Hi all,
I've attached a diff file for the debops.postldap role. It contains
CipherMail-specific changes to the role defaults that more people might be interested in.
What do you think? Should I make a PR for (some of) these changes?
The changes are:
- Use of mailRecipient object class where it makes sense, specifically in the
ldap_virtual_alias_maps, ldap_virtual_mailbox_maps and ldap_smtpd_sender_login_maps
configuration.
- Support for virtual alias lookups for group members. This allows us to make a
distribution list out of an LDAP group. Postfix resolves the distribution list members
using special_result_attribute and leaf_result_attribute.
- search_base of ldap_virtual_mailbox_maps.cf set to the base DN instead of ou=People. We
did this because we also have mailboxes that are accessed by services whose LDAP accounts
are under the ou=Hosts tree. An example is the system that uses IMAP to access messages in
our support(a)ciphermail.com mailbox.
- The maildir paths are /var/vmail/<uid>/Maildir instead of
/var/vmail/<domain>/<localpart>/Maildir. I like to associate mailboxes with
the accounts in LDAP, which are primarily distinguished by uid and not email addresses.
- We are using mailAlternateAddress attributes (mailRecipient objectClass) instead of
mailAlias objects. This allows us to add email aliases directly to the existing people and
group objects. The filters have been updated for this.
- I have removed the ldap_unauth_sender_access sender restriction. This restriction forces
SMTP clients to authenticate before sending mail when the sender address exists in LDAP.
This is nice, but the ldap_unauth_domain_access sender restriction already forces
authentication when an SMTP client tries to send mail from one of the domains in LDAP,
which should be enough. Removing this restriction reduces the complexity of the whole
system a little and saves some LDAP lookups.
- We're not using postldap__domain_rev_pattern.
Personal LDAP objects look like this:
dn: uid=imre,ou=People,dc=ciphermail,dc=com
objectClass: authorizedServiceObject
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: ldapPublicKey
objectClass: mailRecipient
objectClass: posixAccount
objectClass: posixGroup
objectClass: posixGroupId
objectClass: shadowAccount
objectClass: top
cn: Imre Jonk
gid: imre
gidNumber: 2002000000
homeDirectory: /home/imre
mail: imre(a)ciphermail.com
mailAddress: imre(a)ciphermail.com
sn: Jonk
uid: imre
uidNumber: 2002000000
authorizedService: all
givenName: Imre
host: posix:all
loginShell: /bin/bash
mailAlternateAddress: dev(a)ciphermail.com
mailAlternateAddress: imre(a)ciphermail.com
mailAlternateAddress: imre(a)staging.ciphermail.com
Group LDAP objects used as distribution lists look like this:
dn: cn=UNIX Administrators,ou=Groups,dc=ciphermail,dc=com
objectClass: authorizedServiceObject
objectClass: groupOfNames
objectClass: hostObject
objectClass: mailRecipient
objectClass: posixGroup
objectClass: posixGroupId
objectClass: top
cn: UNIX Administrators
gid: admins
gidNumber: 2000000000
mail: tech(a)ciphermail.com
mailAddress: tech(a)ciphermail.com
member: uid=imre,ou=People,dc=ciphermail,dc=com
member: uid=martijn,ou=People,dc=ciphermail,dc=com
authorizedService: all
description: People responsible for UNIX-like infrastructure
host: posix:all
mailAlternateAddress: abuse(a)ciphermail.com
mailAlternateAddress: abuse(a)djigzo.com
mailAlternateAddress: hostmaster(a)ciphermail.com
mailAlternateAddress: postmaster(a)ciphermail.com
mailAlternateAddress: postmaster(a)djigzo.com
mailAlternateAddress: root(a)ciphermail.com
mailAlternateAddress: security(a)ciphermail.com
mailAlternateAddress: tech(a)ciphermail.com
mailAlternateAddress: tech(a)staging.ciphermail.com
mailAlternateAddress: webmaster(a)ciphermail.com
owner: uid=imre,ou=People,dc=ciphermail,dc=com
owner: uid=martijn,ou=People,dc=ciphermail,dc=com
Hoping this is useful for someone. It took me quite a while to figure out and explain in
writing what customizations I've made to this role. It's been a while since I last
touched the mail cluster configuration...
Cheers,
Imre
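An added illustration, not part of Imre's message or of the debops.postldap role: the Python below simulates how a Postfix ldap: table with special_result_attribute and leaf_result_attribute expands a mailRecipient group into its members' addresses, and how the loop guard stops a list that contains itself. The directory is constructed from the objects in the message (with real '@' signs) plus a hypothetical "cn=Everyone" list; the ldap_virtual_alias_maps.cf settings named in the comments are assumptions, not the role's defaults.

```python
# Constructed directory from the objects in the post (real '@' signs): DN -> attributes.
DIRECTORY = {
    "uid=imre,ou=People,dc=ciphermail,dc=com": {
        "mail": ["imre@ciphermail.com"],
        "mailAlternateAddress": ["dev@ciphermail.com", "imre@ciphermail.com"]},
    "uid=martijn,ou=People,dc=ciphermail,dc=com": {
        "mail": ["martijn@ciphermail.com"]},
    "cn=UNIX Administrators,ou=Groups,dc=ciphermail,dc=com": {
        "mail": ["tech@ciphermail.com"],
        "mailAlternateAddress": ["postmaster@ciphermail.com", "tech@ciphermail.com"],
        "member": ["uid=imre,ou=People,dc=ciphermail,dc=com",
                   "uid=martijn,ou=People,dc=ciphermail,dc=com"]},
    # Hypothetical nested list that (by mistake) also lists itself as a member.
    "cn=Everyone,ou=Groups,dc=ciphermail,dc=com": {
        "mail": ["all@ciphermail.com"],
        "member": ["cn=UNIX Administrators,ou=Groups,dc=ciphermail,dc=com",
                   "cn=Everyone,ou=Groups,dc=ciphermail,dc=com"]},
}
# Assumed ldap_virtual_alias_maps.cf settings (names as in ldap_table(5)):
#   query_filter = (|(mail=%s)(mailAlternateAddress=%s))
#   special_result_attribute = member   (DNs to expand)
#   leaf_result_attribute = mail        (returned only by entries with no 'member')
# result_attribute is assumed to name an attribute none of these entries carry,
# so a group's own mail is never echoed back and an alias cannot resolve to itself.
SPECIAL_RESULT_ATTRIBUTE = "member"
LEAF_RESULT_ATTRIBUTE = "mail"
MAX_DEPTH = 5  # Postfix bounds nesting as well (recursion_limit)
def _search(address):
    # Emulate the query_filter: match on mail or mailAlternateAddress.
    return [dn for dn, a in DIRECTORY.items()
            if address in a.get("mail", []) + a.get("mailAlternateAddress", [])]

def _expand(dn, depth, seen):
    if dn in seen or depth > MAX_DEPTH:
        return []  # loop guard: each DN is expanded at most once per lookup
    seen.add(dn)
    attrs = DIRECTORY.get(dn, {})
    members = attrs.get(SPECIAL_RESULT_ATTRIBUTE)
    if not members:  # leaf entry: contribute its own address
        return list(attrs.get(LEAF_RESULT_ATTRIBUTE, []))
    out = []  # non-leaf entry: descend into every member DN instead
    for member_dn in members:
        out.extend(_expand(member_dn, depth + 1, seen))
    return out

def virtual_alias_lookup(address):
    """Addresses Postfix would rewrite `address` to (empty list = no alias)."""
    seen = set()
    hits = [a for dn in _search(address) for a in _expand(dn, 0, seen)]
    return sorted(set(hits))
```

Looking up the group's own address returns only the members, which is why a list can carry tech@ as its mail without creating an alias loop.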