# This file is managed by Helm
#
# LDAP routers
#

ldap_user_forward:
  # For local users: if they have an `{{ .Values.ldap.forwardEmailAttribute }}` attribute, use that
  # address instead.
  #
  # This caters for users who do not pick up their email locally, but
  # use mailboxes on other domains instead.
  #
  # The `data` lookup below has no {success}{failure} parts, so when the
  # directory has no matching entry or no forwarding attribute the
  # expansion is forced to fail and this router declines; routing then
  # continues with ldap_user below.
  debug_print = "R: ldap_user_forward for $local_part@$domain"
  driver = redirect
  # `local_domains` is a named domain list defined outside this file.
  domains = +local_domains

  # Since the redirection email address is under user control, we cannot trust it:
  # only plain addresses may be generated from it. File, pipe and :include:
  # items are refused outright; the forbid_filter_* options are
  # belt-and-braces (allow_filter is not set on this router).
  forbid_file = true
  forbid_filter_dlfunc = true
  forbid_filter_existstest = true
  forbid_filter_perl = true
  forbid_filter_readfile = true
  forbid_filter_run = true
  forbid_include = true
  forbid_pipe = true
  forbid_sieve_filter = true

  # Bind credentials come from the container environment. The `fail`
  # branch of ${env ...} forces the expansion to fail when a variable is
  # unset, so a missing credential is a routing failure rather than an
  # anonymous bind. The Helm `{{- ... }}` markers trim the whitespace and
  # newline before them, so the backslash-continued lines still join
  # correctly whether or not the user=/pass= lines are rendered.
  # LDAP_BASE is presumably an Exim macro defined elsewhere — confirm.
  # $local_part goes through quote_ldap so filter metacharacters in the
  # local part cannot alter the search filter.
  data = ${lookup ldap{\
              {{- if .Values.ldap.auth.enabled }}
              user=${env{LDAP_USER}{$value} fail } \
              pass=${env{LDAP_PASSWORD}{$value} fail } \
              {{- end }}
              ldap:///LDAP_BASE?\
              {{ .Values.ldap.forwardEmailAttribute }}?sub?\
              (&({{ .Values.ldap.uidAttribute }}=${quote_ldap:$local_part})\
                ({{ .Values.ldap.userFilter }})\
              )\
              }}
  # Record the forwarding hop with Resent-* header lines.
  headers_add = Resent-From: $local_part@$domain
  headers_add = Resent-Date: $tod_full
  headers_add = Resent-Message-ID: $message_exim_id

ldap_user:
  #
  # Mail to (local) posix accounts
  #
  # Accepts the address when the directory holds exactly one entry whose
  # `{{ .Values.ldap.uidAttribute }}` equals the local part and that also
  # matches `{{ .Values.ldap.userFilter }}`; delivery is handed to the
  # ldap_delivery transport, which is defined outside this file.
  debug_print = "R: ldap_user for $local_part@$domain"
  driver = accept
  # `local_domains` is a named domain list defined outside this file.
  domains = +local_domains
  transport = ldap_delivery
  # The lookup returns the account's uid, which by construction of the
  # filter equals $local_part, so a successful lookup always satisfies the
  # local_parts precondition. A failed lookup (no entry, or more than one
  # entry for the single-valued `ldap` lookup type) forces the expansion
  # to fail and the router is skipped. Bind credentials and the Helm
  # whitespace-trimming markers work as in ldap_user_forward; LDAP_BASE is
  # presumably an Exim macro defined elsewhere — confirm.
  local_parts = ${lookup ldap{ \
              {{- if .Values.ldap.auth.enabled }}
              user=${env{LDAP_USER}{$value} fail } \
              pass=${env{LDAP_PASSWORD}{$value} fail } \
              {{- end }}
              ldap:///LDAP_BASE?\
              {{ .Values.ldap.uidAttribute }}?sub?\
              (&({{ .Values.ldap.uidAttribute }}=${quote_ldap:$local_part})\
                ({{ .Values.ldap.userFilter }})\
              )\
              }}

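ldap_user_with_suffix:
  #
  # Mail to (possibly local) posix accounts, using suffix rules.
  #
  # This allows users to have an infinite amount of email addresses:
  # E.g. "joe" can also be reached with "joe-foo", "joe-bar" etc.
  # Basically this allows users to use "throwaway" email addresses,
  # e.g. for subscriptions.
  #
  # When local_part_suffix matches, Exim places the local part without the
  # suffix in $local_part and the suffix itself in $local_part_suffix, so
  # the directory lookup below is done on the bare account name. The
  # lookup returns that account's `{{ .Values.ldap.uidAttribute }}` value,
  # and the redirect generates a new address from it that is routed afresh
  # from the top of the router list (ldap_user_forward / ldap_user).
  # NOTE(review): an unqualified redirect item is qualified with
  # qualify_recipient unless qualify_preserve_domain is set; with several
  # entries in local_domains, confirm that is the domain you want.
  debug_print = "R: ldap_user_with_suffix for $local_part@$domain"
  driver = redirect
  # `local_domains` is a named domain list defined outside this file.
  domains = +local_domains
  # "-*" matches "joe-anything"; in an Exim quoted string "\+" is not a
  # special escape and just yields "+", so "\+*" matches "joe+anything".
  local_part_suffix = "-*:\+*"
  # Expose the wildcard part of the matched suffix to downstream filters.
  headers_add = X-Local-Part-Suffix: ${local_part_suffix_v}

  # The redirect data is whatever the directory returns, not something
  # this file controls. Mirror ldap_user_forward so a directory value can
  # only ever name an address: never a file, a pipe, an :include: or a
  # filter. For a well-formed uid these options never trigger.
  forbid_file = true
  forbid_filter_dlfunc = true
  forbid_filter_existstest = true
  forbid_filter_perl = true
  forbid_filter_readfile = true
  forbid_filter_run = true
  forbid_include = true
  forbid_pipe = true
  forbid_sieve_filter = true

  # Lookup failure forces the expansion to fail and the router declines.
  # Bind credentials and the Helm whitespace-trimming markers work as in
  # ldap_user_forward; LDAP_BASE is presumably an Exim macro defined
  # elsewhere — confirm. $local_part is passed through quote_ldap so filter
  # metacharacters cannot alter the search filter.
  data = ${lookup ldap{ \
              {{- if .Values.ldap.auth.enabled }}
              user=${env{LDAP_USER}{$value} fail } \
              pass=${env{LDAP_PASSWORD}{$value} fail } \
              {{- end }}
              ldap:///LDAP_BASE?\
              {{ .Values.ldap.uidAttribute }}?sub?\
              (&({{ .Values.ldap.uidAttribute }}=${quote_ldap:$local_part})\
                ({{ .Values.ldap.userFilter }})\
              )\
              }}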

# ldap_group:
#   #
#   # Email to a group goes to all its members
#   #
#   debug_print = "R: ldap_group for $local_part@$domain"
#   domains = +local_domains
#   driver = redirect
#   data = ${lookup ldap{\
#               {{- if .Values.ldap.auth.enabled }}
#               user=${env{LDAP_USER}{$value} fail } \
#               pass=${env{LDAP_PASSWORD}{$value} fail } \
#               {{- end }}
#               ldap:///LDAP_BASE?\
#               memberUid?sub?\
#               (&({{ .Values.ldap.uidAttribute }}=${quote_ldap:$local_part})\
#                  ({{ .Values.ldap.userFilter }})\
#               )\
#               {$value@$domain} fail}\
#           }
#   headers_add = X-Resent-From: $local_part@$domain
#   headers_add = X-Resent-Date: $tod_full
#   headers_add = X-Resent-Message-ID: $message_exim_id

# Local Variables:
# mode: conf-space
# compile-command: "make -C ../../../.. diff"
# End:
