Hi Viktor,

Thank you for your answer. Do you have any direction I could follow to achieve my end goal - control who can send mail to some addresses with data from LDAP? Any hint or idea is helpful.

Thanks, best regards.


On 09/10/2018 11:57, Viktor Dukhovni wrote:
What you're trying to do can't be done with Postfix access(5)
tables.  You're trying to encode a pair of lookup keys, the
sender and the receiving alias into a single query, so that
different receiving aliases can have different allowed senders.

Postfix has only single-key queries.  If a single set of
authorized senders across all the aliases will not do,
you need one restriction class per-alias, or will need
to move the lookups into a policy service, which can do
multi-key lookups.

On Oct 9, 2018, at 10:19 AM, Marcio Vogel Merlone dos Santos 
<marcio.merl...@a1.ind.br> wrote:

I have to implement a restriction class as per 
http://www.postfix.org/RESTRICTION_CLASS_README.html to protect some internal 
aliases, allowing just selected users to send mails to. Initial idea is to 
create a security group (called PSIU below) inside AD (Samba 4.7) and put 
granted people there. I went this way:

main.cf:

smtpd_restriction_classes       = insiders_only
insiders_only                   = check_sender_access ldap:/etc/postfix/adinsidersok.cf, reject

smtpd_recipient_restrictions =
     ...
     check_recipient_access ldap:/etc/postfix/adinsiders.cf,

     ...



adinsiders.cf defines the aliases to protect:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = OU=MailAliases,DC=tld
query_filter                = (mail=%s)
result_attribute            = msDS-AzApplicationData

On msDS-AzApplicationData attribute I have "insiders_only" for some aliases. 
This is fine.

adinsidersok.cf defines who can use those protected aliases:

server_host                 = ldap://addc
bind_dn                     = CN=postfix,OU=Sistemas,DC=tld
bind_pw                     = xxx
search_base                 = CN=PSIU,OU=Sistemas,DC=tld
query_filter                = (member=%s)
result_attribute            = memberOf



--
*Marcio Merlone*
TI - Administrador de redes

*A1 Engenharia - Unidade Corporativa*
Fone:   +55 41 3616-3797
Cel:    +55 41 99689-0036

https://a1.ind.br/ <https://a1.ind.br>
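
An added example, not part of the original messages: a minimal Postfix policy-delegation service of the kind Viktor's reply points to, deciding on the (recipient, sender) pair in one place. The addresses and the in-memory ALLOWED_SENDERS table are constructed stand-ins for the two LDAP lookups; the request attributes (request, sender, recipient) and the "action=" reply are those of the Postfix policy delegation protocol.

```python
#!/usr/bin/env python3
"""Minimal Postfix policy-delegation service (spawn(8) style: stdin/stdout)."""
import sys

# Constructed sample data standing in for the LDAP lookups (assumption):
# protected alias -> envelope senders allowed to write to it.
ALLOWED_SENDERS = {
    "psiu@example.com": {"alice@example.com", "bob@example.com"},
    "board@example.com": {"carol@example.com"},
}


def parse_request(lines):
    """Turn the name=value lines of one policy request into a dict."""
    attrs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, acl=ALLOWED_SENDERS):
    """Two-key decision: (recipient, sender) -> Postfix access action."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    recipient = attrs.get("recipient", "").lower()
    sender = attrs.get("sender", "").lower()
    allowed = acl.get(recipient)
    if allowed is None:
        return "DUNNO"  # not a protected alias: later restrictions decide
    if sender in allowed:
        return "DUNNO"  # authorized: do not override later restrictions
    return "REJECT Sender not authorized for this address"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; each request ends with an empty line."""
    request = []
    for line in stream_in:
        if line.strip():
            request.append(line)
            continue
        stream_out.write("action=%s\n\n" % decide(parse_request(request)))
        stream_out.flush()
        request = []


if __name__ == "__main__":
    serve()
```

Such a service is called from smtpd_recipient_restrictions with check_policy_service. The sender attribute is the envelope sender as given by the client; for authenticated submission the sasl_username attribute of the same request can be matched instead.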
