Hi,

I implemented something like that in the backend, too. I’m using OpenLDAP.

I have a script (PHP CLI script as part of a Zend Framework management 
frontend) that uses a config file containing some LDAP searches to 
automatically add/remove users to/from groups based on some attributes. That 
part is hard to share, but it shouldn’t be too hard implementing it with some 
Shell script if you are using the LDAP backend, too.

Regarding restrictions:
As MJ proposed, I handle that in Postfix.

In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, 
there is a section:
# allow setting action internal_user_lookup to disallow non-listed users as sender
smtpd_restriction_classes =
    internal_user_lookup
internal_user_lookup =
    check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
    # reject if not successful
    check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
    reject

ldap-internal_user_lookup.cf looks like this:
# resolve all mail addresses to OK (for checking of internal users)
query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
result_attribute = mail
result_format = OK
(LDAP config is missing here)

regexp-check_recipient_access-reject:
# the same message for all
/^(.*)$/        550 5.4.1 Delivery to this mailbox is not permitted for you

You see the point - if the sender address is somewhere in my Directory, the 
LDAP result returns OK - Mail is accepted. Otherwise, it returns no result and 
the second check is performed.

# postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
OK
# postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
(no result)
# postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
550 5.4.1 Delivery to this mailbox is not permitted for you

That always returns the 550 so the message will be rejected.


But how is internal_user_lookup actually enforced? This is how I’ve got it done:
ldap-check_recipient_access.cf:
# get recipient policy for a mail group
query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
result_attribute = mgrpBroadcasterPolicy

main.cf again:
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    [...]
    check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
    reject_unverified_recipient

So, for every incoming mail I make a call to that LDAP search above. If the 
group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup 
(that’s the only value that will be set at the moment, otherwise it won’t 
exist), the defined smtpd_restriction_class is called, which does what I 
described above.

Hope that helps :-) The Postfix docs are actually really good, but it’s complex 
to implement. Sometimes you just need a test setup. I got started there, I 
believe: http://www.postfix.org/LDAP_README.html

Best regards,
Christoph
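
As an added illustration (my own sketch, not code from Christoph’s setup or from Postfix), here is a Python model of the decision chain the post describes, with constructed directory entries and addresses standing in for the real LDAP data: it shows which lookup fires for which recipient, why an OK from check_sender_access ends the whole restriction list, and why a sender that is not in the directory always gets the 550.

```python
# Constructed directory entries standing in for the OpenLDAP objects the maps query.
DIRECTORY = [
    {"objectClass": ["mailGroup"], "mail": ["all@example.com"],
     "mgrpBroadcasterPolicy": ["internal_user_lookup"]},
    {"objectClass": ["mailGroup"], "mail": ["public@example.com"]},
    {"objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"],
     "mailAlternateAddress": ["alice.smith@example.com"]},
]
SENDER_CLASSES = ("mailGroup", "mailRecipient", "inetOrgPerson")
SENDER_ATTRS = ("mail", "mailAlternateAddress", "mailForwardingAddress", "mailRoutingAddress")
REJECT_TEXT = "550 5.4.1 Delivery to this mailbox is not permitted for you"


def ldap_check_recipient_access(recipient):
    """ldap-check_recipient_access.cf: mgrpBroadcasterPolicy of the mailGroup owning the address."""
    for e in DIRECTORY:
        if "mailGroup" in e["objectClass"] and recipient in (
                e.get("mail", []) + e.get("mailAlternateAddress", [])):
            return e.get("mgrpBroadcasterPolicy", [None])[0]
    return None  # no match: Postfix treats a missing result as DUNNO


def ldap_internal_user_lookup(sender):
    """ldap-internal_user_lookup.cf: OK when the address is found on any directory object."""
    for e in DIRECTORY:
        if any(c in SENDER_CLASSES for c in e["objectClass"]) and any(
                sender in e.get(a, []) for a in SENDER_ATTRS):
            return "OK"  # result_format = OK
    return None  # "(no result)" in postmap terms


def internal_user_lookup(sender, recipient):
    """The smtpd_restriction_class: check_sender_access, then the catch-all regexp reject."""
    # check_sender_access: an OK result permits and ends the whole restriction list, so
    # restrictions listed after the class (e.g. reject_unverified_recipient) are not reached.
    # What is checked is the envelope MAIL FROM, not an authenticated identity.
    if ldap_internal_user_lookup(sender) == "OK":
        return "OK"
    # check_recipient_access regexp: /^(.*)$/ matches every recipient, so the 550 text is
    # returned and the trailing "reject" is never reached
    return REJECT_TEXT


def smtpd_recipient_restrictions(sender, recipient):
    """Only the check_recipient_access ldap:... step of the list is modelled here."""
    if ldap_check_recipient_access(recipient) == "internal_user_lookup":
        return internal_user_lookup(sender, recipient)
    return "DUNNO"  # no policy on this recipient: evaluation continues with the next restriction
```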

> On 25.01.2019 at 13:09, mj (li...@merit.unu.edu) <users@sogo.nu> wrote:
> 
> Hi,
> 
> On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
>> Hi,
>> How can I create a distribution list (alias) that contains all mailboxes of 
>> one domain? Is it possible?
>> Is it possible to restrict who can send emails to one alias?
> 
> We do this in our accounts backend (ldap/AD) by creating a group, giving it an 
> email address, and adding users to it.
> 
> Then in sogo.conf we add a specific user source, something like:
> 
>>    type = ldap;
>>    CNFieldName = displayName;
>>    IDFieldName = cn;
>>    UIDFieldName = uid;
>>    baseDN = "CN=Groups,DC=....";
>>    canAuthenticate = NO;
>>    bindDN = "cn=sogo-groups,cn=.....";
>>    bindPassword = ....;
>>    displayName = "Our groups";
>>    listRequiresDot = NO;
>>    MailFieldNames =(mail, otherMailbox, proxyAddresses);
>>    id = ad-mail-groups;
>>    isAddressBook = YES;
>>    port = 389;
>>    scope = "SUB";
>>    filter = "(objectClass=group)";
> 
> You also need to configure postfix to handle these same groups.
> 
> About restrictions: I guess I'd look at the postfix side of things for 
> restrictions. But I don't have an answer ready for you.
> 
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
