I need some experienced Dovecot and email administrators to give me some feedback on a project which has been assigned to me.
First some background. What exists now at our college:
Three email gateway systems that route email between the Internet and one of the student email system, the staff email system, or the email list server system. The gateway systems do not route email from an external system to another external system. The MTA on each gateway is Postfix. The MTA of the student email system is Luminis. The MUA of the student email system is a web interface to Luminis. The MTA of the staff email system is Exchange. There are two staff MUAs. One is Outlook. The other is Outlook Web Access.
Within our network we have a system (separate from the above) that is an LDAP server used for implementing single sign-on to many college systems, including the student and staff email systems. At this time SASL is not used in any way. There is no authentication of the movement of email. Authentication is only for using an MUA.
It is now proposed that certain staff members should be allowed to be at some remote location and compose an email which will be sent to SOMETHING at our college which will then cause two things to happen.
First, the From: information and Reply-To: information will be rewritten from whatever they may be to become that person's college email address.
Second, the email will then be routed to an intended recipient be it within our community or outside of our community.
For example, if the college president were with a member of the state legislature trying to get information for the state governor, she could send an email via her personal phone system to a college financial person, who would never see her personal address. Upon receiving a reply, she could then send the state governor an email and it would appear to the governor as if it came from her college account.
I have been told by my management other colleges are doing this with Postfix and SASL. I posted a question about this to a Postfix list and I was told Dovecot was the best SASL to use for implementing this.
So, the project as it has been described to me is this:
We will make no changes to the three gateway systems. We will add a new gateway system to enable this. This new system will challenge all email being sent to it. It will collect the college account name and the password, which will then be used to see if there is a matching account in the LDAP system. If there is not, then the email transfer conversation will quit. If there is a matching account, then the header rewrites will occur and the email will be routed.
There are many things I do not understand:
Is this scenario possible?
Would Postfix on the new system do the address rewrites, or would Dovecot do it?
What would store the information necessary for the reply routing?
What would happen in one-internal-address-to-many-external-addresses situations?
If the project was simplified by removing the ability to reply to an email, so it was only a way to route external to external with rewrite, is it then possible?
So, I would like some comment on whether this is a common or known practice and whether Dovecot is used in those situations (if any).
Thank you.
--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
On Tue, 30 Mar 2010, Robert Lopez wrote:
> First, the From: information and Reply-To: information will be rewritten from whatever they may be to become that person's college email address.
> Second, the email will then be routed to an intended recipient, be it within our community or outside of our community.
Third, the envelope sender (MAIL FROM in the SMTP protocol) is to be rewritten.
> Is this scenario possible?
Yes.
> Would Postfix on the new system do the address rewrites, or would Dovecot do it?
Postfix, because this is a service of an MTA. Postfix needs SASL to authenticate users, then a user DB to get the user information (aka mail address) from.
> What would store the information necessary for the reply routing?
I don't understand this. You have to configure postfix, to replace header information. IMHO Postfix should not care about whether this is "reply" information or anything else.
> What would happen in one-internal-address-to-many-external-addresses situations?
You meddle with sender information in all situations (VIP -> internal, VIP -> external), so no problem.
> If the project was simplified by removing the ability to reply to an email, so it was only a way to route external to external with rewrite, is it then possible?
It makes no difference; per RFC nobody has the right to send mails "without the ability to reply to" except for DSNs. ;-)
I cannot help you with your postfix configuration, because I don't use it.
Regards,
Steffen Kaiser
On Tue, Mar 30, 2010 at 11:50:42AM -0600, Robert Lopez wrote:
> It is now proposed that certain staff members should be allowed to be at some remote location and compose an email which will be sent to SOMETHING at our college which will then cause two things to happen.
> First, the From: information and Reply-To: information will be rewritten from whatever they may be to become that person's college email address.
> Second, the email will then be routed to an intended recipient, be it within our community or outside of our community.
Well, this is all stuff which happens on receipt of mail to SOMETHING@yourcollege. The best place to do this is in the MTA. Postfix might be able to do this; Exim definitely can (it's the Swiss army knife of MTAs :-). Certainly any header and envelope rewriting you want can be done, and it can be database-driven.
But have you thought, how is the "intended recipient" going to be decided? Via telepathy perhaps? :-)
Consider: the president (sending from her hotmail account, hotsox@hotmail.com) wants to send a mail to fred@example.com. She could send a mail to presidents-rewriter@college.com, but then the rewriter would have no idea that it was for fred@example.com.
You could go back to the 1980's and use source-routed addresses like
fred%example.com@president.college.com
I suspect she wouldn't like having to do that.
Or you could get the president to configure her account to send all outbound mail via your SMTP server, and use SMTP AUTH to identify herself. The mail server knows her identity so can then rewrite her From: header appropriately before relaying it.
But if you're going to all that trouble to configure her MUA, you could also configure her MUA to send the correct From: header too, which makes the whole exercise pointless.
If the requirement is for the president to be able to send mails from a cybercafe, maybe you should just set up your own webmail service she can login to. There are many webmail frontends which can talk IMAP to Dovecot.
> Is this scenario possible?
Based on the above, I think you need to make your requirements clearer :-)
> Would Postfix on the new system do the address rewrites, or would Dovecot do it?
Header rewriting and mail delivery is nothing to do with Dovecot. (Well, there is Dovecot LDA with Sieve filtering, which can do a very limited series of actions just before the mail gets added to the mailbox, but I don't think that's what you want)
> What would store the information necessary for the reply routing?
That could be in a flat file, or a .db file, or custom attributes in an LDAP database, or SQL, or ...
Regards,
Brian.
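To make concrete the split both replies describe (Postfix does the SASL challenge and the rewriting, Dovecot only supplies the authentication back end, and the submitting MUA uses SMTP AUTH so the server knows who is sending), here is an added example configuration. It is not from the original thread and is not CNM's actual setup; it assumes Dovecot 2.x configuration syntax (the thread predates Dovecot 2.0), a Postfix submission listener on port 587 with a TLS certificate already in place, a working LDAP passdb/userdb in Dovecot, and the hypothetical addresses president@college.edu and hotsox@hotmail.com from Brian's example. The security-relevant part is the sender login map together with reject_authenticated_sender_login_mismatch: it binds each SASL login to the addresses it may submit as, so an authenticated staff member cannot submit mail that gets rewritten into someone else's college address.

```conf
# ---- /etc/postfix/master.cf (assumed submission listener) ----
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sender_login_maps=hash:/etc/postfix/sender_login
  -o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=rewrite_cleanup

# separate cleanup instance so the rewrite applies only to submitted mail,
# never to mail arriving on port 25
rewrite_cleanup unix n  -       n       -       0       cleanup
  -o sender_canonical_maps=hash:/etc/postfix/sender_canonical
  -o sender_canonical_classes=envelope_sender,header_sender

# ---- /etc/postfix/sender_login (run "postmap hash:/etc/postfix/sender_login") ----
# sender address (as presented, before rewriting) -> SASL logins allowed to use it
hotsox@hotmail.com      president
president@college.edu   president

# ---- /etc/postfix/sender_canonical (run "postmap hash:/etc/postfix/sender_canonical") ----
# personal address -> college address; applied to MAIL FROM and to the
# sender headers (From:, Sender:, Reply-To:) by the header_sender class
hotsox@hotmail.com      president@college.edu

# ---- /etc/dovecot/conf.d/10-master.conf (Dovecot 2.x syntax) ----
# Postfix smtpd talks to this socket (relative to its chroot) for SASL
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# ---- /etc/dovecot/conf.d/10-auth.conf ----
auth_mechanisms = plain login
!include auth-ldap.conf.ext
```

Two points worth checking before relying on this. First, Postfix canonical maps are keyed on the address being rewritten, not on the SASL login name, so every personal address a staff member will submit from must appear in both maps; `postmap -q hotsox@hotmail.com hash:/etc/postfix/sender_canonical` confirms a lookup. Second, because the president submits through the college server with a normal MUA (phone client, Outlook at home) and supplies the real recipient in RCPT TO, the "how does the rewriter know the intended recipient" problem Brian raises does not arise; and since From: and Reply-To: both become the college address, replies land in her college mailbox, which is the behaviour Robert wanted from the reply path without any extra state to store.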