From 23364b04e86313c73aaa4224221946ded5f65ba5 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sat, 21 Mar 2026 22:36:09 +0100 Subject: [PATCH] ldap: allow local accounts and aliases with ldap enabled In conflicts between local addresses and LDAP addresses the local one will always take priority in mail routing. This is something we now document and guarantee through tests. --- README.md | 2 - docs/ldap.rst | 30 ++++++++++---- docs/release-notes.rst | 2 + mail-server/assertions.nix | 10 ----- tests/ldap.nix | 84 ++++++++++++++++++++++++++++++++++++++ 5 files changed, 107 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index e8367d4..16ad813 100644 --- a/README.md +++ b/README.md @@ -70,8 +70,6 @@ SNM branch corresponding to your NixOS version. * [ ] [Mobileconfig](https://support.apple.com/guide/profile-manager/distribute-profiles-manually-pmdbd71ebc9/mac) * Improve the Forwarding Experience * [ ] Support [ARC](https://en.wikipedia.org/wiki/Authenticated_Received_Chain) signing with [Rspamd](https://rspamd.com/doc/modules/arc.html) -* User management - * [ ] Allow local and LDAP user to coexist * OpenID Connect * Depends on relevant clients adding support, e.g. [Thunderbird](https://bugzilla.mozilla.org/show_bug.cgi?id=1602166) diff --git a/docs/ldap.rst b/docs/ldap.rst index 4750e31..d65ccfd 100644 --- a/docs/ldap.rst +++ b/docs/ldap.rst @@ -40,15 +40,25 @@ follow best practices to simplify maintenance. Limitations ~~~~~~~~~~~ -We have various assertions in place, that prevent using LDAP together with -other features. Most of them are not technical limitations per se, but instead -lack configuration or validation. +Design choices +^^^^^^^^^^^^^^ -- Local users (:option:`mailserver.loginAccounts`) and aliases - (:option:`mailserver.extraVirtualAliases`) are not currently allowed with - :option:`mailserver.ldap.enable` enabled -- Aliases based on LDAP attributes are currently not implemented -- Quotas based on LDAP attributes are currently not implemented +These are intentional choices in how the mail server operates that affect the +LDAP integration. + +- For mail address routing local accounts always take priority over LDAP accounts. + +Planned +^^^^^^^ + +These are features we are interested in but require implementation, +documentation and tests. + +- Aliases based on LDAP attributes +- Quotas based on LDAP attributes + +Avoided +^^^^^^^ The following features will likely never be implemented, since they would complicate the setup significantly. @@ -58,7 +68,9 @@ complicate the setup significantly. - Use of ``homeDirectory``, ``uid``, ``gid`` LDAP attributes (we are committed to a virtual setup with one vmail user/uid/gid and UUID based home directories) - +- Declarative aliases through :option:`mailserver.extraVirtualAliases`. These + are limited to local accounts, because Postfix enforces sender ownership based + on login identity and does not consult virtual aliases for authorization. Enabling LDAP support ~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/release-notes.rst b/docs/release-notes.rst index e3122d4..9ee6ccc 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -30,6 +30,8 @@ NixOS 26.05 rather than their email address, which is more convenient and consistent with typical LDAP practices. The exact attribute can be customized through :option:`mailserver.ldap.attributes.username`. +- Local and LDAP accounts can now co-exist. For overlapping names and addresses + the local account will always win. - The following integrations are deprecated and will be removed before the next release: diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix index 8a346ad..a3c2428 100644 --- a/mail-server/assertions.nix +++ b/mail-server/assertions.nix @@ -98,16 +98,6 @@ in ) config.mailserver.dkim.domains ) ) - ++ lib.optionals config.mailserver.ldap.enable [ - { - assertion = config.mailserver.loginAccounts == { }; - message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.loginAccounts"; - } - { - assertion = config.mailserver.extraVirtualAliases == { }; - message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases"; - } - ] ++ lib.optionals (config.mailserver.ldap.enable && config.mailserver.mailDirectory != "/var/vmail") [ diff --git a/tests/ldap.nix b/tests/ldap.nix index a67362b..7cde1d0 100644 --- a/tests/ldap.nix +++ b/tests/ldap.nix @@ -1,7 +1,25 @@ +{ + pkgs, + ... +}: let + hashPassword = + password: + pkgs.runCommand "password-${password}-hashed" + { + buildInputs = [ pkgs.mkpasswd ]; + inherit password; + } + '' + mkpasswd -s <<<"$password" > $out + ''; + bindPassword = "unsafegibberish"; alicePassword = "testalice"; bobPassword = "testbob"; + carolPassword = "testcarol"; + frankPassword = "testfrank"; + malloryPassword = "testmallory"; in { name = "ldap"; @@ -83,6 +101,22 @@ in mail: bob@example.com homeDirectory: /home/bob userPassword: ${bobPassword} + + dn: cn=carol,ou=users,dc=example + entryUUID: 41240499-27e2-4fa2-be4f-4113a77661b1 + objectClass: inetOrgPerson + uid: carol + sn: Baz + mail: carol@example.com + userPassword: ${carolPassword} + + dn: cn=frank,ou=users,dc=example + entryUUID: ca16f594-f6b2-418f-87d3-0d02d746461f + objectClass: inetOrgPerson + uid: frank + sn: Moo + mail: frank@example.com + userPassword: ${frankPassword} ''; }; @@ -93,6 +127,24 @@ in localDnsResolver = false; indexDir = "/var/lib/dovecot/indices"; + extraVirtualAliases = { + # Steal frank@example.com from LDAP user frank + "frank@example.com" = "mallory@example.com"; + }; + + loginAccounts = { + # Colliding local account takes precedence over LDAP account with + # same address. + "carol@example.com" = { + hashedPasswordFile = hashPassword carolPassword; + }; + # Another account used as a virtual alias target to steal + # frank@example.com from the LDAP user frank + "mallory@example.com" = { + hashedPasswordFile = hashPassword malloryPassword; + }; + }; + ldap = { enable = true; uris = [ @@ -237,5 +289,37 @@ in ])) machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob'") + with subtest("Local addresses take priority over those learnt from LDAP"): + # carol@example.com is routed to the local user account + machine.succeed(" ".join([ + "mail-check send-and-read", + "--smtp-port 465", + "--smtp-ssl", + "--smtp-host localhost", + "--smtp-username alice", # LDAP user + "--imap-host localhost", + "--imap-username carol@example.com", # Local user + "--from-addr alice@example.com", + "--to-addr carol@example.com", + "--src-password-file <(echo '${alicePassword}')", + "--dst-password-file <(echo '${carolPassword}')", + "--ignore-dkim-spf" + ])) + + # frank@example.com gets routed to mallory@example.com due to a virtual alias + machine.succeed(" ".join([ + "mail-check send-and-read", + "--smtp-port 465", + "--smtp-ssl", + "--smtp-host localhost", + "--smtp-username alice", # LDAP user + "--imap-host localhost", + "--imap-username mallory@example.com", # Local user + "--from-addr alice@example.com", + "--to-addr frank@example.com", + "--src-password-file <(echo '${alicePassword}')", + "--dst-password-file <(echo '${malloryPassword}')", + "--ignore-dkim-spf" + ])) ''; }