how to reject disabled LDAP users

how to reject disabled LDAP users

Ivars Strazdiņš
Hi,
our postfix mail server is a FreeIPA client. What this means is that user accounts are kept on a separate FreeIPA server, but they are real Linux accounts on the mail server. "id" and "getent passwd" commands work on the mail server and return user id and group membership information. (FreeIPA is Red Hat's implementation of identity management, http://www.freeipa.org/page/About)
The FreeIPA server also has an LDAP service, and so far it has been used for virtual address expansion. For example, if a message is sent to [hidden email], then postfix does an LDAP lookup for mail attribute "[hidden email]" and delivers to the "uid" result attribute "testuser". If the LDAP lookup fails, then postfix attempts to deliver to the local user "testuser" mailbox anyway.
To say otherwise, LDAP lookup failure is not a fatal error and postfix still attempts to deliver locally.

Now I would like to change this and include a check for account validity (and/or group membership).
Say, if an account is disabled (LDAP attribute nsAccountLock=TRUE) and the LDAP lookup fails, then postfix should not attempt to deliver locally and should reject the message instead.
Is it possible to achieve this and keep the current configuration relatively intact? (i.e., keep local_transport=local:$myhostname)
I understand that I can change local_transport to "local_transport=virtual", but this brings in many other changes.

I appreciate your time spent on this. Thank you. "postconf -nf" output and ldap-virtual.cf file attached.
Kind regards,
Ivars

Attachments: ldap-virtual.cf (381 bytes), main.cf (4K)

Re: how to reject disabled LDAP users

Bastien Durel
On Tuesday, 3 October 2017 at 18:24 +0530, Ivars Strazdiņš wrote:

> Hi,
> our postfix mail server is FreeIPA client. What this means is that
> user accounts are kept on a separate FreeIPA server, but they are
> real linux accounts on the mail server. "id" and "getent passwd"
> commands work on mail server and return user id and group membership
> information. (FreeIPA is RedHat implementation of identity
> management, http://www.freeipa.org/page/About)
> FreeIPA server also has LDAP service, and so far it has been used for
> virtual address expansion. For example, if a message is sent to test.
> [hidden email], then postfix does LDAP lookup for mail attribute "t
> [hidden email]" and deliver to "uid" result attribute
> "testuser". If LDAP lookup fails, then postfix attempts to deliver to
> local user "testuser" mailbox anyway.
> To say otherwise, LDAP lookup failure is not a fatal error and
> postfix still attempts to deliver locally.
>
> Now I would like to change this and include a check for account
> validity (and/or group membership).
> Say, if account is disabled (LDAP attribute
> nsAccountLock=TRUE) and LDAP lookup fails, then postfix
> should not attempt to deliver locally and reject message instead.
> Is it possible to achieve this and keep current configuration
> relatively intact? (i.e., keep local_transport=local:$myhostname)
> I understand that I can change local_transport to
> "local_transport=virtual", but this brings in many other changes.
>
> I appreciate your time spent on this. Thank you. “postconf -nf”
> output and ldap-virtual.cf file attached.
> Kind regards,
> Ivars
>

Hello,

You may add a transport(5) table that returns "error:locked account
msg" if nsAccountLock is true on the given address ("error:" untested
on my side, I use discard)

I have such a table in my config:

query_filter =
    (&(|(mail=%s)(mailAlternateAddress=%s))(qmailDotMode=discard))
result_attribute = uid
result_format = discard:

(Actually I discard mails, I do not reject them)

It's plugged in main.cf like this:

transport_maps = ldap:/etc/postfix/ldap-trash.cf,
    ldap:/etc/postfix/ldap-virtual-transport.cf,
    ldap:/etc/postfix/ldap-local-transport.cf

Regards,

--
Bastien Durel
DATA
Enterprise data integration,
decision-support information systems.

[hidden email]
tel: +33 (0) 1 57 19 59 28
fax: +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
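A concrete version of the transport-table approach described above, written for a FreeIPA directory and returning the "error:" result rather than "discard:". This is an added example, not Bastien's or the Postfix project's own configuration: the server name, search base, bind DN under cn=sysaccounts,cn=etc and the password are assumed placeholder values for a domain dc=example,dc=com, and the filter assumes FreeIPA's convention that disabled users carry nsAccountLock=TRUE.

```conf
# /etc/postfix/ldap-locked.cf  (added example; all DNs and credentials are
# assumed placeholders for a FreeIPA domain dc=example,dc=com)
server_host = ldaps://ipa.example.com
search_base = cn=users,cn=accounts,dc=example,dc=com
version = 3
# FreeIPA restricts anonymous reads, so bind as a dedicated system account
# that only needs read access to the user tree.
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = CHANGE-ME

# Match the recipient either by its mail attribute (%s = full address) or,
# if virtual aliasing already rewrote it to a bare uid, by uid (%u = local
# part), and only return a result for accounts FreeIPA has disabled.
query_filter = (&(|(mail=%s)(uid=%u))(nsAccountLock=TRUE))
result_attribute = uid
# error(8) bounces the message with this text; 5.2.1 is the enhanced status
# code for "mailbox disabled". %s is the uid returned by the search.
result_format = error:5.2.1 account %s is disabled

# --- main.cf -------------------------------------------------------------
# transport_maps stops at the first table that returns a result, so the
# locked-account table must be listed before any other transport tables.
# transport_maps = ldap:/etc/postfix/ldap-locked.cf,
#     ldap:/etc/postfix/ldap-virtual-transport.cf
```

Check a single address with `postmap -q user@example.com ldap:/etc/postfix/ldap-locked.cf` before reloading Postfix; an active account returns nothing, a disabled one returns the error: line. Note that a transport result is applied at delivery time, after Postfix has already accepted the message, so the sender gets a bounce rather than a 5xx reply during the SMTP session.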

Re: how to reject disabled LDAP users

Viktor Dukhovni
In reply to this post by Ivars Strazdiņš

> On Oct 3, 2017, at 8:54 AM, Ivars Strazdiņš <[hidden email]> wrote:
>
> For example, if a message is sent to [hidden email], then postfix does LDAP lookup for mail attribute "[hidden email]" and deliver to "uid" result attribute "testuser". If LDAP lookup fails, then postfix attempts to deliver to local user "testuser" mailbox anyway.
> To say otherwise, LDAP lookup failure is not a fatal error and postfix still attempts to deliver locally.
>
> Now I would like to change this and include a check for account validity (and/or group membership).
> Say, if account is disabled (LDAP attribute nsAccountLock=TRUE) and LDAP lookup fails, then postfix should not attempt to deliver locally and reject message instead.
> Is it possible to achieve this and keep current configuration relatively intact? (i.e., keep local_transport=local:$myhostname)
> I understand that I can change local_transport to "local_transport=virtual", but this brings in many other changes.

See http://www.postfix.org/ADDRESS_CLASS_README.html
    http://www.postfix.org/postconf.5.html#local_recipient_maps

Remove unix:passwd.byname from local_recipient_maps or otherwise
ensure that it only matches the users you want to accept mail for.

If all the users in question are listed in virtual_alias_maps
(which is implicitly applicable to every address class), then
use an essentially empty table for local_recipient_maps.
With a sufficiently recent Postfix, you could use something
like:

     local_recipient_maps = inline:{ postmaster=root }

--
        Viktor.
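The variant of Viktor's advice in which local_recipient_maps is made to match only enabled FreeIPA users, instead of being emptied, as an added example that is not Viktor's or the Postfix project's own configuration. The host, search base, bind DN and password are assumed placeholders for dc=example,dc=com; the filter assumes FreeIPA marks disabled users with nsAccountLock=TRUE and leaves the attribute unset on active ones.

```conf
# /etc/postfix/ldap-local-recipients.cf  (added example; DNs and
# credentials are assumed placeholders for a FreeIPA domain)
server_host = ldaps://ipa.example.com
search_base = cn=users,cn=accounts,dc=example,dc=com
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=com
bind_pw = CHANGE-ME

# local_recipient_maps is queried with user@domain and with the bare user;
# %u is the local part in both cases. Only return a hit for accounts that
# are not disabled, so a locked user is "unknown" to Postfix.
query_filter = (&(uid=%u)(!(nsAccountLock=TRUE)))
result_attribute = uid

# --- main.cf -------------------------------------------------------------
# Replaces unix:passwd.byname (which matches every getent passwd user, locked
# or not). proxy: lets the possibly chrooted smtpd reach the LDAP server via
# proxymap; $alias_maps stays so /etc/aliases entries such as postmaster
# remain deliverable.
# local_recipient_maps = proxy:ldap:/etc/postfix/ldap-local-recipients.cf $alias_maps
```

With this in place an unknown or disabled local user is refused with "User unknown in local recipient table" during the SMTP session (smtpd_reject_unlisted_recipient is on by default), so no bounce is generated. Verify lookups with `postmap -q testuser ldap:/etc/postfix/ldap-local-recipients.cf` for an enabled and a disabled account before switching the map over.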