Designing a proper postfix/dovecot LMTP/LDAP layout


Designing a proper postfix/dovecot LMTP/LDAP layout

Franta Noska
I want to replace an old Sendmail server with a new one running Postfix. And although
I have read some documentation and howtos, I'm still disoriented by the
vast array of possibilities in Postfix itself and its interaction with
other pieces. Here is what I have:

- mailserver will be the target for two domains (old surviving and current new)

- users, their aliases and mail groups are in remote LDAP DB with schema
/objects/values as:

USERS:
dn: cn=username, ou=rank, o=myorg
cn: username
objectClass: Person
gidNumber: uNNN
uidNumber: gNNN
userPassword: (somehow hashed, only bind verification)
homeDirectory: /Home/$rank/$username
mailActive:  0/1
mail: user1@NewDomain
mail: user2@OldDomain    (not all users have an old address)
uid: username
groupMembership: group DN (can be multiple times for different groups)

For users in objectClass = Person the following applies:
- cn == uid, but user1, user2 and username are not necessarily the same
- users have uidNumber and gidNumber, but they are almost unusable, because
   they start from 100 (thus overlapping with system account IDs)
- homeDirectory has no meaning for the mailserver machine itself - there will
   be only an administrator account.
- an absent or zero mailActive item causes mail to be rejected

Users can have a mail alias with LDAP in form:
----------------------------------------------
dn: cn=alias, ou=Alias, o=myorg
objectClass: aliasObject
cn: alias
aliasedObjectName: user object DN

and finally there can be mail groups defined as:
------------------------------------------------
dn: cn=groupname, ou=Groups, o=myorg
cn: groupname
mailActive:  0/1       (meaning same as for users)
objectClass: groupOfNames
member: user DN
....


And my idea is:
- postfix MTA (v3.2.4) with some milters (milters not essential)
- dovecot (v2.3.0) IMAP server and LMTP deliver (with Sieve)
- postfix, dovecot, user's mail folders on one machine (Centos 7 Linux)

What will be the most appropriate layout for this scenario?

I have a number of unclear areas what is best:

- local users or virtual users?
  (I think it will be best when the whole mail directory tree is owned
  by one user account (vmail in a lot of howtos), but is it really best?)

- mail folders should be in the form '/someTopDir/$username/.mail/' ?
  (because it isn't possible to have a domain part, as the user can have two
  mail addresses in different domains)

- which transport to choose (whether one of something like
local_transport = lmtp:unix:/var/run/dovecot/dovecot-lmtp
virtual_transport = lmtp:unix:/var/run/dovecot/dovecot-lmtp
mailbox_transport = lmtp:unix:/var/run/dovecot/dovecot-lmtp
or something else?)

- which maps are needed and how to define them?

- and finally, how to configure dovecot LMTP delivery?

Any recommendations or instructions are highly appreciated.
Thanks, Franta

Re: Designing a proper postfix/dovecot LMTP/LDAP layout

Viktor Dukhovni


> On Feb 6, 2018, at 9:05 AM, Franta Noska <[hidden email]> wrote:
>
> - mailserver will be the target for two domains (old surviving and current new)
>
> - users, their aliases and mail groups are in remote LDAP DB with schema
> /objects/values as:
>
> USERS:
> dn: cn=username, ou=rank, o=myorg
> cn: username
> objectClass: Person
> gidNumber: uNNN
> uidNumber: gNNN
> userPassword: (somehow hashed, only bind verification)
> homeDirectory: /Home/$rank/$username
> mailActive:  0/1
> mail: user1@NewDomain
> mail: user2@OldDomain    (not all users have an old address)
> uid: username
> groupMembership: group DN (can be multiple times for different groups)

I would recommend against an LDAP schema with a multi-valued "mail"
attribute.  This attribute is generally used to hold the user's
*primary* email address (e.g. used for canonicalization) and should
be single valued.  You should store all the user's addresses (possibly
including a second copy of "mail" for simplicity of queries) as:

        mail: user1@NewDomain
        mailAlternateAddress: user1@NewDomain
        mailAlternateAddress: user1@OldDomain

> Users can have a mail alias with LDAP in form:
> ----------------------------------------------
> dn: cn=alias, ou=Alias, o=myorg
> objectClass: aliasObject
> cn: alias
> aliasedObjectName: user object DN

A much simpler and cleaner form of aliasing, when
the target is just a single user, is to add more
"mailAlternateAddress" values to the user object,
rather than create separate alias objects.

Avoid the above.


> and finally there can be mail groups defined as:
> ------------------------------------------------
> dn: cn=groupname, ou=Groups, o=myorg
> cn: groupname
> mailActive:  0/1       (meaning same as for users)
> objectClass: groupOfNames
> member: user DN
> ....

This is fine, but I would give mail groups an email address:

        mail: groupname@someDomain

with the group defined in that particular domain, and
not just implicitly all local domains.  That way also,
not all unix groups are necessarily email groups.

> And my idea is:
> - postfix MTA (v3.2.4) with some milters (milters not essential)
> - dovecot (v2.3.0) IMAP server and LMTP deliver (with Sieve)
> - postfix, dovecot, user's mail folders on one machine (Centos 7 Linux)
>
> What will be the most appropriate layout for this scenario?

As much as possible avoid local aliases(5) and use virtual(5)
aliases instead.  Specifically, when an alias expands to
other email addresses, make it a virtual alias.  Use local
aliases(5) just for things that expand to "|pipes",
"/files" and ":include:/paths".

> - local users or virtual users?
>  (I think best will be when all mail directory tree will be owned
>  by one user account (vmail in lot howtos), but it's really best?)

I'd go with virtual users generally, unless some users really
want control via .forward files.  You can use virtual aliases
to rewrite some mailboxes into a local domain.

> - mail folders should be in form '/someTopDir/$username/.mail/' ?
>  (because isn't possible have domain part, as the user can have two
>  mail addresses in different domains)

If a mailbox has a primary domain, you could still use that.

--
        Viktor.
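As an added worked example (not configuration from the thread, and not taken from the Postfix or Dovecot documentation), here is one way to lay out the virtual-user scenario along the lines Viktor recommends: a single-valued `mail` as the primary address, `mailAlternateAddress` holding every address the user may receive at, Postfix validating and canonicalising recipients through two LDAP tables, and Dovecot LMTP delivering into a tree owned by one `vmail` account. The LDAP host `ldap.example.com`, the service bind DNs, the domain names `new.example.com` and `old.example.com`, the `/var/vmail` path and the `vmail` account are assumptions; the Dovecot `%{ldap:uid}` attribute template is the Dovecot 2.2+ syntax and is likewise an assumption to be checked against the installed version.

```conf
# ---- /etc/postfix/main.cf (excerpt; added example, domains and paths are assumptions)
# Both domains are virtual; every recipient must resolve through the LDAP tables.
virtual_mailbox_domains = new.example.com, old.example.com
virtual_transport       = lmtp:unix:/var/run/dovecot/dovecot-lmtp
# Recipient validation: unknown or deactivated users are rejected at RCPT TO.
virtual_mailbox_maps    = ldap:/etc/postfix/ldap-users.cf
# Canonicalisation: any alternate address is rewritten to the primary "mail".
virtual_alias_maps      = ldap:/etc/postfix/ldap-user-aliases.cf

# ---- /etc/postfix/ldap-users.cf
server_host   = ldap.example.com
version       = 3
bind          = yes
bind_dn       = cn=postfix,ou=Services,o=myorg
bind_pw       = BIND-PASSWORD-PLACEHOLDER
search_base   = o=myorg
scope         = sub
# Match the primary address or any alternate, but only for active users:
# an entry without mailActive=1 is "not found", so mail for it is rejected.
query_filter  = (&(objectClass=Person)(mailActive=1)(|(mail=%s)(mailAlternateAddress=%s)))
# virtual_mailbox_maps only needs a non-empty value; returning the primary
# address keeps "postmap -q" output meaningful when testing.
result_attribute = mail

# ---- /etc/postfix/ldap-user-aliases.cf
server_host   = ldap.example.com
version       = 3
bind          = yes
bind_dn       = cn=postfix,ou=Services,o=myorg
bind_pw       = BIND-PASSWORD-PLACEHOLDER
search_base   = o=myorg
scope         = sub
# Because "mail" is copied into mailAlternateAddress, the primary address maps
# to itself (which ends the expansion) and every alternate maps to the primary.
query_filter  = (&(objectClass=Person)(mailActive=1)(mailAlternateAddress=%s))
result_attribute = mail

# ---- /etc/dovecot/conf.d/10-master.conf (excerpt): the socket Postfix delivers to
service lmtp {
  unix_listener /var/run/dovecot/dovecot-lmtp {
    user  = postfix
    group = postfix
    mode  = 0600
  }
}

# ---- /etc/dovecot/dovecot-ldap.conf.ext (excerpt)
hosts    = ldap.example.com
dn       = cn=dovecot,ou=Services,o=myorg
dnpass   = BIND-PASSWORD-PLACEHOLDER
base     = o=myorg
# userPassword only allows bind verification, so locate the entry with the
# service account and then bind as the user's own DN with the IMAP password.
auth_bind   = yes
pass_filter = (&(objectClass=Person)(mailActive=1)(mail=%u))
# LMTP arrives with the canonical primary address as the user name.
user_filter = (&(objectClass=Person)(mailActive=1)(mail=%u))
# One tree, one owner: /var/vmail/<uid>/.mail owned by vmail, whichever domain
# the address is in; the LDAP uidNumber/gidNumber are deliberately not used.
user_attrs  = =home=/var/vmail/%{ldap:uid}, =mail=maildir:~/.mail, =uid=vmail, =gid=vmail
```

Each table can be checked before it goes live with `postmap -q user1@old.example.com ldap:/etc/postfix/ldap-user-aliases.cf`, which should print the primary address, and an address of a user with `mailActive: 0` should print nothing. The `ldap-*.cf` files carry the bind password, so they should be readable only by root and the postfix group (`chmod 640`, `chgrp postfix`), not world-readable.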


Re: Designing a proper postfix/dovecot LMTP/LDAP layout

Franta Noska
Hi Viktor,
thanks for your advice. I now have an "almost working" configuration, but
still some problems with mail groups - because of what you warned me
about. In more detail below:

On Wed, 7 Feb 2018 12:27:25 -0500
Viktor Dukhovni <[hidden email]> wrote:

> > On Feb 6, 2018, at 9:05 AM, Franta Noska <[hidden email]> wrote:
> >
> > - mailserver will be the target for two domains (old surviving and current new)
> >
> > - users, their aliases and mail groups are in remote LDAP DB with schema
> > /objects/values as:
> >
> > USERS:
> > dn: cn=username, ou=rank, o=myorg
> > cn: username
> > objectClass: Person
> > gidNumber: uNNN
> > uidNumber: gNNN
> > userPassword: (somehow hashed, only bind verification)
> > homeDirectory: /Home/$rank/$username
> > mailActive:  0/1
> > mail: user1@NewDomain
> > mail: user2@OldDomain    (not all users have an old address)
> > uid: username
> > groupMembership: group DN (can be multiple times for different groups)  
>
> I would recommend against an LDAP schema with a multi-valued "mail"
> attribute.  This attribute is generally used to hold the user's
> *primary* email address (e.g. used for canonicalization) and should
> be single valued.  You should store all the user's addresses (possibly
> including a second copy of "mail" for simplicity of queries) as:
>
> mail: user1@NewDomain
> mailAlternateAddress: user1@NewDomain
> mailAlternateAddress: user1@OldDomain

It is difficult for me to set this in this fashion. But perhaps I
can impose the end of using the old domain.


> > Users can have a mail alias with LDAP in form:
> > ----------------------------------------------
> > dn: cn=alias, ou=Alias, o=myorg
> > objectClass: aliasObject
> > cn: alias
> > aliasedObjectName: user object DN  
>
> A much simpler and cleaner form of aliasing, when
> the target is just a single user is to add more
> "mailAlternateAddress" values to the user object,
> rather than create separate alias objects.
>
> Avoid the above.

See below

> > and finally there can be mail groups defined as:
> > ------------------------------------------------
> > dn: cn=groupname, ou=Groups, o=myorg
> > cn: groupname
> > mailActive:  0/1       (meaning same as for users)
> > objectClass: groupOfNames
> > member: user DN
> > ....  
>
> This is fine, but I would give mail groups an email address:
>
> mail: groupname@someDomain
>
> with the group defined in that particular domain, and
> not just implicitly all local domains.  That way also,
> not all unix groups are necessarily email groups.

It is probably that stumbling block that made me decide
between local and virtual users. I did not mention that in my previous
e-mail - the LDAP DB which I'm using is not my work, I did not propose it,
nor do I manage it, and I probably cannot influence it anyway. It is LDAP
exported from Novell NDS on one of our Novell Netware servers, and I would
not want to modify it unless it is absolutely necessary.

And now I have a problem building an aliases map on top of it, just because
its mail does not contain a complete address.
What I need is something like this:

1) Is the domain in the recipient address the same as mine? If not, I do not have
to go ahead, and return as if the LDAP alias did not exist.

2) If the recipient's domain part is the same as mine, then I'll look for a
record in the LDAP group tables where 'cn' is the same as the user part
of the recipient address (%n).

Please, is this somehow solvable? Can I in Postfix take this '%d' part
of the recipient address and make a decision according to the result of
a comparison with e.g. some string or Postfix variable?


> > And my idea is:
> > - postfix MTA (v3.2.4) with some milters (milters not essential)
> > - dovecot (v2.3.0) IMAP server and LMTP deliver (with Sieve)
> > - postfix, dovecot, user's mail folders on one machine (Centos 7 Linux)
> >
> > What will be the most appropriate layout for this scenario?  
>
> As much as possible avoid local aliases(5) and use virtual(5)
> aliases instead.  Specifically, when an alias expands to
> other email addresses, make it a virtual alias.  Use local
> aliases(5) just for things that expand to "|pipes",
> "/files" and ":include:/paths".

'As much as possible' - and when it isn't possible, is there some
solution?


> > - local users or virtual users?
> >  (I think best will be when all mail directory tree will be owned
> >  by one user account (vmail in lot howtos), but it's really best?)  
>
> I'd go with virtual users generally, unless some users really
> want control via .forward files.  You can use virtual aliases
> to rewrite some mailboxes into a local domain.

IMO .forward files are not necessary, as Dovecot LMTP in cooperation
with Sieve is able to do forwarding, vacation autoreply etc.



> > - mail folders should be in form '/someTopDir/$username/.mail/' ?
> >  (because isn't possible have domain part, as the user can have two
> >  mail addresses in different domains)  
>
> If a mailbox has a primary domain, you could still use that.
>

Thanks, Franta
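The two-step lookup described in the last post (first gate on the recipient's domain, then match the local part against the group `cn`) maps onto the `domain` and `%u` features of a Postfix ldap_table(5). The following is an added example, not configuration from the thread or from the Postfix project; it assumes the same `ldap.example.com` host, service bind DN and `new.example.com` domain as above, and a user schema whose `mail` attribute is single-valued as Viktor recommended.

```conf
# ---- /etc/postfix/main.cf (excerpt): group expansion is a second virtual alias table
virtual_alias_maps = ldap:/etc/postfix/ldap-user-aliases.cf, ldap:/etc/postfix/ldap-groups.cf

# ---- /etc/postfix/ldap-groups.cf (added example; host, DNs and domain are assumptions)
server_host  = ldap.example.com
version      = 3
bind         = yes
bind_dn      = cn=postfix,ou=Services,o=myorg
bind_pw      = BIND-PASSWORD-PLACEHOLDER
search_base  = ou=Groups,o=myorg
scope        = one
# Step 1 of the question: only fully qualified recipients in this domain are
# looked up at all.  Any other domain, or a bare local part, returns "not
# found" without contacting the LDAP server, so the alias simply does not exist.
domain       = new.example.com
# Step 2: %u is the local part of the recipient, matched against the group cn.
# Inactive groups are "not found", so mail to them is rejected like inactive users.
query_filter = (&(objectClass=groupOfNames)(mailActive=1)(cn=%u))
# "member" holds DNs, not addresses: Postfix follows each DN (recursively, for
# members that are themselves groups) and returns the primary "mail" of each
# leaf entry.  The default result_attribute (maildrop) does not exist in this
# schema, so the group entry itself contributes no address of its own.
special_result_attribute = member
leaf_result_attribute    = mail
```

Two caveats a practitioner would check. First, `leaf_result_attribute = mail` returns every value of `mail` on each member entry, so with the original multi-valued schema a member holding both `user1@NewDomain` and `user2@OldDomain` would be expanded to both addresses; either keep `mail` single-valued or make the tables agree on one address per user before relying on group expansion. Second, Postfix escapes the LDAP filter metacharacters in `%s`, `%u` and `%d` before substituting them into `query_filter`, so a crafted recipient local part cannot change the shape of the filter; the `domain` gate additionally keeps lookups for foreign domains off the directory server entirely. If the directory can ever be extended, Viktor's suggestion of a `mail: groupname@new.example.com` attribute on the group lets the filter become `(&(objectClass=groupOfNames)(mailActive=1)(mail=%s))` with no `domain` gate needed.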