Re: Postfix with virtual domains and the username
On 03.02.2011 00:27, Matt wrote:
> On Wed, Feb 2, 2011 at 5:31 PM, Mauricio Tavares raubvo...@gmail.com wrote:
>> On Wed, Feb 2, 2011 at 5:10 PM, Matt mhop...@gmail.com wrote:
>>> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
>>> On the old server we login with: username.domain.com
>>> On the new server Postfix is configured to allow login as: usern...@domain.com
>>> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?
>>
>> What are you using to do the authentication? And, when you mean logging in do you mean to check mail (IMAP/POP3) or to send mail (SMTP AUTH)?
>
> I am using dovecot. I mean IMAP/POP3 and SMTP. It's really not a big deal if I need to use the @ sign, I just figured if I could do both it would ease the transition.

Maybe this helps: http://wiki1.dovecot.org/MainConfig?highlight=(auth_username_translation)

Re: Postfix with virtual domains and the username
On Wed, Feb 02, 2011 at 05:10:08PM -0500, Matt wrote:
> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
> On the old server we login with: username.domain.com
> On the new server Postfix is configured to allow login as: usern...@domain.com
> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?

Postfix does not process SASL user-names, they are opaque strings returned by the SASL library. If your SASL drivers support multiple login names for the same user account, then Postfix will accept either, since all the work is done by the SASL library.

If you use smtpd_sender_login_maps, you'll need to list all the variant names for each login in that table.

--
Viktor.

Re: Postfix with virtual domains and the username
On Wed, Feb 2, 2011 at 5:10 PM, Matt mhop...@gmail.com wrote:
> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
> On the old server we login with: username.domain.com
> On the new server Postfix is configured to allow login as: usern...@domain.com
> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?

What are you using to do the authentication? And, when you mean logging in do you mean to check mail (IMAP/POP3) or to send mail (SMTP AUTH)?

Re: Postfix with virtual domains and the username
On 2/2/2011 5:25 PM, Victor Duchovni wrote:
> On Wed, Feb 02, 2011 at 05:10:08PM -0500, Matt wrote:
>> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
>> On the old server we login with: username.domain.com
>> On the new server Postfix is configured to allow login as: usern...@domain.com
>> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?
>
> Postfix does not process SASL user-names, they are opaque strings returned by the SASL library. If your SASL drivers support multiple login names for the same user account, then Postfix will accept either, since all the work is done by the SASL library.
>
> If you use smtpd_sender_login_maps, you'll need to list all the variant names for each login in that table.

If you use dovecot for imap/pop3, you should compile postfix with CFLAG -DDEF_SERVER_SASL_TYPE=\"dovecot\"

Then, dovecot does allow you to configure the auth to do what you like, such as resolving sasl_username to the real username in mysql/postgre. Look at the wiki2 of dovecot for the configuration of service parameter, such as service auth { config here }. Using the config, you can include a small bash script, as part of the auth process, to transform the username using if statements. Such as:

    if [ "${USER}" != "" ]; then
        USER=$(sed ${USER})
    fi

You're not limited to bash, just to stdin stdout :) This was really ingenious of Timo, one maintainer of dovecot as it allowed us to store a bunch of criteria for security, such as the ip address logging in, the last login time, etc.

Jerrale G.
SC Senior Admin

Re: Postfix with virtual domains and the username
On Wed, Feb 02, 2011 at 05:48:20PM -0500, Jerrale G wrote:
> If you use dovecot for imap/pop3, you should compile postfix with CFLAG -DDEF_SERVER_SASL_TYPE=\"dovecot\"
>
> Then, dovecot does allow you to configure the auth to do what you like, such as resolving sasl_username to the real username in mysql/postgre.

This is incorrect in numerous ways. First, the argument to make makefiles is CCARGS, not CFLAG. Details DO matter.

Second, the required CCARGS is only -DUSE_SASL_AUTH. The '-DDEF_SERVER_SASL_TYPE=\"dovecot\"' is merely to set a default value for smtpd_sasl_type.

Third, how Postfix is or is not compiled has no bearing at all on how Dovecot SASL works.

Documented here: http://www.postfix.org/SASL_README.html#build_dovecot

--
Offlist mail to this address is discarded unless /dev/rob0 or not-spam is in Subject: header

Re: Postfix with virtual domains and the username
On Wed, Feb 2, 2011 at 5:31 PM, Mauricio Tavares raubvo...@gmail.com wrote:
> On Wed, Feb 2, 2011 at 5:10 PM, Matt mhop...@gmail.com wrote:
>> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
>> On the old server we login with: username.domain.com
>> On the new server Postfix is configured to allow login as: usern...@domain.com
>> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?
>
> What are you using to do the authentication? And, when you mean logging in do you mean to check mail (IMAP/POP3) or to send mail (SMTP AUTH)?

I am using dovecot. I mean IMAP/POP3 and SMTP. It's really not a big deal if I need to use the @ sign, I just figured if I could do both it would ease the transition.

Re: Postfix with virtual domains and the username
On 2/2/2011 6:27 PM, Matt wrote:
> On Wed, Feb 2, 2011 at 5:31 PM, Mauricio Tavares raubvo...@gmail.com wrote:
>> On Wed, Feb 2, 2011 at 5:10 PM, Matt mhop...@gmail.com wrote:
>>> I'm working on replacing an ageing Postfix install with a new server. On the old and new server we use virtual domains.
>>> On the old server we login with: username.domain.com
>>> On the new server Postfix is configured to allow login as: usern...@domain.com
>>> I'd actually rather prefer the new format, however, for ease of transition is there a way I can configure Postfix to allow the . and even better yet, to allow either?
>>
>> What are you using to do the authentication? And, when you mean logging in do you mean to check mail (IMAP/POP3) or to send mail (SMTP AUTH)?
>
> I am using dovecot. I mean IMAP/POP3 and SMTP. It's really not a big deal if I need to use the @ sign, I just figured if I could do both it would ease the transition.

I'll expand on what Viktor said a bit in case it helps put you in the right direction. Are you using PostgreSQL / MySQL for the Dovecot / SASL query as well as any followup virtual user Postfix (mailbox mapping) queries? If so (all of!) the SQL scripts need only be updated to accept both login formats. For example if you are currently doing, in the dovecot SASL driver:

    password_query = SELECT password from my_users where local_part = '%n' and domain_part = '%d'

then you would need to do some string manipulation to grandfather in the old format:

    password_query = SELECT password from my_users where local_part = '%n' and domain_part = '%d'
      UNION SELECT password from my_users where local_part = LEFT('%n', POSITION('%n', '.')-1)
      and domain_part = MID('%n',...etc.)

Warning that such mappings are full of fencepost errors and gotchas, so work through all the cases. Make this code temporary; it's ugly. Policy-wise, maybe better to force users to upgrade to reasonable MUA settings now. Like I said in my post to Ignacio, I'm an advocate of paying the short term pain now in the name of a solid design. Users NEED the e-mail so they'll have to fix their MUA.

Anyway, I'm not going to debug or perfect anything here, just sketching the main idea. SQL has plenty of useful dynamic functions; it is not relegated to returning unprocessed table data.

Note in particular that the old format is pretty broken, because: for example with the username daniel.bromb...@example.com, the old format would be daniel.bromberg.example.com, thus in my simplistic code above, 'bromberg.example.com' would be interpreted as the domain! It is also broken because '%d' cannot be gleaned from the login string, which would need to contain the '@'.

As Viktor said, focus on the translation layer, as Postfix is totally neutral to how these maps work. Think like a programmer, not a configurator*, and design the mapping function any way you want.

-Daniel

*You should never think like a configurator, because that's not even a word.
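
Added example (not part of any post in this thread, and not Postfix or Dovecot code): one way to resolve the old dotted login against the list of hosted virtual domains instead of splitting at the first dot, refusing any login that could mean two mailboxes, and to produce the smtpd_sender_login_maps lines with both login variants that Viktor's reply calls for. The domain list, the accounts and all function names are assumptions made up for the illustration.

```python
# Constructed sample data: hosted virtual domains and existing mailboxes.
HOSTED_DOMAINS = {"example.com", "mail.example.com", "example.org"}
ACCOUNTS = {"daniel.bromberg@example.com", "matt@example.org",
            "bob@mail.example.com", "bob.mail@example.com"}


def candidate_addresses(login, domains=HOSTED_DOMAINS):
    """Return every user@domain that a login string could stand for."""
    login = login.strip().lower()
    if "@" in login:
        local, _, domain = login.rpartition("@")
        return [login] if local and domain in domains else []
    found = []
    # Try each dot as the separator; the right-hand side must be a hosted
    # domain, so 'bromberg.example.com' is never taken as the domain part.
    for i, ch in enumerate(login):
        if ch == "." and i > 0 and login[i + 1:] in domains:
            found.append(login[:i] + "@" + login[i + 1:])
    return found


def resolve(login, accounts=ACCOUNTS, domains=HOSTED_DOMAINS):
    """Map a login to exactly one existing mailbox, or None when it is
    unknown or ambiguous (never pick between two accounts)."""
    hits = [a for a in candidate_addresses(login, domains) if a in accounts]
    return hits[0] if len(hits) == 1 else None


def legacy_login(address):
    """Old-style login for an address: the '@' written as '.'."""
    return address.replace("@", ".", 1)


def sender_login_map_lines(accounts=ACCOUNTS, domains=HOSTED_DOMAINS):
    """Lines for an smtpd_sender_login_maps table: the sender address, then
    the SASL login names that own it. The legacy name is listed only when it
    resolves back to this same mailbox."""
    lines = []
    for addr in sorted(accounts):
        logins = [addr]
        old = legacy_login(addr)
        if resolve(old, accounts, domains) == addr:
            logins.append(old)
        lines.append(f"{addr}\t{', '.join(logins)}")
    return lines


if __name__ == "__main__":
    print("\n".join(sender_login_map_lines()))
```

With this sample data the legacy login bob.mail.example.com matches two mailboxes, so it resolves to nothing and neither account gets a legacy entry in the table.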