Postfix and Dynamic Groups



  • I’m having a problem sending to Dynamic groups through Postfix.

    I can list the groups fine using kopano-admin.
    I can send fine if I use WebApp or Z-Push, but not if I use an SMTP client…

    It appears the difference is that in WebApp and Z-Push the group membership is resolved before it is sent to Postfix, whereas if I use an SMTP client, Postfix accepts the mail, but it gets stuck with the following errors:

    Aug 15 10:53:11 postfixserver postfix/lmtp[22557]: 0D10E8019090: to=<dynamic-group@domain.name>, relay=127.0.0.1[127.0.0.1]:2003, delay=0.08, delays=0.01/0/0.06/0, dsn=4.2.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.2.0 dynamic-group@domain.name Mailbox temporarily unavailable (in reply to end of DATA command))
    Aug 15 11:01:52 postfixserver postfix/lmtp[21720]: 0D10E8019090: to=<dynamic-group@domain.name>, relay=127.0.0.1[127.0.0.1]:2003, delay=522, delays=522/0/0.06/0.01, dsn=4.2.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.2.0 dynamic-group@domain.name Mailbox temporarily unavailable (in reply to end of DATA command))
    Aug 15 11:11:52 postfixserver postfix/lmtp[21735]: 0D10E8019090: to=<dynamic-group@domain.name>, relay=127.0.0.1[127.0.0.1]:2003, delay=1121, delays=1121/0/0.05/0, dsn=4.2.0, status=deferred (host 127.0.0.1[127.0.0.1] said: 450 4.2.0 dynamic-group@domain.name Mailbox temporarily unavailable (in reply to end of DATA command))
    

    Is this by design? Is it possible to use Dynamic Groups with Postfix?

    Thanks
    Bob



  • Sorry, I should have mentioned that I’m using Active Directory as my backend.
    I did find this article, but that seems specific to OpenLDAP…



  • I suggest you start reading here: https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-kc-active-directory-integration

    First set to something like:
    virtual_mailbox_maps = ldap:/etc/postfix/kopano-ads-users-aliases.cf

    My filter:
    scope = sub
    query_filter = (&(objectClass=person)(kopanoAccount=1)(|(mail=%s)(otherMailbox=%s)))
    result_attribute = mail

    virtual_alias_maps = ldap:/etc/postfix/kopano-ads-groups-aliases.cf
    query_filter = (&(objectclass=group)(zarafaAccount=1)(|(mail=%s)(otherMailbox=%s)))
    leaf_result_attribute = mail
    special_result_attribute = member

    And test with:
    postmap -q Your_Group@domain.tld ldap:/etc/postfix/kopano-ads-groups-aliases.cf



  • Thanks!

    I did look at that and my setup seems fine from the Kopano side of things; the problem is Postfix, and specifically Postfix when used with Dynamic Groups.

    Postfix with users, groups, and aliases works perfectly fine (all of which is covered in the document you mentioned), but Dynamic Groups with respect to Postfix do not.
    When you look at a Dynamic Group object, you can see from the objectclass that it is not a person, it is not a group, and the only attribute it has is a filter string.

    Bob



  • Hi Robert,
    You got Kopano working with AD and dynamicGroups?
    Maybe you can help me with my issue:
    "No dynamicGroups and addresslists with samba AD"
    We are using a Samba4 AD controller.



  • Hi Bob,
    I've been playing with Kopano and AD LDAP for many days now.
    Yes, you are right: the kopanoDynamicGroups and kopanoAddressLists are handled by Kopano internally before any Postfix activities.
    But you can play with additional virtual_alias_maps, as I did.

    The special_result_attribute is used for recursion, but it must be a DN or LDAP URL.
    The kopanoFilter attribute used by Kopano is only a query fragment, and cannot be used directly with special_result_attribute :-(

    Assuming our kopanoDynamicGroup named grp-London, with email grp-london@<your-domain>, has a kopanoFilter like this:

    (physicalDeliveryOfficeName=London)

    We expect something like this as the URL result to use with special_result_attribute:

    ldap://<your-server-ip>:389/ou=users,dc=<your>,dc=<domain>?mail?sub?(physicalDeliveryOfficeName=London)
    

    Unfortunately we cannot use a URI with kopanoFilter :-(

    My workaround:
    When using the dangerous ADSI-Editor you can change the attribute url of your kopanoDynamicGroup to use as our LDAP URI.

    And here is what we use in virtual_alias_maps.
    Our test file ldap-kopano-dynGroup.cf:

    server_host = ldap://<your-server-ip>
    server_port = 389
    search_base = dc=<your>,dc=<domain>
    version = 3
    
    bind = yes
    bind_dn =  <your-bind-dn>
    bind_pw =  <your-bind-password>
    
    query_filter = (&(objectclass=kopanoDynamicGroup)(kopanoAccount=1)(|(mail=%s)(otherMailbox=%s)))
    result_attribute = sn
    leaf_result_attribute = mail
    special_result_attribute = url
    

    Running the command
    postmap -v -q grp-london@<your-domain> ldap:/etc/postfix/ldap-kopano-dynGroup.cf

    should now show the LDAP queries and results we expect from within Postfix.

    Simply copy ldap-kopano-dynGroup.cf to ldap-kopano-addrList.cf and change the objectClass to kopanoAddrList to get the same for address lists.
    You can also combine the query_filter to match both.

    Have fun
    Tom
    PS: As far as I know, there is no option to rewrite the results of special_result_attribute to prepend a string to kopanoFilter with something like result_format = ldap:// … … … %s
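
Added example (not part of the thread, and not Kopano or Postfix code): a small Python helper that turns a kopanoFilter fragment into the LDAP URL form shown in the post above, percent-encoding per RFC 4516 and rejecting fragments that are not one complete filter, so the value written to the url attribute is well-formed. The host 192.0.2.10, the example.com base DN and the function names are assumptions made for illustration.

```python
from urllib.parse import quote

SCOPES = {"base", "one", "sub"}  # scope keywords allowed in an LDAP URL


def check_filter(fragment: str) -> str:
    """Return the fragment if it is exactly one parenthesised LDAP filter."""
    text = fragment.strip()
    if not text.startswith("("):
        raise ValueError("filter must start with '('")
    depth = 0
    for pos, char in enumerate(text):
        if char == "(":
            depth += 1
        elif char == ")":
            depth -= 1
            # The outermost group closing early means trailing text, e.g.
            # "(a=b)(c=d)", which is a fragment and not a standalone filter.
            if depth == 0 and pos != len(text) - 1:
                raise ValueError("more than one top-level filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses")
    return text


def build_group_url(host, base_dn, kopano_filter,
                    port=389, attr="mail", scope="sub"):
    """Build ldap://host:port/base?attr?scope?filter for the url attribute."""
    if scope not in SCOPES:
        raise ValueError(f"unknown scope: {scope}")
    # '?' separates the URL fields, so it (and spaces, '|', '\') is encoded.
    dn = quote(base_dn, safe="=,+")
    flt = quote(check_filter(kopano_filter), safe="()=&!*,:@")
    return f"ldap://{host}:{port}/{dn}?{attr}?{scope}?{flt}"


if __name__ == "__main__":
    # Constructed sample values; replace with your own server and base DN.
    print(build_group_url("192.0.2.10", "ou=users,dc=example,dc=com",
                          "(physicalDeliveryOfficeName=London)"))
```

The printed value can be compared against what `postmap -v -q` reports for the group before relying on it in virtual_alias_maps.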

