diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-01-15 07:32:20 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:38 +0200 |
commit | 9304813d505baaa50294ed0d37a11d9e3f0f6c79 (patch) | |
tree | 450f263fb6e9d7cfa67cf2e1235c2c593bad14ab /roles/common-LDAP | |
parent | ab83789bd70d294623e62e0b366b6b649cb5b0af (diff) |
Fix the catch-all resolution again.
We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.
The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.
We're still using transport_maps for lists. If it turns out to be a
bottleneck due to the high-latency coming from LDAP maps, (and the fact
that there is a single qmgr(8) daemon), we could rewrite lists to a
dummy subdomain and use a static transport_maps instead:
virtual_alias_maps:
mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
transport_maps:
mlmmj.localhost.localdomain mlmmj:
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r-- | roles/common-LDAP/files/etc/ldap/schema/fripost.ldif | 18 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 |
2 files changed, 16 insertions, 10 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif index 72695ab..54f3037 100644 --- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif +++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif @@ -83,7 +83,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop' # users, because the presence index should *not* apply to the # mandatory attribute above. olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop' - DESC 'An optional email address for catch-all aliases on domains and users' + DESC 'An optional email address for catch-all or domain aliases' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) @@ -145,26 +145,32 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain' fripostOwner $ fripostPostmaster $ fripostOptionalMaildrop $ description ) ) # +# Domain alias (for the domain given by fripostMaildrop). Children are ignored. +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain' + SUP FripostVirtualDomain STRUCTURAL + DESC 'Virtual alias domain' + MUST ( fripostMaildrop ) ) +# # | TODO: add limits here -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser' SUP top STRUCTURAL DESC 'Virtual user' MUST ( fvl $ userPassword $ fripostIsStatusActive ) - MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) ) + MAY ( fripostUserQuota $ description) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias' SUP top STRUCTURAL DESC 'Virtual alias' MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList' SUP top STRUCTURAL DESC 'Virtual list' MUST ( fvl $ fripostListManager $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # -olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry' +olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry' SUP top AUXILIARY DESC 'Virtual pending entry' MAY ( fripostPendingToken ) ) diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 6e5961b..33ef108 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -289,7 +289,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" # # We're giving away create/delete access on the children attributes, but we will be carefull # with the 'entry' permissions. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w @@ -300,7 +300,7 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z by * break olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" - filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) + filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w # @@ -534,11 +534,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # # Users with "canAddDomain" access can see that they have the right # to create domains. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=entry by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=fripostCanAddDomain by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd |