Question about restriction class (AD LDAP)

Question about restriction class (AD LDAP)

Márcio Merlone

Hi all,

I have to implement a restriction class as per http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some internal aliases, allowing only selected users to send mail to them. The initial idea is to create a security group (called PSIU below) inside AD (Samba 4.7) and put the granted people in it. I went this way:

main.cf:

smtpd_restriction_classes       = insiders_only
insiders_only                   = check_sender_access ldap:/etc/postfix/adinsidersok.cf, reject

smtpd_recipient_restrictions =
    ...
    check_recipient_access ldap:/etc/postfix/adinsiders.cf,

    ...


adinsiders.cf defines the aliases to protect:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = OU=MailAliases,DC=tld
query_filter                = (mail=%s)
result_attribute            = msDS-AzApplicationData

On msDS-AzApplicationData attribute I have "insiders_only" for some aliases. This is fine.

adinsidersok.cf defines who can use those protected aliases:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = CN=PSIU,OU=Sistemas,DC=tld
query_filter                = (member=%s)
result_attribute            = memberOf

This is where I got stuck. To start, the "member" attribute contains a DN, not a mail address, and how do I return 'OK' for those people?

What approach do you use in cases like this, keeping everything inside LDAP? What do you recommend?

Thank you all, best regards.


--
Marcio Merlone

Re: Question about restriction class (AD LDAP)

Viktor Dukhovni
What you're trying to do can't be done with Postfix access(5)
tables.  You're trying to encode a pair of lookup keys, the
sender and the receiving alias into a single query, so that
different receiving aliases can have different allowed senders.

Postfix has only single-key queries.  If a single set of
authorized senders across all the aliases will not do,
you need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.

> On Oct 9, 2018, at 10:19 AM, Marcio Vogel Merlone dos Santos <[hidden email]> wrote:
>
> I have to implement a restriction class as per http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some internal aliases, allowing just selected users to send mails to. Initial idea is to create a security group (called PSIU below) inside AD (Samba 4.7) and put granted people there. I went this way:

--
        Viktor.

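The policy-service route Viktor points to, as an added example that is not part of the thread and not Postfix code: a minimal SMTPD access policy daemon that receives both the envelope sender and the recipient in one request and decides on the pair. The alias table and the group membership below are constructed in-memory stand-ins for the two LDAP lookups in the original post (adinsiders.cf and adinsidersok.cf); the alias names, the listening port 10040 and the reject text are assumptions. Against AD the membership test would be an LDAP query on the user object, e.g. `(&(mail=<sender>)(memberOf=CN=PSIU,OU=Sistemas,DC=tld))`, which avoids the "member holds a DN, not a mail" problem from the first post.

```python
"""Minimal Postfix SMTPD access policy service that checks (sender, recipient) pairs.

Added example for this thread, not code from the list or from Postfix.  Postfix
sends one request per recipient as "name=value" lines ending with an empty line
and expects "action=..." plus an empty line back (see SMTPD_POLICY_README).  The
directory contents below are a constructed in-memory stand-in for the two LDAP
lookups in the thread (alias -> restriction class, class -> allowed senders).
"""
import socketserver

# Constructed stand-in for adinsiders.cf: protected alias -> restriction class.
PROTECTED_ALIASES = {
    "board@example.com": "insiders_only",
    "payroll@example.com": "insiders_only",
}

# Constructed stand-in for adinsidersok.cf: restriction class -> allowed senders.
# Against AD you would instead look the sender up by mail and test group
# membership, e.g. (&(mail=<sender>)(memberOf=CN=PSIU,OU=Sistemas,DC=tld)),
# with the group DN taken from the thread.
CLASS_MEMBERS = {
    "insiders_only": {"alice@example.com", "bob@example.com"},
}


def parse_request(text: str) -> dict:
    """Turn one policy request ("name=value" lines) into a dict.

    Parsing stops at the first empty line, which terminates a request.
    """
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def decide(attrs: dict) -> str:
    """Return the Postfix action for one request.

    DUNNO means "no opinion, continue with the remaining restrictions"; it is
    returned for authorized senders too, so that reject_unauth_destination and
    the other restrictions still run.  OK would short-circuit them.
    """
    # Only RCPT TO carries a usable recipient; say nothing at other stages.
    if attrs.get("protocol_state", "RCPT") != "RCPT":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    cls = PROTECTED_ALIASES.get(recipient)
    if cls is None:
        return "DUNNO"
    # The empty sender (bounces) is never a group member, so it is rejected
    # like every other non-member.  The envelope sender is attacker-chosen on
    # an unauthenticated port: enforce this on the submission path, or pair it
    # with reject_sender_login_mismatch.
    if sender in CLASS_MEMBERS.get(cls, set()):
        return "DUNNO"
    return "REJECT Sender not authorized for this recipient"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve policy requests on one connection; Postfix reuses connections."""

    def handle(self):
        pending = []
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if line:
                pending.append(line)
                continue
            if pending:
                action = decide(parse_request("\n".join(pending)))
                self.wfile.write(f"action={action}\n\n".encode("utf-8"))
                self.wfile.flush()
                pending = []


def serve(host: str = "127.0.0.1", port: int = 10040) -> None:
    """Run the service; point Postfix at it with check_policy_service inet:host:port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), PolicyHandler) as server:
        server.serve_forever()


if __name__ == "__main__":
    serve()
```

Hook it into smtpd_recipient_restrictions as `check_policy_service inet:127.0.0.1:10040`, placed after reject_unauth_destination so the daemon only ever sees mail Postfix would otherwise accept. The other option Viktor names, one restriction class per alias, needs no daemon but one sender access map per protected alias.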

Re: Question about restriction class (AD LDAP)

Márcio Merlone

Hi Viktor,

Thank you for your answer. Do you have any direction I could follow to achieve my end goal, controlling who can send mail to some addresses with data from LDAP? Any hint or idea is helpful.

Thanks, best regards.


On 09/10/2018 11:57, Viktor Dukhovni wrote:
What you're trying to do can't be done with Postfix access(5)
tables.  You're trying to encode a pair of lookup keys, the
sender and the receiving alias into a single query, so that
different receiving aliases can have different allowed senders.

Postfix has only single-key queries.  If a single set of
authorized senders across all the aliases will not do,
you need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.
--
Marcio Merlone
IT - Network Administrator

A1 Engenharia - Unidade Corporativa
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/

Re: Question about restriction class (AD LDAP)

Viktor Dukhovni


> On Oct 9, 2018, at 12:57 PM, Marcio Vogel Merlone dos Santos <[hidden email]> wrote:
>
> Thank you for your answer. Do you have any direction I could follow to achieve my end goal, controlling who can send mail to some addresses with data from LDAP? Any hint or idea is helpful.

Postfix has only single-key queries.  If a single set of
authorized senders across all the aliases will not do,
you'll need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.

--
        Viktor.