DevHeads.net

Question about restriction class (AD LDAP)

Hi all,

I have to implement a restriction class as per
http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some
internal aliases, allowing just selected users to send mail to them. The
initial idea is to create a security group (called PSIU below) inside AD
(Samba 4.7) and put the granted people there. I went this way:

main.cf:

smtpd_restriction_classes       = insiders_only
insiders_only                   = check_sender_access
    ldap:/etc/postfix/adinsidersok.cf, reject

smtpd_recipient_restrictions =
    ...
    check_recipient_access ldap:/etc/postfix/adinsiders.cf,
    ...

adinsiders.cf defines the aliases to protect:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = OU=MailAliases,DC=tld
query_filter                = (mail=%s)
result_attribute            = msDS-AzApplicationData

On msDS-AzApplicationData attribute I have "insiders_only" for some
aliases. This is fine.

adinsidersok.cf defines who can use those protected aliases:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = CN=PSIU,OU=Sistemas,DC=tld
query_filter                = (member=%s)
result_attribute            = memberOf

That is where I'm stuck. To start with, the "member" attribute contains a
DN, not a mail address, so how do I return 'OK' for those people?

What approach do you guys use in cases like this, keeping everything
inside LDAP? What do you recommend?

Thank you all, best regards.

Comments

Re: Question about restriction class (AD LDAP)

By Viktor Dukhovni at 10/09/2018 - 10:57

What you're trying to do can't be done with Postfix access(5)
tables. You're trying to encode a pair of lookup keys, the
sender and the receiving alias into a single query, so that
different receiving aliases can have different allowed senders.

Postfix has only single-key queries. If a single set of
authorized senders across all the aliases will not do,
you need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.
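The policy-service route described in this reply, as an added example that is not part of the thread and not Postfix's or Samba's own code: a minimal Python SMTPD policy daemon that keys on both the envelope sender and the recipient, which is the two-key decision the access(5) tables above cannot express. The alias-to-class and group-membership dicts are constructed stand-ins for the two AD lookups in the question (a real service would issue those LDAP queries instead); the example.com addresses and port 10040 are assumptions.

```python
"""Minimal Postfix SMTPD policy service doing a (sender, recipient) two-key check.

Added example, not from the thread. Speaks the Postfix policy delegation
protocol: each request is a block of attribute=value lines ended by an
empty line; the reply is "action=..." followed by an empty line.
"""
import socketserver
from typing import Dict, Set

# Constructed sample data standing in for the two AD lookups in the question:
# alias -> restriction class name (what adinsiders.cf reads from
# msDS-AzApplicationData) and class name -> member mail addresses (what
# adinsidersok.cf tried to derive from the PSIU group). A real deployment
# would replace these dicts with LDAP queries (assumption).
PROTECTED_ALIASES: Dict[str, str] = {
    "staff@example.com": "insiders_only",
    "board@example.com": "board_only",
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "insiders_only": {"alice@example.com", "bob@example.com"},
    "board_only": {"alice@example.com"},
}

# Constructed request, in the shape Postfix sends for smtpd_recipient_restrictions.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "sender=mallory@example.org\n"
    "recipient=staff@example.com\n"
    "\n"
)


def parse_request(raw: str) -> Dict[str, str]:
    """Parse the attribute=value lines of one policy request into a dict."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:                      # skip the terminating empty line and junk
            attrs[key.strip()] = value.strip()
    return attrs


def decide(attrs: Dict[str, str]) -> str:
    """Return the Postfix action for this request.

    DUNNO means "no opinion, let the remaining restrictions decide"; it is
    returned for authorized senders instead of OK so that later checks in
    smtpd_recipient_restrictions still apply.
    """
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    # NOTE: the envelope sender is forgeable on an unauthenticated port; on a
    # submission service tie it to the login with reject_sender_login_mismatch.
    sender = attrs.get("sender", "").lower()
    group = PROTECTED_ALIASES.get(recipient)
    if group is None:
        return "DUNNO"               # not a protected alias
    if sender in GROUP_MEMBERS.get(group, set()):
        return "DUNNO"               # authorized sender for this alias
    return f"REJECT {recipient} accepts mail from authorized senders only"


def respond(raw: str) -> str:
    """Full wire response for one raw request block."""
    return f"action={decide(parse_request(raw))}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; answer each in turn."""

    def handle(self) -> None:
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:         # client closed the connection
                    return
                text = line.decode("utf-8", "replace")
                if text in ("\n", "\r\n"):
                    break
                lines.append(text)
            self.wfile.write(respond("".join(lines)).encode("utf-8"))
            self.wfile.flush()


if __name__ == "__main__":
    # Assumed listening address; reference it from main.cf as
    # check_policy_service inet:127.0.0.1:10040
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Hook it into main.cf with `check_policy_service inet:127.0.0.1:10040` in smtpd_recipient_restrictions, ahead of the final permit. Because the service sees sender and recipient together, each protected alias can carry its own allowed-sender set, which is exactly what a single restriction class cannot do; the alternative Viktor mentions, one restriction class per alias, stays inside access(5) tables but needs a class for every distinct sender set.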