Hi all,
I have to implement a restriction class as per
http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some
internal aliases, allowing only selected users to send mail to them. The
initial idea is to create a security group (called PSIU below) inside AD
(Samba 4.7) and put the granted people there. I went this way:
main.cf:
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access
ldap:/etc/postfix/adinsidersok.cf, reject
smtpd_recipient_restrictions =
...
check_recipient_access ldap:/etc/postfix/adinsiders.cf,
...
adinsiders.cf defines the aliases to protect:
server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = OU=MailAliases,DC=tld
query_filter = (mail=%s)
result_attribute = msDS-AzApplicationData
On msDS-AzApplicationData attribute I have "insiders_only" for some
aliases. This is fine.
adinsidersok.cf defines who can use those protected aliases:
server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
search_base = CN=PSIU,OU=Sistemas,DC=tld
query_filter = (member=%s)
result_attribute = memberOf
This is where I'm stuck. To start, the "member" attribute contains a DN,
not a mail address, so how do I return 'OK' for those people?
What approach do you guys use in cases like this, keeping everything
inside LDAP? What do you recommend?
Thank you all, best regards.
--
*Marcio Merlone*
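One way to make the sender lookup answer OK for PSIU members, as an added example that is not from Marcio's post or from the Postfix documentation: search the user objects instead of the group, match the sender address against the user's mail attribute, and filter on the memberOf backlink that AD keeps on each user. The users container (OU=Users,DC=tld) and the presence of a mail attribute on user objects are assumptions.

```ini
# adinsidersok.cf (added example): answers OK when the envelope sender's
# address belongs to a user object that is a member of PSIU.
server_host = ldap://addc
bind_dn = CN=postfix,OU=Sistemas,DC=tld
bind_pw = xxx
version = 3

# Search the users, not the group. %s is the sender address and is
# matched against the user's mail attribute; Postfix escapes %s for
# LDAP, so a crafted sender address cannot alter the filter.
# OU=Users,DC=tld is an assumed container; adjust to your tree.
search_base = OU=Users,DC=tld
scope = sub

# Direct members only: AD stores the memberOf backlink on the user.
query_filter = (&(mail=%s)(memberOf=CN=PSIU,OU=Sistemas,DC=tld))

# Alternative filter that also honours nested groups through AD's
# LDAP_MATCHING_RULE_IN_CHAIN extensible match (check that your Samba
# version supports it before relying on it):
# query_filter = (&(mail=%s)(memberOf:1.2.840.113556.1.4.1941:=CN=PSIU,OU=Sistemas,DC=tld))

# Return the literal access action rather than the attribute value, so
# check_sender_access sees OK. A non-member yields no result at all and
# falls through to the trailing "reject" in the restriction class.
result_attribute = mail
result_format = OK
```

Verify with `postmap -q user@tld ldap:/etc/postfix/adinsidersok.cf`, which should print OK for a PSIU member and nothing for anyone else. Since check_sender_access only trusts the envelope sender, pair it on the submission path with smtpd_sender_login_maps and reject_sender_login_mismatch so that a user cannot pass the class simply by claiming a member's address.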