What I didn’t find out is how I could allow the accounts receiving emails to a certain address to send using the address as sender.
Update
In postfix main.cf the setting smtpd_sender_restrictions defines who is allowed to send using which sender address. To let users send using their aliases as sender names there are exceptions defined for the setting reject_authenticated_sender_login_mismatch.
These exceptions are defined in smtpd_sender_login_maps by /etc/postfix/ldap-accounts.cf, an ldap query that returns the uid for a specific email address. If the returned uid matches the uid of the authenticated user, the email address is allowed for that user as the sender.
To make this work for the solution described in this thread, another ldap query is needed to resolve an email address defined in the manner described here to a uid, which should be very well possible.
Meanwhile I talked to @Aleks on Matrix about this and he suggested a completely different solution: using groups (as for example the admin group) for email aliases which deliver to several maildrops and/or email addresses.
The postfix documentation suggests the use of yet another objectClass for aliases delivering to multiple recipients: ldapGroups.
We’d need to consider in which way 1-m aliases fit best into the original concept of yunohost’s directory.
To work towards a good feature request I’d like to define the possibly wanted features of the 1-m aliases:
- an email received for that alias is sent to multiple maildrops and/or email addresses
- it’s got one or more owner(s) who
  - are able to edit the list of receivers
  - are allowed to delete it
- for a 1-m alias it is defined who is allowed to change the receivers
  - it’s open to subscription by every uid
  - only owner(s) are allowed to change the receivers
- for a 1-m alias it is defined who is allowed to use it as the sender address of emails
  - a freely defined list of one or more uids
  - every uid that owns one of the maildrops which receive the emails
Something missing? Please comment!
Of the above features I’d like to see the best possible subset that can be realized by one ldap entry per 1-m alias and an understandable additional query for smtpd_sender_login_maps.
I’d expect that for the beginning it would be a feature that would be used through directly editing the directory (through e.g. phpldapadmin) before the feature would be added to the yunohost command and maybe the webgui.
Another update
On my former mailserver I had a database table containing entries with columns for ‘alias’ (mailalias), ‘target’ (maildrop or address to deliver to), ‘owner’ (person with permission to alter the record). The primary key of the table had been made from ‘alias’ & ‘target’.
For each alias there were multiple targets allowed, owned by the same or different uids. A mail addressed to an alias was delivered to all of the targets listed in the different rows for that alias.
If an alias for yunohost would be made of (instead of the above proposed solution):
dn: cn=alias_target,ou=alias,dc=yunohost,dc=org
uid: owner
objectClass: inetOrgPerson
objectClass: mailAccount
cn: alias_target
sn: <whatever>
and only one maildrop or mail attribute, it should be possible to add these several times for the same alias. I’ll have to do the following:
- check whether dn would be valid (cn instead of uid - the dn has to be unique and the same uid could be used in multiple aliases)
  works fine, ‘dn=cn=alias_rcpt,ou=alias,dc=yunohost,dc=org’ works; the ‘primary key’ would then be cn=<aliasname>__<target>
- and even so: as logic dictates, the field mail: containing the email address needs to be unique - this needs a different approach
- Could be that the email address is something like an ou that can contain sub-items which in turn are the targets to be delivered to + additional information needed (like e.g. ownership)
- There’s this article pointing to the misc schema which is not included, yet.
- ldap knows aliases that could be used to point from an email address being used as an alias to the dn of an email user for local users (solving the question of maildrop and ownership for those)
- solve the permission problem of the actual yunohost configuration (reading the ldap bible)
- everything points to defining a ‘manager’ for the directory that can be used without the ACLs applying
- Manager could be ‘root’ via sasl to not have another account that wouldn’t be used much
- Since we don’t want to use the root account in phpldapadmin the manager account could be used to set up a dn exclusively used for editing the directory via e.g. phpldapadmin (or the ldap cli utils)
- check postfix whether it’s possible and performance-wise o.k. to get the targets for an alias from several different entries
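The following is an added example (not code from this thread or from YunoHost) that simulates the smtpd_sender_login_maps check described in the update above against the proposed per-target alias entries: a minimal LDIF reader, a map from each mail address to the uid(s) an LDAP lookup would return, and the reject_authenticated_sender_login_mismatch decision for an authenticated client. The LDIF data, the domain example.org and the uids alice and bob are constructed sample values.

```python
# Added example: simulate Postfix reject_authenticated_sender_login_mismatch
# against alias entries named cn=<alias>__<target>. Constructed sample data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=yunohost,dc=org
uid: alice
mail: alice@example.org

dn: uid=bob,ou=users,dc=yunohost,dc=org
uid: bob
mail: bob@example.org

dn: cn=support__alice,ou=alias,dc=yunohost,dc=org
uid: alice
cn: support__alice
mail: support@example.org

dn: cn=support__bob,ou=alias,dc=yunohost,dc=org
uid: bob
cn: support__bob
mail: support@example.org
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def build_sender_login_map(entries):
    """Per address, the uid(s) an smtpd_sender_login_maps LDAP query would return.
    Assumption: Postfix returns the result_attribute of every matching entry, so
    an address carried by several alias entries is owned by all of their uids."""
    login_map = {}
    for e in entries:
        for addr in e.get("mail", []):
            login_map.setdefault(addr.lower(), set()).update(u.lower() for u in e.get("uid", []))
    return login_map

def sender_allowed(sasl_login, mail_from, login_map):
    """Authenticated client: MAIL FROM is accepted only if the SASL login owns it.
    An address with no owner in the map is rejected for authenticated clients."""
    return sasl_login.lower() in login_map.get(mail_from.lower(), set())
```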