
Re: LDAP canonical_maps and domain rewriting

  • Viktor Dukhovni
    Message 1 of 18, Mar 17, 2013
      On Sun, Mar 17, 2013 at 11:12:00PM +0100, Patrick Lists wrote:

      > Hi Victor,
      >
      > On 03/17/2013 07:38 PM, Viktor Dukhovni wrote:
      > >
      > >Keep in mind that there are many different LDAP email schemas and
      > >yours may keep the additional email addresses of each user in an
      > >differently named attribute. The "mailDeliveryAddress" attribute
      > >is taken from one popular schema (assuming I remembered the attribute
      > >name correctly).
      >
      > Figured that out when I could not find the "mailDeliveryAddress"
      > attribute in the schemas present in my OpenLDAP config:
      >
      > Googling around I found a small postfix.schema and used the
      > "maildrop" attribute which works fine using this

      This may not be the right choice. The schema that uses "maildrop"
      IIRC typically uses:

      mail: primary address
      mailalternateaddress: secondary addresses (may include primary)
      maildrop: delivery mailbox

      It is generally wrong to rewrite "maildrop" to mail, because maildrop
      is not "another" address for the same user; rather, it is where their
      mail is rerouted to, and it may be shared by multiple users (often system
      accounts ...).

      How do you manage users who have multiple email addresses? You should
      avoid domain to domain rewrites, and for each user list all the
      valid addresses. Read:

      http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03

      where "maildrop" is called "mailRoutingAddress".

      > /etc/postfix/ldap-canonical.cf:
      >
      > server_host = ldapi://%2Fvar%2Frun%2Fldapi
      > bind = yes
      > bind_dn = cn=Manager,dc=example,dc=org
      > bind_pw = 1234
      > search_base = ou=hosted,dc=example,dc=org
      > version = 3
      > scope=sub
      > query_filter = mail=%s
      > result_attribute = maildrop
      >
      > Thanks again for your help.

      The canonical mapping has to match the actual process for managing
      your user addresses. Use the right attributes and define their
      semantics clearly.

      --
      Viktor.
    • Patrick Lists
      Message 2 of 18, Mar 17, 2013
        On 03/17/2013 11:48 PM, Viktor Dukhovni wrote:
        [snip]
        >> Googling around I found a small postfix.schema and used the
        >> "maildrop" attribute which works fine using this
        >
        > This may not be the right choice. The schema that uses "maildrop"
        > IIRC typically uses:
        >
        > mail: primary address
        > mailalternateaddress: secondary addresses (may include primary)
        > maildrop: delivery mailbox
        >
        > It is generally wrong to rewrite "maildrop" to mail, because maildrop
        > is not "another" address for the same user, it is rather where their
        > mail is rerouted to, may be shared for multiple users (often system
        > accounts ...).

        Got it.

        > How do you manage users who have multiple email addresses? You should
        > avoid domain to domain rewrites, and for each user list all the
        > valid addresses. Read:
        >
        > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
        >
        > where "maildrop" is called "mailRoutingAddress".

        Thanks. Just read it and I switched to mailRoutingAddress.

        >> /etc/postfix/ldap-canonical.cf:
        >>
        >> server_host = ldapi://%2Fvar%2Frun%2Fldapi
        >> bind = yes
        >> bind_dn = cn=Manager,dc=example,dc=org
        >> bind_pw = 1234
        >> search_base = ou=hosted,dc=example,dc=org
        >> version = 3
        >> scope=sub
        >> query_filter = mail=%s
        >> result_attribute = maildrop
        >>
        >> Thanks again for your help.
        >
        > The canonical mapping has to match the actual process for managing
        > your user addresses. Use the right attributes and define their
        > semantics clearly.

        Having read that draft it's clear now that I shouldn't be abusing
        attributes for a purpose for which they are not intended.

        Thanks again,
        Patrick
      • Viktor Dukhovni
        Message 3 of 18, Mar 17, 2013
          On Mon, Mar 18, 2013 at 02:34:05AM +0100, Patrick Lists wrote:

          > >How do you manage users who have multiple email addresses? You should
          > >avoid domain to domain rewrites, and for each user list all the
          > >valid addresses. Read:
          > >
          > > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
          > >
          > >where "maildrop" is called "mailRoutingAddress".
          >
          > Thanks. Just read it and I switched to mailRoutingAddress.

          But this is still the delivery address attribute, not the additional
          address attribute, that is "mailAlternateAddress" in the draft.

          What matters to Postfix is not what name or OID you use, but what
          data you populate the attributes with. You SHOULD populate the
          attributes with data that matches the attribute's published semantics,
          but this only matters if you use tools that assign fixed meanings
          to the attributes. Postfix does not care which attribute is which;
          it just does the lookups you configure.

          > >The canonical mapping has to match the actual process for managing
          > >your user addresses. Use the right attributes and define their
          > >semantics clearly.
          >
          > Having read that draft it's clear now that I shouldn't be abusing
          > attributes for a purpose for which they are not intended.

          Except you are still trying to rewrite the mailbox delivery address
          back to a unique user, but mailbox delivery addresses are not in
          1-to-1 correspondence with users. The addresses that really do
          uniquely belong to the user should be in mailAlternateAddress,
          which is also known as mailLocalAddress in some documents.

          This is my last post on the subject, perhaps someone else can
          help if you're still confused.

          --
          Viktor.
        • Fernando Maior
          Message 4 of 18, Mar 19, 2013
            Hello,

            All this seems to be something very different from what Postfix and other SMTP servers usually do. So maybe the problem is with the concept, not with the implementation.

            May I ask you why you need to change the domain name part of the mail delivery address? Can you provide us with information on your mail accepting and delivery needs? 

            Maybe if you look from a different direction, you can see a different - and more appropriate - solution.

            Thanks!!

            Sincerely,
            ---
            Fernando Maciel Souto Maior
            Technology Projects and Solutions
            (31) 9669-5768 Claro
            (31) 9226-9440 TIM


          • Patrick Lists
            Message 5 of 18, Mar 19, 2013
              Hi Fernando,

              On 03/19/2013 01:02 PM, Fernando Maior wrote:
              > Hello,
              >
              > All this seems to be something very different from what Postfix and
              > other SMTP servers usually do. So maybe the problem is with the concept, not
              > with the implementation.
              >
              > May I ask you why you need to change the domain name part of the mail
              > delivery address? Can you provide us with information on your mail
              > accepting and delivery needs?
              >
              > Maybe if you look from a different direction, you can see a different -
              > and more appropriate - solution.

              I don't think I'm doing something out of the ordinary but that's just me
              :-) Here it goes:

              I use unique email addresses (aliases) for every website I register or
              where I order something. Right now I have close to 300 aliases using
              several different domains (private & business). On my current ancient
              CentOS5 mailserver Postfix handles those domains and the aliases. So all
              mail is processed by postfix and then delivered to dovecot. The new
              mailserver will use Postfix plus some groupware software and the concept
              is taken from http://www.postfix.org/VIRTUAL_README.html: Non-Postfix
              mailbox store: separate domains, non-UNIX accounts.

              So I'm using virtual_mailbox_domains, virtual_mailbox_maps,
              virtual_alias_maps, virtual_transport and canonical_maps and the
              accounts are stored in OpenLDAP.

              Examples of how email addresses are handled:

              amazon@... is delivered to myaccount@... because
              amazon@... is an alias of myaccount@....

              biz@... is rewritten to biz@... because it's in
              canonical_maps and then delivered to myaccount@... because
              biz@... is an alias of myaccount@....

              The second example is the reason why I asked about canonical_maps with
              LDAP that would do @... -> @....

              In my new test setup this all works fine although I don't doubt that
              Victor could find something odd in my setup that requires me to read
              many more RFCs to get a clue :-)

              Hope this makes sense.

              Regards,
              Patrick
            • Viktor Dukhovni
              Message 6 of 18, Mar 19, 2013
                On Tue, Mar 19, 2013 at 09:02:51AM -0300, Fernando Maior wrote:

                > All this seems to be something very different from what postfix and other
                > smtp usually does. So, may be the problem is with the concept, not with the
                > implementation.
                >
                > May I ask you why you need to change the domain name part of the mail
                > delivery address? Can you provide us with information on your mail
                > accepting and delivery needs?

                Nothing unusual at all about canonical mapping, the only anomaly
                I'm making a fuss about is the underlying data model. It is OK to
                turn secondary addresses into primary, it is generally risky to
                try to turn target (delivery) addresses back into original addresses,
                since the mapping is often not one-to-one (and the need to introduce
                many-to-one may arise later).

                --
                Viktor.
              • Patrick Lists
                Message 7 of 18, Mar 19, 2013
                  Hi Viktor,

                  My apologies for getting your name wrong on the previous email.

                  On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                  > Nothing unusual at all about canonical mapping, the only anomaly
                  > I'm making a fuss about is the underlying data model. It is OK to
                  > turn secondary addresses into primary, it is generally risky to
                  > try to turn target (delivery) addresses back into original addresses,
                  > since the mapping is often not one-to-one (and the need to introduce
                  > many-to-one may arise later).

                  Thanks, I'll think this over more as I try to wrap my head around this.
                  When I stray into this issue I'll make sure to reread your much
                  appreciated advice. And probably a few more RFCs.

                  Initially I thought adding LDAP was a fun idea. Given the archaic nature
                  and complexity of this beast I'm not so sure anymore. I'm beginning to
                  understand why I've heard sysadmins say that Microsoft has done a nice
                  job with AD of hiding the complexity and making it work. But this is
                  getting OT so I'll leave it at that.

                  Thanks again for your advice.

                  Regards,
                  Patrick
                • Viktor Dukhovni
                  Message 8 of 18, Mar 19, 2013
                    On Tue, Mar 19, 2013 at 08:00:51PM +0100, Patrick Lists wrote:

                    > On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                    > >Nothing unusual at all about canonical mapping, the only anomaly
                    > >I'm making a fuss about is the underlying data model. It is OK to
                    > >turn secondary addresses into primary, it is generally risky to
                    > >try to turn target (delivery) addresses back into original addresses,
                    > >since the mapping is often not one-to-one (and the need to introduce
                    > >many-to-one may arise later).
                    >
                    > Thanks, I'll think this over more as I try to wrap my head around
                    > this. When I stray into this issue I'll make sure to reread your
                    > much appreciated advice. And probably a few more RFCs.
                    >
                    > Initially I thought adding LDAP was a fun idea. Given the archaic
                    > nature and complexity of this beast I'm not so sure anymore. I'm
                    > beginning to understand why I've heard sysadmins say that Microsoft
                    > has done a nice job with AD of hiding the complexity and making it
                    > work. But this is getting OT so I'll leave it at that.

                    Just in terms of data models and Microsoft, the corresponding pieces
                    in that case are:

                    mail: primary@...
                    proxyAddresses: smtp:primary@...
                    proxyAddresses: smtp:secondary@...
                    proxyAddresses: ...
                    <some-mailbox-attribute>: mailbox

                    so it would be reasonable to use "proxyAddresses=smtp:%s" as the
                    lookup key for a canonical mapping with "mail" as the result, but
                    not reasonable to map the <some-mailbox-attribute> back to mail.

                    Don't think LDAP, think data-model, and then map that onto LDAP,
                    if you're not too discouraged.

                    --
                    Viktor.
                  • Fernando Maior
                    Message 9 of 18, Mar 20, 2013
                      Patrick,

                      I do not use canonical maps at all when using LDAP. I do not need it, because I just use mailForwardingAddress (actually an alias) to map the incoming email to the real mailbox.

                      What I do:
                      1. Use the qmail.schema in OpenLDAP
                      2. Add objectClass: qmailUser to each user account
                      3. Edit mailForwardingAddress when appropriate
                      4. Create a file on /etc/postfix/ldap/ named forwarding
                      5. Change /etc/postfix/main.cf to map aliases to the forwarding file
                      In order to make changes to LDAP, you may use something like ldapadmin (ldapadmin.org) and put the difficulties to manage LDAP entries behind you.

                      You may create an account with mail attribute as biz@... and mailForwardingAddress attribute as myaccount@.... 

                      That configuration is only enough for receiving e-mail, not for sending e-mail.

                      Maybe this can help you.

                      Best regards,
                      ---
                      Fernando Maciel Souto Maior

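An added example, not code from the thread, from Postfix or from any LDAP schema, for the data model Viktor describes in messages 1, 3 and 8 and for the forwarding table Fernando describes in message 9. It emulates Postfix LDAP table lookups over a small constructed directory to show why a canonical map keyed on the shared delivery-mailbox attribute is ambiguous while one keyed on the per-user alias attribute is not, and it renders the matching ldap: table files using only the parameter names from the ldap-canonical.cf quoted above. Assumed: the entries, the example.org/example.net addresses and the lookup-only bind DN placeholder are constructed; the AD proxyAddresses prefix is matched case-insensitively.

```python
"""Added example, not code from the thread, Postfix or any LDAP schema.

Emulates Postfix LDAP lookups over a constructed directory (assumption) to show
why keying a canonical map on the delivery mailbox is ambiguous.
"""
from collections import defaultdict

# Constructed directory (draft-lachman attribute names). bob and carol share one
# delivery mailbox, the many-to-one case that makes the reverse lookup unsafe.
ENTRIES = [
    {"mail": ["alice@example.org"],
     "mailAlternateAddress": ["alice@example.org", "amazon@example.net",
                              "biz@example.com"],
     "mailRoutingAddress": ["alice@mailstore.example.org"]},
    {"mail": ["bob@example.org"],
     "mailAlternateAddress": ["bob@example.org", "sales@example.net"],
     "mailRoutingAddress": ["shared@mailstore.example.org"]},
    {"mail": ["carol@example.org"],
     "mailAlternateAddress": ["carol@example.org"],
     "mailRoutingAddress": ["shared@mailstore.example.org"]},
]

# Same model in Active Directory terms (constructed): SMTP addresses carry an
# "smtp:" prefix in proxyAddresses; other address types (x500:) must be skipped.
AD_ENTRIES = [
    {"mail": ["primary@example.org"],
     "proxyAddresses": ["SMTP:primary@example.org",
                        "smtp:secondary@example.org",
                        "x500:/o=Example/cn=primary"]},
]


def ldap_lookup(entries, query_attr, value, result_attr):
    """Emulate one Postfix LDAP lookup: filter "query_attr=%s", return result_attr."""
    hits = []
    for entry in entries:
        if value.lower() in (v.lower() for v in entry.get(query_attr, [])):
            hits.extend(entry.get(result_attr, []))
    return hits  # several matching entries -> several results: bad for canonical


def canonical_map(entries, key_attr, result_attr="mail", key_prefix=""):
    """Build the key -> primary address table a canonical lookup would yield.

    Returns (mapping, ambiguous): keys resolving to exactly one primary address,
    and keys resolving to several (a shared mailbox used as the lookup key).
    """
    table = defaultdict(set)
    for entry in entries:
        for key in entry.get(key_attr, []):
            if not key.lower().startswith(key_prefix.lower()):
                continue  # e.g. skip x500: values in proxyAddresses
            table[key[len(key_prefix):].lower()].update(
                v.lower() for v in entry.get(result_attr, []))
    mapping = {k: next(iter(v)) for k, v in table.items() if len(v) == 1}
    ambiguous = {k: sorted(v) for k, v in table.items() if len(v) > 1}
    return mapping, ambiguous


def render_ldap_table(query_attr, result_attr, search_base):
    """Render a Postfix ldap: table file with the parameter names from the thread.

    Bind DN and password are placeholders: a lookup-only account suffices here.
    """
    return "\n".join([
        "server_host = ldapi://%2Fvar%2Frun%2Fldapi",
        "bind = yes",
        "bind_dn = cn=PLACEHOLDER-lookup,dc=example,dc=org",
        "bind_pw = PLACEHOLDER",
        f"search_base = {search_base}",
        "version = 3",
        "scope = sub",
        f"query_filter = {query_attr}=%s",
        f"result_attribute = {result_attr}",
    ]) + "\n"


if __name__ == "__main__":
    base = "ou=hosted,dc=example,dc=org"
    for key_attr in ("mailAlternateAddress", "mailRoutingAddress"):
        mapping, ambiguous = canonical_map(ENTRIES, key_attr)
        print(f"{key_attr} -> mail: {len(mapping)} ok, ambiguous: {ambiguous}")
    print(render_ldap_table("mailAlternateAddress", "mail", base))   # canonical_maps
    print(render_ldap_table("mail", "mailForwardingAddress", base))  # virtual_alias_maps
```

For Fernando's qmail.schema setup the same renderer with ("mail", "mailForwardingAddress") gives the virtual_alias_maps table; for Viktor's AD model pass key_prefix="smtp:" to canonical_map.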

                    • Patrick Lists
                      Message 10 of 18, Mar 20, 2013
                        Hi Fernando,

                        On 03/20/2013 05:40 PM, Fernando Maior wrote:
                        > Patrick,
                        >
                        > I do not use canonical maps at all when using LDAP. I do not need it,
                        > because I just use mailForwardingAddress (actually an alias) to map the
                        > incoming email to the real mailbox.
                        >
                        > What I do:
                        >
                        > 1. Use the qmail.schema in OpenLDAP
                        > 2. Add objectClass: qmailUser to each user account
                        > 3. Edit mailForwardingAddress when appropriate
                        > 4. Create a file on /etc/postfix/ldap/ named forwarding
                        > 5. Change /etc/postfix/main.cf <http://main.cf> to map aliases to the
                        > forwarding file

                        Thanks for the tip. I had seen the qmail.schema but had not really
                        looked into it. Added to the TODO list.

                        > In order to make changes to LDAP, you may use something like ldapadmin
                        > (ldapadmin.org <http://ldapadmin.org>) and put the difficulties to
                        > manage LDAP entries behind you.

                        It's Windows only and I don't have anything with Windows on it. Instead
                        I use Apache Directory Studio. Works quite well on Linux.

                        > You may create an account with mail attribute as biz@... and
                        > mailForwardingAddress attribute as myaccount@....
                        >
                        > That configuration is only enough for receiving e-mail, not for sending
                        > e-mail.
                        >
                        > Maybe this can help you.

                        It did. Thank you for your feedback.

                        Regards,
                        Patrick
                      • Fernando Maior
                        Message 11 of 18, Mar 20, 2013
                          Patrick,

                          You may want to give JXplorer a try. It is Java-based and runs nicely. Also, you can change the forms it uses, customizing them to your needs.

                          Best regards.
                          ---
                          Fernando Maciel Souto Maior
