Hi Viktor,
thanks for your advice. I now have an "almost working" configuration, but
still some problems with mail groups, because of what you warned me
about. More details below:

On Wed, 7 Feb 2018 12:27:25 -0500
Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Feb 6, 2018, at 9:05 AM, Franta Noska <frano...@stavebninyberanek.cz> 
> > wrote:
> > 
> > - mailserver will be the target for two domains (old surviving and current 
> > new)
> > 
> > - users, their aliases and mail groups are in remote LDAP DB with schema
> > /objects/values as:
> > 
> > USERS:
> > dn: cn=username, ou=rank, o=myorg
> > cn: username
> > objectClass: Person
> > gidNumber: uNNN
> > uidNumber: gNNN
> > userPassword: (somehow hashed, only bind verification)
> > homeDirectory: /Home/$rank/$username
> > mailActive:  0/1 
> > mail: user1@NewDomain
> > mail: user2@OldDomain    (not all users have old address]
> > uid: username
> > groupMembership: group DN   (can be multiple times for different groups)  
> 
> I would recommend against an LDAP schema with a multi-valued "mail"
> attribute.  This attribute is generally used to hold the user's
> *primary* email address (e.g. used for canonicalization) and should
> be single valued.  You should store all the user's addresses (possibly
> including a second copy of "mail" for simplicity of queries) as:
> 
>       mail: user1@NewDomain
>       mailAlternateAddress: user1@NewDomain
>       mailAlternateAddress: user1@OldDomain

It is difficult for me to set it up in this fashion. But perhaps I
can enforce an end to using the old domain.


> > Users can have a mail alias with LDAP in form:
> > ----------------------------------------------
> > dn: cn=alias, ou=Alias, o=myorg
> > objectClass: aliasObject
> > cn: alias
> > aliasedObjectName: user object DN  
> 
> A much simpler and cleaner form of aliasing, when
> the target is just a single user is to add more
> "mailAlternateAddress" values to the user object,
> rather than create separate alias objects.
> 
> Avoid the above.

See below

> > and finally there can be mail groups defined as:
> > ------------------------------------------------
> > dn: cn=groupname, ou=Groups, o=myorg
> > cn: groupname
> > mailActive:  0/1       (meaning same as for users)
> > objectClass: groupOfNames
> > member: user DN
> > ....  
> 
> This is fine, but I would give mail groups an email address:
> 
>       mail: groupname@someDomain
> 
> with the group defined in that particular domain, and
> not just implicitly all local domains.  That way also,
> not all unix groups are necessarily email groups.

That is probably the stumbling block, the thing that made me decide
between local and virtual users. I did not mention it in my previous
e-mail: the LDAP DB which I'm using is not my work, I did not propose it,
nor do I manage it, and I probably cannot influence it anyway. It is LDAP
exported from Novell NDS on one of our Novell Netware servers, and I would
not want to modify it unless it is absolutely necessary.

And now I have a problem building an aliases map on top of it, just because
its mail does not contain a complete address.
What I need is something like this:

1) Is the domain in the recipient address the same as mine? If not, I do not
need to go further and can return as if the LDAP alias did not exist.

2) If the recipient's domain part is the same as mine, then I'll look for
a record in the LDAP group tables where 'cn' is the same as the user part
of the recipient address (%n).

Please, is this somehow solvable? Can I, in Postfix, take this '%d' part
of the recipient address and make a decision according to the result of a
comparison with e.g. some string or Postfix variable?


> > And my idea is:
> > - postfix MTA (v3.2.4) with some milters (milters not essential)
> > - dovecot (v2.3.0) IMAP server and LMTP deliver (with Sieve)
> > - postfix, dovecot, user's mail folders on one machine (Centos 7 Linux)
> > 
> > What will be the most appropriate layout for this scenario?  
> 
> As much as possible avoid local aliases(5) and use virtual(5)
> aliases instead.  Specifically, when an alias expands to
> other email addresses, make it a virtual alias.  Use local
> aliases(5) just for things that expand to "|pipes",
> "/files" and ":include:/paths".

'As much as possible' and when it isn't possible - is there some
solution?


> > - local users or virtual users?
> >  (I think best will be when all mail directory tree will be owned
> >  by one user account (vmail in lot howtos), but it's really best?)  
> 
> I'd go with virtual users generally, unless some users really
> want control via .forward files.  You can use virtual aliases
> to rewrite some mailboxes into a local domain.

IMO .forward files are not necessary, as Dovecot LMTP in cooperation
with Sieve is able to do forwarding, vacation autoreply etc.



> > - mail folders should be in form '/someTopDir/$username/.mail/' ?
> >  (because isn't possible have domain part, as the user can have two
> >  mail addresses in different domains)  
> 
> If a mailbox has a primary domain, you could still use that.
> 

Thanks, Franta
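As an added example (not part of this thread or of Viktor's reply), here is an ldap_table(5) configuration showing how the two checks in the question map onto Postfix parameters: the `domain` parameter does the domain comparison before any LDAP search, and `%u` supplies the local part for the `cn` match. The file path, server name and anonymous bind are assumptions; NewDomain and OldDomain are the thread's placeholders.

```ini
# /etc/postfix/ldap-groups.cf  (assumed path; constructed example)
# Referenced from main.cf as:
#   virtual_alias_maps = ldap:/etc/postfix/ldap-groups.cf
server_host = ldap.example.org
version = 3
bind = no
search_base = ou=Groups, o=myorg

# Step 1 of the question: search only for recipients in these domains.
# For any other domain (or a bare "user" key with no domain) Postfix
# skips the LDAP query entirely, which is the "return as if the alias
# did not exist" behaviour.  Listing domains here is also what makes
# the %u and %d expansions below meaningful.
domain = NewDomain, OldDomain

# Step 2: match the group whose cn equals the local part (%u) of the
# recipient, and only if the group is flagged active (mailActive is 0/1
# in this directory).
query_filter = (&(objectClass=groupOfNames)(cn=%u)(mailActive=1))

# The group entry carries no address itself; its "member" values are
# user DNs.  special_result_attribute makes Postfix follow each DN and
# read result_attribute ("mail") from the member entries.
special_result_attribute = member
result_attribute = mail
```

Caveat for this directory: because users carry a multi-valued `mail` attribute, a member with both a NewDomain and an OldDomain address expands to two recipients, so the group would deliver twice to that user; this is the duplicate-delivery problem Viktor's single-valued `mail` recommendation avoids.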
