
Re: LDAP canonical_maps and domain rewriting

  • Patrick Lists
    Message 1 of 18 , Mar 17, 2013
      Hi Victor,

      On 03/16/2013 11:25 PM, Viktor Dukhovni wrote:
      [snip]
      > I've always avoided wildcard rewrites with LDAP, do the rewrite
      > only with actual valid user addresses.

      Ok.

      >> @... @...
      >
      > I don't recall whether "%d" works with "@domain" input keys. I
      > would have guessed it does, but perhaps I overlooked something.
      > You really should not do this. Instead take the high road:
      >
      > query_filter = mailDeliveryAddress=%s
      > result = mail

      Will try that.

      > Wildcard rewrites break recipient validation.

      Good to know. Thank you for your feedback.

      Regards,
      Patrick
    • Viktor Dukhovni
      Message 2 of 18 , Mar 17, 2013
        On Sun, Mar 17, 2013 at 11:31:31AM +0100, Patrick Lists wrote:

        > Hi Victor,
        >
        > On 03/16/2013 11:25 PM, Viktor Dukhovni wrote:
        > [snip]
        > >I've always avoided wildcard rewrites with LDAP, do the rewrite
        > >only with actual valid user addresses.
        >
        > Ok.
        >
        > >>@... @...
        > >
        > >I don't recall whether "%d" works with "@domain" input keys. I
        > >would have guessed it does, but perhaps I overlooked something.
        > >You really should not do this. Instead take the high road:
        > >
        > > query_filter = mailDeliveryAddress=%s
        > > result = mail
        >
        > Will try that.

        Keep in mind that there are many different LDAP email schemas and
        yours may keep the additional email addresses of each user in a
        differently named attribute. The "mailDeliveryAddress" attribute
        is taken from one popular schema (assuming I remembered the attribute
        name correctly).

        --
        Viktor.
      • Patrick Lists
        Message 3 of 18 , Mar 17, 2013
          Hi Victor,

          On 03/17/2013 07:38 PM, Viktor Dukhovni wrote:
          [snip]
          >>> You really should not do this. Instead take the high road:
          >>>
          >>> query_filter = mailDeliveryAddress=%s
          >>> result = mail
          >>
          >> Will try that.
          >
          > Keep in mind that there are many different LDAP email schemas and
          > yours may keep the additional email addresses of each user in a
          > differently named attribute. The "mailDeliveryAddress" attribute
          > is taken from one popular schema (assuming I remembered the attribute
          > name correctly).

          Figured that out when I could not find the "mailDeliveryAddress"
          attribute in the schemas present in my OpenLDAP config:

          include: file:///etc/openldap/schema/core.ldif
          include: file:///etc/openldap/schema/corba.ldif
          include: file:///etc/openldap/schema/cosine.ldif
          include: file:///etc/openldap/schema/duaconf.ldif
          include: file:///etc/openldap/schema/dyngroup.ldif
          include: file:///etc/openldap/schema/inetorgperson.ldif
          include: file:///etc/openldap/schema/java.ldif
          include: file:///etc/openldap/schema/mozillaabpersonalpha.ldif
          include: file:///etc/openldap/schema/nis.ldif
          include: file:///etc/openldap/schema/openldap.ldif
          include: file:///etc/openldap/schema/postfix.ldif
          include: file:///etc/openldap/schema/ppolicy.ldif
          include: file:///etc/openldap/schema/collective.ldif

          Googling around I found a small postfix.schema and used the "maildrop"
          attribute which works fine using this /etc/postfix/ldap-canonical.cf:

          server_host = ldapi://%2Fvar%2Frun%2Fldapi
          bind = yes
          bind_dn = cn=Manager,dc=example,dc=org
          bind_pw = 1234
          search_base = ou=hosted,dc=example,dc=org
          version = 3
          scope=sub
          query_filter = mail=%s
          result_attribute = maildrop


          Thanks again for your help.

          Regards,
          Patrick
        • Viktor Dukhovni
          Message 4 of 18 , Mar 17, 2013
            On Sun, Mar 17, 2013 at 11:12:00PM +0100, Patrick Lists wrote:

            > Hi Victor,
            >
            > On 03/17/2013 07:38 PM, Viktor Dukhovni wrote:
            > >
            > >Keep in mind that there are many different LDAP email schemas and
            > >yours may keep the additional email addresses of each user in a
            > >differently named attribute. The "mailDeliveryAddress" attribute
            > >is taken from one popular schema (assuming I remembered the attribute
            > >name correctly).
            >
            > Figured that out when I could not find the "mailDeliveryAddress"
            > attribute in the schemas present in my OpenLDAP config:
            >
            > Googling around I found a small postfix.schema and used the
            > "maildrop" attribute which works fine using this

            This may not be the right choice. The schema that uses "maildrop"
            IIRC typically uses:

            mail: primary address
            mailalternateaddress: secondary addresses (may include primary)
            maildrop: delivery mailbox

            It is generally wrong to rewrite "maildrop" to mail, because maildrop
            is not "another" address for the same user, it is rather where their
            mail is rerouted to, may be shared for multiple users (often system
            accounts ...).

            How do you manage users who have multiple email addresses? You should
            avoid domain to domain rewrites, and for each user list all the
            valid addresses. Read:

            http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03

            where "maildrop" is called "mailRoutingAddress".

            > /etc/postfix/ldap-canonical.cf:
            >
            > server_host = ldapi://%2Fvar%2Frun%2Fldapi
            > bind = yes
            > bind_dn = cn=Manager,dc=example,dc=org
            > bind_pw = 1234
            > search_base = ou=hosted,dc=example,dc=org
            > version = 3
            > scope=sub
            > query_filter = mail=%s
            > result_attribute = maildrop
            >
            > Thanks again for your help.

            The canonical mapping has to match the actual process for managing
            your user addresses. Use the right attributes and define their
            semantics clearly.

            --
            Viktor.
          • Patrick Lists
            Message 5 of 18 , Mar 17, 2013
              On 03/17/2013 11:48 PM, Viktor Dukhovni wrote:
              [snip]
              >> Googling around I found a small postfix.schema and used the
              >> "maildrop" attribute which works fine using this
              >
              > This may not be the right choice. The schema that uses "maildrop"
              > IIRC typically uses:
              >
              > mail: primary address
              > mailalternateaddress: secondary addresses (may include primary)
              > maildrop: delivery mailbox
              >
              > It is generally wrong to rewrite "maildrop" to mail, because maildrop
              > is not "another" address for the same user, it is rather where their
              > mail is rerouted to, may be shared for multiple users (often system
              > accounts ...).

              Got it.

              > How do you manage users who have multiple email addresses? You should
              > avoid domain to domain rewrites, and for each user list all the
              > valid addresses. Read:
              >
              > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
              >
              > where "maildrop" is called "mailRoutingAddress".

              Thanks. Just read it and I switched to mailRoutingAddress.

              >> /etc/postfix/ldap-canonical.cf:
              >>
              >> server_host = ldapi://%2Fvar%2Frun%2Fldapi
              >> bind = yes
              >> bind_dn = cn=Manager,dc=example,dc=org
              >> bind_pw = 1234
              >> search_base = ou=hosted,dc=example,dc=org
              >> version = 3
              >> scope=sub
              >> query_filter = mail=%s
              >> result_attribute = maildrop
              >>
              >> Thanks again for your help.
              >
              > The canonical mapping has to match the actual process for managing
              > your user addresses. Use the right attributes and define their
              > semantics clearly.

              Having read that draft it's clear now that I shouldn't be abusing
              attributes for a purpose for which they are not intended.

              Thanks again,
              Patrick
            • Viktor Dukhovni
              Message 6 of 18 , Mar 17, 2013
                On Mon, Mar 18, 2013 at 02:34:05AM +0100, Patrick Lists wrote:

                > >How do you manage users who have multiple email addresses? You should
                > >avoid domain to domain rewrites, and for each user list all the
                > >valid addresses. Read:
                > >
                > > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
                > >
                > >where "maildrop" is called "mailRoutingAddress".
                >
                > Thanks. Just read it and I switched to mailRoutingAddress.

                But this is still the delivery address attribute, not the additional
                address attribute, that is "mailAlternateAddress" in the draft.

                What matters to Postfix is not what name or OID you use, but what
                data you populate the attributes with. You SHOULD populate the
                attributes with data that matches the attribute's published semantics,
                but this only matters if you use tools that assign fixed meanings
                to the attributes. Postfix does not care which attribute is which
                it just does the lookups you configure.

                > >The canonical mapping has to match the actual process for managing
                > >your user addresses. Use the right attributes and define their
                > >semantics clearly.
                >
                > Having read that draft it's clear now that I shouldn't be abusing
                > attributes for a purpose for which they are not intended.

                Except you are still trying to rewrite the mailbox delivery address
                back to a unique user, but mailbox delivery addresses are not in
                1-to-1 correspondence with users. The addresses that really do
                uniquely belong to the user should be in mailAlternateAddress,
                which is also known as mailLocalAddress in some documents.

                This is my last post on the subject, perhaps someone else can
                help if you're still confused.

                --
                Viktor.
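
Viktor's point about one-to-one mappings, as an added example that is not part of the original thread: a Python sketch that emulates a `query_filter = <attr>=%s` lookup returning `mail` over a constructed LDIF sample, and reports lookup keys that resolve to more than one primary address. The sample entries, the shared delivery mailbox and all function names are assumptions made for illustration.

```python
"""Check which LDAP attribute is a safe lookup key for a canonical mapping."""
from collections import defaultdict

# Constructed sample data (not from the thread). Attribute names follow
# draft-lachman-ldap-mail-routing-03; two users share one delivery mailbox.
SAMPLE_LDIF = """\
dn: uid=alice,ou=hosted,dc=example,dc=org
mail: alice@example.org
mailAlternateAddress: alice@example.net
mailAlternateAddress: a.smith@example.org
mailRoutingAddress: shared-box@store.example.org

dn: uid=bob,ou=hosted,dc=example,dc=org
mail: bob@example.org
mailAlternateAddress: bob@example.net
mailRoutingAddress: shared-box@store.example.org
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'.

    Handles comments and folded lines; base64 ('::') values are not decoded.
    Attribute names are lower-cased because LDAP names are case-insensitive.
    """
    entries, current, last = [], defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(dict(current))
            current, last = defaultdict(list), None
            continue
        if line.startswith(" ") and last:    # folded continuation line
            current[last][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last = attr.strip().lower()
        current[last].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def canonical_lookup(entries, key_attr, address, result_attr="mail"):
    """Emulate 'query_filter = key_attr=%s' with result_attr as the result.

    Returns every distinct result value; a well-defined rewrite has exactly
    one, and an address that belongs to nobody has none.
    """
    key_attr, result_attr = key_attr.lower(), result_attr.lower()
    address = address.lower()
    results = set()
    for entry in entries:
        if address in (v.lower() for v in entry.get(key_attr, [])):
            results.update(v.lower() for v in entry.get(result_attr, []))
    return sorted(results)


def ambiguous_keys(entries, key_attr, result_attr="mail"):
    """Return {lookup key: [results]} for keys that map to several results."""
    keys = {v.lower() for e in entries for v in e.get(key_attr.lower(), [])}
    report = {}
    for key in sorted(keys):
        results = canonical_lookup(entries, key_attr, key, result_attr)
        if len(results) > 1:
            report[key] = results
    return report


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for attr in ("mailAlternateAddress", "mailRoutingAddress"):
        bad = ambiguous_keys(directory, attr)
        status = "one-to-one" if not bad else "AMBIGUOUS"
        print(f"{attr} -> mail: {status}")
        for key, results in bad.items():
            print(f"  {key} resolves to {', '.join(results)}")
```

Run against an export of the real directory, an empty report for the chosen key attribute is the precondition for using it in a canonical map; a per-address lookup also returns nothing for addresses that belong to no user, which is what keeps recipient validation intact.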
              • Fernando Maior
                Message 7 of 18 , Mar 19, 2013
                  Hello,

                  All this seems to be something very different from what postfix and other smtp usually does. So, maybe the problem is with the concept, not with the implementation.

                  May I ask you why you need to change the domain name part of the mail delivery address? Can you provide us with information on your mail accepting and delivery needs?

                  Maybe if you look from a different direction, you can see a different - and more appropriate - solution.

                  Thanks!!

                  Sincerely,
                  ---
                  Fernando Maciel Souto Maior
                  Technology Projects and Solutions
                  (31) 9669-5768 Claro
                  (31) 9226-9440 TIM



                • Patrick Lists
                  Message 8 of 18 , Mar 19, 2013
                    Hi Fernando,

                    On 03/19/2013 01:02 PM, Fernando Maior wrote:
                    > Hello,
                    >
                    > All this seems to be something very different from what postfix and
                    > other smtp usually does. So, maybe the problem is with the concept, not
                    > with the implementation.
                    >
                    > May I ask you why you need to change the domain name part of the mail
                    > delivery address? Can you provide us with information on your mail
                    > accepting and delivery needs?
                    >
                    > Maybe if you look from a different direction, you can see a different -
                    > and more appropriate - solution.

                    I don't think I'm doing something out of the ordinary but that's just me
                    :-) Here it goes:

                    I use unique email addresses (aliases) for every website I register or
                    where I order something. Right now I have close to 300 aliases using
                    several different domains (private & business). On my current ancient
                    CentOS5 mailserver Postfix handles those domains and the aliases. So all
                    mail is processed by postfix and then delivered to dovecot. The new
                    mailserver will use Postfix plus some groupware software and the concept
                    is taken from http://www.postfix.org/VIRTUAL_README.html: Non-Postfix
                    mailbox store: separate domains, non-UNIX accounts.

                    So I'm using virtual_mailbox_domains, virtual_mailbox_maps,
                    virtual_alias_maps, virtual_transport and canonical_maps and the
                    accounts are stored in OpenLDAP.

                    Examples of how email addresses are handled:

                    amazon@... is delivered to myaccount@... because
                    amazon@... is an alias of myaccount@....

                    biz@... is rewritten to biz@... because it's in
                    canonical_maps and then delivered to myaccount@... because
                    biz@... is an alias of myaccount@....

                    The second example is the reason why I asked about canonical_maps with
                    LDAP that would do @... -> @....

                    In my new test setup this all works fine although I don't doubt that
                    Victor could find something odd in my setup that requires me to read
                    many more RFCs to get a clue :-)

                    Hope this makes sense.

                    Regards,
                    Patrick
                  • Viktor Dukhovni
                    Message 9 of 18 , Mar 19, 2013
                      On Tue, Mar 19, 2013 at 09:02:51AM -0300, Fernando Maior wrote:

                      > All this seems to be something very different from what postfix and other
                      > smtp usually does. So, maybe the problem is with the concept, not with the
                      > implementation.
                      >
                      > May I ask you why you need to change the domain name part of the mail
                      > delivery address? Can you provide us with information on your mail
                      > accepting and delivery needs?

                      Nothing unusual at all about canonical mapping, the only anomaly
                      I'm making a fuss about is the underlying data model. It is OK to
                      turn secondary addresses into primary, it is generally risky to
                      try to turn target (delivery) addresses back into original addresses,
                      since the mapping is often not one-to-one (and the need to introduce
                      many-to-one may arise later).

                      --
                      Viktor.
                    • Patrick Lists
                      Message 10 of 18 , Mar 19, 2013
                        Hi Viktor,

                        My apologies for getting your name wrong on the previous email.

                        On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                        > Nothing unusual at all about canonical mapping, the only anomaly
                        > I'm making a fuss about is the underlying data model. It is OK to
                        > turn secondary addresses into primary, it is generally risky to
                        > try to turn target (delivery) addresses back into original addresses,
                        > since the mapping is often not one-to-one (and the need to introduce
                        > many-to-one may arise later).

                        Thanks, I'll think this over more as I try to wrap my head around this.
                        When I stray into this issue I'll make sure to reread your much
                        appreciated advice. And probably a few more RFCs.

                        Initially I thought adding LDAP was a fun idea. Given the archaic nature
                        and complexity of this beast I'm not so sure anymore. I'm beginning to
                        understand why I've heard sysadmins say that Microsoft has done a nice
                        job with AD of hiding the complexity and making it work. But this is
                        getting OT so I'll leave it at that.

                        Thanks again for your advice.

                        Regards,
                        Patrick
                      • Viktor Dukhovni
                        Message 11 of 18 , Mar 19, 2013
                          On Tue, Mar 19, 2013 at 08:00:51PM +0100, Patrick Lists wrote:

                          > On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                          > >Nothing unusual at all about canonical mapping, the only anomaly
                          > >I'm making a fuss about is the underlying data model. It is OK to
                          > >turn secondary addresses into primary, it is generally risky to
                          > >try to turn target (delivery) addresses back into original addresses,
                          > >since the mapping is often not one-to-one (and the need to introduce
                          > >many-to-one may arise later).
                          >
                          > Thanks, I'll think this over more as I try to wrap my head around
                          > this. When I stray into this issue I'll make sure to reread your
                          > much appreciated advice. And probably a few more RFCs.
                          >
                          > Initially I thought adding LDAP was a fun idea. Given the archaic
                          > nature and complexity of this beast I'm not so sure anymore. I'm
                          > beginning to understand why I've heard sysadmins say that Microsoft
                          > has done a nice job with AD of hiding the complexity and making it
                          > work. But this is getting OT so I'll leave it at that.

                          Just in terms of data models and Microsoft, the corresponding pieces
                          in that case are:

                          mail: primary@...
                          proxyAddresses: smtp:primary@...
                          proxyAddresses: smtp:secondary@...
                          proxyAddresses: ...
                          <some-mailbox-attribute>: mailbox

                          so it would be reasonable to use "proxyAddresses=smtp:%s" as the
                          lookup key for a canonical mapping with "mail" as the result, but
                          not reasonable to map the <some-mailbox-attribute> back to mail.

                          Don't think LDAP, think data-model, and then map that onto LDAP,
                          if you're not too discouraged.

                          --
                          Viktor.
                        • Fernando Maior
                          Message 12 of 18 , Mar 20, 2013
                            Patrick,

                            I do not use canonical maps at all when using LDAP. I do not need it, because I just use mailForwardingAddress (actually an alias) to map the incoming email to the real mailbox.

                            What I do:
                            1. Use the qmail.schema in OpenLDAP
                            2. Add objectClass: qmailUser to each user account
                            3. Edit mailForwardingAddress when appropriate
                            4. Create a file on /etc/postfix/ldap/ named forwarding
                            5. Change /etc/postfix/main.cf to map aliases to the forwarding file
                            In order to make changes to LDAP, you may use something like ldapadmin (ldapadmin.org) and put the difficulties to manage LDAP entries behind you.

                            You may create an account with mail attribute as biz@... and mailForwardingAddress attribute as myaccount@.... 

                            That configuration is only enough for receiving e-mail, not for sending e-mail.

                            Maybe this can help you.

                            Best regards,
                            ---
                            Fernando Maciel Souto Maior


                          • Patrick Lists
                            Message 13 of 18 , Mar 20, 2013
                              Hi Fernando,

                              On 03/20/2013 05:40 PM, Fernando Maior wrote:
                              > Patrick,
                              >
                              > I do not use canonical maps at all when using LDAP. I do not need it,
                              > because I just use mailForwardingAddress (actually an alias) to map the
                              > incoming email to the real mailbox.
                              >
                              > What I do:
                              >
                              > 1. Use the qmail.schema in OpenLDAP
                              > 2. Add objectClass: qmailUser to each user account
                              > 3. Edit mailForwardingAddress when appropriate
                              > 4. Create a file on /etc/postfix/ldap/ named forwarding
                              > 5. Change /etc/postfix/main.cf to map aliases to the
                              > forwarding file

                              Thanks for the tip. I had seen the qmail.schema but had not really
                              looked into it. Added to the TODO list.

                              > In order to make changes to LDAP, you may use something like ldapadmin
                              > (ldapadmin.org) and put the difficulties to
                              > manage LDAP entries behind you.

                              It's Windows only and I don't have anything with Windows on it. Instead
                              I use Apache Directory Studio. Works quite well on Linux.

                              > You may create an account with mail attribute as biz@... and
                              > mailForwardingAddress attribute as myaccount@....
                              >
                              > That configuration is only enough for receiving e-mail, not for sending
                              > e-mail.
                              >
                              > Maybe this can help you.

                              It did. Thank you for your feedback.

                              Regards,
                              Patrick
                            • Fernando Maior
                              Message 14 of 18 , Mar 20, 2013
                                Patrick,

                                You may want to give a try to JXplorer. It is Java-based and runs nicely. Also, you can change the forms used by it, customizing to your needs.

                                Best regards.
                                ---
                                Fernando Maciel Souto Maior


