John Heim | 14 May 16:36

substitution variables in ldap query_filter

I have a problem with a mail relay I inherited (I mention that because I'm 
kind of ignorant). I need to make it work so that mail to addresses like 
jheim <at> vulcan.math.wisc.edu works.

Right now, we use the canonical feature to rewrite the header. The problem 
is that as a result, the ldap lookup is never done. So then mail to invalid 
addresses like spock <at> vulcan.math.wisc.edu are rewritten as 
spock <at> math.wisc.edu and relayed on. That results in a bounce by the main 
server whereas I'd rather the ldap lookup gets done so the mail can be 
rejected by the relay.

I emailed my predecessor about this and he suggested I get rid of the 
canonical rewrite and set up the ldap search to work for addresses like 
jheim <at> vulcan.math.wisc.edu.

Okay, so I re-read the ldap howto and I see that you can use other 
substitution variables besides %s. I'm thinking my query_filter could be
(mail=%u@%3.%2.%1)

But rather than poking and hoping and possibly breaking my mta in the mean 
time, I was hoping someone could direct me to some examples of use of these 
substitution variables.

--
John Heim
jheim <at> math.wisc.edu / 608-263-4189
"An operator of a vehicle shall stop the vehicle before approaching closer 
than 10 feet to a pedestrian who is using a service animal"
-- Wisconsin Statute 2005 Act 354,


Victor Duchovni | 14 May 18:06

Re: substitution variables in ldap query_filter

On Wed, May 14, 2008 at 09:36:48AM -0500, John Heim wrote:

> I have a problem with a mail relay I inherited (I mention that because I'm 
> kind of ignorant). I need to make it work so that mail to addresses like 
> jheim <at> vulcan.math.wisc.edu works.
> 
> Right now, we use the canonical feature to rewrite the header. The problem 
> is that as a result, the ldap lookup is never done. So then mail to invalid 
> addresses like spock <at> vulcan.math.wisc.edu are rewritten as 
> spock <at> math.wisc.edu and relayed on. That results in a bounce by the main 
> server whereas I'd rather the ldap lookup gets done so the mail can be 
> rejected by the relay.

You can do *non-wildcard* canonical rewriting, and this won't break
recipient validation.

	domain = legacy.example.com
	query_filter = mail=%u@current.example.com
	result_attribute = mail

> Okay, so I re-read the ldap howto and I see that you can use other 
> substitution variables besides %s. I'm thinking my query_filter could be
> (mail=%u@%3.%2.%1)
> 
> But rather than poking and hoping and possibly breaking my mta in the mean 
> time, I was hoping someone could direct me to some examples of use of these 
> substitution variables.

The variables are documented in ldap_table(5). You can also restrict
which domains are in scope via the "domain" list.
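
An added example, not part of the thread and not Postfix code: a small Python model of the query_filter expansion rules documented in ldap_table(5), applied to the two filters discussed above. The names `quote` and `expand_filter` are hypothetical, and the "domain" list is modelled as exact names only.

```python
import re

# ldap_table(5): substituted values are RFC 2254 quoted before use in the filter.
RFC2254 = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29"}

def quote(value):
    return "".join(RFC2254.get(ch, ch) for ch in value)

def expand_filter(query_filter, key, domains=None):
    """Expand %s, %u, %d, %1..%9 and %% for one lookup key.

    Returns the filter string, or None when the lookup is suppressed.
    `domains` models the table's "domain" list (assumption: exact names only).
    """
    local, at, domain = key.rpartition("@")
    qualified = bool(at)
    if domains is not None and not (qualified and local and domain.lower() in domains):
        return None  # with a domain list, only user@listed-domain keys are queried
    # %1 is the most significant label: for user@mail.example.com it is "com".
    labels = domain.split(".")[::-1] if qualified else []
    suppressed = False

    def substitute(match):
        nonlocal suppressed
        code = match.group(1)
        if code == "%":
            return "%"
        if code == "s":
            return quote(key)
        if code == "u":  # local part, or the whole key when it is unqualified
            return quote(local if qualified else key)
        if code == "d" and qualified:
            return quote(domain)
        if code.isdigit() and int(code) <= len(labels):
            return quote(labels[int(code) - 1])
        suppressed = True  # %d or %N that the key cannot satisfy
        return ""

    expanded = re.sub(r"%([%sud1-9])", substitute, query_filter)
    return None if suppressed else expanded

if __name__ == "__main__":
    # Constructed keys, run against the two filters from the thread.
    for flt, key, doms in [
        ("(mail=%u@%3.%2.%1)", "jheim@vulcan.math.wisc.edu", None),
        ("(mail=%u@%3.%2.%1)", "jheim@wisc.edu", None),
        ("mail=%u@current.example.com", "spock@legacy.example.com", {"legacy.example.com"}),
        ("(mail=%s)", "a*)(uid=*@example.com", None),
    ]:
        print(f"{key!r:32} -> {expand_filter(flt, key, doms)}")
```

Because the numbered components count from the right, `%3.%2.%1` keeps the last three labels of the recipient domain and drops anything to their left; a key with fewer than three labels produces no query at all.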

John Heim | 14 May 20:45

Re: substitution variables in ldap query_filter


----- Original Message ----- 
From: "Victor Duchovni" <Victor.Duchovni <at> morganstanley.com>
Cc: <postfix-users <at> postfix.org>
Sent: Wednesday, May 14, 2008 11:06 AM
> You can do *non-wildcard* canonical rewriting, and this won't break
> recipient validation.
>
> domain = legacy.example.com
> query_filter = mail=%u@current.example.com
> result_attribute = mail

I'm a bit confused. These are ldap parameters, right? So I'd change main.cf 
from:

canonical_maps = regexp:/etc/postfix/canonical

to

canonical_maps = ldap:/etc/postfix/canonical

So postfix would do an ldap lookup to rewrite the headers. But then would it 
do a second ldap lookup to validate the recipient? 

Victor Duchovni | 14 May 20:50

Re: substitution variables in ldap query_filter

On Wed, May 14, 2008 at 01:45:07PM -0500, John Heim wrote:

> 
> ----- Original Message ----- 
> From: "Victor Duchovni" <Victor.Duchovni <at> morganstanley.com>
> Cc: <postfix-users <at> postfix.org>
> Sent: Wednesday, May 14, 2008 11:06 AM
> >You can do *non-wildcard* canonical rewriting, and this won't break
> >recipient validation.
> >
> >domain = legacy.example.com
> >query_filter = mail=%u@current.example.com
> >result_attribute = mail
> 
> 
> I'm a bit confused. These are ldap parameters, right? So I'd change main.cf 
> from:
> 
> canonical_maps = regexp:/etc/postfix/canonical
> 
> to
> 
> canonical_maps = ldap:/etc/postfix/canonical
> 

Yes.

> So postfix would do an ldap lookup to rewrite the headers. But then would 
> it do a second ldap lookup to validate the recipient? 
