authorGuilhem Moulin <guilhem@fripost.org>2013-12-18 14:34:10 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:31 +0200
commite98d17cca0011ead0bb89c7674a2209760dce59f (patch)
tree77be1b1e3ab980906e2d29ad0b665488edfea49c /roles/common-LDAP/templates
parentb51df24e3b1b64c17a3aac652b142e2082c77a26 (diff)
Remove the 'fripostLocalAlias' attribute.
Instead, we pretend that lists are valid users (via a match in the mailbox_transport_maps) but choose a different transport (with the same request in transport_maps). The advantage is that we get rid of the ugly hack for list transport… A minor drawback is that we now have two LDAP lookups instead of one for non-local addresses (i.e., everything but reserved addresses). Hopefully the requests are cached; but even if they aren't, querying a local LDAP server is supposed to be cheap.
Diffstat (limited to 'roles/common-LDAP/templates')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j218
1 files changed, 3 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 56cd110..3752f9f 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -41,109 +41,103 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# * Restart slapd sudo service slapd start
#
#
# On single- and dual-core systems, change the maximum number of threads
# to 8. (The default, 16, is fine for 4- and 8-core systems.)
#
# dn: cn=config
# changetype: modify
# add: olcThreads
# olcThreads: 8
#
# References
# - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
# - http://www.openldap.org/doc/admin24/tuning.html
# - http://www.openldap.org/faq/data/cache/42.html
# - http://www.openldap.org/faq/data/cache/136.html
# - http://www.zytrax.com/books/ldap/apa/indeces.html
#
olcDbIndex: objectClass eq
# Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
-olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
+olcDbIndex: fripostIsStatusActive,fvd,fvl eq
olcDbIndex: fripostOptionalMaildrop pres
# SyncProv/SyncRepl specific indexing.
olcDbIndex: entryCSN,entryUUID eq
#
#
########################################################################
########################################################################
# Sync Replication
# TODO: replace the simple bind by Kerberos/GSSAPI
#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% elif 'MX' in group_names %}
olcSyncrepl: rid=000
provider=ldap://{{ LDAP_provider }}
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+ attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials=mx
{% endif %}
#
#
########################################################################
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
# References:
# - http://www.openldap.org/doc/admin24/access-control.html
# - http://www.openldap.org/faq/data/cache/189.html
# - http://www.openldap.org/faq/data/cache/1140.html
# - http://www.openldap.org/faq/data/cache/1133.html
# - man 5 slapd.access
#
#
########################################################################
# Most common services: Postfix, Amavis, Dovecot
# (Most used ACLs are cheaper when written first.)
#
# Postfix have read access to the attribute it needs when eg, doing
# alias resolution.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
+ attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop
filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by realanonymous =rsd
by users =0 break
#
-# Postfix needs to look up lists' local aliases.
-olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- attrs=entry
- by realanonymous =s
- by users =0 break
-#
# Search domain owners / postmasters (used by reserved-alias.pl).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
# The following is required for the content filter
{% if 'MDA' in group_names %}
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
attrs=entry
filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
by users =0 break
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,@AmavisAccount
filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
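Review bot: The deleted rule on `dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"` was the only visible grant of search (`=s`) to `realanonymous` on the base entry itself, and slapd needs search access to the `entry` pseudo-attribute of the base object for a subtree search rooted there; if Postfix's new mailbox_transport_maps/transport_maps queries still use that DN as search_base, anonymous lookups may now come back empty unless a rule outside this hunk still grants it. If the base-entry search is still needed, keep the `attrs=entry` / `by realanonymous =s` rule with a comment that no longer refers to local aliases. The header above warns that every ACL change must be mirrored in the test suite, and the diffstat is limited to roles/common-LDAP/templates, so that update cannot be confirmed from this page. The schema side of the removal is also outside this diffstat: if fripostLocalAlias is still an attribute of FripostVirtualList, the remaining `attrs=@FripostVirtualList` rule in the second hunk now grants list owners write access to it where the deleted `by * =0` rule denied it.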
@@ -445,46 +439,40 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
by dnattr=fripostOwner =rscd continue
by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
by * +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
# 3. So can the domain postmaster.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostListManager
by dnattr=fripostOwner =rscd
by group/FripostVirtualDomain/fripostOwner.expand="$1" =rscd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
-# Local aliases are for internal use only.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
- filter=(objectClass=FripostVirtualList)
- attrs=fripostLocalAlias
- by * =0
-#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualList)
attrs=@FripostVirtualList
by dnattr=fripostOwner =wrscd
by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The domain owner can create and delete lists, but only those with a 'pending' status
# 2. So can the domain postmaster.
# 3. The list owner can delete pending lists.
# 4. The entry creator can delete pending lists (needed to be able to rollback).
# 5. People with "canAddList" access can create lists, but only with a 'pending' status.
# 6. The list creation service can search and browse the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=entry
by group/FripostVirtualDomain/fripostOwner.expand="$1" +w break