feat: add mailSendOnly possibility

2026-02-18 14:15:48 +01:00 · 2026-02-18 14:15:48 +01:00 · 6072d13dc0
commit 6072d13dc0
parent 133d031386
3 changed files with 12 additions and 6 deletions
--- a/hosts/mail/modules/dovecot.nix
+++ b/hosts/mail/modules/dovecot.nix
@ -14,7 +14,7 @@ let
    auth_bind = no
    ldap_version = 3
    base = ou=users,dc=%Dd
-    user_filter = (&(objectClass=mailAccount)(mail=%u))
+    user_filter = (&(objectClass=mailAccount)(mail=%u)(!(mailSendOnly=TRUE)))
    user_attrs = \
      quota=quota_rule=*:bytes=%$, \
      =home=/var/vmail/%d/%n/, \
--- a/hosts/mail/modules/openldap.nix
+++ b/hosts/mail/modules/openldap.nix
@ -376,6 +376,12 @@ in
              SUBSTR caseIgnoreIA5SubstringsMatch
              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256})
          ''
+          ''
+            (1.3.6.1.4.1.12461.1.1.9 NAME 'mailSendOnly'
+              DESC 'If TRUE, account can only send mail, not receive'
+              EQUALITY caseIgnoreIA5Match
+              SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
+          ''
        ];
        olcObjectClasses = [
          ''
@ -383,14 +389,14 @@ in
              SUP top AUXILIARY
              DESC 'Mail account objects'
              MUST ( mail $ userPassword )
-              MAY (  cn $ description $ quota))
+              MAY ( cn $ description $ quota $ mailSendOnly))
          ''
          ''
            (1.3.6.1.4.1.12461.1.2.2 NAME 'mailAlias'
              SUP top STRUCTURAL
              DESC 'Mail aliasing/forwarding entry'
              MUST ( mail $ maildrop )
-              MAY ( cn $ description ))
+              MAY ( cn $ description $ mailSendOnly ))
          ''
          ''
            (1.3.6.1.4.1.12461.1.2.3 NAME 'mailDomain'
--- a/hosts/mail/modules/postfix.nix
+++ b/hosts/mail/modules/postfix.nix
@ -31,7 +31,7 @@ let
    bind_dn           = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
    bind_pw           = @ldap-password@
    scope             = sub
-    query_filter      = (&(uid=%u)(objectClass=mailAccount))
+    query_filter      = (&(uid=%u)(objectClass=mailAccount)(!(mailSendOnly=TRUE)))
    result_attribute  = mail
    debuglevel        = 0
  '';
@ -59,7 +59,7 @@ let
    bind_dn           = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
    bind_pw           = @ldap-password@
    scope             = sub
-    query_filter      = (&(objectClass=mailAccount)(uid=%u))
+    query_filter      = (&(objectClass=mailAccount)(uid=%u)(!(mailSendOnly=TRUE)))
    result_attribute  = mail
    debuglevel        = 0
  '';
@ -73,7 +73,7 @@ let
    bind_dn           = cn=vmail,ou=system,ou=users,dc=cloonar,dc=com
    bind_pw           = @ldap-password@
    scope             = one
-    query_filter      = (&(objectClass=mailAlias)(mail=%s))
+    query_filter      = (&(objectClass=mailAlias)(mail=%s)(!(mailSendOnly=TRUE)))
    result_attribute  = maildrop
    debuglevel        = 0
  '';