Freeipa group expansion for postfix
21 September,2023
This tutorial will present reader 2 ways to add mail to a group and how we can configure Postfix for group expansion.
FreeIPA Groups does not allow mail attribute to group by default, which means that we must add mailGroup objectClass to the group. Consider an example group named support. To add mail attribute to group run the following command
ipa group-mod support --addattr="objectclass=mailGroup" --addattr="mail=support@example.com"
This will add mailGroup objectclass and mail attribute with value “support@example.com”
####support, groups, accounts, amogha.labnetwork.in
dn: cn=support,cn=groups,cn=accounts,dc=example,dc=com
cn: support
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: mailGroup
ipaUniqueID: 58c0bc3a-7e97-11ec-ab9c-96f26bde8936
mail: support@example.com
member: uid=test,cn=users,cn=accounts,dc=example,dc=com
member: uid=test2,cn=users,cn=accounts,dc=example,dc=com
In postfix, create a ldap lookup table. I usually create all these ldap files in /etc/postfix/ldap Inorder to use this mail group with Postfix, we have to configure 2 things:
- A lookup table that will return members of group
- Adding this lookup table to main.cf config file.
LDAP Group lookup table (/etc/postfix/ldap/virtual_groups.cf)
bind = yes
bind_dn = uid=user,cn=users,cn=accounts,dc=example,dc=com
bind_pw = secret
server_host = ipa.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (&(objectClass=groupofnames)(mail=%s))
leaf_result_attribute = mail
special_result_attribute = member
We use leaf_result_attribute instead of result_attribute because using latter will also return groups email id. This can be checked with postmap command as given below. Former uses result_attribute, latter leaf_result_attribute.
$ postmap -q support@example.com ldap:/etc/postfix/ldap/virtual_groups.cf
support@example.com,test@exmaple.com,test2@exmample.com
$ postmap -q support@example.com ldap:/etc/postfix/ldap/virtual_groups.cf
test@exmaple.com,test2@exmample.com
To add group expansion to postfix, append ldap:/etc/postfix/ldap/virtual_groups.cf to virtual_alias_maps.
vitual_alias_maps = $(whatever user configured), ldap:/etc/postfix/ldap/virtual_groups.cf
And we have successfully configured group expansion for FreeIPA in Postfix. But… adding objectClasses using cli is bit of a hassle and we will not be able to see group mails in UI.
What can we do here? The simplest option is to use an attribute that is already shown in UI, wouldn’t it? Enter description attribute. No extra work, shows up in UI.
Is it ugly to see mails under description? Yes, atleast we don’t need to use cli. I consider this a win-win.
How can we do this? Replace mail in lookup table above with description. Done.
bind = yes
bind_dn = uid=user,cn=users,cn=accounts,dc=example,dc=com
bind_pw = secret
server_host = ipa.example.com
search_base = cn=accounts,dc=example,dc=com
query_filter = (&(objectClass=groupofnames)(description=%s))
leaf_result_attribute = mail
special_result_attribute = member
Finally! we successfully configured group expansion for FreeIPA in Postfix.