Victor Duchovni wrote:
On Thu, Jul 24, 2008 at 07:48:51PM +0200, mouss wrote:
Victor Duchovni wrote:
[snip]
Listen carefully when Wietse and I recommend "proxymap".
Step 1: migrate to "proxy:ldap:" tables
Step 2: debug any problems that remain after Step 1.
A question here. Is there a reason why proxymap wouldn't be the default
(so people would have to exclude maps instead of listing the ones that
use the proxymap service)?
The only tables in a default Postfix configuration are (I compile with
"cdb" as the default_database_type):
    alias_database = cdb:/etc/mail/aliases
    alias_maps = cdb:/etc/mail/aliases
    authorized_flush_users = static:anyone
    authorized_mailq_users = static:anyone
    authorized_submit_users = static:anyone
    local_recipient_maps = proxy:unix:passwd.byname $alias_maps
Any other tables are user defined. You seem to suggest that all "ldap",
"mysql", ... tables be automatically proxied, even when defined as:
    foo_maps = ldap:/some/table.cf
how would one specify an unproxied table? If we want to force all
LDAP and *SQL to be proxied when allowed, we'd need to revise the
dict_open() interface, so that clients can specify tables that
must not be proxied for security reasons, and also the map type
registration interface, so that appropriate types are marked for
auto-proxy.
It is not obvious how proxy_read_maps will come to have the right value
when people use custom tables. I don't know that it is safe to allow
proxymap() to be "promiscuous" and allow any table to be opened.
I meant something like
    dont_proxy_maps =
        ldap:/this/one
        mysql:/that/one
        ...
This would not allow one to use the same map with and without proxy
depending on context (where it is used), but I don't think there is a
real use case for such a thing.
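
Added example, not part of the thread and not Postfix code: a small audit of a main.cf that reports LDAP/SQL tables still opened without "proxy:" and "proxy:" tables that proxy_read_maps does not cover, which is the allow-list concern raised above. The sample main.cf, its .cf paths and the function names are constructed for illustration; the script assumes proxy_read_maps is set explicitly in the file and does not model Postfix's built-in default for it.

```python
import re

# Constructed main.cf fragment (not from the thread); the .cf paths are made up.
SAMPLE_MAIN_CF = """\
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
transport_maps = proxy:mysql:/etc/postfix/mysql-transport.cf
alias_maps = cdb:/etc/mail/aliases
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
proxy_read_maps = $local_recipient_maps
    $virtual_alias_maps
"""
NETWORK_TYPES = {"ldap", "mysql", "pgsql"}  # the LDAP and *SQL types the thread discusses

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def expand(value, params, depth=0):
    """Expand $name and ${name} references; the depth bound stops reference loops."""
    if depth > 10:
        return value
    ref = lambda m: expand(params.get(m.group(1), ""), params, depth + 1)
    return re.sub(r"\$\{?(\w+)\}?", ref, value)

def tables(value):
    return [t for t in re.split(r"[\s,]+", value) if ":" in t]

def audit(text):
    """Return (unproxied network tables, proxy: tables missing from proxy_read_maps)."""
    params = parse_main_cf(text)
    read_maps = params.pop("proxy_read_maps", "")
    allowed = {t for t in tables(expand(read_maps, params)) if t.startswith("proxy:")}
    unproxied, not_allowed = [], []
    for name, value in params.items():
        for t in tables(expand(value, params)):
            if t.split(":", 1)[0] in NETWORK_TYPES:
                unproxied.append((name, t))
            elif t.startswith("proxy:") and t not in allowed:
                not_allowed.append((name, t))
    return unproxied, not_allowed
```

On the constructed sample, virtual_mailbox_maps is reported as an unproxied LDAP table and transport_maps as a "proxy:" table that proxy_read_maps does not list.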