On Tue, Sep 22, 2020 at 04:43:22PM +0200, Marek Kozlowski wrote:

> Let's imagine that my SMTP server is an MX for 'mydomain.tld' (and some
> other ones). I've defined an LDAP query for 'virtual_alias_maps', something
> like:

Tables used with virtual(5) need to implement a mapping between envelope
recipient email addresses.  Each input address rewrites to one or more
(comma-separated) output addresses, subject to the documented quoting and
escaping rules for the LHS and RHS values.

> virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf

When using LDAP as a backend for virtual(5) lookups, the LDAP query needs
to extract from each matching "entry" zero or more email-address-valued
attributes, which are combined (by adding comma separators) to yield the
final result.  The address values themselves are assumed to be in valid
"external" (i.e. quoted and escaped as needed) form.

> The query file in some very simplified form can be expressed as:
>
> server_host = ldaps://myhosthere:636
> version = 3
> search_base = ou=someou,o=myorg
> query_filter = (mail=%s)
> result_attribute = cn
> result_format = %s
> bind = no
> dereference = 3

This query definition makes no sense, because in all the LDAP schemas I'm
familiar with, the "cn" attribute is just a free-form name (like "John
Smith"), and is NOT an email address.  Things that are more like an email
address are:

  - mail (canonical email address, single-valued)
  - maildrop (alias target, can be multi-valued)
  - mailRoutingAddress (ditto under another name)
  - uid (login name without domain suffix, single-valued)

With Microsoft Exchange, the lookup key is generally matched against:

  - proxyAddresses (input address with "smtp:" as a prefix)

In Microsoft Exchange only "contact" objects have built-in
email-address-valued destination (RHS) addresses other than the primary
address.  However, many sites add custom attributes for these, e.g.
"mailRoutingAddress" is somewhat popular.  Or you can use the AD analogue
of "uid", which is "sAMAccountName", which is then domain-qualified
explicitly in the result format, or implicitly with "$myorigin".

> The intended behavior is as follows: If there is an e-mail to:
>
> something.h...@mydomain.tld

Which you'd match against "mail", though typically a multi-input lookup key
is more appropriate, allowing the same mailbox to be reachable via more
than one address.  Though of course one can also create "alias" objects in
LDAP with "mail" as the LHS key, and "maildrop" (or similar) as the result
attribute value.

> The problem is: If the 'mail' field of a user 'smithj' (there is such a
> user) is NOT set to 'smi...@mydomain.tld' I don't want e-mails to
> 'smi...@mydomain.tld' to be delivered to this user. I'm afraid they are :-(

Well, user "smithj" would in many an LDAP schema have "uid: smithj",
allowing you to write:

    query_filter = (&(mail=%s)(uid=%u))

if that's what you're looking for.  Of course you then still have the
problem that your result attribute is quite wrong, it should probably be
"mail", based on the description so far.

-- 
    Viktor.
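Worked example, added after the thread and not part of Viktor's reply or of Postfix itself: a small offline emulation of what ldap_table(5) does with the three filters discussed above (the posted "(mail=%s)" with "result_attribute = cn", the alias-object form with "maildrop" as the RHS, and the "(&(mail=%s)(uid=%u))" restriction). It shows the %s/%u/%d expansion with the RFC 4515 (formerly RFC 2254) quoting of the lookup key that ldap_table(5) documents, the %d suppression rule for keys without a domain, and the comma-joining of multi-valued results. The directory entries, the "Jane Doe"/"Sales" objects and the "mailstore.internal" delivery domain are constructed for the example; the filter evaluator is a toy that only understands equality/substring items combined with &, | and !, which is all these filters need.

```python
"""Offline emulation of a Postfix ldap_table(5) virtual_alias_maps lookup.

Added example, not Postfix code.  Models %s/%u/%d expansion with RFC 4515
quoting of the key, query_filter evaluation, and comma-joining of
result_attribute values after result_format.  Directory is constructed.
"""
import re

# RFC 4515 quoting that ldap_table(5) applies to the %s, %u and %d expansions.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def filter_escape(value):
    """Quote a lookup key so it cannot inject filter metacharacters."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand(template, key, quote):
    """Expand %s (whole key), %u (local part), %d (domain) and %%; quote=True applies RFC 4515 quoting."""
    local, _, domain = key.partition("@")
    values = {"s": key, "u": local, "d": domain, "%": "%"}

    def repl(m):
        text = values[m.group(1)]
        return filter_escape(text) if quote and m.group(1) != "%" else text

    return re.sub(r"%([sud%])", repl, template)


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(s, i):
    """Parse the filter item starting at s[i] == '('; return (node, next_i)."""
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                 # step over the closing ')'
    j = s.index(")", i)                          # a quoted ')' is '\29', so this is safe
    attr, _, raw = s[i + 1:j].partition("=")
    # An unquoted '*' is a substring wildcard; '\2a' is a literal asterisk.
    pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
    return ("=", attr.strip().lower(), re.compile(pattern, re.I).fullmatch), j + 1


def _match(node, entry):
    if node[0] == "=":
        _, attr, matches = node
        return any(matches(v) for v in entry.get(attr, []))
    op, kids = node
    if op == "!":
        return not _match(kids[0], entry)
    return (all if op == "&" else any)(_match(k, entry) for k in kids)


def lookup(entries, cfg, key, quote=True):
    """Return the comma-joined RHS for one input address, or None if nothing matches."""
    if "%d" in cfg["query_filter"] and "@" not in key:
        return None                              # ldap_table(5): %d on a bare key suppresses the search
    node, _ = _parse(expand(cfg["query_filter"], key, quote), 0)
    attrs = [a.strip().lower() for a in cfg.get("result_attribute", "maildrop").split(",")]
    results = []
    for entry in entries:
        if _match(node, entry):
            for attr in attrs:
                for value in entry.get(attr, []):
                    results.append(expand(cfg.get("result_format", "%s"), value, False))
    return ",".join(results) or None


# Constructed directory (attribute names lowercased): two people and one alias
# object.  "mailstore.internal" is an assumed delivery domain, not from the thread.
DIRECTORY = [
    {"cn": ["John Smith"], "uid": ["smithj"],
     "mail": ["john.smith@mydomain.tld"], "maildrop": ["smithj@mailstore.internal"]},
    {"cn": ["Jane Doe"], "uid": ["jane.doe"],
     "mail": ["jane.doe@mydomain.tld"], "maildrop": ["jane.doe@mailstore.internal"]},
    {"cn": ["Sales"], "mail": ["sales@mydomain.tld"],
     "maildrop": ["john.smith@mydomain.tld", "jane.doe@mydomain.tld"]},
]

# The filter as posted, with result_attribute = cn: yields a name, not an address.
AS_POSTED = {"query_filter": "(mail=%s)", "result_attribute": "cn", "result_format": "%s"}
# Alias-object style from the reply: "mail" as the LHS key, "maildrop" as the RHS.
ALIAS_CFG = {"query_filter": "(mail=%s)", "result_attribute": "maildrop"}
# The reply's uid-restricted filter: the local part must also equal the entry's uid.
UID_CFG = {"query_filter": "(&(mail=%s)(uid=%u))", "result_attribute": "maildrop"}

if __name__ == "__main__":
    for cfg in (AS_POSTED, ALIAS_CFG, UID_CFG):
        for key in ("john.smith@mydomain.tld", "jane.doe@mydomain.tld", "sales@mydomain.tld"):
            print(cfg["query_filter"], cfg["result_attribute"], key, "->", lookup(DIRECTORY, cfg, key))
    # Why the key is quoted: unquoted, a lookup for "*@mydomain.tld" becomes a wildcard search.
    print(lookup(DIRECTORY, ALIAS_CFG, "*@mydomain.tld"),
          lookup(DIRECTORY, ALIAS_CFG, "*@mydomain.tld", quote=False))
```

Running it shows the three points of the reply side by side: the posted configuration returns "John Smith" for john.smith@mydomain.tld, which virtual(5) cannot deliver to; the maildrop form returns one address for a person and a comma-joined pair for the Sales alias object; and the uid-restricted filter matches jane.doe@mydomain.tld (uid jane.doe) but rejects john.smith@mydomain.tld (uid smithj) and the Sales object (no uid at all). The last two prints illustrate why ldap_table(5) quotes %s: with the quoting in place a key of "*@mydomain.tld" matches nothing, while the unquoted variant turns a single recipient lookup into a wildcard that returns every maildrop in the directory.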