Merge pull request #195 from NethServer/bug-7552

fix(postfix): groups/alias/userforwards expansion

Refs NethServer/dev#7552 NethServer/dev#7553

Author: DavidePrincipi

postfix/etc/postfix/aliases.cf

@@ -2,7 +2,9 @@
 # aliases -- virtual alias map
 #
 # Expand an address to multiple user/group destinations.
-# Other email addresses are expanded by aliases-other.cf.
+# Wildcard address expansion has lower priority than
+# exact-domain match, and they are mutually-exclusive
+# (see NOT EXISTS clause).
 #
 
 dbpath = /srv/pcdb.sqlite

postfix/usr/local/bin/reload-config

@@ -38,12 +38,10 @@ fi
 S='$' # to escape $ in template
 
 if [ -n "${POSTFIX_ORIGIN}" ]; then
-    tmpl_transport_maps="inline:{ ${POSTFIX_ORIGIN}=lmtp:unix:/var/lib/umail/lmtp }"
     tmpl_virtual_mailbox_domains=${POSTFIX_ORIGIN}
-    tmpl_virtual_mailbox_maps='proxy:ldap:$meta_directory/laddusers-origin.cf'
+    tmpl_virtual_mailbox_maps="inline:{{ vmail@${POSTFIX_ORIGIN} = vmail }}, "'proxy:ldap:$meta_directory/laddusers-origin.cf'
     tmpl_myorigin=${POSTFIX_ORIGIN}
 else
-    tmpl_transport_maps=
     tmpl_virtual_mailbox_domains=
     tmpl_virtual_mailbox_maps=
     tmpl_myorigin='$myhostname'
@@ -55,14 +53,26 @@ tmpl_myhostname="${POSTFIX_HOSTNAME:-$(hostname -f)}"
 tmpl_debug_peer_list="${POSTFIX_DEBUG_PEERS:-\$mynetworks}"
 tmpl_relay_domains=$(pcdbquery "SELECT group_concat(domain || '=' || transport) FROM domains WHERE transport LIKE '_mtp:%'")
 tmpl_virtual_alias_domains=$(pcdbquery "SELECT group_concat(domain) FROM domains WHERE transport IS NULL AND domain NOT IN ('*', '${POSTFIX_ORIGIN}')")
-if [ -n "$(pcdbquery "SELECT 1 FROM domains WHERE domain='${POSTFIX_ORIGIN}' AND addusers = 1")" ]; then
+origin_flags="$(pcdbquery "SELECT addusers + (addgroups * 2) AS origin_flags FROM domains WHERE domain='${POSTFIX_ORIGIN}'")"
+if [ "${origin_flags}" == 1  ]; then
+    # addusers flag: reject groups and vmail, accept users and aliases
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{proxy:ldap:$meta_directory/laddgroupmembers.cf,static:{REJECT access denied}}'
+elif [ "${origin_flags}" == 2  ]; then
+    # addgroups flag: reject users and vmail, accept groups and aliases
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{proxy:ldap:$meta_directory/laddusers-origin.cf,static:{REJECT access denied}}'
+elif [ "${origin_flags}" == 3  ]; then
+    # addusers+addgroups flag: reject vmail only, accept everything else
     tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}"
+elif  [ "${origin_flags}" == 0  ]; then
+    # domain has no flags: reject users, groups, and vmail, accept aliases
+    tmpl_reject_internal_myorigin="check_recipient_access inline:{{ vmail@${POSTFIX_ORIGIN} = REJECT access denied }}",'check_recipient_access pipemap:{unionmap:{proxy:ldap:$meta_directory/laddusers-origin.cf,proxy:ldap:$meta_directory/laddgroupmembers.cf},static:{REJECT access denied}}'
 else
+    # reject everything because the domain not defined
     tmpl_reject_internal_myorigin="check_recipient_access inline:{{ ${POSTFIX_ORIGIN} = REJECT access denied }}"
 fi
 tmpl_domain_catchall_map=$(pcdbquery "SELECT 'inline:{' || group_concat('{@' || domain || '=' || catchall || '@${tmpl_myorigin}}', ', ') || '}' FROM domains WHERE length(catchall) > 0 AND domain != '*'")
-tmpl_laddgroups_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM domains WHERE addgroups = 1")
-tmpl_laddusers_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM domains WHERE addusers = 1")
+tmpl_laddgroups_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addgroups = 1 UNION SELECT '${POSTFIX_ORIGIN}' AS domain)")
+tmpl_laddusers_domains=$(pcdbquery "SELECT group_concat(domain, ' ') FROM (SELECT domain FROM domains WHERE addusers = 1 UNION SELECT '${POSTFIX_ORIGIN}' AS domain)")
 tmpl_ldap_bind_dn="${POSTFIX_LDAP_USER}"
 tmpl_ldap_bind_pw="${POSTFIX_LDAP_PASS}"
 tmpl_ldap_host="${POSTFIX_LDAP_HOST}"
@@ -85,11 +95,10 @@ set +a
 envsubst >/etc/postfix/main.cf <"${TEMPLATES_DIR:?}/main.cf"
 envsubst >/etc/postfix/master.cf <"${TEMPLATES_DIR:?}/master.cf"
 envsubst >/etc/postfix/laddusers.cf <"${TEMPLATES_DIR:?}/laddusers-${ldap_schema}.cf"
-envsubst >/etc/postfix/laddgroups.cf <"${TEMPLATES_DIR:?}/laddgroups-${ldap_schema}.cf"
-envsubst >/etc/postfix/lgroupmembers.cf <"${TEMPLATES_DIR:?}/lgroupmembers-${ldap_schema}.cf"
+envsubst >/etc/postfix/userforwards.cf <"${TEMPLATES_DIR:?}/userforwards.cf"
 envsubst >/etc/postfix/laddgroupmembers.cf <"${TEMPLATES_DIR:?}/laddgroupmembers-${ldap_schema}.cf"
 envsubst <"${TEMPLATES_DIR:?}/laddusers-${ldap_schema}.cf" | \
-    sed "s/^domain = .*/domain = ${tmpl_myorigin}/" >/etc/postfix/laddusers-origin.cf
+    sed "s/^domain = .*/domain = ${tmpl_myorigin}/ ; /^# just/ d" >/etc/postfix/laddusers-origin.cf
 
 if [ -z "${tmpl_sasl_commentout}" ] ; then
     cat /etc/postfix/dovecot-sasl.cf >> /etc/postfix/main.cf

postfix/usr/local/lib/templates/laddgroupmembers-ad.cf

@@ -1,5 +1,5 @@
 #
-# lsenderlogin.cf (rfc2307) -- group members expansion
+# laddgroupmembers.cf (rfc2307) -- group members expansion
 # just for domains with addgroups flag
 #
 

postfix/usr/local/lib/templates/laddgroupmembers-rfc2307.cf

@@ -1,5 +1,5 @@
 #
-# lsenderlogin.cf (rfc2307) -- group members expansion
+# laddgroupmembers.cf (rfc2307) -- group members expansion
 # just for domains with addgroups flag
 #
 

postfix/usr/local/lib/templates/laddgroups-ad.cf

@@ -47,15 +47,15 @@ message_size_limit = 100000000
 virtual_alias_domains = ${tmpl_virtual_alias_domains}
 virtual_alias_maps =
   sqlite:${S}meta_directory/aliases.cf
-  proxy:ldap:${S}meta_directory/laddgroups.cf
-  proxy:ldap:${S}meta_directory/laddusers.cf
-  proxy:ldap:${S}meta_directory/lgroupmembers.cf
   sqlite:${S}meta_directory/userforwards.cf
+  proxy:ldap:${S}meta_directory/laddgroupmembers.cf
+  proxy:ldap:${S}meta_directory/laddusers.cf
   ${tmpl_domain_catchall_map}
 virtual_mailbox_domains = ${tmpl_virtual_mailbox_domains}
 virtual_mailbox_maps = ${tmpl_virtual_mailbox_maps}
+virtual_transport = lmtp:unix:/var/lib/umail/lmtp
 relay_domains = ${tmpl_relay_domains}
-transport_maps = ${tmpl_transport_maps}, sqlite:${S}meta_directory/relaydest.cf,
+transport_maps = sqlite:${S}meta_directory/relaydest.cf
 recipient_delimiter = +
 myorigin = ${tmpl_myorigin}
 
@@ -106,8 +106,8 @@ smtpd_relay_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
-  ${tmpl_reject_internal_myorigin},
   check_recipient_access sqlite:${S}meta_directory/internal_access.cf,
+  ${tmpl_reject_internal_myorigin},
 
 smtpd_recipient_restrictions =
   reject_non_fqdn_recipient,

postfix/usr/local/lib/templates/laddgroups-rfc2307.cf

@@ -6,4 +6,5 @@ dbpath = /srv/pcdb.sqlite
 query =
     SELECT dest
     FROM userforwards
-    WHERE user = '%s'
+    WHERE user = '%u'
+domain = ${tmpl_myorigin}