ldap: allow local accounts and aliases with ldap enabled

In conflicts between local addresses and LDAP addresses the local one will always take priority in mail routing. This is something we now document and guarantee through tests.
2026-03-21 22:36:09 +01:00
parent 86d256870b
commit 23364b04e8
5 changed files with 107 additions and 21 deletions
@@ -1,7 +1,25 @@
+{
+  pkgs,
+  ...
+}:
 let
+  hashPassword =
+    password:
+    pkgs.runCommand "password-${password}-hashed"
+      {
+        buildInputs = [ pkgs.mkpasswd ];
+        inherit password;
+      }
+      ''
+        mkpasswd -s <<<"$password" > $out
+      '';
+
  bindPassword = "unsafegibberish";
  alicePassword = "testalice";
  bobPassword = "testbob";
+  carolPassword = "testcarol";
+  frankPassword = "testfrank";
+  malloryPassword = "testmallory";
 in
 {
  name = "ldap";
@@ -83,6 +101,22 @@ in
              mail: bob@example.com
              homeDirectory: /home/bob
              userPassword: ${bobPassword}
+
+              dn: cn=carol,ou=users,dc=example
+              entryUUID: 41240499-27e2-4fa2-be4f-4113a77661b1
+              objectClass: inetOrgPerson
+              uid: carol
+              sn: Baz
+              mail: carol@example.com
+              userPassword: ${carolPassword}
+
+              dn: cn=frank,ou=users,dc=example
+              entryUUID: ca16f594-f6b2-418f-87d3-0d02d746461f
+              objectClass: inetOrgPerson
+              uid: frank
+              sn: Moo
+              mail: frank@example.com
+              userPassword: ${frankPassword}
            '';
        };

@@ -93,6 +127,24 @@ in
          localDnsResolver = false;
          indexDir = "/var/lib/dovecot/indices";

+          extraVirtualAliases = {
+            # Steal frank@example.com from LDAP user frank
+            "frank@example.com" = "mallory@example.com";
+          };
+
+          loginAccounts = {
+            # Colliding local account takes precedence over LDAP account with
+            # same address.
+            "carol@example.com" = {
+              hashedPasswordFile = hashPassword carolPassword;
+            };
+            # Another account used as a virtual alias target to steal
+            # frank@example.com from the LDAP user frank
+            "mallory@example.com" = {
+              hashedPasswordFile = hashPassword malloryPassword;
+            };
+          };
+
          ldap = {
            enable = true;
            uris = [
@@ -237,5 +289,37 @@ in
        ]))
        machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob'")

+      with subtest("Local addresses take priority over those learnt from LDAP"):
+        # carol@example.com is routed to the local user account
+        machine.succeed(" ".join([
+          "mail-check send-and-read",
+          "--smtp-port 465",
+          "--smtp-ssl",
+          "--smtp-host localhost",
+          "--smtp-username alice", # LDAP user
+          "--imap-host localhost",
+          "--imap-username carol@example.com", # Local user
+          "--from-addr alice@example.com",
+          "--to-addr carol@example.com",
+          "--src-password-file <(echo '${alicePassword}')",
+          "--dst-password-file <(echo '${carolPassword}')",
+          "--ignore-dkim-spf"
+        ]))
+
+        # frank@example.com gets routed to mallory@example.com due to a virtual alias
+        machine.succeed(" ".join([
+          "mail-check send-and-read",
+          "--smtp-port 465",
+          "--smtp-ssl",
+          "--smtp-host localhost",
+          "--smtp-username alice", # LDAP user
+          "--imap-host localhost",
+          "--imap-username mallory@example.com", # Local user
+          "--from-addr alice@example.com",
+          "--to-addr frank@example.com",
+          "--src-password-file <(echo '${alicePassword}')",
+          "--dst-password-file <(echo '${malloryPassword}')",
+          "--ignore-dkim-spf"
+        ]))
    '';
 }