SMTP service.

1 files changed, 37 insertions, 20 deletions

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@
 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 replace: olcAccess
-## Managers have read/write access to the "virtual" subtree.
-#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-#    by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-#    by * break
-#-
-## 1. Users/Services/Managers can change their password (but not read it).
-## 2. Anonymous users/services/managers can bind.
-## 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+#
+# Services have read access to the attribute they need. We put this ACL
+# first as it's likely to be the most used.
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP & SASLauth
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+        attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
+        filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+    by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+    by users none break
+#
+# Anonymous can authenticate into the services. (But not read or write the password.)
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+        attrs=userPassword
+    by anonymous auth
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+        attrs=entry,objectClass,authzTo
+    by * =x
+#
+# 1. Services have no access other than the one above.
+# 2. Managers have read/write access to the "virtual" subtree.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+    by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
+    by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+    by * none break
+#
+# 1. Users can change their password (but not read it).
+# 2. Anonymous users/services/managers can bind.
+# 3. Else, we inspect the 2 following ACLs.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=userPassword
     by self =w
     by anonymous auth
@@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
         attrs=userPassword
     by * none
 #
-# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
-        attrs=entry,objectClass,authzTo
-    by * =x
-##
-## Services can read the whole subtree (minus the userPassword attributes).
-#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-#        attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
-#    by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
-#    by users none break
-#
 # Users can search (e.g., to list the entries they have created).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=objectClass
@@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
     by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
     by users +0
+#TODO
+#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+#        filter=(objectClass=FripostVirtualListCommand)
+#    by users read
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"