Hi Victor,

A high level description of my need may help:

"I would like to accept relaying messages coming from a set of IPs AND which recipient address is described AT LEAST ONE TIME in the LDAP directory, not as a mail/mailAlternateAddress address but as group(s) member(s).

Example: from host[w.x.y.z] AND to=<j...@u.org> with <j...@u.org> being declared in the ldap as group(s) member(s) (mgrpRFC822MailMember: j...@u.org ) and not having any mail or mailAlternateAddress attributes.

I used the smtpd_client_restrictions with a recipient exception filter for it. It works fine except if the recipient is declared more than one time as having a mgrpRFC822MailMember attribute.

=> I would like to have one OK result_filter and not several ones. But maybe this is not possible.

Anyway, thank you for your time.

Alain

----- Original Message -----
From: Victor Duchovni <victor.ducho...@morganstanley.com>
Date: Thursday, May 7, 2009 6:52 pm
Subject: Re: ldap and result_filter question
To: postfix-users@postfix.org

> On Thu, May 07, 2009 at 05:30:37PM +0200, postfix wrote:
>
> > Hi Victor,
> >
> > ok, I know my question is a bit confusing. That's because I tried to
> > "simplify" the case I face with a generic example. It seems
> > simplification leads to more confusion ... sorry !
> > Here below the real case:
> >
> > in main.cf:
> > check_recipient_access ldap:/etc/postfix/ldapUserAccess_mgrprfc822mailmember.cf
> >
> > $cat ldapUserAccess_mgrprfc822mailmember.cf
> > server_host = ldap://fe-ldap1-data:389
> > search_base = ou=fe1,o=fe
> > bind_dn = cn=root DN
> > bind_pw = xxxxxx
> > version = 3
> > query_filter = (&(mgrprfc822mailmember=%s)(|(objectclass=mailrecipient)(objectclass=inetlocalmailrecipient)(objectclass=mailgroup)(objectclass=inetmailgroup)))
> > domain = hash:/etc/postfix/relay_domains
> > result_attribute = mail
> > bind = yes
> > result_filter = OK
> > expansion_limit = 1
>
> This is an access(5) table, not a rewriting table. Why are you writing
> a query that matches multiple "entries" for a subset of valid lookup
> keys. DON'T DO THAT.
>
> The query filter looks rather bogus, it insists on finding the address
> as a member of a group, rather than as the address of a group or the
> address of a user.
>
> > That's my problem.
> > Is it possible to only have one OK as a result ?
>
> Yes, by writing a sensible query and choosing a sensible result
> attribute.
> Forget LDAP for a moment, describe the intended semantics of this
> table, in high-level terms:
>
> - Return OK when an input address X has useful property Y
>
> What is "useful property Y"? I am skeptical that
> "mgrprfc822mailmember=%s" is a useful property of an *input* address.
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
>