Remove the 'fripostLocalAlias' attribute.

Instead, we pretend that lists are valid users (via a match in the
mailbox_transport_maps) but choose a different transport (with the same
request in transport_maps).

The advantage is that we get rid of the ugly hack for list transport…

A minor drawback is that we now have two LDAP lookups instead of one for
non local addresses (ie, everything but reserved addresses). Hopefully
the requests are cached; but even if they aren't, querying a local LDAP
server is supposed to be cheap.

2 files changed, 16 insertions, 43 deletions

diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 2e5bb1f..514b6fa 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -73,22 +73,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 #
-# This is redundant since we always use DNs of the form
-#     fvl=localpart,fvd=domainpart.tld,...
-# (But Postfix doesn't allow the use of '%u' and '%d' from the query in
-# its 'result_format'.)
-# It is a priori insecure to allow arbitrary values here since users
-# will modify this value themselves, however our Postfix will only
-# accept well-formed values, enforced by a custom filter:
-#    query_filter = (&...(fripostLocalAlias=%u#%d))
-#    result_attribute = fripostLocalAlias
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostLocalAlias'
-    DESC 'A local alias, typically localpart#domainpart.tld'
-    EQUALITY caseIgnoreIA5Match
-    SUBSTR caseIgnoreIA5SubstringsMatch
-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostMaildrop'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop'
     DESC 'An email address the virtual alias should be mapped to'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
@@ -97,48 +82,48 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostMaildrop'
 # We are creating a new attribute, optional in virtual domains and
 # users, because the presence index should *not* apply to the
 # mandatory attribute above.
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostOptionalMaildrop'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
     DESC 'An optional email address for catch-all aliases on domains and users'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostIsStatusActive'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
     DESC 'When present, a token locking the entry in an inactive state'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostPendingToken'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostPendingToken'
     DESC 'Is the entry pending?'
     EQUALITY caseExactMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostUserQuota'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
     DESC 'The quota on a user e.g., "50MB"'
     EQUALITY caseExactMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddDomain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
     DESC 'A user/domain that can add domains'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddAlias'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddAlias'
     DESC 'A user/domain that can add aliases under the parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanAddList'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddList'
     DESC 'A user/domain that can add lists under the parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostOwner'
     DESC 'A user that owns under parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostPostmaster'
     DESC 'A user that is a postmaster of the parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
     DESC 'The list manager'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
@@ -176,13 +161,13 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
     SUP top STRUCTURAL
     DESC 'Virtual list'
-    MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
+    MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
     MAY ( fripostOwner $ description ) )
 #
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
     SUP top STRUCTURAL
     DESC 'Virtual list command'
-    MUST ( fvl $ fripostLocalAlias ) )
+    MUST ( fvl ) )
 #
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
     SUP top AUXILIARY
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 56cd110..3752f9f 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -58,7 +58,7 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 #
 olcDbIndex: objectClass eq
 # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
-olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
+olcDbIndex: fripostIsStatusActive,fvd,fvl eq
 olcDbIndex: fripostOptionalMaildrop pres
 # SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
@@ -85,7 +85,7 @@ olcSyncrepl: rid=000
   type=refreshAndPersist
   retry="5 5 300 +"
   searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
   scope=sub
   schemachecking=off
   bindmethod=simple
@@ -115,18 +115,12 @@ olcSyncrepl: rid=000
 # Postfix have read access to the attribute it needs when eg, doing
 # alias resolution.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-        attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
+        attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop
         filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
     by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by realanonymous =rsd
     by users =0 break
 #
-# Postfix needs to look up lists' local aliases.
-olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-        attrs=entry
-    by realanonymous =s
-    by users =0 break
-#
 # Search domain owners / postmasters (used by reserved-alias.pl).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
@@ -462,12 +456,6 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by group/FripostVirtualDomain/fripostOwner.expand="$1" =rscd
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
 #
-# Local aliases are for internal use only.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
-        filter=(objectClass=FripostVirtualList)
-        attrs=fripostLocalAlias
-    by * =0
-#
 # 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
 # 3. So can the domain postmasters.