Hi Francis
Generally I avoid 'top posting', but as I've only a couple of things to add:
Re: SpamAssassin and integrations: You can see the choices I made by
visiting here: https://rockstablesystems.com/home/mail/ It's still a
preview; people who on a bad day have better grammar than mine on a good
day have yet to fix it up.
Re: DNS: I found that, in order to be thought 'best in class' / 'best
practices', DNS, with DNSSEC, had to be fully integrated, to include
DMARC, SPF, the lot. If you're willing to leave a couple of high-security
check-boxes unchecked (which for many relaxed and non-financial
applications might be a very reasonable thing), using 'other people's DNS'
is just fine. Here's a screenshot that will give you an idea about
what I did:
https://rockstablesystems.b-cdn.net/wp-content/uploads/2022/03/ActiveUserScreenshot.png
Over the many, many years I've been involved with this category of
effort, I've learned, when using complex open source systems over time:
getting something that works, and getting something that's maintainable
over time, are wholly different things. You either have days set aside to
fix what 'the next release' of such as freeipa breaks, or you 'color
within the lines that are their standard' and provide what's missing using
other packages and avenues.
Keep us posted on your progress!
Harry
On 4/20/22 13:04, Francis Augusto Medeiros-Logeay wrote:
On 2022-04-20 16:39, Harry G. Coin via FreeIPA-users wrote:
> Hi Francis
Hi Harry,
Thanks a lot for your input on this!
> I integrated freeipa with postfix/dovecot, and many other anti-spam /
> address validation capabilities. I can tell you -- it's quite a bumpy
> ride.
I can imagine. Did you put SpamAssassin on LDAP as well?
> A 'good plan' has more to do with your model of how 'real
> people' would expect to map onto domains, accounts and the like. To
> do it properly, there has to be pretty tight integration into DNS,
> with a fair few administrative accounts and related records and a
> whole bunch of support packages. It's possible to do well, but it's
> a way bigger project than the relationship between freeipa and
> postfix.
The domain issue is important, and I am still trying to think of a
model that will be flexible and straightforward at the same time:
- using DNS zones as the authoritative source for valid domains for
mailboxes, or
- relying entirely on a domain container in LDAP for mail domains.
I am inclined towards the latter, thus not having an integration with DNS.
My main idea was a model where existing FreeIPA users with a `mail`
attribute would have mailboxes. That would be a paradigm I would like
to keep. So if there's a need for a mailbox called
"[email protected]", "contact" would need to be a user.
Groups would be treated like aliases, but I could think that for many
use cases, groups would also need a mailbox.
> For example, many business users have a concept of 'their primary
> email address' with secondary addresses that might 'float' among
> staffers (techsupport@ productspecialistfoo@ info@). You might
> require those to be separate users with separate email boxes, or
> 'groups' and then have to deal with passwords, etc. Also secondary
> addresses that appear later that allow for name changes (
> jsmith@domain also gets email for jjones@domain). Another issue is
> whether to allow 'one email bucket' to get email from 'secondary
> domains entirely' and not just different accounts within the domain,
> for example [email protected] [email protected] are
> aliases for [email protected]
I believe that this could be solved with aliases, and that's where the
bulk of the project lies, actually.
What I think of is a postfixadmin-like interface on FreeIPA to
administer virtual domains and virtual accounts. Virtual accounts
would necessarily have a `mail` (or `maildrop`) attribute that
corresponds to a real mailbox.
Address validation would be a bit of a concern, as there's no
guarantee that the `mail` attribute of a user would contain a domain
that is configured on postfix, but maybe that can be done on the query
side.
> It goes on, but big picture, the tradeoff is admin setup-time vs
> admin-management time vs user-account setup time. I find users, with
> their many various devices and so on, generally want 'one account with
> one password' they can set up for all their devices, then have 'the
> system' route 'whatever from wherever' to that. Generally, not always
> of course.
That's how I think as well. That's why aliases are important here.
> Good luck!
Thank you!
Francis
You're welcome. You can see the choices I made by visiting here:
https://rockstablesystems.com/home/mail/
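Francis's design above (users with a `mail` attribute get mailboxes, groups act as aliases, and domain validation happens on the query side), as an added example that is not from the thread: two Postfix ldap_table(5) files pointed at FreeIPA's standard users and groups containers, plus the main.cf lines that wire them in. The hostname, suffix, bind DN, listed domains and the cn=mail-aliases opt-in group are assumed placeholders.

```ini
# ldap-virtual-mailboxes.cf: ldap_table(5) file for virtual_mailbox_maps.
# Added example; host, suffix, bind DN and domain list are placeholders.
server_host = ldaps://ipa.example.com
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = CHANGE_ME
search_base = cn=users,cn=accounts,dc=example,dc=com
scope = one
# Query-side domain validation: Postfix consults LDAP only for addresses
# whose domain is listed here, so a user whose `mail` value carries a
# domain Postfix does not serve never becomes a deliverable mailbox.
# Leaving `domain` unset would accept every domain found in any `mail`.
domain = example.com, example.org
# Exact match on `mail`, restricted to active users: locking an account in
# FreeIPA sets nsAccountLock=TRUE and so stops delivery immediately.
query_filter = (&(objectClass=posixAccount)(mail=%s)(!(nsAccountLock=TRUE)))
result_attribute = uid
# With Dovecot LMTP as virtual_transport only a non-empty result matters.
result_format = %s/

# ldap-virtual-aliases.cf: ldap_table(5) file for virtual_alias_maps.
# Groups act as aliases: a group whose cn equals the local part (%u) of the
# address expands to its members' `mail` attributes. Only groups nested in
# the assumed opt-in group cn=mail-aliases are honoured, so built-in groups
# such as ipausers or admins do not silently become list addresses.
server_host = ldaps://ipa.example.com
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = CHANGE_ME
search_base = cn=groups,cn=accounts,dc=example,dc=com
scope = one
domain = example.com, example.org
query_filter = (&(objectClass=ipausergroup)(cn=%u)(memberOf=cn=mail-aliases,cn=groups,cn=accounts,dc=example,dc=com))
# Member DNs are resolved in a second lookup and their `mail` returned.
result_attribute = mail
special_result_attribute = member

# main.cf fragment wiring both maps in; the domain list must match above.
virtual_mailbox_domains = example.com, example.org
virtual_mailbox_maps = ldap:/etc/postfix/ldap-virtual-mailboxes.cf
virtual_alias_maps = ldap:/etc/postfix/ldap-virtual-aliases.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
```

`postmap -q user@example.com ldap:/etc/postfix/ldap-virtual-mailboxes.cf` shows what each map returns for a given address, and an address in an unlisted domain comes back as not found without any LDAP query being sent.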
_______________________________________________
FreeIPA-users mailing list -- [email protected]