Sending an email to LDAP/AD group - Mail Alias is not a solution

(Dennis Lloyd) #21

I will test this right now!

(Dennis Lloyd) #22


I just followed the instructions (mostly) for the test. I already have existing groups in my remote LDAP/AD system with email address’s configured with the attribute “mailPrimaryAddress”


I hope this isn’t the problem, my AD/LDAP domain has always been sgvfr.lan

changing to seems like a lot of work.

I also tried to email SGVFR-INSTRUCTORS@sgvfr.lan - it also bounced.

LDAP group I was testing with is SGVFR-INSTRUCTORS (

my first test I tried the email address, then realized i should have sent the message to the group instead… both bounced from the server with

<>: host[/var/run/dovecot/lmtp]
said: 550 5.1.1 <> User doesn't exist: (in reply to RCPT TO command)

login as: root's password:
Last login: Sun Mar  3 19:46:06 2019 from

[root@sparky ~]# yum install --enablerepo nethserver-testing nethserver-mail-ser                                              ver
Loaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile
 * ce-base:
 * ce-extras:
 * ce-sclo-rh:
 * ce-sclo-sclo:
 * ce-updates:
 * epel:
 * nethforge:
 * nethserver-base:
 * nethserver-updates:
nethserver-testing/7/x86_64/signature                    |  836 B     00:00
nethserver-testing/7/x86_64/signature                    | 2.9 kB     00:00 !!!
nethserver-testing/7/x86_64/primary_db                     | 129 kB   00:00
Resolving Dependencies
--> Running transaction check
---> Package nethserver-mail-server.noarch 0:2.4.5-1.ns7 will be updated
---> Package nethserver-mail-server.noarch 0:2.4.5-1.9.gd3d7cd1.ns7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                           Arch              Version                              Repository                     Size
 nethserver-mail-server            noarch            2.4.5-1.9.gd3d7cd1.ns7               nethserver-testing            112 k

Transaction Summary
Upgrade  1 Package

Total download size: 112 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for nethserver-testing
nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch.rpm                                               | 112 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch                                                       1/2
  Cleanup    : nethserver-mail-server-2.4.5-1.ns7.noarch                                                                  2/2
  Verifying  : nethserver-mail-server-2.4.5-1.9.gd3d7cd1.ns7.noarch                                                       1/2
  Verifying  : nethserver-mail-server-2.4.5-1.ns7.noarch                                                                  2/2

  nethserver-mail-server.noarch 0:2.4.5-1.9.gd3d7cd1.ns7

[root@sparky ~]# db configuration setprop postfix DynamicGroupAlias enable
[root@sparky ~]# signal-event nethserver-mail-server-update

[root@sparky ~]# mail -s "Test Subject" < /dev/null
Null message body; hope that's ok
[root@sparky ~]# mail -s "Test Subject" < /dev/null
Null message body; hope that's ok

Question: Do I still need to configure a “mail alias” under Management>Email Addresses ??
Please let me know what logs I can provide, I will do everything I can to help troubleshoot.

(Davide Principi) #23

That is ignored

In this case you have to define some address aliases, however the UI is still not ready to support this use case: you have to use the command line (see below :arrow_heading_down:)

@amygos is checking if the “-” minus sign is a problem

Yes you have to add a mail alias. As said the UI can’t do it by now, but you can do it with this command

 db accounts set instructors@ pseudonym Access public Account SGVFR-INSTRUCTORS@sgvfr.lan Description Test-5725
 signal-event nethserver-mail-server-save

Delete instructors@ if it already exists.

(Matteo Valentini) #24

There was a typo in the test cases, the value of the prop DynamicGroupAlias must be set to enabled instead of enable, sorry @SGVFR :sweat_smile: .
So you can enable the feature with:

  • db configuration setprop postfix DynamicGroupAlias enabled
  • signal-event nethserver-mail-server-update

(Matteo Valentini) #25

This don’t seem to be a problem

(Dennis Lloyd) #26

Great, I will try again.

Thanks !

(Dennis Lloyd) #27

Initial test did work… I am able to send email to from the root accouunt.

When you say “that is ignored” regarding the email address attribute on the groups does that mean we will have to manually (one time) configure the alias for each group we want as a contact? but it will dynamically update with users on the LDAP/AD server, right?


Looking great so far !!

(Davide Principi) #28

Good news! :+1:

Yes, just once.

Exactly. Consider also that group changes are effective when sssd cache expires, for remote ad/ldap. We have to check the sssd docs for the actual timings

(Michael Kicks) #29

@davidep A button/signal event for “refresh cache now” could lead to problems?

(Davide Principi) #30

I think it can be useful if you are in a hurry. However I see it for the cockpit UI only.

Another thing we can do is decreasing the cache lifetime to 15 minutes.

(Dennis Lloyd) #31

chance of a cli command for the impatient people? Could there be an option for a realtime view of the current email address list in the cockpit / dashboard ? I’m happy with a cli command also.

(Davide Principi) #32
sss_cache --groups

More info: man sss_cache

:+1: it’s a nice idea

(Matthieu Gaillet) #33

Found a bug : an user is not removed from a group after it has been deleted.

Reproduce : delete user (eg “test1”) and send a mail to the group (eg “mailgroup”).

You got an non delivery notification.

(Davide Principi) #34

Did you run it?

sss_cache --groups

(Matthieu Gaillet) #35

Oh ! No. Working after that. Didn’t understood what it was about in the context of this discussion.

(Matthieu Gaillet) #36

I didn’t understood that sentence. When I tested I didn’t create any alias of any sort - and that’s the intended way of doing things from my point of view. What is that alias you’re talking about ?

It looks like it is the same for local AD.

(Davide Principi) #37

Some people have a “domain.lan” (or similar) domain suffix: a private domain suffix. They need to configure an alias domain or a group mail alias address to deliver messages into users’ mailboxes.

Thanks for the heads-up: this need to be checked.

(Matthieu Gaillet) #38

You’re welcome. Btw I mixed up things; on this particular machine we’re talking about a DC (simple LDAP).


(Matthieu Gaillet) #39

PS / Did i say how GREAT this update was ?? It will save us hours of pain and encoding errors.

PS2 / Will the definitive version support import / conversion of existing aliases ?

(Dennis Lloyd) #40

hello Matteo, just wondering if there is anything else I can help test or check? I’ve added a couple alias’s, which also do show in the current dashboard so I can see which ones I have created.

So far it is working great.

Anything else I can do, I would be happy to help with.