I will test this right now!
I just followed the instructions (mostly) for the test. I already have existing groups in my remote LDAP/AD system with email addresses configured with the attribute "mailPrimaryAddress"
cn=SGVFR-INSTRUCTORS,ou=Groups,dc=sgvfr,dc=lan
I hope this isn't the problem, my AD/LDAP domain has always been sgvfr.lan
changing to sgvfr.com seems like a lot of work.
I also tried to email SGVFR-INSTRUCTORS@sgvfr.lan - it also bounced.
LDAP group I was testing with is SGVFR-INSTRUCTORS (instructors@sgvfr.com)
my first test I tried the email address, then realized I should have sent the message to the group instead… both bounced from the server with
<SGVFR-INSTRUCTORS@sgvfr.com>: host sparky.sgvfr.com[/var/run/dovecot/lmtp]
said: 550 5.1.1 <SGVFR-INSTRUCTORS@sgvfr.com> User doesn't exist:
SGVFR-INSTRUCTORS@sgvfr.com (in reply to RCPT TO command)
login as: root
root@sparky.sgvfr.com's password:
Last login: Sun Mar 3 19:46:06 2019 from 172.20.250.15
[root@sparky ~]# yum install --enablerepo nethserver-testing nethserver-mail-server
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
* ce-base: mirror.cwcs.co.uk
* ce-extras: mirror.cwcs.co.uk
* ce-sclo-rh: mirror.cwcs.co.uk
* ce-sclo-sclo: mirror.cwcs.co.uk
* ce-updates: mirror.cwcs.co.uk
* epel: mirrors.kernel.org
* nethforge: mirror.nordest.systems
* nethserver-base: mirror.nordest.systems
* nethserver-updates: mirror.nordest.systems
nethserver-testing/7/x86_64/signature | 836 B 00:00
nethserver-testing/7/x86_64/signature | 2.9 kB 00:00 !!!
nethserver-testing/7/x86_64/primary_db | 129 kB 00:00
Resolving Dependencies
--> Running transaction check
---> Package nethserver-mail-server.noarch 0:2.4.5-1.ns7 will be updated
---> Package nethserver-mail-server.noarch 0:2.4.5-1.9.gd3d7cd1.ns7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================
Updating:
nethserver-mail-server noarch 2.4.5-1.9.gd3d7cd1.ns7 nethserver-testing 112 k
Transaction Summary
==============================================================================================================================
Upgrade 1 Package
Total download size: 112 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for nethserver-testing
nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch.rpm | 112 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch 1/2
Cleanup : nethserver-mail-server-2.4.5-1.ns7.noarch 2/2
Verifying : nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch 1/2
Verifying : nethserver-mail-server-2.4.5-1.ns7.noarch 2/2
Updated:
nethserver-mail-server.noarch 0:2.4.5-1.9.gd3d7cd1.ns7
Complete!
[root@sparky ~]# db configuration setprop postfix DynamicGroupAlias enable
[root@sparky ~]# signal-event nethserver-mail-server-update
[root@sparky ~]# mail -s "Test Subject" instructors@sgvfr.com < /dev/null
Null message body; hope that's ok
[root@sparky ~]# mail -s "Test Subject" SGVFR-INSTRUCTORS@sgvfr.com < /dev/null
Null message body; hope that's ok
Question: Do I still need to configure a "mail alias" under Management>Email Addresses ??
Please let me know what logs I can provide, I will do everything I can to help troubleshoot.
That is ignored
In this case you have to define some address aliases, however the UI is still not ready to support this use case: you have to use the command line (see below)
@amygos is checking if the "-" minus sign is a problem
Yes you have to add a mail alias. As said the UI can't do it by now, but you can do it with this command
db accounts set instructors@ pseudonym Access public Account SGVFR-INSTRUCTORS@sgvfr.lan Description Test-5725
signal-event nethserver-mail-server-save
Delete instructors@ if it already exists.
There was a typo in the test cases, the value of the prop DynamicGroupAlias must be set to enabled instead of enable, sorry @SGVFR.
So you can enable the feature with:
db configuration setprop postfix DynamicGroupAlias enabled
signal-event nethserver-mail-server-update
This doesn't seem to be a problem
Great, I will try again.
Thanks !
Initial test did work… I am able to send email to SGVFR-INSTRUCTORS@sgvfr.com from the root account.
When you say "that is ignored" regarding the email address attribute on the groups, does that mean we will have to manually (one time) configure the alias for each group we want as a contact? But it will dynamically update with users on the LDAP/AD server, right?
Thanks.
Looking great so far !!
Good news!
Yes, just once.
Exactly. Consider also that group changes are effective when sssd cache expires, for remote ad/ldap. We have to check the sssd docs for the actual timings
@davidep A button/signal event for "refresh cache now" could lead to problems?
I think it can be useful if you are in a hurry. However I see it for the cockpit UI only.
Another thing we can do is decreasing the cache lifetime to 15 minutes.
chance of a cli command for the impatient people? Could there be an option for a realtime view of the current email address list in the cockpit / dashboard? I'm happy with a cli command also.
sss_cache --groups
More info: man sss_cache
it's a nice idea
Found a bug: a user is not removed from a group after it has been deleted.
Reproduce: delete user (e.g. "test1") and send a mail to the group (e.g. "mailgroup").
You got a non-delivery notification.
Did you run it?
sss_cache --groups
Oh! No. Working after that. Didn't understand what it was about in the context of this discussion.
I didn't understand that sentence. When I tested I didn't create any alias of any sort - and that's the intended way of doing things from my point of view. What is that alias you're talking about?
It looks like it is the same for local AD.
Some people have a "domain.lan" (or similar) domain suffix: a private domain suffix. They need to configure an alias domain or a group mail alias address to deliver messages into users' mailboxes.
Thanks for the heads-up: this needs to be checked.
You're welcome. Btw I mixed up things; on this particular machine we're talking about a DC (simple LDAP).
Matt
PS / Did I say how GREAT this update was ?? It will save us hours of pain and encoding errors.
PS2 / Will the definitive version support import / conversion of existing aliases ?
Hello Matteo, just wondering if there is anything else I can help test or check? I've added a couple of aliases, which also do show in the current dashboard so I can see which ones I have created.
So far it is working great.
Anything else I can do, I would be happy to help with.