter = mail=%s
                    > result_attribute = maildrop
                    >
                    > Thanks again for your help.

                    The canonical mapping has to match the actual process for managing
                    your user addresses. Use the right attributes and define their
                    semantics clearly.

                    --
                    Viktor.
                  • Patrick Lists
                    Message 9 of 18, Mar 17, 2013
                      On 03/17/2013 11:48 PM, Viktor Dukhovni wrote:
                      [snip]
                      >> Googling around I found a small postfix.schema and used the
                      >> "maildrop" attribute which works fine using this
                      >
                      > This may not be the right choice. The schema that uses "maildrop"
                      > IIRC typically uses:
                      >
                      > mail: primary address
                      > mailalternateaddress: secondary addresses (may include primary)
                      > maildrop: delivery mailbox
                      >
                      > It is generally wrong to rewrite "maildrop" to mail, because maildrop
                      > is not "another" address for the same user, it is rather where their
                      > mail is rerouted to, may be shared for multiple users (often system
                      > accounts ...).

                      Got it.

                      > How do you manage users who have multiple email addresses? You should
                      > avoid domain to domain rewrites, and for each user list all the
                      > valid addresses. Read:
                      >
                      > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
                      >
                      > where "maildrop" is called "mailRoutingAddress".

                      Thanks. Just read it and I switched to mailRoutingAddress.

                      >> /etc/postfix/ldap-canonical.cf:
                      >>
                      >> server_host = ldapi://%2Fvar%2Frun%2Fldapi
                      >> bind = yes
                      >> bind_dn = cn=Manager,dc=example,dc=org
                      >> bind_pw = 1234
                      >> search_base = ou=hosted,dc=example,dc=org
                      >> version = 3
                      >> scope=sub
                      >> query_filter = mail=%s
                      >> result_attribute = maildrop
                      >>
                      >> Thanks again for your help.
                      >
                      > The canonical mapping has to match the actual process for managing
                      > your user addresses. Use the right attributes and define their
                      > semantics clearly.

                      Having read that draft it's clear now that I shouldn't be abusing
                      attributes for a purpose for which they are not intended.

                      Thanks again,
                      Patrick
                    • Viktor Dukhovni
                      Message 10 of 18, Mar 17, 2013
                        On Mon, Mar 18, 2013 at 02:34:05AM +0100, Patrick Lists wrote:

                        > >How do you manage users who have multiple email addresses? You should
                        > >avoid domain to domain rewrites, and for each user list all the
                        > >valid addresses. Read:
                        > >
                        > > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
                        > >
                        > >where "maildrop" is called "mailRoutingAddress".
                        >
                        > Thanks. Just read it and I switched to mailRoutingAddress.

                        But this is still the delivery address attribute, not the additional
                        address attribute, that is "mailAlternateAddress" in the draft.

                        What matters to Postfix is not what name or OID you use, but what
                        data you populate the attributes with. You SHOULD populate the
                        attributes with data that matches the attribute's published semantics,
                        but this only matters if you use tools that assign fixed meanings
                        to the attributes. Postfix does not care which attribute is which;
                        it just does the lookups you configure.

                        > >The canonical mapping has to match the actual process for managing
                        > >your user addresses. Use the right attributes and define their
                        > >semantics clearly.
                        >
                        > Having read that draft it's clear now that I shouldn't be abusing
                        > attributes for a purpose for which they are not intended.

                        Except you are still trying to rewrite the mailbox delivery address
                        back to a unique user, but mailbox delivery addresses are not in
                        1-to-1 correspondence with users. The addresses that really do
                        uniquely belong to the user should be in mailAlternateAddress,
                        which is also known as mailLocalAddress in some documents.

                        This is my last post on the subject, perhaps someone else can
                        help if you're still confused.

                        --
                        Viktor.
                      • Fernando Maior
                        Message 11 of 18, Mar 19, 2013
                          Hello,

                          All this seems to be something very different from what Postfix and other SMTP servers usually do. So, maybe the problem is with the concept, not with the implementation.

                          May I ask you why you need to change the domain name part of the mail delivery address? Can you provide us with information on your mail accepting and delivery needs? 

                          Maybe if you look from a different direction, you can see a different - and more appropriate - solution.

                          Thanks!!

                          Atenciosamente,
                          ---
                          Fernando Maciel Souto Maior
                          Projetos e Soluções de Tecnologia
                          (31) 9669-5768 Claro
                          (31) 9226-9440 TIM


                          On Sun, Mar 17, 2013 at 10:54 PM, Viktor Dukhovni <postfix-users@...> wrote:
                          On Mon, Mar 18, 2013 at 02:34:05AM +0100, Patrick Lists wrote:

                          > >How do you manage users who have multiple email addresses? You should
                          > >avoid domain to domain rewrites, and for each user list all the
                          > >valid addresses.  Read:
                          > >
                          > >     http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
                          > >
                          > >where "maildrop" is called "mailRoutingAddress".
                          >
                          > Thanks. Just read it and I switched to mailRoutingAddress.

                          But this is still the delivery address attribute, not the additional
                          address attribute, that is "mailAlternateAddress" in the draft.

                          What matters to Postfix is not what name or OID you use, but what
                          data you populate the attributes with.  You SHOULD populate the
                          attributes with data that matches the attribute's published semantics,
                          but this only matters if you use tools that assign fixed meanings
                          to the attributes.  Postfix does not care which attribute is which;
                          it just does the lookups you configure.

                          > >The canonical mapping has to match the actual process for managing
                          > >your user addresses. Use the right attributes and define their
                          > >semantics clearly.
                          >
                          > Having read that draft it's clear now that I shouldn't be abusing
                          > attributes for a purpose for which they are not intended.

                          Except you are still trying to rewrite the mailbox delivery address
                          back to a unique user, but mailbox delivery addresses are not in
                          1-to-1 correspondence with users. The addresses that really do
                          uniquely belong to the user should be in mailAlternateAddress,
                          which is also known as mailLocalAddress in some documents.

                          This is my last post on the subject, perhaps someone else can
                          help if you're still confused.

                          --
                          Viktor.

                        • Patrick Lists
                          Message 12 of 18, Mar 19, 2013
                            Hi Fernando,

                            On 03/19/2013 01:02 PM, Fernando Maior wrote:
                            > Hello,
                            >
                            > All this seems to be something very different from what Postfix and
                            > other SMTP servers usually do. So, maybe the problem is with the concept,
                            > not with the implementation.
                            >
                            > May I ask you why you need to change the domain name part of the mail
                            > delivery address? Can you provide us with information on your mail
                            > accepting and delivery needs?
                            >
                            > Maybe if you look from a different direction, you can see a different -
                            > and more appropriate - solution.

                            I don't think I'm doing something out of the ordinary but that's just me
                            :-) Here it goes:

                            I use unique email addresses (aliases) for every website I register or
                            where I order something. Right now I have close to 300 aliases using
                            several different domains (private & business). On my current ancient
                            CentOS5 mailserver Postfix handles those domains and the aliases. So all
                            mail is processed by postfix and then delivered to dovecot. The new
                            mailserver will use Postfix plus some groupware software and the concept
                            is taken from http://www.postfix.org/VIRTUAL_README.html: Non-Postfix
                            mailbox store: separate domains, non-UNIX accounts.

                            So I'm using virtual_mailbox_domains, virtual_mailbox_maps,
                            virtual_alias_maps, virtual_transport and canonical_maps and the
                            accounts are stored in OpenLDAP.

                            Examples of how email addresses are handled:

                            amazon@... is delivered to myaccount@... because
                            amazon@... is an alias of myaccount@....

                            biz@... is rewritten to biz@... because it's in
                            canonical_maps and then delivered to myaccount@... because
                            biz@... is an alias of myaccount@....

                            The second example is the reason why I asked about canonical_maps with
                            LDAP that would do @... -> @....

                            In my new test setup this all works fine although I don't doubt that
                            Victor could find something odd in my setup that requires me to read
                            many more RFCs to get a clue :-)

                            Hope this makes sense.

                            Regards,
                            Patrick
                          • Viktor Dukhovni
                            Message 13 of 18, Mar 19, 2013
                              On Tue, Mar 19, 2013 at 09:02:51AM -0300, Fernando Maior wrote:

                              > All this seems to be something very different from what postfix and other
                              > smtp usually does. So, may be the problem is with the concept, not with the
                              > implementation.
                              >
                              > May I ask you why you need to change the domain name part of the mail
                              > delivery address? Can you provide us with information on your mail
                              > accepting and delivery needs?

                              Nothing unusual at all about canonical mapping; the only anomaly
                              I'm making a fuss about is the underlying data model. It is OK to
                              turn secondary addresses into primary; it is generally risky to
                              try to turn target (delivery) addresses back into original addresses,
                              since the mapping is often not one-to-one (and the need to introduce
                              many-to-one may arise later).

                              --
                              Viktor.
                            • Patrick Lists
                              Message 14 of 18, Mar 19, 2013
                                Hi Viktor,

                                My apologies for getting your name wrong on the previous email.

                                On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                                > Nothing unusual at all about canonical mapping, the only anomaly
                                > I'm making a fuss about is the underlying data model. It is OK to
                                > turn secondary addresses into primary, it is generally risky to
                                > try to turn target (delivery) addresses back into original addresses,
                                > since the mapping is often not one-to-one (and the need to introduce
                                > many-to-one may arise later).

                                Thanks, I'll think this over more as I try to wrap my head around this.
                                When I stray into this issue I'll make sure to reread your much
                                appreciated advice. And probably a few more RFCs.

                                Initially I thought adding LDAP was a fun idea. Given the archaic nature
                                and complexity of this beast I'm not so sure anymore. I'm beginning to
                                understand why I've heard sysadmins say that Microsoft has done a nice
                                job with AD of hiding the complexity and making it work. But this is
                                getting OT so I'll leave it at that.

                                Thanks again for your advice.

                                Regards,
                                Patrick
                              • Viktor Dukhovni
                                Message 15 of 18, Mar 19, 2013
                                  On Tue, Mar 19, 2013 at 08:00:51PM +0100, Patrick Lists wrote:

                                  > On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                                  > >Nothing unusual at all about canonical mapping, the only anomaly
                                  > >I'm making a fuss about is the underlying data model. It is OK to
                                  > >turn secondary addresses into primary, it is generally risky to
                                  > >try to turn target (delivery) addresses back into original addresses,
                                  > >since the mapping is often not one-to-one (and the need to introduce
                                  > >many-to-one may arise later).
                                  >
                                  > Thanks, I'll think this over more as I try to wrap my head around
                                  > this. When I stray into this issue I'll make sure to reread your
                                  > much appreciated advice. And probably a few more RFCs.
                                  >
                                  > Initially I thought adding LDAP was a fun idea. Given the archaic
                                  > nature and complexity of this beast I'm not so sure anymore. I'm
                                  > beginning to understand why I've heard sysadmins say that Microsoft
                                  > has done a nice job with AD of hiding the complexity and making it
                                  > work. But this is getting OT so I'll leave it at that.

                                  Just in terms of data models and Microsoft, the corresponding pieces
                                  in that case are:

                                  mail: primary@...
                                  proxyAddresses: smtp:primary@...
                                  proxyAddresses: smtp:secondary@...
                                  proxyAddresses: ...
                                  <some-mailbox-attribute>: mailbox

                                  so it would be reasonable to use "proxyAddresses=smtp:%s" as the
                                  lookup key for a canonical mapping with "mail" as the result, but
                                  not reasonable to map the <some-mailbox-attribute> back to mail.

                                  Don't think LDAP, think data-model, and then map that onto LDAP,
                                  if you're not too discouraged.

                                  --
                                  Viktor.
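The secondary-to-primary lookup Viktor describes, written out as a Postfix ldap_table file. This is an added example, not a file from the thread; the server name, bind DN, search base, CA path and domain list are placeholders, and the main.cf lines it refers to are the ones from the original post.

```ini
# /etc/postfix/ldap-canonical.cf  (added example; hostnames, DNs and paths are placeholders)
#
# Direction of the mapping, as recommended in the thread: look the incoming
# address up among the proxyAddresses values and return the single "mail"
# (primary) attribute.  The reverse, mapping a mailbox/delivery attribute back
# to "mail", is what the thread warns against because it is rarely one-to-one.
server_host = ldaps://directory.example.org
bind = yes
bind_dn = cn=postfix-lookup,ou=service,dc=example,dc=org
bind_pw = <scrubbed>
search_base = ou=people,dc=example,dc=org
version = 3
scope = sub

# Verify the directory's certificate instead of trusting any ldaps:// peer.
tls_require_cert = yes
tls_ca_cert_file = /etc/ssl/certs/ca-bundle.crt

# Only consult the directory for domains this server hosts; addresses in other
# domains are passed through unchanged without an LDAP round trip.
domain = example.org, example.net

# %s is the complete address.  Postfix escapes LDAP filter metacharacters
# (such as * ( ) \) in the %s/%u/%d expansions, so a crafted recipient address
# cannot change the meaning of the filter.
query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail
result_format = %s

# main.cf, as in the original post:
#   canonical_maps    = proxy:ldap:/etc/postfix/ldap-canonical.cf
#   canonical_classes = envelope_recipient
```

Check a single address with `postmap -q secondary@example.org ldap:/etc/postfix/ldap-canonical.cf` before enabling the map. Because the file carries bind_pw, keep it readable only by root and the postfix group and reach it through the proxy: prefix so unprivileged daemons do not open it directly.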
                                • Fernando Maior
                                  Message 16 of 18, Mar 20, 2013
                                    Patrick,

                                    I do not use canonical maps at all when using LDAP. I do not need it, because I just use mailForwardingAddress (actually an alias) to map the incoming email to the real mailbox.

                                     What I do:
                                     1. Use the qmail.schema in OpenLDAP
                                     2. Add objectClass: qmailUser to each user account
                                     3. Edit mailForwardingAddress when appropriate
                                     4. Create a file in /etc/postfix/ldap/ named forwarding
                                     5. Change /etc/postfix/main.cf to map aliases to the forwarding file

                                     In order to make changes to LDAP, you may use something like ldapadmin (ldapadmin.org) and put the difficulties of managing LDAP entries behind you.

                                    You may create an account with mail attribute as biz@... and mailForwardingAddress attribute as myaccount@.... 

                                     That configuration is only enough for receiving e-mail, not for sending e-mail.

                                     Maybe this can help you.

                                    Best regards,
                                    ---
                                    Fernando Maciel Souto Maior
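Fernando's steps 4 and 5, written out as a Postfix ldap_table file. This is an added example, not Fernando's own file; the attribute and objectClass names are the ones from qmail.schema that his message names, the DNs are placeholders, and wiring it up as virtual_alias_maps is an assumption about what "map aliases" means here.

```ini
# /etc/postfix/ldap/forwarding  (added example; DNs are placeholders)
#
# Step 4: one lookup table that turns the published address ("mail") into the
# real delivery address ("mailForwardingAddress") of a qmailUser entry.
server_host = ldapi://%2Fvar%2Frun%2Fldapi
bind = yes
bind_dn = cn=postfix-lookup,dc=example,dc=org
bind_pw = <scrubbed>
search_base = ou=people,dc=example,dc=org
version = 3
scope = sub

# Match only entries that carry the qmailUser objectClass (step 2), so an
# unrelated entry that merely has a "mail" attribute cannot redirect delivery.
# %s is the full incoming address; Postfix escapes filter metacharacters in it.
query_filter = (&(objectClass=qmailUser)(mail=%s))
result_attribute = mailForwardingAddress
result_format = %s

# Step 5, in main.cf (assumed: virtual_alias_maps, since the keys are complete
# addresses rather than local-part-only aliases):
#   virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/forwarding
```

Verify with `postmap -q biz@example.org ldap:/etc/postfix/ldap/forwarding`; a missing result means the entry lacks the qmailUser objectClass or a mailForwardingAddress value (step 3).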

                                  • Patrick Lists
                                    Message 17 of 18, Mar 20, 2013
                                      Hi Fernando,

                                      On 03/20/2013 05:40 PM, Fernando Maior wrote:
                                      > Patrick,
                                      >
                                      > I do not use canonical maps at all when using LDAP. I do not need it,
                                      > because I just use mailForwardingAddress (actually an alias) to map the
                                      > incoming email to the real mailbox.
                                      >
                                      > What I do:
                                      >
                                      > 1. Use the qmail.schema in OpenLDAP
                                      > 2. Add objectClass: qmailUser to each user account
                                      > 3. Edit mailForwardingAddress when appropriate
                                      > 4. Create a file on /etc/postfix/ldap/ named forwarding
                                       > 5. Change /etc/postfix/main.cf to map aliases to the
                                       > forwarding file

                                      Thanks for the tip. I had seen the qmail.schema but had not really
                                      looked into it. Added to the TODO list.

                                       > In order to make changes to LDAP, you may use something like ldapadmin
                                       > (ldapadmin.org) and put the difficulties to
                                       > manage LDAP entries behind you.

                                       It's Windows-only and I don't have anything with Windows on it. Instead
                                       I use Apache Directory Studio. It works quite well on Linux.

                                      > You may create an account with mail attribute as biz@... and
                                      > mailForwardingAddress attribute as myaccount@....
                                      >
                                      > That configuration is only enough for receiving e-mail, not to sending
                                      > e-mail.
                                      >
                                      > May be this can help you.

                                      It did. Thank you for your feedback.

                                      Regards,
                                      Patrick
                                    • Fernando Maior
                                      Message 18 of 18, Mar 20, 2013
                                        Patrick,

                                        You may want to give JXplorer a try. It is Java-based and runs nicely. Also, you can change the forms it uses, customizing them to your needs.

                                        Best regards.
                                        ---
                                        Fernando Maciel Souto Maior
