Merge pull request #197 from NethServer/bug-7552-2

DavidePrincipi · web-flow · commit 889b39d1dc82 · 2025-07-30T16:20:22.000+02:00
fix: priority of address over LDAP user/group Refs NethServer/dev#7552
diff --git a/postfix/etc/postfix/alias-access-check.cf b/postfix/etc/postfix/alias-access-check.cf
@@ -0,0 +1,23 @@
+#
+# alias-access-check -- check_recipient_access
+#
+# Check if a matching alias does NOT exist. The result of this query is %s,
+# the search key itself, so it can be sent in "pipeline:" to LDAP,
+# to verify if it corresponds to a domain user or group name.
+#
+# If the alias EXISTS, the query returns an empty set and the "pipeline:"
+# lookup stops.
+#
+
+dbpath = /srv/pcdb.sqlite
+query =
+  SELECT '%s'
+  FROM destmap
+  WHERE NOT EXISTS (
+    SELECT dest
+    FROM destmap
+    WHERE alocal = '%u'
+      AND domain IN ('%d', '*')
+      AND '%d' IN (SELECT domain FROM domains)
+  )
+  LIMIT 1
diff --git a/postfix/usr/local/bin/reload-config b/postfix/usr/local/bin/reload-config
@@ -56,16 +56,16 @@ tmpl_virtual_alias_domains=$(pcdbquery "SELECT group_concat(domain) FROM domains
 origin_flags="$(pcdbquery "SELECT addusers + (addgroups * 2) AS origin_flags FROM domains WHERE domain='${POSTFIX_ORIGIN}'")"
 if [ "${origin_flags}" == 1  ]; then
     # addusers flag: reject groups and vmail, accept users and aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{proxy:ldap:$meta_directory/laddgroupmembers.cf,static:{REJECT access denied}}'
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf,static:{REJECT access denied}}'
 elif [ "${origin_flags}" == 2  ]; then
     # addgroups flag: reject users and vmail, accept groups and aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{proxy:ldap:$meta_directory/laddusers-origin.cf,static:{REJECT access denied}}'
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,proxy:ldap:$meta_directory/laddusers-origin.cf,static:{REJECT access denied}}'
 elif [ "${origin_flags}" == 3  ]; then
     # addusers+addgroups flag: reject vmail only, accept everything else
     tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}"
 elif  [ "${origin_flags}" == 0  ]; then
     # domain has no flags: reject users, groups, and vmail, accept aliases
-    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{unionmap:{proxy:ldap:$meta_directory/laddusers-origin.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf},static:{REJECT access denied}}'
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{sqlite:$meta_directory/alias-access-check.cf,unionmap:{proxy:ldap:$meta_directory/laddusers-origin.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf},static:{REJECT access denied}}'
 else
     # reject everything because the domain not defined
     tmpl_reject_internal_myorigin="check_recipient_access inline:{{ ${POSTFIX_ORIGIN} = REJECT access denied }}"
diff --git a/tests/50__smtp/00__user_domain.robot b/tests/50__smtp/00__user_domain.robot
@@ -22,6 +22,7 @@ Everything but defined addresses is internal
     Addresses are accessible
     Check different forward settings
     Address overrides user name
+    Address overrides group name
 
 User is public, group and vmail are internal
     [Tags]     robot:continue-on-failure
@@ -33,6 +34,7 @@ User is public, group and vmail are internal
     Addresses are accessible
     Check different forward settings
     Address overrides user name
+    Address overrides group name
 
 Group is public, user and vmail are internal
     [Tags]     robot:continue-on-failure
@@ -44,6 +46,7 @@ Group is public, user and vmail are internal
     Addresses are accessible
     Check different forward settings
     Address overrides user name
+    Address overrides group name
 
 Group and user are public, vmail is internal
     [Tags]     robot:continue-on-failure
@@ -55,6 +58,7 @@ Group and user are public, vmail is internal
     Addresses are accessible
     Check different forward settings
     Address overrides user name
+    Address overrides group name
 
 
 *** Keywords ***
@@ -93,9 +97,38 @@ Remove public mailbox
 
 ###
 
+Address overrides group name
+    [Documentation]    Corner case where the group name corresponds to an address.
+    ...                The address must have precedence and is always accessible.
+    [Setup]        Run task     module/${MID}/add-address
+    ...            {"atype":"domain","local":"g1","domain":"ldap.dom.test","destinations":[{"dtype":"group","name":"g1"}]}
+    [Teardown]     Run task     module/${MID}/remove-address
+    ...            {"atype":"domain","local":"g1","domain":"ldap.dom.test"}
+    [Tags]     robot:continue-on-failure
+    Address overrides group name, destination is equal to group name
+    Address overrides group name, destination is a specific user
+
+Address overrides group name, destination is equal to group name
+    # [Setup] from parent keyword is enough for this test
+    Log    CANTFIX group address \=\= dest. Alias expansion stops when the result equals the queried key.
+    RETURN
+    Send SMTP message to    g1@ldap.dom.test
+    Should be delivered via LMTP to  u1
+    Should be delivered via LMTP to  u2
+
+Address overrides group name, destination is a specific user
+    [Setup]        Run task     module/${MID}/alter-address
+    ...            {"atype":"domain","local":"g1","domain":"ldap.dom.test","destinations":[{"dtype":"user","name":"u3"}]}
+    Send SMTP message to    g1@ldap.dom.test
+    Should be delivered via LMTP to  u3
+    Should not be delivered via LMTP to    u1
+    Should not be delivered via LMTP to    u2
+
+###
+
 Address overrides user name
     [Documentation]    Corner case where the user name corresponds to an address.
-    ...                The address must have precedence.
+    ...                The address must have precedence and is always accessible.
     [Setup]        Run task     module/${MID}/add-address
     ...            {"atype":"domain","local":"u1","domain":"ldap.dom.test","destinations":[{"dtype":"user","name":"u1"}]}
     [Teardown]     Run task     module/${MID}/remove-address
@@ -110,34 +143,34 @@ Address overrides user name
 
 Address overrides user name, destination is equal to user name
     # [Setup] from parent keyword is enough for this test
-    Send SMTP message to    u1@ldap.dom.test    mail_server=127.0.0.1
+    Send SMTP message to    u1@ldap.dom.test
     Should be delivered via LMTP to  u1
 
 Address overrides user name, and has priority over user forward
     [Setup]            Configure forward for user  u1  to=u2  dtype=user
     [Teardown]         Cleanup forward for u1
-    Send SMTP message to    u1@ldap.dom.test    mail_server=127.0.0.1
+    Send SMTP message to    u1@ldap.dom.test
     Should be delivered via LMTP to  u1
     Should not be delivered via LMTP to  u2
 
 Address overrides user name, and has priority over group forward
     [Setup]            Configure forward for user  u1  to=g2  dtype=group
     [Teardown]         Cleanup forward for u1
-    Send SMTP message to    u1@ldap.dom.test    mail_server=127.0.0.1
+    Send SMTP message to    u1@ldap.dom.test
     Should be delivered via LMTP to  u1
     Should not be delivered via LMTP to  u2
     Should not be delivered via LMTP to  u3
 
 Address overrides user name, destination is another user
     [Setup]        Run task     module/${MID}/alter-address
     ...            {"atype":"domain","local":"u1","domain":"ldap.dom.test","destinations":[{"dtype":"user","name":"u2"}]}
-    Send SMTP message to    u1@ldap.dom.test    mail_server=127.0.0.1
+    Send SMTP message to    u1@ldap.dom.test
     Should be delivered via LMTP to  u2
 
 Address overrides user name, destination is a group
     [Setup]        Run task     module/${MID}/alter-address
     ...            {"atype":"domain","local":"u1","domain":"ldap.dom.test","destinations":[{"dtype":"group","name":"g2"}]}
-    Send SMTP message to    u1@ldap.dom.test    mail_server=127.0.0.1
+    Send SMTP message to    u1@ldap.dom.test
     Should not be delivered via LMTP to    u1
     Should be delivered via LMTP to  u2
     Should be delivered via LMTP to  u3
