Re: LDAP canonical_maps and domain rewriting

  • Viktor Dukhovni
    Message 1 of 18 , Mar 17, 2013
      On Mon, Mar 18, 2013 at 02:34:05AM +0100, Patrick Lists wrote:

      > >How do you manage users who have multiple email addresses? You should
      > >avoid domain to domain rewrites, and for each user list all the
      > >valid addresses. Read:
      > >
      > > http://tools.ietf.org/html/draft-lachman-ldap-mail-routing-03
      > >
      > >where "maildrop" is called "mailRoutingAddress".
      >
      > Thanks. Just read it and I switched to mailRoutingAddress.

      But this is still the delivery address attribute, not the additional
      address attribute, that is "mailAlternateAddress" in the draft.

      What matters to Postfix is not what name or OID you use, but what
      data you populate the attributes with. You SHOULD populate the
      attributes with data that matches the attribute's published semantics,
      but this only matters if you use tools that assign fixed meanings
      to the attributes. Postfix does not care which attribute is which;
      it just does the lookups you configure.

      > >The canonical mapping has to match the actual process for managing
      > >your user addresses. Use the right attributes and define their
      > >semantics clearly.
      >
      > Having read that draft it's clear now that I shouldn't be abusing
      > attributes for a purpose for which they are not intended.

      Except you are still trying to rewrite the mailbox delivery address
      back to a unique user, but mailbox delivery addresses are not in
      1-to-1 correspondence with users. The addresses that really do
      uniquely belong to the user should be in mailAlternateAddress,
      which is also known as mailLocalAddress in some documents.

      This is my last post on the subject, perhaps someone else can
      help if you're still confused.

      --
      Viktor.
    • Fernando Maior
      Message 2 of 18 , Mar 19, 2013
        Hello,

        All this seems to be something very different from what postfix and other smtp usually does. So, maybe the problem is with the concept, not with the implementation.

        May I ask you why you need to change the domain name part of the mail delivery address? Can you provide us with information on your mail accepting and delivery needs?

        Maybe if you look from a different direction, you can see a different - and more appropriate - solution.

        Thanks!!

        Atenciosamente,
        ---
        Fernando Maciel Souto Maior
        Projetos e Soluções de Tecnologia
        (31) 9669-5768 Claro
        (31) 9226-9440 TIM



      • Patrick Lists
        Message 3 of 18 , Mar 19, 2013
          Hi Fernando,

          On 03/19/2013 01:02 PM, Fernando Maior wrote:
          > Hello,
          >
          > All this seems to be something very different from what postfix and
          > other smtp usually does. So, may be the problem is with the concept, not
          > with the implementation.
          >
          > May I ask you why you need to change the domain name part of the mail
          > delivery address? Can you provide us with information on your mail
          > accepting and delivery needs?
          >
          > May be if you look from a different direction, you can see a different -
          > and more appropriate - sollution.

          I don't think I'm doing something out of the ordinary but that's just me
          :-) Here it goes:

          I use unique email addresses (aliases) for every website I register or
          where I order something. Right now I have close to 300 aliases using
          several different domains (private & business). On my current ancient
          CentOS5 mailserver Postfix handles those domains and the aliases. So all
          mail is processed by postfix and then delivered to dovecot. The new
          mailserver will use Postfix plus some groupware software and the concept
          is taken from http://www.postfix.org/VIRTUAL_README.html: Non-Postfix
          mailbox store: separate domains, non-UNIX accounts.

          So I'm using virtual_mailbox_domains, virtual_mailbox_maps,
          virtual_alias_maps, virtual_transport and canonical_maps and the
          accounts are stored in OpenLDAP.

          Examples of how email addresses are handled:

          amazon@... is delivered to myaccount@... because
          amazon@... is an alias of myaccount@....

          biz@... is rewritten to biz@... because it's in
          canonical_maps and then delivered to myaccount@... because
          biz@... is an alias of myaccount@....

          The second example is the reason why I asked about canonical_maps with
          LDAP that would do @... -> @....

          In my new test setup this all works fine although I don't doubt that
          Victor could find something odd in my setup that requires me to read
          many more RFCs to get a clue :-)

          Hope this makes sense.

          Regards,
          Patrick
        • Viktor Dukhovni
          Message 4 of 18 , Mar 19, 2013
            On Tue, Mar 19, 2013 at 09:02:51AM -0300, Fernando Maior wrote:

            > All this seems to be something very different from what postfix and other
            > smtp usually does. So, may be the problem is with the concept, not with the
            > implementation.
            >
            > May I ask you why you need to change the domain name part of the mail
            > delivery address? Can you provide us with information on your mail
            > accepting and delivery needs?

            Nothing unusual at all about canonical mapping, the only anomaly
            I'm making a fuss about is the underlying data model. It is OK to
            turn secondary addresses into primary, it is generally risky to
            try to turn target (delivery) addresses back into original addresses,
            since the mapping is often not one-to-one (and the need to introduce
            many-to-one may arise later).

            --
            Viktor.
          • Patrick Lists
            Message 5 of 18 , Mar 19, 2013
              Hi Viktor,

              My apologies for getting your name wrong on the previous email.

              On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
              > Nothing unusual at all about canonical mapping, the only anomaly
              > I'm making a fuss about is the underlying data model. It is OK to
              > turn secondary addresses into primary, it is generally risky to
              > try to turn target (delivery) addresses back into original addresses,
              > since the mapping is often not one-to-one (and the need to introduce
              > many-to-one may arise later).

              Thanks, I'll think this over more as I try to wrap my head around this.
              When I stray into this issue I'll make sure to reread your much
              appreciated advice. And probably a few more RFCs.

              Initially I thought adding LDAP was a fun idea. Given the archaic nature
              and complexity of this beast I'm not so sure anymore. I'm beginning to
              understand why I've heard sysadmins say that Microsoft has done a nice
              job with AD of hiding the complexity and making it work. But this is
              getting OT so I'll leave it at that.

              Thanks again for your advice.

              Regards,
              Patrick
            • Viktor Dukhovni
              Message 6 of 18 , Mar 19, 2013
                On Tue, Mar 19, 2013 at 08:00:51PM +0100, Patrick Lists wrote:

                > On 03/19/2013 04:22 PM, Viktor Dukhovni wrote:
                > >Nothing unusual at all about canonical mapping, the only anomaly
                > >I'm making a fuss about is the underlying data model. It is OK to
                > >turn secondary addresses into primary, it is generally risky to
                > >try to turn target (delivery) addresses back into original addresses,
                > >since the mapping is often not one-to-one (and the need to introduce
                > >many-to-one may arise later).
                >
                > Thanks, I'll think this over more as I try to wrap my head around
                > this. When I stray into this issue I'll make sure to reread your
                > much appreciated advice. And probably a few more RFCs.
                >
                > Initially I thought adding LDAP was a fun idea. Given the archaic
                > nature and complexity of this beast I'm not so sure anymore. I'm
                > beginning to understand why I've heard sysadmins say that Microsoft
                > has done a nice job with AD of hiding the complexity and making it
                > work. But this is getting OT so I'll leave it at that.

                Just in terms of data models and Microsoft, the corresponding pieces
                in that case are:

                mail: primary@...
                proxyAddresses: smtp:primary@...
                proxyAddresses: smtp:secondary@...
                proxyAddresses: ...
                <some-mailbox-attribute>: mailbox

                so it would be reasonable to use "proxyAddresses=smtp:%s" as the
                lookup key for a canonical mapping with "mail" as the result, but
                not reasonable to map the <some-mailbox-attribute> back to mail.

                Don't think LDAP, think data-model, and then map that onto LDAP,
                if you're not too discouraged.

                --
                Viktor.
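As an added example (not part of any message in this thread, and not Postfix project documentation), the two tables below put the data-model advice from messages 1 and 6 into Postfix ldap_table(5) syntax: the lookup key is an attribute that holds the user's additional addresses (mailAlternateAddress in draft-lachman-ldap-mail-routing, proxyAddresses in Active Directory) and the result is the primary address (mail). The delivery attribute (mailRoutingAddress, or whatever mailbox attribute AD is using) is never used as a key, for the reason given in message 4. Server names, search bases, bind credentials, file paths and domain names are assumptions.

```ini
# /etc/postfix/ldap/canonical-lachman.cf   (assumed path)
# Secondary -> primary rewriting for the draft-lachman schema.
# Key:    any address listed in mailAlternateAddress (the user's extra addresses;
#         some schema versions call this attribute mailLocalAddress)
# Result: mail (the primary address)
# Postfix config files take comments only on lines of their own; a leading
# space on a line means "continuation of the previous value".
server_host = ldap://ldap.example.com
search_base = ou=people,dc=example,dc=com
version = 3
bind = no
scope = sub
# Only fully qualified keys in these domains are sent to LDAP; anything else
# is a local miss, which also keeps foreign senders from triggering lookups.
domain = example.com, example.net
# Postfix inserts %s with RFC 2254 quoting, so an address containing
# '*', '(' or ')' cannot widen or alter the filter.
query_filter = (mailAlternateAddress=%s)
result_attribute = mail

# /etc/postfix/ldap/canonical-ad.cf   (assumed path)
# The same mapping against the Active Directory model from message 6:
#   mail:           primary@example.com
#   proxyAddresses: SMTP:primary@example.com    (upper case marks the primary)
#   proxyAddresses: smtp:secondary@example.com
server_host = ldap://dc1.example.com
search_base = dc=example,dc=com
version = 3
# AD does not allow anonymous searches, so a read-only service account is
# needed.  Keep this file readable only by root and the postfix user, or
# reference it as proxy:ldap:/etc/postfix/ldap/canonical-ad.cf so that only
# proxymap(8) ever opens it.
bind = yes
bind_dn = cn=postfix-lookup,ou=service,dc=example,dc=com
bind_pw = assumed-password
scope = sub
domain = example.com
# proxyAddresses matching is case-insensitive, so smtp:%s also finds the
# SMTP: primary; (mail=*) skips entries that have no primary to rewrite to.
query_filter = (&(objectClass=user)(proxyAddresses=smtp:%s)(mail=*))
result_attribute = mail

# main.cf fragment: pick whichever table matches the directory in use.
# canonical_maps rewrites senders and recipients in both the envelope and the
# headers (see canonical_classes); use recipient_canonical_maps instead if
# only recipients should be rewritten.
canonical_maps = ldap:/etc/postfix/ldap/canonical-ad.cf
```

Before reloading, test the table from the shell with `postmap -q secondary@example.com ldap:/etc/postfix/ldap/canonical-ad.cf`; a hit prints the primary address, a miss prints nothing and exits nonzero. Querying the same table with a primary address should be a miss, which is the point: the map is a function from secondary to primary, and the reverse direction (mailbox back to user) is intentionally not configured anywhere.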
              • Fernando Maior
                Message 7 of 18 , Mar 20, 2013
                  Patrick,

                  I do not use canonical maps at all when using LDAP. I do not need it, because I just use mailForwardingAddress (actually an alias) to map the incoming email to the real mailbox.

                  What I do:
                  1. Use the qmail.schema in OpenLDAP
                  2. Add objectClass: qmailUser to each user account
                  3. Edit mailForwardingAddress when appropriate
                  4. Create a file on /etc/postfix/ldap/ named forwarding
                  5. Change /etc/postfix/main.cf to map aliases to the forwarding file
                  In order to make changes to LDAP, you may use something like ldapadmin (ldapadmin.org) and put the difficulties to manage LDAP entries behind you.

                  You may create an account with mail attribute as biz@... and mailForwardingAddress attribute as myaccount@.... 

                  That configuration is only enough for receiving e-mail, not for sending e-mail.

                  Maybe this can help you.

                  Best regards,
                  ---
                  Fernando Maciel Souto Maior

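The five steps in the message above, carried out, give the two files below. This is an added example, not Fernando's own configuration; the paths, hostname, base DN and domain names are assumptions. The entry being looked up is the one he describes: an account with objectClass qmailUser (from qmail.schema), mail: biz@example.com and mailForwardingAddress: myaccount@example.net.

```ini
# /etc/postfix/ldap/forwarding   (step 4; path assumed)
# virtual_alias_maps lookup: the incoming address (mail) is the key and the
# real mailbox address (mailForwardingAddress) is the result.  This is the
# direction Viktor recommends: incoming/secondary -> where it really goes.
server_host = ldap://127.0.0.1
search_base = ou=people,dc=example,dc=com
version = 3
bind = no
scope = sub
# Restrict lookups to the alias domains this server hosts (assumed names).
domain = example.com, example.org
# objectClass=qmailUser scopes the search to entries meant to receive mail.
# An entry that matches but has no mailForwardingAddress yields no result,
# and Postfix then rejects the recipient as unknown in the virtual alias
# table rather than delivering it somewhere unexpected.
query_filter = (&(objectClass=qmailUser)(mail=%s))
result_attribute = mailForwardingAddress

# main.cf   (step 5) -- only the lines this adds
# The alias domains must be declared in exactly one address class.  With
# virtual_alias_domains no mailbox store is needed on this host; if a domain
# is already in virtual_mailbox_domains, do not list it here as well.
virtual_alias_domains = example.com, example.org
virtual_alias_maps = ldap:/etc/postfix/ldap/forwarding
```

Check it before reloading: `postmap -q biz@example.com ldap:/etc/postfix/ldap/forwarding` should print myaccount@example.net, and an address with no entry should print nothing and exit nonzero. As Fernando notes, this covers receiving only; submission from those accounts is a separate configuration.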

                • Patrick Lists
                  Message 8 of 18 , Mar 20, 2013
                    Hi Fernando,

                    On 03/20/2013 05:40 PM, Fernando Maior wrote:
                    > Patrick,
                    >
                    > I do not use canonical maps at all when using LDAP. I do not need it,
                    > because I just use mailForwardingAddress (actually an alias) to map the
                    > incoming email to the real mailbox.
                    >
                    > What I do:
                    >
                    > 1. Use the qmail.schema in OpenLDAP
                    > 2. Add objectClass: qmailUser to each user account
                    > 3. Edit mailForwardingAddress when appropriate
                    > 4. Create a file on /etc/postfix/ldap/ named forwarding
                    > 5. Change /etc/postfix/main.cf to map aliases to the
                    > forwarding file

                    Thanks for the tip. I had seen the qmail.schema but had not really
                    looked into it. Added to the TODO list.

                    > In order to make changes to LDAP, you may use something like ldapadmin
                    > (ldapadmin.org) and put the difficulties to manage LDAP entries
                    > behind you.

                    It's Windows only and I don't have anything with Windows on it. Instead
                    I use Apache Directory Studio. Works quite well on Linux.

                    > You may create an account with mail attribute as biz@... and
                    > mailForwardingAddress attribute as myaccount@....
                    >
                    > That configuration is only enough for receiving e-mail, not to sending
                    > e-mail.
                    >
                    > May be this can help you.

                    It did. Thank you for your feedback.

                    Regards,
                    Patrick
                  • Fernando Maior
                    Message 9 of 18 , Mar 20, 2013
                      Patrick,

                      You may want to give a try to JXplorer. It is Java-based and runs nicely. Also, you can change the forms used by it, customizing to your needs.

                      Best regards.
                      ---
                      Fernando Maciel Souto Maior
