upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-26 17:49:59 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
openldap/doc/drafts/draft-lachman-ldap-mail-routing-xx.txt
Kurt Zeilenga 7ea7c51c4d Add draft-lachman-ldap-mail-routing-03.txt
1999-09-16 02:34:53 +00:00

1067 lines
43 KiB
Text
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Network Working Group H. Lachman
INTERNET-DRAFT Netscape Communications Corp.
Intended Category: Informational October 1998
Expires: April 1999
Filename: draft-lachman-ldap-mail-routing-03.txt
LDAP Schema Definitions for Intranet Mail Routing -
The mailRecipient Object Class
Status of this Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
This document is an Internet-Draft. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as ``work in progress.''
To learn the current status of any Internet-Draft, please check the
``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
Directories on ftp.is.co.za (Africa), ftp.nordu.net (Europe),
munnari.oz.au (Pacific Rim), ftp.ietf.org (US East Coast), or
ftp.isi.edu (US West Coast).
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Abstract
Directory services based on the Lightweight Directory Access Protocol
(LDAP) [1] and X.500 [2] provide a general-purpose means to store
information about users and other network entities. One of the many
possible uses of a directory service is to store information about
users' email accounts, such as their email addresses, and how
messages addressed to them should be routed. In the interest of
interoperability, it is desirable to have a common schema for such
email-related information.
This document defines an object class called 'mailRecipient' to
Lachman [Page 1]
INTERNET-DRAFT The mailRecipient Object Class October 1998
support SMTP [3] message transfer agents (MTAs) in routing RFC 822-
based email messages [4] within an organization. The intent is to
suggest a model for MTA interoperability via the directory, to
provide information about a solution that has been implemented and
deployed, and to stimulate discussion about whether and how to
standardize the functionality in question.
1. Background and Motivation
LDAP-based directory services are currently being used in many
organizations as a repository of information about users and other
network entities (such as groups of users, network resources, etc.).
Some information is stored in the directory for the consumption of
persons browsing for information (e.g., telephone numbers, postal
addresses, secretary's name). Other information (e.g., login name,
password, disk quota) is stored for use by one or more network
applications or services. This latter use of the directory suggests
the opportunity to centralize the storage and management of user
account information related to different services. In general, it is
advantageous for different network applications and services to refer
to the directory for user account information, rather than each
service keeping its own collection of user account records, which
requires the network administrator to separately create or destroy
user entities, passwords, etc., in many different systems each time a
user joins or leaves the organization. The goals of centralized user
management and sharing of information with other service types drove
our decision in the design of Netscape Messaging Server (an SMTP-
based mail server product) to use LDAP-based directory services as a
common repository for user account information.
Thus, in our implementation, all account information for a given mail
server user is stored in the directory entry that represents that
user. This includes the user's delivery options, access
restrictions, mailbox quota, and vacation status, among other things.
Now, if a given mail server can refer to the directory for its own
users' account information, it follows that that same information can
be made visible to other LDAP-aware mail servers in the same
organization, and therefore that information can aid those other mail
servers in correctly routing messages to users of the mail server in
question. This assumes that there is an agreed-upon set of per-user
attributes to support message routing among the mail servers in the
organization. If this assumption is met in our implementation, we
can obviate other means currently employed to specify per-user
message routing (such as the sendmail "aliases" database). The
benefit of this is to further consolidate per-user system
information.
If different vendors provide LDAP-aware mail server products, each
Lachman [Page 2]
INTERNET-DRAFT The mailRecipient Object Class October 1998
having its own schema for message routing, then the above benefits
can be achieved for single-vendor customers, but customers who have
multiple vendors' mail server products would not be well served.
They will likely expect interoperability, which will require a common
schema to be supported by the various vendors' products. Thus, it is
worthwhile to consider how to develop a common schema.
This document defines a schema designed to provide a means by which a
directory entry that represents a mail recipient can provide
information enabling MTAs to route messages to the recipient's "home"
MTA. This document considers only intra-enterprise SMTP message
routing using LDAP-based directory services. Solutions and issues
involving inter-enterprise routing, non-SMTP message handling, non-
LDAP directory services, and other messaging management topics not
related to message routing, are outside the scope of this document
(except that the concepts presented may also be applicable in the
case of any X.500-based directory service).
2. Overview of the Approach Implemented
In our design of Netscape Messaging Server, we identified all pieces
of per-user account information, and assigned attributes such that
the information for a given user can be held in the user's "LDAP
entry" (the directory entry representing the user in an LDAP-based
directory service). We segregated the attributes into two subsets:
those that are of interest only to the "target MTA" (i.e., the MTA
that considers the recipient to be local), and those that are of
interest to "intermediary MTAs" (i.e., MTAs that are not the target
MTA). Each subset of attributes is aggregated into an object class,
the former being 'nsMessagingServerUser' (see Appendix), and the
latter, 'mailRecipient'. It is the latter object class that is the
focus of this document.
The 'mailRecipient' object class provides attributes that may be used
to specify addressing and routing information pertaining to a given
recipient. This information may be used by an intermediary MTA to
route a message to the recipient's designated target MTA, i.e., to
the MTA that "takes responsibility" for messages to the recipient in
question. The target MTA then accepts the message and, regarding the
recipient as local, handles the message as specified by attributes
intended for use by the target MTA (such as those associated with the
'nsMessagingServerUser' object class).
Lachman [Page 3]
INTERNET-DRAFT The mailRecipient Object Class October 1998
Consider a network with three hosts that run MTAs:
+------+
local | |
handling | MDA2 |
layer | |
+------+
^
|
+------+ +------+ +------+
| | | | | |
routing | MTA1 | -----> | MTA2 | -----> | MTA3 |
layer | | | | | |
+------+ +------+ +------+
host1 host2 host3
The above illustrates a two-layer mail routing and delivery model.
The attributes provided by the 'mailRecipient' object class are used
by the lower layer (the routing layer) to support the routing of a
message to the correct target MTA. Other attributes may be used by
the upper layer, which roughly equates to what is commonly called an
MDA (message delivery agent), although the local handling may or may
not involve delivery of the message to a mailbox (e.g., the message
may be resent if the recipient is a mail group or a forwarded
account). (In this discussion, "target MTA" means "target Messaging
Server" which includes both MTA and MDA functionalities; while the
implementation is not necessarily layered internally as implied
above, the product nonetheless exhibits the functionality described.)
In our implementation, an LDAP entry that represents a mail recipient
will have two mail-related object classes, 'mailRecipient', plus an
additional one that may be used by the local handling layer to
determine the recipient type and how messages for the recipient are
to be handled on the target MTA. A mail user account will have
'mailRecipient' plus 'nsMessagingServerUser'. A mail group will have
'mailRecipient' plus 'mailGroup' [5]. An MTA need only look at
attributes associated with 'mailRecipient' to determine whether a
recipient is local, and if not, how to route the message. The
additional object class and attributes are of interest only if the
recipient is local.
(Note: While the Messaging Server fully implements this approach,
earlier versions of its account creation tool do not place all of the
above-mentioned object classes in the entries it creates. The
Messaging Server is compatible with both the old and the new object
class interpretations.)
Lachman [Page 4]
INTERNET-DRAFT The mailRecipient Object Class October 1998
A Netscape Messaging Server can route messages to recipients on other
vendors' MTAs if the users' LDAP entries have the 'mailRecipient'
object class and associated attributes. (Other vendors' MTA
implementations may or may not follow the above-described model of
indicating recipient type and MDA-level account configuration in
LDAP, since only 'mailRecipient' and associated attributes are
required for MTA-level recognition.)
Likewise, other vendors' MTAs can route messages to recipients on a
Netscape Messaging Server if they recognize and interpret the
'mailRecipient' object class and associated attributes as defined in
Sec. 3.
The intent of this model is to provide a framework within which any
vendor can define new types of mail recipients, without requiring
other vendors' implementations to have knowledge of the new recipient
types; they need only have a consistent interpretation and
application of the 'mailRecipient' object class and associated
attributes.
In short, the main advantage of the 'mailRecipient' object class is
to define a single object class that can serve to identify an LDAP
entry as an entity to which email can be addressed, and to aggregate
the attributes that can provide multivendor MTA interoperability via
the directory.
3. Object Class and Attribute Definitions
The 'mailRecipient' object class and associated attributes are
defined (using syntaxes given in [6]) as follows.
3.1 The mailRecipient Object Class
( 2.16.840.1.113730.3.2.3
NAME 'mailRecipient'
SUP top
AUXILIARY
MAY ( cn $ mail $ mailAlternateAddress $
mailHost $ mailRoutingAddress
)
)
The 'mailRecipient' object class signifies that the entry represents
an entity within the organization that can receive SMTP mail, such as
a mail user account or a mail group account (mailing list).
The 'cn' attribute (common name) is provided as a means for
administrators to identify the entry [7].
Lachman [Page 5]
INTERNET-DRAFT The mailRecipient Object Class October 1998
3.2 Address Attributes
( 0.9.2342.19200300.100.1.3
NAME 'mail'
DESC 'RFC 822 email address of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
SINGLE-VALUE
)
The attribute name 'mail' is a synonym for 'rfc822Mailbox', as
defined earlier in [8]. This attribute specifies the recipient's
"primary" or "advertised" email address, i.e., that which might
appear on a business card; for example, "user@example.com".
( 2.16.840.1.113730.3.1.13
NAME 'mailAlternateAddress'
DESC 'alternate RFC 822 email address of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
)
The 'mailAlternateAddress' attribute is used to specify alternate
email addresses, if any, for the recipient; for example,
"nickname@example.com".
When determining the disposition of a given message, an MTA may
search the directory for an entry with object class 'mailRecipient'
and a 'mail' or 'mailAlternateAddress' attribute matching the
message's recipient address. If exactly one matching entry is found,
the MTA may regard the message as being addressed to the entity that
is represented by the directory entry.
In short, address attributes may be used by an LDAP entry to answer
the question "what is/are this account's email address(es)?"
3.3 Routing Attributes
( 2.16.840.1.113730.3.1.18
NAME 'mailHost'
DESC 'fully qualified hostname of the SMTP MTA that
handles messages for this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
SINGLE-VALUE
)
The 'mailHost' attribute indicates which MTA considers the
Lachman [Page 6]
INTERNET-DRAFT The mailRecipient Object Class October 1998
recipient's mail to be locally handlable. This information can be
used for routing, in that an intermediary MTA may take it to be the
destination for messages addressed to this recipient.
( 2.16.840.1.113730.3.1.47
NAME 'mailRoutingAddress'
DESC 'RFC 822 address to use when routing messages to
the SMTP MTA of this recipient'
EQUALITY caseIgnoreIA5Match
SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
SINGLE-VALUE
)
The 'mailRoutingAddress' attribute indicates a routing address for
the recipient. An intermediary MTA may use this information to route
the message to the MTA that handles mail for this recipient.
Only one of the above two attributes need be present in order to
route messages on behalf of the recipient. The 'mailRoutingAddress'
attribute is more explicit in terms of providing an address that can
be used to rewrite the SMTP envelope recipient address. With
'mailHost', the envelope address either is not rewritten, or is
rewritten according to implementation-specific rules and/or
configuration.
In short, routing attributes may be used by an LDAP entry to answer
the question "how should MTAs route mail to this account?"
(analogous to using the sendmail "aliases" database for per-user
routing within an organization). This is in contrast with
"forwarding" (see Appendix); forwarding and delivery options may be
used by an LDAP entry to answer the question "what happens to mail
once it arrives at this account?", which may include forwarding to
some other account within or outside the organization (analogous to
using the sendmail ".forward" file).
4. MTA Implementation Details
This section provides details of the algorithms followed by the
Netscape Messaging Server as they relate to the 'mailRecipient'
object class and associated attributes. Our implementation includes
features that go beyond what is minimally needed to support the
schema defined in Section 3, and other MTA implementations need not
match our implementation in every detail in order to be interoperable
(especially since various features described here can be disabled);
but, in general, the features described here are recommended.
4.1 Finding the LDAP Entry for a Given Email Address
Lachman [Page 7]
INTERNET-DRAFT The mailRecipient Object Class October 1998
When the MTA receives a message, it attempts to determine whether
there is an LDAP entry that represents the recipient. It takes the
SMTP envelope recipient address, and performs a search in LDAP,
spanning the directory subtree specified in the configuration, for an
entry that has the object class 'mailRecipient', and has either a
'mail' or 'mailAlternateAddress' attribute matching the recipient
address in question. If exactly one match is found, this is taken to
be the LDAP entry that represents the recipient.
If there were zero matches, but the domain part of the address
matches the local MTA's hostname, we perform a fallback search with
the same address except that the domain part is truncated to not
include the host part (e.g., the search for
"user@nsmail1.example.com" is retried as "user@example.com"). This
fallback search is optional, as per the server configuration.
If there were zero matches so far, but the domain part of the address
is considered to be local (by configurable criteria), we perform a
fallback search for an LDAP entry that has object class
'mailRecipient' and a 'uid' attribute (i.e., login name; synonym for
'userid' [8]) equal to the local part of the recipient address. This
fallback search is optional, as per the server configuration.
If the MTA finds the LDAP entry representing the recipient, it
proceeds with the logic discussed in Section 4.2. Otherwise, it will
rely on other information resources to determine whether to reject
the message or route it elsewhere.
Note that LDAP entries without the 'mailRecipient' object class are
ignored (except as may be needed for backward compatibility). This
is necessary because some sites have LDAP entries that do not
represent mail recipients, but have a 'mail' attribute nonetheless.
For example, a conference room might have an LDAP entry including an
email address, telephone number, etc., that are the same as for the
secretary who books reservations for the room. In this example, the
conference room's email address is for contact information only, and
is not intended to imply that it has an email account. Therefore,
the MTA correctly ignores the conference room's LDAP entry, and
avoids producing multiple matches on the search.
4.2 Deciding Whether a Message can be Handled Locally
If the MTA has found the LDAP entry representing the recipient, as
per Section 4.1, it checks the LDAP entry's 'mailHost' value to see
if it matches the MTA's local hostname. If so, it handles the
message locally. (Note that since accounts hosted on a Netscape MTA
are expected to have a 'mailHost' value, they typically do not have a
'mailRoutingAddress' value; other implementations could make
Lachman [Page 8]
INTERNET-DRAFT The mailRecipient Object Class October 1998
different design choices, and still be compatible.)
Otherwise, it routes the message as specified by the 'mailHost' value
and/or the 'mailRoutingAddress' value. See Section 4.3 for further
details.
If the recipient's LDAP entry contains no routing information (i.e.,
no 'mailHost' nor 'mailRoutingAddress'), the MTA will bounce (reject)
the message. There are two exceptions to this rule, to accommodate
location-independent accounts, as follows.
If the entry has no routing information, but is a mailing list (i.e.,
has object class 'mailGroup'), the message is handled locally, i.e.,
the MTA "receives" messages to the address in question, performs the
mail group expansion, and resends to the group members. Thus, a mail
group can be configured as "location-independent", meaning that it
does not require a particular Messaging Server to perform the mail
group expansion.
If the entry has no routing information, but has one or more
'mailForwardingAddress' attributes (see Appendix), it is handled
locally, i.e., the MTA "receives" messages to the address in question
under the assumption that it is a forwarding-only (or "redirect")
account, and forwards the message to the new address(es). Thus, it
is not necessary to designate a particular Messaging Server to
perform forwarding on behalf of a forwarding-only account. (This
exception may be deprecated in a future version, and then all
'nsMessagingServerUser' accounts will require a 'mailHost' value. If
location-independent redirects are still desired, a 'mailGroup' entry
can be used to achieve the same effect. Or, one could imagine a new
object class to combine with 'mailRecipient', say,
'mailForwardingAlias', that just provides a way to configure a
location-independent recipient that has a 'mailForwardingAddress',
but this may be overkill. One might also consider whether the
desired action is actually "routing", not "forwarding" - see Sec. 3.3
for clarification. The point is that a mail server should never
perform "forwarding" unless it also takes responsibility for the
account's other attributes that specify delivery-time handling, if
any; this is to ensure that all of the account's forwarding and
delivery preferences are acted upon exactly once in the life of a
message.)
Note that if there were a non-Netscape MTA in the environment that
implemented the 'mailRecipient' concept but did not mimic the
Netscape MTA behavior regarding the above exception cases, it would
probably be unadvisable for administrators to configure any accounts
as location-independent. (This suggests that if it is generally
useful to configure a certain recipient type as location-independent,
Lachman [Page 9]
INTERNET-DRAFT The mailRecipient Object Class October 1998
e.g., 'mailGroup', it ought to be standardized.)
4.3 Determining how to Route a Message
If the recipient is not local, but has a 'mailHost' and/or
'mailRoutingAddress' attribute in its LDAP entry, we route the
message as follows.
First, we determine a destination. If a 'mailHost' value is present,
that is taken to be the destination. Otherwise, the domain part of
the 'mailRoutingAddress' value is taken to be the destination.
Second, we determine whether and how to rewrite the SMTP envelope
recipient address. If a 'mailRoutingAddress' value is present, the
envelope address is rewritten to that. Otherwise, depending on the
configuration, the envelope address may be rewritten by combining the
'uid' value, if present, with the 'mailHost' value (e.g.,
"uid@mail.host"), or, it is rewritten by combining the original
envelope address local part with the 'mailHost' value (e.g.,
"orig.localpart@mail.host"), or it is not rewritten at all.
Third, we determine the next SMTP hop. This may or may not be the
same as the destination determined above. Given the destination, the
MTA will consult the routing table in the MTA configuration, and/or
consult DNS for "MX" and/or "A" records [9].
The message is then relayed to the next SMTP hop, with the SMTP
envelope recipient address set as determined above.
Note that if both 'mailHost' and 'mailRoutingAddress' are present,
the 'mailHost' attribute determines the destination while the
'mailRoutingAddress' attribute determines the envelope rewrite. It
is expected that specifying both is unnecessary, although not
inherently harmful, and may be useful in some peculiar cases.
Note also that envelope rewrites may be considered unnecessary (e.g.,
in Netscape-only MTA sites), and perhaps undesirable (e.g., if the
user has multiple addresses and the target MTA allows the user to
configure server-side filters that read the envelope; also, envelope
rewrites may increase the chances of "namespace crossovers" in
multi-domain sites, as mentioned in Sec. 5.8). Envelope rewrites
become necessary when routing to MTAs whose reckoning of their
accounts' email addresses is not consistent with the accounts'
respective LDAP entries (which could be the case with MTAs that are
not 'mailRecipient'-compatible).
5. Examples
Lachman [Page 10]
INTERNET-DRAFT The mailRecipient Object Class October 1998
The following is a set of directory entries, shown in LDIF [10]
format, that illustrates the use of the 'mailRecipient' object class.
Examples based on this set of entries are provided in the sections
that follow. Each example explains what happens when a message
arrives on nsmail1.example.com for the indicated recipient.
dn: cn=Joe Blow,o=Example Corp,c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
objectclass: nsMessagingServerUser
cn: Joe Blow
sn: Blow
uid: joeblow
userpassword: {crypt}y9LyrzNBT49Ao
mail: joeblow@example.com
mailhost: nsmail1.example.com
maildeliveryoption: mailbox
dn: cn=John Doe,o=Example Corp,c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
objectclass: nsMessagingServerUser
cn: John Doe
sn: Doe
uid: johndoe
userpassword: {crypt}y9LyrzNBT49Ao
mail: johndoe@example.com
mailalternateaddress: jonjon@example.com
mailhost: nsmail2.example.com
maildeliveryoption: mailbox
dn: cn=Scuba Group,o=Example Corp,c=US
objectclass: top
objectclass: groupOfUniqueNames
objectclass: mailRecipient
objectclass: mailGroup
cn: Scuba Group
mail: scuba@example.com
mgrprfc822mailmember: joeblow@example.com
mgrprfc822mailmember: johndoe@example.com
dn: cn=Tuba Group,o=Example Corp,c=US
Lachman [Page 11]
INTERNET-DRAFT The mailRecipient Object Class October 1998
objectclass: top
objectclass: groupOfUniqueNames
objectclass: mailRecipient
objectclass: mailGroup
cn: Tuba Group
mail: tuba@example.com
mailhost: nsmail2.example.com
mgrprfc822mailmember: joeblow@example.com
mgrprfc822mailmember: janeroe@example.com
dn: cn=Jane Roe,o=Example Corp,c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
objectclass: nsMessagingServerUser
cn: Jane Roe
sn: Doe
uid: janeroe
userpassword: {crypt}y9LyrzNBT49Ao
mail: janeroe@example.com
mailhost: nsmail1.example.com
maildeliveryoption: mailbox
mailforwardingaddress: babs@example.com
dn: cn=J Random User,o=Example Corp,c=US
objectclass: top
objectclass: mailRecipient
objectclass: nsMessagingServerUser
cn: J Random User
sn: User
mail: jruser@example.com
mailforwardingaddress: random@pu.edu
dn: cn=Babs Jensen,o=Example Corp,c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
objectclass: xyzMailUser
cn: Babs Jensen
sn: Jensen
uid: babs
userpassword: {crypt}y9LyrzNBT49Ao
mail: babs@example.com
mailalternateaddress: bj@schooldist12.k12.ca.us
Lachman [Page 12]
INTERNET-DRAFT The mailRecipient Object Class October 1998
mailroutingaddress: Babs_Jensen@xyz1.example.com
xyzPostOfficeName: Example_PO_1
xyzUserType: regular
xyzQuota: 1000000
dn: cn=Charlie Hacker,o=Example Corp,c=US
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mailRecipient
objectclass: nsMessagingServerUser
cn: Charlie Hacker
sn: Hacker
uid: hacker
userpassword: {crypt}y9LyrzNBT49Ao
mail: hacker@schooldist12.k12.ca.us
mailhost: nsmail2.example.com
mailroutingaddress: hacker@schooldist12.k12.ca.us
maildeliveryoption: mailbox
mailforwardingaddress: babs@example.com
dn: cn=Conference Room 102,o=Example Corp,c=US
objectclass: top
objectclass: conferenceRoom
mail: babs@example.com
roomNumber: 102
5.1 Example #1
When a message arrives on nsmail1.example.com for
joeblow@example.com, the message is deposited in Joe Blow's mailbox.
5.2 Example #2
When a message arrives on nsmail1.example.com for johndoe@example.com
or for jonjon@example.com, the message is relayed to
nsmail2.example.com, with "johndoe@nsmail2.example.com" in the
envelope (assuming the "uid@mail.host" rewrite option is enabled on
nsmail1.example.com). On nsmail2.example.com, the message is
identified as belonging to John Doe by virtue of
"nsmail2.example.com" being local and "johndoe" being the 'uid' of
John Doe (assuming the 'uid' fallback search is enabled on
nsmail2.example.com). So the message is deposited in his mailbox on
nsmail2.example.com.
The above case would also succeed if the "truncate host part"
fallback search were enabled on nsmail2.example.com, or if no
Lachman [Page 13]
INTERNET-DRAFT The mailRecipient Object Class October 1998
fallback searches or envelope rewrites were configured on either
machine (in which case the envelope recipient address would remain
unchanged).
5.3 Example #3
When a message arrives on nsmail1.example.com for scuba@example.com,
the message is resent to joeblow@example.com and johndoe@example.com.
(The message is considered to be locally handlable since the
recipient is a mail group with no routing information.)
5.4 Example #4
When a message arrives on nsmail1.example.com for tuba@example.com,
the message is relayed to nsmail2.example.com with
"tuba@nsmail2.example.com" (assuming that the
"orig.localpart@mail.host" option is enabled). On
nsmail2.example.com, the message is identified as belonging to the
Tuba Group by virtue of the "truncate host part" fallback search, so
the message is accepted and resent to the group members.
As in Example #2, the above case would also succeed if no fallback
searches or envelope rewrites were configured on either machine.
5.5 Example #5
When a message arrives on nsmail1.example.com for
janeroe@example.com, the message is delivered to Jane's mailbox, and
is also forwarded to Babs. Perhaps Jane is on leave.
5.6 Example #6
When a message arrives on nsmail1.example.com for jruser@example.com,
it is forwarded to random@pu.edu. Perhaps he has left the company to
go back to school, and the company is forwarding his mail as a favor.
Note that the presence or absence of the usual object classes such as
'person' do not affect the Messaging Server. Also, the absence of
'uid' and 'userPassword' is probably a good idea since a person who
has left the company should not be able to login. Note also that a
'mailHost' could have been specified, e.g., as "nsmail2.example.com",
with no difference in overall effect, except that it would require
all messages addressed to this user to be passed to
nsmail2.example.com where the forward action would then be performed.
(This is an example of a location-independent "redirect" account,
which may be deprecated in a future release; see Sec. 4.2.)
Lachman [Page 14]
INTERNET-DRAFT The mailRecipient Object Class October 1998
5.7 Example #7
When a message arrives on nsmail1.example.com for babs@example.com,
or for bj@schooldist12.k12.ca.us (the company is doing a favor to a
local school district by hosting their mail accounts on the company
servers; Babs is both an employee in the company and a volunteer at
the school district, and so she has both addresses), the message is
relayed to the SMTP MTA on host xyz1.example.com (which may be an
SMTP-to-XYZ gateway), with "Babs_Jensen@xyz1.example.com" in the
envelope.
Note that Conference Room 102 is not identified by the MTA as a
recipient of mail addressed to babs@example.com, despite it's having
the matching 'mail' address. This is because it does not have the
'mailRecipient' object class.
5.8 Example #8
When a message arrives on nsmail1.example.com for
hacker@schooldist12.k12.ca.us, the message is relayed to
nsmail2.example.com with "hacker@schooldist12.k12.ca.us" in the
envelope. Mail arriving on nsmail2.example.com for this user is
deposited into his mailbox, and a copy is forwarded to Babs. Charlie
is a guest user from a local school district, and is not in the
company, and therefore does not have an address with "example.com".
The reason to force the envelope using 'mailRoutingAddress' is to
avoid having it rewritten to "hacker@nsmail2.example.com", which
would happen if envelope rewrites using 'mailHost' are enabled.
Thus, we avoid a "namespace crossover" that could result in
misdelivered mail if there were some other user with address
"hacker@example.com". This is one of the peculiar cases where having
both 'mailHost' and 'mailRoutingAddress' is useful, since
'mailRoutingAddress' overrides the default rewrite rule (although the
problem could also be solved by disabling envelope rewrites, assuming
they are not needed). Any site that hosts multiple domains (e.g., an
Internet service provider) must be especially careful in considering
whether and how envelopes are to be rewritten when mail is routed
among its MTAs. (See also Sec. 4.3.)
6. Security Considerations
As in all cases where account information is stored in an LDAP-based
directory service, network administrators must be careful to ensure
that their directory service controls users' access to the entries
and attributes stored therein, according to site policy (e.g.,
allowing users to modify, say, their 'mailForwardingAddress'
attribute, but not their 'mailHost' attribute). Mail server products
Lachman [Page 15]
INTERNET-DRAFT The mailRecipient Object Class October 1998
and their associated user management tools should help administrators
to ensure this, and should also help administrators avoid
configurations that would result in misdelivered mail due to
"namespace crossovers" and other reasons.
7. Acknowledgements
Many members of the Netscape Messaging Server and Directory Server
teams contributed to the design of this schema, including Bill
Fitler, Prabhat Keni, Mike Macgirvin, Bruce Steinback, John Myers,
Tim Howes, Mark Smith, and John Kristian (who coined the object class
name 'mailRecipient'). Special thanks to Leif Hedstrom, Netscape's
Chief Dogfood Taster, for his "real world" insights. Thanks also to
Jeff Hodges for contributing to the discussion that led to this memo,
and to Stuart Freedman for providing review comments.
8. References
[1] W. Yeong, T. Howes, S. Kille, "Lightweight Directory Access
Protocol", RFC 1777, March 1995.
[2] "Information Processing Systems - Open Systems Interconnection -
The Directory: Overview of Concepts, Models and Service", ISO/IEC JTC
1/SC21, International Standard 9594-1, 1988.
[3] J. Postel, "Simple Mail Transfer Protocol", STD 10, RFC 821,
August 1982.
[4] D. Crocker, "Standard for the Format of ARPA Internet Text
Messages", STD 11, RFC 822, August 1982.
[5] B. Steinback, "Using LDAP for SMTP Mailing Lists and Aliases",
Internet-Draft (work in progress).
[6] M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight X.500
Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
2252, December 1997.
[7] M. Wahl, "A Summary of the X.500(96) User Schema for use with
LDAPv3", RFC 2256, December 1997.
[8] P. Barker, S. Kille, "The COSINE and Internet X.500 Schema", RFC
1274, November 1991.
[9] C. Partridge, "Mail routing and the domain system", STD 14, RFC
974, January 1986.
[10] G. Good, "The LDAP Data Interchange Format (LDIF) - Technical
Lachman [Page 16]
INTERNET-DRAFT The mailRecipient Object Class October 1998
Specification", Internet-Draft (work in progress).
[11] M. Smith, "The inetOrgPerson Object Class", Internet-Draft
(work in progress).
9. Author's Address
Hans Lachman
Netscape Communications Corp.
501 East Middlefield Road
Mountain View, CA 94043
Phone: (650) 254-1900
EMail: lachman@netscape.com
10. Appendix - nsMessagingServerUser Object Class and Attributes
The following is an informal description of the
'nsMessagingServerUser' object class and associated attributes. It
was designed to be used in combination with the 'mailRecipient' and
'inetOrgPerson' [11] object classes to define a Netscape Messaging
Server user account. This definition is not considered part of the
'mailRecipient' definition, and is provided here purely as
supplemental information. These attributes may change across
releases, and such changes would not affect MTA interoperability.
Object class: nsMessagingServerUser
Allowed attributes:
cn
Common name (person's full name).
mailAccessDomain
Domains and IP addresses from which user may do POP
or IMAP login.
mailAutoReplyMode
Auto-reply mode, may be one (or none) of: 'vacation'
(send reply text to sender, but only once per
vacation), 'reply' (send reply text unconditionally),
or 'echo' (like 'reply' but include original message
in the reply).
mailAutoReplyText
Reply text to use with 'mailAutoReplyMode'.
mailDeliveryOption
Mail delivery option, one or more of: 'mailbox'
(deliver to user's POP/IMAP mailbox), 'native'
(deliver with platform's native delivery method,
e.g., "/usr/bin/mail"), or 'program' (perform program
delivery). There must be at least one
'mailDeliveryOption' and/or 'mailForwardingAddress',
Lachman [Page 17]
INTERNET-DRAFT The mailRecipient Object Class October 1998
otherwise, mail to this account is undeliverable.
mailForwardingAddress
User-specifiable mail forwarding address(es). This
is different from 'mailRoutingAddress' in that it is
intended to be configurable by the user, and may be
multi-valued. Thus, forwarding and delivery options
may be thought of as "account preferences", while
routing attributes are used to get a message to the
MTA that will take responsibility for handling the
message as per the recipient's account preferences.
mailMessageStore
Identifier for the message store containing this
user's POP/IMAP mailbox.
mailProgramDeliveryInfo
Command text for program delivery.
mailQuota
Quota in bytes for user's POP/IMAP mailbox.
Lachman [Page 18]
INTERNET-DRAFT The mailRecipient Object Class October 1998
11. Full Copyright Statement
Copyright (C) The Internet Society (1998). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Lachman Expires: April 1999 [Page 19]
Reference in a new issue View git blame Copy permalink