ADVICE: Best Practice - Usernames with Domain components

Nick Piggott
Hello,

Here's my setup:
* Ubuntu 18.04 LTS
* Postfix 3.3.0
* Mailutils 3.4
* Samba 4.7.6
* Active Directory (provided by Samba)

My usernames are of the format:
* DOMAIN\username

I can separately maintain a list of mappings between DOMAIN\username
and username.

Here are the problems I'm looking to solve appropriately:
* mail - sends the origination user as "DOMAIN\username", which
postfix provides onto the destination mail exchanger, which rejects it
as being an incorrect format
* postfix - is configured with:
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
which flattens the return address to "domain\username", and creates a
mailbox in /var/mail as "domain\username". When the user types "mail"
to read their email, it opens "DOMAIN\username", so they never see
their newly received messages.

Things I have tried:
* Using
sender_canonical_maps = hash:\etc\postfix\sender_canonical
to change a specific DOMAIN\username to username. It didn't work,
although I could see it parsing sender_canonical.db when sending. The
exact line was
DOMAIN\\username : username
Postfix still provided "DOMAIN\username" as the originator to the
destination mail exchanger.
* Using
recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
to convert a specific username back to DOMAIN\username. That failed
because the output is still casefolded to domain\username before
writing to the mailbox file.

Questions:
* Am I trying the right approach to rewriting the originating email
address from DOMAIN\username to username? What am I potentially
missing to get it working?
* As postfix will always fold the return address to lowercase (because
of the local_recipient_maps filter), should I just softlink together
the mailbox files DOMAIN\username and domain\username in /var/mail, or
is there a solution I can put into postfix to revert back to
DOMAIN\username before outputting to the mail file?

Thanks in advance,

--
Nick
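
Added example, not part of Nick's message: a small Python check for the mailbox mismatch described above, listing spool files whose names match an account only after lowercasing. The function name, the account names and the temporary spool directory are constructed for illustration.

```python
import os
import tempfile


def find_casefold_mismatches(accounts, spool_dir):
    """Return (account, mailbox) pairs where a spool file matches an
    account name only after lowercasing, never exactly."""
    exact = set(accounts)
    folded = {}
    for name in accounts:
        folded.setdefault(name.lower(), []).append(name)

    mismatches = []
    for mailbox in sorted(os.listdir(spool_dir)):
        if mailbox in exact:
            continue  # exact match: nothing to report
        for account in folded.get(mailbox.lower(), []):
            mismatches.append((account, mailbox))
    return mismatches


def demo():
    # Constructed sample data: account names as the system reports them,
    # and a throwaway directory standing in for /var/mail.
    accounts = ["DOMAIN\\alice", "DOMAIN\\bob", "root"]
    with tempfile.TemporaryDirectory() as spool:
        for mailbox in ["domain\\alice", "DOMAIN\\bob", "root"]:
            open(os.path.join(spool, mailbox), "w").close()
        return find_casefold_mismatches(accounts, spool)


if __name__ == "__main__":
    for account, mailbox in demo():
        print(f"{account!r} has mail delivered to {mailbox!r}")
```

On a real host, pass the account names from `getent passwd` and `/var/mail` as the spool directory.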

Re: ADVICE: Best Practice - Usernames with Domain components

mj
Hi,

I have read your mail, and we're using a setup similar to yours (samba,
postfix, debian) and we're using 'regular' usernames, without the domain
prefix.

Sometimes, but only in windows, we specify a domain name to make clear
to windows that we mean the DOMAIN account username, and not a local
account, or DOMAINB\username.

But in common practice, we never log in anywhere with DOMAIN\username

And we also never have the issues you are describing, and no need for
mappings of any kind.

Are you *sure* you need your usernames in that format?

MJ


On 26/05/2020 13:50, Nick Piggott wrote:

> Hello,
>
> Here's my setup:
> * Ubuntu 18.04 LTS
> * Postfix 3.3.0
> * Mailutils 3.4
> * Samba 4.7.6
> * Active Directory (provided by Samba)
>
> My usernames are of the format:
> * DOMAIN\username
>
> I can separately maintain a list of mappings between DOMAIN\username
> and username.
>
> Here are the problems I'm looking to solve appropriately:
> * mail - sends the origination user as "DOMAIN\username", which
> postfix provides onto the destination mail exchanger, which rejects it
> as being an incorrect format
> * postfix - is configured with:
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> which flattens the return address to "domain\username", and creates a
> mailbox in /var/mail as "domain\username". When the user types "mail"
> to read their email, it opens "DOMAIN\username", so they never see
> their newly received messages.
>
> Things I have tried:
> * Using
> sender_canonical_maps = hash:\etc\postfix\sender_canonical
> to change a specific DOMAIN\username to username. It didn't work,
> although I could see it parsing sender_canonical.db when sending. The
> exact line was
> DOMAIN\\username : username
> Postfix still provided "DOMAIN\username" as the originator to the
> destination mail exchanger.
> * Using
> recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
> to convert a specific username back to DOMAIN\username. That failed
> because the output is still casefolded to domain\username before
> writing to the mailbox file.
>
> Questions:
> * Am I trying the right approach to rewriting the originating email
> address from DOMAIN\username to username? What am I potentially
> missing to get it working?
> * As postfix will always fold the return address to lowercase (because
> of the local_recipient_maps filter), should I just softlink together
> the mailbox files DOMAIN\username and domain\username in /var/mail, or
> is there a solution I can put into postfix to revert back to
> DOMAIN\username before outputting to the mail file?
>
> Thanks in advance,
>

Re: ADVICE: Best Practice - Usernames with Domain components

Nick Piggott
Hi,

I'm not able to suppress the DOMAIN element of the username part on *this* machine.

All the machines in the AD have a directive in their /etc/samba/smb.conf file
winbind use default domain = yes
however this doesn't work on this machine acting as the AD-DC, and looking at the Samba mailing lists, this is by design, and unlikely to change. It does work on the workstations (where users are just shown as their username).

So one "workaround" would be to work out how to suppress the DOMAIN through Samba / Winbind on this machine. But I have not been able to achieve that at all, so that's why I'm looking to fix it around postfix.

Nick


On Tue, 26 May 2020 at 13:49, mj <[hidden email]> wrote:
> Hi,
>
> I have read your mail, and we're using a setup similar to yours (samba,
> postfix, debian) and we're using 'regular' usernames, without the domain
> prefix.
>
> Sometimes, but only in windows, we specify a domain name to make clear
> to windows that we mean the DOMAIN account username, and not a local
> account, or DOMAINB\username.
>
> But in common practice, we never log in anywhere with DOMAIN\username
>
> And we also never have the issues you are describing, and no need for
> mappings of any kind.
>
> Are you *sure* you need your usernames in that format?
>
> MJ
>
>
> On 26/05/2020 13:50, Nick Piggott wrote:
> Hello,
>
> Here's my setup:
> * Ubuntu 18.04 LTS
> * Postfix 3.3.0
> * Mailutils 3.4
> * Samba 4.7.6
> * Active Directory (provided by Samba)
>
> My usernames are of the format:
> * DOMAIN\username
>
> I can separately maintain a list of mappings between DOMAIN\username
> and username.
>
> Here are the problems I'm looking to solve appropriately:
> * mail - sends the origination user as "DOMAIN\username", which
> postfix provides onto the destination mail exchanger, which rejects it
> as being an incorrect format
> * postfix - is configured with:
> local_recipient_maps = proxy:unix:passwd.byname $alias_maps
> which flattens the return address to "domain\username", and creates a
> mailbox in /var/mail as "domain\username". When the user types "mail"
> to read their email, it opens "DOMAIN\username", so they never see
> their newly received messages.
>
> Things I have tried:
> * Using
> sender_canonical_maps = hash:\etc\postfix\sender_canonical
> to change a specific DOMAIN\username to username. It didn't work,
> although I could see it parsing sender_canonical.db when sending. The
> exact line was
> DOMAIN\\username : username
> Postfix still provided "DOMAIN\username" as the originator to the
> destination mail exchanger.
> * Using
> recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
> to convert a specific username back to DOMAIN\username. That failed
> because the output is still casefolded to domain\username before
> writing to the mailbox file.
>
> Questions:
> * Am I trying the right approach to rewriting the originating email
> address from DOMAIN\username to username? What am I potentially
> missing to get it working?
> * As postfix will always fold the return address to lowercase (because
> of the local_recipient_maps filter), should I just softlink together
> the mailbox files DOMAIN\username and domain\username in /var/mail, or
> is there a solution I can put into postfix to revert back to
> DOMAIN\username before outputting to the mail file?
>
> Thanks in advance,
>


--
Nick

Re: ADVICE: Best Practice - Usernames with Domain components

mj
Hi,

So, do I understand correctly that you are running postfix/mailutils etc
directly on your ADDC, and you are using 'local' (=winbind) users?

Then probably I would change that: not use local users, but make
everything mail-related talk to ldap only, and don't use local users.

Also...perhaps consider running it on a separate machine. (perhaps even
a VM on your samba ADDC)

MJ

On 5/27/20 12:40 PM, Nick Piggott wrote:

> Hi,
>
> I'm not able to suppress the DOMAIN element of the username part on
> *this* machine.
>
> All the machines in the AD have a directive in their /etc/samba/smb.conf
> file
> winbind use default domain = yes
> however this doesn't work on this machine acting as the AD-DC, and
> looking at the Samba mailing lists, this is by design, and unlikely to
> change. It does work on the workstations (where users are just shown as
> their username).
>
> So one "workaround" would be to work out how to suppress the DOMAIN
> through Samba / Winbind on this machine. But I have not been able to
> achieve that at all, so that's why I'm looking to fix it around postfix.
>
> Nick
>
>
> On Tue, 26 May 2020 at 13:49, mj <[hidden email]> wrote:
>
>     Hi,
>
>     I have read your mail, and we're using a setup similar to yours (samba,
>     postfix, debian) and we're using 'regular' usernames, without the domain
>     prefix.
>
>     Sometimes, but only in windows, we specify a domain name to make clear
>     to windows that we mean the DOMAIN account username, and not a local
>     account, or DOMAINB\username.
>
>     But in common practice, we never log in anywhere with DOMAIN\username
>
>     And we also never have the issues you are describing, and no need for
>     mappings of any kind.
>
>     Are you *sure* you need your usernames in that format?
>
>     MJ
>
>
>     On 26/05/2020 13:50, Nick Piggott wrote:
>      > Hello,
>      >
>      > Here's my setup:
>      > * Ubuntu 18.04 LTS
>      > * Postfix 3.3.0
>      > * Mailutils 3.4
>      > * Samba 4.7.6
>      > * Active Directory (provided by Samba)
>      >
>      > My usernames are of the format:
>      > * DOMAIN\username
>      >
>      > I can separately maintain a list of mappings between DOMAIN\username
>      > and username.
>      >
>      > Here are the problems I'm looking to solve appropriately:
>      > * mail - sends the origination user as "DOMAIN\username", which
>      > postfix provides onto the destination mail exchanger, which rejects it
>      > as being an incorrect format
>      > * postfix - is configured with:
>      > local_recipient_maps = proxy:unix:passwd.byname $alias_maps
>      > which flattens the return address to "domain\username", and creates a
>      > mailbox in /var/mail as "domain\username". When the user types "mail"
>      > to read their email, it opens "DOMAIN\username", so they never see
>      > their newly received messages.
>      >
>      > Things I have tried:
>      > * Using
>      > sender_canonical_maps = hash:\etc\postfix\sender_canonical
>      > to change a specific DOMAIN\username to username. It didn't work,
>      > although I could see it parsing sender_canonical.db when sending. The
>      > exact line was
>      > DOMAIN\\username : username
>      > Postfix still provided "DOMAIN\username" as the originator to the
>      > destination mail exchanger.
>      > * Using
>      > recipient_canonical_maps = hash:\etc\postfix\recipient_canonical
>      > to convert a specific username back to DOMAIN\username. That failed
>      > because the output is still casefolded to domain\username before
>      > writing to the mailbox file.
>      >
>      > Questions:
>      > * Am I trying the right approach to rewriting the originating email
>      > address from DOMAIN\username to username? What am I potentially
>      > missing to get it working?
>      > * As postfix will always fold the return address to lowercase (because
>      > of the local_recipient_maps filter), should I just softlink together
>      > the mailbox files DOMAIN\username and domain\username in /var/mail, or
>      > is there a solution I can put into postfix to revert back to
>      > DOMAIN\username before outputting to the mail file?
>      >
>      > Thanks in advance,
>      >
>
>
>
> --
> Nick