Merge branch 'feature/ldap_forwards' into 'master'

ldap: Allow mailserver.forwards See merge request simple-nixos-mailserver/nixos-mailserver!313
2025-03-31 07:59:52 +05:00 · 2025-03-20 23:34:52 +00:00 · 2025-03-20 23:34:52 +00:00 · 507cc0de69
commit 507cc0de69
parent b4fbffe79c 6008f60deb
2 changed files with 39 additions and 5 deletions
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
  assertions = lib.optionals config.mailserver.ldap.enable [
    {
@ -9,10 +9,6 @@
      assertion = config.mailserver.extraVirtualAliases == {};
      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
    }
-    {
-      assertion = config.mailserver.forwards == {};
-      message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
-    }
  ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
    {
      assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
--- a/tests/ldap.nix
+++ b/tests/ldap.nix
@ -104,6 +104,10 @@ pkgs.nixosTest {
          searchScope = "sub";
        };

+        forwards = {
+          "bob_fw@example.com" = "bob@example.com";
+        };
+
        vmailGroupName = "vmail";
        vmailUID = 5000;

@ -179,5 +183,39 @@ pkgs.nixosTest {
        "--dst-password-file <(echo '${bobPassword}')",
        "--ignore-dkim-spf"
      ]))
+
+    with subtest("Test mail forwarding works"):
+      machine.succeed(" ".join([
+        "mail-check send-and-read",
+        "--smtp-port 587",
+        "--smtp-starttls",
+        "--smtp-host localhost",
+        "--smtp-username alice@example.com",
+        "--imap-host localhost",
+        "--imap-username bob@example.com",
+        "--from-addr alice@example.com",
+        "--to-addr bob_fw@example.com",
+        "--src-password-file <(echo '${alicePassword}')",
+        "--dst-password-file <(echo '${bobPassword}')",
+        "--ignore-dkim-spf"
+      ]))
+
+    with subtest("Test cannot send mail from forwarded address"):
+      machine.fail(" ".join([
+        "mail-check send-and-read",
+        "--smtp-port 587",
+        "--smtp-starttls",
+        "--smtp-host localhost",
+        "--smtp-username bob@example.com",
+        "--imap-host localhost",
+        "--imap-username alice@example.com",
+        "--from-addr bob_fw@example.com",
+        "--to-addr alice@example.com",
+        "--src-password-file <(echo '${bobPassword}')",
+        "--dst-password-file <(echo '${alicePassword}')",
+        "--ignore-dkim-spf"
+      ]))
+      machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'")
+
  '';
 }