Postfix + virtual users/groups/aliases stored in LDAP
This post only covers the configuration files Postfix needs in order to look up recipients in the LDAP server.
We want to be able to send emails to username@domain.tld.
We also want aliases for our users, for example firstname.lastname@domain.tld pointing to username@domain.tld.
Finally, we want groups to act as mailing lists, forwarding emails to the members of the group, for example support@domain.tld.
LDAP tree
dc=domain,dc=tld
|-------ou=Aliases,dc=domain,dc=tld
|---------------cn=support,ou=Aliases,dc=domain,dc=tld
|
| cn : support
| description : alias support
| gidNumber : 50000
| mailRoutingAddress : support@domain.tld
| memberUid : it (this is a group with the inetLocalMailRecipient class and a mailRoutingAddress field defined)
| memberUid : username3 (this is a user account)
|
|-------ou=Groups,dc=domain,dc=tld
|---------------cn=it,ou=Groups,dc=domain,dc=tld
|
| cn : it
| description : IT dept group
| gidNumber : 40000
| mailRoutingAddress : it@domain.tld
| memberUid : username1
| memberUid : username2
|
|-------ou=Users,dc=domain,dc=tld
|---------------uid=username1,ou=Users,dc=domain,dc=tld
|
| cn : username1
| gecos : John Doe
| gidNumber : 10000
| homeDirectory : /home/username1
| mail : john.doe@domain.tld
| mailLocalAddress : john.doe
| uid : username1
| [...]
Postfix configuration
For this to work, we must define "append_at_myorigin = yes" in main.cf, because the maps below return bare uid and memberUid values without a domain part.
For group/alias emails to work, the group entry must have the inetLocalMailRecipient object class and a mailRoutingAddress attribute defined.
So we basically add in main.cf:
virtual_alias_maps = ldap:/etc/postfix/ldap-account.cf, ldap:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-alias.cf
This means that Postfix will check ldap-account.cf first, then ldap-group.cf and finally ldap-alias.cf.
So we create these files:
ldap-account.cf (for virtual users) :
server_host = localhost
port = 389
version = 3
search_base = ou=Users,dc=domain,dc=tld
scope = sub
# we search through the Users base for the recipient email address (%s)
query_filter = (mail=%s)
# if we find anything under ou=Users,dc=domain,dc=tld, we deliver to the account specified under "uid"
# so basically, if we send an email to john.doe@domain.tld, we will find an entry, finally delivering the email to uid username1
result_attribute = uid
ldap-alias.cf (for virtual aliases) :
server_host = localhost
port = 389
version = 3
scope = sub
# we search through the Aliases base...
search_base = ou=Aliases,dc=domain,dc=tld
# ...for the recipient email address (%s) specified under mailRoutingAddress field
query_filter = mailRoutingAddress=%s
# If we find anything, return memberUid, which can be accounts, groups, or aliases
result_attribute = memberUid
ldap-group.cf (for virtual groups) :
server_host = localhost
port = 389
version = 3
scope = sub
# Same as aliases, but in a different base
search_base = ou=Groups,dc=domain,dc=tld
query_filter = mailRoutingAddress=%s
result_attribute = memberUid
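Added example (not part of the original post): a simplified Python model of how the three maps above resolve a recipient, showing why the bare memberUid "it" returned for support@domain.tld is expanded again through ldap-group.cf. It assumes $myorigin is domain.tld, copies its entries from the LDAP tree above, looks up only the full address (Postfix also tries other key forms), and the function names are illustrative.

```python
# Simplified model of the page's setup; entries copied from the LDAP tree above.
MYORIGIN = "domain.tld"  # assumption: value of $myorigin
DIRECTORY = [
    {"base": "ou=Users", "mail": ["john.doe@domain.tld"], "uid": ["username1"]},
    {"base": "ou=Groups", "mailRoutingAddress": ["it@domain.tld"],
     "memberUid": ["username1", "username2"]},
    {"base": "ou=Aliases", "mailRoutingAddress": ["support@domain.tld"],
     "memberUid": ["it", "username3"]},
]
# (search_base, attribute used in query_filter, result_attribute),
# listed in the same order as virtual_alias_maps in main.cf
MAPS = [
    ("ou=Users", "mail", "uid"),                        # ldap-account.cf
    ("ou=Groups", "mailRoutingAddress", "memberUid"),   # ldap-group.cf
    ("ou=Aliases", "mailRoutingAddress", "memberUid"),  # ldap-alias.cf
]

def lookup(address):
    """Return the result of the first map that matches, or None."""
    for base, filter_attr, result_attr in MAPS:
        hits = [value for entry in DIRECTORY
                if entry["base"] == base and address in entry.get(filter_attr, [])
                for value in entry[result_attr]]
        if hits:
            return hits
    return None

def qualify(address):
    """append_at_myorigin = yes: add @$myorigin to results without a domain."""
    return address if "@" in address else f"{address}@{MYORIGIN}"

def expand(address, seen=None):
    """Recursively expand an address until no map matches any more."""
    seen = set() if seen is None else seen
    address = qualify(address)
    if address in seen:      # already handled: avoids loops and duplicates
        return []
    seen.add(address)
    results = lookup(address)
    if results is None:      # no map matches: expansion stops here
        return [address]
    final = []
    for result in results:
        final.extend(expand(result, seen))
    return final

if __name__ == "__main__":
    for rcpt in ("john.doe@domain.tld", "it@domain.tld", "support@domain.tld"):
        print(rcpt, "->", expand(rcpt))
```

On the real server, each map can be checked on its own with postmap -q, for example: postmap -q support@domain.tld ldap:/etc/postfix/ldap-alias.cf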