[postfix] Can't get LDAP mailAlias to work
This: https://github.com/debops/debops/blob/d7130bace17833ae72abaad4c752c6fe10f23058/ansible/roles/postldap/defaults/main.yml#L341-L362 results in a `/etc/postfix/ldap_virtual_forward_maps.cf` file which looks something like this:

```
# This file is managed remotely, all changes will be lost
# The virtual_forward_maps setting is used to find the final delivery address,
# given a distribution list.
server_host = ldaps://ldap.example.com/
search_base = dc=example,dc=com
query_filter = (& (| (objectClass=mailAlias) (objectClass=mailDistributionList) ) (mailAddress=%s) (| (authorizedService=all) (authorizedService=mail:receive) ) )
result_attribute = mailForwardTo
special_result_attribute = member
leaf_result_attribute = mailAddress
scope = sub
bind = yes
bind_dn = uid=postfix,cn=smtp.example.com,ou=Hosts,dc=example,dc=com
bind_pw = <something>
version = 3
start_tls = no
tls_ca_cert_dir = /etc/ssl/certs/
```
If I create a `mailAlias` LDAP entry like this (the `authorizedService` seems a bit like overkill but probably necessary given the query filter above?):

```
dn: [email protected],ou=Groups,uid=postfix,cn=smtp.example.com,ou=Hosts,dc=example,dc=com
objectClass: mailAlias
objectClass: authorizedServiceObject
mail: [email protected]
mailAddress: [email protected]
mailForwardTo: [email protected]
authorizedService: all
```
Then the alias lookup will expand to both the alias and the `mailForwardTo` address:

```
root@smtp:~# postmap -q [email protected] ldap:/etc/postfix/ldap_virtual_forward_maps.cf
[email protected],[email protected]
root@smtp:~# postmap -vq [email protected] ldap:/etc/postfix/ldap_virtual_forward_maps.cf
...
postmap: dict_ldap_lookup: /etc/postfix/ldap_virtual_forward_maps.cf: Searching with filter (& (| (objectClass=mailAlias) (objectClass=mailDistributionList) ) ([email protected]) (| (authorizedService=all) (authorizedService=mail:receive) ) )
postmap: dict_ldap_get_values[1]: Search found 1 match(es)
postmap: dict_ldap_get_values[1]: search returned 1 value(s) for requested result attribute mailAddress
postmap: dict_ldap_get_values[1]: search returned 1 value(s) for requested result attribute mailForwardTo
postmap: dict_ldap_get_values[1]: Leaving dict_ldap_get_values
postmap: dict_ldap_lookup: Search returned [email protected],[email protected]
...
```

While I'd expect only the `mailForwardTo` address to be returned (i.e. [email protected]).
I'm guessing one reason could be that the Postfix LDAP docs, section `leaf_result_attribute`, say:

> When one or more special result attributes are found in a non-terminal (see above) LDAP entry, leaf result attributes are excluded from the expansion of that entry

(note the leading *when*).
One alternative would be to change the `mailAlias` entry so that it contains `member` attributes pointing to the DN corresponding to "Bob", but I can't really figure out how to do so. `mailAlias` is structural and I can't find a suitable auxiliary objectClass which permits `member` attributes (and also, the above LDAP entry should work, shouldn't it?).

So, suggestions on what to do? Have I misunderstood how a `mailAlias` entry should be configured... or have I hit a bug in Postfix? (This was all tested using Bullseye.)
Also, @drybjed - the `mailservice.schema` seems a bit... underdocumented at the moment? Any chance of adding some more documentation about it to one of the appropriate roles?
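The following is an added illustration, not code from DebOps or Postfix: a small Python model of how `ldap_table(5)` assembles a lookup result from `result_attribute`, `special_result_attribute` and `leaf_result_attribute`, using the three settings and the `query_filter` from the map file above. The in-memory directory, its DNs (`ou=People`, `cn=team`, the `noauth` alias) and the `MAX_DEPTH` stand-in for Postfix's DN-expansion limit are all constructed for the example. It shows what the quoted rule yields for an entry without a `member` attribute (terminal: leaf attributes are included) next to a distribution list with `member` DNs (non-terminal: only the members' leaf attributes come back).

```python
"""Model of Postfix ldap_table(5) result expansion (added example, not project code)."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY: Dict[str, Entry] = {
    # A plain alias shaped like the entry in the report above (no member attribute).
    "mailAddress=alias@example.com,ou=Groups,dc=example,dc=com": {
        "objectClass": ["mailAlias", "authorizedServiceObject"],
        "mailAddress": ["alias@example.com"],
        "mailForwardTo": ["bob@example.com"],
        "authorizedService": ["all"],
    },
    # A distribution list whose recipients are referenced by DN.
    "cn=team,ou=Groups,dc=example,dc=com": {
        "objectClass": ["mailDistributionList", "authorizedServiceObject"],
        "mailAddress": ["team@example.com"],
        "member": [
            "uid=alice,ou=People,dc=example,dc=com",
            "uid=bob,ou=People,dc=example,dc=com",
        ],
        "authorizedService": ["mail:receive"],
    },
    # An alias with no authorizedService value; the query_filter must drop it.
    "mailAddress=noauth@example.com,ou=Groups,dc=example,dc=com": {
        "objectClass": ["mailAlias"],
        "mailAddress": ["noauth@example.com"],
        "mailForwardTo": ["bob@example.com"],
    },
    "uid=alice,ou=People,dc=example,dc=com": {"mailAddress": ["alice@example.com"]},
    "uid=bob,ou=People,dc=example,dc=com": {"mailAddress": ["bob@example.com"]},
}

# Settings taken from ldap_virtual_forward_maps.cf above.
RESULT_ATTRIBUTE = ["mailForwardTo"]
SPECIAL_RESULT_ATTRIBUTE = ["member"]
LEAF_RESULT_ATTRIBUTE = ["mailAddress"]
MAX_DEPTH = 20  # constructed stand-in for Postfix's recursion limit on DN expansion


def matches_query_filter(entry: Entry, address: str) -> bool:
    """Evaluates the query_filter from the map file against one entry."""
    classes = set(entry.get("objectClass", []))
    services = set(entry.get("authorizedService", []))
    return (
        bool(classes & {"mailAlias", "mailDistributionList"})
        and address in entry.get("mailAddress", [])
        and bool(services & {"all", "mail:receive"})
    )


def expand(entry: Entry, depth: int = 0) -> List[str]:
    """Collects addresses from one entry as ldap_table(5) describes.

    result_attribute values are returned from every entry.  An entry carrying a
    special_result_attribute is non-terminal: its DNs are fetched and expanded
    and its own leaf_result_attribute values are excluded.  Only a terminal
    entry (no special attribute present) contributes leaf_result_attribute
    values, which is why a bare mailAlias returns its own mailAddress.
    """
    if depth > MAX_DEPTH:
        return []
    values: List[str] = []
    for attr in RESULT_ATTRIBUTE:
        values.extend(entry.get(attr, []))
    member_dns = [dn for attr in SPECIAL_RESULT_ATTRIBUTE for dn in entry.get(attr, [])]
    if member_dns:
        # Non-terminal: follow the DNs (Postfix reads them with a base-scope
        # search and does not re-apply query_filter to them).
        for dn in member_dns:
            child = DIRECTORY.get(dn)
            if child is not None:
                values.extend(expand(child, depth + 1))
    else:
        # Terminal: leaf attributes are part of the result.
        for attr in LEAF_RESULT_ATTRIBUTE:
            values.extend(entry.get(attr, []))
    return values


def lookup(address: str) -> Optional[str]:
    """Mimics `postmap -q ADDRESS ldap:/etc/postfix/ldap_virtual_forward_maps.cf`."""
    found: List[str] = []
    for entry in DIRECTORY.values():
        if matches_query_filter(entry, address):
            found.extend(expand(entry))
    if not found:
        return None
    # Postfix joins the values with commas; sorting here only makes output stable.
    return ",".join(sorted(set(found)))


if __name__ == "__main__":
    for addr in ("alias@example.com", "team@example.com", "noauth@example.com"):
        print(addr, "->", lookup(addr))
```

Run as-is, `alias@example.com` comes back as `alias@example.com,bob@example.com`, matching the two-value result seen with `postmap -q` above, while `team@example.com` expands to the members' addresses only and the unauthorised alias yields no result.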