From b343c5e8fa17f97c24a878398502388b4248ccad Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Wed, 27 Dec 2023 20:27:11 +0200
Subject: [PATCH 1/2] assertions: Allow mailserver.forwards with LDAP set up
---
 mail-server/assertions.nix | 6 +-----
 tests/ldap.nix | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index 0e5b15b..91921c6 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, ... }:
 {
 assertions = lib.optionals config.mailserver.ldap.enable [
 {
@@ -9,10 +9,6 @@
 assertion = config.mailserver.extraVirtualAliases == {};
 message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.extraVirtualAliases";
 }
- {
- assertion = config.mailserver.forwards == {};
- message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
- }
 ] ++ lib.optionals (config.mailserver.enable && config.mailserver.certificateScheme != "acme") [
 {
 assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
diff --git a/tests/ldap.nix b/tests/ldap.nix
index 02c5ac1..bf4411b 100644
--- a/tests/ldap.nix
+++ b/tests/ldap.nix
@@ -104,6 +104,10 @@ pkgs.nixosTest {
 searchScope = "sub";
 };
+ forwards = {
+ "bob_fw@example.com" = "bob@example.com";
+ };
+
 vmailGroupName = "vmail";
 vmailUID = 5000;
@@ -179,5 +183,39 @@ pkgs.nixosTest {
 "--dst-password-file <(echo '${bobPassword}')",
 "--ignore-dkim-spf"
 ]))
+
+ with subtest("Test mail forwarding works"):
+ machine.succeed(" ".join([
+ "mail-check send-and-read",
+ "--smtp-port 587",
+ "--smtp-starttls",
+ "--smtp-host localhost",
+ "--smtp-username alice@example.com",
+ "--imap-host localhost",
+ "--imap-username bob@example.com",
+ "--from-addr alice@example.com",
+ "--to-addr bob_fw@example.com",
+ "--src-password-file <(echo '${alicePassword}')",
+ "--dst-password-file <(echo '${bobPassword}')",
+ "--ignore-dkim-spf"
+ ]))
+
+ with subtest("Test cannot send mail from forwarded address"):
+ machine.fail(" ".join([
+ "mail-check send-and-read",
+ "--smtp-port 587",
+ "--smtp-starttls",
+ "--smtp-host localhost",
+ "--smtp-username bob@example.com",
+ "--imap-host localhost",
+ "--imap-username alice@example.com",
+ "--from-addr bob_fw@example.com",
+ "--to-addr alice@example.com",
+ "--src-password-file <(echo '${bobPassword}')",
+ "--dst-password-file <(echo '${alicePassword}')",
+ "--ignore-dkim-spf"
+ ]))
+ machine.succeed("journalctl -u postfix | grep -q 'Sender address rejected: not owned by user bob@example.com'")
+
 '';
 }
From f6a64f713ce82945446b41a79e97fee93af97c2b Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Tue, 6 May 2025 05:30:05 +0200
Subject: [PATCH 2/2] docs/release-notes: advertise mailserver.forwards with ldap
---
 docs/release-notes.rst | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docs/release-notes.rst b/docs/release-notes.rst
index 556de5f..3cdd5da 100644
--- a/docs/release-notes.rst
+++ b/docs/release-notes.rst
@@ -14,6 +14,8 @@ NixOS 25.05
 (`merge request `__)
 - Individual domains can now be excluded from DMARC Reporting through ``mailserver.dmarcReporting.excludedDomains``.
 (`merge request `__)
+- Configuring ``mailserver.forwards`` is now possible when the setup relies on LDAP.
+ (`merge request `__)
 NixOS 24.11
 -----------
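Review bot: In the tests/ldap.nix hunk at `@@ -179,5 +183,39 @@`, the subtest "Test cannot send mail from forwarded address" can pass without the sender-ownership check having fired for `bob_fw@example.com`: `machine.fail(...)` is satisfied by any non-zero exit of mail-check (a login, TLS or connection failure included), and the following `journalctl -u postfix | grep` searches the whole unit journal for a message that names only the login, so a rejection logged for bob by any other subtest would match as well. Including the rejected sender ties the evidence to this attempt, e.g. `machine.succeed("journalctl -u postfix | grep -q '<bob_fw@example.com>: Sender address rejected: not owned by user bob@example.com'")`, assuming Postfix's usual `<sender>: Sender address rejected` log form. Because this negative test is what now stands in for the removed `mailserver.forwards == {}` assertion, a one-line comment above the subtest such as `# a forward address is an alias, not a login identity: bob must not be able to send as bob_fw` would record the intent. The test script starts outside the hunk.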