On Tuesday 03 October 2017 at 18:24 +0530, Ivars Strazdiņš wrote:
> Hi,
> our postfix mail server is a FreeIPA client. What this means is that
> user accounts are kept on a separate FreeIPA server, but they are
> real linux accounts on the mail server. "id" and "getent passwd"
> commands work on the mail server and return user id and group membership
> information. (FreeIPA is Red Hat's implementation of identity
> management, http://www.freeipa.org/page/About)
> The FreeIPA server also has an LDAP service, and so far it has been used for
> virtual address expansion. For example, if a message is sent to
> test.u...@example.net, then postfix does an LDAP lookup for the mail attribute
> "test.u...@example.net" and delivers to the "uid" result attribute
> "testuser". If the LDAP lookup fails, then postfix attempts to deliver to
> the local user "testuser" mailbox anyway.
> To say otherwise, LDAP lookup failure is not a fatal error and
> postfix still attempts to deliver locally.
> 
> Now I would like to change this and include a check for account
> validity (and/or group membership).
> Say, if the account is disabled (LDAP attribute
> nsAccountLock=TRUE) and the LDAP lookup fails, then postfix
> should not attempt to deliver locally and should reject the message instead.
> Is it possible to achieve this and keep the current configuration
> relatively intact? (i.e., keep local_transport=local:$myhostname)
> I understand that I can change local_transport to
> "local_transport=virtual", but this brings in many other changes.
> 
> I appreciate your time spent on this. Thank you. "postconf -nf"
> output and ldap-virtual.cf file attached.
> Kind regards,
> Ivars
> 

Hello,

You may add a transport(5) table that returns "error:locked account
msg" if nsAccountLock is true on the given address ("error:" is untested
on my side, I use discard).

I have such a table in my config:

query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(qmailDotMode=discard))
result_attribute = uid
result_format = discard:

(Actually I discard mails, I do not reject them)

It's plugged into main.cf like this:

transport_maps = ldap:/etc/postfix/ldap-trash.cf,
    ldap:/etc/postfix/ldap-virtual-transport.cf,
    ldap:/etc/postfix/ldap-local-transport.cf

Regards,

-- 
Bastien Durel
DATA
Enterprise data integration,
Decision-support information systems.

bastien.du...@data.fr
tel : +33 (0) 1 57 19 59 28
fax : +33 (0) 1 57 19 59 73
12 avenue Raspail, 94250 GENTILLY France
www.data.fr
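A concrete table in the shape Bastien describes, keyed on the nsAccountLock attribute from Ivars' question, as an added example rather than configuration from either poster; the LDAP host, search base, bind DN and password are assumptions to be replaced with the real FreeIPA values:

```ini
# /etc/postfix/ldap-locked-account.cf  (added example; host, base and bind
# credentials are assumptions, not values from either message)
server_host = ldap://ipa.example.net
version = 3
bind = yes
bind_dn = uid=postfix,cn=sysaccounts,cn=etc,dc=example,dc=net
bind_pw = BIND_PASSWORD_PLACEHOLDER
search_base = cn=users,cn=accounts,dc=example,dc=net
scope = sub
# Match the recipient address only when the FreeIPA account is locked,
# so unlocked users fall through to the virtual/local tables below.
query_filter = (&(mail=%s)(nsAccountLock=TRUE))
result_attribute = uid
# transport(5) "error:" bounces the message with this text; %s is the uid.
result_format = error:account %s is locked

# main.cf: the lock table must be listed first, because Postfix stops at
# the first transport_maps table that returns a result.
transport_maps = ldap:/etc/postfix/ldap-locked-account.cf,
    ldap:/etc/postfix/ldap-virtual.cf
```

Check it with `postmap -q locked.user@example.net ldap:/etc/postfix/ldap-locked-account.cf` before enabling it; note that if the LDAP server is unreachable, a transport_maps lookup error makes Postfix defer the message rather than fall through to local delivery.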
