A few password related updates.

[openldap] / doc / drafts / draft-lachman-laser-ldap-mail-routing-xx.txt

INTERNET-DRAFT                                                H. Lachman
Intended Category: Standards Track         Netscape Communications Corp.
Filename: draft-lachman-laser-ldap-mail-routing-01.txt        G. Shapiro
                                                          Sendmail, Inc.
Expires: April 2000                                         October 1999

                 LDAP Schema for Intranet Mail Routing

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This draft is being discussed on the Laser mailing list at
   <laser@sunroof.eng.sun.com>.  Subscription requests can be sent to
   <laser-request@sunroof.eng.sun.com> (send an email message with the
   word "subscribe" in the body).  More information on the mailing list
   along with an archive of back messages is available at
   <http://playground.sun.com/laser/>.

   [[Section X will be removed before the document is submitted to the
     IESG.]]

Copyright Notice

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

Abstract

   This document defines an LDAP [1] object class called
   'inetLocalMailRecipient' and associated attributes that provide a way
   to designate an LDAP entry as one that represents a local (intra-
   organizational) email recipient, to specify the recipient's email
   address(es), and to provide routing information pertinent to the
   recipient.  This is intended to support SMTP [2] message transfer
   agents in routing RFC 822-based email [3] within a private enterprise
   only, and is not to be used in the process of routing email across
   the public Internet.

Lachman, et. al.                                                [Page 1]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

1.  Conventions Used in this Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
   document are to be interpreted as described in [10].

2.  Background and Motivation

   LDAP-based directory services are currently being used in many
   organizations as a repository of information about users and other
   network entities (such as groups of users, network resources, etc.).
   In cases where LDAP entries are used to represent entities that are
   email recipients (e.g., a mail user or a mailing list), the LDAP
   entries provide a convenient place to store per-recipient data, such
   as a recipient's email address.

   In many organizations, an email recipient may have an email address
   (e.g., "joe@example.com") that does not specify the host that
   receives mail for that recipient (e.g., "host42.example.com").  A
   message transfer agent (MTA) responsible for routing mail within the
   organization needs some way to determine the appropriate target host
   for such a recipient.  A common solution is the sendmail "aliases"
   database which may contain a record that provides the necessary per-
   recipient routing information (e.g., "joe: joe@host42").  A drawback
   of this solution is that if the organization hosts more than one DNS
   domain (e.g., "example.com" and "example.org", with "joe" in each
   domain being different recipients), a more explicit mapping is
   desirable.  The schema defined in this document provides a way to
   represent such mappings in LDAP and X.500 [4] directory services.

   An LDAP entry that represents an email recipient could conceivably
   contain a variety of attributes related to email, such as disk quota
   and delivery preferences.  We consider here only attributes that
   specify address information and routing information; these attributes
   may be useful to multiple MTAs within the organization since one or
   more MTAs may be responsible for intra-organizational routing.  The
   various MTAs in an organization may have been developed by different
   implementors, so a common schema is desirable for such attributes.

3.  Overview

   The 'inetLocalMailRecipient' object class and associated attributes
   identify an LDAP entry as representing an SMTP mail recipient (in the
   sense "recipient" is used in [2]).  A recipient may be a mail user, a
   mailing list, an auto-responder of some kind (e.g., a mailing list
   subscription program), a network device such as a printer or fax
   machine, or other recipient type.  Address attributes and routing
   attributes are provided to aid SMTP MTAs in routing mail within an
   organization to the appropriate target MTA for each recipient.

Lachman, et. al.                                                [Page 2]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

   Once on the target MTA, a message is handled as per the recipient
   type and options (which may be specified using other auxiliary object
   classes and is outside the scope of this document).  For example, the
   message may be delivered to a user mailbox, or to a program or
   network device, and/or forwarded to another recipient.  Or, the
   target MTA may be a gateway to a non-SMTP mail routing and delivery
   system including non-SMTP MTAs.  Note that, in this discussion,
   "target MTA" refers to the final SMTP destination of messages for the
   recipient in question, as we are considering routing of mail only
   among the SMTP MTAs within an organization.

   The target MTA checks to see if the destination domain of the
   recipient address is one that it is responsible for LDAP-based
   routing.  If so, checks for matching e-mail addresses in LDAP by
   looking up the envelope recipient address in LDAP using the object
   class described in section 4.1 and the attribute discussed in section
   4.2.  If it gets back an unambiguous match, it interprets the routing
   attributes as described in section 4.3.

   Routing of mail between different organizations across the public
   Internet is outside the scope of this document, as the mechanism for
   this is already standardized [5,6].  An 'inetLocalMailRecipient'
   entry represents a mail recipient that is local to the organization
   in question, not recipients in other organizations.  This means that
   the domain names that appear within the 'mailLocalAddress' and
   'mailHost' attribute values in an 'inetLocalMailRecipient' entry must
   be DNS domain names that are within the administrative authority of
   the organization in question (i.e., the organization within which
   MTAs are accessing such entries and using these attributes for mail
   routing).

   LDAP entries that are not 'inetLocalMailRecipient' entries should be
   ignored by MTAs for the purpose of routing.  An example is a
   conference room whose LDAP entry contains contact information (e.g.,
   email address and telephone number) for the person who books
   reservations for the room; the conference room is not a mail
   recipient, and can safely be ignored by MTAs doing route
   determination based on recipient address.

4.  Object Class and Attribute Definitions

   The 'inetLocalMailRecipient' object class and associated attributes
   are defined (using syntaxes given in [7]) as follows.

Lachman, et. al.                                                [Page 3]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

 4.1  The inetLocalMailRecipient Object Class

       ( 2.16.840.1.113730.3.2.[[TBD]]
           NAME 'inetLocalMailRecipient'
           SUP top
           AUXILIARY
           MAY ( mailLocalAddress $
               mailHost $ mailRoutingAddress
           )
       )

   The 'inetLocalMailRecipient' object class signifies that the entry
   represents an entity within the organization that can receive SMTP
   mail, such as a mail user or a mailing list.  In any case of an entry
   containing the 'inetLocalMailRecipient' object class, attributes
   defined in this document MUST be interpreted as specified in this
   document.

 4.2  Address Attribute

       ( 2.16.840.1.113730.3.1.13
           NAME 'mailLocalAddress'
           DESC 'RFC 822 email address of this recipient'
           EQUALITY caseIgnoreIA5Match
           SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
       )

   The 'mailLocalAddress' attribute is used to specify email addresses,
   for the recipient; for example, "nickname@example.com".  The address
   conforms to the syntax of an 'addr-spec' as defined in [3].

   The 'mailLocalAddress' attribute MUST contain all addresses that
   represent each recipient of the target MTA.  Commonly, the value of
   the 'mail' attribute should also be among the addresses listed in
   the 'mailLocalAddress' attribute if it is expected to be used for
   LDAP mail routing.

   When determining the disposition of a given message, MTAs using LDAP
   (directly or indirectly) to route mail MUST search for an entry
   with object class 'inetLocalMailRecipient' and a 'mailLocalAddress'
   attribute matching the message's recipient address.  If exactly one
   matching entry is found, MTAs MUST regard the message as being
   addressed to the entity that is represented by the directory entry.

   If multiple entries are found, but all share an identical match for
   both mailRoutingAddress and mailHost (e.g., their presence or absence
   is the same as well as their values if present), the MTA MAY treat
   this as a single match.  Duplicate entries that return different
   routing attributes or contradict each other are errors, however, and
   should be handled by the MTA in some locally-appropriate way, such as
   returning a DSN [11] to the sender.

Lachman, et. al.                                                [Page 4]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

   If there is no match found by the above, MTAs SHOULD have the
   capability of searching for the recipient domain against the
   'mailLocalAddress' attribute using the "wildcard domain" address
   "@<full-local-domain>" , e.g., "@example.org".  In other words, if
   mail arrives for "someone@example.org", and there is no recipient
   with that address specified as 'mailLocalAddress', then the recipient
   with the wildcard domain address should receive the mail.

   MTAs MAY do other searches but only after the above are done.

   In short, the address attribute 'mailLocalAddress' may be used by an
   LDAP entry to answer the question "what is/are this account's email
   address(es)?"

 4.3  Routing Attributes

       ( 2.16.840.1.113730.3.1.18
           NAME 'mailHost'
           DESC 'fully-qualified hostname of the MTA that is the final
               SMTP destination of messages to this recipient'
           EQUALITY caseIgnoreIA5Match
           SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
           SINGLE-VALUE
       )

   The 'mailHost' attribute indicates which SMTP MTA considers the
   recipient's mail to be locally handleable.  This information can be
   used for routing, in that an intermediary MTA may take it to be the
   destination for messages addressed to this recipient.  Normal mail
   routing requirements (i.e., use of MX records) apply to the specified
   hostname unless overridden by local conventions.  In other words, the
   mail should be sent to the specified host without changing the
   recipient address.  The hostname is specified as a fully-qualified
   DNS hostname with no trailing dot (e.g., "host42.example.com").

   If the 'inetLocalMailRecipient' object class is present, the
   'mailHost' attribute for each entry MAY contain a value.  If it does,
   that value MUST be the fully qualified name of the server containing
   the host MTA for this person.  If 'mailHost' is present then it MUST
   be taken as the host for this user, and all mail to this user MUST be
   routed to this machine.

       ( 2.16.840.1.113730.3.1.47
           NAME 'mailRoutingAddress'
           DESC 'RFC 822 address to use when routing messages to
               the SMTP MTA of this recipient'
           EQUALITY caseIgnoreIA5Match
           SYNTAX '1.3.6.1.4.1.1466.115.121.1.26{256}'
           SINGLE-VALUE
       )

Lachman, et. al.                                                [Page 5]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

   The 'mailRoutingAddress' attribute indicates a routing address for
   the recipient.  The address MUST conform to the syntax of an
   'addr-spec' in [3].  An intermediary MTA MUST use this information to
   route the message to the MTA that handles mail for this recipient,
   e.g., the envelope address MUST be rewritten to this value.  This is
   useful in cases where, for a given recipient, the target MTA prefers
   a particular address to appear as the recipient address in the SMTP
   envelope.  'mailRoutingAddress' MAY be used as an alternative to
   'mailHost', and is intended to have the same effect as 'mailHost'
   except that 'mailRoutingAddress' is an address for rewriting the
   envelope.  With 'mailHost', the envelope address either is not
   rewritten, or is rewritten according to implementation-specific rules
   and/or configuration.

   If both 'mailHost' and 'mailRoutingAddress' are present, MTAs MAY
   interpret it to mean that messages are to be routed to the host
   indicated by 'mailHost', while rewriting the envelope as per
   'mailRoutingAddress'.  In theory, there could be peculiar cases where
   this is necessary, but this is not normally expected.

   Absence of both 'mailHost' and 'mailRoutingAddress' MAY be considered an
   error, unless "location-independent" recipient types are supported by
   the various MTAs within the organization.  This would allow any MTA in
   the organization to handle the processing of mail for, say, a mailing
   list.  This presumes that the various MTAs all recognize the recipient
   type in question, suggesting a need to standardize recipient types that
   could be "location-independent".

   In short, routing attributes may be used by an LDAP entry to answer
   the question "how should MTAs route mail to this account?"
   (analogous to using the sendmail "aliases" database for per-user
   routing within an organization).  This is in contrast with
   "forwarding"; forwarding and delivery options may be specified in an
   LDAP entry to answer the question "what happens to mail once it
   arrives at this account?", which may include forwarding to some other
   account within or outside the organization (analogous to using the
   sendmail ".forward" file).  Such options are outside the scope of the
   'inetLocalMailRecipient' schema definition.

   The following possibilities exist as a result of an LDAP lookup on an
   address:

        mailHost is     mailRoutingAddress is   Results in
        -----------     ---------------------   ----------
        set to a        set                     mail routed to
        "local" host                            mailRoutingAddress

        set to a        not set                 delivered to
        "local" host                            original address

Lachman, et. al.                                                [Page 6]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

        set to a        set                     MAY relay to mailHost
        remote host                             using mailRoutingAddress

        set to a        not set                 original address
        remote host                             relayed to mailHost

        not set         set                     mail routed to
                                                mailRoutingAddress

        not set         not set                 error or
                                                "location-independent"

   The term "local" host above means the host specified is one that the
   local (target) MTA considers to be a local delivery.  The local MTA
   MAY rewrite the original address when mailRoutingAddress is not set
   if local conventions warrant the change.

5.  Examples

   The following examples illustrate possible uses of the
   'inetLocalMailRecipient' object class.

   Here is an example of an LDAP entry representing a mail user:

       dn: uid=joe,o=Example Corp,c=US
       objectClass: top
       objectClass: person
       objectClass: organizationalPerson
       objectClass: inetOrgPerson
       objectClass: inetLocalMailRecipient
       objectClass: nsMessagingServerUser
       cn: Joe User
       sn: User
       uid: joe
       userPassword: {crypt}y2KxtbzMYnApU
       mail: joe@example.com
       mailLocalAddress: joe@example.com
       mailLocalAddress: joe@another.example.com
       mailHost: nsmail1.example.com
       mailDeliveryOption: mailbox
       mailQuota: 1000000
       mailForwardingAddress: mary@example.com

   Joe User is a user of a hypothetical mail system called NS Messaging.
   Let's say mail arrives on an MTA called "mx.example.com", addressed
   to "joe@example.com".  That MTA searches the directory for a mail
   recipient with that address, using an LDAP search filter [8] such as:

       (&(objectClass=inetLocalMailRecipient)
         (mailLocalAddress=joe@example.com))

Lachman, et. al.                                                [Page 7]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

   It finds Joe's LDAP entry, and routes the message to the target MTA
   "nsmail1.example.com", while not rewriting the SMTP envelope
   recipient address.  Then, "nsmail1.example.com" receives the message,
   searches for and finds the recipient in the directory, ascertains
   that it is the recipient's target MTA, and handles the message as per
   other attributes in the recipient's entry and/or the MTA
   configuration (in this case, the message is delivered to a mailbox,
   and forwarded to another recipient).

   Note that this document does not specify the rules an MTA is to use
   to ascertain whether or not it is the target MTA for a given
   recipient (it could check the recipient's 'mailHost' value against
   its own hostname, or check the recipient's 'mailRoutingAddress', or
   check the MTA configuration, or some combination of these).

   Here is another example of an LDAP entry representing a mail user:

       dn: uid=john,o=Example Corp,c=US
       objectClass: top
       objectClass: person
       objectClass: organizationalPerson
       objectClass: inetOrgPerson
       objectClass: inetLocalMailRecipient
       objectClass: xyzMailUser
       cn: John Doe
       sn: Doe
       uid: john
       userPassword: {crypt}y2KxtbzMYnApU
       mail: john@example.com
       mailLocalAddress: john@example.com
       mailRoutingAddress: John_Doe@xyz-gw.example.com
       xyzPostOfficeName: PO_1
       xyzClusterNumber: 3
       xyzMessageStoreId: 9

   John Doe is a user of a hypothetical mail system called XYZ Mail.
   Let's say mail arrives on an MTA called "mx.example.com", addressed
   to "john@example.com".  That MTA searches the directory for a mail
   recipient with that address, and routes the message to "xyz-
   gw.example.com", rewriting the SMTP envelope recipient address to
   "John_Doe@xyz-gw.example.com", as per the 'mailRoutingAddress'.  On
   "xyz-gw.example.com", the message is gatewayed into the XYZ Mail
   system and then dealt with as per other attributes.

Lachman, et. al.                                                [Page 8]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

   Here is an example of an LDAP entry representing a mailing list:

       dn: cn=Scuba Group,o=Example Corp,c=US
       objectClass: top
       objectClass: groupOfUniqueNames
       objectClass: inetLocalMailRecipient
       objectClass: mailGroup
       cn: Scuba Group
       mail: scuba@example.com
       mailLocalAddress: scuba@example.com
       mailHost: host42.example.com
       mgrpRFC822MailMember: joe@example.com
       mgrpRFC822MailMember: john@example.com

   The Scuba Group is a mail group (mailing list) that includes two
   members.  A message addressed to "scuba@example.com" is routed to
   "host42.example.com" where it is then resent to the mailing list
   members.  The 'mailGroup' object class is specified elsewhere [9].

   Here is an example of an LDAP entry representing a forwarding alias:

       dn: cn=Jane Roe Forwarding Alias,o=Example,c=US
       objectClass: top
       objectClass: inetLocalMailRecipient
       objectClass: mailForwardingAlias
       mail: janeroe@example.org
       mailLocalAddress: janeroe@example.org
       mailHost: mail.example.org
       mailForwardingAddress: janeroe@elsewhere.example.com
       cn: Jane Roe Forwarding Alias

   This entry uses a hypothetical object class 'mailForwardingAlias'
   that is not specified here, but is used as an example of how an LDAP
   entry might represent such a recipient type.  A message addressed to
   "janeroe@example.org" is routed to "mail.example.org" where it is
   then forwarded.  In this case, Jane Roe may be a former member of the
   Example Organization, and they are forwarding her mail to her new
   address elsewhere.

6.  Security Considerations

   As in all cases where account information is stored in an LDAP-based
   directory service, network administrators must be careful to ensure
   that their directory service controls users' access to the entries
   and attributes stored therein, according to site policy.  In
   particular, mail routing information should not be accessible from
   outside the organization, since it is intended for use only by MTAs
   within the organization.

Lachman, et. al.                                                [Page 9]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

7.  Acknowledgments

   The 'inetLocalMailRecipient' object class is based on an earlier
   design done by the Netscape Messaging and Directory Server teams,
   which was implemented and deployed to customers as part of Netscape
   Messaging Server.  Various team members contributed to the design,
   including Bill Fitler, Bruce Steinback, Prabhat Keni, Mike Macgirvin,
   John Myers, John Kristian, Tim Howes, Mark Smith, and Leif Hedstrom.
   Thanks also to Jeff Hodges of Stanford for contributing to the early
   design discussions, and to the other participants in the IETF LASER
   BOF, including, from Sun Microsystems, John Beck, Anil Srivastava,
   and Darryl Huff.

8.  References

   [1]  M. Wahl, T. Howes, S. Kille, "Lightweight Directory Access
   Protocol (v3)", RFC 2251, December 1997.

   [2]  J. Postel, "Simple Mail Transfer Protocol", STD 10, RFC 821,
   August 1982.

   [3]  D. Crocker, "Standard for the Format of ARPA Internet Text
   Messages", STD 11, RFC 822, August 1982.

   [4]  "Information Processing Systems - Open Systems Interconnection -
   The Directory: Overview of Concepts, Models and Service", ISO/IEC JTC
   1/SC21, International Standard 9594-1, 1988.

   [5]  C. Partridge, "Mail routing and the domain system", STD 14, RFC
   974, January 1986.

   [6]  R. Braden, "Requirements for Internet hosts - application and
   support", STD 3, RFC 1123, October 1989.

   [7]  M. Wahl, A. Coulbeck, T. Howes, S. Kille, "Lightweight X.500
   Directory Access Protocol (v3): Attribute Syntax Definitions", RFC
   2252, December 1997.

   [8]  T. Howes, "The String Representation of LDAP Search Filters",
   RFC 2254, December 1997.

   [9]  B. Steinback, "Using LDAP for SMTP Mailing Lists and Aliases",
   Internet-Draft (work in progress).

   [10]  S. Bradner, "Key words for use in RFCs to Indicate Requirement
   Levels", BCP 14, RFC 2119, March 1997.

   [11]  K. Moore, "SMTP Service Extension for Delivery Status
   Notifications", RCP 1891, January 1996.

Lachman, et. al.                                               [Page 10]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

9.  Authors' Addresses

   Hans Lachman
   Netscape Communications Corp.
   501 East Middlefield Road
   Mountain View, CA  94043
   Phone: (650) 254-1900
   EMail: lachman@netscape.com

   Gregory Neil Shapiro
   Sendmail, Inc.
   6603 Shellmound Street
   Emeryville, CA 94608-1042
   Phone: +1 510-594-5522
   Fax:   +1 510-594-5411
   EMail: gshapiro@sendmail.org

X. Change Summary

X.1.1 Substantive changes between
      draft-lachman-laser-ldap-mail-routing-00.txt and
      draft-lachman-laser-ldap-mail-routing-01.txt

   (i)     Added Gregory Neil Shapiro as another author.
   (ii)    Changed Draft heaer.
   (iii)   Added "Conventions Used in this Document" section.
   (iv)    Replaced RFC mentions with reference numbers.
   (v)     Add new MUST/SHOULD/MAY sections to bring more in line with
           RFC documents.
   (vi)    Clarify job of MTA in Overview by adding third paragraph.
   (vii)   mailRoutingAddress can be outside of administrative control.
   (viii)  Eliminated use of 'mail' attribute for mail routing.
   (ix)    Changed name of 'mailAlternateAddress' to 'mailLocalAddress'.
   (x)     Remove "routable" from 'mailLocalAddress' description.
   (xi)    Clarify which addresses MUST be in 'mailLocalAddress'.
   (xii)   Allow for multiple responses if they all have the same
           routing attribute values.
   (xiii)  Clarify use of MX records on routing attributes.
   (xiv)   Add a table to clarify use of 'mailHost' and
           'mailRoutingAddress'.
   (xv)    Remove document weakening statements from section 5.
   (xvi)   Only use reserved domains (example.com, example.org) in
           examples.
   (xvii)  Clean up references
   (xviii) Added section X to list the changes between draft versions.

Lachman, et. al.                                               [Page 11]

INTERNET-DRAFT   LDAP Schema for Intranet Mail Routing      October 1999

10.  Full Copyright Statement

   Copyright (C) The Internet Society (1999).  All Rights Reserved.

   This document and translations of it may be copied and furnished
   to others, and derivative works that comment on or otherwise
   explain it or assist in its implementation may be prepared, copied,
   published and distributed, in whole or in part, without
   restriction of any kind, provided that the above copyright notice
   and this paragraph are included on all such copies and derivative
   works.  However, this document itself may not be modified in any
   way, such as by removing the copyright notice or references to the
   Internet Society or other Internet organizations, except as needed
   for the purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards
   process must be followed, or as required to translate it into
   languages other than English.

   The limited permissions granted above are perpetual and will not
   be revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on
   an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Lachman, et. al.                                               [Page 12]