Hi, I implemented something like that in the backend, too. I’m using OpenLDAP.
I have a script (a PHP CLI script that is part of a Zend Framework management frontend) that uses a config file containing some LDAP searches to automatically add/remove users to/from groups based on some attributes. That part is hard to share, but it shouldn't be too hard to implement it with a shell script if you are using the LDAP backend, too.

Regarding restrictions: as MJ proposed, I handle that in Postfix. In main.cf, after smtpd_recipient_restrictions and smtpd_data_restrictions, there is a section:

    # allow setting action internal_user_lookup to disallow non-listed users as sender
    smtpd_restriction_classes = internal_user_lookup
    internal_user_lookup =
        check_sender_access ldap:/etc/postfix/ldap-internal_user_lookup.cf,
        # reject if not successful
        check_recipient_access regexp:/etc/postfix/regexp-check_recipient_access-reject,
        reject

ldap-internal_user_lookup.cf looks like this:

    # resolve all mail addresses to OK (for checking of internal users)
    query_filter = (&(|(objectClass=mailGroup)(objectClass=mailRecipient)(objectClass=inetOrgPerson))(|(mail=%s)(mailAlternateAddress=%s)(mailForwardingAddress=%s)(mailRoutingAddress=%s)))
    result_attribute = mail
    result_format = OK
    (LDAP connection config is missing here)

regexp-check_recipient_access-reject:

    # the same message for all
    /^(.*)$/ 550 5.4.1 Delivery to this mailbox is not permitted for you

You see the point: if the sender address is somewhere in my directory, the LDAP lookup returns OK and the mail is accepted. Otherwise it returns no result and the second check is performed.

    # postmap -q kreutzer.christ...@yesthatsmymail.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
    OK
    # postmap -q kreutzer.christ...@example.com ldap:/etc/postfix/ldap-internal_user_lookup.cf
    (no result)
    # postmap -q kreutzer.christ...@example.com regexp:/etc/postfix/regexp-check_recipient_access-reject
    550 5.4.1 Delivery to this mailbox is not permitted for you

That always returns the 550, so the message will be rejected.
But how is internal_user_lookup actually enforced? This is how I've got it done:

ldap-check_recipient_access.cf:

    # get recipient policy for a mail group
    query_filter = (&(objectClass=mailGroup)(|(mail=%s)(mailAlternateAddress=%s)))
    result_attribute = mgrpBroadcasterPolicy

main.cf again:

    smtpd_recipient_restrictions =
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_unlisted_recipient,
        [...]
        check_recipient_access ldap:/etc/postfix/ldap-check_recipient_access.cf,
        reject_unverified_recipient

So, for every incoming mail I make a call to the LDAP search above. If the group has the attribute mgrpBroadcasterPolicy set to internal_user_lookup (that's the only value that will be set at the moment; otherwise the attribute won't exist), the defined smtpd_restriction_class is called, which does what I described above.

Hope that helps :-)

The Postfix docs are actually really good, but it's complex to implement. Sometimes you just need a test setup. I got started there, I believe: http://www.postfix.org/LDAP_README.html

Best regards,
Christoph

> On 25 Jan 2019, at 13:09, mj (li...@merit.unu.edu) <users@sogo.nu> wrote:
>
> Hi,
>
> On 1/25/19 3:37 AM, Pedro Antunes (pantu...@suroot.pt) wrote:
>> Hi,
>> how can I create a distribution list (alias) that contains all mailboxes of
>> one domain? Is it possible?
>> Is it possible to restrict who can send emails to one alias?
>
> We do this in our accounts backend (ldap/AD) by creating a group, giving it an
> email address, and adding users to it.
>
> Then in sogo.conf we add a specific user source, something like:
>
>> type = ldap;
>> CNFieldName = displayName;
>> IDFieldName = cn;
>> UIDFieldName = uid;
>> baseDN = "CN=Groups,DC=....";
>> canAuthenticate = NO;
>> bindDN = "cn=sogo-groups,cn=.....";
>> bindPassword = ....;
>> displayName = "Our groups";
>> listRequiresDot = NO;
>> MailFieldNames = (mail, otherMailbox, proxyAddresses);
>> id = ad-mail-groups;
>> isAddressBook = YES;
>> port = 389;
>> scope = "SUB";
>> filter = "(objectClass=group)";
>
> You also need to configure postfix to handle these same groups.
>
> About restrictions: I guess I'd look at the postfix side of things for
> restrictions. But I don't have an answer ready for you.
>
> MJ
> --
> users@sogo.nu
> https://inverse.ca/sogo/lists

--
users@sogo.nu
https://inverse.ca/sogo/lists
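The decision path that Christoph's two LDAP lookups and the internal_user_lookup restriction class produce, written out as an added shell emulation (this is not the poster's code and not Postfix's own logic; it is a model of how Postfix evaluates the tables above so the ordering can be traced without an LDAP server). The directory contents, the group policy values and every address in the block are constructed sample data; the reply text reuses the poster's wording with enhanced status code 5.7.1, the code conventionally used for a policy rejection.

```sh
#!/bin/sh
# Added example, not the poster's or Postfix's code: a shell emulation of the
# decision path produced by the two Postfix lookups and the restriction class
# from the thread, so the ordering can be traced without an LDAP server.
# The "directory" below is constructed sample data standing in for the LDAP
# results; every address in it is hypothetical.

# What ldap-check_recipient_access.cf would return: a mailGroup address and its
# mgrpBroadcasterPolicy value ("-" marks a group without the attribute).
MAIL_GROUPS='all@example.org internal_user_lookup
newsletter@example.org -'

# What ldap-internal_user_lookup.cf would match: every object carrying the
# address in mail / mailAlternateAddress / mailForwardingAddress / mailRoutingAddress.
INTERNAL_USERS='alice@example.org
bob@example.org
all@example.org
newsletter@example.org'

# Emulates the recipient lookup (result_attribute = mgrpBroadcasterPolicy):
# prints the policy value, or nothing when the recipient is not a group or the
# attribute is absent.
lookup_group_policy() {
    printf '%s\n' "$MAIL_GROUPS" | awk -v key="$1" '$1 == key && $2 != "-" { print $2 }'
}

# Emulates the sender lookup (result_format = OK): prints OK when the address
# resolves to any directory object, nothing otherwise.
lookup_internal_user() {
    printf '%s\n' "$INTERNAL_USERS" | awk -v key="$1" '$1 == key { print "OK" }'
}

# Emulates the regexp table: /^(.*)$/ maps every key to the same reply.
regexp_reject() {
    printf '550 5.7.1 Delivery to this mailbox is not permitted for you\n'
}

# Emulates the restriction class
#   internal_user_lookup = check_sender_access ldap:..., check_recipient_access regexp:..., reject
# An access-map result of OK is a PERMIT, which ends the whole restriction list;
# otherwise the regexp table returns 550 and the trailing "reject" is never reached.
internal_user_lookup_class() {
    sender=$1
    if [ "$(lookup_internal_user "$sender")" = OK ]; then
        echo permit
    else
        echo "reject $(regexp_reject)"
    fi
}

# Emulates the check_recipient_access ldap:... step inside
# smtpd_recipient_restrictions. Output: "permit", "reject <reply>", or "dunno"
# (no policy for this recipient; Postfix continues with the next restriction,
# here reject_unverified_recipient).
evaluate_recipient() {
    sender=$1 recipient=$2
    if [ "$(lookup_group_policy "$recipient")" = internal_user_lookup ]; then
        internal_user_lookup_class "$sender"
    else
        echo dunno
    fi
}

# Demo run over constructed MAIL FROM / RCPT TO pairs.
for pair in \
    'alice@example.org all@example.org' \
    'stranger@example.com all@example.org' \
    'stranger@example.com newsletter@example.org' \
    'stranger@example.com bob@example.org' \
    'bob@example.org all@example.org'
do
    set -- $pair
    printf '%-22s -> %-24s %s\n' "$1" "$2" "$(evaluate_recipient "$1" "$2")"
done
```

Two properties of the real setup are visible in the emulation. First, the OK result of check_sender_access is a PERMIT, so for an internal sender writing to a restricted group the restriction list ends there and anything listed after check_recipient_access in smtpd_recipient_restrictions (reject_unverified_recipient in the thread) is skipped. Second, the class only keys on the envelope sender: a connection on port 25 that claims MAIL FROM:<bob@example.org> is permitted exactly like the real Bob, so on an inbound MX this check needs to be paired with something that proves the sender's identity (SASL authentication with reject_sender_login_mismatch on the submission service, or SPF/DKIM/DMARC evaluation for mail claiming your own domain from the outside) before it restricts who can post to a group. To check the real tables instead of the emulation, run the same pairs through postmap -q against the ldap: and regexp: tables, as the poster does.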