substitution variables in ldap query_filter


substitution variables in ldap query_filter

John Heim-3
I have a problem with a mail relay I inherited (I mention that because I'm
kind of ignorant). I need to make it work so that mail to addresses like
[hidden email] work.

Right now, we use the canonical feature to rewrite the header. The problem
is that as a result, the ldap lookup is never done. So then mail to invalid
addresses like [hidden email] are rewritten as
[hidden email] and relayed on. That results in a bounce by the main
server whereas I'd rather the ldap lookup gets done so the mail can be
rejected by the relay.

I emailed my predecessor about this and he suggested I get rid of the
canonical rewrite and set up the ldap search to work for addresses like
[hidden email].

Okay, so I re-read the ldap howto and I see that you can use other
substitution variables besides %s. I'm thinking my query_filter could be
(mail=%u@%3.%2.%1)

But rather than poking and hoping and possibly breaking my mta in the mean
time, I was hoping someone could direct me to some examples of use of these
substitution variables.


--
John Heim
[hidden email] / 608-263-4189
"An operator of a vehicle shall stop the vehicle before approaching closer
than 10 feet to a pedestrian who is using a service animal"
-- Wisconsin Statute 2005 Act 354,


Re: substitution variables in ldap query_filter

Victor Duchovni
On Wed, May 14, 2008 at 09:36:48AM -0500, John Heim wrote:

> I have a problem with a mail relay I inherited (I mention that because I'm
> kind of ignorant). I need to make it work so that mail to addresses like
> [hidden email] work.
>
> Right now, we use the canonical feature to rewrite the header. The problem
> is that as a result, the ldap lookup is never done. So then mail to invalid
> addresses like [hidden email] are rewritten as
> [hidden email] and relayed on. That results in a bounce by the main
> server whereas I'd rather the ldap lookup gets done so the mail can be
> rejected by the relay.

You can do *non-wildcard* canonical rewriting, and this won't break
recipient validation.

        domain = legacy.example.com
        query_filter = mail=%[hidden email]
        result_attribute = mail

> Okay, so I re-read the ldap howto and I see that you can use other
> substitution variables besides %s. I'm thinking my query_filter could be
> (mail=%u@%3.%2.%1)
>
> But rather than poking and hoping and possibly breaking my mta in the mean
> time, I was hoping someone could direct me to some examples of use of these
> substitution variables.

The variables are documented in ldap_table(5). You can also restrict
which domains are in scope via the "domain" list.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

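The expansion rules that ldap_table(5) documents for query_filter, as an added example that is not part of the thread and not Postfix's own code: a simplified Python model of %s, %u, %d and %1..%9 with RFC 4515 (formerly RFC 2254) escaping and the "domain" list. The function names, the sample addresses and the exact-match domain check are assumptions made for the illustration.

```python
import re

class Suppressed(Exception):
    """Raised when an expansion cannot be satisfied; the query is then skipped."""

def ldap_escape(value):
    # RFC 4515 (formerly RFC 2254): escape filter metacharacters as \XX
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_query_filter(template, key, domains=None):
    """Return the expanded filter, or None when the lookup is suppressed."""
    local, at, domain = key.rpartition("@")
    if not at:                      # bare key without a domain part
        local, domain = key, ""
    if domains is not None:
        # "domain" list: only fully qualified keys in a listed domain are looked up
        # (assumption: exact, case-insensitive match)
        if not local or domain.lower() not in domains:
            return None
    labels = domain.split(".")[::-1] if domain else []   # %1 = rightmost label

    def repl(match):
        code = match.group(1).lower()   # %S %U %D behave like %s %u %d here
        if code == "%":
            return "%"
        if code == "s":
            return ldap_escape(key)
        if code == "u":
            return ldap_escape(local)   # whole key when there is no domain
        if code == "d":
            if not domain:
                raise Suppressed
            return ldap_escape(domain)
        n = int(code)
        if n > len(labels):             # fewer than n domain components
            raise Suppressed
        return ldap_escape(labels[n - 1])

    try:
        return re.sub(r"%([%sudSUD1-9])", repl, template)
    except Suppressed:
        return None

if __name__ == "__main__":
    # Constructed sample keys; no LDAP server is contacted.
    for key in ("jdoe@mail.example.com", "jdoe@example.com", "a*)(uid=*@mail.example.com"):
        print(key, "->", expand_query_filter("(mail=%u@%3.%2.%1)", key))
```

In this model a filter that uses %3 produces no query at all for an address whose domain has only two components, so such a recipient is simply not found.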
Re: substitution variables in ldap query_filter

John Heim-3

----- Original Message -----
From: "Victor Duchovni" <[hidden email]>
Cc: <[hidden email]>
Sent: Wednesday, May 14, 2008 11:06 AM
> You can do *non-wildcard* canonical rewriting, and this won't break
> recipient validation.
>
> domain = legacy.example.com
> query_filter = mail=%[hidden email]
> result_attribute = mail


I'm a bit confused. These are ldap parameters, right? So I'd change main.cf
from:

canonical_maps = regexp:/etc/postfix/canonical

to

canonical_maps = ldap:/etc/postfix/canonical



So postfix would do an ldap lookup to rewrite the headers. But then would it
do a second ldap lookup to validate the recipient?


Re: substitution variables in ldap query_filter

Victor Duchovni
On Wed, May 14, 2008 at 01:45:07PM -0500, John Heim wrote:

>
> ----- Original Message -----
> From: "Victor Duchovni" <[hidden email]>
> Cc: <[hidden email]>
> Sent: Wednesday, May 14, 2008 11:06 AM
> >You can do *non-wildcard* canonical rewriting, and this won't break
> >recipient validation.
> >
> >domain = legacy.example.com
> >query_filter = mail=%[hidden email]
> >result_attribute = mail
>
>
> I'm a bit confused. These are ldap parameters, right? So I'd change main.cf
> from:
>
> canonical_maps = regexp:/etc/postfix/canonical
>
> to
>
> canonical_maps = ldap:/etc/postfix/canonical
>

Yes.

> So postfix would do an ldap lookup to rewrite the headers. But then would
> it do a second ldap lookup to validate the recipient?

Rewriting happens after access control. Your wildcard canonical
mapping was suppressing the validation lookup in virtual_alias_maps
(relay_recipient_maps, ...). This additional lookup will now take place.

LDAP (replica dedicated for mail) should not be a noticeable bottleneck.
Don't over-optimize the LDAP lookups.

--
        Viktor.
