Sending an email to LDAP/AD group - Mail Alias is not a solution

(Dennis Lloyd) #1

This has been a problem for as long as I have been interested in using Nethserver. I feel this should be a basic feature of a mail server connected to a domain.

referring to my initial post

the suggestion to use a mail alias was looked at… unfortuanatly this is not a solution since I still have to maintain a list… the purpose of using a domain controller with groups and users is to make this centralized and easier to manage… not harder…

looking into this again since i’m trying to reduce the amount of servers I have and wanted to move email to Nethserver, I see this is still not a feature.

I found two more:

it looks like it’s not possible, yet almost every other package I’ve tested has this feature… why wouldn’t Nethserver support this? If it’s joined too a domain, why not use the features of a domain???

I really would like to use Nethserver since it has many other great features, but mail is the primary one for me. I need to email a group

Nethserver email alias dynamic when using groups
Nethserver 7.3 as Domain AD - User deletion and group mail alias
Send an email to all members of a group?
(Stéphane de Labrusse) #2

With nethgui it won’t be on the todo list, but why not for cockpit. This feature could not work with a remote authentication, but with a local authentification it should

cc @edoardo_spadoni @giacomo @davidep

(Michael Kicks) #3

Currently, a LDAP group is not a mailserver object. Also a user… Scripts when creating user can create the mailbox, but on next step is mailbox/mailaddress the object for the mailserver.

Question for you, @SGVFR: do the LDAP/AD group have a mailaddress configurated on?

(Dan) #4

Agreed. Neth is a big step forward from SME in most ways, but this is a definite step backward.

(Dennis Lloyd) #5

Hi, yes the group’s all have email addresses configured. I updated and expanded the template to make groups contact lists, and specified mailPrimaryAddress. In sogo I can search groups and see the email address, and auto complete will find it when typing in the TO field.

I am on my phone, but will get screenshots on my PC later.


(Davide Principi) #6

I’d like this feature because we have it in ns6.

However its implementation is really bad. As Steph said we’re going to work on the mail server UI, and that could be the right time to see if something simple and effective can be rolled out.

Please note that we already started the discussion about this #feature in the linked topic!

(Dennis Lloyd) #7


here is some more information. Everything here makes it appear that Neth + SOGo can email all members of an LDAP group… But it cannot. This is a very important feature for any domain. This should be possible without having to maintain separate lists or aliases.


  /* 45 ldap authentication */
    SOGoUserSources =(
        id = groups;
        type = ldap;
        CNFieldName = cn;
        UIDFieldName = cn;
        IDFieldName = cn;
        baseDN = "$groupDN";
        bindDN = "$bindDN";
        bindPassword = "$bindPassword";
        scope = ONE;
        canAuthenticate = YES;
        MailFieldNames = ("mailPrimaryAddress");
        displayName = "SGVFR groups";
        hostname = $ldapURI;
        isAddressBook = YES;
        filter = "((&(objectCategory=group)(mail=*)))";

I have also used mailPrimaryAddress in the filter.

Screenshots showing the SOGo view on groups…

(Stéphane de Labrusse) #8

The link between ldap and postfix doesn’t exist and moreover we need a recompiled version of postfix to use ldap and postfix together.

The nethserver mantra imposes to use software from upstream therefore we could/should not do it ourself and the only way I see is to maintain a list with user-* and group-* events but I agree it won’t work for the remote authentication.

BY the way, the email server needs to save a lot of properties in the local server, so we could state on the fact and accept this limitation.

Please add some feed for thoughs

(Davide Principi) #9

There are two possible approaches:

  • cronjob that queries the group members and pushes the group aliases in a postfix DB
  • let postfix query a dynamic table (socketmap or tcp). A systemd socket activation script could be the way to implement it

(Michael Kicks) #10

Query should overwrite conflicting aliases on postfix?
If i define a group alias which is already written into single mail alias, what would happen?

(Dan) #11

I guess a third possibility would be to add this as an action to any event that changes group membership (user/group creation/modification/deletion would cover it, I’d think)–build groups as aliases in the background, and rebuild those aliases any time there’s a change. It sounds like an ugly hack, but I think it’d be less ugly (and also more responsive) than a cron job.

(Davide Principi) #12

Yes possible, but it works only with a local accounts provider.

It should gain lower precedence: if a group alias is already defined, it overrides the dynamic query. Furthermore this new feature should be disabled by default (as usual, for new features until 7.7 is released at least).

The dynamic query is the best option IMO: no service restarts, no template/DB expansions. Its effectiveness is bound to SSSD group caching mechanism: we can tune it for remote providers; for local providers the problem doesn’t exist because SSSD cache is cleared by user/group modifications.

(Alessio Fattorini) #13

Can we close similar discussions and move forward the debate just in one of them?
So we can clean up a bit and not scatter the information

(Matteo Valentini) #14

I have just start to work on an implementation of the second approach. :slight_smile:

(Davide Principi) #15

Great news for the Fire Dept, @SGVFR! :fire_engine:

(Dennis Lloyd) #16

That is wonderful news! Thank you. This will work with a remote account provider, correct? All my accounts are on a univention corporate server.

Thank you so much. Looking forward to testing!

(Matteo Valentini) #17

Yep, it use getent for obtain the list of users, so it will works with local or remote account providers, can be ldap or Active Directory.

(Dennis Lloyd) #18

Wonderful, I’m sure there will be MANY users of Nethserver who will be looking forward to this new capability. I will finally be able to retire my old mail-servers and migrate everything over to NS and UCS (Which are a fantastic combination in a domain)

I apologize to everyone involved for being a pest and bring this up multiple times. I am very appreciative of all the work that goes into Nethserver.

(Matthieu Gaillet) #19

I can’t wait either. I can’t remember how many time I forgot to add an user to a group alias, to remove it, to correct a typo or whatever. Thanks !

(Matteo Valentini) #20

The package is now in nethserver-testing repository, you can install and test with yum install --enablerepo nethserver-testing nethserver-mail-server.
For enable the feature you can follow the QA steps in the related issue:

Please note that groups with space are not supported, as eg. domain admins