From 6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 31 May 2017 21:42:32 +0200
Subject: Don't let authenticated client use arbitrary sender addresses.

The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.
---
 roles/common-LDAP/templates/etc/default/slapd.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'roles/common-LDAP/templates/etc/default/slapd.j2')

diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 80c1be1..fdd7481 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -20,7 +20,7 @@ SLAPD_PIDFILE=
 # service requests on TCP-port 636 (ldaps) and requests via unix
 # sockets.
 SLAPD_SERVICES="ldapi:///"
-{% for i in group_names | intersect(['MX','lists']) | sort %}
+{% for i in group_names | intersect(['MX','lists','MSA']) | sort %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
 {% if 'LDAP-provider' in group_names %}
-- 
cgit v1.2.3