From: Ronie Gilberto Henrich on 18 Mar 2010 12:54

Hi Victor,

Thanks also for your reply.

Isn't it a simpler way to accomplish that?
Something like a support for variables (%u) on the left side?

Example:
everyone_query_filter = (&(accountStatus=active)(%u=everyone))

Thanks,
Ronie

-------- Original Message --------
Subject: Re: everyone@example.com virtual_alias_maps using ldap query
From: Victor Duchovni <Victor.Duchovni(a)morganstanley.com>
To: postfix-users(a)postfix.org
Date: Thu Mar 18 2010 13:45:50 GMT-0300

On Thu, Mar 18, 2010 at 01:31:11PM -0300, Ronie Gilberto Henrich wrote:

> The problem about your solution below is that it will go into a loop.

Only if you go out of your way to make it loop. The address expansion in virtual(5) is recursive, but it stops as soon as address expands to itself.

If "everyone" is a group object that expands to a list of users, just make sure the query returns all users and no groups. If you want the group to be "dynamic", you can use LDAP URI valued groups and "special_result_attribute" to process such URIs.

If the list of users is not too large, this works reasonably well. Once you are processing thousands of users, you should consider operating a list server to which such addresses are routed, and do the expansion there...

Giving all users an "everyone@example.com" address is a bit ugly, just use objectClasses or sub-trees to determine who is in scope.

From: Victor Duchovni on 18 Mar 2010 13:00

On Thu, Mar 18, 2010 at 01:54:08PM -0300, Ronie Gilberto Henrich wrote:

> Isn't it a simpler way to accomplish that?

No.

> Something like a support for variables (%u) on the left side?
>
> Example:
> everyone_query_filter = (&(accountStatus=active)(%u=everyone))

This is not "simpler" it is simply wrong. The substituted LDAP search filter is parsed by LDAP server, not Postfix. Postfix will not try to interpret a subset of the conditions in the LDAP filter.

To make "everyone@example.com" an address, create an LDAP object with that address.

If the LDAP object needs to expand to all user addresses, make it an LDAP-URI valued group. If the group is large (thousands of recipients), do the expansion on a dedicated list server, not your primary Postfix queue.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.

From: Ronie Gilberto Henrich on 19 Mar 2010 06:52

I am resending this because I've accidentally sent the last email in HTML format, sorry.

> -------- Original Message --------
> Subject: Re: everyone@example.com virtual_alias_maps using ldap query
> From: Victor Duchovni <Victor.Duchovni(a)morganstanley.com>
> To: Ronie Gilberto Henrich <ronie(a)ronie.com.br>
> Cc: postfix-users(a)postfix.org
> Date: Thu Mar 18 2010 14:00:45 GMT-0300
>>> Something like a support for variables (%u) on the left side?
>>>
>>> Example:
>>> everyone_query_filter = (&(accountStatus=active)(%u=everyone))
>>>
>>
>> This is not "simpler" it is simply wrong. The substituted LDAP search
>> filter is parsed by LDAP server, not Postfix. Postfix will not try
>> to interpret a subset of the conditions in the LDAP filter.
>>
>> To make "everyone@example.com" an address, create an LDAP object
>> with that address.
>>
>> If the LDAP object needs to expand to all user addresses, make it an
>> LDAP-URI valued group. If the group is large (thousands of recipients), do
>> the expansion on a dedicated list server, not your primary Postfix queue.
>>
>>
> You mean something like the ldap object below?
> mail=everyone@example.com,ou=Mail,o=example,c=com
> ObjectClass=referral
> ref=ldaps://localhost/ou=Mail,o=example,c=com
>
> I did that and it does list all ou=Mail,o=example,c=com mail accounts.
>
> Then I modified my ldap:everyone mappings to the following:
> virtual_alias_maps = ldap:everyone
> everyone_server_host = ldaps://localhost
> everyone_version = 3
> everyone_search_base = ou=Mail,o=example,c=com
> everyone_query_filter = (mail=%s)
> everyone_result_attribute = mail
>
> But it does not work.
> 550 <everyone@example.com>: Recipient address rejected: User unknown;
>
> Any ideas of what I am doing wrong?
>
> Thanks,
> Ronie

From: Victor Duchovni on 19 Mar 2010 11:24

On Thu, Mar 18, 2010 at 09:10:18PM -0300, Ronie Gilberto Henrich wrote:

> If the LDAP object needs to expand to all user addresses, make it an
> LDAP-URI valued group. If the group is large (thousands of recipients), do
> the expansion on a dedicated list server, not your primary Postfix queue.
>
>
>
> You mean something like the ldap object below?
> mail=everyone@example.com,ou=Mail,o=example,c=com
> ObjectClass=referral
> ref=ldaps://localhost/ou=Mail,o=example,c=com

No, not a referral, an LDAP query URI (aka "dynamic group"). The above does not appear to have the syntax of a stored query, there is no "filter part".

> I did that and it does list all ou=Mail,o=example,c=com mail accounts.

What does this mean? What tool did you use?

> Then I modified my ldap:everyone mappings to the following:
> virtual_alias_maps = ldap:everyone
> everyone_server_host = ldaps://localhost
> everyone_version = 3
> everyone_search_base = ou=Mail,o=example,c=com
> everyone_query_filter = (mail=%s)
> everyone_result_attribute = mail

Where is the "special_result_attribute" definition? Did you read the ldap_table(5) documentation?

> But it does not work.
> 550 <everyone@example.com>: Recipient address rejected: User unknown;
>
> Any ideas of what I am doing wrong?

Pretty much everything, so far...

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
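
Added example, not part of the thread and not posted by either participant: a sketch of the "LDAP-URI valued group" plus "special_result_attribute" setup discussed above. The entry's DN, the groupOfURLs/memberURL schema (OpenLDAP dyngroup) and the negated objectClass clause are assumptions; the map settings reuse the ones quoted in the thread.

```ini
# --- Directory entry (LDIF, shown as comments; all values are assumptions) ---
# Assumes the dyngroup schema (groupOfURLs / memberURL) is loaded and that
# the local schema permits a "mail" attribute on this entry.
#
#   dn: cn=everyone,ou=Mail,o=example,c=com
#   objectClass: groupOfURLs
#   cn: everyone
#   mail: everyone@example.com
#   memberURL: ldap:///ou=Mail,o=example,c=com?mail?sub?(&(accountStatus=active)(!(objectClass=groupOfURLs)))
#
# Unlike the referral in the thread, the URL carries all four parts:
#   base   ou=Mail,o=example,c=com
#   attrs  mail   (per ldap_table(5), URL recursion only returns attributes
#                  named in the URL that are also listed in result_attribute)
#   scope  sub
#   filter active accounts only, and no group objects, so the expansion
#          returns users and never the group entry itself
# The filter is evaluated by the LDAP server, not by Postfix.

# --- main.cf (legacy "ldap:everyone" parameter style used in the thread) ---
virtual_alias_maps = ldap:everyone
everyone_server_host = ldaps://localhost
everyone_version = 3
everyone_search_base = ou=Mail,o=example,c=com

# Finds the group entry by its own address.
everyone_query_filter = (mail=%s)

# Attribute returned as the expansion result.
everyone_result_attribute = mail

# Attribute whose values are DNs or LDAP URLs to search recursively.
# This is the definition missing from the configuration in the thread.
everyone_special_result_attribute = memberURL
```

The map can be checked outside of mail delivery with `postmap -q everyone@example.com ldap:everyone`, which should print the member addresses.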